From: markjw at lightlink.com (Mark J. Walborn)
Subject: w32.frethem.k@mm and good reading

Has anyone encountered the above-mentioned worm? Several anti-viral software
companies have posted updates as of midnight.

Also, I found the following article of interest.

By Robin Miller, NewsForge.com
>    Posted: 06/06/2002 at 12:10 GMT
>    Here's an interesting way to secure an Internet-connected
>    computer against intruders: Make sure the operating system and
>    software it runs are so old that current hacking tools won't work on
>    it. This was suggested by Brian Aker, one of the programmers who works
>    on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs
>    several servers of his own that host a number of small non-profit
>    sites in the Seattle area. "I have one box still running a version of
>    Solaris that's so old none of the script kiddies can figure it out,"
>    Brian says. "They tend to focus on the latest and greatest, and don't
>    have the slightest idea how to handle my old Sun box."
>    Brian points out that some of the most secure Department of Defense
>    Web sites -- ones that don't make headlines by getting cracked all the
>    time -- run old versions of Mac OS and the venerable WebSTAR server
>    suite. "[Mac is] a great operating system for that application," he
>    says. "No scripting or remote capability at all, so there's no way for
>    them to get in."
>    Not only that, the hacker/cracker crowd is fixating, as usual, on the
>    latest versions of everything, like Windows 2K/XP, Mac OS X, the most
>    recent Linux kernels and BSDs, the newest Solaris, and so on. What fun
>    is there in breaking into a system running something so ancient only a
>    dad would even consider using it? There's also an obscurity factor to
>    consider here, and not the one proprietary software advocates usually
>    trot out when discussing security issues.
>    True "security through obscurity"
>    Most Web site takedowns and system intrusions make use of known
>    vulnerabilities in a particular operating system or server software
>    package. These vulnerabilities are typically discovered, a little at a
>    time, by thousands of bad hackers who poke and prod at systems,
>    port-scanning and probing them, sharing the information they gain from
>    their (mostly failed) attempts with each other. A million monkeys with
>    Internet connections may not reproduce any Shakespeare plays -- they
>    need to use old-fashioned typewriters to do that -- but they sure as
>    bleep are going to find vulnerabilities in any host they contact
>    sooner or later simply by sheer weight of numbers, especially if the
>    operating system or software they attack is popular enough that they
>    have many instances of it out there to look and poke at. It doesn't
>    matter whether the operating system and server software under attack
>    is proprietary or Open Source. Sooner or later, with enough monkeys
>    scratching at it, every single chink or opening can be discovered and
>    exploited.
>    Imagine a custom operating system used by only a few servers, running
>    server software so oddball that cracking lessons learned on mainstream
>    servers don't apply to it at all. Or imagine running a DOS variant or
>    an OS like AIX that has never been widely used for Net-attached
>    servers but is adequate for handing out simple Web pages and receiving
>    responses through online forms and handling email, which are the
>    primary tasks performed on most publicly-accessible servers.
>    Now imagine your local script kiddie trying to crack a box running an
>    operating system and server software he's never seen before, about
>    which no information is available in the usual online hacker hangouts.
>    Chances are, he's going to move on to an easier target.
>    This is security through obscurity at its finest. Even if the custom
>    operating system and server software are Open Source, low-level
>    attackers aren't going to bother poring over the code thoroughly
>    enough to find its vulnerabilities, and those few who have the skill
>    level needed almost certainly have better things to do with their time
>    -- like work -- and won't bother.
>    Really dumb stuff
>    Never forget, most intrusions and defacements exploit really stupid
>    administrator or user mistakes, like using "password" as the password
>    for remote access or running all kinds of unnecessary services that
>    create security holes so big a whale could dive through them. These
>    lapses have nothing to do with the operating system or software being
>    used. No operating system or application ever written is immune to
>    user stupidity. Some just take more stupidity to botch than others,
>    you might say. But that's enough about that. Let's go back to talking
>    about old operating systems.
>    Age before beauty
>    One advantage of mature software is that lots of people have already
>    tried to crack it and lots of patches have been written. A smart
>    sysadmin like Brian, running an ancient version of Solaris, has kept
>    up with security updates over the years and has installed all of them
>    he has found. What some people might sneer at as "obsolete" software,
>    others might call "carefully tested" or "proven." Indeed, Debian Linux
>    users often point to the fact that Debian's stable branch does not
>    include the latest kernel or software as one of its great strengths;
>    Debian lets others explore the latest and greatest -- and fall victim
>    to the latest and greatest exploits -- before all the kinks are worked
>    out to the Debian maintainers' satisfaction.
>    Note that an awful lot of servers out there are still running on Red
>    Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the
>    latest version of Apache to trickle out into the world full-strength.
>    Because these programs have zero licensing cost attached to updates,
>    why would so many sysadmins keep using old versions when new ones no
>    doubt offer more and slicker features? Obviously, those sysadmins have
>    the same outlook as delivery truck fleet managers who refuse to buy a
>    new model during its first year or two in production. They prefer to
>    wait until all the kinks are worked out and all the defects and
>    maintenance tricks have been discovered and applied by early adopters
>    before jumping from the tried and true into something new.
>    This is sane behavior for a conservative business manager whether she
>    is running a fleet of Web servers or a fleet of trucks -- or even a
>    fleet of Web servers for a trucking company. But it may be even more
>    sane to hold on to the same servers and trucks even when others sneer
>    at them as being old, even if new versions are smoother and easier to
>    administer or drive. Quite simply, once you have worked with a piece
>    of software or a truck for a number of years, you know its quirks
>    inside and out. When it acts up in a subtle way someone not used to it
>    might not even notice, long experience with it can point an observant
>    sysadmin or mechanic straight to a problem, thereby saving downtime
>    and repair costs.
>    Because "Total Cost of Ownership" is the big management buzz phrase
>    that cuts across all business areas, and anything new requires a
>    learning curve, sometimes it is best to just keep on using the old
>    whatever as long as it does its job reasonably well.
>    At some point -- hopefully before Microsoft stops supporting it --
>    Windows NT may be reasonably secure against most common exploits. If
>    nothing else, by that time there will be hundreds of thousands of
>    sysadmins who have learned how to secure it as hard as possible, even
>    if they had to learn some lessons the hard way -- by getting cracked.
>    At the same time, the script kiddies and malicious hackers who ran
>    roughshod over NT servers when they first appeared have aged. Most of
>    them probably have jobs and responsibilities by now, and aren't
>    getting their kicks playing in other people's systems but are busily
>    securing ones they run themselves.
>    The next generation of bad-kid hackers probably won't mess much with
>    NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or
>    any of the other operating systems and server applications their
>    fathers or older siblings ran "back in the day," while those same
>    fathers and older siblings will have piled up endless experience
>    securing those old, now-obscure programs, making them harder targets
>    than the latest stuff.
>    You never read about this kind of "security through obscurity," which
>    can just as correctly be called "security through obsolescence."
>    Despite this lack of publicity, it may be as effective a tactic as any
>    other, and it can be implemented without spending a dime.
>    ? Newsforge. All rights reserved