Attacking Linux

March 26, 2001, 04:12 PM —  LinuxWorld.com — 

Shortly before covering security analyst Craig Ozancin's LinuxWorld Conference & Expo session on Linux security, I wandered into the Geek Bowl quiz competition in progress. Through an odd bit of synchronicity, the two events segued rather nicely: One of the many questions the panelists blew completely was "In the movie Tron, the lead character Flynn's voice was provided by what actor?"



I told Eric Raymond we'd have to send him back to the geek reeducation camps, for missing that one. But it helped put me in the proper frame of mind for a security panel -- once you correct the movie's minor flaw of depicting the wrong side as the heroes. In a nutshell, you (the system administrator) are in the villain's role in that computerist's classic, the Master Control Program. Your problem: How do you keep out Jeff Bridges (the outside attacker)?


Sniff, sniff



Ozancin's talk dwelled at length on the methods and tools an attacker (a term he advocates over hacker) uses to select you as his target and worm his way in.


The attacker may also use specialized network-vulnerability scanners (see Resources): Nessus, the older SATAN and SAINT packages, Firewalk (which probes and identifies a network's firewall ruleset), or proprietary scanners such as Internet Security Systems' Internet Scanner and Axxent Technologies' NetRecon -- as well as checking Websites on the target network for known-exploitable CGI scripts.



Or the attacker may skip the fancy network scanners and concentrate on stealing one of your passwords. In my experience, that is the bad guys' usual way in and absurdly easy on most systems. If one of your users uses Telnet or (nonanonymous) FTP, or POP3 to reach your system remotely, the user's login name and password can be snagged with trivial effort at any point between the two machines. Alternatively, the malefactor may use as low-tech a means as shoulder surfing (watching the login as it's being typed in), or a variety of social engineering techniques. People are often astonishingly willing to give their passwords over the telephone to a stranger with a plausible reason for asking. Or they email passwords and other confidential data across the open Internet, ripe for interception.1 At the minimum, the attacker may telephone the firm to glean people's names and positions, or get that information from the company Webpages. He may then be able to predict valid usernames and try them with likely password combinations.



Then there are the truly embarrassing password techniques that amount to walking into an open, unguarded bank vault. There are still services that ship with default remote administrative passwords, as evidenced by Red Hat Software's recent Piranha gaffe, as well as sites reckless enough to use null passwords, the username as the

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!

The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!

Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace