Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
Date: Fri Jan 16 2004 - 18:49:25 CST
> > It can actually drive me mad to see how many Linux users entirely trust in
> > their assumption that they're more secure by default simply because they
> > don't run a Windows system.
> A Linux user running a default installation of a modern Linux distribution
> *IS* more secure by default than someone running a default installation
> of Windows XP.
Read again - I didn't actually say it wasn't. My point is rather the blind
trust in that, assuming a certain invincibility due to the fact they're
running something else.
> Modern Linux distros don't run many (or even any) services by default,
> and they usually implement packet-filtering firewall rules. WinXP does not.
Yeah, I agree, but that was also a pretty steep learning curve and a lesson
that e.g. Redhat had to learn the hard way. I believe in 2001 Redhat 6.2 had
more severe security alerts than w2k.
Microsoft seem to learn this lesson too, only it takes a lot longer and they
appear not to see why things like DCERPC are generally bad. However, when
you look at w2k3, you see things like a (yeah, canary based) stack execution
protection and in terms of services, they've sort of turned away from their
"just switch it all on by default" policy.
> With Windows, you have no choice but to do that, because there's very
> little open-source software available for Windows.
You're right. But again, I wasn't claiming anything else, I was just
shrugging at the fact that a lot of Linux folks do the exact same thing
without even the faintest second thought, *despite* having the ability to do
> > ELF infectors do exist, and just because it's not quite so common, doesn't
> > mean it doesn't happen.
> But unless you run as root, it's not possible to infect system binaries
> (without also exploiting a local root hole.) The barrier to entry is
> simply higher in *NIX than Windows.
Erm, have to disagree here. Of course you can't manipulate system binaries
without root privileges, but there's a lot of things you can do as a normal
unprivileged user already. Plus - now I'm just throwing in my biased opinion
derived from pen test practice - once you're a local user on a Linux system,
you very often somehow manage to escalate privileges.
> > Also - wild theory - I'd say that people are less
> > likely to notice a malware infected Linux box than a Win32 one, simply
> > because of blind trust.
> I strongly disagree. People expect Windows boxes to be slow, cantankerous
> and crash-prone.
Haha, I knew this would provoke somebody :) Oh, and yes, they are slow,
cantankerous and crash-prone.
> When a Linux box starts acting wonky, people notice
> immediately. One of my servers started going nuts the other day,
> and I noticed very quickly. (It was a bad hard drive, not an attack,
> but still...)
The point is, if you start fiddling around with Win32 in Ring 0, you're very
likely to fuck the system up for good, since it's really flakey. With Linux
(or a lot of other given Unices), kernel interfaces are better documented
and easier accessible, ironically leading to more stable rootkits and
backdoors, so your box won't behave flakey (unless you're the dumb kid that
ran suckit on the Debian boxen).
> I didn't say that. I said that if our colocation server got compromised,
> it wouldn't compromise our work machines (which are on another network.)
Well yeah, but that's a question of reasonable network design, not OS
> > It's what you do with it, how you handle it, and how much you assume.
> Look, I'm sorry, there are fundamental flaws with Windows that make
> it practically un-securable.
Can we get a bit more specific here? Off the top of my head, I can think of
- Shatter attacks
- named pipe impersonation
The other usual attack vectors (which I agree are plenty) can be fixed if
you have a clue about Windows, which unfortunately a lot of Windows people
*don't*. That, to me, is the biggest problem: People run it without even
having the slightest clue about the risks and attack vectors they're exposed
to, not even mentioning the lack of knowledge of how to fix them.
This problem is definitely more present in the Windows world, since people
tend not to know their systems as well as the usually more enthusiastic and
in-depth technical Unix folks.
> Linux has its bugs, but they are *bugs*, not
> *design flaws*. So-called "security experts" who don't admit that are
> doing a disservice to everyone.
Oh well. Actually neither Linux nor Windows were built to be secure
operating systems. One could even go so far and name the concept of SUID
binaries and root's omnipotency a design flaw. You can implement RBAC
through SELinux or whatever, but still, I wouldn't qualify Linux as such as
a highly secure OS. Neither Windows, naturally.
Let me sum up quickly what I was originally trying to state:
Linux/Unix people often seem to have a false sense of security simply due to
the fact that they're running something other than Windows, which even my mum
knows has problems with ubiquitous malware.
The sheer fact you're running something other than a Microsoft operating
system doesn't make you secure. Basta la pasta.
I've written a lot more than I wanted. Sorry. I don't want these mails on
the list, so please reply in private if you want to :)