Slashdot Log In
Ongoing Linux/Solaris Compromise Epidemic
Posted by
timothy
on Tue Apr 13, 2004 07:39 PM
from the active-malice dept.
from the active-malice dept.
An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."
This discussion has been archived.
No new comments can be posted.
Ongoing Linux/Solaris Compromise Epidemic
|
Log In/Create an Account
| Top
| 366 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Nothing to worry about (Score:5, Funny)
(http://rapidhomeoffer.com/ | Last Journal: Wednesday April 14 2004, @06:20PM)
Re:Nothing to worry about (Score:4, Insightful)
(http://www.sff.net/people/Daniel.Dvorkin | Last Journal: Friday October 12, @01:42PM)
When Windows is being compromised, that's cause for Microsoft to ignore, deny, and lie about the problem, and if that fails, spend a few billion dollars on PR. When Linux is being compromised, that's for knowledgeable programmers to study, work on, and fix the vulnerability.
Check out a good substitute for all your Linux (Score:3, Funny)
Here [microsoft.com] - those guys make a kernel, kickass GUI environment (faster than GNOME and easier to use than KDE) plus some office word editors and educational stuff like encyclopedias and maps.
I'm just glad... (Score:4, Funny)
aQazaQa
Win 95 to the rescue! (Score:5, Funny)
Security through boredom, my new secret weapon take th^454&*%2^$^^^B
Windows is not the only vulnerable OS (Score:3, Insightful)
(http://goat.cx/ | Last Journal: Wednesday August 18 2004, @02:34PM)
Assuming that Unix/Linux is invulnerable to security holes is deadly. Though the OS may have more security features and "more eyes" on the code than closed source operating systems, we must not rest on our laurels watching Windows implode while our own house is burning.
Re:Windows is not the only vulnerable OS (Score:4, Insightful)
All the vulns mentioned have patches/fixes/replacements for the faulty code.
The System Administrators are at fault FOR NOT MAINTAINING THEIR SYSTEMS PROPERLY.
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
(Last Journal: Wednesday October 20 2004, @05:23AM)
Re:Windows is not the only vulnerable OS (Score:5, Interesting)
Wrong. People rail because Microsoft rarely gets it right the first time, and are damned slow and arrogant about fixing security holes. Oh, sorry. They did speed up their response time on security issues after realizing that the public was noticing and they were losing a little market share in IIS.
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
(http://alec.restontech.com/ | Last Journal: Monday March 06 2006, @12:54AM)
There is a well founded fear many Windows admins have about MS patches. They tend to break things. Patch Win2k, and MS-SQL does not work upon reboot. Or that third party medical charting software suddenly does not work.
Windows is very complex (many would say "too complex"), and certainly suffers from the "integration" of its parts. Therefore, unintentional side effects of patches are envitable. With Unix(ish) systems, the descrete parts can be patched, well, descretely. You can patch Sendmail, or MySQL, or OpenSSL all by itself (although sometimes you must recompile applications that depend on shared libraries, such as OpenSSL).
Re:Windows is not the only vulnerable OS (Score:5, Interesting)
(http://agileartisans.com/ | Last Journal: Saturday June 18 2005, @08:11AM)
The p;roblem, among others, is that we don't have enough real punishment going on for hacking activities.
The internet has become the equivalent to living in a slum. Sure, the property is cheap, but if you don't have bars on your windows, you can count on a break in. And lots of people will tell you it's your own fault for not putting bars on your windows and living in a walled compound with broken glass on the tops of the walls.
I agree that the systems should be patched, but the real problem is that there are communities of thugs who feel at liberty... NO, who ARE at liberty (due to the lack of a cohesive international enforcement) to do what ever they want to you machine.
I vote for real international difficult (I know that's not going to be trivial) and hard jail time when people are caught. And, just like Kevin Mitnick, they should not be allowed to work with computers when they get out.
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
(http://www.etoyoc.com/yoda | Last Journal: Tuesday June 10 2003, @10:53AM)
Now that said, you have an interesting slant on ethics. By that mindset, a burglar is perfectly entitled to break into your apartment because your door could be kicked in. A theif can swipe your radio because, hey, it was only glass between him and what he wanted.
Yes, there is a certain amount to be said for not painting a target on yourself. But regardless of how much you "had it coming" it's still a crime to break into your dwelling, steal your property, or damage your person or posessions. System intrusion is a crime, and a matter for law enforcement.
Re:Windows is not the only vulnerable OS (Score:4, Funny)
(http://www.hyperlogos.org/ | Last Journal: Wednesday July 18, @08:19PM)
How's the reformation coming?
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
Why not?
Well, what happens if that system just happens to be the payroll system, for example? What happens if the patch just manages to break the system so that the fortnightly payroll run doesn't happen? What happens when that money, which you expected to be in your bank account, doesn't appear? What happens when your mortgage provider goes to pull out your fortnightly mortgage repayment, and finds that there's no money in there to grab?
It isn't as simple as "Here's a patch, you're now secure as long as you apply it." We're talking real-world systems, with real-world conflicts and requirements. If you step outside the known and tested, you're liable to break things.
In other words: have a second system which you can throw patches onto and pound away on for a week or two, to make sure that those patches don't break anything important. Then throw the patches onto the live, production system. Doing it any other way could cause serious problems.
Sometimes, it's a case of having a choice: either you're secure, or your business is functioning. This is not a choice that I would want anybody to have to make, but you need to know that that choice is entirely possible, every time a new patch is released from your vendor, whether that vendor be Microsoft, Sun, IBM, HP, SGI, Apple, or Linus. Note that I'm not talking about deliberately (or through slacking off) avoiding application of patches; I'm talking about verifying that the patches still let you function as a business.
Or, in other words: IT exists to serve the business. The business does not operate to serve IT. Most of the time, there is no conflict between the two, but when there is, you need to make damn sure that the right one wins.
In other words (Score:5, Insightful)
In other words, Stanford doesn't keep its Linux boxes up to date. These exploits have been fixed. Linux too requires maintenance and patching, not just Windows.
Re:In other words (Score:5, Insightful)
(http://www.networkmirror.com/ | Last Journal: Thursday July 05, @04:34PM)
Re:In other words (Score:5, Informative)
(http://ameoba.0pi.com/)
There's no excuse, when putting up a several hundred node cluster to not get an extra machine through which it needs to be accessed that is not part of the cluster. That machine can trivially be kept secure & the cluster can then be updated as is convenient (IE - not replacing the kernel in the middle of a 3-week long computation; even at that, tho, anything that's going to take 3wk should be able to checkpoint itself without loosing much).
Re:In other words (Score:4, Insightful)
Academic computing is the epitome of *available* computing, in the sense that availability is the highest priority. Financial institutions may prioritise (or at least, should prioritise) security and a good administration over availability, but by its nature, academic computing involves disparate infrastructures, various levels of admins with various goals, and so forth. All students, faculty, and staff need access; frequently, granting loose, unsecure access is simply more efficient for the time being than making things secure. Such is life.
Re:In other words (Score:4, Insightful)
(http://randyrandy.net/)
The attacks start with the compromise of an unprivileged local user account. Usually this is because the attacker's captured the password from somewhere else: it's been sniffed off the network (through the use of insecure protocols like telnet), it's been collected when the user signs on to or from another compromised machine, it's been harvested from the password file on a compromised system.
So, we have user passwords as the source, which users freely give away by (1) using telnet instead of SSH, (2) just being very uninformed or gullible users, enough to plug in his/her unix password to a web form, and (3) once-removed version of (1) or (2) since these are just obtained from other compromised machines.
(1) and (2) are arguably the same problem, so that boils down to: users breaking rules -- surprise! But, that's easy to say, but hard to fix without more power . What to do? Seriously? Fine users for breaking rules?
If you read to the VERY end of the article... (Score:5, Informative)
(http://www.oldos.org/)
We know this.
No more default last 4 digits of SSN as a password.
Make them use something more secure! And disable telnet, for goodness sakes.
Inconvieience (sp?) your students in order to secure your system. It's all fun and games until someone uses a rootkit to play with GPAs.
IMO all of these attacks are related (Score:4, Interesting)
(Last Journal: Tuesday September 25, @04:26AM)
Just a feeling.
Washingtonpost.com has the complete story (Score:5, Informative)
Hmm, doesn't seem very unusual. (Score:5, Informative)
(http://greengeek.pitas.com/)
Don't send passwords in plain text on the network, and enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
Re:Hmm, doesn't seem very unusual. (Score:4, Informative)
(http://achurch.org/index-e.html)
enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
I've always been against this, or at least the more anal implementations of it, in that forcing people to choose hard-to-remember passwords typically leads to writing the passwords down--often in obvious places--which makes the problem worse instead of better. Good encryption (e.g. ssh instead of telnet) and good security measures (e.g. shadow passwords) are much more effective than draconian policies that don't achieve their ends anyway.
(And as for numbers and symbols making passwords less crackable--admit it, how many of you use 1337speak to make up the number/symbol quota?)
Re:Hmm, doesn't seem very unusual. (Score:4, Funny)
Doh, how did you know my password was 1337speak? I better change now that you've posted it on Slashdot!
Note to self (Score:5, Funny)
Re:Note to self (Score:5, Funny)
Sloppy work all around (Score:5, Insightful)
If the sysadmins had actually patched their servers with the appropriate security patches the "hackers" would have never gotten in, in the first place. If you read the counter measure section this isn't anything new that they shouldn't be doing every day and enforcing.
If you look at the section entitled Evidence of compromise you can see that the people breaking into the systems are leaving a pretty big trail to follow. In my job, when customers start complaining that their servers are working quite right, when you take a look at whats going on you can see a root kits been installed. The whole idea of a root kit is to cover your tracks. If these guys did a better job you'd never know you were hacked. Its quite sad really. Laziness is the biggest security problem if you ask me.
Been hitting Caltech too (Score:4, Informative)
Yeah, so? (Score:5, Interesting)
(http://ameoba.0pi.com/)
HPC Clusters? (Score:4, Funny)
My opinion (Score:3, Interesting)
(http://www.peopleforchange.net/forums)
they wanna know WHAT? (Score:4, Insightful)
Never mind the compromised machines. Let's try social engineering instead. I know! We'll make a security alert, get it on Slashdot, and the poor trusting souls will beat a path to our POP3 account!
Seriously, you might as well just hand them your hard drive and credit card number.
HPC question (Score:2, Insightful)
Libsafe protects against buffer overflow exploits (Score:5, Interesting)
(http://www.maxmind.com/)
If more sysadmins installed this, perhaps we wouldn't have problems with so many Linux compromises? Of course it's no substitute for patching, but seems like a good additional security measure.
This is from the gnu.org software directory [gnu.org]
The exploitation of buffer overflow and format string vulnerabilities in process stacks are a significant portion of security attacks. 'libsafe' is based on a middleware software layer that intercepts all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program.
The true benefit of using libsafe is protection against future attacks on programs not yet known to be vulnerable. The performance overhead of libsafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, or recompilation or off-line processing of binaries.
Re:Libsafe protects against buffer overflow exploi (Score:5, Interesting)
(http://www.etoyoc.com/yoda | Last Journal: Tuesday June 10 2003, @10:53AM)
I still use libsafe. It is the greatest thing since sliced bread. Ok, that and distcc. Distcc and rsync... and ssh... DOH!
Imagine... (Score:5, Funny)
From the Stanford article:
And further down...
To paraphrase a cliche without any attempt at humor:
Imagine a Beowulf cluster running John the Ripper.
Now, wait a moment ... (Score:5, Interesting)
(http://www.fallingyou.com/)
Now, my opinion of MS is not that great, but this just seems wrong.
Regards,
John
Re:Now, wait a moment ... (Score:4, Informative)
Re:Now, wait a moment ... (Score:4, Interesting)
(http://forums.boiledfrog.us/ | Last Journal: Friday February 21 2003, @01:08PM)
This article is about incompetent admins and actual security breaches using exploits that have had fixes for ages. Thus, security. The windows item was on patches for actual bugs and didn't mention any specific exploit instances: thus, bugs.
It all makes sense now, doesn't it?
Oh, I misunderstood... (Score:2)
Oh well.
academic machines? (Score:4, Interesting)
(http://www.rogertheshrubber.net/)
I can see why they would want to target academic boxen if they wanted high-powered computers to do some serious slaved number crunching. If they are just going to launch a DDoS attack or send a bunch of spam though, academic computers are not the best. Most academic sysadmins have fairly limited budgets, and spend a fair amount on bandwidth. As such, they rule their bandwidth with an iron fist in many cases. The Admins at my particular college have bandwidth flags on certain ports and a global flag of somewhere around 1gb/day over 3 days. Break that, and the admin gets very interested in what you are doing with your boxen.
I'm sure other colleges have similar schemes, and I've heard of many colleges which are even more strict with their bandwith (200mb/day limit, etc). These academic boxes may make good targets because of their relatively user intervention and user experience, but they don't have that great of a pipe on them, relatively speaking. If it was me, I would have gone after servers that also run wireless access points. Hard to tell where the bandwidth goes in some cases with those.
this just in... (Score:4, Funny)
and in other news...
cheerio's get soggy in milk
Sad Mind (Score:5, Funny)
I thought it was some kind of nasty name for a hacking daemon - until I found out that sadmind was the "Solaris ADMIN Daemon"
I've said it before and i'll say it again.... (Score:2)
Strategic issues (Score:4, Interesting)
(http://www.animats.com)
I see a day coming when, in one day, half the computers in the US have their disks erased.
If a Linux box is insecure... (Score:2)
(http://slashdot.org/ | Last Journal: Saturday November 03, @04:58AM)
If you're worried about system crackers, install SE-Linux as your kernel, throw on a few of the NSA's utilities, disable unrequired access to software and finally make sure daemons don't have privs they don't need.
Security isn't hard, it merely takes a little more effort than most are willing to put in.
The Washington Post has more coverage (Score:4, Informative)
Washington Post has more coverage in this article, Hackers Strike Advanced Computing Networks [washingtonpost.com].
Does anyone on the inside... (Score:2, Informative)
(http://technocrat.net/ | Last Journal: Thursday November 15, @03:58PM)
Or do you (anyone who might have some more AC insider info) have any other pertinent data not covered in the articles?
Not a security guru here, but last time I remember anything like this was like around 2 years ago or so when banks were targeted, something like that anyway.
Re:Does anyone on the inside... (Score:5, Interesting)
A few things to try..... (Score:5, Informative)
1. Patch your system! As soon as a patch comes out, get it applied and reboot if you have to! Also, stay up to date on security issues by subscribing to mailing lists that are related to the software your using. One good general purpose site is cert.org [cert.org]. Keep in mind that while mailing lists are great ways of being notified, they arent fool proof. If your subscription expires and you dont know about it, you wont be exactly up to date in the community now will you?
2. Use grsecurity [grsecurity.net]. This is a kernel patch that is briefly lagged behind official Linux kernel versions. It has many great features for protecting against stack attacks/buffer overflows. ie: Those latest greatest scripts your local script kiddie just downloaded wont likely do anything against you since special addresses are randomised. It can also hide files on your computer such as intergrity checkers so nobody except you know they exist. Plus it can stop insert code into a running kernel by making kernel memory readonly (which btw, would have prevented at least one of the attacks they mentioned).
3. Install a filesystem intergrity checker. Aide, integrit and tripwire all come to mind and essentially all do the same thing but with different config file syntax. Besides, how can you tell if a file is changed if you dont actually check? Also, dont forget to hide the existence of this program using something like grsec's gradm filesystem ACL util and be careful of automating checks in the crontab!
4. Read a good linux securing article. One such article I have read is called Securing & Optimizing Linux: The Ultimate Solution [tldp.org]. It will teach you how to lock a system down a fair bit and how to remove unused/unneeded services from your computer.
5. Watch those logs! Log files provide a wealth of information, but administrators rarely check them (well, not all). If you dont know what a log entry means, research it, or else you may be looking at an attack and not even realise it. Now I know some of you are thinking I am nuts considering just how many logs even a small system generates, but there are tools to help you. One way is to use a program called swatch (a perl script). It can parse existing and old archived log files using a perl regex syntax and trigger actions based on found text. Start by configuring the system to ignore any log entries that are known to be friendly and show you everything. Then slowly eliminate each friendly entry one at a time. What will be left is a list of purely evil enteries
Now I know I could go on forever with suggestions, but I think that these few things should give anyone a kick in the right direction. I hope this has been helpful.
what are some constructive solutions for this? (Score:2, Interesting)
I'm not sure it really has to be this way. It seems to me, that it is a major design flaw that if there is a small error in one of the *many* programs from *many* different parties being run as root, that it can be exploited so that an arbitrary attacker can end up getting root access or executing arbitrary code or whatever. For that matter, it seems silly that (for desktop systems) disastrous effects can come from code run by Joe user. After all, desktop users store all their important files in some place they *don't* have to authenticate as root to get to.
Rather than just assuming that the ever watchful eyes of open source uber hackers are the only remedy for this as well as all of life's problems, maybe it is possible to come up with some easy solutions, or at least partial solutions, to this problem?
1. Use software that watches the beginning and end of every stack frame for an overflow. If an app overflows *kill it dead*. Similarly, the beginning and end of every block allocated on the heap can be watched. Software like this exists, and it is about time it is built directly into the standard distributions and *turned on by default*.
2. Develop a new security model. The current system sucks out loud. Really, access lists (a la microsoft) are a step in the right direction. Finer grained and more flexible controls are good, but a totally new security model would be better. I've seen some things like this developed as academic projects, but it would be nice to see a patch available for a main stream OS like linux.
3. It might also be useful to have virtualization (think VMWare) built into standard distros and used by default for services like apache that need to run some stuff as root. My understanding is that you can do something like this with chroot currently, but that it is a clumsy and dangerous tool.
I'm not a big security buff, but even I can see that there are some things we can actually *do* about this problem.
Good work! (Score:2)
(http://rixstep.com/)
google (Score:1)
keep in mind, these are local exploits (Score:2)
(Last Journal: Monday April 12 2004, @04:18AM)
This is tech tower control ... (Score:2)
(http://www.rsvpair.com/)
There are also some jackals from Microsoft who'd like to speak with you in the lobby, after they're done spreading nails on the tarmac.
Hmm, poor Linux security, huh... (Score:2)
(http://slashdot.org/)
I don't know who to bother about getting this implemented but I assume someone at RH would have to adopt it. A few votes might get it recognized.
For real. (Score:1, Interesting)
Whats the big deal? (Score:2)
(http://attrition.org | Last Journal: Tuesday August 10 2004, @01:03PM)
The proud hacker ethic of yesteryear promotes user patching : the laissez faire school of security. Most major schools have no firewalls and scientists dictate IT policy. There is no staging prior to production. No patch management. No administrative oversight. Imagine buggy half-assed builds scaling to superclusters. This is not your mommas locked down corporate environment.
The only defense is to secure your department as much as you can - the "Islands in the Stream" model of network security. This will complicate your users lives. Depending on where you work, this may be a Career Limiting Move (CLM) in Academia OR the real world. However, the upside of all this malicious intent is the great opportunity for security exposure. Only firewall teams are usually schooled in active attacks. Fuck the corporate bootcamp cram session. This is live fire. Believe me, Honeyd and Tarpits are a godsend.
Of course universities are targets of hack attacks. The student segments are swarming with virii and backdoors. You wanna go tell Joe Jr $40k pa he's not allowed to use his laptop? One successful compromise will lead to a hackers paradise. Windows PCs on University address blocks are everyday targets. All we see here is someone targetting *nix boxes. This is a surprise?
NOO! Kiddies are targetting insecure machines with known vulnerabilities? Users/Admins didn't stay on top of their security patches? Why is this even news?
not always .edu's fault (Score:3, Interesting)
(Last Journal: Monday June 17 2002, @10:06PM)
Re:Lazy Admin ? (Score:1)
(http://www.macidol.com/jamroom/Tempest | Last Journal: Sunday May 28 2006, @11:40PM)
Re:Attacks against universities? (Score:3, Interesting)
Nothing is written to a hard drive with this OS.
If so, how would this apply to the story on these attacks? How would anyone "gain control" of my computer under these circumstances.
BTW, Damn Small has a limit of 50 Mb, mine runs a little over 60 MB, and I put Mozilla Firefox and Wvdial in the remaster, as well as some office applications from the Debian list of over 8000 items.
Re:That's some scary stuff (Score:1)
Re:Lazy Admin ? (Score:2, Interesting)
Of course, most Windows users are clueless, so the Linux/Unix admins are pretty much guilty in this situation.
To confess (anonymously), where I work we are pretty slack about security as well.. we use ssh and pam, wasn't there a known security risk with these 2 a few months ago?
Re:Attempts easy to guess passwords (Score:5, Interesting)