Linux Getting Harder To Crack
AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure, with fewer services enabled by default; added to this, newer versions of software such as OpenSSH are more secure. Interestingly, Solaris 8 and 9 did not fare so well."
Yes this story has already been posted. But don't worry! Since there is no link to Netcraft it will be duped again when there is official confirmation!
it takes about 3 months before an unpatched Linux machine will be owned
Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned
"A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past."
"A study conducted by the Honeynet Project has found that it takes about 3 minutes before an unpatched Windows SP2 machine is owned, compared with about 72 seconds in the past."
The game began at 10 a.m. on Friday. The VMS machine on the Green team was configured with the Apache web server. As we are aware, VMS is an extremely secure operating system. While many of the other boxes in the room, mostly Unix, Linux, and forms of Windows, and even a Macintosh, were compromised and subsequently attended to by their masters, the VMS system remained intact. Here is where a real security issue comes into play.
We were very confident of the VMS box, and a lot of interest was generated by it. In the spirit of spreading the good word and educating the people about VMS, we ended up answering a lot of questions about VMS, and showing how the machine automagically added user accounts, and demonstrated the various terminal games and web pages which had been created. We were also aware that, in this crowd of 5000+ hackers, someone might be able to weasel their way into the machine if any security measures were taken lightly.
As events would have it, we had an issue, which we did not understand, with the operation of the serial port used as the operators' console. At 2:00 a.m. Saturday morning the system manager decided to telnet to the box in order to do some routine checks. Using Telnet in an environment with 5000 hackers on your network is an insecure method of administering a computer system. A lot of people were fascinated by the VMS system, and had asked many questions about it, shoulder-surfing the console operator, who of course answered their questions in this friendly game of an environment.
One of the hackers who had been showing a lot of interest in the VMS box happened to be sniffing packets from the system manager's PC. He discovered the password to the account, a simple procedure any 13-year-old kid can pull off with ease after a little social engineering. The hacker logged in, placed a couple of text files (his mark for points) in the manager's user directory, and then notified the system manager in order to claim the points. There were no points for hacking the machine because the files were placed in a user directory instead of the `root' VMS directory. He was awarded 10 points for social engineering.
Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it. By using a telnet session on an open network, the system manager's login information was freely made available to anyone who cared to record it. Giving away your login info in this way to a hacker who subsequently uses it does not constitute being hacked; it constitutes an error in security procedure. The thought of improved security, such as some level of encryption for telnet on VMS, immediately comes to mind. Be very afraid.
The Alpha was disconnected from the haxor network, the serial port issue (our fault alone) was fixed, and the network was reconnected. The incident did not repeat, nor did any hack whatsoever of the VMS system take place during the event. The hackers bombarded the box with telnets and ftp attempts to every bizarre port number imaginable, obscure ports in the 40,000 range and more. The word of the early-morning incident had spread, and those seeking glory and a reputation besieged the box.
Another kind of social engineering, involving a clever lie intended to trap those who would think it cool to hack the NOC, was presented in this way: people came by with an IP address, saying, "here is the IP address for the NOC, have fun". It was really an outside IP address, and this was a ruse to make those who listened lose points for attacking sites outside the DEF CON network. Hacking outside the CTF network was forbidden.
As the game progressed, the goons announced that there were not enough hackers (huh? The tables were *full* of people). To make it more enticing, the point award for placing your mark in the root directory of a server
I just read an article at the Register (linking to an old article on http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm) about unpatched XP SP1 machines only surviving for 4 minutes when connected to a broadband connection. Within 10 hours the hackers had an IRC channel running on the machines.
because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.
To create a zombie for a DDoS attack, to host child pornography or warez, to use as a spam relay. All of these and more are reasons home computers are attacked. All they want are more systems in their arsenal, to make them more resilient and more effective. It doesn't make much difference if it's a home PC or a workstation in some office somewhere.
I have said it before and I will say it again: just because more and more people stand up to state how superior and ultra-safe Linux is won't necessarily make it so!
...) ...). therefore it is as questionable a time to glorify linux as it will ever be.
If it is indeed true what this study claims, then I am the first to applaud the kernel guys and the distribution makers.
But there are facts that won't change:
- software monoculture is BAD (no matter what the monoculture consists of)
- Linux is NOT the safest alternative out there (compare *BSD, VMS,
- there have been an alarming number of exploits both for the kernel itself (local root exploits, anybody?) and for userland applications (mplayer, mpeg123, mozilla,
SECURITY IS A PROCESS NOT A STATE!
Please, dear media (and also dear Slashdot), make an effort to educate people in security matters instead of putting some solution on the "security pedestal". Don't make claims about the absolute security of any alternative.
The complete solution is what makes and breaks security, not the components, and without adequate, highly trained and proficient personnel it will always be near impossible to achieve truly secure (whatever THAT means) solutions.
Well, at least the up-and-coming Unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end in itself!
jethr0
Gene Spafford was interviewed by LinuxPlanet a couple of years ago. He explains why Linux isn't completely secure; even though it is an outdated interview, I would like to say most of his ideas still make sense today.
Even if those honeypots are harder to penetrate, that does not mean drivers or the individual applications that many people use are designed with security in mind first. Hackers are always going to be around; all this means is that script kiddies are going to be able to do less and less to break into a Linux box, but more sophisticated hackers are going to want to try harder, and in time you will have the same problems. Just like in real life, an ADT system can make your home safer, but it does not mean you still will not get broken into. Plus, within this article you should be asking who the security experts are.
All in all, I would hope people do not read this article in hopes that Linux is their solution to security out of the box. In other words, if you believe in security, do not rely on the distro to be 80% secure; even if you locked the system up tight like you're supposed to, you still have a good chance of getting hacked. This article is just showing business people in the IT world that they can set up Linux and not need an administrator with good expertise to be hired; instead of that person they can pay someone half as much with little experience to manage the network because Linux is so secure. See where I am going with this article?
Red Hat, on the other hand, has moved to both turning no remotely-accessible inetd/xinetd services on by default and offers an easy install-time firewall that works transparently on workstations and very simple servers. The difference in exposure of vulnerabilities to attackers is tremendous. The vulnerabilities may still be there, but the attacker often can't get to them or can't get the same level of privilege out of them. For instance, running OpenSSH in privilege-separated mode the way most Linux distros do now means that some exploits don't work, while others only grant the attacker non-root access.
Linux vendors/creators have led the commercial Unix world in pre-install hardening - I like to think this is due in part to the success of Bastille Linux, a hardening program for SuSE, Red Hat/Fedora, Debian, and Mandrake Linux, as well as HP-UX and Mac OS X. Bastille ships on recent HP-UX releases and is available from both Debian and SuSE as a vendor-supplied package.
Technically it's more PAT (port address translation) rather than NAT (network address translation).
On Cisco it's also called "NAT overload".
NAT leaves you somewhat vulnerable; it's an address-for-address mapping (many to many). Don't feel secure with NAT without firewalling.
PAT is much more closed (many to one).
It's also true that everyone says NAT when they mean PAT.
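To make the "many to many" versus "many to one" distinction concrete, here is a small simulation written for this thread (not code from the original post or from any router vendor): a static NAT forwards any inbound packet to a mapped public address, while a PAT table only holds entries created by outbound traffic, so an unsolicited inbound packet finds no entry and is dropped. Addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class StaticNat:
    """Address-for-address NAT: each inside host owns one public address."""
    table: Dict[str, str]  # inside_ip -> public_ip

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        # Any packet to a mapped public IP is forwarded unchanged in port,
        # whether or not the inside host ever initiated a connection. A
        # daemon listening on the inside host is therefore directly reachable.
        for inside_ip, public_ip in self.table.items():
            if public_ip == dst_ip:
                return (inside_ip, dst_port)
        return None  # unmapped address: dropped


@dataclass
class Pat:
    """Port address translation ("NAT overload"): many inside hosts, one public IP."""
    public_ip: str
    next_port: int = 40000
    table: Dict[int, Endpoint] = field(default_factory=dict)  # public_port -> (ip, port)

    def outbound(self, src_ip: str, src_port: int) -> Endpoint:
        # Reuse an existing binding for the same inside endpoint, else allocate.
        for public_port, inside in self.table.items():
            if inside == (src_ip, src_port):
                return (self.public_ip, public_port)
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (src_ip, src_port)
        return (self.public_ip, public_port)

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        # Only ports that an outbound flow bound earlier have a translation;
        # everything else (e.g. a scan of port 22) has nowhere to go.
        if dst_ip != self.public_ip:
            return None
        return self.table.get(dst_port)


def demo() -> dict:
    nat = StaticNat({"192.168.1.10": "203.0.113.10"})
    pat = Pat(public_ip="203.0.113.5")
    unsolicited_nat = nat.inbound("203.0.113.10", 22)   # reaches inside sshd
    unsolicited_pat = pat.inbound("203.0.113.5", 22)    # dropped, no state
    mapped = pat.outbound("192.168.1.10", 51000)        # host talks out first
    reply = pat.inbound(mapped[0], mapped[1])           # reply follows the binding
    return {"nat": unsolicited_nat, "pat": unsolicited_pat, "mapped": mapped, "reply": reply}
```

Port forwarding on a home router is exactly a hand-added PAT table entry, which is why "PAT is more closed" only holds until someone opens it.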
What about client-side attacks, such as attacks against web browsers and email clients? These kinds of security problems comprise a large portion of attacks against Windows-based machines, and with the rising popularity of cheap routers that provide good protection to home users via firewall and NAT rules that will prevent direct attacks against daemons, client-side attacks will be rising in popularity over the next few years, and cheaply available firewalls won't do anything to help.
Of course, this kind of analysis would require a more involved approach to testing O/S security, rather than just installing an O/S, throwing it on the internet and sitting back and waiting for whatever randomly happens to it to happen, which doesn't really seem to be the way honeynet likes to operate.
Keep in mind that honeypots were originally intended to track the behavior of so-called blackhats, not to analyze the security of operating systems, and they probably aren't the best choice for the job.
Two issues with your Solaris admin experience:
1) Even way back in Solaris 2.5 (and probably before that, but that is when I started), you could just download the latest patch cluster, run 'install_cluster', and then reboot when you were done (if required... see below). That was it. No muss, no fuss... A new cluster was generated every 2 weeks for the lazy admin who wanted to stay up to date with patches yet not actually read the patch notes.
2) Nowadays, it's even easier... All you have to do is install the latest PatchPro. Then you can do several things. For the brave/stupid, you can run smpatch (the main PatchPro command) out of cron and have it automatically fetch and install the latest `non reboot` patches. For those of us who have to run under a change control system that requires notifying others of changes, there is `smpatch analyze`, `smpatch download` and `smpatch add`.
You can use the analyze command to generate a list of patches in order of dependencies and then feed that list into your change control system for tracking what you applied. The 'download' and 'add' commands then take that list, download the patches to the system and then add them to the system. (The 'add' command will also perform the download if you don't want to stage them ahead of time.)
If you made any 'major changes' like an updated kernel, you'll want to reboot. If you didn't apply any patches that require a reboot, then no problem, don't reboot. Some patches may say that they require a reboot, but a savvy admin (or a daring one) can get around those 'recommendations' by reloading the impacted kernel modules (Sun even has a way to hot patch the kernel for those customers that absolutely cannot bring the system down anytime soon).
Even 'apt-get update' needs a reboot when you change big things like kernels or major libraries (or at least restarting all apps/services/whatever that use those libraries, at which point you may as well just suck it up and reboot since the service is going down. You didn't think that those running apps would get all of those libc.so updates without restarting, did ya?)
And as an extra added bonus, smpatch only downloads signed patches and verifies the signature before installing.
Before you post another word on this topic, please demonstrate that you have the slightest idea what you're talking about by defining the following words for us:
1. Hub
2. Switch
3. Router
4. Firewall
5. NAT
6. Proxy
7. Modem
Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.
Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.
http://www.ietf.org/rfc/rfc1149.txt?number=1149