[sf-lug] last meeting... + security

Rick Moen rick at linuxmafia.com
Thu Apr 5 17:26:22 PDT 2012


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Wonder how crackers bypass your firewall and infect your system.
> Easy, get in from an infected web site you are surfing.
> How you ask?
> 
> Evil hides everywhere: Web Application Exploits in Headers
> http://isc.sans.edu/diary/Evil+hides+everywhere+Web+Application+Exploits+in+Headers/12904

Um... if you read that carefully, you will see that it's not discussing
attacks against users from Web sites.  It's discussing attacks against
Web sites using deliberately misshapen _client_ Web queries, using 
HTTP POST operations that pull concealed attack data stashed in the HTTP
headers' HTTP_USER_AGENT environment variable.

So, the ISC blog's cautionary point isn't directed at users but rather
at careless Web designers who cannot be bothered to properly validate
input data sent to Web applications (on Web sites) from any-old-place
anywhere on the planet over 80/tcp (HTTP) transport.  In particular,
it's warning them to not just filter input data half-assedly and to
remember that _all_ input data received from public networks must be
received skeptically and not just hurled at software in a happy-go-lucky
manner, including even the remote user's user agent string.


> How many security advisories are you missing today?:(

So, apropos of that, every major Linux distro has a low-traffic
announcements-only mailing list for security advisories.  It's a really
good idea to subscribe to that mailing list and skim-read the couple of
mails a week they send you.  Over time, you learn how to quickly size
almost all of them up and say 'Oh, doesn't apply to me because I don't 
even have that particular bugware installed', or 'Oh, doesn't apply to
me because I don't have the program configured in that peculiar way that
makes it vulnerable', etc.

You'll also learn about the categories of 'vulnerabilities' that aren't
actually security threats in any meaningful sense against your computer:
(1) DoS attacks against one of your software packages typically mean
only that someone can (at least in theory) send some data that
makes it segfault out of RAM, which is annoying but nothing worse.  In
the cases of software you have running as daemons, it is even less bad
than that, because all that happens is that more instances get spawned
to replace the ones killed off.  (2) 'Cross site scripting'
vulnerabilities are not attacks against your workstation but rather are 
holes in software that can, at least in theory, be used to make your
client workstation (e.g., its Web browser) pull attack data from Web
site A and use that data fed through your browser to attack Web site B.
This is undesirable, of course, but not exactly a local emergency for
you, and is not to be confused with things that threaten _your_
security.

You'll also learn about the huge difference of degree between
theoretical vulnerabilities that might hypothetically be used to attack
something if someone figures out a practical way to do so, and
vulnerabilities for which real exploits actually exist now.

You also learn to ignore what the IT press says about security, because
it's usually entirely worthless.
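As an added illustration of the first point above (this is example code, not
part of the original post or of the ISC diary it cites): a short scanner that
pulls the User-Agent field out of combined-format access-log lines and flags
values that carry code rather than a browser string, plus the strict
validation a Web application should apply before it stores or interprets that
header. The log lines, IP addresses and payloads are constructed for the
example; no real traffic is involved.

```python
"""Flag attack payloads smuggled into the HTTP User-Agent header.

Added example, not code from the original post or the ISC diary it cites.
All sample data below is constructed for illustration.
"""
import base64
import binascii
import re

MAX_UA_LEN = 512

# Tokens that have no business in a browser's user-agent string.
CODE_TOKENS = re.compile(
    r"<\?php|\beval\s*\(|\bsystem\s*\(|\bexec\s*\(|\bpassthru\s*\("
    r"|base64_decode|\$_(?:GET|POST|REQUEST|SERVER)\b|/bin/sh"
    r"|\bunion\s+select\b",
    re.IGNORECASE,
)

# A user-agent that is nothing but one long base64 blob is itself suspicious.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed payload: PHP hidden in base64 so a naive filter sees only letters.
B64_PAYLOAD = base64.b64encode(b"<?php eval($_POST['x']); ?>").decode("ascii")

# Constructed sample log (not real traffic). Lines 2 and 3 carry attack data.
SAMPLE_LOG = "\n".join([
    '10.0.0.1 - - [05/Apr/2012:17:00:01 -0700] "POST /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    '10.0.0.2 - - [05/Apr/2012:17:00:02 -0700] "POST /index.php HTTP/1.1" 200 512 '
    '"-" "<?php system($_POST[\'c\']); ?>"',
    '10.0.0.3 - - [05/Apr/2012:17:00:03 -0700] "POST /index.php HTTP/1.1" 200 512 '
    '"-" "' + B64_PAYLOAD + '"',
    '10.0.0.4 - - [05/Apr/2012:17:00:04 -0700] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "curl/7.22.0"',
])


def classify_user_agent(ua):
    """Return a list of reasons the value looks like a payload; [] means clean."""
    reasons = []
    if not ua.isprintable() or len(ua) > MAX_UA_LEN:
        reasons.append("non-printable or oversized")
    for m in CODE_TOKENS.finditer(ua):
        reasons.append("code token %r" % m.group(0))
    if BASE64_BLOB.match(ua):
        # Decode strictly; junk that merely looks like base64 is ignored.
        try:
            decoded = base64.b64decode(ua, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = ""
        if CODE_TOKENS.search(decoded):
            reasons.append("base64 blob decodes to code: %r" % decoded[:40])
    return reasons


def scan_log(text):
    """Yield (ip, user_agent, reasons) for every log line whose UA is flagged."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = classify_user_agent(m.group("ua"))
        if reasons:
            hits.append((m.group("ip"), m.group("ua"), reasons))
    return hits


def validate_user_agent(ua):
    """What a careful Web app does before storing or interpreting the header.

    Rejects rather than "cleans": a header that fails the check is dropped.
    """
    if classify_user_agent(ua):
        raise ValueError("refusing suspicious User-Agent header")
    return ua


if __name__ == "__main__":
    for ip, ua, reasons in scan_log(SAMPLE_LOG):
        print(ip, repr(ua), "->", "; ".join(reasons))
```

The point of the base64 branch is the one the diary makes: the hostile data is not visible to a filter that only looks for `<?php` in the raw header, so the check has to be applied to whatever the application would actually feed to `eval()`, `include`, a shell, or a database, not to the bytes as they arrived. Treating the header as opaque text to be rejected on suspicion, as `validate_user_agent` does, is the cheap version of the "receive all input skeptically" rule above.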




