http://www.perlmonks.org?node_id=64670

Today I ran across a random link on how organized crime is systematically taking advantage of known security holes. This reminded me of RE (tilly) 2: Warning our Fellow Monks, with the moral being that with port scanning once an error is found, there really aren't fish that are too small to be noticed.

Security is hard because it is not obvious. You can fail to be secure and there are no overt symptoms. Your software still works. You don't know of the hole. But it is there, and you can still suffer for it.

However, hard or not, you still need to do it. Choose reasonable passwords. Keep up on patches. Use taint mode. Whenever you are processing arguments, rather than trying to search for every way of breaking in (an approach that always fails), instead consistently validate that the input is in a form that you know is trustworthy. If you can, get someone who is knowledgeable to review your security setup before someone "volunteers" to do the job for you.

Now that link talks about Windows. And it is true that Windows has an abysmal track record. However the track record for Windows is due to a combination of Microsoft not prioritizing security, and the belief (which Microsoft has promoted) that you don't need competent admins for Microsoft products. However an NT box with a competent admin is going to be orders of magnitude safer than any *nix with an admin who doesn't know what they are doing. (Home users of Linux are at serious risk.)

This is a general problem, and it is one which many here contribute to in one way or another, as admins, techs, programmers...
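As an added illustration of the "validate that the input is in a form you know is trustworthy" advice above (example code, not tilly's own), here is a small Perl program run under taint mode. It assumes a program that appends to a per-name log file under a scratch directory; the sample inputs and the accepted name shape are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): validate input by matching it against
# a shape known to be safe, and let taint mode (-T) refuse anything that skipped
# the check. Run as: perl -T taint_check.pl [names...]
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Untaint by extraction: only what the anchored capture returns loses its taint.
# The accepted shape (assumption for this example) is 1-32 characters of
# letters, digits and underscore, not starting with a digit. Anything else is
# rejected whole; there is no attempt to enumerate "bad" characters.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z_][A-Za-z0-9_]{0,31})\z/ ? $1 : undef;
}

# Under -T everything from @ARGV, STDIN, %ENV and a CGI request is tainted.
# With no arguments, constructed samples are used; they are tainted on purpose
# by appending a zero-length slice of a tainted %ENV value (the usual trick for
# tainting a literal in a test; assumes PATH is set in the environment).
my $taint  = substr($ENV{PATH} // '', 0, 0);
my @inputs = @ARGV ? @ARGV
                   : map { $_ . $taint } ('alice', 'bob_42', '../etc', 'carol smith', '');

# Scratch directory standing in for the log spool the program appends to.
my $spool = tempdir(CLEANUP => 1);

for my $in (@inputs) {
    my $name = untaint_name($in);
    if (defined $name) {
        # $name is untainted, so this write is allowed.
        open(my $fh, '>>', "$spool/$name.log") or die "open $name.log: $!";
        print $fh "seen\n";
        close $fh;
        printf "accepted '%s' (input tainted=%d, validated value tainted=%d)\n",
               $in, tainted($in) ? 1 : 0, tainted($name) ? 1 : 0;
    } else {
        print "rejected '$in'\n";
    }
}

# The safety net: use the raw value in a write and Perl aborts with
# "Insecure dependency in open while running with -T switch".
eval {
    open(my $fh, '>>', "$spool/$inputs[0].log") or die "open: $!";
    1;
} or print "taint check fired: $@";
```

Because the shebang carries -T, the script must be started as `perl -T taint_check.pl` or executed directly; `perl taint_check.pl` stops with "Too late for -T". The point of the last block is that taint mode turns a forgotten validation into a hard failure instead of a silent hole.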

Re: Stay aware of security
by footpad (Abbot) on Mar 15, 2001 at 20:18 UTC

    I heartily and wholeheartedly agree.

    A friend of mine runs a small ISP and was recently hacked through the recently announced BIND hole and has been trying desperately to clean things up. This has impacted all of his client web sites and caused no end of grief.

    It started simply enough; DNS had been shut down. He restarted it, did a bit of research, and concluded that it had been a "white hack," a warning to beef up his security. Within a few days, though, he discovered that the same flaw had been used to compromise the rest of the system and that further mayhem was ensuing.

    The relevant bit is that even though I had dutifully forwarded the link as soon as I learned about it (here, actually), he failed to follow through and implement the patches quickly enough. He got side-tracked by other issues and is now paying the price for that.

    Security needs more than knowledge, it needs action... regardless of your level of power on the machine(s) in question.

    To begin, start learning how people get into your systems. I heartily recommend Hacking Exposed: Network Security Secrets & Solutions (Second Edition) by Joel Scambray, et al. (Osborne/McGraw-Hill, 10/2000). While it will make the most sense to administrators, it's written in a way that should be accessible to nearly everyone. It not only documents server, OS, and browser vulnerabilities, it describes hacks in varying degrees of detail *and* provides countermeasures.

    If you're not into the technical details (though I assume that you are, if you hang out here), you may also find Cliff Stoll's The Cuckoo's Egg an entertaining and (through implication) chilling reason to become interested in the gory details. While the book has received some criticism, the very idea should be enough to make the even most pointy-haired of bosses more than a little nervous.

    If you don't have a lot of money, you can still start learning. There are a number of online resources devoted to security, ranging from SecurityFocus to documentation from the other side of the coin. (BTW, if you're using a proxy server that filters content, you may find yourself unable to get to certain sites. Keep digging. Use your personal dialup, if you must. Use care to disable JavaScript and take other basic precautions first.)

    Other random measures:

    • Try to hack the systems you own or administer. As Stoll puts it, "rattle the doorknobs." If you can get in, others certainly can and may already have.

      Note: Do this *very* carefully. If it's a business system, get upper management's support before doing this. One of our own has had no end of trouble because of this very thing.

    • If you're not the admin or do not have root, then make friends with the person that has that access. That way, you'll have a certain amount of credibility when you discover areas of concern.

    • Before shopping at an online merchant, take a moment to view the source of the shopping cart. If they put bad data in hidden fields, flee. Don't trust that site with your credit-card number. If they have weak security in one area, they probably have weak security in others.

    • Before posting data to an online form, try to view the directory containing the script. If you can, flee.

    • Make sure you know what's in your cookies. Accept them sparingly and don't give trusted data to sites that don't handle it well.

    • Patch your browsers and your OS regularly, consistently, and diligently.

    • Don't keep anything on a connected computer that you don't want the rest of the world to see.

    With regard to security, you have to follow Mulder's advice: "Trust No One" (and don't use TRUSTNO1 as a password).

    --f  ...and, yes, I'm an X-Phile.

    Update: Added a few more bits of random advice.

Re: Stay aware of security
by arhuman (Vicar) on Mar 15, 2001 at 19:44 UTC
    I totally agree with you when you say that we must be security aware.

    However, in real life you just CAN'T always set up the adequate security level.

    I mean security is almost always a tradeoff for ease of use...

    Of course you can recompile your kernel adding various security patches, audit your sources, log everything on your box,
    change your password to a random one every week (and remember it), disable all unused ports,
    set up a tcpwrapper AND a firewall, use secure protocols (ssh, IMAP(?)) and forbid the insecure ones (telnet, ftp...),
    you can spend 2 hours a day browsing for security holes on vulnerability lists and patching all your proggies to new versions...

    But will it be necessary for a single-user box, with no sensitive data and connected a few hours a day to the net?
    Even if some of you scream 'YES' the answer is 'no' (mainly because of the hours lost in the patching/upgrading work ;-)

    Security must be adapted to the level of security you NEED.

    Enhance the security where it's necessary (or at least where it's the most efficient).

    Don't get me wrong! In a perfect world (where I would get paid to do it full time with skillful users accepting the drawbacks)
    the 'everything should be secure' policy would be fine.
    Sadly, my boss thinks my job is to code as much as I can, and allows me almost no time to administer 5 servers and several workstations.
    My users say SCP is too complex and that they WANT to use their (insecure) AceFTP client.
    So in this world I have to carefully use the little time I have to enhance the security with a maximum efficiency (with the little time/resource I have).

    So IMHO, even if you must always be security aware, there are some things that you can't afford to do.

    It reminds me of the (Merlyn?) 10/10 rule about 'use strict', stating that any script with more than 10 lines
    or running more than 10 times should be using use strict.
    We should always use the strict pragma, but we can't afford it for simple cases...

    Have you ever wondered why there are so few B1-compliant computers?
    It's only because REAL security makes the use of a computer REALLY horrible.

    So even if it's not so clear, here is my message:

    Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.

    "Trying to be a SMART lamer" (thanx to Merlyn ;-)

      I have really mixed feelings about your thoughts because "It's too hard" is a very slippery slope, one that leads to complacency far too easily. In turn, complacency leads to compromise (in both senses of the word).

      Given the rise of distributed DOS attacks, the practice of using compromised systems as gateways to further mayhem, and other common tactics, I really don't think it's unreasonable to make things a little harder than they need to be in order to add basic and reasonable precautions.

      (I'm reasonably certain that you're aware of this, but I'm trying to point out that many hacks are executed through very common and easily fixed vulnerabilities.)

      Yes, of course there's a balance, but I would argue that you need to draw the line a little farther from the knife edge.

      Users will complain about being forced to change their passwords and to mix case, add numbers, and so on. But they eventually learn and adapt.

      They will not do it on their own; you (the admin) must educate them. Given the number of excellent sources and the publicity surrounding certain hacks, this doesn't need to be overly time consuming.

      Your boss wants you to code? Fine, get him to let you code decent starting places for your users. If they're using FormMail, give them a more secure version. Give them packages of convenient, easy-to-use routines designed to be safer.

      Let them use their FTP clients...on realms isolated from data. Don't let them play in a sandbox on the same machine as the one running your database.

      I think part of tilly's warning is that there are far too many basic, easy, and well-known things you can do to prevent most problems. Be sure you use them.

      Do you really want modern versions of Al Capone running through your systems?

      Also, try to get your boss to allow you two hours a day for research to be spent on non-billable projects. Explain to him the benefit of having a more educated admin/programmer. Show him that this is an investment that will pay off over time.

      Yes, there's a balance between total security and reasonable access. Take the time to make sure you've drawn that line as carefully as possible. If you don't know where it is, you will learn...one way or the other.

      (Not trying to flame you or anything. Just trying to make it perfectly clear that it's far too easy to be complacent. Ignorance must be resisted as strongly as possible.)

      "It's too hard" is not a valid excuse in my book. "Acceptable Losses" may be a better term.

      --f

      Update: In response:

      I think we're arguing the same viewpoint from different angles. I do agree that 100% security is difficult, expensive, and restrictive. I was really trying to say be very, very careful with your compromises.

      Specific points:

      • "security is easy, you only have to do simple things to secure your machine"

        I agree and if that's how I came across, that is not what I meant. I meant, don't let your compromises prevent you from doing the easy stuff.

      • the recipes are known but they are impractical in real use.

        I would rather say "they can be impractical." I have seen far too many cases where people have taken this idea to the extreme of "Never mind. We'll take that chance." Those extremes are what prompted my reply.

        Yes, of course, take the basic precautions and figure out the balance you're talking about. Again, I'm not disagreeing with you...I'm arguing against the extreme conclusions that I've seen others make, conclusions generally starting with thoughts very similar to yours. You appear to be drawing a good balance.

      • Tell me how you easily fix production servers which must be running 24/24h 7/7j
        (with of course some applications incompatible with the new secure version of other applications)?

        This is true. There's not an easy answer. Or, perhaps more accurately, I don't know how secure sites do this. I know it's done and hope that a monk more versed in Administration matters can offer some hints or a link.

      • OK, but they want the same password for telnet and ftp, anyone with a sniffer on my subnet now has a local access on my box.

        Which is why I suggested using a different realm or box. I would not knowingly advocate dangerous practices. I'm sorry I wasn't more clear on that point.

      • I will now have another box to secure...

        Then that's a risk you find acceptable, one I assume you'll fix when or if you have the opportunity. As I understand it though, my recommendation is considered safest.

        Again, I am not criticizing your choices, just trying to call attention to a couple of ideas that I've come across. It's free advice. Ignore it if you wish.

      • (It IS a huge error if you think in long term effect, but my boss tend to be short sighted...)

        I don't envy your position. You're clearly dealing with several conflicting desires/choices/factors. The presence of a PHB doesn't help.

        As I mentioned earlier, you're doing the best you can and that's all anyone can ask.

        However, that doesn't mean you should give up. Try to socially engineer him. If you're not allowed to experiment, then how can you predict that new changes won't adversely affect production data?

        I'm sure that far wiser and more experienced monks can offer other ideas and suggestions.

      • I hope you won't take it as irony or personal attack, but this is MY REALITY, and probably the one a of a lot of sysadmin...

        No, I don't take it as a personal attack, in part because my reality is, in many ways, similar. I freely admit that I'm a programmer, not an admin, but I have compromises to live with in my work as well.

        However, that doesn't stop me from trying to improve that reality through education, discussion, experimentation, and so on. It doesn't prevent me from trying to help my boss get over some of her pointiness. It doesn't stop me from trying to help others make their professional lives better.

        I know I am not perfect. I continue to try to make a difference. I will not accept my reality as set in stone. I believe I can affect and improve it.

        I'm sure you are doing the same and are as frequently frustrated as I am.

      • Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.

        I agree. I also think it's important to try to do better, even after making certain choices. Put another way, a compromise is fine, as long as it's knowingly made. However, it should not remain set in stone. "We can't do that" should be "We can't do that now." This leads to "What needs to happen so we can," which in turn often leads to a solution and a plan for implementing it.

      Again, this is friendly discussion that's not intended to inflame. I'm trying to solve problems, not criticize anyone's decisions, work, or choices. Most of us care enough about our work to keep poking at it after it's "done." That's the attitude that I'm trying to encourage. Do the best you can at the moment, accept your limitations, and try to improve when and where you can--even if that's the next project.


        I must have been VERY unclear:
        I've never said security is 'too hard'; in fact I think security is obvious
        (a large part of the vulnerabilities are known and categorized)

        I only say that most of us can't afford the cost of true security
        I furthermore think that saying "security is easy, you only have to do simple things to secure your machine" is wrong!
        (the easy things to do provide only weak protection against the clueless script-kiddies)
        It's not only wrong but it has the bad side-effect of (wrongly) making you feel secure.

        Really securing your machine is a constant/heavy process.
        the recipes are known but they are impractical in real use.

        "I'm trying to point out that many hacks are executed through very common and easily fixed vulnerabilities"
        I'd like to do it, just imagine how much time it would take to constantly check for new exploits/versions and upgrades.
        Tell me how you easily fix production servers which must be running 24/24h 7/7j
        (with of course some applications incompatible with the new secure version of other applications)?

        "Let them use their FTP clients"
        OK, but they want the same password for telnet and ftp; anyone with a sniffer on my subnet now has local access on my box.

        "Users will complain about being forced to change their passwords and to mix case, add numbers, and so on.
        But they eventually learn and adapt.
        "
        You're right, they'll adapt; I can't count the number of times I caught them writing it on a post-it (put ON THE SCREEN!!!)

        "Don't let them play in a sandbox on the same machine as the one running your database."
        Another machine? I can't convince my boss to give me a little time,
        how will I convince him to spend hundreds of dollars for the box/hosting.
        Worse! I will now have another box to secure...

        "Explain to him the benefit of having a more educated admin/programmer." I've tried; he then explained to me the benefit for the society of making money, he explained to me how much 2 hours of security cost and how much 2 hours of coding brings us
        (It IS a huge error if you think in long term effect, but my boss tends to be short sighted...)

        That's why I (you'll) have to think in terms of efficiency (or cost, which is the right term here, as jeroenes said).

        I hope you won't take it as irony or personal attack but this is MY REALITY, and probably the one of a lot of sysadmins...

        All I can say is say it again:
        Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.


        "Trying to be a SMART lamer" (thanx to Merlyn ;-)
      arhuman,

      Maybe you'd better weigh security against money! How much does it cost to improve, and how much will it cost me if it goes wrong? For personal use, think about what info they can get from my box: account numbers, sensitive job information, etc... For business use: legal stuff, consumer trust, etc, etc....

      The other side of the equation is the cost to improve. Not a matter of possibility, but of bare costs. Costs in terms of time spent, technology bought, etc.

      Jeroen
      "We are not alone"(FZ)

Re: Stay aware of security
by rpc (Monk) on Mar 15, 2001 at 22:37 UTC
    I fully agree; system and network security are of utmost importance, especially in a threat model which includes large loss of revenue.

    However, most people think that security is reading about the latest exploits and techniques. This is not enough.

    Security must be pro-active. Most public exploits have been known to the blackhat community for a very long time. Devise an overall security architecture that matches your threat model.

    Also, I can't tell you how many times during a security audit I've compromised machines through finding holes in home grown code. Yes, worry about patching and maintaining your daemons, but damnit have someone security audit your source!

    On the Perl front, CGI scripts tend to be the worst in security, and best in accessibility. This is due to the overwhelming amount of novice Perl coders who have web whacking jobs.

    In particular, please, please, please: if you load a template or any dynamic content via a CGI script don't get the template or content filename from the client if you can help it. I have (legally) compromised dozens of websites using insecure template loading alone.

    In short, audit your code!
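As an added example of rpc's point about template loading (not rpc's code, and not any particular site's), here is a CGI-style page loader in Perl where the client-supplied name only selects from a fixed table, next to the string-splicing pattern it replaces. The template directory, the three page names and the sample requests are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not rpc's code): a CGI-style page loader whose template is
# chosen by a client-supplied name. The name is only ever a key into a fixed
# table, so the client's string never becomes part of a filename.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed template directory with three known pages (assumption: the real
# site keeps them in templates/).
my $tmpl_dir = tempdir(CLEANUP => 1);
my %page = (home => 'home.html', about => 'about.html', contact => 'contact.html');
for my $file (values %page) {
    open(my $fh, '>', "$tmpl_dir/$file") or die "create $file: $!";
    print $fh "<h1>$file</h1>\n";
    close $fh;
}

# The insecure pattern rpc warns about: the client's string is spliced straight
# into the path. Only used here to build the string; it is never opened.
sub insecure_template_path {
    my ($client_value) = @_;
    return "$tmpl_dir/$client_value";
}

# The allowlist pattern: unknown names yield undef, which becomes a 404.
sub template_path {
    my ($client_value) = @_;
    return undef unless defined $client_value && exists $page{$client_value};
    return "$tmpl_dir/$page{$client_value}";
}

# Builds the CGI response (status line, headers, body) for a requested page.
sub render {
    my ($client_value) = @_;
    my $path = template_path($client_value);
    return "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nno such page\r\n"
        unless defined $path;
    open(my $fh, '<', $path) or return "Status: 500 Internal Server Error\r\n\r\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return "Content-Type: text/html\r\n\r\n$body";
}

# Constructed requests: a normal one, one that tries to climb out of the
# template directory, a real filename the table does not know, and an empty one.
for my $req ('home', '../../config/db.conf', 'home.html', '') {
    my @parts   = File::Spec->splitdir(insecure_template_path($req));
    my $escapes = (grep { $_ eq '..' } @parts) ? 'escapes' : 'stays inside';
    my ($first) = split /\r\n/, render($req);
    printf "%-24s naive path %-12s templates/; allowlist -> %s\n", "'$req'", $escapes, $first;
}
```

The table does double duty: it is the list of pages the site intends to serve, and it is the validation. A request that names anything else, including a real file in the directory that was never meant to be served directly, gets a 404 rather than a file read.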

Re: Stay aware of security
by Albannach (Monsignor) on Mar 15, 2001 at 20:40 UTC
    A meditation like this should be run regularly as a reminder!

    Just to change the flavour a bit, I'd like to mention the human factor in cracking, as even the tightest, most secure site is wide open for inter-personal attacks unless ALL the users are well-trained on security protocols. You never want to hear "Gee it sounded like an IT guy, why shouldn't I have given him my password" or similar. Such old-time cons still work well, are cross-platform portable and immune to any techno defenses.

    My standard plug: read the Risks Digest for plenty of horror stories!

    Update: For an interesting though quite dated collection of cracking stories try Out Of The Inner Circle by Bill Landreth.

    --
    I'd like to be able to assign to an luser

Re: Stay aware of security
by MeowChow (Vicar) on Mar 16, 2001 at 09:20 UTC
    And of course, you should never trust any form input (click the link, vote, and check out my rippin' score to see what i mean)...

    <!--Evil hacker code--> <FORM ACTION="http://www.amiallyourbaseornot.com/default.asp" METHOD="POST"> <input type=hidden Name="Rating" value=1000> <input type=hidden name="PicNo" value="2484"> <input type=submit value="0wn B4s3"> </FORM>

       MeowChow                                   
                   s aamecha.s a..a\u$&owag.print
      I think that's been fixed... 5.6, it says.
Re: Stay aware of security
by OzzyOsbourne (Chaplain) on Mar 20, 2001 at 20:29 UTC

    To secure or not secure, that is the question.

    This thread seems to have evolved into two camps: People who lock it all down, and people who think it's too hard to lock it all down.

    I am in camp 3: Lock everything down according to its value. I leave rakes and shovels in my yard, I don't leave my wallet on the window sill, and I always lock my doors.

    Some of my stuff is LOCKED, some is not that locked, and it's all behind a firewall.

    Final points:

    1. If someone wants in, they'll find a way.
    2. You don't have to leave the door open.
    3. As a home user, you are 1 in a Zillion

    Finding an appropriate security policy is the hard part.

    Find balance.

    -OzzyOsbourne

      I am in camp 4. The Internet is the biggest (virtual) metropolis around. One in a zillion is very findable when people have tools like port scanning. But you are never going to be perfect.

      Therefore unless I have a good reason not to, I lock my door. I don't leave valuables lying around without reason. But I am not totally paranoid, and if you want to break the windows, I know you can get in.

      But wherever I reasonably can, I pay attention to security.

      Far too often people confuse being one in a crowd with being safe. That isn't true. In a world with DDoS attacks, if you aren't part of the solution, you are part of the problem...

        I don't know if this is appropriate here, but I know a lot of perl monks are penguin lovers also. I was forwarded this PGP signed message from my LUG. It was sent to one of the sysadmins at the university I attend:
        Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1
        ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
        March 23, 2001 7:00 AM
        Late last night, the SANS Institute (through its Global Incident
        Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a China.com site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.
        Several experts from the security community worked through the night to decompose the worm's code and engineer a utility to help you discover if the Lion worm has affected your organization.
        Updates to this announcement will be posted at the SANS web site, http://www.sans.org
        DESCRIPTION
        The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001.
        The Lion worm spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called "name". It then installs the t0rn rootkit.
        Once Lion has compromised a system, it:
        - - Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
        - - Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
        - - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf)
        - - Installs a trojaned version of ssh that listens on 33568/tcp
        - - Kills Syslogd , so the logging on the system can't be trusted
        - - Installs a trojaned version of login
        - - Looks for a hashed password in /etc/ttyhash
        - - /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.
        The t0rn rootkit replaces several binaries on the system in order to stealth itself. Here are the binaries that it replaces:
        du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top
        - - "Mjy" is a utility for cleaning out log entries, and is placed in /bin and /usr/man/man1/man1/lib/.lib/.
        - - in.telnetd is also placed in these directories; its use is not known at this time.
        - - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
        DETECTION AND REMOVAL
        We have developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. This utility will list which of the suspect files is on the system.
        At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site.
        Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
        REFERENCES
        Further information can be found at:
        http://www.sans.org/current.htm
        http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
        http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
        in transaction signature (TSIG) handling code
        http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
        The following vendor update pages may help you in fixing the original BIND vulnerability:
        Redhat Linux RHSA-2001:007-03 - Bind remote exploit http://www.redhat.com/support/errata/RHSA-2001-007.html
        Debian GNU/Linux DSA-026-1 BIND http://www.debian.org/security/2001/dsa-026
        SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
        Caldera Linux CSSA-2001-008.0 Bind buffer overflow http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
        This security advisory was prepared by Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies.
        The Lionfind utility was written by William Stearns. William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects.
        Also contributing efforts go to Dave Dittrich from the University of Washington, and Greg Shipley of Neohapsis
        Matt Fearnow
        SANS GIAC Incident Handler
        If you have additional data on this worm or a critical question please email lionworm@sans.org
        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.4 (BSD/OS)
        Comment: For info see http://www.gnupg.org
        iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
        ek+YCliAS832nnMIzP28ezM=
        =E1SG
        -----END PGP SIGNATURE-----
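As an added example (not the SANS Lionfind utility and not part of the advisory or the thread), here is a Perl check for the host indicators the advisory above lists: the hidden /usr/man/man1/man1/lib/.lib directory and its setuid .x, the dropped mjy and in.telnetd copies, /etc/ttyhash, a missing /etc/hosts.deny, and inetd entries on the three backdoor ports. It takes a root prefix so it can be exercised on a constructed directory tree, which is what it does by default; the fake tree is constructed here and is not a real infection.

```perl
#!/usr/bin/perl
# Added example: a check for the Lion/t0rn host indicators listed in the SANS
# advisory. It is not Lionfind and not part of the advisory; it takes a root
# prefix so it can be exercised on a constructed tree (the default) or run as
# `perl lion_check.pl /` on a real host.
use strict;
use warnings;
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Indicators taken from the advisory text.
my $hidden_dir     = '/usr/man/man1/man1/lib/.lib';
my @rootkit_files  = ('/etc/ttyhash', '/bin/mjy', "$hidden_dir/mjy",
                      "$hidden_dir/in.telnetd", "$hidden_dir/.x");
my @backdoor_ports = (60008, 33567, 33568);

sub check_lion {
    my ($root) = @_;
    $root =~ s{/\z}{};        # "/" becomes "", so "$root/etc" is "/etc"
    my @findings;

    push @findings, "hidden directory present: $hidden_dir" if -d "$root$hidden_dir";
    for my $f (@rootkit_files) {
        push @findings, "rootkit file present: $f" if -e "$root$f";
    }
    push @findings, "setuid file present: $hidden_dir/.x" if -u "$root$hidden_dir/.x";

    # The worm deletes /etc/hosts.deny to switch off the tcp wrappers deny list.
    push @findings, "/etc/hosts.deny missing" unless -e "$root/etc/hosts.deny";

    # Backdoor shells are registered through inetd. Heuristic: look for the port
    # numbers in inetd.conf; an entry written as a service name resolved via
    # /etc/services would need that file scanned the same way.
    if (open(my $fh, '<', "$root/etc/inetd.conf")) {
        while (my $line = <$fh>) {
            chomp $line;
            next if $line =~ /^\s*(#|$)/;
            for my $port (@backdoor_ports) {
                push @findings, "inetd.conf line $.: port $port -> $line"
                    if $line =~ /\b$port\b/;
            }
        }
        close $fh;
    }
    return @findings;
}

# Constructed demonstration tree standing in for an infected host: the hidden
# directory with a setuid .x, an inetd entry on a backdoor port, no hosts.deny.
sub build_fake_root {
    my $fake = tempdir(CLEANUP => 1);
    make_path("$fake$hidden_dir", "$fake/etc");
    open(my $x, '>', "$fake$hidden_dir/.x") or die "create .x: $!";
    close $x;
    chmod 04755, "$fake$hidden_dir/.x";
    open(my $conf, '>', "$fake/etc/inetd.conf") or die "create inetd.conf: $!";
    print $conf "# constructed inetd.conf for the demonstration\n",
                "60008 stream tcp nowait root $hidden_dir/.x .x\n";
    close $conf;
    return $fake;
}

my $root = @ARGV ? $ARGV[0] : build_fake_root();
my @hits = check_lion($root);
if (@hits) { print "$_\n" for @hits }
else       { print "no Lion/t0rn indicators found under $root\n" }
```

The file tests go through stat(), not through the ls, find and netstat binaries the advisory says t0rn replaces, so a script like this sees files those tools would hide. That is still only as trustworthy as the kernel and the perl binary on the host; once a machine shows any of these indicators, the advisory's own conclusion applies and the box should be examined from clean media rather than trusted to audit itself.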