Free Republic
Browse · Search
News/Activism
Topics · Post Article
Hackers send Sendmail a message [Open Source Software Hacked]
CNET News.com ^ | October 9, 2002, 4:21 PM PT | Robert Lemos

Posted on 10/09/2002 5:54:22 PM PDT by Bush2000

To: Bush2000
Sendmail has had a rather spotty security history, although this is the first major problem in a while, and has more to do with server administration than with their actual code.

But the same thing happened to a Microsoft service pack, so this has little to do with open/closed source code.

The other open source project with atrocious security was the old BIND. BIND 9 was totally rewritten, and has been much better in that regard. Sometimes, it does make sense to go back to the drawing board and throw out old, outdated code.

There are shadowy figures out there, though, who can do amazing things to even relatively well-maintained servers running whatever OS you choose.

http://www.viacorp.com/auditing.html

Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms.

Readers should also note how although a key binary in the cracked machine had been modified, tripwire and an assortment of other booby traps failed to detect this had happened. Even a close-up manual inspection (comparing file contents with a trusted backup, playing with its name) could not detect any odd behavior. This trick, and others equally spooky, were achieved by clever manipulation of the OS's kernel code (dynamically, through a module).

...

How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those sneaky packets red-handed, transmitting our SSH identification down under.

We never liked NT before, being generally suspicious of a proprietary black-box OS from a company with a long history of poor quality bloatware. But realizing just how helpless we were against an attacker that obviously knew the ins and outs of this can-of-worms OS, the company recognized that NT was a serious security hazard and changed its security policies to keep it as far away from its systems as possible, and this included restricting employees from using it from home to log into the company network (even with SSH).

2) The attacker is using a custom built software penetration agent.

This is only a hypothesis, but is strongly supported by the fact that the entire attack only lasted an incredible 8 seconds! During which the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system, remove any (standard) traces of its activity and log off.

And they probably would have gotten away with it too, if it wasn't for those meddling kids!

Who thoughtfully installed a crude old tty surveillance-camera hack that trapped IO calls to and from isatty(3) file descriptors, in realtime, saving them on file along with a timestamp for neato it's-almost-as-if-you-were-there playback qualities.

Scary stuff, that.

41 posted on 10/09/2002 10:33:10 PM PDT by B Knotts
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
[Open Source Software Hacked]
"open source software has security issues..."

Someone replaced the original sendmail source code distribution archive file with a bogus copy which included malicious code that opens a TCP connection to an outside server on port 6667 and waits for input from parties unknown.

This code runs as part of the build process, it does not affect the sendmail program, ancillary utility programs or support/configuration files.

The intruder replaced the file on the ftp server, but not the copy kept on the http server.

The MD5 checksum files were not altered. The PGP/GPG signatures were not altered (nor is it likely that they could have been). Anyone bothering to validate the checksums or check the cryptographic signatures would have discovered that the file was not genuine.

What can we infer from these facts? Someone gained unauthorized access to the sendmail.org ftp server and replaced the source distribution tarball with a bogus copy containing malicious code. Do you know which ftp server was in use at the time of the compromise and which platform it was running on? If not, then to claim that the fault lies with open source software is ill-informed, at best. Based on past experience I would attribute it to willful ignorance on your part. If you tried a little harder to get the facts straight and draw credible conclusions instead of acting like someone who's determined to spin every incident into a repudiation of something he hates, your words might hold more weight with those of us who actually know the subject and you might even find yourself involved in constructive dialogs. Your habit of starting and engaging in flamewars does not serve your purported cause very well. It takes real effort to constantly remind oneself that your behavior is not typical of all advocates of Microsoft software and culture. The average reader is not willing to make that distinction and will either agree with you or not based upon purely subjective criteria (and the choir says "Amen!"). Are you comfortable knowing that those who agree with you do so only because they're members of your camp? I certainly wouldn't be.

I'm troubled by the recent spate of compromised source tarball incidents (OpenSSH, BitchX IRC client, etc.) and all the more determined to make sure that none of my systems fall victim. I recently enabled GPG signature validation on the package management system on a couple of my systems but I'm not pleased with the results: several of the packages I've tried to install are not signed. This particular system does the right thing and refuses to install the unsigned packages (even though the MD5 checksums are valid) but why aren't the packages signed in the first place? While the MD5 checksums are checked against pre-existing local copies of the MD5 sums, reducing the likelihood that the MD5 sums could be falsified, I'm not comfortable relying only on this method of validation and would prefer the GPG cryptographic signatures.

There is a problem here, and users of open source and Free (libre) software (including Microsoft) should be concerned about the authenticity of the source code they use. A strong signature-validating package management system like RPM adds some protection, assuming the builder of the packages has taken due care to validate the source code used to create the package in the first place, but this isn't good enough, and a better system will have to be devised. Given my past experience with open source I'm optimistic that these issues will be addressed in the near future. Perhaps it's time to consider adding MD5 checksum and GPG signature validation directly to the BSD and GNU implementations of the ubiquitous tar(1) archive utility (the sectar project aims to be a "secure tar").

The problem of ensuring the authenticity of source code distributions is only the tip of the iceberg. What are we to do about this problem? Is Palladium (or something like it) the answer? I don't know. Sooner or later someone is going to figure out how to make Ken Thompson's nightmare scenario a reality (if it hasn't happened already) and I doubt anyone is equipped to detect such a compromise and deal with it effectively.

42 posted on 10/09/2002 10:42:38 PM PDT by dwollmann
[ Post Reply | Private Reply | To 1 | View Replies]
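Post 42 rests on one concrete check: the replaced tarball no longer matched the published MD5 sums, so anyone who verified before building would have caught it. The following is an added example, not code from any post in this thread or from the sendmail project: a small verifier for `md5sum -c` style checksum manifests, replayed against a constructed genuine tarball and a constructed tampered one (placeholder version name `X.Y.Z`, no real release). It also accepts SHA-256 manifests, which goes beyond what the thread discusses.

```python
import hashlib
import io
import tarfile

# Hex digest length -> hashlib algorithm. The 2002 sendmail checksum files were
# MD5; accepting SHA-256 manifests as well goes beyond what the thread covers.
DIGESTS = {32: "md5", 64: "sha256"}


def make_tarball(files):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_manifest(text):
    """Parse md5sum/sha256sum -c style lines: '<hex>  <name>' or '<hex> *<name>'."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        digest, name = digest.lower(), name.lstrip(" *")
        if (not sep or not name or len(digest) not in DIGESTS
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_downloads(manifest_text, downloads):
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry.
    A manifest is only as trustworthy as the channel it arrived over, which is
    why the thread wants a detached PGP/GPG signature on top of the checksums."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        data = downloads.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = hashlib.new(DIGESTS[len(digest)], data).hexdigest()
        results[name] = "ok" if actual == digest else "MISMATCH"
    return results


def simulate_incident():
    """Constructed replay of the pattern in post 42: one mirror serves a replaced
    tarball while the checksum file published alongside it is untouched."""
    tree = {"sendmail-X.Y.Z/README": b"constructed sample source tree\n"}
    genuine = make_tarball({**tree, "sendmail-X.Y.Z/Build": b"#!/bin/sh\nexec make\n"})
    # Constructed: the build script gained an extra step (contents deliberately elided).
    tampered = make_tarball({**tree, "sendmail-X.Y.Z/Build":
                             b"#!/bin/sh\n# extra build-time step inserted here\nexec make\n"})
    name = "sendmail-X.Y.Z.tar"  # placeholder version, not a real release
    manifest = f"{hashlib.md5(genuine).hexdigest()}  {name}\n"  # made from the genuine copy
    return {"ftp_mirror": verify_downloads(manifest, {name: tampered}),
            "http_mirror": verify_downloads(manifest, {name: genuine})}
```

`simulate_incident()` reports `MISMATCH` for the ftp copy and `ok` for the http copy; a build script should stop on anything other than `ok`.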

To: for-q-clinton
When you download open source, know the source. The very best way is just to simply sign up for a distro with one of the reputable companies. I use Red Hat and Mandrake distros and Ximian redcarpet desktop. All have md5sum verification tools. For office apps it is hard to beat OpenOffice and the big brother, Star Office. WORD TO THE WISE ... leave the developer sites alone if you aren't a developer.

I also install and run Win98, Win2000 and WinXP/SP1/PRO. So I see it all. Right now I can boot all the above, plus the Linux mentioned in the first paragraph, plus Solaris 8.

The new Red Hat 8.0 Linux is a keeper. I would recommend it to the first time user.

If you want no hassle downloads, let the company you get it from test it first. All the majors have upgrade services similar to MS. Just buy one in the box. Install is simpler than Windows. And Linux/UNIX doesn't crash endlessly.

When I want to test new stuff I put it on my playpen system before any of my production systems or the customers I support get it. Disk trays are a simple way to do this.

snooker
43 posted on 10/09/2002 11:22:50 PM PDT by snooker
[ Post Reply | Private Reply | To 29 | View Replies]

To: isthisnickcool
As far as this being "very informative" or "good"? How? 200 people may have downloaded it? Wow. Make it 2000. Stop the presses? So I guess you're only interested in MS issues. I say that a bit tongue-in-cheek, but the point is if it's quantity that matters then obviously MS is at the head of your list. I'm curious, does it also only matter if a hack is exploited? I know large software companies get a black eye every time they patch their software (even for bugs they find and that haven't even been exploited in the wild).

As far as not liking Bush2000 posts, I have a simple suggestion. Just don't read them and post on them. Kind of like if a tree falls in a forest and no one is there to hear it...does it make a sound?

44 posted on 10/10/2002 5:31:58 AM PDT by for-q-clinton
[ Post Reply | Private Reply | To 36 | View Replies]

To: snooker
I don't think you understood my question. Since the value of source code is that you the user/admin can review the code and make sure it's safe.

If you aren't doing that you are taking for granted that the code is good. I'm not talking about making sure it's authentic, but rather is it sound code (no bugs and such).

If you rely on others to do that, the argument of "I can review the code myself and make sure it's safe" is bogus. My point is that you always rely on others. Open-source has many more people looking at the code than MS does. That has advantages and disadvantages. Black hats just as much as white hats can use that code to hack systems. According to the post (a couple of this one) it mentions Linux/Apache being hacked even though the admins were anal about security. And then it mentions NT had a similar hack (not sure if they meant win2k or NT4), and the person is quoted as saying he doesn't trust MS products because it can be attacked like this. But wait, what about the apache/linux box that was hacked, which was probably achieved because of the open source code.

So it's back full circle. And the question is, which software can patch their software reliably and quickly? Can the open source community produce a patch fast enough and distribute it effectively to millions of users when a bug is found? Can MS or other large software houses do the same?

45 posted on 10/10/2002 5:46:09 AM PDT by for-q-clinton
[ Post Reply | Private Reply | To 43 | View Replies]

To: for-q-clinton
oops.

(a couple of this one) = (a couple ABOVE this one)

Hey, they're both prepositions, so it was close enough

46 posted on 10/10/2002 6:13:36 AM PDT by for-q-clinton
[ Post Reply | Private Reply | To 45 | View Replies]

To: shadowman99
Look, I have used MS Exchange/Outlook since 1996 and have gotten exactly one virus in six years (a Word macro virus sent by the president of the company in a newsletter) and that was my fault by reading mail FIFO; three emails later was a warning not to open the doc.

Mail is what you make of it. I get 100s of emails every day and I am cautious as to what I open. I keep security patches and virus updates current religiously. People need to take personal responsibility, but I would guess that the average user would not be verifying checksums of programs they download from a source they know.

47 posted on 10/10/2002 6:35:40 AM PDT by Woodman
[ Post Reply | Private Reply | To 9 | View Replies]

To: for-q-clinton
So I guess you're only interested in MS issues.

Nope. As I have posted before, we ran across Linus in 1991 and have been using Linux for years. From those early hacked out kernels or the early distributions that took 50+ floppies to the current stuff like RH 8.0. I have developers that do java work and .NET. Started an eval. project considering ASP.NET as a solution just last night.

This sendmail "event" is not so significant that it warrants a big red banner from Bush2000 and another thread for him to use this site to bash what is not Microsoft. It's like calling the cops about a broken barn door that was fixed last week because you are not sure if one cow is still walking around outside.

As far as your "simple suggestion"? You are welcome to consider the suggestion yourself regarding my posts back to Bush2000. Which won't cease as long as he uses this forum to "troll" for people to start fights with. Not discussions, but fights among Freepers. That's why he does these posts. He has indicated that to me in freepmail. He thinks it's funny. I don't.

48 posted on 10/10/2002 6:50:36 AM PDT by isthisnickcool
[ Post Reply | Private Reply | To 44 | View Replies]

To: snooker
Simple solution. Trust but verify.

Trust is irrelevant when your server gets hacked. At best, hackers can replace your crypto signature verification routine with one more to their own liking. At worst, you no longer have a functional server.
49 posted on 10/10/2002 8:35:29 AM PDT by Bush2000
[ Post Reply | Private Reply | To 34 | View Replies]

To: HAL9000
Meanwhile...

LMFAO! You can't seem to let go of your Paul Allen-envy. Face it: The guy could lose his entire investment in Charter and he'd still have more coin than you'll ever see in your lifetime.
50 posted on 10/10/2002 8:37:43 AM PDT by Bush2000
[ Post Reply | Private Reply | To 38 | View Replies]

To: toupsie
That's the best part. With mailing lists and user groups, you have many eyes, some better some not, looking at the source code.

That is, of course, unless nobody is interested in your particular problem.
51 posted on 10/10/2002 8:39:00 AM PDT by Bush2000
[ Post Reply | Private Reply | To 39 | View Replies]

To: dwollmann
Someone gained unauthorized access to the sendmail.org ftp server and replaced the source distribution tarball with a bogus copy containing malicious code. Do you know which ftp server was in use at the time of the compromise and which platform it was running on? If not, then to claim that the fault lies with open source software is ill-informed, at best.

What would you be willing to bet that the source code for Sendmail's FTP server was open source? I'm betting it was. I'll take that bet if you're willing to put some money where your mouth is.
52 posted on 10/10/2002 8:43:48 AM PDT by Bush2000
[ Post Reply | Private Reply | To 42 | View Replies]

To: for-q-clinton; isthisnickcool
As far as not liking Bush2000 posts, I have a simple suggestion. Just don't read them and post on them. Kind of like if a tree falls in a forest and no one is there to hear it...does it make a sound?

Funny, I don't see troll-boy complaining about threads that publicize Windows holes ... Maybe he simply needs an attitude adjustment.
53 posted on 10/10/2002 8:45:27 AM PDT by Bush2000
[ Post Reply | Private Reply | To 44 | View Replies]

To: Bush2000
You missed the point ... Trust the software source.

Not irrelevant if the company that runs the distro server is on their toes. User access from the distro company side to the server is controlled by user access control lists, otherwise known as ACLs. All accesses are handled by trace control, so the evil ones get fired and their work gets undone. Open Source development machines don't use any real control lists and it is a free-for-all for all intents and purposes. That is why they are developers.

The failures of most severity are human access to something they shouldn't have access to. Procedures and policies are what control this. Only thing that can. Ever heard of SQA?

Been there done that. Developed one of the first government certified secure OSes. And yes it was UNIX.

snooker

54 posted on 10/10/2002 8:57:06 AM PDT by snooker
[ Post Reply | Private Reply | To 49 | View Replies]

To: snooker
You missed the point ... Trust the software source.

Oh, please. Give it a rest. If the software source has been hacked, game over. Sell your snake oil somewhere else, pal.
55 posted on 10/10/2002 9:04:56 AM PDT by Bush2000
[ Post Reply | Private Reply | To 54 | View Replies]

To: for-q-clinton
And if the company with the closed source won't add the feature you want to use in the business you run, what then? A big TS. But with the source code you or someone you hire can make the mods you want.

Do you trust the gas station to have gas in their tanks and not water?

In life, unless you know everything, trust is a necessary point of functioning in society. Someone can always do you harm, like hitting your car head-on on the drive home.

Get your open source software from someone who does read the code and has a real SQA process. Else you are on your own.

And bugs, why we all know closed source software doesn't have bugs because they test it, right? And if they won't fix the bug in the feature you need, too bad.

The humans can't be fixed; live with it, deal with it. To control other humans is natural. It's just when companies do it, you don't have to sit still for it. You don't have to use the Media 9 player which neuters mp3s when there are other choices to be had.

snooker
56 posted on 10/10/2002 9:06:23 AM PDT by snooker
[ Post Reply | Private Reply | To 45 | View Replies]

To: isthisnickcool
From my experience with others in the past on this kind of question, I believe the actual goal of MS trolls is to "shout down" any criticism of MS. That's why they flame the way they do.

They're actively trying to turn the bulk of the thread into a flame war because they know that 80% of the people who see the flames will just turn and leave the thread, and not read the substance of the thread.

There are 2 basic methods:

His entire point with this thread is, clearly, to try and make the claim, "See, MS is no worse than anyone else -- everyone has security problems".

Then when people with knowledge come in to point out the flaws with that reasoning, he tries to answer with posts that will drive away the casual observer.

It's "FUD" standard operating procedure. It is on purpose, and it achieves the desired goal.

57 posted on 10/10/2002 9:08:48 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 48 | View Replies]

To: Bush2000
That is, of course, unless nobody is interested in your particular problem.

Security should be everyone's interest! I can't think of one problem I have had in my years and years of use of UNIX that someone else or the author hasn't encountered. With so many variants on various processors, someone is bound to have stumbled on it.

58 posted on 10/10/2002 9:13:35 AM PDT by toupsie
[ Post Reply | Private Reply | To 51 | View Replies]

To: Dominic Harr; isthisnickcool
From my experience with others in the past on this kind of question, I believe the actual goal of MS trolls is to "shout down" any criticism of MS. That's why they flame the way they do.

Blah, blah, blah... The article is news. That's what FR is about: News and commentary. I realize you don't like getting your face shoved in your own hypocrisy. But it's good for you.
59 posted on 10/10/2002 9:42:01 AM PDT by Bush2000
[ Post Reply | Private Reply | To 57 | View Replies]

To: toupsie
Security should be everyone's interest! I can't think of one problem I have had in my years and years of use of UNIX that someone else or the author hasn't encountered. With so many variants on various processors, someone is bound to have stumbled on it.

It's been my experience that people are willing to help when a bug occurs in a piece of code that either (a) is widely used or (b) has some glamour to it. But it all falls apart when you're dealing with something unglamorous or boring (i.e. some kind of LDAP or help issue). So, I will both agree and disagree with you on this one. Just don't be deluded into thinking that there's going to be somebody out there who has an answer for every issue that you encounter. If that's your expectation, you're living in fantasyland. Sometimes, you simply have to pay for answers; whether that means hiring an independent contractor or putting one of your own people on the problem.
60 posted on 10/10/2002 9:45:48 AM PDT by Bush2000
[ Post Reply | Private Reply | To 58 | View Replies]
