Domain: securityportal.com
Stories and comments across the archive that link to securityportal.com.
Comments · 61
-
my response to jane's editor (properly formatted)
Hi, I work as a writer/security type for SecurityPortal.com, I do a weekly column, a weekly newsletter, wrote a 200 page guide to Linux security, so I feel somewhat qualified to critique this article.
That article is (I'm trying to think of a gentle word) bad.
---start--- According to hackers, 99% of cracking incidents can be blamed on so-called 'script-kiddies'. These are usually young people who manage to acquire some 'cracking tools' somewhere on the Internet and are keen to try them. They choose a 'cool' target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established ---stop---
Pulling statistics out of thin air is a bad idea. I personally would put the percentage lower based on the types of attacks I have seen a lot of (i.e. bulk scans performed by worm-like programs, not something a "script-kiddie" can write).
---start--- Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, puts the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. ---stop---
Are we talking about hackers (Linux kernel hackers) or crackers here? A mid-1990s estimate is horribly out of date by now; I don't think there is any remotely reliable way to peg it. Also you need to define it first. If a 14 year old decides to go to rootshell, gets an exploit, defaces a major website, gets away with it, but realizes how much trouble he might have gotten into, and never does it again, is he a cracker? Is someone who tries out a few exploits from rootshell on his ISP "for fun" once a cracker?
---start--- However, to launch a sophisticated attack against a hardened target requires three to four years of practice in C, C++, Perl and Java (computer languages), general UNIX and NT systems administration (types of computer platform), LAN/WAN theory, remote access and common security protocols (network skills) and a lot of free time. On top of these technical nuts and bolts, there are certain skills that must be acquired within the cracker community. ---stop---
No. Many "hardened" sites are not maintained properly, or even if they are (not hardened enough, of course) there will be at least one time when a new exploit comes out and is not fixed for, say, 6 hours, a large window of opportunity. Classic examples are bugs in Bind (DNS server software used by almost everyone); most DNS servers that are secured are secured quite well, however there have been several bugs that surfaced this year that pretty much nixed anything you could do to secure it (on most systems anyway).
Protecting yourself from your software
There are a lot more items in the article I take exception to. As far as social engineering goes you should make the author read Winn Schwartau's "Information Warfare" (actually he should read it in any case, it's a pretty comprehensive book). You might also check out:
Sunworld article on social engineering
Also in general the article is pretty messy; there is a bit on social engineering a few paragraphs before the social engineering section. I would seriously recommend removing it and having someone rewrite it from scratch.
-Kurt Seifried - my sig deleted
-
Chipcards in Germany/Infrastructure view
In Germany every person gets a chipcard from their health insurance company (health insurance is required by law here).
These cards comply with a certain standard. Without my card, the medical personnel have no access to my records, except for special purposes where only certain partial aspects are important, e.g. billing. I know that because my chipcard broke after 5 years of use and my dentist could not enter the services he had provided until my next visit.
I think that that is an interesting model for your problem:
One part of the system at the doctor's side (reader) and one part at the patient's (card). But from my point of view this covers only a part of the problem (the German solution is several years old).
What you really need is a complete security infrastructure. You have to ensure data integrity (against tampering), access control, authentication, digital signatures, etc. From the network architect's view this cries out for a public key infrastructure solution (PKIX).
You might want to look at this page at securityportal.com. It's a good starting point on PKIX. -
You can get the MAC of most PC's on the Internet.
The current situation is this: any PC running Windows 95/98/NT with the Microsoft network client installed will give out its MAC address if you query it. Hence the vast majority of all computers on the Internet right now give out their MAC addresses.
-
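The query the comment above alludes to is the NetBIOS name service node status request, the datagram `nbtstat -A <ip>` sends to UDP/137: a host running the Microsoft network client answers with its NetBIOS name table and, in the UNIT_ID field at the start of the STATISTICS block, its adapter MAC (RFC 1002). The following is an added example, not code from the original page or from SecurityPortal. It builds that request, parses a reply, and, so that it runs offline, parses a constructed sample reply rather than a real capture; the host names, suffixes and MAC in the sample are made up.

```python
"""NetBIOS node status (NBSTAT) request builder and reply parser.

Added example; the sample reply in build_sample_response() is constructed,
not captured from a real host.
"""
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021            # question / RR type for a node status request (RFC 1002)
CLASS_IN = 0x0001
FLAG_RESPONSE = 0x8000     # header flags: response bit
NAME_FLAG_GROUP = 0x8000   # NODE_NAME flags: group name (otherwise unique)


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 14.1 encoding: every byte becomes two letters 'A'..'P', one per nibble."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes before encoding")
    out = bytearray()
    for b in raw16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def build_node_status_request(trn_id: int = 0x1234) -> bytes:
    """The 50-byte datagram nbtstat -A sends: an NBSTAT query for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + first_level_encode(b"*" + b"\x00" * 15) + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data: bytes) -> dict:
    """Return the name table and the UNIT_ID (adapter MAC) from an NBSTAT reply."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & FLAG_RESPONSE or an < 1:
        raise ValueError("not a node status response")
    off = 12
    if data[off] & 0xC0 == 0xC0:        # compressed pointer back to the question name
        off += 2
    else:                               # label sequence terminated by a zero byte
        while data[off] != 0:
            off += 1 + data[off]
        off += 1
    rr_type, rr_class, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rr_type != NBSTAT or rr_class != CLASS_IN:
        raise ValueError("answer is not an NBSTAT record")
    rdata_end = off + rdlen
    num_names = data[off]
    off += 1
    # Each NODE_NAME entry is 18 bytes; UNIT_ID (6 bytes) follows the last one.
    if off + 18 * num_names + 6 > rdata_end or rdata_end > len(data):
        raise ValueError("truncated name table or statistics block")
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        name_flags = struct.unpack_from(">H", data, off + 16)[0]
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" "),
            "suffix": suffix,            # 0x00 workstation service, 0x20 server service, ...
            "group": bool(name_flags & NAME_FLAG_GROUP),
        })
        off += 18
    mac = ":".join(f"{b:02X}" for b in data[off:off + 6])   # UNIT_ID = adapter MAC
    return {"trn_id": trn_id, "names": names, "mac": mac}


def query_node_status(host: str, timeout: float = 2.0) -> dict:
    """Live query over UDP/137; only call this against hosts you are allowed to probe."""
    req = build_node_status_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


def build_sample_response(trn_id: int = 0x1234) -> bytes:
    """Constructed reply (made-up names and MAC) shaped like a Windows NT answer."""
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + first_level_encode(b"*" + b"\x00" * 15) + b"\x00"
    table = [(b"WORKSTATION", 0x00, 0x0400),   # unique name, active
             (b"WORKGROUP", 0x00, 0x8400),     # group name, active
             (b"WORKSTATION", 0x20, 0x0400)]   # server service, unique
    rdata = bytes([len(table)])
    for name, suffix, name_flags in table:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", name_flags)
    unit_id = bytes.fromhex("00A0C9112233")    # made-up MAC
    rdata += unit_id + b"\x00" * 40           # rest of the 46-byte STATISTICS block zeroed
    rr = struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr_name + rr + rdata


if __name__ == "__main__":
    print(parse_node_status_response(build_sample_response()))
```

The parser checks the name-table and UNIT_ID offsets against RDLENGTH before reading them, which matters when you point it at arbitrary hosts: a malformed or truncated reply raises instead of returning garbage for the MAC.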
Re:Excellent timing
The Linux Administrator's Security Guide by Kurt Seifried is a pretty expansive online reference on securing Linux systems.
As an answer to your question, it has a long description of log files, how to use them and suggested tools for automatically checking them, but it is still mostly aimed at prevention rather than finding out how they got in in the first place.
For a list of exploits try Bugtraq or rootshell.
The second good thing about LASG is the extensive list of references (also online) for more detailed information. -
They shoulda read the LASG
Linux Administrator's Security Guide http://www.securityportal.com/lasg/
-
ms linux
not too long ago, someone at securityfocus.com said something along the lines of... it's only a matter of time before ms comes out with their own distro of linux. the guy then got flamed. he then wrote a piece about his opinion and reasons behind them.
check it out at http://securityportal.com/coverstory19990830.html -
info: security distributions & resources
see the Linux Weekly News' Security page for information on Linux security projects which are already under way:
Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux
Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive
Distribution-specific links
Caldera Advisories
Debian Alerts
Red Hat Errata
SuSE Announcements
Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal