Re: S: ssh worms FAQ

From: Joe (joe_at_jretrading.com)
Date: 09/18/04


Date: Sat, 18 Sep 2004 21:56:09 +0100

In message <414C899B.5EC85A8@comtv.ru>, Innocenti Maresin
<av95@comtv.ru> writes
>jayjwa wrote:
>
>> These aren't "worms". "worm" as it's used today is a misnomer
>
>I'm not willing to get into a discussion on English terms.
>Please, propose a well-understood word to name such a phenomenon instead
>of "worm",
>like "scan" or "crack", but not "indiscriminate straight-up attacks"
>nor "semi-automated probing".
>Maybe, "ssh account harvesting"?

I think the distinction here is that a 'worm' is automatic, a program
which spreads by itself, and can attack others from an infected machine.
These recent attacks are from humans; someone is actually sitting at a
computer running the attack program. As far as we are concerned there
may be no difference, but a successful worm can create many more
attackers than there are human crackers in the world.
>
>
>> I don't call making ssh accounts with logins like "test:test"
>> and "guest:guest" a vulnerability, that's just senseless ;)
>
>Do you consider as severe vulnerabilities
>only such hidden-deeply-in-the-code things as the do_brk flaw
>or different flavours of buffer overflows?
>I have seen such a thing as "rpc.statd gethostbyname buffer overflow exploit"
>only once,
>but ssh attempts many times, more or less intensive.
>What does it mean?
>That stupid passwords really _are_ a common vulnerability,
>regardless of what you think about such types of host admins :)
>This is a human vulnerability of course, not a technical one.

If your machine is successfully attacked, does it matter which kind of
problem it is? It is possible to force users to create good passwords,
to change them often, and not to use a password twice in a certain
period of time. Users hate this. Is it a vulnerability of a certain
Linux distribution if these policies are not already built-in at the
time of installation? Should the user be able to turn them off?

Certainly the serious versions of Windows, logging on to a server, have
this built in as standard. It is easy to dismiss all Windows versions as
having very poor security, but the server versions are capable of good
security. Not great, but good.

Windows has the 'advantage' of allowing people who do not understand
computers to use them. Is this a strength or a weakness? If Linux is to
become a popular desktop OS it must do the same, and some distributions
are moving in that direction. The result must be that more people who do
not understand anything about security are running computers connected
to the Internet. Should the operating system try to protect them from
their own ignorance? How well can it do this?

>You can claim that these admins are "lame" or "brain-dead"
>(as I can say about programmers who permit buffer overflows),
>but now, some migration away from Windows to Linux exists.
>This means, we'll have more and more "lame" admins in UN*X world :)

I think we know this, and we are seeing some of the results. Not only is
Linux attracting the kind of people who might use Windows, but in some
cases they are the same people, who bring bad habits with them.

>In other words, an average UN*X admin becomes more and more lame.
>It's not a crash of UN*X culture or a crash of Linux.
>We can just realize that some phenomena
>which, as we thought, existed in Windows or Macintosh worlds only,
>now exist also in the UN*X world.
>First of all, I mean "admins" who can't control their machines
>and a lot of boxes controlled by remote bad guys.
>Therefore, "ssh worms" will exist.
>IMHO a FAQ on so-called-by-me "worms"
>might help to discriminate possible really non-trivial menaces
>among usual scripty noise.
>Such a FAQ should claim: NO menace for a GOOD admin from there.
>Also, because _most_ lame people still stay under M$,
>an average BAD admin has a chance to read some FAQs,
>to realize that he is a bad admin, to want to become a good admin
>and to remove his bad admin's vulnerabilities.
>Without such a FAQ good UNIX admins spend time
>trying to understand what these ssh attacks mean,
>while bad ones (and their ISPs' network admins)
>do not know what happens and what to do.
>
There are services which inform about problems as soon as they are
found. CERT (www.cert.org) gives good quality information about security
problems, but they are only interested in big problems. Security Focus
runs a mailing list for this kind of information. Most Linux
distributions have a website or mailing list for security problems. I
think that if someone takes the time to convert all these security
alerts into a FAQ for beginners, the problem will already be over, or
less serious.

There is no easy way. To maintain good security, you must understand the
problems, and look at the information which arrives first. You cannot
wait for someone to convert the information to a simple set of
instructions.

Do you know about http://grc.com, Steve Gibson's Shields Up! site? This
is a fairly simple automatic port scanning program, but the way that the
results are presented is quite dramatic. It uses simple language, and it
scares people who are running open services, and perhaps this is a good
thing. Maybe Microsoft and the Linux distributions should put a link to
this site on the desktop. Even intelligent people who are not involved
in IT work are often totally unaware of the dangers of the Internet.

-- 
Joe
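As an added example (not part of the original thread), the following detector separates the "ssh account harvesting" pattern discussed above from ordinary failed logins by counting the distinct usernames each source address tries in sshd log lines; the log lines and the list of default account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post): one source
# cycles through common account names, another is a legitimate user who
# mistyped a password once and then logged in with a key.
SAMPLE_LOG = """\
Sep 18 21:40:01 host sshd[4011]: Failed password for invalid user test from 192.0.2.10 port 51012 ssh2
Sep 18 21:40:02 host sshd[4013]: Failed password for invalid user guest from 192.0.2.10 port 51013 ssh2
Sep 18 21:40:03 host sshd[4015]: Failed password for invalid user admin from 192.0.2.10 port 51014 ssh2
Sep 18 21:40:04 host sshd[4017]: Failed password for root from 192.0.2.10 port 51015 ssh2
Sep 18 21:40:05 host sshd[4019]: Failed password for invalid user user from 192.0.2.10 port 51016 ssh2
Sep 18 21:41:10 host sshd[4030]: Failed password for joe from 198.51.100.7 port 40022 ssh2
Sep 18 21:41:15 host sshd[4032]: Accepted publickey for joe from 198.51.100.7 port 40023 ssh2
"""

# Matches both "Failed password for invalid user X" (unknown account) and
# "Failed password for X" (existing account, e.g. root).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed list of account names commonly tried by the scans described
# in the thread (assumption, not a definitive list).
DEFAULT_NAMES = frozenset({"test", "guest", "admin", "user", "root"})


def summarize_failures(log_text):
    """Return {source_ip: set(usernames)} for failed password attempts."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].add(m.group("user"))
    return attempts


def flag_harvesters(attempts, min_users=3, default_names=DEFAULT_NAMES):
    """Sources that tried at least min_users distinct accounts, mapped to the
    sorted subset of those names that are well-known defaults. A single user
    failing on their own account never reaches the threshold."""
    return {
        ip: sorted(users & default_names)
        for ip, users in attempts.items()
        if len(users) >= min_users
    }


if __name__ == "__main__":
    for ip, names in flag_harvesters(summarize_failures(SAMPLE_LOG)).items():
        print(f"{ip}: tried default accounts {names}")
```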