Honeynet Project: Blackhat Attack Stats
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper, Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.""
Re:DAMN! (Score:1)
Ok, that's good. Using the scientific method.
A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
BULLSHIT. The Redhat server gets tested default install, out of the box. For the Win98 PC, they perform a default install and then, "oh, let's turn on file sharing, because that's what every newbie user does when they set up Win98". NOT. File sharing is NOT enabled out of the box on Win98. You might as well say "Well, let's take this FreeBSD default install, and we'll set the root password to 'password', and then we'll change the prompt info for all the daemons to say enter 'root' for username and 'password' for password you l33t h4XX0r!! yes, let's do that and see how long the box survives."
This is what we call a double standard. However, they can't say that the NT box was 0wn3d, and they didn't even try Win2k's grip (it's a bad mother fucker).
Blackhats or S'kiddies? (Score:1)
Enlighten me, s'il-vous-plait...
Re:Distros (Score:1)
I look forward to receiving sunrpc scans from your machines.
Big Deal (Score:3)
So what? Nearly all
OpenBSD does a LOT better (Score:4)
Result: 0 breakins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.
Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.
I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.
I must just get the dumb hackers (Score:2)
Our NT IIS servers were hit 0-2 times.
Duh!
Red Hat 6.2 (basic install lockdown) (Score:2)
As a general rule:
run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)
Comment out everything in the
Have nmap [insecure.org] on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.
There is no way I can give you enough advice on how to secure a machine on a simple
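As an added example (not code from the thread, from the Honeynet Project or from Red Hat), here is the same "only 22 and 113 should be open" check done from inside the box instead of with nmap: it parses the output of netstat -tuln (Linux format) and flags every listener that is reachable from the network and not on the allowlist of tcp/22 and tcp/113 the post gives. A service bound only to 127.0.0.1 is reported separately, since it can be reached from the host itself but not from the wire. The netstat output embedded in the script is constructed for the example, and the port allowlist is an assumption taken from the post.

```python
"""Compare a host's listening sockets against an allowlist.

Added example, not from the thread or any distribution. The embedded
SAMPLE is constructed netstat -tuln output for a stock-looking install;
ALLOWED (tcp/22 and tcp/113) is the set the post above says should remain.
Run against a live Linux box with:   netstat -tuln | python3 check_listeners.py
"""
import re
import sys

# Ports the post considers acceptable after lockdown: SSH and ident.
ALLOWED = {("tcp", 22), ("tcp", 113)}

# Constructed sample of `netstat -tuln` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""

# proto, recv-q, send-q, local address:port; header lines do not match.
LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text):
    """Yield (proto, bind_address, port) for each socket line in netstat output."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def is_loopback(addr):
    """True for sockets bound only to the loopback interface."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def classify(text, allowed=ALLOWED):
    """Split listeners into three lists: exposed and allowed, exposed and
    unexpected, and loopback-only (reachable locally, not from the network)."""
    exposed_ok, exposed_bad, local_only = [], [], []
    for proto, addr, port in parse_listeners(text):
        entry = (proto, port)
        if is_loopback(addr):
            local_only.append(entry)
        elif entry in allowed:
            exposed_ok.append(entry)
        else:
            exposed_bad.append(entry)
    return exposed_ok, exposed_bad, local_only


def report(text, allowed=ALLOWED):
    """Print a verdict per listener; return True only if nothing unexpected is exposed."""
    ok, bad, local = classify(text, allowed)
    for proto, port in local:
        print(f"loopback only:       {proto}/{port} (not reachable from the network)")
    for proto, port in ok:
        print(f"exposed, allowed:    {proto}/{port}")
    for proto, port in bad:
        print(f"EXPOSED, NOT ALLOWED: {proto}/{port} -> disable the service or firewall it")
    return not bad


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.exit(0 if report(data) else 1)
```

On the constructed sample the script accepts tcp/22 and tcp/113, treats the loopback-bound tcp/25 as harmless, and flags portmap (tcp and udp 111), ftp (tcp/21) and syslog (udp/514) as exposed services that should be turned off; the non-zero exit status makes it usable as a gate in a build or install script.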
Re:Wow! (Score:2)
It is true. I witnessed the very same happen to a Red Hat 6.2 machine in 10 min. The next fastest I saw was 4 hours. I have 20 Rh machines now, and when I first started with them I did not know how to secure them properly.
I found out just how fast someone could "own" them.
I agree, the services should be OFF by default, just like Open BSD. Maybe the powers that be will listen one day.
For now, I install on a non-networked machine, install the patches off CD, and secure the machine before attaching a network cable.
Re:Distros (Score:5)
Some ideas:
The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.
A statistical analysis I would like to see (Score:4)
I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
Re:think (Score:2)
a) stay uptodate - apply patches like there's no yesterday
b) use an IDS like snort
c) run logchecker and AIDE
d) use libsafe around net-listening daemons.
Then you'll be in the right league; whenever you get emails off these you're expected to *read* them, too.
Me, I'm getting portmapper, FTP and DNS in approximately that order; I've also had quite a few telnet scans following the recent vulnerability in telnetd as well.
~Tim
Re:Distros (Score:2)
So here's a hint, learn how to use your OS before you put it on the Internet. If you're a linux fan, figure out IPTables and implement it. If you're into BSD or Solaris, use IPF and really learn it. Download the security updates for your system and apply them before you put it on the Internet. Air gap security is the best time. When you're done with your box, you should only be running a late version of (Open)SSH and whatever services you explicitly want people to connect to. Inetd should be turned off, for the most part. Unfortunately, system security is not easy. This is why it pays to be a script kiddie. They don't have to know how something works, they just need to use a script against as many boxes as possible until they find a weak one.
Re:Are Black Hats incredibly nice? (Score:5)
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he compromises, but I can tell you for sure, no part of his activities can be attributed to "good will".
-Restil
Re:Distros (Score:2)
Mandrake now ships with Bastille.
Re:A philosophical question (Score:2)
This is explained in the main paper:
http://project.honeynet.org/papers/honeynet/ [honeynet.org]
To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever...
Re:Wow! (Score:2)
Mandrake 8.0 ships like that. It even warns you before installing about what services are running.
And, I've found the firewall to be tighter than gnat-booty.
I think their numbers are flawed (Score:1)
They say they don't try to determine unique attackers but that is just because they can't, not because they shouldn't.
John
Re:Wow! (Score:2)
Look, the statistics are for a default install of Red Hat 6.2, which is about 1.5 years old now, but is still pretty secure if you perform the "desktop" install and then apply all of the updates.
If you install 7.1, and then all of the (many fewer than 6.2) updates, it's even more secure owing to: 1) Red Hat 7.1 ships with an ipchains configuration 2) xinetd allows finer grain control over many of the less secure services, should you wish to turn them on.
Red Hat is not the world's most secure OS, but let's be fair and admit that they do an excellent job of staying on top of what's out there, and providing updates to their customers. It's relatively easy to be an OpenBSD and say "our OS is secure as long as you don't install a web server", but companies like Red Hat are actually trying to solve the hard problem of general-purpose, secure operating systems and server software. If, after over a year of everyone beating on it, exploits are found in the default, unpatched version of their OS, I can live with that, as long as they have addressed the problems.
Aaron Sherman (ajs@ajs.com)
I am trying to figure out... (Score:2)
I currently run FreeSco on my homebrew firewall, which is a simple NAT affair. It seems to run well, but sometimes I tend to wonder if it (and associated connected systems) might get rooted.
I check the logs on occasion - but I am not a grand admin - so while I can tell from the logs when a portscan for 138/139 is occurring (SMB) - other possible probes would elude me.
Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?
If not, what would the statistics have looked like if it was?
Worldcom [worldcom.com] - Generation Duh!
So... (Score:2)
"If you run a system without a firewall and it is hooked up to the internet, be prepared to be cracked at some point, sooner rather than later."
All I have to say about this is "Duh!".
Actually, learning the techniques and tools used could be helpful - I will give it that much.
Re:Distros (Score:1)
Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, its a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter
ipchains -F
service ipchains save
One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.
It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other.
Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script.
Steve Jackson
Re:Distros (Score:3)
o Snort appears to be the defacto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.
o No. I don't know of an easy way. I think it's pretty hard.
o What's the point?
The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.
The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.
How you can be 0w3nd in 15 minutes... (Score:2)
hallo 192.168.1.1, how 'bout a nice juicy apple?
Re:Yeah, whatever (Score:2)
But that was the point of their experiment. I'll bet you dollars to dimes that the number of computer users who throw out-of-the-box machines up on a network far outnumber the users who secure their boxes before putting them in public reach.
It's true that having all these machines on the same network can cause inflation of their numbers. If I were a script kiddie and discovered a variety of machines with a default installation on a network, you can bet I'd have a post-it note on my computer with that network's address. The Honeynet Project looks far from being truly scientific, but it provides a view of the worst-case scenario.
Re:Nice work - anyone like to automate it?? (Score:2)
You've obviously not tried RedHat 7.1 then (I forget if it was in 7.0 or not). Very slick installer, and on the way it asks you what kind of firewall you want "secure, medium, none", and has an option for specifying rules by hand if you know what you're doing. Exactly what you want. :)
Of course, that's not the only thing that needs doing, and RedHat has come under fire in the past about services running by default etc. IME they take this very seriously and continue to improve all the time. Part of the problem is newbies who get RedHat, cos that's what they've heard of, do a full install (which yes, does install everything - including all those daemons), don't bother keeping up to date with patches (which is now very easy to do with RedHat's up2date agent), and then get rooted. Hopefully with the way things are going this won't be so much of a problem.
Re:WOW (Score:1)
Food for thought.
Re:Wow! (Score:2)
Trustix does this. Or at least with very few (and securely configured) services by default.
Re:Distros (Score:1)
I would suggest using Snort (http://www.snort.org). It is not very hard to setup and the footprint on the box is pretty light weight. Also the user community around Snort is very responsive, there is a mailing list that is heavy traffic but good answers to questions can be found there (http://lists.sourceforge.net/mailman/listinfo/sn
As for a distro that has security built in? There is always OpenBSD (http://www.openbsd.com). Also Linux-Mandrake contains Bastille (http://www.bastille-linux.org/) which is a Linux hardening script.
Yeah, whatever (Score:4)
A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.
Re:Distros (Score:2)
http://www.bastille-linux.org/ [bastille-linux.org]
Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.
Re:Fascinating paper - blackhat determination is.. (Score:1)
But Slashdot is mainstream media ... oh, sorry ... you must have meant MSNBC [msnbc.com].
Re:Nice work - anyone like to automate it?? (Score:2)
Or if you are really concerned about security install OpenBSD.
FAQ No. 5 (Score:3)
To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).
-Renard
Re:Are Black Hats incredibly nice? (Score:1)
A co-worker of mine discovered earlier this year that his Red Hat workstation had been rooted. They had taken over an infrequently used user-level account and were using it to run an IRC server with which to coordinate automated DDOS attacks. So his machine wasn't seeing a whole lot of traffic, nor was it, itself, damaged, but it was being used to cause a lot of trouble for other people.
Interestingly, also, apparently some kernel patches had been applied, because commands like "top", "ps -ef", and "ls /proc" did not show the IRC server process, which nevertheless was there if you knew very specifically what to look for.
Re:Nice work - anyone like to automate it?? (Score:1)
why is it that the program/application cannot open the port when it is ran and then close the port when i kill the program???
Re:Distros (Score:3)
Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.
Re:Distros (Score:1)
You're also a damn fool if you run public services that aren't nice and cozy between two firewalls in a DMZ. You can't stop all attacks, but you don't have to spread your legs and beg for one either.
Derek
Note the ulterior motive of the project: (Score:2)
Although I'm probably going to clean my unprotected RedHat 6.2 box before I connect it to the 'net again.
Re:I am trying to figure out... (Score:2)
It didn't say, but I doubt it...even the really cheap firewall/routers block all incoming traffic by default. Blocking everything would pretty much defeat the purpose of having a honeynet (to learn from getting cracked).
Re:Nice work - anyone like to automate it?? (Score:5)
In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.
Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.
Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.
As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.
Re:Nice work - anyone like to automate it?? (Score:2)
I heard the other day that no powered-down Windows NT system has ever been remotely compromised. That's almost as impressive.
Re:Wow! (Score:3)
Of course, it is not Linux, but there is always OpenBSD [openbsd.org]. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.
Educational, if nothing else.
Re:owned during install (Score:2)
Unless things've radically changed since when I installed RH 6.1, the answer is no. You're running off a barebones system that has the software required to do the install and very little else.
If you're paranoid (which that 15 minute figure implies that you should be), you can force the first boot session of the new Redhat system to be at a runlevel that doesn't start up networking. Then you can leisurely edit config files so that no services get started. Kick the machine into a regular runlevel, download the patches, apply them, and then carefully reenable services that you really, really need.
I will admit that it's not the easiest solution, but it should work (barring a remotely exploitable networking bug in the kernel or client software), and it doesn't require a firewall.
Re:Results that prove (Score:3)
If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.
Re: Corrected URL for Linux Summer, Justin Cheung (Score:2)
Linux Summer, by Justin Cheung [ocamd.com]
I'll post some more info about Linux security over at http://www.ocamd.com/articles [ocamd.com]
Re:Correlation with bugtraq (Score:2)
It's true - the best, most original hackers probably read BugTraq religiously, looking for possible avenues to exploit. The best security admins are also looking at it (ex-hackers?). Within a day of posting, the experts know about possible exploits.
In a short while, the expert hackers could use this information to break into vulnerable systems. It would be nice to say that all systems vendors are now patching their systems, but it depends on the system...
Within weeks, others are automating the bug detection - either for the purposes of security (detecting it) or intrusion (exploiting it). Scripts and other tools become available.
Script kiddies get a hold of them, and you see a dramatic rise in the number of attempted exploits - this takes 1 to 2 months (I've seen a graph somewhere). It takes time for an exploit to go from a theoretical exploit on BugTraq to a program-driven exploit that your standard hacker can use.
At this point, the software or systems programmers of certain companies simultaneously gear up their patch efforts and PR efforts.
After some time, the patch is available (hopefully, before the script-kiddie exploit curve reaches the critical point). Good system administrators and users apply the patches. The script-kiddie curve goes down, because they get bored scanning for the few systems that haven't installed the patch.
And then, there's the poor administrator or user that never checks for patches, or simply has to try out patches for a while before applying them across the enterprise. Eventually, the script-kiddie and this guy's system will meet.
That's probably the correlation that will be found - a nice curve showing exponentially rising exploit attempts after a post to BugTraq, reaching critical after a month or two, then a sharp dampening after the patch is released, never declining to zero. If you search, you may even find a similar graph or study.
The answer isn't to restrict information, just be aware of this extra information, and place yourself further up the curve.
Answer for the little guys: firewall. (Score:5)
But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.
I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco [freesco.org] (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.
It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.
Most people don't realize... (Score:4)
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are compromised each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box compromised in less than a week.
- Jman
Honeypot (Score:2)
How to set up your own honeypot
This [rootprompt.org] is another interesting article on building your own honeypot.
Or paste: http://www.rootprompt.org/article.php3?article=21
Re:Yeah, whatever (Score:2)
Seems to me that the Honeypot boys (and, of course, gerls) might have put some flagitiously powerful boxes emulating some more modest boxes on their little lan.
Even their website is so, well, modest, anyone would be taken in.
I take it that the IP of honeypot is a world away from their actual honeypot?
And on to a security question - is TurboLinux Server harder than RH or Debian? I don't want to spend the dollars without knowing. Answers on a postcard please to McDermott, Guyana (seriously - there are only two persons with that surname in the country - I'm one and the other is my wife!)
The real enemy (Score:5)
I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!
Re:OpenBSD does a LOT better (Score:2)
A word of warning if you try to use your Linux and/or Windows skills to partition OpenBSD for the first time. I figured that all 'fdisk' programs work pretty similar, so I didn't RTFM. It turns out that they have a completely different concept of 'partition', and I blew away all of the other OSes on the box. Live and learn.
It's a nice little OS, though, if a little spartan.
Re:I am trying to figure out... (Score:2)
First off, I want to make the distinction that those popular NAT boxes aren't actually firewalls. They let you share a single IP, a firewall would protect a whole range of IPs. Just a pet peeve.
Anyway, if your concern is that a hacker might break through your NAT router, you can generally relax. At its default setting, these boxes are very secure; IP packets just don't get through them. Of course there are a few caveats. The first is that the box itself can't be flawed. I've never heard of someone hacking one but it could be possible if the engineers that designed it really screwed up badly. More likely though, the only method of attack a hacker can realistically do would involve any static routes you had set up.
For example, if you set all traffic to port 80 to route to your server because you wanted to host your own web site, and the web server you were using had a security flaw in it, then the hacker could still exploit it. So there really isn't any get-out-of-being-hacked-free card here, but it does cut down on the number of possible entry points.
My point is that buying a cheap NAT box is a very good security decision, I encourage everyone who doesn't have something already in place to get one.
The four Yorkshire men go firewalling (Score:3)
A cardboard box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.
A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.
Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.
Wow! (Score:4)
Wow. If that's true, this is just crazy.
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
Results that prove (Score:2)
No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems, yet I would be interested how well they hide them - that is, is the domain name of the network something which would attract their attention? Certainly the average home user would be very scared reading these statistics, which is the point I guess, but it makes me wonder: are we scare mongering here?
If they have gone out and set up a honeypot domain that looks very attractive to the script kiddies then I'm not surprised that they are attracting attention - having said that, my organisation is about the most boring thing on the planet and we have a large amount of intrusion attempts (christ knows if they managed to get in we would get sued for boring hackers to death).
I still can't help but wonder if this stuff is simply set up to attract publicity and attention?
Re:Results that prove (Score:2)
My concern is that this threat to home user stuff is like negative media stories on web shopping or credit card hacking; sure it happens, but how often? What are we doing here - scaring the customer shitless?
Being security conscious is a good thing, but I have friends on dial up who worry about being hacked (they might have some important pron pictures I guess) and they won't buy or pay for anything on line because 'hackers' might get me.
Have we convinced users that there is such a threat to the point where they will believe any line they are fed? This would explain why third rate software like Norton Home Firewall is so popular.
I would like to see some proof these guys have nothing on their systems that appears like a 'hack me' sign to the script kiddies out there.
Maybe I am just cynical.
Distros (Score:4)
Anyone have suggestions for, or references on, an easy-to-install intrusion detection system? Maybe with a GUI?
Are there any distros with security tools installed by default?
Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?
Besides, if these boxen were compromised in hours, what's the point?
Re:Are Black Hats incredibly nice? (Score:5)
In _exactly_ the way Restil speculates.
I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, is not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives.
Once a vulnerable box is found, exploitation is swift. 0wned.
And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he paid good money for is being used for. None.
The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail
That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.
It's the Wild West out there folks. Really.
BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this
"Let's stay safe out there."
BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my boss's boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity.
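The two log patterns described in this thread, the three-attempt NetBIOS probes in the "Most people don't realize..." post above and the host sweeps with identical privileged source and destination ports in this post, as one added detection script. It is not code from the thread, from the Honeynet Project, or from snort. It parses ipchains "Packet log:" lines as syslog writes them on a Linux 2.2 box; the log lines embedded in it are constructed for the example and use documentation IP addresses, and the thresholds (three attempts to a NetBIOS port within five seconds, two or more distinct targets for a sweep) are assumptions chosen to match the two posts.

```python
"""Two detections over ipchains DENY log lines (added example, see lead-in).

NETBIOS burst: 3 or more denied packets from one source to the NetBIOS
ports of one host within 5 seconds (the 2 s / 1 s retry pattern one post
describes). Sweep: one source hitting 2 or more hosts with the same
privileged port as both source and destination port, which the other post
reads as a sign the sending host is itself compromised. Thresholds are
assumptions; SAMPLE_LOG is constructed with RFC 5737 documentation IPs.
Run against a real log with:   python3 fwlog.py < /var/log/messages
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Linux 2.2 ipchains log line as written by syslog. Only the leading fields
# are used; the tail (L=, S=, I=, F=, T=, TCP flags) is ignored.
LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<dev>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

NETBIOS_PORTS = {137, 138, 139}

# Constructed sample: a NetBIOS burst, a sport==dport==111 sweep over three
# hosts, an unrelated ftp probe, a lone 139->139 packet, and a non-matching line.
SAMPLE_LOG = """\
Jul 20 03:14:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:3201 10.1.1.2:139 L=48 S=0x00 I=1 F=0x4000 T=115 SYN (#2)
Jul 20 03:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:3201 10.1.1.2:139 L=48 S=0x00 I=2 F=0x4000 T=115 SYN (#2)
Jul 20 03:14:04 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:3201 10.1.1.2:139 L=48 S=0x00 I=3 F=0x4000 T=115 SYN (#2)
Jul 20 03:20:10 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:111 10.1.1.2:111 L=40 S=0x00 I=4 F=0x0000 T=50 SYN (#5)
Jul 20 03:20:10 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:111 10.1.1.3:111 L=40 S=0x00 I=5 F=0x0000 T=50 SYN (#5)
Jul 20 03:20:11 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:111 10.1.1.4:111 L=40 S=0x00 I=6 F=0x0000 T=50 SYN (#5)
Jul 20 04:05:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.44:4455 10.1.1.2:21 L=48 S=0x00 I=7 F=0x4000 T=64 SYN (#2)
Jul 20 05:00:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.17:139 10.1.1.2:139 L=48 S=0x00 I=8 F=0x4000 T=115 SYN (#2)
Jul 20 05:00:01 gw kernel: not a Packet log line at all
"""


def parse(lines, year=2001):
    """Yield one dict per ipchains log line; lines that don't match are skipped.
    syslog omits the year, so it is supplied (assumed) by the caller."""
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        for key in ("proto", "sport", "dport"):
            rec[key] = int(rec[key])
        yield rec


def netbios_bursts(records, min_hits=3, window=5):
    """Return (src, dst, first_ts, count) once per source/target pair that sends
    min_hits or more packets to NetBIOS ports within `window` seconds."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] in NETBIOS_PORTS:
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= min_hits:
                hits.append((src, dst, times[start], end - start + 1))
                break
    return hits


def privileged_port_sweeps(records, min_targets=2):
    """Return (src, port, sorted targets) for sources whose packets carry the same
    privileged port (<1024) as source and destination and reach min_targets hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["sport"] == r["dport"] and r["sport"] < 1024:
            targets[(r["src"], r["sport"])].add(r["dst"])
    return [(src, port, sorted(dsts))
            for (src, port), dsts in sorted(targets.items()) if len(dsts) >= min_targets]


def analyse(text):
    """Run both detectors over a block of syslog text."""
    records = list(parse(text.splitlines()))
    return netbios_bursts(records), privileged_port_sweeps(records)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    bursts, sweeps = analyse(data)
    for src, dst, first, n in bursts:
        print(f"{first:%b %d %H:%M:%S} NetBIOS burst: {src} -> {dst}, {n} attempts")
    for src, port, dsts in sweeps:
        print(f"sweep from {src} with sport==dport=={port} against {len(dsts)} hosts: {', '.join(dsts)}")
```

On the sample the burst detector reports only 192.0.2.55 (the lone 139->139 packet from 192.0.2.17 is one attempt, not a burst) and the sweep detector reports only 198.51.100.9 (that same lone packet has matching privileged ports but touches a single host, so it is not called a sweep). Both thresholds are parameters, since a box on a busy netblock will want them tuned against its own logs before anyone is paged.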