LinuxQuestions.org - Linux - Security
Thread: [OT] Break and enter analogy (https://www.linuxquestions.org/questions/linux-security-4/%5Bot%5D-break-and-enter-analogy-24426/)

unSpawn 06-27-2002 06:23 AM

[OT] Break and enter analogy
 
Remembering someone (was it Tricky ?) trying desperately to explain the kernel's internal workings to some noobs on IRC likening the kernel's components to a flan (huh), with custard (arf) and creamy sauce (muhahah), here's one I came across on the vuln-dev list. Someone tries to take it too far and gets this (repr. w/o perms., cred.: K. R. Hofmann) reply:

(...)

> > > hi, My box was compromised, and i cant rm a binary
> > > that listens over tcp, i need help support, watch:
> >
> > S.O.P. (Standard Operating Procedures) describe that a compromised box
> > should be considered lost and be installed from scratch.
>
> S.O.P: Someone broke into my house and stole my TV. Let's just go
> ahead and level the whole building and build a new one. S.O.P in this
> case stands for Severely Overreacting Professional.

This is a poor analogy. A compromised building is very different from a
compromised computer.

For example, suppose that a cracker and a burglar both want to rootkit
something they have compromised. In the cracker's case, it's a computer
system, and in the burglar's case, it's an apartment building.

The cracker's first step is to download a rootkit from a prepared location,
untar it, and run an installation script. The equivalent step for the burglar
is to bring a huge box of tools and gadgets with him and install them all as
he goes. The box can weigh up to five thousand pounds and can carry anything
smaller than a truck. Each gadget takes ten milliseconds to install,
regardless of its physical location, and he already knows in advance where
and how to install them. Each gadget can also replace or disguise itself as
any feature of the apartment building that you'd recognize, and, if the
burglar's friends are good craftsmen, you will not be able to tell the
difference. If the burglar has a gadget that cannot be disguised as part of
the apartment complex, he creates a room and puts it there. You will not be
able to see this room, because while you slept the burglar has broken into
your bedroom and replaced your eyes. If the burglar is no good, you will be
able to find this room by licking the walls. If he is very good, he will
have replaced your tongue, too, along with your fingers, nose, and ears. The
burglar will also install a door in the building which, if one has the right
key, will let you into the manager's office. The inside of this door is
invisible, but once you leave the premises it stands out because nobody ever
paints their doors that color.

The cracker's second step is to secure the service that he entered by so that
other crackers cannot break in the same way, often by disabling the service
or upgrading to a patched version. The burglar, having broken down a door
but not having left any trace, will either have carried a new door with him
in his box of tools, which he will use to replace the old door, or he will
destroy the old door, causing a ten meter thick wall of concrete to spring
up in its place. Passers-by may notice the change from a door to solid
concrete. They may even notice the replacement of the door, though this is
less likely because the burglar is careful to use a door from the same
manufacturer as the old door. In either case, they may attempt to ask the
manager of the apartment complex why the old door is gone, but he will not
hear them, because the burglar has replaced his ears. They may instead hear
the burglar himself speaking, because the manager's new ears direct everything
they hear to the burglar first. The burglar will tell them that nothing is
wrong, and because the burglar is also a master disguise artist, he will be
indistinguishable from the manager.

The cracker's third step is to use the system he has taken over as a base
from which to take over more systems. He often hops through many systems in
an attempt to disguise his trail. Similarly, the burglar will enter the back
door of one apartment building, then walk to another building, enter its back
door, walk to another, etc. The burglar will often walk through a door or
two in East Asia, because none of the door manufacturers write their
instructions in East Asian languages, and consequently East Asian apartment
managers do not know how to lock their doors.

If the cracker is ever caught, he will attempt to remove all the evidence
that leads back to him. In a similar manner, if the burglar is ever caught,
he will raze the building.

Obviously I'm stretching this analogy much too far. It's a pretty good one,
but where it really breaks down are rootkits and the purpose of the invader.
There is no realistic physical equivalent to a rootkit. A perfect rootkit
is completely undetectable and nearly instantaneous to install, both of which
are physical impossibilities. While I don't think there are yet perfect
rootkits out there, there are very good ones, and I wouldn't ever be so
certain of my own analysis of any system that I thought I had found everything
that might be there.

Furthermore, a burglary is usually a one time event: A burglar decides upon
a location, invades it, takes what he can, and leaves. He does not usually
come back night after night. A successful computer intrusion, however, allows
the cracker to pass through the system at will (which is more useful for him
than it would be for the burglar), and allows him to set up DDoS zombies,
autorooters, IRC clients and servers, and so on. The cracked system provides
him with resources just because it is there.

Taken together, the use of rootkits and the resources that a cracked system
provides makes it imperative that any cracked system be rebuilt from scratch
before it is put back into production use. Of course, it need not be put
back into production use immediately--with a proper router configuration and
a packet sniffer, you may be able to use it to track the cracker's movements,
and the information from a proper forensic analysis can be invaluable. At
the very least you need to figure out how you were invaded so that you don't
make the same mistake next time. You probably want to back up your personal
data, too. But eventually the system must be rebuilt from scratch--nothing
else is safe, and I wouldn't want to risk leaving any part of the cracker's
rootkit or back door behind.

(...)
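As an added example (not code from the original post or from the list reply it quotes), here is a minimal offline file-integrity check in the spirit of the reply's point that a compromised system's own eyes cannot be trusted: the baseline manifest is assumed to come from a trusted, read-only copy of the system, the script is assumed to run from trusted media, and the directory layout, file names and contents are constructed for the demo. A kernel-level rootkit can still lie to it, which is exactly why a clean result is not proof while a difference is a finding.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the trusted baseline and the live tree."""
    return {
        "replaced": sorted(k for k in baseline if k in live and live[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in live),
        "added": sorted(k for k in live if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario (an assumption, not a real system): a clean 'bin' tree
    is hashed as the baseline; in the live copy 'ls' is swapped for a different
    file and an extra file appears, mimicking a replaced tool and a dropped binary."""
    with tempfile.TemporaryDirectory() as t:
        clean, live = Path(t) / "clean", Path(t) / "live"
        for d in (clean, live):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
            (d / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        baseline = build_manifest(clean)  # taken from the trusted copy
        (live / "bin" / "ls").write_bytes(b"#!/bin/sh\n# replaced (constructed)\nexec /usr/bin/ls \"$@\"\n")
        (live / "bin" / ".hidden").write_bytes(b"constructed extra file")
        return compare(baseline, build_manifest(live))


if __name__ == "__main__":
    print(demo())  # {'replaced': ['bin/ls'], 'missing': [], 'added': ['bin/.hidden']}
```

The manifest and the checker both have to live somewhere the intruder could not reach, otherwise the "replaced eyes" problem the reply describes applies to the checker itself.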
