Slashdot Mirror
SANS Releases Top Ten Exploits
Lizard_King writes: "System Administration, Networking and Security (SANS) Institute published a list of exploits most often used to gain illegal access to network servers. View the list here." This is really a very good list, compiled from the viewpoint of fixing the potential forthcoming breach. Good work!
What does having a driving license have to do with sysadmin ability? I do not have a driving license and until they (a) invent an environmentally friendly car and (b) make it possible to park in my city and (c) make it possible to drive faster than 10 mph in my city and (d) make car collisions no more fatal than bicycle collisions, I never will.
Bow down and worship the god of petroleum.
That's a nice command, but really, if someone is smart enough to get in, get root, and replace bins. Don't you think they'd include a hacked rpm too? Sure your low-level script kiddie wouldn't, but for serious cracks you cannot trust a single thing. That's why security has to be kept in the forefront from the time you build a machine.
My personal favorite article submission was this:
2000-05-04 19:49:50 Best way for Slashdotters to feel sorry for me? (askslashdot,ed) (rejected)
I had a nice write up put in for that. Too bad ya can't get it back...
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Hmm? What's wrong with being connected, as long as you don't allow incoming connections from the Internet? Setting all your daemons to only bind to eth0 isn't that hard, once you've disabled the ones you don't need anyway.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I suppose if you can get the luser to run a "trojan" like BO2k, Sub7, etc. then this would be a problem in the scenario you describe. Any modern up-to-date virus scanner should find the more popular ones, though.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Yes, but they are only concerned with problems that can be fixed. Enntee usually can't, so there's no use in reporting and tracking the problems. If you sign with the devil and use enntee, you just have to accept that you're going to get 0wn3d sooner or later.
That's right, q***l and postfix are fairly obscure, so the kiddies don't have sploits for them. Of course, if everyone used them, then this advantage would disappear. This is really just personal bias against Sendmail, so I'm calling you on it. :)
They only allow code into the main tree that they have audited. this includes BIND. obsd still uses bind 4
while bind is important, not sure it deserved to be number one.
the docs and the man pages are also carefully maintained. almost all the man pages have examples.
Hmm... it may be possible to create a PS virus, after all, it is a real programming language. It may be possible to make a specific printer "catch on fire"!
****Gfx Scrollbar Special case hit!!*****
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Wrong again. The good sysadmins ignore CERT, and spend their time groking the cracker sites. Their servers don't touch a net wire until the box is secure. The good sysadmins realize that over 90% of system crack attempts come from internal employees who have at least some level of legitimate access to the system. The good sysadmins work closely with the C?O's of the company, making falling for most common social engineering pranks grounds for immediate termination.
Good sysadmins have their own private networks where they abuse their own systems. They don't believe a word of market-speak about any product unless they can verify it in testing and with common sence (market speak such as OpenBSD being secure "out of the box". Secure - and running NFS and sendmail OUT OF THE BOX BY DEFAULT. Very dumb.).
Good sysadmins are differentiated from the really good crackers only by ethical choice. They are just as dedicated to the security and integrity of their systems as the hardcore cracker is dedicated to exploiting them.
Not to be a troll, but why do you recommend qmail or postfix over sendmail? It is true that in the past sendmail has had a ton of security problems, but so have most daemons that existed at the dawn of the internet.
Since then it appears to me (perhaps naively) that sendmail has been patched appropriately and is probably the most battle-tested MTA out there.
Maybe you could argue that sendmail is harder to configure than qmail or postfix, and thus more susceptible to security-compromising misconfigurations, but is there more to it than that?
If you are that confident in sendmail, why don't you put up the same amount for sendmail?
Je ne parle pas francais.
The 'High Priority Bonus' pretty much covers what's wrong with NT. In and of itself NT isn't bad, but all of it's 'conveniences' defeat an otherwise decent security model. That coupled with global sharing of files, drives and peripherals... Running as Administrator, the 98/95 open file system available to all users.
:) The article is about technical problems, for the most part, while most of the problems with NT result from poor administration and ignorance.
I guess the authors found it hard to write a paragraph outlining sheer idiocy..
-- What you do today will cost you a day of your life.
The only virus that I can think of (don't quote me on this, its been awhile since I was studying this stuff) was the Bubbleboy virus, which caused little damage. Link to article about it below http://www.zdnet.com/zdhelp/stories/main/0,5594,23 90955,00.html I just skimmed it, but it seemed generally accurate.
scp is to rcp what ssh is to telnet. There are a few implementations of ftp through ssh but no standard that Ive heard of. The solution of course is to open a ssl tunnel and use ordinary ftp through it.
Did you try turning on auditing?
Linux(aggr) is misleading. If there is a root exploit in bind it would get reported and fixed in redhat, mandrake, suse, debian, slackware, etc. That is one root exploit but it gets counted 5 times.
There are lies, damn lies, and statistics.
Computer modeling for biotech drug manufacturing is HARD!
IMHO,
DeanT
"This consensus Top Ten list represents an unprecedented example of active cooperation among industry, government, and academia.
I was trying to think of some comments about things like the Manhattan Project, but I think the quote stands on it's own.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?i d=11876
Cheers.
GNU/Linux. The Freshmaker.
This is what I see when I ftp to my nearest Red Hat mirror:
dir bind*
-rw-rw-r-- 2 johan ftpadm 1672369 Mar 8 20:40 bind-8.2.2_P5-9.i386.rpm
-rw-rw-r-- 2 johan ftpadm 405796 Mar 8 20:40 bind-devel-8.2.2_P5-9.i386.rpm
-rw-rw-r-- 2 johan ftpadm 656849 Mar 8 20:40 bind-utils-8.2.2_P5-9.i386.rpm
And these packages aren't even updates, they're the packages shipped with Red Hat 6.2. So, no, the current Red Hat packages are safe in this sense, and I think you're wrong.
GNU/Linux. The Freshmaker.
A list of things that network people know about, so that the crackers can use this as a baseline. Odin's left eyeball, is this a first post? I'm so honoured! -TBHiX-
Basic checking would be to run an rpm verify if you're using an rpm based system. Better would be if you'd run a tripwire session in the beginning and you had correct checksums stored elsewhere.
.history files on the system (heh, some guy who hacked a user account on one of my machines many years ago missed cleaning that one). Run COPS or similar tools. Check all security related config files.
Otherwise, scan the logs, run a find through your system for any suid files and check if they are what they're supposed to be, check all
Any of which can show you that you have been compromized, none of which will prove you havent.
All of which will take far far longer than reinstalling.
Wrong. The good admins patched their systems before this list came out. The good admins subscribe to the CERT mailing list, or at least keep up on the CERT webpage, and they respond appropriately to ALL advisories. And good sysadmins use good passwords.
-----
Because he isn't from L0pht any more, but from @stake, and the signatories are in reverse alphabetical order by organization.
Sendmail is slower, more complex, and less secure than qmail. Only advantage I think sendmail has is its flexablity. Qmail isn't perfect but in my experience its a lot better than sendmail. When you get sick of patching sendmail check out www.qmail.org. And if you don't think Qmail is battle tested, go ahead and try finding *any* exploits for it.
There is an alternate authentication method for
pop3 named apop (see rfc1725).
This involves a salt from the server (usually
timestamp) which client concatenates with passwd
and then runs through md5. Server does the same
operation and then compares. md5 (see rfc1321) is a oneway hash function believed to by cryptographically secure (the fastest way to break it is brute force) so this is very good at on the wire password protection.
Enforcing this at the server also has the nice
effect that people can't use outlook (without
a middle shim layer converting from pop3 to apop)
11. Anything, even if it's vaporware, about Apple.
Mindy: "Well...desserts aren't always right." Homer: "But they're so sweet!"
"7h3 n@m3z n30!"
I did not know that. Thank you. Unfortuneately at school here we use plain test. I like saying things like 'oh me, I didnt put that packet sniffer on the machine. oh by the way, your extra-marital boyfriend is busy tonight.' hehe
pop is plaintext too.
Basically the difference between telnet, and ssh is the way in which the characters are sent between your machine and the remote one.
With telnet each of your keypresses is send plain text, whereas SSH uses encryption which stops people from sniffing your connection.
If the remote machine runns SSHD, (the ssh server), then you really should be using SSH.
For a free SSH client for windows do a search on : http://www.gnusoftware.com.
Steve
---
RCP is to FTP what SSH is to Telnet.
Steve
---
The Ponds Institute just released a list of top cosmetics that cause wrinkles.
The ones shipped with 6.1 were vulnerable, though.
SANS is well known....Obviously you are not in the know.
jas
http://packetnexus.com
12 year old will learn more about these holes, possible cracking un-protected systems
Oh, come on. They hardly said anything about how to exploit them, and anyway, exploits are all over the place. Especially Bind, I know people who got rooted because the current RH RPMS aren't safe (that includes the updates, they're only up to P3, whereas P5 is the only safe version currently available). And that was months ago.
And these packages aren't even updates, they're the packages shipped with Red Hat 6.2. So, no, the current Red Hat packages are safe in this sense, and I think you're wrong.
I was talking about RH 6.1. And, oh my, guess what? RH 6.1 updates is still on P3 (as is 5.2). "Current" RH, ie, the absolute latest release, is safe. But I know people who were running 4.2 until only last winter, and recently (Wednesday) I installed 6.1 on a machine that had been running RH 3.0.3. I admin a good dozen machines running 5.2. A lot of people (myself included) are running 6.0 or 6.1. People running RH < 6.2 will think "Oh, I'm safe, I've got all the updates". And then they'll get rooted and wonder what happened.
I saw this list last night, and my first thought was that it couldn't possibly be right, as most of the compromises on this list are UNIX related. NT accounts for twice as many web server compromises as every other OS combined, even though it holds only 21% of the Internet web server market.
As far as web stuff goes, yeah, Apache is a lot safer than IIS (just based on the relative number of exploits and bugs listed on Bugtraq). However, the big-ticket items there were bind and sendmail. AFAIK, neither of these even run on NT, and even if so, I'm sure Exchange and whatever NT uses for DNS is more popular on the platform.
Personally, I think that, OS to OS, most Unix variants are more secure than NT. But some very popular Unix software is pitifully insecure (bind especially). Hopefully bind 9 (betas are out now!) will improve on that record. But for now, I'm glad my name servers are running on m68k... any Intel-based DNS server is probably going to get rooted faster than you can patch it.
Don't run this script if you don't trust your local users. It can have some funny effects if they use file names with embedded spaces.
Anybody know a IMAP client that supports the following:
- tree-view of IMAP folders
- three-window layout (like Agent)
- multiple account support
- choose sender address at send time
- login as needed, whenever a folder is opened, without switching accounts.
Of course, it also integrates well with the rest of Windows (ducking). You just gotta watch those attachments.I've tried Simeon^H^H^H^H^H^HExecmail, and didn't like it much.
Edith Keeler Must Die
Actually ICMP Packet Too Big is used for MTU discovery. There are several ICMP packet types that are useful. I block most ICMP from most machines I admin, but there are some types that are handy. I tend to allow more types of ICMP packets inbound than I do outbound. It's nice to get a port/address/net unreachable inbound so I don't have to wait for a timeout.
I really shouldn't have used someone else's email address for this account.
I read about this at ZDNet, and wasted time reading those comments. Seems most Microserfs view this as news that MS makes a *better* OS. Sad that they don't realize that MS makes a *better* OS for idiot use, like providing the *safe* plastic spoon and fork to my children. I learned on Windoze, then moved to *nix when I figured out which was my ass and which was the hole in the ground. Too bad ownership of computers isn't regulated...
That said, I think it *should* have been included, since it is the biggest source of web defacements out there....
You mean like the manager that has them in his Rolodex under "P" for "Password"?
LongTail SSH Brute Force analysis tool is here!
BSD is better than Linux :) who needs to claim?
Chaos, Mayhem, and Destruction: Not
Honorable mention: using Microsoft products at all. (Though they do mention a few by name.)
Ok, ok, a more realistic danger: not caring about security. It's one thing to say, "yeah, we're secure," just because you don't think you've ever been hacked. It's something completely different to actually have someone look around for exploits to use against your site or products, even just at the script kiddie level that untrained people (which includes someone panic-drafted into a "make us secure" effort) can easily do.
I think this is where I come in =) ...), OSI's, RFC's, C, C++, PHP, SQL (MS-SQL, Oracle, MySQL, ...), VB/VBA/ASP, Most applications in most OS, even the Win32 API ;) //brag
I try to know everything (almost), *nix (Solaris, Linux,
The more you learn the simpler everything gets.
There's a pattern - It's created by humans...
(visper, visper, he has no life) *I heard that*
Yes. I was rooted on BIND P3.
How many of these are you going to post?
It was funny the first time, but... come on! It's getting old.
True, but again, I'm not sure where the benefit is. If your system is compromised where someone can modify a file on one partition, modifying it on your root partition is no different. I am ignoring NFS, where I could see some value to mounting a partition nosuid.
If you use chroot to secure certain facilities on your server, and have any setuid program located within, your script would move the program out of the tree. The symbolic link would not function because the path would be invalid.
I personally would tend to be suspicious of anything that wasn't in it anticipated spot. Now, if I move something, then obviously I'm aware of whats going on, but any auditing system/procedure might not. And lets face it, and auditing system that crys wolf alot, is only marginally better then no system.
IMHO, the best way to watch setuid programs is to do just that. Just scan them for changes that your not aware of, or new ones showing up or going missing, and take what ever action you deem to be required.
This is good for us guys hiding deep behind a good corporate firewall. My boxes don't get hacked, virus'd, 'cause corporate security has their act together. But I'll still implement all of these I haven't yet, and dig deeper. I've got a good gig going, but nothing lasts forever.
At some point we learn, dig, and hack our way into that next great job, and need to keep this stuff at the forefront.
Keeps everything cool and froody, and free's up time for useful things, slashdot, Quake, sleep.
RubyRidge
--Keep your finger on the trigger, the idiots are out there--
That is what I want to know, how the hell did NT get such a high DOD rating C2 or whatever, without having a decent logging/auditing system?
I am not flaming here, I just don't know much about NT and would really like to know how to log more than the default.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Good: - Network admins will be able to patch up a lot of their holes. - Novice admins will be able to locate many holes they would not have located - The network community as a whole will increase its security awareness Bad: - Crackers will know what will be patched on most systems - 12 year old will learn more about these holes, possible cracking un-protected systems Ugly - This will force companies to tighten up. See BAD, raising the bar/costing them resources - UNLESS they tighten up, cracking will become more common.
joyous children play in parks,
not yet hacked by life.At the end of the article, they recommend blocking some ICMP messages and mention echo reply and request, and destination unreachable...
Blocking ICMP destination unreachable of type fragmentation needed will give a hard time to PMTU discovery (eg. Linux, FreeBSD, any OS with a decent TCP/IP stack).
Why would you want to do that ? Are there any exploits using ICMP ? I know you can tunnel stealthily using ICMP, but any protocol can be used as tunnel...
90% of ICMP should not be blocked IMHO.
- users have separate offices instead of cubicles, and
- users are not technically savvy enough to grasp the necessity of remembering their password.
This means everyI have never heard of this institute, should I have? Also, isn't SANS an abbrevation for some other institute, conducting research in some completly different area (can't remember which one at the moment), as well?
"If you think education is expensive, try ignorance" - Derek Bok
% touch 'foo /bin/ln' /bin/ln' /etc/passwd' /etc/passwd' /sbin/init' /sbin init'
Perhaps someone else can think of something more devilish!% chmod u+s 'foo
% touch 'foo
% chmod u+s 'foo
% touch 'foo
% chmod u+s 'foo
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
I thought haikus needed a seasonal reference? At any rate, information is information, and if these security holes aren't fixed by the admins, they deserve what they get.
Be a moderator, not a brick.
My story sumbissions almost always get posted. You must just be a dumbass (evidenced by your whining that your story got rejected -- get a grip)
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Nah, I got a story accepted once. So anyone can do it!
You are in a maze of twisty little relative jumps, all alike.
7. "Natalie Portman has been dropped from Episode 2!" (nothing like teasing the trolls).
8. "Mac OS X screen shots!".
9. "Linus speaks out against breaking up Microsoft!"
10. "WebTV consoles can be hacked to run Linux!"
Yeah you're right...
"Woah... I know DDOS"
I agree... I think most NT types (er... and perhaps I'm guilty of this) are rather icon-numbed if that makes sense, and have more of a sense that there's a ghost in the machine instead of thinking they could have control of the problems...
Whoops, when I said freaks I mean that for the hardcore, Linux can do no wrong, type people. I've ran into more than a few people who seem to think of Linux as a religion, and that any comments about improvement, or other OS's doing something better is heresy.
Spelling & grammar checker off because I don't care
Agreed that it doesn't show what is unpatched, but that's not the original point of the entire topic.
One can sure argue that there are potential exploits out there, but it really doesn't do any good because it's all theoretical. Linux (in theory) should have fewer and fewer exploits as time goes on, is this true yet... nope. What I personally think, Linux is going to only get a little better and then stay at some kind of equilibrium point (little better, little worse depending upon the year). Now before you jump for the throat, I believe because of how much of a state of flux it is in, new code is going in daily, and that new code is going out the door just as quick.
What is the main cause for new exploits.... new code. The Linux distro's & writers are not taking enough time to audit their code before it gets out the door. All they are really doing is waiting for someone else to find the bugs that they should have worked to find, before they released in the first place. BSD does this the right way, lets get good code first then put it out into a stable release, instead of rush, rush, rush, cool feature, push out, and hope the bugs get found quickly. Opensource allows us to find & repair the problems quicker, but until the Linux community decides they don't need the latest wiz-bang feature now, their code is going to be constantly riddled with exploits (just like other software companies)
Spelling & grammar checker off because I don't care
Comment removed based on user account deletion
Comment removed based on user account deletion
Humans
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
From the article:
I'm curious about these embedded-script e-mail viruses. Although scripts can be run without an attachment (by putting a <SCRIPT> tag in the e-mail's HTML in Outlook), it seems to have a somewhat stripped-down VBScript capability. For example, with a default installation, an embedded VBScript can't access the objects necessary to create an ILOVEYOU-type virus. Other than just forwarding copies to more recipients (which I suppose could still be done in an embedded VBScript virus), is there really any "virus" that could be built using this, or are these limited to a "mere" worm?
Has anyone out there encountered (or written?) one of these embedded-script viruses? Just how dangerous could these be, or is the only threat the consumption of bandwidth? The article didn't say much about these except that they (could?) exist.
--
The real Captain Derivative has a Slashdot ID.
I can see why many of the hacks to NT are not reported...
Under NT it's often virtually impossible to figure out where they came from or how they got in. Reinstall NT, lock it down as best you can and hope that fixes it seems to be the best solution most of the time.
NT's event logger sucks horribly. I've had systems go completely belly-up without so much as a single entry in the eventlog. I've hack-tested some of my own machines, and punched holes and exploited them, and check later to find nothing in the security or system log. It boggles the imagination that a professional server wouldn't keep track, or at least have the option to keep track, of every system event.
----
----
"I used to listen to Null Device before they sold out."
Maybe you want to do some research before saying something like this. Sorry but when you say there are far less *NIX exploits your head must be up your @$$. I really don't want to go into the details of why these numbers are like this I just wanted to point out that your statement is utterly nieve. Why trying to prove a point, you can't just have a conclusion, but also points (premises) to back up your claim.
I am
Why did mudge end up last on the Signatories List? IMO folks from L0pht should be higher on the list. Sheesh, they ar obviously the most qualified.
back when i was in high school, on a HP-UX system in the CS labs, you could redirect output to another user's tty... this was tons of fun for hs kids. :) if only we'd realized its full potential... :)
eudas
Blessed is he who expects the worst, for he shall not be disappointed.
I agree with you
Information will escape
Secure your system
The season is spring
Or maybe it is summer?
Who cares... its slashdot
Sysops will bellow...
How dare they release this tool!
Remember "SATAN"?
Really you can never know if you are currently vulnerable with a system that's been active for ages. As Rootprompt.org's Cracked! series of articles shows, the first thing script kiddies and crackers do is start replacing standard system utilities. I've seen on Linux various hacks to hide processes, kernel modules, etc. So just doing lsmod suddenly means very little. :)
Your best bet is to start with a fresh install. I'd say there's 99.99% chance that your standard Mandrake, Redhat, Debian, etc don't have these rootkit bins on their CDs. I have taken to running tcpdump on my little ppp connection (damn phone company refuses to put DSL here) whenever I am online. It is quite interesting seeing just how many attempts people make to various things, SMB is the most common, telnet, linuxconf, imap, etc are all attempted.
Perhaps the best method would be to find an old 486, P90 or whatever, and run one of those floppy setups like the Linux Router Project. Poke a couple holes for the services you need to pass through to a full Linux server (web, mail, etc). With the system running fully in memory, any bins a cracker replaces get restored by a mere reboot. And by having a very limited number of bins on the system, that gives crackers vastly less chance to successfully getting into your system. You will still have to keep abreast on security notices for the things you do have.
A good read on the damage one cracker can cause with a sniffer, check RootPrompt's Cracked! series of articles.
One workaround for this is to use ssh tunnels for things like an IMAP connection. Although, obviously the long-term fix is for all sensitive daemons to use encryption. I hope the expiration of the RSA patent in September makes this easier to implement.
--
Your best bet is a Virtual Private Network.
kindbud wrote:
I can hardly say enough good things about Dan's suite of DNS servers and client programs.
Having gone through the annoyance of administering a qmail site, I don't suffer from this disability.
dnscache, dnsfilter, tinydns, pickdns, walldns, rbldns, axfrdns, axfr-get, and the sundry associated libraries are just yet more screwball non-free software from Bernstein: He can keep 'em, and all his other non-FHS-compliant offerings. If I switch to anything, it'll be the GPLed Dents package.
Rick Moen
rick@linuxmafia.com
I found out when I noticed that /root/.bash_history was linked to /dev/null. DOH!
Hmm, the 8.22-P5 bind can be found on rpmfind.net, if you want rpms... Made by redhat.
I have seen *good* NT admins who understood the strengths and weaknesses of the system do some great things. And the same with *good* *nix admins. I think the reason NT gets such a bad namme is that the GUI makes it too easy to *think* you know what you are doing without understanding what is really going on in the background. There are a lot of mediocre NT admins who don't know that there is more to the system then rebooting it.
The second problem is that most (not the good ones) NT admins believe that the box can run an infinite number of services all at the same time without effecting the system. Hah. NT is very stable if you do a default install, patch it , run 1 service, and leave the monitor disconnected so it is harder for a junior admin to try to install a new screen saver :-)
BTW, before the coyotes nip at my heals I am a Sun/Linux/AIX admin, not NT... just work in the real world where you use the best tool for the job.
Can't sleep, clowns will eat me....
It's incredible to see the 8th reason is:
8. User IDs, especially root/administrator with no passwords or weak passwords.
The worst of this is, if an admin uses a blank or weak password for the admin user or install services with pre-installed passwords, it's very possible that this admin will never take care about patching or fixing the other affected services in the list, so their hosts can be a real mess.
Another thing to note is the more or less common proposed fixes in propietary systems (disable the service, like in IIS) and the solutions offered for free systems (upgrade to bar version or use foo patch).
Destination unreachable can be used to confuse some routers ... check on bugtraq archives for more info (dynamic routing?)
.. if you dont need it, why enable it?
ICMP is generally a bad idea, as it is not necessary for core services to run, and can be used to sniff system settings out
--
Anil Madhavapeddy, http://recoil.org
The Five Worst Security Mistakes End Users Make
:). If this was in the IT section, I might be inclined to agree with you. However, end users tend to use a modem for one of two reasons - to connect to Internet resources their firewall blocks, or to get them into their system without a VPN or sanctioned dial-up.
5. Using a modem while connected through a local area network.
Hmm? What's wrong with being connected, as long as you don't allow incoming connections from the Internet? Setting all your daemons to only bind to eth0 isn't that hard, once you've disabled the ones you don't need anyway.
I readded the heading from that section (I should have put the headings in bold, but I didn't think of it in time
In the former case, they typically don't do anything to protect themselves or the corporate network - they just use DUN to connect to their ISP of choice.
In the latter case, they will usually stick PCAnyware or something similar on their system and set it to auto-answer, with a poor (or no) password.
In either case, the end user has made the network security like a chain link hospital gown - string from in front, but baring all.
--
http://www.aikiweb.com - AikiWeb Aikido Information
Mention two Linux companies merging.
Mention Microsoft acquiring anything, even if Bill Gates just acquired a box of cereal for his morning breakfast.
Mention the words "Open Source." Anywhere. (Note -- this has worked. I've posted two articles, one that mentioned Open Source and one that didn't, on the exact same topic. Guess which got accepted =P)
Use a three-letter acronym, such as RMS or ESR. It doesn't matter if it has any relevance to anything you're talking about.
-- BlueCalx | http://nickd.org/
This breaks down the # of known vunerabilities, not the number of unpatched ones. Linux is open source, and new exploits are pointed out, discussed, and patched almost daily. Searching the source is the easiest way to find an exploit, so what I'd like to know is why NT/95 show equivalent numbers? There must be far, far more potential exploits for them.
.sig: Now legally binding!
But there are fewer and fewer exploits in the 'stable branches' For crying out loud, there are currently two activly patched stable trees and one unstable! I'd doubt you could even find a working exploit in 1.2.xx or 2.0.xx!! (Unlike Windows 95, which is of the same vintage, and still has some nagging exploits from as far back as 1997.)
BSD and Debian are different. They've been sitting in 'beta' forever, feature frozen, much like their commercial counterparts. The same commercial counterparts who can't keep their numbers below a known unstable..
And all those counting on the new kernels to be bug free are fools. You need secure, use the LAST stable branch.
.sig: Now legally binding!
>I also think sendmail seemed out of place on the
>list. There hasn't been a root exploit on
>sendmail in what, three years?
The problem is there are still 10's of thousands of systems out there (mostly old Sun workstations and the like) still running vulnerable versions.
>ICMP is generally a bad idea, as it is not necessary for core services to run, and can be used to sniff system settings out .. if you dont need it, why enable it?
Because its an essential part of the protocol. As said before ICMP unreachable is used for MTU discovery. If you block it all, things will break. Furthermore it can be very usefull to see if a host is up with ping. Like all things with system/network administration you must know what your doing. Filtering out suspicious/dangerous ICMP is good (you don't want your network to become a smurf amplifier for example). Blocking everything is bad.
What you are saying sounds to me like: "Power steering in cars is generaly a bad idea, it can break at the wrong time.. if you don't need it, why enable it ?
Because it's fscking usefull
A big part of this is that places like L0pht make programs for the Windows exploits, which means any kiddie can use a simple program to find and exploit the problem. There are far less of these programs for *NIX exploits (either because the *NIX exploits would be harder to create a program for, or because more people hate MS and focus on them). Just because it's popular to bash MS doesn't make it a fact everything said about MS is true.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Last time I tried an exploit, it was a real mess. People screaming, parents covering their kids' eyes, the embarassing arrest by the cops....
Wait, I'm thinking 'exhibition'. Nevermind.
-Denor
Read this before deciding to use postfix.
Edith Keeler Must Die
Is that these holes still exist on systems because admins are being LAZY. Lazy thinking 'I am running a *nix-based system and therefor I am more secure than Winblowze.'
...
Here's a nice reminder: if you aren't constantly working on your security, SOMEONE ELSE IS! And I am not refering to your assistant admin, either.
Maintaining box/network security is a full-time job. And its a case of constant vigilence. You cant operate on the rules of it 'cant happen to me.' One look at Attrition.org's mirror site should prove you otherwise.
So take this as a wake up call. Before you get woken with a call
*more ramblings - can you tell its a slow day at work?*
Check out Magic Firesheep!
- 1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
- 2. Failing to install security patches - especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
- 3. Installing screen savers or games from unknown sources.
Sigh. We've been losing this battle for twenty years now.It should be safe to run untrusted executable code because such code should be run in a sandbox enforced by the operating system and the hardware. By this I mean a set of restrictions similar to those applied to sandboxed Java code.
Browsers don't need much in the way of privileges. The worst that should happen because of a security hole in a browser is that the browser's current state and cache are messed up. Restarting the browser and flushing its cache should cure any problems. Preferences should be changed through a separate program that the user can invoke, but the browser itself can't, and should be stored in a compartment the browser can't write.
Office has to do more, but only a few parts of Office need to be trusted at all.
Neither a screen saver nor a game needs much in the way of privileges.
If you are worried about rootkits (like a fake version of top, who, users, w, etc) you can reinstall those program from you read-only installation medium (ussually a cd-rom) or download and compile them directly from the site (ftp.gnu.org is a great place to start) and turn on a hell of a lot of logging and see if anything pops up.
If you aren't sure or not, backup your data (not programs or config) and reinstall, get lastest patches, configure, secure, test then bring back online
Ussually with linux, if you had your system online for a year, you might want to upgrade any way to your current distro lastest version, just to get the newest and coolest feartures. (Note newest and coolest feartures will have bugs (Note some bugs can be exploited for malice purposes))
If you are unsure, check it out. It is better to find no security holes, then "think" there is no security holes.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Hmm. I have two problems with your argument.
First, the Netcraft survey you cite makes no attempt to correlate IP address to MAC address. The vast majority of IP addresses are on multi-addressed boxes in ISP server farms; those boxes tend to run Unix or Linux. This has two consequences: first, we can't determine the relative frequencies of NT boxes and *n.x boxes on the net, and, second, we can assume that the ISP farms are reasonably well-secured. (After all, that's what they do full time.) This would tend to indicate that NT sites would be more likely to be administered by people who aren't quite as attuned to keeping up with the necessary patches, and hence would be more likely to be vulnerable.
Second, though, these vulnerabilities refer to machines on the network generally, and not to web servers in particular. So the frequency with which IIS-based servers are compromised has little or nothing to do with the vulnerabilities of the systems on the Web. How many people still run naked Win98 boxes with always-on connections? Similarly, how many people run unhardened Linux on the network? These vulnerabilities are still there, even if they're not visible on attrition.org.
This list is a bit misleading. You'll notice that they give a BSD(aggr) and Linux(aggr). That means that they're lumping together all flavors of BSD into a single category, and all Linux distributions into a single category (although they do count an exploit only once if it appears in multiple distros).
That means that if RedHat has vulnerability A but not B or C, Suse has vulnerability B but not A or C, and Debian has vulnerability C but not A or B, Linux(aggr) is counted as having three exploits. In reality, if you're using just one distribution you'll only experience one of the three, and Slackware might not have any of those exploits.
The following looks a lot more favorable for Linux:
OS 97 98 99 00
Debian 2 2 29 5
RedHat 5 10 38 17
Slackware 3 8 10 0
Suse 0 0 21 5
Win NT 4 6 99 37
There's no point in questioning authority if you aren't going to listen to the answers.
An excellent point. There is only one problem, however. I have been an NT admin for 5 years. Currently I work for a consulting company, and am one of the few NT people willing to do tech reviews. In the last year I have done over 100 tech reviews for NT admins, with probably 50% of them having an MCSE. Out of that 100, only two have I recommended for hire. My point is only that while I agree that a quality NT person can get an NT box running pretty reliably and securely, there are VERY FEW quality NT people out there. Most of them, as you said, are just too comfy with the GUI to learn anything about the system. (and here is a simple question for all of you hiring types: What is the difference between regedit.exe and regedt32.exe? answer: regedit.exe enjoys a better search engine, but only regedt32.exe can edit the registry key permissions. - if someone can't answer this, they haven't a clue about NT security) The two I recommended for hire were the only two able to answer that question. I would say about 30% didn't even know what patch level their servers were at. And just in case you didn't know, the MCSE teaches NOTHING that is important (hot fixes and security are NOT part of the curriculum, although I think this is starting to change for 2000).
I hope my point was obvious, even though my grammer sucked.
Politics, Culture, Food?
What ever happened to sheer user stupidity? Calling employees in a company and asking them for their username and password... Especially in a university/educational setting with poorly trained and underfunded technology groups.
Hello?
Yes, this is (technology support group name) calling, we're currently working on testing a (fancy acronym here) upgrade, and we were wondering if you could help us. We'll need your username and password...
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
It's very slow (don't slashdot it please) but you may want to check out/ stats.html
/. Linux freaks will be suprised as to where Linux sits in (hint pretty much the same as Windows). Here's a small snippit before everyone slashdot's the poor website...
http://www.securityfocus.com/frames/?content=/vdb
What they've done is count up the number of root level compromises on a per OS level on the bugtraq mailing list and ordered them up on a per year basis. Most
OS 97 98 99 00
-------------------
BSD (aggr) 8 8 26 7
Linux (aggr) 10 23 84 30
Win 3.-98 1 1 46 13
Win NT 4 6 99 37
Further down the page Linux gets some better positioning as it breaks down categories, etc.
The biggest omission from the list was wuftpd <2.6.0 (and derivatives). This deserved to be number 2 on the list, after BIND, as it shipped enabled by default on every RedHat up to 6.0.
I generally recommend that Linux users replace wuftpd with ftpd-BSD, the Linux port of OpenBSD ftpd. It's not as featureful, but it's a lot easier to use, and the code has been audited.
I also think sendmail seemed out of place on the list. There hasn't been a root exploit on sendmail in what, three years?
--
Up until a few months ago I was doing some sys admin work. At the time I was pretty happy with the way I set up systems, and I still think they were reasonably secure. However, articles like this have convinced me the best way to have peace of mind is to set up OpenBSD firewalls.
Is Linux more secure than other operating systems? Yes. Is it easy to shoot yourself in the foot and make the system easy to exploit? Definitely. There's an excellent article over at Security Focus that every Linux sys admin must read.
Of course if there were no users, user accounts, or traffic on the wire I'd feel even better.
----- obSig
I find it amusing that I saw ">Download this document in MS Word format" on that page. I mean, there's a security risk right there!
More amusing is that I often see electronic resume requests for that "universal" document format, known as MS Word ".doc", rather than something not subjectable to macro virii, like PDF, Postscript, or good old PLainText.
Ok, so let's say (hypothetically, of course....) that you've been running a low-profile Linux system on the 'net for a while. At first, you just got IP Masqing up and turned off unused services. Later, you did some better firewalling. Then you started using SSH... added back in some services you needed...
But the thing is, it's been out there, in various states of lockdown, for at least the better part of a year.
How to know if you've already been compromised? Is there any way? Or is a fresh, secure install the only way to go?
I'm scared by the root kits that replace top, who, users, etc to make the intrusion undetectable. (Yeah, time to make that read-only floppy...)
---
"Secure by Default"
The default installation of OpenBSD is secure - it takes a careless sysadmin to mess it up. If anyone is truly concerned with security, this is the easiest and best choice.
Features:
And considering there is a reward to anyone who finds a exploit in Qmail, you can actually make money on it (if you can find any).
Now, does anyone feel secure enought to put up a reward for sendmail exploits?
Je ne parle pas francais.
The article is a bit self-agrandizing, but putting the most common holes out where everyone can see them is not a bad thing.
Now, Network Admins have no excuse but to fix things, rather than hoping no one 'figures out' where the holes are. The fixes for the 'ten most common' problems are not hard, and they're readily available.
Exposing security holes and avenues of attack to public review does make it a bit more possible that a cracker will learn something new, but the dangerous guys already know about all of this. Hiding this sort of information is like installing a car alarm - you'll keep the amateurs away, and you'll give the pros a chuckle while they make off with your goods.
If there is some unique set of conditions that make YOUR system vulnerable, and these conditions are very obscure and virtually impossible to 'guess', AND expensive to fix - by all means, keep them a secret as long as you can - but be ready when the hammer hits.
The problems outlined in the article are common-place, and in most cases common-sense. What 'advantage' does a cracker get from knowing that easily guessed passwords are a weakness? What does he gain from an Admin being educated to remove sample CGI scripts and default accounts off of commercial products??
-- What you do today will cost you a day of your life.
stunnel or using ssh as a tunnel is your better bet
---
-
ping -f 255.255.255.255 # if only
This list completely ignores one of the most common security flaws in computer systems: Cleartext passwords sent over the wire.
It does and it doesn't. This list focuses on exploits, but there is an associated list, mentioned by the CNN article, of IT mistakes. Among the IT mistakes are using telnet and other unencrypted protocols.
I saw this list last night, and my first thought was that it couldn't possibly be right, as most of the compromises on this list are UNIX related.
Several of the compromises are multi-platform, not specifically NT or *nix. Categories like the CGI/ColdFusion exploits make up a large percentage of the NT attacks. However, it is probably fair to say that most of us who were asked to participate probably have a *nix background, and are therefore more familiar with *nix exploits. Also, we were looking for remotely exploitable, directed attacks, and the background of *nix as a multi-user, network operating system gives more avenue of attack than an operating system with a single user, stand-alone heritage. Our list of end-user security mistakes (not yet released), on the other hand, is much more Microsoft-heavy.
Programs running as root are the problem.
//--thogard this will allow any user to open any port which cooresponds
// to a group they belong in. apaches user should be in group 80 and 443
// this should be linked moreinto capabile(CAP_NET_BIND_???)
Due to the stupid requirement that you have to root to bind to a port <1024 is a major problem. Its nailed bind, sendmail, ncsa httpd, poper, ftp....
Its time this stupid stuff stoped.
The fix is very simple. In 2.2.15 about line 543 of net/ipv4/af_inet.c put make the following change and it will allow group 53 to open port 53. So you can put bind in group 53, run it as a user with no other access and then the exploits won't have root.
if (snum && !in_group_p(snum) && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
return(-EACCES);
7. Design a computer case someone made out of something weird. Suitcase, plant pot, cow skin, matchbox, etc.
8. Claim to have instructions for playing DVD's on your linux box.
9. Port yet another windows game to Linux.
10. Claim BSD is better than Linux.
http://packetnexus.com
Generally are put out by some publication like Computer World or a web site like ZD. You know what drives me crazy? There is usually some 40-something, bearded yahoo in a suit whose weekly/monthly articles are all about how MegaCorp just decided to move from their IBM mainframes purchased in 1978 to NT servers running IIS.
And then they go on with and interview with some reject from a barnyard with bright red hair in a bowl haircut whose title is CIO/Chief Technologist who describes the methodology for choosing these systems based upon vendors taking them to lunch, boardroom pitches, white papers and indepth studies of competing megacorps' IT organizations.
And it always boils down to a two page ad for MS with a singular paragraph busting Unix as being unscalable and unsupportable and too hard for the desktop users to understand (like they do anything else besides making Excel spreadsheets and Project reports).
The next year, there is an article about how MegaCorp' IIS servers crapped out when a DOS took place or when more than 2 people decided to buy one of their widgets online and the whole system died.
They all learn in the end.
Don't think of this list as being "most widely used cracks" but as "cracks that have the worst effect". Unix runs the Internet, therefore Unix cracks 0wn the Internet.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Important security features in its design:
- Client resolver is a separate process from the authoritative NS. Reduces damage potential should cache poisoning occur.
- Client resolver does not cache out-of-zone additionals. For a dot-com domain, it only believes answers from the root servers, the com servers and the auth NS for the dot-com domain, and only if those answers are in the zone it's asking about. More proof against poisoning.
- Client resolver sets TTL in responses to zero. Helps prevent client mischief. Does not return additionals or authorities to clients.
- All programs run chrooted as a non-priv uid.
- Discards all queries in classes other than IN. No CHAOS or HS classes. No "version.bind" stupidity.
- Its "hints" file is not really taken as "hints". It believes you when you tell it who the roots are, it does not go ask the servers in the hints file who the real roots are.
Design features that are admin-friendly:- Authoritative server gives immediate feedback in the event of typos or syntax errors. No grepping log files looking for problems.
- Erroneous data is rejected. Previous data is used until the error is corrected.
- Reads zone info directly from a fast database, memory requirements are very small compared to BIND.
- All zone data is contained in a single database file, which is easily rsync'd to slaves. Zone transfers are supported for compatibility with BIND, but it's not necessary to use it.
- Client resolver can be set to ask certain servers about certain domains, ignoring the roots. This is great for split DNS setups.
I can hardly say enough good things about Dan's suite of DNS servers and client programs. I will be BIND-free very soon.Edith Keeler Must Die
I saw this list last night, and my first thought was that it couldn't possibly be right, as most of the compromises on this list are UNIX related. NT accounts for twice as many web server compromises as every other OS combined, even though it holds only 21% of the Internet web server market. (look at http://www.netcraft.com and http://www.attrition.org for verification of these figures) Therefore, the most popular attacks should almost all be NT related. I brought this up to a friend, and he proposed that only the good sysadmins (read:mostly unix) actually either detected the intrusions, or bothered to report them. I can accept that, but I'm interested to hear other opinions.
Politics, Culture, Food?
A friend of mine claims to have had a lot of fun during "interview day" on his college's campus. He was wearing a blue suit and the interview hall was right next to the Naval ROTC building. Apparently NROTC middies (?) don't take chances -- when some guy in a blue suit says "Drop and give me 50!" they figure better safe than sorry.
Half of social engineering is attitude. If you act like you belong there, people will usually assume you do. It's just taking advantage of most people's fundamental desire not to cause trouble. Conversely, running across the office's cranky senior staffer, who's had a bad day and is looking for a reason to take it out on someone, can be really bad news for a would-be penetrator.
Even today, people send spam to AOL customers asking for the user's name and password "so we can repair damage to your account that occurred during a server upgrade" and net thousands of logins, giving them access to that many credit cards, despite the text at the top of the AOL mail window that says "REMINDER: AOL staff will never ask for your password or billing information."
As long as there are newbies, there will be trouble with social engineering. The best you can do is make sure that anybody who administers a system you're dependent on understands the concept of verifying identity.
That all said, social engineering isn't really an "exploit" in the classic sense -- it's merely overly lax granting of access rights, akin to leaving your root account passwordless.
My favorite examples of overly permissive systems were the RS/6000's at UVa, on which all the tty's were permissioned -rw--w--w- (I think this was AIX 3.2 - they upgraded to 4.0 later on with a new crop of boxen and I don't know what they're up to now). That's right, anybody could write to any terminal. I didn't do anything truly damaging with it, just pranked a friend into thinking he was getting a talk request from another person who wasn't logged on at the time...
-- Old Man Kensey
- Use qmail or postfix instead of Sendamil.
- Make sure you have all security patches for your system installed. Redhat users, for example, can find those patches here.
- Linux users can read Linux weekly news for security updates.
- Manage your SUIDs. Make sure you keep a close eye on all your suids. For example, I use this script to put all my suid in the directory
/suid/bin:
- Obviously, turn off all unneeded network services in
/etc/inetd.conf and (usually) /etc/rc.d/rc3.d. You can see what services are running on your machine with netstat -na. - For a UNIX that is free and (hopefully) secure out of the box, check out OpenBSD or Trustix.
The advantage of an open-source solution is that we have greater control over our systems, and can better optimize our systems for security.#!/bin/sh
/root/suids
/root/suids` ; do
find / -type f -perm +6000 >
for a in `cat
done
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
This list completely ignores one of the most common security flaws in computer systems: Cleartext passwords sent over the wire.
Even using ssh is not enough if you still use ftp or imap. Assume those accounts are compromised.
I've been told that they will be on the SANS web site Real Soon Now.
Mistakes People Make That Lead To Security Breaches
Technological holes account for a great number of the successful break-ins, but people do their share, as well. Here are the SANS Institute's lists of silly thinks people do that enable attackers to succeed.
The Five Worst Security Mistakes End Users Make
1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches - especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups.
5. Using a modem while connected through a local area network.
The Seven Worst Security Mistakes Senior Executives Make
1. Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
2. Failing to understand the relationship of information security to the business problem-they understand physical security but do not see the consequences of poor information security.
3. Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure the problems stay fixed
4. Relying primarily on a firewall.
5. Failing to realize how much money their information and organizational reputations are worth.
6. Authorizing reactive, short-term fixes so problems re-emerge rapidly.
7. Pretending the problem will go away if they ignore it.
The Ten Worst Security Mistakes Information Technology People Make
1. Connecting systems to the Internet before hardening them.
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found.
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
6. Failing to maintain and test backups.
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic- incoming or outgoing.
9. Failing to implement or update virus detection software
10. Failing to educate users on what to look for and what to do when they see a potential security problem.
And a bonus, number 11:
Allowing untrained, uncertified people to take responsibility for securing important systems.
1. Claim to be running a web server off a Palm Pilot, furby, Commodore 64, or even a bunch of potatoes. (Bonus points if its a port of Apache).
2. Write an article on DeCSS, Napster, MPAA, RIAA, and/or Metallica.
3. Publish a benchmark comparison of Linux and Windows, making sure that Windows scores best in all categories. (Bonus points if your test team is made up of 12 MCSEs and 1 dude who installed Red Hat 5.2 once before).
4. Title your article "X Violating the GPL?" It doesn't matter what the article actually says; it could just be a description of ancient Bulgarian goat herding. You're sure to get all the Slashdotters riled up regardless.
5. Write something about "Geek Sex".
6. Produce blurry, unenlightening satellite pictures of a secret government compound. Bonus points if the site mysteriously disappears in a few hours - the paranoid Slashdotters will have a field day with that one.
... all out of ideas... anyone else?
---- I made the Kessel Run in under 11 parsecs.
While alot of items on the list were UNIX/Linux, they did have a few Windows problems. I think it's probably because they would've felt ashamed to put what the slashdot community wants to hear.
.bat files opened without examining content.
1. MCSE.
2. NT admins without MCSE.
3. NT admins without a driver's license.
4. NT users.
5. VBScript.
6.
7. Running files from http://www.geocities.com/..../3488/kewlstuf.htm as "admin" on NT systems.
8. Giving out admin password on Comic Chat to "AdminDood283" to help you out with constant down time.
9. Innovation anal probes.
10. Putting NT server in a kiosk and still logged in as "admin".