Various Internet resources for the latest information on intrusions and defenses are listed in this appendix as well as additional source information and documentation that is either changing at a significant rate, or will not fit in the book, or where permission to use the material could not be obtained. This also will allow you quickly to get fixes to security bugs and find out about new tools to increase security, as well as find support for your existing software. The crackers are reading these lists; you should too. Keep in mind that the crackers know that you are looking to these sites for help. There is always the possibility that crackers have breached the sites or have included false information in mailing lists. Generally, CD-ROMs in sealed containers are much less likely to have been compromised, though this author has read that a certain CD-ROM widely distributed by Microsoft contained a Trojan horse, and certainly other vendors have suffered this too. Certainly, checking MD5 or other published checksums increases your confidence. Wait to install a patch until it has been recommended by several trusted sources. I recommend allowing at least a few days for the possibility that someone contributing to one of these sites might say, "Wait! It's a trap!" Because many open-source tools are available from several sites, for extra security download the one you want from several sites and do a byte-by-byte comparison or use md5sum for a hard-to-breach message digest to protect against the cracker breaking into a site and inserting a Trojan. If the patch is not urgent enough to require installing immediately, wait a few days, download it again, then compare it against the earlier copies on the assumption that the intrusion that might have corrupted the first copy would have been dealt with by then. Some of these sites may be "dead" by the time you try them; check my site for updates. Also be wary of alleged "new and improved" versions that might contain Trojans. This did, in fact, happen with one popular security tool around 1998.
|
Top |