Domain: iss.net
Stories and comments across the archive that link to iss.net.
Comments · 121
-
Re:Hhhmmm...
Heck, you don't even have to install third-party software--just enable the stuff that comes bundled with the system. E.g. lpd, ftpd, sshd (OpenSSH), dhclient, et cetera, et cetera...
OpenBSD's just got good marketing... as you say, their security's on par with the other *BSDs and the better Linux distros.
-
Re:So...
> I would certainly hope that a cookie wouldn't
> contain that information. Usually a cookie just
> has an identifying number, and all information
> is stored server side. I can't imagine anyone
> doing otherwise
You don't have to imagine it. You can just go here. Or here. Or here, or here, or here, or here...
Chris Mattern -
Re:Worrisome first volley
The ignorance on /. is particularly high today.
Java, of course, is composed of byte code that runs in a "sandbox" which is supposed to prevent malicious attacks on a user machine.
Applets are, yes. Applications are NOT. .Net is exactly the same. .Net "applets" loaded from the web are in a sandbox.
Say what you want about Java, but from what I can tell Sun has been pretty successful in achieving their security goals.
Not really. There are several ways Java applets can jump out of their sandbox, most relying on overriding ClassLoader security restrictions.
Brown Orifice is a real-world example of this.
Of course, both .Net and Java files are vulnerable to "old school" viruses, you know the ones that actually modify the executable files. Like this one. -
Real Secure
-
Some methodology flaws
It took me a while to download the report (/. effect no doubt) but now that I look at it, even a quick skim of the testing methodology shows some obvious flaws.
Page 165: The Tests
all available signatures enabled
This is not a level playing field. The product that I helped build (ISS RealSecure) contains a number of signatures that are not intended to be turned on in normal usage. For instance, RealSecure can generate an event for every single HTTP GET request on your network, no matter how inane.
This feature is intended to be used as a special purpose tool, for instance to analyze web usage over the short term. It is not intended to be turned on during normal IDS usage. If you do turn it on, it often overwhelms your console with tons of incidental data and rapidly fills your logs.
Page 166-167: Performance Under Load
Another RealSecure specific problem here is that RealSecure deliberately drops redundant reports and does not count them, so that you do not get inundated with a million messages that tell you the exact same thing. Therefore I would expect it to fare very poorly in the boping count test.
Others in this thread have pointed out the danger of using tools like SMARTBITS to generate background traffic. The problem is that unless you really know what you are doing, SMARTBITS is likely to generate traffic that is entirely unrealistic. (For instance, TCP data packets that don't correspond to an actual open session that the IDS would have been tracking). This can cause both unrealistically good and unrealistically bad performance, depending on what the background traffic actually is and how the IDS is built.
The assertion early in this section that "if a sensor detects 100 per cent of attacks at 100 per cent load in this test" (of minimum length packets) that it "can handle anything that is likely to be thrown at it" is patent BS. Yes this is the worst case scenario of "packets per second", but packets per second is not the most important metric here.
I also note on page 177 and 178 in a footnote that neither RealSecure nor BlackICE were "re-tested for Edition 2", yet they are not reluctant to conclude that SNORT is better than the commercial products. I think we've got an apples and oranges problem here.
I also question whether their assertion that all products were tested with their latest signature updates can possibly be true, if they didn't retest all the products. Most of the commercial vendors release new signatures on a regular basis.
(This is also true for the Cisco, CA, Symantec, Enterasys and other products in the comparison, if you read the footnotes carefully).
-
You pay for performance
That's all well and good, but have you ever tried to put SNORT with a large number of signatures enabled on a really high speed link that is well utilized?
I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbyist programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.
So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker a lot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.
Disclosure: I helped build one of the systems that Snort supposedly beat, and I analyzed the source code for another one that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.
I no longer work for that company so have little to gain by saying this.
-
Re:It exists on Windows: ActiveScripting
Will you explain to me why ActiveScripting (the API) is inherently itself insecure?
My experience has been that most of the script-related security problems on Windows are not the scripting language itself, nor the API that binds it to the browser. They were caused by poorly written COM objects which were then accessed via scripts. Even NIMDA, though it uses JavaScript to launch off a web page, is actually exploiting a hole in IE/Outlook express.
I worked for Internet Security Systems for four years, and wrote a lot of the guts of their Intrusion Detection System, so I think I have a decent familiarity with the security issues here.
But maybe I missed something, feel free to explain what...
-
zdnn sources credibility?
WIRED: EEye alerted Microsoft's security team immediately upon discovery of the vulnerability several weeks ago and has worked closely with Microsoft on the development of a patch and the expeditious alerting of system administrators worldwide.
ZDNN: On that basis, Microsoft scores highly for its response, said International Security Systems' Rouland.
"If you compare the speed at which Microsoft responds to these vulnerabilities, it's incredible," he said. "They get through with the information and the fix much quicker than you'd see with open-source software."
(emphasis mine...)
Fair to say that M. Rouland just scored a huge A+ in my "troll of the year" quest...
But does someone know what the hell is International Security Systems, except a lame sounding name?
The closest I could find is a Christopher J. Rouland working for X-Force @ Internet Security Systems (xforce.iss.net)...
-
Given the never-ending security flaws...
WIRED: EEye alerted Microsoft's security team immediately upon discovery of the vulnerability several weeks ago and has worked closely with Microsoft on the development of a patch and the expeditious alerting of system administrators worldwide.
ZDNN: "It's just far too complicated--one new capability, one new feature can open holes in an operating system that was thought to be air-tight," Wheatman said. "Security is never done. It's part of the development process."
On that basis, Microsoft scores highly for its response, said International Security Systems' Rouland.
"If you compare the speed at which Microsoft responds to these vulnerabilities, it's incredible," he said. "They get through with the information and the fix much quicker than you'd see with open-source software."
(emphasis mine...)
Fair to say that M. Rouland just scored a huge A+ in my "troll of the year" quest...
But does someone know what the hell is International Security Systems, except a lame sounding name?
The closest I could find is a Christopher J. Rouland working for X-Force @ Internet Security Systems (xforce.iss.net)...
-
A director at DoubleClick....
is on the Board of Directors at Internet Security Systems (ISS)
.... You would think that they would have thought to at least run ISS Internet Scanner against their websites or had a third party PenTest of their site in the past 2 years. It would have surely found that backdoor. -
ISS advised on this over a year ago
No offense to our competitors at the company referenced, but ISS issued an advisory on this over a year ago. Read it here:
Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications--Tim Farley, ISS
-
Recent Security Problems
"And the recent security problems with Linux, coupled with the lack of key enterprise elements in the new kernel, really call into question whether Linux should be used at all," Miller added.
Ya, I remember those.
That's why most machines on the net are running Unix. By choice I might add.
-
Use those sources...
I expect this is the Trinity attack that is described in considerable detail here by X-Force. You can find the actual article and analysis of the Stacheldraht tool here written at the University of Washington. The author of that article claims that he wrote a program that detects Stacheldraht on a system. Of course, getting the ISPs that are sending these DDOS messages to actually use some security might be a bit difficult. By the way, this is old news, since the CERT advisory is dated June 99.
Thalia -
Better Article.
There is a much better article at http://xforce.iss.net/alerts/advise59.php .
-------
Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.
The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity) someone needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"
-------------
-Pete -
Re:A friend did something like this
On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator etc). Anyone know of something like this?
Whilst this sounds like a good idea, and can be done using most IDS/firewall combos (e.g. RealSecure from ISS or NFR from... er... NFR), in practice most admins shy away from using it for fear of it being turned against them and their networks (think spoofed attacks that appear to be from the "victim's" business partners).
-
Re:Teach Me How To Be Secure
Any pointers or links would be highly appreciated, by myself and others.
Apart from the other recommendations made (Essential Sys Admin and Practical Unix Security are must-haves), I would suggest:
- Install TCP Wrappers and configure it appropriately. Block anything that you don't need, log everything else.
- Read the corresponding tech tips from CERT, depending on what you need (e.g. if you want to set up an FTP server, read the "Anonymous FTP Configuration guidelines")
- Read the WWW security FAQ if you are planning on running a web server.
- Use Tripwire. They have a commercial version, but you can always use the free version (1.3). I think they also give the newer version for Linux for free.
- Read other documents at http://www.cert.org/nav/securityimprovement.html and http://xforce.iss.net/library/faqs/.
- Be always alert for anything strange that happens on your system. There is no substitute for an alert and informed sysadmin.
-
Re:JetDirects & Linux DON'T WORK
The problem isn't with RedHat's "lpr" implementation but with certain older versions of the JetDirect firmware. See, for example, this ISS Security Advisory which describes the problem, and related DOS attacks, in detail.
Newer versions of the JetDirect firmware have working TCP/IP stacks, which may explain all the wise-asses who wonder what "you're doing wrong".
The easiest solution for those of us unlucky enough to be saddled with bad firmware is to switch to LPRng and, following the advice in the LPRng-HOWTO, use the printer's port 9100 as a direct link to the print engine.
At our site, we had no end of problems with HP printers crashing, locking up, and losing jobs whenever two people tried to print at once. One day, I bit the LPRng bullet (and even installed "magicfilter" while I was at it). The configuration was a little work, but it was worth the effort. Finally, we have a printing system supporting Linux clients (using both LPRng and legacy "lpr") and Windows clients (via a Samba server acting as an LPRng client) that seems to work flawlessly.
Of course, all our printers are PostScript, so we don't have to worry so much about this newfangled CUPS stuff.
-
Free NIDS
For those of you who are interested, there is a trial version of ISS's Real Secure, which is a very good intrusion detection system; it's the best I have ever seen and used.
I fully agree that IDSs work best as a part of a greater security infrastructure. This technology is the perfect complement to firewall, just as internal alarm system complements a locked door. How many people *here* would trust only a locked door to protect their computer?
BTW: there are versions of RealSecure (agent, for sure, and I think manager too) that run on NT, Solaris, and (drum roll, please) LINUX, so check it out! -
Re:It is "crackers" actually.
Underground+"computer security" equals pretty much crackers for me. Unless you are a cracker, "computer security" is rather boring (yes useful, necessary, but boring), and I can't imagine why people would meet for several days on this subject.
Says you. I work for the ISS X-Force, and I'm not bored.