[Techtalk] Security professionals/hobbyists -- Opinions?
Megan Golding
meggolding at yahoo.com
Wed Aug 7 10:02:50 EST 2002
--- Raven Alder <raven at oneeyedcrow.net> wrote:
> Quoth Megan Golding (Sat, Aug 03, 2002 at 08:05:00AM -0700):
> > * Have any horror stories you're willing to share?
> > Network breakins because of some lack of
> > knowledge on your or someone else's part?
>
> Heh. Lots. I do (among other things) incident response.
> Most of the incidents were caused by poor configuration or lack of
> updating.
Interesting. I've seen this happening a lot -- administrators with
enough knowledge to get something set up, but not enough knowledge to
lock it down. The SQL Snake from late May/early June this year is a
prime example. Windows admins were running SQL Server with a default
(null) password. SQL Snake spread by looking for the null passwords.

As to lack of updating, I wonder if that's because of lack of time or
knowledge, or some mixture? In part of your response that I snipped,
you described some companies frowning on their sysadmins reading
Bugtraq -- these seem to me the type of environments where the admins
have the knowledge but not the time to keep things patched.
> I had the IOS on one of the Cisco routers at an old job
> replaced with an MP3 of Weird Al singing "It's all about the
> Pentiums, baby". Router wouldn't boot, I wonder why, oh my
> God. That one was caused by lack of turning off unnecessary
> services and patching (router running exploitable web server).
I presume that getting that router patched was a lower priority for
you than other tasks on your plate at the time. Is that a fair
assumption?

The old GI Joe cartoons used to say that "knowing is half the battle"
and I certainly know that's true. My web server was running a
vulnerable version of Apache for a few weeks, even though I was aware
of the recent chunking vuln. I had other things I wanted to get done
first.

In your cases and mine, I notice that we had the knowledge of what
the security-conscious thing to do was but didn't do it for whatever
reason. I find that interesting. In a business setting, I'd say these
examples call for a process aimed at getting security patches
deployed quickly.
>
> Good luck with your article; let us know when it's out. I'm
> interested.
Thanks! Will do. Your comments were very helpful in formulating the
focus of my article. I thank you for your insights :)
Meg
=====
Megan Golding | http://www.kalamitykat.com