Domain: honeynet.org
Stories and comments across the archive that link to honeynet.org.
Comments · 115
-
And assuming you get them to upgrade...
...what do you assume the shelf life of a vanilla Linux/FreeBSD install will be?
Much as I enjoy the painful auto-fellation, put aside the inane OS chest thumping. A savvy user who stays on top of their patches and is security-minded will always be safer than a relatively clueless home user. -
Honeynet
For a more detailed version of this same type, see the Honeynet Project. Knowledge is power, as the saying goes.
-
Re:Good quote about now knowing it's there...
Thanks, weave. I am much more Unix-centric than MS-centric, and hence did not know this. I have done exactly one W2K install in my life. :-)
Hundreds of thousands of W2K boxes are hooked up to 24/7 broadband connections right now. Default installs, with IIS running, you bet. Not in server rooms, but in people's homes. And most of these folks don't know Jack about security. Yet.
Last week, we learned here about the writeup the Honeynet.org people put together on the fantastic aggressiveness of modern "blackhats". About how an unhardened RedHat 6.2 box, connected to the Internet without any publicity or announcement, gets root compromised in about 3 days on average.
Well, folks, what Lance Spitzner and friends are also doing is simulating your average non-technical American with a shiny, new 24/7 connection. You recall, the Honeynet is set up in Mr. Spitzner's home, at the end of a DSL connection. Without firewalls or host-hardening.
You know, early this week, I went through firewall log data which was clearly the traces of three reconnaissance probes against my company's networks. Now I'm not going to tell you who we are, or what netblocks we use. But it is not saying too much to relate that what I monitor (today) consists of a /26 and a /27 netblock. The /26 has 64 IPs. Throwing away the first and last IP (network wire and broadcast address) gives you 62 IPs for boxes. The /27 has 32; the same exercise yields 30 IPs for boxes. The two netblocks are close in IP space. So I expect competent attackers to sweep anywhere from 92 to 97 (adding in the external firewall interface) IPs when they check us out.
These probes sucked. One tried for 35 of our IPs, another for 55, the third for 93 (and missed 3 IPs actual boxes might have lived on). What script kiddy could be so dense? I quipped to my boss about "script infants", and he laughed.
Interesting thing is, all three attacks showed up in the same day's logs. And they all came from IPs owned by broadband providers. Hell, one IP was specifically spelled out, right there in the "whois" output, to live in a netblock reserved for cable modem customers.
weave's post leaves me with a wonder and a speculation.
My wonder is: were those incompetently executed sweeps the result of worm activity?
My speculation is simply this: CodeRed behaves precisely like the Honeynet Project's "blackhats", and what others, such as myself, call "script kiddies". They simply probe and probe and probe. And when they find a box that may be vulnerable, they fire off their exploit. Sometimes, compromising and then infecting the target box, which then replicates the same essentially mindless behavior. Where is such a strategy going to make the biggest splash? Easy answer: America's dens and living rooms, where, more often than not, nobody in the family has even heard of a firewall, and "hackers" are evil phantoms that the media depicts as targeting big outfits like Microsoft, Yahoo, and eBay. The attitude is "Hack US? Never, we're insignificant small fry. Where are the bragging rights in that?"
I've been worrying about this for almost two years, now. I swear, there are times when I almost want to wear a sandwich board when I walk down the street to work, which announces something like "REPENT, SINNERS! FIREWALL YOUR BROADBAND CONNECTIONS OR GOD WILL PUNISH YOU WITH ETERNAL HELLFIRE!". :-)
The fellow who wrote the CodeRed worm failed in his primary goal (DDoS against www.whitehouse.gov) mostly because he was a moron. He hardcoded the target by IP, not by FQDN. So the feds kept moving whitehouse.gov from one IP to another, updating DNS records all the while. BUWAHAHAHAHA!
The assh@le who writes CodeRed-II will probably not be such a knuckle-dragging dimbulb.
And he will produce a highly successful infector, if Ramen, Lion, and now, CodeRed are any indication.
In which case, the DDoS could very well succeed.
This will scare a lot of people badly. Including congresscritters.
Next thing you know, laws will begin their trip through Capitol Dung^H^H^H^HHill requiring that folks who purchase 24/7 connections register their IP addresses (or, perhaps their boxes, assuming DHCP-based IP allocation by ISPs survives the panic) by location. So that whatever constabulary organization(s) ultimately get tasked can verify (by use of nmap or something similar) that said IPs are properly firewalled, and write citations to serve to the folks whose IPs are not. Or a summons. Or just seize the box as a "menace".
And the next thing you know, the existing registration structure will lead to calls to use it to defray enforcement costs, on the local or national level. Holy shit, an Internet PC tax!
And heightened logging requirements imposed on ISPs will make it trivial for the self-appointed Guardians Of Public Morality to Save The Children by tracking porn downloads to their ultimate destination much more easily. Using rich data sources, legal compulsion mechanisms, and automated analysis tools these vermin only dream about today.
Of course, the next little item would be some real TEETH in DMCA enforcement.
Not to mention the disappearance of anonymity in chat boards, as multiple-terabyte ISP log partitions nab not only packet headers, but much of the packet body as well.
GODDAM! I've just GOT to get my lazy ass out to Home Depot! TOMORROW! Let's see
.. 2 24"x36" pieces of plywood .. two 12" pieces of strapping to hold the upper edges together .. a couple of sheets of 24"x36" pasteboard .. an extra-large magic marker .. maybe I should have the lettering done by a print shop ..... -
No difference.
Best practice dictates that you uninstall any unneeded services: if you install a vanilla (OS of your choice) server and point it at the internet, it's gonna get rooted in no time; the Honeynet Project has shown this to be (perhaps not statistically) true.
The service may have been exploitable, but the VAST majority of websites weren't even using it and as such should have removed the script mappings (and DLLs, for the truly paranoid).
Of course, IIS patches do a fine job of restoring script mappings behind your back, so maybe you have a point after all?
Easy does it! -
Re:A philosophical question
If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?
This is explained in the main paper:
http://project.honeynet.org/papers/honeynet/
To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever... -
FAQ No. 5
Good question - in fact it's the Honeynet's FAQ No. 5.
To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).
-Renard
-
Re:solution: don't use outlook
So you have never run GhostView on a postscript document have you? Or JavaScript in your browser?
What about that fetchmail exploit that went by the other day?
Are you "up to date" on your distribution's security patches?
Have you read http://project.honeynet.org/
I think we linuxers are too complacent and will suffer one day...
-
Two sides ...
On the lighter side, this must really tweak the folks at the Honeypot Project. "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.
On the darker side, this reminds me of the "toner wars" in Diamond Age , where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?
It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.
question: is control controlled by its need to control?
answer: yes -
Information Warrior
Well, considering the amount of success those Russians had holding credit cards ransom (before the FBI nabbed them) maybe there's a market to be tapped here. Simply collect masses of information and sell it to competitors, publish it on the net, or blackmail the owners, all from a hilltop above the silicon valley.
The benefits of this would be manyfold:
- You'd make money and become famous
- Evil corporations would get what they deserve
- Patent secrets would be exposed
- Evidence of corporate corruption could be collected (See how the honeynet project is able to collect info without a search warrant)
Naturally you can't do all of these things at the same time or even have all of these things done by the same person, seeing as the explanation for what the hell you were doing listening in on the traffic in the first place might range from dubious to illegal.
-
A related link...
The Honeynet Project has something similar.
That's two weeks worth of IRC logs from a compromised machine. A typical day seems to involve hanging out on the #warez channels and begging for someone to give you some credit card numbers.
-
Honeypot
It would be trivial for the RIAA to set a trap along the lines of this one using 'tagged' MP3s, DivXs, etc., and simply follow the trail of breadcrumbs.
-
Link not quite right
It was missing a slash. Here's the real link:
http://project.honeynet.org/challenge/results/ -
Re:Distributed Worm Computing
You mean like this one?
http://project.honeynet.org/papers/worm/ -
Honeynet Project
It's things like this that make things like the Honeynet Project look more and more attractive to me every day. I think that it would behoove more than a few of us to install honeypots on our networks and then prosecute anyone we catch. If there were enough honeypots around, we might start catching a higher percentage of the PFY's and getting Johnny Law knocking on their doors. While we may not be able to get the bastards in Romania, there are quite a few countries that don't look kindly upon this type of thing...
-
Re:When is this going to be commercially exploited
There is already a distributed.net worm. More info.