Cracked Series Complete
Quite a number of people have written in recently with the news that the Cracked Series has come to a close with Feature #7. The series has been pretty interesting from a storytelling perspective - check it out on rootprompt.
The problem with script kiddies (Score:5)
The aura of arrogance that these kiddies have is really quite shocking. They have no perception of what it is like to actually run a system and defend it against real hackers/crackers. They just get their kicks by annoying hardworking people, and wasting their time and money.
And don't argue that the problem is admins leaving their systems unsecured -- if you notice someone left their door unlocked, it's not your duty to go inside, rearrange all the furniture, and leave cryptic notes saying how you "0wn3d" his house.
Re:OT: UID's being shown? (Score:3)
Hemos is not a troll!
Or is he ... hmmm?
Re:Cracking (Score:5)
I helped clean up when a cracker was discovered on a static IP Linux box my sister put up.
The cracker was only doing "harmless exploration" (running bind scans against lots of other boxes on the local subnet and installing rootkits and trojans).
This clean up cost me about 20 hours that I would rather have been spending with my wife and two year old son... which is the most precious thing I have.
After the second crack, I told her to pull the plug. One less Linux server on the internet (she was using it for a bug tracking database for a startup company she was working with, her husband was using it to give free accounts for students at a local community college where he teaches).
One less corporation Linux had penetrated, 20 fewer students every quarter that can have a free account to learn to create web pages on *nix based systems. Congratulations, cracker boy.
I am a professional programmer, and in my spare time a humble open source developer (backburner, check freshmeat). Guess how many bugfixes have been released to backburner in the last year... Exactly 0. Why? Because I have had to spend all my time cleaning up cracked boxes and setting up firewalls just to keep my systems from being invaded, destroyed, or used to attack other systems (stealing precious time from others).
If you want to explore, set up your own network. 486's are a dime a dozen, NIC's can be found for about $15 each.
The moment you touch a system you have not been invited onto, you are stealing precious time from somebody, period. Somebody had to initially secure the system to keep you out, somebody has to monitor your crack attempts, and somebody has to respond to your actions.
Next time you are on a system you don't own, think about the fact that you are not just exploring, but taking a VERY high chance that you will force somebody somewhere to respond to your actions, and thereby steal that person's time.
I am telling you from personal experience, that theft REALLY hurts.
Bill
Re:Translation (Score:2)
Noel
RootPrompt.org -- Nothing but Unix [rootprompt.org]
Re:sys admins was at fault (Score:1)
Your first point: Not having adequate backups. If you'd read the entire series, and read the entirety of #7 as well, you'd know that they aren't running a business, but donating their time and efforts, and using donated equipment. They can't exactly be choosy. They seem to have gotten webpage files and config files, but lost mailspools and most other user files. Not fun, but overall not the world's largest tragedy.
Second point: This cracker showed up on the IRC server they run. Noel didn't go looking to talk to the guy, the cracker ended up coming to him. Also, when they were originally cracked, after moving all their equipment, they DID go through and rebuild EVERY machine from scratch, updating everything, restructuring, etc.
Third point: See above. They did that the first time. They thought they were up to date enough that they wouldn't be vulnerable to something as stupid as a compromisable rpc.statd. Obviously they were wrong. They were overconfident, and it was a mistake. But they were trying.
Final point: This cracker is smart enough to connect via several intermediate hosts. Makes him kinda harder to track. Once again, I say go back and read the ENTIRE series. You'll get a better idea of the situation.
_____
Re:Cracking (Score:1)
The article at rootprompt is a re-attempt of The Cuckoo's Egg [amazon.com] by Clifford Stoll. Otherwise, nothing more.
The only thing it teaches sysadmins is that they have to be more clueful; it has no other technical value.
Re:Interesting even for newbies (Score:1)
If you have any others, reply to this post, or e-mail me personally, and I'll try to answer your questions.
_____
Re:My own story... (Score:2)
I feel your pain in being cracked, etc., and I hope it never happens to me. But you have to understand by now that securing a *nix box isn't the kind of thing you could just relay to someone over the phone in 5 minutes, or even 1/2 hour. If you're not willing to go out and research this on your own, etc., you really have no business running Linux. I don't mean this to sound snooty, it's just the amount of work it takes; if I was working a tech support line and someone asked me that, I'd probably tell them the same thing.
I just don't understand the motivation. (Score:1)
Destruction is easy. People do it all the time by accident. If you think you're so cool, try improving something.
You never see these twits producing anything useful. They don't make better applications. They don't come up with sophisticated new algorithms. They don't even figure out how to fix the bugs they find, they just work out how to trigger them, a far less complicated problem.
How can that make them feel powerful?
*BSD vs. Linux (Score:2)
Now, I will agree it is a shame that RedHat doesn't take more time to make the default installs secure....
Re:Cracking (Score:1)
Bullshit!
If I break into your house and look through your stuff - even if I didn't damage anything, not even the locks - I bet you're going to be pissed off. And rightly so.
I agree that if you want to put a system up on the internet you should learn about security and spend 5 hours securing the box. But I'm just so fucking sick and tired of the whole "blame the victim" mentality.
I'd even be tempted to help out if any sysadmins were planning to pay a late night visit with a two-by-four to a cracker's house.
I had no clue (Score:1)
But please, leave more suggestive descriptions of the articles at hand.
Mike Roberto (roberto@soul.apk.net [mailto]) -GAIM: MicroBerto
Re:It's for moderators... (Score:3)
Re:OT: UID's being shown? (Score:1)
P.S. - turning off +1 for this OT post
Re:complete? (Score:2)
I always liked MAD Magazine better!!! (Score:1)
Besides, I always liked Don Martin and Sergio Aronges.
Turn it all off! (Score:1)
A new user by default, is not ready to accept the responsibility of running services. Hence, by default, do not start the fucking services. Just because you offer Joe Newbie the pleasure of INSTALLING a web server does not mean you should turn it on. Complete idiots will still turn everything on themselves but this will save many people with a moderate clue!
Re:Ummm, Moderators smoking crack again ? (Score:1)
Re:Cracking (Score:2)
That's your personal ethics. Are you willing to impose them on the others? Are you willing to convert them into law?
"Guess how many bugfixes have been released to backburner in the last year... Exactly 0. Why? Because I have had to spend all my time cleaning up cracked boxes and setting up firewalls just to keep my systems from being invaded, destroyed, or used to attack other systems (stealing precious time from others)."
Now that's a bullshit argument. If you are dealing with computer security at work, this is your job and how intense it is has nothing to do with posting bugfixes for your project which you do in your spare time. If you tell me all your spare time is taken by cleaning up cracked boxes, I'll tell you that (1) I don't believe you, and (2) you should learn to prioritize your time.
"The moment you touch a system you have not been invited onto, you are stealing precious time from somebody, period."
So? An inept clerk at a store is stealing my time. A person who stopped me to ask for directions is stealing my time. Windows' registry being fucked up steals my time and a lot of it. IRS steals huge chunks of my time every April.
My point is that engaging in activities has costs, and one of those costs is time. If you are running a publicly-accessible server, time to secure it and deal with vandals is one of the costs. Sure it would be nice not to have to deal with it. But think of the alternatives. We already have the War on Drugs where being caught with a bag of pot can land you in jail for many years. Do you want to live in a society where being caught at portscanning will lead to the same results?
Kaa
Re:Trivial Hardware solution. (Score:2)
WWJD -- What Would Jimi Do?
Surprise, surprise, I know Noel! (Score:1)
Re:Cracking (Score:1)
It's all the same in the eyes of the general populace and therefore in fact. Since the general public doesn't get the difference, trying to push it just confuses stuff more.
Re:Cracking (Score:3)
No problem. They do have the right to be suspicious and to take measures to defend their systems.
However some people are taking the next step which I am uncomfortable with, that is: if sniffing around (pinging, portscanning) is causing busy hardworking people to waste their time and worry too much, why then, just make it illegal. Make portscanning a federal crime and add War on Hackers (yes, hackers) to War on Drugs. Sure, that will make sysadmins' life easier. I also think that this would be a very Bad Thing to happen.
If I see somebody sitting in a car outside my house observing it, I may walk up to him and talk to him, I may walk out and stare at the guy through binoculars, I may call the cops. I am NOT going to lobby for a new law forbidding people to sit in parked cars outside other people's houses.
Kaa
My own story... (Score:5)
Some time after I moved in, I discovered Linux, and Unix. (Mostly from working on SGI's. I wanted to be able to run ANSYS without going down to the labs.)
VERY soon after I discovered Linux, I discovered what rootkits were. I woke up about 7 in the morning because my cdrom drive (an old noisy Mitsumi) was going nuts. I was certainly no guru at this point, and I had no idea what was going on. I did a ps aux, but I didn't see anything happening, so I just took the cdrom out and went back to bed.
Two days later I noticed that my ethernet connection wasn't working anymore. I called down to the computer center and was informed that my connection had been shut off and that there were charges pending against me for "cracking" attempts on PSU's servers. It took me 3 months to get my connection back.
When I asked PSU for help securing my machine, I was told to use a different operating system.
In addition to my own machine being cracked, my friend who was also running Linux for the first time got cracked (probably through my machine) and had nasty emails sent from his machine to a couple of government agencies. He and I were both in some deep shit for a while, and had done NOTHING.
So, cracking DOES hurt. I'd like to extend a big FUCK YOU to the kind of people who think that getting others in trouble is funny. Another big F*** You to every little clone virus writer who makes life for tech support a living hell. You don't advance knowledge. You aren't doing anyone any favors. You prove nothing except that you are the same as vandals with a can of spraypaint. God help you if I ever find one of you.
Why talk to him? (Score:3)
You might respond "but maybe you can befriend the cracker and set him straight". Yeah, maybe. Or maybe he'll start realizing you are getting too close and he'll lash out by typing "rm -rf
BTW, Slashdot trolls are the same way. Don't moderate them (esp. down past 0), don't respond to them (even "just once"). Just ignore. Like your mother said, "eventually they will get bored and leave you alone". And this isn't theory. I've gone through several cycles of trolls (or one troll with many names) targeting me for idiotic responses or unfair moderation (which reminds me, could we have some meta-mod power over "underrated" and "overrated"?). Once I realize what's going on, I don't even bother reading the responses. 24-48 hours later the "attack" is over.
--
Another positive comment for Open Source (Score:4)
I am currently involved in major battles with my line manager who seems to have this idea that Open Source = Unsupported. He doesn't realise that a product that is supported by thousands of developers who have a vested interest in solving problems is going to be better supported than one whose only backup is a handful of developers whose managers not only have a vested interest in hiding any flaws found but also want them involved in adding the newest whizz-bang features.
Based on articles I've read it looks like the equation is really Open Source = Secure and Supported.
five part trilogy? - proud Hitchhiker tradition (Score:2)
At least they did add, "increasingly inappropriately named," to the trilogy reference.
Re:It occurs to me... (Score:2)
But I wonder what he makes of the general disapproval. This especially comes from cracking a community system. Kind of like robbing a soup kitchen. He picked the wrong target.
Re:My own story... (Score:2)
Essentially, I didn't even know I had to secure anything. I would have been happy with a decent source of information, but I didn't even get that from PSU security.
RedHat needs to make their system more secure (Score:3)
I think one of the major causes of this problem is that RedHat (and others) do not go to much effort to make their distribution secure. RedHat could be considerate and do the following:
- Sam
Re:Cracking (Score:2)
Get root on my box and I find you? I am looking at a BUNCH of time looking for rootkits and backdoors regardless of whether you have installed them or not.
And that's only if you're not healthily net-paranoid... get root on my box and I find out, then I'm not looking for anything but read-only install media and a fresh download of all patches from a trusted source.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Re:Cracking (Score:1)
I'm unclear about what you're saying here when you state you cleaned up. Unless you did a completely fresh re-installation from a cdrom or some other medium that is known to be safe and cannot be altered, you did not clean anything up.
Before going back on the network you should:
Perform a fresh install, then disable all unnecessary services. Perform a suid audit and determine which suids are needed and which aren't. Consider changing the umask on the system to something a bit more secure. A umask of 027 will yield the following permissions rwxrw---- for newly created files.
Set up your hosts.deny to ALL:ALL. Configure IP Chains to do what you want them to do. I believe gfcc [www.suse.de] is a nice gui frontend to make this easier.
For a company based implementation maybe even another step further and have another box in front of this one as a dedicated firewall.
Never assume you have gotten everything cleaned up on a cracked box unless you have wiped the disk, or even better backed the disk up then wiped the original for re-use. Go back and look at the old disk in a safe environment to see what went wrong.
Installing tripwire is also a good idea so if it happens again you know what was touched.
Might even be beneficial to have a sniffer out there to see what's going on on your network.
And of course there's always the obvious:
No telnetd and ftpd
USE SSH!!!
Portscan your box before others do and remove the unnecessary daemons running on your system.
I completely removed inetd from the equation after I read up on why it's bad for people like me who don't need ***ANY*** of the services it provided.
And as always good strong encryption and frequent password changes will increase the likelihood of not getting cracked.
Remember, the crackers are always one step ahead of you, stay on your toes and get all the latest security fixes and releases when they come out.
Nothing is foolproof, so even after you do all this, prepare to be cracked and provide your system with a method of recovery should such an event happen. This means keeping a secure immutable backup of the system someplace safe and updating frequently enough for it to be useful.
Laters, Dan O'Shea
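The suid audit, the tripwire step and the "know what was touched" goal from the checklist above, as one added example: this is not code from the post or from Tripwire itself. It assumes Python 3, builds a constructed sample tree in a temp directory, and the function names (snapshot, diff, demo) are this example's own.

```python
"""Tripwire-style baseline and setuid audit for a directory tree.

Added example, not code from the post. Records a content hash plus mode
and owner for every regular file, flags setuid/setgid binaries, and diffs
a saved baseline against a fresh snapshot to report what was touched.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits, owner and size of every regular file
    under root. lstat is used and symlinks are skipped, so a planted link
    cannot pull an outside file into the baseline."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return snap


def setuid_files(snap):
    """The 'suid audit' step: every recorded file carrying setuid or setgid."""
    special = stat.S_ISUID | stat.S_ISGID
    return sorted(p for p, e in snap.items() if e["mode"] & special)


def diff(baseline, current):
    """Compare two snapshots. A mode or owner change counts as modified even
    when the content hash is unchanged (a binary that quietly became setuid)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    """Write the baseline as JSON. Keep it off the audited host (read-only
    media or another machine): anyone with root there can rewrite it."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a tiny tree, then change one file and
    drop a new setuid file, and return what the next snapshot flags."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    offhost = tempfile.mkdtemp(prefix="audit-baseline-")  # stands in for off-host storage
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        _write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\nexec /bin/ls \"$@\"\n", 0o755)
        _write(os.path.join(root, "etc", "hosts.deny"), b"ALL: ALL\n", 0o644)
        baseline_path = os.path.join(offhost, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        baseline = load_baseline(baseline_path)
        # Constructed changes the audit should catch: ls replaced, setuid file added
        _write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\nexec /bin/ls -a \"$@\"\n", 0o755)
        _write(os.path.join(root, "bin", "sh.bak"), b"#!/bin/sh\nexec /bin/sh\n", 0o4755)
        current = snapshot(root)
        return diff(baseline, current), setuid_files(current)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(offhost, ignore_errors=True)


if __name__ == "__main__":
    changes, suid = demo()
    print(json.dumps(changes, indent=1))
    print("setuid/setgid files:", suid)
```

On a real box, run snapshot() on the fresh install from read-only media, save the baseline elsewhere, and diff against it on a schedule; the demo only shows the mechanics on a throwaway tree.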
just my two cents (Score:1)
Re:Cracking (Score:3)
Um yes.
"Are you willing to convert them into law?"
Yes, I believe "Laws" are what imposing ethics onto people is called.
"Now that's a bullshit argument. If you are dealing with computer security at work, this is your job and how intense it is has nothing to do with posting bugfixes for your project which you do in your spare time. If you tell me all your spare time is taken by cleaning up cracked boxes, I'll tell you that (1) I don't believe you, and (2) you should learn to prioritize your time."
Who said anything about work? I thought this was for his wife or something? And in any case, just because you are PAID to do a job, doesn't mean it is ok for people to burn your time unnecessarily. If I'm preventing somebody from getting real work done, then I *should* be ignored.
"So? An inept clerk at a store is stealing my time."
Well, not really. He, and the store, is providing YOU a service. If you don't like that service go to a different store. If anything, the inept clerk is stealing the company's time by pissing you off.
"A person who stopped me to ask for directions is stealing my time."
Yes. Because you are not mandated to provide that service to him. Are we perhaps getting it now?
"Windows' registry being fucked up steals my time and a lot of it."
Yup, bitch to MS or switch operating systems. Same deal as the inept clerk. You just now have an inept OS.
"IRS steals huge chunks of my time every April."
Ditto. Bitch to government and try to change the situation.
"My point is that engaging in activities has costs, and one of those costs is time. If you are running a publicly-accessible server, time to secure it and deal with vandals is one of the costs."
Of course, but that doesn't make it acceptable for vandals to eat up your time. You have to weigh the benefit of the service against the cost of maintenance. Apparently the service the wife was providing just cost too much in security risk.
"Do you want to live in a society where being caught at portscanning will lead to same results?"
No, but are you saying that cracking into a system (secure or not), and destroying data or using it as a base for DoS attacks is acceptable? I sure as hell hope not. If you do that you *should* be thrown in jail (albeit probably with not so large a sentence as many of the criminals that have been made "examples" of *cough* Mitnick *cough*).
Re:Stallman (Score:1)
Re:Their only mistake... (Score:1)
Reading earlier chapters tells you that they avoided blowing the whistle for as long as they could, in a bid to secure the system before the cracker realised they were discovered. This cracker was on a power trip long before they started talking to him(her?), and he/she was obviously better at *nix than the average script-kiddie (very few kiddies bother writing their own rootkit). If I was that cracker, I'd have probably played dumb for a bit, rather than laying all the aces down so early.
Yes, malicious cracks are usually the work of sad, bored individuals, but I don't think that boosting their esteem will cause them to commit more damage. Usually, damaging the system is de rigueur after discovery, and most malicious crackers have it as part of their post-busted MO. I suspect that asking for a sanctioned set of platforms to continue spoofing and cracking was a stalling tactic while the rm's were being planted. The cracker knew that the system was being locked down, and that they only had one exploit left (statd). This cracker had a good thing going before they were shut down, and wanted to be remembered after they were.
Just my 2 pence....
Re:OT: UID's being shown? (Score:2)
Re:The problem with script kiddies (Score:1)
Just like many warez d00dz argue that their existence is what pushes the demand for increasing bandwidth and computing power, couldn't the cracker argue that A) their existence pushes the demand for increasingly better security models, and B) they keep many network admins employed?
I do tech support, and while I'll never stop complaining about all the users I have to deal with, at the same time I realize that without them, I'd be out of a job.
Running cable/dsl/ethernet from diald (Score:3)
The only truly safe interface is either offline, or disconnected.
Re:Trivial Hardware solution. (Score:2)
Granted, this should prevent any rootkits from finding their way onto the system, but it's not an end-all beat-all, and a malicious cracker could still wipe out all the user directories (as did the guy in this story).
Re:Trivial Hardware solution. (Score:1)
I used to think this was a pretty secure solution until I ran a VB install that wrote on my write-protected disk. Sure, that was WIN31, but it's the same hardware that any other OS could run on.
Just because there's a hardware piece involved doesn't mean that it's really a hardware implementation.
Re:Unix security model flawed (Score:1)
And the black helicopters came and swooped up Elvis and JFK just before the aliens landed in Area 51. But no one knows anything about that because it's all been covered up by the Procter & Gamble corporation because it jacks with their plans to turn the entire world over to a satanic cult. It doesn't matter though because the NSA controls most of the US population through subliminal messages and will put an end to all that mess as soon as the Chinese take over the world.
Jason
www.cyborgworkshop.com [cyborgworkshop.com]
Re:sys admins was at fault (Score:1)
Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.
Re:Cracking (Score:1)
The "attempting" part there worries me, where do you draw the line? I portscan hosts every once in a while, I don't think it's wrong or bad - yes I do it.. hell sometimes I telnet to an open smtp port, and try to fake mail.. is this a bad thing? If someone does the same to me, I don't really care. Is this an attempt to crack into a box?
I also use a portscanner (Ostrosoft internet tools) at work a LOT. I use this to check duplicate IP addresses out (ie - our printers have ftp enabled - no workstations have it enabled, this is a quick check to see if maybe a printer snagged a workstation's IP addy). I also use it when we get a new application on line - new server, hmm, let's see what's open. I've used a service account to retrieve a passwd file - it wasn't shadowed, cracked it, never touched the accounts. I used this same service account to retrieve the default shell script that runs on login for the account (we don't get a shell prompt) and see what it does. There are unix machines we access to reset passwords, supposed to type a command to get the shell script to walk us through it, I poke around the directories of those servers. We use Reflection X to access a different application, I open an xterm and poke around there. Never once have I caused a system problem, nor have I ever done anything to change the default behaviours.
Are these cracking attempts?
Re:Turn it all off! (Score:1)
Why don't RedHat (and MicroSoft) ship these things with everything turned off? The box should be unable to respond to any command from the outside world.
I am serious. People are willing to follow directions to mess with config files in order to get something they need turned on. Why? Because it is intuitively obvious when they need to turn something on (because something they want to do does not work) and it is intuitively obvious when they have succeeded (because that thing is now working). Also, they need to do this to get the box to work the way they want.
But turning something off, knowing that they need to turn it off, and confirming it is off, are all much more difficult and opaque, even if the instructions are no more complicated. And the complex instructions are likely to make them give up, even if they ever attempt it, because the box "works" without doing this.
Re:wrong message (Score:1)
Besides, it's so much easier to write a trojan that uses the e-mail program or the paperclip "assistant" to foul the network or erase the drive.
I know, I know, you specifically mentioned the server OSes, but I couldn't resist.
Re:just my two cents (Score:2)
Out of curiosity, what do your comments have to do with this story? This is a story about a cracker who had compromised several of their machines, were using them to launch attacks and gain access to who knows how many other systems, and ultimately ended up doing an 'rm -rf
Granted, this guy Noel made some mistakes and had some unfounded assumptions, and paid dearly for them. (The moral I learned from this story? Don't bother trying to communicate with the person who cracked your system; just secure and/or rebuild your systems and plug the holes that they got in before.)
But your comments about "oh, some people are poking around because they're curious and don't mean any harm" just don't apply to this situation. As someone else said, if you want to learn how systems work, buy a PC, install Linux (or the *BSD of your choice) on it and use that for testing. If you meddle around in machines that you don't have legitimate access to, you deserve whatever punishment you get.
Jay (=
Re:Cracking (Score:1)
I think that cracking should be illegal full stop (but this would be hard to police across the world). I also think there should be laws against attempting to crack someone's box, even if it is for curiosity.
Analogy Alert!!!!!
Think about it: you leave your car in the street. Someone comes along and thinks, "I might be able to break into that. Even though I don't want to rob his wallet or the radio, let's give it a try... No, can't pick the lock, but I can put this brick through his window". You later come back to your car, you see that someone has tried to get in, and the first thing you do is worry and check everything is OK.
This is the same thing the sys admin will do, he will check his logs, see that someone has attempted to break into his system, he/she will then have to do a lot of checks to make sure that no harm has been done, even if the person was just curious. The cracker has then essentially caused enough trouble, because they have wasted the admin's time in forcing them to do the checks, possibly causing disruption to the end user.
Hope I have made my point clear.
Paul Kinlan
-
Re:Cracking (Score:1)
There is an incomplete list on this site [happyhacker.org]
Looking for a carreer in security. (Score:1)
I've seen how lax many major organisations are when it comes to security (hey, we'll install a firewall, that will fix it), having worked with some sites that were a nightmare. Getting some customers to install critical patches was impossible until we refused to take any more telephone calls until they planned an upgrade.
Unfortunately, there's not much scope in the security field at my current place of work (too much NT). Anyone with any ideas on how to progress - BTW I'm based in Yorkshire, England.
Re:Cracking (Score:2)
I understand your position but I do have a question.. When your sister's Linux box was cracked the first time I presume you helped her make sure that it was operating a "default deny" type of access control - that the system wasn't running services she didn't need etc - did the cracker get in the second time by exploiting an unpatched hole in one of the services she did need or by a back door you'd missed in the first cleanup? If everything needed was patched to current and everything else was closed off then you were right to tell her to pull the plug - if not then perhaps it was the wrong advice and helping her fix the underlying problem would have been more appropriate.
Other than that I have to agree with you on every point.
Interesting even for newbies (Score:1)
-ryry
Re:Cracking (Score:2)
Three years without a remote hole in the default install! Two years without a localhost hole in the default install!
.sigs are dumb!
Re:It's only the beginning.. (Score:2)
file level? system-wide? more like linux (BSD, NT, QNX, ad infinitum)?
Rami James
Guy that's curious
--
31337 ~= ELEED (Score:2)
From dictionary.com [dictionary.com] and acronym finder [acronymfinder.com].
(I REALLY should get back to work.)
Rami James
Guy with too much work
--
Re:'1337 5P34K (Score:2)
1. Shorthand for concepts. I mean, we could say "someone who enjoys figuring out how things work, or is a good coder or adept at coming up with solutions to problems," but we say "hacker" instead.
2. Differentiation from the masses. To geeks phrases like "I don't have the bandwidth to read fiction these days" or "How should I know how to put the swingset together? RTFM" make sense, but to the outsider they can be as unintelligible as Cockney slang. (Misuse of jargon is also a red flag that someone doesn't belong, or is trying too hard to fit in.)
So 31337 5P34k is both of the above for the script kiddie. However, in this case, there's a third dimension to it -- marking someone as a sad, pathetic individual who thinks that being able to read and write a simple substitution cipher and click a couple of buttons in a pre-built dialog box is a substitute for technical mastery of a computer and its operating system.
--
wrong message (Score:1)
When to pull the plug? (Score:2)
I don't understand what Noel was thinking. The first thing to do when you are cracked is _not_ to leave your system open! He should have disconnected from the net (perhaps leaving a secured mail box running), and immediately backed up the home directories. He should have _verified_ the backups. Since the only irreplaceable data on a well-maintained unix system is in the home directories, it should be trivial to back it up properly.
I can only assume that you haven't read the whole series. The system Noel works on is a heavily used collection of machines needed round the clock. While attempts to assess the damage were done early, the major cleanup (and securing) of the machines was done during a relocation, including backups - sometimes even though you have been cracked, you have to sit on your hands a little while you work out how to fix it. In an environment where lots of people need those machines for real work, pulling the plug on everybody is not going to make you friends and may leave you with a Cracker who knows that he/she/it has been spotted. That might (as Noel feared) bring about damaging action sooner rather than later.
This brings up several interesting problems though for a network sysadm. Just when is the situation so serious that you have to disconnect and stop everyone else working? In a software company, losing the servers is a massively expensive problem - you effectively stop 90% of the possible work straight away, and you are going to have a large workforce twiddling their thumbs while the system is off-line. If this downtime is repeated or extended, the sheer number of working hours lost for a workforce of 1000 people can get very pricey very quickly.
Assuming that your backups are up to date, you can to a certain extent run the risk of 'rm -rf /' and only lose at worst a day's work. From the system admin's perspective, things only get really bad when you are being used as the launch platform for the next attack. At that point, even finding a sniffer could be sufficient reason to pull the plug, and finding a Trinoo or TFN master server or client would definitely be time to consider that disconnection.
Cheers,
Toby Haynes
Re:My own story... (Score:1)
Re:wrong message (Score:1)
Re:It's only the beginning.. (Score:1)
Re:wrong message (Score:1)
I think it is because when a WinNT or Win00 box is hacked (don't let anyone tell you they aren't being hacked) the box crashes, and is then reinstalled. *nix boxes have extensive logging right from the moment you start the install process, so you have a way to find out what happened.
Re:Turn it all off! (Score:1)
This is also part (a big part) of why people will claim that OpenBSD is difficult to install and use. If you want 'dangerous' third-party software and services, you have to actively choose to install them.
Re:Trivial Hardware solution. (Score:1)
Re:Interesting even for newbies (Score:1)
How do you set/unset the setuid bit? Is it something that's compiled in, or a mode you can (un)set as a superuser?
For all of the information I can find on the internet for Linux, there seem to be some interesting holes...
Jay (=
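The answer to Jay's question, as an added example that is not part of the thread: the setuid bit is a mode bit stored on the file, not something compiled into the program. The file's owner or root sets and clears it with chmod, and the kernel honours it at exec time (unless the filesystem is mounted nosuid). On Linux the kernel also strips it when the file is modified by a process without CAP_FSETID. The scratch script below is constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): setting, clearing and auditing the
# setuid bit on a file with standard tools. Function names are assumptions.
set -u

# Constructed scratch "program" to experiment on; not a real setuid binary.
make_scratch() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\necho hello\n' > "$f"
    chmod 0755 "$f"
    printf '%s\n' "$f"
}

# 0 if the setuid bit is set on $1, 1 otherwise (POSIX test -u).
has_setuid()   { [ -u "$1" ]; }
set_setuid()   { chmod u+s "$1"; }
clear_setuid() { chmod u-s "$1"; }

# Symbolic mode string as ls shows it: an 's' in the owner-execute slot
# means setuid; an uppercase 'S' means setuid set without execute, which
# the kernel never uses and is a sign of a mistake.
mode_string() { ls -ld "$1" | awk '{ print $1 }'; }

# Audit: list regular files under $1 carrying setuid (4000) or setgid (2000).
# Run this against a baseline after a break-in; rootkits commonly drop a
# setuid shell somewhere unexpected.
find_setuid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null; }

# Usage (interactive):
#   f=$(make_scratch); set_setuid "$f"; mode_string "$f"; clear_setuid "$f"; rm -f "$f"
#   find_setuid /usr > /root/setuid.baseline
```

The audit function is the part worth keeping: diffing its output against a baseline taken at install time is a cheap way to spot a planted setuid binary without trusting the (possibly trojaned) ls on the box.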
Re:Unix security model flawed (Score:1)
90% of unix sysadmin is accidentally arcane, and nobody has ever bothered to fix it because it has indirectly brought about profitable support contracts and the job security and loyalty of sysadmins (who incidentally tie up their mastery of Unix with their personal self-worth).
Translation (Score:2)
Translation into k1dd13 sp33k: "C'mon, I dare you to rm -rf me!"
The mistake? Talking to him at all.
Re:The problem with script kiddies (Score:2)
These kiddies are not pushing the limits of security: more often than not, they merely write (or leech) scripts that exploit weaknesses that are publicly known. Perhaps one might conclude that this encourages admins to download the latest security patches, but it is very rare to see a script-kiddie-induced attack trigger a major security breach.
Network admins will always be necessary, if only to meet the demands of constantly upgrading software and dealing with user and technical problems. (Some programs break without any script intervention, thank you very much.) Script kiddies keep network admins frustrated and angry, something I think we can all live without.
hoW t0 be aN El1te hAcker (Score:1)
Ah, there it is.... [unc.edu]
Enjoy. And use your powers wisely.
w/m
Poor sysadmin in the first place.... (Score:2)
Re:hoW t0 be aN El1te hAcker (Score:1)
I repeat, I am not an elite hacker. I'm simply an extinct mammal. Wait, that's even cooler. Hmm...
w/m
Re:Cracking (Score:1)
Deja vu? (Score:1)
Cracking (Score:3)
What? (Score:2)
Re:Cracking (Score:5)
Their only mistake... (Score:4)
It's just like I tell people who are being stalked online, NEVER talk to the person, just ignore them. If you ignore them, they don't know what effect their actions are having on you, and whether they are succeeding in pushing your buttons or not.
This isn't a substitute for securing your own systems, of course.
Breaking windows helps the glass industry? Doh. (Score:2)
You will in fact be spending more resources on just repairing stuff.
Would you prefer to have a stupendously huge window making industry, or rather have lots more people/industries doing fun and useful stuff?
Yes, most glass windows are insecure, but people have got better things to do than ensure that all their windows are vandalproof.
If your windows get broken regularly it means your neighbourhood is going down the drain, not that you are a poor houseowner.
If I do come across an insecure system (I've seen many), I don't break stuff. I notify the owner, sometimes show them how it's done and how to fix things and perhaps how to better do things.
I believe that's the difference between being a good neighbour and a vandal.
But one must be aware that there is a danger of being prosecuted for trespassing if you try to change stuff.
There's a difference between seeing a door is open (through legitimate access), and walking down the footpath and actually shutting the door without the owner's permission. If you know the owner, then you could get away with that.
But if you are strangers it is best to just notify the owner ("Anyone home?" "Your door's unlocked"), or the landlord/police. If not, touchy people could prosecute you. Heh, not nice to lock someone out of their own house too.
In this day and age it is more and more evident that we are all neighbours. Most of us here are just seconds away from each other at most.
I suppose living in a nice friendly village is out of the question but do we want to live in a War Zone? I suppose we can put up with a few nosey neighbours, but I don't think we should tolerate vandals going around burning down houses and kicking doors in. It's too late to say "no need for better security", but it's not too late to say : Vandalism is wrong, and we will not tolerate it.
Remember: first it's vandalism. Then it often goes on to theft, robbery or worse.
Cheerio,
Link.
Re:hoW t0 be aN El1te hAcker (Score:2)
(Note: This was a few years back on UK BBS's. The broken shift key-ism just seemed to stick.......)
Re:Cracking (Score:2)
Call a friend with a big black car and have him come park behind them and pretend he's talking on a handset.
--
Re:Cracking (Score:2)
The simple fact of the matter is that other people wasted his time by snooping around property that wasn't theirs. He wasn't railing against the laws of physics, so having "reality" shoved in his face is pointless.
There is always someone smarter, who knows more or has a better exploit -- saying that it's simply "reality" that they will break into your system and waste your time unless you spend 24 hours a day securing your personal web server is at best offensive and at worst actively destructive to our society.
Take some damn responsibility -- if you're cracking a system you're being an asshole and wasting other people's time and property. Reality has jack to do with it, and we shouldn't have to unplug our computers to satisfy your elitist view of who should and shouldn't be "allowed" to connect to the internet.
The poster's original point was that there is no such thing as "harmless" hacking when it involves someone else's system. Even if he'd been totally secured, you still waste his time and network resources with vain attempts, and if you do succeed you waste even more...
I'm an investigator. I followed a trail there.
Q. Tell me what the trail was.
Unix security model flawed (Score:3)
This model needs to be rethought from the ground up - perhaps retaining some of what exists but scrapping most of it because it is indeed worthless. In my opinion, 90% of unix sysadmin is intentionally arcane for the job security of sysadmins. The so-called "elite club" of unix sysadmins resembles more than anything the "tech men" in Asimov's Foundation. They understand little and innovate not at all, but carry on a tradition of maintaining their own power and restricting access to this arcane mumbo-jumbo among others.
Some things like the method of authenticating users with passwords, the uselessness of keeping unix systems built around a core of remote shell account logins which 99% of users never employ, though they once did in the old telenet days, etc., and the list goes on. Sendmail is a prime example of a program which has been patched and patched beyond recognition, and each patch or fix or enhancement is likely to create new exploits and bugs which don't show up until later. Why is sendmail the default even on single user boxes for home users? I think it is to create work for sysadmins who have "learned the ropes" and thereby justify their positions to employers and/or to clients for whom they do consulting work.
While I do not particularly care for the methods and lifestyles of crackers and script kiddies who contribute little of value to the community, at least they contribute one thing. They usually can beat sysadmins at their own game with ease and even without much knowledge or skill.
If the unix security model and other aspects of unix system administration were really well designed, much of what sysadmins do would be unnecessary. It is a crying shame that Linux and other open source systems mimic the flawed model of commercial unix instead of doing really innovative things to change it. Well, they have done a few things, but progress seems to move at a snail's pace.
Perhaps I have been overly critical. Some sysadmins are very knowledgeable and do care about meeting the needs of their users. But even these don't seem to be doing much to change the entire nature of unix system administration, which requires active efforts to work with those who develop systems, not just patching this or that vulnerability in the systems they administer personally.
I am sure some people have thought hard about this and come up with ways to modify unix at a deeper level to make it more robust and sleek and easier to administer as well. Have specific suggestions for change in the unix standard arising from such studies ever been taken seriously?
Re:Cracking (Score:2)
After that, I did what I could to clean house, and am pretty sure I found everything, and removed all back doors. The system was clean for a month or two, and used
Then we got a serious crack by some sort of pro. To this day, I have no idea how they got in, and we only spotted them because their rootkit was defective (and ls -l showed
I told her to pull the plug until I set up a firewall for her. It is hard enough to set up a secure firewall, much less try and set up a full secure server. I said pull the plug because it was eating too much of our time.
I would much rather have spent all the time devoted to the whole thing developing open source software, but until I can secure my systems effectively, everything else is on hold.
Bill
Re:Cracking (Score:5)
Invasion is invasion. Perhaps he could have worked a little more proactively at security (no numbers, so I don't think anybody should make presumptions), but even if he didn't, that doesn't give anybody the right or excuse to crack the system.
"If you don't know how, then what business do you have putting systems on the Internet anyway?"
This is disturbing, I consider it akin to stating to a rape victim "You were wearing sexy clothes, so you were asking for it."
Yes, people should take adequate precautions when exposing a system to any sort of connectivity, but hacking/cracking is still an unwanted invasion.
There still seems to be an underlying acceptance of hacking for curiosity with the geek community. I think this is partly the problem with the lack of success in tracking and prosecuting hackers/crackers. Until it is truly accepted that any attempted breakin should be punished, the situation will likely not improve. As an analogy, most of the locks on doors and windows in my last few apartments have been shit. Fortunately, I have not had to install the latest and greatest dead-bolts, because B&E is actually recognized as a crime by all parties. Nobody blames the victim of a B&E and says "Well, if you don't know how to install a 6" Deadbolt, you have no business living in an apartment..."
sys admins was at fault (Score:2)
First he did not have adequate backups. While I know that this happens at many sites, I personally have backups of my home system. At most I'd have to reinstall, but most of my config files I back up often enough that reconfiguring my system would be at most a few hours. Granted I have one system, and he has many, but that being the case is just more of a reason to make sure that you have adequate backups of your system.
Second, why did he talk to the hacker in the first place? He should have just started going through machine by machine, making sure that they were secure. Checking ALL of the software and looking to see what he was using that may have exploits. Yes, a good place to go to find this info is on the net as the hacker said, but that is probably where the hacker went to find this out.
Thirdly the sys admins should have been rebuilding and updating their system when they first found out they had been hacked. Box by box.
Lastly if they did not catch this hacker and lock him away, I am sure that they have not heard the last of him, and if they are not careful they are going to get hacked again.
send flames > /dev/null
Trivial Hardware solution. (Score:5)
Hugh's systems are all built with at least two drives. The boot volume is read-only. (I don't mean it's mounted read-only, I mean it's READ ONLY. After installing the OS, he pulls the write-protect jumper.)
Right now, the machines that the FreeS/WAN project is hosted on are configured with a very clever device: it's a toggle switch. In one position, the boot volume is R/W. In the *other* position, the ethernet connection is live.
A big part of the problem in trying to secure UNIX is that we keep trying to solve issues in the wrong domain.
-jcr
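A software-side check to go with the hardware trick above, as an added example that is not part of the thread or of the FreeS/WAN project: a write-protect jumper is invisible to the kernel until a write actually fails, so a box that is supposed to have a read-only boot volume should be checked both ways, by reading the mount table and by attempting a write. The mount-table lines used in testing are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a volume really is
# read-only. Both the mount-option check and the write probe are needed;
# a jumper-protected drive can still be listed "rw" in the mount table.
set -u

# Read /proc/mounts-format lines on stdin and print the mount points whose
# option list contains the exact option "ro". A naive `grep ro` would also
# match options such as "rootcontext=..." or "errors=remount-ro".
ro_mounts() {
    awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") { print $2; break }
    }'
}

# is_ro_listed MOUNTPOINT [MOUNTTABLE]: 0 if the kernel lists it read-only.
# MOUNTTABLE defaults to /proc/mounts (Linux; an assumption of this example).
is_ro_listed() {
    ro_mounts < "${2:-/proc/mounts}" | grep -Fxq "$1"
}

# write_refused DIR: try to create a file under DIR. Return 0 if the write
# is refused (read-only media, ro mount, or no permission), 1 if it worked.
# This is the check that catches a hardware write-protect the kernel does
# not know about; the probe file is removed again when the write succeeds.
write_refused() {
    probe="$1/.wp-probe.$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 1
    fi
    return 0
}

# check_readonly DIR: 0 only if DIR is both listed ro and actually refuses writes.
check_readonly() {
    is_ro_listed "$1" && write_refused "$1"
}

# Usage (interactive):
#   check_readonly / && echo "boot volume is read-only" || echo "WRITABLE"
```

Run the combined check from a cron job or at boot: a root volume that passes the mount-table test but accepts the write probe means someone remounted it read-write (or flipped the switch) and the box should be treated as suspect until explained.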
What was the sysadmin thinking?? (Score:3)
Only when a complete, verified backup has been made should he reconnect to the net (after cleaning up the cracks). The mere fact that he didn't check the backups first, when data hadn't been deleted, makes him liable for the damage. Quite simply, he didn't take obvious and common-sense measures to ensure his customer's data integrity.
Am I wrong here?
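What "a complete, verified backup" looks like in practice, as an added example that is not part of the thread and not the procedure Noel's site used: back up the home directories, then prove the archive restores to exactly what was backed up by comparing a checksum manifest of the restored tree against one taken at backup time. The sample home directories used in testing are constructed; the function names and the use of sha256sum (with shasum as a fallback) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): make a backup of a directory tree and
# verify it by restoring and comparing a checksum manifest.
set -u

# Print "sha256  ./relative/path" for one file, using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Manifest of every regular file under $1, sorted so that two manifests of
# the same tree compare byte-for-byte.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done )
}

# backup_dir SRC ARCHIVE MANIFEST: write the manifest first, then the tarball.
# Store the manifest somewhere the cracked host cannot reach; an attacker who
# can edit the manifest can make a doctored archive "verify".
backup_dir() {
    manifest "$1" > "$3" || return 1
    tar -cf "$2" -C "$1" .
}

# verify_backup ARCHIVE MANIFEST: restore into a scratch directory and demand
# that the restored tree hashes to exactly the manifest. Missing, extra and
# altered files all fail. Return 0 only if the archive restores correctly.
verify_backup() {
    tmp=$(mktemp -d) || return 1
    if tar -xf "$1" -C "$tmp" 2>/dev/null && manifest "$tmp" | cmp -s - "$2"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (interactive):
#   backup_dir /home /mnt/tape/home.tar /mnt/tape/home.manifest
#   verify_backup /mnt/tape/home.tar /mnt/tape/home.manifest && echo verified
```

The caveat a practitioner wants: this proves the backup matches what was on disk at backup time, not that what was on disk was clean. On an already-cracked box the archive faithfully preserves the rootkit and any trojaned dotfiles, so restore home directories from it, not system binaries, and review authorized_keys and shell startup files before putting them back.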
Re:Trivial Hardware solution. (Score:2)
A big part of the problem in trying to secure UNIX is that we keep trying to solve issues in the wrong domain.
Dang, ain't that true? If a fraction of the energy devoted to overclocking / fps / video hardware & driver issues by the community was devoted instead to hardware-based solutions to security problems, a lot of the software problems might be a lot easier. Cool.
WWJD -- What Would Jimi Do?
What's the point? (Score:2)
Backups that weren't backing everything up? And the admin wasn't aware?
Dissimilar tape drives? Donated tape drives?
Must not be a very serious business..
Re:Number are not letters! (Score:4)
They're obviously demonstrating the amount of redundancy in our alphabet and numeric system by showing just how few characters you can use whilst still remaining intelligible (just!). Rather than being "childish" they are in fact demonstrating a deep and intuitive understanding of information theory and entropy, one which we, as forward thinking people, should admire and indeed emulate!
Or maybe not :)
---
Jon E. Erikson
Re:OT: UID's being shown? (Score:2)
I noticed this earlier. Is it perhaps a precursor to a feature that will allow filtering out of comments with a UID above a specific number(eg 50000)? Could be interesting...
So because some of us lurked for a lot longer before signing up for an account, we're somehow less qualified to comment than someone who signed up for account number 2 but does nothing with it but troll?
interesting logic going on there...
kid, but not a script kid. Re:script kiddie... (Score:2)
IF you liked this, I suggest 'Know your enemy' (Score:3)
Included are useful details from somebody who could secure his machines to keep out the script kiddies, but instead chose to leave a few otherwise-unused machines undefended and log the results.
Re:wrong message (Score:5)
The main reason why UNIX-like systems are featured in stories like this is because there's an element of suspense as the cracker types many commands, and the superuser can look at every move he makes. Even NT's Event Logger doesn't catch every damaging command, and from the exploits I've seen it's possible to take down a poorly safeguarded NT box without even logging into it.
The scene of watching and dealing with a cracker is good drama, at least to Slashdot-reading geeks like myself.
Re:What's the point? (Score:2)
I still don't blame the sysadmin. Sure, he could have done a better job, but that's sort of like telling a victim of a mugging "Hey, it's your fault because you coulda learned karate."
Let's not absolve the cracker of his obvious guilt by "blaming" the sysadmin.
Re:Did you read the entire series? (Score:2)
I can only plead inexperience and that I was a part time volunteer with a real job and a family.
In hindsight I see many things I should have done differently.
Noel
RootPrompt.org -- Nothing but Unix [rootprompt.org]
complete? (Score:2)
soap storyline (Score:2)
'1337 5P34K (Score:5)
It's only the beginning.. (Score:2)
I don't know if EROS will ever become mainstream, but its capability model sure looks interesting.