Slashdot Mirror
The Honeynet Project Has A Winner
AltGrendel writes with a welcome followup: "The Honeynet Project has announced a winner. OK, actually they announced the three winners and have posted the results here. Details as to how all this was accomplished will be posted though the next few weeks. Congratulations to all finalists!" This project has been mentioned a few times before; if you thought running Linux made you obscure enough to largely escape the attention of random and non-random malice, this is a thorough (if depressing) reason to think otherwise. Hats off to the Honeynet Project and participants for putting this labor-intensive analysis together.
You missed out the bit where he says:
Stealing some M&Ms is a self-contained and easily recognised (there's one less bag on the shelf) act, so the damage would be limited accordingly. A compromised system could have suffered any amount of changes - you need to spend the time to understand exactly what did change before you can be sure you've covered it all.
-dair
However, you'll be able to catch the vast majority of rootkits even with RPM on a comprimised system. So far I haven't seen one smart enough to cover its tracks that extensively. (Not to say that it doesn't exist, it just isn't very common. Patching the RPM database is not needed because the average Linux workstation user doesn't even know about rpm -V)
Posted by srvivn21:
That is not to suggest that every intrusion warrants a complete forensic investigation, but in some circumstances it is entirely appropriate and needs to be done quickly (and correctly).
A stolen bag of candy is easy enough to quantify. An intruded system is another matter.
The problem is that our systems are designed around a fundamental flaw, security by what you know (anything you know can be known by others.)
We have to get to systems designed around security by what your are.
We have no security and we won't until we start using biometric characteristics for security (even the primitive A.F.I.S. retrieval key for fingerprint identification, 13 points of reference with self-relative x,y coordinates, ie direction, shape, depth characteristics & 26 double precision floating point numbers, in a single string) is a lot longer than some lousy digit PINs.
There's much secure identification available.
Basically what this means is that secure systems will be extemely secure with unforgable keys (imagine using your you DNA sequence for encrypting your e-mail, in hardware.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
While I would agree that such information is unforgable now I really doubt it will stay that way. DNA is just information after all, and remember if we can see it we can copy it.
:)
Besdies I could always just cut off your hand and get through your fingerprint/dna security.
I envision a computer of the future knowing who I am by the way I act. So I sit down and have a nice short little chat with my computer and it logs me in because it knows who I am by the way I talk to it. A bit of a crazy idea, but I think it would be neat.
Q.
A short lesson in stocks by Jeffery "Felinoid" McLean.
The economy dumps. All stocks dump.
Microsoft bad mouths Linux.. Linux stocks dump.
Microsoft is sued into oblivion.. All tech stock dump "including Linux stock".
Linux makes money.. Stock dumps.
VA Linux loses billions and on brink of death....
Stock shoots the roof.
I don't actually exist.
If you are really so worried about blackhat hackers why not just use a hardware firewall and NAT and give every machine an unroutable ip. use port forwarding to direct traffic towards your mail and web servers, and just make sure your all your daemons aren't grossly insecure.
I'm really getting sick of this "which os is the most secure?" crap. if you want out of the box anally secure go with OpenBSD. period.
Note, however, that i'm not defending the criminal in any of these examples. If someone walks into my house through an open door, they're still guilty of trespassing. However, it's not as bad as if they rooted through my drawers or set the place on fire.
But let's say they do break into my house and set fire to my filing cabinet. It costs $50 to buy a new filing cabinet, $5000 worth of my time to get my files back in order, $1000 to hire a detective to figure out how they broke in, and $30,000/yr to hire a security guard. I would blame the criminal for the $50 and the $5000, but not the $1000 or the $30,000/yr.
--
--
Mod up a post Rob doesn't like and you'll never mod again
Excellent point! Here's a new analogy: Let's say they just picked a lock without damaging it, opened a safe without damaging it, took nothing, damaged nothing, and left a note that said, "You need better security. I broke into your safe."
I'd say they're guilty of the criminal charges of trespassing, burglary, and breaking and entering. However, i don't think they're guilty of any civil charges, and i don't think they should pay one penny to the store in question. Even if the store in question has to conduct an extremely expensive review or purchase a new security system.
--
--
Mod up a post Rob doesn't like and you'll never mod again
Absolutely. It sucks. It's an astronomical expense. The intruder is an asshole. And guilty of criminal charges. But that doesn't mean you should be able to send them a bill for your new security measures. Security measures are YOUR job, and YOUR expense. Damages are their expense, but should only include damages, not investigative costs or new security.
If the police or the store spend ten million dollars to figure out that you were the one who stole a pack of M&Ms, that's their expense.
Why would you be so careless with your servers then?
Who said i advocated being careless with servers?
--
--
Mod up a post Rob doesn't like and you'll never mod again
If that's as far as it goes, then no new crimes have been committed. If someone else uses that information to break in and break a bunch of stuff, then the first person, IMO, is guilty of accessory to [whatever]. In this case, the first person should be expected to pay for damages. (The second person, too)
--
--
Mod up a post Rob doesn't like and you'll never mod again
Me neither. I hate that argument. People who break into other people's systems are assholes and criminals, and should go to jail, for about the same amount of time as people who break into other people's houses.
If someone breaks into someone else's site and gets caught then they deserve what they get. Nobody forces people to go cracking. If you can't do the time don't do the crime.
Absolutely.
At $2K per day consulting rates that is a non-trivial amount of cash.
Absolutely. Their expense, not the intruder's.
--
--
Mod up a post Rob doesn't like and you'll never mod again
So if someone steals a packet of M&Ms from the local grocery store, and the grocery store conducts a full review and decides to hire a $20/hour security guard, spend $1500 installing cameras and a closet-circuit TV system, and install a checkpoint at the candy aisle, that shoplifter caused tens of thousands of dollars worth of damage?
--
--
Mod up a post Rob doesn't like and you'll never mod again
It was missing a slash. Here's the real link:
http://project.honeynet.org/challenge/results/
What's your damage, Heather?
err, s/VMX/VMS/. See how obscure that stuff is? I can't even remember the name properly.
--
When doing forensics, never trust the tools that are already installed on the compromised system. Download or bring a floppy with a known good copy of cksum(1) or something.
--
- a commercial *nix box where most of the common linux-centric 'sploits won't work?
- some (l)user's windows machine that gets rebooted and/or crashes all the time?
- a mac?
- some obscure legacy OS running in a factory or big business (w00t, be a VMX h4x0r)
- Jonh Doe's RedHat box running with an out-of-the-box config?
If I were a kiddie (hypthetically speaking, of course), I'd be going after a target that's easy, plentiful, and stable enough to stay online, allowing me to use it for scanning, bouncing, running b0ts, etc. Big Linux distros have new exploits uncovered and published every day. Linux is gaining popularity, too. All the new users installing it don't know jack about locking down their computers and it makes Linux a very ripe arena for the kiddies.Does this make Linux a bad operating system? No, of course not. It just means that in order to really be secure, you still have to know what you're doing.
--
I realize that was a big tongue in cheek, but that is what we do. We have a very small network, but it's made up of commodity hardware, so when there is an intrusion, the machines on that network are replace with fresh installs. This has happened twice in 3 years. Of coarse that isn't going to work for everybody, but anyway...
Sigs are awesome huh?
"But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?"
More typically, a company takes out insurance against such "disasters." When the company is attacked, they have to make a claim to the insurance company. They're knee-jerk worst-case numbers. It is often these numbers that are quoted to media.
[
uh?
The people who got in left a small notice with bad grammar... something about bases belonging to "us."
Why not simply throw away the computers and buy new ones.
--
Je t'aime Stéphanie
The previous Slashdot article mentioned that psychologists were working on the project. Is it just me, or would being a spychologist trying to put together a psychological profile of 5cr1p7 k1dd13z be a very amusing job? I can imagine a psychologist sitting around, trying to guess what fonts and color schemes would be the most amusing to cr4ck3rz.
On a serious note, I wonder if any psychological research has been done that debates the notion of kiddies\crackers as being teenage males with bad social skills. It would be interesting to see if more cracker types wern't (for example) socialy outgoing and healthy college students who like the thrill of cracking. Or maybe their is a substantial amount of middle aged computer programmers that have access to high tech computers, and use them for breaking into other systems out of boredom.
despite what the previous Slashdot post said, the documents available don't seem to have any kind of abstract of the psychological characeteistics of the people that broke into the system.
Hopefully I didn't put any [] around my words.
You are right, but for cultural reasons, Americans will never listen to your logic. I don't know about people in other parts of the world.
In America, everytime a plane crashes, or someone overdoses on OTC medications, or someone shoots themselves in the foot or head with a hand gun, the media, activist groups and politicians swarm all over it. Sure these things are bad, but to a certain extant, they are unavoidable. American culture seems to be averse to the fact that things don't work or work in unforeseen ways, and that sometimes people get hurt or killed from these things.
Computer security is no exception to this, people are not going to accept the fact that running a computer implies the risk of having it broken into, and that there is not much to be done about it and that no one is to blame when a security hole in your chosen OS causes loss of thousands of dollars worth of sensitive data. Many people will continue to view security holes as the result of near criminal negligence.
Hopefully I didn't put any [] around my words.
the needless use of cat award!
/etc/inetd.conf | grep tel
/etc/inetd.conf | grep tel
/usr/sbin/tcpdin.telnetd
bash# cat
cat
telnetstream tcp nowait root
--
--
grep "xercist"
This just in...
Psychologists say k1dd13z are 50cc33r m0mz.
According leading psychologists studying a particular kind of hacker, called "script kiddies", have reason to believe that they aren't really kids at all. According to the latest profile, the average script kiddie has an affinity for SUV's, cocker spaniels, and anything from the Pottery Barn. This startling discovery has led them to believe that the average "script kiddie" is actually a "soccer mom"...
"The words of the prophets are written on the Slashdot walls."
There is a great deal of argument about whose OS is more "secure".
... err ... exploited! But - the most important thing is that they're located, and fixed!. Linux is equipped to deal with potential problems very quickly, due to the sheer number of people combing through the code. Microsoft (and any closed-source developer) simply do not have the required number of people to check their code for vulnerabilities. This means that weaknesses can only be located and fixed by a small number of people. Yes, it also means that it's harder for crackers to find exploits, but, as the last couple of years have shown, they've still managed admirably.
It is true that both systems can be well secured if the sysadmin knows what he/she is doing, keeps up with the latest patches, and keeps a wary eye open for attacks.
It is also true that an inexperienced sysadmin can use either OS to create a box that is dangerously insecure.
So, why do I believe that Linux will always have a security advantage over NT? Because the source code is available for anyone to look at. Exploits are found, and sometimes
Security is not a quantity - it's a process, and Linux moves faster.
This doesn't apply to just security problems, but also to bugs in general. We notified MS about a bug in their TCP implementation some time ago. All we can do is twiddle our thumbs while we wait for a fix (which may never arrive). If their stack were open-sourced, we could identify the offending line of code, and come up with a fix ourselves, which we could then submit for approval, thus speeding things up no end.
Strags
I wish I had access to this when that darn RedHat "Ramen" worm hit us. There's some invaluable tricks here for finding out exactly what an intruder has done. The use of RPM to compare checksums of original files vs. current files is particularly ingenious. I tried to do something similar with "find", but apparently some root kits actually mess with files date stamps, making things more difficult. All in all, good stuff to know.
std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
things like this are really positive for all our high security OS's out there. Hacking/Cracking is an extremely positive activity when put to actally helping me secure my box.
Knowledge Speaks, Wisdom Listens -- Jimi Hendrix
Unfortunately in the real world security is much trickier. Simply installing system X does not necessarily mean you get the better security. Configuration is everything.
Quite often it comes down to did the guy who installed the O/S know what they were doing. More often it comes down to did the person comming after him screw it up?
Windows NT can be reliably and securely configured, however you really have to watch out for keeping up with the latest Microsoft patches.
Unix can be reliably secured, particularly if you don't install sendmail which was the root of 30% of CERT reports a few years back.
Unfortunately no mainstream O/S ships designed to be secure out of the box, and those that do tend to be military O/S which are practically unusable.
Here comes the catch with UNIX security, to secure a UNIX system I take off every package and every service that I don't absolutely need. I'm not talking about removing finger from the inetd, I am talking about removing the binary for finger, ftp, rlogin, telnet and every other executable file that is not critical for the system to run - if possible including X-Windows and emacs.
Now the result is secure but by the time I am finished the 'UNIX' I have left has no resemblance to a machine most folk would want to use. If you put back the executables I have taken out then you are back to roughly the same degree of exposure as Windows NT.
Another problem is that 'security' standards for operating systems are all pre-net. Even the common criteria which were meant to be the latest and greatest appear to be written by someone who thinks that the problem is preventing access conflicts on multi-user machines. Unfortunately while that is an interesting problem it has nothing to do with todays problems of securing networks. Is a server in a client/server configuration a single or a multi user machine?
More interesting than the statistics for which machines got hacked first would be the description of the attack strategies employed.
What I would like to see is a return to the type of security we used to have in operating systems like VMS where processes could be given specific privillege levels. I would like to prohibit the process displaying my email from doing anything other than drawing to the display visual - no taking a look at my address book, no sending off emails to anyone else.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Is the real lesson here how to increase security on your Linux box, or how to perform forensic analysis after a crack attack, or why you should/shouldn't pick Linux? No. None of the above.
I have long contended that the applicable formula is
convenience = 1 / security
The safer you want your system to be, the less convenient it will be to use the system.
If you have a computer for fun and entertainment, you don't want to make keeping it secure a full-time job (unless, of course, that's your idea of fun). Take some reasonable precautions, keep good backups, don't tempt fate, and get on with life. If you get hacked, deal with it.
If you have a mission-critical system in a business environment, then hire a professional sysadmin to keep it secure. This is not a do-it-yourself job, whether you're using M$, Linux, Solaris, MacOS, OS/2, or BSD.
What you describe would indeed be considered a criminal act, however it still amuses me that thousands of businesses pay security consultants through the nose for that same service when they could just wait for a burglar to break in and leave them a note detailing how they did it for free.
God bless our current model of capitalism (or is it consumerism?) which allows people to either make tons of money or be sent to jail for a number of years for commiting exactly the same act.
Bow before my sig, for it is good.
Forensics on a compromised machine is really tricky. So many things to look for. I suppose this just proves the best defense for your machines is to be ever-vigilant, bordering on paranoid :-)
Where's my lobbyist? Right here.