By Bruce Garlock
With all the recent worms, viruses, and other little tricks the blackhats use, we are all becoming familiar with terms like "buffer overflows", "privilege escalation", "symlink attacks", and other terms used in the security world. There are a number of security-related websites that announce security vulnerabilities for a variety of operating systems, but the problem is that there are too many. Here are some links to a few of the more popular ones:
I like the last site the best. Securiteam.com integrates various OSes, and lots of the more obscure open source programs have security announcements there, with proof-of-concept exploits posted.
About two years or so ago, I was hit at home by what I thought was a cracker. I was at work one day, and decided I needed to scp a file off my system at home that I was working on for a project at work. Since my home system uses a dialup (still to this day, but Comcast is coming soon!), sometimes the response was awfully slow. Usually, I attribute this to 'fetchmail' grabbing mail for me, or possibly someone looking at my website at the time (my website has since been moved to a "real" server). After about a half hour or so, and receiving no response, I hopped in the car to head home and see what was up. When I got there, my modem's lights were dancing about, indicating that someone was looking at something on my computer. I logged in, did a 'ps -ef|less' and looked at all my processes. Wow! Someone was running 'netcat' to an IP address I was not familiar with! My first step? Archive all my log files, and not let the person know I was on to them. Then I thought, how did they get through? Well, I only had port 80 and port 22 opened up to the world, so I concentrated on those. Looking at my webserver log files, using 'grep' with the IP address that 'netcat' was connected to, I discovered that the "cracker" used a hole in the phpNuke web portal system I was running. I found this out by searching securiteam.com. Without that site, I would not have known that phpNuke had an exploit out, and a fix.
But why didn't I know? Simple. I was not watching the site regularly, and was uninformed. This happens to many SysAdmins. They run packages for which they may not know there is a fix, or that an exploit is being used by crackers. I put the word cracker in quotes for my intruder, because he/she was really a script kiddie. His 'netcat' session revealed that he had several C programs in a webserver directory for FreeBSD, SCO, and even Windows that he was trying to compile and run on my system. The one program he finally got to compile was for a wu-ftp exploit for FreeBSD. He only had the uid of Apache, so he was running these to try and get root. Too bad I caught him in the act, looked up the WHOIS record for his IP, and reported it to his ISP, complete with logs, times, and everything else. Since he/she was from Bosnia, I don't know how things turned out. I should have tried a packet injection to really scare the heck out of him, but I don't like to sink to the level of script kiddies and other black hats.
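The log check described in the story above (take the peer address from the 'netcat' process and pull every webserver request from that address) as an added example; this is not the author's own script, and the log lines and addresses in it are constructed for illustration:

```python
import re
from collections import Counter

# Apache "combined" access-log format (CustomLog ... combined).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample log (not the author's real logs); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2009:13:01:02 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Nov/2009:13:04:44 -0500] "GET /search.php?q=test HTTP/1.0" 200 812 "-" "curl/7.19"
198.51.100.7 - - [07/Nov/2009:13:04:46 -0500] "POST /search.php HTTP/1.0" 200 0 "-" "curl/7.19"
203.0.113.5 - - [07/Nov/2009:13:05:10 -0500] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Nov/2009:13:05:30 -0500] "GET /cgi-bin/test.pl HTTP/1.0" 404 293 "-" "curl/7.19"
this line is not a valid log entry
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def requests_from(log_text, ip):
    """All parsed entries whose client address equals `ip`, in log order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e["ip"] == ip]

def summarize(entries):
    """Count (method, path) pairs and status codes, to see what the client touched."""
    paths = Counter()
    statuses = Counter()
    for e in entries:
        parts = e["req"].split()
        method, path = (parts[0], parts[1]) if len(parts) >= 2 else (e["req"], "")
        paths[(method, path)] += 1
        statuses[e["status"]] += 1
    return {"requests": len(entries), "paths": paths, "statuses": statuses}

if __name__ == "__main__":
    suspect = "198.51.100.7"   # the address seen as the netcat peer in the `ps` output
    hits = requests_from(SAMPLE_LOG, suspect)
    for e in hits:
        print(e["ts"], e["req"], e["status"])
    print(summarize(hits))
```

Run it against a copy of the archived access_log rather than the live file, so the timeline you reconstruct matches the evidence you preserved.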
I also use RedHat Network, which keeps me informed of security patches, and I apply them ASAP. The problem is that with many systems, you need to break out of the shell that the OS vendor has given you to add more features to your system. Often, this requires installing packages that are not part of the base OS, and are not covered by the OS's reporting facilities for exploits and other security-related bugs. I mentioned various websites above that provide this information, but if you have ever subscribed to the mailing lists, you would see a heck of a lot of traffic for a lot of programs you might not even care about.
I really think we need a centralized db for all OSes and all programs out there. The user can then subscribe to the security announcements for only the programs they run on their system, and keep informed of the possible exploits running around the net. Having a centralized db would also help keep things organized. I can't tell you the number of emails I get from the mailing lists on the websites above. It is too much, and takes too much time to parse through all the emails. A central db would inform me about the base OS that I am currently running, and any additional programs that I decide to subscribe to.
Every open source author, commercial author, anybody writing programs, would be required by law to register their program with this database, since their program could ultimately be the hole that a cracker uses to create havoc on the Internet. I know this sounds a bit radical, but what other choices are there? How many lives have to be lost due to computer failures, because of exploits traveling the Internet, taking advantage of SysAdmins being ignorant? My first encounter with a script kiddie really opened my eyes to computer security, and now I am a bit more paranoid. I wonder how the Department of Homeland Security proposes we fix this problem.
The one problem I see is with custom programs, which may never be registered with the db. For example, I have written CGI scripts in Perl to accomplish a task, but since I have not given these programs back to the community, the inner workings have never been audited, and they pose a possible hole if exposed to the net. I usually don't put these kinds of things on webservers exposed to the net, but keep them in a "secured" network. Maybe I don't do enough input checking with my script, and it would be possible to overflow the buffer and spawn a shell as the UID of the script. What if the script is running as root? Wham!
There are many theories out there on how to fix the problem of insecure OSes, and how to get admins to patch their systems. The trouble is, the word is somehow not getting out, or not getting out in a timely fashion. A centralized db could prioritize information by sending a page to the SysAdmin's pager that their system had better get patched quickly, or it may be used as a possible worm transmission point. Personally, I would feel awful if one of my systems was used in the propagation of a worm or virus because I left it unpatched.
Although this idea may seem a bit crazy at first, how else can we get information to SysAdmins quickly enough? The Internet sprawl has really created a bit of a mess out there, with ignorant SysAdmins being responsible for systems that they really shouldn't be responsible for. With so many systems being connected to the Internet and not protected properly, lives are at risk. Usually with loss of life, a lawsuit follows. After the lawsuit comes the law, to further protect people. This may be one way we can get the information out to SysAdmins quicker, and in an orderly, centralized fashion.
I welcome your comments!
Got something to add? Send me email.
© 2009-11-07 Bruce Garlock