On 7/6/2010 5:34 PM, Whit Blauvelt wrote:
> On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
>
>
>> My point is these 'security metrics' businesses that are paid, generally
>> by credit card companies, to do these software scans and don't ever do
>> these most basic checks. Not that
On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
> My point is these 'security metrics' businesses that are paid, generally
> by credit card companies, to do these software scans and don't ever do
> these most basic checks. Not that my quoted text is the name of one of
> these compa
On 7/6/2010 4:49 PM, John Jasen wrote:
> John Hinton wrote:
>
>> On 6/30/2010 8:54 PM, John Jasen wrote:
>>
>>> Well, I'm a security admin, so of course protection is more important
>>> than utility! :)
>>>
>>> But seriously, the assessment tools provide information on your
>>> environmen
John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>>
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>> c
On 6/30/2010 8:54 PM, John Jasen wrote:
> m.r...@5-cent.us wrote:
>
>> John Jasen wrote:
>>
>>> m.r...@5-cent.us wrote:
>>>
Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>
>> Sorry, you lost me here. I tur
m.r...@5-cent.us wrote:
> John Jasen wrote:
>> m.r...@5-cent.us wrote:
>>> Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
> the printers, and left it off. This, of course, slows things
On Wed, Jun 30, 2010 at 5:02 PM, wrote:
> Frank, I'm not sure of the object of your part of the conversation, me, or
> the security team that I have to deal with. I'm also feeling as though
> we're talking past each other. They ran the scan. My manager handed the
> response handling of it to me.
On Jun 30, 2010, at 6:03 PM, Les Mikesell wrote:
> On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
>>> companies/business units/administrators police themselves so you need
>>> metrics for someone else to test with. And even internally you need to
>>> document why the failure of any standard check
On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
>> companies/business units/administrators police themselves so you need
>> metrics for someone else to test with. And even internally you need to
>> document why the failure of any standard check should be overlooked.
>
> No, the security people shoul
But the point is that the original poster is NOT the one running the
scan. And the results of the scan (complaining about
vulnerabilities based on version numbers) indicates that it is not a
true 'security' scan anyway. For (almost) every CVE issued, there
is a way to mitigate the risk that does
Les Mikesell wrote:
> On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
>>
>> Frank, I'm not sure of the object of your part of the conversation, me,
>> or the security team that I have to deal with. I'm also feeling as though
>> we're talking past each other. They ran the scan. My manager handed the
>
On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
>
> Frank, I'm not sure of the object of your part of the conversation, me, or
> the security team that I have to deal with. I'm also feeling as though
> we're talking past each other. They ran the scan. My manager handed the
> response handling of it t
John Jasen wrote:
> m.r...@5-cent.us wrote:
>> Frank Cox wrote:
>>> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's "Sec
m.r...@5-cent.us wrote:
> Frank Cox wrote:
>> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>>> the
>>> printers, and left it off. This, of course, slows things down a lot,
>>> but
>>> it's "Secure".
>> The poin
Frank Cox wrote:
>
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>> the
>> printers, and left it off. This, of course, slows things down a lot,
>> but
>> it's "Secure".
>
> The point is that the security scan i
On Wed, Jun 30, 2010, Frank Cox wrote:
>
>On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>> the
>> printers, and left it off. This, of course, slows things down a lot,
>> but
>> it's "Secure".
>
>The point is that
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
> the
> printers, and left it off. This, of course, slows things down a lot,
> but
> it's "Secure".
The point is that the security scan is supposed to be verifying t
Jim Wildman wrote:
> On Wed, 30 Jun 2010, Frank Cox wrote:
>> What is the point of doing a security scan under conditions that are not
>> actually "live"?
>>
>> It sounds like moving the flammable materials out before a fire
>> inspection, then moving them right back in when the inspector leaves.
For most (large) organizations, security scans have NOTHING to do with
increasing security, and everything with being able to answer "Yes"
to a question like "Do you regularly scan for known defects?",
probably for a VISA type compliance check.
If you don't already know, you really don't want to k
Frank Cox wrote:
>
> On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
>> I understand that. We had a scan a few months ago (and they're about to
>> do it again), and to satisfy it, I had to turn off the h/d/ramdisks in
>> our laser printers
>
> What is the point of doing a security sc
On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
> I understand that. We had a scan a few months ago (and they're about to
> do
> it again), and to satisfy it, I had to turn off the h/d/ramdisks in
> our
> laser printers
What is the point of doing a security scan under conditions tha
Les Mikesell wrote:
> Kai Schaetzl wrote:
>> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>>
>>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
>>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>>
>> Remove that module from httpd.conf and try again. If it
Kai Schaetzl wrote:
> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>
>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>
> Remove that module from httpd.conf and try again. If it still gives that
> warni
Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
Remove that module from httpd.conf and try again. If it still gives that
warning you've proven the tool is bra
On Tue, Jun 29, 2010 at 8:55 PM, John Jasen wrote:
> Googling the CVE # and the vendor will usually turn up the patched
> version or disposition quickly.
An easy way to nail down CVE verifications is via
http://www.redhat.com/security/data/cve/
This url allows you to search and verify CVE issue
On Tue, 29 Jun 2010, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do yo
Kwan Lowe wrote:
> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities? Is
>> there an official document about what known vulnerabilities have been
>> fixed
On 06/29/2010 03:52 PM, Les Mikesell wrote:
>
> It's internal, but requires a formal response - or an application
> update. The test tool says:
>
> These are the reported vulnerabilities
>
> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
> 'mod_proxy_ftp' Wildcard Characters C
On 6/29/2010 4:37 PM, Bill Campbell wrote:
> On Tue, Jun 29, 2010, Brian Mathis wrote:
>> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell wrote:
>>> What's the correct response to a security scan that points out that
>>> apache versions below 2.2.14 have multiple known vulnerabilities? Is
>>> there
On Tue, Jun 29, 2010, Brian Mathis wrote:
>On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities? Is
>> there an official document about what known vulnerabili
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS upda
On 6/29/2010 5:11 PM, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do yo
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS upda
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in the RHEL/CentOS updates or do you have to wade through the
changelog to try to