From: appleseed@hushmail.com
To: security@FreeBSD.ORG
Cc: webmaster@yclan.net
Date: Fri, 6 Jul 2001 15:27:13 -0500 (PDT)
Subject: Re: Hiding Versions
Message-Id: <200107062258.PAA17921@user7.hushmail.com>
List: freebsd-security

Wait a sec... at some point in time you actually wrote:

> Hiding version strings is very pointless. The only use is to let admins be a tad bit more lazy in patching so s'kiddies, who only look for version strings for exploit purposes, will pass by the box. This doesn't stop someone with a clue, so it's a waste of time. Patch the box correctly, and you'll have fewer problems.
>
> Besides, Netcraft is cool. It's nice to see that I have the second longest uptime on campus. :)
>
> This has been discussed many times before; check the list archives.

I'm not responding to flame, but this is silly. Hiding the version is very relevant. It is blatantly ignorant to say that any kind of action that elevates security is in itself moot. For example, say I find a new bug in WallyWebserver version X.
Let's assume I am your average blackhat who codes some decent exploits but does little more than root servers for personal amusement (gee, this personality is rare). More than likely, the first thing I do after testing the bug on my LAN is develop a simple scanner that snags the banner of webservers at random IPs across the net for statistical analysis. What I will then do is process the numbers to determine my overall ratio of WallyWebserver X to other servers, thus giving me an estimate of the total number of potential targets I may find in the wild. The next thing I would do is attempt to exploit this vulnerability on several different platforms to broaden my range of targets. This would be a case where the aggressor is by no means a script kiddie. In fact, situations such as this arise far more often than we tend to realize. Should we allow the individual access to information on our machine? Absolutely not. In information warfare, obviously, the less data our enemies have, the less vulnerable we become.

Example number two is even more prevalent. A script kiddie hangs out on IRC with various hackers of various levels of skill. He happens to hang with just the right people and gets 0day for SuperNeet Webserver version X2. He has a target predefined via some previous confrontation with the owner/admin of the site. The first thing he will do is try to see if the server is running the vulnerable software. You may be patched for known exploits, but what about the 0day you don't hear about? Sure, the kiddie may try the exploit anyway. We see this every day while our UNIX servers are being attacked by Unicode exploitation tools. But many people will determine the server software information before risking exposure or losing a rootshell/proxy due to attack complaints by an unpenetrated target. If we misdirect the aggressor via placed data, it can minimize our vulnerability in both situations. There is no reason why we should dismiss this as a viable tactic of defense.
Sure, it may not stop someone who is determined to penetrate you or die trying. In that case, however, you still must have the wisdom to give the attacker as little as possible. As far as patching is concerned... you can't patch your environment.

BTW, we are all impressed with your uptime ;-)

northern_
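The banner census the message describes (grab the Server header from many hosts, tally product/version, estimate the share of a target version) and the "placed data" counter-move, as an added example that is not part of the original message or of the thread. Everything it scans is a constructed in-memory sample: the host addresses are made up, "WallyWebserver" is the post's own hypothetical product name, and the one host that advertises a forged banner is labelled as such in a comment. Header names are matched case-insensitively and a missing or version-less Server header is counted rather than dropped, since those are exactly the hosts a banner-driven attacker fails to select.

```python
"""Banner census over HTTP responses, offline, on constructed sample data."""
import re
from collections import Counter

# Constructed sample responses (not real hosts): the raw header block a
# banner-grabbing scanner would receive after sending `HEAD / HTTP/1.0`.
SAMPLE_RESPONSES = {
    "10.0.0.1": "HTTP/1.1 200 OK\r\nServer: WallyWebserver/1.2.3\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.2": "HTTP/1.1 200 OK\r\nServer: WallyWebserver/1.2.3 (Unix)\r\n\r\n",
    "10.0.0.3": "HTTP/1.1 200 OK\r\nServer: WallyWebserver/1.3.0\r\n\r\n",
    "10.0.0.4": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n\r\n",
    "10.0.0.5": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",              # version masked
    "10.0.0.6": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",   # forged banner (assumed real software: WallyWebserver 1.2.3)
    "10.0.0.7": "HTTP/1.1 200 OK\r\n\r\n",                                 # no Server header at all
    "10.0.0.8": "HTTP/1.0 403 Forbidden\r\nserver: WallyWebserver/1.2.3\r\n\r\n",  # lower-case header name
}

# Leading product token of a Server value: "product" or "product/version".
TOKEN_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:/([A-Za-z0-9_.-]+))?")


def parse_server_header(raw):
    """Return the Server header value from a raw HTTP header block, or None if absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def product_version(banner):
    """Split a Server banner into (product, version); version is None when masked."""
    if not banner:
        return (None, None)
    m = TOKEN_RE.match(banner)
    if not m:
        return (None, None)
    return (m.group(1), m.group(2))


def census(responses):
    """Tally (product, version) pairs across all scanned hosts, unknowns included."""
    return Counter(product_version(parse_server_header(r)) for r in responses.values())


def target_share(responses, product, version):
    """Fraction of scanned hosts that advertise exactly product/version."""
    c = census(responses)
    total = sum(c.values())
    return c[(product, version)] / total if total else 0.0


def banner_selected(responses, product, version):
    """Hosts a banner-driven attacker would pick as targets, sorted by address."""
    return sorted(
        host for host, raw in responses.items()
        if product_version(parse_server_header(raw)) == (product, version)
    )


def rewrite_banner(raw, new_banner):
    """Simulate a server configured to send a chosen Server header (the post's
    'placed data'); passing None drops the header entirely."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = [l for l in head.split("\r\n") if not l.lower().startswith("server:")]
    if new_banner is not None:
        lines.insert(1, "Server: " + new_banner)
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    for key, n in census(SAMPLE_RESPONSES).most_common():
        print(key, n)
    print("share of WallyWebserver/1.2.3:",
          target_share(SAMPLE_RESPONSES, "WallyWebserver", "1.2.3"))
    print("selected:", banner_selected(SAMPLE_RESPONSES, "WallyWebserver", "1.2.3"))
```

Run as a script it prints the tally and a 3/8 share for WallyWebserver/1.2.3; rewriting 10.0.0.1's banner with `rewrite_banner(..., "Apache")` removes that host from `banner_selected` without changing what it actually runs, which is the post's point about misdirection. The forged host 10.0.0.6 shows the flip side: a census built only from banners undercounts the real population, so an attacker who relies on it alone also misses targets.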