Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
One of the problems of having up-to-date backups is the prevalence of online backup solutions out there. The problem, Russell, is that if an organization has online backups, and a cyber criminal gets ransomware injected, the modern ransomware can reach out over the Internet and destroy the backups. I've seen this happen. It is also SOP for ransomware to destroy local backups, so if an org has a "jukebox tape changer" or NAS or disk array, that's the very first thing targeted. Only air-gapped, local backups are secure from a ransomware attack IMHO, and too many orgs think local backups are passé, or they use NASes that are a jumbo "just a bunch of dumb disks" online, or USB attached disks, etc.

Remember, if the backup media is not physically disconnected from the network it can be targeted and destroyed. If it can be turned off by software it can be turned back on by software.

The author of the original Star Wars movie was right - where Ben Kenobi had to go to the actual tractor beam transfer switches and physically put them out of commission, so that the controllers in the Death Star sitting at a console couldn't just switch the tractor beam back on. It's funny to me how such obvious knowledge in computers, dating from 47 years ago when it went into a popular movie, is lost on the modern IT manager. But no doubt they are assured they are secure by some AI-bot, à la Microsoft Bob. LOL

Ted

-----Original Message-----
From: PLUG On Behalf Of Russell Senior
Sent: Saturday, January 13, 2024 12:40 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica

It is a pet peeve of mine the kind of vulnerability journalism that seems to predominate today, which is all about the DANGER and not about modality or mitigation. You have to read far into the article (if it is there at all) to get any idea of what the vulnerability actually is and whether you are actually vulnerable, how to tell, and what you should do about it.

Another good example is journalism around ransomware. To me, no story about ransomware should omit the kind-of-obvious mitigation of having up-to-date backups, and yet I NEVER see that mentioned.

Just yesterday, I heard a story about cybersecurity that cited the huge number of "attacks" happening daily on the Internet. Probably (WAG) 95% by volume are brute force password guessing against ssh services. I see them a lot in my own logs of public facing machines, but at the rate passwords are being tried, my math suggests it will take many centuries to guess a decent password. Answer: have a decent password.

--
Russell Senior
russ...@personaltelco.net

On Thu, Jan 11, 2024 at 12:29 PM Russell Senior wrote:
> TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys.
>
> On Thu, Jan 11, 2024 at 12:13 PM MC_Sequoia wrote:
>> "For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.
>>
>> The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver [record-setting distributed denial-of-service attacks](https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/) that [paralyzed](https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/) key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates."
>>
>> Article link - https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/
>>
>> Sent with [Proton Mail](https://proton.me/) secure email.
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
And/or use password-protected keys, disable passwords on the ssh service, require 2FA, and/or temporarily block IPs that are trying to guess passwords. You can also set up ssh key expiration dates via the authorized_keys file. `man sshd` for details.

Regards,
- Robert

On Sat, Jan 13, 2024 at 1:40 PM Russell Senior wrote:
> I see them a lot in my own logs of public facing machines, but at the rate passwords are being tried, my math suggests it will take many centuries to guess a decent password. Answer: have a decent password.
>
> --
> Russell Senior
> russ...@personaltelco.net
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
This is similar to reports that determine how secure a given software platform is based on the total number of CVEs reported for that platform. Such numbers never take into account the severity of the exploits or how quickly a patch was released.

I think a lot of what you described has to do with our elitist-guided implementation of capitalism. The "Expert" (read: person who knows how this stuff works) is never the "Decision Maker". Instead the person deciding what we spend time working on is operating under the assumption that they are smart because they graduated from some Ivy League university. Truth is that they are probably just of average intelligence and are no more competent than the barista at your local Starbucks... They only know how to act on quantifiable data, without any of the technical expertise required to understand what those numbers actually mean. They also don't know where to obtain said data and are easily tricked into accepting falsified numbers. So it all ends in Death by Powerpoint.

Case in point, the CEO of Walgreens issued an apology not that long ago for bad decision making. After a bunch of videos of people shoplifting went viral on social media, he reacted by beefing up security due to a perceived increase in theft. Turns out, this had no measurable effect since there was no real increase in theft at Walgreens; it was a small number of incidents that fall within normal rates that got pumped up into a bigger thing. Sooo the pattern of behavior is this - CEO acts out of fear because he is too stupid to recognize that social media does not equal reality. That same fear response applies to cybersecurity.

-Ben

On Saturday, January 13th, 2024 at 12:40 PM, Russell Senior wrote:
> It is a pet peeve of mine the kind of vulnerability journalism that seems to predominate today, which is all about the DANGER and not about modality or mitigation. You have to read far into the article (if it is there at all) to get any idea of what the vulnerability actually is and whether you are actually vulnerable, how to tell, and what you should do about it.
>
> Another good example is journalism around ransomware. To me, no story about ransomware should omit the kind-of-obvious mitigation of having up-to-date backups, and yet I NEVER see that mentioned.
>
> Just yesterday, I heard a story about cybersecurity that cited the huge number of "attacks" happening daily on the Internet. Probably (WAG) 95% by volume are brute force password guessing against ssh services. I see them a lot in my own logs of public facing machines, but at the rate passwords are being tried, my math suggests it will take many centuries to guess a decent password. Answer: have a decent password.
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Thu, Jan 11, 2024 at 12:29 PM Russell Senior russ...@personaltelco.net wrote:
> > TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys.
> >
> > On Thu, Jan 11, 2024 at 12:13 PM MC_Sequoia mcsequ...@protonmail.com wrote:
> > > "For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.
> > >
> > > The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver record-setting distributed denial-of-service attacks that paralyzed key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates."
> > >
> > > Article link - https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/
> > >
> > > Sent with Proton Mail secure email.
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
It is a pet peeve of mine the kind of vulnerability journalism that seems to predominate today, which is all about the DANGER and not about modality or mitigation. You have to read far into the article (if it is there at all) to get any idea of what the vulnerability actually is and whether you are actually vulnerable, how to tell, and what you should do about it.

Another good example is journalism around ransomware. To me, no story about ransomware should omit the kind-of-obvious mitigation of having up-to-date backups, and yet I NEVER see that mentioned.

Just yesterday, I heard a story about cybersecurity that cited the huge number of "attacks" happening daily on the Internet. Probably (WAG) 95% by volume are brute force password guessing against ssh services. I see them a lot in my own logs of public facing machines, but at the rate passwords are being tried, my math suggests it will take many centuries to guess a decent password. Answer: have a decent password.

--
Russell Senior
russ...@personaltelco.net

On Thu, Jan 11, 2024 at 12:29 PM Russell Senior wrote:
> TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys.
>
> On Thu, Jan 11, 2024 at 12:13 PM MC_Sequoia wrote:
>> "For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.
>>
>> The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver [record-setting distributed denial-of-service attacks](https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/) that [paralyzed](https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/) key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates."
>>
>> Article link - https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/
>>
>> Sent with [Proton Mail](https://proton.me/) secure email.
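Russell's "my math" above, worked through as an added example (not code from the thread): it pulls failed-password attempts out of sshd log lines, derives the guessing rate from their timestamps, and turns that rate into the expected time to hit passwords of three strengths. The log lines, hostname and addresses are constructed, and the 72-symbol alphabet and 10,000-word list are assumed sizes.

```python
"""Estimate how long the password-guessing rate seen in sshd logs would
need to hit a password of a given strength (constructed sample data)."""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style sshd lines for illustration; not real log data.
SAMPLE_LOG = """\
Jan 13 12:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 13 12:40:03 host sshd[2102]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 13 12:40:09 host sshd[2103]: Accepted publickey for russell from 198.51.100.7 port 40022 ssh2
Jan 13 12:40:12 host sshd[2104]: Failed password for invalid user ubuntu from 203.0.113.5 port 51240 ssh2
Jan 13 12:40:31 host sshd[2105]: Failed password for root from 198.51.100.9 port 60001 ssh2
Jan 13 12:41:01 host sshd[2106]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Timestamps of failed password attempts and a per-source-IP count."""
    stamps, sources = [], Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog stamps carry no year; that is fine for deltas within one window
        stamps.append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
        sources[m.group("ip")] += 1
    return stamps, sources


def attempts_per_second(stamps):
    """Observed guessing rate over the window the sample covers."""
    span = (max(stamps) - min(stamps)).total_seconds()
    return len(stamps) / span if span > 0 else float(len(stamps))


def expected_years(keyspace, rate):
    """Mean time to a hit: half the keyspace searched at the observed rate."""
    return keyspace / 2 / rate / (365.25 * 24 * 3600)


def estimate(log_text):
    stamps, sources = parse_failures(log_text)
    rate = attempts_per_second(stamps)
    return {
        "attempts": len(stamps),
        "rate_per_s": rate,
        "top_source": sources.most_common(1)[0],
        "random12_years": expected_years(72 ** 12, rate),  # 12 chars, 72-symbol alphabet
        "lower8_years": expected_years(26 ** 8, rate),     # 8 lowercase letters
        "wordlist_years": expected_years(10_000, rate),    # one of 10k common words
    }
```

The contrast between the last three figures is the point: at the rate the sample shows, even a short random password outlasts the guesser, while a dictionary word falls in hours, so the per-source count is also what a temporary block list would key on.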
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
Contrary to the often repeated "use only ssh key login, disable passwords" - I find the act of copying ssh keys all over my portable devices a rather insecure action to take. Also, I consider using a corporate owned pc as a last resort backup for logging in. I really dislike the idea of putting any of my personal stuff on there, especially login keys.

Just food for thought,
-T

On Thu, Jan 11, 2024, 18:08 MC_Sequoia wrote:
> "TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys."
>
> Indeed, and this is probably obvious and easy for high level users, but not everyone is, and also there might be folks who've set up rsync and/or use scp with simple passwords for ease of management, or might have taken over admin of legacy systems that haven't been documented well and they might not be aware of all connections and their configurations.
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
"TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys."

Indeed, and this is probably obvious and easy for high level users, but not everyone is, and also there might be folks who've set up rsync and/or use scp with simple passwords for ease of management, or might have taken over admin of legacy systems that haven't been documented well and they might not be aware of all connections and their configurations.
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
On Thu, 11 Jan 2024, Russell Senior wrote:
> TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys.

Or, if some local operations rely on passwords but you want remote users to use keys instead, then add a Host stanza to sshd_config, e.g.,

    # most of sshd_config here, then at the end, altering the
    # cidr block as necessary
    PasswordAuthentication no
    PermitRootLogin no

    Match Address 192.168.30.0/24
        PasswordAuthentication yes
        PermitRootLogin yes

--
Paul Heinlein
heinl...@madboa.com
45°22'48" N, 122°35'36" W
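As an added check, not part of Paul's post: a small Python model of how sshd applies the stanza above, resolving which PasswordAuthentication and PermitRootLogin value a client from a given address would get. It understands only Match Address with CIDR lists (no wildcards, negation or other criteria), and the config text is a constructed copy of the stanza.

```python
"""Which PasswordAuthentication / PermitRootLogin an sshd_config would apply
to a given client address: a simplified model of sshd's Match Address."""
import ipaddress

# Constructed config text following the stanza in the post above.
SSHD_CONFIG = """\
# most of sshd_config here, then at the end, altering the
# cidr block as necessary
PasswordAuthentication no
PermitRootLogin no

Match Address 192.168.30.0/24
    PasswordAuthentication yes
    PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Split a config into global settings and ordered Match Address blocks.
    Simplification: only CIDR lists after 'Match Address' are understood
    (no wildcards, negation or other criteria); keywords are case-insensitive."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.replace("\t", " ").partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            criterion, _, addrs = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError(f"unsupported Match criterion: {criterion}")
            nets = [ipaddress.ip_network(a.strip(), strict=False)
                    for a in addrs.split(",")]
            current = (nets, {})
            blocks.append(current)
        elif current is None:
            global_settings[keyword] = value
        else:
            current[1][keyword] = value  # keywords after a Match line belong to it
    return global_settings, blocks


def effective_setting(config_text, client_ip, keyword):
    """sshd rule: the first satisfied Match block that sets the keyword wins,
    otherwise the global value applies (None if the keyword is never set)."""
    global_settings, blocks = parse_sshd_config(config_text)
    ip = ipaddress.ip_address(client_ip)
    key = keyword.lower()
    for nets, settings in blocks:
        if key in settings and any(ip in net for net in nets):
            return settings[key]
    return global_settings.get(key)
```

On a real host the authoritative check is `sshd -T -C addr=<client-ip>`, which prints the configuration sshd itself would apply for that source address.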
Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
TL;DR, this is using password guessing. Solution: use better passwords or turn off passwords altogether and use ssh authorized_keys.

On Thu, Jan 11, 2024 at 12:13 PM MC_Sequoia wrote:
> "For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.
>
> The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver [record-setting distributed denial-of-service attacks](https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/) that [paralyzed](https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/) key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates."
>
> Article link - https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/
>
> Sent with [Proton Mail](https://proton.me/) secure email.
[PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica
"For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.

The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. Mirai came to light in 2016 when it was used to deliver [record-setting distributed denial-of-service attacks](https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/) that [paralyzed](https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/) key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates."

Article link - https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/

Sent with [Proton Mail](https://proton.me/) secure email.