From: Toni M. <sup...@oe...> - 2006-09-16 16:26:20
Hello George,

On Fri, 08.09.2006 at 15:57:21 +1000, GeorgeOsvald <geo...@ya...> wrote:
> On Friday 08 September 2006 09:55, Josh Berkus wrote:
> > Well, security is something you implement at every level, not just at the
> > gateway. So: SSL: yes, Domain limits: Yes, server lockdown: yes, strong
> > passwords: yes, secure session tracking: yes, database security: yes,
> > database auditing: yes. What you *don't* do is implement security in one
> > area (like SSL or VPN) and expect that you don't need to worry about
> > security anywhere else. That's a fast way to get hacked.
>
> You can do a bit more than that depending on your level of paranoia. I am
> extremely paranoid. When it comes to security, redundancy is a good thing.

None of this helps you in case you *want* your server online, like when
you're offering hosted SL. Fortunately, we don't so far, but with this
experience in mind, I doubt we ever will.

> Frankly, if I had an employee who would be able to hack SL he/she would not be
> working as an accountant. You can still search the logs to find out who was
> logged in and did what.

This depends on the degree of access the bad guy had to your server(s). If
the claim that the users of SL can be found out with almost no prior
knowledge is valid, you'll only find in your logs that you were the one
committing some kind of crime, because the impostor impersonated you.

Best,
--Toni++