[Techtalk] Security professionals/hobbyists -- Opinions?

Raven Alder raven at oneeyedcrow.net
Mon Aug 12 20:24:22 EST 2002

Heya --

Quoth Megan Golding (Wed, Aug 07, 2002 at 10:02:50AM -0700):
> Interesting. I've seen this happening a lot -- administrators with
> enough knowledge to get something set up, but not enough knowledge to
> lock it down. The SQL Snake from late May/early June this year is a
> prime example. Windows admins were running SQL Server with a default
> (null) password. SQL Snake spread by looking for the null passwords.

	That's pretty much what you get when you sell products as "easy
to set up" or "anyone can do it".  When security is not designed into a
product by default, it won't be a concern of many of the users, and the
defaults, whatever they may be, will stand.  When I've worked on product
development, I've made an effort to provide sensible defaults in order
to prevent just this sort of thing.

> As to lack of updating, I wonder if that's because of lack of time or
> knowledge, or some mixture? In part of your response that I snipped,
> you described some companies frowning on their sysadmins reading
> Bugtraq -- these seem to me the type of environments where the admins
> have the knowledge but not the time to keep things patched.

	Often the admins have the knowledge but not the ability to patch
things -- if they don't set their own priorities, the managers may
decide that updating isn't all that important anyway and they'd rather
have the admin's time spent elsewhere.  Too often, I've had to justify
proactive security measures economically to the CEO.  Everyone's worried
about 'hackers' but very few business execs that I've encountered
outside the security field have sufficient motivation to do anything
about it.

> > I had the IOS on one of the Cisco routers at an old job
> > replaced with an MP3 of Weird Al singing "It's all about the
> > Pentiums, baby". Router wouldn't boot, I wonder why, oh my 
> > God.  That one was caused by lack of turning off unnecessary 
> > services and patching (router running exploitable web server).
> I presume that getting that router patched was a lower priority for
> you than other tasks on your plate at the time. Is that a fair
> assumption?

	I'd been at that job about a week at the time.  Standardizing
the router configs and updating all the IOS images was on my to-do list,
but I just hadn't gotten to it yet.  I tend to start work at places with
fairly broken networks, become horrified, and then form a plan to get
them up to scratch.  Packet janitor am I.  [grin]  So in another week it
would have been fixed.  Unfortunately, the attacker didn't kindly wait
until I was ready for them.

> In your cases and mine, I notice that we had the knowledge of what
> the security-conscious thing to do was but didn't do it for whatever
> reason. I find that interesting. In a business setting, I'd say these
> examples call for a process aimed at getting security patches
> deployed quickly.

	One would think.  But many businesses (and individuals) have to
be bitten once before they realize how painful it is to actually get
compromised and then try to recover from that.

"I have complete respect for you.  Please join my harem."
  -- Ryan, on seduction techniques
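The blank-sa-password problem that SQL Snake exploited is still worth auditing for. The following T-SQL is an added example and not part of the original thread; it assumes SQL Server 2005 or later (sys.sql_logins and PWDCOMPARE, which postdate the 2002 discussion) and a connection with enough privilege (e.g. CONTROL SERVER) to read password hashes. The remediation lines at the end are left commented out because the right action depends on site policy.

```sql
-- Added example, not from the original thread: audit SQL Server logins for
-- blank or trivial passwords (the SQL Snake / Spida worm logged in as 'sa'
-- with an empty password). Assumes SQL Server 2005+ and CONTROL SERVER
-- permission so that password_hash is readable; the query changes nothing.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,
    -- PWDCOMPARE returns 1 when the clear-text value matches the stored hash.
    CASE WHEN PWDCOMPARE('', l.password_hash) = 1     THEN 1 ELSE 0 END AS has_blank_password,
    CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 1 ELSE 0 END AS password_equals_name
FROM sys.sql_logins AS l
WHERE PWDCOMPARE('', l.password_hash) = 1        -- empty password
   OR PWDCOMPARE(l.name, l.password_hash) = 1    -- password is the login name
   OR l.is_policy_checked = 0                    -- no complexity policy enforced
ORDER BY l.name;

-- Remediation for a flagged 'sa' login (assumption: the site prefers to
-- disable sa rather than rely on it; adjust to local policy before running):
-- ALTER LOGIN sa WITH PASSWORD = '<strong password>' CHECK_POLICY = ON;
-- ALTER LOGIN sa DISABLE;
```

Run it against each instance from an administrative connection; any row returned is a login that an automated scanner in the SQL Snake mould would find in seconds.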
