Slashdot Mirror
More Info on Debian.org Security Breach
mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly uptodate with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."
Here come the comments about the word "boxen..."
(\(\
(=_=) Bani!
(")")
This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach. I think that it would be a good idea for the future to move away from the traditional unix password. An appropriate replacement would be something similar to RSA passphrase mechanism used by secure shell. A random passphrase with a minimum lenght would be idea. The user is the greatest security hole.
AntiRight, download now!
Quote from the article:
"Somehow they got root on klecker and installed
suckit."
What follows is an interesting read - but the guts are in that 'somehow'.
All vendors and site administrators should take note of the openness with which the problem was dealt.
When I go to buy a car, a computer, or a stereo, and the saleslizard is cagey about any problems that come up, my trust level goes down. If they tell me all about all the problems with the thing they're selling before I even notice them, my trust level goes up. It's like a cool drink on a hot summer day.
Contrasting with Debian, how long did it take to find out that Diebold ATMs had been hit by the Nachi worm?
I'm now more inclined to trust Debian, and less inclined to trust Diebold.
sigs, as if you care.
Since Debian (even for those smart ones out there using slackware, like i do) is really considered one of the real distros, if we hear that redhat has been atacked, we would just say that they diserve it and go on, it would be delivered in the respective mail list, and that was it.
But this attack has a psicological impact. Debian itself has been attacked, and it seems to be a bug exploited just in part, on the other side, there are updates that the compromised machines never got aplied, and other big mistakes like a non-tared backup lying arround, with the original owner / permissions mask. This is really more that enough to get any netadmin running Debian to get paranoid.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Off-site logging of all accesses.
One of the first things that get wiped in an intrusion are the logs. All access logs should be copied in as near real-time as possible to a remote server that is not accessible from the machine being logged, i.e. a drop-box.
Ceci n'est pas une signature
This was both user and admin stupidity I guess. Admins who care about security shouldn't permit access through cleartext passwords and users shouldn't send their password in cleartext if they care about their account. Unfortunately many users don't know about this risk.
Once an infiltrator is in a machine, it is often just a matter of time before he acquires root access - unless monitoring or disablement are standard procedure.
Depending on the power of the box and the time from which the lower-level account was compromized, it could just be that a password-cracking procedure gained root access. Of course, it's also possible that the attacker managed to nab control of a process running as root, but again the initial compromise still required cracking a password to gain access to the machine.
First rule, secure your passwords... and it's probably not a bad idea to use a password cracklib to ensure that any semi-privileged (can SSH) users have somewhat secure passwords as well.
Install windows. You'll never have to wonder if your system is being compromised, you'll know it is.
Oh, and "password" is not really a "password".
You moved your mouse. Please restart Windows for changes to take effect.
I worked at Microsoft, so Microsoft's list is my frame of reference:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Since Linux has no use for hidden files, registry, active directory, complicated booting procecdures and other useless features that come standard with Windows - I see no point getting worked up about these so-called Security Warnings.
99% of Slashdot readers, I believe, treat viruses, worms and other 'security' attacks as a NUISANCE rather than a PRIVACY hazard. A Service Pack or bug fix a week for Windows merely highlights the fact that data privacy on a 'personal' computer is a joke. The nuisance of reinstalling the Windows OS from CD, and reinstalling each and every app with the zillions of settings OR buying expensive, uunreliable 3rd party s/w for disaster recovery can be intolerable.
With Linux, OTOH, simple tools exist that can take backups of disk data (not disk images, just the files), AFTRER installing the apps. A simple restore of these files gets the system back, with all settings and screen-savers intact.
To sum up, 99% of Slashdot readers do not need to care about these security risks, if they choose Linux for their personal or office systems.Those with Windows - a switch to Linux is cheaper than anti-virus s/w PLUS OS cost PLUS frequent updates PLUS frequent reinstalls PLUS loss of data PLUS nuisance.
-
If you keep throwing chairs, one day you'll break windows....
SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done.
I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!
Law #1: If Bill can persuade you to run his program on your computer, it's not your computer anymore.
Probably the closest you'll get to a "good" system would be something like S/Key or Opie (debian packages: opie-server, opie-client, libpam-opie - Use OTP's for PAM authentication) for generating and using a one-time-pad of password systems. The issue in this is that you must generate the pad in some secure fashion, if someone sniffs your pad because you downloaded it over the network, you've lost.
You could easily keep a pre-generated giant pad itself on a usb drive or something similar.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Quote: "All the compromised machines were running recent kernels[1] and were
up-to-date with almost all security updates[2]."
Well, it seems that 'almost' just isn't good enough. Perhaps there is more to the break in (like unknown holes)?
Sniffing passwords? They must be using 'almost patched' version of SSHd.
Im sure glad my network runs on Windows!
Manipulate the moderator system! Mod someone as "overrated" today.
Certainly the distinction is useful to security students and analysts, but it's misleading for everybody else. "Oh, that one's just a local exploit; not so bad." The OpenBSD advocates promote the fallacy: "only one remote exploit in this millennium!" (or something like that), encouraging us to ignore almost equally damaging exploits in non-core services that provide access to local accounts and more damaging attacks.
There's a similar fallacy in distinguishing security holes from other bugs. Without a depth of analysis that hardly anybody can ever afford, almost any bug might actually be a security hole, too. The OpenBSD people get this one right -- to them, any bug is a security hole until proven otherwise, and they encourage running latest versions -- but almost everybody else gets it wrong. When I fixed a double-free segfault in lib[mumble], nobody posted security warnings about every program that relies on it. despite that double-free bugs can often be exploited.
Debian gets this wrong, and very selectively backports only proven security holes, ignoring the myriad bugfixes that might just as easily be security holes as well. To find holes in stable-branch services, just look for bug fixes in later versions, particularly in libraries used by those services. Failing that, look at new features added shortly before the library-version used. Chances are the last new feature added has bugs that haven't been noted yet, and that might be exploitable.
This might be a good place to mention that the CVS codebase is almost irreparably insecure. The practical implications are: (1) A remotely-accessible CVS server should never be run on a host that does anything else that matters, or that has access to anything else; (2) An anonymous CVS server should never be the same CVS server that is used for checkins, or even run on the same machine. The pserver should be a slave that only gets read access to a copy of the archive. (3) Checkins on remotely-accessible servers should result in patches logged to another archive kept on another, not-remotely-accessible machine. Patches from that server should be posted to the mailing list.
Huge diffrence.
You still need a local account to make use of a local root exploit.
You don't for remote root exploits.
Remote root exploits can be used in worms, local (for the most part) cannot.
Not to say that local root exploits should be overlooked, especially when they seem realtivly simple to create (e.g., bad symlinks)
Besides, this is supposedly an *UNKNOWN* local root exploit..
Browse at -1, because trolls are often the most creative part of
This is why security by patching is fundamentally ineffective against enemies, as opposed to nusances.
As long as a machine is connected to the internet there is going to be a method to compromise it. My question is this why Debian? They are the only Linux distribution that is truly built by volunteers to gain any mindshare of real note. (not sure about slack so please dont sick bob dobs on me) This is not imhop the work of rank amatuer crackers with there first root kit. These were servers being run by experienced admins using a distro known for stability which when patched and up to date usually means somewhat difficult to hack. I seriously doubt these guys were running winders attempting this either. Wtf is happening to the community when people with talent are attacking a distro that yet again imhop doesnt suck. These guys need to be found and buried. Not by the police but by the commmunity. Last but not least (places tinfoil hat on head) could this have been funded by M$ trying to discredit linux. I cant see the glory angle so its got to be money or power. (no glory in getting called a dick when you tell your friends what you did)
Panel F, Relay #70
Can someone who's familiar with system administration on those debian boxes clarify the above statement? Have they disabled LDAP accounts or was it implied that they're going to set up authentication with a ldap backend in the future. If it's the latter then I'm curious as to how having ldap in the equation would have made cracking those system accounts harder.
I have dealt with this rootkit for nearly 4 months when it first appeared. The fairly safe methods for avoiding this is by 3 steps which I have used and it works well since then.
/tmp to it own partition and set it as noexec, nosuid and give it plenty of space, around 200 to 500 megs for it.
Move the
Patch the kernel with either Grsecurity or Openwall Patch on 2.4.22 kernel and set it as mononthlic kernel, not modular with no open hooks for adding additional modules.
Then I installed the suphp module for PHP to run scripts as users instead of nobody, especially when people trying to exploit it. I get it at www.suphp.org and it works extremely well. Since the changes, I haven't seen any rootkits being successfully implemented on the servers I admin. And note the fact that I manages over 260 servers for various clients points to the track records.
-- Amazing how the Internet still humms along.... -- Dispite all the flaws of Micro$oft in their software!
So, what's going on here? Are these simply two unrelated attacks? Is it an attempt by an immature highschooler with some cracking talent to boast to his friends "LOL 1 hax0rred debian.org!?" Is it an attempt by some sort of anti-Linux commandoes to undermine Linux's public image? I almost suspect the latter, but the prime suspect there is Microsoft, who have far too much to lose by going that route and plenty of money for traditional FUD that will make it into "traditional" news channels better anyway. SCO might be crazy enough to do it, but they probably wouldn't want to divert resources away from spewing lawsuits at everyone in existence.
From what I understand of the cracker community, Linux is held in fairly high regard (although I admit I don't try to keep up on the latest in the cracker community). You'd think that black-hats, who tend to be rather immature, when armed with a brand new exploit, would attack a site seen by the general public and post goatse.cx images on the front page, rather than subtly changing Debian packages. So, who's behind all this?
That's it. I'm no longer part of Team Sanity.
Okay, I read the article and it said that at least one machine was at a remote location that couldn't be accessed - can anyone tell me what kind of physical setup debian project uses? I always get the impression that they're based out of some dude's dorm or basement, like in this OpenBSD image. Do they have any physical security measures at all around their boxes?
They said the password was sniffed.
Try to shunt this off to a "weak password" all you want, but let's face facts here. A beloved Linux network was clobbered.
Yes, Virgina, Linux is not invincible. You have rootkits and exploits too. Just see Linuxsecurity sometime.
And, yes, it makes all the Linux loonies who rail on about Microsoft insecurities look like religious hypocrites.
Karma Bonus unchecked, because I don't expect this to be well-received by biased moderators.
Here are two useful utilities to flush out the SucKIT rootkit:
Kernel Security Therapy Anti-Trolls
and
Kernel Security Checker
Have a nice day !
Muchas Gracias, Señor Edward Snowden !
it's a sad thing that everyone seems to be so confident in their latest super secure linux setup, the power of fast and often patched open source software or the openess in such issues - so much that nobody takes these problems serious enough.
for every exploit known (and fixed) publically you can bet there are two yet undisclosed and maybe in the hands of the wrong people...
concepts like public key crypto (ssh, ssl), stack guarding (say no to buffer overflows) or process jail (try to escalate privileges from there) are thus essential to implement real security. still ease of setup or performance seems to be more important than safe networking.
perhaps the big desaster has to happen before people understand that projects like openbsd or selinux are not your tinfoil-hat wearing neighbor's business but the only serious choice for any public, responsible service provider.
Look at all the posts...excuses and rationalizations. "Well, this serves as an example of weak passwords" or "non-root privileges," etc.
Actually, what I see is people warning of a possible security hole in the wild.
You never see that level of rational explanation when it comes to a user-transmitted e-mail Outlook worm. In fact, in those cases it magically becomes a "Microsoft hole," even though it's users running the executable!
This is because one of the "strong" points which is claimed by windows is that it's designed to be used by non-tech experts, while at the same time it offers NO protection from mistakes. If outlook were modified so that it cannot execute anything and you must manually save to disk and execute whatever you would see (beside a drop in virus infections) fingers pointed at the users instead of Microsoft.
Slashdot is NOT supposed to be unbiased. It's called /. for heaven's sake - if it was a Microsoft oriented site it would be \. (backslashdot.org)
Oolite: Elite-like game. For Mac, Linux and Windows
Palm scanning only proves you have the hand of someone allowed to access a system. Retina scanning only proves you have the eyeball of someone allowed to access a system.
Well, the manufacturers of palm/retina scanners generally do include a feature that detects if the bodypart being scanned has a pulse. So you can't fool these scanners just by cutting off someone's hand or ripping out their eyeball. (Although it might be possible to manufacture fake contact lenses or glue-on fingerprints that would work.)
On the other hand, the basic weakness is that the biometric signature is still just a big password. You can "sniff" the signature by installing a fake reader. You can steal the signature off the harddrive of the domain controller. You can bypass the reader by splicing the wire. And your "password" is the same for every site.
Bottom line: I would sooner trust a token card.
-a
There were quite a lot of similiar reports from the folks all aronud at that time
My big hairy conspiracy theory would be in the line of super zonda type of organization hiring some of the most skilled crackers and r00ting the boxen all around ... for spamming, ddosing or whatever ... welcome to the Wild Wild Net.
Slashdotters are hypocrites and hold double-standards.
You're saying slashdot posters are inconsistant, but they're just different people who all happen to read slashdot. If you want to make a real argument, pick one person and attack their inconsistancies.
Another example is the political parties. You can't say that Democrats are inconsistant because of this, that, and the other. Democrats are a varied group, and they have many different perspectives and form their arguments in different, often contradictary ways. They just see a common means to their end, and each individual may be 100% consistant. (note: I'm not a democrat, I just used them as an example. This works with any political party that I can think of.)
Ultimately what you're doing is grouping variety of people together (slashdot readers) and then attacking the group as a whole for being inconsistant with respect to a separate issue (their perspectives about computer security).
You can do that to anyone. For example: "Blondes are so inconsistant. First they complain that the environment is being damaged, then the next week they're complaining about too much government regulation." Well, being blonde obviously has nothing to do with the topic, so of course you find inconsistancies in their viewpoint.
That type of reasoning is very simple-minded. The world is a complicated place with myriad possible groupings of people. Analogies that relate nations, corporations, SIGs, etc. to people often confuse the issue beyond repair. Microsoft isn't a "bully," it's just that the shareholders elect people that are likely to use aggressive business tactics and leverage the monopoly that they have to gain shareholder value. You can't punish MS in any way analogous to punishing a bully, because the shareholders could be long gone by now (however many years it takes to settle an antitrust lawsuit), because it's simply not a person, it's a group. Same with nations, it's a group and should not be personified. Think how much time the media has wasted talking about Bush as though he "doesn't play well with others." Nations are groups, not people.
Social scientists are inspired by theories; scientists are humbled by facts.
Everybody here is talking about an unknown exploit in Debian. What I haven't seen is a discussion on the probability that this might affect other distros too. Is it Debian specific, or Linux, or even UNIX (based on an app) specific? Let's not be complacent here.
This is really the heart of the issue: the unknown exploits. I've often been at the forefront of theorizing about possible vectors for unknown exploits. I'm usually flamed severely for it. The fact of the matter is that these unknown exploits exist and people need to be ready to deal with them.
If a "bad" hacker comes up with a new root exploit he's not going to e-mail all of the "good" hackers and let them know. He's going to make use of it mercilessly until he's noticed and caught. Microsoft ignores this issue outright and the OSS community tends to skate around it. If the computing public as a whole knew the facts about security then McAfee and Norton wouldn't even be in business. "Updating virus definitions" twice a week is still going to be ten weeks behind the hardcore caffeinated malicious hacker.
The OSS community has dealt with this issue in the most productive manner possible: complete openness and timely notice. Microsoft, on the other hand, would happily allow millions of users to remain compromised for months or years until their internal programmers manage to find the "unknown local root exploit". This could easily result in identities and credit card numbers stolen, bank accounts infiltrated, and possibly even malicious interference with real life relationships and employers just for fun.
Should the software manufacturer be liable? No. Should the user be entitled to know? Yes.
The OSS community is the only solution which addresses this situation correctly.
+++ATHZ 99:5:80