Wait a sec.. at some point in time u actually wrote:
>Hiding version strings is very pointless. The only use is to let admins
>be
>a tad bit more lazy in patching so s'kiddies, who only look for version
>strings for exploit purposes, will pass by the box. This doesn't stop
>someone with a clue, so it's a waste of time. Patch the box correctly,
> and
>you'll have less problems.
>
>Besides, Netcraft is cool. It's nice to see that I have the second
>longest
>uptime on campus. :)
>
>This has been discussed many times before, check the list archives.
Im not responding to flame, but, this is silly. Hiding the version is
very relevant. It is blatantly ignorant to say that any kind of action that
elevates security is in itself moot. For example say I find a new bug in
WallyWebserver version X. Lets assume I am your average blackhat
who codes some decent exploits but does little more than root servers
for personal amusement (gee this personality is rare). More than
likely the first thing I do after testing the bug on my LAN is develop a
simple scanner that snags the banner of webservers at random IPs
across the net for statistical analysis. What I will then do is process
the numbers to determine my overall ratio of WallyWebserver X to
other servers thus giving me an estimate of the total number of
potential targets I may find in the wild. Next thing I would do is attempt
to exploit this vulnerability on several different platforms to broaden
my range of targets. This would be a case where the aggressor is by
no means a script kiddie. In fact, types of situations such as this
arise quite more often than we tend realize. Should we allow the
individual access to information on our machine? Absolutely not.
In information warfare obviously the less data our enemies have
the less vulnerable we become. Example number two is even more
prevalent. Script kiddie hangs out on IRC with various hackers of
various levels of skill. He happens to hang with just the right people
and gets 0day for SuperNeet Webserver version X2. He has a
target predefined via some previous confrontation with the owner/
admin of the site. First thing he will do is try to see if the server is
running the vulnerable software. You may be patched for known
exploits but what about the 0day you dont hear about? Sure, the
kiddie may try the exploit anyways. We see this every day while our
UNIX servers are being attacked by unicode exploitation tools. But,
many people will determine the server software information before
risking exposure or losing a rootshell/proxy due to attack
complaints by an unpenetrated target. If we misdirect the aggressor
via placed data it can minimize our vulnerability in both situations.
There is no reason why we should dismiss this as a viable tactic
of defense. Sure it may not stop someone who is determined to
penetrate you or die trying. In that case however you still must have
the wisdom to give the attacker as little as possible. As far as
patching is concerned... you cant patch your environment..
BTW, we are all impressed with your uptime ;-)
northern_

Free, encrypted, secure Web-based email at www.hushmail.com

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]