Intrusion Detection was Re: Ethics Question

foodog plug-discuss@lists.PLUG.phoenix.az.us
Sun, 06 May 2001 11:55:39 -0700


JLF remarked:
...
> <RANT>
> 
> The question that begs asking is this:
> 
> Why aren't SysAdmin, NetAdmins, Companies, Govts, etc. doing
> something to make this stop?
> 
> Is there really that much incompetence/apathy/naiveté out there
> about what's happening?

My hunch is that the order of incidence is: naiveté, apathy,
incompetence.  I can think of a couple more factors.  There's the daily
time commitment required to keep up with new holes, exploits and fixes. 
Another strike is the volume of background information needed to
meaningfully evaluate the information available.  Just as my interest in
the Wall Street Journal is measured in nano give-a-f#cks, most people
feel the same way about the security lists and web sites.  

Another problem is the number of admins who've been in the business for
a long time developing habits and comfort levels.  For the better part
of a decade my only internet-connected box ran VAX/VMS.  It was nicely
secured, virtually never patched and was compromised only once.  The
population of "ethically challenged" 'leet haxors would have fit into an
auditorium.  The only prerequisite now is a lack of ethics.  I'm all for
full disclosure BTW.

> 
> Does Linux really need to go the way of the *BSD development to
> make security updates a "one stop shop" for code and binaries?

I expect the non-MS vendors to continue tightening up their
distributions and making updates painless for the masses.  I ran the
stock workstation install of Redhat 7.1 last night for fun.  It ended up
with only rpc-statd and sendmail running (IIRC), and nmap didn't come
back with any information after about 8 minutes - way longer than kiddie
attention span ;-).  I haven't tried the server install yet but I expect
it to show similar improvement.  I was also directed to their website
where I was able to sign up for free email notification of errata. 
Compared to RH 6.2 or 5.2 they've made dramatic progress.

For the MS shops there's a growing (that is, "still unstomped") industry
in providing after-market protection.  Packages like ZoneAlarm for home
users, BlackICE, and SecureIIS from Eeye, which was just released.  I think
3rd-party hacks and firewalling are a MS shop's only hope.

MS itself is hopeless.  They've never considered security, much less
engineered for it.  Now they've got 50 zillion lines of bad code that
reverse engineers are auditing from the binaries.  Look at IIS 5.0, on
every flavor of Win2k - "pathetic" is too charitable a term.  Even if
they were magically granted a clue from now on, there's too much old
code and too many people out to break them.  Sux to be MS.

> ...
> So, fellow list members, now that this is becoming epidemic what can be done?
> See the graphs at www.incidents.org for an eye candy view of what we are
> up against.

IMHO, a Jane Sixpack home install of Linux should have no services
running with the possible exception of sshd.  It should have a good
stock firewall script with a friendly way to tweak it.  Make it easy to
add specific services later instead of coming out of the gate with
dozens of open ports.

Would my mom (if she wasn't a Windows user) have *any* reason to run
pidentd, rpc.statd, fingerd, talkd, gpm, telnetd, ftpd, etc. etc.?  Give
her a good kernel, X, TCP/IP and some nice apps and she'd be a happy
camper.

Steve
> 
> </RANT>
> 
> On Sat, May 05, 2001 at 09:44:37AM -0700, Lowell Hamilton wrote:
> > Yeah ... the whole "Hack the US" idea is growing more popular.  I host a
> > website about the Armenian Genocide, and I get a good 100 attacks (not
> > just probes/scans) a day from Turkish IPs.... Not to mention the
> > attacks from China, Sweden, Taiwan, and all the other people grumpy at
> > the US for something.  Most of the time they do a couple scans of ports
> > 53, 111, and 137 which will give them enough info to see if they're
> > dealing with Win or Unix boxes, then try a couple specific exploits.
> >
> > James Bell wrote:
> > >
> > > Shoot, if you're not getting at least 10 portscans a week from China,
> > > Korea, and Taiwan, it's time to check if you're still connected to the
> > > net. Latest one I've been seeing a lot at work is a lot of sunRPC and
> > > DNS version scans from Italy.
> > >
> > > kyle wrote:
> > > >
> > > > Uh dude... You know that one of these portscans came
> > > > from china right?
> > > > It is the week we are supposed to be getting attacked
> > > > so...
> > > > Just thought I would let you know that these probably
> > > > aren't your run of the mill script kiddies.
> > > > And they probably don't care if you post their IP,
> > > > although that means we can have a little fun tho :)
> > > > -Kyle
> > >
> > > ________________________________________________
> 
> Jean Francois - JLF Sends...
> MagusNet, Inc. - Design * Develop * Integrate
> Doing my part to educate the Clubie Illiterati.  One LART at a time!
> 

Steve
P.S.  I'd be *very* interested in which lists or sites you deem worthy
of monitoring.
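As an added example for the "nothing listening but sshd" point above (this is not part of Steve's message or of the list thread): a small POSIX sh audit that reads `ss -tuln`-style output and reports every non-loopback listener that is not on an allowlist. The socket table in `SAMPLE_SS_OUTPUT` is constructed for the example; the `ALLOWLIST` value and the `exposed_listeners` and `unexpected_listeners` functions are this example's own names. On a live box you would feed it the real `ss -tuln` (or `netstat -tuln` on an older system) instead of the sample.

```sh
#!/bin/sh
# Added example, not from the original list post: audit listening sockets
# against an allowlist, in the spirit of "no services except sshd".
# Input format assumed: lines as printed by `ss -tuln`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port).  The sample is constructed.

SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*'

# Allowed listeners as proto/port pairs.  sshd on tcp/22 is the one
# exception the post makes; anything else is reported.
ALLOWLIST="tcp/22"

# Print "proto/port" for each socket bound to a non-loopback address.
# Loopback-only listeners (127.0.0.1, [::1]) are skipped: they are not
# reachable from the network.  The header line (NR == 1) is ignored.
exposed_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        addr = $5
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        print $1 "/" port
    }' | sort -u
}

# Print every exposed listener that is not on the allowlist.
# Returns 0 when the box is clean, 1 when anything unexpected is listening.
unexpected_listeners() {
    found=0
    for entry in $(exposed_listeners "$1"); do
        case " $ALLOWLIST " in
            *" $entry "*) ;;
            *) echo "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Usage on the constructed sample: reports tcp/111, tcp/25 and udp/111.
unexpected_listeners "$SAMPLE_SS_OUTPUT" \
    || echo "listeners above are not on the allowlist: disable or firewall them"
```

The loopback filter is deliberate: a service bound only to 127.0.0.1 is a local matter, while anything on 0.0.0.0 or [::] is what an outside scan like the nmap run described above will see. Extending the allowlist is a one-line change, which is the "make it easy to add specific services later" property the post asks for.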