On Fri 26 Sep 2014 10:01:52 NZST +1200, Derek Smithies wrote:

> So - is my ADSL box exploitable - which has linux inside it?
> presumably not - my ADSL box refuses html and ssh login access
> from the wild.

Oops. Presumably yes.

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

Robert Graham of Errata Security, [...]

"However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can't be patched, you are likely screwed.

"A lot of wireless routers shell out to ping and traceroute – these are all likely vulnerable."

> However, in these days of better code/ standard string types that
> don't have overrun issues/ python servers/ how much is overrun a
> problem?

On your server, as much/little as ever. On your little turn-key boxes, "you are likely screwed".

Will Bruce Schneier rate this an 11 again, on a scale from 1 to 10?

> So when testing a server, what are the things (in the light of this exploit)
> that one could do to get into the box? Since one knows how to get
> in, one knows how to secure it.

Nope. You might find out how to "get in" to your ADSL/wifi/whatnot, but that still doesn't tell you how to secure it (other than by taking the whole box to the dump).

This is the main reason why all this consumer shite couldn't be further away from being a security device, whatever else it may be, like a splendidly easy MITM facilitator.

I know only one company that supplies updates for their modems in a timely fashion - AVM for their Fritzboxes. The rest doesn't even understand the word "update", never mind "timely".

Borrowing from an old saying about some other company: The only secure consumer electronics product is the one still shrink-wrapped on the shelf.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/
Please do not CC list postings to me.

_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
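The thread's practical question is whether a given bash still needs the patch. The following self-check is an added example, not part of the original post or the article it quotes; it assumes a POSIX sh and takes the path of the bash binary to test as its only argument (defaulting to whatever `bash` is on PATH).

```shell
#!/bin/sh
# Added example: verify whether a bash binary still executes commands
# appended to a function definition imported from the environment
# (the bug class the thread discusses). A patched bash treats the
# constructed value below as an ordinary variable and runs nothing
# after the function body.
#
# Return codes:
#   0 - patched: trailing command was NOT executed
#   1 - unpatched: trailing command WAS executed
#   2 - no usable bash binary found at the given path
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || return 2

  # Constructed environment value: an empty function followed by a
  # command that prints a marker. Only a vulnerable bash parses past
  # the closing brace and runs the echo while importing the variable.
  marker="SHELLSHOCK_CHECK_MARKER"
  out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'true' 2>/dev/null)

  case "$out" in
    *"$marker"*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Human-readable wrapper for interactive use.
report_bash() {
  rc=0
  shellshock_check "$1" || rc=$?
  case "$rc" in
    0) echo "${1:-bash}: patched" ;;
    1) echo "${1:-bash}: VULNERABLE, needs a bash update" ;;
    *) echo "${1:-bash}: bash not found" ;;
  esac
  return "$rc"
}
```

Run it against every bash you can reach on the box (firmware images often ship more than one), since a router whose CGI scripts or ping/traceroute helpers go through an unpatched bash is exactly the case the quoted article describes.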
