
RE: Hacked web server

From: Ryan Yagatich <ryany(at)pantek.com>
Date: Fri Jan 24 2003 - 12:24:24 EST


Jason et al,

        You are absolutely correct, anything that automatically updates a system is bringing in additional issues itself (i.e. the updating software and any updates that haven't been tested). That is part of what makes Pantek Server Security Guard better than things like Windows automatic updates, or things like 'auto-rpm'. I don't usually like to plug commercial products on lists like this, however with Pantek Server Security Guard the updates are applied manually. Since this is not meant to be an advertisement, you can find information regarding it at http://www.pantek.com/security/ .

        When I referenced the Automatic Updates, I didn't really explain what I was getting at enough. Basically, my point of view is that not only is it there for the people who are uneducated or do not have the resources to go to windowsupdate.microsoft.com, but maybe it can be something to alert that there are vulnerabilities out there besides service pack updates to the systems.

        Now, there are some pitfalls to it because upon the first initialization of it (I believe by default) the configuration is set to automatically download and automatically install them so the user doesn't have to do any work. The user just clicks on OK to be ready to install the automatic updates. This is a problem because it doesn't really alert them that security is an issue, but that the computer mysteriously can re-boot some mornings at 03:00. I think that a notifying service of some form could be more successful at keeping people from updating and not paying attention to what is being updated.

        This then brings in the fact that there are services like the above mentioned, where companies will install the updates on the system for you. This to many comes across with things like 'if Microsoft already does it (or if auto-rpm already does it), why do I need to pay for a service, or for one of my administrators to take the precious time out of their day to do it'. Things like if the company has their own custom written software on the system that is linked against specific libraries and versions of those libraries, the software could break at any point because of the update.

        But, as I mentioned, you are absolutely correct. Anything that automatically downloads and executes applications is by far something that brings in more elements of insecurity, but when used appropriately (i.e. using it more as a notification service than an installation/update service) it _can_ bring a bit of knowledge to the end administrator that there are applications that need to be updated on a regular basis. Then again, if they don't care, then it's completely useless.

,_____________________________________________________,
\ Ryan Yagatich                     support@pantek.com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /
\___5AD777E93D62CC6D850A4DD3F2F730F882532B502A777873___\

On Mon, 20 Jan 2003, Jason Coombs wrote:

>Ryan,

<original message snipped>



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sat Jan 25 10:05:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT
