They might not have hacked the planet, but a group of blackhat crackers armed with rootkits and dictionary attacks taught some seasoned Unix admins that sloppy NFS configuration, unpatched systems, and weak user passwords are an open invitation, no matter what OS the host is running.
Sometimes, when things are slow around Roundup Ranch, we pop some popcorn, curl up on the sofa, and enjoy select scenes from the best movie about computer security ever: “Hackers.” Does it get any better than when our rag-tag band of hackers … er … crackers take to the streets and hack The Gibson? Not for our money. “Hack the planet!” dudes.
Back in the real world, last week, a small and intrepid band of blackhats hacked the planets of as many as 20 supercomputing installations. If the post-mortem offered up by Stanford University, which was one of the victims, is any indication, the hack required little more than a few compromised accounts and a venerable and common piece of password auditing software that the victims should have been using in the first place.
Oh, right: They also took advantage of known vulnerabilities in Linux and Solaris as well as systems configured to use Network File System (NFS) in a deliberately insecure manner. In other words, it was a fairly routine cracking run, noteworthy mainly because it was so widespread and targeted a grid computing project that would have given the blackhats serious firepower for a denial of service attack.
The incident was so humiliating that the Washington Post reports admins working on the case have promised to not name all the institutions involved for fear that the victims will try to hide from the media.
That’s probably par for the course. We’ve seen a few compromised sites in our day, and the first reaction from those involved is usually to clam up so no one ends up looking bad. What got our dander up about this particular situation, though, was one comment from a Stanford Security Officer:
“This incident is definitely giving us an opportunity to re-evaluate the maintenance and protection we provide to our Unix systems … When you’re completely focused on widespread attacks on Windows systems, it’s certainly startling.”
So even when Microsoft isn’t to blame, it’s somehow to blame: We’re all so distracted by Code Red, Nimda, Slammer, and whatever else that we can’t be bothered to patch our Unix boxes. And to think just last week we said the Paradigm Wars were over.
None of us are perfect when it comes to keeping up on our patches. Few of us are willing to put up with the pushback from users when we institute password policies that involve enforced periodic password changes, or install software that ensures users choose secure passwords. Almost every Unix graybeard, confronted with the need to move files from one server to another, has probably cheated and relaxed security on an NFS share just “that one time.” We know one Unix admin who was shocked to realize an NFS server he inherited was not only sharing files for his local users, but was also a voluminous warez site for someone in Denmark who took advantage of its open permissions.
If that security officer, who was “startled” that sloppy NFS configuration, unpatched systems, and weak user passwords allowed the blackhats to get inside the wire, is any indication, there’s a frightening amount of complacency in the Unix world about just how secure things really are.
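The “just that one time” NFS relaxation described above is easy to audit for. What follows is an added example, not code from the original column or from Stanford’s post-mortem: a small Python script that parses /etc/exports-style text and flags the settings an admin is most likely to have loosened in a hurry (world-readable exports marked rw, no_root_squash, the insecure port option, and entries that rely on implicit defaults). The exports content is a constructed sample; the option names are the standard exports(5) keywords.

```python
"""Audit an /etc/exports file for commonly loosened settings.

Added example (not from the page). Parses exports(5)-style lines of the
form  <path>  <client>(<opt>,<opt>)  <client>(<opt>)  ...  and reports
findings as (path, client, issue) tuples.
"""

# Constructed sample exports file for the demonstration (not a real host).
SAMPLE_EXPORTS = """\
# constructed sample exports file
/export/home    *(rw,no_root_squash)
/srv/data       192.168.1.0/24(rw,sync,root_squash)
/pub            *(ro,sync)
/scratch        10.0.0.5(rw,insecure)
/tmp/share      *
"""


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file.

    Comments and blank lines are skipped.  A client given with no
    parenthesised option list yields an empty options list; a bare path
    with no client at all is treated as exported to '*' (exportfs warns
    about this form and assumes all hosts).
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            yield path, "*", []
            continue
        for spec in clients:
            client, _, rest = spec.partition("(")
            opts = [o.strip() for o in rest.rstrip(")").split(",") if o.strip()]
            yield path, client or "*", opts


def audit_exports(text):
    """Return a sorted list of (path, client, issue) findings.

    Issues flagged:
      world_writable    - exported read-write to every host ('*')
      no_root_squash    - a remote root user keeps uid 0 on the export
      insecure_ports    - server accepts requests from unprivileged ports
      implicit_defaults - no options given; behaviour depends on the
                          server's defaults rather than the admin's intent
    """
    findings = []
    for path, client, opts in parse_exports(text):
        if not opts:
            findings.append((path, client, "implicit_defaults"))
            continue
        if client == "*" and "rw" in opts:
            findings.append((path, client, "world_writable"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        if "insecure" in opts:
            findings.append((path, client, "insecure_ports"))
    return sorted(findings)


def report(text):
    """Human-readable summary of the audit; returns the number of findings."""
    findings = audit_exports(text)
    for path, client, issue in findings:
        print(f"{path:<16} {client:<18} {issue}")
    print(f"{len(findings)} finding(s)")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_EXPORTS)
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; the point of the sorted tuple output is that it can be diffed between runs, so a share that was loosened “temporarily” shows up the next time the audit is run.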
A certain euphoric reaction is not unusual the first time a former Windows admin realizes she has far fewer chances of unwittingly running some sort of malware on her Unix system. We also believe experienced professionals are well-aware of the need to set that euphoria aside because they know the security advantages Unix confers aren’t so much bulletproof armor as they are speed bumps that fail in the face of bad management and undisciplined users.
That said, the Stanford post-mortem offers a useful collection of Unix security tips, including how to detect some rootkits once they’re installed, how to enforce better password choices, and how to look for suspicious activity. We can’t think of a better opportunity to set aside hubris and benefit from someone else’s hard-gained wisdom.
» Too late for last week’s edition, Sun announced a Solaris 10 beta release. The new release allows users to try out Sun’s N1 Grid Containers. It also includes support for Sun’s V20z and other Opteron servers, and Sun’s UltraSparc IV processors.
» The CEO of Green Hills Software made some waves when he singled Linux out as vulnerable to, er, Communist takeover because of its open source nature. “Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems,” he fumed. As long as they don’t change everyone’s mail signature to “Hack the planet!”
» Red Hat announced it is the first Linux vendor to attain Internationalization Runtime Environment Certification from the Free Standards Group. What this means: Red Hat’s product runs in a wide variety of localized languages.
» SCOWatch: There really wasn’t any SCO news this week, which, in and of itself, qualifies as news.