Slashdot Mirror


More Info on Debian.org Security Breach

mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly up to date with respect to security, an as-yet unknown local root exploit might be in the wild, so keep an eye on your boxen. Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."
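The summary's advice to "keep an eye on your boxen" comes down to noticing changes you did not make. What follows is an added example, not code from the Debian report or from anyone in this thread: a small file-integrity check in Python that records a SHA-256 manifest of a tree and diffs it later, and that lists setuid files so a newly appeared one stands out. The sample tree and the "intruder" changes in `demo()` are constructed for illustration. In real use the baseline is written to read-only or off-box media before any incident, because a kernel rootkit of the kind described can hide changes from tools run on the live system.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its hash and ownership/mode.

    Symlinks are recorded as nothing rather than followed, so a planted link
    cannot make the manifest describe a file outside the tree.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        dirnames.sort()  # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            manifest[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": st.st_mode,
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return manifest


def compare_manifests(baseline, current):
    """Return which paths were added, removed, or changed (content, mode or owner)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def setuid_files(manifest):
    """Paths whose mode carries the setuid bit; a new entry here is the first thing to look at."""
    return sorted(p for p, meta in manifest.items() if meta["mode"] & stat.S_ISUID)


def demo():
    """Constructed scenario: baseline a tiny tree, then simulate an intruder's changes."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls binary (constructed)")
    with open(os.path.join(root, "etc", "shadow"), "wb") as f:
        f.write(b"root:x:0:0 (constructed)\n")
    baseline = build_manifest(root)

    # Simulated intrusion: a trojaned ls, a dropped file, a removed file.
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned ls binary (constructed)")
    with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
        f.write(b"dropped by intruder (constructed)")
    os.remove(os.path.join(root, "etc", "shadow"))
    current = build_manifest(root)
    return compare_manifests(baseline, current)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the kernel it runs on: once a rootkit owns the box, `open()` and `stat()` can return whatever the attacker wants, so the comparison should be done from known-good media (a rescue boot with the disk mounted read-only), with the baseline stored somewhere the compromised host could never write.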

20 of 545 comments

  1. Human Error by jefbed · · Score: 5, Insightful

    This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach. I think that it would be a good idea for the future to move away from the traditional unix password. An appropriate replacement would be something similar to the RSA passphrase mechanism used by secure shell. A random passphrase with a minimum length would be ideal. The user is the greatest security hole.

    --
    AntiRight, download now!
    1. Re:Human Error by ctr2sprt · · Score: 4, Insightful
      Clearly we need some way to move away from traditional passwords, but RSA keys aren't the way to go. They're impossible to remember, which means you need to store them on a computer. That makes them vulnerable to copying. You can password-protect them, of course, but then you're in the same situation as before (actually worse, for the same reason /etc/passwd is less secure than /etc/shadow).

      That's not to say that RSA or some similar system won't be part of a good solution... but there definitely needs to be some other component. (For example, the private key might be encrypted by a biometric signature or keycard or similar. While that still leaves the system vulnerable to physical attacks, it more or less eliminates network-based ones as long as you use secure protocols.)

    2. Re:Human Error by Anonymous Coward · · Score: 5, Insightful

      Uhh, I dunno if you noticed, but it wasn't a password alone that did this much damage. The account broken into was unprivileged, meaning it was just a simple user account.

      In theory, a secured system can have this happen to it and the attacker will have fun deleting a single home directory before they run out of damage to do.

      In practice, a single local privilege escalation attack is all it takes. Maybe this will end up being a good thing in the end: we get to find a previously unknown local root exploit, fix it and improve the Debian security practices, all in one move.

    3. Re: Human Error by Black+Parrot · · Score: 5, Insightful


      > Random passphrase? Repeat after me: The best password is the one that isn't stickied to the monitor and/or keyboard.

      When it comes to internet-based attacks, my yellow stickies are the securest files on my system!

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:Human Error by God!+Awful+2 · · Score: 4, Insightful


      (For example, the private key might be encrypted by a biometric signature or keycard or similar.

      I have yet to see a biometric signature that would solve this problem. Generally speaking, in biometric identification, information about the fingerprint/retina is stored on the disk and then compared against the data that is read in. The biometric information is not used *AS* the encryption key. So a biometric signature is just like a really big password, except that if someone cracks your password you can change it, but you can't (easily) change your fingerprints.

      -a

    5. Re:Human Error by Anonymous Coward · · Score: 4, Insightful

      So when an exploit is found in Windows, it is considered a bad thing that shows how lame of an OS it is.. but when it is found (or not?) in Linux it is a good thing?

      Yes. In the past, Windows exploits have been found in one of two ways. The first way is when a virus is found in the wild. The virus is deconstructed, then Microsoft does a cost analysis to determine if it's worth patching the vulnerability that enables the virus. If so, then a binary-only patch will be issued. The first you'll hear of it is when you're able to download the patch. The second way is when a white hat hacker or a security analysis team at some college finds an exploit. If they go public with it, they're criticised for not giving Microsoft time to develop a patch. If they go to Microsoft with it first, then the cost analysis process starts, only because the public at large doesn't know a problem exists, there's a much smaller chance a patch will be issued. In either case, the patch may or may not work, and it may or may not break your system. Caveat emptor.

      When an exploit is found in Linux, it gets fixed. The cause of the exploit gets scrutinized world over, and other developers privately consider whether their software might have the capacity to be exploited in the same way.

  2. In a nutshell - somehow by evil_roy · · Score: 4, Insightful

    Quote from the article:

    "Somehow they got root on klecker and installed suckit."

    What follows is an interesting read - but the guts are in that 'somehow'.

    1. Re:In a nutshell - somehow by Kulic · · Score: 5, Insightful

      You're absolutely right. For some reason, everyone else seems to be overlooking the fact that there is (or appears to be) an unknown root exploit out there.

      Yes, you can probably guess/crack/social engineer a password if you try hard enough. That's why security is about layers, compartmentalisation and multiple types of protection, not just a single password.

      If this was your box, would you be more worried that someone had managed to sniff an (unprivileged) password? Or that any one of your users can now root your box? I know which one I would lose sleep over.

      Here's to hoping that the root exploit is found and patched nice and quick. Even better if it's something else that's been missed and is fixed in the latest patch.

  3. Diebold, take note by RealProgrammer · · Score: 5, Insightful

    All vendors and site administrators should take note of the openness with which the problem was dealt.

    When I go to buy a car, a computer, or a stereo, and the saleslizard is cagey about any problems that come up, my trust level goes down. If they tell me all about all the problems with the thing they're selling before I even notice them, my trust level goes up. It's like a cool drink on a hot summer day.

    Contrasting with Debian, how long did it take to find out that Diebold ATMs had been hit by the Nachi worm?

    I'm now more inclined to trust Debian, and less inclined to trust Diebold.

    --
    sigs, as if you care.
    1. Re:Diebold, take note by jkrise · · Score: 4, Insightful

      More importantly, the openness of Debian is a much more important factor here. When I read these lines in the article:
      The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly up to date with respect to security, an as-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.
      I got the distinct impression that Slashdot is transforming into a FUD channel for unsuspecting readers.

      The fact that a 'clean' Linux system can be backed up and restored from any media is of more relevance and importance to users. EVERY system connected to the internet has potential unknown vulns; those running Windows are often unpatched and have no disaster control system either.

      Viewed from this perspective, I don't think we need to keep an eye on our boxen, just the backup tapes / disks / CDs.

      --
      If you keep throwing chairs, one day you'll break windows....
  4. One recommendation by heironymouscoward · · Score: 5, Insightful

    Off-site logging of all accesses.

    One of the first things that get wiped in an intrusion are the logs. All access logs should be copied in as near real-time as possible to a remote server that is not accessible from the machine being logged, i.e. a drop-box.

    --
    Ceci n'est pas une signature
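The "drop-box" the comment above asks for is easy to get wrong in one direction: the collector must be reachable for writes but never for reads or edits from the host being logged. The block below is an added example, not code from the Debian report or from anyone in this thread. It formats log lines as BSD-syslog datagrams (the `<PRI>TIMESTAMP HOST TAG: MSG` shape of RFC 3164) and ships them over UDP, and `demo()` stands up a loopback listener to play the drop-box. The three sshd-style lines and the hostname `klecker` (taken from the report) are constructed sample input.

```python
import socket
import time

# RFC 3164 facility and severity codes used by this example.
FACILITY = {"auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def format_timestamp(epoch_seconds):
    """RFC 3164 timestamp ('Nov 21 09:05:00', day space-padded), in UTC."""
    t = time.gmtime(epoch_seconds)
    return "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                      t.tm_hour, t.tm_min, t.tm_sec)


def syslog_datagram(facility, severity, hostname, tag, msg, timestamp=None):
    """Build one datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG, as bytes.

    Newlines are flattened so a crafted message cannot forge a second record
    on the collector.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    if timestamp is None:
        timestamp = format_timestamp(time.time())
    line = "<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag,
                                 msg.replace("\r", " ").replace("\n", " "))
    return line.encode("utf-8")


def forward(lines, addr, hostname, tag="sshd", facility="auth", severity="info"):
    """Send each line as its own datagram to the collector at addr=(host, port).

    UDP is fire-and-forget: nothing comes back, so the logged host needs no
    path to read or alter what the collector stores. The cost is that a lost
    packet is lost silently; where that matters use TCP with a spooling relay.
    Returns the datagrams actually sent so callers can account for them.
    """
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            dgram = syslog_datagram(facility, severity, hostname, tag, line)
            s.sendto(dgram, addr)
            sent.append(dgram)
    return sent


def demo():
    """Constructed scenario: a loopback drop-box receives three sample auth lines."""
    sample = [  # constructed sshd-style lines, not from the incident
        "Accepted password for alice from 10.0.0.5 port 40122 ssh2",
        "Failed password for root from 10.0.0.9 port 51840 ssh2",
        "session opened for user alice by (uid=0)",
    ]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as dropbox:
        dropbox.bind(("127.0.0.1", 0))  # the collector; port chosen by the kernel
        dropbox.settimeout(2)
        sent = forward(sample, dropbox.getsockname(), hostname="klecker")
        received = [dropbox.recv(2048) for _ in sample]
    return sent == received, received


if __name__ == "__main__":
    ok, received = demo()
    for dgram in received:
        print(dgram.decode())
    print("all delivered:", ok)
```

On a stock Debian box the same effect comes from a one-line rsyslog rule such as `auth,authpriv.* @loghost` (UDP) or `@@loghost` (TCP); the part that matters is on the collector side: a firewall that accepts only inbound syslog from the monitored hosts, and no account on the collector that those hosts can log into. A rootkit that wipes local logs then still leaves the attacker's login and the `su`/`sudo` trail sitting on a machine it never reached.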
  5. Re:Password was *sniffed* by TheRedHorse · · Score: 4, Insightful

    Why assume it was a cleartext password? It could have been encrypted, captured and cracked via brute force or some other method.

  6. #1 on Ten Immutable Laws of Security by Saint+Stephen · · Score: 4, Insightful

    I worked at Microsoft, so Microsoft's list is my frame of reference:
    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

    1. Re:#1 on Ten Immutable Laws of Security by Gleef · · Score: 5, Insightful

      Not that I even like Microsoft's security list, since it's very Windows-centric, but I'll bite.

      Law #1 doesn't apply here. The intruder sniffed a password, and ran his own software. As far as I know, nobody was tricked into running malicious software. Law #1 should read, for real OSes:
      "Law #1: If a bad guy can persuade you to run his program on your account, it's not your account anymore."

      The first failure, as per this list was Law #5 "Weak passwords trump strong security." Someone didn't properly protect their password, this gave the attacker their foot in the door.

      The second failure was the unidentified privilege escalation. This doesn't appear to fit any of the laws (they appear to be written assuming privilege escalation is trivial, I guess that says something about Windows). Except perhaps, Law #10: "Technology is not a panacea". Just because we run well designed software that has few security holes doesn't mean that we run perfectly designed software that has no security holes.

      Occasionally something slips through the cracks, like here, and it's good to know that real people are paying real attention, and that there are effective ways of bringing necessary systems back up in a trusted fashion. Eventually, this escalation will be found, fixed, and machines patched.

      --

      ----
      Open mind, insert foot.
  7. Human Error or faulty security models? by Anonymous Coward · · Score: 5, Insightful

    SELinux would likely have prevented the root exploit from allowing this individual to do as much harm as was done.

    I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!

  8. What could be done better... by rxed · · Score: 5, Insightful

    Quote: "All the compromised machines were running recent kernels[1] and were up-to-date with almost all security updates[2]."

    Well, it seems that 'almost' just isn't good enough. Perhaps there is more to the break-in (like unknown holes)?

    Sniffing passwords? They must be using an 'almost patched' version of SSHd.

  9. local root != remote root by placeclicker · · Score: 4, Insightful

    Huge difference.

    You still need a local account to make use of a local root exploit.

    You don't for remote root exploits.

    Remote root exploits can be used in worms, local (for the most part) cannot.

    Not to say that local root exploits should be overlooked, especially when they seem relatively simple to create (e.g., bad symlinks)

    Besides, this is supposedly an *UNKNOWN* local root exploit..

    --

    Browse at -1, because trolls are often the most creative part of /.
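The "bad symlinks" the comment names are the textbook local-only bug: a program running as root creates a file at a predictable path, and a local user has already put a symlink there pointing at something the user could not otherwise write. It is local precisely because the attacker needs an account to plant the link, which is the comment's point. Below is an added example, not code from the Debian report or from anyone in this thread, showing the vulnerable open pattern next to the hardened one in Python, with a constructed victim file standing in for a root-owned target and `demo()` playing both sides.

```python
import os
import tempfile


def unsafe_write(path, data):
    """The classic bug: create-or-truncate with neither O_EXCL nor O_NOFOLLOW.

    If someone has already planted `path` as a symlink, the caller writes
    through it into whatever the link points at, with the caller's privileges.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_write(path, data):
    """Hardened: refuse if anything, a link included, already sits at `path`.

    O_CREAT|O_EXCL fails with EEXIST even when `path` is a dangling symlink,
    and O_NOFOLLOW adds the same refusal for the non-creating case.
    Returns False instead of writing when the name is already taken.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:  # EEXIST (name taken) or ELOOP (symlink in the way)
        return False
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def demo():
    """Constructed scenario: attacker plants a link, victim program writes to it."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(root, "victim.conf")  # stands in for a root-owned file
    planted = os.path.join(root, "app.tmp")     # predictable name the program uses
    original = b"original contents\n"
    payload = b"attacker-controlled\n"

    with open(victim, "wb") as f:
        f.write(original)
    os.symlink(victim, planted)                 # the attacker's move, made in advance

    # Vulnerable program: follows the link and overwrites the victim file.
    unsafe_write(planted, payload)
    with open(victim, "rb") as f:
        clobbered = f.read() == payload

    # Reset the victim and run the hardened program against the same link.
    with open(victim, "wb") as f:
        f.write(original)
    refused = not safe_write(planted, payload)
    with open(victim, "rb") as f:
        intact = f.read() == original

    # What to write in the first place: an unpredictable name from the OS,
    # created with O_EXCL for you.
    fd, fresh = tempfile.mkstemp(dir=root)
    os.close(fd)
    fresh_is_regular = os.path.isfile(fresh) and not os.path.islink(fresh)

    return {"unsafe_clobbered": clobbered, "safe_refused": refused,
            "victim_intact": intact, "mkstemp_is_regular": fresh_is_regular}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want. First, the check in `safe_write` is atomic only because the kernel does it inside `open()`; an `os.path.exists()` test followed by a separate `open()` reopens the race. Second, modern Linux kernels (3.6 and later) ship `fs.protected_symlinks`, which refuses to follow a symlink in a world-writable sticky directory such as `/tmp` when the link's owner is neither the follower nor the directory owner; that removes most of this class on today's systems, but the demo uses a private directory, where the kernel check does not apply, so the bug still reproduces.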
  10. Of course there are unknown exploits by Animats · · Score: 4, Insightful

    The serious attackers don't publicize the ones they develop. They save them for use on worthwhile targets.

    This is why security by patching is fundamentally ineffective against enemies, as opposed to nuisances.

  11. Re:So much for unbiased Slashdot by jadavis · · Score: 5, Insightful

    Slashdotters are hypocrites and hold double-standards.

    You're saying slashdot posters are inconsistent, but they're just different people who all happen to read slashdot. If you want to make a real argument, pick one person and attack their inconsistencies.

    Another example is the political parties. You can't say that Democrats are inconsistent because of this, that, and the other. Democrats are a varied group, and they have many different perspectives and form their arguments in different, often contradictory ways. They just see a common means to their end, and each individual may be 100% consistent. (note: I'm not a democrat, I just used them as an example. This works with any political party that I can think of.)

    Ultimately what you're doing is grouping a variety of people together (slashdot readers) and then attacking the group as a whole for being inconsistent with respect to a separate issue (their perspectives about computer security).

    You can do that to anyone. For example: "Blondes are so inconsistent. First they complain that the environment is being damaged, then the next week they're complaining about too much government regulation." Well, being blonde obviously has nothing to do with the topic, so of course you find inconsistencies in their viewpoint.

    That type of reasoning is very simple-minded. The world is a complicated place with myriad possible groupings of people. Analogies that relate nations, corporations, SIGs, etc. to people often confuse the issue beyond repair. Microsoft isn't a "bully," it's just that the shareholders elect people that are likely to use aggressive business tactics and leverage the monopoly that they have to gain shareholder value. You can't punish MS in any way analogous to punishing a bully, because the shareholders could be long gone by now (however many years it takes to settle an antitrust lawsuit), because it's simply not a person, it's a group. Same with nations, it's a group and should not be personified. Think how much time the media has wasted talking about Bush as though he "doesn't play well with others." Nations are groups, not people.

    --
    Social scientists are inspired by theories; scientists are humbled by facts.
  12. the unknown by maximilln · · Score: 4, Insightful

    This is really the heart of the issue: the unknown exploits. I've often been at the forefront of theorizing about possible vectors for unknown exploits. I'm usually flamed severely for it. The fact of the matter is that these unknown exploits exist and people need to be ready to deal with them.

    If a "bad" hacker comes up with a new root exploit he's not going to e-mail all of the "good" hackers and let them know. He's going to make use of it mercilessly until he's noticed and caught. Microsoft ignores this issue outright and the OSS community tends to skate around it. If the computing public as a whole knew the facts about security then McAfee and Norton wouldn't even be in business. "Updating virus definitions" twice a week is still going to be ten weeks behind the hardcore caffeinated malicious hacker.

    The OSS community has dealt with this issue in the most productive manner possible: complete openness and timely notice. Microsoft, on the other hand, would happily allow millions of users to remain compromised for months or years until their internal programmers manage to find the "unknown local root exploit". This could easily result in identities and credit card numbers stolen, bank accounts infiltrated, and possibly even malicious interference with real life relationships and employers just for fun.

    Should the software manufacturer be liable? No. Should the user be entitled to know? Yes.

    The OSS community is the only solution which addresses this situation correctly.

    --
    +++ATHZ 99:5:80