[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 22/10/10 09:09, Gordon Henderson wrote:
But those problems exist now - and taking away a users control of the application removes 99.9% of possible attacks - and 90% of 'computer administration'. The same lax approach to computing has been adopted by many admins as well. You can set up a machine that cant be rootkitted without physical access quite easily - or you save a couple of pounds a month and loose that privilege. Its your choice - but you can be pretty secure if your prepared to make a little effort. You just have to make sure people follow sensible procedures - which may involve lying to management. You wont ever get rid of all vulnerabilities but you can mitigate most and keep an eye out for all others with defensive programming.On Fri, 22 Oct 2010, tom wrote:We can still run pretty secure web services tho...I don't want to burst your bubble, but ...Do not for one monent think that hackers/criminals/thieves see a server, find out that it's Linux, then leave it alone. On the contrary, the probably attack Linux servers more often than any other type.Right now there is a plague facing VoIP operators - something called sipvicious - it's a SIP hacking tool and it's not a nice one. However to run it, you need the ability to execute code on a server (it's written in Python). There seems to be no shortage of such compromised servers. At any point in time at least one of my customers is under attack from sipvicious. There are 1000's of compromised servers running sipvicious right now - all because someone, or come company (for there is evidence that some dodgy telcos are using it) want to steal free calls.In addition to the kernel and user-land code, servers, etc. are only as secure as the applications running on them. Hackers the world over are constantly probing web sites, looking for vulnerabilities - more-so when the site is running an off-the-shelf application - e.g. wordpress, drupal, phpBB, phpMyAdmin and so on.Over the years these applications have been poked, probed and abused. I doubt there has been a single project that's not had a vulnerability at some point - something that would allow a remote hacker the ability to upload and execute code. Once they have remote code execution ability, it's only a few steps to getting root - or at least trying.Even custom applications aren't immune - one client wrote what they thought was a secure web contact page - it wasn't and was abused.Simon's earlier comment about rootkits was only the tip of it all. I've seen a Linux server 'rooted' in such a way that the programs that were substituted looked like their originals - how to check? Well, you md5sum them and check against a known un-rooted server - but what if md5sum has been compromised and recognises the programs they were checksumming and read the real checksum out of a file? Well, a rootkit that does that does exist, so there are some clever people out there.If you think that's new, then read this:http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php"We" run pretty secure web services because we're aware of what goes on, and we have the tools to (hopefully) detect and fix things before they get out of hand - part of that toolset is open source software, so "we" the community can inspect the tools for vulnerabilities and hopefully patch them when they're found - hopefully much faster than a behemoth of a closed source software company...Gordon
Tom te tom te tom -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq