PCWeek Summarizes hackpcweek.com Test
Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus."
RedHat has the equivalent of a Service Pack available-- the updates. These updates contain a number of bug fixes, etc. And RedHat encourages users to get the updates.
So why don't people do it? Because none of the bugs are "well-known", i.e., they don't get news coverage on ZDNet, with headlines screaming "Sky Is Falling, LINUX Insecure!"
But Microsoft tends to get that. Partially because they write shitty software (let's be honest), and partially because it's a name that people recognize and will relate to. It makes for good sensationalism.
My solution, offered with tongue firmly implanted in cheek, is to sensationalize every exploit for Linux. "crond Found Insecure at 8:00 AM, Bob Young Not Answering Phone at Lunch Time!"
Seriously, though, maybe we need to put just a little more emphasis on getting the updates. Now we have an example-- "Hey, Joe, did you download the RH updates? They say that if PC Week had done that, they wouldn't have been cracked!"
They're correct, there isn't one. But there is a central place to get updates for RedHat Linux:
ftp://updates.redhat.com
They can't make it easier than that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.
One Of the Many ACs writes:
I don't think so. For any operating system it is impossible to track all of the patches for every single program for that one operating system in one place, but a good place to start would be:
http://www.securityfocus.com/ (aka: BUGTRAQ)
ZDnet has a point here. I have the same problem they have when keeping my boxen secure. (Of course nothing is more secure than off (Hey, it would be left on if I wasn't on dialup.)) BUGTRAQ is very good, but what they (and I) would like to have would be a freshmeat of security patches. (Call it rancidmeat (it's all about bugs, get it? Oh I crack myself up sometimes (but not this time).).) It could be run just like freshmeat, nothing actually there, just links to the patches. Have it summarize BUGTRAQ and several other official and "unofficial" security sites, and provide links to the patches. Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)
M$ Propaganda^H^H^H^H^H^H^H^H^H^H^H^HZDnet writes:
The hackpcweek.com site also showed us that some simple security measures, such as complex passwords, are great in theory but nearly impossible in practice. The hackpcweek site comprised six servers. Imagine how difficult it was to remember passwords such as [Athl!g. We couldn't...

Ahh geez, and they wonder why they had security problems. I'm sorry but this is just stupidity on their part. I have a minimum of 12 different passwords each as arcane as theirs and I have no problem. (For "added security" none of them are based on any sort of mnemonic phrase). Of course if they actually used the passwords on a daily basis, then they would remember them and wouldn't have to have them written down. (Eventually you'll "forget" the password when typing them in becomes automatic. ("What's your password?" "Uhhh... *goes to a keyboard and types* apparently Ghj3$/f
I was happy with the article in general... especially the detailed log of how the hacker broke in. It is true that CGI scripts can potentially be security holes in an otherwise very secure system. My only problem with the article, however, is the treatment of the Red Hat official updates. You mention that there is no central place to find "linux" updates. Well, there is. Red Hat provides a central source for all of their official updates. This is the same thing as Microsoft providing its Service Packs. Red Hat guarantees that these security updates are okay to apply to your system... and, in fact, they don't release them unless you *should* install them on your system.

You mention the program "AutoRPM" (I'm the author of this program). The best way to use this program is to have it regularly (i.e. every night) check the official set of updates from Red Hat and apply them if new ones come out. What you do, however, is configure AutoRPM to check the PGP signature of the updates before it applies them. When Red Hat releases security updates, the patches are signed with their private PGP key. If you configure AutoRPM properly, it will use Red Hat's public key to check this signature. In other words, with only a few changes to the default config file, you could have set up AutoRPM to automatically install *official* and *verified* security updates from Red Hat. The only reason this isn't the default configuration is that PGP doesn't come with Red Hat (due to US export restrictions on cryptography).

If you would have spent the 5 minutes to properly install and configure AutoRPM, the Red Hat Linux machine would *not* have been hacked (at least not in the way it was) because the cron security exploit would have been automatically patched by AutoRPM. - Kirk Bauer
What I want to know is how they can in one breath say they took all reasonable security procedures that any sys admin worth his/her salt would take and the next say they are going to add the 21 security patches and test again...
If you keep using the latest and greatest stuff then yeah, of course you're going to need someone on staff auditing your system's security all the time. The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state. (When was the last time you worried about a vulnerability in finger?)
Admins will always need to be aware of security. But it's getting more and more to the point that you can set it and forget it. Especially if you spend the ten minutes to keep up to date with the new patches on updates.redhat.com.
I notice two statements off the bat that not only are both wrong, but they contradict each other.
First they say there is no single place to get all the updates. Since they are running RedHat, that is wrong, because they could get them from ftp://updates.redhat.com/
Second they say that if you want to keep up with the security updates, your only choice is to run autorpm, but that's a bad idea because it installs software without you knowing what is going on. Leaving aside the fact that this contradicts the first statement, it's also dead wrong. If you set one configuration variable in autorpm, instead of installing the updates, it will just download them, and send you an email advising that they are downloaded. Then you can pick and choose which ones to install using "autorpm --apply", which will show you what the package is, where it got it from, all the rpm info, and let you choose to install, defer installation for now, or remove it from the queue. It doesn't get any simpler than that.
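The workflow the two AutoRPM comments above describe (fetch the vendor's updates, check the PGP signature against the vendor's public key, and only then install or queue for review) can be reproduced with plain rpm. The script below is an added illustration, not AutoRPM's own code or configuration; it assumes packages have already been downloaded into a directory and that `rpm -K` reports one line per package ending in "OK" or "NOT OK" and naming the signature check ("pgp", "gpg", "rsa", "dsa" or "signatures", depending on the rpm version). The one pitfall it guards against is that an unsigned package also reports "OK" (digests only), which a naive exit-status check would happily install.

```sh
#!/bin/sh
# Triage downloaded updates: install only packages whose vendor
# signature verifies; queue everything else for a human to look at.
# Illustrative script, not AutoRPM. Assumes rpm -K output formats noted above.

# Returns 0 only if the rpm -K line reports OK *and* a signature was checked.
signature_verified() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    result=${line#*: }                      # drop the "file.rpm: " prefix
    case "$result" in
        *"not ok"*) return 1 ;;             # any failed digest or signature
        *ok) ;;                             # all checks passed
        *) return 1 ;;                      # unexpected output: refuse
    esac
    case "$result" in                       # digests alone are not enough
        *pgp*|*gpg*|*rsa*|*dsa*|*signatures*) return 0 ;;
        *) return 1 ;;                      # unsigned package: do not trust
    esac
}

# Sort the packages in $1 into an apply list and a review list.
# Prints a summary suitable for mailing to the admin; does not install.
triage_updates() {
    dir=$1
    apply=$dir/apply.list
    review=$dir/review.list
    : > "$apply"; : > "$review"
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue
        out=$(rpm -K "$pkg" 2>&1)
        if signature_verified "$out"; then
            printf '%s\n' "$pkg" >> "$apply"
        else
            printf '%s  # %s\n' "$pkg" "$out" >> "$review"
        fi
    done
    printf 'verified (safe to rpm -Uhv): %s\n' "$(wc -l < "$apply")"
    printf 'needs review: %s\n' "$(wc -l < "$review")"
}

# Typical use: triage_updates /var/spool/updates, then
#   xargs rpm -Uhv < /var/spool/updates/apply.list
```

Importing the vendor's public key beforehand (e.g. `rpm --import`) is what makes "OK" meaningful; without it every signed package lands in the review list with a missing-key error, which is the right failure mode.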
Would you rather get your security patches the day after they are available, or would you rather wait for Microsoft to bundle several security patches up into a Service Pack CD?
PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.
Well that is very interesting isn't it. Then why weren't the available security fixes for redhat applied. Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *
While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.
Well isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html
Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.
Last I checked, no hole in the kernel was exploited. As for the other components, you buy from redhat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.
The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them
Again wrong. I don't use debian myself, but I believe they have a system for doing just that in a much more secure manner.
The bottom line is daunting: Don't let your guard down--ever.
Right. Basically like they did by not applying the fixes put out by redhat and using unaudited cgi scripts.
If Pankaj was a network admin in charge of securing the system he'd be fired. 'Nuff said? No. To spread the FUD that Redhat is insecure because the patches are difficult to download is a disservice to anyone interested in an alternative to Microsoft. This definitely smells like another Mindcraft. I wouldn't be surprised if prominent members of the open source community refuse to even deal with ZDNet anymore because they recognize that whatever ZDNet is involved with is most likely a hatchet job.
C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest...saying what they did right, and what they did wrong. Notice in the "PCWeek Labs recommends" section they didn't say, "Don't use Linux. It's insecure." They give helpful recommendations to keep any system secure. Install all security patches, DUH!
They note that they didn't apply the patches RedHat had. They are admitting that they made a mistake here. They're saying, basically, "Don't DO that!"
They note that there is no central repository for verified Linux patches. Well, yeah...there isn't. There is one for Redhat's distribution...which of course is what they were using. Apparently they didn't know about the site. They do now, though, and are applying the patches to retest.
The point of the article can be summarized in the first sentence: "Security is hard." Not "Linux is Bad, NT is Good."
The only thing I can find wrong with the article is that they don't describe in enough detail what they did to the NT system (aside from disabling services).
-partap
To quote the article:
Now, the interesting question is whether or not this should be considered to be an inevitable overhead cost of maintaining an internet presence?
In general, I think that security measures are becoming more powerful and easy to configure and administrate. Of course, as the de rigueur features of internet services change and evolve, the number of potential exploits increases.
Unfortunately, I think the "5% of hackers" the article mentioned will *always* be ahead of any automated security measures due to the nature of the security flaws being exploited - those which are due to new code that hasn't been "burn tested" in the real world. Thus, these costs seem to indeed be inevitable.
I think this is actually a corollary to Eric Raymond's apt observation, "Given enough eyes, all bugs are shallow." Consider: a company may have 5 or 6 people testing new code for security flaws before release. There may be over 1000 people trying to find the flaws (to exploit them!) after release. Who do you think is going to have better luck?
What does this test prove?
If you look at this test as a contest between NT and Linux, then it proves nothing. Also, it's not an accurate test of ZD's abilities to secure a web server vs. another company.
It does provide a behind-the-scenes look at how both sides (for lack of a better word) work. Details were provided on how the system was secured and how it was compromised. An admin reading this article might see parallels to his own situation. A clueless newbie might find the details of the crack amusing.
I thought the article was well done. Both NT and Linux can be secured, but most aren't... at least not against a determined and skilled attacker.