I would like thanks to all contributors of this interesting debate, for their effort.
L. > As with Rob, this is my final say as well. > On Fri, Sep 11, 2015 at 1:38 PM, Petr L?z?ovsk? <lazna at volny.cz>wrote: >> 1. Security through obscurity is your first mistake. There is no such thing. > > Interesting.... It does not exist, but it have article on wikipedia. Sounds > like UFO or Yetti... > "Security through Obscurity" in layman terms is that you provide no > additional valid information to whomever is accessing your system. If you're > URL provides CGI in its path, it points (Doesn't necessarily MEAN) more at > that it is a Linux box than a Windows box. That doesn't mean it isn't, just > that it is more likely to. Looking at HTTP headers, you can find out what OS > your script is running on, what version of PHP, ASP, .NET, whatever. Black > Hats typically keep a very long list of found security holes on every single > version of whatever script processor you're using. Obscurity means you're > just muddying the waters, or hiding facts, or acting like an outright liar. > It doesn't mean your system becomes locked down and people aren't going to be > interested ESPECIALLY if you're found to be on a fat pipe to the net. > Because Security through Obscurity is becoming more mainstream, I'm sure > these Black Hats don't even look at that and have techniques to just get what > they need done. > > >> 2. Assuming that nobody is writing CGI scripts on Windows Servers is your >> next mistake. A lot of systems still do this, a lot of old systems still >> use this technique and some new ones, The attack vector is not necessarily >> through your CGI script itself but through the Windows Web server. Unless >> you have patched and patched and patched your web server, you will be >> attacked. > > Of course I keep my web server software up-to-date, why do you think I do > not did it? I am talking here about my scripts, not about the server SW. But > the server SW is relatively rare too... > "Scripts" and the underlying script processors are what do the processing. > OS updates are one thing, but the script processing engine is another, and so > are the scripts you write. If any one of those three links in the chain are > broken, then buh-bye security. The script processor talks to the OS to get > things done, such as allocate memory, set aside a portion of drive space, > execute other code, etc. If you don't sanitize your inputs 100% of the time > properly, you're subject to losing a LOT of information or having your > machine taken over, or as Rob mentions, resources sold (A thought I hadn't > even thought about). The 'execute other code' should scare the bejezus out > of you. If your system is allowed to run other code (Say, for example, [ ls > -ltr /etc ] to get a directory list), if you don't sanitize your code, > someone can (Not might, CAN if you don't sanitize) change that to [ ls -ltr > /etc ; rm -rf /etc ] and if Apache has access to write anything there, you > have a new install of an OS to do. > The company I work for sells software for the web that runs off both IIS and > Apache under Linux. Both are scrutinized for security even though the main > portion of the software is behind a paywall (Need credentials to get into the > heart and main functions of the system) and all communications are via HTTPS. > All HTTPS does is ensure that no one else knows what you're saying on the > socket, essentially. It doesn't mean that the system isn't hackable. If we > didn't ensure that the login field on the login page wasn't sanitized, then > we're pretty much bending over. > > >> 3. You assume that nobody is interested in your machine. Wrong. A lot of >> people are very interested as they can add your hacked server to their >> bonnet and sell your resources on. Your machine does not have to be >> publicised at all. As an example, I have a private server which I use. It >> has no DNS entry (a common way to search for machines), so is only >> accessible through an IP address which has never been published. It only >> has a single ssh port open and port 80 for a private web server running >> some software there rest of the machine is locked down as best I can. The >> lock down took me a day to do. It is not trivial. My last weekly report >> showed over 200,000 attempts to break into the machine via ssh, http, and >> various CGI exploits. Thats 200,000 robot attempts, the most prevalent was >> an ssh attempt from a single machine which accounted for 72,000 goes. A >> public web server I have has over 1M hacking attempts per week. This is for >> a low usage machine. > > Script kiddies starting codes writen to attack widely spreaded systems, > otherwise it will be not much fun. Some of this codes could be specialized to > intrude minor systems, but I have doubts there are number of working scripts > to successfuly intrude systems with rare occurance. > > Real hackers, those who are experienced in writing WORKING code targeted to > intrude one specific rare system, need a REAL reason to did such job. My > system does not offer such reason.... > > "Real hackers" is funny. I've never met a fake one. > People DO want your machine, and it isn't for fun, but for profit and money, > which is a hell of a lot more motivational than fun. Your mentality is still > pointing at the script kiddy level, not at a high end serious money making > strategies which INVOLVES your computer(s). They don't care what your > computer has on it, what it is running, what your software does, or anything > of the sort. They just want onto your machine to make it do their bidding, > and if you don't ONLY secure the box with updates, and validate that your > code can't be tricked into doing something it shouldn't be doing, then you > might as well just hand the keys over to the black hats. > >> I give your machine less than 24 hours once it is live on the internet if >> you put it on without taking security seriously. You need to get the OS >> patched up, the ports closed down, the web server patched up and correctly >> configured. Out of the box the security on a Windows server (depending on >> the version) is poor. You need to learn what you need to do (and there are >> loads of guides on the internet) otherwise your server will be owned by >> somebody else very quickly. > > As I already wrote, not using IIS. OS is protected by manualy configured > firewall. By concept Security through obscurity using this one > http://wipfw.sourceforge.net/ Intruding script perform OS detection first, > but do not expect BSD firewall on Windows... Simple as it. Did you > understand STO concept now? > A firewall isn't going to save your hide. A firewall is a bunch of holes to > let information flow through to different machines. It is a single point in > which one more more computers are exposed to the net. Firewalls have the > ability to sniff out what inbound traffic is doing and validate if what the > inbound communication is doing is not an attempt to break the TCP/UDP > packaging system, or not allow Torrent traffic, or decide the actions on > whatever different type of communication protocols are out there, but it > ABSOLUTELY WILL NOT protect you against unsanitized code. > What people expect versus what people are going to do are two completely > different things. They may not expect that you're running a BSD firewall on > windows, but then, why would they care? They already know you're running a > web server, so they'll run their suite of tools against it to find those > exploits. > You need to get it through your head that money is the driving force Black > Hats work for. If they have access to ONE of your computers, they may be > able to gain access to more. If they have access to more, they'll turn > whatever they have access to into a cluster. These guys DO-NOT-CARE what > you're running, just that the resources exist and that they want to exploit > it.