Re: US-Cert Update on New Attacks on Computer Infrastructure
- From: "Tom [Pepper] Willett" <tom@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Aug 2008 15:42:48 -0500
CLAP! CLAP! CLAP!
Thanks, Steve.
"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message
news:33716B98-3D29-4499-9573-7A4FB4558358@xxxxxxxxxxxxxxxx
: Dan, I have resisted writing a message like the one I'm writing now but I
: can wait no longer. I'm not exactly sure what it is that you expect to
: accomplish with statements like "web link may be manipulated by others" and
: "poster not responsible if someone hacks post" (other than possibly stoking
: the fears of other readers) nor do I understand your repeated requests for
: me to comment on various things (I am not any kind of Microsoft crystal
: ball).
:
: In the newsgroups I avoid religious arguments about software, engaging in
: flame wars, or questioning people's motives because none of those activities
: do anyone any good. But your exaggerated claims about the realm of possible
: attacks, your continued devotion to "internal safety" vs. "external
: security" (which are terms NO ONE ELSE in the security field uses), your
: frequent invocation of DHS (and your cc-ing the US-CERT in your private
: emails to me -- what's up with that?), and your strange occupation with
: "source code" is really getting quite tiresome.
:
: In this thread you wonder about some kind of "new source code" that might be
: under development. In your thread "Source Code," you lament that, according
: to Wikipedia, Windows 7 "will use the Windows NT source code" -- then later
: on claim that we've got some sort of secret skunkworks project. Do you
: really even understand what source code is? Nowhere in the Wikipedia article
: did I see any reference to Windows NT source code. Do you realize that
: virtually none of the original NT code still exists in the current versions
: of Windows? Much of the architecture (for example -- file storage,
: communications, process handling, and memory management) is still in place,
: of course, but nearly every single element has been rewritten and expanded
: to increase reliability and security, and to take advantage of modern
: hardware capabilities. In a reply to "Is DNSSEC supported by Windows?" you
: claim that DOS is required for "internal safety" -- is this a joke? Do you
: understand that DOS is an ancient thing written for a totally different
: time -- when there were no networks, no multitasking, no re-entrance
: (executing the same piece of code multiple simultaneous times), no
: multi-user support, and no concept of virtualizing any of these layers? DOS
: HAS ZERO security of any kind. To claim "society and the world are paying
: for the mistake" of not using DOS in the current version of Windows is
: really rather silly.
:
: Your assertion that "the majority of people here...have...bought the company
: line" is intended to indicate what? What "company" do you mean? Information
: security practices and philosophies have evolved over time to address
: changing business requirements in an age where everything is connected all
: the time using public networks. To claim that "the majority" are wrong and
: that the development practices (and products) of two decades ago will
: somehow save us from all evil shows a fundamental misunderstanding of the
: issues and solutions.
:
: Dan, I am not attacking your motives or impugning your character. But I am
: asking that you rethink your positions (and your allegiances) as you
: continue your journey in the field of computer security.
:
:
: --
: Steve Riley
: steve.riley@xxxxxxxxxxxxx
: http://blogs.technet.com/steriley
: http://www.protectyourwindowsnetwork.com
:
:
:
: "Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
: news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@xxxxxxxxxxxxxxxx
: > Thanks for your reply MowGreen. I really do respect you and consider you a
: > great asset to this group. I loved when Apple users were so sure of their
: > operating system and computers that they claimed they were really safe and
: > when an Apple, Windows Vista and Ubuntu Linux computer competed against each
: > other the first one to be hacked was the Apple. BTW, have you heard anything
: > about Microsoft new source code that you can publicly share on this
: > newsgroup?
: >
: > "MowGreen [MVP]" wrote:
: >
: >> Where are the Penguin fanbois exclaiming " Linux is the safest OS; it's
: >> impenetrable " ?
: >> C'mon guyz, do your part. You have a role to fill here.
: >>
: >> But, seriously, Dan. Anyone with common sense knows that any system that
: >> is exposed to the internet can be compromised. And, it is irrelevant
: >> which OS one runs.
: >> The key is, never drink 'OS koolaid'. Use the one that suits your
: >> purposes but don't tell everyone that it is ' the most secure ' or ' it
: >> can't be hacked '. That's total nonsense.
: >>
: >>
: >> MowGreen [MVP 2003-2008]
: >> ===============
: >> *-343-* FDNY
: >> Never Forgotten
: >> ===============
: >>
: >>
: >> Dan wrote:
: >>
: >> > http://www.us-cert.gov/current/index.html#red_hat_releases_openssh_security
: >> >
: >> > {Note: Web Link may be manipulated by others and smart web surfing is
: >> > encouraged like reading in plain text and blocking remote code --
: >> > Disclaimer:
: >> > Poster is not responsible if someone hacks post and web link is
: >> > illegally
: >> > changed}
: >> >
: >> > Here is the information from US-Cert.gov which is a part of DHS: all
: >> > below
: >> > should be considered a quote ". . ."
: >> >
: >> > SSH Key-based Attacks
: >> > added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm
: >> >
: >> > US-CERT is aware of active attacks against linux-based computing
: >> > infrastructures using compromised SSH keys. The attack appears to initially
: >> > use stolen SSH keys to gain access to a system, and then uses local kernel
: >> > exploits to gain root access. Once root access has been obtained, a rootkit
: >> > known as "phalanx2" is installed.
: >> >
: >> > Phalanx2 appears to be a derivative of an older rootkit named "phalanx".
: >> > Phalanx2 and the support scripts within the rootkit, are configured to
: >> > systematically steal SSH keys from the compromised system. These SSH
: >> > keys are sent to the attackers, who then use them to try to compromise
: >> > other sites and other systems of interest at the attacked site.
: >> >
: >> > Detection of phalanx2 as used in this attack may be performed as
: >> > follows:
: >> >
: >> > "ls" does not show a directory "/etc/khubd.p2/", but it can be entered
: >> > with "cd /etc/khubd.p2".
: >> > "/dev/shm/" may contain files from the attack.
: >> > Any directory named "khubd.p2" is hidden from "ls", but may be entered
: >> > by using "cd".
: >> > Changes in the configuration of the rootkit might change the attack
: >> > indicators listed above. Other detection methods may include searching
: >> > for hidden processes and checking the reference count in "/etc" against
: >> > the number of directories shown by "ls".
: >> > US-CERT encourages administrators to perform the following actions to
: >> > help mitigate the risks:
: >> >
: >> > Proactively identify and examine systems where SSH keys are used as
: >> > part of automated processes. These keys typically do not have
: >> > passphrases or passwords.
: >> > Encourage users to use the keys with passphrase or passwords to reduce
: >> > the risk if a key is compromised.
: >> > Review access paths to internet facing systems and ensure that systems
: >> > are fully patched.
: >> > If a compromise is confirmed, US-CERT recommends the following actions:
: >> >
: >> > Disable key-based SSH authentication on the affected systems, where
: >> > possible.
: >> > Perform an audit of all SSH keys on the affected systems.
: >> > Notify all key owners of the potential compromise of their keys.
: >> > US-CERT will provide additional information as it becomes available.
: >> >
: >> > US-CERT credits DFN-CERT for their contributions regarding this issue.
: >> >
: >> > {Note: to Microsoft only users: The above is provided as a general
: >> > service announcement and although it affects Linux systems is provided
: >> > here publicly to raise users' awareness of how serious computer attacks
: >> > are getting --- thank you for any feedback and have a great day}
: >> >
: >> > Also please use Microsoft's own password tool to generate stronger
: >> > passwords that are safe and secure. I hope Steve Riley, MSFT will comment
: >> > for all of us to benefit on the issue of new security and safety measures
: >> > and the new source code Microsoft is slowly but surely developing. That
: >> > new source code is what I am super excited about for Microsoft's future.
: >>
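The two detection steps quoted from the US-CERT notice above (comparing the reference count of "/etc" with the number of directories "ls" shows, and trying to "cd" into a directory that "ls" does not list) can be scripted so an administrator can run them across a fleet. The script below is an added example for this archive, not code from the thread, from US-CERT or from DFN-CERT. The function names and the default target directory "/etc" are this example's own choices; the directory name "khubd.p2" is the indicator from the notice. It assumes a filesystem that keeps the traditional directory link count (ext4, xfs, tmpfs); on filesystems that report a constant count of 1 (btrfs, for instance) the link-count check is reported as inconclusive rather than as a finding.

```shell
#!/bin/sh
# Added example (not from the thread or the US-CERT notice): the two checks the
# notice describes for a rootkit that hides a directory from "ls" but not "cd".
#
# Check 1: on ext4/xfs/tmpfs a directory's hard-link count is
#   2 + (number of real subdirectories), because every child contributes its
#   ".." entry. If "ls" shows fewer subdirectories than the count implies,
#   something is filtering the listing. Filesystems such as btrfs report a
#   constant count of 1, so there the result is inconclusive (delta < 0).
# Check 2: try to "cd" into the name from the notice (khubd.p2) even though
#   "ls -a" does not list it.

# Hard-link count of a directory, read from "ls -ld" so it works with both
# GNU and BSD userlands (their "stat" flags differ).
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Number of real subdirectories "ls -a" would show: dotfiles included,
# "." and ".." excluded, symlinks excluded (they add no link to the parent).
visible_subdirs() {
    n=0
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Subdirectories implied by the link count minus the ones "ls" shows.
# 0 = consistent, >0 = entries are being hidden from the listing,
# <0 = filesystem does not keep the traditional count, check inconclusive.
hidden_dir_delta() {
    links=$(link_count "$1")
    visible=$(visible_subdirs "$1")
    echo $((links - 2 - visible))
}

# Probe one named directory the way the notice suggests: attempt to enter it
# in a subshell, then see whether "ls -a" of the parent lists it.
# Prints "hidden" (cd works, ls omits it), "visible" (ls shows it) or "absent".
probe_named_dir() {
    parent=$1
    name=$2
    if ( cd "$parent/$name" 2>/dev/null ); then
        if ls -a "$parent" 2>/dev/null | grep -Fqx "$name"; then
            echo visible
        else
            echo hidden
        fi
    else
        echo absent
    fi
}

# Run both checks against one directory, /etc by default as in the notice.
# Usage: sh phalanx2_check.sh [directory]
check_dir() {
    dir=${1:-/etc}
    echo "$dir: hidden-directory delta = $(hidden_dir_delta "$dir")"
    echo "$dir: khubd.p2 probe = $(probe_named_dir "$dir" khubd.p2)"
}

if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```

Run it as `sh phalanx2_check.sh /etc`. A positive delta or a "hidden" probe result is a reason to treat the host as compromised and follow the notice's response steps (disable key-based SSH logins where possible, audit every SSH key on the box, notify the key owners); a negative delta only means the filesystem does not maintain the count, so fall back to the other indicators the notice lists, such as files under "/dev/shm" and hidden processes. Because the rootkit's configuration can change the directory name, the probe should be read as one indicator among several, not as a clean bill of health when it prints "absent".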