PCWeek Summarizes hackpcweek.com Test
Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus."
I think it's appropriate to suggest the extent to which one might have to go to really maintain a fairly secure system.
I also think it's appropriate for them to re-run the test on fairer ground, in light of claims that installing these 21 security patches is not a whole lot different from installing NT service pack 5.
Not to suggest that this test is all that useful as any sort of security benchmark. High-profile anecdotal evidence is still anecdotal evidence - if a famous person's Audi blows up that doesn't mean it's more prone to explosion than Joe Blow's Pinto.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
Here is the thing that irritates me about this article. The statement about no central repository for updates. What about Red Hat's errata section, how about Freshmeat and Linux Today?
I have also spent the last two days trying to download Service Pack 5 for NT. Sure Microsoft has a "central repository", but you are stuck with a 25-75mb file to download and Microsoft's site by itself is slow without having to try to download from Conxion. The farthest I've gotten is 10mb before the connection hung and I cancelled. We have 6 channels of a T1 here, and I'm only getting 3.2kb to Microsoft and on the download.
I think it is pretty obvious from the last two-three weeks that PC Week has done little or no research on anything they are trying to do or write about. It is my personal opinion that we should just ignore them. If they aren't going to take the time to research their articles and statements (think Journalistic Integrity) I'm not going to take the time to read their magazine.
Matt
ST no?
Anyway, ZDnet blew it on this "test" of Linux vs. NT. Particularly amusing was the quote "...21 security fixes published by RedHat that have only been out a couple of months..."
A couple of months? Come on give me a break! I check the RedHat Errata page at least once a week, and I'm not even running a contest.
You trash linux because you "knew" of a box that got hacked, so you jump on the W2K bandwagon because no W2K site has ever got hacked (at least no site ever publicized on ZDNET), so therefore W2K is more secure? And I do laugh at your purchase of a beta. Why? Because I will bet cold hard cash you will pay *yet again* for the privilege of buying the release product. Your claims of better security smell of astroturf marketing. Do you work in Redmond?
Another take on Eric Raymond's statement -
you also have 1000 would-be hackers looking at the code not in the interest of fixing it, but looking for a loophole that hasn't been exploited yet (and there's a lot of source code out there.)
If they didn't have the source, would they be as successful at finding these security holes?
> there is no central repository for testing or approving patches to the Linux system.
So, what about getting updates from RedHat, your vendor.
So, how is any other OS different. I go to Microsoft for WinNT updates (good luck finding them though). I don't go to MS looking for updates for third party utilities.
Linux is only the core kernel, most system utilities are from the GNU project and all other software is from third parties.
So how is this different again?
-- Remember: Wherever you go, there you are!
far from suicidal, still I get these tendencies... nope, limp bizkit lost my vote when they went for pepsi instead of coke. (sidenote: Negativland's DISPEPSI album, check it) But they should show up in Charlotte Nov 13, and I'll be there.
These jerkoffs only mention autorpm because various people have brought it up as a counter to their FUD that Linux is difficult to update ( A GALLING LIE ) and the ignorant manner in which autorpm is used as a shield by ZD shows they still do not care to acquaint themselves with the facts. They plainly do not know how autorpm works and they don't know it isn't the only tool appropriate to this question (if there really is a question). Yet they present themselves as experts, arbiters of facts. *spits*
But there really isn't any problem here to solve. No distraction they can think up will absolve them of their failure to inquire about system updates, the link to which is RIGHT UNDER THEIR NOSE ON THE RH DEFAULT DESKTOP. You don't even need to hit a "start" button to see it. Automated install or not, the updates are in your face; you have to actively ignore them not to know about it.
They are poseurs at best, proven LIARS, and probably LIARS FOR HIRE.
Note to John Taschek and friends: You can cover your ass all you like, but it stinks nonetheless. If you don't like our complaints, change your diet, don't tell me it's eau-de-Cologne.
I was present at the PC Week/Mindcraft setup^H^H^H^H^H"rematch", and met Pankaj. Let's just say that we have a difference of opinion when it comes to Linux and Free Software. I think it's a great thing. Pankaj thinks it's wrong to write Free Software. I'm not surprised to find the deck stacked a little unevenly in this 'experiment' as well.
Mark "Young Turk" Willey
BTW, if you're concerned about Linux security and Free Software in general and want to help do something about it, drop me a line. I've decided to dedicate the next part of life to this endeavor.
Mark
What amazes me the most about this guy is his arrogance. He knows he was dead wrong here; downloading RH RPMs and installing them is work a blind chimp could do. To imply that it's too difficult is just a cop out. It disgusts me that this guy simply refuses to come out and say "Okay, I didn't do everything I could have done because it seemed like too much work and I didn't know enough. My bad." He doesn't. Instead he BSes and makes up excuses. Forgetting his skills as a journalist he's a priggish bastard in my opinion with no more spine than your average amoeba. The best, most objective journalists are the ones who aren't above admitting they were wrong. From what I've read here this guy obviously is not one of them.
Even, back in the day, Novell Netware 3.x had patch lists several pages long.
How much you want to bet there's quite a few of these PC Week editors and "IT Managers" with an old Novell CNE tie-tack somewhere in their desk drawer. They know the routine - they've just forgotten.
Business. Numbers. Money. People. Computer World.
I think this is kinda funny.... **The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them. But no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their servers.** Kinda funny, we have no clue what M$ is installing on our machines every second that we are online...just struck me as odd that they would use this as a slam against Linux, but all inclusive patches from M$ that we can't check out for ourselves are a good thing for the biz...buncha savages in this industry
For you to be taken seriously, I don't think you should nest your Slashdot comment subject with sh*thead. Go play with Windows, child, I have some real software to write.
Actually you know EXACTLY what the service pack is installing, if you read what the service pack fixes and updates. There's a txt file that tells you exactly what is being updated, and why. I completely agree that the test should have had all patches installed, but I also agree that service packs are a good idea (and if you don't like service packs, all the fixes are available as hotfixes prior to the services, which can be installed singly)
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
cgi let him on the machine as nobody, cron (1 of the 21 unpatched holes) let him become root.
-- Don't Tase me, bro!
Oh Get over it! They clearly state that both NT and LINUX have many services turned on by default, and any administrator trying to operate a secure server should have these features turned off. This is not biased, no matter how much you want to think it is.
Sig goes here
You missed the last page where they have the "PC Week Labs recommends ..." chart. The second to last recommendation is "Install all vendor-recommended updates: Assign this task to a specific person within the organization. Allocate budget for it. Also subscribe to hacker magazines such as '2600' and patrol hacker Web sites. Read all CERT advisories."
After saying that a corporation wouldn't want to install patches as they were released, they certainly have a funny recommendation for NT administrators. Allocate budget? Subscribe to hacker magazines? All that, and all we asked for was 21 measly patches.
Sorry, PC Week. Get your act together, or step aside. I've got work to do...
-Brent--
21 patches? Come on, I'm not even a systems administrator and check Red Hat's errata section all the time. I run one box. It's at my house. I am the only one that uses it. I STILL check apply security updates. If ZD doesn't think a normal sysadmin would apply "21 security updates available for Red Hat 6.0, which had been out for only (My note: only a couple of months? Damn. I check the RH errata site once a week, and I am not even a sysadmin) a couple of months" then that is not a sysadmin I want even breathing on my box. Just my $.02.
Charlie
-- Child: Mommy, where do .sig files go when they die?
Mother: HELL! Straight to hell!
I've never been the same since.
Just like driving a car:
(D) to go forward
(R) to go backward
RedHat has the equivalent of a Service Pack available-- the updates. These updates contain a number of bug fixes, etc. And RedHat encourages users to get the updates.
So why don't people do it? Because none of the bugs are "well-known", i.e., they don't get news coverage on ZDNet, with headlines screaming "Sky Is Falling, LINUX Insecure!"
But Microsoft tends to get that. Partially because they write shitty software (let's be honest), and partially because it's a name that people recognize and will relate to. It makes for good sensationalism.
My solution, offered with tongue firmly implanted in cheek, is to sensationalize every exploit for Linux. "crond Found Insecure at 8:00 AM, Bob Young Not Answering Phone at Lunch Time!"
Seriously, though, maybe we need to put just a little more emphasis on getting the updates. Now we have an example-- "Hey, Joe, did you download the RH updates? They say that if PC Week had done that, they wouldn't have been cracked!"
Maybe PCweek should look at the number of patches for "established" Unix operating systems like AIX.
In the discussion that followed the successful crack, there was mention of AutoRPM as one solution for staying up to date. So PCWeek jumps in and says "AutoRPM is the only solution." Um.... ok. Or you could just subscribe to the Red Hat mailing list...?
They complain about how hard it is to remember "secure" passwords such as "[Athl!g" and how they had to keep a list (in cleartext I suppose) on a laptop. Try something like "TcIoOtLtWeD" which is nice and easy to remember.*
And of course, as everyone has mentioned, first they say that Red Hat had 21 security updates available, and turn around and lament that there's no place to go to see which security updates are available... durr....
Overall, they just sound clueless and/or heavily influenced.
*"This contest Is one Of the Lamest things We've ever Done."
I totally agree with your assessment.
I will go further and say that it is obvious that this whole test was simply a horse and pony show to prove that Linux is just inherently insecure.
One can only wonder at the motivations of a company that runs a security test without installing Linux security patches and goes to the length of installing unaudited CGI scripts.
I believe that this test was paid for and ran by Microsoft. Any objective tester for an operating system would have gone to the trouble to install the security patches and report how difficult the task is.
That PC Labs is still claiming that "Linux" doesn't have a central site for its security updates is clearly FUD directed towards those who do not read forums like these.
Linux does have a kernel site that is a central repository for all fixes. But it wasn't a kernel security problem that we are talking about here.
The security hole that allowed a breakin was three fold. An insecure cgi script allowed a person to try to write a file. Wrong directory permissions allowed a file to be overwritten. A known security hole was exploited.
Audit all scripts before you put them on your box. Use the -T flag and use strict option even though they make programming a real pain. Get all updates from your software company and install them. Ensure proper directory permissions for all directories and files. Go to your distribution vendor and download all security patches.
PC Labs only had to go to one place on the whole net to get updates for their Redhat software. All the software. The site is http://redhat.com/support
That's right, not only do you get hundreds of software packages, but you only have to go to one place to get updates on all of those fixes.
Imagine how many sites you would have to visit to upgrade all the software on a Windows box that has an equal amount of software as a Linux box. It wouldn't be one site, that's for sure.
Sounds to me like Linux would be much easier to maintain.
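The "use the -T flag and use strict" advice above, as an added example that is not code from the article, PC Week or Red Hat: a minimal CGI script under Perl taint mode. The document directory, the script name and the `doc` parameter are assumed for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a CGI script run under taint mode (-T) with strict and warnings.
# Run it as:  QUERY_STRING='doc=faq' perl -T ./showdoc.pl   (names assumed)
use strict;
use warnings;

# perlsec: under -T the environment is tainted, so scrub what a subprocess
# would inherit before anything could call system() or backticks.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location of the only files this script is allowed to serve.
my $DOC_ROOT = '/var/www/docs';

# Decode application/x-www-form-urlencoded pairs from QUERY_STRING.
# Everything that comes back is still tainted: parsing is not validation.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, defined $qs ? $qs : '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        $param{$k} = $v;
    }
    return \%param;
}

# A regex capture is the only thing that untaints in Perl. Accept exactly the
# characters a document name may contain; "../etc/passwd" or "x;cmd" never match.
sub untaint_doc_name {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return $clean;    # undef when the input was rejected
}

sub respond {
    my ($status, $body) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$body";
    exit 0;
}

my $param = parse_query($ENV{QUERY_STRING});
my $doc   = untaint_doc_name($param->{doc})
    or respond('400 Bad Request', "bad document name\n");

# Had the raw $param->{doc} been used here instead, it would still be tainted,
# and any later open for writing, unlink or system() built from it would die
# with "Insecure dependency in ... while running with -T switch". That is the
# whole point of -T: the script cannot quietly turn request data into a path.
open my $fh, '<', "$DOC_ROOT/$doc.txt"
    or respond('404 Not Found', "no such document\n");
print "Content-Type: text/plain\r\n\r\n";
print while <$fh>;
close $fh;
```

Running the same script with `perl ./showdoc.pl` instead of `perl -T` fails with "Too late for -T option", which is Perl refusing to run a taint-mode script without taint checks.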
I run Windows NT (ducks thrown vegetables and fruit), and I have the benefit of using (according to PC Week) the only OS which has a centralized patch distribution place.
Yeah. Ok.
So, why isn't this obvious? If it weren't for the Ars Technica NT Tweak site, I wouldn't have known that SP5 was out. Hell, I wouldn't have known about any of the hotfixes currently available. Go centralization.
Speaking of which, MS's "patches" are a joke. The warnings on those things remind me more of quantum mechanics jokes than installation warnings: "Due to an effect called 'tunneling' your computer may blow up after you install this patch, and if it does, that's the will of the cosmos, not any problem on our part."
Makes me feel all warm n fuzzy, like. Especially the fact that I have to reboot after each one, which means 3 patches = 30 minutes.
I have friends who use Debian, and they just slap a key, wait a few minutes, maybe restart a service, and they're done.
Me? I, uh... wait until the fact that I'm using obsolete and insecure software becomes painfully obvious and I have to avoid public shunning by seeking out the latest patches.
I think it's interesting that they point out perceived "flaws" in Linux while comfortably ignoring similar flaws in NT.
God, I love objective journalism...
-- I can't think of anything witty to put here. Sorry.
Come now AC, don't hold back. Tell us how you really feel! Anyway, I totally agree with the general sentiment. This just isn't right. First the article is sort of apologetic for their failure to stay updated and then they bounce the blame right off on there not being a central repository for updates.
Which is just plain silly. The hack could've been prevented if they'd just checked Red Hat's web pages sometime, or the updates ftp directory, or been on the proper mailing list. Or configured autorpm to deal with this for them. Exactly what is a company required to do to get heard by PCWeek's system administrators, perhaps sending out a fripping press release would help? Hmm, makes me wonder if they have found the repository for Microsoft Hotfixes yet. Maybe they just stick to Service Packs?
nothin' says lovin' like an open source penguin.
Come on, people. You know that Microsoft bashers love to talk about how buggy Microsoft software is, and complain about having to install bugfixes. All I hear from the OSS camp is how peer review results in such wonderful, flawless software. Then why is Redhat's stuff so buggy that it needs so many fixes? If the situation was reversed, you all would be screaming about how after just a couple of months, the latest release of Windows needs 21 security patches!
They are just sooooo wrong. Not applying 21 security patches to the Red Hat System (and those patches were readily available from the Red Hat errata) because that was something "a real life sysadmin would never do" but still they applied the SP 5 for NT... as if that's something a sysadmin would do? This is just way bad... I smell another Mindcraft here
---
Killroy Woz Here
Raptor does it? It just goes to show you, you can't make a decent firewall with one machine. I thought it was humourous that they felt they needed to put it on a dual pentium 450. I guess that's what happens when your "security experts" are really salesmen.
How about a response to the criticisms of the fairness of the test? Or are they still sticking with the 'Enterprises wouldn't apply 21 little patches' whining?
I'm not saying that I-use-autorpm-so-you-should-too but it's a more flexible tool than whiff-davis would have you believe. Frankly, I get the feeling that man autorpm is taxing their notions of due-diligence.
They're correct, there isn't one. But there is a central place to get updates for RedHat Linux:
ftp://updates.redhat.com
They can't make it easier than that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.
US Citizen living abroad? Register to vote!
I don't begrudge a company for releasing buggy software, rather how they handle buggy (especially security related) releases.
Legal liability is another interesting issue. If I was running hoffice's software, and lost millions of dollars because of a hacker, how liable would hoffice be, shrinkwrap licenses notwithstanding? Would PC Week be liable at all? jfs?
as a fair newbie to all this.. it's good to see some legit stuff posted on the web so I know what I'm reading is true.. and I think this is the first story I've seen yet without any comments :) soo.... first post I guess: )
Of course it's always possible for users to step out and get kernel source from ftp.kernel.org and that's pretty darn centralized to look at things from a more independent view
But would you be likely to do that on a box running Official RedHat or Official BrandX when you have a service contract with someone? Probably you'd want to be all buttoned down with your distro's sanctioned kernel source or prebuilt image. Which touches on your very good point: they said nothing about testing the SP on the NT box. They dropped it in and went with it --or rather MS personnel dropped it in. That's pretty much my attitude towards RH security updates: drop it in fer chrissakes! Maybe --just maybe-- they made a mistake when they gave their seal-of-approval, but the risk that the now publicized vulnerability will get hit while you dither is the greater risk.
Is it just me, or are they complaining that there are too many distinct patches for software that has only been out a couple of months, making it difficult to find all these patches? If an admin is willing to refresh his software for a .1 version within months after it comes out, I'm going to say that admin should be able to apply patches when he does so. This is still getting under my skin.
I feel I should also point out that "The hacker bypassed the firewall..." is a horribly ambiguous statement. Was his passing by the firewall authorized, or not? I honestly can read that sentence either way. If I bypass the security of a museum to steal the Jewels, that doesn't mean that I chose to steal the Jewels INSTEAD of attacking the security, does it?
-=Best Viewed Using [INLINE]=-
They put both servers behind Raptor firewall
Open Source. Closed Minds. We are Slashdot.
Have a look for the Linux Administrators Security Guide (LASG), has info on chrooting most of the services which can be chrooted.
It's all very well to come out with explanations, etc, but there's still no excuse -- except cheesy publicity seeking -- for running a head-to-head contest like this in the first place; it does nothing except betray the cluelessness of the ZD journos.
The impression I got from the story was that if someone as knowledgeable as Ziff Davis can be hacked, so can anyone. Whereas the 'hackable anywhere' bit is true, it's simply ass-covering on the part of ZD.
What did this test prove? That Linux is less secure? That ZD haven't a clue?
"The bottom line is daunting: don't let your guard down. Ever." And don't ever trust ZD.
"linux" does not have services enabled by default (it can't, it's a kernel). redhat, however, does ship with unneeded stuff enabled.
"..these rediculous(sp), unprofessional.."
ridiculous
"...these feascos(big sp), point..."
fiascos
other than that, PR would be a great think for Linux to have. But your other point, that where they say Linux, they should be saying Redhat, applies to that point as well. Redhat should be pumping out some of those IPO dollar signs to push some PR. At least some. A good press release, perhaps. The quiet period is over, isn't it?
72656B636148206C72655020726568746F6E41207473754A
Yup. What they are basically claiming is that IT managers wouldn't want to apply those patches. C'mon, there is nothing at all of value on any of my three systems, and I keep them up to date on a daily basis. If I were paying someone to do IT for me, and they refused to do something I could do myself (rpm -ivh *) I'd personally clear their desk into the street. To claim that it wouldn't be done because autorpm "doesn't let you know what is going on to your system" is completely disingenuous.
~luge
IAAL,BIANLY
One Of the Many ACs writes:
I don't think so. For any operating system it is impossible to track all of the patches for every single program for that one operating system in one place, but a good place to start would be:
http://www.securityfocus.com/ (aka: BUGTRAQ)
ZDnet has a point here. I have the same problem they have when keeping my boxen secure. (Of course nothing is more secure than off (Hey, it would be left on if I wasn't on dialup.)) BUGTRAQ is very good, but what they (and I) would like to have would be a freshmeat of security patches. (Call it rancidmeat (it's all about bugs, get it? Oh I crack myself up sometimes (but not this time).).) It could be run just like freshmeat, nothing actually there, just links to the patches. Have it summarize BUGTRAQ and several other official and "unofficial" security sites, and provide links to the patches. Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)
M$ Propaganda^H^H^H^H^H^H^H^H^H^H^H^HZDnet writes:
The hackpcweek.com site also showed us that some simple security measures, such as complex passwords, are great in theory but nearly impossible in practice. The hackpcweek site comprised six servers. Imagine how difficult it was to remember passwords such as [Athl!g. We couldn't...
Ahh geez, and they wonder why they had security problems. I'm sorry but this is just stupidity on their part. I have a minimum of 12 different passwords each as arcane as theirs and I have no problem. (For "added security" none of them are based on any sort of mnemonic phrase). Of course if they actually used the passwords on a daily basis, then they would remember them and wouldn't have to have them written down. (Eventually you'll "forget" the password when typing them in becomes automatic. ("What's your password?" "Uhhh... *goes to a keyboard and types* apparently Ghj3$/f
Dunno. Works just fine for me...
- any known flaws/holes in the technologies you are going to use and how you can circumvent them if necessary,
- how the new app. will interact with your existing secure infrastructure, and
- how your app may get recycled in the future to do something slightly different that could impact your site's security.
These days I figure that any app. written, that's going to go online needs to be checked for security impact before the design is finished. Otherwise it shouldn't make it to a production server. I'd rather do more work up front, and save myself the trouble later when I can't take it down to fix it -'cause it's already being used.
locust
I've been in the Linux community for a number of years, and yet am amazed about our attitudes. According to the current thought if something isn't "pro-Linux" it's "pro-Microsoft" and "anti-Linux".
The article was informative, and fairly accurate. I'm the sysadmin for a small ISP, and no I haven't had time to apply the 21 patches on all of the redhat boxes, the various BSDI patches, updates to all the '98 boxes, etc. Frankly I'm amazed that the toilet paper manages to stay in the shitter with the pace we keep around here. (Who DOES find time to buy and put that in there?) I've said for years you can only keep 95% of the crackers out there. The others, no matter your effort will eventually get in.
Harping on ZDnet because they only had to do 1 patch to NT and 21 to Linux is unfair. I hate NT as much as the next guy, but let's be *gasp* realistic. I suppose because the guy happened to find an exploit in a CGI on Linux and that was published automatically made all of Ziff-Davis Bill Gates lovers. It's a conspiracy to make Linux look bad them publishing that terrible riff-raff, never mind that was the truth.
Yet nobody has made a point of noticing he attacked the Linux box first? Why choose Linux? Was it because he knew ZD would be lax in the RH setup, or perhaps he knew he had a better chance with the RH box?
From what I understood, there were two "essential" parts to this exploit: getting regular user access to execute a cron job, and the easily available crond exploit. Honestly, had it not been for PCWeek's unaudited CGI script, he would have never been able to execute the crond attack.
And what's this BS about not installing the updates from RedHat? It would have taken them 10-15 minutes, compared to ~45 minutes installing NT service packs. Administrator stupidity does not make one O/S inherently less secure than another. It's that simple.
-- Kameron Gasso (kgasso@blort.org)
We all know that SP5 is a cumulative fix pack - containing many "hot fixes".
Compare these "hot fixes" to RH "updates" and its the same thing.
Microsoft releases a Service Pack every 6 (?) or so months, so in between, they release hot fixes. Any competent NT administrator would install these hot fixes, just like any competent Linux administrator would install RH updates.
PC Week have clearly contradicted themselves, - it's just plain *stupid*.
As for "no central repository" - another contradiction, what makes an update from Microsoft more "trustworthy" than an update from RH? What makes a file downloaded from ftp.microsoft.com more "verified" than one from updates.redhat.com?
nyeah.
www.rancidmeat.com is already taken.
:-)
www.rancidmeat.org isn't. Any takers?
Chief Prosecutor
Advocacy Department
I can't believe everyone has missed this.. To my mind, it's the most significant hole in their setup.!
If you read the description of how the guy broke in, he overwrote a CGI script. To do this, either the directory or the script had to be world writable. (Don't forget Apache runs as "nobody" by default)
Regardless of what patches were applied or what holes there were in the CGI's, this is completely unforgivable. You have to go out of your way to set up a system like this. It's the first and most important rule of setting up a web server.
Cheers... Mike
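Mike's point (and the earlier "ensure proper directory permissions" advice) as an added audit script, not code from the article or any vendor: it walks a cgi-bin tree and reports every entry the web server's own user could overwrite. The directory, the account name "nobody" (Apache's default at the time) and a primary-group-only check are assumptions.

```perl
#!/usr/bin/perl
# Added example: find scripts or directories under a cgi-bin tree that the
# unprivileged web server user could modify. Usage (paths assumed):
#   perl ./cgi-audit.pl /var/www/cgi-bin nobody
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';

my $cgi_dir  = shift @ARGV || '/var/www/cgi-bin';   # assumed default
my $web_user = shift @ARGV || 'nobody';             # assumed default

# getpwnam in list context: (name, passwd, uid, gid, ...). Only the primary
# group is considered here; supplementary groups would need getgrent as well.
my (undef, undef, $web_uid, $web_gid) = getpwnam($web_user)
    or die "no such user: $web_user\n";

# Reasons one path is writable by the web user (empty list = fine).
# Symlinks are skipped: the target is checked when the walk reaches it.
sub writable_by_web {
    my ($path, $uid, $gid) = @_;
    my @st = lstat $path or return ();
    my ($mode, $owner, $group) = @st[2, 4, 5];
    return () if S_ISLNK($mode);
    my @why;
    push @why, 'world-writable'                     if $mode & S_IWOTH;
    push @why, "group-writable by gid $gid"         if ($mode & S_IWGRP) && $group == $gid;
    # An owner can always chmod, so ownership alone is a finding for a CGI dir.
    push @why, "owned by web user uid $uid"         if $owner == $uid;
    return @why;
}

# Walk the tree and collect { path => [reasons] } so the result can be reused.
sub audit_tree {
    my ($root, $uid, $gid) = @_;
    my %findings;
    find({ no_chdir => 1, wanted => sub {
        my @why = writable_by_web($File::Find::name, $uid, $gid);
        $findings{$File::Find::name} = \@why if @why;
    } }, $root);
    return \%findings;
}

my $findings = audit_tree($cgi_dir, $web_uid, $web_gid);
for my $path (sort keys %$findings) {
    printf "%-50s %s\n", $path, join(', ', @{ $findings->{$path} });
}
print "no writable entries found under $cgi_dir\n" unless %$findings;
exit(%$findings ? 1 : 0);   # non-zero so a cron job or deploy step can fail on it
```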
Originally I was going to say things like how brain dead you are (especially since you're running Windows and hanging out at /.) But then I remembered:
"never argue with a fool, people might not know the difference"
So I won't bother arguing with you.
The Truth is a Virus!!!
Christ on a crutch...I just tested this, and Solaris 7's finger relays by default. Sheesh. (My Linux box is running ffingerd-1.21, which does not relay.)
My god you people are full of shit! Did you actually read the article, the exploit, etc?!
This isn't some "set-up" to make Linux look bad. They did a competent job of setting the system up, but a cracker was able to take advantage of subtle exploits in the systems that they were running. It wasn't like anything was BLATANTLY open on the server!
And, i love the comments about the threats of using "closed-source" software...
But, most of all, how many SYSTEM ADMINISTRATORS can go through the source code and find holes like this?! If you can, and you are a SYSADMIN, you are underemployed.
Unfortunately, most of this stuff is only found by trial and error. They err'd. I imagine there aren't a whole lot of servers out there using a package like they were that have as much as $1k at stake! Sad, but true.
Linux lost. I am sorry it did, but because of the kind of people that have used it for years, there is a lot of information out there about its exploits.
get over it!
Sorry, Bill, but the rules have changed. You can't kill Linux with FUD any more than you can buy it.
:)
This was recognized by Microsoft itself in the infamous Halloween document - at least, some clueful person at MS recognized it. Not Bill, apparently. hehe. "Learn by doing". hehe. Go ahead, Bill, make our day. hehe. Hmm... I'll stop now - too many stupid jokes to write in this small space. The bottom line is: the attempting Fudding of Linux just turns into more free advertising. Hmmm. "Linux: even the advertising is free." hehe. OK, I promised to stop, I'll stop now
Life's a bitch but somebody's gotta do it.
They should get their story straight: Is it: "RedHat has 21 updates out for a few months we didn't apply" or is it "There is no central place to get approved patches to our Linux"? Also, how does a product being OSS reveal problems in YOUR config?
You bet!
They take two pages to describe how he painstakingly went through the process of scanning the Perl scripts, trying to squeeze in an executable under the exact right size, and ultimately gets to a dead end.
And then, in one line, they tell you he got an exploit off Bugtraq and got root access.
They're very quiet about that last bit... Yet it seems to me like it's the essential part of the exploit. Yes, accessing online resources and security websites is one of the main tools in the cracker's arsenal. Far from me to say that these sites should be banned! What I mean is, they should be read as much by the admins than they are by the crackers.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Who says the Linux kernel can't have services enabled? Don't forget knfsd! :-)
Only an idiot administrator would expect there to be some magical command to "fix my computer and make it secure" (yes sir, right away, sir!)
;-) Seriously, though - a central resource is fairly difficult to maintain, and I think that the efforts at BUGTRAQ have been well above par - I can remember several instances where patches came out in record time for security holes, as opposed to the normal M$ - wait for the SP theory.
How true... installing OpenBSD takes a few commands
UNIX people prefer to pay attention and take responsibility for their own security.
Then there's the continuing trend for Windows hot fixes and service packs - they install, without telling you what they do, or offering any version checking - I know a couple of NT admins who have "fixed" security problems by adding an older hotfix that may have kept the one bug they were worried about closed, but re-opened another one that was fixed later. There's a good reason that DLLs, etc. all have version info. There's something to be said for proper revision control, and doing a little bit to prevent people from backtracking...
Just my $.015 (I always come up a little short)
"It's tough to be bilingual when you get hit in the head."
From reading the way the cracker finally got in, does anybody know if one of the security fixes that were available would have actually stopped this exploit? It seems more like the CGI was the culprit, and the lack of security patches, while an issue in general security, had nothing to do with this particular break-in.
From what I remember it was the Cron hole that allowed him to exploit the CGI scripts hole, so without the Cron hole he wouldn't have been able to do it, and yes there is a patch out for that.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
If you're working admin on boxen, and you're not skimming Rootshell, Bugtraq, etc. you're just asking to be "owned".
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Answer me this then. If WinNT is so secure, then why does it require very expensive virus protection? Or do rogue programs wandering around screwing up your system not count as security holes?
> C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest.
But is that the message the PHBs will hear? Is that what ZD wants them to hear?
The whole art of FUD or any other sort of propaganda, if you're good at it, is to say things that you can defend in their surface form, but which bear a between-the-lines message that twists the truth to your advantage.
If they had merely wanted to evaluate the difficulty of securing systems, they didn't need a shootout. A single system would have sufficed.
Printing such loaded messages is inexcusable, particularly from a rag that is subject to reasonable charges of conflict-of-interest.
BTW, but I'd be willing to wager that if you did a reader survey on this article, you'd find that more remembered the between-the-lines message than remembered the objective facts presented in the article. Such is the nature of the human mind (and that's why FUD and propaganda often works so well).
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
On a properly designed OS, there can be one.
You were asking PC Week, right?
Personally, I would never use an OS where features are specifically added that allow you to do malicious things, and requires more software, not to "prevent" it, but to stop it ASAP after it happens.
NT Security model is the worst that I could ever imagine. At least security holes in Linux and other Unixes rely on bugs that can be fixed without breaking a lot of legitimate stuff
-Brent--
The Chowder-head writes something about "...Gibraltar, a place known as 'The Rock' because of its impregnability..." Oh yeah? I thought it was known as 'The Rock' because, uh... because it *is* a rock!
(Yeah, so it's pretty impregnable, in military terms [or at least it was, back when fortifications still worked] -- but that is *because* it is a rock, not the other way around.)
What a nitwit, that Pankaj.
Christian R. Conrad
MY opinions, not my employer's - Hedengren, Finland.
mail me at iki.fi ; same user ID as here
What does this tell you about NT, when they have to put all their security patches onto CD. NT's == consumption of resources, ridiculous interface, lack of reliability etc... Though it does have one thing, ease of use, whenever I need to fix something in Win all I need to know is Ctrl+Alt+Del
Still requires user-space which would be distro-enabled. (Besides, I don't think even RedHat enables nfs by default... yikes.)
is autorpm the same thing as the update agent in gnome that comes with redhat 6.1? I think it needs a registration key from a store version of redhat.
;)
Unless we get the source?
---
Who in their right minds would release any operating system into a production server right out of the box, with no patches?
Any system administrator would get the latest Redhat 6.0 disk and put it on a test system so that they could do extensive testing of all the parts. As patches come out s/he would apply them to the test box and see what breaks.
Only once a new operating system has been out for a number of months would the system administrator even dare to roll the system out into production.
I would recommend burning a new cd with all the security patches in place right from the beginning. Installing a system and then applying patches can lead to security holes.
The administrator would then install only the software that is needed on any server and turn off all other services.
As new patches come out, test them on your test box and then roll them into production. Check first thing in the morning, and be prepared to blow off everything else that day if a new security hole has been found.
There is no real reason to upgrade from 5.2 + updates to 6.0 if 5.2 is currently in production and is working just fine.
Just my 2 cents worth.
What is even more amazing to me, is that the author of this article then goes on to give his opinion of circuit proxies vs. stateful inspection firewalls. Wow! This guy knows everything and he can even work in 40 hours or less. As an analysis for the breakdown this guy is great, but since I work in network security, no one is going to ask me for the next great advertising idea. It's unqualified opinions that have people all over the world afraid their money is just going to disappear on 1/1/00 because they fear, they have uncertainty now, and they doubt.
I've got an idea... If you're working heavily in "E-commerce," why don't you hire someone (or a team) to work security full-time. That way you can take your $1000/month and get almost $5,500/month worth of work. And if your sysadmins cannot type rpm -Uvh, but they can click on an icon, I suggest you get new sysadmins.
No one who is going to "do business" on the web should under-estimate security. That would be like doing business with a bank that had one of their tellers watching the door on a heavy-deposit day.
"I've learned that it takes years to build trust and only suspicion and doubt to destroy it."
Yeah, that autorpm comment is pretty bogus if you consider the 'fact' (my opinion, really) that knowing what an NT service pack does to your system is probably trickier (sure, there's a list of fixes, but it seems there's always a 'numerous other minor fixes' item).
-beme
1971
and the NT box survived... guess that's not mentioned since Linux LOST. if you look at the early version of this article, it mentions the shootout aspect... http://www.zdnet.com/pcweek/stories/news/0,4153,2336675,00.html
No, autorpm is a third party program. I've been using it since RedHat 4.2.
You can get it from ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch
Wouldn't chrooting the web server have stopped the root exploit? Is there an easy way to do this? I haven't seen a chroot-HOWTO....
Actually, this is not the case.
Because M$ is again throwing out all that came before and rapidly building new code to do everything better than everyone else, their code will have so many bugs and security holes that you would have to be stupid to be the first to upgrade to it.
There will be dozens of huge gaping holes that will need to be fixed in Y2K, oops sorry, W2K.
Do you know how these people got into your site? Do you only use SSH to allow people to connect between boxes?
Here is a clue people. Turn off all services. Every one of them. If your box is a web server, update that software and bring up web services. Install ssh to allow people to connect between boxes.
Do use a firewall so that you are not exporting nfs and samba to the entire world.
Do not depend on the firewall protecting you. Otherwise you will be a hard crunchy shell with a soft and chewy center! Assume that attacks will be launched by employees or by a compromised box against your other boxes.
Allow ssh access through the firewall to a single sign-in box, then let them go to their work boxes from the sign-in box. If you setup ssh correctly, they will be able to bring up xterms directly into the proper boxes with no logins! And all Xwindows protocol will be automatically directed through this secure channel.
Do use tcp wrappers around all services. If you think someone is trying to get in, deny that IP ASAP.
Never use ftp or telnet or (shudder) rsh. If you do you might as well be bent over with a huge sign that says enter here.
Read the security bulletins first thing every morning and afternoon. Takes all of 5 minutes. If something is listed as a problem fix it right then!!! If you wait a month there will be too many patches to fix in a day so you won't do it. Most of the time you can get the actual source code and the patch and fix your systems within a few hours of when the exploit actually occurred.
If you are not willing to do this then don't call yourself a system administrator. Cause you're not.
-- Just because someone is paranoid doesn't mean that someone isn't out to get them.
I'm using W95 and Netscape 4.61. I had trouble copying text also. It will work though. If you use your mouse to select the text, it will not show up as highlighted, however if you hit copy it will copy that text.
I'm curious about why this happens.
Check out AbiWord.
...but not that advanced. A truly advanced hacker finds his own exploits instead of going on to rootshell or bugtraq to find one.
ZD says that they are going to apply the 21 rpms sometime soon and do the whole thing over again to make the matter more fair. Sounds like a good idea to me.
emufreak
www.kontek.net/pp
It's that simple and not mentioned anywhere in the article. OpenBSD hasn't had a security patch in the last year after its rigorous auditing.
Hajo
PS: http://www.openbsd.org/ "Sending Kiddies to /dev/null since 1995"
Hajo Monogamy: Belief so strong that millions of people end perfectly good relationships in order to start a new one.
Speaking of which, at some point in the near future I'll probably need some help cataloging updates (I'll eventually start using bots to help). If anyone is interested, e-mail me.
Nobody should run publically accessible CGI scripts that don't have taint mode enabled. Just start off your scripts with
#!/path/to/perl -T
and fix everything that breaks.
You will close off a lot of security holes that way...
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
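As an added example (not Ben's code), here is what taint mode actually does to a CGI script's input and the regex-capture step that satisfies it; the `user` parameter, the account-name pattern and the command-line query string are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the post: what Perl's taint mode (-T) does to
# CGI input, and the regex-capture laundering step that satisfies it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to start a subprocess while PATH is tainted or contains
# writable directories, so pin it and drop the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Split a query string into key/value pairs. Everything derived from %ENV or
# @ARGV is tainted, and the taint survives split, tr and substitution.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;   # decode %XX escapes
        $params{$k} = $v;
    }
    return \%params;
}

# The only way to launder tainted data is to capture it with a regex, so the
# pattern is the whole validation: a conservative account name, or nothing.
# (The pattern is an assumption for this example; use whatever your site allows.)
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = $raw =~ /\A([a-z][a-z0-9_-]{0,31})\z/;
    return $clean;    # undef when the input did not match
}

# The web server would supply QUERY_STRING; for a command-line run, the first
# argument stands in for it. Both sources are tainted under -T.
my $qs = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING}
       : @ARGV                      ? $ARGV[0]
       : die "usage: QUERY_STRING='user=alice' perl -T $0\n";

my $params = parse_query($qs);
my $user   = untaint_username($params->{user});

print "Content-type: text/plain\n\n";
print "query string tainted: ", (tainted($qs) ? 'yes' : 'no'), "\n";

if (!defined $user) {
    # Rejected input never reaches the shell, the file system or the environment.
    print "rejected\n";
    exit 0;
}
print "username tainted after laundering: ", (tainted($user) ? 'yes' : 'no'), "\n";

# Had $user still been tainted, -T would abort here with
# "Insecure dependency in system". The list form also bypasses the shell.
system('/bin/echo', "lookup for $user") == 0
    or die "lookup failed: $?\n";
```

Run it as `QUERY_STRING='user=alice' perl -T taint_demo.pl` (or `perl -T taint_demo.pl 'user=alice'`); try a value with shell metacharacters to see it rejected, and drop the `untaint_username` call to see `-T` abort the `system` call instead.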
as a sysadmin for a huge NT network (Server and workstation) applying 21 patches would be nice and easy! Let's see, each new pc that comes in..
Apply SP-3 (no higher because sp4&5 are severely unstable) add 13 hotfixes and the Y2K hotfixes, patch I.E., patch Office, patch Outlook... That's a total of 23 things to do where most of these "patches" take 1-2 hours to download, forcing a fix to be applied to fix what the fix broke.
This "contest" was a huge joke. PC mag has never EVER had any clout with me or anyone I know, 90% of the time they either do basic things like an article on "how to turn on your computer" or "the mouse really isn't a foot-pedal" basically a useless mag except for the inept that really shouldn't be using a computer to begin with.
This test proved one thing to me.... they wanted to scream "MEE TOO! MEE TOO!" with the ranks of other real mags.
Do not look at laser with remaining good eye.
There's no story unless there are winners and losers! Somebody had to emerge defeated / victorious. There's no point in putting a narrative form on information, unless there's a conclusion, an endpoint to bring "the sense of closure" to the story. Even more basically, there's no action to narrate --even inconclusive action-- unless there's at least a partial compromise of one system. These folks have to write something on a regular basis y'know --and that's not as easy as it sounds.
Everything they did follows logically from that --even if they proceeded irrationally and without overt intention: no break-in, no story--so which box is it going to be? Well, this box over here is from the devil-we-know, which pays us money to write stories and volunteers to come out and fix things up for us...OTOH this other one doesn't...
Which raises an interesting point: how does LINUX succeed in the world without the ability to draw loyalty and advocacy from related industries like the opinion creation/validation industry?
For example:
Two of the updates are Netscape fixes. Is their server running a copy of Netscape ? Not likely ! Therefore, we're down to (19) fixes.
Two more are updates for XFree86. Well, they probably are running X ! You know, they are used to pointy-clicky administration!
Another is an update for "mars-nwe". Isn't that a client type program for logging into Netware servers ? Again, probably doesn't apply to their setup.
A fix for KDE...okay, that can make Linux look like Windows, so, they probably are using it!
A fix for gnumeric, a Gnome spreadsheet program.
How many more of the RedHat updates don't apply?? If I don't have the RPM for "pump" installed, I certainly am not going to install the "fix" for it!
I was happy with the article in general... especially the detailed log of how the hacker broke in. It is true that CGI scripts can potentially be security holes in an otherwise very secure system. My only problem with the article, however, is the treatment of the Red Hat official updates.
You mention that there is no central place to find "linux" updates. Well, there is. Red Hat provides a central source for all of their official updates. This is the same thing as Microsoft providing its Service Packs. Red Hat guarantees that these security updates are okay to apply to your system... and, in fact, they don't release them unless you *should* install them on your system.
You mention the program "AutoRPM" (I'm the author of this program). The best way to use this program is to have it regularly (i.e. every night) check the official set of updates from Red Hat and apply them if new ones come out. What you do, however, is configure AutoRPM to check the PGP signature of the updates before it applies them. When Red Hat releases security updates, the patches are signed with their private PGP key. If you configure AutoRPM properly, it will use Red Hat's public key to check this signature. In other words, with only a few changes to the default config file, you could have set up AutoRPM to automatically install *official* and *verified* security updates from Red Hat. The only reason this isn't the default configuration is that PGP doesn't come with Red Hat (due to US export restrictions on cryptography).
If you had spent the 5 minutes to properly install and configure AutoRPM, the Red Hat Linux machine would *not* have been hacked (at least not in the way it was) because the cron security exploit would have been automatically patched by AutoRPM.
- Kirk Bauer
I am a little confused by the mentioning of their use of the Raptor firewall. A quick trip to that website and it would seem that Raptor Firewall is only available for NT not Linux. Did they bother to run squid at all? I thought the test was to find out which is better out of the box. Unless I'm mistaken they applied all the service packs for NT but no patches for Red Hat and then they hid NT behind a commercial firewall product. To suggest that there is no central location for the Red Hat patches is completely laughable. I am a complete Linux newbie and even I would rather update via RPM. They suggest that the only way to apply these is through autorpm and then criticize it for doing exactly what an MS service pack would do. Couldn't they have downloaded and applied the Red Hat patches individually? Doesn't this mean that this criticism should have been launched at NT not RH? "What, me worry."
"The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them. But no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their servers."
if the community is going to be taken seriously it needs to get better about handling comments outside of its worldview.... I've got win2000 rc1 and it looks really nice though... not sure when they're going to ship
Anyone who sells NT is loving this article. It now gives them something to print out and hand to corporate know-nothings whose own IT department is pushing Unix. They can cut, paste and quote the article's numerous misrepresentations of Linux. They don't even have to twist the truth because the know-nothing journalist (not admins) who ran the test already did that for them. This article does great great damage. It doesn't matter how inaccurate the tests were or how badly ZD screwed them up, they did and this is going to be a major thorn in the side of Unix supporters. It really doesn't matter how good something is if someone else has better marketing. I think it is clear that MS is now moving hard against ALL Unix, not just Sun or Linux, but all. They have a massive marketing arm that can and plan to squash even the largest foes. Let us all think back to the OS2 war. We really need to join together (Linux, BSD, Solaris, etc...) and market our virtues. We can not win by whining about how unfair the tests were. We can only win by proving our software is actually better. Linux is on the rise as is BSD, but the war is only beginning. Gaining popularity is only a very small step towards winning. Let us not get overconfident; the war is going to be a long one.
I just read the article, and am not sure anything was really learned from the whole test. Every bit of info was really stuff that we all should have known anyway. In the end, all I got was that if you ask for it, they will come. And come they did.
-- Moondog
In the article he complains that there is no central location to get patches. My question is how does he know there are EXACTLY 21 patches that he needed to install if, as he says, there is no location to find all the patches?
autorpm can be set up to poll a RPM repository for updates and then notify the sysadmin via E-mail when there are updates that need to be applied.
Default, "out-of-the-box" behavior for autorpm is to install nothing automatically, or without human intervention. You have to explicitly change the default configuration in order to allow automatic, unattended installation of RPM updates.
I think you've hit the nail on the head here. The problem is, if I hear that there's a new exploit to hack a W2K/WNT/W9x site I either:
a. wait a month to get the SP; or
b. download it from their possibly compromised site
Since they don't give me source, I can't be sure that someone hasn't hacked their site and replaced the code that I'll be applying with a Trojan Horse exploit if I go to MSFT.
If, on the other hand, I actually ftp the files from Red Hat, I can look at the code and make sure no exploits exist.
Or, if I'm used to MSFT-level security, I just let it autodownload. It amounts to the same level of security.
But: it's MY choice. Not like on the MSFT site, where I have NO choice, but have to hope no one put up a file that had a viral attachment or was replaced by a bogus file. And I have NO guarantees about it if I go the MSFT route.
Will in Seattle
I don't think so. For any operating system it is impossible to track all of the patches for every single program for that one operating system in one place, but a good place to start would be:
http://www.securityfocus.com/ (aka: BUGTRAQ)
Only an idiot administrator would expect there to be some magical command to "fix my computer and make it secure" (yes sir, right away, sir!) The more professional approach is to learn about everything that is running on your computer, and bookmark the web pages where your software comes from and pay attention to security related mailing list archives like BUGTRAQ.
Being a blind dimwit with no clue how your computer works is the Windows approach to system administration. UNIX people prefer to pay attention and take responsibility for their own security.
What I want to know is how they can in one breath say they took all reasonable security procedures that any sys admin worth his/her salt would take and the next say they are going to add the 21 security patches and test again ,,,
If you keep using the latest and greatest stuff then yeah, of course you're going to need someone on staff auditing your system's security all the time. The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state. (When was the last time you worried about a vulnerability in finger?)
Admins will always need to be aware of security. But it's getting more and more to the point that you can set it and forget it. Especially if you spend the ten minutes to keep up to date with the new patches on updates.redhat.com.
I notice two statements off the bat that not only are both wrong, but they contradict each other.
First they say there is no single place to get all the updates. Since they are running RedHat, that is wrong, because they could get them from ftp://updates.redhat.com/
Second they say that if you want to keep up with the security updates, your only choice is to run autorpm, but that's a bad idea because it installs software without you knowing what is going on. Leaving aside the fact that this contradicts the first statement, it's also dead wrong. If you set one configuration variable in autorpm, instead of installing the updates, it will just download them, and send you an email advising that they are downloaded. Then you can pick and choose which ones to install using "autorpm --apply", which will show you what the package is, where it got it from, all the rpm info, and let you choose to install, defer installation for now, or remove it from the queue. It doesn't get any simpler than that.
Would you rather get your security patches the day after they are available, or would you rather wait for Microsoft to bundle several security patches up into a Service Pack CD?
notice how they use "linux" where it should say "redhat". for example, not all linux dists ship with ftp servers and other nonsense enabled by default.
they're trying to discredit linux as a whole. MS has deep pockets for advertising, and naturally, zdnet wants to play nice with them ("look, we love windows, linux sucks! give us more ad dollars!)
this whole zdnet thing is right up there with the mindcraft "study". they're both biased and totally unscientific, making any and all results worthless and bogus.
zdnet is helping MS fight linux with FUD. unfortunately, most people who read zdnet believe what they say (people believe things unless they know of a reason not to).
what i would love to see, is redhat spend some of those intel, etc. dollars on debunking these ridiculous, unprofessional, FUD stunts from zdnet, mindcraft, and everyone else who's in MS's pocket.
what we need is a central PR site that debunks each and every one of these fiascos, point by point, and also shows linux advantages. (ie, don't just debunk, but show linux vs. NT features, performance, etc). the site could also run benchmarks. i'd like to see redhat and some others get together and fund a site like this.
"At the time we began the tests, Red Hat Software Inc. had 21 security updates available for Red Hat 6.0, which had been out for only a couple of months."
Only a couple of months!? Feh! Here's a scoop: security administration requires diligence. If your admin ain't on his toes, don't even hope to consider your boxen immune to attack, simple as that.
-Seth
www.pdamusic.com
PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.
Well that is very interesting isn't it. Then why weren't the available security fixes for redhat applied. Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *
While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.
Well isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html
Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.
Last I checked, no hole in the kernel was exploited. As for the other components, you buy from redhat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.
The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them
Again wrong. I don't use debian myself, but I believe they have a system for doing just that in a much more secure manner.
The bottom line is daunting: Don't let your guard down--ever.
Right. Basically like they did by not applying the fixes put out by redhat and using unaudited cgi scripts.
This sig is false.
If Pankaj was a network admin in charge of securing the system he'd be fired. 'Nuff said? No. To spread the FUD that Redhat is insecure because the patches are difficult to download is a disservice to anyone interested in an alternative to Microsoft. This definitely smells like another Mindcraft. I wouldn't be surprised if prominent members of the open source community refuse to even deal with ZDNet anymore because they recognize that whatever ZDNet is involved with is most likely a hatchet job.
Obviously the job you want is to be IT Manager at PC Week...hold the salt.
C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest...saying what they did right, and what they did wrong. Notice in the "PCWeek Labs recommends" section they didn't say, "Don't use Linux. It's insecure." They give helpful recommendations to keep any system secure. Install all security patches, DUH!
They note that they didn't apply the patches RedHat had. They are admitting that they made a mistake here. They're saying, basically, "Don't DO that!"
They note that there is no central repository for verified Linux patches. Well, yeah...there isn't. There is one for Redhat's distribution...which of course is what they were using. Apparently they didn't know about the site. They do now, though, and are applying the patches to retest.
The point of the article can be summarized in the first sentance: "Security is hard." Not "Linux is Bad, NT is Good."
The only thing I can find wrong with the article is that they don't describe in enough detail what they did to the NT system (aside from disabling services)
-partap
Do you believe everything in PC Week? I don't. PC Week is still a part of ZD; look in the corner and you'll see the ZD/Softbank company logo on their magazines. So it should really be no surprise to see an article that misses the point. Once again ZD proves to the world that they want to sell out to the wonks in Redmond.
Anybody notice a similar tone from the PCWeek article and the anti-linux M$ page? Mainly from the skewing things to make one OS look better than the other.
Mainly "While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system." which is true, but irrelevant unless, like the above poster mentioned, you roll your own distro.
And one thing they didn't mention. Did any of you get to audit the code on SP5 before you added it? Or did you get a sacrificial lamb to test it on?
(Sorry for the anti-M$ sentiments, but today I upgraded a basic win95 install with win98se since the app on that machine was recently upgraded and told us to, and it won't run on NT. The upgrade was fine, no problems, just keep clicking ok. Until the restart, now it blue screens (the "your machine may become unstable" one) and dies automatically after restart. Since I got all those error messages earlier I have tons of info to start troubleshooting. At least everyone else in the office hates M$ now too, subtle mind control on my part.)
+&x
After getting severely lambasted for his previous flippant response to this hack, this Pankaj Chowdry character has the nerve to serve up more obfuscating, deflecting drivel.
...there is no central repository for testing or approving patches to the Linux system. My god this man is a boob. "The Linux system" in question here is RedHat, specifically version 6.0. Redhat lists the errata for each version that they release, complete with cross-referenced bugs and resolution comments. How is this any different than accepting a Service Pack from Microsoft (which Pankaj conveniently forgets to acknowledge were applied to the NT box by, guess who...Microsoft)? Did Pankaj retest each of the bug fixes included in the Service Packs? I would suspect that he didn't. Yet, all of a sudden Pankaj wants to be Super Administrator and retest each of the bug fixes that Redhat has already certified.
Once again he talks about the Linux server needing 21 patches for the RedHat 6.0 release which had been out for only a couple of months. Is he for real? Is this some kind of excuse for not doing his job and performing an adequate security check on the box?
He goes on to say
Pankaj then goes on to disparage the autorpm utility because no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their server.
I would like to request that Pankaj release his testing methodology used to verify what was included on Microsoft's Service Packs and whether they a) fixed everything that was broken and b) did not introduce new avenues of exploitation into his system
I don't understand how this person was able to get this past his boss. But then I forget that his boss is John Taschek who has lost any ounce of credibility that he ever had in his handling of this and any other "independent" comparisons of Microsoft and Linux products.
Keep up the good work Zdnet and Ziff-Davis. Just keep it up.
Hates people who have stupid little sigs
I guess that ZDNet's exercise proves this statement. Think of all the eyes that were looking at the site, and notice that to one pair (jfs'), the bug was shallow.
...would this guy have been caught? I mean, assuming normal logging and whatever else goes on in the server, would he have gotten away with it like this, or would he have gotten caught? What steps could the cracker have taken to make getting caught less likely?
For e-mail, s/DONTSPAMME/lmco/
Keep up with patches on a weekly basis...
*bah*. There is no excuse for him (read: someone with assigned responsibility under his command, but answerable to him directly) not to keep up with them on a DAILY basis. It is simply not that hard:
1. Run a cron job that downloads the updates overnight. First thing you do in the morning is check your inbox *and* the Debian/Redhat site, just in case the script kiddies have gotten into your system and deleted the patch. (Info theory 101: if you don't see a patch locally that you *should* see, you *really* need to know about it. now!)
2. Run a cron job that launches 'mirror' to update your local mirror of Debian/Redhat. Since you're only mirroring the stable dist the only thing that changes should be security patches which you somehow missed in part 1. Each of your workstations periodically checks its package versions against the versions in your local cache.
3. Subscribe to BUGTRAQ and put it all into one of the standard mailing-list-to-web-page tools. At least once a week scan the list personally (the IT manager, not the subordinates who should track it daily) to get a feel for the current problems.
It's not difficult, and once you get it set up it's not that time consuming. It's certainly *far* less time consuming than fixing the mess left by a cracker and explaining your incompetence to *your* boss.
A lot of posts are focusing on the lack of patches applied to the RedHat box. While that is a big issue, nobody has touched on this yet:
They are attacking Open-Source/Free Software as well. And doing it with blatant but subtle lies, no less. They go to all the trouble to point out that it's an Open Source CGI ad app, when in fact it's NOT. It's source VIEWABLE, and editable. Very important distinction. You cannot contribute fixes back, and cannot share those fixes with your neighbor. The community cannot collectively pound out holes and bugs in this package.
As much as I appreciate OSI's work, the term Open Source is just a can of worms. How many people now have it in the back of their minds that Open Source is just less secure? Baseless FUD.
ZDNet sickens me more each day. Sigh.
Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now, which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)
I'm working on this. I registered linuxpatch.com (not hosted yet) last week. E-mail me if you'd like to help. I'm still in the very early stages, though.
You keep using that phrase.
I do not think it means what you think it means.
Nice article, but the guy who cracked the box wrote up a detailed account of *exactly* how he did it, complete with code:
http://hispahack.ccc.de/en/mi019en.htm
Very interesting reading.
-jason
http://www.kottke.org
"home of fine hypertext products"
buying the win2k beta
Sorry, but I can't help but laugh at this concept.
I know plenty of places running linux that have been hacked
I know of plenty of Linux sites that have had numerous attempted cracks and successfully denied them all.
even my security-conscious place full of linux/unix admins was compromised a couple months ago
Where do you work oh Anonymous Coward?
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Seems to me that PC Week is leaving holes in their article large enough to drive a truck through. For example, their server CERTAINLY should not be running all the services that there are patches for on RedHat. So when you run autorpm or whatever you should even have an upgrade option associated with these services, right? How many patches are really needed for an http server? 4? 5? And look at all the configuration changes they made for NT! It's HUGE compared to what they did for Linux. It seems to me that admining all of these is far worse than admining 21 patches FOR WHICH YOU HAVE THE SOURCE CODE.
These guys are a bunch of bozos. Sigh.
smtp.innova.net is 208.211.173.3. Check it out on ORBS - it's already been abused by spammers.
To quote the article:
Now, the interesting question is whether or not this should be considered to be an inevitable overhead cost of maintaining an internet presence?
In general, I think that security measures are becoming more powerful and easy to configure and administrate. Of course, as the de rigueur features of internet services change and evolve, the number of potential exploits increases.
Unfortunately, I think the "5% of hackers" the article mentioned will *always* be ahead of any automated security measures due to the nature of the security flaws being exploited - those which are due to new code that hasn't been "burn tested" in the real world. Thus, these costs seem to indeed be inevitable.
I think this is actually a corollary to Eric Raymond's apt observation, "Given enough eyes, all bugs are shallow." Consider: a company may have 5 or 6 people testing new code for security flaws before release. There may be over 1000 people trying to find the flaws (to exploit them!) after release. Who do you think is going to have better luck?
I don't see any ads on MS Update... you must be using AOL or some other site.
But they also applied a special hotfix to cure IIS of the major remote hack. So if they could apply that then why not the updates from redhat?
We do need an uncrackable central archive for just security fixes with a secure way of installing these. This would make security an easy task!
just because it is in common use doesn't mean that it is correct (see Microsoft)
NT is based on the premise that anyone who can manipulate a mouse can administer a system. Huh?!?
..which of course come a) without source b) with additional 'features' (like more bugs) c) without the ability to test each 'fix' individually to see if it's actually worth applying and d) far too late to be worth the trouble (your system has already been compromised.. sorry).
Personally, I wish ZD would get a clue. The choice is rather obvious. Patches that include only (wow!) the one patch you need to fix the one problem seem almost.. useful.. to me. Especially since you can look at the source, etc. How much more careful can you possibly be? =P
~ Kish
I work at McDonalds, or was it Boeing? Why does it matter to you? Do you think I want my bosses knowing I discuss their security problems in public? Use some damn common sense.
As for your knowing lots of sites that stay up, great. I know ONE that was hacked here, and that's enough when you're a large company.
why laugh at the concept of buying the beta? Pure FUD on your part, since it seems at this point to have better security than linux.
hmmm...my original msg was 'moderated' [censored] out. Here it is again:
----------------------------------
What does the results of this test, and the success of win2ktest so far tell your lowly webadmin? Anyone not wed to a particular platform should right now be looking at buying the win2k beta, since it doesn't seem crackable.
Crashable, maybe, but at least someone won't change your front page into a porn site knockoff.
I know plenty of places running linux that have been hacked...even my security-conscious place full of linux/unix admins was compromised a couple months ago - they changed the front page of our high traffic site, something one would think is impossible.
Looking at this another way, doesn't windows 2000 coming out as a security alternative pose a threat to anyone who can break into a unix box? I mean, the rules change; your old employer or other target is now a little harder to hit. It seems like all you would have to do is check the linux security sites religiously, trying every hole that shows itself, hoping you get to it before your target has been patched.
This is not a game every sysadmin wants to play on a daily basis.
Looking at this:
http://www.hackpcweek.com/exploit.html
He says:
> $filename =~ s/.+\\([^\\]+)$|.+\/([^\/]+)$/\1/;
> We see, if the $filename matches the regexp,
> it's turned to ascii 1 (SOH).
This is wrong. The \1 in the replace part will return the first register. This is contrary to the rest of Perl, but a documented special case.
It's kind of sad that he had to look in Phrack to see the flaw in the regex. It seems pretty plain to me. If your path contains a backslash (for, ugh, Windows NT compatibility) then it will take everything from the final backslash to end of the string as the file name, allowing you to have absolute paths like:
foo\/etc/passwd%00.gif
Which would overwrite the password file...
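An added example, not code from the post or from the ad application it discusses: the quoted extraction reproduced in Python (whose re.sub, like Perl with an undefined $1, substitutes an empty string for a group that did not take part in the match) beside a hardened replacement. The upload directory and the suffix list are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# The extraction quoted in the post, with the Perl regex reproduced in Python.
# Only the backslash alternative ever fills group 1, so a plain slash path
# yields an empty name while a backslash path yields whatever follows the
# last backslash, which may be an absolute path.
EXTRACT_RE = re.compile(r'.+\\([^\\]+)$|.+/([^/]+)$')

def original_extract(filename):
    """Flawed extraction: returns group 1 whether or not it matched."""
    return EXTRACT_RE.sub(r'\1', filename)

# Hardened replacement. The upload directory and suffix list are assumptions
# for this example, not values from the page or from the CGI application.
UPLOAD_DIR = '/var/www/ads/uploads'
ALLOWED_SUFFIXES = ('.gif', '.jpg', '.jpeg')

def safe_upload_path(raw_name):
    """Return the path under UPLOAD_DIR a submitted name may be saved to,
    or raise ValueError if the name cannot be made safe."""
    name = unquote(raw_name)              # %00 becomes a real NUL byte here
    if '\x00' in name:
        # A NUL would truncate the path inside a C open(); reject it outright.
        raise ValueError('NUL byte in file name')
    # Treat both separators as separators and keep only the last component,
    # so the submitted name can never carry a directory of its own.
    base = name.replace('\\', '/').rsplit('/', 1)[-1]
    if base in ('', '.', '..') or not base.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError('unacceptable file name: %r' % base)
    full = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    if posixpath.dirname(full) != UPLOAD_DIR:
        # Belt and braces: the saved file must stay inside the upload directory.
        raise ValueError('path escapes upload directory')
    return full
```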
I wish they would give Debian a try on one of these tests. Hell, install debian with apt (apt-get etc) and it doesn't get any easier to upgrade your stuff. Add security.debian.org to your sources.list file and you get all the security updates with one command.
Dave
-- No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
I've noticed all the Linux stuff has disappeared from the newsagents (I'm an Aussie), including dedicated mags; but more importantly the articles which flooded the mainstream PC mags a few months ago comparing Linux to M$oft have dried up. As well, the cover CDs don't carry the same amount of Linux stuff. Have the editors been given the word? Of course, most of their advertising comes from M$oft products - try pushing AU$3000 Java Development software when the article surrounding the advert extols the virtues of free software! I have seen a few articles openly bagging Linux (including one editorial where the editor claimed to have spent an entire weekend trying to install RH6.2! You'd think he'd at least check the misinformation before printing it!) What they don't realise is the power of the online community - it's leaving the print media for dead - and making their silly games a little pointless.
Actually I'm curious why you would want to wait for Microsoft to bundle the hot fixes into a service pack when you could just go and download them.
That seems odd to me.
How can they reconcile these two statements:
"PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement."
and
"Also contributing to the hacker's success were incomplete security updates on our test site."
As other articles about this topic have pointed out, they deliberately only did half the job, but here PCWeek is trying to convince us that they did a great job. Personally, I think "any IT manager worth his or her salt" would try to keep up with the latest patches on a weekly basis. This was not an objective test; this was using the buzzwords of the moment to sell magazines and generate page views. Considering how many PHBs read PCWeek, I can't see this article as being anything but damaging to efforts to convince management that Linux is "as good or better" than NT.
Dirk
"All I wanted was a Pepsi, just one Pepsi....."
From reading the way the cracker finally got in, does anybody know if one of the security fixes that were available would have actually stopped this exploit? It seems more like the CGI was the culprit, and the lack of security patches, while an issue in general security, had nothing to do with this particular break-in.
For e-mail, s/DONTSPAMME/lmco/
This is annoying... why can't I select and copy any of the text in that article...?
I've seen it a lot lately.
/me fires up "view source"