Slashdot Mirror


The Honeynet Project Has A Winner

AltGrendel writes with a welcome followup: "The Honeynet Project has announced a winner. OK, actually they announced the three winners and have posted the results here. Details as to how all this was accomplished will be posted through the next few weeks. Congratulations to all finalists!" This project has been mentioned a few times before; if you thought running Linux made you obscure enough to largely escape the attention of random and non-random malice, this is a thorough (if depressing) reason to think otherwise. Hats off to the Honeynet Project and participants for putting this labor-intensive analysis together.

11 of 50 comments

  1. Re:Inflated damage numbers by dair · · Score: 3
    ...that shoplifter caused tens of thousands of dollars worth of damage?

    You missed out the bit where he says:
    losses should only be allowed if such losses can actually be proven, unlike for example the Steve Jackson Games case where a 911 document which could be purchased for some US$30 was valued at US$79,449 for purposes of estimating damages.
    Stealing some M&Ms is a self-contained and easily recognised (there's one less bag on the shelf) act, so the damage would be limited accordingly. A compromised system could have suffered any amount of changes - you need to spend the time to understand exactly what did change before you can be sure you've covered it all.

    -dair
  2. Inflated damage numbers by Mike+Schiraldi · · Score: 3
    "But all it takes to re-install Red Hat is 30 minutes. How do you come up with US$2000 damage?" ... When a system is compromised, and the data on it and its network are compromised, it is not simple to determine the extent of the damage without a lot of work. We do not know if the blackhat stole people's passwords, hacked other systems, has implemented sniffers, etc. This argues for strong prevention, defense in depth (including monitoring in depth), and trained responders. If all the administrator does is re-install the OS, they are doing a wholly inadequate job of responding to a security incident, as the extent of damage may be far greater than a single system.

    So if someone steals a packet of M&Ms from the local grocery store, and the grocery store conducts a full review and decides to hire a $20/hour security guard, spend $1500 installing cameras and a closed-circuit TV system, and install a checkpoint at the candy aisle, that shoplifter caused tens of thousands of dollars worth of damage?

    --

    1. Re:Inflated damage numbers by Mike+Schiraldi · · Score: 3
      How much do you think it would cost Boeing for this incident? How much would you, as a potential passenger on this aircraft, expect them to spend on this one incident?

      An incredible amount of money. But it's their own fault, not the intruder's fault. The intruder is guilty of a lot of criminal charges and should go to jail for about the same amount of time as they would if they broke a window, climbed into the office, and rooted through everyone's desks. But no longer than that. And they certainly shouldn't be blamed for the expense of investigating the breakin or beefing up security.

      --

    2. Re:Inflated damage numbers by Amokscience · · Score: 3

      How about if someone breaks into Boeing's network and the new airline design is accessible on that network. Furthermore assume that the breakin isn't detected for a few weeks and that lots of work has been done. Now, suppose the person didn't steal anything.

      How much do you think it would cost Boeing for this incident? How much would you, as a potential passenger on this aircraft, expect them to spend on this one incident?

      This actually occurred several years ago and the estimated cost to Boeing was (IIRC) over $200,000. They had to verify that their data integrity was ok, that work hadn't been tampered with, and so on into the dull sysadmin stuff...

      So, yeah, a simple act can cost many times as much as its face value. I don't believe someone would let it stretch as far as your example (and I hope not if it's just M&Ms) but the principle is in place.

      --
      Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
    3. Re:Inflated damage numbers by kevinank · · Score: 3

      A better analogy than the M&M's would be the airplane passenger who jokingly mentions that he plans to hijack an airplane.

      Hundreds of people are delayed while the airplane is searched for explosives, plus there is the cost of security guards to hold the person in custody, and the staff to complete the search.

      That is easily $20k worth of damage, especially when multiplied by the number of people who visit a busy web site (as opposed to the ~200 that might be delayed at the airport.)

      --
      LibBT: BitTorrent for C - small - fast - clean (Now Versio
    4. Re:Inflated damage numbers by rabtech · · Score: 3

      I'm glad you aren't in charge of security for any major websites, since you obviously have no clue.

      Assuming you wiped the machine and reinstalled, you have to spend hours restoring from tape (assuming you kept good backups), then replacing any material missing since that backup, and finally reset any permissions or settings that may have been lost. This all assumes that you KNOW when the hacks were initially conducted.... for all you know, your last 6 months of backups might also contain virii or backdoors!

      If you don't do a reinstall, then you've got to carefully examine every folder. Look at the configurations for all daemons and running processes. Check over log files. Leave no stone unturned. Leave no file unchecked. If you don't examine everything, you risk missing a trojan or backdoor installed somewhere. You need to change passwords on that machine and other machines that might have been accessed from it (like database servers, etc.)

      All these things, and many more. To do any less would be like saying "PLEASE, COME VIOLATE ME AGAIN!"

      A more correct analogy would be if a bank were broken into without anyone detecting it until a week later..... would you still entrust your safety deposit box and money to them if they decided not to make any changes to their security protocols or go over all the video tapes frame by frame looking for any problems, as well as hiring new guards and possibly bringing in consultants to review their procedures? Absolutely not.

      Why would you be so careless with your servers then? I'll repeat my earlier lament: THANK GOD you aren't in charge of any important servers.
      -------
      -- russ

      "You want people to think logically? ACK! Turn in your UID, you traitor!"

      --
      Natural != (nontoxic || beneficial)
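The "leave no file unchecked" pass rabtech describes is easiest to do against a baseline taken when the box was known to be clean. The following is an added example, not code from the thread or from the Honeynet Project: it hashes every regular file under a root, records mode and size alongside the hash, and reports what was added, removed or modified (a mode-only change such as a new setuid bit is caught too). The directory layout, file contents and the simulated post-compromise changes are all constructed for the demo and assume a POSIX filesystem.

```python
"""Added example: file-integrity baseline and comparison (constructed demo data)."""

import hashlib
import os
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map each regular file (path relative to root) to (sha256, mode, size).

    Symlinks are skipped so a planted link cannot make us hash a file
    outside the tree we are auditing.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.lstat()
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = str(path.relative_to(root))
            baseline[rel] = (digest.hexdigest(), st.st_mode, st.st_size)
    return baseline


def compare_baseline(known_good, current):
    """Return sorted lists of added, removed and modified relative paths."""
    old_keys, new_keys = set(known_good), set(current)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if known_good[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline at install time, then simulated tampering.

    The tampering is a stand-in for what a responder would look for: an
    edited daemon config, a dropped hidden file, a deleted log and a setuid
    bit added to an existing binary (content unchanged, mode changed).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "inetd.conf").write_text(
            "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")
        (root / "usr" / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls\n")
        (root / "var" / "log" / "messages").write_text("boot ok\n")

        known_good = build_baseline(root)

        # Simulated post-compromise changes (constructed, not real malware).
        (root / "etc" / "inetd.conf").write_text(
            "telnet stream tcp nowait root /tmp/.x/placeholder\n")
        (root / "usr" / "bin" / ".hidden").write_bytes(b"constructed placeholder")
        (root / "var" / "log" / "messages").unlink()
        os.chmod(root / "usr" / "bin" / "ls", 0o4755)  # setuid added, bytes untouched

        return compare_baseline(known_good, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to read-only media at install time; a baseline stored on the compromised host, or restored from a backup of unknown age (rabtech's point about six months of backups), is only as trustworthy as the backup itself.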
  3. Linux a target? I'm not surprised by Kartoffel · · Score: 3
    Of course kiddies are going after Linux systems. Suppose you wanted to 0wn a few boxes, for whatever reason. Would you rather 0wn....
    • a commercial *nix box where most of the common linux-centric 'sploits won't work?
    • some (l)user's windows machine that gets rebooted and/or crashes all the time?
    • a mac?
    • some obscure legacy OS running in a factory or big business (w00t, be a VMX h4x0r)
    • John Doe's RedHat box running with an out-of-the-box config?
    If I were a kiddie (hypothetically speaking, of course), I'd be going after a target that's easy, plentiful, and stable enough to stay online, allowing me to use it for scanning, bouncing, running b0ts, etc. Big Linux distros have new exploits uncovered and published every day. Linux is gaining popularity, too. All the new users installing it don't know jack about locking down their computers and it makes Linux a very ripe arena for the kiddies.

    Does this make Linux a bad operating system? No, of course not. It just means that in order to really be secure, you still have to know what you're doing.
    --

  4. Re:Link not quite right by interiot · · Score: 3

    Damn. I was hoping someone had just cracked the site... ;)
    --

  5. Re:Lessons learned by Glowing+Fish · · Score: 3

    You are right, but for cultural reasons, Americans will never listen to your logic. I don't know about people in other parts of the world.

    In America, every time a plane crashes, or someone overdoses on OTC medications, or someone shoots themselves in the foot or head with a hand gun, the media, activist groups and politicians swarm all over it. Sure these things are bad, but to a certain extent, they are unavoidable. American culture seems to be averse to the fact that things don't work or work in unforeseen ways, and that sometimes people get hurt or killed from these things.

    Computer security is no exception to this, people are not going to accept the fact that running a computer implies the risk of having it broken into, and that there is not much to be done about it and that no one is to blame when a security hole in your chosen OS causes loss of thousands of dollars worth of sensitive data. Many people will continue to view security holes as the result of near criminal negligence.

    --
    Hopefully I didn't put any [] around my words.
  6. Conclusions about operating systems generally wrong by Zeinfeld · · Score: 4
    One of the depressing end results of these projects is that they tend to come down to people making statements like 'we proved system x to be better than y' as if this was a soap powder comparison test.

    Unfortunately in the real world security is much trickier. Simply installing system X does not necessarily mean you get the better security. Configuration is everything.

    Quite often it comes down to did the guy who installed the O/S know what they were doing. More often it comes down to did the person coming after him screw it up?

    Windows NT can be reliably and securely configured, however you really have to watch out for keeping up with the latest Microsoft patches.

    Unix can be reliably secured, particularly if you don't install sendmail which was the root of 30% of CERT reports a few years back.

    Unfortunately no mainstream O/S ships designed to be secure out of the box, and those that do tend to be military O/S which are practically unusable.

    Here comes the catch with UNIX security, to secure a UNIX system I take off every package and every service that I don't absolutely need. I'm not talking about removing finger from the inetd, I am talking about removing the binary for finger, ftp, rlogin, telnet and every other executable file that is not critical for the system to run - if possible including X-Windows and emacs.

    Now the result is secure but by the time I am finished the 'UNIX' I have left has no resemblance to a machine most folk would want to use. If you put back the executables I have taken out then you are back to roughly the same degree of exposure as Windows NT.

    Another problem is that 'security' standards for operating systems are all pre-net. Even the common criteria which were meant to be the latest and greatest appear to be written by someone who thinks that the problem is preventing access conflicts on multi-user machines. Unfortunately while that is an interesting problem it has nothing to do with today's problems of securing networks. Is a server in a client/server configuration a single or a multi user machine?

    More interesting than the statistics for which machines got hacked first would be the description of the attack strategies employed.

    What I would like to see is a return to the type of security we used to have in operating systems like VMS where processes could be given specific privilege levels. I would like to prohibit the process displaying my email from doing anything other than drawing to the display visual - no taking a look at my address book, no sending off emails to anyone else.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
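Zeinfeld's hardening recipe starts with the services inetd exposes. The following is an added example, not code from the thread: it parses the classic inetd.conf format (service, socket type, protocol, wait flag, user, server path, arguments), reports every active service that is not on an explicit allowlist, and produces a rewritten config with those entries commented out so the change can be reviewed before it is applied. The sample config is constructed for the demo; removing the binaries themselves, which the post also recommends, is a separate step this example does not perform.

```python
"""Added example: allowlist audit of an inetd.conf (constructed sample config)."""

import re

# Constructed sample resembling a stock inetd.conf of the period.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
"""

# One active entry: name socktype proto wait user server [args...]
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<socktype>\S+)\s+(?P<proto>\S+)\s+(?P<wait>\S+)"
    r"\s+(?P<user>\S+)\s+(?P<server>\S+)(?:\s+(?P<args>.*))?$"
)


def _match_active(line):
    """Return the regex match for an active (uncommented, non-blank) entry, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return ENTRY_RE.match(stripped)


def parse_inetd(text):
    """Return a list of dicts describing the active entries, with line numbers."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _match_active(line)
        if m is None:
            continue  # comment, blank, or malformed line
        entry = m.groupdict()
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def audit(text, allowlist):
    """Disable every active service not in allowlist.

    Returns (violations, rewritten_text): violations lists the disabled
    services with the user they ran as and the server they spawned, and
    rewritten_text is the config with those lines commented out.
    """
    allowed = set(allowlist)
    violations, out_lines = [], []
    for line in text.splitlines():
        m = _match_active(line)
        if m is not None and m.group("name") not in allowed:
            violations.append({
                "name": m.group("name"),
                "user": m.group("user"),
                "server": m.group("server"),
            })
            out_lines.append("#DISABLED " + line)
        else:
            out_lines.append(line)
    return violations, "\n".join(out_lines) + "\n"


if __name__ == "__main__":
    found, rewritten = audit(SAMPLE_INETD_CONF, allowlist=["ssh"])
    for v in found:
        print(f"disabling {v['name']} (runs as {v['user']}, server {v['server']})")
    print(rewritten)
```

The allowlist is deliberately the input, not a denylist: the point of the post is that anything not positively needed goes, and an allowlist makes the remaining exposure an explicit, reviewable list.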
  7. Lessons learned by CyberDawg · · Score: 3

    Is the real lesson here how to increase security on your Linux box, or how to perform forensic analysis after a crack attack, or why you should/shouldn't pick Linux? No. None of the above.

    I have long contended that the applicable formula is
    convenience = 1 / security

    The safer you want your system to be, the less convenient it will be to use the system.

    If you have a computer for fun and entertainment, you don't want to make keeping it secure a full-time job (unless, of course, that's your idea of fun). Take some reasonable precautions, keep good backups, don't tempt fate, and get on with life. If you get hacked, deal with it.

    If you have a mission-critical system in a business environment, then hire a professional sysadmin to keep it secure. This is not a do-it-yourself job, whether you're using M$, Linux, Solaris, MacOS, OS/2, or BSD.