Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I read/skimmed this article on an interview with Charlie Miller and have taken a network security class: I learned about FTP SYN states, firewalls, DMZ, IDS, intrusion testing, social engineering, ports, etc.
I have some questions:
Charlie: "Once they have any code running, you're screwed (unless they're in a sandbox)."
How can the code (a script?) still be running after the application is closed?
For brute force attack, how do they keep trying a site that has 3 login attempts, by changing IP addresses?
In regards to sandboxing, I wonder if virtual machines are better than application sandboxing? It probably depends?
Sorry if this post is too specific, I've been told that security through obscurity doesn't work.
Rico001, these are very good and valid questions. What we can't, and won't, do at LQ is discuss details on how to perform such actions. We can, however, discuss how to protect against these actions, and a valid part of that is understanding what it is that you are defending against.
I was at a local LUG meeting about a month ago and they gave an excellent presentation to demonstrate how to do this. The person who gave the presentation works for a computer security firm and hence knew how to make this look easy.
They demonstrated on a Windows XP system running service pack 0 to make it easy on themselves. The tools used contain databases of known vulnerabilities and exploits, and they were able to make use of them to capitalize on a known vulnerability in the system to get code executing on it. Specifically, there are some known exploits that will cause web based applications to request pieces of code from a client system and begin executing this code. Entering the process and modifying its run time code can make it unstable, so they try to move on quickly. Once they were in, the tools allowed them to move amongst the processes and "hide" in them. The presenter said that a lot of times they will try to move into a process like svchost.exe (on Windows) that is always running. Other times, they will fork off new processes and sit in those. Another aspect was that once inside a machine like this, they had access to other LAN based resources and could see the other machines. The important point is that sitting behind a router does not necessarily protect your 'private' machines.
Oftentimes when responding to a request for help with a potential compromise, we suggest that they unplug the network cable or put up a firewall without rebooting the computer. This will keep whatever processes have been injected running in memory while removing the connection to the perpetrator. We also ask for a list of open files, processes, and ports. This is to try and identify where they are hiding and conducting their operations from.
The presentation concluded with a discussion of what can be done. They mentioned that things like anti-virus, malware scanners, firewalls, etc. help to a small degree. The biggest thing you can do, however, is keep your applications up to date. As I mentioned above, there are databases of known exploits, and how to make use of them has been scripted and these scripts get distributed. Consequently, it does not take an expert to make use of them. By keeping your system up to date, you minimize these windows. It is equally important that you keep your non-server machines up to date.
This is also where the concept of a sandbox comes into play. By containing the realm in which they are able to move, the scope of their activities is greatly curtailed. Unfortunately, it is impossible to guarantee that all exploit holes are closed. The fact is that all software has bugs in it. Therefore it is critically important to provide layers of security to make it harder to get to important resources.
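The reply above asks for open files, processes and ports from a host that has been cut off the network but not rebooted. As an added example (not from the thread or any LQ member), the script below gathers that first look on a Linux host by reading /proc directly rather than trusting ss or lsof binaries that may have been replaced: it lists listening and established TCP sockets with their inodes, and flags processes whose executable on disk has been deleted, which is the "still running in memory" situation the reply describes. The helper names and the sample /proc/net/tcp lines in the comments are my own constructions.

```shell
#!/bin/sh
# Added example: volatile triage of a disconnected, still-running Linux host.
# Reads /proc directly; the kernel is the only thing we rely on here.

# Turn a /proc/net/tcp endpoint such as "0100007F:0016" into "127.0.0.1:22".
# The kernel stores the IPv4 address as a little-endian 32-bit hex value.
hex_endpoint_to_text() {
    ip=${1%%:*}; port=${1##*:}
    v=$((0x$ip))
    printf '%d.%d.%d.%d:%d' \
        $((v & 255)) $(((v >> 8) & 255)) $(((v >> 16) & 255)) $(((v >> 24) & 255)) \
        $((0x$port))
}

# Read /proc/net/tcp formatted text on stdin and print one line per socket in
# state 0A (LISTEN) or 01 (ESTABLISHED): state, local, remote, socket inode.
# Field 10 is the inode; it is the link back to a PID via /proc/PID/fd.
listening_and_established() {
    awk 'NR > 1 && ($4 == "0A" || $4 == "01") { print $2, $3, $4, $10 }' |
    while read -r laddr raddr state inode; do
        if [ "$state" = 0A ]; then label=LISTEN; else label=ESTAB; fi
        printf '%s %s %s inode=%s\n' "$label" \
            "$(hex_endpoint_to_text "$laddr")" "$(hex_endpoint_to_text "$raddr")" "$inode"
    done
}

# Walk /proc and report processes whose binary no longer exists on disk.
# A process that keeps running after its file was removed or replaced is
# exactly the "hiding in a process" case the responder wants to find.
deleted_exe_processes() {
    for pid in /proc/[0-9]*; do
        exe=$(readlink "$pid/exe" 2>/dev/null) || continue   # kernel threads have no exe
        case $exe in
            *'(deleted)')
                printf '%s %s %s\n' "${pid#/proc/}" "$(tr '\0' ' ' < "$pid/cmdline")" "$exe" ;;
        esac
    done
}

# On a live host, as root, with the cable already unplugged:
#   listening_and_established < /proc/net/tcp
#   deleted_exe_processes
# To map a socket inode N back to its process:
#   ls -l /proc/*/fd 2>/dev/null | grep "socket:\[N\]"
```

Save the output to removable media, not to the suspect disk, so that the collected state is not itself modified by the process you are looking for.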