

Re: [LUG] budget cuts


On Fri, 22 Oct 2010, tom wrote:

We can still run pretty secure web services tho...

I don't want to burst your bubble, but ...

Do not for one moment think that hackers/criminals/thieves see a server, find out that it's Linux, then leave it alone. On the contrary, they probably attack Linux servers more often than any other type.

Right now there is a plague facing VoIP operators - something called sipvicious - it's a SIP hacking tool and it's not a nice one. However, to run it, you need the ability to execute code on a server (it's written in Python). There seems to be no shortage of such compromised servers. At any point in time at least one of my customers is under attack from sipvicious. There are 1000s of compromised servers running sipvicious right now - all because someone, or some company (for there is evidence that some dodgy telcos are using it) wants to steal free calls.


In addition to the kernel and user-land code, servers, etc. are only as secure as the applications running on them. Hackers the world over are constantly probing web sites, looking for vulnerabilities - more so when the site is running an off-the-shelf application - e.g. wordpress, drupal, phpBB, phpMyAdmin and so on.


Over the years these applications have been poked, probed and abused. I doubt there has been a single project that's not had a vulnerability at some point - something that would allow a remote hacker the ability to upload and execute code. Once they have remote code execution ability, it's only a few steps to getting root - or at least trying.

Even custom applications aren't immune - one client wrote what they thought was a secure web contact page - it wasn't and was abused.

Simon's earlier comment about rootkits was only the tip of it all. I've seen a Linux server 'rooted' in such a way that the programs that were substituted looked like their originals - how to check? Well, you md5sum them and check against a known un-rooted server - but what if md5sum has been compromised and recognises the programs it is checksumming and reads the real checksum out of a file? Well, a rootkit that does that does exist, so there are some clever people out there.

If you think that's new, then read this:

  http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php


"We" run pretty secure web services because we're aware of what goes on, and we have the tools to (hopefully) detect and fix things before they get out of hand - part of that toolset is open source software, so "we" the community can inspect the tools for vulnerabilities and hopefully patch them when they're found - hopefully much faster than a behemoth of a closed source software company...

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
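The baseline-comparison check Gordon describes (hash the binaries, compare against a known un-rooted server), as an added example that is not part of the original post or any project it mentions. The function names, the manifest format (the `HASH  PATH` lines that md5sum/sha256sum print on the clean host) and the demo file are my own assumptions; the caveat from the post still applies, which is why the hashing is done in-process rather than by calling the host's md5sum, and why it should be run from trusted media when a rootkit is suspected.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'HASH  PATH' lines as printed by md5sum/sha256sum on the clean host."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, path = parts
        manifest[path.lstrip("*")] = digest.lower()   # '*' marks binary mode
    return manifest

def compare_manifests(baseline, current):
    """Classify every path as modified, missing, or unexpected (not in baseline)."""
    result = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in baseline.items():
        if path not in current:
            result["missing"].append(path)
        elif current[path] != digest:
            result["modified"].append(path)
    result["unexpected"] = sorted(set(current) - set(baseline))
    return result

def check_host(baseline, algo="sha256"):
    """Hash each baseline path on this host and compare against the baseline.
    hashlib is used instead of the host's md5sum, but a kernel-level rootkit can
    still lie to open()/read(), so run this from trusted boot media."""
    current = {p: hash_file(p, algo) for p in baseline if Path(p).exists()}
    return compare_manifests(baseline, current)

if __name__ == "__main__":
    # Constructed demo: a clean copy of a "binary", then a trojaned replacement.
    with tempfile.TemporaryDirectory() as d:
        binary = Path(d) / "ls"
        binary.write_bytes(b"original ls binary\n")
        baseline = {str(binary): hash_file(binary)}
        binary.write_bytes(b"trojaned ls binary\n")
        print(check_host(baseline))  # lists the path under "modified"
```

The baseline manifest is produced on the known-good machine and carried over read-only; anything reported as modified or missing is a candidate for the kind of substitution described above.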