[ubuntu-uk] Phishing and linux
I'm not sure what to make of comments about phishing sites I came across here

http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/

as follows:

These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said. With every single phishing site [Washington Mutual has] shutdown, not one person was aware that their machine was compromised and used for phishing. That includes university servers and company servers and personal PCs and all sorts of things.

More interesting is that most of the compromised machines were not Windows machines. The vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes, which was rather startling. We expected a predominance of Microsoft boxes and that wasn't the case.

Any thoughts?

--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Phishing and linux
> I'm not sure what to make of comments about phishing sites I came across here
>
> http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/
>
> as follows:
>
> These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said. With every single phishing site [Washington Mutual has] shutdown, not one person was aware that their machine was compromised and used for phishing. That includes university servers and company servers and personal PCs and all sorts of things.
>
> More interesting is that most of the compromised machines were not Windows machines. The vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes, which was rather startling. We expected a predominance of Microsoft boxes and that wasn't the case.
>
> Any thoughts?

You missed the next line off your quote:

This pleased Microsoft's head of Silicon Valley PR, who served as a conference sponsor.

Hmmm
Re: [ubuntu-uk] Phishing and linux
Martyn wrote:
> > I'm not sure what to make of comments about phishing sites I came across here
> >
> > http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/
> >
> > as follows:
> >
> > These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said. With every single phishing site [Washington Mutual has] shutdown, not one person was aware that their machine was compromised and used for phishing. That includes university servers and company servers and personal PCs and all sorts of things.
> >
> > More interesting is that most of the compromised machines were not Windows machines. The vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes, which was rather startling. We expected a predominance of Microsoft boxes and that wasn't the case.
> >
> > Any thoughts?
>
> You missed the next line off your quote:
>
> This pleased Microsoft's head of Silicon Valley PR, who served as a conference sponsor.
>
> Hmmm

Yes, that does make one suspicious. However, does the fact that M$ would be pleased with the outcome mean that it's not true that 'the vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes'?

Assuming they aren't just lying, it could be sampling error - perhaps their sample contained more Linux boxes than M$ boxes to start with. Or it could be that there simply are more Linux machines in those parts of the internet that are more likely to be attacked (more accessible? more attractive? I don't know enough about rootkits to have any idea why this might be). Or it could be that Linux boxes are more susceptible to this kind of attack than we assumed (although, again, I don't know enough to guess why). There may be other explanations.

I hope we can just assume this is FUD. Does anyone more familiar with server security have any consoling thoughts?

Mac
Re: [ubuntu-uk] Phishing and linux
Hi,

On Wed, 2007-10-03 at 09:05 +0100, Mac wrote:
> I hope we can just assume this is FUD. Does anyone more familiar with server security have any consoling thoughts?

AIUI most compromised Windows boxes are due to user error, people not installing patches or firewalls on their Windows desktops and laptops.

AIUI most compromised Linux boxes are due to user error, people not installing patches for server apps and scripted applications on their Linux servers.

Do we see a pattern here?

At one point, he said, the bank spent a month as the largest phishing target in the country, and in fighting this ongoing problem, it has shutdown countless phishing sites surreptitiously installed on countless machines across the net.

Phishing sites are AIUI most often installed on compromised server class machines. The bit that does the real damage is the bot that spits out a zillion spam mails containing the link to the server, through potentially compromised servers, but also predominantly through desktops.

If their specification during this witch-hunt was to look at the server space for compromised machines then _of_ _course_ they will find Linux boxen - as we know Linux is popular in the web/mail server space. These were possibly running dodgy old copies of apps like drupal and phpbb with naffed up xmlrpc implementations.

Let's see the same test done against desktops and laptops shall we?

Cheers,
Al.
Re: [ubuntu-uk] Phishing and linux
Mac wrote:
> I hope we can just assume this is FUD. Does anyone more familiar with server security have any consoling thoughts?

I seriously hope that we DON'T assume this is FUD.

I think that Alan has summed up the key issue nicely.

Anyone who goes around saying "Linux is secure, Windows isn't" is, I'm afraid, setting themselves up for a MASSIVE egg-on-face incident.

What we CAN say is that Ubuntu contains a good set of tools to keep machines secure that are free. You don't need to worry about installing three different update packages, each with a monthly subscription fee.

M.
Re: [ubuntu-uk] Phishing and linux
Mac,

On Wed, 2007-10-03 at 07:22 +0100, Mac wrote:
> I'm not sure what to make of comments about phishing sites I came across here
>
> http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/
>
> as follows:
>
> These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said. With every single phishing site [Washington Mutual has] shutdown, not one person was aware that their machine was compromised and used for phishing. That includes university servers and company servers and personal PCs and all sorts of things.
>
> More interesting is that most of the compromised machines were not Windows machines. The vast majority of [the phishing sites] we saw were on rootkit-ed Linux boxes, which was rather startling. We expected a predominance of Microsoft boxes and that wasn't the case.

It's not clear to me from the article what was meant by 'machines used for phishing'. There are two aspects, the machines used to send out the millions of e-mail messages for the initial phish and then there is the machine used to host the fake WEB site.

I would suspect that the first was on M$ desktop systems. We have certainly seen such compromises at my University in this respect and it is down to users not installing patches, firewalls etc.

With the second, the result is not surprising. If I was setting up a fake WEB site I would look for a machine that is already running a WEB server and has plenty of bandwidth. Such machines are more likely to be Linux/Unix.

I've seen plenty of Linux boxes get compromised. It's usually because a user's password has become known to the hacker or it's been a poor WEB app (phpbb was well known for this). In both cases, the hacker has to do some work to break into the machine, but that is probably worth it given what he/she may get from the phishing site.

I would not conclude from this, though, that M$ is more secure than Linux! I think the millions of M$ machines that get infected with bots etc., far outweigh the number of Linux boxes used to set up phishing sites!

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [EMAIL PROTECTED], H: http://www.man.ac.uk/Tony.Arnold
Re: [ubuntu-uk] Phishing and linux
Alan Pope wrote:
[snip]
> AIUI most compromised Windows boxes are due to user error, people not installing patches or firewalls on their Windows desktops and laptops.
>
> AIUI most compromised Linux boxes are due to user error, people not installing patches for server apps and scripted applications on their Linux servers.
[big snip]
> If their specification during this witch-hunt was to look at the server space for compromised machines then _of_ _course_ they will find Linux boxen - as we know Linux is popular in the web/mail server space. These were possibly running dodgy old copies of apps like drupal and phpbb with naffed up xmlrpc implementations.

Mark Harrison wrote:
[snip]
> Anyone who goes around saying "Linux is secure, Windows isn't" is, I'm afraid, setting themselves up for a MASSIVE egg-on-face incident.
>
> What we CAN say is that Ubuntu contains a good set of tools to keep machines secure that are free.
[snip]

Tony Arnold wrote:
[snip]
> It's not clear to me from the article what was meant by 'machines used for phishing'. There are two aspects, the machines used to send out the millions of e-mail messages for the initial phish and then there is the machine used to host the fake WEB site.
[snip]

Al / Mark / Tony

I'm consoled! I guessed the sample of machines examined might be biased; and I should have remembered that most security breaches are due to bad practice by users regarding updates and patches.

But I also now appreciate the distinction between compromised machines that generate the spam and compromised web servers. As Tony points out, the article conflates the two types (though whether the conflation is due to the reporting or the original is hard to say.)

Anyway, many thanks for the clarifications.

Mac
Re: [ubuntu-uk] Phishing and linux
Hi

Mac wrote:
> I hope we can just assume this is FUD. Does anyone more familiar with server security have any consoling thoughts?

My guess would be:

Lots more Linux servers than Windows ones, probably lots that don't have system security patches applied[0] and lots and lots and lots and lots and lots of PHP code running on them which is even less likely to be getting security love :/

[0] MS are getting very good at annoying people into installing updates. Most Linux server installs don't even try to make you install updates.

Cheers,
--
Chris Jones
[EMAIL PROTECTED]
www.canonical.com
Re: [ubuntu-uk] Phishing and linux
> My guess would be:
>
> Lots more Linux servers than Windows ones, probably lots that don't have system security patches applied[0] and lots and lots and lots and lots and lots of PHP code running on them which is even less likely to be getting security love :/
>
> [0] MS are getting very good at annoying people into installing updates. Most Linux server installs don't even try to make you install updates.

Don't forget.

Linux is free. Anyone can get a copy of Linux and put a web server up on the internet, it doesn't cost anything so anyone can have a go.

Windows servers cost a lot of money. On the whole, the only people putting Windows servers up on the internet are people (who to some extent) work in IT and are supposed to know what they're doing.

Wouldn't that create some difference in how well the servers are looked after?

Chris
Re: [ubuntu-uk] Phishing and linux
Hi

Chris Rowson wrote:
> Linux is free.

modulo hardware costs, of course.

> Wouldn't that create some difference in how well the servers are looked after.

It's entirely plausible, yes :/

Cheers,
--
Chris Jones
[EMAIL PROTECTED]
www.canonical.com
Re: [ubuntu-uk] Phishing and linux
Chris,

On Wed, 2007-10-03 at 11:45 +0100, Chris Rowson wrote:
> > My guess would be:
> >
> > Lots more Linux servers than Windows ones, probably lots that don't have system security patches applied[0] and lots and lots and lots and lots and lots of PHP code running on them which is even less likely to be getting security love :/
> >
> > [0] MS are getting very good at annoying people into installing updates. Most Linux server installs don't even try to make you install updates.
>
> Don't forget.
>
> Linux is free. Anyone can get a copy of Linux and put a web server up on the internet, it doesn't cost anything so anyone can have a go.
>
> Windows servers cost a lot of money. On the whole, the only people putting Windows servers up on the internet are people (who to some extent) work in IT and are supposed to know what they're doing.
>
> Wouldn't that create some difference in how well the servers are looked after.

It might do, but I think the argument works both ways. I once heard a security person say that the problem with Windows Server was that it was so easy to install, a monkey could do it and unfortunately, thousands of monkeys did! (He was talking about Windows 2000). BTW, it was Fred Beaumert from Microsoft who said it. If you get the chance he is worth listening to!

On the other hand, installing a WEB server on Linux requires a certain amount of knowledge/nous! It's certainly not plug and play!

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [EMAIL PROTECTED], H: http://www.man.ac.uk/Tony.Arnold
Re: [ubuntu-uk] Phishing and linux
Mac wrote:
> I'm not sure what to make of comments about phishing sites I came across here
>
> http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/
>
> as follows:
>
> These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said.

Ged Byrom wrote:

What's the chance of being taken over by these things?

How can I check for root kits on Linux?

Ged.
Re: [ubuntu-uk] Phishing and linux
Hi Ged,

On Wed, 2007-10-03 at 18:50 +0100, ged wrote:
> What's the chance of being taken over by these things?
>
> How can I check for root kits on Linux?

On a desktop/laptop client slim, very slim. On a server running popular web applications, somewhat higher. On a system running out of date popular web applications, or other applications that require external connectivity inbound with an open firewall, even higher still.

It's a real piece of string thing.

There are tools to check for rootkits and you can also enable some log watching programs to see when people attempt to intrude. Both are somewhat academic, because once you have found a rootkit or detect that you have been compromised the general consensus is that you should wipe the machine and start again. Trying to find and remove compromised pieces on a system, and then certify confidence it isn't compromised any more is not something I (or many other admins) would do.

Cheers,
Al.
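The log watching mentioned in the reply above, as an added example that is not part of the original thread: a shell function that scans sshd lines in an auth.log-style file for password guessing, and for the worse case of a successful login from a source that had been guessing. The function names, the threshold and the sample log lines (reserved documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines are constructed and the
# addresses come from the reserved documentation ranges.
sample_auth_log() {
cat <<'EOF'
Oct  3 09:01:10 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Oct  3 09:01:12 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct  3 09:01:15 web1 sshd[2215]: Failed password for deploy from 203.0.113.7 port 40131 ssh2
Oct  3 09:01:19 web1 sshd[2217]: Failed password for deploy from 203.0.113.7 port 40144 ssh2
Oct  3 09:01:24 web1 sshd[2219]: Accepted password for deploy from 203.0.113.7 port 40150 ssh2
Oct  3 09:05:02 web1 sshd[2301]: Failed password for alice from 198.51.100.23 port 51515 ssh2
Oct  3 09:05:09 web1 sshd[2303]: Accepted password for alice from 198.51.100.23 port 51520 ssh2
EOF
}

# scan_auth_log LIMIT   (reads the log on stdin)
# Prints, sorted:
#   GUESSING <ip> <failures>                     source with >= LIMIT failed passwords
#   LOGIN_AFTER_GUESSING <ip> <user> <failures>  that source then logged in, so
#                                                treat the account as compromised
scan_auth_log() {
  awk -v limit="$1" '
    # These sshd lines end "... from <ip> port <n> ssh2". Counting fields from
    # the end keeps an unusual username from shifting where the IP is read.
    NF < 6 || $(NF-4) != "from" { next }
    / sshd\[[0-9]+\]: Failed password for / { fails[$(NF-3)]++; next }
    / sshd\[[0-9]+\]: Accepted password for / {
      ip = $(NF-3)
      if ((ip in fails) && fails[ip] >= limit)
        print "LOGIN_AFTER_GUESSING", ip, $(NF-5), fails[ip]
    }
    END {
      for (ip in fails)
        if (fails[ip] >= limit) print "GUESSING", ip, fails[ip]
    }
  ' | LC_ALL=C sort
}

# One mistyped password followed by a login (alice) stays below the limit.
sample_auth_log | scan_auth_log 3
```

On Ubuntu the sshd messages are written to /var/log/auth.log, so a real run is `scan_auth_log 5 < /var/log/auth.log`.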
Re: [ubuntu-uk] Phishing and linux
On Wed, 2007-10-03 at 18:50 +0100, ged wrote:
> Mac wrote:
> > I'm not sure what to make of comments about phishing sites I came across here
> >
> > http://www.theregister.com/2007/10/03/ebay_paypal_online_banking/
> >
> > as follows:
> >
> > These things are incredibly sophisticated, and when they take over a computer, most [users] don't know it, he said.
>
> Ged Byrom wrote:
>
> What's the chance of being taken over by these things?

Slim, if you take all the usual precautions. Firewall, security patches, keep passwords safe etc.

> How can I check for root kits on Linux?

There are two packages: chkrootkit and rkhunter.

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [EMAIL PROTECTED], H: http://www.man.ac.uk/Tony.Arnold