Re: Ten least secure programs

From: Tim Greer (chatmaster_at_charter.net)
Date: 07/08/03

    To: "Meritt James" <meritt_james@bah.com>, "Erik !" <viking0069@hotmail.com>
    Date: Tue, 8 Jul 2003 08:54:52 -0700
    
    

    No, it's never happened. This is definitely a possibility for many
    instances, but if you know how and where to check, use tools to alert you if
    anything has changed, and have the experience, you'd know. Anyway, that's
    not the case, and it's not exactly a rare thing to not have been
    compromised, as if it's inevitable. Provided you don't get hit with any
    zero-day exploits that you couldn't have prevented by what you run, filter
    or how it's configured, or just don't use software/services that are
    vulnerable to them--or you just aren't targeted, it's not really
    unreasonable to hear.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
    ----- Original Message -----
    From: "Meritt James" <meritt_james@bah.com>
    To: "Erik !" <viking0069@hotmail.com>
    Cc: <chatmaster@charter.net>; <bugtraq@planetcobalt.net>;
    <security-basics@securityfocus.com>
    Sent: Tuesday, July 08, 2003 6:45 AM
    Subject: Re: Ten least secure programs
    > Recommended modification: "Do not know ever been hacked."  You very well
    > may have been but do not know that you have been.  Only the inept get
    > caught.
    >
    > Jim
    >
    > "Erik !" wrote:
    > >
    > > Tim,
    > > 1. I'm glad you have never been hacked ...  8)
    > >
    > > 2. ever hear of:
    > >
    > > a. social engineering, and
    > > b. zero-day exploits
    > >
    > > ?
    > >
    > > 3. *... I'll find a new line of work*
    > >
    > > WHEN that time comes, I hear barbers enjoy nice long relaxing careers.
    > >
    > > erik
    > >
    > > ----Original Message Follows----
    > > From: "Tim Greer" <chatmaster@charter.net>
    > > To: "Erik !" <viking0069@hotmail.com>, <bugtraq@planetcobalt.net>, <security-basics@securityfocus.com>
    > > Subject: Re: Ten least secure programs
    > > Date: Thu, 3 Jul 2003 14:44:01 -0700
    > >
    > > Please, I never bought the "if someone wants in, they will get in" line. :-)
    > > There's not enough conditionals to that claim.  There's not just inevitably
    > > a way in, no matter what and that a sys admin can't do anything about it, as
    > > if that's "just the way it is".  If you believe otherwise, I'll set up a
    > > system and you can manage to "just get in" and I'll find a new line of work.
    > > --
    > > Regards,
    > > Tim Greer  chatmaster@charter.net
    > > Server administration, security, programming, consulting.
    > >
    > > ----- Original Message -----
    > > From: "Erik !" <viking0069@hotmail.com>
    > > To: <bugtraq@planetcobalt.net>; <security-basics@securityfocus.com>
    > > Sent: Wednesday, July 02, 2003 3:20 PM
    > > Subject: Re: Ten least secure programs
    > >
    > >  > Here's what the experts use (for starters - bigger cos. develop their own
    > >  > list, based upon their own internal consensus).
    > >  >
    > >  > http://www.sans.org/top20/
    > >  >
    > >  > this is broken out by windows and unix centric apps/services.
    > >  >
    > >  > It really pegs the most common apps/services that sysadmins overlook and
    > >  > hence end up causing the most problems.
    > >  >
    > >  > A determined hacker could get into most any network, it gets back to the
    > >  > old adage:
    > >  >
    > >  > You are going to be hacked at some point, it's just a matter of how soon
    > >  > you want that to happen.
    > >  >
    > >  > Balance your LAN security against your business needs.
    > >  > Erik
    > >  >
    > >  >
    > >  > ----Original Message Follows----
    > >  > From: Ansgar Wiechers <bugtraq@planetcobalt.net>
    > >  > To: security-basics@securityfocus.com
    > >  > Subject: Re: Ten least secure programs
    > >  > Date: Tue, 1 Jul 2003 10:52:23 +0200
    > >  >
    > >  > I'm not sure if this discussion will be productive in any way, since you
    > >  > seem to concentrate too much on the software and ignore layer 8, which
    > >  > is (IMHO) the major problem. But anyway, here you go:
    > >  >
    > >  > On 2003-06-28 Chris Berry wrote:
    > >  >  > I'm putting together a list of what seem to be the ten least secure
    > >  >  > computer items in use today with the idea of having a set of things to
    > >  >  > recommend AGAINST people using, probably to be posted on the IT room
    > >  >  > door with a note like "NO, you cannot use the following!!".  Here is
    > >  >  > what I have so far, I'm looking for additions and comments.  The list
    > >  >  > is in order, with the worst offender being number one.  These
    > >  >  > should be products whose inherent design is flawed, not that are just
    > >  >  > difficult to secure.  I expect vigorous discussion. *putting on flame
    > >  >  > retardant garments*  Oh, and leave Operating systems out of this one.
    > >  >
    > >  > I'm not sure if this discussion will be productive in any way, since you
    > >  > seem to concentrate too much on the software and ignore layer 8, which
    > >  > is (IMHO) the major problem. But anyway, here we go:
    > >  >
    > >  >  > 1) Microsoft Outlook
    > >  >
    > >  > I beg to differ on this one. Outlook is a groupware client and is
    > >  > therefore *designed* to be insecure. It's a behaviour I would expect
    > >  > from a groupware client. Of course one should *not* use Outlook as an
    > >  > internet mail client (at least not without taking further precautions).
    > >  > Also I would like to mention that AFAIR all vulnerabilities in Outlook
    > >  > are vulnerabilities of the Internet Explorer (which I suggest to put on
    > >  > this list instead).
    > >  >
    > >  >  > 2) Telnet
    > >  >  > 3) Sendmail
    > >  >  > 4) IIS Server
    > >  >  > 5) Wireless networking
    > >  >  > 6) PHP
    > >  >  > 7) ?
    > >  >  > 8) ?
    > >  >  > 9) ?
    > >  >  > 10) ?
    > >  >
    > >  > You might want to add FTP in general and BIND (at least earlier than
    > >  > version 9) here.
    > >  >
    > >  > Regards
    > >  > Ansgar Wiechers
    >
    > --
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
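Tim's point at the top of this message, that you can know whether a box has changed if you keep a baseline and have tools alert you to drift, is the idea behind file-integrity monitoring. The following is an added illustration and not code from anyone in this thread: it hashes a directory tree into a baseline, re-hashes it later, and reports what was added, removed or modified. The sample tree and the "drift" applied to it are constructed inside `demo()` and do not describe any real host.

```python
"""Minimal file-integrity baseline: hash a tree once, re-hash later, report drift.

Added example for this thread, not code from any poster. Paths and contents
used by demo() are constructed on the fly in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    baseline depend on files that are not actually under root.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_baselines(old, new):
    """Compare two baselines and return the three kinds of drift, each sorted."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Build a constructed sample tree, baseline it, apply some drift, and diff.

    Returns the diff so the result can be checked rather than only printed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # constructed sample files, not copied from any real system
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original build")

        baseline = hash_tree(root)

        # simulated drift: one binary replaced, one file removed, one file added
        (root / "bin" / "ls").write_bytes(b"\x7fELF different build")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "newfile").write_text("unexpected\n")

        return diff_baselines(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In practice the baseline would be written out (and stored somewhere the monitored host cannot silently rewrite) right after a known-good install, and the comparison run on a schedule; the drift report is what you alert on. Hashing alone does not cover ownership or permission changes, so a fuller tool would record those in the baseline too.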
    
