[Klug-general] Linux security to start thinking outside the box

Stephen Ryan sryan at intrench.com
Thu Nov 29 11:17:56 GMT 2007


Someone once said, "You know, guy, you really think outside the box."
To which he replied, "What box?"

At the risk of becoming increasingly painfully nauseating, I say to you
again.

Can you build the most secure Linux laptop in the world?

When you think about it - the question is indeed a valid one - all it needs
is the desire and smarts to find the answer.

I am not suggesting that the technology is the only component of the most
secure Linux laptop in the world!

My proposal is that KLUG consider seeking a grant from Government for such a
project.

With the right help we would be able to demonstrate the most secure laptop
in the world in approximately 1 year from today.

Please read the stuff about Virgil Griffith, because he will be one of the
people in the race to achieve this:
http://intrench.blogspot.com/search/label/information%20leakage

also
http://intrench.blogspot.com/2007/11/hacker-race-is-on-to-find-most-secure.html

Happy to discuss in more detail if you can set up a KLUG meeting in Hythe.

Stephen Ryan
www.intrench.com
www.brandspy.org

 


-----Original Message-----
From: kent-bounces at mailman.lug.org.uk
[mailto:kent-bounces at mailman.lug.org.uk] On Behalf Of
kent-request at mailman.lug.org.uk
Sent: 28 November 2007 18:56
To: kent at mailman.lug.org.uk
Subject: Kent Digest, Vol 146, Issue 9



Today's Topics:

   1. Re: Linux to offer a paradigm-shift in computer security (Peter Childs)
   2. Re: Linux to offer a paradigm-shift in computer security (Karl Lattimer)
   3. A friend got script kiddied... (Karl Lattimer)
   4. Re: A friend got script kiddied... (Karl Buckland)
   5. Re: A friend got script kiddied... (Karl Lattimer)
   6. Re: A friend got script kiddied... (Dan Attwood)
   7. Re: Linux to offer a paradigm-shift in computer security (Peter Childs)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 15:34:49 +0000
From: "Peter Childs" <peterachilds at gmail.com>
Subject: Re: [Klug-general] Linux to offer a paradigm-shift in computer security
To: "Kent Linux User Group - General Topics" <kent at mailman.lug.org.uk>
Message-ID: <a2de01dd0711280734v73745965ha2e5db97b2915a8f at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 28/11/2007, Karl Lattimer <karl at qdh.org.uk> wrote:
>
> OK, this is bad advice ^^ see bad advice... The firewall in Windows is
> the only thing stopping the Slammer worm and a bunch of others. Don't
> switch it off because it is added bloat!!!! It isn't, the standard
> Windows firewall is an adequate solution; it's not ideal but it WORKS
> for the purposes it is intended, protecting Windows' penchant for
> opening ports on LAN networks.
>

If it's a worm, the virus protection should have stopped it. A firewall will
not stop a worm.

A *firewall* is a dedicated appliance
<http://en.wikipedia.org/wiki/Computer_appliance>, or software
<http://en.wikipedia.org/wiki/Software> running on another computer, which
inspects network traffic passing through it, and denies or permits passage
based on a set of rules.

see http://en.wikipedia.org/wiki/Firewall_(networking)

The Windows "Firewall" does do something useful in that it stops certain
types of spyware, viruses, worms etc., but it is not a firewall in the
original sense of the word, and there is no reason why a tool calling itself
spyware protection will not in fact do the same job.


Peter Childs

------------------------------

Message: 2
Date: Wed, 28 Nov 2007 16:21:20 +0000
From: Karl Lattimer <karl at qdh.org.uk>
Subject: Re: [Klug-general] Linux to offer a paradigm-shift in computer security
To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
Message-ID: <1196266880.6530.83.camel at despair>
Content-Type: text/plain


On Wed, 2007-11-28 at 15:34 +0000, Peter Childs wrote:
> On 28/11/2007, Karl Lattimer <karl at qdh.org.uk> wrote:
> > OK, this is bad advice ^^ see bad advice... The firewall in Windows is
> > the only thing stopping the Slammer worm and a bunch of others. Don't
> > switch it off because it is added bloat!!!! It isn't, the standard
> > Windows firewall is an adequate solution; it's not ideal but it WORKS
> > for the purposes it is intended, protecting Windows' penchant for
> > opening ports on LAN networks.
>
> If it's a worm, the virus protection should have stopped it. A firewall
> will not stop a worm.
>
The biggest load of shit I've ever heard!!!!

A WORM/REMOTE EXPLOIT CAN ATTACK USING A BUFFER OVERFLOW EXPLOIT AGAINST AN
OPEN PORT FOR INSTANCE, A FIREWALL BLOCKS THIS INITIAL ATTACK RATHER THAN
REMOVING THE MALWARE AFTER INFECTION HAS TAKEN PLACE!

Anti-virus is a damage limitation tool (and by no means perfect, generally
leaving a few twitching tendrils of malware), not an active interrogator of
incoming traffic like DEEP PACKET INSPECTION; firewalls ultimately prevent
services being exploited, for the most part by blocking access to certain
ports.

> A firewall is a dedicated appliance, or software running on another 
> computer, which inspects network traffic passing through it, and 
> denies or permits passage based on a set of rules.

Appliance meaning... a computer with software in it? And why does it need to
be dedicated? I mean, if my web server is in a DMZ it's gonna have iptables
on it!

> see http://en.wikipedia.org/wiki/Firewall_(networking)

Of course, you get all your knowledge regarding firewalls from Wikipedia,
not, erm... I dunno, Cisco internetworking systems (great free-as-in-beer
book) or the netfilter mailing list, or the countless white papers on
iptables you've read.

Oh right, so you're an authority, that makes everything different!

> The Windows "Firewall" does do something useful in that it stops
> certain types of spyware, viruses, worms etc., but it is not a firewall
> in the original sense of the word, and there is no reason why a tool
> calling itself spyware protection will not in fact do the same job.

Now, can you please not tell me things like "The Windows "Firewall" does do
something useful in that it stops certain types of spyware, viruses, worms
etc." after saying "A firewall will not stop a worm", because it only
reflects badly on yourself.

The truth of the matter is the general attack vector for spyware is the web
browser. Viruses are generally transmitted by people via email scams and
other social engineering attacks (although it was floppy discs and boot
sectors); worms propagate themselves using in-built exploitation techniques
across networks, not unlike a lone cracker would, although automated.

The Sasser worm attacked the LSASS service on Windows systems via an open
port; it injected a heap overflow if memory serves, and then downloaded a
bunch of crud in the background and loaded the machine up with crap. By
simply blocking the affected port using a firewall the attack could have
been prevented. Windows XP SP1 was affected by it, and that's when MS decided
to bundle a firewall in SP2.

The Windows firewall is a port blocker: it blocks ports, which is exactly
what you need from it. Nothing more, nothing less. If you'd like to debate
firewalls further then by all means, in private. I've actually developed 2
commercially successful firewall products in the past, using ipchains and
iptables, so I do know a thing or two about them.

K,

PS. I did actually mean to mention the Sasser worm in my initial post re the
worth of firewalls, but Slammer and Sasser sound so similar! :P

PPS. Sorry about the excessive caps, but bad advice and inaccurate
information regarding security is one of my pet peeves; it's this kind of
wilful ignorance and to some degree arrogance that causes widespread
misconception, which leads to security becoming a joke.
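As an added illustration of the point argued above (this is not code from the thread, nor from any firewall product named in it), the model below is a small stateful, default-deny host firewall: an unsolicited inbound connection to a port that is listening but was never deliberately opened is dropped before the service ever sees it, while the host's own outbound connections and their replies pass. All addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # source address
    sport: int
    dst: str
    dport: int
    direction: str     # "in" = arriving at the host, "out" = leaving it
    syn: bool = False  # True for a new-connection request

class HostFirewall:
    """Default-deny inbound filter with a conntrack-style table of known flows."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)  # services deliberately exposed
        self.flows = set()                 # (local_port, remote_addr, remote_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Anything the host sends is allowed; remember the flow so replies get back in.
            self.flows.add((pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound packet belonging to a flow this host already opened or accepted.
        if (pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        # New inbound connection: only to ports that were deliberately opened.
        if pkt.syn and pkt.dport in self.open_ports:
            self.flows.add((pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        # Default policy: the listening service never sees this packet at all,
        # which is the "block the initial attack" effect discussed above.
        return "DROP"

def demo() -> dict:
    """Run constructed traffic through a firewall that exposes only SSH (port 22)."""
    fw = HostFirewall(open_ports={22})
    host = "192.0.2.10"  # the protected machine (constructed address)
    return {
        # unsolicited probe of a service that listens on a port never opened (constructed port)
        "worm_probe":  fw.filter(Packet("203.0.113.9", 40000, host, 445, "in", syn=True)),
        "ssh_login":   fw.filter(Packet("198.51.100.4", 51000, host, 22, "in", syn=True)),
        "web_request": fw.filter(Packet(host, 52000, "198.51.100.80", 80, "out", syn=True)),
        "web_reply":   fw.filter(Packet("198.51.100.80", 80, host, 52000, "in")),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```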





------------------------------

Message: 3
Date: Wed, 28 Nov 2007 16:58:02 +0000
From: Karl Lattimer <karl at qdh.org.uk>
Subject: [Klug-general] A friend got script kiddied...
To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
Message-ID: <1196269082.6530.98.camel at despair>
Content-Type: text/plain; charset=UTF-8

One of my mates got skiddied last night by an insecure expose module in
joomla. 

We tracked down his MSN address...

------------------
16:47 <us> 
next time you hack a website, make sure you clean up after yourself... 
silly mistakes get people caught 

16:47 [b] | |  Cy HacKeR StingS | |[/b] disconnected
------------------

Hope that entertained you...

K,





------------------------------

Message: 4
Date: Wed, 28 Nov 2007 17:25:12 +0000
From: Karl Buckland <karl at digital-end.com>
Subject: Re: [Klug-general] A friend got script kiddied...
To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
Message-ID: <474DA478.2090205 at digital-end.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Karl Lattimer wrote:
> One of my mates got skiddied last night by an insecure expose module 
> in joomla.
>
> We tracked down his MSN address...
>
> ------------------
> 16:47 <us>
> next time you hack a website, make sure you clean up after yourself... 
> silly mistakes get people caught 
>
> 16:47 [b] | |  Cy HacKeR StingS | |[/b] disconnected
> ------------------
>
> Hope that entertained you...
>
> K,
>
>   
How did you manage to track him down? I assume he left some sort of 
information.... that would be fairly stupid...



------------------------------

Message: 5
Date: Wed, 28 Nov 2007 17:56:31 +0000
From: Karl Lattimer <karl at qdh.org.uk>
Subject: Re: [Klug-general] A friend got script kiddied...
To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
Message-ID: <1196272591.26767.6.camel at ganja.nncc.info>
Content-Type: text/plain; charset=utf-8


On Wed, 2007-11-28 at 17:25 +0000, Karl Buckland wrote:
> Karl Lattimer wrote:
> > One of my mates got skiddied last night by an insecure expose module 
> > in joomla.
> >
> > We tracked down his MSN address...
> >
> > ------------------
> > 16:47 <us>
> > next time you hack a website, make sure you clean up after yourself... 
> > silly mistakes get people caught 
> >
> > 16:47 [b] | |  Cy HacKeR StingS | |[/b] disconnected
> > ------------------
> >
> > Hope that entertained you...
> >
> > K,
> >
> >   
> How did you manage to track him down? I assume he left some sort of
> information.... that would be fairly stupid...

It happened like this: firstly I started back-tracing the logs. Most of what
he did was automated; looks like a Joomla worm of some sort. Here's the BUT!
He made a posting to a forum of a series of domains he'd defaced; as people
from the forum clicked back through, it left us a click trail to follow, right
back to his boasting post, which we were unable to read. However, the forum's
policy was to display certain contact info even in private forums, so we
nabbed it there.

Pretty simple really.

This is the third time we've had a Joomla worm hit us, and it looks like the
same exploit had been used on the server on 5 separate occasions by 5
different worms. Time was when you closed the security hole properly
behind you so you could continue to use it and nobody noticed; that is the
essence of ownage.

K,
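The click trail described above is, in practice, the Referer header that visitors' browsers send and the web server records in its access log. What follows is an added example, not code from the thread: it parses combined-format access log lines and ranks referring pages by distinct visitor addresses, with the time of the first click, which is where a defender would start looking for the post that linked to the defaced site. The log lines, addresses and the forum.example URLs are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one referer-less automated hit, three visitors arriving from
# the same forum thread, and one from a search engine. forum.example is fictitious.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Nov/2007:02:11:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2007:09:40:12 +0000] "GET / HTTP/1.1" 200 1432 "http://forum.example/thread/4711" "Mozilla/5.0"
198.51.100.8 - - [28/Nov/2007:09:41:55 +0000] "GET / HTTP/1.1" 200 1432 "http://forum.example/thread/4711" "Opera/9.2"
192.0.2.33 - - [28/Nov/2007:10:02:10 +0000] "GET /about HTTP/1.1" 200 900 "http://www.google.com/search?q=site" "Mozilla/5.0"
198.51.100.9 - - [28/Nov/2007:11:15:00 +0000] "GET / HTTP/1.1" 200 1432 "http://forum.example/thread/4711?page=2" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def referring_page(referer):
    """Reduce a Referer URL to scheme://host/path; '-' means no referer was sent."""
    if referer == "-":
        return None
    u = urlsplit(referer)
    return f"{u.scheme}://{u.netloc}{u.path}"

def click_trail(text):
    """Return (referring page, distinct visitor IPs, first seen) tuples, busiest first."""
    visitors = defaultdict(set)
    first_seen = {}
    for rec in parse_log(text):
        page = referring_page(rec["referer"])
        if page is None:
            continue  # direct hit, or a client that sends no Referer
        visitors[page].add(rec["ip"])
        first_seen.setdefault(page, rec["time"])
    return sorted(((p, len(ips), first_seen[p]) for p, ips in visitors.items()),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    for page, n, when in click_trail(SAMPLE_LOG):
        print(f"{n:3d} visitor(s) from {page} (first seen {when})")
```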





------------------------------

Message: 6
Date: Wed, 28 Nov 2007 18:35:53 +0000
From: "Dan Attwood" <danattwood at googlemail.com>
Subject: Re: [Klug-general] A friend got script kiddied...
To: "Kent Linux User Group - General Topics" <kent at mailman.lug.org.uk>
Message-ID: <1d69f4860711281035g5f2fb030t6c1cee60ebc38849 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

This is part of the reason I'm dumping Joomla and learning Drupal - I have
no real faith in Joomla anymore.

------------------------------

Message: 7
Date: Wed, 28 Nov 2007 18:55:49 +0000
From: "Peter Childs" <peterachilds at gmail.com>
Subject: Re: [Klug-general] Linux to offer a paradigm-shift in computer security
To: "Kent Linux User Group - General Topics" <kent at mailman.lug.org.uk>
Message-ID: <a2de01dd0711281055x1cff7e79ja029ac5739ad94d3 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 28/11/2007, Karl Lattimer <karl at qdh.org.uk> wrote:
>
> On Wed, 2007-11-28 at 15:34 +0000, Peter Childs wrote:
> > On 28/11/2007, Karl Lattimer <karl at qdh.org.uk> wrote:
> > > OK, this is bad advice ^^ see bad advice... The firewall in Windows is
> > > the only thing stopping the Slammer worm and a bunch of others. Don't
> > > switch it off because it is added bloat!!!! It isn't, the standard
> > > Windows firewall is an adequate solution; it's not ideal but it WORKS
> > > for the purposes it is intended, protecting Windows' penchant for
> > > opening ports on LAN networks.
> >
> > If it's a worm, the virus protection should have stopped it. A firewall
> > will not stop a worm.
>
> The biggest load of shit I've ever heard!!!!
>
> A WORM/REMOTE EXPLOIT CAN ATTACK USING A BUFFER OVERFLOW EXPLOIT AGAINST AN
> OPEN PORT FOR INSTANCE, A FIREWALL BLOCKS THIS INITIAL ATTACK RATHER THAN
> REMOVING THE MALWARE AFTER INFECTION HAS TAKEN PLACE!
>
> Anti-virus is a damage limitation tool (and by no means perfect, generally
> leaving a few twitching tendrils of malware), not an active interrogator of
> incoming traffic like DEEP PACKET INSPECTION; firewalls ultimately prevent
> services being exploited, for the most part by blocking access to certain
> ports.
>
> > A firewall is a dedicated appliance, or software running on another
> > computer, which inspects network traffic passing through it, and
> > denies or permits passage based on a set of rules.
>
> Appliance meaning... a computer with software in it? And why does it need
> to be dedicated? I mean, if my web server is in a DMZ it's gonna have
> iptables on it!
>
> > see http://en.wikipedia.org/wiki/Firewall_(networking)
>
> Of course, you get all your knowledge regarding firewalls from Wikipedia,
> not, erm... I dunno, Cisco internetworking systems (great free-as-in-beer
> book) or the netfilter mailing list, or the countless white papers on
> iptables you've read.
>
Actually this is what I was taught at university. It's the standard
definition of a firewall.

Just like not all things people call viruses are in fact viruses (they may be
worms, trojan horses, etc. etc.), but all are covered by what is now a standard
tool that protects against many things.

All I'm trying to say is that most Windows firewall software is badly set up
and usually people just blindly click Yes when asked.

If used properly it's a useful tool, but most people don't understand what's
what...

Peter.

------------------------------
