[Techtalk] Security professionals/hobbyists -- Opinions?

Megan Golding meggolding at yahoo.com
Wed Aug 7 10:02:50 EST 2002


--- Raven Alder <raven at oneeyedcrow.net> wrote:
> Quoth Megan Golding (Sat, Aug 03, 2002 at 08:05:00AM -0700):
> >  * Have any horror stories you're willing to share?
> >    Network break-ins because of some lack of 
> >    knowledge on your or someone else's part?
> 
> 	Heh.  Lots.  I do (among other things) incident response. 
> Most of the incidents were caused by poor configuration or lack of
> updating.

Interesting. I've seen this happening a lot -- administrators with
enough knowledge to get something set up, but not enough knowledge to
lock it down. The SQL Snake from late May/early June this year is a
prime example. Windows admins were running SQL Server with a default
(null) password. SQL Snake spread by looking for the null passwords.

As to lack of updating, I wonder if that's because of lack of time or
knowledge, or some mixture? In part of your response that I snipped,
you described some companies frowning on their sysadmins reading
Bugtraq -- these seem to me the type of environments where the admins
have the knowledge but not the time to keep things patched.

> I had the IOS on one of the Cisco routers at an old job
> replaced with an MP3 of Weird Al singing "It's all about the
> Pentiums, baby". Router wouldn't boot, I wonder why, oh my 
> God.  That one was caused by lack of turning off unnecessary 
> services and patching (router running exploitable web server).

I presume that getting that router patched was a lower priority for
you than other tasks on your plate at the time. Is that a fair
assumption?

The old GI Joe cartoons used to say that "knowing is half the battle"
and I certainly know that's true. My web server was running a
vulnerable version of Apache for a few weeks, even though I was aware
of the recent chunking vuln. I had other things I wanted to get done
first. 

In your cases and mine, I notice that we had the knowledge of what
the security-conscious thing to do was but didn't do it for whatever
reason. I find that interesting. In a business setting, I'd say these
examples call for a process aimed at getting security patches
deployed quickly.

> 
> 	Good luck with your article; let us know when it's out.  I'm
> interested.

Thanks! Will do. Your comments were very helpful in formulating the
focus of my article. I thank you for your insights :)

Meg

=====
Megan Golding    |    http://www.kalamitykat.com



