On 18/10/10 22:38, Ralph Corderoy wrote:

Hi John,

Which type of hacker represents the highest risk to your network?

A. Disgruntled employee
B. Black-hat hacker
C. Grey-Hat hacker
D. Script kiddies

All 4 do define their ability. A kiddie with Black-hat skills is a
Black hat. There is one correct answer.

OK, I'll bite.  :-)  I'd say A, since they often exist and they've easy
access to "private" systems.

Two cases I can think of off the top of my head.  A sys. admin. employee
was cracking encrypted passwords, fair enough, helps highlight poor
passwords.  I could tell he was since some machines were slow and he
didn't hide it, e.g. argv[0].  After he left, disgruntledly, he guessed
that some of those users may use the same, non-trivial but crackable,
passwords on rented machines on the Internet and from there got access
to a database he wanted to examine.

The other one is an intern at a company, bright enough, learning his way
around Unix, decided to create, e.g. /tmp/{ls,sl} for those with a PATH
that looks in the current working directory, just to gain that user's ID
for a bit of fun with his colleagues.  Completely non-malicious, I'm
sure.  The scripts were found, their existence went upwards and across
to personnel and he was escorted off site.  Unfortunate since the
company was helping fund his way through university.  (Yes, perhaps the
company could have handled it better, but people cover their backsides.)

I've only experienced any of the others once.  Someone used a flaw in an
old Red Hat system that was still on the net.  It should have been
updated and wasn't.  That got him a root shell prompt, but I suspect he
was a script kiddie because he did little of note other than pull down a
rootkit and fail to cover his tracks.  (I was watching his actions by
then since it broke the system in an odd way.)  He removed .bash_history
and then logged out.  He should have known .bash_history is written on
exit and done `kill -9 $$'.  :-)

Cheers,
Ralph.



Correct! The book says A, and I agree. It is far easier to hack a system when you already work there!

The writing of the bash history after you have logged out was a clever move and well worth knowing (a colleague told me that in 2005 and it is something I check).

I've only had my website hacked once and that was due to an old version of Moodle which I'd forgotten about. It was a kiddie scripter as all they did was modify the index.html with "hacked by ..". I restored a backup anyway.

My home system was potentially hacked into recently. rkhunter said everything was fine but chkrootkit picked up a modified init. I couldn't find any other files associated with the trojan but Bitdefender for Unices found a couple of malware. I had someone using a proxy to access one of my websites whose DNS name was "." and therefore could not find the IP address in the logs. I'm sure by me just going to some of the proxies to find their IP addresses introduced the malware and probably lured an attack.

My advice:

1. Don't use anon proxies, especially from a Windows box.
2. Run chkrootkit and rkhunter.
3. Run a virus checker like Bitdefender for Unices (free for non-commercial use).
4. Install denyhosts and fail2ban if you are connected to the internet for SSH, HTTP etc.
5. Install OSSEC. This monitors file changes and logs, very useful, and would have picked up the init change.

John.

--
--------------------------------------------------------------
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--------------------------------------------------------------
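The intern's /tmp/{ls,sl} trick in Ralph's story only works against users whose PATH searches the current directory. As an added check that is not from this thread, here is a small POSIX sh audit (the function name audit_path is my own) that flags the PATH components which make that trick possible: empty entries, ".", relative directories, and existing directories that are world-writable.

```shell
#!/bin/sh
# audit_path: report PATH components that would let a planted /tmp/ls-style
# script run in place of the real command.
# Flags: empty components (a leading, trailing or doubled ":" means "current
# directory"), ".", relative directories, and existing directories that are
# world-writable. Prints one line per finding and returns the number found
# (0 = clean), so it can be called from a login script or a cron check.
audit_path() {
    rest="$1:"          # trailing ":" makes the loop see an empty last entry
    findings=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")
                echo "EMPTY component (searches the current directory)"
                findings=$((findings + 1)) ;;
            .)
                echo "'.' component (searches the current directory)"
                findings=$((findings + 1)) ;;
            /*)
                # Absolute path: only an existing, world-writable directory is
                # a problem, since anyone could drop an 'ls' or 'sl' there.
                # -perm -0002 (octal) is understood by both GNU and BSD find.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "WORLD-WRITABLE directory: $entry"
                    findings=$((findings + 1))
                fi ;;
            *)
                echo "RELATIVE component '$entry' (resolved against the current directory)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Check the caller's own PATH; the message appears only when something was found.
audit_path "$PATH" || echo "PATH contains risky components (see above)"
```

Note that /tmp itself is world-writable (sticky bit or not), so it is reported if it ever appears in a PATH.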

--
Next meeting:  Crown Hotel, Blandford Forum, Tuesday 2010-11-02 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
How to Report Bugs Effectively:  http://goo.gl/4Xue
