Slashdot Mirror
Fears of a Conficker Meltdown Greatly Exaggerated
BobB-nw writes "Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. A 60 Minutes episode about the worm on Sunday will stoke concerns. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said."
that never happens.
... either way. The only certainty is security experts have differing opinion on this.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
You just don't know what payload will be downloaded on April 1st.
It could be your standard 'DDoS and Spam Run' package, but imagine what would happen if all these drones were used to start exploiting an unknown vulnerability, think SQL Slammer...
April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.
I.O.U One Sig.
If everyone were using something else. Lets say linux or OSX Then whe worms would be tailored for those environments. As those environments are not in the majority, they are a poor choice for a botnet.
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
After April 1st, this thing will be drawing from more domains than can be blocked for future updates. It sounds like it'll be much more entrenched and difficult to combat if that happens. So this advise sounds a lot like 'Well, the gangrene has spread from your foot up to your knee, but it's not a problem'.
Knock the last 4 words off of that, and you are right, keep the last 4, and you are a troll.
Windows is generally ill equipped by default, and because of its population density is a larger target, but a huge part of the blame is the ignorance of it's users.
The last virus I had that did any damage to my personal files, or necessitated a reformat, was 7 years ago, the last one that did any sort of "hostile" act was Blaster, which took about 3 minutes to fix.
Pay attention to where you are going, and you wont fall off the road... If You Walk Without Rhythm, You Won't Attract the Worm...(lol had to)
But the problem would be substantially reduced.
Help keep my job interesting. And more relevant. Geez, now I'm in league with the narcs - if there's no crooks, I'm out of a job.
Build your own energy sources from scratch. http://otherpower.com/
Seems like Windows Update is always failing with random errors. Maybe MS could buy up this technology to fix their own? ;)
Here's hoping for no such meltdown.
This thing going stupid on April 1st would just add to my birthday present.
"Happy birthday, Orb. Now get back on the phones, we're all hands on deck for lusers calling in with that Conficker crap."
Now, of course, I'm wondering just where can someone stick the cork to stem the possible flow that this little barstard is going to cause to divert the most damage?
Also, just how big does the cork have to be?
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
Current Windows inherited most of its security problems from DOS and Win16. In fact Windows XP was the first "home desktop" Windows (given 2000 was marketed for office use) to use memory protection at all. Prior to that a process could read/write anywhere, which effectively meant there was no security of any kind.
And since most applications require administrator access to run at all, including most server applications, even having memory protection is reduced to the effectiveness of chewing gum. With administrator access, any application can insert itself as a shim into any other application.
Then even when you do narrow down to the few applications that run with pure user access, and run that way all the time, there are plenty of privilege escalation holes to get that administrator access back.
It's swiss cheese from the ground up. Users cannot be expected to be tech geeks just to be basically secure. Certainly if they run an untrusted binary, their personal files are forfeit, but by no means should that be allowed to spread to the whole system (of potentially thousands of users) nor the whole network via server software running as administrator.
Sam ty sig.
I would like this thing to actually shut down all those computers that are infected. It would save quite a bit on energy and actually be quite useful. If there would be a way to permanently disable a computer (flash it's BIOS with a bad image) then maybe it could stimulate the economy. Another thing would be to simulate a 56k connection on all those machines. Finally the intertubes would be cleared of a lot of clutter by people trying to get to awful flash 'movies' of random people on Facebook or MySpace. Another thing would be to register every IP that the computers are connected to as potential spam hosts to well-known spam registries.
Of course if some host is infected and some life or death situation is dependent on it, the blame should be placed on the IT administrator or the vendor, not the creator.
It will be interesting to see what will happen.
Custom electronics and digital signage for your business: www.evcircuits.com
And your inability to spell out your words or use proper grammar makes you so much better, yes?
I've been following storm, and that has dropped off the face of slashdot, and other worms, this latest conflicker is getting an article once or twice a week, but unless i missed something, how does one prevent/detect/remove these worms? All the news articles seem to think that its a foregone conclusion that your (or someone you care about) system WILL BE ASSIMILATED. I run windows, but I practice safe browsing ( I wrap that rascal by not downloading willy nilly, using outlook for e-mail, and use no-script and abp in firefox, all of which is running on an up to date windows XP build running behind a NAT router), am I infected? Will AVG tell me if I am? Would NAV or {other antivirus} tell me?
Wikipedia has info on how to detect and remove using most major antivirus running the latest update. But why don't the news-writers seem to recognize this? Why must every infection be a death sentence to support some nefarious plot with your unwitting computer?
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
If everyone were using something else. Lets say linux or OSX Then whe worms would be tailored for those environments.
I'd like to see a worm tailored to my custom-compiled hardened 64bit gentoo. Linux is not a monoculture, only in source code form. You cannot target it the way you do windows.
I'm just waiting for someone to realise that April 1st was a spoof, and the attach will actually happen March 31st!
Exactly! That's why Apache installations are the most-compromised servers on the net!
Oh, wait...
I'd like to see a worm tailored to my custom-compiled hardened 64bit gentoo.
If you would read, once more, the post that you quoted, you might notice that it says "If everyone were using something else, such as Linux or OS X." Allow me to define "everyone" for you.... "everyone" is a pronoun meaning "Every person; everybody." "Everyone" cannot custom-compile their own Linux kernel with security in mind. "Everyone" cannot even custom compile their own kernel, period.
The grandparent said that Linux and OS X are a poor choice for a botnet because they are in the extreme minority, but if one were to ever become the majority, black hats would write trojans for that OS. I can assure you that if Linux were to become the majority of the OS market, there would only be a small handful of different compile configs used for 99% of those computers (much like Windows)... none of which would be custom for specific hardware or have extreme security in mind.
tl;dr you completely missed the point
Indeed.
The same year that is the "Year of Linux on the Desktop", will also be the "Year of Malware on Linux". Computer crime is profitable, and if Linux were to dominate the market, then it would definitely be targeted.
Maybe malware will be _slightly_ less prevalent than currently (and profits slightly diminished). But Linux (and OS-X) aren't so much more secure than Windows that they would be invulnerable to the hordes of clueless users/admins that "Year of the Linux Desktop" implies. The huge majority of Windows pwnage has the root cause "operator error".
Posts like this make me think that you've never done any tech support for the average home user in the real world.
Sure, those of who know what we're doing can avoid problems.
That doesn't hold true for the vast majority of windows users. If it did, it wouldn't be a problem.
It's the same kind of thinking that led to the problem being existent in the first place.
Don't get me wrong - I make a fairly nice side income doing tech support for home users on the side.
But I'd much rather go back to teaching people *how* to use their computers - actually making a difference - than fixing broken windows installations and removing viruses, even if it is much more profitable.
Call me old-fashioned or whatever, but that's what I'd prefer.
I'm not necessarily bitching at you in particular. I just remember what it was like, a long time ago, to spend my computer support time solving problems that didn't involve malware infestations. *Teaching* people how to use their computers. I miss it. It was fun. This isn't.
So anyone who says "Oh, I can keep my machine virus free" - whoopdefuckingdoo, so what, so can I. Most people can't, and it's because Microsoft can't write a decent *secure* fucking operating system to save their stock options.
Oh, and get off my damned lawn ;)
(Irritable? You bet. I'm a curmudge-only middle aged bastard...)
I can vent, can't I? *grin*
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
I was looking for some cheap schadenfreude...
Sure they did. Their users and those users expectations.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
You mean having 10x users would reduce the number of different configurations? I don't know what you're smoking, but give me some.
Actually, it would probably be safe to assume that it would. Mass take-up of Linux would either require or force standardisation, and with that would come a form of 'same-ness' that would be open to attack.
Yes, because everyone is an idiot but you. They're not smart enough to deserve the internet. Let us take their PCs from them.
Space Shuttle was a program that strapped humans to an explosion and tried to stab through the sky with fire and math
That is, assuming that EVERY last computer user is running the exact same distro and the default programs on it...
If you create a worm that targets Pidgin, well then the Kopete users are safe (so long as Kopete doesn't share that very same flaw). That's the thing about Linux, each environment is too different. This makes mass-scale infections like this a bit more difficult to accomplish. Not to mention Open Source tends to have fewer exploits overall.
Security by Obscurity is a myth. If it wasn't, then why are Windows servers compromised much more often than *nix based ones, even though they're the minority?
Please oh please stop with the FUD. Security is not equal to the number of "critical" vulnerabilities you fix every week, regardless of what certain parties would like to say otherwise about it.
While what you say is technically true, (no OS is completely immune to malware) Linux simply has more hurdles that malware must jump over before a system can be infected. (people typically not running as root, fewer ports open, most software coming from "sterile" sources like official repositories, etc.) At least one of these obstacles is usually enough to stop most infection attempts before any damage is done. However, when users get lazy or careless and bypass these lines of defense, infection is possible if there is a type of malware able to exploit the opportunity at that exact moment.
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
You mean having 10x users would reduce the number of different configurations?
Precisely. And that's because the only way that Linux will EVER have that kind of market share is if it becomes a standardized very easy-to-use OS, supplied by all OEMs, that won't require any sort of customization to get it working whatsoever. Sure, each hardware vendor might have their own flavor, but they would still have mostly the same features and functionality. Seriously, the general public is too stupid to make proper use of Linux. I don't know why you people even try to force its adoption.
Teaching people how to use their computers and fixing hardware problems when they come up is a helluva lot better than repetitive malware removal.
More fun, anyway.
Frak. I'm getting old.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
They might try to tailor their junk for these environments, but it's like the difference between a normal car (windows) and a car coated with teflon with a motion sensing machine gun on top (OSX/Linux), with the worms/viruses/malware being a type of graffiti paint.
Graffiti will stick pretty well to a normal car (and if you tend to stop in the more seedy parts of town than others, you have more of a chance of having your car "tagged" too), but it's not going to be very effective on the teflon coated ones and the owner is going to have to be silly enough to log in as root to disable the guns so the criminals can get close enough in the first place.
The argument that the reason why windows is being attacked is because it has a majority share is an ass backwards way of thinking about the issue.
Windows is targeted because it's "security" is inherently flawed, it's security isn't flawed because it's being targeted. The fact that it has a majority share is just an added bonus for these people, but it has nothing to do with the underlying problem, (though it certainly does help the problem grow by orders of magnitude).
I'm reminded of Dan Dennett's Ted Talk where he insightfully points out that, we don't like chocolate cake because it's sweet, it's sweet because we like it.
Another way of looking at it is like this... Houses aren't unoccupied, unalarmed and filled with artwork, expensive stereos and silverware because someone wants to break into them, someone wants to break into them because they are unoccupied, unalarmed and filled with artwork, expensive stereos and silverware.
If OSX or Linux took a majority share of the desktop, the problem wouldn't shift like you are thinking it would. Granted, there would be an uptick in attempts and there will inevitably even be a few holes to patch up that were previously unknown, but there certainly won't be an equivalent to the 100,000+ viruses that exist for Windows.
Why are we discussing Windows/Linux/OS X preference at all? Does anyone have even the slightest clue how ignorant these statements sound? Replies like "My custom compiled super secure xxxxxx install is impervious to all attacks from anyone..." are inflammatory and pose no useful, relevant, or even accurate account of how things work in the real world. Don't be dumb. That's the best advise anyone can give. Someone please drop a comment that has useful information regarding the subject. It may actually contribute to understanding why this is doing what it is doing. When the aim of the ploy is understood, we can take steps to mitigate the damage and prevent future nonsense from happening.
Good grief it sucks to be associated with idiots like you.
Respectfully,
A programmer/technologist/"IT" guy
Also their applications, and their applications and programmers' expectations... which needless to say are extremely (cough*AdministratorALLTHETIME*cough) insecure.
Boot Windows, Linux, and ESX over the network for free.
If there were only one Linux. There's not. There are thousands. The kernel itself doesn't require services that need open ports and application level security is a per-distribution thing so no two are going to have the same set of vulnerabilities. Linux is not a "monoculture".
We live in the world as it is, not as it might be. What-ifs really aren't worth spit. You can choose to run an OS that was vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red and will be the target of the next six. Or not. It's up to you. Don't try to pretend that there's no functional security difference between the two because that's absurd. Add up the amount of data that was and will be compromised by that list of malware and you have enough to bring the world economy to a screaming halt. Between them those computers probably had access to financial or personal data on a majority of people who've had a digital record and more corporate secrets than should be in a hundred data pools.
What the other guy does shouldn't matter. It should be about being responsible with the data entrusted to you, about being a good steward of your own gear. If you are in IT then your customers are counting on your professional expertise to save them from inadvertently disclosing information via system compromise, and that's a solemn duty. From that perspective the choice is clear. If you can choose to not be a target why would you not leap at that option?
Help stamp out iliturcy.
That brings to mind exploits for very common distributions that I've seen in the past.
But, in reality there have been some nasty ones. How many versions of OpenSSH were exploitable? I remember having the exploit, and running it against our own equipment to see what it would break. I love trying to break my own equipment. If I use the same script kiddie code, and I can't get in, neither can they.
Of course, it helps to have many things protected. I prefer to have SSH on a different port, with the firewall rules disallowing anyone to connect from anything but an authorized network (I love default DROP rules). Most exploitable things have only been available to my authorized networks, and only if they knew our port scheme.
Serious? Seriousness is well above my pay grade.
Mass take-up of Linux would either require or force standardisation
Yes. Protocols and user file formats, but not binaries. On some level, we already have even that with ELF.
And since most applications require administrator access to run at all...
Cite?
100% of the applications that my employer creates require only regular User privs. Also, 100% of the userland code running on my Windows (Server 2k3 , BTW) machine at home runs w/ regular User privs.
Hell. Even Process Explorer runs as an unprivileged process.
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
They're trying. Microsoft has released a patch that supposedly blocks the primary vector (a vulnerability in the Server service affecting all Microsoft operating systems since Windows 98), and updated their repair tool MSRT to detect and remove it (download it from a machine that's not infested). It has probably removed it from several million of the estimated 15 million infested machines. Microsoft is working with ICANN to block registration of the generated domain names in the case where they're not yet registered and the owners of the domains that were previously registered to mitigate downtime. Every managed service provider and major IT shop I know of has pushed out all of this stuff. Unfortunately, this is not even close to enough. The secondary vector, autorun, is pernicious. This thing is now on the root thousands of major shares and every time they remove it one of the thousands of Conficker clients puts it back. It's on millions of pen drives, millions of backups. It's been burned to millions of CDs. It's on iPods and mp3 players, Blackberries and iPhones and Windows Mobile phones, picture frames and DVDs. It's probably now in the root of DVD ISOs distributed via all the popular media distribution sites. Tertiary vectors include compromising network neighbors. Your grandchildren are going to be installing this thing if they don't figure out the whole "autorun is stupid" thing.
This thing is really very well engineered. The next one will be even better. And the next one better still. If you're in a Microsoft shop you're going to be working half your holiday weekends for the rest of your career, and a lot of planned vacations too. Remember that this is not the only Windows malware currently making the rounds. There are at least three major development groups and all of them have active botnets and a release schedule for new exploits.
We've been playing this game for a long time and the black hats are getting more proficient than the white hats. The problem is that the target platform - Windows - cannot be made invulnerable to these threats without defeating its main selling point: application compatibility. Most of the people who work with this toxic stuff do their development on BSD, OS-X or Linux and refer to Windows boxes as "targets". If Microsoft makes Windows so secure that this junk won't spread, most of the apps for it won't run. You might as well run an OS that's not a target now as wait for that to happen.
But TFA is right. April Fools is the day the botmaster begins to harvest his crop of bots. May 22 is more likely the beginning of operations. I could be wrong about this because I previously guessed January 16.
Help stamp out iliturcy.
Destruction of property is not helpful for the economy. Any money that people have to spend on computers, they can't spend on something else. Sorry no free lunch here.
So what is exaggerated? How much people are afraid of Cornficker or its potential to cause damage?
Neither. The fear is warranted because the potential damage will almost certainly be realized to a significant degree. It's already proven its capacity to cause damage or we wouldn't be talking about it. What's exaggerated may be the April First date. April 1 might just be a mode shift day planned by the programmer where the thing goes into a "less stealthy" mode in order to improve a node's chances of catching a control.
For each 1% of infected systems that attach with a successful domain hit, the botmaster will have a net of 150,000 zombies to give up their secrets and do his bidding. Remember that he can continue to sow his infectious apps and reap his harvest of bots for the rest of forever while his owned bots do his work. If the rest of his network is as bulletproof as his infection apps, he's not going to be caught and this is going to be a bad one. The worst case would be if the app started to look at DSNs. What grouped databases might your clients have access to? Would there be SSNs in there? Maybe credit applications? You wouldn't have transaction processing on this consumer grade crap, would you?
I have to admit that I was at first dismissive of "The Cathedral and the Bazaar". It turns out that Eric S. Raymond deserves some credit for capturing a primitive truth and crystallizing it into an essay, even if the elements were common knowledge at the time. It turn out that this work defines the source of this problem and contains the cure.
Help stamp out iliturcy.
Don't be a target. Use some system that doesn't have these problems.
Help stamp out iliturcy.
a0) Hardened Gentoo does run on a couple of exotic arches. Check out their homepage.
a1) I'm not sure that the underlying architecture is *really* going to make that much difference WRT a system's susceptibility to malware attack. We have software replacements for hardware DEP. We have ASLR and other exploit foiling schemes.
b0) GJ @ making an allusion to Ken Thompson's theoretical trojaning of GCC. You lose points for either: making your allusion extremely obtuse, or not mentioning Thompson to your student.
b1) We have mechanisms in place these days that help prevent this sort of trojaning in the future, and provide quick damage control and containment if it ever should happen again. Granted, your computing system is only as trustworthy as its least trusted component. (How many of us have audited the microcode in our CPU? The code in our BIOS's? Hell, how many of us secure our hardware when we leave our houses for the day?)
posting anonymous because I know the windows users will mod me down, but as an uninvolved bystander (I wont name my platform but I no longer touch windows) I find the whole thing incredibly amusing. can you imagine if a particular model of a particular car manufactures electronics system could be compromised by filling up at a particular fuel station; possibly turning the cars into moving timebombs on a certain date. do you think we'd all be sitting around wondering what is going to happen on that day? no fucking way, that model car would be recalled as a danger to public safety. but because its windows and everyone is too scared to cut the fucking cord we end up in this situation where we know terrible shit is going to happen april 1st and nobody is doing anything about it at all.
I know my network will be running smoothly on april 1st; I hope my ISP can say the same. I really hope everyone infected with conficker gets their hdd zeroed. these days it seems like things have to get so far beyond bad before people get motivated to change their bad habits it's just not funny... even as someone who's not directly affected by the stupidity.
Why are we discussing Windows/Linux/OS X preference at all?
If you want a system that's not vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red, you need look no farther than "anything that's not Windows".
Help stamp out iliturcy.
Riiiight. That's why I can create folders with sames such as "COM" and "LPT" in those OS's, right?
Out of curiosity, if what you say is true (Microsoft can't write a secure OS) then how is it that you *are* able to keep your machine safe? I keep my machine clean too, and I don't even take exceptional levels of paranoia... with one exception, I won't run anything downloaded without vetting it very carefully first. Since downloaded malware - trojans, usually - aren't really the OS's fault, and since it's Windows' fault that there's so much malware on the platform, there must be something else...
You could try third-party security software, but most of the third-party software out there seems to be more hindrance than help - antivirus is generally reactive, and Windows Firewall (especially in Vista) is quite a good enough proactive defense. Other (non-security) third-party software is actually an attack vector - everything from Flash player (all the time) to Firefox (no matter how fast they patch known holes, its the unknown ones that get you). Some of them *might* be safer than alternatives (Firefox, again... though it would help if they'd use the Low Integrity sandbox that Vista and up provide).
You can point to all the stuff that runs as Admin on Windows, but that is the fault of users and/or developers. A smart user (who certainly doesn't log in as Admin) can usually even change a few security settings (program writes to its install directory? Make the location user-writable) so that the program will run as a standard user. Still not Microsoft's fault - their software is generally very good about respecting standard users - unless you count the default user created on Windows proior to Vista being an Administrator.
Vulnerabilities in the software that the OS ships with have certainly been a problem in the past, but these days they are less and less so. IE still isn't impermeable, but vulnerabilities have become much rarer, and it's a lot harder to exploit them now with DEP, ASLR, and Low Integrity restrictions. Actually, with the exception of Low Integrity, the same applies to pretty much all Windows-included software.
So... what, exactly, makes Windows security so much Microsoft's fault, aside from the fact that as the most common desktop OS, they also have the most ignorant/idiotic desktop users?
There's no place I could be, since I've found Serenity...
What do you mean by "current Windows"? Windows XP?
Even Windows 3.1 had memory protection because 80386 had memory protection (segmentation) and virtualization. So no, applications could not just write anywhere in the memory space.
And no, most Windows applications to NOT require admin privileges. Welcome to 2009.
One of the biggest misconceptions about the current Windows (XP, Vista, Windows 7) security is you only have two kinds of users. This is simply not true although Windows only gives you basic access to those two options. You can perfectly well have local admins and network admins which have different privileges. Local admin would have zero privileges to the whole network, for example.
Flamebait? I thought it was funny myself.
I don't like windows just as much as the next guy, but this is a pretty dumb statement. Users are targets, the OS is just a medium.
*sigh* I really shouldn't feed the Trolls, but one that uses the word "dumb" in almost every sentence in their post, obviously has an affinity for the word and needs some help.
In some instances, users are the "audience" (e.g. adware, phishing, etc) but that's only secondary, their systems are still the target. Unless the malware/virus writers start programming in AminoAcid++, they can't "target" a user, only their systems. And when someone's system is infected by a botnet and that botnet then launches a DDoS on, oh, let's say whitehouse.gov, is that user the target? No. Is Obama the target? No. Is the whitehouse.gov webserver the target? Yes.
So I'd be careful about telling someone that they said something dumb when you follow it up with a clueless statement of your own. But, perhaps you already knew that, since you posted anonymously.
OK, if you must phrase things in this backwards 'clever' way, how's this:
Malware doesn't target dumb users because they use Windows, malware targets Windows because that's what dumb users use.
Feel better?
You obviously missed both the point of logic and the point in general.
I won't try teach you logic, but I'll reiterate the larger point. Malware doesn't target windows because that's where there are "dumb users", it targets windows because that's where the "security" is dumb.
I've met plenty of "dumb users" using OSX, but they aren't getting infected, nor will they ever be to the same extent that their windows brethren are even if MS folded tomorrow and Apple spiked to a 90% market share. Why? Because *NIX security is not inherently flawed like Win* is.
Dumb users will use an infected machine until it no longer functions or something else makes them stop. Smart users know how to use their system in a less risky way, preemptively make their system less vulnerable (e.g. applying updates, using a firewall, using anti-virus).
Guess which OS more dumb users are using?
First off, there are plenty of smart people out there who use Windows and I don't fault them their choice. It's there's to make after all. It's not like they can't afford an alternative or anything.
Secondly, your personal attacks/slights do not add anything positive to the image of our community and in fact, do us a great detriment. Calling the other side dumb is stupid, calling them stupid is asinine and calling them asinine is vacuous. So please stop doing that. We want to be welcoming, not scare them off with psychobabble.
That being said, you can be as smart as you want, keep your system patched, use a firewall, use antivirus and only visit a handful of known and respected sites run by big companies and while all of that effort might make you "less vulnerable", it won't make you invulnerable. At some point, some well crafted packet is going to come in on that wire and it's going to 0-day exploit your up-to-date system. Or one of the few sites you visit is going to have their server compromised, either through a 0-day or because they aren't as carefull as you and when you visit their site tomorrow IE is going to happily hand your system over to a botnet via ActiveX or some other nice friendly hook MS left exposed for such nasty things.
Would be counter productive. Cant make any money off the botnet that way.
Really, even crashing the infected PC is the same. The days of 'dangerous' viruses have long since past.
---- Booth was a patriot ----
I run linux. :)
The windows box only gets booted up once in a while, and I always have a ghosted copy of the install handy. Oh, and Avast! and SuperAntiSpyware, HijackThis, etc...
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
If some fuckwit walked up my street with a hammer smashing car windows every day, then destroying the hammer would certainly help the economy.
Destruction of property is helpful for the economy if the property is doing more harm than good.
Hardly.
What about all of those people who bought those Wal-Mart Everex boxes last year, or the people buying those MySpace PCs, or the people who buy the Dell inspiron mini 9s, for example?
Those are mass installs that are basically cookie-cutter installs of Linux right down the line. Most likely, these machines never get swapped to a distro that has balls, so a number of them exist in the wild, old security vulnerabilities and all.
Granted, they're in the extreme minority, but they too should be ownable, especially if the target PC's owner is a Happy Clicker.
tl;dr: not everyone knows not to accept everything the computer says as gospel.
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
Most ironic would be that after update they would patch Windows up to lastest update, clean themselves and leave informational message on screen about computer security. That would rock :)
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
Generally linux users are more computer savvy and don't go opening every email attachment they get.
Microsoft aggravates my tourettes syndrome.
Security experts claim fears of a global internet meltdown have been gr
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
So anyone who says "Oh, I can keep my machine virus free" - whoopdefuckingdoo, so what, so can I. Most people can't, and it's because Microsoft can't write a decent *secure* fucking operating system to save their stock options.
Most people can't because keeping something secure requires a security mindset that most people can't/don't/won't adopt. These are the same people that hold a security door open for a waiting "delivery man", leave their spare house key in the obvious fake rock, answer telephone surveys with all of their personal info, etc. It has nothing to do with the OS. I've had to teach some _smart_ people running Linux why downloading random .rpms/.debs/binaries is a bad thing.
Destruction of property is not helpful for the economy.
How that be? I've been watching Congress and the President and clearly they think destruction of economy is helpful for the economy...
You are in a maze of twisty little passages, all alike.
Of course, it helps to have many things protected. I prefer to have SSH on a different port, with the firewall rules disallowing anyone to connect from anything but an authorized network (I love default DROP rules).
Simple precautions like that can go a long way. I used to get thousands of brute force login attempts every day on port 22. I moved ssh to a different port two years ago, and have not had even one since then.
Of course this could all get changed or enhanced with an update that could occur on April 1st.
Now, what I want to point out with this comment is that you can end up with a complete infected LAN by only having overlooked or spared out just one system that remained unpatched and here is why:
If you happen to end up with an infection of a system and you log in as domain admin to it the virus has got everything it needs to spread to every system, particularly to the central file server. And if you do not happen to run an AV client for real-time monitoring there or if an updated version is not detected by the systems AV client signatures, you can get infected pretty badly.
When Conficker has domain admin privileges, it creates scheduled processes to execute a copy of itself on remote systems. In order to prevent this, you can either disable the scheduling process or you can write-protect the Root folder on your central file server.
So you might want to CYA and make sure that:
"the namespace as every day has a different unique namespace of 50,000 domains"
Yes I am aware of that. But it still increases the number of domains watched over time. i.e If the update was guaranteed to be on the first day, then they would just have to register those 50,000 domains to prevent the author from doing it, or put watches on those domains and investigate everyone who registers them. But if it's unknown what day it will occur, then they have to watch a different set of 50,000 for every potential future day it may occur on. That's a lot more domains they have to investigate/register/watch over time and for future possible dates.
e.g if it costs $1 for every domain watched/investigated, then it will cost a lot more (read: be less practical to catch them out) the longer the author waits to do an update. An update on the first day would cost $50,000. An update after a few months could cost investigators $4,500,000+ to watch out for them.
I.O.U One Sig.
You can still have fun with those though. Give them a special purpose built SSH connection. :) I used to monitor the logs, and when I saw too many denied connections to port 22 (which no one should have been using anyways), I'd just set a default DROP from them everywhere. Ok so you beat on port 22, well, you won't find the real port either. :) More importantly, it looks like they crashed my server. Well, at least to their IP. To everyone else, its still alive and happy.
Serious? Seriousness is well above my pay grade.
Ok... so here's what I don't get:
Security experts are well aware of this botnet client and are keeping a close eye on it. They've picked the client bot apart line by line. They know exactly how it is supposed to behave on the client side, but they of course don't have a clue about the server side. So why can't they hijack the hijacker?
For example, say this client bot is programmed to go to IP address on April 1st and DL some update. Ok..., block that IP address on the internet or trace the IP address back to the owners and stop it there. Those don't seem hard. (ok... and before someone calls me an idiot for saying "block the ip address on the internet", what i mean is that you can get the major service providers, certainly here in the US, and potentially abroad to "lose" anything sent to a specific address.)
Ok... so let's say that the client bot is programmed to go to IP address to and ping each one to ask for an appropriate update, verifying each update against a specific hash key. Ok... then grab IP address and put in something that DLs a file that neutralizes the bot. There can be no hash key that the researchers can't figure out because they can pick through the entire client bot's code bit by bit.
I'm clearly not getting something crucial here, but it just seems that in all the moaning about how bad this is that it wouldn't be that hard for someone person to write some kill code for it as long as enough time and effort had already gone into understanding the client side code.
Someone please help out a clueless non-security, non-software engineer understand why this is so hard.
d
all language nazi's will burne in heil!
I'd like to think that the vast majority of internet accessible apache installations have been set up by someone with a least some idea about network security and administration. As opposed to the average Windows user.
Sure, trot out the obligatory teflon-coated car analogy. :-)
I like your point regarding inversion of causality. It's a nice way of addressing the reoccurring claims that Windows is attacked not because it's conveniently vulnerable to attack but because it's ubiquitous. Well, hey, water is a ubiquitous source of hydrogen so by the same logic I would expect to see the energy industry all over it. No? Oh dear, now I'm really confused.
Parity: What to do when the weekend comes.
Could you point some of us newbies in the direction of how to do this? I've moved my ssh port already too, but I don't know about DROP.
Stupidity is its own reward.
I've set up a few without knowing what I was doing. They are pretty easy to install nowadays.
Stupidity is its own reward.
Then you should know better than to believe what you hear.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
To move the SSH port: /etc/rc.d/sshd_config uncomment and modify the Port line.
# in
Port 1222
To block traffic:
I have mine in a big script that does a lot of automated things, like looping through friendly networks, enemy networks, etc, and building a full ruleset based on just a few arrays. You could use the following to do it manually. Just replace any variable (things that start with $) with the real value.
$int = your local interface
$ip = your local IP
$friend = friendly IP or network (like 192.168.1.0/24)
$sshport = your SSH port (1222 if used as above)
-- begin example code
iptables -P INPUT ACCEPT
iptables -A INPUT -s $friend -p tcp --dport $sshport -j ACCEPT
iptables -A INPUT -p tcp --dport $sshport -j DROP
-- end example code
That would:
Accept everything (a safe default).
Specifically allow request to that port from your friends.
Specifically drop all other requests to that port.
To wipe these settings out (like, if you mess up), execute:
iptables -F
A working example is as follows.
I am at work. My IP is 1.2.3.4
My server is 2.1.1.2
Another server is on 2.1.1.3
I run SSH on port 1234
I want to be able to log in from work, but I do NOT want anyone else, including the network my server is on, to be allowed to access
iptables -P INPUT ACCEPT
iptables -A INPUT -s 1.2.3.4/32 -p tcp --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j DROP
That's all you need. Now, I can SSH in from my office. If I SSH from another server, it hangs. Because I set the "DROP" rule, it's simply dropping the traffic.
You can set 3 rules by default. ACCEPT, REJECT, and DROP.
ACCEPT lets the traffic go through normally.
REJECT returns a "Connection refused"
DROP simply drops the packets, so to the remote side it's unsure if anything is even there.
A default DROP rule would be:
iptables -A INPUT -j DROP
Only (ONLY!) ever set a default DROP after you've defined your accepted networks and ports!!!!
In writing this, I made a little mistake. I hit the up arrow to rerun the DROP line, but change it to REJECT. I forgot to run the ACCEPT line first. Now no matter where I'm coming from, I cannot get in. The server is still running, but all SSH traffic is blocked. (I had another way in, don't worry.)
You can get fancier with it for logging. For example, you can make a new rule. I use "LOG_DROP". I put these lines in before any drop lines. You only do this once in your script.
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[FW_DROP] : '
iptables -A LOG_DROP -j DROP
Then instead of using the rule "DROP", I use the rule "LOG_DROP"
Now all dropped connections are logged for me. :)
I warn you though, when you set a default DROP for everything, this will make your logs get big really fast. If you're on a network with Windows machines, they babble to each other all day with lots of broadcast traffic.
You can give yourself some control over this, by logging say port 22, but just dropping the rest.
iptables -A INPUT -p tcp --dport 22 -j LOG_DROP
iptables -A INPUT -j DROP
That may not log warning that there's some new nasty that people are scanning for. There's a lot of malware that opens specific ports, which other people will scan for.
I recommend putting all of this somewhere like /etc/rc.d/rc.firewall, or /etc/rc.d/init.d/firewall, and adding it to your startup ap
Serious? Seriousness is well above my pay grade.
I've had to teach some _smart_ people running Linux why downloading random .rpms/.debs/binaries is a bad thing.
Versus the "screensavers", browser exploits, and other malware that are SO MUCH MORE COMMONLY used as malware entry points for windows?
Point out to me just ONE of those types of social attacks that are used against linux and Mac OS systems, that have been successful in infecting more than a very tiny - if any - percentage of machines running those operating systems. Or that COULD BE. You can't just download a screensaver or some other executable on any unix-based system, and have it execute automagically without specifically making it capable of doing so.
Jesus, man. Are you really trying to tell me it's just as easy to insert a userland executable into a unix-based OS that can frak the operating system to the root level as it is to insert one into a windows OS?
Are you out of your mind? Or just ignorant?
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Point out to me just ONE of those types of social attacks that are used against linux and Mac OS systems, that have been successful in infecting more than a very tiny - if any - percentage of machines running those operating systems. Or that COULD BE. You can't just download a screensaver or some other executable on any unix-based system, and have it execute automagically without specifically making it capable of doing so.
Execute automagically? Installing the binaries with root privs was implied. Just because a higher proportion of Linux users are clueful doesn't mean that social attacks stop working.
Jesus, man. Are you really trying to tell me it's just as easy to insert a userland executable into a unix-based OS that can frak the operating system to the root level as it is to insert one into a windows OS?
Yes
Are you out of your mind? Or just ignorant?
I am neither. I am annoyed with "admins" like yourself who think that Linux is magically safe. They blindly type in the commands to wget a pre-compiled rpm for "betterer th@n decss" from some .ru or .cn, and install it, because some guy on a forum somewhere said it was the best way to watch video XYZ or to compute FOO to the Nth degree. Then their workstation starts brute forcing port 22 on other people's networks, and I have to go to their office, smack them in the back of the head and tell them that sudo privs are not a right.
Thanks, that's a really detailed and well written guide there. I'll give it a shot. I've only really played with iptables once then I basically gave up but you've given me a lot of insight into how the overall thing works with this so I'll have another go at it. cheers.
Stupidity is its own reward.
Oh yes, I used the firefox plugin leetkey to decrypt your signature. It's kinda fun. I've never ever had to use it for anything else but decrypting slashdot user's sigs. ;p
Stupidity is its own reward.
Klez. Remember Klez? That was the tip of the iceberg when it came to automagic load-on-click viruses. Lots worse, now.
And I don't know what the ssh port has to do with what we are talking about. No desktop dist that I'm aware of has ssh servers even installed, much less enabled by default.
Although I'd agree with you if you are dealing with people who are trying to install distros and doing shit like what you describe. Beat them upside the head. But don't blame it on linux or the other unix variants - blame it on the idiot sysadmins. There's no such thing as an idiot proof OS - and neither did I imply there was.
There is such thing as operating systems that are MORE idiot proof, however.
Jesus, man. Are you really trying to tell me it's just as easy to insert a userland executable into a unix-based OS that can frak the operating system to the root level as it is to insert one into a windows OS?
Yes
I'm sorry, but you just plain don't know what the hell you are talking about. If you keep up at all on windows vulnerabilities, you should know better. So I have to assume that either you don't, or that you are an astroturfing troll.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
It took me a little while to understand how it works. I migrated from ipchains, so it was a world of difference, but I appreciated the larger feature set once I got the hang of it.
Ya, most of the guides are huge and complex, when you can do a lot of things very easily. I've been asked a few times, "How can I block this IP from attacking our SSH port". That's a one liner. You'll be able to derive it from what I posted earlier. :)
Serious? Seriousness is well above my pay grade.
So, what does it say? :)
Serious? Seriousness is well above my pay grade.
So UIDs are up to a mil and half now, huh?
Help stamp out iliturcy.
Does make & autoconf work on your custom-compiled, hardened 64bit gentoo?
There are no trails. There are no trees out here.
I didn't even know that this virus existed until yesterday, and it's like the pistachio scare--seriously, why doesn't the media just go ahead and say you're going to die (or at the very least our computers will)?
If wishes were fishes, we'd all cast nets. If wishes were horses, beggars might ride.
The lesson is that wishes aren't fishes, and they're not horses either. Also, some Linux Distro doesn't have 80% of the desktop market and what the world might be like if that happened is irrelevant. We live in the world we're in and what-ifs aren't worth anything against known threats. In the here-and-now world if you run Windows you're subjecting yourself to the monoculture that bred Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red. If you're not, then you're not. It's really that simple.
Also, you guys usually post this template crap AC. Are you tiring of this 'turf account?
Help stamp out iliturcy.