Re: [SLUG] Sony-BM Rootkit:

From: James Haydon (jhaydon@stewartsigns.com)
Date: Wed Nov 16 2005 - 09:55:41 EST


On Tuesday 15 November 2005 19:54, steve szmidt wrote:
> On Tuesday 15 November 2005 17:50, SOTL wrote:
> > Actually I thought it was completely impossible as a user to put a CD in
> > the computer, hit play, and install a root kit but as I continue to read
> > and thanks to Paul misunderstanding what I was really asking [my fault
> > for not expressing myself well] has shown that users CAN do this on a
> > Macintosh which has a BSD system. Apparently Sony has caught everybody
> > with their pants down as NO ONE expected a major company to ship CDs with
> > root kits on them so not only can root kits be installed on MS Windows by
> > playing music but also on Linux and BSD boxes too.
> >
> > If I understand all this correctly Linux and BSD both have a major security
> > issue with CD and DVD drives.
>
> Well, no not exactly. Sorry for not having been specific enough!
>
> It's not the CD or DVD or the software that loads them, that has issues
> necessarily. The point here is that a user CANNOT under normal
> circumstances install a rootkit which has root access.
>
> The problem is so much larger with Windows due to the unalterable flawed
> basics of it. The same problem does not exist in *unices, as they can be
> totally modified, and have been, without rendering it too incompatible.
>
> What I described is that IF, there is a program that is running as root
> (administrator), AND it has a flaw that can be used to execute arbitrary
> (your) code, then that arbitrary code will run as root.
>
> In which case you're done with.
>
> When that is not the case, ONLY the user who's violated can be wiped and/or
> modified. Which is why it's important to keep the system up to date.
>
> The response time of all the major Open Source software security flaws is
> almost instant. And they have a great record of having them fixed before
> they even appear in the wild as a virus or worm.
>
> There is really NO comparison between the windows model and f.ex. the Linux
> model. MS traditionally handles any kind of bug with more PR. If it's too
> big it's usually not even acknowledged. Well, they used to operate that way
> extensively. These days they have been burned so many times doing it that it's
> not done as often. Whereas OSS is honestly acknowledged and handled in a
> responsible manner.
>
> The big difference is that OSS is technology driven, whereas MS is money
> driven and motivated. Money is the lowest of motivators, duty the highest.
> You see OSS living up to the latter all the time.
>
> Now if you are installing software from an infected CD then you can be in
> trouble. This does not happen very often fortunately.
>
> Just look at the trouble you need to go through to maintain up to date s/w
> with windows. When it comes out you cannot just install it. You have to
> install it on a test bed to see what else it breaks. Then try to work out a
> way around these casualties before being able to implement. Just keeping up
> with all the patches and viruses is more than a full-time job.
> This is why a serious windows plant only runs one app on each server. Plus
> the fact that MS only certifies s/w to be able to run as the only app.
> (They simply don't know how to keep multiple s/w running reliably at the
> same time.)
>
> Now under Linux I have been doing updates for something like ten years and
> there are not the same worries at all. These days they simply just work.
> Once a year or less, when something is released with a problem it's
> re-released fixed very quickly. I test it mostly out of habit and trying to
> do it right on important 24-7 operations. For all my own I just do the
> update.
>
> That is inconceivable in the big corporate windows world. They know you are
> lying because it "cannot be done safely".
>
> True, XP is in many ways the very best to come out of Redmond, but fixes
> still come out breaking other things, like previous fixes. Having some
> insight into how MS works internally it does not surprise me at all. Too
> many independent "groups/teams" fighting/competing with each other.
>
> The type of flaws under windows are often Full System Access type flaws,
> while OSS are usually more minor which, to be taken advantage of, usually
> have to coincide with other flaws to lead anywhere. Even bigger ones
> usually require other problems to coexist to be Full System Access type
> flaws.
>
> So, to recap. As a user to break into the system you need to have
> something running as root which can be gained access through, to get Full
> Access. Unless your password is too easy to figure out of course, then you
> bypass _almost_ everything automatically.
>
> So you keep your system up to date and only run services that are
> accessible to you. Never to the Internet. Of course I'm assuming you are
> running a unice type OS.
>
> When you do need to service the world, that box only has on it what needs
> to be on it. You run s/w which will let you know if important files have
> been altered and so on. I.e. you know what you are doing or spend time and
> money to educate yourself to know what you are doing. Good books exist for
> that.
>
> Meanwhile you run md5sum and sha1sum to verify checksums on s/w you
> download. Yum and the likes usually are configured to verify the s/w before
> installing it.
>
> I'm trying to not go into a full security howto here as I simply don't have
> the time. Again the best defense is knowledge, educate yourself if you are
> online. Get so you have a basic understanding of security issues and you'll
> probably be OK. It's not entirely bad. Most attacks are done by people
> executing a program which is only as good as it's written.
>
> The really good criminals always find their own way in. And so if you have
> something important running make yourself a small target. Just like you do
> with your home or car. (Hopefully! : )
>
> I run a separate computer as a firewall for my LAN and to the best of my
> knowledge it has never been violated. I also never trust commercial
> firewalls. They all suffer from the same flaw of being money motivated.
> Only something like OpenBSD with its record of only one remote access hole
> in eight years has a proven track record.
>
> I never really worry too much over things, but I run with really tough
> passwords, always think about keeping a minimum online profile and make my
> updates as soon as they come out. I leave an ISP to protect my web pages,
> so nothing is available to the outside.
>
> Which reminds me. I once had an IT guy who installed a filesharing program
> on his I.T. computer creating a nice portal. So straight through the two
> firewalls was this shared disk on the LAN. Sharing porn with the world. (He
> did not dare do it at home.) So much for security when people do stupid
> things! Imagine my surprise when I saw these connections from all over the
> world leading into the LAN... But you've got to trust someone. I was more
> specific with the new guy though. Haha.
>
> Hopefully that did not just offer a bunch of confusion but some more
> understanding.
>
> Let me know otherwise...

So to have KDE autoplay for CDs configured as root is bad!

-- 
James S. Haydon
Systems Analyst
The J.M. Stewart Corporation
stewartsigns.com
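
Steve's advice above about running something that tells you when important files have been altered, and about checking md5sum/sha1sum checksums, can be done with a few lines of shell. The script below is an added example, not code posted in the thread; it assumes GNU coreutils (sha1sum with -c, comm), and the directory and baseline file names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline with
# sha1sum, the kind of "tell me if important files changed" check the post
# recommends. Assumes GNU coreutils (sha1sum -c, comm). Directory and baseline
# file names are chosen by the caller; they are placeholders here.

# baseline_create DIR BASELINE_FILE
# Hash every regular file under DIR into sha1sum's own "<sha1>  <path>" format.
# Use an absolute DIR, and keep BASELINE_FILE outside DIR and somewhere the
# monitored host cannot rewrite it (read-only media, another machine), or a
# rootkit can simply refresh the baseline after altering files.
baseline_create() {
    find "$1" -type f -exec sha1sum {} + > "$2"
}

# baseline_verify DIR BASELINE_FILE
# Prints one line per modified, missing or newly added file.
# Returns 0 when DIR matches the baseline exactly, 1 otherwise.
baseline_verify() {
    dir=$1; base=$2; rc=0

    # Modified or missing files: sha1sum -c re-hashes each recorded path and
    # prints "<path>: FAILED" ("FAILED open or read" when the file is gone).
    # --quiet hides the OK lines; stderr only carries the summary WARNING.
    if ! sha1sum -c --quiet "$base" 2>/dev/null; then
        rc=1
    fi

    # Newly added files (a dropped binary, say) are invisible to sha1sum -c,
    # so compare the current file list with the paths recorded in the baseline.
    # Strip the 40 hex digits and two spaces to recover the path column.
    recorded=$(mktemp); current=$(mktemp)
    sed 's/^[0-9a-f]\{40\}  //' "$base" | LC_ALL=C sort > "$recorded"
    find "$dir" -type f | LC_ALL=C sort > "$current"
    added=$(comm -13 "$recorded" "$current")   # lines only in the current list
    rm -f "$recorded" "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/new file: /'
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir matches $base"
    return "$rc"
}
```

Run baseline_create once on a known-clean system and baseline_verify from cron or after any suspicious event; a rootkit that replaces ls or ps shows up as a FAILED line, a newly dropped file as a "new file:" line.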
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.