Bryan Phinney wrote:
On Saturday 21 August 2004 01:21 pm, Vincent Voois wrote:

And, since this is a Mandrake Linux mailing list, you should be aware that a
Firewall wizard is built-in that is fairly complete and very good for setting up a standard default firewall. So again, I would say that setting up Linux correctly with a firewall would be at least as easy as mucking it up.

Or by leaving it as it is. I believe Mandrake Linux is delivered with default firewall settings in a similar way to how XP's firewall is set by default (turned off).

Not necessarily damage, but opening backdoors for ways of intrusion may be sufficient. Especially if you want to hack a company server to retrieve data.

You really should qualify. On the one hand, you mention hitting company servers to retrieve data, on the other, you make assumptions about no firewalls, no monitoring, no security. If you are aware of any company that is running Linux for these types of systems and leaving them that wide open, you must be working with a lower class of enterprise than I am. Companies can afford to hire people to do things right and usually must do so. Individuals are more likely to have open phpMyAdmin setups, however, they are also much less likely to have any valuable data.

I sometimes service server hardware of small business offices and none of the inside staff has any idea how this server operates. They just switch the tapes because that's what they are supposed to do at the end of each day (as they were instructed). The real server managers are third party service companies that do remote service and support for those offices. They sometimes screw up and don't even notice it, and neither do the local users, since they haven't got a clue what's going on.

But no, most companies have their server park pretty well secured and use private IP range addresses; if they have to expose their LAN / WAN to the internet, they set up a secured VPN server.
Indeed, individuals are most likely to forget or overlook security measures, but I believe this list contains a lot of individual subscribers.


But don't forget: some individual home users have access to their company network through VPN (when enabled).
I've seen backdoor infiltrations in company LANs thanks to the laptops or private desktops of their employees that hosted the backdoor, which could infiltrate their system on a regular basis.
But this can also be covered by supplying a machine configured with a COE (Common Operating Environment).
Though the Blaster and Korgo virus (and variants) didn't care about restricted local user policies on Windows 2000 desktops with COE and thus infiltrated anyway. The same was true of Sasser, which even teased some of the unpatched desktops in our own office; they weren't infected, but the LSASS driver didn't like Sasser's intrusion attempts either. The same goes for some ACD servers which didn't seem to be patched either.
Some viruses can really cause a pain in the ass, no matter how well company backbones are protected from within their networks.
So it's pretty important to protect machines that connect from outside the network as well as the machines from within.
(Also meaning that each company should have a COE policy that no user may enter a network with a non-company desktop or one containing a self-installed OS.)




Like simple security exploits of MySQL databases (and using a non-secured phpMyAdmin environment :P, just browse Google for a "welcome to phpMyAdmin" term and find out if there are unsecured servers, you don't even need to spoof an IP in some cases).


Well, I can also google the entire net for web servers and try to find unsecured web servers as well. Suggesting this type of activity is pretty much pointless. First of all, if the unsecured server is indexed by Google, I really doubt that you will be the first one to find it. So, assuming that there is anything other than a smoking crater left, we might guess that the server is not trivially insecure, again, assuming that it is actively being indexed by Google and has had however many hundreds of visitors.
Personally, I would have been much more likely to suggest doing a port scan for MySQL databases to try to find unsecured servers, but I suppose that Google is the hacker's most understated friend in that regard. I must be out of the loop.

It was a simple example anybody can check, I do not really feel tempted to post complex hack or crack tricks, including the servers these tricks work on, on a forum like this. (Which in many cases involve hack or crack attempts on Cisco hardware that forms the first protection boundary.)
And simple portscans won't do that much on company routers either lately, since most routers and firewalls are instructed to drop the packet and not send replies.
But still, individual machines may be reachable (and there are probably many registered on this list).


In the case of a worm, the whole point is to infect and propagate. So, you have to make another leap and assume that whatever you can cause to happen is complex enough to turn off all additional protections, notifications to sysadmin, and continue to spread to other boxen.


On Linux this is harder to accomplish.

I would probably file that one into the "understatement" column.

Depending on how well the box is being protected.


I'm a moron, I had no trouble installing Linux on an average PC, working without needing to do much handwork.


Well, I rather doubt that your company would appreciate your advertising the skill levels of their field service engineers in those glowing terms, but I don't have any first-hand knowledge to contradict. However, if you have Linux up and running on an average PC without much handwork, I will say this. I have known morons, I currently know morons, and you sir, are no moron. If you would like, I could introduce you to some of the others that I know that tried to install Linux and gave up, and you might gain a whole new respect for yourself.

I don't know if it is fair to classify people with a rank based upon their success at installing or not installing Linux.
AFAIK, unsupported hardware has been one of the big barriers for newbie users to install Linux.
Your "morons" might have run into a hardware compatibility issue they couldn't resolve easily, while I did not have to do anything but insert the CD, fill in the questions as far as given and then let the system start up.
I had the same problem with Red Hat 5.2 in the past, it didn't support my graphics card since it was a bit too new for the Linux kernel that came with it.
I don't see a newbie user quickly recompiling a Linux kernel with the latest AGP driver for their graphics card just to be able to run X11, and I certainly shall never classify such a user as a moron if that is truly the case.
For me that was a true pain in the ass, considering I had to install all proper libraries to be able to at least make the compiler do what I wanted and then, second, fill in the right list of hardware that my system contained.


I'm already happy that current Linux distributions around really act a whole lot smarter since then.


Leaving it that way unattended and unconfigured (besides defaults) maybe isn't a problem for now, but when leaks become known in a later period and I, the same moron, don't pay attention to update security, my box becomes more vulnerable to certain attacks. They don't necessarily have to cause very much damage (as I said earlier).


I would be the first to admit that with all the Windows boxen that are available to all and sundry and oh, so easy to compromise, there is some level of security provided to Linux machines. Again, however, I would also venture a guess that the majority of Linux boxen, set up purely by default and with default services running, are still more secure and would be harder to compromise, and even if compromised, would be much harder to spread to others.

On that I agree in full.


However, If I were to compare a runaway skateboard travelling at 80 mph to a Volvo traveling at the same speed, in terms of safety, I doubt that I would arrive at a conclusion that they are the same because they both involve some risk. I would not classify such a statement to really be painting an accurate portrait of reality.


Which of the mobile devices in your metaphor is classified as Windows?


AFAIK, it always has been plain simple to hack a Windows platform using *NIX techniques and this is what I often do on occasion when SID tables of NT servers got so corrupted that local admin isn't able to log in anymore with the local password. (The well known Linux bootflop and its extra flop with SCSI drivers.) And it still works, whether it's NT 4.0, 2000, XP, and the local admin password hacking util even works on Windows Server 2003. Either Microsoft has this tool as part of their disaster recovery kit, or they have their eyes wide shut.

Well, in my own experience, you don't even need techniques relating to Linux, there are thousands of black hat MS tools out there that will happily perform that function for you.

Yeah, thousands of black hat MS tools, but not many of them survive updates or patches to the kernel that protects the SAM hive.
I had a tool called Locksmith coming with the Super ERD CD; well, I don't know what else it's supposed to do other than resetting local admin passwords, but it did anything except that on NT 5.0 or higher version platforms.
Nordahl's bootflop is the one I'll stick to.


Though currently there is one XP issue Nordahl's tool cannot circumvent, which is EFS-encrypted files.


> For your average hacker, web site defacement is done for fame in his community. What better way to gain fame than be the guy that took down Google, not by DoS attack that takes them down for 30 minutes, but by massive compromise on boxen that leaves them trying to clean up for years.

Yeah, it's the nightmare of any sysadmin: if it happens, how many earlier backups must he go back to undo the situation?

I wanted to point out that Linux has other security flaws than Windows and that no OS is specifically safer than the other.


And, just in case you missed the point, I was expressing my disagreement with your point. Linux, by design, in implementation, with existing security flaws, is specifically safer than Windows. Also, blanket statements like no

But I already stated Linux is safer than Windows in the first mail.

OS is specifically safer than the other is demonstrably false. Even MS

It may be demonstrable, but can you point out each security bug of each OS and compare the severity of them with each other? Though "generally" would have been the wiser choice for me to pick instead of "specifically".


doesn't advertise its products by saying that no OS is specifically safer than the other and IMO, that would be a step up for them.

MS gives demonstrations about how their OS can crash at the most undesired moments.
I still laugh about the introduction show of Windows 98 where loads of cameras captured the blue screen when the demonstrator made an attempt to do something spectacular with his laptop.



Neither system is really safe, but they get safer with each update. But every new feature also introduces new (maybe security) bugs. It's part of the development cycle that is hardly unavoidable.


Well, since the term "safe" is somewhat relative, I will just have to let that one go. In comparison terms, Linux is incredibly safer than Windows. For any number of reasons but some of which go all the way back to architecture level design decisions that were made by MS. Those types of things are not easy to fix and certainly can't be corrected in a simple update.

But the old line about Linux being just as bad as Windows and we just don't know it because Linux isn't an active or worthy target is simply MS FUD. Plain and simple. If you bought into the FUD, you really should try to educate yourself but I wouldn't expect to post that type of drivel to this list without being challenged.

I don't know if Linux is "as" bad as Windows or "as" good. At many points it is better, but it's not my goal to sum up the issues that make one better or worse than the other.


The goal was making people aware every OS has its share of security issues and some of them relate to configuration.
And it is always wise to browse documentation and see if there are any specific configuration measures that have to be taken to tighten up security (no matter which platform one is using).


I have enough experience with Windows environments and I know their flaws, but I also know how to shut down vulnerabilities, with or without help of MS patches.

With Linux, I know what to watch out for and I can secure my accounts well enough to keep visitors with unwanted desires off my box. I've not made myself aware yet of what kind of patch or upgrade method is used with Mandrake. This is currently because I don't really care. I don't have sensitive data on it and any mess-up I can recover with the initial full backup I made (and its differential, which is being updated until no configuration changes are being made anymore).
It is running and there will be no dramatic changes made.
And if it goes down because of a security flaw, I'll restore the backup and patch the hole.



