[GTALUG] Linux servers attacked!

Alvin Starr alvin at netvel.net
Sat May 9 23:10:12 EDT 2020


On 5/9/20 5:22 PM, D. Hugh Redelmeier via talk wrote:
> <https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf>
>
> This describes a lot of attacks, starting with a Linux server victim.
> Sounds like juicy stuff.  I didn't find it so.
>
> It didn't clearly say what vulnerabilities were being exploited.
>
> The article hinted that a foothold was established via brute-force
> password guessing at logins.  My servers only allow SSH logins, so
> this would not work on my machines.  Does anyone still use passwords
> for logins facing the internet?  Consumer crap (wireless routers,
> baby monitors, ...), I guess.
There are buffer overflow hacks that crop up on a semi-regular basis.
There are sloppy PHP, Ruby, Perl, Python, C, C++ ... programmers who do 
things that allow arbitrary command execution.
There are occasional bugs that allow privilege escalation.
There are bugs that allow data to be extracted from virtual machines 
running on some hypervisors.
There have been bugs in cryptography protocols that have allowed 
information extraction and other attacks.

These tend to get plugged but often the software running on real systems 
does not get updated nearly enough.

I had a system hacked 20 years ago from having a system accidentally  
running sendmail which had a buffer overflow problem.
It can easily happen and not just through bad passwords.

>
> After the login, a kernel module is installed.  Where does the
> privilege come from?  An unmentioned hole?
All you need is a single setuid script with 777 permissions, and I know 
of at least 1 company that would run chmod -R 777 /somedir to get around 
having to manage user/group ids.
Also over the years there have been privilege escalation bugs.

>
> There is a claim that this stuff is widespread and has been for a long
> time.  I don't think any quantitative evidence is revealed.
Most all the above are sloppy systems admin and apply to just about 
every OS not just Linux.
I found the repetition of the words "Open Source" a bit annoying.
And the citing of hacks up to 10 years old.
But I am sure the intent of the document is to scare people into buying 
BlackBerry security services.
It's clearly trading on the current trend in China bashing.

I have no doubt that China is sponsoring state hacking, but then so is 
just about every other country in the world, so in Canada we should be 
worried about China, Russia, and the U.S.A. equally.
There are also criminals and corporate sponsored hackers to worry about.
Add to that political groups aggressively targeting opposing political 
groups in the same country.

There is WAY more to worry about than just China.

I would say it was a crappy "dog whistle messaging" kind of article that 
is trying to leverage current fears to push a business agenda.


-- 
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||
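As an added example (my own, not from anyone in the thread), a POSIX shell audit for the misconfiguration Alvin describes: files that carry a setuid or setgid bit and are also world-writable, which is what a blanket chmod -R 777 produces on a tree containing a setuid binary. It also applies the narrow fix of removing only the world-write bit; the directory path is an assumed argument, and the demo tree is constructed in a temp directory.

```shell
#!/bin/sh
# Audit: list regular files under a tree that are world-writable AND have a
# setuid or setgid bit. Anyone who can write such a file controls what runs
# with elevated privilege. POSIX find only (no GNU -perm /6000).
audit_setuid_world_writable() {
    find "$1" -xdev -type f -perm -o+w \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of flagged files, as a plain integer for scripts and tests.
count_setuid_world_writable() {
    audit_setuid_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: strip only the world-write bit from each flagged file.
# This leaves the setuid/setgid bit and owner/group perms untouched, so
# the program keeps working but can no longer be replaced by any local user.
harden_setuid_world_writable() {
    audit_setuid_world_writable "$1" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}

# Constructed demonstration tree (not a real system path).
demo=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo/helper.sh"
chmod 4777 "$demo/helper.sh"          # setuid + world-writable: flagged
printf '#!/bin/sh\necho hello\n' > "$demo/fine.sh"
chmod 4755 "$demo/fine.sh"            # setuid but not world-writable: ignored
echo "Flagged before hardening: $(count_setuid_world_writable "$demo")"
harden_setuid_world_writable "$demo"
echo "Flagged after hardening:  $(count_setuid_world_writable "$demo")"
rm -rf "$demo"
```

Run it as root with -xdev per mounted filesystem on a real host; as an unprivileged user it only sees files you can stat.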


