[geeks] Security People haven't heard of OpenBSD!

Greg A. Woods geeks at sunhelp.org
Sat Nov 3 12:18:25 CST 2001


[ On Saturday, November 3, 2001 at 21:27:38 (+1100), Scott Howard wrote: ]
> Subject: Re: [geeks] Security People haven't heard of OpenBSD!
>
> On Fri, Nov 02, 2001 at 05:05:56PM -0600, Bill Bradford wrote:
> >
> > It was full of stuff like "this system is running NFS".  We were like 
> > "no shit."

Yeah -- I've not yet met any so-called security auditing company who is
honest, intelligent, and who knows enough about customer requirements
and risk analysis to even give the time of day to (not counting my own,
of course! ;-).  I'm sure they exist -- I just haven't yet met one that
I can honestly evaluate; but I have been handed reports like this
from many who are clearly fly-by-night shysters.

They feed off the incredibly high cost-benefit ratio they can get from
mostly automated reporting tools vs. the outrageous prices they charge.
They often also use it as a sales tool with the fear mongering they do
to get followup work from the sucker, er, I mean customer.  :-)

> We get one of these done each year (as dictated by our "Operational Risk"
> people)...
> 
> This year they looked over one of our Internet facing, massively cutdown
> (for security of course) machines. The report contained things like :

Not atypical from what I've seen over the years.  Ever since a lot of
automated scanners have come out there have been a lot more people
getting taken to the cleaners by people like this.  There's quite a
difference between a quick cursory audit (that can be done cheaply by an
inexperienced person, and/or by an automated tool), and someone who
claims to provide in-depth security analysis and ends up giving just
these same kinds of lame reports but at ten or more times the cost they
should be done for.

Back about ten years ago I worked on the R&D of one of the first
successful commercial systems security monitoring tools, and I did
manual cursory audits of many types of systems to gain the experience
necessary to automate the job.  Unfortunately even when you tell some
people that they're just getting a basic audit that compares their
system against a de facto normative standard and explicitly does not
take their specific requirements or risk analysis into account, they'll
often still get all defensive and accusatory.  :-)

On the other side of the exchange sometimes I've been handed reports
that I'm absolutely certain were the result of an automated scanner
running on some totally separate machine (maybe on the auditor's own
machine! ;-).  Once I was able to prove they'd never ever even logged in
on the subject system!

Worst was the time a so-called security company claimed they'd breached
root access from remote.  They made the claim because they'd run nessus
against our network (their entire report was cribbed from the nessus
report with absolutely zero added value) and it claimed some remote root
exploit might be present in the version of SSH we were running.  I had
patched that bug about four months earlier when it was first reported on
BUGTRAQ and was able to prove that the known exploits failed.  I even
challenged them to repeat the exploit and promised I wouldn't replace
the existing binary, nor even restart sshd.  They did try, and I caught
their exploit attempt in the logs, but they didn't succeed of course.

My client had paid over $10K up-front for the audit.  I told them it
would be well worth their time to sue the auditing company for maybe
$100K or more, but it turned out there were other relationships that I
didn't know about.  I damn near sued my client over it, but since it was
their money, and since they also paid me for the time I spent countering
the stupid lying nessus report, I let it slide....

I should have also run nessus myself, had the report printed in colour
and bound just like theirs was, and submitted it too with a $10K
invoice.  Would have been the easiest and most profitable hour's worth
of work I'd ever done!  ;-)

Anyone else need any security auditing done?  :-)

(seriously, that's one of the things I do, but when I do it you'd better
damn well be able to show me everything, and expect me to examine not
just what patches you have installed and why, but also the very design
and implementation of your networks, firewalls, applications, etc., as
well as of course your physical and people security too; and it's
probably going to cost a lot more than $10K and take a lot longer than
an hour to do!)

> * SunRPC is running on this machine. (You mean this isn't the same as portmap?)

and now the real reason I replied:  No, you don't need portmapper or
rpcbind to be running for SunRPC services to be active -- there are a
few very well known RPC service numbers that are not strictly necessary
to be accessed through the portmapper.  However the only one that comes
to mind right off the top (other than portmapper itself at 111) is NFS
(which is always 2049), and I don't imagine you were running NFS on that
machine....  :-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
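The SunRPC point at the end of the post is easy to check for yourself rather than taking a scanner's word for it: an ONC RPC program answers procedure 0 (the NULL procedure) on whatever port it listens on, so a service bound to a well-known port such as NFS on 2049 can be reached without ever asking the portmapper on 111. The script below is an added example, not code from the post or from any tool it mentions; it encodes an RPCv2 NULL call and decodes the reply header as laid out in RFC 5531 (program numbers 100000 for portmapper and 100003 for NFS come from that standard, not from the post), and the two sample replies are constructed bytes so the parsing can be exercised offline.

```python
import socket
import struct

# Well-known ONC RPC program numbers (RFC 5531 / rpcbind conventions);
# the post only mentions the ports, 111 for portmapper and 2049 for NFS.
PORTMAP_PROG = 100000
NFS_PROG = 100003
NULLPROC = 0            # every RPC program must implement procedure 0
RPC_VERSION = 2

MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


def build_null_call(xid, prog, vers):
    """Encode an RPCv2 CALL for procedure 0 with AUTH_NONE cred and verf.

    Layout (all big-endian uint32): xid, msg_type, rpcvers, prog, vers, proc,
    cred flavor, cred length, verf flavor, verf length -> 40 bytes total.
    """
    header = struct.pack("!IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, NULLPROC)
    auth_none = struct.pack("!IIII", 0, 0, 0, 0)
    return header + auth_none


def parse_reply(data, expected_xid):
    """Decode an RPCv2 REPLY header and report how the call was handled."""
    if len(data) < 12:
        raise ValueError("reply too short for xid/msg_type/reply_stat")
    xid, msg_type, reply_stat = struct.unpack("!III", data[:12])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our call")
    if msg_type != MSG_REPLY:
        raise ValueError("message is not a REPLY")
    if reply_stat == MSG_DENIED:
        return {"accepted": False, "status": "MSG_DENIED"}
    # Accepted reply: verifier (flavor, length, opaque body padded to 4), then accept_stat.
    verf_flavor, verf_len = struct.unpack("!II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)
    (accept_stat,) = struct.unpack("!I", data[off:off + 4])
    result = {"accepted": True, "status": ACCEPT_STAT.get(accept_stat, "UNKNOWN(%d)" % accept_stat)}
    if accept_stat == 2:  # PROG_MISMATCH carries the supported version range
        result["versions"] = struct.unpack("!II", data[off + 4:off + 12])
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-record")
        buf += chunk
    return buf


def probe_tcp(host, port, prog, vers, timeout=3.0, xid=0x5EED1234):
    """Send a NULL call straight to `port` over TCP, bypassing the portmapper.

    Over TCP each RPC record is prefixed with a 4-byte record mark whose high
    bit flags the last fragment; the lower 31 bits hold the fragment length.
    A SUCCESS, PROG_MISMATCH or PROC_UNAVAIL status all prove an RPC server is
    listening there; a refused connection or timeout means nothing answers.
    """
    call = build_null_call(xid, prog, vers)
    frame = struct.pack("!I", 0x80000000 | len(call)) + call
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        (mark,) = struct.unpack("!I", _recv_exact(s, 4))
        record = _recv_exact(s, mark & 0x7FFFFFFF)
    return parse_reply(record, xid)


# Constructed sample replies (not captured from any real host) for xid 0x5EED1234.
SAMPLE_XID = 0x5EED1234
# Accepted, AUTH_NONE verifier, accept_stat SUCCESS: the program is there.
SAMPLE_SUCCESS_REPLY = struct.pack("!IIIIII", SAMPLE_XID, MSG_REPLY, MSG_ACCEPTED, 0, 0, 0)
# Accepted but PROG_MISMATCH: server speaks versions 2..4 of the program.
SAMPLE_MISMATCH_REPLY = struct.pack("!IIIIII", SAMPLE_XID, MSG_REPLY, MSG_ACCEPTED, 0, 0, 2) + struct.pack("!II", 2, 4)


def demo():
    """Parse the constructed replies; returns both decoded results."""
    return parse_reply(SAMPLE_SUCCESS_REPLY, SAMPLE_XID), parse_reply(SAMPLE_MISMATCH_REPLY, SAMPLE_XID)


if __name__ == "__main__":
    print(demo())
    # To check a host you administer, e.g. probe_tcp("127.0.0.1", 2049, NFS_PROG, 3)
```

Running `probe_tcp` against port 2049 on one of your own machines tells you directly whether an NFS server is answering there, independent of what rpcbind advertises; that is the distinction the post draws, and it is also why an auditor's line "SunRPC is running" says nothing about portmapper on its own.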



More information about the geeks mailing list