On Thu, 6 Jul 2000, Karyn Ulriksen wrote:
Do you think that the car thief scenario comes into play here? Maybe an alarm system won't *really* keep a determined thief from stealing a car, but isn't he more likely to move on to something easier?
It didn't stop mosthateD, who missed his day in federal court because he was in jail for burglary of a house and auto theft. This kid is the one who gets labeled as the most infamous hacker of recent times. All he did was deface a few websites and talk trash on IRC. That's another story entirely.

Seriously though, your argument is a decent one. Hardening systems and networks against attack is a great idea, and it's been talked about many, many times before. It never seems to catch on, though. How many OSes out there are proactive about their security? It's certainly not Windows, and to a large extent it's not the people building the userland side of Linux systems, though there are two or three projects designed to build a secure Linux userland. The OpenBSD project seems to do a hell of a job building secure systems, as do the NetBSD folks, and to some extent I'm sure FreeBSD benefits from that work as well, though I am less familiar with their security structure. A really nice bunch of guys, though.

As a prime example, when I started running Linux back in 1994, just about every Linux installation came with almost every service in inetd.conf turned on and no TCP wrappers. Lots of boxes were installed with exploitable services, and there was no distribution security list announcing that a newer version or a fix was available. You were on your own to watch Bugtraq and keep abreast of what might come up, and there were a lot of people who did not read Bugtraq to keep up with security issues. Legacy boxes from installations several generations back can still be found in production with exploitable holes. And it wasn't just the various Linux distributions of the time: Solaris, SCO, HPUX, IRIX and BSD/OS had similar problems, though the commercial vendors at least had a system for dealing with these issues.
But as most of us know, it was not uncommon for vendors to sit on bug reports until the floodgates were open and the exploit code was widely available and being used before things were fixed. Still, you had recommended patch clusters you could install that fixed a decent chunk of problems, just like we have today. And my, how times have changed. Or do they really change at all? While most vendors are pretty good at dealing with security issues now, they still occasionally sit on bugs until they cannot be sat on any longer.

With the emergence of the Linux start-ups, we've seen individual distributions develop their own security groups to handle problem software, but that's reactive security. Distributions no longer come with the mentality that you're generating a "do-everything" server, which was a big step in improving the security of Linux. You can now pick what kind of install you want and prune or add software to tailor the distribution as you like. However, what happens when the NT admin who was just given his first copy of RedHat installs everything on the new web server, because he may need something and doesn't want to have to mess with it once it's installed? Wow, now he's running BIND, sendmail, ftpd, telnetd, and lord knows what else on his web server. It certainly increases the chance that one of those services can be broken to compromise the system.

What the internet needs is proactive security. And, unfortunately, that's not in the business model of a lot of people, from the multi-million dollar .com start-ups to the mom and pop ISP. Even in places where it is in the business model, there isn't necessarily adequate clue available to understand what's needed to effectively implement a security policy. This is the reason we still have places with firewalls getting hacked.
Each new security product positions itself as the alpha and omega of computer security, and there are a lot of business folks out there who believe the marketing slicks. Unfortunately, security is a continual process, not one or two actions. More importantly, there is no magic "security in a box" out there. No one product is a panacea.

I believe it really boils down to two root problems: lack of clue and laziness. Most intrusions can be stopped by following the generally accepted security basics set forth by just about any organization, from SANS to your vendor. Turn off any service you don't need. (This includes IIS. Given its security history, you really don't need it.) Simply turning off services like RPC or BIND on machines that don't need them to function will stop most script kiddies in their tracks, and it certainly limits your vulnerability to outside attacks. Then you just have to check yourself by watching your vendors' lists or Bugtraq for problems with what you are running. This one step is included in just about every vendor's or interest group's security checklist, and it's ignored more times than it's not.

I've seen many people make the mistakes I talk about. I've made many of them myself when I first started out in this field, and even over the years. And, for all the good that free software has done (I am a firm believer in free software), it has also allowed lots of people to write some of the worst code imaginable. While it's plausible that there is peer review going on, who's to say the people reviewing the source have any better idea? It seems that the majority of the source code audits are being done by the gray/black hats, with a few stunning white-hat examples like The l0pht and the OpenBSD project out there. Furthermore, it's a modern-day Dodge City out there.
People are roaming free with "weapons", firing them at will, with very little chance of prosecution unless you can claim a decent amount of damage and the investigation is successful in tracking down the culprit with all the evidence being handled properly. The unwritten rule is that if you're talking less than six figures in damage or the theft of national security secrets, the FBI doesn't really want to hear from you. It's not because they don't care; it's just that they already have too much to do. And I'm sure it's hard to keep talent on an FBI salary when the .com world is willing to pay talented people. I don't expect there's going to be a Wyatt Earp coming along anytime soon to tame things, and with the global nature of the Internet, it's quite possible that it may never happen. You stand a better chance of getting a judgement in civil court than relying on the penal system, especially when dealing with anything outside the US.
And, yes, I do understand the mentality of the "bigger challenge". But I've been able to identify the true source of a forged packet and filter it, knowing that they could switch to attacking from another IP. However, I think only once or twice out of thirty or so incidents over the past few years have they come back anytime soon from anywhere else.
Karyn
Sorry for the soapbox dissertation. __ joseph
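The thread's recurring advice is to prune inetd.conf down to the services a box actually needs and to front the rest with TCP wrappers. The following is an added example, not code from either poster: a small POSIX sh audit of a constructed inetd.conf (the sample entries, the function names and the choice to treat `tcpd` and `internal` as "wrapped" are all my assumptions, not anything stated in the message). It lists the enabled services, flags the ones that are launched directly rather than through tcpd, and produces a copy of the config with the unwanted entries commented out.

```shell
#!/bin/sh
# Audit and prune a classic inetd.conf. Added example; the sample config
# below is constructed for illustration and is not from the original thread.
#
# inetd.conf columns: service socket proto wait user server args...
SAMPLE_INETD_CONF='# service socket proto wait   user   server               args
ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd       in.telnetd
#shell  stream tcp nowait root   /usr/sbin/in.rshd    in.rshd
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
echo    stream tcp nowait root   internal
pop-3   stream tcp nowait root   /usr/sbin/tcpd       ipop3d'

# active_lines: drop comment and blank lines, leaving only enabled entries.
active_lines() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)'
}

# enabled_services: names of every service inetd would actually start.
enabled_services() {
    active_lines "$1" | awk '{ print $1 }'
}

# unwrapped_services: enabled services whose server program (field 6) is
# neither tcpd nor inetd's own "internal" handler, i.e. no hosts.allow /
# hosts.deny check happens before the daemon sees the connection.
unwrapped_services() {
    active_lines "$1" | awk '$6 !~ /tcpd$/ && $6 != "internal" { print $1 }'
}

# disable_services CONF SVC...: print CONF with each named service commented
# out, so the hardened file can be diffed against the original before install.
disable_services() {
    conf=$1
    shift
    for svc in "$@"; do
        conf=$(printf '%s\n' "$conf" | sed "s/^\($svc[[:space:]]\)/#\1/")
    done
    printf '%s\n' "$conf"
}

# Stand-alone run: report, then show what a web server with no need for
# ftp, finger or the echo test service would keep.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    echo "Enabled services:"
    enabled_services "$SAMPLE_INETD_CONF"
    echo "Enabled but not behind tcpd:"
    unwrapped_services "$SAMPLE_INETD_CONF"
    echo "Hardened config:"
    disable_services "$SAMPLE_INETD_CONF" ftp finger echo
fi
```

On a live system the same functions can be pointed at the real file with `enabled_services "$(cat /etc/inetd.conf)"`; anything they list that the box does not need is a candidate for the comment character, and anything left in the "not behind tcpd" list should be re-pointed at tcpd so hosts.allow and hosts.deny get a say before the daemon does. Remember to HUP inetd after editing, and to check the result against what is actually listening rather than trusting the file alone.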