topic Re: Forums and Security in Operating System - HP-UX

Forums and Security

Martin Burnett_2 — Mon, 11 Mar 2002 16:28:20 GMT

Hello Everyone,

Just a friendly reminder to make sure that you "scrub" any system specific information that might be considered a security risk from your posts and submissions to the forums.

This is particularly important when posting error messages from logs, many of which contain system specific information. In almost all instances this information is not required to try and resolve your issue by the forum members.

This includes but is not limited to IP addresses, system hostnames, HP support agreement identifiers, as well as User Identification codes (User IDs), passwords, product serial numbers, etc. All of these important information elements should be protected.

If you have any questions review the Terms of Use under User Submissions and Customer Responsibilities sections. A weblink is located at the bottom of the Forums home page.

As always, thanks for participating in the forums and let's all practice "safe submissions".

Martin

Re: Forums and Security

Wodisch — Mon, 11 Mar 2002 17:58:33 GMT

Hello Martin,

a well-meant point, which I would completly agree with, but (istn't there always a "but" ;-) taking the growth of the forums and the recent level of questions into consideration, I am afraid many will not be able to this, as they do simply not know enough to decide which information they have to hide, and what they have to substitute with *safe* values...
That could be a place for the forums' team to step in - those of you, who are able to decide when to *move* postings to another forum, might be able to do the *substitution*, perhaps?

Just my $0.02,
Wodisch

Re: Forums and Security

harry d brown jr — Mon, 11 Mar 2002 18:06:21 GMT

Martin,

I agree with everything except for IP's, especially when someone is talking about routing and subnet masks. Most people don't understand IP's, subnet masks, and routing. By having them "scrub" them, will lead to erroneous postings and erroneous answers.

live free or die
harry

Re: Forums and Security

Martin Burnett_2 — Mon, 11 Mar 2002 18:10:36 GMT

Hello Wodisch,

Excellent point and we (I) do. In fact, this is precisely what I was doing this morning for one of our forum users and is also what prompted me to write and post this little security reminder blurb. My concern is that as hard as we try we may still miss one or two posts out there that contain sensitive information. I would hate to see anyone get "cracked" because of information they posted in our forums. This was simply intended as a gentle reminder to us all. Thanks for the feedback.

Martin

Re: Forums and Security

Mark Greene_1 — Mon, 11 Mar 2002 18:15:04 GMT

scrubbing IP's is superfluous. using nslookup one can aquire a list of IP's for any system with internet access, and there is the freely available whois registration information for the domain.

obviously login ID's, passwords, serial numbers and other types of "access" information is crucial not to post. Think of the IP address as the roadmap, which one cannot hide, and the other info as they keys to the door.

just a thought,
mark

Re: Forums and Security

Craig Rants — Mon, 11 Mar 2002 18:15:49 GMT

Martin,
I do agree to a point, I certainly have seen information in a post that I would not not have posted. But it also would not take long for someone to gather information about a postee and put two and two together. I could do this by getting the domain of the company from the postee's profile, checking dns records for that domain, finding the ip block assigned to that domain, etc... Pretty soon I have all the info I want and more.

Keeping your messages sanitized should always be a priority, but a smart person could easily gain all that info and more if they wanted.

Just my thoughts,
Craig

Re: Forums and Security

harry d brown jr — Mon, 11 Mar 2002 18:18:18 GMT

Martin,

I finally beat my network boy's into submission. They were always so secretive about anyone knowing our IP numbers and host names, and my reply was this: Security based upon lack of information is security based upon ignorance.

It's like having an encryption routine where the formula is secret, and there are no "keys", just a formula.

live free or die
harry

Re: Forums and Security

Martin Burnett_2 — Mon, 11 Mar 2002 18:23:14 GMT

Hello Harry,

Also a good point, and you are correct if the issue requires it. This is why I stated in the original posting that "...almost all instances this information is not required ..." This is just intended to get people thinking about whether the information they post is necessary and relevant to the issue, does it pose a security problem, and having thought about the issue then they can make their own "informed" decision about whether or not to post this type of info. Thanks for the feedback.

Martin

Re: Forums and Security

Mark Greene_1 — Mon, 11 Mar 2002 18:23:39 GMT

Harry,

funny you should mention that. my boss at my very first job out of college would say "security based on ignorance is not secure, just ignorant!"

I've not thought about him in a while, thanks for the reminder. :-)

mark

Re: Forums and Security

harry d brown jr — Mon, 11 Mar 2002 18:29:30 GMT

Martin,

Are you a newcommer to the Forum and HP, or just the Forum? If so, welcome, and thanks for the info on the Dec2001 release!

live free or die
harry

Re: Forums and Security

Martin Burnett_2 — Mon, 11 Mar 2002 18:36:08 GMT

Well, just new to the forums in this capacity. Sort of an additional duty due to the rapid growth in the ITRC we are experiencing thanks to all you guys and gals (experts) out there and your active participation.

I bow to all of you and your expertise in this area. I give, uncle on the IP addresses. 8-)

But you have to admit that this got all of you thinking about the security issues and that was my whole intent.

Martin

Re: Forums and Security

Carlos Fernandez Riera — Tue, 12 Mar 2002 08:46:49 GMT

Go top...

Re: Forums and Security

Bill McNAMARA_1 — Tue, 12 Mar 2002 08:54:54 GMT

I've noticed that some posters don't understand that the forums are public support.. they believe that it is an official hp support site.

There's no doubt that you'll end up with

telnet myserver
root password root

one of these days!

It is important to keep this tread alive somehow..

Later,
Bill

Re: Forums and Security

Kenny Chau — Tue, 12 Mar 2002 08:58:37 GMT

Hi Martin,

Absolutely agree what you said. I always hide the information and post as much information as possible to the forum so that the experts here can solve my problem.

If I expose any company's information here, I will be fired by my boss.

Regards,
Kenny.

Re: Forums and Security

K.Vijayaragavan. — Tue, 12 Mar 2002 08:58:41 GMT

Hi Martin.

I fully agree with you.

When no one wants to leave all these precious information on their workpalce itslef, obviously it is dangerous to leave all thess info in the forum.

A warning message consisting of the points mentioned in you note can be displayed whenever a new user is registering in this forum as new user.

Thanks!

Regards,

K.Vijay

Re: Forums and Security

Justo Exposito — Tue, 12 Mar 2002 09:49:11 GMT

Hello Martin,

Yes this is very important information for all the forum members and it's needed for the new users as well.

Perhaps it's a good practice that this thread or similar appears all the months and if somebody had an attack because the information showed in the forum can explain to everybody. Something like the forums issues thread for the month.

Regards and thanks for the advertising,

Justo.

Re: Forums and Security

Steven Sim Kok Leong — Tue, 12 Mar 2002 09:57:57 GMT

Hi,

I agree with you indeed.

On occasions, I have seen posters who cut and paste their unshadowed /etc/passwd files straight onto their posting. Someone could potentially run crack on these password files.

Such postings need to be sanitized.

Steven Sim Kok Leong

Re: Forums and Security

Roger Baptiste — Tue, 12 Mar 2002 13:30:55 GMT

Good point. I dont think it is too difficult to mask information before posting it.
Put the output in a editor and do a find/replace all. Ofcourse, even with all care, i have occasionally had slips.

The reason for masking has less to do with it being misused, but more to do with company guidelines etc etc..
Afterall, what is anybody going to do with IPs or hostnames etc; as for people who post password file, well they shouldnt be admins in the first place ;-)

cheers
-raj

Re: Forums and Security

John Bolene — Tue, 12 Mar 2002 13:34:14 GMT

Help is help, but security must take first priority.

Posting password files or any other sensitive information like this is a real bad thing, but then a lot of our systems are behind firewalls or not even connected to the internet and even if I gave you root passwords, you would not know which machine they go to, and could not get to them if you tried.

More information is better than less information, but as you said, you can go too far. Most folks don't know what information to give to solve problems and we have to ask for more anyway.

We get all the time at work, "My computer is broke", well they don't really have a computer, they have an X-terminal, which is a computer but in a very limited way.

The other problem is "My terminal is slow today". That is a very hard one to solve.

My 2 cents.

Re: Forums and Security

Justo Exposito — Tue, 12 Mar 2002 16:55:33 GMT