SSH glitch gives 'skeleton key' to networks

ZDNet ^ | September 18, 2003, 11:10 BST | Patrick Gray

[Bush2000]

SSH glitch gives 'skeleton key' to networks

Patrick Gray
ZDNet Australia
September 18, 2003, 11:10 BST

A patch for the Unix remote management shell has been re-released after suggestions attackers have for months been exploiting the vulnerability to gain access to systems

A critical security flaw in SSH has been revealed that threatens servers worldwide.

SSH is a widely used encrypted remote management shell for Unix, Linux and BSD platforms. Experts say attackers have been exploiting the vulnerability to gain access to systems illegally for months.

What started as quiet mumblings and rumours turned into screaming warnings this week as the security community slowly learned of the threat. Chief hacking officer of US-based eEye Digital Security told ZDNet Australia by phone the vulnerability should be taken very seriously. "It's pretty close to a skeleton key to most networks," he said.

[Bush2000]

Repeat after me: Open source cures cancer...

[DallasMike]

Repeat after me: Open source cures cancer...

Prepare to be flamed by all those who insist that a security hole in *nix could never, ever happen. They'll explain patiently (and not so patiently) how the remote management shell isn't really a part of *nix at all so it's all a big like that *nix has a problem.

[Jumper]

Code is code, and any product that becomes popular with the legions of hackers will be attacked. Microsoft is a popular liberally hated product which represents capitalism; UNIX is also a paid product, but liberals love LUNIX because its free. I've seen lots of attacks and security patches this year ranging fron CISCO IOS, UNIX, MS, SUN, etc. Only MS seems to get bad press. MS problems are brought on by it being written code for everything - literally everything. Most other products have limited application. Besides, #1 is like being nominated as a target.

[TomServo]

Open source cures cancer...

lol....

[New Horizon]

I installed our first Linux RedHat system earlier this year...it was "hacked unusable" within 48 hours. This was from behind a firewall, with just HTTP and SSH open.
Everybody thought I was nuts...Linux is unhackable. Bullshit.
I have 30+ MS servers, mostly for streaming, with one leg outside of the firewall. I prefer to patch these easily and regularly through Microsoft than to wallow through Linux patches.
I have no Microsoft servers that have been hacked...with or without a firewall. I just keep up on patches. Sometimes this seems like a pain, but it's been worth the time.
At least the MS folks are on top of it...maybe to save their asses. Linux is a free-for-all nightmare to me.

[HAL9000]

It's a serious problem, no question about it.

Fortunately, Linux is only affected by issues of this magnitude about once per year. It's almost a daily occurrence with Windows.

[Gee Wally]

but liberals love LUNIX because its free

I guess that makes Jim Robinson one of the liberal, anti-capitalist, Linux-loving communists since Freerepublic.com, according to Netcraft, is running Apache on Linux. Netcraft What's That Site Running.

Maybe you guys can persuade him to host this site with Windows/IIS. I don't know how you will be able to live with your principled selves for visiting a Linux hosted site. ;-)

[Doug Loss]

I installed our first Linux RedHat system earlier this year...it was "hacked unusable" within 48 hours.

Then you didn't know how to do it correctly. A properly installed Linux/FreeBSD/NetBSD/OpenBSD system is at least an order of magnitude more secure than a Windows system. As for this SSH vulnerability, there were patches for all the widely-used versions of Linux available within hours of its announcement. But any competent sysadmin was already running all network ports throuth TCPwrappers, which precluded the vulnerability anyway.

I prefer to patch these easily and regularly through Microsoft than to wallow through Linux patches.

On RedHat systems, you just register with the RedHat network and then set up a scheduled job to run "up2date -u" every day (more often if you're really paranoid). How hard is that?

[battousai]

"but liberals love LUNIX because its free"

I'm sorry but I'm not a liberal and I like linux, I agree with your other points that more people target MS since they are the most popular, but to say only Liberals like linux is kind of silly.

Linux has its uses and so does windows.

[Bush2000]

Then you didn't know how to do it correctly.

Yeah, blame the user. It couldn't possibly be the fact that the default server settings were too insecure ... /SARCASM

On RedHat systems, you just register with the RedHat network and then set up a scheduled job to run "up2date -u" every day (more often if you're really paranoid). How hard is that?

Thanks for the example of utopian confusion. Admins in the real world actually have to evaluate whether they're going to accept patches. They don't just install whatever Redhat or Microsoft spews at them. Quite often, there are incompatibilities between patches which make it impossible to simply stream patches day-to-day. Here's a suggestion: Get a job as an admin before you comment on things you don't understand.

[ThinkDifferent]

Prepare to be flamed by all those who insist that a security hole in *nix could never, ever happen.

These people tend to exist primarily in the imaginations of Microsoft advocates.

Open source software has bugs. Closed source software has bugs. Neither of these statements should be surprising to anyone with a quarter of a clue. Nor should they prevent people from comparing the relative frequency and severity of exploits against different systems.

[Doug Loss]

Yeah, blame the user. It couldn't possibly be the fact that the default server settings were too insecure ... /SARCASM

More evidence for my point. Any sysadmin who accepts the default server settings without making sure they're what is needed doesn't know how to set up a system correctly. Case closed.

Thanks for the example of utopian confusion. Admins in the real world actually have to evaluate whether they're going to accept patches. They don't just install whatever Redhat or Microsoft spews at them. Quite often, there are incompatibilities between patches which make it impossible to simply stream patches day-to-day. Here's a suggestion: Get a job as an admin before you comment on things you don't understand.

Know who you're speaking to before putting your foot in your mouth. I'm a network administrator for a state university in Pennsylvania, with approximately 5000 nodes on our network. We run automated patching on all our Linux, Solaris, and AIX servers, with no problems. The patch incompatibilities you speak of are a Windows phenomenon; such things seldom if ever happen in the Unix world.

[Bush2000]

These people tend to exist primarily in the imaginations of Microsoft advocates.

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAH!

Thanks for the gut-wrenching laugh. You Mac and Linux guys are hilarious. Especially when you're trying to deny reality.

[DallasMike]

These people tend to exist primarily in the imaginations of Microsoft advocates.

They're pretty common here at FR!

[Bush2000]

More evidence for my point. Any sysadmin who accepts the default server settings without making sure they're what is needed doesn't know how to set up a system correctly. Case closed.

I'll try to keep that sentiment in mind the next time your side tries to foist the idea that Windows is insecure. "It is secure! You simply don't know what you're doing!"

I'm a network administrator for a state university in Pennsylvania, with approximately 5000 nodes on our network.

Oh, a state university. Welcome to La La Land. I should have known. The most backward pile on the planet. Sorry, pal, no sale. You're not running mission-critical operations where real $$$ are at stake. Let me know when you upgrade to the real world and join private industry.

The patch incompatibilities you speak of are a Windows phenomenon; such things seldom if ever happen in the Unix world.

Did you even bother to read this article ("A patch for the Unix remote management shell has been re-released..."), troll?!? Of course incompatibilities and useless patches exist. Geezus, GAFC!

[ThinkDifferent]

Glad I could amuse you. Now, show me where anyone has made the claim that no security holes exist in Unix. Note that this is distinct from claiming that Unix is more secure than Windows.

[Doug Loss]

I'll try to keep that sentiment in mind the next time your side tries to foist the idea that Windows is insecure. "It is secure! You simply don't know what you're doing!"

There's no substitute for competent system administration. If it's done on Windows systems, I'm sure they are quite a bit more secure than incompetently administered ones. It just doesn't happen as often in the Windows world, because too many people there have been convinced that there's no skill or special knowledge involved in the tasks.

Oh, a state university. Welcome to La La Land. I should have known. The most backward pile on the planet. Sorry, pal, no sale. You're not running mission-critical operations where real $$$ are at stake. Let me know when you upgrade to the real world and join private industry.

You clearly have no clue what you're talking about. We run financials for the entire university and its students that run into millions of dollars. A university is a business, just like the ones in private industry you think so superior. And just what is your technical background, besides innuendo, non sequiturs, and the occasional outright falshood?

Did you even bother to read this article ("A patch for the Unix remote management shell has been re-released..."), troll?!? Of course incompatibilities and useless patches exist. Geezus, GAFC!

GAFC? Point to a non-Windows system patch that broke a previous patch. Go ahead, we'll wait...

[DallasMike]

Now, show me where anyone has made the claim that no security holes exist in Unix.

Hyperbole -- a commonly-used literary device.

But it's not hyperbole by much. This post, as one example, certainly seems to imply that Linux has no security holes.

[ThinkDifferent]

Hyperbole -- a commonly-used literary device.

Fair enough, then we're agreed that hardly anyone seriously claims that Unix has no security flaws. There are quite a few, including myself, who claim that Unix generally has a better security record than Windows, which this vulnerability doesn't disprove.

[Bush2000]

There's no substitute for competent system administration.

Admins can't competently administer crappy software and hardware.

A university is a business, just like the ones in private industry you think so superior.

Lemme guess. They gave you your own cube, gave you a nameplate, you did "team-building" exercises like falling backward into your co-workers arms, the dean told you that you're irreplaceable, and they even gave you a fruit basket (that the admin forgot she had in the storage closet for two years), and they send you to a few classes. Suddenly, you're running .... drumroll .... financial reports! Ooooooooooooohhh. Aaaaaaaaaaaaaaahhhh. Have a little downtime? Who cares! The state picks up the tab. Can't get those reports out in time? No problem! The administration is on sabbatical. Kids can't get their schedules? Oh, just print up some crap and put it in the quad. They'll just have to make do. Welcome to La La Land.

GAFC? Point to a non-Windows system patch that broke a previous patch. Go ahead, we'll wait...

It's not just a matter of breaking a previous patch, maroon. A patch may address a threat which you've already mitigated -- and installing it will introduce unknowns into your environment which haven't been tested. If you simply install all patches, you're throwing up your hands like a drooling moron. There's no point in even having human intervention under those terms.