
Re: [cobalt-security] RE: 'On my Soap Box'



On Tue, 6 Mar 2001, Mark Anderson wrote:

> > Did I not say that 'security through obscurity' was a bad thing?
> > And that being paranoid was the way to do things?
> > Sorry Mark, I fail to see what your argument is here. You've
> > basically agreed with exactly what I said in the first place!
>
> No I haven't.
>
> You claimed that little to no intelligence was needed to root
> an online server (assuming basic skill levels for admins). This
> is just not true. In fact the opposite is true - there is such
> a wealth of information available that admins have no excuse
> for having bad security. To be a good hacker/cracker (choose
> your media buzzword) the attacker has to have a level of skill
> and knowledge that exceeds that of the admin.
>
> Example:
>
> A vulnerability is documented on Bugtraq. I update the software
> mentioned, with a patch or fresh install of latest version. Problem
> solved.
>
> An attacker sees the same mail on Bugtraq and tries it on a few
> machines to see what he can get with a little effort. Not only
> is it likely that the exploit code will have been gutted and
> cease to actually work, but the attacker would need an equal
> skill level as the original coder to fix it.
>
> What I'm trying to point out is that protecting a server is
> fall-off-my-chair-laughing easy. However to be a remotely good
> attacker, it takes time, skill, intellect and a few drops of
> luck.
>
> Do you see where we disagree now?

Hmmm.  Protecting a server is fall-off-my-chair-laughing easy?

I'm sorry, but I have to object here (I'm slightly biased coming from a
security background I suppose)...  Sure, you can install Redhat, kill off
services you don't need, install tripwire and run ipchains, but this does
not make you secure.

What happens when the next 17-year-old kid with a copy of gcc and redhat
writes the next major exploit and gives it to all his IRC friends (which
doesn't get posted to bugtraq for a few weeks)?  You get rooted.  Kids
install Linux Kernel Modules; you don't even know you've been rooted, and
tripwire etc. is useless.

That sort of thing doesn't happen often?  Yes, it does.  A major hole in
wuftpd was known amongst many hax0rs for 6 months+ before it became public
knowledge (somebody posted the exploit to bugtraq) about a year ago.
Wuftpd is installed and enabled by default in Redhat and on earlier RaQs.

Also, most exploits posted to bugtraq et al. aren't broken.  Most of them
take the ability of a 14-year-old to run from a 56k modem, and very little
skill.  Just look at all the recent Cobalt bind break-ins.

The general fact is people see hack attacks as the odd web defacement and
the occasional media-hyped "credit card details stolen" story.  This isn't true.
Crackers are all over the place, in all kinds of systems, across
corporations and ISPs.  Administrators just don't notice.

Research suggests most of them are 17 years old or below, and hang around
on IRC with their Internet cracking buddies.  Most system administrators
tend to be older, and much more skilled in their areas.  True, many of
them don't understand the dangers of attaching a default-install Redhat
box onto the web (or IIS for that matter), but are kids that ./bind-hack
www.redhat.company.com any more intelligent?