Re: Ten least secure programs

From: Tim Greer (chatmaster_at_charter.net)
Date: 07/08/03

    To: "Meritt James" <meritt_james@bah.com>
    Date: Tue, 8 Jul 2003 09:36:08 -0700
    
    

    ...And luck only gets them very far, if you don't know what you're doing.
    Sort of a catch-22. But, you're right, someone has to find an
    unknown/dangerous exploit, and that's usually done when someone's targeting
    someone else and trying things people might not have thought to. However,
    there are very few people in the world with those skills to even get lucky
    using such a method. Again, for my major services that are remotely
    accessible, I use software that either has no history of exploits (i.e.,
    qmail, djbdns) or no history of anything major or that would compromise the
    server.

    Finally, I rarely run a service in the default manner and usually drop the
    privileges and jail it and the processes, not to mention underlying kernel
    modifications. That's not to say that "no one could ever get in somehow",
    since there are several different services running using different software,
    just only (and specifically) that I've not had it happen (perhaps "yet"),
    simply because I've not been hit by any zero-day exploits (maybe one day
    that will be another story and I won't know about it ahead of time), and
    that how I run the programs and services may play a role in that (i.e., if I
    ran BIND and didn't chroot it and have it drop the privileges of the "named"
    user and someone exploited it--that is, after all, why a lot of people had
    their servers cracked running it a couple of years ago, because they didn't
    take measures to prevent or minimize the damage--just an example). Few
    people have the skills to do anything significant; I've seen and been
    involved enough to see.

    If that sounds arrogant to anyone, they are free to contact me and I'll send
    them a signed FAX and give them permission to try and compromise a specific
    system, and I will find a new line of work if they can get in... that's how
    confident I am about my system, my knowledge and the rarity of such large
    exploits that no one else but the attacker would know about and they'd
    manage to still also bypass all the methods I have in place to prevent any
    major exploits. Out of all the people I've seen running servers, the ones
    that keep up to date on software and implement a minimal amount of
    additional configurations and security have also never (likely) had their
    systems compromised.

    Any checks on their systems show they've not been, though many I didn't
    confirm with md5sums and such to know for sure (thus, I say "likely"). The
    point being, even with very little knowledge from an administrator's point
    of view, there are very few system crackers that could get in. People that
    have a lot of experience and take measures beyond what they are told or know
    is an existing problem to prevent this from being an issue, will have a
    pretty solid system. Of course, that depends on the person, what methods
    they use, how skilled they are and so on. Also, I'm mainly speaking about
    remote exploits, though these are all multi-user systems that I speak of,
    with the works. That, indeed, requires more work and is the most important
    factor (preventing local exploits), but I do many things to prevent that as
    well.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
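    Tim's point above about confirming with md5sums, and his quoted remark
    further down about tools that alert you when files change their sums or
    dates, are the classic file-integrity check. The following is an added
    example written for this page, not code from any poster in the thread: it
    builds a baseline (SHA-256 digest, size, mtime) for a tree, then reports
    what was modified, added or removed. SHA-256 stands in for the MD5 the
    thread mentions, and the file names and contents in `demo()` are
    constructed for illustration.

```python
# Added example (not from any poster in the thread): a minimal file-integrity
# baseline and checker, the "md5sums and such" check the thread refers to.
# SHA-256 is used instead of MD5; names and contents in demo() are constructed.
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record digest, size and mtime for every regular file under root.

    Paths are stored relative to root with '/' separators so the baseline can
    be kept elsewhere, ideally on read-only media: a baseline the intruder can
    rewrite proves nothing.
    """
    baseline: Dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets, devices: not hashed
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return baseline


def check_against(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the live tree with a saved baseline.

    'modified' means the digest changed (the authoritative signal). 'touched'
    means only size or mtime moved while the digest matched (worth a look, but
    often a harmless reinstall). Timestamps alone are never trusted: whoever can
    alter a file can also put its mtime back.
    """
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "touched": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        elif now["size"] != old["size"] or now["mtime"] != old["mtime"]:
            report["touched"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then replace one file's
    contents (same length, original mtime restored), delete one file and add
    one. Only the digest catches the replaced file."""
    files = {
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "etc/named.conf": b"options {};\n",
        "bin/ls": b"ELF...",  # constructed stand-in for a binary
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "tree")
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        save_baseline(build_baseline(root), os.path.join(tmp, "baseline.json"))

        ls = os.path.join(root, "bin", "ls")
        st = os.stat(ls)
        with open(ls, "wb") as f:
            f.write(b"ELF!!!")           # same size as the original content
        os.utime(ls, (st.st_atime, st.st_mtime))  # put the old mtime back
        os.remove(os.path.join(root, "etc", "named.conf"))
        with open(os.path.join(root, "etc", "extra.conf"), "wb") as f:
            f.write(b"new\n")

        return check_against(root, load_baseline(os.path.join(tmp, "baseline.json")))


if __name__ == "__main__":
    print(demo())
```

    In practice the baseline is taken right after installation and stored off
    the host; a check run from a compromised system with a baseline kept on that
    same system is exactly the situation Meritt warns about, where you may have
    been compromised and not know it.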
    ----- Original Message -----
    From: "Meritt James" <meritt_james@bah.com>
    To: "Tim Greer" <chatmaster@charter.net>
    Cc: "Erik !" <viking0069@hotmail.com>; <bugtraq@planetcobalt.net>;
    <security-basics@securityfocus.com>
    Sent: Tuesday, July 08, 2003 9:13 AM
    Subject: Re: Ten least secure programs
    > I would make no claims for omniscience, which is what that appeared to
    > be.  Your stated confidence appears to be more than I would claim.
    >
    > They don't have to be good, just lucky.
    >
    > Tim Greer wrote:
    > >
    > > You know, knowing you've not been compromised and you know what you're
    > > doing, doesn't always equate to arrogance or being overconfident.  And
    > > no, that's not to be construed as saying that "I'm the best" or any such
    > > thing.  I am just tired of seeing the "if someone wants in, they'll get
    > > in".  That is utter nonsense, I would never trust someone's
    > > qualifications that believed that (barring (yes) zero-day exploits you
    > > had no way of knowing about--though it's rare you couldn't know in this
    > > field--and that you didn't have it running, configured or use some other
    > > method to minimize or prevent it from being a problem on your own
    > > system).
    > >
    > > It's not all about how much willpower a cracker has, after all, and few
    > > have those sort of skills (very few, about the same odds as the lottery)
    > > and they too, still have to find a way in, and depending on your
    > > platform, how it's set up and so on.  I don't tend to just install
    > > programs and services and just think I'm okay as long as I keep up to
    > > date on patches.  They (crackers) can only use certain methods, and are
    > > using the same technology as you can, you are also in control.  Again,
    > > provided you know how and where to check, use tools that will alert you
    > > of any files that have their sums changed, dates, etc. and monitor the
    > > system, you would know if you've been compromised.
    > > --
    > > Regards,
    > > Tim Greer  chatmaster@charter.net
    > > Server administration, security, programming, consulting.
    > >
    > > ----- Original Message -----
    > > From: "Meritt James" <meritt_james@bah.com>
    > > To: "Tim Greer" <chatmaster@charter.net>
    > > Cc: "Erik !" <viking0069@hotmail.com>; <bugtraq@planetcobalt.net>;
    > > <security-basics@securityfocus.com>
    > > Sent: Tuesday, July 08, 2003 8:56 AM
    > > Subject: Re: Ten least secure programs
    > >
    > > > I would not express the confidence that you just did.
    > > >
    > > > Tim Greer wrote:
    > > > >
    > > > > No, it's never happened.  This is definitely a possibility for many
    > > > > instances, but if you know how and where to check, use tools to
    > > > > alert you if anything has changed, and have the experience, you'd
    > > > > know.  Anyway, that's not the case, and it's not exactly a rare
    > > > > thing to not have been compromised, as if it's inevitable.  Provided
    > > > > you don't get hit with any zero-day exploits that you couldn't have
    > > > > prevented by what you run, filter or how it's configured, or just
    > > > > don't use software/services that are vulnerable to them--or you
    > > > > just aren't targeted, it's not really unreasonable to hear.
    > > > > --
    > > > > Regards,
    > > > > Tim Greer  chatmaster@charter.net
    > > > > Server administration, security, programming, consulting.
    > > > >
    > > > > ----- Original Message -----
    > > > > From: "Meritt James" <meritt_james@bah.com>
    > > > > To: "Erik !" <viking0069@hotmail.com>
    > > > > Cc: <chatmaster@charter.net>; <bugtraq@planetcobalt.net>;
    > > > > <security-basics@securityfocus.com>
    > > > > Sent: Tuesday, July 08, 2003 6:45 AM
    > > > > Subject: Re: Ten least secure programs
    > > > >
    > > > > > Recommended modification: "Do not know ever been hacked."  You
    > > > > > very well may have been but do not know that you have been.  Only
    > > > > > the inept get caught.
    > > > > >
    > > > > > Jim
    > > > > >
    > > > > > "Erik !" wrote:
    > > > > > >
    > > > > > > Tim,
    > > > > > > 1. I'm glad you have never been hacked ...  8)
    > > > > > >
    > > > > > > 2. ever hear of:
    > > > > > >
    > > > > > > a. social engineering, and
    > > > > > > b. zero-day exploits
    > > > > > >
    > > > > > > ?
    > > > > > >
    > > > > > > 3. *... I'll find a new line of work*
    > > > > > >
    > > > > > > WHEN that time comes, I hear barbers enjoy nice long relaxing
    > > > > > > careers.
    > > > > > >
    > > > > > > erik
    > > > > > >
    > > > > > > ----Original Message Follows----
    > > > > > > From: "Tim Greer" <chatmaster@charter.net>
    > > > > > > To: "Erik !" <viking0069@hotmail.com>, <bugtraq@planetcobalt.net>,
    > > > > > > <security-basics@securityfocus.com>
    > > > > > > Subject: Re: Ten least secure programs
    > > > > > > Date: Thu, 3 Jul 2003 14:44:01 -0700
    > > > > > >
    > > > > > > Please, I never bought the "if someone wants in, they will get
    > > > > > > in" line. :-)
    > > > > > > There aren't enough conditionals to that claim.  There's not
    > > > > > > just inevitably a way in, no matter what, and that a sysadmin
    > > > > > > can't do anything about it, as if that's "just the way it is".
    > > > > > > If you believe otherwise, I'll set up a system and you can
    > > > > > > manage to "just get in" and I'll find a new line of work.
    > > > > > > --
    > > > > > > Regards,
    > > > > > > Tim Greer  chatmaster@charter.net
    > > > > > > Server administration, security, programming, consulting.
    > > > > > >
    > > > > > > ----- Original Message -----
    > > > > > > From: "Erik !" <viking0069@hotmail.com>
    > > > > > > To: <bugtraq@planetcobalt.net>; <security-basics@securityfocus.com>
    > > > > > > Sent: Wednesday, July 02, 2003 3:20 PM
    > > > > > > Subject: Re: Ten least secure programs
    > > > > > >
    > > > > > >  > Here's what the experts use (for starters - bigger cos.
    > > > > > >  > develop their own list, based upon their own internal
    > > > > > >  > consensus).
    > > > > > >  >
    > > > > > >  > http://www.sans.org/top20/
    > > > > > >  >
    > > > > > >  > this is broken out by windows and unix centric apps/services.
    > > > > > >  >
    > > > > > >  > It really pegs the most common apps/services that sysadmins
    > > > > > >  > overlook and hence end up causing the most problems.
    > > > > > >  >
    > > > > > >  > A determined hacker could get into most any network, it gets
    > > > > > >  > back to the old adage:
    > > > > > >  >
    > > > > > >  > You are going to be hacked at some point, it's just a matter
    > > > > > >  > of how soon you want that to happen.
    > > > > > >  >
    > > > > > >  > Balance your LAN security against your business needs.
    > > > > > >  > Erik
    > > > > > >  >
    > > > > > >  >
    > > > > > >  > ----Original Message Follows----
    > > > > > >  > From: Ansgar Wiechers <bugtraq@planetcobalt.net>
    > > > > > >  > To: security-basics@securityfocus.com
    > > > > > >  > Subject: Re: Ten least secure programs
    > > > > > >  > Date: Tue, 1 Jul 2003 10:52:23 +0200
    > > > > > >  >
    > > > > > >  > I'm not sure if this discussion will be productive in any
    > > > > > >  > way, since you seem to concentrate too much on the software
    > > > > > >  > and ignore layer 8, which is (IMHO) the major problem. But
    > > > > > >  > anyway, here you go:
    > > > > > >  >
    > > > > > >  > On 2003-06-28 Chris Berry wrote:
    > > > > > >  >  > I'm putting together a list of what seem to be the ten
    > > > > > >  >  > least secure computer items in use today with the idea of
    > > > > > >  >  > having a set of things to recommend AGAINST people using,
    > > > > > >  >  > probably to be posted on the IT room door with a note like
    > > > > > >  >  > "NO, you cannot use the following!!".  Here is what I have
    > > > > > >  >  > so far, I'm looking for additions and comments.  The list
    > > > > > >  >  > is in order, with the worst offender being number one.
    > > > > > >  >  > These should be products whose inherent design is flawed,
    > > > > > >  >  > not that are just difficult to secure.  I expect vigorous
    > > > > > >  >  > discussion.  *putting on flame retardant garments*  Oh,
    > > > > > >  >  > and leave Operating systems out of this one.
    > > > > > >  >
    > > > > > >  > I'm not sure if this discussion will be productive in any
    > > > > > >  > way, since you seem to concentrate too much on the software
    > > > > > >  > and ignore layer 8, which is (IMHO) the major problem. But
    > > > > > >  > anyway, here we go:
    > > > > > >  >
    > > > > > >  >  > 1) Microsoft Outlook
    > > > > > >  >
    > > > > > >  > I beg to differ on this one. Outlook is a groupware client
    > > > > > >  > and is therefore *designed* to be insecure. It's a behaviour
    > > > > > >  > I would expect from a groupware client. Of course one should
    > > > > > >  > *not* use Outlook as an internet mail client (at least not
    > > > > > >  > without taking further precautions). Also I would like to
    > > > > > >  > mention that AFAIR all vulnerabilities in Outlook are
    > > > > > >  > vulnerabilities of the Internet Explorer (which I suggest to
    > > > > > >  > put on this list instead).
    > > > > > >  >
    > > > > > >  >  > 2) Telnet
    > > > > > >  >  > 3) Sendmail
    > > > > > >  >  > 4) IIS Server
    > > > > > >  >  > 5) Wireless networking
    > > > > > >  >  > 6) PHP
    > > > > > >  >  > 7) ?
    > > > > > >  >  > 8) ?
    > > > > > >  >  > 9) ?
    > > > > > >  >  > 10) ?
    > > > > > >  >
    > > > > > >  > You might want to add FTP in general and BIND (at least
    > > > > > >  > earlier than version 9) here.
    > > > > > >  >
    > > > > > >  > Regards
    > > > > > >  > Ansgar Wiechers
    > > > > > >  >
    > > > > > >  >
    > > > > >
    > > > > > --
    > > > > > James W. Meritt CISSP, CISA
    > > > > > Booz | Allen | Hamilton
    > > > > > phone: (410) 684-6566
    > > >
    > > > --
    > > > James W. Meritt CISSP, CISA
    > > > Booz | Allen | Hamilton
    > > > phone: (410) 684-6566
    >
    > --
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
    

