An interview of r.f.p., from Wiretrip and ADM "Whenever you implement a production server on the internet, you have to think twice about *everything*" |
|
<Kitetoa> - r.f.p., you've published an advisory called "NT ODBC Remote Compromise". Could you explain within some lines in untechnical words ;) what it is about? I mean what, basically can you do on a remote machine running NT and IIS apart from "everything"? <r.f.p.> - The problem is with ALL windows (NT, 95, and maybe 98). ODBC is a generic way for the system to use a database. The problem is one type of database from Microsoft, the MS Access database (which uses what is called the Jet engine) has a small secret feature that allow you to run special commands to do anything on the server. So if someone can use your database, someone can do bad things. The tricky part is that MS Access/Jet databases are the 'free' ones that come with NT, and are very popular/easy to use. Even your MS Access that comes with Office 97 has the same problem. <Kitetoa>
- Did Miscrosoft publish a patch or a security
advisory, and where can an admin find it? <r.f.p.> - I have not seen *anything* from Microsoft on this topic. I think this is because of 2 reasons: 1. It was a 'feature'--it was there *on
purpose*. It was not a bug. It 2. MDAC 2.1.1 was released, which fixed this problem silently. They just removed this feature. Well, so it seems. I haven't finished my testing yet. >:) <Kitetoa> - Do you think that the the fact that there is the eEye bug, your advisory, BO2K, and, I guess, many other exploits out there for NT and/or IIS, should make people think about it twice before making a choice on what OS and server they are going to use for a Web site? <r.f.p.> - Quite honestly, whenever you implement a production server on the internet, you have to think twice about *everything*. The problem is that some corporations have standardized on Windows. That means, even if Linux looks like a good idea, they will not--they only use Windows, and that's policy. So rather than complain that you want to use Linux, figure out how to make NT secure. <Kitetoa> - NeonSurge says he can... Is there, in your opinion, ways of really securing an NT box running IIS ? <r.f.p.> - Yes there are. The problem is that it's usually stuff you have to dig and find out yourself, and only the better experts (like NeonSurge) know how to do it--it's not default. And Microsoft doesn't help you any. IIS ships with a few holes open *by default*. Not many people know where to look and what to close. And with Microsoft's big push to make NT administration 'easy', that means we are having more and more 'less-technical' admins surface, compared to the unix gurus of the old day. They just don't know how to do some of the technical stuff. <Kitetoa> -Do you think Internet should be used to conduct e-commerce? Mudge and Kitetoa (yes, he is smarter ;) ... ) think that it has not been disigned to be secure... Let's put it in another way: companies are linking in a way or another their information systems (which is the heart of their business capabilities) to the net. In many cases they put themselfs at risks. Is that wise? <<r.f.p.> - I have to say yes and no. I don't think the Internet has been designed securely enough for e-commerce. Well, what I really mean is that *there are secure ways to do e-commerce*. They do exist. Unfortunately, a bunch of humans run it, and humans are less than perfect. The create bugs, holes, and otherwise break that secure model. To be a hacker, you only have to find one hole. To be an admin, you have to patch *all* the holes. Now, when we start making it so that servers are easier to administer, we get sysadmins that aren't exactly as aware of the big picture as they should be. If I was a company, and I put the heart of my corporation on the Internet, I would want to make sure my admins were 'the best', and not just 'ok'. <Kitetoa> - What would be your advice for a sysadmin so that he could get all the needed information to keep his/her domain secure? What should he/she read? What mailing list, what Web server? <r.f.p.> - Best advice is 'don't assume anything'. Pretend you're a secret government agent--only give people 'what they need to know'. Keep everything as minimal as you need it. Go over everything with a fine-tooth comb. Understand how it works on the lowest level...don't assume it just 'works'. When you get intimate with the technology and understand it, you'll also know how to protect yourself.
Back
|
Naviguer, lire.... Le Sommaire |
Communiquer... |
Les rubriques! |
Les rubriques! |
Les dossiers |
Malade mental... Qui est Jean-Paul Ney, Le texte de la condamnation |
Malade mental, bis repetita Jean-Paul Ney condamné Condamnation de Jean-Paul Ney |
D'autres choses... |
Rechercher... et sur le Net... |