Re: US-Cert Update on New Attacks on Computer Infrastructure
- From: Dan <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 30 Aug 2008 02:59:00 -0700
Thank you for your feedback, Steve, and sorry, I did not mean to hurt Microsoft.
"Steve Riley [MSFT]" wrote:
Dan, I have resisted writing a message like the one I'm writing now but I
can wait no longer. I'm not exactly sure what it is that you expect to
accomplish with statements like "web link may be manipulated by others" and
"poster not responsible if someone hacks post" (other than possibly stoking
the fears of other readers) nor do I understand your repeated requests for
me to comment on various things (I am not any kind of Microsoft crystal
ball).
In the newsgroups I avoid religious arguments about software, engaging in
flame wars, or questioning people's motives because none of those activities
do anyone any good. But your exaggerated claims about the realm of possible
attacks, your continued devotion to "internal safety" vs. "external
security" (which are terms NO ONE ELSE in the security field uses), your
frequent invocation of DHS (and your cc-ing the US-CERT in your private
emails to me -- what's up with that?), and your strange occupation with
"source code" is really getting quite tiresome.
In this thread you wonder about some kind of "new source code" that might be
under development. In your thread "Source Code," you lament that, according
to Wikipedia, Windows 7 "will use the Windows NT source code" -- then later
on claim that we've got some sort of secret skunkworks project. Do you
really even understand what source code is? Nowhere in the Wikipedia article
did I see any reference to Windows NT source code. Do you realize that
virtually none of the original NT code still exists in the current versions
of Windows? Much of the architecture (for example -- file storage,
communications, process handling, and memory management) is still in place,
of course, but nearly every single element has been rewritten and expanded
to increase reliability and security, and to take advantage of modern
hardware capabilities. In a reply to "Is DNSSEC supported by Windows?" you
claim that DOS is required for "internal safety" -- is this a joke? Do you
understand that DOS is an ancient thing written for a totally different
time -- when there were no networks, no multitasking, no re-entrance
(executing the same piece of code multiple simultaneous times), no
multi-user support, and no concept of virtualizing any of these layers? DOS
HAS ZERO security of any kind. To claim "society and the world are paying
for the mistake" of not using DOS in the current version of Windows is
really rather silly.
Your assertion that "the majority of people here...have...bought the company
line" is intended to indicate what? What "company" do you mean? Information
security practices and philosophies have evolved over time to address
changing business requirements in an age where everything is connected all
the time using public networks. To claim that "the majority" are wrong and
that the development practices (and products) of two decades ago will
somehow save us from all evil shows a fundamental misunderstanding of the
issues and solutions.
Dan, I am not attacking your motives or impugning your character. But I am
asking that you rethink your positions (and your allegiances) as you
continue your journey in the field of computer security.
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@xxxxxxxxxxxxxxxx
Thanks for your reply MowGreen. I really do respect you and consider you a
great asset to this group. I loved it when Apple users were so sure of their
operating system and computers that they claimed they were really safe and
when an Apple, Windows Vista and Ubuntu Linux computer competed against each
other the first one to be hacked was the Apple. BTW, have you heard anything
about Microsoft's new source code that you can publicly share on this
newsgroup?
"MowGreen [MVP]" wrote:
Where are the Penguin fanbois exclaiming " Linux is the safest OS; it's
impenetrable " ?
C'mon guyz, do your part. You have a role to fill here.
But, seriously, Dan. Anyone with common sense knows that any system that
is exposed to the internet can be compromised. And, it is irrelevant
which OS one runs.
The key is, never drink 'OS koolaid'. Use the one that suits your
purposes but don't tell everyone that it is ' the most secure ' or ' it
can't be hacked '. That's total nonsense.
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
Dan wrote:
http://www.us-cert.gov/current/index.html#red_hat_releases_openssh_security
{Note: Web link may be manipulated by others and smart web surfing is
encouraged, like reading in plain text and blocking remote code --
Disclaimer: Poster is not responsible if someone hacks post and web link is
illegally changed}
Here is the information from US-Cert.gov, which is a part of DHS: all below
should be considered a quote ". . ."
SSH Key-based Attacks
added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm
US-CERT is aware of active attacks against linux-based computing
infrastructures using compromised SSH keys. The attack appears to initially
use stolen SSH keys to gain access to a system, and then uses local kernel
exploits to gain root access. Once root access has been obtained, a rootkit
known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx".
Phalanx2 and the support scripts within the rootkit are configured to
systematically steal SSH keys from the compromised system. These SSH keys are
sent to the attackers, who then use them to try to compromise other sites and
other systems of interest at the attacked site.
Detection of phalanx2 as used in this attack may be performed as follows:
- "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with
"cd /etc/khubd.p2".
- "/dev/shm/" may contain files from the attack.
- Any directory named "khubd.p2" is hidden from "ls", but may be entered by
using "cd".
Changes in the configuration of the rootkit might change the attack
indicators listed above. Other detection methods may include searching for
hidden processes and checking the reference count in "/etc" against the
number of directories shown by "ls".
US-CERT encourages administrators to perform the following actions to help
mitigate the risks:
- Proactively identify and examine systems where SSH keys are used as part of
automated processes. These keys typically do not have passphrases or
passwords.
- Encourage users to use the keys with passphrases or passwords to reduce the
risk if a key is compromised.
- Review access paths to internet facing systems and ensure that systems are
fully patched.
If a compromise is confirmed, US-CERT recommends the following actions:
- Disable key-based SSH authentication on the affected systems, where
possible.
- Perform an audit of all SSH keys on the affected systems.
- Notify all key owners of the potential compromise of their keys.
US-CERT will provide additional information as it becomes available.
US-CERT credits DFN-CERT for their contributions regarding this issue.
{Note to Microsoft-only users: The above is provided as a general service
announcement and although it affects Linux systems is provided here
publicly to raise users' awareness of how serious computer attacks are
getting --- thank you for any feedback and have a great day}
Also please use Microsoft's own password tool to generate stronger passwords
that are safe and secure. I hope Steve Riley, MSFT will comment for all of
us to benefit on the issue of new security and safety measures and the new
source code Microsoft is slowly but surely developing. That new source code
is what I am super excited about for Microsoft's future.
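The two detection checks in the US-CERT bulletin quoted above (a directory that "cd" enters but "ls" does not list, and the reference count of "/etc" compared with the number of directories "ls" shows) can be scripted. The following is an added POSIX shell example; it is not part of the bulletin, of DFN-CERT's analysis, or of any post in this thread. It assumes GNU stat ("-c %h") and a filesystem such as ext2/3/4, xfs or tmpfs, where a directory's hard-link count is 2 plus its number of immediate subdirectories; the function names and the sample directory used below are mine.

```shell
#!/bin/sh
# Added example, not from the US-CERT bulletin or from any poster in the thread.
# Assumes GNU stat and a filesystem (ext2/3/4, xfs, tmpfs) where a directory's
# hard-link count is 2 + its number of immediate subdirectories.
# A rootkit that hides a directory by filtering getdents()/readdir() output
# does not change that link count, so a gap between the two is an indicator.
# Caveat: btrfs reports a link count of 1 for every directory, so the
# link-count comparison is meaningless there (it fails open, not closed).

# Immediate subdirectories as readdir()-based tools (ls, find) see them.
# Symlinks are skipped because they do not contribute to the link count.
listed_subdirs() {
    dir=$1
    n=0
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Subdirectory count implied by the inode: link count minus "." and "..".
linkcount_subdirs() {
    links=$(stat -c %h "$1")      # GNU stat; BSD/macOS would be: stat -f %l
    echo $((links - 2))
}

# Returns 0 when the counts agree (or the filesystem keeps no meaningful
# directory link count), 1 when the inode implies more subdirectories than
# readdir() shows, i.e. something in $dir is being hidden.
check_hidden_subdirs() {
    dir=$1
    expected=$(linkcount_subdirs "$dir")
    seen=$(listed_subdirs "$dir")
    if [ "$expected" -gt "$seen" ]; then
        echo "WARNING: $dir: link count implies $expected subdirectories, readdir shows $seen" >&2
        return 1
    fi
    return 0
}

# The bulletin's direct test: a path that stat()/chdir() reach but that a
# directory listing omits. Returns 0 if $path exists yet is missing from
# "ls -A" of its parent (hidden), 1 otherwise (absent or normally visible).
check_hidden_path() {
    path=$1
    parent=$(dirname "$path")
    name=$(basename "$path")
    if [ -d "$path" ] && ! ls -A "$parent" 2>/dev/null | grep -qxF -- "$name"; then
        echo "WARNING: $path exists but is not listed by ls" >&2
        return 0
    fi
    return 1
}

# Stand-alone use (run as root): ./phalanx2_check.sh /etc /usr/lib /dev/shm
# Each argument is checked for a hidden "khubd.p2" and for a link-count gap.
if [ $# -gt 0 ]; then
    status=0
    for d in "$@"; do
        check_hidden_path "$d/khubd.p2" && status=1
        check_hidden_subdirs "$d" || status=1
    done
    exit $status
fi
```

Run it as root, since a directory you cannot stat() is indistinguishable from one that is hidden. Both checks rely on the rootkit hooking only the directory-listing path, which is what the bulletin describes; a kernel-mode rootkit that also filters stat()/lstat() defeats check_hidden_path, and as the bulletin notes the "khubd.p2" name is a configuration choice that may change. When a compromise is suspected, comparing the filesystem from a known-good boot medium is more reliable than any check run under the possibly hooked kernel.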