Re: Visited by a cracker
From: Herman F. Ebeling Jr. (hfebelingjr_at_lycos.com)
Date: 07/15/04
- Previous message: Mario Ohnewald: "Re: Visited by a cracker"
- Maybe in reply to: Per Christian B. Viken: "Visited by a cracker"
- Next in thread: Herman F. Ebeling Jr.: "RE: Visited by a cracker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-linux@securityfocus.com
Date: Wed, 14 Jul 2004 20:00:49 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ya know that IS the exact same argument that Dr. Cliff Stoll made
when he was "hunting" his hacker/cracker. That once a system has
been invaded the legit users can never be 100% or even reasonably
sure that their data IS theirs, and that it hasn't been altered or
corrupted in any way.
And try as he might he couldn't get anyone at the FBI to recognize
that the loss of trust was NOT something that could be measured in
dollars and cents. All they wanted to know was how much money (and
more than the $0.75 they lost) had they lost because of this
"hacker." I guess IF he had stopped a process that was controlling
one of the cyclotrons when it was being used to treat a PT and that
PT had lost their life that the FBI would have taken notice then. . .
Also as he tried to say how can one put a "true" dollar and cents
figure on an astronomer's or other research scientist's data? To
that particular astronomer/scientist the value of their data is
immeasurable but to someone who doesn't understand what they are
doing it is worthless.
He did however point out something that I consider to be a "gaping"
security flaw, and that is that the software that encrypted "his"
password file "always" encrypts any given password the same way all
of the time, i.e. if one uses "wyvern" as their password it would be
encrypted as "9e3k1w0" or what have you on any system. I would think
that each time it encrypts "wyvern" it does so with a different
outcome, that way IF a cracker d/ls a particular system's password
file they wouldn't be able to use "brute force" and a dictionary file
to "crack" the passwords. Of course it also goes to say that users
should NEVER choose a password that can be readily found in the
English or ANY dictionary, and that a password SHOULD be at a minimum
of 6 alphanumeric characters, as well as shifted keys such as !" as well
as capital and lowercase letters.
And believe it or not, but as I would presume that most of you read
2600 as well as other "hacking" magazines to stay on top of exploits
as well as the mindset of those who are trying to break into
your/our systems, "the powers that be" at 2600 do not think
that someone who has been found guilty of "hacking" should face a
"severe" punishment, as well as thinking that if a person or business
didn't "lock down" their system(s) that they have no one else to
blame but themselves for anything that happens to their system(s).
I'm sorry, but that is like saying that the person who is/was walking
down the street minding their own business is somehow to blame IF
they get robbed/mugged/assaulted/killed, just because they didn't
take the "precaution" of having a team of bodyguards surrounding them
as they walked down the street.
We can only work with what we have/know, and IF we do not know about
a particular exploit, security hole/flaw, patch then how the bloody
hell are we supposed to "fix" the problem IF it is fixable??? I mean
IF we do not know about it in the first place how are we supposed to
"fix it???"
Herman F. Ebeling Jr.
----- Original Message -----
From: "Christian" <serialkiller@thedeadsquad.com>
Date: Tue, 13 Jul 2004 19:54:16 -0400
To: "Arthur Chan" <axc@andrew.cmu.edu>,"Alan Hicks"
<alan@lizella.net>
Subject: Re: Visited by a cracker
> Hi
> Sorry to hear about your visitor. I have been around the security
> field a while, and from that and my time working with ISPs I can
> say this.
>
> 1. Wipe the box! Restore from backup that is trusted, or completely
> redo from scratch. These guys here in the newsgroups know a lot,
> but no matter how deep, and how far you go looking at this box, YOU
> CAN NEVER TRUST ONE PIECE OF SOFTWARE ON IT! You have customers
> and they are depending on you to be 1000% secure. If this was a
> personal box, hell ya.. for the excitement go for it! I am not a
> die hard programmer that eats, sleeps, dreams code, and I know that I
> use code written by others, so I don't pretend to be able to check
> it.
>
> 2. Contact all customers to verify their account. If it can't be
> verified then don't set it up! I doubt your cracker wants you
> calling him at home to confirm his/her info.
>
> 3. Understand that you did nothing wrong. No one (sane) invites a
> cracker to them. Most find themselves in the cracker's eye, by
> chance ( script kiddie ) or by reason ( diligent cracker who is
> using you for a purpose, either singled out by DOMAIN, NETWORK you're
> connected into, what your organization does, or to use you as a
> launch pad to somewhere else )
>
> It's a tough lesson to learn, but that is why we backup.. :)
> ----- Original Message -----
> From: "Arthur Chan" <axc@andrew.cmu.edu>
> To: "Alan Hicks" <alan@lizella.net>
> Cc: <focus-linux@securityfocus.com>
> Sent: Tuesday, July 13, 2004 11:20 AM
> Subject: Re: Visited by a cracker
>
>
> > Is it at all possible that the cracker tampered his .bash_history
> > and left it there to fool you?
> >
> > .arthur
> >
> >
> >
> > On Sun, 11 Jul 2004, Alan Hicks wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > My first suggestion would be to ask the good people in
> > > alt.os.linux.slackware for a bit of advice. Specifically I
> > > posted this recent addendum to the FAQ there:
> > >
> > > http://wombat.san-francisco.ca.us/faqomatic/cache/124.html
> > >
> > > On Jul 11, 2004, at 10:45 AM, Per Christian B. Viken wrote:
> > > > Is there anything else I should check out? Anywhere else some
> > > > nasty exploits or trojans might be hiding? And should I try to
> > > > find this guy? Or is it probably hopeless?
> > >
> > > As mentioned in that article crackers often like to hide
> > > binaries in strange places so searching /dev /tmp /var/tmp
> > > /usr/src/linux et cetera isn't just paranoid, it could be a
> > > good idea. However in this case I don't think you've got that
> > > much to worry about. The cracker obviously wasn't smart enough
> > > to remove his own .bash_history, and probably didn't insert
> > > that kmod either (I still wouldn't trust modprobe, insmod, or
> > > that kernel however. A little paranoia never hurt anyone). Of
> > > course the only way to be 100% certain that you don't have any
> > > backdoors open is to wipe the box clean and re-install.
> > >
> > > Finding the guy is probably hopeless given that all his IPs are
> > > in other countries (I'm going by the whois info on
> > > angryadmin.net here). Still, you could give it a shot, and at
> > > least alert whoever owns those boxen that they have a cracker
> > > among their ranks. I'd say as a good netizen you have that
> > > obligation at least.
> > >
> > > --
> > >
> > > It is better to hear the rebuke of the wise,
> > > Than for a man to hear the song of fools.
> > > Ecclesiastes 7:5
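Herman's point about a password file that "always" encrypts a given password the same way is the case for per-user salts. The following is an added example, not code from anyone in this thread: it contrasts a deterministic (unsalted) hash, which a precomputed dictionary table matches instantly, with a salted PBKDF2 record that differs on every system even for the same password. The word list, the "wyvern" password and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

PASSWORD = "wyvern"        # the sample password from the message; constructed, not a real credential
ITERATIONS = 100_000       # assumed PBKDF2 work factor; tune for your hardware


def unsalted_hash(password: str) -> str:
    """Deterministic hash: identical on every system, so one lookup table cracks every leak."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Return a stored record 'salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn on every call, so the same password
    produces a different record each time. A caller-supplied salt is accepted
    only to make tests repeatable."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputed_table(words, hash_fn):
    """The kind of lookup table a leaked unsalted password file is matched against."""
    return {hash_fn(w): w for w in words}


def demo() -> dict:
    words = ["password", "wyvern", "letmein"]          # constructed mini dictionary
    table = precomputed_table(words, unsalted_hash)
    rec1, rec2 = make_record(PASSWORD), make_record(PASSWORD)
    return {
        "unsalted_lookup": table.get(unsalted_hash(PASSWORD)),   # 'wyvern': cracked by lookup alone
        "salted_records_differ": rec1 != rec2,                   # same password, different records
        "both_verify": verify(PASSWORD, rec1) and verify(PASSWORD, rec2),
        "salted_in_table": any(r.split("$", 1)[1] in table for r in (rec1, rec2)),
    }


if __name__ == "__main__":
    print(demo())
```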
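Alan Hicks's advice to search /dev, /tmp and /var/tmp for binaries hidden in strange places can be turned into a repeatable check. This is an added example, not code from the thread or the linked FAQ: it flags regular files anywhere under a /dev-style tree (where only device nodes, symlinks and fifos are expected) and executable regular files under scratch directories, and demonstrates itself on a constructed temporary fixture rather than a live system.

```python
import os
import stat
import tempfile

# Directories named in the message as common hiding places; assumed defaults.
DEFAULT_DIRS = ("/dev", "/tmp", "/var/tmp", "/usr/src/linux")


def scan_dir(root: str, is_dev_tree: bool = False) -> list:
    """Return (path, mode, size) for out-of-place regular files under root.

    Under a device tree every regular file is reported (note: /dev/shm on a
    live system legitimately holds shared-memory files, so review those by hand).
    Elsewhere only regular files with any execute bit set are reported."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable or already gone
            if not stat.S_ISREG(st.st_mode):
                continue                     # device nodes, fifos, symlinks are expected
            executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if is_dev_tree or executable:
                found.append((path, oct(st.st_mode & 0o777), st.st_size))
    return sorted(found)


def demo() -> list:
    """Scan a constructed fixture (not a real system) and return the relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "dev")
        var_tmp = os.path.join(tmp, "var", "tmp")
        os.makedirs(os.path.join(dev, "shm"))
        os.makedirs(os.path.join(var_tmp, ".hidden"))
        with open(os.path.join(dev, "shm", ".x"), "wb") as f:
            f.write(b"\x7fELF")              # a regular file sitting among device nodes
        svc = os.path.join(var_tmp, ".hidden", "svc")
        with open(svc, "wb") as f:
            f.write(b"#!/bin/sh\n")          # an executable in a dot-directory under /var/tmp
        os.chmod(svc, 0o755)
        with open(os.path.join(var_tmp, "notes.txt"), "w") as f:
            f.write("benign, not executable")
        hits = scan_dir(dev, is_dev_tree=True) + scan_dir(var_tmp)
        return [os.path.relpath(p, tmp) for p, _, _ in hits]


if __name__ == "__main__":
    for d in DEFAULT_DIRS:
        if os.path.isdir(d):
            for hit in scan_dir(d, is_dev_tree=(d == "/dev")):
                print(hit)
```

The scan is a triage aid, not proof of a clean box; as the thread says, only a wipe and reinstall gives certainty.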