Internet Auditing Project Results
The Internet Auditing Project has returned with some pretty grim results. From Jan 99, they tried to crack 36 million servers, and found that a huge number of the machines, and some you would think aren't, are open. They've also made the program they used, the Bulk Auditing Security Scanner, available for download. Pretty disturbing results though; well worth reading.
What if that "someone" with a lame box is your ISP? What if it's the company you work for, your government? What if it's the Debian FTP servers (for example) and the intruders start introducing subtly designed backdoors into packages that *you* download and install because *you* trust the server?
As they said in the report, we don't live in isolation on the Internet. If any host is insecure then there's usually a knock-on effect which could affect any one of us.
Rob Wilderspin
One word: bravo! If this one ever comes up, I'll gladly put away RC5 and SETI@Home to work on this. It's important that the Net be a secure place, and we need some kind of thing to ensure that holes are found and stamped out. While IDDN wasn't quite what I had in mind, it's definitely a winner.
Of course, law enforcement will hate IDDN; after all if there are no more security vulnerabilities how are they going to snoop on us^H^H^H^H^H^H^H^H^H^H^H^Hprotect us from evil terrorists?
"The crack was via an NT box, so the weakness was less in Linux itself than in NT. (NT has more holes than swiss cheese.)"
2: This is only a hypothesis, but it is strongly supported by the fact that the entire attack only lasted an incredible 8 seconds! During this time the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system, remove any (standard) traces of its activity and log off.
3: Further investigation shows that this employee's personal NT box, connected over a dynamic dialup connection, had been cracked into 4 days earlier.
It appears that the crack was due to an NT box, not via it. The actual intrusion came in at the Japanese ISP, and the intruder already knew the username and password for both the ISP and SSH. Note that the phone call to the ISP is from an "untraceable overseas" number.
"The second vulnerability was SSH. Someone altered the SSH client to act as a trojan. This should not be possible - programs should be able to detect if they've been modified. Failing that, a virus scanner should be able to detect modifications."
They were using scanning and file comparator software. Even when the backdoor was identified and manually examined, they "could not detect any odd behavior"! Impressive.
"Thirdly, how did they get hold of the ISP password? The article said SSH was cracked, but not that the dial-in software was. "
There's no specific quote I can use here, but knowing the NT box was compromised leads me to believe that the ISP account was compromised shortly thereafter. I've tried L0phtCrack, it's an impressive program. If I can 'script kiddie' almost every NT machine I've ever worked on like this, getting the ISP account info out of the registry isn't much of a stretch.
I want to know how they ID'd the NT box in the first place. I don't know how they did that, and I can't even start to guess...
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
With the speed and intimate knowledge shown by the intruder from Week 3, one name comes up.. Erwin!
;-)
I suppose after Columbia Internet got hit with the probe, Erwin took it personally. After having NT on its drives before, I imagine it knew exactly how to get into the NT box and play around with everything to get the SSH going and eventually onto the Linux box.
It makes perfect sense =) That's what we get for messing around with an AI of that caliber
The article writer is correct when he suspects that military systems approved to process classified information must be specially audited and unconnected to the internet at large.
:)
As a point of caution to those about to grab this latest scanner and joyride, every military installation & network is monitored 24/7. I assure you, portscans are detected and the source IP recorded & blocked. (To be specific, for 15 days after the attack/intrusion; if it occurs again, further measures are taken.)
Of course, where I work, many of the CSSOs and TASSOs consider applying the latest patches/disabling the latest services to be rather a pain. But then, it's a research institution, and scientists don't like to sully their hands with such mundane matters.
Just wanted to reassure slashdotters that the military does take computer security very seriously. At some laboratories, you would have better luck sauntering in and sitting down at a computer physically, than messing around with network attacks.
Yes, it sent chills down my spine when I read it as well. I've known such things were possible but didn't think anyone had yet gone to the trouble.
There are things you can do about it, though.
Some Unixes, including Linux and the freeware BSDs (all BSDs since 4.4, I think), have the concept of "securelevels". Set files to be immutable (under *BSD the command is "chflags schg somefile") and raise the securelevel above zero. This prevents everyone, including root, from modifying the file. At securelevel 2, the disk and memory devices are also read-only, to prevent doctoring that way.
This doesn't stop intruders from gaining root, but it can prevent them from trojaning everything and going invisible, or at least make it a hell of a lot harder.
The only way around it is to go to the console and bring the system to single-user mode. If some files or directories used in the boot sequence before the securelevel is raised aren't set immutable, it's often possible to modify them such that the securelevel will not be raised during the next reboot, so it's important to know what you're doing. Other than that, the only way for an intruder to trojan the system is to discover a bug in the kernel itself. There have been bugs found in the past, but they are much less plentiful than root exploits.
I'm realizing that something stupid like an obscene message on one of my stupid little web servers will probably get me in more trouble than a stealthy download of confidential files. Lock it all down. Only the paranoid survive.
Monty
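The caveat above (immutable flags only help if every file consulted before the securelevel is raised is itself immutable) can be checked mechanically. This is an added example, not code from the thread: it parses constructed BSD `ls -lo` or Linux `lsattr` output, and the list of boot-critical paths is an assumption for illustration.

```python
"""Audit which boot-critical files lack the immutable flag.

Added example. BSD `ls -lo` prints file flags in the 5th column (schg =
system immutable); Linux `lsattr` prints an attribute string with 'i' for
immutable. A file in BOOT_CRITICAL that is still writable lets an intruder
keep the securelevel at -1 on the next reboot, defeating the whole scheme.
"""

# Assumed list: files read before rc raises kern.securelevel (adjust per system).
BOOT_CRITICAL = ("/boot/kernel/kernel", "/sbin/init", "/etc/rc",
                 "/etc/rc.conf", "/usr/sbin/sshd")

# Constructed sample output, not captured from a real host.
SAMPLE_LS_LO = """total 12
-r-xr-xr-x  1 root  wheel  schg         1234 Jan  1  1999 /sbin/init
-rw-r--r--  1 root  wheel  -             567 Jan  1  1999 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  schg,sappnd     8 Jan  1  1999 /etc/rc
"""
SAMPLE_LSATTR = "----i---------e---- /sbin/init\n--------------e---- /etc/rc.conf\n"


def parse_flags(output):
    """Return {path: is_immutable} from `ls -lo` or `lsattr` lines."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].startswith("/"):
            result[parts[1]] = "i" in parts[0]                 # lsattr line
        elif len(parts) >= 10 and parts[0][0] in "-dl":
            path = " ".join(parts[9:])                          # ls -lo line
            result[path] = "schg" in parts[4].split(",")
    return result


def unprotected(flags, required=BOOT_CRITICAL):
    """Boot-critical paths that are absent from the listing or not immutable."""
    return [p for p in required if not flags.get(p, False)]


def securelevel_ok(level, unprotected_paths):
    """Flags only bind root at securelevel >= 1, and only if nothing on the
    boot path can be edited to stop the level being raised next time."""
    return level >= 1 and not unprotected_paths


if __name__ == "__main__":
    missing = unprotected(parse_flags(SAMPLE_LS_LO))
    print("not immutable:", missing)
    print("securelevel 2 effective:", securelevel_ok(2, missing))
```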
Perhaps the greatest injustice in the scan is that they were only interested in insecure unix machines. Agreed, it is way more interesting to probe unix and a lot easier, but there are a massive number of windoze boxes that are just obviously sploitable. A bigger threat than the spill-on effect of hack-sniff-hack attacks is the "secret weapon" attack. Spend two days in softice looking at tcp/ip code for win98 and you are almost guaranteed to find a DOS attack. Look for a week or more and you will probably find a local sploit.. try your luck at a month and you should be able to find a remote sploit that will get you access to every web surfin' spud's computer. Everything else is downhill from there. When you have a sploit that no-one knows exists, you only have to worry about the folks who burn their tcpdump logs every day and only then when you screw up. If you want your network secure, don't use microsoft.. don't let your employees use microsoft.. but who wants a secure network anyways?
How we know is more important than what we know.
The second vulnerability was SSH. Someone altered the SSH client to act as a trojan. This should not be possible - programs should be able to detect if they've been modified. Failing that, a virus scanner should be able to detect modifications.
(Ideally, for an ultra-paranoid setup, the connection should be made via an IPIP tunnel, and connections refused from anything other than the correct end-point.)
Thirdly, how did they get hold of the ISP password? The article said SSH was cracked, but not that the dial-in software was. I assume they have thought of that. If not, the NT box and the ISP account are still wide open.
That the Linux kernel could be modified on-the-fly via a module is a serious security hole. That really needs to be fixed, urgently, IMHO.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
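The point raised here and in the reply above (a modified SSH client should be detectable, yet the comparator software missed it) comes down to where the comparison baseline lives: a hash list on the same box can be rewritten by whoever replaced the binary. This added example, not code from the thread, keeps a keyed (HMAC) manifest whose key is assumed to stay off the host, and walks through a constructed scenario of a trojaned client and a forged manifest.

```python
"""Keyed integrity manifest for critical binaries (added example).

Assumptions: the HMAC key is stored off the host (simulated by a constant);
the files and the 'trojaned' modification are constructed in a temp dir.
"""
import hashlib, hmac, json, os, tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key):
    """Digest every path, then authenticate the whole list with an HMAC tag."""
    entries = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(manifest, key):
    """Return (manifest_authentic, [changed or missing paths])."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, []            # list itself was edited: no digest is trustworthy
    changed = [p for p, d in manifest["entries"].items()
               if not os.path.exists(p) or not hmac.compare_digest(file_digest(p), d)]
    return True, changed


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, then the 'ssh' binary is trojaned."""
    key = b"offline-key-kept-on-removable-media"   # assumption: never on the host
    with tempfile.TemporaryDirectory() as d:
        ssh, ls = os.path.join(d, "ssh"), os.path.join(d, "ls")
        _write(ssh, b"ORIGINAL SSH CLIENT")
        _write(ls, b"ORIGINAL LS")
        manifest = build_manifest([ssh, ls], key)
        clean = verify(manifest, key)                       # (True, [])
        _write(ssh, b"ORIGINAL SSH CLIENT\x00backdoor")       # trojaned client
        ok, changed = verify(manifest, key)
        trojaned = (ok, [os.path.basename(p) for p in changed])   # (True, ['ssh'])
        manifest["entries"][ssh] = file_digest(ssh)         # attacker rewrites hash list
        forged = verify(manifest, key)[0]                   # False: tag no longer matches
    return clean, trojaned, forged
```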
Once inside, yes, KDE is going to listen, if it's running. X is a networked GUI, and any server that is active will listen to connections. If XDM(?) is running, that, too, will be listening for network connections.
KDE has almost certainly removed that buffer overflow, in more recent versions. If they haven't, they almost certainly will, soon. I think it's about as safe to install KDE as any other window manager. However, I -don't- advise leaving any window manager running, unless it's needed. They -are- complex pieces of software, and that means possibilities of bugs (memory leaks, etc) and security holes. If the computer is idly running a program that's a potential risk, for no reason but to put swirling patterns on a monitor that's turned off, you're better off with it shut down.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)