Okay, have a question for those who are systems administrators at
either a highly sensitive site (government, intelligence, financial or
insurance data, et cetera)...sites which have INTENSE security
measures in place in EVERY aspect of systems administration.

The question is: WHY is the simple disclosure of the operating system
version such a forbidden item when one TELNETs or FTPs to/from such
site. Our banner displays the following (as an example):

SystemX> telnet SystemY
Trying...
Connected.Escape character is '^T'.

SunOS 5.8

Guard your LOGIN-ID and password. If you think your password has
been
compromised, change your password and contact Corporate Information
Security (CIS) immediately.
Direct LOGIN-ID requests to CIS, Suite 1234, on Form EDP-123.

login: mylogin
Password:
Last login: Mon Jul 28 09:03:14 from SystemX
Sun Microsystems Inc. SunOS 5.8 Generic Patch October
2001

Apparently it is a SERIOUS SECURITY FLAW to advertise that we are at
Solaris 5.8.

For those who agree that such information IS such a security flaw,
please enlighten me.....or does it seem that someone is going too far?

Thanks.

Richard

On 28 Jul 2003 11:51:16 -0700,
Richard E Sgrignoli <Richard.Sgrignoli@highmark.com>, in
<9a3c69df.0307281051.1ba22b51@posting.google.com > wrote:

[example of a telnet session snipped]

+> Apparently it is a SERIOUS SECURITY FLAW to advertise that we are at
+> Solaris 5.8.

Someone has bought into the "security by obscurity" school of
thought. A standard nmap OS fingerprinting portscan may still give up
the OS's ID anyway.

However, if they're still letting telent connections[*] proceed, y'all
have bigger security issues than banner advertising what OS is
running.
[*] unless you're running a secure telnet, or using a OTP mechanism

James
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

Rich Teer wrote:

> Apparently, the people who
> advise this tactic haven't heard of nmap's (and presumably others')
> ability to identify an OS just on it's TCP/IP stack finger print.

According to a recent post, this can be thwarted.

> It's an example of security by obscurity, which is next to worthless.

It might work (if only for a short while) if its Solaris x86
rather than Solaris SPARC or Linux on SPARC rather than Wintel.
You could also try letting it announce itself as VMS rather
than Solaris. I don't expect the rubes to be fooled for very
long though.

-am © 2003

Rich Teer <rich.teer@rite-group.com> writes:

> There is a (somewhat misguided) school of thought that says if
> you advertise the version of the OS you're using, you're giving
> the Bad Guys info to help them crack your systems, so changing
> the banner allegedly thwarts that.

Here's one example of that school of thought. The Recording Industry
Association of America (RIAA) attempts to discourage hackers by
setting their web server's banner to "TST-SECURE-OS". (They actually
run Microsoft IIS 6.0 atop Windows Server 2003.) By all reports, they
are regularly hacked into. See:

Ashlee Vance
RIAA blocks attacks with TST-Secure-OS
The Register (2003-07-25)
http://www.theregister.com/content/6/31983.html

On 28 Jul 2003 11:51:16 -0700, Richard.Sgrignoli@highmark.com (Richard
E Sgrignoli) wrote:

>Okay, have a question for those who are systems administrators at
>either a highly sensitive site (government, intelligence, financial or
>insurance data, et cetera)...sites which have INTENSE security
>measures in place in EVERY aspect of systems administration.
>
>The question is: WHY is the simple disclosure of the operating system
>version such a forbidden item when one TELNETs or FTPs to/from such
>site. Our banner displays the following (as an example):
>
> SystemX> telnet SystemY
> Trying...
> Connected.Escape character is '^T'.
>
> SunOS 5.8
>
> Guard your LOGIN-ID and password. If you think your password has
>been
> compromised, change your password and contact Corporate Information
> Security (CIS) immediately.
> Direct LOGIN-ID requests to CIS, Suite 1234, on Form EDP-123.
>
> login: mylogin
> Password:
> Last login: Mon Jul 28 09:03:14 from SystemX
> Sun Microsystems Inc. SunOS 5.8 Generic Patch October
>2001
>
>Apparently it is a SERIOUS SECURITY FLAW to advertise that we are at
>Solaris 5.8.
>
>For those who agree that such information IS such a security flaw,
>please enlighten me.....or does it seem that someone is going too far?

The idea is that if you know the version of the OS (or application)
one can attempt to exploit the system through the known
vulnerabilities for that OS (or application).

Josh

On Tue, 29 Jul 2003 20:30:05 GMT, hoh@invalid.invalid (Goran Larsson)
wrote:

>In article <26vciv0sbgu7olvsuc8sl5pknf46ohd4e1@4ax.com>,
>Josh McKee <jtmckee@rmac.net> wrote:
>
>> The idea is that if you know the version of the OS (or application)
>> one can attempt to exploit the system through the known
>> vulnerabilities for that OS (or application).
>
>This improves the security just as much as removing the badges on the
>car in an attempt to make it more difficult to steal.

I didn't say it was effective. I merely answered his question.

Josh

Good morning all!

Post your technical queries to ap-csc-english@sun.com if you are based in
the Asia Pacific region (including Australia and New Zealand). This is the
Technical Support area. They should be able to point you in the right
direction.

However, unless you have a Cobalt machine - all other hardware and software
support requires you to have a valid maintenance contract number with Sun.
If you don't have one, be prepared to pay for time and materials costs.

Best regards
Andrew

"Douglas Siebert" <dsiebert@excisethis.khamsin.net> wrote in message
news:bg423d$gqm$1@sword.avalon.net...
> Richard.Sgrignoli@highmark.com (Richard E Sgrignoli) writes:
>
> >Okay, have a question for those who are systems administrators at
> >either a highly sensitive site (government, intelligence, financial or
> >insurance data, et cetera)...sites which have INTENSE security
> >measures in place in EVERY aspect of systems administration.
>
> >The question is: WHY is the simple disclosure of the operating system
> >version such a forbidden item when one TELNETs or FTPs to/from such
> >site. Our banner displays the following (as an example):
>
> > SystemX> telnet SystemY
> > Trying...
> > Connected.Escape character is '^T'.
>
> > SunOS 5.8
>
> > Guard your LOGIN-ID and password. If you think your password has
> >been
> > compromised, change your password and contact Corporate Information
> > Security (CIS) immediately.
> > Direct LOGIN-ID requests to CIS, Suite 1234, on Form EDP-123.
>
> > login: mylogin
> > Password:
> > Last login: Mon Jul 28 09:03:14 from SystemX
> > Sun Microsystems Inc. SunOS 5.8 Generic Patch October
> >2001
>
> >Apparently it is a SERIOUS SECURITY FLAW to advertise that we are at
> >Solaris 5.8.
>
>
> Used to be that knowing what version of what OS you were attacking was
> almost a "must have" to tailor your attacks. Nowadays there are other
> ways (TCP signatures, what ports are listening, the way the software
> responds on standard ports, etc.) that cracker software uses. However,
> while the anti "security through obscurity" crowd will claim that the
> ability to find the OS rev in other ways makes hiding it a useless
> measure, I think you shouldn't give attackers anything for free if you
> have to make them work for it. You'll never stop someone determined to
> get into your particular machine by hiding such info, but if you make
> things hard enough you might make someone who just wants to break into
> any old machine look elsewhere for easier targets.
>
> I don't particularly care for canned lists of security fixes that are
> done without reason. Nowadays you can type "solaris security" into
> google and get various lists of recommendations. But people who grab
> these lists and utilize them, or just add to existing lists over the
> years without considering whether something smart in 1993 is still
> useful in 2003 really annoy me. Sometimes you see things like requiring
> Kerberos be used instead of NIS for security reasons, nevermind that
> there have been several recent security holes in Kerberos but I can't
> remember the last attack against NIS (Kerberos may hide the encrypted
> passwords better but that's no good when you've got remote root holes
> lying around!) Not to say there aren't unknown root holes in NIS but
> complexity is the enemy of security and the simplicity of NIS is your
> friend in this instance.
>
> --
> Douglas Siebert dsiebert@excisethis.khamsin.net
>
> "Suppose you were an idiot. And suppose you were a member of Congress.
> But I repeat myself." -- Mark Twain

In article <bgkbls$48s$1@mawar.singnet.com.sg>, akam@singmail.com
says...
> Good morning all!

[ninth round of spam/troll garbage]

Fuck off, Andrew.

plonk