Themes.org Cracked
sammoth writes: "themes.org was hacked [CT:Cracked] and replaced with a rather vulgar logo. The intruder makes some bold statements about the security, or lack thereof, on several sites." Of course I'm still in Tokyo right now, so your guess about what's happening is just as good as mine. And 5000ms ping times to the U.S. East Coast sure make posting this story tricky ;) Apparently the cracker managed to get into SourceForge and Apache.org too ... and he posted user accounts and passwords on t.o along with a rant that I haven't seen. Update: 05/31 02:40 PM by T : Here's an informative explanation on apache.org of the break-in on that site.
Re:Interesting (Score:1)
Slashdot IS an orphaned defacement.
Re:the rant that CmdrTaco mentioned .... (Score:1)
If you disable X forwarding by default (edit
ssh -X user@host.name
Why not Microsoft? (Score:1)
Re:Why not Microsoft? (Score:1)
Re:the rant that CmdrTaco mentioned .... (Score:1)
I know this guy. I remain anonymous to avoid being nailed.
Do you think this guy has something to do with the author of Fluffy the PK Chicken [savagesoftware.com.au]? Well, I didn't say he IS the guy, you choose what to believe.
The game was distributed with a trojan, and I got a copy from his site and was infected - it was a fun game to play anyway.
It was a shame; it's such a great game...and I think the Digital Tome people who hired him may not realize he used the game to distribute a trojan.
Duh (Score:1)
The other end is an SSH server, so he replaced that with something very trivial to maybe just log the decrypted passwords to a file. All in all, the weak link here was the stupid ISP. If a hacker compromises SSH then it's a rollercoaster ride since your passwords are out in the open.
Maybe it's time for tripwire?
Yet another mouth-breathing kiddie (Score:1)
Let's see: Illiterate, anonymous script kiddie who's figured out how to sniff for passwords and how to talk big on Web forums. I know I'd believe him implicitly. Wouldn't you?
And if you do, I'll be glad to spin for you a few tall tales of my own.
Re:Out come the Wolves... (Score:1)
Re:Jail time (Score:1)
Re:Jail time (Score:1)
Had I read your reply before my last set of points on that account expired, I wouldn't have felt so bad. Anyway I'll probably have some more this week; for some reason I get them almost every Friday(?), which means I only have a few hours to use them (I have better things to do on weekends than Slashdot).
Anyway I like sigs, in general, and thus don't want to eliminate all of them. However, your sig and a few others annoy me to no end.
old Apache server on Themes.org (Score:2)
link [netcraft.com]
monitoring (Score:1)
Monitoring what actually happens on the servers is the only sure way to make sure nothing is misused. Real-time tools like cylantsecure that output information based on what actually happens on the machine will let you see whether everything that the administrator does is legit. It's sorta like if you straced all the activity of the system: you would actually have the data to know if an administrator logged in and trojanned services. However, there's too much to monitor by hand, so I would recommend a tool based on measurement of the system's execution.
Currently, to really go all out monitoring you'd have a team of admins that watch every time a file is modified and every time a process is run or opens a port, or changes permission levels, but there's way too much data to handle and it's far too expensive to have such a trained team. Right now you just install the tools you need and pray for the best, and have enough constant data so you can tell when something gets fucked up.
Re:I'm more worried about the precompiled binarys (Score:1)
"What do you if you're owned" (Score:3)
Rule #2: don't give any indication that you're aware the box has been rooted before you engage rule #1.
Rule #3: Don't trust anything that might have gone through that box for a reasonable period of time. Re-password, check other machines, reinstall software, etc. Good luck.
Rule #4: Run OpenBSD and don't get rooted.
Re:The rant (Score:1)
Evil Overlord List, item #401 (Score:5)
Re:Mmm.... Infowar. (Score:2)
What do you think the chances are that what dudle is doing with Debian will work automatically with the default install of OpenBSD? IIRC the default install runs the following list of services: inetd. I think most people probably want more services running on their server than that. Also the problem with sourceforge (and probably t.o too, I haven't looked) was bad password/shared password with another system/password transmitted cleartext, which BSD certainly won't fix.
The original author was not stating that BSD wasn't more secure out of the box than Debian; he was saying that their security was similar enough that having a competent admin on a Debian server is more secure than an incompetent admin on a BSD server running the same services. OpenBSD may well be the most secure Unix on the face of the earth, but no system is so secure that it solves ignorance.
Re:sigh (Score:1)
Re:Rewarding the Hacker? (Score:1)
YES!
By rewarding the hacker and putting a little more egg on the faces of both the site owners and the authors of the software (I'm generalizing here) you are essentially forcing them to fix it.
This is what makes the software world go round. Both MS type monopolies and the 'little' guys like VA, apache and Themes.org
We as users and them as providers are better off in the long run because of it.
- Xabbu - Sysop: clockworkorangebbs.org
- Tradewars - LoRD - FidoNet and much more!
Re:Apache.org's announcement (Score:1)
Yes, but someone else clearly wasn't. What on earth was anyone doing running OpenSSH 2.2 in the middle of May? Were they doing something else so as to eliminate the known remote root exploit prior to OpenSSH 2.3.0? (said exploit having been discovered in February) If not, then they were almost asking for trouble.
This is the part that puzzles me. I'm having trouble reconciling the use of such good security practices (nightly audits that are more than just window dressing) with making the almost newbie mistake of not updating known vulnerable software. What happened here?
Re:Rewarding the Hacker? (Score:2)
I kind of wondered if this wasn't in part why attrition.org finally shut down. While they were helping to publicize problems, they also sort of encouraged the problems by giving them publicity.
Re:Out come the Wolves... (Score:2)
But on a positive note, at least it will keep the Linux zealots quiet for a week or two about how superior they think Open Source is.
Re:Out come the Wolves... (Score:2)
My point was essentially, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?
As such, in the grand scheme of things, there are far more IIS websites running commercial ops than there are Apache, so it makes sense they would be a more likely target.
It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.
Re:netcraft (Score:2)
Notice how I said SSL survey?
You missed that part, didn't you?
Re:Apache.org's announcement (Score:2)
Re:Out come the Wolves... (Score:2)
Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.
Re:Out come the Wolves... (Score:2)
Honestly I think this discussion is rather pointless in this forum. We're not talking about the quality of software, but rather sociological issues. The typical
Re:Out come the Wolves... (Score:2)
The primary goal to defacements is to have it noticed. Clearly "Hi my name is Bob" website which is likely unvisited and unmaintained is not going to get much notice.
Defacing a commercial website which obtains many hits does get noticed. The vast majority of these use SSL.
In the past several months there have been a number of worms in the Linux and Solaris worlds which have gone through and defaced probably thousands of websites. Now in these cases, the worm is non-discriminatory and attacks whatever it finds is open. In this situation, your understanding is correct.
As far as implying you're stupid, I have no need to do that. You keep responding.
Re:Out come the Wolves... (Score:3)
Microsoft has around 50% of the commercial web server space according to the Netcraft SSL survey. That's a fairly large chunk considering the next competitor is Apache with 30%.
Apache is certainly used for a lot of hosted web sites... you know the routine "Hi my name is Joe and this is my website!"
Now one could probably argue that it's easier to knock off the small websites. After all they probably aren't maintained frequently.
But on the other hand, they also aren't accessed frequently so who would notice?
Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.
Re:Slashdot under attack as well? (Score:2)
Re:All OSes are insecure... (Score:3)
In other areas of life, security isn't that big of a deal. It's easy to break into cars, it's easy to break into stores. I can deface just about any building in town if I wanted to. However, fewer people consider this allowable behavior, so you don't need the same kind of security to prevent this.
In the same way, you could probably murder entire buildings worth of people simply by putting dangerous chemicals in their air-conditioning system, because most air-conditioning systems aren't well-guarded at all. However, most people have more of a respect for life than that. On the internet, there isn't much respect for anything. So, you can either accept that you're going to get hacked, or spend all day keeping up with updates.
Re:Interesting (Score:3)
Re:Interesting (Score:3)
Some ideas for securing a public access Linux (Score:3)
We try to keep While(1).org fairly secure. Here is a general overview of our security process. It should be helpful for many novice UNIX admins.
Re:Rewarding the Hacker? (Score:4)
Why not reward the hacker by posting their conquest on Slashdot? Especially since they've proved their talent in such a benign way. And, of course, they've done the community a service by exposing vulnerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.
(I sure wish someone had cracked the Florida electoral system beforehand...)
Re:Rewarding the Hacker? (Score:2)
Cryptographic authentication does indeed improve security vastly. As long as the password / private key is SAFE then you will have no problems. The use of smart cards that include their own host processor is the way to go.
Eliminating passwords would save the world a whole lot of grief, IMHO.
Pan
Re:Mmm.... Infowar. (Score:2)
That's news to me, and I am in a group that would know.
Re:Rewarding the Hacker? (Score:2)
Caution: Now approaching the (technological) singularity.
Re:Someone should... (Score:2)
Consider this to be an official offer of bounty. Hack goatse.cx, post fluffy bunnies and a public key. I, for one, will contribute to whoever pulls it off. GO FOR IT!
-- Michael Chermside
PS: This offer is not actually intended to violate any laws.
This is why 4.4BSD invented the immutable bit (Score:4)
the rant that CmdrTaco mentioned .... (Score:2)
The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.
Well some of that is true, I mean I did trojan ssh but I did it about 5 months a go, so kudos to the admin you sir are awesome..
"What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."
hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..
After the attack, VA removed the shell service until workers could reinstall the software and data on the server.The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."
It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..
In this case, they only got into a shell server," McGovern said.
Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?
The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.
Why would they shut down other boxes, if only the shell server was hacked ?
Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
oh come now, you're just being silly..
Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..
-fluffy@#blackpanthers on efnet(the scourge of efnet)
Re:A better hack... (Score:2)
Re:My Complaint Against Slashdot (Score:2)
Re:Who modded this troll? (Score:2)
or do you not ever step outside M$'s marketing department?
Re:the conspiracy theory (Score:2)
That's classic Microsoft FUD. It has taken the US federal and state governments years and millions of dollars to take Microsoft to court, and they still don't have a decisive result. What chance does anyone else have of proving them "liable", even leaving aside the EULA's exclusion of liability?
Personally, I can run a diff of my Apache and other source checkouts against what's currently in the tree, and know for sure what's changed. I find that much more reassuring that you handwaving about "check digits".
Re:Rewarding the Hacker? (Score:5)
When it was announced that Sourceforge had been hacked, I was the only one that ventured the idea [slashdot.org] that it wasn't a technical hack, but a social one (okay, that sounds like I've got a swollen head, but the point is, most people leapt to the conclusion that it was a technical hole, rather than a social one).
Most likely, these will not be the only OSDN and related sites that get defaced - if they got into Sourceforge and Themes.org on stolen passwords, they are probably collecting passwords, looking through history files, hammering through, searching for passwords to other sites. Since it's a fairly small pool of admins that all work together, it is likely that there is some overlap between admins. Plus the odd (and stupid) admin that uses the same passwords at multiple sites.
Social engineering, stealing a password or swiping a laptop does not beneficially expose security holes unless the password was negligently left out, or the social engineering targeted somebody who shouldn't have had the password anyway. I know a large ISP (one of the, oh, say, top two) where most of the sales force knows the NT Admin password for all machines on the network. That's negligence.
Having a laptop in session get swiped at Comdex means you better know what's on that laptop (and deal with it quickly), but at that point, can just be a race. And if you leave it at a restaurant, come back the next day to pick it up, unaware that the busboy is a 133t d00d, is that negligence (in a perfect world, yes. In reality, it's a bit more fuzzy).
And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.
--
Evan
Apache.org's announcement (Score:3)
====
Earlier this month, a public server of the Apache Software Foundation (ASF) was illegally accessed by unknown crackers. The intrusion into this server, which handles the public mail lists, web services, and the source code repositories of all ASF projects was quickly discovered, and the server immediately taken offline. Security specialists and administrators determined the extent of the intrusion, repaired the damage, and brought the server back into public service.
The public server that was affected by the incident serves as a source code repository as well as the main distribution server for binary release of ASF software. There is no evidence that any source or binary code was affected by the intrusion, and the integrity of all binary versions of ASF software has been explicitly verified. This includes the industry-leading Apache web server.
Specifically: on May 17th, an Apache developer with a sourceforge.net account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced our ssh client and server with versions designed to log names and passwords. When they did this replacement, the nightly automated security audits caught the change, as well as a few other trojaned executables the cracker had left behind. Once we discovered the compromise, we shut down ssh entirely, and through the serial console performed an exhaustive audit of the system. Once a fresh copy of the operating system was installed, backdoors removed, and passwords zeroed out, ssh and commit access was re-enabled. After this, an exhaustive audit of all Apache source code and binary distributions was performed.
The ASF is working closely with other organizations as the investigation continues, specifically examining the link to other intrusion(s), such as that at SourceForge (http://sourceforge.net/) [ and php.net (http://www.php.net/). ]
Through an extra verification step available to the ASF, the integrity of all source code repositories is being individually verified by developers. This is possible because ASF source code is distributed under an open-source license, and the source code is publicly and freely available. Therefore, the ASF repositories are being compared against the thousands of copies that have been distributed around the globe. While it was quickly determined that the source code repositories on the ASF server were untouched by the intruders, this extra verification step provides additional assurance that no damage was done.
As of Tuesday, May 29, most of the repository has been checked, and as expected, no problems have been found. A list of verified modules will be maintained, and is available here: http://www.apache.org/info/hack-20010519.html
Because of the possible link of the ASF server intrusion to other computer security incidents, the investigation is ongoing. When complete, the ASF will offer a complete and public report.
The Apache Software Foundation strongly condemns this illegal intrusion, and is evaluating all options, including prosecution of the individual(s) responsible to the fullest extent of the law. Anyone with pertinent information relating to this or other related events should contact root@apache.org. Anyone from the media with further interest should contact press@apache.org.
Thanks.
Brian Behlendorf
President, Apache Software Foundation
====
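The "maybe it's time for tripwire?" suggestion above, the monitoring comment, and the nightly automated audits that the ASF announcement says caught the replaced ssh binaries all come down to the same mechanism: record what the system's files looked like before, and compare afterwards. The following is an added example, not code from any of the posters or from the ASF; it is a minimal Python version of that idea. It records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports what was modified, added or removed. The scenario in `demo()` is constructed for illustration: a fake `usr/bin` containing stand-in `ssh` and `ls` scripts, where after the baseline is taken `ssh` is replaced, `ls` gains a setuid bit, and a hidden file appears.

```python
"""Tripwire-style integrity check: take a baseline of file digests and
permission bits, then detect later modifications, additions and removals.
Added example; the directory layout and file contents are constructed."""
import hashlib
import os
import shutil
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and mode bits for every regular file under root.
    The result must be kept where an intruder with root cannot edit it
    (read-only media or another host), or the audit proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # catches new setuid bits
            }
    return baseline


def verify(root, baseline):
    """Compare the live tree with the baseline and return what changed."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, rec in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != rec:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a fake usr/bin, then simulate a
    compromise and run the audit again."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name in ("ssh", "ls"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\nexec real-" + name.encode() + b' "$@"\n')
            os.chmod(os.path.join(bindir, name), 0o755)
        baseline = build_baseline(root)
        clean = verify(root, baseline)  # nothing changed yet

        # Simulated intrusion: ssh replaced, ls made setuid, hidden file added.
        with open(os.path.join(bindir, "ssh"), "wb") as f:
            f.write(b'#!/bin/sh\n# replaced binary\nexec real-ssh "$@"\n')
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"\x7fELF")
        after = verify(root, baseline)
    finally:
        shutil.rmtree(root)
    return {"clean": clean, "after": after}


if __name__ == "__main__":
    print(demo())
```

The audit only works if the baseline and the checking tool live somewhere the intruder cannot rewrite, which is the same reason the announcement describes the follow-up verification as a comparison against the thousands of externally distributed copies of the Apache source: an external reference is the one thing root on the compromised host cannot touch.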
Re:"What do you if you're owned" (Score:5)
A better hack... (Score:5)
and then chuckle in a maniacal way as the slashdot effect works as a DOS attack on those sites...
Re:Been here, seen that (Score:2)
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:the rant that CmdrTaco mentioned .... (Score:2)
sigh (Score:2)
Viruses (Score:2)
Taco on "Crack" (Score:5)
Mmm.... Infowar. (Score:5)
Is it just me, or are these sorts of things on the rise- not only the frequency, but the profile of the target? How long until a *really* high profile, high volume portal or site such as Amazon, Ebay, or Yahoo gets 0wn3d?
It's guerrilla warfare- a war without soldiers, ammunition or human casualties. The attackers cannot be easily found, and even when they are, prosecuting them is difficult, if not impossible (extradition treaties, diplomacy, etcetera). From what I've seen, all of the major targets have been hosted on US soil- I wouldn't be surprised if many of the attackers were overseas. Firewalls don't seem up to the task, and neither do many sysadmins.
What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)? Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?
Mirror (I think) (Score:5)
Re:Interesting (Score:2)
Re:Someone should... (Score:2)
Re:Rewarding the Hacker? (Score:2)
This is the problem that was faced with the airline hijackings a decade ago. Eventually, the major news organizations agreed to report only that a plane had been hijacked: they refused to disclose by whom or their demands. Of course, with a more distributed news apparatus in the internet, this sort of thing might be more difficult today (especially considering responses like comment #33 [slashdot.org]). I suppose the only option available to us is increased airport security, so to speak.
Re:the rant that CmdrTaco mentioned .... (Score:2)
Re:Out come the Wolves... (Score:2)
Re:the rant that CmdrTaco mentioned .... (Score:2)
Re:Mmm.... Infowar. (Score:5)
That's not right! You don't get protected from viruses just by installing Norton Antivirus, you have to constantly update it, make sure you run the newest version, etc.
Securing a system requires deep knowledge about that said system. I don't know shit about OpenBSD. Do you really think I will be more secure if I were to use OpenBSD tomorrow rather than Debian that I know pretty well? I don't think so either.
Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?
Snort, logcheck and the like do help, as long as you stay up to date with BugTraq and you keep your head cool. The minute you think you are secure, you get screwed. All the tools in the world won't help you if you don't know how to use them.
So what can we do? Well here is my humble opinion:
Before you get owned
Once you realize you're owned
Re:The rant (Score:5)
apache.org and sourceforge.com those are the first places I go to get my proprietary software.
Re:Mmm.... Infowar. (Score:2)
[Insert security-is-a-process-not-a-product rant here.]
Properly engineer the interface to everything an outsider can get their hands on (parameters to cgi scripts, random services that shouldn't be running or exposed to the outside world at all, physical security, etc) and make sure you can trust your insiders.
Unfortunately it's very difficult to turn 100000 lines of crap thrown together over six weeks of all-nighters (or 1000000 lines of crap thrown together over six years) into a properly engineered system. In fact it's usually significantly easier to throw it out and start over.
Re:Mmm.... Infowar. (Score:2)
Re:Interesting (Score:3)
Re:Apache.org's announcement (Score:2)
Well, at least someone is doing their job properly, but why are people sshing to other machines only to ssh into another machine from there? Where's the point in such stupidity?
Re:the rant that CmdrTaco mentioned .... (Score:2)
You're saying that if I use a local ssh client, with X forwarding turned on, to connect to an untrusted remote sshd server, then that untrusted remote server can connect an X client back to my X server, and through that X client can run arbitrary code on my X server?
Damn. That sucks.
Is this a theoretical attack, or is this real?
Re:This is really disheartening... (Score:2)
I must say this is somewhat understated. Dude, I'm not trying to flame you here, I am way more upset by the stupidity of the Apache developer that gave up his password. So I am apologizing in advance, this is just the "right" place for my comment.
Guys with access to ASF machines should never under any circumstance feed their password into an untrusted system. With Apache running on 60%+ of the WWW it is way too fucking big of a risk. Since fluffy bunny claims s/he rooted machines at Exodus 5 months ago, the question now exists, um geez, are all my Apache boxes trojaned?.
The ASF is right to verify the integrity of their source by going back to the many many distributed copies of the source they have, however, I believe this might be an insufficient effort because the source could have been trojaned way in the past.
Re:Like it matters... (Score:2)
Re:SSH/ISP (Score:2)
SealBeater
Re:Out come the Wolves... (Score:2)
When has it ever in the past? No, this will be spun into being "proof" as to how much better Open Source is when it comes to security than Closed Source software.
The rant (Score:5)
The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.
Well some of that is true, I mean I did trojan ssh but I did it about 5 months ago, so kudos to the admin you sir are awesome..
"What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."
hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..
After the attack, VA removed the shell service until workers could reinstall the software and data on the server. The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."
It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..
In this case, they only got into a shell server," McGovern said.
Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?
The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.
Why would they shut down other boxes, if only the shell server was hacked ?
Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
oh come now, you're just being silly..
Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..
-fluffy@#blackpanthers on efnet (the scourge of efnet)
Greets to: dianora.. tsk.. squrl.. cumstud.. glitch.. snow.. dwalrus.. cotton butt.. JAIL MITNICK! / FREE THE SHDWKNGHT!!!!!
Note: I removed the /etc/passwd file at the end of this. Thought it would be nicer that way.
------------
Someone should... (Score:5)
Re:the rant that CmdrTaco mentioned .... (Score:2)
That's why there's a provision for disabling X forwarding. Other things to do to help close down the hole are having your 'ssh' X NOT connect back to your real X server, but to an XNest or mxconns [home.cern.ch] instead.
This is really disheartening... (Score:2)
I'd like to know what's broken, I wonder who else is vulnerable.
Re:Rewarding the Hacker? (Score:2)
Well, exactly how are you going to send a thumbprint when you're logging on remotely? As a binary stream...? (then it too can of course be exploited in the same way as the password).
Biometrics may work fine when you're at the physical location, but remotely.. hardly.
Rewarding the Hacker? (Score:5)
Sort of between a rock and a hard place here. We need to inform the affected users, but we do not want to reward the hacker with the notoriety they crave.
Check out the Vinny the Vampire [eplugz.com] comic strip
Re:All OSes are insecure... (Score:2)
So instead of saying that they're incompetent, consider the fact that they may be busy doing other unrelated tasks.
Re:Rewarding the Hacker? (Score:4)
And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.
As someone who designs and implements high-security access control systems for a living, I disagree that smart cards make the problem worse (and they are actually pretty smart). Yes, cards can be stolen, but in any reasonable implementation the cards perform access control on the usage of their stored secrets, requiring password or biometric authentication (actually, I'm not aware of any real-world, secure implementations that use biometrics because unless the matching is done either on the card or in another secure device that shares keys with the card, then biometric authentication is extremely weak).
Even without a second authentication factor, and even without a secure token, the use of a cryptographic authentication mechanism does vastly improve security over weak, reused and occasionally even sniffable passwords. Applying two-factor authentication, with a secure token as one factor essentially eliminates a whole class of attacks. Use of a host security module on the server is also of great benefit, making it impossible for the attacker to get at the most valuable secrets in the event they manage to compromise the server.
The tendency towards smart cards does in fact go a very long way towards solving this problem.
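The point made above, that a cryptographic authentication mechanism defeats the password-capture attack this whole story is about, is easiest to see by running both kinds of login side by side. The following is an added example written for this page, not code from the poster or from any smart-card product, and the credentials in it are constructed. It contrasts a static password (whatever the trojaned ssh client records can simply be replayed) with a challenge-response login in which the server sends a fresh random nonce and the token answers with an HMAC over it using a key that never leaves the token; a recorded transcript is useless against the next challenge, and the consumed nonce cannot be reused either. `PasswordServer`, `ChallengeResponseServer` and `respond` are names chosen for the example.

```python
"""Static password versus nonce-based challenge-response authentication.
Added example; all credentials and nonces below are constructed."""
import hashlib
import hmac
import secrets


class PasswordServer:
    """Static-secret login: the secret itself crosses the wire (stored as a
    salted hash in practice; kept plain here to keep the focus on replay)."""

    def __init__(self, users):
        self._users = dict(users)

    def login(self, user, password):
        return hmac.compare_digest(self._users.get(user, ""), password)


def respond(key, user, nonce):
    """What the token computes: an HMAC over user and nonce. The key stays
    inside the token; only this 32-byte response is sent."""
    return hmac.new(key, user.encode() + nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Issues a one-time random nonce per login attempt and checks the HMAC."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}  # user -> nonce awaiting a response

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user, nonce, response):
        issued = self._pending.pop(user, None)  # a nonce is valid exactly once
        key = self._keys.get(user)
        if key is None or issued is None or not hmac.compare_digest(issued, nonce):
            return False
        return hmac.compare_digest(respond(key, user, nonce), response)


def demo():
    """Run a legitimate login of each kind, then replay what an eavesdropping
    client would have recorded."""
    token_key = secrets.token_bytes(32)  # constructed; provisioned on the card
    pw_server = PasswordServer({"alice": "correct horse battery"})
    cr_server = ChallengeResponseServer({"alice": token_key})

    # Static password: the recorded string is the credential; replay works.
    recorded_password = "correct horse battery"
    password_replay = pw_server.login("alice", recorded_password)

    # Challenge-response: legitimate exchange, observed by the recorder.
    nonce = cr_server.challenge("alice")
    response = respond(token_key, "alice", nonce)
    recorded = (nonce, response)
    legit = cr_server.login("alice", nonce, response)

    # Replay 1: same nonce and response again; the nonce was consumed.
    replay_same_nonce = cr_server.login("alice", *recorded)
    # Replay 2: answer a fresh challenge with the old response.
    fresh_nonce = cr_server.challenge("alice")
    replay_fresh_nonce = cr_server.login("alice", fresh_nonce, recorded[1])

    return {
        "password_replay": password_replay,
        "legit": legit,
        "replay_same_nonce": replay_same_nonce,
        "replay_fresh_nonce": replay_fresh_nonce,
    }


if __name__ == "__main__":
    print(demo())
```

This closes the capture-and-replay route the SourceForge trojaned client used, but not everything: a trojaned client still sits inside the authenticated session and can issue commands as the user, which is the point made elsewhere in this thread about a compromised remote machine being able to watch everything you do. The token protects the credential, not the session that the client program mediates.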
Re:the rant that CmdrTaco mentioned .... (Score:3)
X server - what actually displays stuff, runs on your local machine
X client - program that runs on remote machine
SSH daemon - program that runs on remote machine giving you shell access
SSH client - program that runs on your local machine that allows you to connect to SSH daemon on remote machine.
Right, now we've got that clear, let's see what these programs actually allow us to do in terms of potential exploits.
SSH - allows us to run (gasp!) ARBITRARY CODE on the remote machine. Except that it runs as the user we're logged in as, which presumably will be a low enough level only to cause problems to ourself (unless there are unpatched programs). This is really only a problem if we've already got root, in which case there are already plenty of naughty things we can do.
Running an X client when logged in via SSH allows one to run X clients (ie X applications) on the remote server, but have them display on our local X server. The code is still running on the remote server, just like it is when we execute a program via SSH. Just like when we use SSH, the output from the program is sent to our screen rather than the machine it's actually running on.
So, to conclude - there is no extra security risk from running X apps remotely. The programs are still running on the remote machine, they're just displaying on your local X server.
The security vulnerability here came about because there was a cracked SSH executable on a machine which one of the Sourceforge guys then used to log in to Sourceforge. The cracker didn't go into details, but I'm willing to bet it's some ancient vulnerability that was exploited - like the portmapper one that a couple of worms have used, or a wu-ftpd issue. Or maybe something bind-related.
Hope this stops anyone from panicking unnecessarily.
--
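A check for the per-host forwarding default the post is talking about, as an added example that is not from the post or the thread: it parses an OpenSSH client config using OpenSSH's first-match rule and reports which hosts would get a forwarded display. A forwarded display gives the remote host a connection back to your local X server, which is why the default is worth auditing; the sample config and hostnames are constructed, and a command-line -X or -x still overrides whatever the file says.

```python
# Added example (not from the thread): audit an OpenSSH client config for X11 forwarding.
import fnmatch
import re

SAMPLE_CONFIG = """
Host build.example.com
    ForwardX11 yes
Host *.example.com
    ForwardX11 no
Host *
    ForwardX11 yes
"""

def parse_ssh_config(text):
    """Return (patterns, options) blocks in file order. Lines before the first
    Host line form an implicit 'Host *' block, as OpenSSH treats them."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\w+)\s*[=\s]\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            # ssh keeps the first value obtained for a keyword, so never overwrite
            blocks[-1][1].setdefault(key, value)
    return blocks

def host_matches(hostname, patterns):
    """A block applies if a positive pattern matches and no '!' pattern does."""
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))

def effective_value(blocks, hostname, keyword, default):
    """First matching Host block that sets the keyword wins (OpenSSH semantics)."""
    keyword = keyword.lower()
    for patterns, opts in blocks:
        if keyword in opts and host_matches(hostname, patterns):
            return opts[keyword]
    return default

def x11_forwarding_enabled(config_text, hostname):
    """True if a plain `ssh hostname` would forward X11 (OpenSSH default is 'no')."""
    blocks = parse_ssh_config(config_text)
    return effective_value(blocks, hostname, "ForwardX11", "no").lower() == "yes"
```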
Re:Taco on "Crack" (Score:2)
Well, your fingers weave quick minarets; Speak in secret alphabets;
Re:Rewarding the Hacker? (Score:2)
Likewise I'm very appreciative of the local youngsters, who rattle my doorknob, checking to see if there is a security hole with my house.
Or the time they jimmied the lock, showing its vulnerability to common tools, and helpfully left a note, spray-painted on my wall.
Yes indeed, where would I be without all this wonderful community service?
-----
D. Fischer
Re:Extra risk? (Score:2)
Actually, everything you are doing on a remote compromised machine can be monitored by the attacker.
Re:Taco on "Crack" (Score:5)
Remember when the word hacker used to mean someone who breaks into networks or writes code? And crackers were the ones who cracked the copy protection on software and had the "s3r1a1 #'s". They were always grouped with anarchy, virii, and wares all over the net.
Who cares if "good" and "bad" hackers are called hackers? Most people can understand who you are if you take two minutes to explain which type you are . . . people are surprisingly able to understand these things if someone explains them to them. Most people are willing to listen; just talk to them.
Like it matters... (Score:2)
I find that every change in a familiar site rubs me the wrong way, for a week or so. I try to give it a couple of months before complaining. But themes.org has been getting less usable with each update, and a couple of years later I continue to miss OctoberX's original design.
It's a shame - I used to check it out at least once a week, I downloaded a lot and contributed quite a few. But it's been months since I last looked at the site.
As long as I'm bitching, the Freshmeat facelift has been a step back for me, too. I hope the VA folks don't decide Slashdot needs improving. Better hosting (especially during the EST late afternoon/early evening) will be fine, thanks.
Unsettling MOTD at my ISP.
Re:Interesting (Score:3)
But, http://defaced.alldas.de/ [alldas.de] should have it soon.
Nuke the planet from orbit--only way to be sure (Score:3)
The big remaining questions are how many sysadmins at sites "trusted" by a compromised box should be looking for rootkits and dusting off backup CDs... and how many man-hours will it take to audit the hosted code to regain confidence that there ISN'T a backdoor somewhere...
--Ken
Re:Interesting (Score:3)
Security (Score:4)
Oh, yeah...
Re:Out come the Wolves... (Score:2)
That may be true when you're looking at the SSL survey, but overall Apache is far and away ahead of NT/IIS. Not everybody is running an e-commerce site off their web servers.
Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.
That might be true for a small number of crackers, but the overwhelming majority of sites that get cracked are victims of simple exploit-and-deface maneuvers.
Re:Out come the Wolves... (Score:2)
But that is irrelevant to this discussion. We are talking about number of overall exploits/cracks/defacement incidents as a percentage relative to overall marketshare. In that arena, MS definitely scores the highest. Period. There is no wiggling out of it by citing SSL surveys instead of overall. SSL-enabled sites are not the only ones that get exploited! Your statement regarding Microsoft's marketshare according to the Netcraft SSL survey is about as relevant here as me pointing out that the average human head weighs 8 pounds.
Re:Out come the Wolves... (Score:2)
Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.
I explained this to you once before but you didn't get it, so I will explain this to you yet again...in detail:
It may be true that SSL protected/e-commerce sites provide a more attractive target for some crackers (those who are financially motivated), but the vast majority of servers that are being cracked are not targeted for financial gain. They are simple exploit and deface tricks. They are script kiddies who want to show someone that they can exploit a well-publicized security hole and see their name up in lights.
If the majority of security breaches were in fact financially motivated or had some sort of financial component, then your excuse about MS having a higher marketshare among SSL enabled sites might be relevant. But since the overwhelming majority of security breaches are not financially motivated and are simple site defacements then obviously the "financial motivation" theory that you posit is not applicable to those cases.
Trying to insult me by implying that I'm stupid won't change that.
Re:Out come the Wolves... (Score:2)
Blah blah blah...yeah, we know. But your argument that only "hi my name is Joe sites" are the ones running Apache is somewhat flawed. Lots of commercial sites run Apache. Beyond that, there are a large number of business-oriented web sites that are not e-commerce sites. They may simply be online brochures for companies or places to find more news and information about a company (like McDonald's and Burger King, two sites that were relatively recently cracked and defaced).
It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.
And now you contradict yourself by implying that script kiddies are going out to hack commercial sites. They're not. Script kiddies are out to see their name in lights. If it's by defacing Burger King's online brochure, so be it. If it's by defacing Amazon.com and disrupting that day's transactions, so be it. The business (or non-business) purpose of the site is irrelevant.
Go research the kinds of sites that have been breached over the past year. Start at attrition.org or alldas.de and keep going. I think that you'll find that very few of them are actually big "commercial operations" (or e-commerce sites). Most of them will be companies or organizations that you've probably never even heard of.
Re:Out come the Wolves... (Score:5)
Please...the absolute last thing MS wants to do is to actually get people started comparing the number of cracked web servers between NT/IIS and anything else. Even their corporate PR droids know that NT/IIS is by far the most exploited/cracked web server combination in the world (and disproportionately so when you consider that they have such a small percentage of the web server marketshare).
This worries me... (Score:4)
That's right, any of them. After all, they're keeping very quiet about it and just about everything of OSDN's is getting cracked lately.
Whoever this is, they must have root or access to sniff network traffic. It seems like whatever they don't already have access to, they can get it.
Should you be worried? Yes. Is it overreacting? No.
We rely on these people to keep our source (relatively) secure and disclose the problems that may be occurring...
Will I be using SourceForge to store my code? No. I'll use a local box behind a firewall with no services, except a secure FTP daemon, allowed.
If nothing else, at least keep a local backup, as many people don't seem to be doing this. They may have even installed a trojan into the box to insert code into the applications.
Or maybe even a trojaned build of 'make.'
You never know...
Re:Taco on "Crack" (Score:2)
That's when you slap the bitch and tell her to shut the fuck up, and that if she fucking listened she might fucking learn something once in a while.
She sounds like a great catch, someone you can really talk to about anything...
Me? I occasionally call myself a hacker, and if someone doesn't 'get it', I explain to them the difference between white hats and black hats, and that hackers are like Jedi.
I am, however, a cracker (as in chickenshit whiteboy) hacker.
Cracker? Fuck no. Sites do get cracked, but the act is still hacking.
"ScriptKiddie" is appropriate for a lot of defacements tho, as many of the people that deface sites just use r00t kits and never actually do any work or have any real knowledge.
Mr. P3n1z.
Low Moral Fiber (Score:2)
Re:Anyone have a mirror of the hack? (Score:2)
a lot of info there...
31337 = Alienated, angry teenager who compensates for voids in his/her life by making him/herself believe that s/he is 'elite' (a good way to fight an inferiority complex, and an obvious lack of ability to commit her/himself to meaningful relationships). In other words: a boring pissed off teenager who craves attention because nobody listens to him/her.