Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-10-2011, 06:36 PM   #1
rico001
Member
 
Registered: Aug 2007
Distribution: TwisterOS lite, Linux in a VM
Posts: 96
Blog Entries: 3

Rep: Reputation: 3
Pwn2Own 2011 and general questions / Sandboxing


http://www.tomshardware.com/reviews/...ck,2254-5.html

I read/skimmed this article on an interview with Charlie Miller and have taken a network security class: I learned about FTP SYN states, firewalls, DMZ, IDS, intrusion testing, social engineering, ports, etc.

I have some questions:
Charlie: “Once they have any code running, you’re screwed (unless they’re in a sandbox).”

How can the code (a script?) still be running after the application is closed?

For brute force attack, how do they keep trying a site that has 3 login attempts, by changing IP addresses?

In regards to sandboxing, I wonder if virtual machines are better than application sandboxing? -- It probably depends??

Sorry if this post is too specific, I've been told that security through obscurity doesn't work.

--Thanks for your time.

Last edited by rico001; 03-10-2011 at 06:37 PM.
 
Old 03-11-2011, 05:24 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
How can the code (a script?) still be running after the application is closed?
You can use nohup and & to run in the background, and to keep running without its parent terminal.

Quote:
For brute force attack, how do they keep trying a site that has 3 login attempts, by changing IP addresses?
You can mask the original IP address by spoofing and countermeasures.

Quote:
In regards to sandboxing, I wonder if virtual machines are better than application sandboxing? -- It probably depends??
Yes, it depends on what you are doing, and the setup.

Hope this helps,

Josh
 
Old 03-14-2011, 04:42 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Rico001, these are very good and valid questions. What we can't, and won't, do at LQ is discuss details on how to perform such actions. We can, however, discuss how to protect against these actions, and a valid part of that is understanding what it is that you are defending against.

I was at a local LUG meeting about a month ago and they gave an excellent presentation to demonstrate how to do this. The person who gave the presentation works for a computer security firm and hence knew how to make this look easy.

They demonstrated on a Windows XP system running service pack 0 to make it easy on themselves. The tools used contain databases of known vulnerabilities and exploits and they were able to make use of them to capitalize on a known vulnerability in the system to get code executing on it. Specifically, there are some known exploits that will cause web based applications to request pieces of code from a client system and begin executing this code. Entering the process and modifying its run time code can make it unstable so they try to move on quickly. Once they were in, the tools allowed them to move amongst the processes and "hide" in them. The presenter said that a lot of times they will try to move to a process like svchost.exe (on Windows) that is always running. Other times, they will fork off new processes and sit in those. Another aspect was that once inside a machine like this, they had access to other LAN based resources and could see the other machines. The important point is that sitting behind a router does not necessarily protect your 'private' machines.

Oftentimes when responding to a request for help with a potential compromise, we suggest that they unplug the network cable or put up a firewall without rebooting the computer. This will keep whatever processes have been injected running in memory while removing the connection to the perpetrator. We also ask for a list of open files, processes, and ports. This is to try and identify where they are hiding and conducting their operations from.

The presentation concluded with a discussion of what can be done. They mentioned that things like anti-virus, malware scanners, firewalls, etc. help to a small degree. The biggest thing you can do, however, is keep your applications up to date. As I mentioned above, there are databases of known exploits, and how to make use of them has been scripted and these scripts get distributed. Consequently, it does not take an expert to make use of them. By keeping your system up to date, you minimize these windows. It is also equally important that you keep your non-server machines equally up to date.

This is also where the concept of a sandbox comes into play. By containing the realm in which they are able to move, the scope of their activities is greatly curtailed. Unfortunately, it is impossible to guarantee that all exploit holes are closed. The fact is that all software has bugs in it. Therefore it is critically important to provide layers of security to make it harder to get to important resources.
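An added example, not from this thread, of the "list open files, processes, and ports" step Noway2 describes, done by reading /proc directly in Python rather than trusting the host's own ps/netstat binaries: it lists listening TCP sockets, the process holding each one (a listener with no owner is worth a closer look), and processes whose executable has been deleted from disk while still running. The /proc/net/tcp sample embedded below is constructed, not captured from a real host.

```python
import os, socket, struct

# Constructed /proc/net/tcp sample (not from a real host): two LISTEN (0A), one ESTABLISHED (01).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D431 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 24680 1 0000000000000000 20 4 30 10 -1
"""

def parse_proc_net_tcp(text):
    """Return (address, port, inode) for every LISTEN (state 0A) IPv4 socket."""
    listening = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        hexaddr, hexport = f[1].split(":")  # address is little-endian hex, port plain hex
        addr = socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))
        listening.append((addr, int(hexport, 16), f[9]))
    return listening

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # kernel thread, pid that just exited, or no permission
        return ""

def list_processes(proc="/proc"):
    """Return (pid, exe, exe_deleted); a deleted exe still running deserves a closer look."""
    procs = []
    for name in os.listdir(proc) if os.path.isdir(proc) else []:
        if name.isdigit():
            exe = _readlink(f"{proc}/{name}/exe") or "?"
            procs.append((int(name), exe, exe.endswith("(deleted)")))
    return procs

def socket_owners(listening, proc="/proc"):
    """Map each listening inode to the pids holding it open, by walking /proc/<pid>/fd."""
    wanted = {inode for _, _, inode in listening}
    owners = {}
    for pid, _, _ in list_processes(proc):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            targets = [_readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # another user's process: fd table not readable without root
            continue
        for t in targets:
            if t.startswith("socket:[") and t[8:-1] in wanted:
                owners.setdefault(t[8:-1], []).append(pid)
    return owners
```

On a live host, feed `open("/proc/net/tcp").read()` to parse_proc_net_tcp and pass the result to socket_owners; run it as root so every process's fd table is readable, and do it before rebooting, as the post advises.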