Domain: nessus.org
Stories and comments across the archive that link to nessus.org.
Comments · 102
-
Re:Won't work
Spoken like a true M$ fanboi! I think you have never been to http://www.remote-exploit.org/ or http://www.governmentsecurity.org/. For starters, just try http://www.nessus.org/. If you believe that privileges can't be escalated, would you mind if I use your PC?
-
Re:Linux
My university (Ohio State) tried implementing similar policies last year. They rolled it out to some portion of the student population and said at the forefront that anyone running Mac or Linux was exempt.
As an IT employee at Ohio State, I can assure you that there is more of this in the pipeline since it's mandated by the Board of Trustees.
I can't see comparing what is going on at OSU with what the OP reports at CMU -- Ohio State's efforts to lock down the network and restricted data are quite comprehensive and IT staff, like you, are concerned that it's done properly. Mac/Linux support is on the way -- most vendors do not support it so it's quite difficult for the University to support it. The scanners they run on your computer are not there to look at your personal files, track down copyright infringement, or anything else you might be worried about -- they simply look for OS/software patches and run an anti-virus/malware scan. If you don't run the scan with the agent, you will not have any network access. If you take some of the suggestions here and bypass the security agent, you are violating the AUP and, if caught, could face academic misconduct charges.
I can assure you that the University's IT office is underfunded enough that even if they wanted to go out of their way to scan your computer for anything else (they do not), they would not be able to.
On a related note: Somehow, when you connect to the residential network, they can detect some botnet signatures on your machine and will deny you access. Your MAC address is blacklisted until you reformat. It runs some utility to make sure you actually have reinstalled before they restore your access.
This isn't magic -- they run typical network vulnerability scanners and block you if a virus or bot responds from your IP. DHCP and switch info tells them your MAC address.
-
Nessus
How about Nessus?
-
Re:What does an Open Source monopoly look like?
-
Re:Maybe...
They're using Fusetalk as their forum software. It shows up in the footer on the error page that you get whenever you log in.
-
Ah. Freedom at last.
As a computer hardware and software provider who performs computer and network security diagnostics and technical support, I will soon be free to monitor and interact with *anyone's* network connection, service, or computer. Legally.
Stand back baby, I'm a Nessus monkey with a long list of a**holes, a can 'o nmap, a fully loaded Metasploit, and I ain't afraid to use 'em.
-
It's getting thick in here
Let me get this right... It's considered "out of the box" to enable OS 9.2.2 Classic web sharing inside of OS X 10.4.x (which has its own, also off by default), even though the current and previous generation of Intel Macs don't support running Classic at all?
To really get a feel for the validity of their results, get a load of this OS 9 Classic high-risk vulnerability:
"Nessus: The web server tested positive for an Oracle9i crash through an incorrectly crafted, long URL."
http://www.nessus.org/plugins/index.php?view=single&id=10654
I knew Macs could do many things, but having an Oracle vulnerability without having Oracle is impressive indeed.
Some things just make you say WOW
If they wanted to find OS 9 / Classic vulnerabilities, they could at least actually test for something real instead of going by questionable out-of-date nonsense in a database.
It is very likely that the old unsupported version of Internet Explorer on OS 9 does have some real vulnerabilities. They didn't even check for that. Of course anyone still using that is probably also vulnerable to eating food from the 90's hiding in the back of their refrigerator.
Their whole approach of using a scanner to compare security of OSes is deeply flawed. While it can be helpful for spotting issues with a machine that just sits there, like a server, it is nearly useless in the case of a desktop system where many of the undesirable events depend heavily on the behavior of the local user. Use of a scanner also neglects little things like browser vulnerabilities!
We're given nearly useless results, and more vulnerabilities for OS X than for XP and Vista combined.
Another MS funded "study" perhaps? It is Vista hype season after all.
-
Oracle on classic Mac OS? I don't think so.
Nessus "found" that the Mac OS 9.2.2 box had a vulnerability that would allow an attacker to crash, or run code in, the Oracle 9i application server?
Since Oracle 9i doesn't even run on Mac OS 9.2.2, I don't think this is likely to be a big concern.
-
Ok. I give up. Where's the list?
I must be in the brainless zone today. I cannot find this highly publicized and promoted list of IP numbers. We got articles, we got links, but IP numbers? Ogg not find. Ogg feeling stupid. Embarrass family. Ogg need know if his IP number on list, even though he regularly change router's WAN ethernet number, get new IP from glomcast. Ogg spend much time nmapping spammers. Running nessus. Ogg probably on someone's list as troublemaker. Ogg not care. Tired of UEC not from wild boar.
-
Re:I'm surprised...
The article seems to say they only use Microsoft solutions to provide their security.
emphasis mine on the following.
from the article:
a program run from the network scans the computer for security
The scanning program coordinates with Microsoft's methods for deploying patches
Microsoft's preferred antivirus software must be installed
They never mention that the "scanning program" is a miker$of product. It could be, but the article doesn't say. With all the marketing buzziness, you'd guess they'd have mentioned this.
They surely use another company's product for their antivirus. I do not believe they've bought a viable antivirus company yet.
I would guess they are using something like a ported copy of nessus or similar. It would be the height of embarrassment for them to admit to using Linux to probe for security flaws.
Other than that it is a fluff marketing piece. I wouldn't have expected them to be truthful or even aware of the number of successful breaches at miker$of.
-
Re:And if you use those codecs with MPlayer on Lin
and there are no "automatic" tools to sweep it clean
meh...not sure I entirely agree with you here, although I will concede that many Linux users don't know what tools are available and even less use those that are available on a regular basis.
Tools that I use regularly to keep tabs on my boxen:
1) chkrootkit (http://www.chkrootkit.org/): can be run from cron to look for suspicious files and rootkit signatures;
2) netstat -ep: to show what processes are using network connections;
3) lsof: to show what files on your system are open, who opened them and with what process they were opened;
4) Tripwire (http://www.tripwire.com/) or Sentinel (http://www.gecko-ak.org/Sentinel/), my own, open-source, much less functional, still really in development Tripwire-like file system auditor: to check for changes in binaries, config files or anything else on your file system that you would like to keep tabs on;
5) nmap (http://www.insecure.org/): to remotely scan computers on your network for open ports, and to audit the services using these open ports;
6) Nessus (http://www.nessus.org/): like nmap, only different;
7) tcpdump/ethereal/wireshark: to monitor packets in or out of your computer;
8) Snort (http://www.snort.org/): okay, I haven't (yet) used this one, but it's the open-source standard for IDS;
9) BitDefender (http://www.bitdefender.com/): anti-virus for Linux--we had to use this once at work to remove a Windows virus that had infected our Samba shares (note: the Samba server wasn't infected, but the Windows machines that were mounting shares from the Samba server were--and they kept rewriting infected Windows executables to the server).
So, no, most of these aren't automatic, and most of these won't clean your Linux PCs, but there are a host of tools that you can use to detect problems on your Linux computers. And, if you're really paranoid, there are several vendors that provide anti-virus software, just like what you find on your Windows machines.
-
Re:Security is simple
The parent is totally correct. I guess step 3 would be running every tool that you can think of to test for vulnerabilities (after you have assumed everything you have done is wrong and have patched/locked down everything to the most restrictive policies possible whilst still allowing the system to function). As most people know, nessus is one of the best programs for vulnerability testing.
That just leaves step 1?
-
100% agree with you
First of all, ISS's vulnerability scanner has turned into such a piece of dog doo, I wouldn't touch it with a poop scooper. In 2005, it was installing a vulnerable MSDE onto Windows boxes, and just patching the MSDE was enough to break compatibility (this vulnerability had been out for 3 months at the time). On the product side though, ISS's scanners have been thoroughly stomped by Tenable's Nessus and eEye's Retina.
As far as ISS goes on the IDS/IPS side, their products went from leader to lackluster. Snort, Tipping point, and Intrushield - need I say more?
Then on the vulnerability database side, you have the X-Force DB being demolished by the innovative Open Source Vulnerability Database led by real security gurus like Jericho, not to mention the other DBs like Secunia, NVD, etc.
ISS = vaguely reminds me of CA, corporate types taking good products and not keeping them updated, not innovating, and just trying to suck the blood from corporate customers.
-
Re:this slashdot news is already outdated
Umm, Amanda can be used to dump multiple machines to a single tape host, thus Amanda listens to the network via well known ports and thus is susceptible to buffer overflows.
/etc/services will contain:
amanda 10080/udp
kamanda 10081/udp
amandaidx 10082/tcp
amidxtape 10083/tcp
Nessus will scan for amanda.
Thus it would be nice if perhaps some of these bugs in Amanda were addressed.
-
Software can be shipped without known bugs
There are products available, memprof, Coverity, Nessus, which can be used to find and fix common forms of previous bugs. These fix everything from repeating previous security flaws (I note a previously unknown DoS flaw I found in Asterisk's skinny codec ages ago which emulated a bug in Cisco Call Manager exactly, which I found with Nessus), to bad programming, or programming mistakes (Coverity), to memory leaks (memprof). These types of bugs are unacceptable; there are tools out there to detect them DURING THE PRODUCT DEVELOPMENT CYCLE. I am not saying that you can fix every bug every time, but 5 digit numbers of open bug reports are unacceptable.
-
This is a problem with the "security" field
There is no code of ethics.
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities; I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly portscanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors into code on purpose. You have open source tools changing their license and closing their source because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stone's throw away from developers being held responsible for damages caused by software; there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application: the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security.
-
Nessus going closed source
What this all comes down to is our responsibilities as users and developers to the OSS products we use. Part of the idea behind open source is that the users contribute back to the project to better the project. You do not have to be a developer to do this, you can submit bug reports, help with graphics/web design, help with documentation, etc...
With the nessus project, yes there is community development, but the amount of contributed code was disproportionate to the long hard hours the core team has put in to it. I am not saying that community developers have done nothing, but a good example of what I mean is located there: http://www.nessus.org/plugins/index.php?view=newes . These people have families, or at least need to feed themselves, and cannot put this amount of work into a product that is making others money while they may or may not be going through hardship themselves.
In the end, you get what you pay for. Whether it be MS Windows, FreeBSD, Linux, Nessus, whatever..... Either you pay in cash or make your contribution.
I will continue to use Nessus, it has saved my a** numerous times and will continue to do so for as long as it is a great product.
-
Re:There's also the itsy bitsy license change...
According to the nessus.org site, OS X, Solaris, and Windows platforms are supported in early 2006. So for those of us who are currently running nessus on these platforms, we are now experiencing a minor inconvenience. In the meantime, be patient and test the software out on Linux. That way when it comes out on your platform you are already familiar with the changes and can implement them more effectively.
-
v3.0 Download? What Download?
Nessus 3.0 is immediately available for download from Tenable...
Their website doesn't list 3.0 as being available for download, just the old 2.26. What's up?
-
Re:Seems simple enough...
If the project is (L)GPL and you contributed under the GPL, they can't close the source.
Unless all contributors agree to re-license their work. IANAL, but I think this allows future versions to be closed.
-
More info links
Wikipedia entry
Official Website
sorry, bad karma makes people do this kind of post...
:(
-
Open source network analysis tools
What tools and methods are the best practice when trying to use Linux and Open Source to analyze and fix a network?
These are some of the tools to consider, in no particular order:
- Nagios
- Snort
- ethereal
- dsniff (not updated in ages)
- ncat
- nmap
- nessus v 2 (or one of the forks of version 3)
- SARA
You'll have to read the descriptions to decide which ones to try.
-
Snort is...
probably one of the best tools ever developed for open-source / security community. I've got a bad feeling from this whole Check Point acquisition, especially with the major revamp in http://snort.org/. Thankfully there's still http://nessus.org/....wait. Fuck!
-
Re:nessus is dead, long live gnessus?
You fail to see two sides of Nessus here, which might eventually lead to it being dropped from Debian. Be it a vulnerability scanner, an antivirus or an IDS, you have:
- the engine
- the rules
An engine without rules is not useful at all. And Tenable closed-source those already a while back. Just like Sourcefire closed sourced the Snort rules.
Quite sincerely, if I were the Debian maintainer (ehem), I would consider dropping support for both packages in Debian even though I believe it would be as much a loss to Debian users as to the projects themselves (less user-base => less exposure => less bug reports => less enhancements => .... => product dead?). It seems that Sourcefire, however, now has Check Point to sustain the project and fund its development even if the OSS crowd turns away from it.
-
GPL Screws Tenable and Tenable Screws GPL
A month ago I submitted a story (rejected, alas) about Tenable intentionally breaking the GPL version of Nessus:
When the 2.2.5 version of Nessus was released, Brian Weaver (formerly of OpenNMS fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weaver found the answer: strong evidence suggesting Tenable Security, the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus. With stunts like this, would you trust Tenable to protect your network?
-
no big deal
This is no big deal. Snort will continue to be GPL and freely available to the world.
I'm more worried about the recent Nessus changes; have you heard about this?
Nessus License Change Announcement
Nessus 2 will continue to be free
Nessus 3 will be a free of charge, binary only release
-
nessus plugins available
If you need to test the machines on your network Nessus http://nessus.org/ has released plugins.
-
Nessus
Snort isn't designed as a vulnerability scanner; Nessus is. And don't forget that nmap is pretty useful in the hands of someone who knows what they're doing.
As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out).
-
Re:ssh - so who needs a court order?
Jeez. I can (theoretically) sniff packets and I don't even need a court order. Just a copy of ethereal, nmap and nessus, none of which I have ever used or have any experience with. But as pointed out, a packet of encoded fluff doesn't do me, or the government, a lot of good, unless one of us has a way of decoding it in near-real time, and my secret decoder ring only goes to 32 bit.
-
Not a replacement for a book...
-
What UB does
At UB they have disabled ping, and also set up a program similar to nessus.
-
A few ideas:
You could implement a (hopefully automated) means of identifying a compromised machine. A single PC on listen-only mode with Snort -- perhaps with a few Nessus scans -- might do the trick.
Once you have monitoring capabilities, you can get to work on responses. You have a few options, depending on the available resources:
-- Put up a public notice somewhere (on a webpage, network status screen, whatever) indicating that the current network outage is a result of Joe's ineptitude. (i.e., use peer pressure to keep users' boxes clean.)
-- Send an email to the netadmins to have Joe's network access restricted. If the detection mechanisms are reliable, you could ask the netadmins to automate this facility.
-- Provide a facility for end-users to monitor their own recorded state. This will help those who don't know they've been compromised and/or want to make sure their network connection doesn't go away.
When disabling a user's access, it would be ideal if they could retain some limited connectivity so you can feed them a "You've been hacked" webpage -- ideally with some patch download links. Depending on your local network infrastructure, this may not be feasible, but if you can move a compromised machine to a separate VLAN with heavy ACLs, or simply QoS non-essential network traffic into the ground, that'll help when end-users try to fix their machines themselves.
-
Good Alternative to Windows Update
If you don't trust Windows Update to do anything right, I know I don't, you can use the Microsoft Baseline Security Analyzer to give you a list of what needs updating, and all the relevant information, so you can download the patches for yourself. I use this so I can keep copies of all the patches needed on my hard drive and can install them all without connecting to the internet.
Another good way is to load up Nessus and have a good crack at one of your windows boxes.
-
Re:Specifications
- It's very frustrating when you find previously unknown and undocumented features in software that you have purchased.
Well, for this situation finding a potential problem is easy: Port scan, security scanner. Two things that you should be doing on every network enabled device.
The time consuming part comes with the follow up where you check the results of the scans on the local machines and determine if you trust that the exposed services are being handled by secure apps. If in doubt, use an encrypted tunnel or yank the service -- whatever is appropriate. (If neither is an option, determine the danger and try and deal with it as best you can.)
Along with that, setting up a filter to check for supposedly unused ports can catch some clever developers.
Not perfect (it doesn't handle piggybacked dynamic connections on port 80 for example), though it is a good initial test.
-
Nessus is not quite free anymore
While the tool itself *is* still free Lightning has made a change in their pricing model regarding the plugins.
Check it out for yourselves, there are three feeds now. The main feed which used to be free is now on a seven day delay. While this doesn't affect a lot of the scanning efforts it is nice to know about the vulnerability that just came out.
Often when a new serious vulnerability makes news a company would like to know how they are affected right away. Now they will have to wait 7 days!
I don't think that there is anything wrong with this, I mean the developers at nessus (tenable lightning) have to eat too. But calling it free just seems sort of inaccurate now. Scanners without updated signatures work about as well as razors without the blades.
A 'Direct Feed' is commercially available which entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance.
A 'Registered Feed' is available for free to the general public, but new plugins are added seven days after they are added to the 'Direct Feed'. To obtain access to the 'Registered Feed', users are required to enter contact information for tracking and also agree to Tenable's license agreement for the plugins.
The 'GPL Feed' does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time.
Pricing
The access to the GPL feed and to the Registered Feed is free. Pricing for the 'Direct Feed' is based upon the number of Nessus or complimentary copies of NeWT in use within your organization, consultancy or service. The cost is $1200 per scanner per year. For more information, please contact Tenable's sales staff.
-
Nessus new (weird) plugin licensing terms
I just received e-mail from Fyodor and had this bad bad news.
Nobody mentioned that here.
(and probably nobody will read that since I'm stuck at 0 :)
-
How free is nessus anymore?
Looks to me like they just pulled the plug on over half of their rules, now you need to pay them money or agree to a fairly strict license and 7 day delay.
It's understandable, they have a lot of leeches on their back that aren't returning anything to the community. From the sound of things some are just outright trying to take credit for what nessus does.
-
Nessus (was: Re:Open source tools?)
I would say, try nessus. It is a very good vulnerability mapping tool. I use it to test various *nix/windows boxes. It has a lot of options which are sometimes overwhelming at the beginning. But, once you get used to it, you'll never leave without it.
Retina is another excellent tool, but pricey.
nmap and nessus are always in my 'bag'. I use them on a regular basis.
-
Re:It's easy to blame the users...
- We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.
If the services that the viruses are using aren't enabled, they can't be exploited.
Here's one way to deal with this...
Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2 system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would lose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.
Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).
-
Perfect!
I was just doing this analysis myself. Having an initial list of what's what is a bonus.
Remember, Nessus is your friend.
-
F/OSS Tools
Not sure how helpful this will be in huge environments, I live in the small to midsize market, but here are some tools that I have found useful in the past:
Not exactly a monitoring tool, but definitely the most versatile all around auditor I have ever found: Nessus.
Ettercap is a good sniffer.
The MRTG tool has been a godsend when I have had managed devices to deal with, and I have heard very good things about the RRD tool and Cacti.
Tripwire is freely available for Linux and the BSDs, though the Win32 version has not been open-sourced.
One tool I have not been able to find in F/OSS is a Windows event log monitor (though believe me I'm still looking).
-
Re:Old news
Here's a link:
http://cgi.nessus.org/plugins/dump.php3?id=11580
And here's a clickable hyperlink (you may have seen these before):
http://cgi.nessus.org/plugins/dump.php3?id=11580
Seriously, it's not that hard! In Slashdot all you have to do is put <URL: at the start and > at the end.
-
My List
1. Nagios: monitors your servers/services, emails, pages, sends a carrier pigeon when one goes down.
2. Logwatch: Logwatch is something that should be used by every Unix/Linux SA everywhere. It gives you a daily snapshot of events in your logs
3. Mon: Nice, simple, easy. If your webserver goes down, your secondary can bring up a virtual ip a couple of seconds later. No more annoying three am phone calls
4. Snort/ACID: lets me know if a virus breaks out, or if there are stupid script kiddies trying to brute force their way in.
5. Nessus: run it early, run it often. Figure out any holes you have in your security, and make sure you fix them.
There's more, but you should really do some of your own homework.
-
Re:How to spot what is happening
Another good rootkit checker, which seems to have a more active development cycle, is Rootkit Hunter. Here's a Newsforge article on it, with a few more details.
A few other comments:
Virus scanners won't help one jot against a custom hack (as Valve found out, for instance). They can be helpful, but don't put full reliance on them.
Running an Intrusion Detection/Prevention System such as Snort, Samhain, Prelude, etc. will help you manage the monitoring side of things; more than a few machines becomes a pain without additional help. Also take a look at centralising all your logs on a syslog-ng server or something similar, if you don't already (note that there are various solutions out there to get Windows boxes to log to a syslog server).
A honeypot may distract the hacker from your production servers for long enough for you to identify that there's a problem.
Also take a look at "HoneyTokens": specifically created database records that trigger alarms if they're accessed - usually high profile fictitious targets that would make excellent trophy hacks - there's more info on this over at SecurityFocus.
If you suspect that a machine has been compromised, as others have said, the ONLY WAY TO BE SURE is to rebuild the box from scratch. While this may be a real pain, hopefully it'll help you get the procedures in place to make this as painless as possible, so it's not all bad.
Perform security audits/pentests every now and again. Tools like Nessus help: here's a good series on using Nessus (part 2, part 3).
Get familiar with security tools such as the top 75 recommendations at Insecure.org (home of Nmap).
Remember that security is a PROCESS, so be thorough; get an entire plan together and cover all the bases that you can, taking special care to identify and cover the weak points. Your company's security is only as good as its weakest link; for instance, privilege escalation of weak user account passwords is a good one.
Read SecurityFocus, PacketStorm, CERT and the like, and try to get involved in their communities; they can be invaluable! They've also got a lot of good tutorials, such as how to lock down Apache, IIS; securing PHP, ASP; etc.
-
Re:Centrally managed network enabled spyware remov
Easy, try nessus. Nessus scans networks for security vulnerabilities and spyware as well. To scan for spyware, it needs remote registry access so give it an account with sufficient privileges. Just look at the plugins page to see which spyware it can detect.
-
At least they didn't get any source...
...in those attacks, like they have in the numerous Microsoft leaks. Imagine the strife we'd be in if they stole the source to Debian!
But seriously, how shall I put this? ChkRootKit, TripWire, AIDE, FICC, ProSum, Toby, msec, Nessus, LSAT, Saint, LIDS and of course if you want totally proactive, try SELinux, Medusa DS9 or OpenWall. That's hardly an exhaustive list, but it does hit many of the highlights. Boy, youse bin livin in a monoculture too damn long!
-
Ethereal, nmap, nessus
It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
- nmap for basic port sniffing.
- nessus for more extensive security sweeping.
- ethereal for packet capture & analysis.
- snort for intrusion detection.
- magnum marine for spammer management (I feel a mod-down comin on!)
I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).
-
Re:Other Useful Utilities
Don't forget Nessus, a vulnerability scanner similar to SATAN and SAINT.
-
Nessus can scan for spyware
Just look closely at the nessus Plugin page. You may have to give nessus the remote registry access password but it can scan an entire network quickly with no special software on client machines. Please, try it on your own machines only or be sure you are permitted to conduct that kind of scan.
-
Sys Admins: Do This
Step 1. Get a Mac running *NIX.
Step 2. Get 3 computers of the same hardware.
Step 3. Do default installs of Darwin, Windows 2003 Server, OpenBSD 3.4, and Redhat 9. I mean default.
Step 4. Get another *NIX box, doesn't matter what it's running.
Step 5. Install Nessus on the box from step 4. If you've never used Nessus, then you're not really doing all of your job ;)
Step 6. Run full Nessus scans against all 4 computers.
Step 7. Publish results, hardware config, OS Config, and Nessus config.
Leave the operating systems as default installs, this test will not tell you anything other than which OS is more secure by default according to Nessus.