Linux Security: Reflections on 2002, Eye on 2003

Mirko Zorz writes "Here are the reflections on Linux security in 2002 and predictions for 2003 by Bob Toxen, one of the 162 recognized developers of Berkeley UNIX and author of the acclaimed book "Real World Linux Security" already in its 2nd edition. Read more at Help Net Security."

Disappointing article

[Gogo+Dodo]

That was a rather disappointing article. He only made one Linux-related prediction: that there will be a major Linux virus. Besides that, everything else was generic and not Linux specific.

Re:Disappointing article

[robbyjo]

Actually two...

As the worldwide recession continues in 2003, budget pressures will help move the world from expensive SysAdmin-intensive proprietary solutions to Linux. Even the last two holdouts, Sun and Microsoft, have grudgingly started to embrace Linux.

Re:Disappointing article

[rde]

Think of it as a good sign. It's hard to write extensively on holes that don't exist. Or at least, ones that haven't been found yet. cronned apt jobbies and up2date, etc, mean that even the task up updating for newly-discovered vulnerabilities is easier, so it looks as if for the coming year, the biggest problem will be the users. Plus ca change...

Re:Disappointing article

[Slaven+Reitmeier]

The predictions here were consistant with his '7 deadliest sins' which he frequently quotes. In fact, the article is in many ways just a more verbose version of them, with a few specific vulnerabilities thrown in for good measure.

Most of the predictions were "more of the same". I seriously doubt we'll be seeing "a major Cyberterrorism event" though -- I usually expect to hear this from sensationalists, not legitimate security experts. Think Steve Gibson. In fact, the theorized cause of these massive DDoS attacks is supposed to be windows systems, and the Raw Sockets are Evil thread is brought back to mind.

One big unforgivable mistake in the article: there was no bug in DNS -- there was a bug with BIND. Anyone using nameservers or libraries that were not part of BIND were unaffected. The fact that he assumes BIND is the only DNS server in the world is a big mistake, and one of the reasons DJBDNS doesn't get enough airtime.

Overall, I didn't see anything in the article that I didn't already see a hundred other places.

Personally, I'd like to hear what the authors of Hacking Linux Exposed have to say. Their book has a lot more grit and less soft-shoeing over the topics. Real World Linux Security has always been too full of stories and not enough answers for me. (Of course I bought the 2nd edition anyway.)

Near the end, end of honeypots?!

[pr0ntab]

He says that he predicts (and hopes) that the practice of using honeypots, etc. will decrease; that it only serves to illustrate to managers that security will be breached. Thus, we can assume that all sufficiently weak security will be breached eventually, ergo this practice is useless.

He forgets the other valuable feature of honeypots. You can deploy prototype installations and observe the kinds of attacks in the wild, to get a feel for the capabilities of the advisary. These techniques change over time, and that information is invaluable when determining where effort needs to be focused in a security plan for your product.

This short-sightedness casts doubt on some of the other parts of his essay, other than on the obvious points (to us at least, those involving Microsoft, Hollywood, the man keepin us down, blah blah blah)

And flying cars

[ObviousGuy]

There will be flying cars to take us to and from work.

Real World Computer Security

[SuperDuG]

1.) Use Microsoft Server Solutions and leave system alone (as risky as driving 100 mph on ice)

2.) Use RPM based Linux Distribution and leave system alone (risky as swimming in a americanized river).

3.) Use OpenBSD and leave system alone (like sitting on a Sunday with your grandma in Utopia(tm)).

Is this the type of "security" they're talking about? I don't know of one system that advertises itself as "secure" other than OpenBSD. For an opensource site like slashdot I think the best tool for the job should definantelly be used.

Or if you insist on a RPM Linux solution, ge Bastille. And possibly look into a non-RPM based distro, for servers debian certainly works quite well. And if your server is IMPORTANT at all, subscribe to bugtraq, cert, and anything else that applies to your OS. It wouldn't hurt to check the homepage of your OS at least once a week either. And do routine audits on your system.

Security isn't hard if you actually make it a point to be conscious about it.

Re:Real World Computer Security

[SuperDuG]

Who cares who has "dirtier" dirty water. Hell parts of Ol Miss can't even keep fish alive in it. There is a twang of high radition in some areas. And lets not even get into the amount of chemicals that are used to kill things (bacteria, insects, weeds, etc.) and then there's the industry and sewage run off in it.

It's hard to believe that something in the wonderful utopia of wonderfulness which is America can have something so dirty running right down the middle of it.

You think it's so clean?? I'll getcha a glass, and we'll see if you want to drink it, considering how "Clean" it is.

Damn

[stinky+wizzleteats]

Unfortunately, a fair number of "Mom and Pop" sites use IIS, though a surprisingly high percentage do use Linux. For this reason, before giving my credit card to a new web merchant I always do:
nmap -O -sS -F -P0 -T Aggressive newguy.com

Stealth port scan with agressive timing? Now that's consumer activism.

Re:Damn

[JoeBuck]

Yeah, and I'll bet he gives his credit card to waiters in restaurants all the time. The only time I've ever had someone try to use a credit card number stolen from me, it was a busboy at a local Cambodian restaurant (they caught the guy too).

Re:Damn

[yamla]

I personally don't refuse to purchase from places that use IIS but come on. If they can't afford to pay some guy tons of money to set up a linux server, they presumably didn't pay _anything_ to a guy for securing their site. If their site isn't remotely secure, why should I buy from them?

Re:Damn

[Error27]

>they caught the guy too

You just summed up the difference between using a credit card at a restaurant and using one online.

I do not think he is paranoid. Three months after CodeRed first appeared, one out of ten "secure" or "comercial" IIS websites were still infected. (Note the word "secure" as in encryption and the word "infected" as opposed to merely "vulnerable".)

Security predictions

[ACK!!]

Yeah, people act like only MS can get infected with a virus but there will be a major linux virus soon. It is going to happen. As linux gets more exposure more schmucks will write malicious code designed for busting up linux boxes. It is not like the Unix world is some foolproof world of rock hard servers.

After all, why did linux inherit the Unix concern for security?

Enough old-school unix guys have been bitten by the bad security in telnet and NIS and a half dozen old world Unix services with big nasty security issues.

Sure Bastille linux or RedHat secure server makes decent choice and OpenBSD is locked pretty tight right out of the box. That does not mean that it is impossible to break into those boxes. Just that it is more difficult. All you need is a one-day lag between a security issue posting on Cert and the patch to whatever software you are using coming up for your distro or OS. It can happen to any of us. It will happen to many of us.

The over-confident are always the funniest to watch when their shit hits the fan.

The honeypot thing is interesting. I have always wondered if you really get enough useful information from the attacks to warrant the time put into the systems. Somehow it just smacks of a geeky wanking waste of time. On the other hand, maybe the information from such implementations really make this worth it.

Any comments on this?

Re:Security predictions

[zatz]

I think the executable versions, library versions, and specific configurations of services vary a lot more between Linux boxen than Windows hosts. There is much less of a monoculture problem, so it is more difficult for any single worm to infect a large fraction of hosts.

Still, as Linux slowly gains desktop market space and the level of security awareness of the average user declines, it is conceivable that it will become more hospitable to Nimda/Klez-scale worm epidemics. Also Linux tends to run more services; a Windows 98 box is very difficult to compromise remotely because it has almost no interfaces to subvert. We probably won't be at the same level of susceptibility as Micros~1 platforms for a while, though.

Talking about Linux security...

[fungus]

You guys should know that a trivial remote root hole for SSH was released today on bugtraq.

Someone who wants karma bad enough should reply to this with the advisory :)

Re:Talking about Linux security...

[fungus]

ERRATA:

--- begin cut & paste ---

To: BugTraq
Subject: Re: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Date: Jan 6 2003 8:05PM
Author: Global InterSec Research
Message-ID:
In-Reply-To:

As some may have gathered, the advisory recently posted by mmhs@hushmail.com
was indeed a fake, intended to highlight several unclear statements made in GIS2002062801.

The advisory in question is currently being updated with more detailed information and will
be
re-posted at: http://www.globalintersec.com/adv/openssh-20020628 01.txt as soon as it becomes

available.

Note that the kbd-init flaw described in GIS2002062801 was proven to be exploitable in our lab
although not all evidence to demonstrate this was provided in the original advisory. A mistake
was made in the original advisory draft, where chunk content data was shown, rather than the
entire corrupted malloc chunk. This will be amended in the revision.

Also note that to our knowledge there are currently no known, exploitable flaws in OpenSSH 3.5p1,

due to its use of PAM as suggested by mmhs@hushmail.com. It is almost certain that the posted
bogus advisory was also intended to cause alarm amongst communities using OpenSSH, through
miss-information.

Global InterSec LLC.

--- end cut & paste ---

The original advisory I was talking about can be found here.

Sorry for misguiding you, humble slashdot readers.

Re:Talking about Linux security...

[Florian+Weimer]

You guys should know that a trivial remote root hole for SSH was released today on bugtraq.

The posting appears to be a fake. (I wonder why your snake oil alerts didn't go off...)

Too many services?

[pben]

I really think that this Toxen guy should quit spouting on about SuSE installing too many services by default. None of the services he complains about is installed by default. He needs to really download and install a Linux distribution that has been released in the last couple of years. You have to turn on the services now at least for SuSE 8.1. He may have written some good stuff in his day but he should do some research before he makes a fool of himself in print.

Help net security: Toxen's Publicist

Help Net Security seems to be Bob Toxe'ns personal publicist. Let's see, they wrote and submitted the RWLS book review, performed at least one interview with him, drove people to their site to win free RWLS books. Now, how many other Linux experts have they interviewed and plugged? Can you find any references to Building Secure Servers vith Linux (Bauer, a damned fine book) or Hacking Linux Exposed (Hatch, also excellent)? Or even a note about inferior books, such as the Red Hat security/optimizing one, or Maximum Linux Security? How about an interview with Ziegler of "Linux Firewalls" fame?

Nope, seems to me Toxen's pseudonym is "Zorz".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Honeypots are awesome.

[tkoney]

I had a very hard time convincing my manager to allow us to set up a honeypot on our DMZ. He said since no one could get there, what was the point. Three weeks later, when a hacker managed to break in via some badly written ASP programs (not my fault) it was the honeypot that send us the alerts that let us get him off our network.

Of course honeypots can also be used to learn what hackers do. The Honeynet Project is a great place to go to learn how to set one up securely so it can't be used to attack other people.

In fact, today a new version of honeyd was released:

As many of you already know, Honeyd is an OpenSource honeypot designed for the Unix platform. It has many featues, including the ability to monitor millions of IP addresses, detect activity on any UDP or TCP port, OS emulation at the user and kernel level, create virtual networks, and so on.

Marcus Ranum and I are big fans of Honeyd. To make it easier for people to work with and understand this technology, we took all the necessary ingrediants together and 'cooked' them up for you, creating the Linux Honeyd Toolkit. This toolkit is a ready to go distribution of Honeyd, with statically precompiled binaries, configuration files, and startup scripts. The idea being you just update the honeyd.conf file to what you want your honeypot to look like and let her rip.

Toxen's fear of Honeynets and Honeypots shows the "if I don't understand it, it's not good" theory I find in too many managers. He should take some time to run a honeypot or two and see how useful they can be.

Comment removed

[account_deleted]

Comment removed based on user account deletion

OpenSSH server not run by OpenSSH crew

The OpenSSH server is not run by the OpenSSH team, it's a university machine. Yes, it was broken into. It's running Solaris, not OpenBSD either, in case you're curious. They use it because it has bandwidth.

Naturally, you should check the pgp signature and/or cryptographic checksums before trusting any code you download.

There are still bugs in SSH.com's version - mostly stability, but I bet there are several security bugs too. OpenSSH will be updated several hours after new bugs are found - can you say the same for SSH.com's versions? I don't think so, not if history is a guide.

Linux securty? Be more specific. Kernel | Userland

All security is an issue of the userland software, not necessarily the Linux kernel itself. The userland software in question is: all of it.

Software that uses suid bit set will still be susceptible to leaving control to the "root" user after it crashes. Telnet and SSH still allows people to do bad things, as well as good things, to the hosted account's property.

Alas, the Linux kernel is a perfect angel...but hark, what do I see? A "Tux" http server in kernel space? That is quite dangerous. No matter what the performance benefits, leave those kind of user-services outside of the kernel because each and every bit of code in kernel land makes the Linux kernel that much more closer to an "unknown" exploit. /other than that, the userland tools taste like chicken and the kernel still smells like hering.

Re:Linux securty? Be more specific. Kernel | Userl

[octogen]

The userland software in question is: all of it.

No, only suid binaries. You don't hack into something which runs in the context of your own account (your own level of access).

Software that uses suid bit set will still be susceptible to leaving control to the "root" user after it crashes

That's the difference between a secure configuration of common OSs like Linux, Free/Net/OpenBSD,... and really secure OSs like VMS or Trusted Solaris (yes, Unix can be a really secure OS).

Secure OSs don't run things as root, they assign privileges to certain users and/or binaries instead. For example, you don't want to allow Apache to override the Discretionary Access Control when it actually only needs 'root' to open port 80.

On Trusted Solaris you just do 'setfpriv -m -a -f net_privaddr /usr/local/apache/bin/httpd' and noone would ever get something like root by hacking into your apache webserver.
That's how the 'principle of least privilege' works.

There is mainly one thing wich keeps your system secure: Access restrictions (users must not load kernel modules, mount disks, access files which they're not allowed to access, ...). But access restrictions can't protect your system from users/processes who are privileged to override these restrictions, and that's why you need fine grained privilege controls to build really secure OSs.

"Worldwide recession"

[Sara+Chan]

The article talks about "the worldwide recession". A recession is typically defined as two consecutive quarters (i.e. six months) of negative GDP growth. The Economist gives the most-recent GDP changes data for each of 19 different Western countries (sorry, not free). Only two are negative (Denmark and Norway). The most-recent quarterly GDP change for the the Euro area is +1.3%; for the USA it is +4.0%.

There is a rationalization going on in business IT. This is not a recession at all.

Wow. Another uneducated whitehat.

[mcroot]

Perhaps he should start by reading bugtraq. If he had, perhaps he would have seen this hole in ssh.com's lovely software in 2002.
http://online.securityfocus.com/bid/6247

Or, who can forget this unbeliavably idiotic mistake in their client from 2001
http://online.securityfocus.com/bid/3078

Yet he call's it more reliable that OpenSSH. Maybe he should look into the nice new privsep code in OpenSSH and comment on that. So called security experts make me wish public floggings were still a common event.

Huh?

[Mandi+Walls]

Ah, yes. Another whiny little post about RPM-based distros.

As another responder so aptly pointed out, the package management system has nothing to do with security, unless you are using file verification as part of your security plan (which isn't a bad idea.. do "rpm -Va" for system-wide verification of all files known about in the rpm database).

However, if you have to support real-world applications, and not just your webserver at the other end of your cable modem, there is another aspect to system security and stability, and that is THIRD PARTY VENDOR SUPPORT.

Now, I realize that the number of guys on /. who actually do stuff for a living that doesn't include final exams is minimal. However, if my boss/engineering staff/customer wants a product for a specific purpose, say, backups, or CRM, or CMS, I don't have the power to say "well, sorry, but we only run StinkyFeet Linux, not Blue Bonnet like that vendor requires". If they don't can me, they'll just go with a Windows-based app to get around that headache.

So then, what good does it do to have several distros around? They all run the SAME PACKAGES, imagine that! And when there is a hole in OpenSausageStuffer on an RPM-based distro, there is going to be a hole in OpenSausageStuffer on a non-RPM-based distro. The Horror!

So instead of having one distro network-wide, which has the same version/feature set across all systems, and the same cronjobs for updates, etc, i now have several, because some fool decided that he didn't have the time to make the appropriate decisions and shut things off. hmmm...

And that doesn't even get into the headache of trying to deploy my own packages, or dealing with the preferences of my users, or with the terms of a contract.

In short, being a stick in the mud about distros isn't going to gain you anything. And not learning how to do your own security in favor of a crutch like Bastille isn't going to gain you anything either. Jay has a good idea, and it's great for noobs, but if I'm paying you (or if you're paying me) to secure a system you better fucking know exactly what is going on. And when security requirements change, you better be able to handle it. Relying on someone else's idea of secure is a place to start, not the final answer to your own security. Security is a process, not a product, no matter what your little imagination tells you.

When it comes to system security, the best distro for the job is the distro you know the best, not the /. poster's favorite distro. A newbie to HandCreamBSD isn't going to be any better off than a newbie to Blue Bonnet Linux.

--mandi