On Sat, Jun 23, 2001 at 10:39:38AM -0400, Greg Kettmann wrote:

> Hello Greg, and Welcome. Coincidentally my name is Greg as well.
> My advice to you is to get your machine OFF THE INTERNET. I've no
> doubt the following will get lengthy and that it is flame bait,
> however it is based on what I've learned from this very mailing
> list. Because of what I've read on this list I've stopped using
> Linux with the exception of a server, protected by a firewall.

Linux can be a great firewall. And Windows is NOT any more secure. In fact, unless you're running Windows 2000 with all the hotfixes and service packs, it's MUCH harder to secure. Pretty much impossible, actually. The combination of Internet Explorer and MS-Outlook, as installed by default, is enough to give a script kiddie total control of your Windows machine (and may or may not require some action on the part of the user).

> After the first breach, when my machine was caught port scanning I
> tightened my security, closing all services (FTP, Telnet, etc.) and
> put up an IPChains script that I thought would keep God out. The
> logs indicated a rank amateur (they had built themselves an ID) so I
> deferred reformatting and rebuilding the machine until after Easter
> (my only real free time is on Sunday, the next Sunday was Easter).
> Big mistake.

Several of us emphasized then, and I'll reiterate now, THAT IS NOT ENOUGH. You MUST disconnect your machine and reinstall it from known good media IMMEDIATELY. Most root kits install back doors, some of which initiate the connection ON YOUR END. Most people do not block any outgoing connections from their own machines. Your ipchains script won't help you, in that case.

> They did absolutely nothing to try to help me find the intruder, and
> most on this list seem to think that appropriate. I don't agree.

Not only is it the appropriate action for MediaOne, it's the ONLY one they have, as several of us have explained.
They do not have access to your machine, without which identifying the attacker is COMPLETELY AND UTTERLY IMPOSSIBLE. PERIOD. Even if you gave them access, it's still extremely difficult, and odds are there won't be a thing they can do about it even if they find them, since many, many of these attacks originate from countries like Russia and China. Good luck going after those guys.

And from their perspective, YOU are the problem. YOU have made their network less secure, by not properly securing your machine, even after they informed you of the problem. That is how they will and MUST look at it. Otherwise, they may be held liable for your inaction.

> The general consensus is that if you're not willing to spend several
> hours a week maintaining your machine, then it shouldn't be on the
> Internet. Reports abound, even on dial up connections, of going on
> line and immediately being probed for vulnerabilities.

And that's true REGARDLESS OF WHAT OS YOU RUN. Unfortunately, because Linux is more powerful, the damage that it can do, and that can be done to it, can be much greater than some other desktop OSes, depending on what you install on them. But other OSes are NOT invulnerable! If you use networking programs on those machines, especially ones that provide services, like Windows shares, ftp servers, IRC servers, Windows Personal Web server, or what have you, your machine becomes an easy target. Note also that if you are a dial-up user, you do not have the benefit of having your NetBIOS traffic filtered (like MediaOne customers do, by their cable modem), so any shares you may have will be visible to ANYONE. ANYWHERE. You have those password-protected, right?

> I went to CompUSA and bought a Linksys Router/Gateway/Switch and
> have been delighted.

For those who do not want to learn how to configure their linux box (or other machine) as a firewall, this is a good option. But it's important to understand that this is only PART of what you should do to protect yourself.
Firewalls can be compromised!!! If you use your systems for anything which causes you to store sensitive personal data on your system, then the approach you should take to securing those systems should be defense in depth. If you feel that having that data compromised would put you at unacceptable levels of risk, put you in a potentially compromising position, or make you feel really uneasy, then sticking your machines behind a firewall is NOT ENOUGH.

The types of data that this MIGHT include, for some people, would be things like these:

* credit card numbers (and possibly PIN and account password information)
* investment account information
* medical records
* personal family information, such as your address book containing the names, addresses, and telephone numbers of all your family members. Some people also include other sensitive data in their address books, like the SSNs of family members, in case they need them for beneficiary purposes or other reasons.
* Your appointment book
* personal journals or diaries
* photographs of family members or loved ones
* Sensitive documents or accounting information for your small business or for your job
* Information related to your hobbies
* evidence of a crime you committed (hopefully this applies to no one here)
* other personal information that might embarrass you
* porn

The risks here are of varying types and degrees, ranging from mild embarrassment to financial ruin, and you may or may not be sensitive to these things. Ultimately, YOU must decide what level of risk you are sensitive to, and how much effort it is worth to you to keep your systems and your data secure.

I'd like to give some examples of how these things might be used against you by attackers, in case you haven't thought of them.
Many people overlook these very real risks to their personal safety and well-being, and it is my hope that if you're making judgements about what your level of risk is, you're taking into consideration every possibility which might concern you. ALL OF THESE THINGS HAPPEN IN REAL LIFE. At the SANS conference I attended in April, an example of each of these things was discussed either by the instructors, or by FBI agents who were taking the class at the same time I was. Also, bear in mind that I am not a criminal, and I do not have that devious a mind, nor do I spend time thinking about nasty ways that I or someone could use YOUR computer to royally screw YOU over. But as Agent Hegarty assured us, computer crime is on the rise; there ARE people who do exactly that. And you can be sure they'll have more nasty things they can do to you than just the ones I'm going to list below.

Financial information
---------------------

Clearly, your financial records can be used against you. An attacker who gains access to your account information can potentially gain access to your accounts, make modifications to them, and most importantly, steal all your money. They also can be used to steal your identity, obtain new credit cards and other financial services (like home loans for example), which they can then default on, leaving YOU in a world of hurt trying to recover from this.

Medical Records
---------------

With access to your medical records, an attacker can pose as you to obtain medical services. Whatever treatment they receive will become part of your medical history. Also, if you have a medical condition that you do not want people to know about, such as AIDS for example, they may expose you or try to blackmail you.

Personal/Family information
---------------------------

With access to information about your family members, an attacker can stalk your loved ones. This might even be the entire purpose of their attack.
If you keep your appointments on-line, they will know where to look for you, if YOU are the target. They also can leverage the information they learn from you to obtain more sensitive information about your loved ones, such as their financial information. If you keep photos of your family members on your system, your attacker will know what you all look like.

Business-related Information
----------------------------

If you have a small business, or a large business, or even if you use your home computer for work at a business that you do not own, your data may be sensitive, and might be used against you in a variety of ways. Your attacker may find information pertaining to your customers, and leverage it to steal business away from you. They may also gain information about products you're working on, and analyze and improve upon them before they even hit the market. They might also steal your source code.

Other personal information
--------------------------

These types of things fall mostly into the embarrassing category. If you have personal journals on your system, your attacker may tell your secrets to a loved one you've been hiding something from, or to colleagues or other random people. Maybe you're a transsexual and you don't want people to know. Maybe you have odd sexual fetishes you'd prefer weren't common knowledge. Maybe you're embarrassed about the 40 Gigs of porn on your system... Or, maybe you've committed a crime, and wrote about it. That might even land you in jail. I hope you don't fall into this category.

Remember also that if your system is compromised, an attacker can use it to commit other crimes, and/or attack other systems. You may be held liable, OR you might be arrested! Either way, law enforcement may confiscate your hardware to obtain forensic evidence.
Again, it's up to you to determine what level of risk to which you are tolerant, and decide what expense (especially in terms of time) YOU are willing to tolerate to mitigate those risks by securing your systems.

If you are sensitive to the types of risks that I've outlined above, then sticking your machines behind a firewall probably isn't enough. You still need to go through the process of hardening your machines individually. Stay on top of patches for your OS, whatever it is. [Note that, according to our Windows desktop guy, it takes about 6 hours to download and install all the fixes for Windows 9x if you have a T1.] You should probably run host-based firewalling ON EACH MACHINE to make them that much more secure. And for Linus' sake, DON'T RUN IT IF YOU DON'T NEED IT, whatever the service may be.

Bear in mind also that, especially with Windows, enhanced security features that you get by installing updates often don't take effect until you DO something; you probably will need to modify configuration files or edit the registry. It is not enough to simply install patches.

--
---------------------------------------------------
Derek Martin          | Unix/Linux geek
[EMAIL PROTECTED]     | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu

**********************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the following text in the *body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
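Two of the points in Derek's mail are easy to check on a Linux host: a root kit's back door that connects OUT will walk straight through a firewall that only filters incoming traffic, and any service that is listening but not needed is exposure for nothing. The script below is an added example, not part of the mail or of the gnhlug list; it audits a constructed `netstat -tuln` listing and a constructed `iptables -S` rule dump (ipchains, which the mail mentions, has since been replaced by iptables, so the rule syntax here is iptables) and prints a default-deny OUTPUT ruleset when egress is not filtered. The sample data and the allow list of ports are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a Linux host for the
# two things the mail stresses: listening services you do not need, and
# outgoing connections that are not filtered at all (which is exactly what
# lets a reverse-connecting back door phone home).

# Constructed sample in the format of `netstat -tuln` (not a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Constructed sample in the format of `iptables -S` (not a real host):
# inbound is locked down, but OUTPUT accepts everything.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# unneeded_listeners NETSTAT_TEXT ALLOWED_PORTS
# Prints "proto port" for every socket bound to all interfaces whose port
# is not in the space-separated allow list. Loopback-only listeners are
# skipped because they are not reachable from the network.
unneeded_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $1 ~ /^(tcp|udp)/ && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); port = a[2]
            if (index(allow, " " port " ") == 0) print $1, port
        }'
}

# egress_filtered RULES_TEXT
# Returns 0 when the OUTPUT chain's default policy is DROP, i.e. nothing
# on the box can connect out unless a rule explicitly allows it.
egress_filtered() {
    printf '%s\n' "$1" | grep -Eq '^-P OUTPUT DROP$'
}

# hardened_egress_rules
# Prints (does not apply) an iptables fragment that flips OUTPUT to
# default-deny and allows only what a workstation typically needs:
# loopback, replies to established sessions, DNS and web. Extend to taste;
# the final LOG rule is what makes a back door's attempts visible.
hardened_egress_rules() {
    cat <<'EOF'
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "egress-denied: "
EOF
}

# Usage: run the audit against the constructed samples (ssh is the only
# service this host is meant to offer).
audit() {
    echo "Listening services not on the allow list:"
    unneeded_listeners "$SAMPLE_NETSTAT" "22"
    if egress_filtered "$SAMPLE_RULES"; then
        echo "OUTPUT chain is default-deny."
    else
        echo "OUTPUT chain accepts everything; suggested rules:"
        hardened_egress_rules
    fi
}
audit
```

On a real host, feed `unneeded_listeners "$(netstat -tuln)" "22"` and `egress_filtered "$(iptables -S)"` instead of the samples. Anything the first call prints is a candidate for "don't run it if you don't need it", and a non-zero result from the second means an outbound back door would not be stopped by the firewall at all.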
