By Andy McCue, 27 October 2003 14:10
This is the second part of our interview with two UK hackers dryice and frixion who were implicated in testimony during a recent trial over a denial of service attack on one of the largest ports in the US. Here they reveal how businesses are still leaving themselves woefully exposed to even the most inexperienced script kiddies.
frixion, who now holds down a steady and respectable job in public sector IT, said that the sheer volume of patches that need applying in order to close the vulnerabilities, which are exposed in equally worrying volumes, is a headache for administrators.
"Take your standard Windows install for example, you need to apply dozens of patches as soon as you install it to make it even half secure. I've just taken a look at the content directory on our Microsoft Software Update Services server here at work and there are over 600Mb of security updates, some critical. Granted they're not all pertinent to a particular system, but it gives you a good idea," he wrote in an email.
And there are still plenty of familiar and common system vulnerabilities that are easily exploitable by both experienced and inexperienced hackers using freely available source code and tools on the internet, he said.
"The standard overflow techniques are still as widespread as ever. Be it heap/buffer/integer overflow, these probably make up over 90 per cent of new exploits discovered, and with so much open source and a copy of your favourite debugger, it doesn't take long to work out exactly what shellcode to send a vulnerable system."
A technique known as SQL injection is also a problem that leaves many companies exposed, according to dryice, who also now works in the IT industry. This is where information in a database can be compromised by manipulating the queries an application sends to it, often by supplying crafted input through things like HTML forms on websites.
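The following is an added example, not code from the article or from either interviewee, showing the defect behind the SQL injection problem described above and the standard fix. It uses Python's built-in sqlite3 module with a constructed in-memory users table and a constructed form-field value; the table, names and addresses are assumptions for the demonstration. The vulnerable lookup splices the form field into the SQL text, so the database cannot distinguish query structure from data; the hardened lookup binds the value as a parameter, so the same input is only ever compared as a string.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    """Build a throwaway in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect: the form field is concatenated into the SQL text, so any quote
    or keyword in it becomes part of the query the database executes."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """The fix: the query shape is fixed up front and the value is bound separately,
    so the database only ever treats the input as a string to compare against."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on an ordinary value and on a constructed hostile form
    field that closes the quoted literal and appends an always-true clause."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed hostile input for the demonstration
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_parameterised(conn, honest),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the hostile value the concatenated query becomes `SELECT email FROM users WHERE name = 'x' OR '1'='1'` and returns every row, while the parameterised query returns nothing because no user is literally named `x' OR '1'='1`. The point for an administrator reviewing application code is that the fix is structural (bound parameters or an equivalent prepared-statement API) rather than a filter on the input.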
One reason why denial of service attacks are so common is that it is so easy for script kiddies and hackers to download the tools needed to carry them out. But frixion said many could easily be prevented by more responsible action from internet service providers (ISPs).
"ISPs play a vital role in preventing denial of service attacks. It is usually very easy for administrators to apply rules to filter such attacks, for both inbound and outbound attacks. We have systems for this in place at our co-location centre, and have yet to see any of our hosted servers go down during an attack," he said.
The other option, of course, is to go with the geek and hacker's favourite operating systems of choice. frixion said that Unix and Linux have become even harder to penetrate, saying that even out of the box "most become practically impenetrable" with just a small amount of configuration.
"Gone are the days where you could just compile some readily available source and just give it an IP (that you found with your ultra-fast banner scanner) on the command line, and drop a root shell in the newest distribution of RedHat," he said.
A bigger threat facing businesses and home users, and one that anti-virus companies have been warning about for some time, is the 'blended threat' virus with a devastating payload. One security source recently told us that some of the recent attempts such as Sobig were just one step away from having a payload that would erase the victim's hard drive.
dryice said: "One of the most frightening concepts that possibly looms on the horizon, is the creation of a worm similar to Blaster/Nachi/Sobig, but with a potentially lethal payload. So far the symptoms suffered by people affected by these worms have been pretty mild, just imagine what would happen if someone made one that irreversibly deleted files or dropped database tables."
Both hackers still put the blame for breaches on those who perpetrate the crimes, and not on the businesses that fail to have adequate security.
"If you're walking down the street and see an empty car with its keys in the ignition, does that give you the right to drive away in it?"
But frixion warned that for businesses today it is a case of when, rather than if, their systems will come under attack.
"The bottom line is no matter who you are, someone will try and gain access to your system at some point in existence, and whether or not they are successful is down to you or your administrator."

Comments
There are 16 comments.
1. anonymous
Maybe that virus with a lethal payload isn't such a bad thing. Like Darwin said, the strongest will survive. If you're weak and fail to patch your system regularly then you deserve to have "NO OPERATING SYSTEM" loom from your monitor. Hey, if you fail to change your oil every 3000 miles in your car then you're begging for your motor to fail.
-CM
2. anonymous
"If you’re walking down the street and see an empty car with its keys in the ignition, does that give you the right to drive away in it?"
No, it doesn't give you the right to drive it away. But, if you leave the keys in the ignition and someone does drive your car away, who gets blamed then? You do.
Case closed.
3. anonymous
Unfortunately standard windows can be compared to a car with no locks that needs a week of fixing to be able to take the key out of the ignition. In that case I can understand the owner of the car and I would blame the manufacturer.
4. anonymous
Of course it always helps if the car manufacturer fitted door locks when the car was made, rather than have the customer fit them as an after-market add-on.
BTW Do you really have to change the oil in American cars every 3000 miles?
5. anonymous
In reference to the previous comment, I thought that Darwin said that it wouldn't be the strongest or the most intelligent that would survive, the survivors would be the ones that were most adaptable to change.
How right he was in general & his remarks are so appropriate to the current virus issues. He must have been a computer geek way ahead of his time.
6. anonymous
The locksmith who made the lock is usually the one who cracks it later, so buy an aftermarket lock to be totally secure as it was made by an independent locksmith whose engineers are honest & trustworthy...DOH
7. anonymous
Let's get some perspective, shall we?!
Hacking and spreading malicious viruses and worms etc is clearly cyber-terrorism and should be punished unequivocally as such. I walk down the street without a crash helmet on - that doesn't make it ok for some nutcase to hit me over the head with a baseball bat just because he can. I expect a degree of business freedom to exist without harassment, as I do not expect harassment walking to the shops. If you hackers are bored, find some good to do in the world, rather than spoil it for others. Grow up.
8. Jeremy Chatfield
There's a compound set of problems here, confused by multiple motives for hackers. Some want fame - defacement attacks are good for that. Some want revenge (personal, political, technological) and DoS/DDoS are good for that. Some like the intellectual challenge - beating W2K3/SuSE/whatever. Some want money.
The security industry hasn't responded well in public to the multiple types of threats. This is partly because all hackers get the same label. Anti-virus vendors still claim success based on matching thousands of viruses that have never been seen in the wild, rather than the dozens that have had real impact. But these viruses exist because Microsoft Personal Operating Systems have no notion of security. Even when MS adds a security feature (adding a popup message each time a message is locally emailed) they break it (by adding a knowledge base article on how to avoid triggering the popup - Duh!).
Microsoft still doesn't get it - I remember Gates speaking at the launch of Windows 3.11/WfW and claiming it was more secure (crashed less) - so this recent "conversion" to a security stance is less than convincing.
The writers on evolution clearly don't grok what it is. It's why MS has a problem. The multiple competing Linux/UNIX distros form an ecosystem. Microsoft has multiple competitors (W95 based, WNT based) but they share a similar design ethos. Solaris, FreeBSD and Linux don't have the same design ethos and they share genes. This makes their descendant versions more likely to produce a descendant, because they solve security issues.
You see crap about Linux systems having more security issues than an MS system. Umm, yes, in a limited way - they also offer more services out of the box. With four to six CD's worth of executable code versus the one for an MS OS, I'd expect something in the range of more than four times the bugs - because many of the projects that are represented are nowhere near final and so they *should* have bugs. They are being exposed to get rid of the problems.
The big downer on this is that you need to know what's good and what's not. That's where the distro's have value, putting together compatible sets of late generation code.
9. anonymous
It's a game between the crackers and the admins. You want in, I want to keep you out because I don't need the systems I've been slowly building up for months/years trashed. I don't mind being beaten by a real hacker who's found a genuine exploit, researched it, wrote the code for the exploit and broke into my machine. In this case, I deserve what I get, and it's up to me to try to keep you out.
What irritates me are the thousands of script kiddies using gui tools on windows, and more commonly linux (maybe a widely-available, well-developed unix clone wasn't such a good idea after all...), who can't read C much less code it, cluttering my logs, and when I do make a mistake and fail to patch a machine *the day* the patch is released, I get set up as an IRC relay, and usually cause such gross instabilities in the system it becomes unusable. Really, it's our own fault... We need to stop making our tools so god damn user friendly. It's allowed idiots and morons to cost billions of dollars a year. Then again, it keeps me gainfully employed... Onwards with the jackasses!
10. Lachek
Let's get some perspective on the perspective!
Exploring people's backyards and peeking into their windows etc is clearly terrorism and should be punished unequivocally as such.
If you marketers are bored, find some good to do in the world, rather than let your linguistic perversions take people on imaginary rollercoaster rides where everyone who doesn't think like your boss is a terrorist.
11. Cauly
"If you hackers are bored, find some good to do in the world, rather than spoil it for others. Grow up".
HEAR HEAR!
Although I agree with those sentiments generally, if those people were not out there, who would alert us to the holes? CERT? huh! I am a freeware programmer (although not a particularly good one) and I find it unbelievable how easy it is to write programs (or viruses) to manipulate the Windows OS's, all those API functions written by Microsoft (in fairness written quite well but too easy to use) to facilitate programming on the 'Microsoft' platforms, hence getting all the programmers using the MS OS's to write their programs on, and a haven for virus writers.
Another interesting angle to look at is what if Linux was the world's most widely used platform for home and business, would it still be as 'hole free' as it is now? I doubt it; the more people using the platform the more chance of retaliatory attacks on the OS, cos somebody would be cheesed off that Redhat, SUSE or whoever is making money (whether from manuals or whatever!) and want to dent their egos or get back at an ex employer!
Remember Slammer hit Linux OS not that long ago, just after it was gaining popularity with business for its Open Source alternative to MS!
Fair dos! Linux/Unix is probably the most stable OS platform but a lot of people still have reservations about using open source software just because it is free and has been written by people passionate about the OS, but most people think, well, why is it free, where's the catch?
Writing stuff on Linux is not as easy as on Microsoft cos you really need to know your stuff before getting stuck in. On MS OS's all you need is a couple of hours and Visual Basic, BINGO, virus written in a couple of hours!
Just remember programs and Operating Systems are NEVER bug free and anyone thinking they can write one bug free is living in LA LA LAND.
Let's face it, holes, bugs, viruses and patches are here to stay.
Cauly
12. John Briggs
There were some very interesting comments made by both hackers. System security should be a major concern for all users. If a car manufacturer produced cars with as many faults as Microsoft software they would have to do a recall of all faulty vehicles and repair or replace them. What makes Microsoft so special?? The Free Software Foundation and Open Source Software have got it right, why can't Microsoft? For a major software manufacturer it appears to spend more on marketing and telling everyone how wonderful their products are rather than investing in the research and development of their software. I do acknowledge that it is impossible to produce perfect software because there is always some young smart person under the horizon that will break the best software for the sheer pleasure of their accomplishment. But any brain dead person seems to be able to hack a VB script and break into a Microsoft system.
13. Kevan Chippindall-Higgin
I agree entirely with what this fellow says. Regardless of how wrong it might be, if you do leave your car in the street with the keys in it, it probably will be nicked.
To reiterate my comments of yesterday, if people are too stupid or mean to implement proper security measures, then they deserve no sympathy when it all goes wrong.
Techno vandals are here to stay. I have no idea what motivates them because they are clearly reasonably bright, but reality must be faced.
14. Knut Boehnert
Microsoft made it easier over the years to produce code for the Windows platform.
Producing good code was and is never easy but the productivity gains through the MS tools were asked/cried/begged for and developed. Now people ask that the same tools disappear because a minority misuses them.
Ahem. Please also no further car production then as well. Cars are misused and people come to harm through the misuse (speeding, drink driving etc). As such, because cars can be and are misused, _all_ of us have to stop using them. Likely? I don't think so.
The same analogy applies to writing code. Whether it is easier to write code under one platform or the other is irrelevant. At the moment Linux has an advantage on secure development because fewer people are involved and fewer development tools are in circulation.
Wouldn't you think that with all the brain power out there the same range of easy-to-use tools would exist for the Linux platform if Linux were the dominant OS? I definitely think so. And the more programs exist, the more attack vectors exist.
The one advantage Linux really has over MS is that there are more people out there knowing what they are doing and able to respond to security issues faster and better than a company needing to organise infrastructure first.
15. Leigh (frixion)
I agree entirely with Mr. "coder of many tongues".
(Comment starting "It's a game between the crackers and the admins")
16. anonymous
Yes, I agree with these dudes, and maybe, as a desktop alternative to Windows, Linux's new offerings should get more aggressive in their marketing departments....