Date: 25 Apr 2001 18:17:51 -0400
From: Chris Shenton <chris@shenton.org>
To: mudman <mudman@R181204.resnet.ucsb.edu>
Cc: <freebsd-security@freebsd.org>
Subject: Re: defaced websites and the like
Message-ID: <87n194pqsw.fsf@thanatos.shenton.org>
In-Reply-To: mudman's message of "Wed, 25 Apr 2001 15:05:10 -0700 (PDT)"
References: <Pine.BSF.4.30.0104251453340.9592-100000@R181204.resnet.ucsb.edu>
mudman <mudman@R181204.resnet.ucsb.edu> writes:

> Are these kind of attacks on httpd itself (Apache or otherwise) or are
> said "hackers" (heh heh) breaking in through other channels or services?

Attacks can use many vectors including holes in a server itself, holes in other services, holes in the OS, holes in the infrastructure (e.g. hacking DNS then exploiting names which are "trusted"), or even "social engineering" (call a sysadm up claiming to be a legit user who forgot his password, etc).

When a hole is discovered -- whether it is in the OS, a major server like a web server or a less common one like the recent NTP hole, or an infrastructure service (like the recent BIND bug) -- the information propagates quickly within the network community. Good guys try to protect themselves, bad guys try and exploit the problems. Software exploit code is released in amazingly short time so you have to fix any problems that are found regardless of where it is.

A good reason to practice "security in depth", which I kinda associate with having no system trust any other system/software any more than absolutely necessary in case it gets hacked.

> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)

I prefer software I can look at and determine its config, so I prefer things like UNIX-style config files and command-line tools. I find it very hard to tell the state of my system on a grope-n-poke OS like WinDoze.

I also believe Open Source allows many people to look for holes in the software where proprietary relies on the discredited idea of security-through-obscurity. Also, commercial vendors have more pressure to release more features than to fix bugs.

A major factor which I am sure others will suggest is to use what you know best. I can secure a FreeBSD, Solaris, or Irix system pretty well. It would take me longer to secure a Linux box cuz it's been a while, and I'd be pathetic trying to secure a WinDoze box due to my unfamiliarity with it (I don't know if it *is* possible to secure, and certainly don't know how).

--Chris

Anti-Hacking premiums 25% higher for Win NT: An insurance policy against hacker-inflicted damage costs 25 per cent more for companies using Windows NT. This is because "there are so many security holes in Microsoft products", John Wurzler, of Wurzler underwriting managers, told us today.
-- http://www.theregister.co.uk/content/8/18324.html