niXforums Forum Index
Linux server hacked, response time very slow, now I'm in an intercompany war...
jwshea
*nix forums beginner


Joined: 04 May 2006
Posts: 3

Posted: Wed Jul 19, 2006 4:16 am    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

extremesanity wrote:
Quote:

I hope one day to work in a real organization that takes personal
responsibility, professionalism, and ethical conduct as primary
concerns. Call me an idealist. ;)

Most 'corporations' have the primary concern of making money for
stockholders; however many are yet to realise operating without the
above mentioned concerns (can/will/has) often lead to disastrous
consequences. It's all a matter of trade-offs; usability/security,
cost/benefit, etc.

Having said that though, wouldn't an ideal world be less interesting? :)
extremesanity
*nix forums beginner


Joined: 25 Apr 2006
Posts: 8

Posted: Tue Jul 18, 2006 7:56 pm    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

Quote:
By now, of course, that meeting will have come and gone - so what happened?

The meeting was pushed back to today.

Basically 2 other IT guys (who are good friends) and their
inexperienced manager defended their 15-hour window by playing down the
actual damage, and basically saying they were not going to take the 5
minutes to block the machine at the router because the risk was not
significant enough.

Now the 4 IT groups take risk assessments individually and are
responsible for their own LANs. Pretty shitty resolution if you ask
me.

I hope one day to work in a real organization that takes personal
responsibility, professionalism, and ethical conduct as primary
concerns. Call me an idealist. ;)
Rick Moen
*nix forums Guru


Joined: 20 Feb 2005
Posts: 439

Posted: Tue Jul 18, 2006 5:53 am    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

extremesanity <extremesanity@gmail.com> wrote:

Quote:
Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.

I touch on this question in passing in an old article I did for IDG
called "Attacking Linux"
(http://security.itworld.com/4352/LWD000829hacking/pfindex.html). I
hope it's useful to you.

Some of those processes will be spy programs, running to capture
login information entered by local users for remote systems elsewhere.
Those will be logged and conveyed back to the attacker, giving him new
targets. Some may be network sniffers, monitoring the traffic passing
nearby, to or from other nearby machines, and likewise capturing private
information for the bad guys. Those work by putting your network
interface in promiscuous mode, in which the normal disregarding of other
machines' network traffic gets disabled. Some may be clandestine network
services, such as file-swapping, that are useful for the attacker and
his friends. Most distressing of all, some may be carrying out attacks
on other systems. The older variety of those involved flooding distant
machines with either normal or deliberately malformed network traffic
(ping, ping of death, smurf, SYN flooding, teardrop, land, bonk), as a
denial of service (DoS) attack. Then starting last year, the
more-organized DDoS tools (trinoo, Tribal Flood Network, stacheldraht,
Trank, and so on) came to sudden public attention when they were used to
overwhelm popular Internet sites. The third-party, subverted machines
(zombies) used to carry out those attacks appear to have been university
machines, favored for their lax security and high Internet bandwidth,
but your Linux hosts could be the attackers' next tools.

Even if your machines don't cause you that order of embarrassment, the
other risks are equally grim: you can reveal confidential data with
business and/or personal consequences, lose that data entirely, see it
corrupted or sabotaged, be involved in wrongful or even criminal
activity, lose access to your computing resources, and indirectly cause
harm to your staff and business associates. Your Website can be defaced
or modified, or visitors might be redirected by sabotaged company DNS
servers to entirely different sites.

Basically, the bad guys are given carte blanche to do basically _any_
wrongful act with impunity, and implicate your firm in the process.
The less diligently your firm acts to end and mitigate the incursion,
the more likely it is to be held responsible as a negligent participant.
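The post above notes that a sniffer on a rooted host works by putting the network interface into promiscuous mode. The following host check, added here as an example and not code from the thread or from Rick Moen's article, looks for that condition on a Linux box in two ways: the IFF_PROMISC bit in /sys/class/net/<iface>/flags, and the kernel log lines the driver core emits on every transition ("device eth0 entered promiscuous mode" on older kernels, "eth0: entered promiscuous mode" on newer ones). Both are needed because the sysfs flag only reflects promiscuity set administratively (ip/ifconfig), while a packet-socket sniffer such as tcpdump only raises the kernel's internal promiscuity count, which shows up in the log but not in the flag. The sysfs path, the kernel message formats and the sample flag values and dmesg lines are assumptions or constructed data.

```python
import glob
import os
import re

# IFF_PROMISC from <linux/if.h>; /sys/class/net/<iface>/flags is a hex string.
IFF_PROMISC = 0x100

# Matches both the older kernel wording ("device eth0 entered promiscuous mode")
# and the newer netdev_info wording ("eth0: entered promiscuous mode").
PROMISC_RE = re.compile(
    r"(?:device (?P<old>\S+)|(?P<new>\S+):) (?P<state>entered|left) promiscuous mode"
)


def promiscuous_from_flags(flags_by_iface):
    """Interfaces whose sysfs flags carry IFF_PROMISC (set via ip/ifconfig)."""
    hits = []
    for iface, text in flags_by_iface.items():
        if int(text.strip(), 16) & IFF_PROMISC:
            hits.append(iface)
    return sorted(hits)


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Collect /sys/class/net/*/flags from a live Linux host (empty elsewhere)."""
    flags = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(path) as fh:
                flags[os.path.basename(os.path.dirname(path))] = fh.read()
        except OSError:
            continue  # interface disappeared while we were reading
    return flags


def promisc_events(log_lines):
    """Yield (iface, entered) for every promiscuous-mode transition in the log."""
    for line in log_lines:
        m = PROMISC_RE.search(line)
        if m:
            yield (m.group("old") or m.group("new"), m.group("state") == "entered")


def promiscuous_from_log(log_lines):
    """Replay the kernel log; return interfaces whose last transition was 'entered'."""
    state = {}
    for iface, entered in promisc_events(log_lines):
        state[iface] = entered
    return sorted(i for i, on in state.items() if on)


# Constructed sample data (not from the original thread) so the checks run offline.
# 0x1143 = UP|BROADCAST|RUNNING|PROMISC|MULTICAST; 0x1003 lacks PROMISC; 0x9 is lo.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1143\n"}
SAMPLE_DMESG = [
    "[    5.123456] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex",
    "[ 8120.004321] device eth0 entered promiscuous mode",
    "[ 8131.990001] device eth0 left promiscuous mode",
    "[ 9002.771000] device eth1 entered promiscuous mode",
    "[ 9100.000000] eth2: entered promiscuous mode",
]

if __name__ == "__main__":
    print("sample sysfs flags  ->", promiscuous_from_flags(SAMPLE_FLAGS))
    print("sample kernel log   ->", promiscuous_from_log(SAMPLE_DMESG))
    live = read_sysfs_flags()
    if live:
        print("this host's flags   ->", promiscuous_from_flags(live))
```

On a real host, feed `dmesg` or `journalctl -k` output to promiscuous_from_log and compare with promiscuous_from_flags(read_sysfs_flags()); an interface that is promiscuous in the log but not in the flags is the packet-socket case, which is exactly what a sniffer left behind by an intruder looks like.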
Colin McKinnon
*nix forums Guru


Joined: 19 Feb 2005
Posts: 410

Posted: Sun Jul 16, 2006 10:19 pm    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

Flash Gordon wrote:

Quote:
Juha Laiho wrote:
"extremesanity" <extremesanity@gmail.com> said:
[case of slaggy response from IT staff, when a compromised server
should've been taken offline quickly]

Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.

The primary implications are technical; I think I might be able to
outline some of these. The secondary implications are juridical,
and so depend on your local jurisdiction. I won't be commenting on
these.


I think that we can all imagine scenarios which could be very damaging for
your company - it may be worth pointing out a few of them and discussing
liability, You have observed use of the site for phishing but the fact that
the machine has been compromised means that it could have been used for
*anything* (even if they got no further than one machine with no non-public
data on it, it could be used for terrorism, drug money laundering, kiddie
pr0n) and you may never be able to find out what.

But it's important not to lose sight of the real issue - the length of time
it took before any action was taken to address a known security breach. Too
much conjecture about what may have happened or what anybody can say did
happen is a great tactic for misdirection. Timescales and action paths are
the keystones of a security policy - it should also cover policy on
notification and seizure. And if they are not documented in your policy or
you have no such policy then the person responsible for the policy should
also be getting keel-hauled.

If this is unfamiliar territory, I'd recommend reading
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

By now, of course, that meeting will have come and gone - so what happened?

C.
Flash Gordon
*nix forums Guru


Joined: 28 Feb 2005
Posts: 1258

Posted: Mon Jul 10, 2006 12:47 pm    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

Juha Laiho wrote:
Quote:
"extremesanity" <extremesanity@gmail.com> said:
[case of slaggy response from IT staff, when a compromised server
should've been taken offline quickly]

Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.

The primary implications are technical; I think I might be able to
outline some of these. The secondary implications are juridical,
and so depend on your local jurisdiction. I won't be commenting on
these.

I'd concentrate on the implications on your site;
It could be that this compromised server has some access to company
internal machines that an outside machine does not - so this machine
could in that case be used to launch an attack to internal machines,
which have been presumed to be protected by a perimeter firewall.

It could be that the machine contained data confidential to the company
(or even worse, data confidential to customers of business partners of
the company). With a compromised server, you have to assume that all
confidential data on this server is now in unknown hands.

I think one should also emphasise the financial implications.

If you pay for internet traffic by the MB, or have caps beyond which you
pay extra, then you potentially have someone using your bandwidth via
that server increasing your costs.

Then there is the risk of you being black listed. For example, if the
machine is your outbound mail server and someone starts sending spam
through it then it could be blacklisted causing the emails you send to
be bounced instead of reaching customers.

Then there is the risk of your ISP blocking your service if they receive
complaints about attacks and/or spam and/or your server being used to
host phishing sites.

Then there is the risk of being held legally responsible, especially if
you have not dealt with the problem once you know the server has been
rooted and it is used for illegal activity.

Of course, there is also your moral responsibility.
--
Flash Gordon, living in interesting times.
Web site - http://home.flash-gordon.me.uk/
comp.lang.c posting guidelines and intro:
http://clc-wiki.net/wiki/Intro_to_clc
Juha Laiho
*nix forums Guru Wannabe


Joined: 22 Feb 2005
Posts: 139

Posted: Mon Jul 10, 2006 11:41 am    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

"extremesanity" <extremesanity@gmail.com> said:
[case of slaggy response from IT staff, when a compromised server
should've been taken offline quickly]

Quote:
Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.

The primary implications are technical; I think I might be able to
outline some of these. The secondary implications are juridical,
and so depend on your local jurisdiction. I won't be commenting on
these.

I'd concentrate on the implications on your site;
It could be that this compromised server has some access to company
internal machines that an outside machine does not - so this machine
could in that case be used to launch an attack to internal machines,
which have been presumed to be protected by a perimeter firewall.

It could be that the machine contained data confidential to the company
(or even worse, data confidential to customers of business partners of
the company). With a compromised server, you have to assume that all
confidential data on this server is now in unknown hands.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
M. Trimble
*nix forums beginner


Joined: 05 Apr 2005
Posts: 35

Posted: Mon Jul 10, 2006 4:11 am    Post subject: Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

extremesanity wrote:

Quote:
My question:

Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.

I rather tend to doubt there will be much consequence directly to you, given
one caveat: What was the timeline between the attack and your receipt of
the e-mail regarding the site? If you can demonstrate, for example by means
of e-mail printouts, written documents, etc., that you responded more or
less immediately (defined as within less than one business day), then you,
personally, should be off the hook. Emphasis on 'should be'.

I see three major implications. Company data might have been compromised;
other servers might have been compromised through yours, and your company
might be held liable; there might be negative publicity; and there could
conceivably be some financial loss, owing to the above. There might be
others of which I'm not aware.

HTH
extremesanity
*nix forums beginner


Joined: 25 Apr 2006
Posts: 8

Posted: Mon Jul 10, 2006 2:27 am    Post subject: Linux server hacked, response time very slow, now I'm in an intercompany war...

Some background:

My company is one large company with multiple sister companies. The
sister companies are just like siblings, so none of them get along so
we have 4 distinct IT groups that share one network.

Last Thursday one of the other IT guys' servers was hacked. It was a
linux plesk test server. The hacker installed a couple of phishing
sites for ebay and paypal. I received an email from ebay informing me
of the phishing sites. I informed the IT guy at 10 pm, expecting him
to take it off the network or shut the server down almost immediately.
Seems he just looked at it, then went to sleep.

Fast forward to the next day, the phishing sites are still up. I get
back on the phone and start getting more assertive with that IT group,
and around 1 pm, 15 hours after identification of a compromised server,
the phishing sites were taken down.

I had the IT guy come into my office and basically try to start a fight
with me because I told him his response times were unacceptable for
this kind of security breach. Now I'm smack in the middle of an
intercompany IT war.

The actual damage from this security breach was low, because it looks
like the hacker (or cracker depending on how specific you are ;) ) had
not yet released his mass emails for these phishing sites. Besides two
contacts from ebay, and a contact from an unknown observer, there were
no repercussions.

My question:

Now I have to go into a meeting and explain why that IT guy was not
doing his job properly. What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet? Of course it
has a public ip that is tracked right back to us.