PCWeek Summarizes hackpcweek.com Test
Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus."
I was happy with the article in general... especially the detailed log of how the hacker broke in. It is true that CGI scripts can potentially be security holes in an otherwise very secure system. My only problem with the article, however, is the treatment of the Red Hat official updates. You mention that there is no central place to find "linux" updates. Well, there is. Red Hat provides a central source for all of their official updates. This is the same thing as Microsoft providing its Service Packs. Red Hat guarantees that these security updates are okay to apply to your system... and, in fact, they don't release them unless you *should* install them on your system. You mention the program "AutoRPM" (I'm the author of this program). The best way to use this program is to have it regularly (i.e. every night) check the official set of updates from Red Hat and apply them if new ones come out. What you do, however, is configure AutoRPM to check the PGP signature of the updates before it applies them. When Red Hat releases security updates, the patches are signed with their private PGP key. If you configure AutoRPM properly, it will use Red Hat's public key to check this signature. In other words, with only a few changes to the default config file, you could have setup AutoRPM to automatically install *official* and *verified* security updates from Red Hat. The only reason this isn't the default configuration is that PGP doesn't come with Red Hat (due to US export restrictions on cryptography). If you would have spent the 5 minutes to properly install and configure AutoRPM, the Red Hat Linux machine would *not* have been hacked (at least not in the way it was) because the cron security exploit would have been automatically patched by AutoRPM. - Kirk Bauer
I notice two statements off the bat that not only are both wrong, but they contradict each other.
First they say there is no single place to get all the updates. Since they are running RedHat, that is wrong, because they could get them from ftp://updates.redhat.com/
Second they say that if you want to keep up with the security updates, your only choice is to run autorpm, but that's a bad idea because it installs software without you knowing what is going on. Leaving aside the fact that this contradicts the first statement, it's also dead wrong. If you set one configuration variable in autorpm, instead of installing the updates, it will just download them, and send you an email advising that they are downloaded. Then you can pick and choose which ones to install using "autorpm --apply", which will show you what the package is, where it got it from, all the rpm info, and let you choose to install, defer installation for now, or remove it from the queue. It doesn't get any simpler than that.
Would you rather get your security patches the day after they are available, or would you rather wait for Microsoft to bundle several security patches up into a Service Pack CD?
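Kirk Bauer's verify-the-signature-before-applying setup and the download-then-review mode described in the comment above, written out as an added POSIX sh example that is not AutoRPM's own code or configuration. It assumes the vendor's public key is already imported into the rpm keyring and uses a hypothetical QUEUE_DIR spool path; the verdict lines it parses are constructed samples of `rpm --checksig` output.

```shell
#!/bin/sh
# Added example, not AutoRPM code: install queued RPM updates only after
# `rpm --checksig` confirms the vendor signature. Assumes the vendor's
# public key is already in the rpm keyring (rpm --import <vendor-key>) and
# that a fetcher drops packages into QUEUE_DIR (hypothetical path).
QUEUE_DIR="${QUEUE_DIR:-/var/spool/updates}"

# sig_ok LINE: classify one line of `rpm --checksig` output.
# Accept only a clean verdict that names a signature: older rpm prints
# "pkg: size pgp md5 OK", newer "pkg: digests signatures OK".
# An unsigned package yields "pkg: digests OK" (digests only), so it is
# rejected along with "NOT OK" and "MISSING KEYS".
sig_ok() {
    case "$1" in
        *"NOT OK"* | *"MISSING KEYS"*) return 1 ;;
        *signatures*" OK" | *pgp*" OK" | *gpg*" OK") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_queue: print the path of each package whose signature verifies;
# report rejected ones on stderr so the nightly mail shows them.
verify_queue() {
    for pkg in "$QUEUE_DIR"/*.rpm; do
        [ -e "$pkg" ] || continue
        out=$(rpm --checksig "$pkg" 2>&1)
        if sig_ok "$out"; then
            printf '%s\n' "$pkg"
        else
            printf 'REJECTED: %s\n' "$out" >&2
        fi
    done
}

# Default: list verified packages for a human to review (the "download and
# mail me" mode). With --apply, upgrade them in one rpm transaction.
main() {
    if [ "${1:-}" = "--apply" ]; then
        verified=$(verify_queue)
        if [ -n "$verified" ]; then
            printf '%s\n' "$verified" | xargs rpm -Uvh
        fi
    else
        verify_queue
    fi
}
main "$@"
```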
PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.
Well, that is very interesting, isn't it? Then why weren't the available security fixes for Red Hat applied? Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *
While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.
Well, isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html
Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.
Last I checked, no hole in the kernel was exploited. As for the other components, you buy from redhat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.
The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them
Again wrong. I don't use debian myself, but I believe they have a system for doing just that in a much more secure manner.
The bottom line is daunting: Don't let your guard down--ever.
Right. Basically like they did by not applying the fixes put out by redhat and using unaudited cgi scripts.
This sig is false.
If Pankaj was a network admin in charge of securing the system he'd be fired. 'Nuff said? No. To spread the FUD that Redhat is insecure because the patches are difficult to download is a disservice to anyone interested in an alternative to Microsoft. This definitely smells like another Mindcraft. I wouldn't be surprised if prominent members of the open source community refuse to even deal with ZDNet anymore because they recognize that whatever ZDNet is involved with is most likely a hatchet job.
C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest...saying what they did right, and what they did wrong. Notice in the "PCWeek Labs recommends" section they didn't say, "Don't use Linux. It's insecure." They give helpful recommendations to keep any system secure. Install all security patches, DUH!
They note that they didn't apply the patches RedHat had. They are admitting that they made a mistake here. They're saying, basically, "Don't DO that!"
They note that there is no central repository for verified Linux patches. Well, yeah...there isn't. There is one for Redhat's distribution...which of course is what they were using. Apparently they didn't know about the site. They do now, though, and are applying the patches to retest.
The point of the article can be summarized in the first sentence: "Security is hard." Not "Linux is Bad, NT is Good."
The only thing I can find wrong with the article is that they don't describe in enough detail what they did to the NT system (aside from disabling services).
-partap
What does this test prove?
If you look at this test as a contest between NT and Linux, then it proves nothing. Also, it's not an accurate test of ZD's abilities to secure a web server vs. another company.
It does provide a behind-the-scenes look at how both sides (for lack of a better word) work. Details were provided on how the system was secured and how it was compromised. An admin reading this article might see parallels to his own situation. A clueless newbie might find the details of the crack amusing.
I thought the article was well done. Both NT and Linux can be secured, but most aren't... at least not against a determined and skilled attacker.