Hacker News new | past | comments | ask | show | jobs | submit login
Security Professionals: Yes we're vulnerable but that vector will never happen (ballestrini.net)
7 points by foxhop on Aug 19, 2011 | hide | past | web | favorite | 9 comments

I really don't agree with most of this article.

Scanning of file shares is important. You cannot be sure that every machine on your network that has access to that file share has the same, running, correctly configured, up to date, active antivirus application running.

You also can't be sure your UNIX system sharing files to Windows machines (or other NAS) wasn't compromised and used to seed infected files into shares used by those Windows machines. If you simply don't use UNIX or NAS systems to run file shares for Windows domains, you can put AV on the Windows server sharing the files and have it scan on access, and avoid that 'whole system' scan issue.

There's a huge difference between 'root' and 'elevated privileges'. Especially in a Windows environment (which most are these days) - 'Power Users' or other users granted elevated privileges to do things like 'installing their own printer drivers', don't have administrative control over the machine or the domain, but have elevated privileges that can be used to exploit the attack vector. Such privilege is widely used in large corporate environments, and so it shouldn't be discounted.

I'm mixed on the topic of fire-walling off known attacker addresses. Sure, it won't stop anybody willing to put in even tiny effort. It will, however, stop you from getting nailed because someone forgot to update that wordpress system they forgot to tell you they were running. If you have perfect CM (hah), sure, go ahead and ignore the junk scanners on the interwebs. If you have less than perfect CM, such things may help save your ass in a situation you shouldn't be in in the first place.

| If a vulnerability requires root or elevated privileges to occur, don’t waste your time resolving it. If the attacker already has root, you have bigger problems on your hands.

Well said. I've never considered it that way.

| No system is perfect.

A perfect system is an unplugged system.

That's because it's just not true. There are systems in place where even root cannot do things (such as SELinux based systems). These are systems where the security and integrity of the data is paramount - the system is a mere vessel to protect the data. The data may not be allowed to be seen or manipulated by 'root' or other system administrator type user.

I'll grant you, these types of systems are rare - but they do exist.

SELinux might appear more secure, but I seriously doubt the its flawless.

I believe that SELinux was developed in cooperation with federal agencies quite interested in security. While not flawless it's one of the best systems currently available. Claiming that any system that's not flawless is therefore not interesting is the classic security strawman.

Nothing is flawless. It's significantly flawless enough to not matter at the moment, however.

| A perfect system is an unplugged system.

I like that quote, do you recall the owner?

Every security professional ever.

Made it up, but I doubt that I'm the first to say it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact