Ongoing Linux/Solaris Compromise Epidemic
An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."
Isn't this old news... like circa 1952?
IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
A good substitute for Linux and Sun boxes. My school migrated two years ago, weren't happier ever since.
Here - those guys make a kernel, kickass GUI environment (faster than GNOME and easier to use than KDE) plus some office word editors and educational stuff like encyclopedias and maps.
I'm running Windows XP!
aQazaQa
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system. No OS can be fully secured, and it is absolutely mandatory that we remain vigilant to the possibility of a heretofore unknown security hole in our systems, regardless of the system OS.
Assuming that Unix/Linux is invulnerable to security holes is deadly. Though the OS may have more security features and "more eyes" on the code than closed source operating systems, we must not rest on our laurels watching Windows implode while our own house is burning.
I have been pwned because my
a variety of local exploits, including the do_brk() and mremap() exploits on Linux
In other words, Stanford doesn't keep its Linux boxes up to date. These exploits have been fixed. Linux too requires maintenance and patching, not just Windows.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Dooes it runs Lunix?
It says that good passwords are a good defense.
We know this.
No more default last 4 digits of SSN as a password.
Make them use something more secure! And disable telnet, for goodness sakes.
Inconvenience your students in order to secure your system. It's all fun and games until someone uses a rootkit to play with GPAs.
Jay | http://oldos.org
going back to the back-door insertion attempt on the Kernel, the rooting of gnu.org's ftp server, the compromise of Debian's servers... it's the same people doing this.
Just a feeling.
hmmm, maybe they're going to make a Beowulf cluster of all the fastest computers... and try to get on the top 500 list MUHAHAHAHHAA, wait, hmmmmm..... well maybe with Internet2's bandwidth it might work?
come comment on the madness at http://slashdot.org/~phreak03/journal/
on just how widespread this attack really is. The story IS HERE
...because you never know who you're dealing with.
Handling Linux usability complaints!
Don't send passwords in plain text on the network, and enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
Change Linux root password from 1234 to something harder to guess
Well, there's spam egg sausage and spam, that's not got much spam in it.
What gets me is that you can tell the white hats and black hats are both lazy.
If the sysadmins had actually patched their servers with the appropriate security patches the "hackers" would have never gotten in, in the first place. If you read the counter measure section this isn't anything new that they shouldn't be doing every day and enforcing.
If you look at the section entitled Evidence of compromise you can see that the people breaking into the systems are leaving a pretty big trail to follow. In my job, when customers start complaining that their servers aren't working quite right, when you take a look at what's going on you can see a rootkit's been installed. The whole idea of a rootkit is to cover your tracks. If these guys did a better job you'd never know you were hacked. It's quite sad really. Laziness is the biggest security problem if you ask me.
Servers were down much of last week. The ITS website has a few brief details.
*Insert Spaceballs joke here*
The entire (up to date) Windows lab here gets compromised & backdoored to hell and everyone just says "Have it working by tomorrow". A Linux cluster gets compromised and they issue a press conference.
my sig's at the bottom of the page.
Isn't that an oxymoron? Cray Canada's CTO says so. Then again, Borland's CTO said "OS X is my favorite Linux distribution.", so maybe CTOs aren't so smart about Technology after all ;)
Honey, I shrunk the Cygwin
Oh, wait...
Well, maybe those admins are too busy receiving complaint phone calls from students who can't play games or use P2P on the campus network. (Or slow download speed)
I used to talk with my school computer lab monitor; he always received calls asking him why they can't use KaZaA or all kinds of P2P software. He just tells them it's the school's policy not to allow ANY P2P file sharing software to be used on the campus network.
He just told me recently the admin got some new "Port Blocker" router, which can block BOTH P2P and BitTorrent connections to the campus network. Too bad that "router" device also blocked Counter-Strike and many online games, which caused some students to move off campus within a week.
I don't think we will ever have a fully secure box; these vulnerabilities will continue to pop up occasionally and there's nothing we (the developers) can do about that. It is just a testimony to the fact that we are imperfect beings and sooner or later we will have our errors exposed. It is not a bad thing; in the evolutionary way of dealing with things, this (finding and sorting out bugs) could probably be a good thing. Having said that, I think developers do have control over how they respond to these problems, like coming up with a fix that doesn't just band-aid the wound hoping to find a cure in the future. Also developers have control over how fast they respond. On both criteria, open source peer reviewing is the winner over closed source development. One tends to promote security through openness and the other security through obscurity, like, think MSFT (read comments from a MSFT bigwig who said the only reason MSFT servers are compromised is because the vulnerabilities are announced).
Activists United
Windows don't do that.
These are local privilege-elevation exploits. The machines that are getting rooted are already allowing remote logins from all sorts of people.
Wake me up when a Windows machine allows thousands of people to remotely log in and run whatever jobs they want, and still manages to be mostly secure. Then you'll start to have a comparison.
1234 changed to Indiaorbust
If you believe your Unix computer has been affected by these intrusions, please contact the Information Security Services office (650-723-2911 or security@stanford.edu). Please include the name or IP address of the affected machine, as well as any compromised userIDs.
Never mind the compromised machines. Let's try social engineering instead. I know! We'll make a security alert, get it on Slashdot, and the poor trusting souls will beat a path to our POP3 account!
Seriously, you might as well just hand them your hard drive and credit card number.
You know he's at it again!
could someone more familiar with HPC systems please explain to me why any cluster is attached to the internet? I'm assuming these are externally routable addresses. I just don't understand why you would do this.
Now you know why!
If more sysadmins installed this, perhaps we wouldn't have problems with so many Linux compromises? Of course it's no substitute for patching, but seems like a good additional security measure.
This is from the gnu.org software directory
The exploitation of buffer overflow and format string vulnerabilities in process stacks are a significant portion of security attacks. 'libsafe' is based on a middleware software layer that intercepts all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program.
The true benefit of using libsafe is protection against future attacks on programs not yet known to be vulnerable. The performance overhead of libsafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, or recompilation or off-line processing of binaries.
Thanks for proving your ignorance, would you care to publish your URL and offer it to the boys at LSD for hacking fun. It would be in your own self interests.
"(And as for numbers and symbols making passwords less crackable--admit it, how many of you use 1337speak to make up the number/symbol quota?)"
A good password isn't that hard. You don't need lots of symbols or numbers to make it hard. In fact making a good password is a lot like the devices used to recall information from memory.
Dear God, your post is Redundant with itself!
Seriously, though, that log could have been cut short. We get it -- they tried logging in to common system user names, ones which are presumably disabled, probably trying either blank passwords or random ones which they had sniffed but could not associate with an account for some reason.
From the Stanford article:
And further down...
To paraphrase a cliche without any attempt at humor:
Imagine a Beowulf cluster running John the Ripper.
A marriage is always made up of two people who are prepared to swear that only the other one snores.
SOMEBODY is looking to get attention from it.
.or someone who has to gain from seeing linux get cracked. And if you think I'm crazy or some conspiracy freak just take a look at the things that microsoft, SCO and other such companies are doing . . .
Thankfully it's comming out to the public that such attacks are happening. It's when nobody finds out that it's a problem.
So either it's a few kids looking to make names for themselves . .
DESPITE having the IE antitrust suit done and over with because they force-fed it to us they're doing it with ITUNES.
The more I learn about computing, the more I like my toaster.
Now, my opinion of MS is not that great, but this just seems wrong.
Regards,
John
Falling You - beautiful
As long as we are being consistent. If unpatched Windows boxes count when complaining about or keeping statistics on compromised systems then unpatched Linux boxes should count as well. Personally I believe Windows' perceived insecurity has more to do with poor administration than technical shortcomings, well at least with the NT family. Linux's intimidation of traditional PC users may work to Linux's benefit here, fewer PHB think they can have an "amateur" administer the Linux box as they believe they can do with the Windows box. If Linux becomes less intimidating we may find more "amateurs" administering them and find them about as vulnerable as the average Windows box. On the other hand, Mac OS X is an excellent example of what Linux could do if it ever gets over its "by geeks for geeks" attitude.
Funny, the same argument is also heard when a new worm attacks an age-old-there's-a-patch-for-it Windows exploit.
Of course, most Windows users are clueless, so the Linux/Unix admins are pretty much guilty in this situation.
To confess (anonymously), where I work we are pretty slack about security as well.. we use ssh and pam, wasn't there a known security risk with these 2 a few months ago?
I'll give it to you: http://www.microsoft.com
Start hacking, I can't wait to see you show those fools what's up!
Yes, I use this.
I also combine it with grsecurity, which adds even more protection.
You should always remember though, these are just added layers of security. If someone can sniff your root password you're still cactus.
For a moment there, I thought they were saying that Solaris and Linux were making compromises in order to become more alike or that universities were compromising by installing Linux on some of their SPARC machines, and that people were saying that it was an epidemic.
Oh well.
Doesn't make sense to help out the person attacking you.
As a professional security researcher and employee of a CLEC I would like to say this is total FUD. IRC taught me that much.
The exploits/vulns being used in all cases are public. Stanford.edu should be so embarrassed right now.
This article was written by a monkey. He/She used every buzz word and hacking group they could think of. Throw in a few lkm rootkits and wow, it almost sounds intelligent.
SLASHDOT EDITORS, wtf are you thinking posting lamer shit like this? Sensational stupid fuckers.
I can see why they would want to target academic boxen if they wanted high-powered computers to do some serious slaved number crunching. If they are just going to launch a DDoS attack or send a bunch of spam though, academic computers are not the best. Most academic sysadmins have fairly limited budgets, and spend a fair amount on bandwidth. As such, they rule their bandwidth with an iron fist in many cases. The admins at my particular college have bandwidth flags on certain ports and a global flag of somewhere around 1gb/day over 3 days. Break that, and the admin gets very interested in what you are doing with your boxen.
I'm sure other colleges have similar schemes, and I've heard of many colleges which are even more strict with their bandwidth (200mb/day limit, etc). These academic boxes may make good targets because of their relatively low user intervention and user experience, but they don't have that great of a pipe on them, relatively speaking. If it was me, I would have gone after servers that also run wireless access points. Hard to tell where the bandwidth goes in some cases with those.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
They just used user passwords and exploited local privilege elevation vulnerabilities.
...Is that you cannot make sure your users are careful.
You pretty much have to assume that black-hats are going to be able to run escalation exploits and work accordingly. That or severely limit how users are allowed to interact with the machine (if they only need to access email or upload files, WTF should they be able to run anything else?).
But yeah, good passwords limit the opportunities.
Xix.
"Everything is adjustable, provided you have the right tools"
I still use libsafe. It is the greatest thing since sliced bread. Ok, that and distcc. Distcc and rsync... and ssh... DOH!
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Every single god damn worm would not work if users would patch their god damn systems. That's not news. Tell me something new to support that "Linux is secure" myth.
DISCLAIMER: This post is offtopic.
Don't send passwords in plain text on the network, and enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
That reminds me of Wells Fargo's website (I have an account with them). The passwords are 8 char maximum, and they are not case sensitive. At a friggin' bank. Luckily nobody would be able to do much with the $0.74 in my account.
PC's get compromised if security patches are not applied!
and in other news...
cheerio's get soggy in milk
Troll, Troll, go away and flame again some other day
I was looking at one of the Solaris vulnerabilities, and I saw "sadmind".
I thought it was some kind of nasty name for a hacking daemon - until I found out that sadmind was the "Solaris ADMIN Daemon"
READY.
PRINT ""+-0
Straw, meet man.
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system.
No one is. Work is always being done to find and fix vulnerabilities in *nix variants.
No OS can be fully secured
No one with a brain ever claimed that was the case.
Assuming that Unix/Linux is invulnerable to security holes is deadly.
See last comment.
Though the OS may have more security features and "more eyes" on the code than closed source operating systems
Which is true...
we must not rest on our laurels watching Windows implode while our own house is burning.
Last time, NO ONE IS.
Geez. I know your nick is "Obvious Guy", and that's pretty much all you're saying. Well, except for the entire argument about "watching Windows implode while we rest on our laurels", which no one is doing, talking about doing, nor thinking about doing.
Straw, meet man. I'm still befuddled as to the upwards moderation you consistently get, however.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
poor password management is the source of most hacks. i'm betting this cracker has a chip on his shoulder and is out to teach this org a lesson. gaining local access is 1/2 the battle, which is made easy when you use passwords like "password"
If you mod me down, I will become more powerful than you can imagine....
If someone gets root access (and can do what you describe) you're already long gone.
I see a day coming when, in one day, half the computers in the US have their disks erased.
I'm not familiar with libsafe specifically, but I have spent some time looking into obsd's w^x and PaX linux, which have similar goals. My question is, if the buffer overflow is in your own code, would libsafe stop it, or is it just for libraries? Also, does it only protect the stack, or also heap memory and the data regions of an executing program?
====
Crudely Drawn Games
If you're worried about system crackers, install SE-Linux as your kernel, throw on a few of the NSA's utilities, disable unrequired access to software and finally make sure daemons don't have privs they don't need.
Security isn't hard, it merely takes a little more effort than most are willing to put in.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Washington Post has more coverage in this article, Hackers Strike Advanced Computing Networks.
If the Government becomes a lawbreaker, it breeds contempt for law;
Heh, I'm running Windows 95. I figure by now the hackers are just bored of hacking me.
Security through boredom, my new secret weapon take th^454&*%2^$^^^B
Your CPU is not doing anything else, at least do something.
>I'll give it to you: http://www.microsoft.com
>Start hacking, I can't wait to see you show those fools what's up!
Again?
These are HPC clusters. How the fuck are users going to compile their wares, and run simulations without a fucking shell account?
Give the users something physical that has to be present in order for them to log in. There's a number of usb-key and similar solutions (there was one that looks like a button, I forget the name, but it looked neat). Don't use passwords *at all*. It's a big bullet, but eventually we're all going to bite it.
:-)
Having said that, I haven't bit it yet myself. I wonder if Debian supports any of those systems yet?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
... at any of these places where the attacks are occurring have any other information to add? I am interested if there is information that might have been gleaned from any captured code that might indicate the exact identity of whom the attackers were going to DDoS once they had their zombied supercomputers. Or was it going to be a DDoS? Another exploit? I think that info might be a clue (well obviously) to who is behind this. One would think that attempting to zombify a supercomputer run by some advanced admins would be more difficult (and thus more unlikely to be used for such a mundane cause) than just gathering, say, DSL-connected Joe User boxes. Wouldn't you think they might be up to something else? Such as using these supercomputers in an attempt to crack even larger and perhaps more .. sensitive... supercomputers or facilities elsewhere? A two-steps-removed compromise in other words, a "force multiplier" effort, perhaps "masked" to the ultimate target by seemingly being a benign connection from a respected place, if you follow? Or better, is there a critical tactical penetration advantage in using a zombied supercomputer on a big pipe that goes beyond the obvious that is already stated/speculated on in the disclosure?
Or do you (anyone who might have some more AC insider info) have any other pertinent data not covered in the articles?
Not a security guru here, but last time I remember anything like this was like around 2 years ago or so when banks were targeted, something like that anyway.
Some universities share their clusters. The clusters are linked to other clusters at other universities. I'm guessing they are using the internet to link them together. More info here: http://www.sharcnet.ca/
Your CPU is not doing anything else, at least do something.
The real answer here may be that we need to start requiring less use of passwords via ssh and more of the keyed transports. In addition, for true security, perhaps we should have the path recorded via the protocol.
I prefer the "u" in honour as it seems to be missing these days.
Every day we see the constant stream of Microsoft security failures.
And those aren't minor, obscure failures. They affect millions of Windows users. They fill up our reject logs. And they don't require special conditions -- Windows exploits can hit you simply because you browsed a webpage, played an MP3, received an e-mail, or just by having your PC connected to the Internet.
In fact, not only was there a story about three new Windows vulnerabilities, just two stories before this one, but Windows vulnerabilities set an all time record in February for the number of new exploits in a month. According to The Washington Times, "Internet attacks in February caused an estimated $68 billion to $83 billion in damages worldwide."
And to counter the impression that Windows has bad security, we are presented with... wait for it... a single Linux site, whose faulty administration procedures have left their machines vulnerable to local exploits, requiring the cracker(s) to first sniff a password.
And then the parent poster suggests that the two are somehow equivalent???
How lame!!!
It'll be a sad day when it does. Seriously, who is Linux and can it/he/she be said to have an attitude? Or did you mean some homogeneous collection of people somewhere who all answer to the name Linux? Who is it you want to get over it? Me? Based on your vague statement, I could be Linux. Yes, call me Linux from now on. I use linux, administer it for pay, occasionally preach its virtues to the unwashed masses, etc. I think RedHat, Suse, Novell, IBM, etc. are all "over it" though, or are they not linux?
Will the real Linux please stand up and knock off its annoying attitude, this guy wants you to be MacOS X, pronto!
No, it doesn't... many of the same types of reports about windows attacks are ALSO due to UNPATCHED machines.
It's the one-eyed, severely slanted nature of the Slashdot readership that:
* Microsoft is evil, stupid, moronic, evil, nasty, unsafe, did I mention evil?
* Linux is the shining non-denominational grail.
For god sake, there are security vulnerabilities in both people... and they aren't taken advantage of within the *nix world, because... hey, guess what? The majority of users are computer savvy, and know about passwords and firewalls and not leaving ports open etc.
Windows users on the whole have issues programming their VCRs.
As you start to get what you want, which is widespread Linux adoption, you'll start getting more of the VCR no-hopers using Linux, not patching it, not having secure passwords... and GUESS WHAT? Linux will start having major security issues in the same way as Windows does now... not as severe most likely due to better design, but they'll be widespread... there'll be a doozy, and it'll cause all sorts of problems and then people will be "Hey, I thought when we all moved to Linux the world would be a safer place for me and my little children, but now that a vulnerability has allowed my Linux box to be used as a Spam mail distribution point, I feel dirty and scared. I might install XP again."
Stop being so damn one sided.
Why is SSH access allowed to that machine from anywhere on the internet?
hosts.allow ?
Firewall ?
get a life... you are all as pale as michael jackson
Good thing guest is disabled anyways. What's odd is that the attacker only tried to enter with those two logins. The ip is actually hosting http which leads me to think that it came from a compromised machine.
Might want to firewall out that address for the time being?
Even if they're not guessing anything, there's probably no reason for that computer to be on your cluster, anyhow.
(That, and get someone in your Japanese language studies program to help you contact their admins...)
Touché. Still... you know what he meant, so why not respond to that instead of attacking him on some technicality?
But what about using shadow password files and MD5 passwords? Wouldn't these either significantly raise the amount of time it takes (if John the Ripper tool can even crack MD5 passwords) or simply block passwd file access to the average user?
Did not receive identification string from [ip_address]
Lets just go and label any hacker a "Terrorist." Oh wait, I think they did that already...
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
Here is a list of some things that I feel are worth considering:
1. Patch your system! As soon as a patch comes out, get it applied and reboot if you have to! Also, stay up to date on security issues by subscribing to mailing lists that are related to the software you're using. One good general purpose site is cert.org. Keep in mind that while mailing lists are great ways of being notified, they aren't foolproof. If your subscription expires and you don't know about it, you won't be exactly up to date in the community now will you?
2. Use grsecurity. This is a kernel patch that lags briefly behind official Linux kernel versions. It has many great features for protecting against stack attacks/buffer overflows, i.e. those latest greatest scripts your local script kiddie just downloaded won't likely do anything against you since special addresses are randomised. It can also hide files on your computer such as integrity checkers so nobody except you knows they exist. Plus it can stop code being inserted into a running kernel by making kernel memory read-only (which, btw, would have prevented at least one of the attacks they mentioned).
3. Install a filesystem integrity checker. Aide, integrit and tripwire all come to mind and essentially all do the same thing but with different config file syntax. Besides, how can you tell if a file is changed if you don't actually check? Also, don't forget to hide the existence of this program using something like grsec's gradm filesystem ACL util and be careful of automating checks in the crontab!
4. Read a good Linux securing article. One such article I have read is called Securing & Optimizing Linux: The Ultimate Solution. It will teach you how to lock a system down a fair bit and how to remove unused/unneeded services from your computer.
5. Watch those logs! Log files provide a wealth of information, but administrators rarely check them (well, not all). If you don't know what a log entry means, research it, or else you may be looking at an attack and not even realise it. Now I know some of you are thinking I am nuts considering just how many logs even a small system generates, but there are tools to help you. One way is to use a program called swatch (a perl script). It can parse existing and old archived log files using a perl regex syntax and trigger actions based on found text. Start by configuring the system to ignore any log entries that are known to be friendly and show you everything. Then slowly eliminate each friendly entry one at a time. What will be left is a list of purely evil entries :). Next configure swatch to alert you upon receiving such messages! Of course you can always use perl or even grep -v to parse logs, but for repeated use I think a specialised tool would save you some trouble in the long run.
Now I know I could go on forever with suggestions, but I think that these few things should give anyone a kick in the right direction. I hope this has been helpful.
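Item 5 above describes the swatch approach: suppress the entries you know are friendly, look at whatever is left, and alert on the rest. The following is an added example (not from the post, not swatch itself) of that strategy in plain Python over a constructed syslog-style auth excerpt. The sample lines, the host name, the 192.0.2.x/198.51.100.x addresses and the user names are all made up for the demonstration; the message formats follow OpenSSH and pam_unix conventions, and the "Did not receive identification string" line is the kind quoted elsewhere in this thread. It also counts, per source address, failed logins to system or non-existent accounts and banner-less connections, which is what a sniffed-password or account-guessing probe tends to leave behind.

```python
import re
from collections import Counter

# Constructed sample auth-log excerpt (syslog style); not a real capture.
SAMPLE_LOG = """\
Apr  5 03:01:01 node7 CRON[2201]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  5 03:01:01 node7 CRON[2201]: pam_unix(cron:session): session closed for user root
Apr  5 03:02:14 node7 sshd[2310]: Accepted publickey for alice from 192.0.2.5 port 50122 ssh2
Apr  5 03:04:55 node7 sshd[2355]: Did not receive identification string from 198.51.100.23
Apr  5 03:05:02 node7 sshd[2360]: Failed password for invalid user guest from 198.51.100.23 port 4020 ssh2
Apr  5 03:05:04 node7 sshd[2360]: Failed password for invalid user admin from 198.51.100.23 port 4020 ssh2
Apr  5 03:05:09 node7 sshd[2361]: Failed password for root from 198.51.100.23 port 4021 ssh2
Apr  5 03:06:30 node7 sshd[2380]: Accepted publickey for bob from 192.0.2.7 port 50130 ssh2
Apr  5 03:07:41 node7 sshd[2399]: Failed password for alice from 192.0.2.5 port 50140 ssh2
"""

# Entries known to be friendly on this (hypothetical) host. Following the
# post's strategy: start with no patterns so everything is shown, then add
# one pattern per benign entry until only the unexplained lines remain.
FRIENDLY_PATTERNS = [
    r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user root",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 192\.0\.2\.\d+ port \d+ ssh2",
]
_FRIENDLY = [re.compile(p) for p in FRIENDLY_PATTERNS]

_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
_NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")

# Accounts that are commonly probed and should never see an interactive login.
SYSTEM_ACCOUNTS = {"root", "guest", "admin", "test", "nobody", "daemon"}


def unexplained(lines):
    """Return the log lines that match none of the friendly patterns."""
    return [ln for ln in lines if not any(p.search(ln) for p in _FRIENDLY)]


def suspicious_sources(lines):
    """Count, per source address, failed logins to system or non-existent
    accounts and TCP connections that never sent an SSH banner."""
    counts = Counter()
    for ln in lines:
        m = _FAILED.search(ln)
        if m:
            user, src = m.groups()
            if user in SYSTEM_ACCOUNTS or "invalid user" in ln:
                counts[src] += 1
            continue  # a real user's typo is not counted here
        m = _NO_IDENT.search(ln)
        if m:
            counts[m.group(1)] += 1
    return counts


def alerts(text, threshold=3):
    """Apply the friendly filter, then flag sources at or above threshold."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    leftover = unexplained(lines)
    sources = suspicious_sources(leftover)
    return {
        "unexplained": leftover,
        "flagged_sources": sorted(src for src, n in sources.items() if n >= threshold),
    }


if __name__ == "__main__":
    result = alerts(SAMPLE_LOG)
    for ln in result["unexplained"]:
        print("UNEXPLAINED:", ln)
    for src in result["flagged_sources"]:
        print("FLAG SOURCE:", src)
```

The friendly patterns deliberately pin the accepted-key logins to the known management subnet; a successful login from an unfamiliar address therefore stays in the unexplained list instead of being filtered away, which is the property you want when a sniffed password is the likely entry point.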
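Item 3 above recommends a filesystem integrity checker such as Aide, integrit or tripwire. As an added illustration of what those tools do underneath (this is not code from any of them), the block below records a baseline of SHA-256 digest, permission bits and size for every regular file under a directory and then reports additions, removals and per-field changes against a later snapshot. The demo builds a constructed temporary tree (hypothetical `bin/ls` and `etc/passwd` stand-ins) and shows a replaced binary being caught by its hash and mode even though its size is unchanged.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file below root (path relative to root) to its
    sha256, permission bits and size. Walk order is sorted so the baseline
    is deterministic and can be stored off-host for comparison."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks are skipped; their targets are checked where they live
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": _digest(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return added and removed paths plus, for changed files, which fields differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "mode", "size")
                   if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then alter the tree the way a
    file-replacing intrusion would, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"ORIGINAL-LS-BINARY\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        # Same length as the original, so a size-only check would miss it.
        (root / "bin" / "ls").write_bytes(b"TROJANED-LS-BINARY\n")
        os.chmod(root / "bin" / "ls", 0o4755)          # now setuid
        (root / "etc" / "newfile.conf").write_text("# unexpected\n")
        (root / "etc" / "passwd").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must live somewhere the compromised host cannot rewrite it (read-only media or a separate machine), which is the point of the post's advice to hide the checker and to be careful with cron-driven runs: a checker that an intruder can see and edit is worth little.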
Well there's 2 sides to that coin. Some say it's really bad to rely on libsafe because the underlying source never gets fixed, therefore libsafe becomes an indispensable middle layer you rely on more and more to protect legacy code which is inelegant. So in the long run it's much better to sort out the original source and do the job properly from the top. Just another 0.2c from a different school of thought.
The problem, among others, is that we don't have enough real punishment going on for hacking activities.
The problem is that the concentration of clue among sysadmins is just too low. If you are still running a do_brk vulnerable kernel 5 months after the vulnerability was discovered and patched and widely publicised (remember the Debian and Gentoo server compromises that were all over the news?), you deserve whatever you get. I mean, sure, if you were hacked on December 5, my sympathy goes out to you, but if you are running unpatched 2.4.22 right now, there is no excuse.
As for jail time for hackers: to justify that, you would need to show that a moderately skilled sysadmin, one that reads a security-related news source at least on a quarterly basis, physically cannot protect his/her system from a moderately skilled attacker. For example, suppose someone proved P=NP and made a polynomial-time ssh decryptor. Only then we would need laws against password sniffing, because once you let a government have a taste of regulating the Internet, it will not stop until it has, so to speak, filled its belly with electronic freedoms.
I've heard a lot of people say something like, "It's their own fault for not installing the latest patches." Doesn't that suck anyway though? It's a major pain to need to keep a human around to twiddle some bits periodically.
I'm not sure it really has to be this way. It seems to me, that it is a major design flaw that if there is a small error in one of the *many* programs from *many* different parties being run as root, that it can be exploited so that an arbitrary attacker can end up getting root access or executing arbitrary code or whatever. For that matter, it seems silly that (for desktop systems) disastrous effects can come from code run by Joe user. After all, desktop users store all their important files in some place they *don't* have to authenticate as root to get to.
Rather than just assuming that the ever watchful eyes of open source uber hackers are the only remedy for this as well as all of life's problems, maybe it is possible to come up with some easy solutions, or at least partial solutions, to this problem?
1. Use software that watches the beginning and end of every stack frame for an overflow. If an app overflows *kill it dead*. Similarly, the beginning and end of every block allocated on the heap can be watched. Software like this exists, and it is about time it is built directly into the standard distributions and *turned on by default*.
2. Develop a new security model. The current system sucks out loud. Really, access lists (a la microsoft) are a step in the right direction. Finer grained and more flexible controls are good, but a totally new security model would be better. I've seen some things like this developed as academic projects, but it would be nice to see a patch available for a main stream OS like linux.
3. It might also be useful to have virtualization (think VMWare) built into standard distros and used by default for services like apache that need to run some stuff as root. My understanding is that you can do something like this with chroot currently, but that it is a clumsy and dangerous tool.
I'm not a big security buff, but even I can see that there are some things we can actually *do* about this problem.
That IP seems to be an image uploading site of sorts. Apparently they let anyone upload images to the server. My guess is the uploads are to /tmp and quite likely executable, with no mime-type checking of uploads. Maybe someone who understands Japanese can let them know the box is hacked.
Seriously, you might as well just hand them your hard drive and credit card number.
Okay, this is just plain wrong.
For starters, as has already been pointed out, these are the Stanford security admins. If you can't trust them, you're already quite screwed.
Second of all, if your IP and a subset of usernames on your system are equivalent to your "hard drive and credit card number", you've got major security problems aside from potential bogus security advisories.
May we never see th
MacOS X? Excellent example of what? A poorly threaded, non-SMP, non-NUMA kernel with limited architecture support, no transparent clustering, no support for embedded devices, doesn't run on mainframes, and is only sold and supported by a single vendor for a single hardware platform?
Oh, you were impressed by the flashing lights were you? Here kid, have a lollipop.
reply in English, you'd be surprised how many foreigners know it. I'm sure they'll decode it before we find a Japanese guru. ethics question- would it be bad to hack a machine to upgrade security precautions? technically not hacking, but I'm sure that wouldn't hold up in court. anyways, stray thought.
Breaks on redhat systems. 9 no longer even uses it and apps like mathlab vomit.
http://saveie6.com/
Ah. So Bill has hired Mudhen from the Puzzle Palace to try to steal Scotty's and Linus's secrets. Not much to worry about.
Yes they are "losing" market share in terms of server count, and then only marginally. Where they gain market share is in the enterprise area. More and more enterprise-level websites switch to ASP.NET from alternatives (source: Netcraft).
would it be bad to hack a machine to upgrade security precautions?
Yes.
ah ha! so /this/ is how Google get all their computing resources..
-- Jay Fenton | CTO | Your World TV Ltd | http://www.yourworldtv.com/
In order to keep systems secure, a number of "distasteful" actions have to be performed regularly. These actions can be almost completely automated, but they are "distasteful" to the users.
1: Regular down time to apply patches.
2: Secure passwords
3: A secure environment
Regular downtime can be almost impossible to get permission for, and the bigger the system the harder it gets. The owners of the systems simply don't see the need and so don't allow it, until it's too late.
Secure passwords are a pain in the arse to users and are usually incompatible across applications and systems due to the differing rules. People then write them down and use simple to remember and crack passwords, replace O with 0, l with 1, E with 3 etc.
Secure environments like Kerberos require buy in from all of the little fiefdoms who want their own IT department. That means giving up control. It also means changing working practices quite significantly.
Poor IT security is usually a sign of politics and bad management within an organisation rather than laziness.
Government of the people, by corporate executives, for corporate profits.
Are we waiting for Martin Gates to come nailing a paper to our door with [Windows] 95 Patchesises?
The problem is not about holes but about updating the system.
How do we update such a high-availability system? Can we update all rpms online? Could we update the kernel online? Can we do it at least in a cluster?
Shouldn't we be able to upload at least most modules of the kernel without restarting?
How can we speed up the reboot process so that restarting a system after uploading a new kernel becomes fast?
Those are the real questions. There are holes, that's absolutely true, but how do we make it so we can close a hole worldwide in, say, 48 hours? That's the real trick we should be thinking about.
These security issues are very different from what is usually reported for Windows: these are sniffing attacks (which are not a software problem but a system management problem--don't install telnet), combined with local exploits. Every Linux machine tries to be secure as a machine with multiple logged in users. When people talk about Windows security problems, they are talking about attacks from the outside.
I hear you there. One of the benefits of Open Source is the sheer number of eyeballs peering over code, and fingers to modify it. I very much believe that bit rot exists. Namely, that if you stop paying attention to something it eventually degrades.
Libsafe is like dropping an egg in your radiator. Yes, it would be ideal to be able to trace the source of the leak, but when you are stranded somewhere you have neither the tools nor the time for a proper repair. Depending on the situation, a quick fix can be a matter of life and death.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
... SUN1 heavy, come about to runway 101010. You may begin your final approach. We're laying down crash foam and keeping DEC's old hangar warm for you.
There are also some jackals from Microsoft who'd like to speak with you in the lobby, after they're done spreading nails on the tarmac.
1) in these environments, experimental kernels, local patches, and other non-standard goodness makes it extremely hard to "just" apply patch X.Y.Z the instant it comes out. sorry. we're doing cool shit here, not just salivating over /. waiting for the next kernel to come out in order to recompile on our l33t LFS box. if it were that easy, we would have done it.
2) a good majority of this access was not gained (initially) via kernel exploits or sniffed passwords, but rather, through trojaned SSH clients on infected machines. no cleartext passwords here, no remote exploits used. when possible, they seem to deploy their rootkits *locally*, but it's not always necessary since they usually get the password of a privileged user (and then trojan SSH) anyway.
a *real* lesson to learn here is to use OTPs and/or hardware tokens when possible for escalating privileges. if possible, eliminate passwords over the wire (i.e. use native Kerberos in SSH).
I see a lot of "well, we're patched up to date, so we're OK"-think, and that's just dangerous. look at your security practices. are you using tripwire on a read-only medium? can you use a readonly root / usr partition? are you actually reading your nightly cron reports from logwatch and such?
you mean people doing HPC work want to use weirdo homebrew applications, kernels, even *operating systems* that don't allow the use of custom patches, libraries, and non-standard schemes like this?!
no way!
seriously, security is easier in theoretical academia land, or for small homogeneous environments with a known userbase (like an OpenBSD mail server for a small department of a company). it's harder when you have to serve the whims of countless scientists from many different places with greatly differing needs, with the requirement that every % of speed lost (from security overhead, e.g.) WILL be noticed and WILL be noted in the site review to the NSF eventually.
sigh.
This sounds like a good time to troll for votes for my Fedora Security Enhancement Bug. Without this enhancement, it's near impossible to verify a Fedora system from read-only media.
I don't know who to bother about getting this implemented but I assume someone at RH would have to adopt it. A few votes might get it recognized.
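The two comments above ask for file-system verification against a baseline kept on read-only media. This is an added example, not tripwire and not the Fedora enhancement being discussed: it records mode, size and SHA-256 for every file under a tree, then reports what changed, using a constructed temporary tree (a rewritten ssh client, a setuid flip, a dropped file). The baseline dict is what you would burn to read-only media.

```python
"""Baseline-and-verify integrity check (added example, not tripwire)."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Mode bits, size and SHA-256 of one file; symlinks are not followed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return (stat.S_IMODE(st.st_mode), st.st_size, h.hexdigest())


def baseline(root):
    """Walk root and record every regular file and symlink, keyed by relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def verify(root, db):
    """Compare the live tree with the baseline; returns sorted (kind, path) findings."""
    current = baseline(root)
    findings = []
    for rel in sorted(set(db) | set(current)):
        if rel not in current:
            findings.append(("missing", rel))
        elif rel not in db:
            findings.append(("added", rel))
        elif db[rel] != current[rel]:
            findings.append(("changed", rel))  # content, size or mode differs
    return findings


def demo():
    """Constructed tree: take a baseline, tamper with it, report the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ssh"), "wb") as f:
            f.write(b"#!/bin/sh\necho original client\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho ls\n")
        db = baseline(root)  # this is what would live on read-only media
        # Tamper: replace the ssh client, set the setuid bit on ls, drop a file.
        with open(os.path.join(root, "bin", "ssh"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned client\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"x")
        return verify(root, db)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:8} {rel}")
```

Because the comparison includes mode bits, a setuid flip on an unchanged binary is reported as well as a content change.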
"I assumed blithely that there were no elves out there in the darkness"
No. I use grsecurity.
http://www.grsecurity.net/
I can confirm this is for real. NCSA, SDSC, ANL, Caltech, and other sites have been hacked, largely Teragrid and HPC resources. .mil has even blocked access from some university nets to prevent attacks, because these attackers are targeting universities for their high-performance resources (for password cracking) and plethora of DOE/DOD and researcher accounts, some of whom have access to classified systems such as Frost at LLNL and the ASCI systems at LANL, Sandia, etc.
They (especially the Teragrid folks) have been trying to keep it very quiet. However, if you read between the lines of this memo:
http://www.teragrid.org/userinfo/index.html
Basically, they've got several clusters at NCSA offline, and accounts being used by crackers to gain access to other systems.
This is the biggest university hack/government hack since the UofO & DOE/LANL hack last winter. Oh, yeah, you never heard about that one either, did you... I mean, if you knew how broken all these sites are, you might be shocked.
More info on the .mil block:
http://www.its.caltech.edu/
Where I work (a college Physics dept. that shall remain nameless), we are ruthless wrt securing our unix boxes but tend to be very slack when it comes to windows. The poor technician gets to reimage windows boxes on a regular basis though. Our (bad) attitude tends to be something like: "Oh, you got a virus/worm/trojan huh? Silly you! Pull the blue cable NOW, we'll have your PC fixed within a week. Until then use the student lab." This really helps with user training too! Go ahead, open the attachment, make my day! Now before you all say that we are suckers since creds harvested off windows boxes will tend to be the same as that user's unix creds, I should fill you in. We tend to classify users: "What operating system will you be running on your desktop? Oh, windows...? Is it alright then if we give you /bin/false as your shell? Great!" i.e. don't give shell access to windows users, they have no clue as to how to use a CLI anyway! On top of that we are uber paranoid about account expiration and passwd policy due to these recent local root exploits and restrict remote ssh fanatically using an SSL PHP page. When a user wants remote ssh they have to visit this page, authenticate and nominate the ip from which they will connect. They get 2 weeks max before they have to repeat this process and each time they do we get and they get an email confirming their submission. FYI, cron runs a PHP script that writes the active user@ip lines to /etc/ssh/sshd_conf from the MySQL db.
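The cron job described above, as an added example in Python rather than the commenter's PHP: it takes the self-service records (constructed here; in the setup above they come from the MySQL table), drops anything older than two weeks or not a plain username plus literal IP, and renders an sshd_config `AllowUsers user@ip` line, written atomically so sshd never reads a half-written file. The file path and the records are assumptions.

```python
"""Render sshd AllowUsers entries from time-limited remote-access requests."""
from datetime import datetime, timedelta
import ipaddress
import os
import re

MAX_AGE = timedelta(days=14)  # the two-week limit from the comment above
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample rows: (username, nominated ip, time of nomination).
REQUESTS = [
    ("alice", "203.0.113.7", datetime(2004, 4, 1, 9, 0)),
    ("bob", "198.51.100.23", datetime(2004, 3, 10, 12, 0)),   # expired
    ("carol", "203.0.113.7", datetime(2004, 4, 5, 8, 30)),
    ("mallory; rm -rf /", "203.0.113.9", datetime(2004, 4, 5, 8, 30)),  # bad name
    ("dave", "not-an-ip", datetime(2004, 4, 6, 10, 0)),      # bad ip
]


def active_entries(requests, now, max_age=MAX_AGE):
    """Return validated, deduplicated 'user@ip' patterns still within max_age.

    Anything that is not a plain username or a literal IP address is dropped
    rather than written into sshd_config, because that file is parsed as config.
    """
    entries = set()
    for user, ip, submitted in requests:
        if not USERNAME_RE.match(user):
            continue
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue
        if submitted > now or now - submitted > max_age:
            continue
        entries.add(f"{user}@{ip}")
    return sorted(entries)


def render_allowusers(entries):
    """One sshd_config line. With nothing active, deny everyone explicitly
    instead of emitting an AllowUsers line with no patterns."""
    if not entries:
        return "DenyUsers *"
    return "AllowUsers " + " ".join(entries)


def write_config(path, line):
    """Atomic replace: sshd only ever sees the old or the complete new file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("# generated by remote-access cron job; do not edit\n")
        f.write(line + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


if __name__ == "__main__":
    line = render_allowusers(active_entries(REQUESTS, datetime(2004, 4, 7)))
    write_config("/tmp/sshd_remote_access.conf", line)  # assumed path
    print(line)
```

After writing, sshd still has to be told to reread its configuration for the new line to take effect.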
It's the only way to stop the lusers and ignorant admins from using cleartext passwords.
The really pathetic thing is that where I work everyone already has securids for login to the remote access vpn, but they still use cleartext passwords on the unix boxes
So if I put -fstack-protector in my global CFLAGS, I can ignore all the critical buffer overflow exploit warnings? Why isn't it on by default?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
MacOS X? Excellent example of what? A poorly threaded, non-SMP, non-NUMA kernel with limited architecture support, no transparent clustering, no support for embedded devices, doesn't run on mainframes, and is only sold and supported by a single vendor for a single hardware platform?
Your points are irrelevant since I was obviously referring to user interface and ease of use.
Totally backs up my theory all universities should be closed and comp sci should be taught on the street corner where it belongs.
I work in an Ivy League University
The proud hacker ethic of yesteryear promotes user patching : the laissez faire school of security. Most major schools have no firewalls and scientists dictate IT policy. There is no staging prior to production. No patch management. No administrative oversight. Imagine buggy half-assed builds scaling to superclusters. This is not your mommas locked down corporate environment.
The only defense is to secure your department as much as you can - the "Islands in the Stream" model of network security. This will complicate your users lives. Depending on where you work, this may be a Career Limiting Move (CLM) in Academia OR the real world. However, the upside of all this malicious intent is the great opportunity for security exposure. Only firewall teams are usually schooled in active attacks. Fuck the corporate bootcamp cram session. This is live fire. Believe me, Honeyd and Tarpits are a godsend.
Of course universities are targets of hack attacks. The student segments are swarming with virii and backdoors. You wanna go tell Joe Jr $40k pa he's not allowed to use his laptop? One successful compromise will lead to a hackers' paradise. Windows PCs on University address blocks are everyday targets. All we see here is someone targeting *nix boxes. This is a surprise?
NOO! Kiddies are targeting insecure machines with known vulnerabilities? Users/Admins didn't stay on top of their security patches? Why is this even news?
I think RedHat, Suse, Novell, IBM, etc. are all "over it" though, or are they not linux?
They are not "over it". For example Red Hat/Fedora still needs to be manually configured to recognize a two year old NEC flat panel. Recompiling an NVIDIA video driver still needs to be done occasionally.
FWIW, I was about to write that great improvements have been made in recent years but that would not be entirely accurate. Around ten years ago I brought home a Linux and a FreeBSD cd. Having used BSD at school I naturally installed FreeBSD first on a 486DX2-66. The install was about as painful as many Linux distributions until recent years. Then I tried the Linux CD, Yggdrasil Plug-and-Play Linux. The install was amazingly simple and I had working video, sound, etc. with very little effort. Red Hat's recent attention in the area of ease-of-use is not as novel as you may believe.
A Washington Post story has more but questionable details. They rely on one or two anonymous sources and some big dogs at BIG buzzword projects. The picture, however, does point to a sloppy and pointless attack on 20 or so high profile buzzword projects. This is either a routine script kiddie attack, or one planned by M$.
University buzzword projects have weak security. Most of the PhDs I know are too busy to keep up with computer nonsense and STILL use winblows, telnet and other junk that is the source of these problems. The bigger the dog, the bigger the head and the less time they have had to learn or update.
All the signs are there for Microsoft involvement. The Wintel press has been primed with bullshit about poor security of poorly managed Unix. The hack work was high profile, sloppy and looks like more of a "look at me" stunt than an attempt to gain resources. The wintel word will be dancing in the streets at the news and trying to take yet more ill deserved power.
IS at universities have already been bad. Their response to Winblows problems has already made life difficult for the responsible Unix user. Their ever escalating big dumb vendor solution has made their networks blocked, proprietary, buggy, painful and expensive. Administrators have turned their eyes and minds from publishing potential of networks to stupid copyright and Winblows nonsense. This is going to give those weenies a place to point and say, "See! I told you it was all the user's fault. Give me more control to fix your incompetence."
The optimist in me would like to think that good things can come out of this. Free software users can point to the fact that this was not a robot attack, that it is extremely rare and that the damage will be fixed in two shakes of a GNU tail. I'd even like to think that this will make job opportunities at Universities for competent Linux administrators to help secure systems. Professors need competent help and they are not getting enough of it now. If they were, they would not still be on Winblows, they would not be using Telnet and this attack would never have happened. The pessimist in me thinks that dumb asses are going to make things even more difficult.
It's up to competent people to win the day here. It would be absurd for software that's routinely rooted by robots to win out here. You have the experience, you know the answers, get out there and kick some ass!
Friends don't help friends install M$ junk.
At a university? Faculty go many places...
Mine is. It won't POST. Try hacking THAT!
we have a sun system at our institution that runs a webserver for a very specific application. an unnamed vendor (we'll keep it that way) installed this machine and pretty much told us to keep hands-off of it except to change the backup tape. if we made any modifications to the machine or its software, then our service agreement was void and they would not support this particular app. so, we firewall the crap out of this thing, only allowing access to httpd (apache), making sure to explicitly block any high port in use. well, this machine gets compromised about a week ago because this vendor has an ancient version of apache (1.3.3 or something) running suid/sgid root. idiots.......this is a problem we could have prevented if our vendor wasn't as dumb as they were. being a small .edu, we can't just pack up and change without spending 6 figures, so we are pretty much stuck with it until their contract comes up in a couple of years (this is an inherited problem). want their take on the problem - apache only will work suid/sgid. won't run unless permissions are that way. so i ask them to change it, and after about 10 minutes of arguing with their lead UNIX guy he does so. he was amazed that it would run......
I've got a WinXP box that cannot be restored without the blaster worm.
The patch system is flawed. It's not secure - in order to patch my XP box, I've got to connect to the internet to download the patches and virus updates.... During which, Blaster seizes the opportunity to infect my machine.
Suppose, for example, that someone wrote a virus which disabled Windows Update, or even AV software. Such a machine could never be successfully patched without having physical media. Nor could it ever access the internet - if one did a restore of the machine, the "older" AV software wouldn't detect the newer virus signature, and the machine would be infected as soon as an internet connection was established. In this case, every user would have to buy a new, recently boxed copy of the AV suite and install it before they connected to the internet.
The idea that users can patch their machine using the internet is inherently flawed. Should someone write a worm which disabled the AV software, or Windows Update, a user's machine could not ever be recovered, as the patching mechanism itself would be disabled. (Of course, they could still shell out cash for the patches on CD....)
The society for a thought-free internet welcomes you.
This is what viruses used to be; the fastest way to patch a network. Alas, they suffered from needing a really big exploit in order to work. Then the black hats got the idea and used it to their own ends.