[PLUG-TALK] Server Security and Cracking

Ronald Chmara ronabop at gmail.com
Mon Mar 4 21:07:18 UTC 2013


On Mon, Mar 4, 2013 at 7:32 AM, Rich Shepard <rshepard at appl-ecosys.com> wrote:

>    In the early 1970s those of us in the sciences at the University of
> Illinois had to put up with the CS101 students showing off their skills
> (computer, not social) by crashing the IBM mainframes (S/360s in those
> days) by manipulating the Job Control Language. Since the turn of the
> century I assumed that most enterprise backends ran some flavor of UNIX or
> work-alikes such as linux and the *BSDs and the admins kept up with
> security patches.
>

Many companies collect metrics about downtime. Installing patches regularly
creates downtime. In addition, most large companies have a weird
hodge-podge of systems, with bizarre legacy equipment (and operating
systems) that haven't been replaced because of budgetary constraints,
political turf wars, etc. Here's an eye-opener: XP came out in 2001. It's
had thousands of known holes. It represents roughly 40% of the desktops
*currently* in use. A company may have big iron in its server rooms, but
almost any large organization has, oh, somebody in the HR department
running that-one-MS-Access-program-that-they-cannot-do-without, and thus
makes for an easy target.


>    I can easily understand how individual personal users, particularly
> those running the ubiquitous Windows, have their machines taken over by
> those with less-than-honorable intentions. But are the enterprise/government
> servers actually being taken over, or are they used as conduits to
> individual workstations by social engineering and use of weak passwords
> obtained by dictionary or other brute-force attacks?
>

It's often not the case that the big iron is attacked and used to get to
workstations; it's that workstations are a soft target, and are used to get
access to the iron. Of course, there are huge exceptions to this. In my
field, I've seen so much amazingly bad web application code that it would
make a CxO's skin crawl, if they understood what was going on... but they
generally don't. A typical problem is "developers" using frameworks and
just trusting somebody else's code, contrasted with another problem, which
is "developers" who write their own code without understanding the
underlying technology well enough to use it safely and accurately... A good
site to get a feel for how bad it really is out there is
http://thedailywtf.com ; it's chock full of screwups, in code, in social
interactions, in ill-thought-out UI, with a new entry *daily*.

-Ronabop