Security

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Security

Post by byrdman » Thu Sep 23, 2004 11:06 pm

I decided to start a new topic that should get the interest of many: Security. I took a SANS class not too long ago and our instructor pretty much said if you want to be secure, format the MS and go to Linux. Even in our training material, it would have one or two pages on MS utils that would make your Windows box more secure but chapters on open-source stuff that would make your network like Fort Knox. Currently, we only have Linux machines that are accessible from the Internet. I am curious as to what everyone else has done to secure themselves. What kind of utilities have you built? What kind of network configs do you have set up?
Just being curious...

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Sep 24, 2004 6:03 am

It's sad but true about being better off formatting the M$ boxen. In the last few days I have written a couple of sniffer applications that watch M$ ISA firewall traffic (using Linux, pcap, Perl, MySQL, and PHP of course). I can pick out IP address, machine name, user name, and application executable name of any program trying to talk to an outside machine. I enter each of these things into a database with first and last seen times and have a web front end on it. You would not believe the amount of virus/adware/spyware/trojan related traffic coming from supposedly fully patched machines. It's really sad. We have a number of engineers dedicated to running around the company with pooper scoopers cleaning up the messes I detect.

We also noticed the Korgo virus floating around which means we had a number of unpatched machines. I wrote an app similar to the one I mentioned before that shows real time what machines are seen on the network that have Korgo or Netsky.Z (another one we found floating around). It's been over 2 weeks and it's still not completely cleaned up.

Yesterday some exploits were posted that, if you haven't installed the latest patches, can 0wn your Windows boxen just by viewing a trojan *.jpg file. Some virus detectors can detect it because I set ours off when testing out the exploit. :) One of the exploits posted will create a new user on your system in the administrators group. It looks like nothing more than a 1 pixel JPG in IE. This could be really bad if attached to a piece of SPAM email for instance.

Yep, fun stuff. I just keep my Linux systems updated from cron nightly and I never have a worry. You have to wear a rain coat when using M$ machines.

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Fri Sep 24, 2004 7:32 am

Would you be willing to donate your program for our benefit? Of course you would be paid by us, so it really would not be a donation...!! :D

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux » Fri Sep 24, 2004 8:00 am

I'm kinda interested in this too. I can shore up a Linux server well enough, but i'd like to hear any pointers for achieving pretty tough workstation security (using X) if you guys have any :D

I don't really mean external security though, I mean protection from local exploits and cracking.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Sep 24, 2004 8:57 am

byrdman wrote: Would you be willing to donate your program for our benefit? Of course you would be paid by us, so it really would not be a donation...!! :D

Well, the programs I have written pretty specifically require that you are running MS ISA Proxy/Firewalls and use the MS Proxy client on all your machines. If you have this setup then much of this stuff will already be logged in the ISA logs. From there you can parse up a lot of info many different ways. Unfortunately in my company I don't have direct access or control over these ISA servers. Our platform group manages these. Even more unfortunately they don't really have a clue about the interesting things they could find in the logs. I do have access to the entire physical corporate network though so I have set up a span port to watch the VLAN that all the ISA servers are plugged in to. I can pick the proxy packets off the wire and build my own database of things I am interested in. One actual nice benefit of using the MS proxy client is it adds a lot of bonus information (like the executable name on the client computer that is trying to make the connection).

Here's a nice article that explains the MS Proxy packets:

http://www.isaserver.org/articles/Under ... annel.html

So for instance, for my "appz" database I just watch for all packets talking to the ISA servers on port 1745. I then look into the packet and pick out the "Hello" packets (0x500) in the command field. I then pick out the user name, machine name, and executable name and log it to the database along with the IP address. If this entry was already in the database I update the "last seen time" field, otherwise I set the "first seen time" and "last seen time" to "now()".

There is a lot of information you can infer from browsing through this simple database depending on how you slice and dice and color code it on your web interface.

For the Korgo sniffer I look for requests in the MS Proxy packets to destination port 445 outside of our network. You can be 99.9% sure that this is Korgo or some similar virus trying to exploit machines that are vulnerable to the LSASS buffer overflow (all unpatched M$ boxen). I log the same information to another table similar to the one I mentioned above for the "appz" sniffer and view it on a PHP web page sorted by most recently seen and highlight the ones seen in the last 2 minutes. Makes spotting and fixing machines rather easy.

Of course all of this is "reactionary" and not "preventative" which is what Tux is more interested in. Preventative measures would be like keeping all machines patched daily (that can be very painful on M$), having good network policies (inbound/outbound firewall policies) and good local system security and software installation policies, etc. It's still an eye opening experience to see what is really floating around your network. I have a feeling we are just scratching the surface. It's like turning the lights on in a dark room and seeing all the cockroaches scattering. Finding boatloads of viruses, adware, spyware, etc.

I don't think there would be any problem with posting the code. There's not much to it, would just have to clean it up a little so it wouldn't be so embarrassing. :)
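To make the "first seen / last seen" bookkeeping and the port-445 filter from the two sniffers above concrete, here is an added example in Python (not Void Main's Perl/MySQL/PHP code, which is not on this page). It assumes the proxy-client packets have already been decoded into records with the fields the post names (IP, machine name, user name, executable name; plus destination IP and port for connect requests); the record layout, the internal address ranges and all sample records are constructed for the demo. The "appz" table is fed by Hello packets (command 0x500 in the real protocol) and the "virus" table by connect requests to port 445 outside the internal ranges, and the view is sorted by most recently seen with a flag for rows seen in the last 2 minutes, as the PHP page does.

```python
import sqlite3
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Two tables with the same first_seen/last_seen bookkeeping, as in the post.
SCHEMA = """
CREATE TABLE appz (
    ip TEXT, machine TEXT, username TEXT, exe TEXT,
    first_seen TEXT, last_seen TEXT,
    PRIMARY KEY (ip, machine, username, exe));
CREATE TABLE virus (
    ip TEXT, machine TEXT, username TEXT, exe TEXT, dst_ip TEXT,
    first_seen TEXT, last_seen TEXT,
    PRIMARY KEY (ip, machine, username, exe, dst_ip));
"""

HELLO_COMMAND = 0x500   # MS Proxy client "Hello" command field (from the post); decoding is assumed done
WORM_PORT = 445         # LSASS/SMB port that Korgo-style worms scan
# Assumed corporate address space; anything else counts as "outside our network".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def upsert_seen(conn, table, key, now):
    """Bump last_seen if the key exists, otherwise insert with first_seen = last_seen = now."""
    cols = list(key)                       # column names come from our own dicts, not from input
    where = " AND ".join(f"{c} = ?" for c in cols)
    vals = [key[c] for c in cols]
    cur = conn.execute(f"UPDATE {table} SET last_seen = ? WHERE {where}", [now.isoformat()] + vals)
    if cur.rowcount == 0:
        conn.execute(
            f"INSERT INTO {table} ({', '.join(cols)}, first_seen, last_seen) "
            f"VALUES ({', '.join('?' * len(cols))}, ?, ?)",
            vals + [now.isoformat(), now.isoformat()])


def is_external(dst_ip):
    addr = ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def process(conn, records):
    """Feed decoded proxy-client records into the two tables."""
    for r in records:
        who = {"ip": r["ip"], "machine": r["machine"], "username": r["user"], "exe": r["exe"]}
        if r["kind"] == "hello":                                    # command field == HELLO_COMMAND
            upsert_seen(conn, "appz", who, r["ts"])
        elif r["kind"] == "connect" and r["dst_port"] == WORM_PORT and is_external(r["dst_ip"]):
            upsert_seen(conn, "virus", {**who, "dst_ip": r["dst_ip"]}, r["ts"])
    conn.commit()


def recent_hits(conn, table, now, window=timedelta(minutes=2)):
    """Rows sorted by most recently seen; 'recent' marks the ones the web page would highlight."""
    cur = conn.execute(f"SELECT * FROM {table} ORDER BY last_seen DESC")
    cols = [d[0] for d in cur.description]
    rows = []
    for values in cur.fetchall():
        row = dict(zip(cols, values))
        row["recent"] = now - datetime.fromisoformat(row["last_seen"]) <= window
        rows.append(row)
    return rows


# Constructed sample records (not captured traffic).
T0 = datetime(2004, 9, 24, 8, 0, 0)
ACCT = {"ip": "10.1.2.3", "machine": "WS-ACCT01", "user": "jsmith", "exe": "iexplore.exe"}
ENG = {"ip": "10.1.2.9", "machine": "WS-ENG07", "user": "kdoe", "exe": "updater.exe"}
SAMPLE = [
    {"kind": "hello", "ts": T0, **ACCT},
    {"kind": "hello", "ts": T0 + timedelta(minutes=1), **ENG},
    {"kind": "connect", "ts": T0 + timedelta(minutes=3), **ENG, "dst_ip": "203.0.113.77", "dst_port": 445},
    {"kind": "connect", "ts": T0 + timedelta(minutes=4), **ENG, "dst_ip": "10.1.5.5", "dst_port": 445},   # internal SMB: ignored
    {"kind": "connect", "ts": T0 + timedelta(minutes=4), **ACCT, "dst_ip": "203.0.113.78", "dst_port": 80},  # web: ignored
    {"kind": "hello", "ts": T0 + timedelta(minutes=5), **ACCT},   # same key again: only last_seen moves
]


def run_demo(records=SAMPLE, now=T0 + timedelta(minutes=5)):
    conn = open_db()
    process(conn, records)
    return recent_hits(conn, "appz", now), recent_hits(conn, "virus", now)


if __name__ == "__main__":
    appz, virus = run_demo()
    for row in appz + virus:
        print(("** " if row["recent"] else "   ") + str(row))
```

The composite primary keys are what make the upsert cheap: one UPDATE, and an INSERT only when no row matched. The same key set is what the PHP front end would sort and colour by.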

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Fri Sep 24, 2004 11:44 am

Well, I don't run ISA, just Squid. I use SARG to filter out the logs. Works pretty good but it is not transparent, yet. Still tweaking. Unfortunately, at our company, we don't have policies about firewall/browsing/downloads, etc. Really the only policy we have is that our upper management can get email and browse the internet any time they want!! We have a pretty good perimeter as far as intrusion, but it is really hard to stop the virus, spyware, etc. Anyone have any favorite log parsers/reporting they use for squid? Good, Bad, Ugly...

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Sep 24, 2004 12:53 pm

But you don't actually do any egress filtering right? You don't block any outbound connections, or do you? I don't mean just port 80. For instance, if you were to get some Korgo variant that wasn't detected by your virus scanner because these viruses spread faster than DAT files these days would your firewalls disallow your clients from trying to infect machines in China on port 445? That's just one example. If you don't filter this sort of stuff your machines could be downloading and installing all sorts of garbage without even the user of the machine knowing about it. Worse yet, they could be sending out sensitive company information. In our environment, you don't get unfettered access to the outside world and anything that does go out is heavily scrutinized.

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Fri Sep 24, 2004 1:59 pm

Yes, we do filtering both ingress and egress, both at the FW and at our border router. We just switched our whole frame to private IP so now we have to watch even closer. That is why I am trying to get more security ideas. It shouldn't hurt to have more guards around your fence, right? Except for the fact that there are more mouths to feed. (patching)

agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Post by agent007 » Sat Sep 25, 2004 1:04 pm

Just wondering...how do the XP systems get infected? They're on an inside network right?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sat Sep 25, 2004 1:31 pm

They are Windows. They will get infected no matter where they are. If they aren't patched for things like the LSASS vulnerability then any infected machine coming up on your network (dialup, laptops, etc) will infect any other unpatched systems. This has been going on from the beginning of Microsoft and I predict will continue until the end of Microsoft. Now there is a MUCH nastier problem. A newer vulnerability will cause your machine to be owned any number of ways just by viewing a specially crafted JPEG file with an overflow and some shell code. The trojan JPEG file could be hidden on web sites or included in SPAM email messages. I was playing with one that when viewed would create a USER account in the administrators group on your WinXP machines. The exploits have been disclosed here:

http://www.k-otik.com/

worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Post by worker201 » Sat Sep 25, 2004 4:07 pm

What exactly is it about windows that allows this stuff to go on? Is it some kind of subsystem that has full control of the computer? Is it awful permissions? Or what? Viruses are going out, and even computers behind firewalls are getting them. Does windows somehow invite the viruses in?

More to the point, what about Linux makes it more secure? If worms were written to propagate to Linux machines, would they get through? Why or why not?

I'm interested in what exactly it is about windows (APIs, component integration, permissions, or some kind of messed up thing where windows /wants/ to bypass its own security measures) that makes it virus prone, and what steps the *nix community has historically (past and present) taken to prevent this from happening to itself.

Feel free to pontificate greatly, this is a topic of huge interest to me.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sat Sep 25, 2004 5:08 pm

It's actually very many things that cause Windows to be so vulnerable. First and foremost it is shoddy coding by Microsoft. Poor coding with lots of holes that don't get fixed until Microsoft decides to fix them (could take years). Very poor separation of user and system privileges. Administrators and users who don't have a clue about security (Microsoft likes to keep administrators and users clueless, that's how they sell their software).

So currently there are at least 3 or 4 major ways I can think of off the top of my head that you can get infected in Windows.

1) Through email, usually an infected attachment is executed by a user and kicks off the whole virus process. This should never, ever, ever happen for many reasons but it is probably the #1 way viruses get into corporate networks. Microsoft is mostly to blame for this although they would like to put most of the blame on the user.

2) Through a vulnerable (poorly programmed) service (LSASS buffer overflow on port 445) which viruses like KORGO take advantage of to install itself and start looking for other machines to infect via the same vulnerability, eating up all of your network bandwidth in the process.

3) This new JPEG exploit is interesting because you could be infected just by viewing a trojan JPEG either on a web site, in an email message, or a number of other ways. This JPEG doesn't have to be any more than 1 pixel that you would never even notice.

4) Poorly configured machines. It's really a shame how poor the configurations are of Microsoft machines on most corporate networks. If you work in a corporation just for grins ask the person in the cube next to you for their machine name or IP address and on your machine click Start->Run and enter:

\\MachineNameOrIPaddress\c$

Chances are you have complete access to your neighbor's hard drive and can change anything you want. Users don't have a clue that everyone in the company has access to their hard drive. Some might become outraged. So if you executed a virus in an attachment, who's to say that the virus writer might not just start going through all computers on the local network and start trashing things? Not to mention a disgruntled employee. Chances are you can remotely edit the registry on your neighbor's computer and a host of other things. Having desktop systems configured so severely insecure is partly Microsoft's fault and partly the local administration.

Microsoft operating systems are so poorly configured security wise out of the box that it takes a lot to get them properly secured to the extent that you can. Once you do get them secure it becomes a huge pain to administrate them, which is why many companies just forget about security.

The entire patching/updating process is flawed on Windows. Every time you change a windows component you really need to reapply the service packs and hot fixes otherwise you'll be running old vulnerable code.

Linux from day one was built with privilege separation, permissions, and security in mind. It uses the same model as UNIX. A user does not have permission to add, modify, or delete executable system programs. They do not have permission to change the configuration of those programs. Only the root user has the ability to do this.

You can't click on an email attachment in Linux and have it execute a program that will infect the other executable programs on your hard drive. The OS will not allow it. In fact you can't even execute a program by clicking on an attachment in any of the mailer programs I have used, just as it should be.

Linux would still be susceptible to a poorly coded service that listens on the network similar to what is mentioned in #2 above but you configure your system to have as few network listening programs running as possible, and those that you do need to keep running you should restrict to specific addresses with firewall (iptables) rules. Even for the ones that are listening, most services today do not run with root authority. Even if it was exploited it would not be able to damage the system.

Also, once an exploit is discovered it's usually patched within a day and if you have your system set up to update itself daily (which you should) then you'll be patched long before an exploit is likely to be released. With Windows you are at the mercy of Microsoft on this one. It is trivial to set up your Linux systems to keep themselves up to date with at least all the security updates. "apt" is excellent for this. Also, if you use "apt" to manage your system and you remove or add components you will be adding the latest secure version of the component. No need to reapply any service pack or hot fix.

The primary thing that makes security easier in Linux in my opinion is that everything is out in the open. Nothing is being hidden from you (ultimately right down to the source code if you need to learn more about how to secure it). I could go on and on with this subject but I have beat this thing to death so many times I'm sure there are a few other threads around here on it. There surely is an Internet load of info indexed at Google on the subject.
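The advice above about keeping as few listening programs as possible, running them without root authority, and restricting the rest with iptables rules can be turned into a quick audit. The following is an added Python example (not something from this thread or from any Fedora tool); it reads the kernel's /proc/net/tcp table, whose format is stable (hex little-endian address:port, state 0A = LISTEN, a uid column), lists listening sockets, flags the ones owned by root or bound to all interfaces, and drafts the iptables INPUT rules that would restrict a wildcard listener to assumed allowed source ranges. The excerpt below is constructed to stand in for a real host; `audit()` can be pointed at the live file with `open("/proc/net/tcp").read()`.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt (x86 byte order), not taken from a real machine:
#   row 0: sshd on 0.0.0.0:22 as root      row 1: sendmail on 127.0.0.1:25 as root
#   row 2: httpd on 0.0.0.0:80 as uid 48   row 3: an ESTABLISHED ssh session (not a listener)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A01020A:0016 CB00717A:D431 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"   # socket state code used by the kernel for LISTEN


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22). The IPv4 part is host byte order on x86."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp):
    """Return the listening sockets as dicts with ip, port and owning uid."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "uid": int(fields[7])})
    return found


def audit(proc_net_tcp, allowed_sources=("10.0.0.0/8",)):
    """Flag root-owned and wildcard-bound listeners and draft restricting iptables rules.

    allowed_sources is an assumed list of networks that legitimately need the service.
    """
    findings = []
    for sock in listeners(proc_net_tcp):
        issues = []
        if sock["uid"] == 0:
            issues.append("runs as root")
        rules = None
        if sock["ip"] == "0.0.0.0":
            issues.append("bound to all interfaces")
            # Accept from the allowed ranges first, then drop everything else for that port.
            rules = [f"iptables -A INPUT -p tcp --dport {sock['port']} -s {src} -j ACCEPT"
                     for src in allowed_sources]
            rules.append(f"iptables -A INPUT -p tcp --dport {sock['port']} -j DROP")
        findings.append({**sock, "issues": issues, "iptables": rules})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROC_NET_TCP):
        print(f"{f['ip']}:{f['port']} uid={f['uid']} {', '.join(f['issues']) or 'ok'}")
        for rule in f["iptables"] or []:
            print("    " + rule)
```

A listener bound to 127.0.0.1 is not reachable from the network at all, so it gets no firewall rule; it is only reported when it runs as root, which is the other thing the post says to avoid wherever the service allows it. The drafted rules are meant to be reviewed and placed in the existing chain order, not applied blindly.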

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sat Sep 25, 2004 8:25 pm

Regarding the ISA sniffer code, I have put it here in all its ugliness:

http://voidmain.is-a-geek.net/files/isasniffer/

Please keep in mind that I quickly hacked this together to solve an immediate problem. I think it has great potential to become something much bigger but right now it's a dirty little infant. Also, I forgot one other PHP script for viewing the virus table. The appz table script is there. I'll try and remember to get it Monday. I really hate putting this code out because it is poorly written, not well thought out and ugly. But it *does* work. :) Again, it won't do you any good if you don't use the MS Proxy client with the ISA firewall, unless you are just looking for another "Net::RawIP" example.

agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Post by agent007 » Sun Sep 26, 2004 1:04 pm

According to Microsoft, the viruses/worms are usually released after they post a patch on Windows Update. The patches are reverse engineered & the exploits are then released.

So, I think it's a chicken & egg situation.. 8)

worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Post by worker201 » Sun Sep 26, 2004 2:09 pm

Well, of course Microsoft would say that. They only say things that are in their best interests. There are no holes before the patches are released, right? :P
