LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-14-2011, 09:58 AM   #16
Hangdog42 (LQ Veteran)

Quote:
Originally Posted by softwarelabus
Okay, but I think the only acceptable result is zero noise. Files that change a lot such as log files wouldn't be scanned. Indeed, the hacker could replace a log with a bin and I wouldn't see it, but a main goal is to prevent the web server from being hacked, that includes PHP & Python files, and Apache bin files. The script will scan such files.
Zero noise? Probably not a good idea either, particularly for a web server. I suspect if you go for zero noise, you'll be ignoring directories that you really should be watching. The served files are likely going to change, if for no other reason than for version upgrades. Furthermore, the OS and server will have security upgrades, and you'll need to handle those. You're going to need a process to handle the inevitable changes.

Quote:
Originally Posted by softwarelabus
Sorry. The hacker would pad the file with code, and strip unnecessary bytes to obtain the same net checksum. Very easy!
Quote:
Originally Posted by softwarelabus
Not a waste of time. Hackers can edit a file without changing the entire files checksum. So the script does two things. First, it verifies the previous scan, and obviously it would remember what the previous scan %'s are, e.g., (50-50, 70-30, 51-49). That's easy enough. Second, it records a new scan.
You keep saying that crackers can change the file and not the checksum. Specifically, what algorithm is this vulnerable? md5? sha1? Which one(s)?

Quote:
Originally Posted by softwarelabus
I never said it's "secure code." I have essentially said that customized undisclosed code has the potential of being *more* secure.
And I'm saying that considering code more secure because it is custom and undisclosed is a serious mistake. Some of the most vulnerable systems out there are closed source. Is IIS any more secure than Apache because it is closed source?

Quote:
Originally Posted by softwarelabus
Hmmm, so now you're saying that if a hacker can see the source code, that it does not help them find vulnerabilities. What school of logic is that from? You might want to rethink that one, my friend.
If a cracker can see the vulnerabilities, so can the good guys. What you seem to completely discount is that a lot of people have a very vested interest in keeping software secure, so security audits of open code do happen and bugs do get fixed. The fact that something is open doesn't give the crackers any additional advantage over the good guys, just like the fact that closed code doesn't give the good guys any advantages over the crackers. Security through obscurity has been repeatedly proven to be a failed security model. Unfortunately, we haven't seen the last proof.

Quote:
Originally Posted by softwarelabus
I agree, that's a common and well known attack that's preventable by using SQL prepared statements. It's the uncommon attacks that I'm concerned about. Attacks that hackers don't want the public to know about.
Attackers will take whatever vulnerability they can find, whether common or uncommon. Sure, a poorly known vulnerability may give one cracker group a temporary advantage, but to be honest, programmers make the same mistakes over and over so consistently that classics like SQL injection or buffer overflow remain very viable and popular tools in the cracker arsenal.
 
1 members found this post helpful.
Old 06-15-2011, 01:01 AM   #17
win32sux (LQ Guru)

softwarelabus, by your logic Windows would be the least vulnerable OS in the known universe, while GNU/Linux and *BSD would be every administrator's worst security nightmare. Your argument about "hackers" having access to free software source code may sound appealing in theory, but in practice it's about as far from reality as you can get. As has already been stated here numerous times, security through obscurity has been historically proven to be a failed model.

You also seem completely convinced that adding your shell script will undoubtedly increase your level of security. This is not true at all. There could be numerous reasons why such an action could actually have detrimental effects. For example, I would argue that the false sense of security you've developed alongside your script idea is your greatest vulnerability of all.

Furthermore, you seem hellbent on re-inventing the wheel, which is not only a waste of time/energy, but can also lead to disaster. The high probabilities of this being the case here are made evident when you make statements like:
Quote:
The hacker would pad the file with code, and strip unnecessary bytes to obtain the same net checksum. Very easy!
...which would indicate a lack of basic understanding on your part of the extreme technical difficulty involved in such a feat (broken algorithms aside). Yet here you are, putting together some dubious shell script based on a technique that has absolutely no factual basis and is festooned with security through obscurity all while there's tons of excellent, full-featured, free software out there which has received years of peer review.

Last edited by win32sux; 06-15-2011 at 01:03 AM.
 
Old 06-15-2011, 08:03 AM   #18
Peufelon (Member)

Lessons of the HBGary scandal?

Quote:
Originally Posted by softwarelabus
I have no idea who AIDE is or every individual that worked on the code. I'm sure it's trustworthy.
Watch it--- one of the moderators here is a coauthor of another widely used linux security utility. So you might step on toes if you pursue that idea.

... reading on ... oh, I was too late...

Quote:
Originally Posted by Hangdog42
I would strongly urge you to review the HBGary fiasco.
HBGary? Did someone say HBGary? That's like waving a red flag! If anyone would like to discuss the many many lessons of the HBGary scandal, we can start a thread in the General forum. Not here, because the subject is politically charged.

It's been a long day, but there's a connection to Hangdog's point about the dangers of insecure custom code, since I am calling for sysadmins everywhere to exercise their ingenuity by writing custom passive monitoring code they disclose to no-one, with the goal of getting some information about who is really messing with their networks (traditional for-profit-cybercriminals? rogue spycos like HBGary Federal? cyberwarriors foreign or domestic? "hacktivists"?)

Last edited by Peufelon; 06-15-2011 at 08:06 AM. Reason: Penny Leavy wants us to say HBGary FEDERAL, not HBGary
 
0 members found this post helpful.
Old 06-15-2011, 08:15 AM   #19
softwarelabus (LQ Newbie, Original Poster)

Sorry, I disagree, but that's not the point of this thread. Fact still remains that having access to source code gives a hacker an advantage. Arguing against such logic only makes you appear a bit suspicious in your intent here.


Quote:
Originally Posted by win32sux
softwarelabus, by your logic Windows would be the least vulnerable OS in the known universe, while GNU/Linux and *BSD would be every administrator's worst security nightmare.
You still don't acknowledge the concept. It's a tendency. Read what it means. You can't point out a company and use that to stereotype a concept. Doesn't work that way. There are not that many commercial OSs, so it results in a bad average. Try using open-source CMS vs commercial to obtain a proper average. Let's at least be scientific here.



Quote:
Originally Posted by win32sux
You also seem completely convinced that adding your shell script will undoubtedly increase your level of security. This is not true at all. There could be numerous reasons why such an action could actually have detrimental effects. For example, I would argue that the false sense of security you've developed alongside your script idea is your greatest vulnerability of all.
Silliness. I already said *adding* my script to existing security would not give me any more sense of security. BTW, you & your friend still have not pointed out a single vulnerability in my script.



Quote:
Originally Posted by win32sux
Furthermore, you seem hellbent on re-inventing the wheel, which is not only a waste of time/energy, but can also lead to disaster.
It's unique in that it's custom & undisclosed code.
 
0 members found this post helpful.
Old 06-15-2011, 08:26 AM   #20
softwarelabus (LQ Newbie, Original Poster)

To clarify this thread, I'm advising SAs to *add* custom code, not replace their existing security.

Essentially, what the opponents want is for SA's to just install existing open-sourced security code, and leave it at that, code that every hacker in the world can analyze. If an SA has some strong programming skills, and some ideas how to write security code that's geared only for his or her server, then go for it. Adding extra security would not make me less cautious.
 
Old 06-15-2011, 08:33 AM   #21
softwarelabus (LQ Newbie, Original Poster)

Quote:
Originally Posted by Hangdog42
You keep saying that crackers can change the file and not the checksum. Specifically, what algorithm is this vulnerable? md5? sha1? Which one(s)?
The cksum bin on unix-like OS is easily defeated. As for scanning an entire server with MD5 pretty much means you have a dead server for ages. That does not seem like an option. The checksum bin would have to be comparable to cksum in performance.

Last edited by softwarelabus; 06-15-2011 at 09:18 AM.
 
Old 06-15-2011, 10:18 AM   #22
Peufelon (Member)

softwarelabus: look for some of my recent posts, discussing pretty much the same things which I think concern you. I even suggested that everyone should write their own code, on the theory that the more variety, the more impossible it will be for our adversaries (conventional for-profit cybercriminals, state-sponsored cyberwarriors, and some would add, spycos working for the Surveillance State, maybe "hacktivists") to keep up.
 
Old 06-15-2011, 10:32 AM   #23
win32sux (LQ Guru)

Okay, if security through obscurity is your thing, then so be it. While most of us disagree with your views, it's not our job to try and change them, and this endless back and forth is getting ridiculous, and now even threatens to enter into TFH territory. So, moving on...
Quote:
Originally Posted by softwarelabus
As for scanning an entire server with MD5 pretty much means you have a dead server for ages. That does not seem like an option.
Is it a hardware limitation you're dealing with? I've had Tripwire set to check using multiple algorithms (SHA256, SHA1, MD5, CRC32, etc.) and have not experienced any deaths. Have you actually tried it or are you just assuming? BTW, keep in mind that using only MD5 would be risky, as it's broken. Using it alongside the other algorithms is fine, though, as it exponentially increases the difficulty of generating a collision (as it would need to trick all checks).
 
Old 06-15-2011, 11:16 AM   #24
softwarelabus (LQ Newbie, Original Poster)

Quote:
Originally Posted by win32sux
Okay, if security through obscurity is your thing, then so be it. While most of us disagree with your views, it's not our job to try and change them, and this endless back and forth is getting ridiculous, and now even threatens to enter into TFH territory.
Again, I'm advising the *addition* of custom undisclosed code.



Quote:
Originally Posted by win32sux
So, moving on...Is it a hardware limitation you're dealing with? I've had Tripwire set to check using multiple algorithms (SHA256, SHA1, MD5, CRC32, etc.) and have not experienced any deaths. Have you actually tried it or are you just assuming? BTW, keep in mind that using only MD5 would be risky, as it's broken. Using it alongside the other algorithms is fine, though, as it exponentially increases the difficulty of generating a collision (as it would need to trick all checks).
Yes, MD5, SHA1, etc. are terribly CPU intensive compared to cksum. cksum is not cryptographically secure. It has nothing to do with my server, rather everything to do with not bogging down a shared web server. It would have terrible consequences on websites as the script performed MD5 sums on the entire OS, lol. If you know of a relatively easy way of forcing the server to limit the script's CPU usage for md5sum scans, then please by all means let me know. Obviously md5 is better than cksum. BTW, limiting the number of md5sums per minute is not an option, as each single md5sum per file can take far too long. The only option for me is to somehow limit the script's CPU usage.
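Editor's added example, not a script from the thread or from the poster: the question above (how to keep a hash scan from bogging down a shared web server) is usually answered with scheduler priority rather than a throttle. Running the hashing under nice -n 19 and, where available, ionice -c 3 (the "idle" I/O class) lets Apache/PHP requests win every contention for CPU and disk, so the scan only uses cycles nobody else wants. The paths WEBROOT and BASELINE below are assumptions; a hard percentage cap, if one is really needed, would be a cgroup CPU quota (for example systemd's CPUQuota= on a service or timer unit) or the cpulimit tool, neither of which is shown here. The script also gives the "process for inevitable changes" from post #16 a concrete shape: re-run baseline after a deliberate upgrade, run verify from cron otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): low-priority file-integrity
# baseline/verify over a web root using sha256 instead of cksum.
# Assumptions: the two paths below, and that nice/ionice are acceptable
# "throttles" (they yield priority; they do not cap a percentage).

WEBROOT="${WEBROOT:-/var/www}"                         # assumed location
BASELINE="${BASELINE:-/var/lib/integrity/www.sha256}"  # assumed location

# Probe once: use the idle I/O class only if ionice exists and works here.
if command -v ionice >/dev/null 2>&1 && ionice -c 3 true 2>/dev/null; then
    IONICE="ionice -c 3"
else
    IONICE=""
fi

# Prefer coreutils sha256sum; fall back to perl's shasum (macOS/BSD).
if command -v sha256sum >/dev/null 2>&1; then
    HASH="sha256sum"
else
    HASH="shasum -a 256"
fi

# Run a command at the lowest CPU priority (and idle I/O class if available).
lowprio() {
    # shellcheck disable=SC2086  # IONICE/HASH are intentionally word-split
    nice -n 19 $IONICE "$@"
}

# Print "hash  ./relative/path" for every regular file under $1, sorted so
# that two runs over an unchanged tree are byte-for-byte identical.
hash_tree() {
    (cd "$1" && find . -type f -print0 | sort -z | lowprio xargs -0 $HASH)
}

# make_baseline DIR FILE: record the current state of DIR into FILE.
make_baseline() {
    mkdir -p "$(dirname "$2")"
    hash_tree "$1" > "$2"
}

# verify_baseline DIR FILE: return 0 if DIR still matches FILE, else print
# the differing lines ("<" = baseline entry, ">" = current entry) and
# return 1. A changed file shows up as one "<" and one ">" line, a deleted
# file as "<" only, a new file as ">" only.
verify_baseline() {
    cur=$(mktemp) || return 2
    hash_tree "$1" > "$cur"
    if cmp -s "$2" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    echo "integrity mismatch under $1 (< baseline, > current):"
    diff "$2" "$cur" | grep '^[<>]'
    rm -f "$cur"
    return 1
}

# Command-line entry point: `script baseline` after a deliberate upgrade,
# `script verify` from cron. No argument does nothing (safe to source).
case "${1:-}" in
    baseline) make_baseline "$WEBROOT" "$BASELINE" ;;
    verify)   verify_baseline "$WEBROOT" "$BASELINE" ;;
esac
```

The baseline file is only as trustworthy as the place it is stored: if it lives on the same box with the same permissions as the web root, an intruder who can edit index.php can edit the baseline too, so keep it root-owned and read-only (or off-host) and sign or copy it somewhere the web server's user cannot reach.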
 
Old 06-15-2011, 11:22 AM   #25
Peufelon (Member)

TFH means..."troll for hire"? Did I guess right?
 
0 members found this post helpful.
Old 06-15-2011, 11:24 AM   #26
softwarelabus (LQ Newbie, Original Poster)

Quote:
Originally Posted by Peufelon
softwarelabus: look for some of my recent posts, discussing pretty much the same things which I think concern you. I even suggested that everyone should write their own code, on the theory that the more variety, the more impossible it will be for our adversaries (conventional for-profit cybercriminals, state-sponsored cyberwarriors, and some would add, spycos working for the Surveillance State, maybe "hacktivists") to keep up.
That's good to hear. I think this trend will slowly take off in the SA community. That is, if they care about the data of 1000s of customers.

I also think the *probability* of hackers trying to hit the forums to deter people from doing this is relatively high. My advice is that people start to think for themselves rather than being so influenced by group consensus because that opens a huge vulnerability, as hackers can hit a thread, thus making it appear as if mass majority are against something. People might want to consider the fact that I'm being hammered against even advising people to *ADD* custom undisclosed security scripts. I'm not pointing out names or accusing anyone because you can't be certain, but it is a bit odd. IMO, their premise is just outright illogical.
 
0 members found this post helpful.
Old 06-15-2011, 11:33 AM   #27
Hangdog42 (LQ Veteran)

Quote:
Originally Posted by softwarelabus
The cksum bin on unix-like OS is easily defeated. As for scanning an entire server with MD5 pretty much means you have a dead server for ages. That does not seem like an option. The checksum bin would have to be comparable to cksum in performance.
Seriously, if you think cksum is an appropriate method to use here, there is nothing any of us can do to help you. Good luck on your project, you are really going to need it.
 
2 members found this post helpful.
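Editor's added example, not code from the thread: post #21 says cksum is "easily defeated", post #23 says MD5 alone is risky but a second algorithm should be added, and post #27 says cksum is not an appropriate method at all. The CRC half of that is worth seeing concretely, because it is the one case where "change the file and keep the checksum" is literally true. A 32-bit CRC is linear over GF(2), so for any modified file you can compute four trailing bytes that drag its CRC back to the original value, with no brute force. The code does this against zlib's CRC-32 (the PKZIP/Ethernet polynomial); POSIX cksum uses a sibling variant (non-reflected polynomial, file length folded in), so its constants differ but the same fix-up applies. The sample "served file" and the one-line tamper are constructed for the demo. No such shortcut exists for SHA-256, which the final comparison shows; MD5's known weakness is collisions between two attacker-chosen files, not matching a fixed existing digest, so even MD5 would not fall to this trick.

```python
"""
Added example, not code from the thread: defeating a CRC-32 file check on
purpose, and why a cryptographic hash does not fall to the same trick.
The files below are constructed samples.
"""
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib.crc32

# Byte-wise update table, identical to what zlib uses internally.
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)

# The 256 table entries have distinct top bytes, so the top byte of a
# register value identifies which entry produced it. That lets us run one
# CRC update step backwards, which is the whole trick.
REV_TOP = {t >> 24: k for k, t in enumerate(TABLE)}
assert len(REV_TOP) == 256


def crc32_register(data: bytes) -> int:
    """Internal CRC register after `data` (before the final XOR with ~0)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    want = target_crc ^ 0xFFFFFFFF       # register value we must end on
    # Backwards: which table entry must each of the last 4 steps have used?
    indices = []
    cur = want
    for _ in range(4):
        k = REV_TOP[cur >> 24]
        indices.append(k)
        cur = (cur ^ TABLE[k]) << 8      # previous register (low byte unknown)
    indices.reverse()
    # Forwards from the real register: a step computes k = (reg ^ byte) & 0xff,
    # so pick byte = (reg ^ k) & 0xff. After 4 steps the original register
    # has been shifted out entirely, so the result depends only on the k's.
    suffix = bytearray()
    cur = crc32_register(data)
    for k in indices:
        suffix.append((cur ^ k) & 0xFF)
        cur = TABLE[k] ^ (cur >> 8)
    return bytes(suffix)


def tamper_keeping_crc32(original: bytes, modified: bytes,
                         hide_in: bytes = b"\n// ") -> bytes:
    """Modified file plus 4 fix-up bytes so it CRCs exactly like `original`.

    The fix-up bytes are placed after a comment marker so they are inert in
    source code; an attacker whose 4 bytes happen to break the comment
    simply retries with different padding in `hide_in`.
    """
    body = modified + hide_in
    return body + forge_crc32_suffix(body, zlib.crc32(original))


def crc32_hex(data: bytes) -> str:
    return f"{zlib.crc32(data):08x}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "served file" and a one-line attacker edit.
ORIGINAL = b"<?php\n// constructed sample config\n$debug = false;\n"
TAMPERED = ORIGINAL.replace(b"false", b"true")
FORGED = tamper_keeping_crc32(ORIGINAL, TAMPERED)

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("forged", FORGED)):
        print(f"{name:8s} crc32={crc32_hex(blob)} "
              f"sha256={sha256_hex(blob)[:16]}...")
    # The two crc32 values are identical (a cksum-style check passes);
    # the sha256 values are not.
```

The practical reading: a checksum that exists to catch disk errors (CRC) answers "was this file accidentally damaged?", a cryptographic hash answers "did anyone change this file?", and only the second question is the one an integrity scanner is asking. Combining a CRC with a real hash, as post #23 describes Tripwire doing, is harmless but adds nothing the SHA-256 did not already provide.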
Old 06-15-2011, 11:43 AM   #28
softwarelabus (LQ Newbie, Original Poster)

Quote:
Originally Posted by Hangdog42
Seriously, if you think cksum is an appropriate method to use here, there is nothing any of us can do to help you. Good luck on your project, you are really going to need it.
Again, by all means point out the vulnerability in my script idea.
 
Old 06-15-2011, 11:48 AM   #29
Hangdog42 (LQ Veteran)

Quote:
Originally Posted by softwarelabus
Again, by all means point out the vulnerability in my script idea.

I already have. And win32sux has as well. You just don't seem to be receptive even in the slightest to different ways of thinking, so what is the point in further discussion?
 
1 members found this post helpful.
Old 06-15-2011, 12:02 PM   #30
softwarelabus (LQ Newbie, Original Poster)

Quote:
Originally Posted by Hangdog42
I already have. And win32sux has as well. You just don't seem to be receptive even in the slightest to different ways of thinking, so what is the point in further discussion?
Let's please leave the personal ad hominem out of the discussion. If you've already posted it, then why not copy & paste it?
 
0 members found this post helpful.
  

