“Operation Windigo” Attack Infects 10,000 Unix Servers!!


Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby mike acker on Fri Mar 21, 2014 9:29 am

Home assembled box using ASUS M5A88-M motherboard and x64 AMD Phenom II X4 3.4GHz cpu; 4x4MB DDR3 RAM


Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby viking777 on Fri Mar 21, 2014 11:15 am

I don't think Mike has posted this one yet, but I know he will like it :)

http://www.forbes.com/sites/andygreenbe ... -timeline/

And if you haven't had enough of conspiracy theories just recently with the events in Malaysia, then compare and contrast Forbes' response to their hack from a couple of months ago with kernel.org's response to their hack of a couple of years ago, which, to the best of my knowledge, has still not been publicly explained (or if it has I haven't spotted it). This is from Sept 2013:

For three weeks in September and early October, officials kept kernel.org closed so the servers that run it could be rebuilt. When the site reopened on October 4, a message on the front page prominently warned of the breach and noted the steps taken to rebuild the site. "Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different kernel.org systems over the next few weeks," the message concluded. "We will be writing up a report on the incident in the future."

Almost two years later, the report has yet to be delivered. The promise to deliver an incident report remained on kernel.org as recently as March 1 of this year, before being quietly pulled the following day. To this day, officials have yet to provide key details, including exactly how many machines were compromised, how the attackers were able to gain root access to them, and what they did once they seized control. The delay contrasts sharply with autopsies that were delivered promptly following two similar compromises of Apache.org, the official distributor of the open-source Apache Web server.


Open Source anybody??
Fujitsu Lifebook AH532. Intel i5 processor, 6Gb ram, Intel HD3000 graphics, Intel Audio/wifi. Realtek RTL8111/8168B Ethernet.Lubuntu 13.10,Ubuntu12.10 (Unity), Mint16 (Cinnamon), Manjaro (Xfce).

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby mike acker on Fri Mar 21, 2014 7:17 pm

thanks Vike, that's a good add for my files!!

as soon as you start reading through this you'll recognize the main issue: failure to authenticate

1. The link led to a spoofed webmail login where she shared her email credentials.


2. “The imprimatur of [the senior executive] suggested something was actually going on here,” he says. “I’ve been kicking myself black and blue over this.”


also in this chat section I have started a thread on GnuPG (PGP or Public Key Encryption). In this thread I mention authentication, and also Trust Models.

It is my feeling that much of our difficulty lies in this area. I could create a web-site that looks similar to some important site and then get an x.509 certificate for it from some off-center agency. your browser will display my similar-looking site and mark it secure.

this is because the people who have pushed out x.509 have disparaged Phil Zimmerman's instructions on Trust Models.

this is why I have offered my thread on GnuPG/PGP. Trust Models are a critical component of Public Key Encryption.

when you get a whole pile of x.509 certificates in your browser* -- you should mark all of them for MARGINAL trust. then, authenticate and sign ONLY those certificates you actually need to use.

unfortunately, to my knowledge you can't do this. if you could, then the web browser would need a more prominent indicator related to this Level of Trust -- I'm sure we could come up with some idea that would work, for people who haven't had their coffee yet.

it is my view that this is a matter that needs to enter the public consciousness. if we can twitter pictures we can also check and sign x.509 certificates. but people need to know what's going on -- and what's at stake.

someplace i have that thread on PayPal using PGP for this sort of thing. I'll try again to find it, but the bottom line was: it worked well for them to kill spoofed e-mails.

thanks again for a most interesting add to this thread!!

~~
*to view your certificates on FireFox: select: edit | preferences | advanced | certificates | view certificates | servers + authorities

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby mike acker on Fri Mar 21, 2014 8:41 pm

here is the reference to PayPal and digital signatures

Dated April 9, 2011
Michael Barrett, chief information security officer at PayPal:
A few years ago we started digitally signing all our outbound e-mail and we worked with Yahoo and Google so if they saw e-mail that purported to come from us but wasn't signed they would block it. That has been stunningly successful. Now we're trying to get the whole industry to take up that type of approach. But it will take several more years of pushing to get the rest of the industry to do that.


IMHO it's an approach that could be beneficial to most of us in many circumstances. As Michael notes -- it's a learning curve type thing
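The receiver-side rule Michael Barrett describes (mail that claims to come from a domain known to sign everything, but carries no signature from that domain, gets blocked) as an added Python example. This is not code from the post or from PayPal. It assumes the cryptographic DKIM verification itself (fetching the selector key from DNS, checking the signature) has already been done by the receiving MTA and recorded in an Authentication-Results header, which is how real mail servers do it; only the policy decision is modelled. The domains, messages, policy table and the two-label "organisational domain" shortcut are all assumptions of the example.

```python
"""Receiver-side policy of the kind PayPal describes: mail whose From header
claims a domain known to sign everything, but that carries no aligned DKIM
pass, is rejected.

Added example; not code from the forum post or from PayPal.  Signature
verification itself is assumed to have been done upstream and recorded in an
Authentication-Results header, as MTAs do; only the policy decision is
modelled.  The domains, messages and policy table below are constructed.
"""
import email
from email.utils import parseaddr

# Constructed policy table: domains whose owners have told the receiver
# "we sign all outbound mail; block anything from us that is not signed".
POLICY = {"paypal.example": "reject"}


def org_domain(domain):
    """Organisational domain, crudely taken as the last two labels.
    (DMARC uses the public suffix list; this shortcut is an assumption.)"""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    """Domain of the RFC 5322 From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dkim_pass_domains(msg):
    """Signing domains (header.d) of every dkim=pass in Authentication-Results."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";")[1:]:          # [0] is the authserv-id
            tokens = clause.split()
            if not tokens or tokens[0] != "dkim=pass":
                continue
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            if "header.d" in props:
                found.append(props["header.d"].lower())
    return found


def decide(raw_message, alignment="relaxed"):
    """Return 'accept' or 'reject' for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    claimed = from_domain(msg)
    if not claimed:
        return "reject"                      # no usable From header at all
    policy = POLICY.get(org_domain(claimed))
    if policy is None:
        return "accept"                      # sender has asked for no enforcement
    for signer in dkim_pass_domains(msg):
        if alignment == "strict":
            aligned = signer == claimed
        else:
            aligned = org_domain(signer) == org_domain(claimed)
        if aligned:
            return "accept"                  # signed by the domain it claims
    return policy                            # unsigned, or signed by someone else


# Constructed sample messages.  The Authentication-Results lines are what the
# receiver's own verifier would have added after checking the signature.
SIGNED = (
    'From: "PayPal" <service@paypal.example>\n'
    "Authentication-Results: mx.example.net; dkim=pass header.d=paypal.example header.s=s1\n"
    "Subject: Your receipt\n\nThanks for your payment.\n"
)
SUBDOMAIN_SIGNED = (
    'From: "PayPal" <service@paypal.example>\n'
    "Authentication-Results: mx.example.net; dkim=pass header.d=mail.paypal.example\n"
    "Subject: Your receipt\n\nThanks for your payment.\n"
)
SPOOF_UNSIGNED = (
    'From: "PayPal" <service@paypal.example>\n'
    "Subject: Please verify your account\n\nClick here.\n"
)
SPOOF_OTHER_SIGNER = (
    'From: "PayPal" <service@paypal.example>\n'
    "Authentication-Results: mx.example.net; dkim=pass header.d=phisher.example\n"
    "Subject: Please verify your account\n\nClick here.\n"
)
UNRELATED = "From: friend@someone.example\nSubject: hi\n\nLunch?\n"

if __name__ == "__main__":
    for name in ("SIGNED", "SUBDOMAIN_SIGNED", "SPOOF_UNSIGNED",
                 "SPOOF_OTHER_SIGNER", "UNRELATED"):
        raw = globals()[name]
        print(f"{name:20} relaxed={decide(raw):7} strict={decide(raw, 'strict')}")
```

Two things a practitioner would add before trusting this: the receiving MTA must strip any Authentication-Results header that arrives already bearing its own authserv-id, otherwise a phisher simply forges the "dkim=pass" line, and the policy table should come from the sender domain itself rather than a private arrangement (which is what the later DMARC DNS record provides).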

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby viking777 on Sat Mar 22, 2014 7:33 am

to view your certificates on FireFox: select: edit | preferences | advanced | certificates | view certificates | servers + authorities


Now the thing is Mike that for somebody like myself that has more than a passing interest in security, I have never looked in that location before in my life :shock: . I was absolutely horrified to find what was in there, and yet I haven't the slightest idea what to do about it. I scrolled down the list, and saw entries from all sorts of people I have no idea about (like authorities in Turkey) as well as people I know about but have no dealings with (AOL for instance). I daren't scroll any further than the letter M in case I have a dozen or so certs from the NSA allowed.

It is all too obscure isn't it, dealing with something like this requires a level of knowledge that most users do not possess and will never possess. Therein lies the problem: any certification system needs to be completely transparent or blindingly simple to the end user or it will never be of any use. To my eyes these solutions are too complex. MOST solutions are too complex. For example people argue for two factor authentication as a security model. A bank I was using introduced that a while back - and I changed banks because of it. Linux introduces SELinux and AppArmor, but they are so complex that outside of corporate environments nobody will ever use them, so they are useless. The other oft quoted model is encryption, either disk or file, it doesn't matter. As a long time forum user I have seen so many people crying that "I encrypted X then did Y and now I can't access X any more - Help" that I consider the cure worse than the disease.

Edit. The type of user friendly security model that I know of and use is the Web of Trust addon for Firefox. You probably know about it already, in case anybody doesn't, it flags untrusted sites with a red warning icon. So for instance, when I do a 'Startpage' search for 'linux security' most of the first page entries are unflagged, but the sponsored link from a dating agency is red flagged. That is something anybody can understand and implement and is far more valuable because of that.

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby mike acker on Sat Mar 22, 2014 8:58 am

thanks for the notes, Vike! good stuff, as ever!!

I added Web of Trust to my Firefox this morning. thanks. on the windmills here we have Norton/360 -- which does the same thing. but, iaw Linux advice -- i don't run any AV on my Nix box.

one would be aware of course that "Malvertising" is one means by which the Bad Guys get malware into what folks would normally think would be a respectable site.

you really have to laugh at people who promote biometric IDs or some kind of two-factor ID as the solution to hacking. when you understand that hackers generally use the victim's credentials -- e.g. phishing as in the Forbes story -- or the RSA Hack -- or -- they bypass security completely by exploiting a bug of some kind -- as in buffer overflow, hidden back door passwords, SQL injections, and such.

Bruce Schneier notes that "Complexity is the enemy of security" and you instinctively touch on that in your note here this morning. Looking through the list of Certificate Authorities -- that are allowed to approve x.509 certs (secure web sites) you note, -- What a MESS!!

yep
the bad guys already got DigiNotar and Comodo
and now Intel wants to incorporate the same thinking into their UEFI process

full disk encryption is a good idea if your computer may be stolen -- or seized by The Goons. but it is useless against phishing: the phisher gets you to do the Dirty Deed. ( Dirt Cheap, tee hee ) .

I really like your thought: security needs to be simple enough so as to be available. Personally I don't see that using PGP is all that tough..... the basic steps are:

1. get the software ( included in Linux -- use GPG on terminal )
2. get a GUI interface: Included in the ENIGMAIL plug-in for Thunderbird -- which is included in Linux. Winmill operators will need to download GnuPG -- or install PGP/Desktop.
3. generate a key-pair. be sure to set an expiration date and generate a revoke certificate. save your keyrings and certificates in a safe place. including your passphrase.
4. practice sending secure mail or encrypting text files.
5. learn about trust models

trust models are the key to good use of PGP

you can download my public key from the keyserver -- using the PGP GUI in Thunderbird if you have the ENIGMAIL plug-in installed. I'll show code for it later this morning -- I have to help my daughter shoot a video now.

while I'm doing that, here's the Critical Question: how do you -- or anyone -- satisfy themselves that they have a correct copy of my key?

this is the key to understanding the Trust Model. you need to separately verify the key fingerprint -- and then countersign my key. which is what you have not done with all those x.509 certs you found in your browser.
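The trust model mike is pointing at in this post, and in the earlier one about marking x.509 certificates as only marginally trusted, as an added Python example (not code from the thread, and not GnuPG's own implementation). It models the default "classic" rule GnuPG applies when it decides whether a key on your keyring is valid: one certification signature from a key you trust fully, or three from keys you trust marginally, within five signature hops of your own key, and trust you have assigned to a key counts only once that key is itself valid. The key names, signatures and trust assignments are constructed; the second function is the out-of-band fingerprint comparison that has to happen before you countersign anything.

```python
"""Toy model of the GnuPG 'classic' web-of-trust validity calculation.

Added example (not code from the forum thread or from GnuPG).  A key is
VALID (its user ID is believed to belong to the owner) when it carries a
certification signature from one key you trust FULLY, or from three keys you
trust MARGINALLY, within 5 signature hops of your own (ultimately trusted)
key.  Trust assigned to a key only counts once that key is itself valid.
All key names, signatures and trust levels below are constructed.
"""

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

# Constructed keyring: who certified whose key.  SIGS[key] = set of signers.
SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "mike": {"alice"},                 # one FULL signer: enough
    "vike": {"bob", "carol", "dave"},  # three MARGINAL signers: enough
    "eve": {"bob", "carol"},           # only two MARGINAL signers: not enough
    "mallory": {"eve"},                # signed by a key that never becomes valid
}

# Constructed owner-trust assignments (what 'gpg --edit-key <id> trust' sets).
OWNER_TRUST = {
    "me": ULTIMATE, "alice": FULL,
    "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
    "eve": FULL,  # trust assigned, but eve's own key is not valid, so it is inert
}


def compute_validity(sigs, owner_trust, needed_full=1, needed_marginal=3, max_depth=5):
    """Return the set of keys considered valid under the classic trust model."""
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}  # your own keys
    depth = {k: 0 for k in valid}
    changed = True
    while changed:                            # iterate until nothing new validates
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and depth[s] < max_depth]
            full = [s for s in usable if owner_trust.get(s) in (ULTIMATE, FULL)]
            marg = [s for s in usable if owner_trust.get(s) == MARGINAL]
            if len(full) >= needed_full or len(marg) >= needed_marginal:
                valid.add(key)
                depth[key] = 1 + min(depth[s] for s in full + marg)
                changed = True
    return valid


def fingerprint_matches(shown, out_of_band):
    """Compare the fingerprint your software displays with one obtained through a
    separate channel (phone call, in person, printed card).  Whitespace and case
    are ignored.  Anything shorter than a full 40-hex-digit v4 fingerprint is
    refused: 8- or 16-digit key IDs are far too short to be unforgeable."""
    a = "".join(shown.split()).upper()
    b = "".join(out_of_band.split()).upper()
    if len(a) != 40 or len(b) != 40:
        return False
    return a == b


if __name__ == "__main__":
    valid = compute_validity(SIGS, OWNER_TRUST)
    for key in sorted(set(SIGS) | set(OWNER_TRUST)):
        print(f"{key:8} {'valid' if key in valid else 'NOT valid'}")
    # Constructed fingerprints: the second one is the "phone" copy.
    print(fingerprint_matches("1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678",
                              "123456789abcdef0123456789abcdef012345678"))
```

The point of the eve/mallory rows is the one mike makes about the browser certificate list: assigning trust to a key (or shipping a CA in a trust store) does nothing useful unless you have first verified that key's fingerprint out of band and signed it yourself; until then it should contribute nothing to any validity decision.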

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby viking777 on Sat Mar 22, 2014 9:36 am

Here is another one:

http://blogs.cisco.com/security/mass-co ... -obsolete/

Lesson here is - update your server occasionally. The interesting thing about this post is that part way down the comments they provide links to all the addresses that they know to be compromised. I had a scan through and they looked like fairly obscure sites, I only recognised one of them - a freecycle site in a .fr domain. Not one I am likely to have visited.

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby d00med on Sat Mar 22, 2014 1:53 pm

mike acker wrote: ummmmmmm.... Check that

Talk to the hand.

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby ashtongj on Sun Mar 23, 2014 10:07 am

I notice the attack subverted ssh. I'm a newbie, and I see that I have an ssh-agent process on my Petra Cinnamon 64 bit machine. The only devices I normally have on my home network are a Windows 8.1 machine, an Android phone, and the Petra machine.

Is there any cool stuff I can do between the various machines that I need ssh for? If not, how do I disable ssh?

Gerry

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby mike acker on Sun Mar 23, 2014 11:38 am

ashtongj wrote:I notice the attack subverted ssh. I'm a newbie, and I see that I have an ssh-agent process on my Petra Cinnamon 64 bit machine. The only devices I normally have on my home network are a Windows 8.1 machine, an Android phone, and the Petra machine.

Is there any cool stuff I can do between the various machines that I need ssh for? If not, how do I disable ssh?

Gerry


you might ask on the newbie forum--
i just run a firewall in my wireless router that prevents communication from starting from the outside

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby viking777 on Sun Mar 23, 2014 12:01 pm

ashtongj the easiest way to disable it is to remove it, as long as you don't need it. That used to be simple, you just uninstalled openssh-client, but for some reason if you try that now it tries to install the server instead, which is 50 times worse, so you have to do it like this:

First uninstall sshfs (if it is installed), then uninstall ssh-askpass-gnome, then uninstall openssh-client.

I should point out here though that although ssh is a major attack vector in the Linux world, it is usually the server that is attacked not the client and Mint does not install the server by default so you could just leave it as it is.

Getting rid of those will get rid of ssh-agent too (when you reboot).
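Since the question in this exchange is really "is an SSH server running on my machine at all", here is an added Python example (not from the thread) that answers it from the output of `ss -ltnp`, the listing of listening TCP sockets with their owning processes. It also generalises to any listening service, and classifies whether each is bound to loopback only or reachable from the network. The sample outputs are constructed; the process name `sshd` and the column layout of `ss` are the assumptions it relies on.

```python
"""Is an SSH server actually listening on this machine?

Added example, not code from the forum thread.  It parses the output of
`ss -ltnp` (listening TCP sockets plus owning process) and reports what sshd,
if present, is bound to.  ssh-agent never appears here: it is a client-side
helper that listens only on a Unix socket, not on a TCP port, so seeing an
ssh-agent process does not mean the machine accepts SSH logins.
The sample outputs below are constructed.
"""
import re
import subprocess


def parse_listeners(ss_output):
    """Return [(process, local_address, port)] for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                   # header or other state
        addr, _, port = fields[3].rpartition(":")      # works for [::]:22 too
        procs = re.findall(r'\("([^"]+)"', line) or ["?"]   # '?' when not root
        rows.extend((p, addr, int(port)) for p in procs)
    return rows


def scope(addr):
    """Who can reach a socket bound to this address."""
    if addr in ("0.0.0.0", "[::]", "*"):
        return "all-interfaces"
    if addr in ("127.0.0.1", "[::1]"):
        return "loopback"
    return "specific-interface"


def ssh_exposure(ss_output, process="sshd"):
    """Summarise how exposed the SSH daemon is, from ss output."""
    scopes = {scope(a) for p, a, _ in parse_listeners(ss_output) if p == process}
    if not scopes:
        return "not listening"
    if scopes == {"loopback"}:
        return "loopback only"
    return "reachable from the network"


def live_ss_output():
    """Run ss for real.  Run as root (or via sudo), or the Process column is empty."""
    return subprocess.run(["ss", "-ltnp"], capture_output=True,
                          text=True, check=True).stdout


# Constructed samples in the layout `ss -ltnp` prints.
SAMPLE_WITH_SSHD = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
"""
SAMPLE_DESKTOP = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
"""
SAMPLE_LOOPBACK_SSHD = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
"""

if __name__ == "__main__":
    print("constructed sample:", ssh_exposure(SAMPLE_WITH_SSHD))
    try:
        print("this machine:     ", ssh_exposure(live_ss_output()))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run ss:", exc)
```

Pair this with `dpkg-query -W -f='${Status}\n' openssh-server` to see whether the server package is installed at all. A listening check only says whether the service is exposed; it says nothing about whether the ssh binaries themselves are intact, which on Debian-based systems like Mint is what `debsums` is for.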

Re: “Operation Windigo” Attack Infects 10,000 Unix Servers!!

Postby ashtongj on Sun Mar 23, 2014 12:23 pm

viking777 wrote:...
I should point out here though that although ssh is a major attack vector in the Linux world, it is usually the server that is attacked not the client and Mint does not install the server by default so you could just leave it as it is....


Thanks, as long as the server isn't installed by default, I can leave well enough alone.

Gerry
