Date:      Sun, 10 Jul 2005 14:08:08 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Brett Glass" <brett@lariat.org>, <questions@freebsd.org>
Subject:   RE: Has this box been hacked?
Message-ID:  <LOBBIFDAGNMAMLGJJCKNGEPNFBAA.tedm@toybox.placo.com>
In-Reply-To: <6.2.1.2.2.20050710122345.07d0c3c8@localhost>


It isn't a question of saving them money; to be perfectly
frank, it is a case of you defrauding a customer or not.

You cannot assume that the previous admin, who left on good
terms, didn't insert a back door.  THEY can assume this if
they want, but YOU can't.  Thus you cannot guarantee to this
customer that their system is secure.

The best you can do is tell them that you don't see anything
obviously wrong, but that since you didn't set it up you
cannot guarantee that the prior admin didn't deliberately or
inadvertently insert a back door, unless you nuke and repave it.
If they are bringing you in for a security audit, this response
is what they need to hear.  If you tell them anything else then
you're defrauding them, because you are lying.

This kind of thing actually illustrates one of the Achilles'
heels of Open Source software as compared to Windows.  With
Windows, since it's all delivered in binary, every single
Windows install on the face of the earth of a particular language
and version has the same files.  Thus it is fairly easy to write a
security audit tool that compares all the key Windows executables
and DLLs which can be used to install back doors with a set of
known file checksums.

With Open Source, no such tool exists because there are so many
different options to compiling code.  Different versions of gcc
can generate different sized executables, different link options
can do this, etc. etc.

Thus you have no way to look at a daemon, such as httpd, and compare
its binary executable file against a set of checksums for "known
good ones" to see if the daemon has perhaps been recompiled with
a back door inserted.

You can of course, recompile all daemons that listen to network
sockets with known good source files.  But by the time you do that
you have spent as much time as if you just reinstalled everything
from scratch.

And as for whether what you're seeing is common on rooted boxes: well,
if the intruder is knowledgeable then you won't know he's been
there, so you have to assume it's been rooted.  And if the intruder
is clumsy enough to leave traces behind, well then you cannot know
how far he got, so you still have to assume the worst, that it has
been rooted.

So either way, the second that the customer says "we aren't sure if
this server is secure, can you tell us if it's been rooted or not",
the only correct answer is to tell them "The only way I can guarantee
this server is secure is by rebuilding it myself."

Brett, you have to understand the big picture here.  This is all
about trust; it isn't about whether or not a particular file
has been modified.  The fact that you are in there talking
to this customer at all about security on this server indicates that
they don't have trust in whoever set up this server, whether or not
that person left on good terms.  If this customer has trust in you,
then that is more trust than they had in the previous admin, don't
you get it?  You have an obligation to tell them the truth, even if
the truth isn't something they want to hear.  (Like, the truth is,
Mr. Customer, that you are gonna have to spend a lot of money.)

An organization simply cannot have a secure network if they do not
trust the people that put that network together.  And that isn't just
the trust that the people building their network aren't a bunch of
thieves.  There is also the trust that the people putting it together
are knowledgeable enough to put it together the right way.

I have customers who I tell point blank that there is not a snowball's
chance in hell that they will ever have a secure network, because
the way they want me to construct it and the type of services they want
their network to offer their employees are such that it is impossible
to secure.  Such as: they want their employee laptops set up without
passwords, so a single click dials the laptop right into their corporate
network, on a dialup server that is plugged directly into their
inside network.  Yet those customers still proceed forward with having
me build their networks this way (and some of these customers have
been successfully attacked in the past, as a matter of fact) because
the kind of business they are in, they feel, mandates that they have to
do it this way.  But at least my customers know the truth, and have
no illusions: they are running an insecure network that, as sure as
atomic decay, is going to get cracked into one day.

So it is your choice: you can make up something that your customer wants
to hear, then live with your conscience, or you can tell them the truth
and sleep soundly at night.  Whether the truth costs your customer more
money is frankly not your concern.  All you can do is present the
alternatives and their costs, and if the customer wants to save money
by assuming that the previous admin didn't deliberately or inadvertently
leave a back door, that is their decision to make.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Brett Glass
>Sent: Sunday, July 10, 2005 11:26 AM
>To: Ted Mittelstaedt; questions@freebsd.org
>Subject: RE: Has this box been hacked?
>
>
>The person who set the system up did not leave on bad terms.
>However, before taking the system down and setting it up
>from scratch (and charging them to do so) I'd like to know
>if anyone is aware of whether what I saw is common on boxes
>that have been rooted. Is that "shutdown" entry cause for
>concern? Is there a way in which it could have happened
>innocently (e.g. due to a power failure that left the disk
>inconsistent)?
>
>--Brett Glass
>
>At 02:31 AM 7/10/2005, Ted Mittelstaedt wrote:
>
>
>>When I am in that same position as a rule I tell the customer
>>that I would assume the system was rooted.
>>
>>The reason is that all of the times I've been called in on
>>this type of job it has been because the previous admin was
>>fired and they wanted to make sure he wasn't getting back
>>in remotely and causing problems.
>>
>>You didn't say the circumstances behind this job of yours, but
>>clearly, since this is a FreeBSD 4.11 system, it's been built
>>within the last 6 months.  Now, the person that built it isn't
>>around?  Otherwise why would they be calling you in?  You should
>>assume the previous person that set up this system left some back
>>doors.
>>
>>Ted
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe@freebsd.org"
>
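The checksum comparison Ted describes for Windows binaries, written out as a POSIX sh script so the mechanics are concrete. This is an added example, not code from the thread or from FreeBSD: it builds a baseline manifest of SHA-256 digests for a list of daemon binaries, then re-checks the same files against that manifest and reports anything that no longer matches. The file list, the sample directory and the file contents are constructed here so it runs offline; `sha256_of` picks whichever digest tool is present (`sha256sum`, `shasum`, or FreeBSD's `sha256(1)`). The caveat from the message still applies: the report only means something if the baseline was taken from a build you trust, and a locally recompiled daemon will show as MISMATCH whether or not anything malicious was added.

```shell
#!/bin/sh
# Added example: checksum baseline and re-check for daemon binaries.
# Not from the original thread; paths and contents below are constructed.
set -u

# Portable SHA-256 of one file: prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"          # FreeBSD's sha256(1)
    fi
}

# build_manifest FILE... : print "digest  path" lines sorted by path.
# Save this output from a build you trust; that is the baseline.
build_manifest() {
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done | sort -k2
}

# check_manifest BASELINE FILE... : compare current digests with the baseline.
# Prints one line per problem (NEW / MISSING / MISMATCH); returns 0 only
# when every listed file is present and matches its recorded digest.
check_manifest() {
    baseline=$1; shift
    status=0
    for f in "$@"; do
        expected=$(awk -v p="$f" '$2 == p {print $1}' "$baseline")
        if [ -z "$expected" ]; then
            echo "NEW      $f (not in baseline)"; status=1
        elif [ ! -f "$f" ]; then
            echo "MISSING  $f"; status=1
        elif [ "$(sha256_of "$f")" != "$expected" ]; then
            echo "MISMATCH $f"; status=1
        fi
    done
    return $status
}

# demo: create a constructed set of "daemons" under a temp dir, baseline them,
# replace one as if it had been rebuilt from different source, and re-check.
# Returns check_manifest's status (1 here, because httpd no longer matches).
demo() {
    WORK=$(mktemp -d)
    mkdir -p "$WORK/usr/local/sbin" "$WORK/usr/sbin"
    printf 'original httpd build\n' > "$WORK/usr/local/sbin/httpd"   # constructed
    printf 'original sshd build\n'  > "$WORK/usr/sbin/sshd"          # constructed
    build_manifest "$WORK/usr/local/sbin/httpd" "$WORK/usr/sbin/sshd" \
        > "$WORK/baseline.sha256"

    # Simulate the situation in the thread: httpd recompiled after the baseline.
    printf 'rebuilt httpd with extra code\n' > "$WORK/usr/local/sbin/httpd"

    rc=0
    check_manifest "$WORK/baseline.sha256" \
        "$WORK/usr/local/sbin/httpd" "$WORK/usr/sbin/sshd" || rc=$?
    rm -rf "$WORK"
    return $rc
}

demo
```

On a real box the list passed to `build_manifest` would be the network-facing daemons (httpd, sshd, inetd and friends) plus the shells and libc, and the baseline must be stored off the machine being audited, since anyone who can replace a daemon can also edit a manifest kept beside it.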