Bryce T. Pier wrote:

>Absolutely, but that's being much more specific than I meant. I would suspect 
>the data collection software is less frequently attacked than the OS it's 
>running on or other exposed services.
>  
>
4 years old, but still an example of a data collection bug.

http://www.crimelabs.net/docs/syslog-flood.txt

The syslog daemon, as shipped with several flavors of Unix,
accepts UDP connections and log commands from any IP address.
In some unices, this ability is enabled at compile time, and cannot be
deactivated without recompiling syslogd.

IMPACT:

Vulnerable Systems can easily be DOS'd by any malicious person--they
can simply send enough syslog messages to fill up all your
disk space.

>>>Configuration control isn't nearly as important as other security
>>>measures.
>>>      
>>>
>>I would have to strongly disagree, misconfigured software can expose
>>a lot more holes. Chrooting can help even the most vulnerable or
>>misconfigured systems but even a poorly configured chroot can be
>>somewhat pointless. Stack-smashing-protection like
>>http://www.trl.ibm.com/projects/security/ssp/ can secure some of the
>>buggiest apps but misconfiguring the app can negate those protections.
>>    
>>
>
>My point wasn't that configuration wasn't important, it was that you should 
>use as many layers of security of different types as possible (which is 
>really more important). 
>

I think of configuration control as being the very beginning of 
enabling a feature in software, whether you configure it ./configure 
--with-A-BIG-NASTY-EXPLOIT
or it's an option in the config file/registry.

Seems that Will was complaining about the security deprivation caused by 
Windows' lack of complete configuration control, which I too believe is a 
more important aspect of securing any OS than other measures. If you 
want 100% security unplug it, burn the evidence, and kill the witnesses.

Instead of waiting for MS to roll out "patches", often one could simply 
change a configuration (added security layer).

>Such as chrooting as you said, etc. Just knowing that 
>your configuration of an app is rock solid isn't enough. If an exploit is 
>found in that app's handling of input for example, the configuration of the 
>app doesn't much matter. 
>  
>

Sure it does, what types of input is that app accepting?
The app may not need to accept such input.
Like above, anyone could DOS the system from anywhere, unless you 
configured syslog or the firewall (if any) differently.
Leave UDP 514 open and you're stuck. Configuring syslog to use another 
port and configuring a firewall to forward only your network to the 
DMZ'd syslog server and your security just improved without any 
patching, "upgrades", or loss of service.

>Which leads us back to my initial point that IT departments of most companies 
>won't just install new packages without very good reason because standard 
>security practice is to remove as many packages from a system as possible. 
>  
>

If we install them for good reason then it seems more sensible to secure 
them for the same reasons rather than remove them due to security concerns.
Like you said, KISS, but protecting users from themselves isn't so simple.
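[Editor's note: the following is an added example illustrating the syslog configuration point made in the message above; it is not part of the original mail, nor code from the crimelabs advisory.] The message argues that the syslog-flood problem (any host on the network can fill your disk via UDP 514) is a configuration issue: restrict which sources the collector listens to, and the exposure goes away without a patch. The sketch below is a small UDP syslog receiver that enforces exactly those defences in software, so you can see what "accept only your network" and "don't let one sender fill the disk" look like as checks: a source allowlist, a per-source token-bucket rate limit, and a free-disk guard. The allowed network 10.0.0.0/8, the alternate port 5514, the log path /var/log/remote.log and the thresholds are assumptions chosen for the example; the counters give a defender something to alert on (a spike in drop:rate or drop:source is a flood in progress).

```python
"""Hardened UDP syslog receiver sketch (added example, not from the original mail).

Assumptions: internal network 10.0.0.0/8, listening on UDP 5514 instead of 514,
writing to /var/log/remote.log. Change these for a real deployment.
"""
import ipaddress
import re
import shutil
import socket
import time

# RFC 3164-style datagram: "<PRI>rest of message"
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(data: bytes):
    """Split a datagram into (facility, severity, message).
    Returns None when the <PRI> header is missing or out of range (> 191)."""
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 7, m.group(2).decode("utf-8", "replace")


class TokenBucket:
    """Per-source rate limiter: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SyslogGuard:
    """Decides whether a datagram from src_ip may be written to disk."""

    VERDICTS = ("accept", "drop:source", "drop:malformed", "drop:rate", "drop:disk")

    def __init__(self, allowed_nets, rate=100.0, burst=200,
                 min_free=512 * 2**20, disk_free=None):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.rate, self.burst, self.min_free = rate, burst, min_free
        # Injectable for tests; defaults to the real free space under /var/log (assumed path).
        self.disk_free = disk_free or (lambda: shutil.disk_usage("/var/log").free)
        self.buckets = {}
        self.counters = {v: 0 for v in self.VERDICTS}

    def decide(self, src_ip, data, now=None):
        verdict = self._decide(src_ip, data, time.monotonic() if now is None else now)
        self.counters[verdict] += 1  # per-verdict counts are what you would graph/alert on
        return verdict

    def _decide(self, src_ip, data, now):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.nets):
            return "drop:source"          # the "only your network" firewall rule, in software
        if parse_pri(data) is None:
            return "drop:malformed"
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst, now)
        if not bucket.take(now):
            return "drop:rate"            # one chatty or hostile host cannot monopolise the log
        if self.disk_free() < self.min_free:
            return "drop:disk"            # stop before the flood fills the filesystem
        return "accept"


def serve(guard, bind=("0.0.0.0", 5514), logfile="/var/log/remote.log"):
    """Blocking receive loop; only datagrams the guard accepts reach the log file."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(logfile, "ab") as out:
        sock.bind(bind)
        while True:
            data, (src_ip, _port) = sock.recvfrom(8192)
            if guard.decide(src_ip, data) == "accept":
                out.write(src_ip.encode() + b" " + data.rstrip(b"\r\n") + b"\n")
                out.flush()


if __name__ == "__main__":
    serve(SyslogGuard(["10.0.0.0/8"]))
```

Running it stand-alone starts the listener on UDP 5514; the `now` and `disk_free` parameters exist so the decision logic can be exercised offline with constructed datagrams and a fake clock, which is how the checks below drive it.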
