BugTraq's Elias Levy Talks Security

LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.

OpenBSD, not FreeBSD

[X-ViRGE]

Um, just FYI, he said OpenBSD, not FreeBSD. I think most people would agree about the security of OpenBSD.

security

[Lumpy]

It's very true, Anything can be secured including windows NT/200/xp/zp/ww3p it just takes more time and more money to do it than BSD or linux. but many companies take the stance of hiring a security consultant, get's an audit, fixes what's wrong and then believes that they've done what was needed and that they are secure now. They never think, or dont want to think that security is a moving target that requires full-time attention and trained people to take care of it. Send your IS/It staff to security training and seminars, keep the staff trained.

unfortunately in today's economic world, those programs and positions will be among the first to be cut by the CEO's.

Re:security

I disagree. Win2K is hard to secure because Microsoft's policy regarding security is to release a patch once a vulnerability is identified. Furthermore, a multitude of services are enabled per default, and in a sea of product updates, it can be difficult, if not impossible, to determine which update applies to the system at hand.

Contrast this with OpenBSD. Their approach is much more pro-active. Regular code audits leads to a more secure codebase. However, if something slips through the cracks, a patch is released. Since OpenBSD is "secure by default" it is a simple matter to determine if the patch applies to your system, becase the administrator must enable services as the need arises.

Both systems can be secured, certainly, but Microsoft's security policy is shit, so I'd rather not have to try and secure a windows box when there are better options available.

Re:security

[MeowMeow+Jones]

The worm might be new, but the patch for the exploit in question was released in October 2000. Here are some links that are of interest:

http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/lockto ol.asp

http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/iis5ch k.asp

Re:security

[coolgeek]

the patch for the exploit in question was released in October 2000

I don't want to harsh on you too roughly. Blaming the end user for not patching their systems is a bit like a programmer blaming a user for pressing that wrong key at that wrong time that crashes said programmers' code. They are innocent and ignorant. Insisting that they become clued about administering their computers is analagous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel. Its just not practical, and it ain't never gonna happen.

Microsoft sure seems to have money to spend when it comes to sicking the BSA on its paying customers, or lobbying various public officials to look the other way while they break the law, yet seems to have $0 when it comes to educating the masses about the flaws in its products. Why not some full-page ads and television spots: "We're sorry we made a boo-boo. Please visit windowsupdate.microsoft.com to repair your Windows installation, and help keep The Internet safe for all of us." (and I have my doubts about whether that plugs these leaks) How about just putting some "Free MSN and Windows Repair CDs" next to the free AOL CDs you see everywhere. Instead, Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies in the form of lost productivity, upstream bandwidth fees, law enforcement investigations, etc. I would speak to their possible motives as to why they might want us all to waste our time and money, but I've sworn off the flamebait for a while.

Re:security

[Tony-A]

I'd say yes.

Try redhat.com/errata
In addition to links to Errata for 7.1 going back to 4.0,
Notable Security Exploits

Red Hat Linux users who have applied all Red Hat security updates are usually not vulnerable to worms and other security exploits. Click on the links below to read about each recent exploit and what you can do to prevent being affected.
The Adore Worm
Discovered April 3, 2001
The Lion Worm
Discovered March 23, 2001
Bind Exploit
Discovered January 29, 2001
The Ramen Noodle Worm
Discovered January, 2001

http://openbsd.com/errata.html
even better organized

http://www.freebsd.org/releases/4.3R/errata.html

Re:EROS? Vapour? Solutions without a problem?

[Peaker]

This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of coure, it is possible for a webserver to drop root priviliedges after binging to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disdavantage .
You are missing the point. Sure there are tricks and trickery to make your webserver limit access to things, but there are fundumental problems in the *nix approach to such limitations:
A) You trust the webserver to correctly limit access (fail-open), whereas in EROS you only give the webserver the access it requires (a capability to the specific port/etc).
Even if the webserver is malicious, in EROS its not a problem.
EROS does NOT require a superuser or has such fail-open facility.
B) In *nix boxen, the restrictions are placed and implemented as a chains of if-conditionals (ACL-type security), which are very error-prone (as we all know by reading bugtraq) and very hard to debug, and about 15 if's in a chain are required if you want to get close to correspondence to the principle of least privelege. In EROS, keys identifying objects and the rights to access them are held by processes, and a single test is required for every activation of a facility (if(key-is-valid) ...).

This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of coure, it is possible for a webserver to drop root priviliedges after binging to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disdavantage .
In EROS/Vapour/pure cap. systems, each process has a pool of capabilities it can use. A capability is a reference to an object, that allows accessing this object. The only test for an operation's execution is that the capability to operate it is valid. This is very safe, and can be mathematically proven. Try to mathematically prove *nix boxen if-conditional chains.

And none of these systems are proven as the original AC commenter was trying to suggest. While some things are proveable secure (as in theory can show that it is secure e.g. some encryption algorithms), sometimes the IMPLEMENTATION is flawed. Now since these systems were written by people in academia and are not in widespread use, no one knows how well implemented they are, even if there are SECURE CONCEPTUALLY.
These systems are so much simpler, that implementing them correctly is much much easier.
Making flaws in the security implementation of capability protection is much more difficult than flaws in the if-chains of *nix, and even if the implementation is flawed, it shall be fixed in a constant amount of time, as the security system is of a small constant size (the code implementing capabilities, that is), whereas in *nix, security is an ever-lasting huge pile of code that grows with the rest of the code, with new if-chains written for every new piece of code.

One question I DO have is this: how does EROS have such fine grained control over EVERY SINGLE thing a process may do WITHOUT lots and lots of overhead? With thousands of processes in a system, ACLs could potentially grow to enormous sizes and incur long delays while verify that the process has access to certain priviledges. Nothing is for free. This is why the UNIX model is simplistic: because security cannot make the system unusable. If the system is too SLOW there is no point in having it at all. Getting rid of said system would be the ultimate security: nothing to break into...but would there be a point?
This is exactly what you're missing! EROS does NOT use ACL's. ACL's are what EROS is fighting against and trying to replace. EROS uses the capability model, which is of HIGHER performance, of mathamatically provable security, AND much more flexibility!

And what about systems more archaic like: OS/390, OS/400, VMS? Don't they have the same ACL stuff as EROS (wasn't EROS designed as an improvement with os/390 in mind)?
NO. Eros does NOT use ACL's. ACL's are the root of all security problems.

too late?

[slashkitty]

Wouldn't that be too late? Apache logs the request after it is successful. Some request for /path/to/shell/sh?rm+-rf+/ would only need one request, were that a real hole. Your log analysis would detect it, if the log file was even still there.

Instead, your script would have to be a module or proxy that filters all incoming requests. And stops them before the trouble.