SANS Releases Top Ten Exploits
Lizard_King writes: "System Administration, Networking and Security (SANS) Institute published a list of exploits most often used to gain illegal access to network servers. View the list here." This is really a very good list, compiled from the viewpoint of fixing the potential forthcoming breach. Good work!
The biggest omission from the list was wuftpd <2.6.0 (and derivatives). This deserved to be number 2 on the list, after BIND, as it shipped enabled by default on every RedHat up to 6.0.
I generally recommend that Linux users replace wuftpd with ftpd-BSD, the Linux port of OpenBSD ftpd. It's not as featureful, but it's a lot easier to use, and the code has been audited.
I also think sendmail seemed out of place on the list. There hasn't been a root exploit on sendmail in what, three years?
--
Up until a few months ago I was doing some sys admin work. At the time I was pretty happy with the way I set up systems, and I still think they were reasonably secure. However, articles like this have convinced me the best way to have peace of mind is to set up OpenBSD firewalls.
Is Linux more secure than other operating systems? Yes. Is it easy to shoot yourself in the foot and make the system easy to exploit? Definitely. There's an excellent article over at Security Focus that every Linux sys admin must read.
Of course if there were no users, user accounts, or traffic on the wire I'd feel even better.
----- obSig
I find it amusing that I saw ">Download this document in MS Word format" on that page. I mean, there's a security risk right there!
More amusing is that I often see electronic resume requests for that "universal" document format, known as MS Word ".doc", rather than something not subjectable to macro virii, like PDF, PostScript, or good old plain text.
Ok, so let's say (hypothetically, of course....) that you've been running a low-profile Linux system on the 'net for a while. At first, you just got IP Masqing up and turned off unused services. Later, you did some better firewalling. Then you started using SSH... added back in some services you needed...
But the thing is, it's been out there, in various states of lockdown, for at least the better part of a year.
How to know if you've already been compromised? Is there any way? Or is a fresh, secure install the only way to go?
I'm scared by the root kits that replace top, who, users, etc to make the intrusion undetectable. (Yeah, time to make that read-only floppy...)
---
"Secure by Default"
The default installation of OpenBSD is secure - it takes a careless sysadmin to mess it up. If anyone is truly concerned with security, this is the easiest and best choice.
Features:
And considering there is a reward to anyone who finds an exploit in Qmail, you can actually make money on it (if you can find any).
Now, does anyone feel secure enough to put up a reward for sendmail exploits?
I don't speak French.
The article is a bit self-aggrandizing, but putting the most common holes out where everyone can see them is not a bad thing.
Now, Network Admins have no excuse but to fix things, rather than hoping no one 'figures out' where the holes are. The fixes for the 'ten most common' problems are not hard, and they're readily available.
Exposing security holes and avenues of attack to public review does make it a bit more possible that a cracker will learn something new, but the dangerous guys already know about all of this. Hiding this sort of information is like installing a car alarm - you'll keep the amateurs away, and you'll give the pros a chuckle while they make off with your goods.
If there is some unique set of conditions that make YOUR system vulnerable, and these conditions are very obscure and virtually impossible to 'guess', AND expensive to fix - by all means, keep them a secret as long as you can - but be ready when the hammer hits.
The problems outlined in the article are common-place, and in most cases common-sense. What 'advantage' does a cracker get from knowing that easily guessed passwords are a weakness? What does he gain from an Admin being educated to remove sample CGI scripts and default accounts off of commercial products??
-- What you do today will cost you a day of your life.
stunnel or using ssh as a tunnel is your better bet
---
-
ping -f 255.255.255.255 # if only
The plan is for this to be a living document - as responsible admins (and vendors) close these holes, new items will go into the Top Ten list. If you check out the Top Ten page, you'll see that there have been three revisions today.
Most of the vulnerabilities listed have been known for years, and have easy fixes available, but admins haven't known which ones were most important. This is an attempt to help prioritize things.
This list completely ignores one of the most common security flaws in computer systems: Cleartext passwords sent over the wire.
It does and it doesn't. This list focuses on exploits, but there is an associated list, mentioned by the CNN article, of IT mistakes. Among the IT mistakes are using telnet and other unencrypted protocols.
I saw this list last night, and my first thought was that it couldn't possibly be right, as most of the compromises on this list are UNIX related.
Several of the compromises are multi-platform, not specifically NT or *nix. Categories like the CGI/ColdFusion exploits make up a large percentage of the NT attacks. However, it is probably fair to say that most of us who were asked to participate probably have a *nix background, and are therefore more familiar with *nix exploits. Also, we were looking for remotely exploitable, directed attacks, and the background of *nix as a multi-user, network operating system gives more avenues of attack than an operating system with a single-user, stand-alone heritage. Our list of end-user security mistakes (not yet released), on the other hand, is much more Microsoft-heavy.
ISP farms are reasonably well-secured.
I'm not going to mention the name of the ISP, a pretty big one, but they are running a Linux box that is servicing over 60 web sites that hasn't been backed up in 3 months and has absolutely no firewall on it.
All of their servers are wide open, i.e. NO FIREWALL! I've just started to administer them (only in extreme circumstances) and I keep pushing for a firewall. Their disregard for security is alarming. They have telnet wide open on every unix machine.
I'm being sub-contracted right now and recently they were cracked by a script kiddie. They are now finally replacing telnet with ssh, but SLOWLY. So in my experience ISP farms are not well-secured; they only try to make you feel that way.
If at first you don't succeed, skydiving is not for you.
Programs running as root are the problem.
//--thogard: this will allow any user to open any port which corresponds
// to a group they belong to. Apache's user should be in groups 80 and 443.
// This should be linked more into capable(CAP_NET_BIND_???).
The stupid requirement that you have to be root to bind to a port <1024 is a major problem. It's nailed bind, sendmail, ncsa httpd, popper, ftp....
It's time this stupid stuff stopped.
The fix is very simple. In 2.2.15, at about line 543 of net/ipv4/af_inet.c, make the following change and it will allow group 53 to open port 53. So you can put bind in group 53, run it as a user with no other access, and then the exploits won't have root.
if (snum && !in_group_p(snum) && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
return(-EACCES);
7. Design a computer case someone made out of something weird. Suitcase, plant pot, cow skin, matchbox, etc.
8. Claim to have instructions for playing DVD's on your linux box.
9. Port yet another windows game to Linux.
10. Claim BSD is better than Linux.
http://packetnexus.com
Generally are put out by some publication like Computer World or a web site like ZD. You know what drives me crazy? There is usually some 40-something, bearded yahoo in a suit whose weekly/monthly articles are all about how MegaCorp just decided to move from their IBM mainframes purchased in 1978 to NT servers running IIS.
And then they go on with an interview with some reject from a barnyard with bright red hair in a bowl haircut whose title is CIO/Chief Technologist who describes the methodology for choosing these systems based upon vendors taking them to lunch, boardroom pitches, white papers and in-depth studies of competing megacorps' IT organizations.
And it always boils down to a two page ad for MS with a singular paragraph busting Unix as being unscalable and unsupportable and too hard for the desktop users to understand (like they do anything else besides making Excel spreadsheets and Project reports).
The next year, there is an article about how MegaCorp's IIS servers crapped out when a DOS took place or when more than 2 people decided to buy one of their widgets online and the whole system died.
They all learn in the end.
Don't think of this list as being "most widely used cracks" but as "cracks that have the worst effect". Unix runs the Internet, therefore Unix cracks 0wn the Internet.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Important security features in its design:
- Client resolver is a separate process from the authoritative NS. Reduces damage potential should cache poisoning occur.
- Client resolver does not cache out-of-zone additionals. For a dot-com domain, it only believes answers from the root servers, the com servers and the auth NS for the dot-com domain, and only if those answers are in the zone it's asking about. More proof against poisoning.
- Client resolver sets TTL in responses to zero. Helps prevent client mischief. Does not return additionals or authorities to clients.
- All programs run chrooted as a non-priv uid.
- Discards all queries in classes other than IN. No CHAOS or HS classes. No "version.bind" stupidity.
- Its "hints" file is not really taken as "hints". It believes you when you tell it who the roots are, it does not go ask the servers in the hints file who the real roots are.
Design features that are admin-friendly:
- Authoritative server gives immediate feedback in the event of typos or syntax errors. No grepping log files looking for problems.
- Erroneous data is rejected. Previous data is used until the error is corrected.
- Reads zone info directly from a fast database, memory requirements are very small compared to BIND.
- All zone data is contained in a single database file, which is easily rsync'd to slaves. Zone transfers are supported for compatibility with BIND, but it's not necessary to use it.
- Client resolver can be set to ask certain servers about certain domains, ignoring the roots. This is great for split DNS setups.
I can hardly say enough good things about Dan's suite of DNS servers and client programs. I will be BIND-free very soon.
Edith Keeler Must Die
I saw this list last night, and my first thought was that it couldn't possibly be right, as most of the compromises on this list are UNIX related. NT accounts for twice as many web server compromises as every other OS combined, even though it holds only 21% of the Internet web server market. (look at http://www.netcraft.com and http://www.attrition.org for verification of these figures) Therefore, the most popular attacks should almost all be NT related. I brought this up to a friend, and he proposed that only the good sysadmins (read:mostly unix) actually either detected the intrusions, or bothered to report them. I can accept that, but I'm interested to hear other opinions.
Politics, Culture, Food?
A friend of mine claims to have had a lot of fun during "interview day" on his college's campus. He was wearing a blue suit and the interview hall was right next to the Naval ROTC building. Apparently NROTC middies (?) don't take chances -- when some guy in a blue suit says "Drop and give me 50!" they figure better safe than sorry.
Half of social engineering is attitude. If you act like you belong there, people will usually assume you do. It's just taking advantage of most people's fundamental desire not to cause trouble. Conversely, running across the office's cranky senior staffer, who's had a bad day and is looking for a reason to take it out on someone, can be really bad news for a would-be penetrator.
Even today, people send spam to AOL customers asking for the user's name and password "so we can repair damage to your account that occurred during a server upgrade" and net thousands of logins, giving them access to that many credit cards, despite the text at the top of the AOL mail window that says "REMINDER: AOL staff will never ask for your password or billing information."
As long as there are newbies, there will be trouble with social engineering. The best you can do is make sure that anybody who administers a system you're dependent on understands the concept of verifying identity.
That all said, social engineering isn't really an "exploit" in the classic sense -- it's merely overly lax granting of access rights, akin to leaving your root account passwordless.
My favorite examples of overly permissive systems were the RS/6000's at UVa, on which all the tty's were permissioned -rw--w--w- (I think this was AIX 3.2 - they upgraded to 4.0 later on with a new crop of boxen and I don't know what they're up to now). That's right, anybody could write to any terminal. I didn't do anything truly damaging with it, just pranked a friend into thinking he was getting a talk request from another person who wasn't logged on at the time...
-- Old Man Kensey
- Use qmail or postfix instead of Sendmail.
- Make sure you have all security patches for your system installed. Redhat users, for example, can find those patches here.
- Linux users can read Linux weekly news for security updates.
- Manage your SUIDs. Make sure you keep a close eye on all your suids. For example, I use this script to put all my suid in the directory /suid/bin:
#!/bin/sh
find / -type f -perm +6000 > /root/suids
for a in `cat /root/suids` ; do
    : # loop body (the move into /suid/bin) was not preserved on the page
done
- Obviously, turn off all unneeded network services in /etc/inetd.conf and (usually) /etc/rc.d/rc3.d. You can see what services are running on your machine with netstat -na.
- For a UNIX that is free and (hopefully) secure out of the box, check out OpenBSD or Trustix.
The advantage of an open-source solution is that we have greater control over our systems, and can better optimize our systems for security.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
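"Keep a close eye on all your suids" is easier when the find above is turned into a baseline-and-diff check: record the set of setuid/setgid files on a known-good system, then report anything that has appeared since (a new SUID binary is a classic rootkit trace). This is an added example, not Sam's script; it assumes POSIX sh, find, sort and comm, and the function names are its own.

```sh
#!/bin/sh
# List setuid/setgid regular files under directory $1, sorted, one per line.
# (-perm -4000 / -2000 is the portable spelling of the "-perm +6000" idea.)
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Record the current set under $1 as the trusted baseline in file $2.
# Run this once on a system you believe is clean.
suid_baseline() {
    list_suid "$1" > "$2"
}

# Print files that are setuid/setgid now but were absent from baseline $2.
# Returns 1 when at least one new file was found, 0 when nothing changed.
suid_check() {
    new=$(list_suid "$1" | LC_ALL=C comm -13 "$2" -)
    [ -n "$new" ] || return 0
    printf '%s\n' "$new"
    return 1
}

# Stand-alone use on a real host (paths are the caller's choice):
#   suid_baseline / /root/suids.baseline    # once, on a known-good system
#   suid_check / /root/suids.baseline       # later, e.g. nightly from cron
```

Keep the baseline file somewhere the host cannot quietly rewrite it (the read-only floppy mentioned earlier in the thread is the classic answer), or the check can be defeated along with the binaries.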
This list completely ignores one of the most common security flaws in computer systems: Cleartext passwords sent over the wire.
Even using ssh is not enough if you still use ftp or imap. Assume those accounts are compromised.
I've been told that they will be on the SANS web site Real Soon Now.
Mistakes People Make That Lead To Security Breaches
Technological holes account for a great number of the successful break-ins, but people do their share, as well. Here are the SANS Institute's lists of silly things people do that enable attackers to succeed.
The Five Worst Security Mistakes End Users Make
1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches - especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups.
5. Using a modem while connected through a local area network.
The Seven Worst Security Mistakes Senior Executives Make
1. Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
2. Failing to understand the relationship of information security to the business problem - they understand physical security but do not see the consequences of poor information security.
3. Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed.
4. Relying primarily on a firewall.
5. Failing to realize how much money their information and organizational reputations are worth.
6. Authorizing reactive, short-term fixes so problems re-emerge rapidly.
7. Pretending the problem will go away if they ignore it.
The Ten Worst Security Mistakes Information Technology People Make
1. Connecting systems to the Internet before hardening them.
2. Connecting test systems to the Internet with default accounts/passwords.
3. Failing to update systems when security holes are found.
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
6. Failing to maintain and test backups.
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices.
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic - incoming or outgoing.
9. Failing to implement or update virus detection software.
10. Failing to educate users on what to look for and what to do when they see a potential security problem.
And a bonus, number 11:
Allowing untrained, uncertified people to take responsibility for securing important systems.
1. Claim to be running a web server off a Palm Pilot, furby, Commodore 64, or even a bunch of potatoes. (Bonus points if its a port of Apache).
2. Write an article on DeCSS, Napster, MPAA, RIAA, and/or Metallica.
3. Publish a benchmark comparison of Linux and Windows, making sure that Windows scores best in all categories. (Bonus points if your test team is made up of 12 MCSEs and 1 dude who installed Red Hat 5.2 once before).
4. Title your article "X Violating the GPL?" It doesn't matter what the article actually says; it could just be a description of ancient Bulgarian goat herding. You're sure to get all the Slashdotters riled up regardless.
5. Write something about "Geek Sex".
6. Produce blurry, unenlightening satellite pictures of a secret government compound. Bonus points if the site mysteriously disappears in a few hours - the paranoid Slashdotters will have a field day with that one.
... all out of ideas... anyone else?
---- I made the Kessel Run in under 11 parsecs.
While a lot of items on the list were UNIX/Linux, they did have a few Windows problems. I think it's probably because they would've felt ashamed to put what the slashdot community wants to hear.
.bat files opened without examining content.
1. MCSE.
2. NT admins without MCSE.
3. NT admins without a driver's license.
4. NT users.
5. VBScript.
6.
7. Running files from http://www.geocities.com/..../3488/kewlstuf.htm as "admin" on NT systems.
8. Giving out admin password on Comic Chat to "AdminDood283" to help you out with constant down time.
9. Innovation anal probes.
10. Putting NT server in a kiosk and still logged in as "admin".