Ongoing Linux/Solaris Compromise Epidemic
An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."
What difference does it make what the attackers' motives are? If he is doing it, that means the blackhats can do it as well. This is something we should -all- be concerned about.
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system. No OS can be fully secured, and it is absolutely mandatory that we remain vigilant to the possibility of a heretofore unknown security hole in our systems, regardless of the system OS.
Assuming that Unix/Linux is invulnerable to security holes is deadly. Though the OS may have more security features and "more eyes" on the code than closed source operating systems, we must not rest on our laurels watching Windows implode while our own house is burning.
I have been pwned because my
a variety of local exploits, including the do_brk() and mremap() exploits on Linux
In other words, Stanford doesn't keep its Linux boxes up to date. These exploits have been fixed. Linux too requires maintenance and patching, not just Windows.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
What gets me is that you can tell the white hats and black hats are both lazy.
If the sysadmins had actually patched their servers with the appropriate security patches the "hackers" would have never gotten in, in the first place. If you read the counter measure section this isn't anything new that they shouldn't be doing every day and enforcing.
If you look at the section entitled "Evidence of compromise" you can see that the people breaking into the systems are leaving a pretty big trail to follow. In my job, when customers start complaining that their servers aren't working quite right, when you take a look at what's going on you can see a root kit's been installed. The whole idea of a root kit is to cover your tracks. If these guys did a better job you'd never know you were hacked. It's quite sad really. Laziness is the biggest security problem if you ask me.
If you believe your Unix computer has been affected by these intrusions, please contact the Information Security Services office (650-723-2911 or security@stanford.edu). Please include the name or IP address of the affected machine, as well as any compromised userIDs.
Never mind the compromised machines. Let's try social engineering instead. I know! We'll make a security alert, get it on Slashdot, and the poor trusting souls will beat a path to our POP3 account!
Seriously, you might as well just hand them your hard drive and credit card number.
Could someone more familiar with HPC systems please explain to me why any cluster is attached to the internet? I'm assuming these are externally routable addresses. I just don't understand why you would do this.
Someone is sniffing passwords off the network (telnet or http sessions probably) or cracking badly chosen ones
They could be using hardware keyloggers, in which case NO machine is invulnerable.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
...Is that you cannot make sure your users are careful.
You pretty much have to assume that black-hats are going to be able to run escalation exploits and work accordingly. That or severely limit how users are allowed to interact with the machine (if they only need to access email or upload files, WTF should they be able to run anything else?).
But yeah, good passwords limit the opportunities.
Xix.
"Everything is adjustable, provided you have the right tools"
Every single god damn worm would not work if users would patch their god damn systems. That's not news. Tell me something new to support that "Linux is secure" myth.
Straw, meet man.
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system.
No one is. Work is always being done to find and fix vulnerabilities in *nix variants.
No OS can be fully secured
No one with a brain ever claimed that was the case.
Assuming that Unix/Linux is invulnerable to security holes is deadly.
See last comment.
Though the OS may have more security features and "more eyes" on the code than closed source operating systems
Which is true...
we must not rest on our laurels watching Windows implode while our own house is burning.
Last time, NO ONE IS.
Geez. I know your nick is "Obvious Guy", and that's pretty much all you're saying. Well, except for the entire argument about "watching Windows implode while we rest on our laurels", which no one is doing, talking about doing, nor thinking about doing.
Straw, meet man. I'm still befuddled as to the upwards moderation you consistently get, however.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
No, no, just ignore this. When Windows is being compromised that's cause for gleeful giggles and jokes on slashdot. When Linux is being compromised that's for social misfits to blush about and shamefacedly ignore.
When Windows is being compromised, that's cause for Microsoft to ignore, deny, and lie about the problem, and if that fails, spend a few billion dollars on PR. When Linux is being compromised, that's for knowledgeable programmers to study, work on, and fix the vulnerability.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Every day we see the constant stream of Microsoft security failures.
And those aren't minor, obscure failures. They affect millions of Windows users. They fill up our reject logs. And they don't require special conditions -- Windows exploits can hit you simply because you browsed a webpage, played an MP3, received an e-mail, or just by having your PC connected to the Internet.
In fact, not only was there a story about three new Windows vulnerabilities just two stories before this one, but Windows vulnerabilities set an all-time record in February for the number of new exploits in a month. According to The Washington Times, "Internet attacks in February caused an estimated $68 billion to $83 billion in damages worldwide."
And to counter the impression that Windows has bad security, we are presented with... wait for it... a single Linux site, whose faulty administration procedures have left their machines vulnerable to local exploits, requiring the cracker(s) to first sniff a password.
And then the parent poster suggests that the two are somehow equivalent???
How lame!!!
No, it doesn't... many of the same types of reports about windows attacks are ALSO due to UNPATCHED machines.
It's the one-eyed, severely slanted nature of the Slashdot readership that:
* Microsoft is evil, stupid, moronic, evil, nasty, unsafe, did I mention evil?
* Linux is the shining non-denominational grail.
For god's sake, there are security vulnerabilities in both, people... and they aren't taken advantage of within the *nix world, because... hey, guess what? The majority of users are computer savvy, and know about passwords and firewalls and not leaving ports open etc.
Windows users on the whole have issues programming their VCRs.
As you start to get what you want, which is widespread Linux adoption, you'll start getting more of the VCR no-hopers using Linux, not patching it, not having secure passwords... and GUESS WHAT? Linux will start having major security issues in the same way as Windows does now... not as severe most likely due to better design, but they'll be widespread... there'll be a doozy, and it'll cause all sorts of problems and then people will be "Hey, I thought when we all moved to Linux the world would be a safer place for me and my little children, but now that a vulnerability has allowed my Linux box to be used as a Spam mail distribution point, I feel dirty and scared. I might install XP again."
Stop being so damn one sided.
Well, there's two sides to that coin. Some say it's really bad to rely on libsafe because the underlying source never gets fixed, therefore libsafe becomes an indispensable middle layer you rely on more and more to protect legacy code which is inelegant. So in the long run it's much better to sort out the original source and do the job properly from the top. Just another 0.2c from a different school of thought.
The problem, among others, is that we don't have enough real punishment going on for hacking activities.
The problem is that the concentration of clue among sysadmins is just too low. If you are still running a do_brk vulnerable kernel 5 months after the vulnerability was discovered and patched and widely publicised (remember the Debian and Gentoo server compromises that were all over the news?), you deserve whatever you get. I mean, sure, if you were hacked on December 5, my sympathy goes out to you, but if you are running unpatched 2.4.22 right now, there is no excuse.
As for jail time for hackers: to justify that, you would need to show that a moderately skilled sysadmin, one that reads a security-related news source at least on a quarterly basis, physically cannot protect his/her system from a moderately skilled attacker. For example, suppose someone proved P=NP and made a polynomial-time ssh decryptor. Only then we would need laws against password sniffing, because once you let a government have a taste of regulating the Internet, it will not stop until it has, so to speak, filled its belly with electronic freedoms.
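The patch-level check the posts above keep coming back to (L8's "these exploits have been fixed" and the "unpatched 2.4.22" in the post just above), as an added example that is not the Stanford advisory's nor any poster's code. It compares a kernel version string against a small table of minimum fixed versions; the version numbers in that table are assumptions for illustration, so take the real cutoffs from your distribution's advisories before relying on it.

```shell
#!/bin/sh
# Added example, not from the Stanford advisory or any poster in the thread:
# report a kernel that predates the fix for a known local root exploit, so an
# unpatched 2.4.22 gets noticed by the admin before anyone else finds it.
# The fixed-version table below is an ASSUMPTION for illustration only.

# version_lt A B: exit 0 when dotted version A is older than B.
# A distribution suffix after '-' (e.g. 2.4.22-1-686) is ignored, and any
# trailing non-digits in a component (e.g. 22pre) are dropped before comparing.
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        # consume the component just compared, or empty the string if it was the last
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1    # every component equal: not older
}

# name:minimum_fixed_version for each local exploit the thread mentions.
# ASSUMED values used only to illustrate the check; verify against your vendor.
FIX_TABLE="do_brk:2.4.23 mremap:2.4.25"

# check_kernel VERSION: print one line per fix the kernel predates.
# Exit 0 when at least one fix is missing, 1 when the kernel carries them all.
check_kernel() {
    missing=0
    for entry in $FIX_TABLE; do
        name=${entry%%:*}; fixed=${entry#*:}
        if version_lt "$1" "$fixed"; then
            echo "kernel $1 predates the $name fix (needs $fixed or later)"
            missing=$((missing+1))
        fi
    done
    [ "$missing" -gt 0 ]
}

# Usage: sh kernel_check.sh 2.4.22          -> check a version you supply
#        sh kernel_check.sh "$(uname -r)"   -> check the running kernel
if [ -n "${1:-}" ]; then
    if check_kernel "$1"; then
        echo "ACTION: upgrade the kernel or apply the vendor patch"
    else
        echo "kernel $1 carries every fix in the table"
    fi
fi
```

The comparison is purely on upstream version numbers; vendors that backport fixes into an older version string (as Red Hat commonly does) will look "vulnerable" here even when they are not, which is why the table must come from your distribution's own advisories rather than the upstream release that first carried the fix.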
Do a fresh install of the original edition of Windows XP, and do a fresh install of Red Hat from the same time period. Which has more known security holes? They're probably quite similar.
Apply all known patches to each installation. Now which has more known holes? I think you'll find a list of things still currently broken in Windows, but Red Hat (and therefore other Linuxes too) will have their problems patched already.
The parent post looks initially like just another one of those "Linux has no holes and Windows is full of them" posts, but if you're looking at the situation five days after a security hole is announced, it's perfectly true.
Follow me
Well, get a refund on your Linux... oh dear, was it free?
When people pay $200 for something they expect it to damn well work - if it causes your $2000 appliance to become totally useless then anger can be justified, right?
If more people used Linux then more people would be making it easier for non-techs to use - so just BE PART OF THE SOLUTION and stop defending corporations, they won't be defending YOU when it comes to the crunch.
"Do a fresh install of the original edition of Windows XP, and do a fresh install of Red Hat from the same time period. Which has more known security holes? They're probably quite similar."
Not at all, my friend!!!
Red Hat from that time has exactly 0 (zero) remotely exploitable bugs when properly installed. Especially since it is a Red Hat from *that* time period: all bugs have been clearly stated for ages, and I *can and will* install with no service opened by default till I can upgrade to the latest known stable versions, and that *only* for services I really need (all the others won't even be installed, since I tend not to worry too much about software that is not even installed).
Now, try to do the same with XP: probably you won't even get to the end of the installation procedure and you will already be infected with some of the RPC hole bugs. And know what? You won't be able to do *anything* to avoid it, even knowing about it.
On the other hand, if I go for Microsoft I can imagine a bunch of reasons why I would want to install (or get some other way) an XP (or a Windows 2000, or 98 or NT), the major one being that's the product I paid for, and I don't want to pay for an unneeded (functionality-wise) upgrade. But this is *NOT* the case for Linux distributions. Why the heck would I want to go with "a fresh install of Red Hat from the same time period" when I can have "a fresh install of Red Hat from *this* time period" with no cost implication?
It seems at first glance that comparing XP with a Linux from those days is a fair comparison, but it is not, because Linux is free and open source, so you really don't need to go with the older product just because that was the license you bought!
And know what? Your comparison ends up so lamely because Microsoft products are made that way *by design*. Think about it next time you are going to buy another Microsoft license.
First, no one ever said Linux was invulnerable, just inherently more secure.
Second, I actually read the story. There are three methods of access to the compromised machines listed in the article:
"sniffing passwords, cracking passwords from other compromised systems, or by triggering vulnerabilities in remotely accessible services."
Windows is vulnerable to both sniffing passwords and cracking passwords from other systems, so the only Linux specific problems are in the remotely accessible services. The article lists two specific Linux exploits that were used to access these systems, do_brk() and mremap(). I then read the security alerts for these two exploits. do_brk() is specifically vulnerable to attacks by rsync and mremap() appears to only be useful for local permissions escalation (meaning a password has already been cracked).
Having never worked in a University, I don't know how hard security is to maintain, but in my environment I don't run rsync on any machine that is accessible to unauthorized personnel. Looks like this could easily be attributed to poor system administration. A good firewall would have taken care of all of these problems without having to patch the kernel.
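The two defensive points that recur in this thread, that passwords get sniffed off cleartext telnet/http sessions (the "sniffing passwords off the network" post) and that a service like rsync should never be reachable by unauthorized hosts (the post just above), reduce to one audit: which sensitive listeners are bound to every interface? Below is an added example of that audit, not code from the advisory or from any poster. It reads `netstat -ltn` output (the column layout is assumed to be the net-tools one; `ss -ltn` orders its columns differently), and the port list it flags is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the advisory or any poster: flag cleartext or
# sensitive TCP services that are listening on all interfaces, i.e. the ones
# whose passwords can be sniffed (telnet, http, pop3) or that should only be
# reachable from trusted hosts (rsync). Input is 'netstat -ltn' output.

# port:name pairs to flag when bound to a wildcard address.
# This list is an assumption for the example; extend it for your own site.
FLAGGED_PORTS="21:ftp 23:telnet 80:http 110:pop3 143:imap 873:rsync"

# audit_listeners: reads netstat -ltn lines on stdin and prints one line per
# exposed flagged service. Exit 0 when nothing is flagged, 1 otherwise.
audit_listeners() {
    found=0
    while read -r proto recvq sendq laddr raddr state; do
        case $proto in tcp|tcp6) ;; *) continue ;; esac    # skip headers and udp
        case $state in LISTEN*) ;; *) continue ;; esac     # tolerate a trailing PID column
        port=${laddr##*:}
        addr=${laddr%:*}
        case $addr in
            0.0.0.0|::|'*') ;;   # wildcard bind: reachable from every network
            *) continue ;;       # loopback or one specific address: not flagged here
        esac
        for entry in $FLAGGED_PORTS; do
            if [ "${entry%%:*}" = "$port" ]; then
                echo "exposed ${entry#*:} listener on $laddr: restrict it with a firewall or disable it"
                found=$((found+1))
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of 'netstat -ltn' output for the demo (not a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# audit_sample: run the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
}

# Usage: sh listener_audit.sh --live   -> audit this host's real listeners
#        sh listener_audit.sh          -> run the constructed demo
if [ "${1:-}" = "--live" ]; then
    if netstat -ltn | audit_listeners; then echo "no exposed flagged listeners"; fi
else
    if audit_sample; then echo "no exposed flagged listeners"; fi
fi
```

On the constructed sample the audit reports the telnet and rsync listeners on 0.0.0.0 and stays quiet about SMTP on loopback, HTTP bound to one internal address, and SSH, which is the distinction the "good firewall" remark above is really about: a service bound to a specific trusted interface, or filtered to trusted hosts, is not the same exposure as one bound to the world.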