From: markjw at lightlink.com (Mark J. Walborn)
Subject: w32.frethem.k@mm and good reading

Has anyone encountered the above-mentioned worm? Several anti-viral software companies have posted updates as of midnight.

Also, I found the following article of interest.

By Robin Miller, NewsForge.com

> Posted: 06/06/2002 at 12:10 GMT
>
> Here's an interesting way to secure an Internet-connected computer against intruders: Make sure the operating system and software it runs are so old that current hacking tools won't work on it. This was suggested by Brian Aker, one of the programmers who works on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs several servers of his own that host a number of small non-profit sites in the Seattle area. "I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."
>
> Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite. "[Mac is] a great operating system for that application," he says. "No scripting or remote capability at all, so there's no way for them to get in."
>
> Not only that, the hacker/cracker crowd is fixating, as usual, on the latest versions of everything, like Windows 2K/XP, Mac OS X, the most recent Linux kernels and BSDs, the newest Solaris, and so on. What fun is there in breaking into a system running something so ancient only a dad would even consider using it? There's also an obscurity factor to consider here, and not the one proprietary software advocates usually trot out when discussing security issues.
>
> True "security through obscurity"
>
> Most Web site takedowns and system intrusions make use of known vulnerabilities in a particular operating system or server software package. These vulnerabilities are typically discovered, a little at a time, by thousands of bad hackers who poke and prod at systems, port-scanning and probing them, sharing the information they gain from their (mostly failed) attempts with each other. A million monkeys with Internet connections may not reproduce any Shakespeare plays -- they need to use old-fashioned typewriters to do that -- but they sure as bleep are going to find vulnerabilities in any host they contact sooner or later simply by sheer weight of numbers, especially if the operating system or software they attack is popular enough that they have many instances of it out there to look and poke at. It doesn't matter whether the operating system and server software under attack is proprietary or Open Source. Sooner or later, with enough monkeys scratching at it, every single chink or opening can be discovered and exploited.
>
> Imagine a custom operating system used by only a few servers, running server software so oddball that cracking lessons learned on mainstream servers don't apply to it at all. Or imagine running a DOS variant or an OS like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages and receiving responses through online forms and handling email, which are the primary tasks performed on most publicly-accessible servers.
>
> Now imagine your local script kiddie trying to crack a box running an operating system and server software he's never seen before, about which no information is available in the usual online hacker hangouts. Chances are, he's going to move on to an easier target.
>
> This is security through obscurity at its finest. Even if the custom operating system and server software are Open Source, low-level attackers aren't going to bother poring over the code thoroughly enough to find its vulnerabilities, and those few who have the skill level needed almost certainly have better things to do with their time -- like work -- and won't bother.
>
> Really dumb stuff
>
> Never forget, most intrusions and defacements exploit really stupid administrator or user mistakes, like using "password" as the password for remote access or running all kinds of unnecessary services that create security holes so big a whale could dive through them. These lapses have nothing to do with the operating system or software being used. No operating system or application ever written is immune to user stupidity. Some just take more stupidity to botch than others, you might say. But that's enough about that. Let's go back to talking about old operating systems.
>
> Age before beauty
>
> One advantage of mature software is that lots of people have already tried to crack it and lots of patches have been written. A smart sysadmin like Brian, running an ancient version of Solaris, has kept up with security updates over the years and has installed all of them he has found. What some people might sneer at as "obsolete" software, others might call "carefully tested" or "proven." Indeed, Debian Linux users often point to the fact that Debian's stable branch does not include the latest kernel or software as one of its great strengths; Debian lets others explore the latest and greatest -- and fall victim to the latest and greatest exploits -- before all the kinks are worked out to the Debian maintainers' satisfaction.
>
> Note that an awful lot of servers out there are still running on Red Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the latest version of Apache to trickle out into the world full-strength. Because these programs have zero licensing cost attached to updates, why would so many sysadmins keep using old versions when new ones no doubt offer more and slicker features? Obviously, those sysadmins have the same outlook as delivery truck fleet managers who refuse to buy a new model during its first year or two in production. They prefer to wait until all the kinks are worked out and all the defects and maintenance tricks have been discovered and applied by early adopters before jumping from the tried and true into something new.
>
> This is sane behavior for a conservative business manager whether she is running a fleet of Web servers or a fleet of trucks -- or even a fleet of Web servers for a trucking company. But it may be even more sane to hold on to the same servers and trucks even when others sneer at them as being old, even if new versions are smoother and easier to administer or drive. Quite simply, once you have worked with a piece of software or a truck for a number of years, you know its quirks inside and out. When it acts up in a subtle way someone not used to it might not even notice, long experience with it can point an observant sysadmin or mechanic straight to a problem, thereby saving downtime and repair costs.
>
> Because "Total Cost of Ownership" is the big management buzz phrase that cuts across all business areas, and anything new requires a learning curve, sometimes it is best to just keep on using the old whatever as long as it does its job reasonably well.
>
> At some point -- hopefully before Microsoft stops supporting it -- Windows NT may be reasonably secure against most common exploits. If nothing else, by that time there will be hundreds of thousands of sysadmins who have learned how to secure it as hard as possible, even if they had to learn some lessons the hard way -- by getting cracked. At the same time, the script kiddies and malicious hackers who ran roughshod over NT servers when they first appeared have aged. Most of them probably have jobs and responsibilities by now, and aren't getting their kicks playing in other people's systems but are busily securing ones they run themselves.
>
> The next generation of bad-kid hackers probably won't mess much with NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or any of the other operating systems and server applications their fathers or older siblings ran "back in the day," while those same fathers and older siblings will have piled up endless experience securing those old, now-obscure programs, making them harder targets than the latest stuff.
>
> You never read about this kind of "security through obscurity," which can just as correctly be called "security through obsolescence." Despite this lack of publicity, it may be as effective a tactic as any other, and it can be implemented without spending a dime.
>
> © Newsforge. All rights reserved