Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
Games There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
Thread beginning with comment 472034
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Wait a minute. uh.. patches..
by jabbotts on Fri 6th May 2011 13:55 UTC in reply to "Wait a minute."
jabbotts
Member since:
2007-09-06

One example of older version numbers is Iceweasel (firefox 3.6.?) in Debian. However, one example of up to date patches is Debian patching Iceweasel (firefox) or the relevant affected library.

When we're talking security, it's not the latest bleeding edge version release but the latest patch level which is important. Actually, having the latest bleeding edge version usually puts you at greater risk. There is a very good reason why Debian Stable freezes it's list of package versions and just applies security and stability related patches.

And here's the kicker.. hard to keep up to date?

aptitude update && aptitude full-upgrade

tadaa.. now your up to the latest patch version.. "not a big deal" (tm)

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend. And as always, every network attached device should be running filtering rules in addition to any mid level or perimiter filtering (firwalls) implemented.

In security terms, Sony wasn't even up to the stage of colouring with crayons. They got caught eating the crayon label paper and sticking broken bits of wax up there nose.

Reply Parent Score: 2

WereCatf Member since:
2006-02-15

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend.


Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

I agree. A seporate appliance or server box between your server and the outside world is preferable. iptables on the local machine is still better than nothing though and head and sholders better than Sony seems to have done. All the mitigation in the world on top of your apache isn't going to be much good if iptables underneath your apache still leaves the system wide open (not to mention the number of services that use a loop back port but have no justification for being accessible from outside localhost).

Reply Parent Score: 2

Snapper Member since:
2005-11-16

[quote]
Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.[/quote]

Nope, it is not pointless. It prevents the admin from making a mistake in opening another app by mistake or due to a problem with an update process.

It is another layer of defense. I you know your Apache box is only supposed to be listening on port 80/443 then put the IP filter in there. It may just protect you from an internal compromise.

Reply Parent Score: 1

orestes Member since:
2005-07-06

Haven't done much work with corporate machines I take it. Sane admins don't go off installing updates without understanding what they'll do to the running systems. Admins who wish to remain employed also don't run around rebooting mission critical systems whenever updates pop up.

That doesn't excuse piss poor security practices, but there's a hell of a lot more to the process than aptitude update && aptitude full-upgrade

Reply Parent Score: 2