Slashdot Mirror
More Info on Debian.org Security Breach
mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly uptodate with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."
Here come the comments about the word "boxen..."
(\(\
(=_=) Bani!
(")")
This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach. I think that it would be a good idea for the future to move away from the traditional unix password. An appropriate replacement would be something similar to RSA passphrase mechanism used by secure shell. A random passphrase with a minimum lenght would be idea. The user is the greatest security hole.
AntiRight, download now!
Quote from the article:
"Somehow they got root on klecker and installed
suckit."
What follows is an interesting read - but the guts are in that 'somehow'.
All vendors and site administrators should take note of the openness with which the problem was dealt.
When I go to buy a car, a computer, or a stereo, and the saleslizard is cagey about any problems that come up, my trust level goes down. If they tell me all about all the problems with the thing they're selling before I even notice them, my trust level goes up. It's like a cool drink on a hot summer day.
Contrasting with Debian, how long did it take to find out that Diebold ATMs had been hit by the Nachi worm?
I'm now more inclined to trust Debian, and less inclined to trust Diebold.
sigs, as if you care.
Since Debian (even for those smart ones out there using slackware, like i do) is really considered one of the real distros, if we hear that redhat has been atacked, we would just say that they diserve it and go on, it would be delivered in the respective mail list, and that was it.
But this attack has a psicological impact. Debian itself has been attacked, and it seems to be a bug exploited just in part, on the other side, there are updates that the compromised machines never got aplied, and other big mistakes like a non-tared backup lying arround, with the original owner / permissions mask. This is really more that enough to get any netadmin running Debian to get paranoid.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Off-site logging of all accesses.
One of the first things that get wiped in an intrusion are the logs. All access logs should be copied in as near real-time as possible to a remote server that is not accessible from the machine being logged, i.e. a drop-box.
Ceci n'est pas une signature
Right as I am downloading Debian.
I will check the md5sum.
Anyways Something to be said about passwords.. I am getting sick of passwords.. I have looked at the RSA keychains, But they cost too much.
So I ask are there any good one time password systems out there. That are opensource.. I have looked at going with smart cards but again with the money. (not to mention overkill for me)
I have found a few but none with a keychain.. I don't mind paying for a keychain, but I want the software to be opensource.
This was both user and admin stupidity I guess. Admins who care about security shouldn't permit access through cleartext passwords and users shouldn't send their password in cleartext if they care about their account. Unfortunately many users don't know about this risk.
Once an infiltrator is in a machine, it is often just a matter of time before he acquires root access - unless monitoring or disablement are standard procedure.
Depending on the power of the box and the time from which the lower-level account was compromized, it could just be that a password-cracking procedure gained root access. Of course, it's also possible that the attacker managed to nab control of a process running as root, but again the initial compromise still required cracking a password to gain access to the machine.
First rule, secure your passwords... and it's probably not a bad idea to use a password cracklib to ensure that any semi-privileged (can SSH) users have somewhat secure passwords as well.
Not really, just thought it needed to be said.
Install windows. You'll never have to wonder if your system is being compromised, you'll know it is.
Oh, and "password" is not really a "password".
You moved your mouse. Please restart Windows for changes to take effect.
When has windowsupdate ever been compromised?
Windows Update is served by Akamai ie Linux.
Now what was your point ?
I worked at Microsoft, so Microsoft's list is my frame of reference:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Since Linux has no use for hidden files, registry, active directory, complicated booting procecdures and other useless features that come standard with Windows - I see no point getting worked up about these so-called Security Warnings.
99% of Slashdot readers, I believe, treat viruses, worms and other 'security' attacks as a NUISANCE rather than a PRIVACY hazard. A Service Pack or bug fix a week for Windows merely highlights the fact that data privacy on a 'personal' computer is a joke. The nuisance of reinstalling the Windows OS from CD, and reinstalling each and every app with the zillions of settings OR buying expensive, uunreliable 3rd party s/w for disaster recovery can be intolerable.
With Linux, OTOH, simple tools exist that can take backups of disk data (not disk images, just the files), AFTRER installing the apps. A simple restore of these files gets the system back, with all settings and screen-savers intact.
To sum up, 99% of Slashdot readers do not need to care about these security risks, if they choose Linux for their personal or office systems.Those with Windows - a switch to Linux is cheaper than anti-virus s/w PLUS OS cost PLUS frequent updates PLUS frequent reinstalls PLUS loss of data PLUS nuisance.
-
If you keep throwing chairs, one day you'll break windows....
SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done. I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!
SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done.
I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!
Law #1: If Bill can persuade you to run his program on your computer, it's not your computer anymore.
The root of the problem is with the root account.
SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done.
I would think that it's time for the big players like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines.
It's being incorporated into the stock kernel for a reason. Use it!
So that means Monica Lewinski wrote the Suckit rootkit?
Manipulate the moderator system! Mod someone as "overrated" today.
Quote: "All the compromised machines were running recent kernels[1] and were
up-to-date with almost all security updates[2]."
Well, it seems that 'almost' just isn't good enough. Perhaps there is more to the break in (like unknown holes)?
Sniffing passwords? They must be using 'almost patched' version of SSHd.
I like how when debian's servers are cracked they tell you about it and furthermore, remind you again later with the details. If a similar thing happened with Microsoft it would be hushed down and certainly no details about it would be publicized later. Come to think of it, even a commercial Linux company like Red Hat might be weary in dealing with a similar issue as well -- I think they'd be likely to be open about it, but you never know what's going to happen when money and stock prices are involved.
Im sure glad my network runs on Windows!
Manipulate the moderator system! Mod someone as "overrated" today.
clearly this is the work of a DX fan. (wwf reference)
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Certainly the distinction is useful to security students and analysts, but it's misleading for everybody else. "Oh, that one's just a local exploit; not so bad." The OpenBSD advocates promote the fallacy: "only one remote exploit in this millennium!" (or something like that), encouraging us to ignore almost equally damaging exploits in non-core services that provide access to local accounts and more damaging attacks.
There's a similar fallacy in distinguishing security holes from other bugs. Without a depth of analysis that hardly anybody can ever afford, almost any bug might actually be a security hole, too. The OpenBSD people get this one right -- to them, any bug is a security hole until proven otherwise, and they encourage running latest versions -- but almost everybody else gets it wrong. When I fixed a double-free segfault in lib[mumble], nobody posted security warnings about every program that relies on it. despite that double-free bugs can often be exploited.
Debian gets this wrong, and very selectively backports only proven security holes, ignoring the myriad bugfixes that might just as easily be security holes as well. To find holes in stable-branch services, just look for bug fixes in later versions, particularly in libraries used by those services. Failing that, look at new features added shortly before the library-version used. Chances are the last new feature added has bugs that haven't been noted yet, and that might be exploitable.
This might be a good place to mention that the CVS codebase is almost irreparably insecure. The practical implications are: (1) A remotely-accessible CVS server should never be run on a host that does anything else that matters, or that has access to anything else; (2) An anonymous CVS server should never be the same CVS server that is used for checkins, or even run on the same machine. The pserver should be a slave that only gets read access to a copy of the archive. (3) Checkins on remotely-accessible servers should result in patches logged to another archive kept on another, not-remotely-accessible machine. Patches from that server should be posted to the mailing list.
Just out of curriousity, how much logging data would servers like the ones in question produce per day/week/month? It's got to be quite a bit with all the various packages like an httpd, ftpd, MTA and all the typical syslog data.
they merely offer proxy/caching services to microsoft
True, I should have made my point better.
There are many OS's involved in the windowsupdate chain.
I read somewhere Akamia uses quite a variety including BSDs, Linux etc. Who knows what MS actually uses.
So compromising windows update might be achieved without cracking a Windows box.
Huge diffrence.
You still need a local account to make use of a local root exploit.
You don't for remote root exploits.
Remote root exploits can be used in worms, local (for the most part) cannot.
Not to say that local root exploits should be overlooked, especially when they seem realtivly simple to create (e.g., bad symlinks)
Besides, this is supposedly an *UNKNOWN* local root exploit..
Browse at -1, because trolls are often the most creative part of
This is why security by patching is fundamentally ineffective against enemies, as opposed to nusances.
As long as a machine is connected to the internet there is going to be a method to compromise it. My question is this why Debian? They are the only Linux distribution that is truly built by volunteers to gain any mindshare of real note. (not sure about slack so please dont sick bob dobs on me) This is not imhop the work of rank amatuer crackers with there first root kit. These were servers being run by experienced admins using a distro known for stability which when patched and up to date usually means somewhat difficult to hack. I seriously doubt these guys were running winders attempting this either. Wtf is happening to the community when people with talent are attacking a distro that yet again imhop doesnt suck. These guys need to be found and buried. Not by the police but by the commmunity. Last but not least (places tinfoil hat on head) could this have been funded by M$ trying to discredit linux. I cant see the glory angle so its got to be money or power. (no glory in getting called a dick when you tell your friends what you did)
Panel F, Relay #70
Can someone who's familiar with system administration on those debian boxes clarify the above statement? Have they disabled LDAP accounts or was it implied that they're going to set up authentication with a ldap backend in the future. If it's the latter then I'm curious as to how having ldap in the equation would have made cracking those system accounts harder.
That Windows can't fill in for Linux on extremly high-bandwidth servers? ( those patches aren't small )
Browse at -1, because trolls are often the most creative part of
Not only isn't Akamai just a proxy/cache server, they just hold signed files. If someone managed to hijack/compromise those, the downloaded updates would not verify on the user's machine, so it's pretty much a void argument.
Soviet Russia, 6 5 4 3 2 1
I have dealt with this rootkit for nearly 4 months when it first appeared. The fairly safe methods for avoiding this is by 3 steps which I have used and it works well since then.
/tmp to it own partition and set it as noexec, nosuid and give it plenty of space, around 200 to 500 megs for it.
Move the
Patch the kernel with either Grsecurity or Openwall Patch on 2.4.22 kernel and set it as mononthlic kernel, not modular with no open hooks for adding additional modules.
Then I installed the suphp module for PHP to run scripts as users instead of nobody, especially when people trying to exploit it. I get it at www.suphp.org and it works extremely well. Since the changes, I haven't seen any rootkits being successfully implemented on the servers I admin. And note the fact that I manages over 260 servers for various clients points to the track records.
-- Amazing how the Internet still humms along.... -- Dispite all the flaws of Micro$oft in their software!
So, what's going on here? Are these simply two unrelated attacks? Is it an attempt by an immature highschooler with some cracking talent to boast to his friends "LOL 1 hax0rred debian.org!?" Is it an attempt by some sort of anti-Linux commandoes to undermine Linux's public image? I almost suspect the latter, but the prime suspect there is Microsoft, who have far too much to lose by going that route and plenty of money for traditional FUD that will make it into "traditional" news channels better anyway. SCO might be crazy enough to do it, but they probably wouldn't want to divert resources away from spewing lawsuits at everyone in existence.
From what I understand of the cracker community, Linux is held in fairly high regard (although I admit I don't try to keep up on the latest in the cracker community). You'd think that black-hats, who tend to be rather immature, when armed with a brand new exploit, would attack a site seen by the general public and post goatse.cx images on the front page, rather than subtly changing Debian packages. So, who's behind all this?
That's it. I'm no longer part of Team Sanity.
SkyNet - the userless system. Self cleanning user base. No passwords needed. "cut out" he he.....
I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
the Debian mess is actually more like Microsoft's Windowsupdate, Officeupdate, and MSDN servers all getting rooted at once. Akamai uses Window servers too, as a heterogeneous network is more resistant to this kind of attack. If the root attack that was used is portable across architectures (and there's only circumstantial evidence that it's not) then Debian is doing users a disservice by not running a heterogeneous network.
Given the resources, the Debian admins should run OpenBSD and Windows 2003 machines alongside the (evidently insecure) Debian servers.
To be fair, not even the technical consultant types and the security "experts" get it right all the time. The real world is very, very different from the edges of theory.
Furthermore, just because someone has "at most" a degree in English doesn't mean fresh insight hasn't been exposed. Narrow-minded elitism gets us nowhere.
Until the next announcement comes out, further explaining the possible motives and more on how they exploited the system from an unprivileged account.
This is like a soap opera!! =)
P.S. I don't like soap operas, but if they had one about this, I might just have to quit my day job.
It is pitch black. You are likely to be eaten by a grue.
You can figure out for yourself what I do if C: gets hosed. Hint: getting back to pre-disaster condition is just time-consuming.
I will say that getting back to pre-disaster condition from backup tape a few years back was an. . . adventure.
Tech Public Policy stuff
I use phrase passwords. Pick two or three words. Add a symbol in there or two, and bam! secure password. Like 'bat.fart!smith?'
Okay, I read the article and it said that at least one machine was at a remote location that couldn't be accessed - can anyone tell me what kind of physical setup debian project uses? I always get the impression that they're based out of some dude's dorm or basement, like in this OpenBSD image. Do they have any physical security measures at all around their boxes?
They said the password was sniffed.
Try to shunt this off to a "weak password" all you want, but let's face facts here. A beloved Linux network was clobbered.
Yes, Virgina, Linux is not invincible. You have rootkits and exploits too. Just see Linuxsecurity sometime.
And, yes, it makes all the Linux loonies who rail on about Microsoft insecurities look like religious hypocrites.
Karma Bonus unchecked, because I don't expect this to be well-received by biased moderators.
Look at all the posts...excuses and rationalizations. "Well, this serves as an example of weak passwords" or "non-root privileges," etc.
You never see that level of rational explanation when it comes to a user-transmitted e-mail Outlook worm. In fact, in those cases it magically becomes a "Microsoft hole," even though it's users running the executable!
I know this won't be well-recevied, so Karma Bonus is unchecked accordingly. Nonetheless, it's my opinion and I believe it. Slashdotters are hypocrites and hold double-standards.
Here are two useful utilities to flush out the SucKIT rootkit:
Kernel Security Therapy Anti-Trolls
and
Kernel Security Checker
Have a nice day !
Muchas Gracias, Señor Edward Snowden !
There are people with lots of money who want to see Linux taken down. Not everyone shares your ideals.
autopr0n is like, down and stuff.
"somehow they got root" isn't very informative.
Teacher: "Erwin, what is the plural for Ox?"
Erwin: "Oxen. The farmer used his oxen."
Teacher: "Brian!"
Brian: "Whaaaat?"
Teacher: "What's the plural for Box?"
Brian: "Boxen. I bought two boxen of doughnuts."
Teacher: "No, Brian, you're an idiot."
Teacher: "Let's try another one. Erwin, what's the plural for goose?"
Erwin: "Geese. I saw a flock of geese."
Teacher: "Brian!"
Brian: "Whaaaat?
Teacher: "Brian, what's the plural for Moose?"
Brian: "Moosen! I saw a flock of moosen! There... there were many of them. Many much of them. Many much moosen. They were out in the woods... in the woodsen! They were eating grass... greese! The meese were eating greese in the woodsen! They were looking for the foodis to eatinisit! out in the woodingenis... in the woodenis... in the woodingenisenisen!
Teacher: "Brian, you're an imbecile."
Brian: "Imbecilen!"
it's a sad thing that everyone seems to be so confident in their latest super secure linux setup, the power of fast and often patched open source software or the openess in such issues - so much that nobody takes these problems serious enough.
for every exploit known (and fixed) publically you can bet there are two yet undisclosed and maybe in the hands of the wrong people...
concepts like public key crypto (ssh, ssl), stack guarding (say no to buffer overflows) or process jail (try to escalate privileges from there) are thus essential to implement real security. still ease of setup or performance seems to be more important than safe networking.
perhaps the big desaster has to happen before people understand that projects like openbsd or selinux are not your tinfoil-hat wearing neighbor's business but the only serious choice for any public, responsible service provider.
Hoy sh*t, never thought of that, but you're absolutely right. Good thing you have 2 eyes, not?
When someone mentions retina scanning as an authentication mechanism, i'm always reminded of the movie 'Demolition Man', and for palm/fingerprint scanning, of the 'Inquisitor' episode of Red Dwarf.
Palm scanning only proves you have the hand of someone allowed to access a system.
Retina scanning only proves you have the eyeball of someone allowed to access a system.
Hmm... maybe SELinux would have stopped this? Doesn't it prevent hooking into system routines? If so, then it's a great excuse to see better SELinux support in debian :)
Palm scanning only proves you have the hand of someone allowed to access a system. Retina scanning only proves you have the eyeball of someone allowed to access a system.
Well, the manufacturers of palm/retina scanners generally do include a feature that detects if the bodypart being scanned has a pulse. So you can't fool these scanners just by cutting off someone's hand or ripping out their eyeball. (Although it might be possible to manufacture fake contact lenses or glue-on fingerprints that would work.)
On the other hand, the basic weakness is that the biometric signature is still just a big password. You can "sniff" the signature by installing a fake reader. You can steal the signature off the harddrive of the domain controller. You can bypass the reader by splicing the wire. And your "password" is the same for every site.
Bottom line: I would sooner trust a token card.
-a
I have dealt with this rootkit for nearly 4 months when it first appeared ...you forgot to post as AC. FBI is on the way.
“Wait for Hurd if you want something real” –Linus
There were quite a lot of similiar reports from the folks all aronud at that time
My big hairy conspiracy theory would be in the line of super zonda type of organization hiring some of the most skilled crackers and r00ting the boxen all around ... for spamming, ddosing or whatever ... welcome to the Wild Wild Net.
Two questions:
#1: Has anyone ever proved that implementing any definite number of 'laws' or software conditions can actually add up to security (not crackable except by obtaining/compromising a root password or signature)? If this hasn't been proved, the whole concept of software security itself may be an exaggeration.
#2: What about hardware security? Under current conditions, it might be progressive to reduce the security risks so that any exploit would depend on physical access. If the answer to #1 is 'yes', then security can be implemented by passwords or signatures but it looks like the security of a combination lock. Do we have any computer software security based on a lock that requires a physical key -- (maybe a physical key, or key-guarded switch, that did something like switch an area of memory from writeable to hard-wired non-writeable)? If we do, is it available for use in a crucial installation like a debian server? If we don't, why not?
An attacker who has access to unpublic local root exploits probably won't use a public kiddie-rootkit like Suckit.
And I hardly believe that an experienced cracker would backdoor the boxes in such an uncareful manner. Weird..
'Filtered' means that the port is blocked by the firewall, as opposed to closed ports which can be reached through the firewall but have nothing listening on it.
Rule #1: Don't plug it in.
I've a couple of questions on this.
There was a comment in the origanal posting that remote SSH keys may be compromised if authentication forwarding was used ? Can anyone explain why that might be ?
Also, isn't anyone worried that the only reason the root kit was discovered is because *two* machines were oopsing. ?
Um, someone needs to tell that to the manufacturers.
I can't find a reference at the moment, but there was a nice report recently by someone who has been playing with fooling fingerprint scanners for a long time that the cost of tricking one is now about $20 and 15 minutes, no clever expertise needed. I've been meaning to try it out - the only thing I'm lacking is a fingerprint scanner. In any case, apparently, nobody looks for a pulse on commonly used hardware.
For methods, see google.
I forget what 8 was for.
Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures.
So if we run Linux on Sparc, and Solaris on x86, we're safe!
Proprietary OSes will ultimately be left behind Open Source OSes in terms of security for the following reason. In the fight against proprietary OS's such as Microshaft's, there is a big propaganda war with both sides saying "Look, your OS is insecure". Both OS's will have security holes discovered, and hopefully fixed, from time to time. That is a fact we have to live with. The rate at which they are discovered and fixed is roughly proportional to the number of people actively investigating holes in the OS (ignoring the fact that there might be other, political reasons to look for security holes one OS rather than another). However as time goes on, we should expect the number of users of Debian (and GNU/Linux in general) to increase, hence the number of people discovering and fixing security holes will go up in proportion. This is the 'many eyeballs' effect. this will lead to GNU/Linux becoming ultimately very secure. In contrast the number of people actively looking for security holes in, say windows, is proportional to the amount of money their perpetraitors (sic) are willing to spend in this task. This does not go up in proportion to the number of users. In fact as competition pushes prices down for proprietary offerings, the perpetrators find they have progressively _less_ money to spend on looking for security holes. Ultimately they will get left behind. So we should see that Open Source OSes such as GNU/Linux will become more and more secure at a rate which accelerates much faster than for proprietary OSes. At the moment, we have one OS which is used by 95% of the world's desktops, and scores fairly low on security (although it is improving). On the other hand, we have GNU/Linux which is used on something like 2% of the world's desktops (more on servers), and scores fairly high on security (although it's not perfect). So from this small user-base, we have already benefitted from the 'many eyeballs' effect of Open Source to gain an advantage over the competition in this respect. This advantage can only accelerate, for the reasons I have outlined above. Ultimately we should expect to see Open Source winning on all fronts in terms of reliability, functionality and security. It will never be perfect and there will always be crackers trying to spoil the party, but it will be a lot better than today's situation. We just need to work hard to make this happen sooner rather than later, as it will be a long haul...........
43 - For those who require slightly more than the answer to life, the universe and everything.
Everybody here is talking about an unknown exploit in Debian. What I haven't seen is a discussion on the probability that this might affect other distros too. Is it Debian specific, or Linux, or even UNIX (based on an app) specific? Let's not be complacent here.
that was in the lastest cryptogram by bruce schneider
I know slashdot is almost a java free zone but:
With java
-There are mo buffer over runs or memory allocation issues, but then
-There may be bugs in the java implementation. -Cleartext passwords would still be a problem if the app is not written with security in mind.
Deep problems do not go away, but java solves/automates the solution to many shallow problems.
Be Free: Free Software Tuition
BTW, there's not 'd' in his name.
I forget what 8 was for.
This is really the heart of the issue: the unknown exploits. I've often been at the forefront of theorizing about possible vectors for unknown exploits. I'm usually flamed severely for it. The fact of the matter is that these unknown exploits exist and people need to be ready to deal with them.
If a "bad" hacker comes up with a new root exploit he's not going to e-mail all of the "good" hackers and let them know. He's going to make use of it mercilessly until he's noticed and caught. Microsoft ignores this issue outright and the OSS community tends to skate around it. If the computing public as a whole knew the facts about security then McAfee and Norton wouldn't even be in business. "Updating virus definitions" twice a week is still going to be ten weeks behind the hardcore caffeinated malicious hacker.
The OSS community has dealt with this issue in the most productive manner possible: complete openness and timely notice. Microsoft, on the other hand, would happily allow millions of users to remain compromised for months or years until their internal programmers manage to find the "unknown local root exploit". This could easily result in identities and credit card numbers stolen, bank accounts infiltrated, and possibly even malicious interference with real life relationships and employers just for fun.
Should the software manufacturer be liable? No. Should the user be entitled to know? Yes.
The OSS community is the only solution which addresses this situation correctly.
+++ATHZ 99:5:80
take a look at the time of the attacks.
The attacker stoped at 19:00h and started back at 5:00h.
Now from this time, and assuming the attacker is like most computer guys I know, he would sleep around 2-3 AM, and wake up around 11-12.
This would place the attacker at 6-8+ GMT hours.
that is, in china, Mongolia, Rusia or Indonesia.
I sure hope no one uses remote machines for development, unless they need to test build on say a remote machine like a mac/sparc. Not everyone owns their own G5s and SunBlades, but more than likely you own the arch you develop for or have it in a lab at work/school.
Hence even if the system was otherwise totally secure accidents happen. A bit like driving safely but someone stepping out from behind a van at the very last second. One careless moment is all it takes.
I don't know how long a bar code can be but if you are in need of a longer password you can always require multiple codes.
Yes people can steal your phone but at least that can be protected by a simple PIN that can't be sniffed.
Of course your phone may be insecure if it has Bluetooth:-)
If you're trying to disagree with something, I think you quoted the wrong part of my message. I only said that *dead* bodyparts can't be used to fool the scanner. I haven't read the latest issue of crypto-gram (have to be on the list to see it), but I take it from context that that's not what you meant.
-a
Here's why
You go in through the easiest system you can that has people that use the target or use something that is a step on the way to the target.
Once you have the ability to use suckit or other ways to compromise SSH on any machine you hace access to the next machine along.
Eventually if you are quiet and patient you will get somewhere interesting.
So who is secure?
Programming can be fun again. Film at 11.
I _want_ to play with this stuff, but don't currently have the tools. I'm not likely to have dead body parts sitting around, so I suppose I can't provide a comprehensive answer. All I was getting at was that refactored horse hooves apparently are good, in the minds of current, state of the art scanners, when said refactored hooves are used to fool said scanner by someone with access to Google, access to a grocery store, access to a hardware store , and a motive.
Finding a pulse via software shouldn't be that hard. However, trusting biometrics is not the same thing.
That's all I was getting at.
I forget what 8 was for.
One would hope so, but the evidence isn't as promising.
Search 2010 Gen Con events
A debian developer (who I'm not going to name but it's not exactly a secret) revealed his password by logging into some machine that had been rooted. Shame on him for using the same password, and the Debian project for not policing that kind of thing. (That said, people do this all the time, even people who do/ought to know better.)
The password 'sniffing' being referenced is not sniffing network packets but rather session IO. If you read the 'developer cleanup' instructions it will be clear that they beleive that the 4 dev boxes that were rooted were being used to collect account and password info from developer's sessions. (Another procedure error, the systems in question probably should not be allowing users with shell access to ssh out to other machines.)
There has been a LOT of speculation that there's a privilege-escalation vulnerability in the kernel version running on the target systems and/or up to the 2.4.22 kernel (I'm dubious, however 2.4.23 has just been released today so who knows).
As many here and elsewhere have wondered, it seems unlikely that a 'kiddie would have access to somthing not yet observed in the wild, and if this is the work of more capable 'bad guys' then it seems equally unlikely that they would have been so noisy as to have been caught in less than a day.
Leaving us really not knowing much about the state of either debian or the kernel at this time. I certainly hope that a more complete complete 'explantaion' will be coming, hopefully soon.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Strange that Microsoft would admit this, in light of Longhorn and how many people believe Bill Gates is a bad guy.
I'm an American. I love this country and the freedoms that we used to have.
but why crack Debian in the first place? here I am stumped, but then I've never fully understood the cracker mentality.
It's called poisoning the well. Now, if you suddenly have a big host of infected computers running a compromised Debian, you got one damn nice Botnet, either for getting data from those, DDoS, platform for other attacks, or just general havoc. In particular I imagine many Debian boxes are connected to fat pipes they'd like, not throttled cable/dsl residential Windows-boxes.
Kjella
Live today, because you never know what tomorrow brings
Our Linux firewall was compromised a while ago. The attacker apparently used a samba exploit to break in (RedHat 9.0 with patches installed) and then tried a bunch of sendmail, NFS and samba exploits on other machines. Its not clear how he got root access but it seems he replaced some libraries with a few extra routines. After becoming root, he replaced all files in /bin and tried many exploits on the win2000 servers.
We were lucky not to have been hit hard, but the scare made us replace the Linux with an OpenBSD firewall with tightly configured ipf and snort. In the proceeding days, we logged attempted telnets and ssh from 3 different IPs 2 in korean primary schools, 1 from a chinese telecommunication company. (APNIC)
So the RedHat has been moved to be an internal server and we're careful about packet filtering now. Theres a finer level of permissions control all over the place and all services run as nonroot users, some in jails.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
So nothing special about that break-in. In long time run such incidents must happen on any machine with publicly available accounts.
When in doubt, go to the library. - Ron Weasley in Harry Potter and the Chamber of Secrets
Why Java? Why not python?
No, seriously. C/C++ is great for local apps and kernels, but for world-facing servers isn't managed code a good idea?
Of course, we could also begin working on some general-purpose security "modules" and make them availed to everyone. Plus the servers would now be multiplatform almost by accident, and be Free software in every sense.
Generalizations are essential to thought. It allows us to analyse things, percieve patterns, judge new things and make decisions. At the end of the day, you can never really be absolutely specific, all you can do is adjust your level of generalization. You simply can't analyse or discuss large scale things without using generalizations. That being the case, you'd be a fool to discard a statement just because it's a generalization.
The simple-minded thing is when you can't communicate with someone about things without nit-picking over exceptions instead of just accepting their comment as being a trend/pattern/norm/whatever and not an absolute.
-1 Uncomfortable Truth
This gives a whole new meaning to "Identity Theft"
A debian developer (who I'm not going to name but it's not exactly a secret) revealed his password by logging into some machine that had been rooted. Shame on him for using the same password, and the Debian project for not policing that kind of thing. (That said, people do this all the time, even people who do/ought to know better.)
I'm going to have to beat into all the distro maintainers. Your servers should adopt OPIE one-time passwords. Failing that, enforce keypair authentication with your users. Put it right into your ssh_config. Force it. I recently engaged in a pro/con discussion of OPIE v. keypair authentication with another unix sysadmin. OPIE, by design, doesn't store the passphrase on either local or remote hosts. If you a rooted/keystroke logger on a connecting client, the password will not get them access after 30 seconds or so (depends on your OPIE config timeouts...) OPIE removes the possibility of keypairs being stolen. I do believe there is still a serious vulnerability to keystroke loggers capturing your OPIE passphrase, if entered on a compromised host. But this removes the possibility of a user's password being discovered with the easier methods.
You could always encourage folks to run their opie calculator on their cell-phone/pda, instead of a host directly attached to a network. (Are people hacking into your mobile yet?) No way to enforce that via policy though.
OPIE provides a one-time password system for POSIX-compliant UNIX-like operating systems. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software. The NRL OPIE software is derived in part from and is backwards compatible with the Bell Communications Research (Bellcore) S/Key(TM) Version 1 Software Distribution. Because Bellcore claims "S/Key" as a trademark for their software, NRL has been forced to use a different name (they picked "OPIE") for its software distribution.
Anyone seen my low uid? last seen 10 years ago while panning the #@$# out of Taco's 'web based discussion system'
Our server has been hacked twice in a 3 weeks time :
:
:
:
x fe\x84f\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1 \xfd\xfe\x84f\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x 82\xe1\xfd\xfe\x84f" 501 - "-" "-"f e\x84f\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\ xfd\xfe\x84f\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x8 2\xe1\xfd\xfe\x84f
at first we had a redhat70 fully patched and up to date. we never managed to find how
1) he got in
2) he got root
he installed 3/4 rootkits and defaced all our html with a javascript/iframe pointing to http://viprating.com/rate and http://viprating.com/counter
there, tripwire saved my life!
neverless, we reinstalled every thing with a debian woody.
3 weeks later (4 days ago), the (same?) hacker broke in using
1) an apache 1.3.26 shellcode which attempted to install linux.JAC virus from http://www.infosmolensk.ru/c [217.107.188.155] (beware! virus!), apparently failed to run
The logs showed some shellcodes, followed by a wget
2) second apache 1.3.26 shellcode followed by an unknown root exploit
The logs showed some shellcodes, but no command output
Then he installed suckit rootkit, and defaced all our html with a javascript/iframe pointing to http://viprating.com/rate and http://viprating.com/counter
I found the attack came from a russian site, http://www.infosmolensk.ru [217.107.188.155], as a saw several established connections from this IP to our port 80 with apache stopped...
Yesterday, he tried once again, but hopefully apache 1.3.29 behaved better
access_log: 217.107.188.155 - - [27/Nov/2003:08:00:02 +0100] "\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd\
error_log: [Thu Nov 27 08:00:02 2003] [error] [client 217.107.188.155] Invalid method in request \x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd\x
I hope this exploit will be found 'cause we updated apache and put a kernel without LKM, but could not find the exploit!!!
Maybe the same exploit was used against the redhat... which means it might not be debian-specific!
Once sure thing : it is the same hacker, cause the defacing was the same
La paresse est l'habitude prise de se reposer avant la fatigue
Of course there seems to be no better way to grab the ire of todays average crop of open / free software developers than to suggest that anything other than ssh is the correct solution to a problem.
In this instance to the best of our knowlege enforcing the use of cleartext protocols with encrypted authentication could have helped prevent the situation (e.g. as you say opie/skey over telnet or kerberized rlogin)
Additionally iff development work had been done over plaintext then all developer sessions could have been captured with snort/tcpdump and then the methods used by the miscreants would be accessible.
Of course your better class of miscreant is going to recognize this, but that's just part of the game.
It's a pretty sad thing that we're left with such a dilemma, I'm sorry to see it happen to the Debian project, simply because so many folks rely on it. Talk about putting the whole community on the horns of a dilemma (quadrilemma?):
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD