Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
Re:It is only Medium DAMAGE!
I agree. <imo>Anti-virus software companies are in the business of protecting against viruses; of preventing a large number of users from being compromised by the same code. They are not interested in the kind of security that would prevent script kiddies or social engineers from gaining access to your computer, and so they rate viruses by the amount of damage they cause, rather than rating security holes by the amount of damage they allow. I suppose they do this to be consistent with their stance that "the viruses are the enemy".</imo>
By the way, did anyone else think it was strange that CERT listed anti-virus software companies, and only anti-virus software companies, in the "vendor information" section of their advisory about SirCam? They could have easily targeted
- E-mail client vendors, for having poor user interface surrounding attachments. (Especially Microsoft, for releasing at least one version of OE that shows a very similar dialog when you double-click a .jpg attachment as it does when you double-click a .exe attachment.)
- Microsoft, for relying on extensions as the only way for a user to tell the difference between a document and a program, rather than doing one or more of the following:
  - Giving users and programs a way to flag files as "executable" (or as "not executable"), like Linux does with the +x mode.
  - Using a single, special extension for executable files. For example, foo.vbs would have to be renamed to foo.vbs.exe before it would run.
  - Using a special type of icon, or icon overlay, to indicate that something is a document. For example, always show documents as a piece of paper, and show an icon chosen by the associated application in the middle of the paper.
- Microsoft, for not providing a function in Windows for "is a file with extension .foo a document or a program?".
-
Re:Sadmind/IIS unicode worm already did that
Code Red and Sadmind/IIS do not use the same vulnerability.
Code Red in all incarnations uses a vulnerability in the Indexing Server Stuff (TM) while Sadmind/IIS used a directory traversal vulnerability. See CA-2001-19 and CA-2001-13, both at CERT/CC, for more info on the vulnerabilities.
-
What do you tell someone who's got SirCam?
What advice should you give to someone who's clearly got a bad case of SirCam?
If you look at the CERT Advisory, the only fix it discusses is installing commercial anti-virus software... While that might be a good idea, I would think that there's got to be some other procedure, like Delete this or that, reinstall MS Word, go into the Control Panel and click the little box that says "I'm not a complete fool, and I care slightly about system security, so don't run any damn macros without asking me", or whatever.
Has anyone seen cleanup procedures discussed? I know little about the Windows world these days, but my friends still have me pegged as The Computer Expert.
-
Re:Afraid not
According to CERT, Code Red resides entirely in memory, thus the best you could do as far as detection by hard drive scanning is to grep the server logs for the indication string. However, CERT says that presence of the string is only proof of an attempted infection, not infection per se.
-
Re:Mis-set clocks?
IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.
IIRC, everyone was forewarned (see here and here) last time!
-
I find this a bit offensive.
CERT's page has this to say under the III Solutions section:
If you believe a host under your control has been compromised, you may wish to refer to Steps for Recovering from a UNIX or NT System Compromise
So, they've given UNIX first billing on a distinctly Microsoft problem? Spin! Spin! -
Similar CERT advisory a year ago?
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
From how I understood the advisory, it refers to a page that automatically displays info directly from a link, like showing the search string on the search results page. If the displayed string contains script, the script will be executed in the client browser.
-
Re:solution: don't use outlook
You mean like this one?
Yes, it's old news and yes it's been fixed but I think it illustrates quite well that you can never blindly trust your apps to be secure, not matter what platform you're on.
-
Re:NTP kicks ass!
University of Delaware NTP is indeed nice software, however if you run it under linux or any x86 arch, be aware that a hole was found last week. A "panic fix" is available, but a stable fix is not yet available. Indeed, I saw a post on comp.protocols.time.ntp today where it was confirmed that the quick panic fix had in fact introduced new bugs. Here's the CERT advisory and the original Bugtraq post that started it all.
Part of me is incredulous that slashdot staff would recommend installing a system daemon with a known unfixed vulnerability, but hey, these guys aren't journalists, and have no obligation to us.
Actually, now that I look at it, my parent post seems to be making an allusion to being hacked due to running NTP on a home linux box hosted on a DSL line. Not bad, but parent has a long way to go before getting close to the subtlety of a real USENET troll.
-
Re:Don't rely on Slashdot for security information
Yeah, it's good to check at CERT. And, from what I see here, CERT didn't really retract too much (there's a long list of problems they mention)
-
Don't rely on Slashdot for security information
Better to sign up to something like CERT advisories than rely on random postings to Slashdot.
Really.
This was announced on their list about 14 hours ago. -
Re:Ironic
Dear cluebie:
Go read the security advisory on bugtraq or CERT.org that talks about the weakness in BIND that the Lion worm is exploiting. It's an error in the way BIND handles TSIGs. Hey - I'll make it easy for you.
How about next time you read the security advisories. Just because the worm's for Linux, doesn't mean the vulnerability it uses to get where it's going is only on one platform.
-
Re:Always trust content from Microsoft Corporation
It just hit me: If "a while ago" is since January 1, 2001, then you actually may have reason to worry. This would depend on where you got the program from, and whether you actually trust the content to be Microsoft. In most cases, your program should have some sort of security dialog where you can view details of certificates that you've already encountered. There you should be able to check the details of the cert, and -- if you want -- revoke your trust of it.
If you find that you've accepted one of the bogus certs, then you may, in fact, need to do a clean and install of your system to expunge it. I would, however, strongly suggest that you contact CERT, Microsoft and/or your local/national police force (FBI, etc.) so that they can try and track where you got the cert from and what it's trying to do.
-
Re:Predict a pseudo-random-number generator?
Indeed that does seem to be what is being said:
Original Advisory
The whole thing is merely pointing out that some IP stacks don't give anything like enough randomness between connections (attempts) from different hosts.
The vendors of such stacks need to get a clue[tm].
-
Not a problem in Linux
I don't believe that this problem affects either the Linux or FreeBSD kernels because they generate their ISNs from
/dev/random which is considered to be quite secure (at least, as secure as you can get without an external hardware device to collect truly random information), therefore, these numbers are almost impossible to predict.
According to his attack summary, he identifies a problem with kernels that increment the ISN value for each connection based on some predictable value. However, interestingly enough, he does not identify any systems that exhibit this vulnerability. Nor does he provide a whole lot of detail into how this vulnerability is any different than the ones that have been identified starting all the way back in 1996.
In general, I think it is all part of a much larger problem that almost no OSes (except for Linux and FreeBSD) provide a kernel driver, such as /dev/random, to generate relatively unpredictable data. That kind of service is enormously helpful in all kinds of applications, starting from the most obvious one - cryptography and TCP ISN selections - to shuffling decks of cards in online casino games. -
Re:Patents == bad, but Symantec == good!
They were the first ones to provide what the industry needed for so many years: a centralized repository of information and knowledge about malicious code -- one that hasn't been replicated...
Um... Not sure if you meant that to be a troll or not. But how about CERT?
And by the way, Symantec isn't doing these things out of the goodness of their hearts. They're a business, and they do it because (directly or indirectly) it brings in money. Crow about their accomplishments if you like, but don't make them out like they're Mother Teresa's Sisters of Digital Mercy - they're a large business, and therefore (practically by definition) almost certainly amoral.
Troll point number 2: I don't know why you think it takes more or less skill to detect a virus not in the wild than one in the wild. That's inane. I'd actually think that figuring out the ones in the wild would be harder, since they're the ones original enough to get through emplaced defenses in the first place.
In the future, remember: Think, then post.
OK,
- B
-
The scary thing...
The scary thing is that I first heard about this yesterday on the cnn.com webpage! (Okay, so I could have heard about it first on Bugtraq if I had been religiously reading it daily, but I hadn't.)
Fortunately I can ssh into my server at home, so I had it upgraded within an hour.
Another scary thing is the CERT graph showing the exploit reports for the NXT bug. I definitely don't want to have an un-upgraded BIND in the peak of that curve.
-
Re:yeah...
Actually, bind, sendmail and wu-ftpd have had a really bad history of awful bugs. The subject of this message, "WuFTPD: Providing *remote* root since at least 1994" really sums it up pretty well. As mentioned on the Cert page, BIND has had TWELVE Cert Advisories and this makes 13. They even named the 11th one "Continuing Compromises of DNS servers", though I suppose it's just the infamous NXT bug.
-
Re:Come on
You just have to wonder what recently means, 90 days?
Generally this means 45 days with CERT. They have been criticised on a few occasions for this response time, and for the fact that they refuse to go "full disclosure". Their policy is to inform the software vendor first of any discovered vulnerabilities, and allow the vendor that time to release patches before making it widely known.
That's why you can get a version of BIND from the ISC on the same day that the vulnerability was made public.
I'd like to know earlier as well, but at the same time, I'm glad this hasn't been public for 45 days while I sit and wait for a patch.
Check out their policy on this at http://www.cert.org/faq/vuldisclosurepolicy.html (hope that makes it through the /. filters OK :)
- cicadia
-
Re:wuftpd
This wu-ftpd bug was widely reported in June and observing system admins plugged it already. According to CERT's security advisory older versions of proftpd also required updating.
-
RH Crack
It's in rpc.statd and wu-ftp. More info at CERT
-
Dumb idea
Based on what I can tell from the report, this "members only" group sends warnings only among its own. That means that if one of these companies finds this nasty virus, all the other companies find out but we don't. When you look at the list of companies that have joined, you'll note that most of the companies have something to gain from knowing about such a virus before anyone else. Take for example Symantec who makes antivirus programs, and VeriSign - who will inevitably bring up the "if you signed all your messages with our keys, then people would know it wasn't from you because you didn't sign it" junk. That in itself may be a good thing (encouraging crypto), but they'll find a way to twist facts so that only VeriSign gains from such a thing. Don't tell me know either: these companies are run by CEOs that worry more about how fat their wallets are than anything else.
Another way this is bad: we have CERTs for a reason - to deal with this kind of thing. By forming this "coalition", they're further fragmenting the system of disaster recovery. CERT.org was created some time ago just for things like this, and it doesn't cost $5k a year to get warnings. It's free.
Propaganda is the best term for this, and marketing is a close runner up. If they really want to team up and help stop attacks on computer systems, they can work with everyone else instead of creating a members-only club.
My karma's bigger than yours! -
link is dead. new link is...
https://www.cert.org/advisories/CA-2001-01.html
-
Re:https??
try it without the http protocol http://www.kb.cert.org/vuls/id/247371.
One question springs to mind though. How long has interbase been open source, and consequently, how long has it taken for this to be discovered? -
Re:https??
Turns out that a plain http transfer works as well.
-russ -
Use those sources...
I expect this is the Trinity attack that is described in considerable detail here by X-Force. You can find the actual article and analysis of the Stacheldraht tool here, written at the University of Washington. The author of that article claims that he wrote a program that detects Stacheldraht on a system. Of course, getting the ISPs that are sending these DDOS messages to actually use some security might be a bit difficult. By the way, this is old news, since the CERT advisory is dated June 99.
Thalia -
It's Not Just M$, Anymore
While it is troubling that the closed source OS (some flavors/pieces, anyway) may have been exposed to an 3l33t3 few and chances are their motives are nefarious, that security snowball has enough momentum to keep it from attaining its .NET Web ubiquity.
Much more concerning is the simplicity the Linux/UNIX vendors have put into their installations. From CD-ROM to *N*X system in less than 30 minutes for anyone. The one who most disturbs me is RedHat with the ServerInstall option. Every service, none secured. Since these boxes are usually put on public IP's to perform some service(s), they usually have the most potential for causing problems to servers that have been locked down. It would be nice to see a firewall script installed and enacted in any distribution, with instructions on how to unfirewall certain things post-install. This might help cut down on the DDOS agents out there. The hundreds of compromised hosts they're talking about are most likely not Micro$oft systems. The vulnerability was on port 111.
The RPC vulnerabilities have been around forever, along with the WU-FTPD problems, but, they have been around for ages and fixes, or at least host access and firewall techniques, have been around just as long. For some reason, the patches just don't get applied, and, the systems get taken over. I just hope with all this newfound popularity, the Open Source OSes don't earn the same bad security rap Windows has earned. And, I do mean earned. Because we can do something to secure our systems, if we think security is important. It is and we should.
Linux rocks!!! www.dedserius.com -
Re:Hah! They deserve it!
Yeah, with unix at least you get properly secured tools like And it also allows you to run And best of all, there are hardly ever any security problems reported for it!
-
Re:Increasing problems...
Microsoft has a security bulletin that they send out to inform everyone of the security leaks in Microsoft products. We received 93 new bulletins and numerous updates this year (3 today...). I don't want to defend Microsoft, but I very much doubt they brag about their security in any other way than relative to prior versions.
Second: Linux is hardly ever specifically mentioned. Most security problems are application problems, not kernel problems and affect all *nixes. Linux kernel problems are as rare as Windows NT kernel problems.
Typically Win32 problems are with IIS, LanManager, IE and Office. Recent *nix problems have to do with apache/mysql, samba, bind, bash, ssh, identd etc. The only problems that haunt mostly the Windows OS are the Integration (and Visual Basic) related problems. Apparently that is just too complex to get secure. It's the fact that there is virtually no integration between most *nix applications that saves the *nix community from this *for now*.
Links: [Microsoft Security] [SecurityFocus] [CERT]
--
-
Who's casting the first stone?
Before we all play "jump on Microsoft", have a look at CERT CA-2000-21, posted on Thursday. This is a great DoS attack for anyone who controls a bunch of slave machines: fully open many TCP connections on the victim's box, then leave them stuck in the ESTABLISHED or FIN WAIT-1 states. This requires minimal traffic and no memory on the attacker's side once the sockets are in the right state. I doubt syncookie-like strategies will take care of the problem, and the TCP keepalive mechanism probably uses intervals too large to do much good against a concerted attack.
Many systems are vulnerable to this attack. Right now, Linux, the BSD's, and a number of other UNIX flavors appear vulnerable; see the statements from IBM, Compaq, and FreeBSD in the advisory.
Interestingly, MS says that Win2K is resistant to these attacks by design, though NT 4 has been patched. I wonder how they defend against an attack from multiple machines without refusing new connections or RST'ing the wrong ones? Similar recovery problems have already proven somewhat difficult in the context of handling local memory exhaustion attacks on Linux systems. -
.02
The "Got yet another idiot" email report back to the author would suggest it's the work of a Linux hater, and not just a hacker with a proof-of-concept example. Odd how the Pro-Linux trojan hasn't been documented in CERT/CC, and only anti-virus companies have identified it.
This Linux security howto may be of interest to some, so i'll humbly submit it:
DEFEND YOUR SYSTEM! -
Childish attacks unnecessary
I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.
For those that believe *nix is somehow more inherently secure than Windows, here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand, due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat, the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine comes up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance -
Moderators! Ease off the crack!
Who the heck moderated this thing up as Informative? It has one link!! To a well-known OS's website, no less!
Here, I'll be more informative:
Linux.com
Linux Kernel
Computer Emergency Response Team (CERT)
Securityfocus.com
Woo-hoo! Now I'll just kick back, relax, and watch the karma roll in... -
I was cracked
As Bender might say, Safe my shiny metal ass.
I'm an @home user. Before I learned the value of having a firewall (LRP rocks!), I was cracked once (IMAPd) and had my DNS killed (BIND buffer overflow; killed the daemon but didn't get root-kitted).
Based on my friend's logs, an @home customer can expect constant port scans.
Don't get me wrong - I like the service; people just shouldn't run unsecured systems. (For that matter, nor should you leave the keys in your car. ;-)
If your O/S is inherently insecure (like Windows), I would definitely employ a firewall. I use LRP (I like the control), but I know folks having good luck with those cute LinkSys units.
-
Re:Too Much or Not Enough
It's funny you should mention the TCP SYN attacks on Panix, because I actually did E-mail a description of this problem to the CERT a full three years before it was actually used as a denial of service attack. I also wrote to the IETF main mailing list a more general observation about denial of service attacks, and the need for all ISPs to do ingress filtering of packets based on IP source address in order to have a first approximation of DoS attack source (who you then go and stomp).
The CERT didn't get it. They did nothing about it until Panix was attacked.
The responses on the IETF list mostly moaned about the cost of adding all those filters to all those CPE routers, and how ingress filtering would stomp one mode for mobile IP...
Three years later, people were a whole lot more interested in dealing with this.
-
CERT is no longer an acronym
CERT is no longer the "Computer Emergency Response Team."
According to their FAQ:
"CERT" does not stand for anything. Rather, it is a registered service mark of Carnegie Mellon University.
Its history, however, is that the present CERT® Coordination Center grew from a small computer emergency response team formed at the SEI by the Defense
Advanced Research Projects Agency (DARPA) in 1988. The small team grew quickly and expanded its activities. As our work evolved, so did our name.
When you refer to us in writing, it's OK to refer to us as the CERT® Coordination Center or the CERT/CC. Although you should not expand "CERT" into an acronym, it's appropriate to note in your text that we were originally the computer emergency response team. -
Re:Erm.. the 17-july bug is patched on july 17th
huh?
Firewall logs?
Mine for several weeks have been showing almost nothing but port 137, 138, 139 shit which, at http://www.cert.org/incident_notes/IN-2000-02.html is:
"Exploitation of Unprotected Windows Networking Shares"
"Intruders are actively exploiting Windows networking shares that are made available for remote connections across the Internet. This is not a new problem, but the potential impact on the overall security of the Internet is increasing."
"Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised system not only creates problems for the system's owner, but it is also threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of systems attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in "IN-2000-01, Windows Based DDOS Agents"."
t_t_b
--
I think not; therefore I ain't® -
Re:Easy fix
That's right, Microsoft Outlook. I couldn't check my Microsoft Outlook e-mail using Microsoft Internet Explorer on Microsoft Windows in the Microsoft Store.
Perhaps due to the numerous security flaws in Outlook??
I'm surprised they let you use IE if that was the case!!!
-
Re:Foolish consistency: the hobgoblin of little mi
I am completely convinced that by version 8 or so, Perl will
- make "$", "%", and "@" optional
- will have a decent object-oriented system
It already has a decent object-oriented system i.e. an optional one (and what it lacks in syntactic sugar can easily be procured from CPAN). Personally, I hardly ever write non OO Perl (and, yes, I'd like to see it graduate from 'decent' to best-of-breed), but there's a bunch of areas - quick'n'dirty CGI, sysadmin scripts, optimizations and general gluing and mucking about - where OO is overkill. Don't forget Perl is a great Unix tool amongst many other things. You can munge the hell out of text with little more than a commandline salvo.
- will have useful threading
Try version 6.
- will have a secure sandbox ala Java
Er, you mean like Safe, which is as old as Java, offers vastly more control than the Java sandbox (it operates at the opcode level), and which, to my knowledge, has never met a script kiddie yet it couldn't politely but firmly kick to the kerb.
Perl has many fine and dandy features because it promiscuously and 'diagonally' soaks up good ideas (Larry has even been spotted flirting with C# of late). You don't have to be a hypocritical hobgoblin to want to make it finer and dandier: just another perl hacker.
-
This isn't a real problem
This doesn't affect anyone who uses the correct method of getting a public key. AKA EMAIL (At worst)
It's only keyservers that this could occur on. Personally I keep mine on my web pages, anyone who wants to mail me securely uses that, or the one I mail them...
Rule: Only use keyserver keys for verification of an unknown source, and even then, if it's important don't trust it...
EG I get the CERT key from their web site
It's your security people, don't give it to someone else...
-
Yellow Network Coalition, Risks, CERT, BugTraq
Some Useful Websites:
The Yellow Network Coalition takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.
They Need Your Donations of Old 486's and Other Hardware
The Forum on Risks to the Public in Computers and Related Systems discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.
The CERT Coordination Center carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.
I've also heard BugTraq is good and better than CERT for timely information but don't have a URL handy.