Five Security Mailing Lists You Should Read
Keeping up on security isn’t something you can afford to do lackadaisically. Everyone does, in the beginning, until that fateful day when important servers are compromised. More often than not, the compromise could have been prevented if the server managers had read the most important security mailing lists daily.
In this article we’ll tell you about five security-related mailing lists you cannot afford to miss. You’ll also learn why these lists are important, controversial as some of them may be.
The premier mailing list is BugTraq. Moderated by SecurityFocus, BugTraq is the main list that all IT professionals should read. Yes, including management.
Every major and many minor security vulnerabilities make this list, often accompanied by remediation strategies and tips. The vast majority of IT compromises are due to well-known security issues not being dealt with immediately. If you read BugTraq, you’re likely to stave off most attacks.
This list is fairly high traffic, sometimes 20 messages or more per day. That volume is likely why people fall behind on security issues, but the time investment is well worth it. You generally only need to read the subject lines to know whether or not an announcement applies to you.
Full-Disclosure is a mailing list that pushes the boundaries. The security concept known as “full disclosure” means that the full details of a vulnerability should be public and open, since a system should withstand public scrutiny before it’s deemed secure. The idea is that thousands of eyes will find more problems more quickly, and if they share the knowledge, the system will be secure in the end.
Often, actual exploit code is posted to the Full-Disclosure list. The purpose of posting the problem along with an exploit or fix is to pressure the vendor into addressing the security issue. Often the vendor is contacted before making the vulnerability public. If they respond, and actually address the problem, the information isn’t posted until the vendor is ready to post a fix. If they ignore the discovery or drag their feet, the code is usually made public.
You need to be aware of what exploit code is out there so that you can judge which patches are critical and which may be able to wait a week. After viewing the actual exploit code, some people may also realize that the bug affects other, similar systems. Openness in security is very important, and leads to better overall security. Of course, the downside is that once an exploit is posted, it starts to get used; this is why you must read this list.
The Handler’s Diary is more of a blog than a mailing list, but it’s just as important nonetheless. It is written by various volunteers, and published by SANS. The SANS Internet Storm Center tracks and reports on global issues on the Internet. This diary often focuses on current threats, but when the threat level is green, they frequently publish research, tips, and stories. Their primary goal is to publish analysis results and provide information about exploit trends.
Whether you’re interested in security or not, the Diary is extremely valuable for all IT members who need to ensure operational security.
USENET has gone out of fashion, but many people still use it, especially via Google Groups. There are various groups that reiterate information you’ll find on BugTraq, and also some OS- or application-specific ones. If you like this method of information delivery, you should be able to find plenty of groups dedicated to security announcements.
A few decent general-purpose ones are: alt.security, comp.risks, comp.security.announce, and comp.virus.
Your OS Vendors and Important Applications
Waiting on the OS vendor to release a patch is a sure-fire way to security purgatory. Reading BugTraq is required, since it will often include information about how to work around a security issue before the vendor releases an update. There’s even a Windows-specific BugTraq list, if your environment has Windows workstations or servers.
Your OS vendor should also have a security mailing list. You’ll often find that BugTraq will duplicate this information, but a security announcement straight from the horse’s mouth is usually more informative.
Every OS has a security announcement mailing list. Windows, Linux, *BSD, or OS X, it doesn’t matter. The open source operating systems will likely be more forthcoming with details, but the end result is the same: you get the information, and hopefully an update or workaround.
In addition to subscribing to OS announcement lists, you also must subscribe to the lists for every publicly accessible application you run. Yes, every single one. Most security compromises are via the applications that run on your servers, not the OS itself. Especially if you’re running a Web server that hosts any open source PHP-based applications, you really must subscribe to their security-announce lists.
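The advice above (triage BugTraq by subject line, and track an announce list for every publicly exposed application) only works if you know what you run and can match advisories against it quickly. The following Python script is an added example, not code from the article or from any of the lists it names: it takes a batch of advisory subject lines, collapses Re:/Fwd: replies onto the original post, pulls out the product and version each subject names, and flags the ones that touch a product in a constructed inventory at or below the advisory's version. The subject lines and inventory are made up for the example, and the "installed version at or below the advisory version means potentially affected" rule is an assumed heuristic, not how any list formats its posts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample subject lines in the general style of advisory lists.
# These are invented for the example and do not describe real advisories.
SAMPLE_SUBJECTS = [
    "[SECURITY] phpwebapp 2.4.1 remote code execution in upload handler",
    "Advisory: libimage 1.0.9 heap overflow in PNG parser",
    "Re: Advisory: libimage 1.0.9 heap overflow in PNG parser",
    "Fwd: mailserverd 3.2 denial of service",
    "[ANNOUNCE] unrelatedtool 5.0 released",
]

# Constructed inventory of publicly reachable software: product -> installed version.
INVENTORY: Dict[str, str] = {
    "phpwebapp": "2.3.7",
    "libimage": "1.1.0",
    "mailserverd": "3.2",
}

# "<product> <version>" somewhere in the subject, e.g. "libimage 1.0.9".
SUBJECT_RE = re.compile(r"\b([a-z][a-z0-9_-]+)\s+v?(\d+(?:\.\d+)*)\b", re.IGNORECASE)
# Leading reply/forward markers that make one thread look like several posts.
NOISE_PREFIX = re.compile(r"^(?:(?:re|fwd|fw)\s*:\s*)+", re.IGNORECASE)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def normalize_subject(subject: str) -> str:
    """Drop Re:/Fwd: prefixes and case so replies collapse onto the original post."""
    return NOISE_PREFIX.sub("", subject.strip()).lower()


def parse_subject(subject: str) -> Optional[Tuple[str, str]]:
    """Return the (product, version) pair named in the subject, or None if absent."""
    match = SUBJECT_RE.search(normalize_subject(subject))
    if not match:
        return None
    return match.group(1), match.group(2)


def triage(subjects: List[str], inventory: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (product, advisory_version, installed_version, subject) for each
    unique subject that names an inventoried product whose installed version is
    at or below the advisory's version (assumed heuristic: such versions are
    potentially affected; a newer installed version is treated as already fixed)."""
    seen = set()
    hits: List[Tuple[str, str, str, str]] = []
    for subject in subjects:
        key = normalize_subject(subject)
        if key in seen:  # same thread seen already (Re:/Fwd: of an earlier post)
            continue
        seen.add(key)
        parsed = parse_subject(subject)
        if parsed is None:
            continue
        product, advisory_version = parsed
        installed = inventory.get(product)
        if installed is None:  # product not deployed here; skip
            continue
        if version_tuple(installed) <= version_tuple(advisory_version):
            hits.append((product, advisory_version, installed, subject))
    return hits


if __name__ == "__main__":
    for product, advisory_version, installed, subject in triage(SAMPLE_SUBJECTS, INVENTORY):
        print(f"ACTION: {product} installed {installed}, advisory names {advisory_version}: {subject}")
```

Run on the constructed input, the script flags phpwebapp (installed 2.3.7 is older than the 2.4.1 named in the advisory) and mailserverd (exact version match), drops the duplicated libimage thread and ignores it anyway because the installed 1.1.0 is newer, and skips unrelatedtool because it is not in the inventory. The inventory is the part that matters: keep it complete, or the matching silently misses the application that gets you compromised.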
Keeping up with these security lists daily means you’re fully informed about the issues that can hurt you the most. Security incidents can be prevented, and the best way to prevent them is proactively: stay informed, and patch as soon as updates are released.