Chaos Manor Mail 88 February 14

Wednesday, February 16, 2000

Continuing:

It seems Roland Robbins is ignoring a few facts...

* Windows has known buffer overflow security faults that can be exploited to invade the machine.

* The NetBIOS services can be used to easily invade Windows machines.

* That Windows is highly vulnerable has been demonstrated again and again by viruses such as Melissa. Even though these viruses are detected early, the fact remains that a great amount of machines (relative to what is needed for a DDoS attack) remains contaminated. That these viruses have not been written, to date, to stay as dormant servers waiting for instructions to awake and perform the attack is just luck.

* It is not necessary to keep track of which computers have been infected with trojan programs. A simple broadcast on DSL or cable lines has a good chance of awakening a good number of trojans.

Most importantly, Robbins did not say computers running Windows were invulnerable. He only said they weren't likely to be attacked. Your article on Byte says:

"NT and Windows machines won't do as clients."

They do. They weren't used in _this_ attack, as far as we know, and that's a very different thing.

I was going to search for links pertaining to Windows vulnerability, but you already provided one yourself:

http://grc.com/default.htm

-- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org

"If you consider our help impolite, you should see the manager."

Your aphorism is probably accurate. Roland wasn't ignoring something, he was avoiding writing an essay. I had asked for specific comments on a specific incident, not a general purpose discussion of security, however much that may be needed. It isn't necessary to begin quite that way.

In any event, the real debate is on the meaning of "easily". You say things are easy that perhaps are for you, and which I could learn to do; but that's not in the same league of "easiness" as what happened with the DDoS attacks this week. Those were truly "easy" in the sense that nearly anyone could download some software and have at it.

To get into Windows for this kind of thing one must either have physical access to the machine, or get an executable into the machine. That latter, as you point out, can be done sometimes with Trojans and virus-like programs like Melissa, but how "easily" that is done without leaving traces isn't so clear, at least to me. (Incidentally, not to quibble, but "amount" usually refers to a continuous variable, not a number of discrete machines.)

As to my own essay, I said "won't do" because that's what I meant. Given the techniques used in the DDoS attacks -- which was the subject under discussion -- Windows machines wouldn't do. Perhaps I can be accused of being unclear here, and I'll make a note of that, but I never in a million years said Windows machines aren't vulnerable to something; just not this.

As to going to www.grc.com and finding out your vulnerabilities, that was the point of the article. If the user community doesn't clean up its own act, then the government will do it for us, and their heavy-handed approach will really cause problems. If the FDA can use SWAT teams with machine guns to raid a vitamin supply house accused of making unwarranted claims for one product out of thousands, what might they do to you and me if they think we have a machine used as a relay for an attack on a Big Government Client---

Thanks for your letter. You remind me that when we have to write briefly a lot gets left out.

And Roland replies (at length):

There are lots of vulnerabilities in various flavors of Windows, in IIS, IE, etc. We learn more about them every week, it seems. And, unfortunately, Microsoft aren't as good about up-front testing, nor about issuing fixes, as we'd like.

Having said that, I take issue with your characterization of both Dr. Pournelle's article and my follow-up email message on his personal Web site to the effect that 'It seems Roland Robbins is ignoring a few facts...' (my last name is, in fact, Dobbins). I'm not ignoring them at all. What I'm pointing out is that, given the DDoS tools that we've seen and the classes of DDoS tools that we know are easiest to code, deploy, and operate, it's likely that *NIX will be the preferred platform for this sort of thing for quite some time.

There are exceptions. Back in December, one organization's Windows users received an email message with forged headers stating that it originated from Microsoft, and urging them to install an executable which purported to be an update to Internet Explorer. When those machines were rebooted, they then proceeded to flood a telephone company in Bulgaria's network with UDP. It took a while to get it straightened out, of course; when everything was said and done, it was revealed that the author of the DDoS tool in question stated in comments in the code that he was doing this as a specific act of revenge against the victimized Bulgarian firm.

Obviously, this chap did some up-front research before coding his trojan. He must've done some port-scanning to determine that there were Windows users at the site in question, and then targeted his attack mechanism accordingly. And it wasn't very elegant - he had no way to marshal all the machines he'd infected in order to turn them all on or off at once, or to re-target them at other sites.

This is different from what happened last week. And there are certainly mechanisms such as firewalls, email-based attachment-scanners, etc. which should've been (and hopefully now are) implemented at the innocent third party's site which would've prevented their site from being used as a launching pad for this sort of thing.

I personally would never directly expose a Windows box to the Internet. Nor would I directly expose an unpatched, unaudited *NIX box to the Internet. I wouldn't even do this last on a private WAN. I don't approve of using IIS on the Internet; it's fine for private nets, but just isn't ready for exposure to unfettered public access. Same for Exchange.

Poorly-administered *NIX boxes, because of their remote interactive shell capability, are far easier to crack than Windows boxes. Well-administered *NIX boxes can be an order of magnitude more secure than Windows boxes; unfortunately, a lot of *NIX sysadmins are lazy/ignorant/incompetent/indifferent, and therefore don't do even the bare minimum in terms of securing their hosts. Sysadmins are often people who have other, 'real' jobs, and so are expected to fit in their administration duties in their copious free time. They're often underpaid and overworked, and therefore simply have neither the incentive nor the time to perform even the most basic security-related maintenance and audits.

A lot of Windows users and administrators are lazy/ignorant/incompetent/indifferent, as well. There are all sorts of resources publicly available which people can peruse in order to ensure that their Windows boxes are secure. I doubt there's anyone who owns a computer in the United States who doesn't have at least a vague notion that there are some bad people out there who wish to do them ill via their Internet-connected computers; in my mind, there is no excuse for not being proactive about such matters.

The *NIX vendors are to blame, here, too. I don't know of a single commercial or open-source *NIX distribution which doesn't install 'broken' out-of-the-box. Far more broken, relatively speaking, than Windows 98 SE2 or Windows NT Workstation SP3 or Windows 2000 Professional (I've yet to install Windows 2000 Advanced Server RTM). Given the tools and services that are by default installed on, say, Red Hat Linux 6.1 - broken wuftpd, broken sendmail, finger/chargen/echo/daytime nonsense, plus gcc and fairly recent libs - Red Hat installed out-of-the-box is a script-kiddie's dream-target. This is true to some degree of Caldera, Corel, SuSE, Slackware, and TurboLinux, as well.

FreeBSD is better about this than Linux - I've often said that Linux isn't an OS, it's more of a kernel, modules, and associated libs, whereas FreeBSD is actually an OS. OpenBSD is better about this than FreeBSD, out of the box. Solaris, SCO, HP-UX, and AIX are all broken out-of-the-box. DG-UX is somewhat better, but one ought to bear in mind that they've a lot of experience with security, having worked with bdm.com to develop a B2-secure version of DG-UX at the behest of NSA.

As for directed broadcasts, if the network infrastructure folks are doing their jobs, those ought to be disabled on the routers. If not, that's another set of problems, entirely. Egress filtering, rate-limits on ICMP, disabling source-routing, and so on can be implemented on a site-by-site basis to ensure that if hosts are compromised on said sites, they can't be used to hose someone else. IPv6 does a lot to lessen the risk of forged source-addresses; there are also several proposals for handling a lot of IPv4 weaknesses currently being circulated. None of this has anything to do with Windows.

In the recent past, one of my clients, a medium-sized hosting ISP, was targeted by crackers. They'd taken most of the normal precautions one takes being in the hosting business; however, one of their users was a bit lax about using an internal password on an external system, and they also weren't completely up-to-date on their Solaris patches. They wound up with about 30 SPARC boxes and about 60 Solaris on Intel boxes getting owned as a result.

We had to rebuild about 90 Solaris machines from scratch. We couldn't trust a single *NIX box on their entire network, and yet we needed a way to be able to download uncompromised Solaris patches, TripWire binaries, etc. from a local repository (so as to facilitate a script-based installation, patching, and security process).

So, do you know what we did? We took a Windows NT Workstation 4.0 box, put a Windows ftpd on it, and set it for read-only access. It didn't matter if our cracker could sniff the file-contents we were downloading; what mattered was that he not be able to somehow break into the local file-repository and pollute the patches and TripWire binaries with his own, trojanned versions. Since NT doesn't have a remote interactive shell, we didn't have to worry about that. It was the quickest and easiest way to get the job done, and it worked very well, indeed.

Interestingly enough, their NT Server 4.0 boxes, their Exchange box, etc., came through the incident unperturbed. The cracker had installed sniffers on various Solaris boxes and had a week in which to try his hand at the NT machines - and yet, they weren't compromised.

Having said all this, I see nothing in either Dr. Pournelle's article on byte.com, my security memo on byte.com, or in my further comments on Dr. Pournelle's Web site which ought to give rise to the objections you've posited. Besides the fact that you can't seem to bother to get my name right, you are using straw-man arguments which have no bearing on the context of the original remarks which seemed to spark your (to me, inexplicable) complaints.

What I sense here is in fact an attempt to vent blind anti-Microsoft prejudice by nitpicking, taking remarks out of context, etc. It is very disappointing to me - someone who's been using various flavors of *NIX for 20 years, who runs Linux on his desktop machine and dual-boots Windows 2000 and Linux on his notebook while building and securing boxes running most any flavor of *NIX you can name as part of his job, and who is himself an open-source advocate - to come across yet another example of seemingly thoughtless demagoguery from someone apparently associated with an important open-source project, in this instance FreeBSD.

Do you really expect to make converts to your cause by resorting to disingenuous sophistry, rather than nuanced persuasion?

I will personally stake $100 on the proposition that not a single Windows box was used in last week's spate of DDoS attacks against yahoo.com, cnn.com, ebay.com, buy.com, datekonline.com, and zdnn.com.

Care to match me?

I do know for a fact that at least one Red Hat Linux 6.0 box -was- used in those attacks, along with Solaris boxes, and God knows what else.

How much do you care to wager that a FreeBSD box wasn't used, as well?

I await your reply with great anticipation.

Roland Dobbins

<rdobbins@dsw.net>
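The site-level controls Roland lists (egress filtering so compromised hosts can't forge source addresses, and refusing directed broadcasts) are easy to state as policy but worth seeing as logic. The following is an added example, not code from any of the correspondents; the site prefixes, subnets and packets are constructed, and it models the filtering and ICMP rate-limit decisions only (source-routing options are not modeled).

```python
"""Border-router style anti-spoofing checks, as described in the letter above.
Added example with constructed addresses; it is not the letter writer's code."""
import ipaddress

# Constructed: address space the site legitimately originates traffic from.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Constructed: the site's internal subnets, used for directed-broadcast checks.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/26"),
                 ipaddress.ip_network("192.0.2.64/26")]


def egress_verdict(src, dst):
    """Egress filter: an outbound packet may only carry one of our own source
    addresses; anything else is spoofed (or a leaked private address)."""
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in p for p in SITE_PREFIXES):
        return "permit"
    return "drop-spoofed-source"


def is_directed_broadcast(dst):
    """True when dst is the broadcast address of one of our subnets; a router
    configured to refuse directed broadcasts would not forward such a packet."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip == s.broadcast_address for s in LOCAL_SUBNETS)


def ingress_verdict(src, dst):
    """Ingress filter: packets arriving from outside must not claim our own
    addresses and must not be aimed at our subnet broadcast addresses."""
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in p for p in SITE_PREFIXES):
        return "drop-spoofed-internal-source"
    if is_directed_broadcast(dst):
        return "drop-directed-broadcast"
    return "permit"


def apply_policy(packets):
    """Classify constructed (direction, src, dst) tuples into a list of verdicts."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "out":
            verdicts.append(egress_verdict(src, dst))
        else:
            verdicts.append(ingress_verdict(src, dst))
    return verdicts


class IcmpRateLimiter:
    """Token bucket for the ICMP rate-limit: at most `rate` packets per second,
    with `burst` packets of headroom. `now` is a timestamp in seconds."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


SAMPLE_PACKETS = [  # constructed traffic seen at the site border
    ("out", "192.0.2.10", "203.0.113.5"),   # legitimate outbound
    ("out", "10.9.8.7", "203.0.113.5"),     # inside host forging its source
    ("in", "203.0.113.9", "192.0.2.63"),    # aimed at a local subnet broadcast
    ("in", "192.0.2.10", "192.0.2.20"),     # outside packet claiming our address
    ("in", "203.0.113.9", "192.0.2.20"),    # ordinary inbound traffic
]
```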

And then comes:

Jerry,

I agree with most of what Roland says about this subject, but I think he's wrong about the future. With lots and lots of computers going on-line 24x7 (cable or DSL) the vast majority of them are going to be Windows. With this many machines, I can't see the crackers essentially ignoring such a huge potential target. There are just too many of them to not try and hack.

And once hacked, the user of a Windows box is even less clueful than most Unix users/admins. Combine this with the fact that it's very very easy to hide processes and tasks in Windows, and I can guarantee you that trojans and viruses that allow this type of thing are going to be very common on Windows boxes in the near future.

To support this conclusion, I've got a couple of things for you to think about. I'm sure you've heard stories of people hooking up to a cable modem service, opening up their Network Neighborhood, and finding all their neighbors' machines readily read-writable via Windows shares. I personally have never seen this (I'm on a cable modem), but I don't doubt that it's true. Basically, people set up networking on their Windows boxes, and they just don't configure passwords.

This is a wide open door into hundreds if not thousands of machines, at known IP address ranges (@Home, RoadRunner, etc), usually online 24x7, with good connections to the net. It can be easily scanned for by connecting to port 139, and using source from the Samba tools, extracting the code from there to try and do an anonymous connect to the box. It's almost as easy as scanning a university network, but the admins are less clued in, and the security is probably much looser.

Second, look at all the viruses that exist in the Windows world. Most of the time, the only way you find out they are there is that they do something. What if, instead of popping silly windows up on your screen, or deleting files, they just installed themselves, maybe sent a registration msg to a central server to let it know that it's installed, and waited for a master to come and tell them what to do? This would be virtually identical to what these current DDoS slave programs are doing, the only difference being the delivery.

With very little work, I can see a virus being created that is the Windows equivalent of these DDoS slave utils. The source code for the DDoS programs is already available; its only problem is that it's written for Unix, which would probably not be very hard to port to Windows. After that, the only problem is getting them onto people's machines. Well, how about as an email attachment of a make-money-fast email, guaranteed to cross the internet and back in 12 hours or less. Or maybe even a Melissa type email/Word doc, but less obvious about it - if Melissa had been slower operating, and hadn't had the porn site list, it probably would have been days before people even noticed. Or even better, attached to the recent email hoax that's spreading around that actually made the evening news last night: http://cbs.kgan.com/now/story/0,1597,161076-223,00.shtml I've gotten so many of these type of things in just the last few months I want to scream about how GULLIBLE/LAZY people are about not spending 10 seconds checking something out before reacting. And we all know people who blindly click on any attachment without scanning it.

Given how many virus writers are out there, and now that they see the power of these DDoS utils (I'm convinced this recent set of attacks on Yahoo, et al, are just "power trips" by the perps), I don't see how the virus writers could NOT do something like it, especially the good ones.

Expect these to start showing up (if they haven't already) in the next 6 months. I'm tempted to do it just to prove it can be done, which is what I'm sure many virus writers are thinking as well.

The moral of this: while *NIX boxes may be the current platform of choice for crackers for many reasons, as more and more Windows boxes get high speed access, their well known security holes will quickly make them the "slave" box of choice, due to their wide availability, ease of cracking, and unlikelihood of being caught (mainly due to the cluelessness of the users).

The other moral: end-system security is going to be even more and more important. It's critical that companies, including MS, RedHat, Caldera, etc ship OSes that default to HIGH security. Yes, it's often a pain, but as soon as Yahoo can make the liability stick (to the tune of several hundred million dollars) to the owners of the poorly administered machines that helped in the recent attack, they'll be going after the OS companies next time.

Pete Flugstad

Agreed, particularly about the DEFAULTS as SHIPPED. Let's start a campaign. I will in the next BYTE column. Thanks.

Lots to think about here. Thank you for sending this.
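Pete's point about open shares being swept for by connecting to port 139 has a defender's counterpart: the sweep is noisy, so a perimeter log will show one source touching port 139 on many distinct hosts in a short time. The following is an added example, not code from any of the correspondents; the log format, addresses and timestamps are constructed, and the threshold and window are assumptions to be tuned per site.

```python
"""Flag NetBIOS (port 139) sweeps in firewall logs: a source that touches
port 139 on many distinct hosts within a sliding time window.
Added example; the log format and all addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <ACCEPT|DENY> tcp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_netbios_sweeps(lines, min_hosts=5, window=timedelta(minutes=5)):
    """Return {src: max_distinct_hosts} for every source that contacted port 139
    on at least `min_hosts` distinct hosts within any `window`-long span.
    Both ACCEPT and DENY count: a denied probe still reveals the sweep."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["dport"] == 139:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            # Slide the window start forward until it spans at most `window`.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            hosts = {dst for _, dst in ev[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(hosts))
    return hits


SAMPLE_LOG = """
2000-02-15T03:12:01 DENY tcp 203.0.113.7:4011 -> 192.0.2.1:139
2000-02-15T03:12:02 DENY tcp 203.0.113.7:4012 -> 192.0.2.2:139
2000-02-15T03:12:02 ACCEPT tcp 203.0.113.7:4013 -> 192.0.2.3:139
2000-02-15T03:12:03 DENY tcp 203.0.113.7:4014 -> 192.0.2.4:139
2000-02-15T03:12:05 DENY tcp 203.0.113.7:4015 -> 192.0.2.5:139
2000-02-15T03:12:09 DENY tcp 203.0.113.7:4016 -> 192.0.2.6:139
2000-02-15T03:13:00 ACCEPT tcp 192.0.2.50:1034 -> 192.0.2.51:139
2000-02-15T03:13:30 ACCEPT tcp 192.0.2.50:1035 -> 192.0.2.51:139
2000-02-15T03:14:00 ACCEPT tcp 198.51.100.9:2001 -> 192.0.2.10:80
2000-02-15T03:20:00 DENY tcp 198.51.100.20:3001 -> 192.0.2.1:139
2000-02-15T03:20:01 DENY tcp 198.51.100.20:3002 -> 192.0.2.2:139
2000-02-15T03:20:02 DENY tcp 198.51.100.20:3003 -> 192.0.2.3:139
2000-02-15T03:40:00 DENY tcp 198.51.100.20:3004 -> 192.0.2.4:139
2000-02-15T03:40:01 DENY tcp 198.51.100.20:3005 -> 192.0.2.5:139
2000-02-15T03:40:02 DENY tcp 198.51.100.20:3006 -> 192.0.2.6:139
"""  # constructed: one fast sweep, one normal client, and a slow sweep below threshold
```

With the sample lines, only 203.0.113.7 is reported; 198.51.100.20 touches six hosts too, but never more than three within any five-minute window, which is the trade-off a fixed window makes against slow scans.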


Jerry-

Whenever I get or build a new system, I set up a Pendaflex file, with a few file-folders inside. In one folder goes all the receipts for everything that goes with that particular system (networking stuff, new video cards, etc.) In another goes all the manuals. In the last, all the CDs and floppies that came with the system. It's complete overkill, but when I need something I spend less time scratching my head wondering where something is that I need right now. I'll also drop in a CD-R of any patches for the hardware that I may need, should I have to rebuild.

Of course, this all presumes that you have the time to do this when building/upgrading/maintaining a system, and I've never had to care for or feed more than two at once; your mileage may vary.

-Ryan Greene

Actually, I tend to use a clear plastic "sweater box" as a "project box" into which I put everything relevant, manuals, disks, spare hardware, the cables that came with the motherboard (Iwill cables are the only ones well thought out; everyone else ships cable with motherboards that seem to have been designed by a puzzle expert to force twists and turns nearly impossible to make), small parts, screws, instructions, and all the stuff that accumulates from the motherboard, chip, memory, video, sound card, etc. when you open the boxes.

Alas, this time the Tyan book was over on the table with the Tyan, and when we wanted to use Mohican for something I cleaned off that table with a lot of software recently installed or about to be installed into a "table box" (at least everything is kept together) instead of sorting the relevant parts into the Mohican Project Box. I.e., I violated my own procedures, and paid the price. Eventually I figured out what happened.


Official reply from Microsoft re problems about the IE 5.5 website from a reader:

Subj: Question regarding IE 5.5 and Windows Update

Hi Jerry, hope all is well. Your question regarding problems IE 5.5 beta testers are having with Windows Update was passed on to me. Sorry for the delay, but I had to do some checking to make sure I understood all the particulars. Here is what I know and have for you to date.

Your reader is correct, beta testers were able to access Windows Update until a couple of weeks ago. At that time Microsoft began a redesign of the site to better accommodate users of all the different flavors of IE, including beta testers. Up until now, all IE related items went into one "catalog" but with the redesign, there will be separate catalogs for IE 5, IE 5.01 and IE 5.5 beta. As a result, Windows Update support for beta testers had to be suspended during the redesign. We expect support for beta users to be restored fairly soon, within the next 3-6 weeks.

If someone needs to regain support sooner they should restore their system to its pre-IE 5.5 state using the backup files they should have made before installing the beta. They can then access Windows Update via IE 5. While on this point, there is an issue with the uninstall of IE 5.5 beta and that will be addressed in the next release. I don't have timing for that. So as I'm sure you are quite familiar with, a good precaution for everyone using beta software is to back up their systems before installing any beta code.

I appreciate how this can be annoying or frustrating for users, but it's beta, that's why we do the testing and why we warn users about the risk they take in using beta software.

And finally to the last point your reader mentioned, you do need to use IE to make use of Windows Update. That doesn't mean folks can't have another browser as their default, they just can't use Windows Update with that browser. They can still access Windows Update, they just have to do so via their Start Menu, click on Windows Update which will then launch IE and take the user to the site.

Let me know if you have any other questions or whether my mail has spawned more questions on your part.

Waggener Edstrom

(Emphasis added by me.)


Unfortunately, porting from Unix to Windows is no longer as difficult as it once was. Cygnus has been working for some time on a dll that provides the Unix API in a Windows environment, and the last release is rather bug free. This makes for some interesting possibilities for the script kiddies - since anything in a dll may also be statically linked. I suspect it's only a matter of time.

Tom Genereaux

That or some other way. As my article said, the first thing to do is go to www.grc.com and see if your system is vulnerable, and if it is, do something about it. It is certainly the case that when enough attention is turned to the problem, ways to facilitate compromising Windows systems will be developed and published.

No one I know thinks Windows systems will stay unaffected for long. It's a bit harder to get them to respond to the kind of instructions used in the DDoS attacks (some would say because of the limits of such machines) but it is certainly not impossible; and there will come a time when automated attack systems will be easily found on the web. When that happens, we need to be ready.

And that is the important point here: look to your security, because if you don't someone else will.
