Comments on Netragard's SNOsoft Research Team: Hosted Solutions – A Hackers Haven
Blog author: Adriel Desautels (http://www.blogger.com/profile/16119732948300414743)
Comment feed last updated 2017-09-03

Anonymous, 2010-05-07 14:39 -07:00

Can you help me hack a bank? Or can you do it for me???

Jon DiPietro (https://www.blogger.com/profile/09861859238761416573), 2009-11-12 11:33 -08:00

I see your point, but disagree with the conclusion. Your logic is true enough; one cannot dispute the mathematics of the server farm vulnerability. However, it seems to me that your conclusion is based on the supposition that the in-house system would be "as secure" as the hosted version. In my experience they rarely are. It takes a highly trained, vigilant, and dedicated staff to ensure that a self-hosted system has the high availability of a cloud server.

I speak from the personal experience of someone who battled with worms and hackers back in the day when my company hosted its own web server and Exchange Server. It became such a time drain to make sure that a) we knew what we were doing, b) implemented the proper levels of safeguards, and c) put out fires when they erupted, that we were thrilled to move them off to hosted solutions when they became cost effective.

This is a risk management decision, where one needs to consider both the likelihood of a problem and its consequence. Your point only addressed likelihood and not consequences. When you are hosting your own servers, the consequences of a breach or failure are usually much, much more severe.

Adriel Desautels (https://www.blogger.com/profile/16119732948300414743), 2009-11-01 02:18 -08:00

I recently tried to publish a great comment that outlined some of the assumptions that are commonly made about hosted solutions. As a result, I am going to take the time to write about our penetration of a hosted provider. Hopefully that blog entry will clear the air about the security of "most" providers.

With respect to the comment, I'm not sure what happened, but it clearly didn't post (too bad, because it was a great comment from an anonymous reader).

Mike Hale, 2009-10-26 13:53 -07:00

Overall, I like your post and agree with the conclusion that, from a security standpoint, outsourcing isn't the best solution (generally speaking, anyway).

The assumption that your argument rests on, however, should be an easy assumption to counter. That is, if one 'site' gets hacked, the entire server is. I would hope that for most reputable web hosts a single site does not hold the keys to the kingdom. That is, the server should have mechanisms in place that isolate the sites from each other.

For example, say a certain user (aka website) has full control over their own directory (call it \var\www\sites\userA). I was under the impression that, within Linux, you have the ability to granularly restrict permissions. Thus, any process spawned by that user should *only* have access to \userA. And without access to anything else, the breach should therefore be harmless.

Adriel Desautels (https://www.blogger.com/profile/16119732948300414743), 2009-10-19 13:56 -07:00

In response to the "troll" on October 14, 2009, 6:40 AM:

You said: "You have reached a 10-year-well-known major web security problem... you should be proud of yourself."

You become a part of the problem when you make inaccurate and even ignorant assumptions about "common knowledge". Additionally, this issue isn't about trust; it is about the cumulative risks that people face when they outsource their IT to third-party providers. The math is simple: the larger the attack surface, the higher the risk value. It is almost impossible to host 1,000 websites (or other services) without increasing your risk profile. So, if you're a company that needs to host 1 website, why increase your risk by 1000 points?

Anonymous (signed Glib Pakharenko), 2009-10-17 01:17 -07:00

Hi.

I agree with the point that shared environments increase the attack surface. But if the decision to outsource the environment is made in the right manner, the risks/profits should first be assessed and analysed to see whether shared hosting is acceptable. It is good to have threat checklists for different hosting types as guidelines for risk assessment. There might even be operational issues (CPU/memory quotas), not only pure security. And all in all, business is money + risks, and shared hosting of course could be good for some cases.

Glib Pakharenko

Adriel Desautels (https://www.blogger.com/profile/16119732948300414743), 2009-10-14 15:19 -07:00

In response to Anonymous.

That argument is flawed because it's based on an assumption that is countered by reality. Specifically, most people don't know that they've been hacked until after the fact. Compounding that issue is that when a hacker hacks one system, they usually use that system to penetrate other systems on that newly compromised network. That technique is called Distributed Metastasis. Lastly, once a hacker takes a system, the chances are good that the hacker will install a covert back door to maintain access. In most cases these backdoors aren't easily detected.

So suppose you have 1000 systems that have all been compromised and all have backdoors installed on them. Chances are you won't know it, and by the time you do it will already be too late.

Go Cloud!!!

Anonymous, 2009-10-14 14:00 -07:00

Adriel,

I had the opportunity to speak to many cloud providers who felt that their data center security is best in class. They also use nearly the same argument to arrive at a 180-degree conclusion. Once they see an intrusion, they can lock out that hacker from all of their customers. So it is "What is good for one is good for all" versus "What is bad for one is bad for all".

I completely understand your point. That is why it is up to the cloud customer to audit their cloud provider's security measures before signing that service agreement. As near as I can figure out, that could be a new point of revenue for Netragard if marketed correctly.

Anonymous, 2009-10-14 06:40 -07:00

Congratulations...

You have reached a 10-year-well-known major web security problem... you should be proud of yourself.
</troll>

Trust is the word in this issue...
Did you trust your host?
Did you trust the ISP of your host?
Did you trust in their cluster/data-center security deployment?
Did you trust in the employees inside the data-center?
Did you trust in the DNS records your computer has?
Did you trust in your colleagues?
Did you trust in your PC?
...

Blind trust is an almost 10-year well-known problem; even Bruce Schneier made a book out of it. The same conclusion you just made has been known for years, and the problem will stay because people will still outsource almost all internet-related activities to another entity.

luckyr13 (http://www.apuntux.com), 2009-10-13 19:45 -07:00

Nice post... I think that I never considered that possibility :S

knl (http://bitflop.com), 2009-10-13 11:42 -07:00

Great point, however I do think that most professional hosting services are well known for their quality of work, and that they put great effort into securing their web servers.

Many companies simply cannot afford having a lot of IT people hired (or even a single guy) just to keep their website up and running.

What's important though, and that's also what I believe is your point, is that people weigh and understand the risks involved, and that they make sure to evaluate what might happen if their website/web server gets visited by one or more "hackers".