[lug] Security

Evelyn Mitchell efm at tummy.com
Thu Mar 1 09:12:32 MST 2001


In regards to the current discussion about demonstrating exploits.

Even if someone were to demonstrate to me that a particular exploit
was possible, and that after applying a fix it was no longer
possible, it doesn't mean that that box is secure.

Computers are extremely complex systems. This complexity may hide
hundreds or thousands of ways to gain inappropriate access to resources,
many of which will never be discovered with current tools, simply because
they haven't been thought of yet. An example of a class of exploits
which was only recently discovered is the internationalization string
exploits published this fall. The code that the exploit works against
has been in use for at least 10 years, and the computers using the
code have been vulnerable, but it is only within the last 6 months
that we understood it was possible to gain access using this vulnerability,
and so to begin to close the hole.

Security is not an event. It is a process.

The steps we need to take in the process are fairly clear: keep up
with software updates, run only essential services, use good firewall
rules, have clear policies in place, be watchful.

This is the message that it is important to pass on to your client.

Focusing on the details of a particular exploit rather than on the
whole process of maintaining good security benefits no one.

Evelyn Mitchell
efm at tummy.com

----- End forwarded message -----