Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:What irony!
I'm sure that the server that the article is posted on is getting a nice "attack" on port 80 right now!
The article was also posted to SecurityFocus's 'vuln-dev' mailing list.. but I don't think it mentioned the notorious DDoS that is the Slashdot effect
:) -
Re:Didn't 2.2.19.1 fix this?
Yes. At SecurityFocus, there's a list of vendors that have supplied a patch for the kernel used in their distribution. But for me, (as a Slackware 7.1 user, and therefore a 2.2.16 kernel user), this 2.2.20 is a definite good thing. I had toyed around with the idea of getting the kernel from some other distro and applying that distro vendor's patch. It probably would have been a decent enough solution, but being able to simply upgrade to 2.2.20 is going to be a lot cleaner.
-
Re:Slackware has me worried
-
Re:It's to laugh
I don't mean to rain on your parade, but less than a month ago, a root hole had been discovered in the Linux kernel that goes back to 2.2.0. This is just as bad or worse than any bug that MS produces, most of which DON'T require affecting uptimes (though some may say the NT kernel takes care of that on its own).
:P
And with kernel bugs, you have two choices: a) recompile on your own, which is a pain in the arse for many machines if they're slightly different (woe is the sysadmin who tries to copy kernels from machine to machine) or b) use the questionable binary kernel downloads (even more woe). Sometimes I wish OSS people wouldn't take such a high road. -
Article on SecurityFocus
The volume of noise a router could generate absolutely dwarfs what a computer could do.
Of course, a router is a computer.
I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.
SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:
"What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.
"If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.
-
Re:Mac OS has never been exploited over a network
Odd. What's this? Hrmmm. I thought it was an exploit over a network... and I thought it was on bugtraq too. I guess I must be wrong...
-
It's been an off week for open source.
Mac OSX also got a remote root exploit of its own.
I don't know whether it's ironic or not that the introduction of open source software led to the first Mac-based remote exploit that I can remember in a long, long time. I'm leaning against it as code's still made by humans and humans still make mistakes. You'd be well-advised to remember this and temper your flames against Any OS That Isn't Mine next time. -
Yes, they do.
are there really people that talented and that dangerous out there?
Yes, there really are.
Do you think that Code Red is the work of a script kiddie?
Since (by definition) script kiddies don't actually create anything, someone must be writing exploit code. These "someones" are the black hats.
(And please hold your tongue if you think that the kiddies are using white hat proof-of-concepts - this email posted to Bugtraq clearly disproves that.) -
Inaccurate view of exploits
Checking through BugTraq and NTBugTraq shows an alarming trend; companies don't care if someone finds an issue with their software. Let me give you an example:
The Cisco 675 DSL router/modem. This device has very widespread use in consumer home and SOHO environments. Other Ciscos in that line were included in a particular issue that caused the router to hang completely until power cycled. Cisco was first notified about this January 10 2000 (no typo there, 01-10-00). A very easy to prove situation was shown to cause this. After 11 months of waiting and two notifications to Cisco, the notifier had given up on Cisco doing The Right Thing (c), and notified BugTraq about the problem, in this post, Nov 28th, 2000. Users from around the world tested, and verified the issue. Want to know what happened? Nothing. Not a peep from Cisco about this, until recently. The vulnerability DOS in the Cisco was never acknowledged by Cisco, and still isn't admitted. However, a notification of DOS vulnerability was finally admitted by Cisco here, 8-24-2001. Nineteen months since being notified. However, the entire reason for this wasn't the vulnerability mentioned of a skewed HTTP request, but simply its inability to handle multiple HTTP connections. Why? Code Red. The Code Red virus was banging on port 80 so hard that the routers would lock up hard and die until reset. Many thousands of DSL customers were affected by this, and IMHO, a redux of the HTTP code that should have been done over a year and a half before, would have prevented the entire nightmare of Code Red issues for owners of the Cisco 675 (Their systems are another story however).
Checking for other 'exploit code' on the BugTraq list should show that the people who create it are responsible, usually doing no more than running a 'whoami' in the case of elevated privileges. They don't arm 'script kiddiez', they do it themselves; however, the proof that a hole is exploitable is all someone needs to write their own. This is not a bad thing, this is a good thing.
It is general policy on BugTraq that companies be notified and given sufficient time to resolve issues, usually 3 months or so. If that lapses, it is the infosec engineer's responsibility to post the exploit for the world. The company won't listen to the voice of one competent person, but they will listen when their entire customer base gets proof that the company shirked on their responsibilities to protect their customers.
Toodles
-
Re:We've seen what they propose
Perhaps out of courtesy the security community could give the company with the bug a week's notice.
From the bugtraq FAQ (securityfocus.com):
0.1.8 What is the proper protocol to report a security vulnerability?
A sensible protocol to follow while reporting a security vulnerability is as follows:
- Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
- If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time post to the list.
- If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.
When is it advisable to post to the list without contacting the vendor?
- When the product is no longer actively supported.
- When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.
-
Re:can you say, plagiarism?
You mean like this message to bugtraq
Yes, that's the one. It's a special thing we do with posts from time-to-time, we call it a "summary". It's when the moderator takes the time out of his day to collect a bunch of e-mail on a subject, tracks who gets credit, and puts them into a single e-mail for the sake of brevity. The alternative is to let through 20 individual e-mails that have massively quoted previous mails, etc.. -
The Death Blow For Gnome?
After Redhat's recent announcement that Gnome won't be shipping with Redhot 7.2 due to security concerns, the last thing Gnome needs is to be dumped by another major OS. With the damage done to Gnome's image by the recently discovered remote exploits and concerns about possible back doors, what Gnome needs is a ground up re-write and a full audit of the code base to restore confidence. On top of that, Gnome has a long ways to go to catch up with KDE in terms of functionality. All in all, I wish Miguel the best; but I won't be using Gnome until I can be sure it won't give some kiddie an easy r00t on my box.
-
Re:can you say, plagiarism?
You mean like this message to bugtraq where he clearly gives credit to every single person, including some guy named Brett Dikeman for telling him about the tab to spaces issue of I Love You? Would this be you?
-
Re:This is Stupid
Sorry, my mistake. Earlier I had thought that that 2708 was not patched at the time, but I guess I was wrong.
-
Re:This is Stupid
The patches for holes that Nimda took advantage of had been available for months. The relevant BIDs can be found in here:
http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf -
Re:My biggest concern these days
No one -- EVER -- has proposed defining all hackers as terrorists.
I referred to this article, and my argument was rather more detailed. Really "hacking ~ terrorism" was not the entire focus of my letter. Changing careers because of that and other broadly-worded laws was. I'd post it here, but it's three pages long, I'm not into karma-whoring, and frankly I'm not interested in watching you dissect it.
-
Re:My biggest concern these days
And people wonder why Politicians ignore them. No one -- EVER -- has proposed defining all hackers as terrorists. What has been proposed is recognizing that hackers can be terrorists. Obviously if a hacker hacked into the right computer system, havoc could be wreaked.
Rule number 1 of writing to your representatives is having a clue of what you're talking about, and not looking like a knee-jerk crackpot.
That's certainly true, and if you had one, you wouldn't be playing the ignoramus in this thread.
http://www.securityfocus.com/news/257
"Most of the terrorism offenses are violent crimes, or crimes involving chemical, biological, or nuclear weapons. But the list also includes the provisions of the Computer Fraud and Abuse Act that make it illegal to crack a computer for the purpose of obtaining anything of value, or to deliberately cause damage. Likewise, launching a malicious program that harms a system, like a virus, or making an extortionate threat to damage a computer are included in the definition of terrorism."
BTW, this issue was discussed by Prof. Peter Swire of the George Washington University Law School on Declan McCullagh's politech mailing list, and he included a list of past cases that would fall under the "terrorism" category under the new law.
Next time, read first and then write.
mp
-
Re:The myth of OpenBSD
Furthermore, OpenBSD never published a list of bugfixes, or sent patches back to the maintainers. So nothing they did ever propagated outside of the extremely small world of OpenBSD users.
The conclusion is that Theo and OpenBSD doesn't give a flying fuck about Unix security or Internet security. They only care about OpenBSD security and the ability to crow when they avoid a widely disseminated bug, even though their unwillingness to share information has essentially made it impossible for them to upgrade the system.
Also, since their auditing process was never documented, you basically have to take their word about it. An interesting perspective from Al Viro, a Linux hacker, is here:
Finding and fixing these bugs is a simple matter of grep. So far it hadn't been done. ... Frankly, my respect to Theo went way down. This code had never been read through, let alone audited. And that's the core kernel. Moreover, the same bugs had been fixed in FreeBSD half a year ago. In other words, just keeping an eye on other *BSD trees would be enough to catch them. -
Re:Let's not forget... (nope)
He can't be charged with something that didn't exist at the time, that's protected by the Constitution.
Yes, I thought the same thing, but according to this.
"As a "Federal terrorism offense," the five year statute of limitations for hacking would be abolished retroactively -- allowing computer crimes committed decades ago to be prosecuted today -- and the maximum prison term for a single conviction would be upped to life imprisonment. There is no parole in the federal justice system."
Maybe I'm misunderstanding but it would seem he could be tried under new law. Which I agree is not constitutional.
-
Let's not forget...
From the Article:
If convicted, he could face five years in prison and a $500,000 fine.
This is assuming the ATA doesn't pass. Otherwise it should read Lifetime in prison with no chance of parole.
-
Really?
The article has such an astounding lack of detail that it makes me wonder if this is another case of Yahoo News hacked to provide a story.
How did they determine that there was any quantum entanglement? Once you've got enough atoms, the average properties of both are going to be the same anyway :)
For that matter, what was the setup? And how come the slashdot article says the report is in 'Nature', but the link takes you to Yahoo?
-
read this
Bookmark this site:
http://www.microsoft.com/technet/. Go there, subscribe to the mailing lists on security and other useful things. Read the how-to's, walkthroughs and useful documents about administering a Win2k/NT4 server. Now when you go to http://www.microsoft.com/downloads/search.asp?, you will see a form. Select the product, win2k server, select Date to sort on, and hit 'find it'. All patches you need to have are there, plus other useful downloads.
Other USEFUL information about how to secure your box: http://www.securityfocus.com/cgi-bin/microsoft_topics.pl
Windows NT kernel based systems have excellent memory management. You should start/stop services (net start/stop w3svc) once in a while. Or use 'kill'. Reboot not needed. Honestly.
-
Trust MSNBC to Pander
You might want to read this article to better understand what MSNBC considers to be fair reporting practices. In the face of the facts concerning where the pilots in question were trained, no less.
Sorry, but yellow journalism does not get me to believe anything. Perhaps if some real security news forum reported this, I'd believe it. MSNBC belongs on the Tabloid rack at the Pic'n'Save. -
Re:security focus DOD?
This URL is probably what you are looking for.
Added text to defeat stupid "postercomment compression filter".
-
It looks like Code Blue from here
Security focus has some information on it, we're seeing shedloads of hits at the moment
:( -
Outlook Express "security"
Google lists a few. Looks pretty insecure to me.
Not convinced? How about doing a search for Outlook Express at Security Focus?
Or browse a few Crypto-Gram by Bruce Schneier. Good reading, IMHO.
-
Re:First, make software install easier
-
Bugtraq?
Where is the bugtraq advisory regarding this security flaw?
-
Re:Oh well, maybe I'll become a criminal
I'm a little paranoid myself. When I leave my house, I often stop, turn around, go back and rattle the front door handle in order to make sure I locked it, and then have another quick look at the windows to make sure again that I shut them all. This is the sort of testing we all need to make on our houses and cars etc. to help to protect ourselves from attack. We need to be able to do the same thing with our computers. The big problem is: we are not capable of simply "looking" to see if we've left a window open... we actually have to test them... all of them. The only way of doing that is to use the "cracking" tools which are currently available. It's worse than that... I've got (that is, my computer has) windows I didn't even know existed... and still more! To deny users the tools to test their own computers for open "windows and doors" is to allow CRACKERS free access. The reason that so many worms and virii can spread so easily is because so many people don't check the integrity of their computer systems.... Instead of trying to block these utilities, governments should be _requiring_ people to have them installed and regularly updated! Perhaps there is a market opportunity for "cracker protection" software, much as there is a market for virus protection? In the meantime, keep up-to-date with anything you can get from SecurityFocus.
-
Same thing in the Security News biz
Security focus recently touched on this very subject. Except what they talked about were AV companies spreading virus paranoia to drive sales. If you think about it, there are a lot of parallels in the evil behind writing an inflammatory virus report to boost your ass out of the red and passing off an advertisement as an objective review. Maybe if this shakeout does enough damage to the payees, the backlash will carry over the payers.
-
The competition ain't in the Open Arena
Remember back when Unix was 12 vendors all yelling about each other that their competitors' Unix sucked and that theirs was best? Who won?
NT
It came up behind while the big boys of Unix were standing in their circle peeing at each other.
In corporate-land, the ones that have mainframes already and are facing huge IT costs and a recession, the ones who are winning the mailboxes are Exchange and Notes. They had virtually no share 10 years ago, now they have lots of network share. They also cost a lot to run (Gartner says $25+ per mailbox per month).
Now here's a company that runs on Unix, that has an IMAP server that can scale HUGELY on one (or many) boxes. That can give Secretary Joe the ability to do the admin on his group's 100 users and do that for 200 groups so that the system admin can do more important things than deal with adding a mailbox for this month's temp receptionist.
QMail? Postfix? Who? Go talk to the CEO's, the stockholders. Give Dan's support group a call at 4AM when your TLS mail isn't working right or general stability of the organization, this isn't a choice for those who don't really want to spend all their money running their computers.
Recall that when you're trying to run mail for 500+ people, there just aren't a lot of options out there. Notes and Exchange tack on the IMAP letters on their product and claim it supports standards.
For those in the Real World, take a look around at how many actual standards based tools there are with solid commercial support.
So Sendmail's MTA, IMAP server and Webmail client run on the Mainframe!? Bitchin', now I have something to counter those MSCE's who claim that we must run Exchange to survive. -
Re:Hidden agenda?
Yes, the movie industry is all aflutter about IEEE 1394 (aka FireWire). And that's because it's the delivery vehicle for their final and total control over what you see, how you see it, and how much you're going to pay for it.
Nice rant. However, judging solely on what has happened so far with analog/digital encryption/obfuscation schemes, I kind of like our chances...
DVD: DeCSS, MacroVision: descramblers, SDMI: hacked before release, SafeAudio: rumored to be cracked (worst case scenario -- high quality second-hand sound rips of SafeAudio "CD's"), and the list goes on and on. Now we just need someone to crack HDCP.
Oh wait, it's already been done.
Color me annoyed, but definitely not scared.
Jack Valenti can blow me.
(Warning parents -- the movie Jack Valenti Does Slashdot is rated NC-17. Which means nobody is brutally shot or killed, just hot sex.) -
nothing new
So what's new? Microsoft products are constantly getting maimed . Just type iis or windows into the search box here , for starters.
-
Re:here's the instructions how to do it
I just can't believe you quote an entire email and don't give credit to the author. That's just plain wrong.
My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.
/. sucks. FYI, the original findings were from
Research by wAwAsAn4
wAwAsAn4@root-core.com
Web: www.root-core.com
Email: [Digital-Vortex]@securityfocus.com
Voila.
-
Big Surprise - More info...
blah blah, we expect this from MS... blah blah, when will they get their act together...
This was already posted to BugTraq not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:
http://www.securityfocus.com/archive/1/205785 -
Re:Gives me an idea....
man syslogd
On a less sarcastic note, remote logging is a very good idea. Security Focus has a new mailing list about Log Analysis that would probably be of some interest to you, as there's been quite a lot of discussion already about remote logging.
You're right about one thing - it does save lots of trees :)
-
Re:This is absurd
Right. Code Red existed before eEye bulletin.
Check article "Full Disclosure is a necessary evil" on securityfocus.com
-
fluffy bunny
Now even the [cr|h]ackers are anti-disclosure:
Remember sourceforge getting cracked a couple of months back? Apparently, the guy who did this spoke to securityfocus.com about the attack. In this article he says:
"i hack, dot slash or whatever you might want to call it, i do not write my own exploits, i use other people's stuff, and no im not anti-open source, i am however anti-sec. i support the anti-disclosure movement among the computer and network security communities,"
Furthermore, the cracker said he works as a contractor in the field of security, and perhaps it is the ease of cracking so many sites using nothing but published exploits that makes him support the "anti-disclosure movement."
Although I am personally not against full- or partial- disclosure per se, I do think the anti-disclosure movement has a valid point. There does seem to have been a huge increase in cracking activities recently, and although the script-kiddie phenomenon is at least partially due to the rise of the internet/home computer (i.e. more kids with cheap pc's in their bedrooms), I do think that the current fashion for open-disclosure means that security holes spread into the black-hat community faster than most sysadmins apply patches.
On the other hand, if we go back to the anti-disclosure, it will be like pre-90s. The white hats will know one set of holes. The black hats will know a different (far more limited) set of security holes. This scenario obviously poses a whole set of different problems.
-