Where to Go for Timely Alerts
By Bri Hatch.
Summary: A little knowledge can go a long way, especially when that knowledge is about the latest threats to your system. But where does the savvy admin go for such information?
The worst thing that can happen to a security administrator is to be
oblivious to the newest, and thus most pressing, vulnerabilities that
can affect your systems. Without prompt action -- upgrades, patches,
increased access restrictions, or turning off software all together --
you are likely to fall victim to the latest exploits or worms.
So, whom should you turn to for this nay-crucial information? You can
find good Linux security information at a bunch of places, but I trust
very few sources to provide me timely vulnerability announcements.
Most have both Web pages and email lists. Personally, I don't rely on
Web pages because I've never been good at checking things periodically
(and too many of them don't render well in lynx). I prefer email.
It's something I check every few seconds and I can use procmail
to make sure important messages get sent to my pager in case
I'm doing something rare, like sleeping.
So, without further rambling, here are my suggestions for must-read
- CERT: The granddaddy of alert notification. CERT advisories are
usually reserved for the big problems, such as the widespread
SNMP problems, which required careful coordination between multiple
vendors to avoid 'spilling the beans' too early, or the
latest 'Become the Windows Administrator user in 2 easy packets'
$ echo 'subscribe cert-advisory' | mail email@example.com
- SANS Security Alert Consensus: The SANS organization sends out
alerts similar to CERT, though usually with more useful
information such as custom tools you can use to audit your
systems. This newsletter is actually a weekly security summary,
but they use it for important alerts as well.
$ lynx http://www.sans.org/sansnews/
- Incidents: On this list, admins can submit information about
suspicious network activity they've captured. When new worms and
exploits start making the rounds, this is often the first place
they are seen on the radar. It can get pretty high volume as
folks try to figure out what they're seeing in the wild.
$ echo 'SUBS incidents Firstname Lastname' | mail
- Bugtraq: Bugtraq was the original full disclosure list, and it
is an absolute essential to any administrator. Vendors and
hackers alike announce vulnerabilities here. Often no solutions
are suggested, but folks on the list quickly discuss appropriate
responses to the problem.
$ echo 'SUBS bugtraq Firstname Lastname' | mail
- Linux Distro: Whichever Linux distribution you use likely has an
email list dedicated to security concerns. Sometimes the problems
are specific to a particular distribution's configuration whereas
sometimes they are universal Linux concerns.
Your distribution-specific list will give you the links you need
to see exactly what packages you need to upgrade, including the
download URLs and instructions. Unless you're using Debian, of
course, in which case you can upgrade everything with a mere 32
These are the lists that I use for security alerts. You can subscribe
to many other lists for weekly or monthly news, but for timely security
information, I suggest the above lists so you aren't caught off guard.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He has been securing and breaking into computers since before he traded in his Apple ][+ for his first Unix system. Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2002.
This article was first published here in ITworld.com Inc., 118 Turnpike Rd., Southborough, MA 01772 on 05-Mar-2002.