Thursday, September 25, 2008
THE INFOCAPALYPSE IS NIGH UPON YOU!
I swear, I want to take a clue-by-four to some of these so-called “computer network security consultants.”
One of our clients just received an audit from these people, and just like the last time (although last time it was some other company) this audit report is just as inane, if not shorter (thankfully).
For instance, this lovely bit (not the full table):
Protocol | Port | Program | Status | Summary |
---|---|---|---|---|
ICMP | | Ping | Accepting | Your computer is answering ping requests. Hackers use Ping to scan the Internet to see if computers will answer. If your computer answers then a hacker will know your computer exists and your computer could become a hacker target. You should install a firewall or turn off Ping requests. |
Really? Hackers can use ping to target my computer?
THIS IS A XXXXXXX WEBSERVER YOU MORONS! DISABLING ping WON'T “HIDE” THIS COMPUTER FROM HACKERS! XXXXX XXXXXXX XXXXXX IS THIS STUPID!
Okay.
I'm calming down now.
And to be fair, it may be that these so-called “computer network security consultants” had no idea what the computer was tasked to do and erred on the side of Armageddon.
But generally, I feel such reports are, at best, worthless and at worst, scaremongering tactics to extract a lot of money (link picked at random) for what you get, which is nothing more than a list of open ports that may “help a hacker to gather information about what is running on this machine and what kind of machine you have.” Have these people not heard that security through obscurity doesn't work? That if I have to hide what I'm actually using I've already lost? That a false sense of security is bad because you're deluding yourself that you are safe?
Sheesh.
In fact, the entire report can be boiled down to:
We found a computer at this IP address. This is bad because then “hackers” can break into the computer and do bad “hacker” things. Cut the network cable, yank the power cord, smash the computer to bits, embed in concrete, dump into the middle of the Pacific ocean, and nuke the site from orbit, just to make sure everything is secure.
“I'm refusing to run this program and you don't like it!”
And while I'm on the subject of security through annoyances, if you ever find yourself trying to use FastCGI under Apache using suEXEC, keep in mind that suEXEC is very fussy and won't run any program unless it passes a 20 point inspection test.
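Before digging through suEXEC's log for the rule it tripped on, it helps to test the program against those rules yourself. The following is an added example, not code from the original post or from Apache: a Python precheck that applies the identity and file-system rules from suEXEC's documented security model (target user not root and above the compiled-in minimum id, program under the web space, directory and program not writable by others, no setuid/setgid bit, program and directory owned by the target user and group). It does not cover the rules about how httpd invokes the wrapper, the UID_MIN/GID_MIN values are suEXEC's build defaults rather than anything read from your binary, and the sample tree in demo() is constructed on the fly.

```python
import os
import stat
import tempfile

# Defaults compiled into Apache's suexec (--with-suexec-uidmin / --with-suexec-gidmin).
UID_MIN = GID_MIN = 100

def suexec_precheck(program, target_uid, target_gid, docroot=None):
    """Return the suEXEC rules `program` would fail; an empty list means it would run."""
    problems = []
    for name, ident, floor in (("uid", target_uid, UID_MIN), ("gid", target_gid, GID_MIN)):
        if ident == 0:  # target identity must never be root
            problems.append(f"target_{name}_is_root")
        elif ident < floor:  # and must be at or above the compiled-in minimum
            problems.append(f"target_{name}_below_min")
    try:
        st = os.stat(program)
    except FileNotFoundError:
        return problems + ["program_missing"]
    directory = os.path.dirname(os.path.realpath(program))
    dst = os.stat(directory)
    if docroot is not None:  # the program's directory must lie inside the web space
        real_root = os.path.realpath(docroot)
        if os.path.commonpath([directory, real_root]) != real_root:
            problems.append("program_outside_docroot")
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # nobody else may write the directory
        problems.append("dir_writable_by_others")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # nor the program itself
        problems.append("file_writable_by_others")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):  # no setuid/setgid programs
        problems.append("file_setuid_or_setgid")
    if any((s.st_uid, s.st_gid) != (target_uid, target_gid) for s in (st, dst)):
        problems.append("owner_mismatch")  # program and directory must belong to the target
    return problems

def demo():
    """Run the precheck over a constructed sample tree (mkdtemp gives a 0700 directory)."""
    root = tempfile.mkdtemp()
    prog = os.path.join(root, "app.fcgi")
    open(prog, "w").close()
    uid, gid = os.getuid(), os.getgid()
    scenarios = [("clean", 0o755, uid, gid, root), ("world_writable", 0o777, uid, gid, root),
                 ("setuid", 0o4755, uid, gid, root), ("as_root", 0o755, 0, 0, root),
                 ("outside_docroot", 0o755, uid, gid, os.path.join(root, "htdocs"))]
    results = {}
    for label, mode, u, g, docroot in scenarios:
        os.chmod(prog, mode)
        results[label] = suexec_precheck(prog, u, g, docroot=docroot)
    return results
```

Run demo() to see which rule each misconfiguration trips; an empty list for the "clean" case means the only remaining reasons for a refusal are on the httpd side (wrong wrapper user, argument count, environment).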