On Wed, 26 Jun 2002, Alvin Oga wrote: > >hi all > >if an attacker got in ... as a user .... game over... they got in ??? > - question is what damage can they do as "user" ...
that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was using standard security practice at that point, it's just for convenience's sake, the user had a few things screened, including a rootshell, probably because of the traditional Conventional Wisdom of not permitting any remote logins of root. I find this kind of ironic in another sense, as Dug Song is the author of a Man in the Middle tool that works against older SSHes.... >if an attacker get in the same way as root... game is really over... >as they now have complete control of yoru machine.. > - i prefer to disallow root logins... > >( assumption in the above is that they can get in thru an existing >( vulnerability .. either as root or a user .. > >-- patch the original vulnerability .... fix it first ... > worry about the "follow-me around folks" later ... > ( like those in the van outside your home/office listening > ( to the wireless connections... This "wisdom" is where things start to fall flat. The only successful security approach is layered--don't run unnecessary services, patch things immediately, use strong authentication wherever possible, and maintain strict separation of privileges via ACLs, capabilities, or other methods. other layers can include external things like IPSEC, switched networks, firewalls, and such. The most obvious rule here is don't rely on any one layer. Your above statement really relies on the patch vulnerabilities layer, which means you violated the obvious rule. >c ya >alvin > > >On Wed, 26 Jun 2002, John Galt wrote: > >> >> That's how monkey.org got taken over--they SCREENed a su, and the attacker >> reattached it after getting as user via EPIC... >> >> On 26 Jun 2002, Christian Egli wrote: >> >> > >> >Simon Kirby <[EMAIL PROTECTED]> writes: >> > >> >> Using "su root" later is worse than just logging in as root with a key. >> > >> >I cannot understand why using "su root" later would be worse. Can you >> >enlighten me? >> > > -- FINE, I take it back: UNfuck you! Who is John Galt? [EMAIL PROTECTED], that's who! -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]