Date: Wed Nov 23 20:12:16 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: SANS Top 20: Mac OS X? 

On Wed, 23 Nov 2005 08:52:30 EST, Anonymous Squirrel said:

(Writing as a long-time co-conspirator on the Top-20, all the way back to
when it was the Top-10)

> I'm puzzled, SANS remediation is merely patch, turn on the firewall, and
> configure per published guidelines.  That fits for _any_ OS.
> 
> It just doesn't make sense that the _entire_ OS is a "Top 20" yet the
> remediation is so basic.

Actually, it does - the metric for selection was a "bang for the buck", picking
the 20 things that would do the most to change the overall security of a site.
Since the remediation *is* so basic, and the target machines are easily found,
it's a better use of an overworked security geek's time to find the OS X boxes
and fix them than look for (for example) some subtle-but-deadly buggy PHP script
that may or may not be on any of their servers and may or may not be vulnerable
in their configuration...

> Does SANS know something we don't?

Only that there are a lot more OS X boxes that need proper setup and config than
most people realize...

> Is the mere existence of OS X in a
> network so bad that it deserves to be tagged as a "Top 20"?

The problem is that there are enough OS X boxes on networks that are *NOT*
patched, firewalled, and configured that they pose a clear and present danger
to the networks they reside on.

If there weren't as many OS X boxes, or if they were all/mostly done right,
it wouldn't have been a "top 20".