Slashdot Mirror
Internet Auditing Project Results
The Internet Auditing Project has returned with some pretty grim results. From Jan 99, they tried to crack 36 million servers, and found that a huge amount of the machines, and some you would think aren't, are open. They've also made the program they used Bulk Auditing Security Scanner availible for download. Pretty disturbing results though-well worth reading.
What if that "someone" with a lame box is your ISP? What if it's the company you work for, your government? What if it's the Debian FTP servers (for example) and the intruders start introducing subtley-designed backdoors into packages that *you* download and install because *you* trust the server?
As they said in the report, we don't live in isolation on the Internet. If any host is insecure then there's usually a knock-on effect which could affect any one of us.
Rob Wilderspin
i read this on friday when it was posted to bugtraq and the story of their .jp box getting cracked should be enough to scare most slashdot readers i think.
I hardly consider 450,000 hosts out of 36 million to be a huge amount. In fact, it comes to 1.25% of the hosts. I thought this odd when I read the original BugTraq/Security Focus article on this subject. A big deal was made of the fact that 450 thousand hosts where vulnerable to common exploits, but nobody bothered to note that this was less than 2% of the tested hosts.
I think it was a neat project, I was very interested in the "super hack" that occurred on one of the participating scan servers, and I think the groups recommendation for an IDDN is a worthwhile project.
But I still am actually reassured, not scared, by the fact that less than 2% of the hosts in their fairly sizable test group were "wide open" (as I would consider any host that is vulnerable to a common exploit)
-Count Zero-
One word: bravo! If this one ever comes up, I'll gladly put away RC5 and SETI@Home to work on this. It's important that the Net be a secure place, and we need some kind of thing to ensure that holes are found and stamped out. While IDDN wasn't quite what I had in mind, it's definitely a winner.
Of course, law enforcement will hate IDDN; after all if there are no more security vulnerabilities how are they going to snoop on us^H^H^H^H^H^H^H^H^H^H^H^Hprotect us from evil terrorists?
Check If Hackers Were Smart at Hacker News Network . It expands a bit on the issue (mostly in the end of the article, but to understand you have to read everything).
In fact, if "them" can get into any box in the net, they could change our systems in a way we wouldn't be able to notice (read "Reflections on Trusting Trust"). Then any system we made from any of our systems would be compromissed too. "They" would have backdoors to any computer in the world, and there would be no way we could find out except out of sheer luck ("this system is acting strange, the foo feature is not working as the source says it should...").
See also Worst Nightmares Come Alive .
Aside from the criticly bad spelling and the grandiosity -- Seven hundred thousand vulnerabilities, gaping holes, wounds in the skin of our present and future information infrastructures, our dream for a free nexus of knowledge, a prosperous digital economy, where we learn, work, play and live our lives. -- I mean, puh-LEEZE . . . still, some interesting results.
Notice which vulnerabilities are the most common:
tooltalk 26.1%
bind 18.1%
wu_imapd 15.5% (hel-LOO! anyone hoooome??)
qpopper 12.4%
wwwcount 11.8%
rpc_mountd 10.8%
This was right before the big wave of tooltalk advisories came out so it may be somewhat less now.
What is instructive is that, face it, TCP/IP and all the associated dependencies are way too complex but we can't roll this back so get used to it. No reason to give up on tightening things, of course.
For an interesting view from another level, read Stephen Northcutt's new book Network Intrusion Detection (New Riders Publishing).
-------
Bill Gates Is My Evil Twin.
It seems to occur if you actually use the ``-l logname'' option (at least this is what triggers it for me). The problem seems to be with getopt() not seeing the ``logname'' part, returning 0 which then causes the segfault. I am at a loss at why this would be happening.
However, doing the full `make install' and running it as root with the default log file location (/usr/local/bass/bass.log) works for me.
In general this program seems a little shifty. For example, why is there the (default) ability to clear out it's argv[0] (and thus be less immediately detectable in the process table)? And why does it need a ``coward'' mode. It seems as if it was written to run on machines where it wasn't supposed to be.
"The crack was via an NT box, so the weakness was less in Linux itself than in NT. (NT has more holes than swiss cheese.)"
2: This is only an hypothesis, but is strongly supported by the fact that the entire attack only lasted an incredible 8 seconds! During which the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system, remove any (standard) traces of it's activity and log off.
3: Further investigation shows that this employee's personal NT box, connected over a dynamic dailup connection, had been cracked into 4 days earlier.
It appears that the crack was due to an NT box, not via it. The actual intrusion came in at the Japanese ISP, and the intruder already knew the username and password for both the ISP and SSH. Note that the phone call to the ISP is from an "untraceable overseas" number.
"The second vulnerability was SSH. Someone altered the SSH client to act as a trojan. This should not be possible - programs should be able to detect if they've been modified. Failing that, a virus scanner should be able to detect modifications."
They were using scanning and file comparator software. Even when the backdoor was identified and manually examined, they "could not detect any odd behavior"! Impressive.
"Thirdly, how did they get hold of the ISP password? The article said SSH was cracked, but not that the dial-in software was. "
There's no specific quote I can use here, but knowing the NT box was compromised leads me to believe that the ISP account was compromised shortly thereafter. I've tried L0phtCrack, it's an impressive program. If I can 'script kiddie' almost every NT machine I've ever worked on like this, getting the ISP account info out of the registry isn't much of a stretch.
I want to know how they ID'd the NT box in the first place. I don't know how they did that, and I can't even start to guess...
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
I shall ignore NT ;-) but 4 ssh ... nothing new either but yep, fair enough. But let me tell what one of the security experts in my former company told me : "If people tell you they have never been cracked, then they are either liers or haven't got a clue". In short there is no such thing as total security, as there is no such thing as bug free software. It is not about not getting cracked but about how long does it take "you" to detect that and how can "you" limit the possible damage. In so far a seemingly insecure system can be better than one that, seemingly, is secure. The first one might be one taken care of, the second one might be one where the admin feels happy about having installed the latest security software that does the it all itself. This is the reason I am not impressed as what those guys did was not even lightyears near to a security audit. It was fun for sure; sort of as they ate up a lot of resources and kept quite some people busy who have got better things to do, but that is all. Once you've read the paper that describes how tcp_wrapper came to life you know what *real* trouble means 8-}
No No No.. It doesn't matter if you are a small one man operation or not. If you are on the net and people are talking to you, you need to have some sort of basic security. If you are insecure, you open the doorway for crackers to get to anyone you touch. Lets say I'm a one man software writing business. I have a "free trail" on my web page.. I don't need to be secure, after all, I don't take credit card orders or anything. But, if a cracker penetrates my host, my free trail can be patched to open a few ports on their box. Oh, but no-one with anything to keep secure would download a free trail and just run it? Maybe not, but one of their employee's might, on his home pc.. "It's my pc, I'll install what I like".. then he ssh's into work.
How we know is more important than what we know.
I have a strong political interest in anarchy. My business model reflects that.
How we know is more important than what we know.
The whole thing is amature code dude. If you want something that isn't "amature" buy solaris and we all know how secure solaris is. Please, the reason why we use C is because it is fast and we can compile it anywhere. What's more it's been a static language for over 10 years. Sure, lets code everything in Java, then we have to write a JVM and a JIT and keep it conforming to Sun's specification. Bounds checking is all well and good but you bitch and complain when your code is too slow. C does what the programmer tells it to do, nothing more. Java does whatever the hell it wants to do and the programmer strugles with it to get it to do anything remotely useful in a reasonable time. Oops, I promised myself I wouldn't dis Java's speed.. JIT's make it pretty much equivilent to C speed so I can't really dis that.. but lets dis the fact that you need a support library about the size of mount everest to run anything with it. I'm all for a secure operating system, but it is going to come from people implementing intelligent programming with concern for security on their mind, not from some magical programming language with bounds checking.
How we know is more important than what we know.
Window managers run as the user, and do not listen over the network. As such, a buffer overrun in a window manager would not gain an attacker anything. X on the other hand, runs as root (and by default listens on port 6000). block port 6000 at the firewall, and tunnel X through ssh. If you're hyper-paranoid, boot off a write protected floppy, and run tripwire (binary and database) on a burned CDROM. make sure that tripwire is statically linked! Might want to put ssh on that CD too.
Oh, maybe we should all just install "FED-watch" and leave it to the "Internet Protection Agency" to keep us all secure. We're in an anarchy here, we can either embrace that or we can try to build up authoritarian governments to destroy it. IDDN is an idea that very quickly leads to the libertarian argument (as told by Robert Nozick in "Anarch, State and Utopia"): When living in an anarchy we will sometimes come to disagreements. Sometimes these disagreements will need brute force to resolve (Nozick doesn't beleive that people can resolve conflicts without resorting to violence) and we can't allow anyone to just attack anyone they like.. this leads to feuding, because people will sometimes over-punish those who wrong them, which will lead them to seek retaliation. So, we say, form a group (or a union) who agree that if one person needs backup, we'll all pop up and go and help them. This gets real tired, real quick, so we ask "isn't there someone I can just pay to do this" and someone stands up and says "yer.. I'll protect you if you pay me".. so we have these protection agencies that stake out certain territories and get people to pay them. Now, eventually someone from one territory has a gripe with someone from another territory and the protection agencies go to war. Some time in the future, they decide it would make sense to come up with some way of deciding who is right and who is wrong in this silly argument. They apply these rules and form a sort of "Federation" of protection agencies. However, there is always the man who doesn't want to pay a protection agency. What happens when someone, who is in a protection agency, wrongs him? He goes out seeking retribution and meets up with a wall of resistance. The man defending himself decides that he can't live without protection from the federation of protection agencies. So he signs up.. before long, everyone is expected to pay the protection fee, and the protection agencies start saying "no one has a right to perform acts of violence except us". This is the night watchman of the libertarian state.
From there we move on to people complaining that there arn't enough "public goods". So they start to form welfare societies and opera groups. These slowly get bigger and have trouble managing their money collecting, so they turn to the people who already have a good system of collecting cash - the state. Welfare and opera become another thing that everyone must pay for, and the "protection fee" becomes a "tax".
The alternative is to refute any form of authoritarianism.. because we know where it leads, to an all powerful state who spends billions of dollars on war planes when half the world is starving.
How we know is more important than what we know.
So we should stop trying to make cars safer? Obviously there are risks in anything, but if we can control them, we should take steps to reduce them. Obviously, there are some risks we have no control over. Computer security is not one of them.
With the speed and intimate knowlege shown by the intruder from Week 3, one name comes up.. Erwin!
;-)
I suppose after Columbia Internet got hit with the probe, Erwin took it personally. After having NT on it's drives before, I imagine it knew exactly how to get into the NT box and play around with everything to get the SSH going and eventually onto the Linux box.
It makes perfect sense =) That's what we get for messing around with an AI of that caliber
The article writer is correct when he suspects that military systems approved to process classified information must be specially audited and unconnected to the internet at large.
:)
As a point of caution to those about to grab this latest scanner and joyride, every military installation & network is monitored 24/7. I assure you, portscans are detected and the source IP recorded & blocked. (To be specific, for 15 days after the attack/intrusion; if it occurs again, further measures are taken.)
Of course, where I work, many of the CSSOs and TASSOs consider applying the latest patches/disabling the latest services to be rather a pain. But then, it's a research institution, and scientists don't like to sully their hands with such mundane matters.
Just wanted to reassure slashdotters that the military does take computer security very seriously. At some laboratories, you would have better luck sauntering in and sitting down at a computer physically, than messing around with network attacks.
The similarity I'm drawing on this is that these guys are, in effect, casing servers. Now the good or bad of the facts is something else.
I've come up with a few thoughts:
1) This seems to be beneficial information on the general state of security on the Net (poor)
2) Any sysadmin smart enough to check logs and not be lulled feeling secure should use this as a further wake-up call to review their services. Do they really need non SSH telnet services running? How are those firewall settings?
3) There are those out there who will always take things the wrong way.
I'm interested in seeing where this project ends up. With RC5 like support, or in jail like Mitnick.
--Humpty Dumpty was pushed!
[Now, a little more off topic...]
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
Yes, it sent chills down my spine when I read it as well. I've known such things were possible but didn't think anyone had yet gone to the trouble.
There are things you can do about it, though.
Some Unixes, including Linux and the freeware BSDs (all BSDs since 4.4, I think), have the concept of "securelevels". Set files to be immutable (under *BSD the command is "chflags schg somefile") and raise the securelevel above zero. This prevents everyone, including root, from modifying the file. At securelevel 2, the disk and memory devices are also read-only, to prevent doctoring that way.
This doesn't stop intruders from gaining root, but it can prevent them from trojaning everything and going invisible, or at least make it a hell of a lot harder.
The only way around it is to go to the console and bring the system to single-user mode. If some files or directories used in the boot sequence before the securelevel is raised aren't set immutable, it's often possible to modify them such that the securelevel will not be raised during the next reboot, so it's important to know what you're doing. Other than that, the only way for an intruder to trojan the system is to discover a bug in the kernel itself. There have been bugs found in the past, but they are much less plentiful than root exploits.
I'm realizing that something stupid like an obscene message on one of my stupid little web servers will probably get me in more trouble than a stealthy download of confidential files. Lock it all down. Only the paranoid survive.
Monty
Perhaps the greatest injustice in the scan is that they were only interested in insecure unix machines. Agreed, it is way more interesting to probe unix and a lot easier, but there are a massive number of windoze boxes that are just obviously sploitable. A bigger threat than the splill-on effect of hack-sniff-hack attacks is the "secret weapon" attack. Spend two days in softice looking at tcp/ip code for win98 and you are almost guarenteed to find a DOS attack. Look for a week or more and you will probably find a local sploit.. try your luck at a month and you should be able to find a remote sploit that will get you access to every web surfin' spud's computer. Everything else is downhill from there. When have a sploit that no-one knows exists, you only have to worry about the folks who burn their tcpdump logs every day and only then when you screw up. If you want your network secure, don't use microsoft.. don't let your employee's use microsoft.. but who want's a secure network anyways?
How we know is more important than what we know.
Think it over. They did what they could without being sent to hell. Now finding a known hole, a possible one, does not imply automatically this system is insecure. In addition some domains, even .com, are often used by small to tiny one man companies who just have not a./o. cannot afford the necessary infrastructure. My second criticism is about something like CERT is, well, superfluous. Contrary to their nice try CERT reports *are* about *real* and problems. Any CERT report is more informative than this accumulation of numbers. In short IMHO it was a good PR show within the possible limits and they are for sure qualified enough to go farther if they want to but they have done nothing for security, so thanks for the party and let's shoot the lights.
Actually, it's useless for anti-piracy. You can duplicate a program, bit-for-bit, thus pirating it, but with nothing changed.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Once inside, yes, KDE is going to listen, if it's running. X is a networked GUI, and any server that is active will listen to connections. If XDM(?) is running, that, too, will be listening for network connections.
KDE has almost certainly removed that buffer overflow, in more recent versions. If they haven't, they almost certainly will, soon. I think it's about as safe to install KDE as any other window manager. However, I -don't- advise leaving any window manager running, unless it's needed. They -are- complex pieces of software, and that means possibilities of bugs (memory leaks, etc) and security holes. If the computer is idly running a program that's a potential risk, for no reason but to put swirling patterns on a monitor that's turned off, you're better off with it shut down.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'd 1/3 agree with both of the above posts:
1. It's assumed that everyone is extremely proficient with the doors. I bet you'd be surprised by the count of simple enough ways to crack the whole-metal, patended lock and all-that door you consider absolutely invulnerable. 'Real-world' criminals spend years studying constructions of doors and locks.
2. Of course it's essential for such an effort to ask the 'door' owner in advance or at least to provide them with test results. However, I didn't find anything stating that this hasn't been done. Obviously, they can't put the whole list online but after this article is published one can address them for security audit log, I believe. Of course one needs to prove his rights
KuroiNeko