×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Honeynet Project: Blackhat Attack Stats

Hemos posted more than 13 years ago | from the shivers-down-your-spine dept.

The Internet 143

edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper , Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.""

Sorry! There are no comments related to the filter you selected.

Re:DAMN! (1)

Anonymous Coward | more than 13 years ago | (#2190373)

Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet. Coincidentlly, this was the first honeypot we ever setup, in March of 1999.

Ok, that's good. Using the scientific method.

A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.

BULLSHIT. The Redhat server gets tested default install, out of the box. For the Win98 PC, they perform a default install and then, "oh, let's turn on file sharing, because that's what every newbie user does when they set up Win98". NOT. File sharing is NOT enabled out of the box on Win98. You might as well say "Well, let's take this FreeBSD default install, and we'll set the root password to 'password', and then we'll change the prompt info for all the daemons to say enter 'root' for username and 'password' for password you l33t h4XX0r!! yes, let's do that and see how long the box survives."

This is what we call a double standard. However, they can't say that the NT box was 0wn3d, and they didn't even try Win2k's grip (it's a bad mother fucker).

Blackhats or S'kiddies? (1)

Anonymous Coward | more than 13 years ago | (#2190374)

I was under the impression that you distinguished between Blackhats and Script-kiddies, but the white paper seem to assume that all attacks are from blackhats. The attack without OS-ID seems kiddish to me, as does scanning for specific vulnerabilities.
Enlighten me, s'il-vous-plait...

Re:Corelation with bugtraq (1)

Anonymous Coward | more than 13 years ago | (#2190375)

Uh, I think we all added
127.0.0.1 goatse.cx
to our /etc/hosts long ago.

Thanks for inquiring about open source. Keep it up!

Re:Distros (1)

Anonymous Coward | more than 13 years ago | (#2190376)

So, basically what you're saying is that you don't want to put in the effort to learn enough to put your boxes on the Internet and not be compromised.

I look forward to receiving sunrpc scans from your machines.

Big Deal (3)

Anonymous Coward | more than 13 years ago | (#2190377)

The fastest time ever for a system to be compromised was 15 minutes.

So what? Nearly all /. stories are compromised within 21 seconds of being posted.

OpenBSD does a LOT better (4)

Anonymous Coward | more than 13 years ago | (#2190378)

I put a pair of OpenBSD systems up naked (no firewall, no router, no IPF) and untouched on the net a year and a half ago. I'd patch within a couple of days when something was posted; but no remote root exploit was ever in the patches, so I wasn't too paranoid.

Result: 0 breakins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.

Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.

I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.

Re:DAMN! (1)

farrellj (563) | more than 13 years ago | (#2190379)

Naw, they just painted them red!

ttyl
Farrell

I must just get the dumb hackers (2)

Sabalon (1684) | more than 13 years ago | (#2190382)

All of our apache servers were hit about 29-35 times with the recent IIS bug (the .ida one). Several times from the same client.

Our NT IIS servers where hit 0-2 times.

Duh!

Re:Corelation with bugtraq (1)

wampus (1932) | more than 13 years ago | (#2190383)

The only difference for most of us is that the giver is first, and it loads much faster.

Re:Answer for the little guys: firewall. (1)

zenray (9262) | more than 13 years ago | (#2190385)

My FreeSCO system is an old Packard Bell 486DX2/66 with 20MB of RAM just sitting on a cardboard shelf I made inside a bookcase I use as my system rack. This system has only one ISA slot that holds my NIC and COM1 has an external US Robotics 56K baud modem. No monitor, mouse, or keyboard required. I just turn it on first and turn it off last. It work great!

Red Hat 6.2 (basic install lockdown) (2)

Mr. Flibble (12943) | more than 13 years ago | (#2190387)

For RH 6.2, before you even connect it to a network, I reccomend you have a copy of Bastille Linux [bastille-linux.org] (Which is actually a script, not a distrobution) on hand. This is great for newbies.

As a general rule:
run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)

Comment out everything in the /etc/inetd.conf file (which only appears in a server install).

Have nmap [insecure.org] on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.

There is no way I can give you enough advice on how to secure a machine on a simple /. post, but the above is a good start for Red Hat 6.2.

Re:Wow! (2)

Mr. Flibble (12943) | more than 13 years ago | (#2190388)

Wow. If that's true, this is just crazy.

It is true. I witnessed the very same happen to a Red Hat 6.2 machine in 10 min. The next fastest I saw was 4 hours. I have 20 Rh machines now, and when I first started with them I did not know how to secure them properly.

I found out just how fast someone could "own" them.

I agree, the services should be OFF by default, just like Open BSD. Maybe the powers that be will listen one day.

For now, I install on a non-networked machine, install the patches off CD, and secure the machine before attaching a network cable.

Re:DAMN! (1)

ethereal (13958) | more than 13 years ago | (#2190389)

The SDMI consortium? No, wait, that was something else...

Remember: it's a "Microsoft virus", not an "email virus",

Re:But... but... (1)

ethereal (13958) | more than 13 years ago | (#2190390)

Not an "emacsitor". Not a "viitor". Those aren't even words! [gnu.org]

Remember: it's a "Microsoft virus", not an "email virus",

Re:Distros (5)

ethereal (13958) | more than 13 years ago | (#2190391)

Some ideas:

  • Get on the security mailing list for your distribution, and religiously update. Some distros are better than others at keeping you informed; Debian seems to do pretty well. I don't know about RedHat.
  • You can mount /usr and /usr/local read-only to avoid some simple automated attacks, but you have to first move the /share directories off of those onto your /var partition. I tried this strategy for a while but ultimately gave it up as too cumbersome to use in the long run. I'd be interested in seeing a distribution adopt that approach in general, though.

The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.

Remember: it's a "Microsoft virus", not an "email virus",

A statistical analysis I would like to see (4)

B.D.Mills (18626) | more than 13 years ago | (#2190392)

A simple analysis I would like to see would be to correlate the probes and attacks over the time of the week when they occurred, with granularity measured to the hour, possibly with a 3-hour moving averages. This is likely to provide significant results.

I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
--

Re:think (2)

PigleT (28894) | more than 13 years ago | (#2190393)

You're missing 4 things ;)

a) stay uptodate - apply patches like there's no yesterday

b) use an IDS like snort

c) run logchecker and AIDE

d) use libsafe around net-listening daemons.

Then you'll be in the right league; whenever you get emails off these you're expected to *read* them, too.

Me, I'm getting portmapper, FTP and DNS in approximately that order; I've also had quite a few telnet scans following the recent vulnerability in telnetd as well.
~Tim
--
.|` Clouds cross the black moonlight,

Re:Distros (2)

halbritt (30189) | more than 13 years ago | (#2190394)

The fact remains that you shouldn't connect an insecure system to the Internet. It will get cracked in less time than you think. I used to send an email to abuse@* for every attempted connect to my webserver on port 111 (rpc). It got so tiresome, that I stopped bothering. I did get to hear some interesting stories though. A guy in Israel left his laptop on over the weekend, etc. Most of the compromised boxes were default redhat installs on a dedicated connection, i.e. ethernet in a dorm room, dsl or cable. Here's one of my favorites, I received this from a security admin that works at a very prestigious school with a really good CS program with some really bright students, whom you would think are better than this, somewhere in the silicon valley, in the vicinity of Palo Alto ;).

You are receiving this in reply to your message last week alerting us

to a port 111 scan originating from as system in our residential dorm
network, *.*.*.* (hostname.domain.edu). Our investigation
indicates that the system had been compromised by an outside intruder
within hours of being installed through a port scan similar to the
one subsequently launched from that system. The system has been
removed from the network and is being reinstalled with a more secure
configuration. We will be attempting to trace the intruder and may
contact you again if successful.


So here's a hint, learn how to use your OS before you put it on the Internet. If you're a linux fan, figure out IPTables and implement it. If you're into BSD or Solaris, use IPF and really learn it. Download the security updates for your system and apply them before you put it on the Internet. Air gap security is the best time. When you're done with your box, you should only be running a late version of (Open)SSH and whatever services you explicitly want people to connect to. Inetd should be turned off, for the most part. Unfortunately, system security is not easy. This is why it pays to be a script kiddie. They don't have to know how something works, they just need to use a script against as many boxes as possible until they find a weak one.

Re:Are Black Hats incredibly nice? (3)

ryanr (30917) | more than 13 years ago | (#2190395)

Yes, I bought a bumper sticker at Defcon that reads "My other computer is your linux box."

Re:Are Black Hats incredibly nice? (5)

Restil (31903) | more than 13 years ago | (#2190396)

What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.

While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.

The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".

-Restil

Re:Answer for the little guys: firewall. (1)

zmooc (33175) | more than 13 years ago | (#2190397)

I don't think a firewall is good enough a reason not to care about the security of the backend network.

Re:Oh, just great. More encouragement. (1)

mefus (34481) | more than 13 years ago | (#2190398)

please, someone encourage me to hack the RSA challenge [slashdot.org] ! I need the money.

Re:Distros (2)

slickwillie (34689) | more than 13 years ago | (#2190399)

Are there any distros with security tools installed by default?

Mandrake now ships with Bastille.

Re:Distros (2)

slickwillie (34689) | more than 13 years ago | (#2190400)

Bastille is a way to beef up your system security. I believe it was actually developed for Red Hat, but RH doesn't include it. It is a script, and I think it probably has a GUI front end by now.

Re:A philosophical question (2)

Garpenlov (34711) | more than 13 years ago | (#2190401)

If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?

This is explained in the main paper:
http://project.honeynet.org/papers/honeynet/ [honeynet.org]

To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever...

Re:Wow! (2)

miracle69 (34841) | more than 13 years ago | (#2190402)

My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.

Mandrake 8.0 ships like that. It even warns you before installing about what services are running.

And, I've found the firewall to be tighter than gnat-booty.

HI Mom!

I think their numbers a flawed (1)

Nemix (35844) | more than 13 years ago | (#2190403)

Let me get this straight. They put a box on the Net and it gets cracked. They don't expect that when they re-install and bring it back up that the SAME person wasn't going to hack it again? Or tell his friends about it?

They say they don't try to determine unique attackers but that is just because they can't, not because they shouldn't.

John

Re:Wow! (2)

ajs (35943) | more than 13 years ago | (#2190404)

I love this kind of response.

Look, the statistics are for a default install of Red Hat 6.2, which is about 1.5 years old now, but is still pretty secure if you perform the "desktop" install and then apply all of the updates.

If you install 7.1, and then all of the (many fewer than 6.2) updates, it's even more secure owing to: 1) Red Hat 7.1 ships with an ipchains configuration 2) xinetd allows finer grain control over many of the less secure services, should you wish to turn them on.

Red Hat is not the world's most secure OS, but let's be fair and admit that they do an excellent job of staying on top of what's out there, and providing updates to their customers. It's relatively easy to be an OpenBSD and say "our OS is secure as long as you don't install a web server", but companies like Red Hat are actually trying to solve the hard problem of general-purpose, secure operating systems and server software. If, after over a year of everyone beating on it, exploits are found in the default, unpatched version of their OS, I can live with that, as long as they have addressed the problems.


--
Aaron Sherman (ajs@ajs.com)

Re:Answer for the little guys: firewall. (2)

HerrNewton (39310) | more than 13 years ago | (#2190405)

And hey, if you ever have to move, you won't need to pack that machine up at least. Just write, "Fragile: Computer" on the outside.

----

Re:Distros (2)

Slak (40625) | more than 13 years ago | (#2190406)

Use OpenBSD.

I am trying to figure out... (2)

cr0sh (43134) | more than 13 years ago | (#2190407)

OK - I admit I only scanned this article - but in their explanation of the honeypot, they seem to indicate that there was no form of a firewall set up in front of the machines in the honeypot.

I currently run FreeSco on my homebrew firewall, which is a simple NAT affair. It seems to run well, but sometimes I tend to wonder if it (and associated connected systems) might get rooted.

I check the logs on occasion - but I am not a grand admin - so while I can tell from the logs when a portscan for 138/139 is occurring (SMB) - other possible probes would elude me.

Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?

If not, what would the statistics have looked like if it was?

Worldcom [worldcom.com] - Generation Duh!

Re:Results that prove (2)

interiot (50685) | more than 13 years ago | (#2190410)

The last paragraph of the paper:
  • ...The first goal was to demonstrate just how aggressive the blackhat community can be. The numbers demonstrate the hostile threat we all face. Remember, the Honeynet used to collect this information had no production systems of value, nor was it advertised to lure attackers. ...

Re:Distros (1)

LinuxHam (52232) | more than 13 years ago | (#2190411)

Are there any distros with security tools installed by default?

Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, its a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter

ipchains -F
service ipchains save

One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.

It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other. :)

Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script.
--
Steve Jackson

Re:Distros (3)

robl (53384) | more than 13 years ago | (#2190412)

o There doesn't really exist a distro in the Linux realm that has a high focus on security. There are things like Bastille Linux which is a good overall Q&A tool that will really help you, but I eventually ended up learning ipchains from the command line.

o Snort appears to be the defacto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.

o No. I don't know of an easy way. I think it's pretty hard.

o What's the point?

The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.

The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.

How you can be 0w3nd in 15 minutes... (2)

yellowstone (62484) | more than 13 years ago | (#2190414)

  1. Connect your new machine to your dsl/cable modem/whatever, and boot up.
  2. Your computer says hallo DHCP server, Mac address <fiddly foo> here, what's my IP?
  3. DHCP server responds hallo <fiddly foo>, you're 192.168.1.1
  4. [H4x0r3d system on the same ISP eavesdropping: a-ha! another victim!]
    hallo 192.168.1.1, how 'bout a nice juicy apple?
  5. Your machine: what is thy bidding, my master?


--
I have no fin
no wing no stinger
no claw no camouflage
I have no more to say...

Re:Answer for the little guys: firewall. (2)

dboyles (65512) | more than 13 years ago | (#2190416)

I just got around to "installing" MonMotha's iptables firewall [dyndns.org] . I'm really quite pleased with it considering I had it configured and running within 5 minutes. It's really just a configurable script to apply iptables rules, and I hardly had to make any changes. For example, I need NFS and FTP within my LAN, but I don't want the outside world to be able to see it. Easily done with this script. Plus it has other features, like protection from ping flooding. It's not the last word in security, but for someone on a little dialup system with a few computers connected, it's a hell of a lot better than nothing at all.

Re:Yeah, whatever (2)

dboyles (65512) | more than 13 years ago | (#2190417)

Even though they made "no attempt to publicize" it, they also made no attempt to hide it.

But that was the point of their experiment. I'll be you dollars to dimes that the number of computer users who throw out-of-the-box machines up on a network far outnumber the users who secure their boxes before putting them in public reach.

It's true that having all these machines on the same network can cause inflation of their numbers. If I were a script kiddie and discovered a variety of machines with a default installation on a network, you can bet I'd have a post-it note on my computer with that network's address. The Honeynet Project looks far from being truly scientific, but it provides a view of the worst-case scenario.

Re:WOW (1)

themassiah (80330) | more than 13 years ago | (#2190421)

You have to remember, these people knew WHERE to look to attack this thing. Comparing the attack to your fire dept or something similar isn't fair, just because they don't know where exactly the emergency is going to break out. I guess in the same vein, they are pretty sure they are not going to get called for a fire on the opposite coast or something.
Food for thought.

Re:Wow! (2)

^DA (82715) | more than 13 years ago | (#2190422)

"My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service."

Trustix does this. Or at least with very few (and securely configured) services by default.

Yeah, whatever (4)

Apotsy (84148) | more than 13 years ago | (#2190424)

These numbers are meaningless. Take a look at this paragraph:
The Honeynet network, the network used to capture data, is a basic network of commonly used operating systems, such as Red Hat Linux or Windows NT, in a default configuration. No attempts were made to broadcast the identity of the Honeynet, nor was any attempt made to lure attackers. Theoretically this site should see very little activity, as they have little value. However, attack they do, and in extremely aggressive manner.
Even though they made "no attempt to publicize" it, they also made no attempt to hide it. Crackers would surely figure out very fast machines with IP address in a certain range are part of this project. Boxes that are set up as some sort of a "challenge" always receive more attacks than ordinary machines. Therefore, these numbers are skewed.

A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.

Re:Distros (2)

ct (85606) | more than 13 years ago | (#2190426)

Bastille is a set of Perl scripts that walk you through the process of securing/'hardening' your system. Very much like a wizard, it asks you if you want to do 'A' with an quick explanation of why you should an when you shouldn't do so.

http://www.bastille-linux.org/ [bastille-linux.org]

Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.

Re:Fascinating paper - blackhat determination is.. (1)

Gill Bates (88647) | more than 13 years ago | (#2190427)

I hope this paper serves as a wakeup call to users, but it must be covered in mainstream media outlets for that to happen

But Slashdot is mainstream media ... oh, sorry ... you must have meant MSNBC [msnbc.com] .

Re:Nice work - anyone like to automate it?? (2)

Col. Panic (90528) | more than 13 years ago | (#2190428)

Try Mandrake - it allows you to select a security level on installation. You don't have to be a guru to harden the system, just select the level of paranoia at which you would like to operate.

Or if you are really concerned about security install OpenBSD.

Are Black Hats incredibly nice? (1)

Telemain (91811) | more than 13 years ago | (#2190429)

It seems though Black Hats are described as "aggressive", they aren't particularly damaging; if you are a nobody, then you will be attacked and exploited quickly. However, lots of nobodies live without noticing this (?). Certainly it's unsettling, but something wierd is going on if all these "malicious" people have lots of power and don't use it. Makes me more friendly towards protocols that depend on goodwill for success. There's lots of stuff that is easier to do insecurely than securely, and sometimes this straddles feasible and infeasible.

FAQ No. 5 (3)

renard (94190) | more than 13 years ago | (#2190430)

Good question - in fact it's the Honeynet's FAQ No. 5 [honeynet.org] .

To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).

-Renard

Re:The economy is bad... (1)

Ziviyr (95582) | more than 13 years ago | (#2190431)

I think Linux is already bankrupt. I'm not sure why it hasn't filed yet... :-)


Re:Distros (1)

JJore57 (97953) | more than 13 years ago | (#2190432)

Aw heck. Why not just go run OpenBSD which is secure by default? There are still root comprimises for local attackers but a few patches later that's taken care of. All in all... it's easy when you use a superior tool

Re:Are Black Hats incredibly nice? (1)

Mendax Veritas (100454) | more than 13 years ago | (#2190434)

The problem is that you don't know what they're doing with your system.

A co-worker of mine discovered earlier this year that his Red Hat workstation had been rooted. They had taken over an infrequently used user-level account and were using it to run an IRC server with which to coordinate automated DDOS attacks. So his machine wasn't seeing a whole lot of traffic, nor was it, itself, damaged, but it was being used to cause a lot of trouble for other people.

Interestingly, also, apparently some kernel patches had been applied, because commands like "top", "ps -ef", and "ls /proc" did not show the IRC server process, which nevertheless was there if you knew very specifically what to look for.

Re:owned during install (1)

ehack (115197) | more than 13 years ago | (#2190438)

Are services up during an install ? Maybe one should ALWAYS have a firewall for the initial install and patch period.

Re:Distros (3)

lamontg (121211) | more than 13 years ago | (#2190439)

The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d.

Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.

Re:Distros (1)

delong (125205) | more than 13 years ago | (#2190441)

You're a damn fool if you install an OS on a box live on the network. Install the OS off the network, secure it, then put it on the network.

You're also a damn fool if you run public services that aren't nice and cozy between two firewalls in a DMZ. You can't stop all attacks, but you don't have to spread your legs and beg for one either.

Derek

Re:Distros (1)

delong (125205) | more than 13 years ago | (#2190442)

I can pack down a RedHat box as tight as any other distro. If you expect ANY OS to be default secure and don't make an effort to lock it down, you deserve to be cracked.

Derek

Re:OpenBSD does a LOT better (1)

CptnHarlock (136449) | more than 13 years ago | (#2190445)

I started using OpenBSD as my desktop machine after getting sick of checking logs and updates for my RH box. I Still use my RH box (xhost), but it's behind a firewall now. The OpenBSD is on the outside and I've had no problems with it. The uptime is also impressive BTW. I've only rebooted it when I had to move it. Once you get to know OpenBSD you get addicted, it's easy to update and the package system is a blessing. I was happy though that I had my previous SunOS/Solaris ski11z to get me through the partitioning and network setup... But after that it's eaaaasy. Try it! You'll like it!
--
$HOME is where the .*shrc is

Re:Distros (1)

Majix (139279) | more than 13 years ago | (#2190446)

Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?

Shameless plug: Check out my Firestarter [sourceforge.net] GNOME firewall/monitoring software. The first step in breaking in is always surveying the ports of the machine, Firestarter lights up like a christmas tree when someone sweeps over your ports. Integration with the GNOME panel makes the program as easy to ignore as an ICQ client in normal operation, but still allows the program to alert you when necessary. Sort of like ZoneAlarm or BlackIce for That Other OS.

It works on both Linux 2.4 and 2.2 systems. I would say that the scripts the wizard generates for 2.4 are better than the 2.2 ones.

Note the ulterior motive of the project: (2)

Rimbo (139781) | more than 13 years ago | (#2190447)

The Honeynet project was set up to demonstrate the threat of hacker attacks. I noticed throughout the report a certain amount of rile-'em-up sensationalism. In other words, although the data collected and their analyses are certainly important and extremely valuable, they should be taken with a grain of salt.

Although I'm probably going to clean my unprotected RedHat 6.2 box before I connect it to the 'net again. :)

Corelation with bugtraq (3)

cfreeze (146454) | more than 13 years ago | (#2190451)

I would like to see a corelation study of this information against postings to BugTraq. Information can be a two edge sword.

Re:Wow! (1)

Drone-X (148724) | more than 13 years ago | (#2190452)

Of course a resonable admin can turn of those unnecesary services himself/herself. A newbie OTOH is not likely to install OpenBSD.

Re:I am trying to figure out... (2)

ivan37 (149147) | more than 13 years ago | (#2190453)

Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?

It didn't say, but I doubt it...even the really cheap firewall/routers block all incoming traffic by default. Blocking everything would pretty much defeat the purpose of having a honeynet (to learn from getting cracked).

Re:Nice work - anyone like to automate it?? (5)

Pinball Wizard (161942) | more than 13 years ago | (#2190454)

The problem with secure Linuces is they are pretty boring for most people. With Red Hat, you get so many bells and whistles with the basic install. In case you haven't noticed, features sell software, not security.

In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.

Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.

Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.

As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.

think (1)

johnnyfever (166279) | more than 13 years ago | (#2190455)

OK, it's not that difficult. Yes, the information here is very interesting, but not that surprising to anyone who looks through their firewall logs every so often. I see several attempted netbios attacks every single day, not to mention attempts at named, mail servers, IIS, etc etc etc. Similarly, my server is only used for personal use and to post the odd photo for friends/family...ie it's not advertised at all. Don't plug in the network cable until you have ipchains (or iptables now) running with the default policy on the input and forward chains set to deny. Or am I missing something here?

and the moral of the story is... (1)

child_of_mercy (168861) | more than 13 years ago | (#2190457)

release early, patch often.

Seriousy though the predicatbility of attack given certain scanning pattersn should be usable... (except i suppose the buggers would change their patterns, maybe weekly updates would be in order)

Re:WOW (1)

kz45 (175825) | more than 13 years ago | (#2190458)

It's too bad we can't get people that dedicated to their work on customer support staffs


you can, just look at any GNU software based company.

Re:Nice work - anyone like to automate it?? (2)

duffbeer703 (177751) | more than 13 years ago | (#2190459)

Wow, so a Unix-like operating system without any services running is free of security holes?? Amazing.

I heard the other day that no powered-down Windows NT system has ever been remotely compromised. That's almost as impressive.

Re:Wow! (3)

Alien54 (180860) | more than 13 years ago | (#2190460)

My question is, when are distros going to start shipping with all services turned off by default?

Of course, it is not Linux, but there is always OpenBSD [openbsd.org] . OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.

Educational, if nothing else.

Re:owned during install (2)

Erasmus Darwin (183180) | more than 13 years ago | (#2190461)

Are services up during an install ?

Unless things've radically changed since when I installed RH 6.1, the answer is no. You're running off a barebones system that has the software required to do the install and very little else.

If you're paranoid (with that 15 minute figure implies that you should be), you can force the first boot session of the new Redhat system to be at a runlevel that doesn't start up networking. Then you can leisurely edit config files so that no services get started. Kick the machine into a regular runlevel, download the patches, apply them, and then carefully reenable services that you really, really need.

I will admit that it's not the easiest solution, but it should work (barring a remotely exploitable networking bug in the kernel or client software), and it doesn't require a firewall.

Re:Results that prove (3)

Erasmus Darwin (183180) | more than 13 years ago | (#2190462)

i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ?

If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.

Re: Intrusion Detection Systems (1)

Octoberfest (199167) | more than 13 years ago | (#2190466)

Hello electroniceric,

Some of the talks at this year's Defcon 9 were worthwhile, including Thomas Munn's talk on AIR IDS, his method of designing an intrusion detection system. Use a bit of creativity and cover all your bases, and you should have a great IDS that will really work.

If you just want easy to use, then get something like LIDS (Linux IDS), and Tripwire. The free version of tripwire still helps a little, but the best way is to make your own IDS. I'd advise contacting Thomas Munn to see if he has a product that's available to the public.

Best of luck to you :)

Justin Cheung [ocamd.com]

Re:Distros (1)

pruneau (208454) | more than 13 years ago | (#2190469)

NAT has _never_ been a security measure : you need either _no_ connection or a real firewall.
And btw, netstat -anp is something usefull also...

I'm currently beeing massively port-scanned by some imbecile that probably believes that nmap is an intrusion system...

Re:Results that proves... (1)

pruneau (208454) | more than 13 years ago | (#2190470)

Well well, it's not because you are [not] paranoid that they are not after you...

From a professional experience, I tend to agree with the conclusions of the article.

Even if their main point is more:

"how to use statistics methods to predict intrusion attempt"
than

let's demonstrate the aggressivity of our beloved blasthat community.

But to get back to my experience, we sat up a firewall between our intranet and some inter-universities research network. The outcome was pretty scary.
The box was first connected to the external research net (and internet through it). We did not set up the DNS configuration before three week
It took about only two days to reach "cruising scan speed". In fact, having a dns existence did not change the things very much. Right now, our probe rate is about 5000/7000 DENY packets per week. And yes, our box is responding to icmp echo, but not forward...

My 3.14 cents.

Re:Wow! (2)

GigsVT (208848) | more than 13 years ago | (#2190471)

RedHat 7.1 ships with very few services on with the "workstation" install. Xinetd is not even part of the install AFAIK.
-

Re:The four Yorkshire men go firewalling (1)

aussersterne (212916) | more than 13 years ago | (#2190472)

Well I meant to get a proper case, but when I got to Auntie Wainwright's, the cardboard box was all I could afford...

Answer for the little guys: firewall. (5)

aussersterne (212916) | more than 13 years ago | (#2190473)

I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.

But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.

I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco [freesco.org] (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.

It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.

Re:DAMN! (1)

hearingaid (216439) | more than 13 years ago | (#2190474)

Actually, a lot of OEM setups I've seen have file-sharing set up by default.

There are a lot of packages that you can get for Win9x that turn on file sharing, too. IIRC, doing a DUN upgrade often turns it on.

Most people don't realize... (4)

sfe_software (220870) | more than 13 years ago | (#2190476)

...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.

A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...

I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are comprimized each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...

I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...

I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...

I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box comprimised in less than a week.

- Jman

Fascinating paper - blackhat determination is... (5)

hillct (230132) | more than 13 years ago | (#2190478)

I'm not all that suprised at the agressiveless of blackhats. There are some extremely frightening statistics though:
we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet.
I've been doing home network consulting in an unofficial capacity, for my co-workers at a major telecom equipment company - where you'd epect the engineering staff to be extremely technically knowlegable - and I've been frightened to find the number of home users - even technical people - who don't realize the need for proper security. It indicates a great failure of user education in the internet comunity. I hope this paper serves as a wakeup call to users, but it must be covered in mainstream media outlets for that to happen

--CTH

A philosophical question (2)

MeowMeow Jones (233640) | more than 13 years ago | (#2190479)

If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?

Trolls throughout history:

Theres nothing like physical security (4)

YoGi Beretta (240183) | more than 13 years ago | (#2190482)

Really there isn't, I always keep a good old ax right next to the cat5 going to the router, and if theres ever hacking going on, BAM chop dat sucka into peices and the bitch never knows what happened

Honeypot (2)

3prong (241218) | more than 13 years ago | (#2190483)


How to set up your own honeypot
This [rootprompt.org] is another interesting article on building your own honeypot.
Or paste: http://www.rootprompt.org/article.php3?article=210

Re:Results that prove (1)

WindowsTroll (243509) | more than 13 years ago | (#2190484)

>>No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested
>>how well they hide them - that is is the domain name of the network something which would attract their attention ?
>>Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder
>>are we scare mongering here ?

My home machine uses an ADSL connection to a local ISP. I am typically logged onto the net for 10-12 hours a day from that machine. As a firewall, I use ZoneAlarm - which throws up a dialog box when someone hits your machine. During a typical day, I get hit 4-8 times. Mostly due to random port scanners, I suspect. So, to answer your question, I don't believe that we are scare mongering here - I believe that there is a real issue with all of these script kiddies who have automated tools for finding vulnerable servers.

Re:Yeah, whatever (2)

Demerara (256642) | more than 13 years ago | (#2190485)

Crackers would surely figure out very fast machines with IP address in a certain range are part of this project.

Seems to me that the Honeypot boys (and, of course, gerls) might have put some flagitiously powerful boxes emulating some more modest boxes on their little lan.

Even their website is so, well, modest, anyone would be taken in.

I take it that the IP of honeypot is a world away from their actual honypot?

And on to a security question - is TurboLinux Server harder than RH or Debian? I don't want to spend the dollars without knowing. Answers on a postcard please to McDermott, Guyana (seriously - there are only two persons with that surname in the country - I'm one and the other is my wife!)

(-1, Redundant) (1)

Fat Casper (260409) | more than 13 years ago | (#2190486)

Hey, this is amazing! A box was scanned, probed and exploited within 15 minutes of being put up on the net. The blackhats are really aggressive, all right.


"You know, the golf course is the only place he isn't handicapped."

The real enemy (5)

Rick the Red (307103) | more than 13 years ago | (#2190488)

Know Your Enemy: Statistics

I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!

DAMN! (1)

MxTxL (307166) | more than 13 years ago | (#2190489)

Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet. Coincidentlly, this was the first honeypot we ever setup, in March of 1999.

Holy Shit! Who painted the big red 'Crack me' sign on those servers?

Re:OpenBSD does a LOT better (2)

Waffle Iron (339739) | more than 13 years ago | (#2190491)

I was happy though that I had my previous SunOS/Solaris ski11z to get me through the partitioning and network setup

A word of warning if you try to use your Linux and/or Windows skills to partition OpenBSD for the first time. I figured that all 'fdisk' programs work pretty similar, so I didn't RTFM. It turns out that they have a completely different concept of 'partition', and I blew away all of the other OSes on the box. Live and learn.

It's a nice little OS, though, if a little spartan.

WOW (1)

Supa Mentat (415750) | more than 13 years ago | (#2190493)

I had no idea the Black Hat, "community," was so damn efficient and quick. Honeynet said that one of their systems was hooked up to the net for 15 minutes and then attacked. That response time is better than the police and fire departments where I live. It's too bad we can't get people that dedicated to their work on customer support staffs.

The four Yorkshire men go firewalling (3)

blang (450736) | more than 13 years ago | (#2190498)

I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws).

A cardbox box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.

A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.

Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.

Nice work - anyone like to automate it?? (4)

astaines (451138) | more than 13 years ago | (#2190499)

Two points :-
  • It is insane to continue shipping Linux distros as presently formulated. No disrespect to projects like Bastille, but ordinary users shouldn't have to do this stuff. Would someone (RedHat are you listening...) like to ship a hardened Linux. I'll buy it.
  • The statistical results are fascinating. It looks like very simple (therefore automatable...) statistical methods could give a very useful warning of impending doom.

    Anthony Staines

Wow! (4)

Ulwarth (458420) | more than 13 years ago | (#2190502)

"The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet."

Wow. If that's true, this is just crazy.

My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.

Re:Wow! (1)

GdoL (460833) | more than 13 years ago | (#2190504)

If you read the paper carefully, you will see a lot of windows of all type, home server home-office servers, etc. That are not meant to be secure, they are meant to be open, universal. So the stat is a bit off. But I really thing the security off real servers are being neglected, mostly nt servers, but also a lot of linux/unixes because of lack of managment and supervision.

Results that prove (2)

q-soe (466472) | more than 13 years ago | (#2190505)

That non preparation and non attention to security leaves you with a vulnerable and insecure network.

No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ? Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder are we scare mongering here ?

If they have gone out and setup a honeypot domain that looks very attractive to the script kiddies then im not surprised that they are attracting attention - having said that my organisation is about the most boring thing on the planet and we have a large amount of intrusion attempts (christ knows if they managed to get in we would get sued for boring hackers to death).

I still cant help but wonder if this stuff is simple setup to attract publicity and attention ?

Re:Results that prove (2)

q-soe (466472) | more than 13 years ago | (#2190506)

Good point on the cable modem one but i pose the questions for a good reason - im an @home user and i run Zone Alarm or Black Ice (depending on system rebuild status) - permanently on line and works all day pulling down shit (including ahem warez) average 2 scans a week and thats it.

My concern is that this threat to home user stuff is like negative media stories on web shopping or credit card hacking, sure it happens but how often ? what are we doing here - scaring the customer shitless ?

Being security concious is a good thing but i have friends on dial up who worry about being hacked (they might have somm important pron pictures is guess) and they wont buy or pay for anything on line because 'hackers' might get me.

Have we convinced users that there is such a threat to the point where they will believe any line they are fed ? this would explain why third rate software like Norton Home Firewall is so popular.

I would like to see some proof these guys have nothing on their systems that appears like a 'hack me' sign to the cript kiddies out there ?

Myabe i am just cynical

Re:Corelation with bugtraq (1)

hivolt (468311) | more than 13 years ago | (#2190507)

Because the information has been made public, it has likely become partially invalid as crackers change their tactics. I think approaching the problem from a psychological rather than a statistical standpoint would be more beneficial. A machine cannot predict how an attacker will act until it becomes capable of thinking like the attacker.

Re:The Foundation.... (1)

hivolt (468311) | more than 13 years ago | (#2190508)

Now, now, you must remember that Asimov wrote that psychohistory would only be effective at predicting the future of an entire galactic empire. For individuals, it would be much harder.

Re:Hackers Unite ! (1)

hivolt (468311) | more than 13 years ago | (#2190509)

Don't worry. They probably have Code Red running on their machines, and their staff sending out SirCam's who bear away information on what they *really* use Echelon for (you didn't think it was used to spy on crooks or private citizens, now did you?)

Re:Distros (1)

electroniceric (468976) | more than 13 years ago | (#2190510)

Pardon my ignorance - is Bastille an app a distro?Hopefully a wizard-like thing?
I was thinking of switching to Mandrake anyway, as they seem to offer better support for KDE.

Re:Distros (1)

electroniceric (468976) | more than 13 years ago | (#2190511)

I actually considered using OpenBSD, but I felt more comfortable wrestling with getting two old NIC cards in the box under Linux than BSD - especially as OpenBSD has only vi as a default editor (and by design), and I have anger management problems with vi.

I also like to follow the strategy of learning packet filtering and ipchains by using a GUI and then figuring out what it did, and that seems easier under Linux. OpenBSD is a longer term goal.

Good idea tho. Thanx.

Distros (4)

electroniceric (468976) | more than 13 years ago | (#2190512)

While informative, the paper was a little above the level of reading for those of us who are uhhh "budding" security experts. I've found this problem when trying to install an intrusion detection system on my RH6.2 486 box.

Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?
Are there any distros with security tools installed by default?
Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?

Besides, if these boxen were compromised in hours, what's the point?

Re:Are Black Hats incredibly nice? (5)

Tloluvin (471275) | more than 13 years ago | (#2190514)

They _do_ use your system.

In _exactly_ the way Restil speculates.

I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, is not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives. :-)

Once a vulnerable box is found, exploitation is swift. 0wned.

And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he payed good money for is being used for. None.

The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail .. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat itself box was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?

That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.

Its the Wild West out there folks. Really.

BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this :-), then its bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.

"Let's stay safe out there."

BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my bosses boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity. :P

Constituents of the Blackhat Community (1)

SovBob (471280) | more than 13 years ago | (#2190515)

Everybody knows that the majority of people on the internet are not technically inclined (I once spent nearly half and hour explaining FTP to someone.) This is at least partially true for hackers.

Your typical blackhat is just a script-kiddie who enjoys the thrill of the forbidden fruit (anybody ever sneak out of their parent's house late at night?) Breaking and entering into an even marginally secure machine is not worth their time or else is beyond their ability.

The true threats are professional hackers. Competant, motivated, and very careful. Fortunately, they are relatively sparse in the blackhat community.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?