Re: 90% of Linux Systems Have Never Been Infected ...

From: <captgoodnight@acsalaska.net>
Date: Wed Jul 28 2004 - 20:43:11 AKDT

On Wednesday 28 July 2004 02:41 pm, Royce Williams wrote:
> On 7/28/2004 2:11 PM, Matthew Schumacher wrote:
> > While I agree with this, there is a way that you can be pretty darn sure
> > you have not been compromised. If you install tripwire, learn to use it
> > correctly, then meticulously audit every change on the system you can
> > say with reasonable certainty that the system has not had any
> > unauthorized changes. It's a huge pain, but it does work.

Tripwire is a breeze to get around, pretty much. If a skilled user gets root and knows
better than to release their tools publicly, they WILL stay under cover! Kernel-level rootkits are totally
ruthless, and 0-day root-level kits are undetectable! Bottom line! If you use tripwire, run the binaries
from a CD-R, and move those reports quickly to a safe area for inspection. This is easy to automate with
pop3s, ntp, fetchmail.

Another thing is this: let's say a "baddie" has fingerprinted a machine as, let's say,
Mandrake, and has an unknown stack-based buffer overflow for some service. So he lurks on the
Mandrake security mailing list, waiting for a horde of updates. The user goes ahead and downloads
the massive amount of rpms, then the baddie goes ahead and slips in, hiding his first moves in the
middle of the massive tripwire report the user has to run through and update. I know not all of us check
EVERY single replaced file after an update in those reports! lol. So easy to hide something in there after
so much activity.

> Unfortunately, there are techniques to modify kernels to get in the
> middle of the system calls that ask for filesystem data, and pass
> arbitrary answers back to those calls. This can neatly circumvent
> most of Tripwire, since Tripwire relies on the operating system to
> stat the file. Even the multiple checksums that Tripwire uses
> can be planned for, if the file being replaced can be predicted and
> has known checksums (in theory). I'm sorta talking through my hat
> here, as I've never seen any of this in practice, but that's how it's
> been explained to me.

You're right on target and then some.

Oh dear, I can't leave this one alone. This is the stuff I study and play with in my lab. Admins, be scared:
if a skilled user gets root, she/he can stay undetected if they want to. While playing with kernel-level key loggers,
relay back doors, firewalking and .... this stuff is ruthless. How about icmp for communications instead of tcp/udp; no netstat. At kernel level,
EVERYTHING is possible to hide, with NO mods to present binaries. Cleaning the logs is really the only thing left to do; easy.
Think: whatever prevention we come up with, there is a group working on getting around it. It works like that. Phrack labs; these
users know their stuff. No admin would want to tangle with a group and skill set like that.

Check this.
I find it amazing that people commonly tell me what OS and services they admin at their place of work (my job, not lists). I've heard so many
admins fingerprint their services to strangers! This is nuts! I've seen passwords written on stickies stuck to drawers. I even
visited a non-IT conference room, on a weekly basis, where the topology of their ENTIRE network was drawn out on the marker board,
left from an old meeting (over a month!), for the janitors and horticulturists to see. CRAZY! I've even had legit ftp access given to me by a
worker of a MAJOR corporation, so he could share a game with me! So, with these kinds of mistakes commonplace, know it's only
a matter of time before some jerk moves with skill where they shouldn't. Know, those who know me, I only thrash about my own systems.
And I've enjoyed/learned from every meeting with you.

The biggest weakness I see in security, on a DAILY basis, from
workplace to workplace, is the admin's ego. It seems that most admins, when speaking to a person who by illusionary monetary standards isn't equal,
will speak very liberally about their job, maybe thinking that this person, who MUST make very little, can't possibly use the information
past the given word; MISTAKE! The easiest way in is social engineering; the liquor is our ego. That's a mistake. I remember reading about pen tests
where the social engy group used (pardon me) HOT bodies to gain information; it was a successful tactic. And what about employees using services
like pc-anywhere and other such programs; easy way in. So, social engy and common employees; security policy! How about autorun Windows
boxes and usb drives (no matter that the box is password locked!).

Gosh this topic gets me going.

I remember thinking that there couldn't exist this "elite hacker" skill set. That was a refreshing wall to tear down.
These individuals get to a point in skill that, if they choose to and take their time,
they have a good chance of compromising just about anything that stands in their path; it's impressive. The thing is, they've got time.
To these individuals, it's not can or can't, it's should I or not. The funny thing is, when they do, they usually harden the system to keep
others out, lol, they "own" it. No matter how long you've been working with computers, there are better.

> > [...] Further, 78% of Linux developers say that their
> > Linux systems have never been hacked [...]

They have no clue. Their mistake is they stand on the illusionary pillar of "Developer". That's their mistake.
The heady man is the monkey's friend. http://www.monkey.org/~dugsong/dsniff/

My rule of thumb, anything I can grab, I can pick up ;)
bests, can't believe I pressed send! lol
eddie
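One way to take the noise out of the post-update report the thread describes, as an added example that is not from this thread or from Tripwire itself: compare every changed file against the hash the package manager says the update should have installed, so only the changes the update does not explain are left for manual review. The manifests and hashes below are constructed; the poster's caveat still stands, since a kernel-level rootkit can lie to whatever reads the files, so the scan itself has to run from trusted media.

```python
import hashlib
from typing import Dict, Set, Tuple


def h(data: bytes) -> str:
    """SHA-256 of constructed file contents, standing in for a scanner's hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed trusted baseline: path -> hash recorded before the update.
BASELINE: Dict[str, str] = {
    "/usr/sbin/sshd": h(b"sshd-old"),
    "/bin/ls": h(b"ls-old"),
    "/usr/bin/ps": h(b"ps-old"),
}

# Constructed list of what the updated packages should have installed
# (hypothetical; on a real box this would come from package metadata).
UPDATE_EXPECTED: Dict[str, str] = {
    "/usr/sbin/sshd": h(b"sshd-new"),
    "/bin/ls": h(b"ls-new"),
}

# Constructed post-update scan: sshd matches the package, ls does not,
# ps changed although no package touched it, and a new file appeared.
CURRENT: Dict[str, str] = {
    "/usr/sbin/sshd": h(b"sshd-new"),
    "/bin/ls": h(b"ls-other"),
    "/usr/bin/ps": h(b"ps-other"),
    "/etc/cron.d/nightly": h(b"constructed new file"),
}


def triage(baseline: Dict[str, str], expected: Dict[str, str],
           current: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Split changed paths into those the update explains and those it does not.

    A change is explained only if the package manager declared that path AND
    the installed hash equals the declared one; anything else (added, removed,
    or differing from the package's hash) stays in the review set.
    """
    explained: Set[str] = set()
    unexplained: Set[str] = set()
    for path in set(baseline) | set(current):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # untouched; nothing to review
        if path in expected and expected[path] == new:
            explained.add(path)
        else:
            unexplained.add(path)
    return explained, unexplained
```

Running `triage(BASELINE, UPDATE_EXPECTED, CURRENT)` leaves only `sshd` explained and sends `ls`, `ps` and the new cron file to review, which is exactly the set that would otherwise be buried in the big report.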

Received on Wed Jul 28 20:43:36 2004

This archive was generated by hypermail 2.1.8 : Wed Jul 28 2004 - 20:43:37 AKDT