Duqu Attackers Managed to Wipe C&C Servers

Trailrunner7 writes with an update in the saga of Duqu and Stuxnet. From the article: "Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009. An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS ... There also is some evidence that the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially."

NO!

[masternerdguy]

Damn, not the command and conquer servers. My weekend is fried.

Re:NO!

I'm relieved. Thought either the "music factory" was screwed or..... I'd have to go back to drinking Shasta cola.

Re:NO!

Well it will give you a chance to get out of your mom's basement and smell the fresh air

Re:NO!

It is the Zionists that are the problem. They want to fry everyone and in good old carry on films "Frying tonight"

They didn't infect Kippo

I ran kippo on SSH. Hell of a honeypot, with the ability to replay sessions to watch how hackers think.

Re:They didn't infect Kippo

[mzs]

Kippo will not work for anyone but the kiddies. Did you change the default root passwords even? Those two are a real tip-off to a honeypot. Also there are hardly any commands, ifconfig never changes, and in this case /etc/issue says Debian and these people were after CentOS. If you had been hacked, you would have had the vulnerable sshd and no Kippo logs would have been the least of your worries.

Re:They didn't infect Kippo

Same AC here.

I actually rewrote many of the commands to appear more realistic. You can also change the output of various commands with a simple configuration change.

I also implemented better wget/curl support along with the virtual FS so it appears to be more accurate.

I agree about it being obvious to educated attackers. That's why I modified it. I enjoy watching the sessions on many of the servers I run for a large hosting company.

Umm, how about a little context?

[Evro]

Editors, your job is not simply to click "post." Read the submission and see if it makes sense. I have no idea what Duqu is or what this is about. I had to dig down 2 links deep to see that this was related to an attack in India. Context: provide it.

Re:Umm, how about a little context?

[martas]

Didn't the very first link in the summary do that?

Re:Umm, how about a little context?

What, do you want them to farking start with Adam and Eve???

Re:Umm, how about a little context?

Who are Adam and Eve and where they came from?

Re:Umm, how about a little context?

They're white people, I think, and not really relevant in our part of the world.

Re:Umm, how about a little context?

[ackthpt]

Editors, your job is not simply to click "post." Read the submission and see if it makes sense. I have no idea what Duqu is or what this is about. I had to dig down 2 links deep to see that this was related to an attack in India. Context: provide it.

It's about distributing a worm using servers which were largely set up, using default passwords or never updating anything. This is why it's so critical to have good, dedicated system administration, intelligent installation and follow-up support . Honestly. Most of these servers were likely built once and left to run on their own, without a single thought to maintaning or even checking for security updates. Lazy, cheap people never seem to learn. It's like leaving your keys in your car and being utterly stunned when someone actually steals it.

Re:Umm, how about a little context?

[forkfail]

Well, you see, Count Duqu was trying to trap Anakin Skywalker and Senator Padmé Amidala....

Re:Umm, how about a little context?

[mapsjanhere]

So, what you're saying is Linux, so easy even a Windows user could do it?

Re:Umm, how about a little context?

[sourcerror]

No, and this proves that you didn't read it.

Re:Umm, how about a little context?

[mcgrew]

Actually, I find that Linux is far easier to use than Windows. When a distro upgrade comes along, there are new perks that you learn. In Windows, an upgrade means you have to relearn the whole damned OS.

Someone who ran Mandrake eight years ago would have no trouble at all migrating to kubuntu 11. Someone running Windows 98 or XP at that time has to relearn everything when upgrading to Win 7.

The "Windows is easier and more user friendly" is a myth. It only seems that way because you kids grew up with Windows computers. My experience is far different. I bought a notebook with a "feature" I absolutely hated -- "tap to click". It took a MONTH to find out where to shutr it off. It was nowhere in the control panel, but in a little widget at the bar at the bottom of the screen, and about twenty mouse clicks from there. When I installed Linux on it, it took less than five minutes to find and change it.

How user friendly is having to reboot? Yes, Windows has gotten better about this, but it still sucks.

How user friendly is the need for AV software?

How user friendly is changing the entire menu system of an application around with every upgrade? How user friendly is that forty character antipiracy key? How user friendly is two dozen reboots for an OS upgrade (which includes all the apps you have to reinstall manually)? in Linux, an OS upgrade requires a single reboot.

How user friendly is having to type your password to log on to a machine behind locked doors that only you use?

How user friendly is a machine that when the power goes out, you restart it and all the apps and documents that were open are now closed? Restart a Linux box and it comes up exactly like you shut it down, unless you change that behavior. Windows doesn't even give you a choice.

How user friendly is doing things the Microsoft way instead of your own way? Actually, I want my computer to be obedient, not friendly. I don't care if it curses me as long as it does what I want it to do, how I want it to do it.

How user friendly is an OS that makes you reinstall every single app when you upgrade?

Can you name ONE thing about Windows that's more "user friendly?"* I use both OSes, do you? I'd be surprised if you've touched a Linux box in at least ten years.

*"Pretty" != "User friendly"

Re:Umm, how about a little context?

How user friendly is the need for AV software?

Apparently not having it is pretty user friendly too :)

Re:Umm, how about a little context?

[MikeBabcock]

Setting up a CentOS server is even faster than configuring a Windows 7 PC, yes.

I run unattended CentOS installations regularly, its very very simple.

Re:Umm, how about a little context?

[martas]

That's extremely interesting, considering that I did in fact read it. You have just proven that common logic is inconsistent, congratulations!

Re:Umm, how about a little context?

[fast+turtle]

I always thought Adam and Eve were fish from the stars. That's why they lived so long and had so many kids.

Re:Umm, how about a little context?

[ljhiller]

Do you know what Bitcoin is? Duqu has been in the news and on the slashdot pages for four weeks at least. Sorry you're behind.

Re:Umm, how about a little context?

[Zamphatta]

I love how easy it is to find software for my Ubuntu laptop & install it. Rarely ever even have to reboot too. So much easier than Windows.

Re:Umm, how about a little context?

[zero0ne]

I'm sorry what?

It's "easy" for someone with 8 years of Mandrake experience to switch to kubuntu 11?
Now, someone with 8 years experience of 98/XP would have it "hard" when migrating to Windows 7?

I love the fair and biased comparison here. /sarcasm

An "End-User" is _ALWAYS_ going to have a difficult time migrating, regardless of the OS, however any technically savvy "computer person" will be able to make either migration easy.

I don't know about you, but in both Linux and Windows, I learned by messing around, be it clicking on random tabs / buttons / icons or typing commands with random arguments.

Someone who used Mandrake for 8 years is NOT a "end user" and never will be. However, that person who used 98 / XP for 8 years is _MOST LIKELY_ a "end user"

Your whole "User Friendly" rant is pointless because you are writing about points that matter to YOU. That married couple down the street may want to be prompted for a password, and may "need" the AV software.

Re:Umm, how about a little context?

[drsmithy]

Someone who ran Mandrake eight years ago would have no trouble at all migrating to kubuntu 11. Someone running Windows 98 or XP at that time has to relearn everything when upgrading to Win 7.

Complete and utter bullshit. The basic structure of the current Windows UI (Start Menu, Desktop, Taskbar, application and document windows, etc) hasn't changed significantly since Windows 95, and in many ways (window manipulation, drop-down menus, the concept of document-application associations) since Windows 3.0.

Anyone who has significant problems going from Windows XP, 98, or even 95 to 7, is going to have _at least_ as much trouble moving between just about any two Linux distributions.

The rest of your rant is equally biased and inaccurate.

Re:Umm, how about a little context?

[drsmithy]

I run unattended CentOS installations regularly, its very very simple.

Unsurprisingly, so are unattended Windows installations. That is, after all, kind of the point of an unattended install.

Re:Umm, how about a little context?

[im_thatoneguy]

Can you name ONE thing about Windows that's more "user friendly?"

Last time I tried to get a dual monitor setup working it took about 3 days.

No, it wasn't ten years ago.

Re:Umm, how about a little context?

* It was nowhere in the control panel, but in a little widget at the bar at the bottom of the screen, and about twenty mouse clicks from there.

NOT a Windows issue, that's a 3rd party app issue.

  * How user friendly is having to reboot? Yes, Windows has gotten better about this, but it still sucks.

I run Windows XP for months at a time without restarting, your point is invalid.

  * How user friendly is the need for AV software?

Follow best practices and there is no need. Run your computer as a limited user and only use Admin when needed - Microsoft recommends it, Linux enforces it, that's why you have sudo.

  * How user friendly is changing the entire menu system of an application around with every upgrade?

It isn't every upgrade, 95, 98, ME, 2000, NT 4, XP all use the same menu system.Vista and 7 use the same menu system, 8 will change a bit in an attempt to make tasks quicker.

  * How user friendly is that forty character antipiracy key?

It only needs to be entered once when you install the OS, you're making it out to be some huge and frequent task.

  * How user friendly is two dozen reboots for an OS upgrade (which includes all the apps you have to reinstall manually)? in Linux, an OS upgrade requires a single reboot.

Have you ever upgraded Windows? Never have I required more than 2 reboots, and almost always 1.

  * How user friendly is having to type your password to log on to a machine behind locked doors that only you use?

What? I never enter a password for my desktop, I don't even have to touch the computer for it to log on and no, I'm not using anything special to log on.

  * How user friendly is a machine that when the power goes out, you restart it and all the apps and documents that were open are now closed? Restart a Linux box and it comes up exactly like you shut it down, unless you change that behavior. Windows doesn't even give you a choice.

I've never had that happen on linux.

  * How user friendly is doing things the Microsoft way instead of your own way? Actually, I want my computer to be obedient, not friendly. I don't care if it curses me as long as it does what I want it to do, how I want it to do it.

My computer is both friendly and obediant, perhaps you just don't know what you're doing.

  * How user friendly is an OS that makes you reinstall every single app when you upgrade?

I don't have to reinstall paint, notepad or calculator, and if I cared so much about reinstalling them then I'd put together a slipstream disk - which is what linux does anyway.

  * Can you name ONE thing about Windows that's more "user friendly?"* I use both OSes, do you? I'd be surprised if you've touched a Linux box in at least ten years.

I can tell you now, changing settings under Windows is by far more friendly. to get HDMI sound on my linux box required creating config files in particular directories, when I upgraded to a newer version, the names and locations of the files had to be changed - this has happened twice.

There are a number of settings that are in obsucre places, with Windows it is almost always logical.

Windows just works, linux can require a fair bit of timewasting to get something as simple as volume control working.

  * "Pretty" != "User friendly"

I agree, Macs suck

Re:Umm, how about a little context?

[Chris+Mattern]

I read the first link. The only piece of concrete information it provided about Duqu was that it was "malware". It actually had more information about Stuxnet than about Duqu.

Re:Umm, how about a little context?

[mcgrew]

The biggest problem I have with Windows (and MS products in general) is changes between releases. For example, what was wrong with XP's control panel? Why did they change the damned thing around making it so hard to find anything? Why couldn't I disable the "tap to click" feature from there? Why was the "settings" in IE in a completely different place in every release from 1 to 6?

The married couple may want to be prompted for a password, when you install Linux it asks you. Simple. They would be prompted for a password. Not there at all in Windows; you get the password whether you want it or not.

I equate "less choice" as "less user friendly". I equate "having to hunt for shit" as being user-hostile. I equate "do it my way or you can't do it" as user hostile.

Re:Umm, how about a little context?

[MikeBabcock]

Unattended Windows installations are not easy to configure or set up or get started with. Your average person who knows how to install Windows would not figure out how to create an unattended installation.

Your average computer person who can read a blog can create their own custom CentOS distribution for installation over PXE in a couple hours (or a lot less).

The actual installation part was not what I was commenting on, sorry.

Re:Umm, how about a little context?

[drsmithy]

Your average computer person who can read a blog can create their own custom CentOS distribution for installation over PXE in a couple hours (or a lot less).

Firstly, you're already comparing apples to oranges ("average person who knows how to install Windows" vs "average computer person") to suit your bias.

Secondly, having spent a sizeable chunk of my career as a Linux sysadmin, and been responsible for setting up and maintaining several unattended install environments, the idea that some random person only capable of installing Linux from a CD can sit down and create one in a matter of hours is utterly laughable.

Re:Umm, how about a little context?

[Evro]

No, the first link, http://it.slashdot.org/story/11/11/16/1810231/experts-convinced-duqu-work-of-stuxnet-authors , talks about Duqu being related to Stuxnet, but offers no indication about what Duqu is or who it's affecting. Yes, I can google it and look it up on Wikipedia. The point is that an editor should do that. A simple sentence like "Duqu, the recently-discovered malware that's related to Stuxnet, which researchers believe is being used to log Iranian President Mahmoud Ahmadinejad's porn collection...", or some other 10-word summary of what it is, is what editors are supposed to provide.

Re:Umm, how about a little context?

[MikeBabcock]

Actually, I suited the opposite bias. I compared people who already know how to install Windows to people who may not know how to install Linux at all. If you'd bothered considering that, you'd realized I'd actually stacked the deck against my argument, not for it.

As a result, the rest of your comment is meaningless to me.

Psst, random Google result: try this.

Re:Umm, how about a little context?

[drsmithy]

Psst, random Google result: try this [greghaygood.com].

If that's your idea of "create their own custom CentOS distribution for installation over PXE", then yes, I suppose anyone could do it in a matter of hours.

As could someone with Windows.

Re:Umm, how about a little context?

[MikeBabcock]

Feel free to post the instructions for Windows for someone to follow; including rights required and hardware compatibility issues.

Re:Umm, how about a little context?

[drsmithy]

Feel free to post the instructions for Windows for someone to follow;

There's a zillion guides out there on making a bootable USB key (preferable) or DVD to install Windows from. It's about 5 steps. Here is one example. After that's done, you just copy whatever custom software you want onto the USB key and you've achieved the same result as that link you gave.

including rights required and hardware compatibility issues.

Now you're moving the goalposts.

Re:Umm, how about a little context?

[MikeBabcock]

I didn't move any goalposts. Its the total cost of ownership concept but in total cost of deployment terms. If any random person can do the one thing, but the other is only available to specific people, its different, isn't it? And worth noting.

PS the above guide is only to make a USB bootable installation image, not a fully automated self-installing image that could be used on a headless system, or for PXE deployment. Those were the original goalposts.

Re:Umm, how about a little context?

[drsmithy]

I didn't move any goalposts.

Yes, you did. You went from automating installs to talk of permissions and compatibility, completely separate topics.

Its the total cost of ownership concept but in total cost of deployment terms. If any random person can do the one thing, but the other is only available to specific people, its different, isn't it? And worth noting.

Why would "any random person" be creating automated installs ? Why would someone with a need to create automated installs not have "rights" to do their job ?

PS the above guide is only to make a USB bootable installation image, not a fully automated self-installing image that could be used on a headless system, or for PXE deployment. Those were the original goalposts.

Indeed they were. But then you posted a link to a process for nothing more than rolling some custom RPMs into an ISO image, so I assumed that's all you were talking about. Hence my comment of "If that's your idea of "create their own custom CentOS distribution for installation over PXE""...

Dear Kids...

[Lumpy]

You never need your server directly on the internet.
put it behind a firewall with holes poked through. they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.

And if you are one of the incredibly rare cases where you really do need to have the machine on the net directly.. I suggest daily security audits.

Re:Dear Kids...

You never need your shell server directly on the internet.
put it behind a firewall with holes poked through. they can't attach a zero day Apache exploit if the only hole is port 22 to SSH.

And if you are one of the incredibly rare cases where you really do need to have the machine on the net directly.. I suggest daily security audits.

Re:Dear Kids...

[amicusNYCL]

they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.

What about the edge cases where you're running something other than a vanilla web server?

Re:Dear Kids...

[RobertLTux]

"they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.

What about the edge cases where you're running something other than a vanilla web server?"

then its "they can't attach a zero day SSH exploit if the only hole is port(s) N-Z to %service%."

the point is if the only ports open are bound to an active service (and you have stripped the list down to what is absolutely needed)
then its a lot harder to attack that system (bonus points if those services are not on default ports)

Re:Dear Kids...

Just open a different port in the firewall?

Re:Dear Kids...

[amicusNYCL]

My point was that several servers do use SSH. If I rent a dedicated server, SSH is how I get things done. If an exploit is discovered in httpd, the correct solution is not to block port 80.

Re:Dear Kids...

Bull. Shit. I'll exploit your file-upload system to install a root kit. All anyone needs is port 80. You're probably already pwned with that ego-centric attitude.

Re:Dear Kids...

[elsurexiste]

they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.

What about the edge cases where you're running something other than a vanilla web server?

As in "any server that can be sysadmin'ed remotely"? :)

About half of the system administrators I know don't work on-site. A few use VPNs + ssh; the rest uses plain ssh. Either way, it's more than a single port 80.

Re:Dear Kids...

[Hatta]

How do I get remote shell access if the SSH port isn't open? It might be wise to run SSH on a non-standard port, or to use port knocking, but simply blocking SSH entirely is way too far down the security/convenience tradeoff. You might as well unplug the thing entirely.

Re:Dear Kids...

You insensitive clod; you can do redirects (Pivot attacks) from apache to port 22 as per a few issues it's had in the last 3 years.

Re:Dear Kids...

My point was that several servers do use SSH. If I rent a dedicated server, SSH is how I get things done.

So get a static IP address if you don't already have one, and setup iptables to only allow that IP address access to port 22.

Re:Dear Kids...

[93+Escort+Wagon]

Just open a different port in the firewall?

Security through obscurity, eh?

Re:Dear Kids...

It actually works pretty damn well to get rid of 99% of bot attacks.

Of course, if you have an actual person who is interested in what's behind your firewall, it's probably not very effective.

Re:Dear Kids...

[morgauxo]

Ha, Typical BOFH statement. What if you don't spend all your time on the LAN? What if you actually USE ssh on a regular basis from outside locations. I guess you run an ethernet cord from home to work to the coffee shop and any other place you go?

Re:Dear Kids...

[Em+Adespoton]

The only things you should need open to the internet are SSH ("the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially") and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

There... that's the ideal world. In reality, this doesn't account for people who don't have that much hardware/expertise with VMs, for people who don't keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

It also doesn't help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.

Re:Dear Kids...

Google "port knocking".

Re:Dear Kids...

[Lumpy]

You never need SSH open to the internet. VPN in then access the ports.

Re:Dear Kids...

[SharkLaser]

You don't need SSH open to the internet, especially if the server is running on internet network. Even then, it's good to assign it to random number and not 22.

Re:Dear Kids...

[SharkLaser]

That damned preview and/or edit... internal network.

Re:Dear Kids...

SSH /is/ VPN. Pick your poison.

Re:Dear Kids...

[morgauxo]

And is there any security threat to a port being open that does NOT have an active service on it? If so what is the attacker cracking? The TCP/IP stack itself?

Why have an active service on any port if you aren't using it?

As far as I can tell firewalls are useful if you aren't sure what services are running on your network and cannot or do not feel like cleaning them up. Or... as a lazy way to make services accessible only on the LAN. For the former use I can understand on a LAN with many users. It may just be impossible to police. For the latter... that is just lazy. What server worth it's salt can't be configured to only accept connections from the LAN and ignore all others?

On the other hand, all firewalls I have seen are prone to err. Perhaps an update fails leaving it in an unusable state. Or the user tries to configure some fancy rules resulting in this or that internet service not working. As an example I know a guy who works in IT security now. When he was still in school he liked to run his own email server. That was back before all the home ISP IPs were blacklisted by most smtp hosts. Most of the time his email didn't work. Not because of his smtp server but because he was tweaking his firewall rules. Eventually I learned that the only way to reach him was to call him on the phone. I guess he liked learning about that security stuff though and now he loves his job.

I just don't see the point of a firewall unless you are in a situation where you cannot control your own LAN. I do think that services should be limited to what one actually uses and then should be actively updated though.

Re:Dear Kids...

[Lumpy]

Most people use the secret service called...... VPN. or if you like more secure, you use an out of band initiation that opens a port for a short window.
Example: I simply SMS my server, it get's the SMS message and opens the VPN firewall rule for 3 minutes. I connect and do my work. if my connect did not happen in the 3 minute window it closes down again.

SMS is easy with a cellular rs232 modem, but there are plenty of other ways to do it as well. Email to a specific gmail account can do the same exact thing.

This is Computer security 101 stuff, nothing advanced.

Re:Dear Kids...

[DigiShaman]

But but but, it's Linux! What do those Windowz lamers know anyways? Like, OMG! You're doing it wrong and stuff.

Re:Dear Kids...

1) VPN implementations can have 0-days as well
2) SSH can be used as VPN

Having a single open port with SSH is just as legit as with VPN.
One may argue about VPNs being less of a swiss army knife provide smaller attack surface, but that's theoretical. I'm convinced there are some VPN implementations being much more prone to exploitable flaws than OpenSSH.

Re:Dear Kids...

[imemyself]

I for one would much rather control which network can access a service in one place (a centralized firewall), rather than manage it through ten different config files that use different syntaxes on a bunch of servers for every service.

Re:Dear Kids...

[KingMotley]

I've found that firewalls work best when you are trying to protect only one machine. You can put a firewall up front, then run a script to open all 65535 ports and forward the packets to the single machine on the internal network. Whoa-la! You have all the protection of a state of the art firewall AND you have all the transparent configurability of being directly on the internet!

Re:Dear Kids...

[Culture20]

My point was that several servers do use SSH. If I rent a dedicated server, SSH is how I get things done.

"So get a static IP address if you don't already have one, and setup iptables to only allow that IP address access to port 22." -Sibling AC
(reposted sibling AC since it's a good idea, and no one notices ACs)

Re:Dear Kids...

Any person using FTFY or editing my postings agrees to a US$50.00 charge

Any person using FTFY or editing my postings agrees to a US$100.00 charge
FTFY.

Re:Dear Kids...

[Bert64]

Well you should only be running the services you need...
If you need a service and have a firewall, then you will allow it through...

It's ridiculous to run unnecessary services and then use a firewall to hide them.

Re:Dear Kids...

[camperdave]

How do I get remote shell access if the SSH port isn't open? .

Dial into the modem...?

Re:Dear Kids...

[MikeBabcock]

We still have modems at most customer sites; although IPSEC is configured to allow remote VPN access; but that's firewalled to only permit attempted connections from known IP addresses (including ours).

Re:Dear Kids...

[mcgrew]

LOL! You're sitting at 0, and he's at +3. Nobody notices MOST ACs because most ACs don't contribute much if anything to the discussion.

BTW, mods, I'm offtopic. Please mod accordingly, this comment was aimed at the parent only.

Re:Dear Kids...

[amicusNYCL]

In an ideal world, that's right, you would whitelist IPs. But in the practical world, that's not how it happens. Web hosts aren't going to whitelist IPs, they just open SSH.

Re:Dear Kids...

[Culture20]

LOL! You're sitting at 0, and he's at +3.

Actually, the AC is at 0 and GP is at 1 (was only modded down 1 by a mod who decided that modding me redundant was more important than modding the AC up, but I had the karma bonus added in).

Nobody notices MOST ACs because most ACs don't contribute much if anything to the discussion.

Nobody notices most ACs because AC comments don't send notifications upon posting (you have to actively recheck your posts to see them), and they start 2 points under where most people read. I wanted to make sure the originator saw the response because it's good practice.

Re:Dear Kids...

[symbolset]

Dear kids: your faith in firewalls is part of the problem. It's a scuba suit in a deep fat fryer.

Re:Dear Kids...

Because I'll always have access to a computer with my VPN client of choice pre-installed and all of my encryption keys and certs handy...SSH is lowest common denominator, you'll find it everywhere or it's a quick download away, and all you need is the password.

In addition, VPN often runs on ports like any other service, and can be compromised via a flaw as much as SSH can.

Re:Dear Kids...

[hughesjr]

You control the iptables on your machine, not the ISP. These guys are not hacking commodity shared servers they are hacking individual/coloacted servers. You would use IPTABLES and limit the access to at least known networks. Why have your ssh port open to China and Russia if it is located in the UK and never accessed from those locations (for example). Even if you don't have a single IP, you are on a specific network and you can allow only access from the "4" class B networks (as an example), etc. Also, you should always disable password logins and use keys to access your servers via ssh. Certainly you should disable direct "root" logins.

Re:Dear Kids...

[Em+Adespoton]

Of course, if you're using SSH without a cert and a secure pass-phrase, it's not much better than having telnet open to the world. That said, I've had a number of sshds open to the world with password auth only for over a decade, and despite getting hit with numerous attacks a day, they have yet to be compromised. Turning off ssh access to all but a single account with a hard to guess user name and a much harder to guess pass-phrase probably has something to do with this. Most remote connections appear to be from China running a dictionary attack.

I did have one interesting connection from Indonesia once that appeared to be trying to leverage some sort of certificate exploit, but as I had certs disabled, it failed.

Right now, it appears that the most insecure part of my internet gateway is the part managed by my ISP and locked away from me... they're running a number of insecure services, some with known potential vulnerabilities. I haven't worried too much, as for the most part you'd have to be on their local line talking ATM to leverage most of the issues. And then you'd have to either re-flash the device with exploit code (dropping my connection) or get past my firewall to do anything at all nefarious.

They should have known better.

[xeeno]

The first thing you do in C&C is build walls around your MCV so engineers won't get it. Seriously, guys.

Re:They should have known better.

The flack cannon that drops them off always shoots through the sand bags.

You need two wallst thick for serious multiplayer.

Duh

CentOS

[future+assassin]

>All of the known Duqu C&C servers discovered up to this point have been running CentOS

Probably since this is a popular OS for web hosts that resell/sell servers. Who are the people who buy these server? Well anyone and everyone who wants to be another web host yet have no idea on how to secure a server so they hire some $40 per month security company to secure their servers. There must be 1000's of those servers out there ripe for raping.

Re:CentOS

My money is RedHat is involved in order to convince the server owners that ReHat support is worth the cost.

Re:CentOS

[JSBiff]

"so they hire some $40 per month security company to secure their servers. There must be 1000's of those servers out there ripe for raping."

If each customer is paying $40 per month, and their are thousands of customers, wouldn't that be a $40,000+ per month security company? For that kind of cash, they should be competent. When I buy into a company like that, I figure I'm supposed to be getting more than $40/mo worth of security expertise, because I'm *sharing* the costs with thousands of other customers.

Sadly, however, you're probably right that many hosting companies don't really have sufficient expertise to know how to secure their customers' servers for them. But, it's not because they aren't being paid enough, it's because they aren't spending the money on the right things.

Re:CentOS

40,000 barely will pay the overhead of 1,000 customers.

Re:CentOS

[dotancohen]

...so they hire some $40 per month security company...

What should I be googling to find these companies? I have one customer that I can no longer support and I'd like to at least refer him to _somebody_ professional.

Re:CentOS

[future+assassin]

Well ones I know off

http://www.platinumservermanagement.com/
http://24x7servermanagement.com/
http://seeksadmin.com/

One I used before and they were ok was http://www.acunett.com/ but then again you can't reply for these companies for real management.

Re:CentOS

[dotancohen]

Thanks. At the least that should give me an idea of what to look for. Have a great day!

Re:CentOS

>All of the known Duqu C&C servers discovered up to this point have been running CentOS

Probably since this is a popular OS for web hosts that resell/sell servers. Who are the people who buy these server? Well anyone and everyone who wants to be another web host yet have no idea on how to secure a server so they hire some $40 per month security company to secure their servers. There must be 1000's of those servers out there ripe for raping.

That's kinda interesting because I work for a web hosting company that doesn't run CentOS and we get fraudulent orders w/ stolen credit cards and a lot of the time when I do a traceroute, it ends up being a shared hosting server. They're usually used to set up phishing or affiliate referral sites.

Zero day or minus one day ?

Using complicated combinations of bugs / software features in code submitted to open-source projects by your own team is also an option for hi-tek low-profile teams like this. Especially if you're a secretly-government-sponsored team.

kinda scary

[martas]

Am I the only one who is kind of worried about the whole stuxnet/duqu thing? We've been hearing/hypothesizing about the dangers of "cyber-warfare" (as much as I hate the term) for a while, pretty much since the beginning of Internet malware, but it seems as though recently shit has finally started to hit the fan, first with increasingly worrying allegations about Chinese hackers and such, and now with this (which seems to be the doing of the US/Israel, at least a lot of people think it is).

If things continue along this trend, one could expect a really bleak future for the Internet where major world governments and other well-financed organizations have virtually unlimited power to do what they like with any computerized system, and continually carry out covert attacks against each other. It seems the only thing that could prevent that from realizing would be some major game-changing advances in computer security, but I'm not seeing any indication that that's likely to happen...

Re:kinda scary

[Statecraftsman]

Even though this story posits a 0-day in OpenSSH as the culprit, I'm of the mind that free software with a strong patch and update system is as good as it gets. If you don't update your systems say because you don't want to break stuff, sorry but even non-0-days will bring you down. So on the sysadmin side, we're moving toward more specialization.

On malware and free software: http://trygnulinux.com/action/?q=node/68

Re:kinda scary

[Baloroth]

That "future" already more or less exists. In fact, it always has. What prevents it from getting bleak is the checks and balances. Governments can screw other governments of course, but being caught really sucks for them diplomatically, so they have to be cautious. Corporations can be caught either by the government (which often seems to do little or nothing) or by the public eye, which can wreck the company. Or by other companies, of course.

This has always been true, and in far more than "cyber"-space. Covert attacks are limited by pressure from various sources. Some of those weaken or grow stronger as public opinion or diplomatic situations change, but it always exists. Except in full-on war (and even some there), and then the attacks stop being covert.

China, for example, could attack the US infrastructure (probably). They don't, because they need our money as much (more, IIRC) as we need their manufacturing. And intelligence agencies have, supposedly, built in backdoors to many systems for decades now. The danger of those being abused is present, but not much greater than the abuse any intelligence agency ever could do. Which is a lot, in theory, but in practice is usually relatively limited (again, by public pressure.)

Re:kinda scary

[morgauxo]

Or.. after a couple high profile attacks they finally disconnect these critical control systems from the internet and we don't hear about it again.

Re:kinda scary

one could expect a really bleak future for the Internet where major world governments and other well-financed organizations have virtually unlimited power to do what they like with any computerized system, and continually carry out covert attacks against each other.

why do you think this isn't already the case?

Re:kinda scary

[Hentes]

If things continue along this trend, one could expect a really bleak future for the Internet where major world governments and other well-financed organizations have virtually unlimited power to do what they like with any unsecured computerized system,

FTFY
Also, I don't want to frighten you, but with an unsecured system it's not just incredibly powerful governments, but every 16 year old scriptkiddie can do what they like.

Re:kinda scary

[martas]

Well, there are certainly degrees to it. A script kiddie probably couldn't have pulled off stuxnet, because he wouldn't have intel about how Iran't enrichment program is run and such.

Re:kinda scary

[couchslug]

"It seems the only thing that could prevent that from realizing would be some major game-changing advances in computer security, but I'm not seeing any indication that that's likely to happen..."

Pre-computer security was an "air gap" (often reinforced with guards and alarms etc) between valuable systems and potential attackers.

The horny craving to have everything connect to the internet and run Windows is to some extent a self-punishing mistake born of extreme hubris.

Re:kinda scary

Or you don't update your system because you use a system (centOS) that leeches off of a company that actually does all the work (Redhat), and said leech doesn't provide security updates as fast as the company doing the work, you will always be under the gun and vulnerable to quick acting hackers.

Re:kinda scary

It's hilarious when you realize that a lot of our problems stem from details of CPU architecture which are forced upon us by Intel and Microsoft for the sake of continuing to run decades-old programs. So we've got a world where we can run stupid PoS PoS software designed for a 286 on a modern quad-core i7, yay us, we also have a bunch of stupid fucking problems due to that.

Points 4. and 5...

[djsmiley]

4.The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)
5.The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.

Ah yes, lets pretend there is no problem because the idea that there is, is too scary. Someone kill me, please. The only other reason I can think of, which also ties in with the fact they were appently checking the man page for sshd_config is that something changes in the default settings between 4.8 and 5 and this they wanted desperately, but even then this would point to some sort of exploit. *(Maybe an exploit in the way the default settings are in centos, rather than in openssh).

Re:Points 4. and 5...

It suggests to me that the Duqu guys don't want other attackers using the same exploit on a machine they've gone to the trouble to break into and use for their C&C network. I would think this to be a fairly common strategy among blackhats, which is why I am a little surprised that it didn't occur to the Kaspersky analyst. And what's with this pretending not to know who's behind the of development of stuxnet? Ridiculous.

Re:Points 4. and 5...

4.The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)

Why the f**k PermitRootLogin defaults to yes on CentOS's sshd config?
Isn't it supposed to be a enterprise oriented distro?

Re:Points 4. and 5...

There doesnt necessarily have to be an exploit in the newer ssh version. It could very well be psychology. If you hear about an exploit, and then check your version and it's not vulnerable, then you probably wont check the security of the rest of your system, allowing the remote attacker to maintain their privileges. leaving the vulnerable sshd on a compromised server would suggest that the server needs some more scrutiny to check and see if it was compromised.

Re:Points 4. and 5...

[CyprusBlue113]

Judging by the rest of the article, I strongly suspect it has more to do with enabling their secure hierarchy of kerebos based logins than turning off the exploit they used. You can see some of the other things they do relate to features that require a 5+ openSSH once they're in.

Re:Points 4. and 5...

[knarfling]

That was my question!! The second one being, "Why wasn't PermitRootLogin turned off?" One of the first things I do when setting up a new server is verify that the root cannot get in remotely. As soon as there is any kind of user authentication set up and a user either set up or can log in, PermitRootLogin is set to no. From then on, admins wanting remote access with root privileges must log in as a user and either use sudo (preferably) or su. I even have the server email a group if someone does an su to root or logs in as root from a console.

I don't expect everyone to be able to set up that kind of monitoring, but allowing remote root logins is just asking for trouble.

Re:Points 4. and 5...

[Pharmboy]

Why the f**k PermitRootLogin defaults to yes on CentOS's sshd config?
Isn't it supposed to be a enterprise oriented distro?

Most enterprises have IT staff to change that as soon as the OS is installed. The problem with not allowing root to ssh in with a fresh install is that a fresh install only creates the user "root", so you physically have to be at the machine to log in and setup the system if you don't allow root to ssh in. Yes, it is technically safer to disallow root to log in with a vanilla install, but it is inconvenient. On the DESKTOP, it makes sense to disallow root via ssh from a vanilla install, however.

On servers, I usually setup vanilla, then ssh in, add a user, change to disallow root logins, and change the default port, then restart ssh, open a new session to test as that new user on the new port and "su -" to root, then log out of the first root shell, and finally start a new session on the new port and try to root in, to make sure I can't. I can't be that unique in doing it this way.

Serious question to all: Do people still use the default port for SSH anymore? I never have, as once we went from telnet to ssh (over a decade ago...) we just always used a non-standard port. Makes my logs a lot easier to read.

Re:Points 4. and 5...

[asdfghjklqwertyuiop]

Serious question to all: Do people still use the default port for SSH anymore? I never have, as once we went from telnet to ssh (over a decade ago...) we just always used a non-standard port. Makes my logs a lot easier to read.

Yes, I run it on the default port, as does everyone else I personally know. How does running it on a non-standard port make your logs easier to read?

Re:Points 4. and 5...

[gatkinso]

It decreases the number of script based dictionary attacks aimed at port 22, so your logs are not as cluttered. Other than this running on a nonstandard port does nothing to enhance security.

However some fools somehow think it does.

Re:Points 4. and 5...

Most enterprises have IT staff to change that as soon as the OS is installed. The problem with not allowing root to ssh in with a fresh install is that a fresh install only creates the user "root", so you physically have to be at the machine to log in and setup the system if you don't allow root to ssh in.

Then set PermitRootLogin to without-password and bake the customer's public key into the image before turning it on. This is what the "run your own Linux image in the cloud" services I use do. Anything else is just begging for problems.

Re:Points 4. and 5...

[gatkinso]

The whole nonstandard port thing is silly. It does nothing (yes, nothing) to enhance security but to be fair it doesn't impact security either. Note that some places block outbound connections on nonstandard ports.

Have fun logging into your box from such places.

Re:Points 4. and 5...

If you need to access remote server via SSH do two things VERY early in the process:

1) Convert SSH to use pubkey authentication ONLY and disallow root logins via SSH. SSH with password authentication (especially with root access) is very bad practice.
2) Install denyhosts (denyhosts.sourceforge.net). This daemon adds anyone trying brute force attacks to hosts.deny file. This also helps keep down the failed login attempts in the security log files because after a couple of attempts, they are blocked by hosts.deny.

Simple solutions that take a couple of minutes to implement.

Re:Points 4. and 5...

[asdfghjklqwertyuiop]

It does nothing (yes, nothing) to enhance security

It may enhance your luck. Sometimes exploits are found and there's some time between the discovery of the vulnerability and you fixing your system. In that time it could be that the only attack that will be attempted on your system will be an untargeted one by someone who's just quickly sweeping the whole internet on the standard port for as many machines to root as quickly as possible.

Re:Points 4. and 5...

[ChumpusRex2003]

I don't understand the "brute force" claim. In the article, they later explain:

"Note how the 'root' user tries to login at 15:21:11, fails a couple of times and then 8 minutes and 42 seconds later the login succeeds. This is more of an indication of a password bruteforcing rather a 0-day. "

This makes no sense to me. 2 attempts at a login, and then the 3rd succeeds? How is that brute force? Or is it just extraordinary luck (or an inept password policy).

While I don't regularly perform penetration testing, my current understanding of brute-forcing SSH passwords, is that it requires thousand or millions of attempts, with the hope that an IDS doesn't spot the attempted ingress and lock-down firewalls, etc.

To me, this looks more like a 0-day. A few probes with potentially exploitative malformed logins, until they find one that works on the specific kernel/SSH version.

Re:Points 4. and 5...

[Pharmboy]

Nothing foolish about knocking out 100% of the scripted attacks on the server, which are over 99% of the attacks that will ever be attempted on most servers. Running on a non-standard port isn't the solution to running a secure server, it is just part of the solution, and works great for 0 day exploits in particular. Any decent admin knows that.

Re:Points 4. and 5...

I am djsmiley ;)

Or..... knowing some default root pw's that may of been used for setting up these servers (same provider maybe?) and hitting those....

but yeah, its hard to correlate any kind of understanding without more infomation - Maybe its some weird timing based attack which requires you to attempt to login at specific times, only during a specific phase of the moon..... as the terrible article says, we'll never know.... unless someone goes back, looks over the code and notices an issue.

Re:Points 4. and 5...

[Pharmboy]

THAT is the entire point of using non standard ports. Anyone who says otherwise is too busy trying to sound important to realize how attacks really happen. I've run on non-standard for years, and I get no (repeat, NO) entries in my logs from scripts trying to log in. Obviously I still have to patch everything and keep it all up to date, but this removes one vector: 0-day ssh exploits. I keep my stuff up to date, my concern isn't the easy stuff, it is the 0-day stuff that I can't just patch.

Some will say "big deal, how often does that happen?" and of course, the obvious answer is "it only has to happen once to fuck up your whole week".

Re:Points 4. and 5...

[gatkinso]

It isn't part of the solution, it is just lazy (which ironically ends up being more work), and imparts a false sense of security.

Even if I were foolish enough to buy into the whole security through obscurity angle, I would implement this via a firewall/router that forwards traffic on a nonstandard port to port 22 on the server in question, not by simply plugging in the red cable into my box and having it listen on a nonstandard port (or even more retardedly forwarding the nonstandard port ssh traffic to a nonstandard port on the ssh server).

Re:Points 4. and 5...

[MikeBabcock]

Its actually handy for those of us who do multiple VNC installs of CentOS on the LAN at once. I start a bunch of LAN installations, monitor them by VNC, and on reboot, I ssh in as root, upload keys for the default user, disable root access and password logins, and voila, its done.

What I really wish they'd do is put up an /etc/issue.net prompt complaining that the server hasn't been configured yet (like snmpd.conf's).

Re:Points 4. and 5...

[grcumb]

The problem with not allowing root to ssh in with a fresh install is that a fresh install only creates the user "root", so you physically have to be at the machine to log in and setup the system if you don't allow root to ssh in.

Is this true? I haven't installed plain CentOS in years and years, but I don't recall seeing this behaviour back when I was using RedHat (1990s - early 2000s), and it absolutely never happens with Debian.

But even if it is true, it's not difficult at all to customise one's installer so that it runs a script to create a second user account, add it to sudoers, and then disallow remote root login. It's as easy as adding a single RPM to the install image. Given the security risk that root login creates, something like this would surely be worth the effort for any company running more than a trivial number of servers.

Re:Points 4. and 5...

[Raenex]

Even if I were foolish enough to buy into the whole security through obscurity angle

What's foolish about this? If I have all the security plans and an exploit is found (as they have been time and time gain), then you are vulnerable. If an additional layer of obscurity was applied on top of that, you are a harder target.

Re:Points 4. and 5...

[lebean]

There's nothing foolish about it, he's wrong. That is, provided you continue to keep up-to-date with patches. Given two equal SSH daemons, both fully updated but one on a random high port, the one listening on 22 will log hundreds or thousands of attempts per day, the one on a random port will log *zero*. Which do you think makes log auditing easier to look for truly dangerous threats? (If you see failures on your "obscured" SSH daemon, you _know_ you have a problem because someone has fully scanned your address(es) and is actively attempting a break in, while those attempts just disappear in the noise on the port 22 daemon). Similarly, if/when that next SSH 0-day hits, which of the two is in immediate danger of being rooted? The one that is in the logs of dozens or hundreds of scanning script kiddies, or the one that has never been hit a single time by an unknown user, that nobody in the world even knows exists?

Re:Points 4. and 5...

[Jerry]

"Brute force" in only three tries? How logical is that?

Re:Points 4. and 5...

[dweller_below]

Given two equal SSH daemons, both fully updated but one on a random high port, the one listening on 22 will log hundreds or thousands of attempts per day, the one on a random port will log *zero*. Which do you think makes log auditing easier to look for truly dangerous threats?

I can second this. For years I have monitored the SSH activity at my university. Today we had 30K+ active devices and hundreds of SSH servers. I use Snort rules to detect SSH negotiation on non-standard ports. We have NEVER had an attack against a SSH server using a properly obscured SSH port. Of course, we don't depend on obscurity. Here is a snippet from our guide to setting up a SSH server: https://it.wiki.usu.edu/ssh_description

We try to use multiple overlapping security layers to protect SSH:

• Set your firewall to limit the vulnerable scope of SSH to a few trusted hosts.
• Set your firewall to prevent credential guessing by rate-limiting connections to the SSH port.
• The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
• The SSH server should not allow known usernames including root. The attacker must find a username.
• The admin is trained to create good passwords for his usernames.
• SSH users are taught to verify the identity of their systems when they first connect.
• System admins must regularly review the activity of their SSH servers.
• USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
• USU has SSH Honeypots that help us respond to SSH attack.

When we reviewed the SSH activity today, we found 2 compromised systems. One had sprouted an SSH server on port 8080 and had a large community of hackers connecting to it. The other had bot C&C running over an SSH connection to the Netherlands. This review is easy when we don't look at all the crap on TCP/22.

Miles

Re:Points 4. and 5...

[hughesjr]

It is set up that way because that is how RHEL is setup.

This says it all for Linux "security"

"An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines" - Posted by Unknown Lamer on Wednesday November 30, @11:46AM
from the nsa-reads-slashdot dept. FROM THE MAIN ARTICLE ITSELF

Current proof that Linux's NOT "invulnerable secure" yet again, & yes, that Linux does get targetted by malwares...

(Despite all the "FUD" you see & have seen for YEARS now on this website from the "Pro-*NIX/Penguinista" around here!)

Linux gets "hit" by the worst kind too, in these "blended-threat tech" types, that use rootkits that employ drivers + bogus bootsectors shown in this article today...

Plus - the entire LAMP stack doesn't do well http://www.theregister.co.uk/2011/06/10/domains_lamped/
  (especially Apache lately -> http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access & earlier still here http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ ).

* Yes - Any OS' is securable, & far better than they come by default (yes, even SeLinux, but you have to go beyond its mere defaults to make it better, + MacOS X too (Apple produces guides for that in fact)), however/again:

The years of hearing how "secure" OpenSores/LAMP is around here was totally unrealistic & a blatant lie based on the information above, & yes, below next too!

APK

P.S.=> Top that off with this current information from this year 2011 also:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

---

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/

---

Toss ANDROID (yes, a Linux since it uses a Linux kernel) also, since it's being "shredded" on the mobile phone security-front rampantly for years now? You get the picture...

... apkb

Re:This says it all for Linux "security"

[MMAfrk19BB]

If I had mod points I would give them to you for actually linking articles that prove your point, but try to be a bit more coherent and maybe don't post as AC next time. Have the balls (or ovaries) to stand up for what you said. That being said, anyone who thinks that FOSS is $DEITY's gift to security by default is mistaken. Nothing is safe until someone competent configures, patches, and hardens it correctly. However, I don't believe that the proprietary corps are any better, and are usually worse, because they rely on security through obscurity (i.e. no one knows our code so we don't have to worry that much about it.)

Re:This says it all for Linux "security"

[americamatrix]

It's just like any other OS. You need to know what your doing.

A poorly setup Linux box will be worse than a locked down Windows install. Everyone knows this.

To say Linux itself is inherently vulnerable is an ignorant statement.


-americamatrix

Re:This says it all for Linux "security"

[c0d3g33k]

1. Please try again with a coherent critique of Linux security rather than a spittle spraying rant. I might read it and take it seriously.
2. You seem to have an agenda here, and have convinced yourself that it is validated. Good for you (pat on head).
3. Schadenfreude is bad for your health.
4. So ... what's your point exactly, and what do you expect people to do exactly if they happen to agree with whatever your point is?

Re:This says it all for Linux "security"

[sandytaru]

I'd argue that they're targeting Linux precisely because everyone assumes their Linux servers are invulnerable.

Re:This says it all for Linux "security"

[jellomizer]

Oh come on!
If someone did a rant like this for Windows it would be moderated +5 Insightful.

The Agenda here is to point out that Linux isn't the God of OS. It has its problems just like Windows and the others. As we giggle and glee when there is a Major Windows Issue, we like to discredit any Linux problem.

It isn't that Windows is More Secure then Linux but there are too many people running Linux feeling invincible from all the world has to attack them.
The biggest problem in IT Security isn't the OS it is the Dumb Ass who runs the systems.

You can have a Windows Network running for years without a security issue. You can Have a Linux network that is attacked daily. It determine the skill of the System Administrator.

Re:This says it all for Linux "security"

[dclozier]

Yes I think it does say it all for Linux "security".

I'd argue that this was because after taking control the attackers could easily secure/defend the machine and prevent others from taking it over. A C&C machine is a valuable asset for any organization.

Re:This says it all for Linux "security"

Current proof that Linux's NOT "invulnerable secure" yet again, & yes, that Linux does get targetted by malwares...

Yeah, go for it! You keep at it, pal! You're beating your opponent so hard that the straw is leaking out!

Seriously, nobody with any credibility has ever claimed that Linux is "invulnerable secure". The strongest argument usually made is that Linux is more secure than Windows, which was absolutely true when it was commonly being made 10 years ago. The debate has moved on. The claims you should be arguing against today are that Linux is better value-for-money on servers, and more secure than Windows specifically on the desktop.

As for malware - well, a targeted attack probably by a nation-state is hardly the scenario people are thinking of when they say "Linux doesn't get viruses". The claim you should be fighting here is that Linux is less likely to be hit by drive-by malware or compromised at random by malicious websites. These claims are absolutely true; even if Linux is no more secure than Windows, it is still a much smaller and less attractive target, and therefore safer.

But, hey, I'm getting in the way of you beating on your strawman, so I'll shut up now and let you keep on with your regularly scheduled trolling!

Re:This says it all for Linux "security"

The guy is a common troll around here and will link pages and pages of articles in incoherent rants whenever OS security is mentioned (you can see his joke of a thread about locking down Windows, it's just as badly written as every single one of his posts here, with a lot of bolds, caps, and dotted lines)

Re:This says it all for Linux "security"

[magamiako1]

As far as desktop is concerned I don't consider linux to be any different than Windows. While it is true that by default Windows XP and previous permitted Administrative privileges, UAC in Vista and 7 go a step above to prevent "drive by" system-level malware infections.

Local root escalation exploits exist, but they exist in Linux, too. This goes for a very wide range of applications.

Both Windows and Linux have gone through great lengths for local security though, and I'd suggest looking at the Microsoft Enhanced Mitigation Experience Toolkit utility that is available.

You can harden individual processes from common exploit techniques (heap spray, null page, structured exception handling, etc)

Re:This says it all for Linux "security"

You are absolutely right... A Windows machine with the default install and an easily guessable password would never have been compromised.

Perhaps you should start taking your medications more regularly.

Re:This says it all for Linux "security"

Current proof that Linux's NOT "invulnerable secure" yet again, & yes, that Linux does get targetted by malwares...

Yep proof that Linux is just as insecure as Windows. The hundreds of Linux servers the hackers painstakingly rooted to create C&C for the millions of Windows machines they casually rooted.

Re:This says it all for Linux "security"

[Culture20]

Sorry in advance for feeding the Troll, but he's at +4 Interesting...

Current proof that Linux's NOT "invulnerable secure" yet again, & yes, that Linux does get targetted by malwares... (Despite all the "FUD" you see & have seen for YEARS now on this website from the "Pro-*NIX/Penguinista" around here!)

Great Scott! It's the Strawman! Hurry Robin, knock it down before Commissioner Gorden gets here!

The line of reasoning here has always been: Linux Nut: Ha Ha! Windows has another [TCP stack / Kernel Font Rendering] vulnerability!
Microsoft nut: Well, that's only because Linux is never targeted. It's just as non-secure, but no one wants it. Linux Nut: Linux is targeted, and it's more secure because patches are delivered in a shorter time frame (unless you're using CentOS, then patches go through two layers of slow bureaucracy after the upstreams maintainers fix the issue)

Here we have a case where someone wants Linux (usually the prime target, but always out of reach), and they had a small window of opportunity to hack badly administered boxes. These were the microsoft equivalent of Windows 2k3 boxes set up without auto-updates and username/password administrator/administrator.

Re:This says it all for Linux "security"

Apk showed current information which u don't disprove in each point of his on Linux being hacked on servers, hosting malware exploits-rootkits-botnets, and even having its sourcecode repository broken into (very bad) and that CA's that used it got exploited too (very bad for online banking, shopping and the like) and more here http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752 which u and others who are Linux fans seem to avoid disproving in each documented current point from reputable sources he used to show that much. Why's that? Because you can't do it? Obviously.

Re:This says it all for Linux "security"

[grcumb]

The Agenda here is to point out that Linux isn't the God of OS. It has its problems just like Windows and the others.

Fine, but that's an inaccurate statement. To say that it 'has its problems just like Windows' implies that it has the same problems as Windows. That's a perfect example of false equivalence.

For decades now, Windows has had systemic problems with security. Its ecosystem is fundamentally weakened by malware due to a legacy of flagrant disregard to security. (Unix once suffered from the same naiveté, but happily managed to move past it, by and large.) The problem runs so deep, in fact, that even relatively secure versions of the software (those produced in the last two years or so) are still burdened by the deficiency of the environment in which they operate, and the culture of complacency and ignorance that pervades MS systems administration.

In fact, things have got so bad that black hats sometimes overlook the low-hanging Linux fruit, instead spending inordinate amounts of time and effort to break into an increasingly secure Windows environment.

My organisation is in the middle of a Exchange upgrade as I write this, and if this experience is any guide, there are fundamental differences between how people administering Microsoft systems approach change management and how grey-haired old *nix farts like me approach it. These differences are cultural in part, but the respective cultures derive from the design philosophy, which in turn dictates the toolkits and approaches taken.

And yes, the Linux philosophy (and approach and toolkit) does have flaws. Here's just one example. But they have very little in common with Windows. The single most important difference is that Linux's flaws have not yet led to systemic dysfunction. I'm not saying they won't; I'm saying they haven't. Yet.

Re:This says it all for Linux "security"

[Culture20]

Apk showed current information which u don't disprove in each point of his on Linux being hacked on servers, hosting malware ... which u and others who are Linux fans seem to avoid disproving in each documented current point from reputable sources he used to show that much. Why's that? Because you can't do it?

Actually,

I can't read the stuff that

is formatted in the way that
Random Anonymous Cowards

write with the tagline of APK

It's very jarring. I usually read the first few lines, let him rant like Gene Ray, then read the closing argument.

Re:This says it all for Linux "security"

Disprove apk's data on Linux's recent security issues instead of looking a fool http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752

I'm Screwed!!! C&C down!???????

I was just restarting my Red Alert install into a VM.

I didn't have time to click the links in the summary.

Noooo!!

Not the Music Factory! How will we know when to dance now?

All CentOS, but no RHEL

[gatkinso]

That makes me think twice about skipping on that Redhat license.

Perhaps the folks at Cent should be checking their logs.

Re:All CentOS, but no RHEL

[Culture20]

That makes me think twice about skipping on that Redhat license. Perhaps the folks at Cent should be checking their logs.

It's just representative of the extra week that CentOS sometimes takes before patches are available. They've been slightly better lately, only one day behind RHEL. Of course compare that to windows machines with a sometimes multi-month lag on patches..

Re:All CentOS, but no RHEL

[gatkinso]

This event spanned YEARS. Why no RHEL victims?

I smell a rat in CentOS.

Re:All CentOS, but no RHEL

[hughesjr]

Because CentOS is used more than any other linux server on the Internet maybe:

w3techs web usage

Re:All CentOS, but no RHEL

[gatkinso]

But CentOS X.Y is supposed to be basically identical to RHEL X.Y-1.

So, again, why no exploited RHEL servers? Note that RHEL is pretty damn common as well.

Re:All CentOS, but no RHEL

[hughesjr]

You would have to ask the people who did it. I suppose that they might think that people who pay for RHEL are more security savy that those who take the free route. I am a centos developer, so I do not appreciate the suggestion that the CentOS team did something. There is no issue that makes centos more or less secure than RHEL in this instance. They likely chose CentOS because it is more prevalent than any other distro in the world and they had a scanner to find it. The initial entry is almost certainly a brute force ssh root password break in. They also likely developed their "malicious code" using the CentOS distro (it is free and the most widely used distro ... what would you pick to develop your code on?), so they likely know it works for sure on CentOS. Why take a chance it does not work on RHEL if they developed it on CentOS?

One of the issues in bding the most widely used distro and free is that bad guys use your stuff to build bad things.

Sleep well at night.

[bmo]

1. Don't run services you don't need. This goes for all systems, including Windows.
2. If you do need sshd running, install denyhosts.
3. If at all possible, run sshd on a nonstandard port.

#3 keeps the logs quiet from bots trying to jiggle a door handle that isn't there on 22.

--
BMO

Re:Sleep well at night.

[knarfling]

4. Change PermitRootLogin to no. If you must have remote root access, make them log in as a normal user and su to root. (Better yet, set up sudo and control who can do what.)

Re:Sleep well at night.

[bmo]

Yeah, that too.

It's just that I've been running Ubuntu so long and got so used to sudo and no root logins and all that I entirely forgot about it.

Because any other way is madness.

Speaking of no-root-login, there is a certain kind of user or admin who will fight to the death against removing the login for root and say how sudo is a security hole. I just don't get it.

Someone else also mentioned fail2ban. I endorse that too.

--
BMO

Re:Sleep well at night.

[magamiako1]

From the article it appears it had nothing to do with whether or not root login is turned on.

Remember, OpenSSH runs as the root user even if root logins are not accepted. Exploiting a vulnerability in OpenSSH isn't entirely out of the picture.

A more proper way to do things is to force a VPN scenario to manage your servers. Try to run known proven VPN hardware from major vendors (such as Juniper and Cisco) where the hardware they use is special purpose (and not running a lot of extra fluff), which limits your attack surface. Then you enable management of your machines via the VPN.

FYI: I have seen video proof of a current version of OpenSSH with a remote escalation exploit that has yet to be acknowledged or patched. The exploit code was supposedly purchased by Apple. The demonstration was run on Ubuntu 11.10.

Re:Sleep well at night.

[knarfling]

From the article it appears it had nothing to do with whether or not root login is turned on.

Sorry, but the logs from both servers in the article (second link) do show that they both accepted a password for user=root from a remote IP address. That doesn't happen when sshd_config is set to prevent remote root logins. The sshd logs should show a normal user logging in. The secure logs should then show the su or sudo with privilege escalation.

Even though OpenSSH runs as root, that does not mean that anyone who connects in has root privileges. If the exploit allowed someone to connect in as root when PermitRootLogin is set to no, that would be very, very scary.

BTW, I am not claiming that there is no exploit or that they did not use one. It seems very possible that they could have used the exploit to gain access the first time, changed or found a way to guess the root password and then logged in as root from then on. On server from 2009, it appears that they did not do that since there were several bad password attempts for user=root before they got in. But they could have done it on the other server.

A more proper way to do things is to force a VPN scenario to manage your servers. Try to run known proven VPN hardware from major vendors (such as Juniper and Cisco) where the hardware they use is special purpose (and not running a lot of extra fluff), which limits your attack surface. Then you enable management of your machines via the VPN.

A good VPN is definitely a good idea for the first line of defence. But that should not be all. Some people cannot afford the VPN hardware, and have to make do without it. Even with it, you should still limit remote root access. That makes a breach that much harder to accomplish. At my company, we happen to use both. In addition, we have monitoring set up so that even if someone does access the root user, we get alerts.

Re:Sleep well at night.

[magamiako1]

You employ good security measures IMO :)

Even if attackers can remove relevant logs they have no guaranteed knowledge of what your logging is doing and triggering upon first entry (hopefully). A root login or escalation that triggers an e-mail is something they're very unlikely to catch before you are notified about the intrusion.

Re:Sleep well at night.

FYI: I have seen video proof of a current version of OpenSSH with a remote escalation exploit that has yet to be acknowledged or patched. The exploit code was supposedly purchased by Apple. The demonstration was run on Ubuntu 11.10.

And I'm the Queen of Sheba.

Re:Sleep well at night.

[DrBoumBoum]

1. Don't run services you don't need.

You'd have to know what services you truly need. I remove all obvioulsy uneeded services on any new CentOS installation but always stop at these ones: acpid, auditd, cpuspeed, haldaemon, irqbalance, messagebus, microcode_ctl and possibly kudzu and sysstat. Do I need them? I just have no idea and no willingness to try.

2. If you do need sshd running, install denyhosts. 3. If at all possible, run sshd on a nonstandard port.

#3 keeps the logs quiet from bots trying to jiggle a door handle that isn't there on 22.

No. You just shouldn't have SSH accessible from the outside, period. Use OpenVPN if you need remote access, it's free.

Re:Sleep well at night.

[bmo]

You know, I had a reply half thought up, but then all I have to say is this now:

Thanks for jumping down my throat.

Piss off.

--
BMO

Re:Sleep well at night.

[pclminion]

If you must have remote root access, make them log in as a normal user and su to root.

Can somebody please explain how this is safer than just logging in as root?

Re:Sleep well at night.

[knarfling]

There are several ways that this is safer.
1. It removes the known user problem. Since root is a user on all Linux boxes, if I want access, all I have to do is to find a password. I only have to discover one piece of information. If root cannot log in, I must now find three pieces of information, a username, a password for that user, and the root password.
2. It discourages scripting attacks. Since root cannot get in, I would need to modify my script to try common usernames, or try specific usernames for each company or server I am attacking. While this does not block attacks that are targeted directly against me, script writers going after the easy targets are unlikely to spend the time needed to figure out what usernames are valid for my servers.
3. If I do breach a computer with a specific username, I now have two avenues of approach. I can try to exploit another hole that allows privilege escalation, or try to determine a root password. Guessing, using dictionary attacks/ribbon tables, or brute force methods take time. This increases the odds of being detected by Host Integrity Monitors (If they are being used). There is no guarantee that the server has the software with an exploit is deployed on that server, or that the users I have compromised has access to that software.
4. Logging. Instead of one part of a log that might be missed showing that I logged in as root, I now have multiple log entries. At least one showing that I logged in as a normal user, and another showing that the user had escalated privileges. Again, increasing the odds that I will get caught. Hopefully before I can do any damage.
5. Although this does not appear to be common, at least one company I know has monitoring set up to detect root access. A second local account is set up with root privileges. Admins sudo to the second account and only admins have rights to sudo su to it. The root is given a very, very complex password that is hidden. Traps are placed so that all admins are alerted if anyone at all logs in as root. If I get an alert in the day that someone is logging in as root, I can check with other admins to see who is doing what. If I get an alert at night, I can guess that my server has probably been breached and I can take appropriate steps. I don't get alerts for normal occasional root functions, but if someone does breach my servers, I know before they can do much.

These are just a few ways that using a normal user and then forcing su or sudo to root is safer. There might be more that I don't remember at the moment. BTW, this does not prevent all attacks, but it does help.

Re:Sleep well at night.

[pclminion]

Some of those are good points, but several of them seem to be logically equivalent to "use a longer root password." You can argue that logging in as a user, then su'ing to root requires more information, but I can just cat those three bits of info together and use that as the root password. You might as well just pick a longer password.

Re:Sleep well at night.

holy shit don't cry yourself to sleep tonight, sweetie

A CentOS user responds

Here's the post I just made to Kaspersky labs:
I found this very interesting, having followed the link from slashdot. Two details stand out, esp. after speaking to my manager about the sshd business: first, why would they yum update openssh, since you report they installed 5.8 from an ubuntu/debian source package. CentOS 6, like RHEL 6, is running 5.3p1 (with all known security fixes backported by upstream)?

Secondly, my manager agrees with the previous poster: you update to prevent other attackers' access. After all, their attacks might break your attack.

Finally, this indicates very, very bad password policy on the part of the compromised servers. If these belong to corporations, management should be looking very hard at why they were so easily broken... and why they're not running brute-force resistance, such as fail2ban.

                  mark

Re:A CentOS user responds

[Culture20]

why would they yum update openssh, since you report they installed 5.8 from an ubuntu/debian source package.

Because the rpm database would list openssh as the latest RHEL version if it were audited, but they could modify the ubuntu source before compiling it to allow for a back door?

They got it backwards

[David+Frankenstein]

I would think this points to an exploit in SSHD 5.x, not 4.3. Once I brute-forced into a system, I would think the first order of business is to ensure I can get back in if the password is changed, not to patch the little-known exploit I used to get in in the first place.

Re:They got it backwards

[gatkinso]

Patch the hole because you don't want someone else (say a pron spammer) to come in behind you and end up getting caught (or screwing up your server). But yes there could be an exploit they are using in 5.x as well.

I suspect it was not a brute force attack, they simply disguised the exploit as one so that it falls into the noise of the hundreds of brute force attacks each day.

Re:They got it backwards

No, if you have a target of interest, particularly one containing sensitive and/or valuable data, you sequester access for yourself and remove any attempts at gaining access for your competition. Standard practices for those in the "industry."

Re:They got it backwards

[magamiako1]

This guy ^

broken forever

there are three things the "government" will never allow to function properly:
1. BIND
2. OpenSSH
3. the linux dekstop
by any means, even "under-cover" government spies posing as open-source programmers.
it's kind-of-like a missile defense shield but of cyberspace, isn't it obvious?

It's cute when dogs walk on their hindlegs

and pretend that they're people; it's cuter when apk reveals that he keeps track of his comment moderations and pretends that they're Academy Awards.

Alex is a performance artist, right? I mean c'mon, what kind of sad fuck would keep an actual log of his anonymous comments?

Not bruteforce but dictionary attack

The compromised Linux servers were not attacked by bruteforce, but by a dictionary attack. Get a dictionary of say 10,000 common English words, and in automated succession try every one of them for the password. If its a common word, then you don't have to try millions or billions of unlikely words or jumble of letters that aren't normally a word, a mere 10,000 will do the trick. This is why security people insist on using passwords that aren't common words (or even uncommon words), but rather a mix of letters, numbers and punctuation: it defeats dictionary and ribbon table attacks.

"Rinse, Lather, & Repeat"

http://it.slashdot.org/comments.pl?sid=2551740&cid=38216998

APK

P.S.=>

"apk reveals that he keeps track of his comment moderations and pretends that they're Academy Awards. Alex is a performance artist, right? I mean c'mon, what kind of sad fuck would keep an actual log of his anonymous comments?" - by Anonymous Coward on Wednesday November 30, @01:46PM (#38217124)

They're useful for illustrating that many others here disagree with your initial comments (off topic illogical adhominem attack trolling ones directed MY way) on my posts' quality!

Via showing you're outnumbered 75:1 in your "opinions", off topic trollish ones though they are from you, here http://it.slashdot.org/comments.pl?sid=2551740&cid=38216686 are effete & useless...

Facts, documented undeniable ones such as I used vs. yourself and in my initial post on Linux security being shredded this past year alone?

Heh - they ALWAYS "blow away" trolls such as yourself... & all you're left with?? More trollish off topic illogical adhominem attacks, lol...

... apk

Linux enjoyed years of "security-by-obscurity"

Nobody uses Linux on desktop essentially http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10

THUS , nobody bothers attack it on those grounds!

Simply because of that. Linux has been enjoying "Security-By-Obscurity"!

Penguins, here on /. especially for YEARS NOW, have attempted to mislead others on that note that "Linux = secure", when lately where it's being used, it's being shown as ANYTHING BUT THAT!

Per my 1st posts current, undeniable, & documented facts from reputable sources on that very note, here:

http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752

and more over time also...

* FOR EXAMPLE: ANDROID however, being a Linux variant? It has become "the Windows of the smartphone world" in terms of usage/mindshare/marketshare!

(Thus, ANDROID, a Linux variant which uses a Linux kernel, shows that once Linux DOES get into the hands of "noob users" (for lack of a better expression, I am a "noob" too in various areas so not "putting them down" for being ignorant of things security on computers), it can be SHREDDED, & has been, for years on the very note I speak of - security by obscurity no longer works in Linux' favor there!)

It wouldn't on the desktop either were it higher than a 1.19% overall usage/marketshare/mindshare of the mass of both PC & Server usage... period.

APK

P.S.=> Hacker/cracker/malware makers (& the like)?

Hey - They're just like PICKPOCKETS near trains & in subways or malls + streets: They go where the MOST PEOPLE ARE (potential victims) & on PC desktops especially, that's Windows!

Linux doesn't qualify on PC desktops where the MOST vulnerable users are, not a worthy enough target because NOT ENOUGH USERS OF IT ON THE DESKTOP TO JUSTIFY THE TIME & EXPENSE ATTACKING IT ON PC DESKTOPS, not enough "ROI" for them!

Different story on smartphones though, again, look @ ANDROID being torn up security wise, month in & month out for YEARS now!

(Especially on end-user desktops, Linux just isn't used, & was "hiding behind 'security-by-obscurity'"... especially where the most easy victims ALWAYS are, on PC desktops usage, with they NOT being "security gurus" & OS' setup, by default, FAR weaker security-wise than they can be IF "security-hardened")...

... apk

duqu definition in short

[boldi]

http://en.wikipedia.org/wiki/Duqu

Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report, naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.
Symantec, based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet.

More likely Duqu==Stuxnet==Stars. Same guys, different vulns, different tools. Duqu is an instance made from a lego-kit.

Re:Thank you & more inside... apk

[chill]

People don't like your posts for several reasons.

1. You compare Apples to Oranges. Specifically a fully-hardened Windows system to an out-of-the-box Linux distro.

2. You're overly sensitive to little criticisms. This is easily seen by the thread you linked to on the PC Pitstop forum. (Side question -- why are you banned from there?)

3. Your childish references to things like "open sores" ranks you right down there with the people who call it "M$". Grow up.

4. You seem to confuse the OpenBSD crowd and their "secure by default / no remote hole in XX years / we are unhackable" attitude with Linux supporters. Though, admittedly, there are fanboys and fanatics in every camp.

5. Some of your indirect links are questionable. For example, from the PC Pitstop forum article you lauded this link on IPSec. http://www.analogx.com/contents/articles/ipsec.htm

I'm unsure how to respond to that other than to say WTF? That has as much to do with IPSec as your post does with ice skating. It is talking about configuring a host firewall and never mentions anything about, well, IPSec!

Finally, one of the main security benefits a Linux system has over Windows is the ability to REMOVE any component that isn't needed. Not just disable, but actually remove it totally.

Custom Linux kernels can be built to support only the hardware on a specific machine. Entire classes of devices, from the printing subsystem to networking can be removed totally. You can't do that with Windows.

Others disagree w/ U, 75:1++... apk

"People don't like your posts for several reasons." - by chill (34294) on Wednesday November 30, @02:45PM (#38217842)

Many others in this partial list below of my posts modded up over time, clearly shows otherwise:

---

Roughly 75++ of them & I post as AC (hard to get even +1, as /. hides our posts & we "AC"'s start @ ZERO/0 points, unlike registered "lusers", lol!):

+5 'modded up' posts by "yours truly" (4):

HOSTS & BGP:2010 -> http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450
TESLA:2010 -> http://science.slashdot.org/comments.pl?sid=1872982&cid=34264190
TESLA:2010 -> http://tech.slashdot.org/comments.pl?sid=1806946&cid=33777976
NVIDIA 2d:2006 -> http://hardware.slashdot.org/comments.pl?sid=175774&cid=14610147

----

+4 'modded up' posts by "yours truly" (3):

INFO. SYSTEMS WORK:2005 -> http://slashdot.org/comments.pl?sid=161862&cid=13531817
WINDOWS @ NASDAQ 7++ YRS. NOW:2009 -> http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315
CARMACK'S ARMADILLO AEROSPACE:2005 -> http://science.slashdot.org/comments.pl?sid=158310&cid=13263898

----

+3 'modded up' posts by "yours truly" (6):

APK MICROSOFT INTERVIEW:2005 -> http://developers.slashdot.org/comments.pl?sid=155172&cid=13007974
APK MS SYMBOLIC DIRECTORY LINKS:2005 -> http://it.slashdot.org/comments.pl?sid=166850&cid=13914137
APK FOOLS IE7 INSTALL IN BETA HOW TO:2006 -> http://slashdot.org/comments.pl?sid=175857&cid=14615222
PROOFS ON OPERA SPEED & SECURITY:2007 -> http://slashdot.org/comments.pl?sid=273931&threshold=1&commentsort=0&mode=thread&cid=20291847
HBGary POST in Fake Names On Social Networks, a Fake Problem:2011 -> http://tech.slashdot.org/comments.pl?sid=2375110&cid=37056304
APK RC STOP ROOKIT TECHNIQUES:2008 -> http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261

----

+2 'modded up' posts by "yours truly" (10):

HOW DLL API CALL LOADS WORK:2008 -> http://tech.slashdot.org/comments.pl?sid=1001489&cid=25441395
APK TRICK TO STOP A MALWARE:2008 -> http://tech.slashdot.org/comments.pl?sid=1010923&cid=25549351
DOING SHAREWARE 1995-2004:2007 -> http://it.slashdot.org/comments.pl?sid=233779&cid=19020329
MHTML SECURITY BUG FIX IE:2011 -> http://tech.slashdot.org/comments.pl?sid=1973914&cid=35056454
EXCEL SECURITY FIX:2009 -> http://it.slashdot.

Re:Others disagree w/ U, 75:1++... apk

[chill]

I understand you have provided useful and informative posts. I was responding to YOUR assertion that the "Penguinistas" get up in arms about your posts. If they are a small minority, then why complain?

Why didn't you respond to my point that you were comparing well secured Windows systems to out-of-the-box Linux systems?

Posting links of compromised Linux systems doesn't "prove" anything. I can match every one with ten on compromised Windows systems. However, in neither case can it be demonstrated that they were properly secured.

You also didn't address my question of why you've been banned in the PC PitStop Forum, nor why I considered Linux superior for security -- because of the modularity that Windows simply does not have.

As for Android, a phone is a different environment. That would be like me pointing out that lack of reports of hacked supercomputers running Linux. Total security! Right? No -- an environment you can't compare to standard desktops and servers.

Re:UR offtopic & use illogical adhominem attac

Funny how you never even mention all the "-1 Troll", "-1 Flamebait", "-1 Offtopic" posts that you've had and that are almost exact copy/paste of the aforementionned posts modded positively by clueless mods not knowing who and what you are ...

All these "-1-modded" posts largely conterbalance your list here above

Go Peter ! Go ! Now, just threaten to sue someone like you're used too (remember Jeremy, Thor and the others ?) and call me a troll without answering any of my questions, points and proofs that you're dead wrong on almost everything you say (you're right though : there is no such thing as a secure OS, be it OSX, linux, windows or BSD).

Keep up that awesomeness of yours Peter, we'll always love you and try do decipher your unreadable posts to make something out of it (not !)

On the Internet now, they call me "The One who kicked APK's ass" :-)

Re:AC troll that "kicked my ass" (lol, NOT)

Oh poor poor poor Peter, There is a World PR conspiracy against you ...

I'll paraphrase though:

It just takes one unknowing slashdoter or Windows PR flack to plus-moderate any comment (i.e. APK's rant). Unfortunately, once PR agencies and so on started paying people to moderate online communities, and to have hundreds of accounts each, things changed

And could you be kind enough to remind us exactly WHY you got banned from that website : pcpitstop.com after they realized that you should never ever have won that 100$ prize ? (if you even give me the links needed to kick your ass again and again, it won't be funny anymore Peter)

Oh, by the way, so that everyone knows, Peter/APK is convinced that Duqu attacks Microsoft Office through Word Macro and goes as far as calling people trolls and whatnot when they kindly point out his mistake (it's a TrueType Font problem Peter, do your homeworks) ! That tells you how knowledgeable he is ...

U musn't hang around here much

Since for yrs. that went on here on /. & along the lines of "Linux = good/secure, Windows = bad/insecure!

That was purest FUD and bullshit, especially in regards to the current documented verifiable facts I posted here:

http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752

To which I am getting in weak effete trolling retaliation, these types of responses:

---

A.) Technically unjustified mod downs on it seeing it from from +1, to 0, +2, to +3, & now +4 "interesting" ratings by others here now

OR

B.) Off-topic illogical adhominem attack attempts on myself in subsequent posts beneath it by trolls!

---

* Each trolling b.s. reply's simply failing weakly in resorting to either in the end!

(Especially since rather than disproving the documented current facts I used in my link above (ALL from reputable sources on Linux's security issues being exposed nowadays, rampantly...) all it seems the "penguins" can do, is act the trolls they are illustrating themselves to be, & weak/effete in doing so)...

U FAIL also, as the saying goes, on the same note!

APK

P.S.=>

"Yeah, go for it! You keep at it, pal!" - by Anonymous Coward on Wednesday November 30, @12:40PM (#38216232)

I will, & have AND have a +4 "interesting" rated post for it here (once more for your reference) currently:

http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752

All you & yours have is off topic illogical adhominem attack attempts @ trolling & technically unjustified mod downs in response to its documented current facts that indeed show Linux is FAR from what it's been oft stated to be on /. here, for years:

Along the lines of "Linux = good/secure & Windows = bad/not secure" type FUD)...

* Each failing weakly in resorting to either in the end, rather than disproving the documented current facts I used in my link above (ALL from reputable sources on Linux's security issues being exposed nowadays, rampantly...)

Funniest part is, ANY claims I make have concrete, verifiable, current documented information from reputable sources in my initial post that's generated a frenzy of off-topic illogical adhominem attacks...

You? You have ZERO on that account as far as backing your alleged "points" (some of which I agree with, but the fact remains that Linux != what was said of it here FOR YEARS NO LESS, misleading others)

... apkb

"Rinse, Lather, & REPEAT" (lol)... apk

Disprove the documented current facts from reputable sources I used here http://it.slashdot.org/comments.pl?sid=2551740&cid=38218414

Funny you avoid doing that eh? Can't be DONE is why!

---

* And, Yes, I freely admit that I've been banned from sites (the majority not, but a few over a 17++ yrs. long time online since 1994, & for a few years with a gap before it in academia in the 1980's)...

See, this will doubtless "escape you", since you troll as AC, but...

I figure you haven't LIVED until you have been banned from a forums!

OR

Rather, lived LIKE A MAN with some balls + faith in what he says!

(E.G.-> One like myself that doesn't try to hide behind AC trolling posts like yours, or using multiple 'usernames' rather than being himself!)

Heh - Trolls do that latter & it's widely known:

---

BBC News - Fake forum comments are 'eroding' trust in the web

http://www.bbc.co.uk/news/technology-15869683

---

OR HERE too (HBGary caught doing it)

An HBGary email that should concern you all:

http://www.dailykos.com/story/2011/02/16/945768/-UPDATED:-The-HB-Gary-Email-That-Should-Concern-Us-All

PERTINENT QUOTES/EXCERPTS:

"According to an embedded MS Word document found in one of the HBGary emails, it involves creating an army of sockpuppets, with sophisticated "persona management" software that allows a small team of only a few people to appear to be many, while keeping the personas from accidentally cross-contaminating each other. Then, to top it off, the team can actually automate some functions so one persona can appear to be an entire Brooks Brothers riot online... And all of this is for the purposes of infiltration, data mining, and (here's the one that really worries me) ganging up on bloggers, commenters and otherwise "real" people to smear enemies and distort the truth... "

and

"They are talking about creating the illusion of consensus. And consensus is a powerful persuader... And another thing, this is just one little company of assholes. I can't believe there aren't others doing this already. From oil companies, political campaigns, PR firms, you name it. Public opinion means big bucks. And let's face it, what these guys are talking about is easy."

and

"To the extent that the propaganda technique known as "Bandwagon" is an effective form of persuasion, which it definitely is, the ability for a few people to infiltrate a blog or social media site and appear to be many people, all taking one position in a debate, all agreeing, for example, that so and so is not credible, or a crook, is an incredibly powerful weapon."

---

* Nuff said, proofs in the pudding (via my usual style, documented proofs thereof of things I state, which you are welcome to disprove!)

APK

P.S.=> In the end, as per your stalking/trolling off-topic illogical adhominem attack using methods?

You're VERY easy to "dispatch" via documented facts + truths I use, & you only vindicate me vs. your off-topic illogical adhominem attacks even moreso, which ruins that for you also, easily (which only make you look a fool)...

... apk

Re:"Rinse, Lather, & REPEAT" (lol)... apk

So basically you're admitting and giving proofs via documented facts that there is an army of people modding up your posts and that you're a multi-banned troll ?

Re:"Rinse, Lather, & REPEAT" (lol)... apk

People mod up apk's posts. Ur an off topic illogical adhominem attack using ac troll by comparison. Apk uses documented facts and u use off topic illogical adhominem attacks. Wonder who people will believe (not u). U troll by ac and expect us to think ur credible on that account? Give us a break troll.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

Using a fake supporter to support u APK, that's what u usually do when ur outrun and ass-kicked by your opponent because he uses your highly illogical adhominem troll reasonning against yourself.

They call us "The Ones who kicked APK's ass ... several times in a row"

Re:"Rinse, Lather, & REPEAT" (lol)... apk

Wrong. I'm not apk, I have an account but won't post with it so u can troll me as u do apk using ur trollish off topic illogical adhominem attack useless replies that only show how dumb u r.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

oh please apk, who do you think you're fooling ?

1. you're making the same grammar and phrase construction mistakes that you're the only doing ... ever.

2. everytime in every thread you get your ass kicked the same anonymous coward suddenly appears saying the exact same things (and applying point 1. of course)

oh man, it's so hilarious to see you do that everytime that I just can't stop laughing :-D. It's like a meme inside a meme inside a meme.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

So basically you're admitting and giving proofs via documented facts that there is an army of people modding up your posts and that you're a multi-banned troll ?

Where is my "+1 Funny/Insightful" mod when I need it ?

Re:"Rinse, Lather, & REPEAT" (lol)... apk

Wrong again. Take your paranoia medication.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

Yeah, keep talking apk, as if we're going to believe an anonymous coward troll is not yourself

And I suppose you finally had your PhD in Psychiatry ? Did they give it to you at the same time as the PhD in Computer security ? because if you don't have any of these then you're just talking out of our ass

Bye Peter, always a pleasure (... for me to kick your ass as usual of course)

Re:"Rinse, Lather, & REPEAT" (lol)... apk

You're an anonymous coward troll.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

I beg to differ, I'm an anonymous coward troll's ass kicker, that's different.

Re:"Rinse, Lather, & REPEAT" (lol)... apk

U kicked ur own ass ac troll. Trolls like u always do.

Re:AC troll that "kicked my ass" (lol, NOT)

you're lying, once again, reimer never was "caugt for libelling you" nor has he ever admitted impersonnating you, and is ISP/law enforcement never did anything with regard to him. all you said about that is just your usual BS APK. besides you don't even have a lawyer, you're just an old LIAR stalking troll and that's it.

Keep riding that rollercoaster.

Whew! A comment got moderated, I feel so ALIVE! THIS IS THE GREATEST FEELING IN THE WORLD. I can't believe people actually pay to go to amusement parks when they can get the same thrill by making posts on the internet for free.

Re:Keep riding that rollercoaster.

Stay on topic. Duqu rootkits served on Linux servers.

Facts over @ Windows IT Pro show otherwise

Quotes of Reimer's words, from his original website, are cited in my source from WindowsIT Pro - see the link below!

(Which Reimer then moved his website, & started up again elsewhere on another hosting provider, iirc, himself now as Jay Little who did the same + suggested Reimer do that no less!)

Jay Little, Reimer's 'partner in crime' was ousted from CrystalTech.com for the same no less, suggested he do that (move site to another server, one of his own preferably)

In fact - the folks from CrystalTech told me that Jay Little & Jeremy Reimer would do that in fact (& they have, just be recidivistic criminals & start it on another server again!)

That's again, ALL here, quoted as it happened & from the original sources:

http://www.windowsitpro.com/article/internals-and-architecture/the-memory-optimization-hoax#feedbackAnchor

* Jeremy Reimer, & Jay Little did all of what I stated, impersonating myself & others, email harassing myself, making threats to myself, editing my posts on arstechnica (which I caught GOD & MWNH using the SAME EMAIL ADDRESS for doing, proving they're the same guy, lol) & it was documented years ago!

(Reimer can change servers or hosting providers all he wants to, & re-alter his website all he wants, but the facts are set in stone over @ Windows IT Pro... no getting around that!)

APK

P.S.=> Who are you trying to fool now? Yourself?? Please... lol!

... apk

Re:Facts over @ Windows IT Pro show otherwise

Now you're just bullshitting, there is nothing on that Windows IT Pro "article" that proves anything, it's just a bunch of anonymous posts and a zillion bunch of your posts/rants/whatever you call that (sorry for the late reply by the way, we had to "read" all that crap). Proves only that you're desperate and have no ground to stand on for your absurd an irreal claims (nothing, nuts). However Reimer and Thor severly pwned you, that's what everyone can actually see with some googling.

Re:Facts over @ Windows IT Pro show otherwise

U need 2 learn 2 read better.

Re:Facts over @ Windows IT Pro show otherwise

You need to learn to write better

I'm almost ashamed, this one was waaaaay too easy (2EZ ?)

Re:Facts over @ Windows IT Pro show otherwise

Speak for yourself and quit projecting your faults onto others.

obscurity security has value in some scenarios

[Onymous+Coward]

For the case of most worms and other such automated attacks, moving your service from its default port is actual defense.

I can imagine worms that port scan looking for service signatures, but I haven't heard that that's common. Anyway, scanning lots of ports per machine would greatly slow a worm down or make an automated attack more obvious (showing up in more service logs).

Re:WTF is "Duqu", and why should I care?

So why waste 20 seconds typing this post?

(Ditto, squared, rhetorical, with cherries on top. Nyah nyah nyah.)

I love trolling you.

I can just write one sentence, and make you waste your time responding with 10 paragraph rants. loladhominemhosts=>apkfartpoop

Re:I love trolling you.

u have issues

apk is not a troll

Funny how u don't recognize the superior knowledge that is => only available 2 meth-binging autistics.

INFO. SYSTEMS WORK:2005 -> http://slashdot.org/comments.pl?sid=161862&cid=1353181
WINDOWS @ NASDAQ 7++ YRS. NOW:2009 -> http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315
CARMACK'S ARMADILLO AEROSPACE:2005 -> http://science.slashdot.org/comments.pl?sid=158310&cid=13263898

Check upratings++ if u dare...apk HOSTS

Re:apk is not a troll

I read this instead http://it.slashdot.org/comments.pl?sid=2551740&cid=38218006

Re:AC troll that "kicked my ass" (lol, NOT)

[Jerry]

Wow, windy fellow, aren't you?

Your rant has one HUGE hole. Your citations are about one-off manual attacks against Linux. Not a single case involves a large group of Linux boxes being compromised by with a single email sent out from a spam box.

Most attacks against Windows boxes are carried out by a simple email payload. That's how the 4,500,000+ Windows zombie bot farm was created last year within a couple of weeks. A Linux zombie bot farm was found last year as well. It contained only 700 boxes and it took the group of hacker who created it nearly six months to do so because they had to manually attack each machine. They ran dearjohn against who knows how many machines trying to find those with insecure root passwords. 700 in six months. They immediately secured those machines against all known exploits and used them for C&C machines to control much, much larger Windows bot farms because Linux IS secure. How many C&C Windows boxes have you heard about?

Ur argument has 1 huge hole

"Your rant has one HUGE hole." - by Jerry (6400) on Wednesday November 30, @05:51PM (#38220432)

Your mouth, lol (as well as your "trolling forums 'illogic-logic'"):

Clue/New News/Newsflash:

Linux is hosting Duqu: That's the topic!

Linux's victimized 2 victimize other systems that are targetted/susceptible by Duqu. More widely used ones, like Windows, & on systems overall on PC's + Servers on the most used hardware platform for them in x86!

My 1st post has documented recent facts regarding Linux's overall security track record the past few months now:

http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752

In real-world security-breach scenarios on many levels ontop of the topic (inclusive of the sourcecode repository for Linux & the CA's (bad, bad, bad for SSL)).

(With ANDROID, lol, it's YEARS of nearly unending attacks/exploits too).

Anyhow, per that link above? Once more:

You're welcome to disprove the data there in my 1st posts' link above

* ... Good luck, lmao, you'll NEED it!

APK

P.S.=> Your argument has 1 huge hole: Your mouth (& b.s. that issues from it)...

... apk

You really don't hang on /. much, do you?

"I understand you have provided useful and informative posts." - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

I look @ it more as posting simple undeniable truths (because I more often than not use backing documentation from reputable sources to support points I make in my posts).

---

"I was responding to YOUR assertion that the "Penguinistas" get up in arms about your posts. If they are a small minority, then why complain?" - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

Around here, on THIS site? /.?? Man, see my subject-line above... they're the MAJORITY here & have been for years to decade++ now!

---

"Why didn't you respond to my point that you were comparing well secured Windows systems to out-of-the-box Linux systems?" - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

They're ALL sent out not nearly anywhere as well secured as is possible is why... CIS Tool (try it sometime, it's multiplatform security benchmark based on industry best practices)...

---

"Posting links of compromised Linux systems doesn't "prove" anything. I can match every one with ten on compromised Windows systems." - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

Hmmm, but 1/100th of systems out there use Linux, thus, they're less of a target & not worth as much time (especially in the past) to target by "hacker/cracker" malicious types... not enough "ROI" attacking them @ the desktop home users level really (though Android shows otherwise, that once a Linux gets used more, it will be as attacked as Windows is on PC's &/or Servers).

Especially the most victimized market segment - Windows users, & mostly end-users @ home!

---

"However, in neither case can it be demonstrated that they were properly secured." - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

The same can be said for Windows boxes compromised over time, & the Linux examples I used PRETTY MUCH PROVED THEY WEREN'T PROPERLY SECURED BY BEING BROKEN INTO!

---

"You also didn't address my question of why you've been banned in the PC PitStop Forum" - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

I had an argument with a moderator iirc... that'll usually do it, but I could be wrong. People actually got "up in arms" about my being banned there though (which was nice), but no biggie - the owner & I are on speaking terms & have conversed via email before after it (regarding his working for NVidia or wishing too - he codes a decent diagnostic tool for video called GPU-Z is why).

---

"nor why I considered Linux superior for security" - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

I don't - it's mainstream kernel has more bugs & more unpatched bugs than does Windows over time, & again, per this article & others I cited from the past 3-4 months also show Linux security breaches like mad (important stuff too, like the linux sourcecode repository & CA's used for SSL!)

---

"-- because of the modularity that Windows simply does not have." - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

Linux doesn't the user mindshare or marketshare Windows does between Servers &/or PC's combined though, not anywhere NEAR it (1.19% for Linux, & what? 94.5% for Windows?)

---

"As for Android, a phone is a different environment." - by chill (34294) on Wednesday November 30, @06:58PM (#38221000)

It still shows that once a Linux is used more, it too can be turned into "security 'swiss-cheese'" (full of holes).

---

* There you go... nuff said!

APK

P.S.=> At least this dicussion wasn't a trolling off topic (totally) one like most replies I've gotten here so far... apk

What is sadder?

The man who only posts as AC, or the man who only posts as AC and also praises himself as AC?

Re:What is sadder?

The off topic troll who trolls others as ac, you, is the saddest of all.

Re:Agreed, 110%... apk

Is this some kind of silly joke or just a really bad ad? Either way, it's hilariously entertaining.

Re:Agreed, 110%... apk

We don't know anymore, the guy (apk) has been like that for the past 10 years or so ... (he also barks a lot but doesn't bite btw)

you're now classified as is mortal enemy though

Re:Agreed, 110%... apk

Replies 2 urself as ac while u ac troll's a joke http://it.slashdot.org/comments.pl?sid=2551740&cid=38231266

Re:Agreed, 110%... apk

you really don't have a job, do you ?

Re:Agreed, 110%... apk

Quit projecting your faults onto others.

Linux is "secure"? Bull-Shit!

"Linux IS secure" - by Jerry (6400) on Wednesday November 30, @05:51PM (#38220432)

Jerry, this all puts your bullshit to rest easily with CURRENT information:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/

---

Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

You get the picture...

* TOP THAT OFF WITH DUQU BEING SERVED FROM LINUX, PER THIS ARTICLE? You're FULL OF IT!

Period...

APK

P.S.=> Please Jerry: Your quote about "Linux is secure" BULLSHIT falls apart fast in light of the current information above about LINUX BEING ANYTHING BUT SECURE! Including its sourcecode, from kernel.org above...

... apk