[nSLUG] Source for early news on security issues

D G Teed donald.teed at gmail.com
Fri Mar 13 10:36:01 ADT 2015


Hi,

As I've indicated, US-CERT is not fast enough.

Case in point: TA13-268A - Shellshock
News was out on Slashdot around 14:00 on the 24th.
Received US-CERT email at 15:56 on Sept 25, 2014

http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

Case in point: TA14-098A - Heartbleed.
Slashdot had news 9 PM on April 7th.
Redhat issued an Errata alert by 9 AM on the 8th.
Received US-CERT email at 5:05 PM on April 8, 2014
By the time the US-CERT was sent, the CRA
website already had information taken.

http://it.slashdot.org/story/14/04/07/2354258/openssl-bug-allows-attackers-to-read-memory-in-64k-chunks

A recent major Drupal issue had the developers stating that if people
didn't have their CMS patched within a few hours of the exploit
announcement, they should assume their site is compromised.

That is the speed of exploits being scanned and exploited today.
The pace of companies like Oracle with Solaris (several days to patch
Shellshock) is way out of touch.  Debian and Redhat are both good, with
CentOS almost as good (by the nature of its dependency on Redhat's
packages).

I didn't expect to hear some website could need to be created.
I expected to hear that I'm unaware of something, "didn't you know
about Internet Storm Center's feature X", or whatnot.

It looks like the Slashdot /security web path might be amongst the
earliest sites to aggregate broad platform security news.
I just don't know if that will continue to work - it might be a legacy
feature which disappears some day.

