Re: 90% of Linux Systems Have Never Been Infected ...

From: Greg Madden <pabi@gci.net>
Date: Wed Jul 28 2004 - 22:05:09 AKDT

On Wednesday 28 July 2004 08:43 pm, captgoodnight@acsalaska.net wrote:
> On Wednesday 28 July 2004 02:41 pm, Royce Williams wrote:
> > On 7/28/2004 2:11 PM, Matthew Schumacher wrote:
> > > While I agree with this, there is a way that you can be pretty
> > > darn sure you have not been compromised. If you install tripwire,
> > > learn to use it correctly, then meticulously audit every change
> > > on the system you can say with reasonable certainty that the
> > > system has not had any unauthorized changes. It's a huge pain,
> > > but it does work.
>
> Tripwire is a breeze to get around, pretty much, if a skilled user
> gets root, they, if they know better than to release their tools
> public, WILL stay under cover! Kernel level rootkits are totally
> ruthless, and 0 day root level kits are undetectable! Bottom line! If
> you use tripwire, run the binaries from a cdr, and move those reports
> quickly to a safe area for inspection. This is easy to automate with
> pop3s, ntp, fetchmail.
>
> Another thing is this, let's say a "baddie" has fingerprinted a
> machine as let's say Mandrake, and has an unknown stack-based
> buffer overflow for some service. So he lurks the mandrake security
> mailing list, waiting for a horde of updates. The user goes ahead and
> downloads the massive amount of rpms, then the baddie goes ahead and
> slips in, hiding his first moves in the middle of the massive
> tripwire report the user has to run through and update. I know not all
> of us check EVERY single replaced file after an update in those
> reports! lol. So easy to hide something in there after so much
> activity.
>
> > Unfortunately, there are techniques to modify kernels to get in the
> > middle of the system calls that ask for filesystem data, and pass
> > arbitrary answers back to those calls. This can neatly circumvent
> > most of Tripwire, since Tripwire relies on the operating system to
> > stat the file. Even the multiple checksums that Tripwire uses
> > can be planned for, if the file being replaced can be predicted and
> > has known checksums (in theory). I'm sorta talking through my hat
> > here, as I've never seen any of this in practice, but that's how
> > it's been explained to me.
>
> You're right on target and then some.
>
>
> Oh dear, I can't leave this one alone. This is the stuff I study and
> play with on my lab. Admins, be scared, if a skilled user gets root,
> she/he can stay undetected if they want to. While playing with kernel
> level key loggers, relay back doors, firewalking and .... this stuff
> is ruthless. How about icmp for communications instead of tcp/udp; no
> netstat. At kernel level, EVERYTHING is possible to hide, with NO
> mods to present binaries. Cleaning the logs is really the only thing
> left to do; easy. Think, what ever prevention we come up with, there
> is a group working on getting around it. It works like that. Phrack
> labs; these users know their stuff. No admin would want to tangle
> with a group and skill set like that.
>
> Check this.
> I find it amazing, that people commonly tell me what OS and services
> they admin at their place of work (my job, not lists). I've heard so
> many admins fingerprint their services to strangers! This is nuts!
> I've seen passwords written on stickies stuck to drawers. I even,
> visited a non-IT conference room, on a weekly basis, that on the
> marker board, was drawn out the topo of their ENTIRE network, left
> from an old meeting (over a month!), for the janitors and
> horticulturists to see. CRAZY! I've even had legit ftp access, given
> to me from a worker of a MAJOR corporation, so he could share a game
> with me! So, with these kinds of mistakes commonplace, know, it's
> only a matter of time before some jerk moves with skill where they
> shouldn't. Know, those who know me, I only thrash about my own
> systems. And I've enjoyed/learned from every meeting with you.
>
> The biggest weakness I see in security, on a DAILY basis, from
> workplace to workplace, is the admins ego. It seems, that most
> admins, when speaking to a person who by illusionary monetary
> standards, isn't equal, will speak very liberally about their job,
> maybe thinking that this person, who MUST make very little, can't
> possibly use the information past the given word; MISTAKE! The
> easiest way in, is social engineering, the liquor is our ego. That's
> a mistake. I remember reading about pen tests, where the social engy
> group used (pardon me) HOT bodies to gain information, it was a
> successful tactic. And what about employees using services like
> pc-anywhere, and other style programs; easy way in. So, social engy,
> and common employees; security policy! How about auto run windows
> boxes and usb drives (no matter the box is pass locked!).
>
> Gosh this topic gets me going.
>
> I remember thinking that there couldn't exist this "elite hacker"
> skill set. That was a refreshing wall to tear down. These individuals
> get to a point in skill, that if they choose to, and take their
> time, they have a good chance of compromising just about anything
> that stands in their path; it's impressive. The thing is, they got
> time. To these individuals, it's not can or can't, it's should I or
> not. The funny thing is, when they do, they usually harden the system
> to keep others out, lol, they "own" it. No matter how long you've been
> working with computers, there are better.

So there are different views of 'security' for computers, not just
Linux. One thing I do know is as a business user with an IPCOP
firewall, AFAIK, I am reasonably secure. On the other hand Debian's
servers were compromised this spring so no scenario is without serious
concern.

-- 
Greg Madden
Precision Air Balance, Inc.
Phone: 907-276-0461
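The thread above argues about what a Tripwire-style file integrity check can and cannot catch. The following is an added illustration, not code from the original post or from Tripwire: it baselines a directory tree (sha256 plus the stat fields), then re-checks after a same-size replacement whose timestamp was restored, which size and mtime alone would miss but the hash catches. The tree, file names and contents are constructed for the demo; as in the thread, this trusts the kernel's read() and stat() answers, and the report it produces is only useful if it is stored off the host before an intruder can edit it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline a tree: sha256 plus the stat fields an integrity checker records.
    Like Tripwire, this trusts the kernel's read()/stat() answers (see the thread)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": st.st_mode,
            "mtime": int(st.st_mtime),
        }
    return manifest

def compare(baseline, current):
    """Report which paths were added, removed or changed between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline two fake binaries, then swap one for a
    same-size replacement with its timestamp restored, and drop a new file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"\x7fELF original ls")
        (bin_dir / "ps").write_bytes(b"\x7fELF original ps")
        baseline = snapshot(root)
        ps = bin_dir / "ps"
        old = ps.stat()
        ps.write_bytes(b"\x7fELF replaced ps")  # same length as the original
        os.utime(ps, (old.st_atime, old.st_mtime))  # size and mtime now match baseline
        (bin_dir / "dropped").write_bytes(b"new file")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # changed: ['bin/ps'], added: ['bin/dropped'], removed: []
```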
Received on Wed Jul 28 22:05:28 2004

This archive was generated by hypermail 2.1.8 : Wed Jul 28 2004 - 22:05:29 AKDT