Dreamhost gets hacked, resets all customers’ passwords, has scale issues

• On January 19th, Dreamhost.com detected unauthorized activity in one of their databases
• It is unclear which databases were compromised, if they were dreamhost databases of customer data, or customer site databases
• Dreamhost uses separate passwords for their main web control panel, and individual user SSH and FTP accounts
• Dreamhost ran in to scale issues, where their centralized web control panel could not handle the volume of users logging in and attempting to change their shell passwords
• The fast forced password reset by DreamHost appears to have promptly ended the malicious activity
• Based on the urgency of the reset, there seem to be indications that DreamHost stores users’ passwords in plain text in one or more databases
• This assertion is further supported by the fact that they print passwords to confirmation screens and in emails
• Dreamhost also reset the passwords for all of their VPS customers

Linux root exploit – when the fix makes it worse

• Linux kernel versions newer than 2.6.39 are susceptible to a root exploit that allowed writing to protected memory
• Prior to version 2.6.39 write access was prevent by an #ifdef, however this was deemed to be to weak, and was replaced by newer code
• The new security code that was to ensure that writes were only possible with the correct permissions, turned out to be inadequate and easily fooled
• Ubuntu has confirmed that an update for 11.10 has been released, users are advised to upgrade
• This issue does not effect Redhat Enterprise Linux 4 or 5, because this change was not backported. A new kernel package for RHEL 6 is now available
• Analysis
• Proof of Concept
• Proof of Concept for Android

Feedback

Q: Tzvi asks how to best Monitor employee Internet usage?

A: There are a number of ways to monitor and restrict Internet access through a connection you control. A common suggestion is the use of a proxy server. The issue with this is that it requires configuration on each client machine and sometimes even each client application. This is a lot of work, and is not 100% successful. However, there is an option know as a ‘transparent proxy’. This is where the router/firewall, or some other machine that all traffic to the internet must pass through analyzes the traffic, and routes connections outbound for port 80 or 443 (HTTP and HTTPS respectively, and optional additional ports) through the proxy server, without any configuration required on the individual clients. Then, you can use the firewall to deny all traffic outbound that is not via the proxy.

This is relatively easy to setup, so much so that as part of the final exam in my Unix Security class, students had 2 hours to setup their machine as follows:

• Configure TCP/IP stack
• Download GPG and Class GPG Key
• Decrypt Exam Instructions
• Install Lynx w/ SSL support
• Install a class self-signed SSL certificate and the root certificate bundle to be trusted
• Install and configure Squid to block facebook with a custom error page
• Configure Lynx to use Squid
• Create a default deny firewall that only allows HTTP via squid and FTP to the class FTP server
• Access the college website and facebook (or rather the custom error page when attempting to access facebook)

While they had a little practice, and didn’t have to configure a transparent proxy, it is still are fairly straight forward procedure.

Instead of rolling your own, you can just drop in pfSense and follow these directions

Q: Brett asks, what do you do after a compromise?

A: The very first thing you do after a compromise, is take a forensic image of the drive. A bit by bit copy, without ever writing or changing the disk in any way. You then pull that disk out and put it away for safe keeping. Do all of your analysis and forensics on copies of that first image (but no not modify it either, you don’t want to have to do another copy from the original). This way as you work on it, and things get modified or trashed, you do not disturb the original copy. You may need the original unmodified copy for legal proceedings, as the evidentiary value is lost if it is modified or tampered with in any way.

So your best bet, is to boot off of a live cd (not just any live cd, many try to be helpful and auto-mount every partition they find, use a forensics live cd that will not take any auction without you requesting it). Then use a tool like dd to image the drive to a file or another drive. You can then work off copies of that. This can also work for damaged disks, using command switches for dd such as conv=noerror,sync . Also using a blocksize of 1mb or so will speed up the process greatly.

You asked about tripwire and the like, the problem with TripWire is that you need to have been running it since before the incident, so it has a fingerprint database of what the files should look like, so it can detect what has changed. If you did not have tripwire setup and running before, while it may be possible to create a fingerprint database from a backup, it is not that useful.
The freebsd-update command includes an ‘IDS’ command, that compares all of the system files against the central fingerprint database used to update the OS, and provides quick and powerful protection against the modification of the system files, but it does not check any files installed my users or packages. The advantage to the freebsd-update IDS over tripwire is that it uses the FreeBSD Security Officers fingerprint database, rather than a locally maintained one that may have been modified as part of the system compromise. In college I wrote a paper on using Bacula as a network IDS, I’ll see if I can find it and post it on my blog at appfail.com.

• Ddrescue – GNU Project – Free Software Foundation (FSF)
• DEFT Linux – Computer Forensics live cd

Q: Jono asks, VirtualBox vs. Bare to the metal VMs?

• Xen, KVM and VirtualBox are not bare metal, they requires a full linux host
• XenServer is similar to VMWare ESXi, in that it is bare metal. It uses a very stripped down version of CentOS and therefore far fewer resources than a full host. However XenServer is a commercial product (though there is a free version)
  +The advantage to XenServer over VMWare ESXi (both are commercial but free), is XenServer is supported by more open source management tools, such as OpenStack

Q:Gene asks, IT Control is out of control, what can we users do?

Q: Crshbndct asks, Remote SSH for Mum

• Managed DNS DynDNS
• Labs & Betas | LogMeIn

Roundup

• The EU Signs Controversial ACTA Treaty
• Why are we not seeing nearly as much protest against ACTA like we did with SOPA/PIPA?
• Thousands march in Poland over Acta internet treaty
• ACTA
• Rogers found to be in violation of Canadian Net Neutrality rules, has until Feb 3rd to correct
• Nokia Subsidizing the Lumia 900 With MSFT Cash?
• reddit: January 2012 – State of the Servers
• Symantec: Anonymous stole source code, users should disable pcAnywhere

The post Answers for Everyone | TechSNAP 42 first appeared on Jupiter Broadcasting.

https://original.jupiterbroadcasting.net/2649/linux-backup-roundup-the-linux-action-show-s13e04/ Sun, 22 Aug 2010 14:33:20 +0000 https://original.jupiterbroadcasting.net/?p=2649 It’s top 4 ACTION ways to backup data under Linux, then we’ve got some leaked details about Nokia’s up-coming premier MeeGo device, does it blow us away?

The post Linux Backup Roundup! | The Linux Action Show! s13e04 first appeared on Jupiter Broadcasting.

]]>

This week on The Linux Action Show!

It’s top 4 ACTION ways to backup data under Linux, then we’ve got some leaked details about Nokia’s up-coming premier MeeGo device, does it blow us away? Stay tuned to find out!

PLUS – We take Slashdot to SCHOOL!

All this week on, The Linux Action Show!

Thanks to GoDaddy.com for sponsoring this week’s show! Use our codes LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Direct Download Links HD Video | Large Video | iPod Video | MP3 | OGG Audio | OGG Video | YouTube

[ad#shownotes]

Our iPhone App:
Grab The Linux Action Show! App for your iPhone or iPod touch here!

This week’s show notes:

The new PocketBooks, Run Linux.

Android Pick:
Evernote

• Syncs with rich web client (and Win/Mac/iPhone/iPad/Android apps)
• Will be powering Chris’ & Jeremy’s brain for the next week +
• Results will be discussed on Jupiter@Nite Monday August 31st

This Week’s News:

Google voice and video chat, now support Linux!

• First step to Android video chat?
• Google claims it took quite a bit of changes to work with Pulse Audio

Nokia’s QWERTY-slidin’ N9 shows up running MeeGo!

• The prototype, built in Finland, is said to have an entirely metallic construction
• A couple more pictures here.
• Even more p0r… err.. Pics here.

Critical Security Flaw Silently Patched

• The attack allows a (unpriviliged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root.
• It doesn’t take advantage of any bug in the X server!
• Been an issue since Kernel 2.6 was released October 8th 2003

Root Privileges Through Linux Kernel Bug (Same story, different angle. Slashdot claims they are not related, despite the fact that they are.)

• More of a conceptual issue.
• The problem is in the memory management area of Linux allows local attackers to execute code at root level.
• SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004

https://www.webupd8.org/2010/08/official-statement-steam-not-coming-to.html

Android gets Python Scripting

C# comes to Android via MonoDroid

Linux Backup:

1. fwbackups
   1. Great UI
   2. Supports multiple OSes
   3. Remote backup support
   4. Image backup support (not  positive on this)
2. Mondo Rescue
   1. Backs up your GNU/Linux server or workstation to tape, CD-R, CD-RW, DVD-R[W], DVD+R[W], NFS or hard disk partition.
   2. Allows you to restore your computer from bare metal.
   3. It supports adjustments in disk geometry, including migration from non-RAID to RAID.
3. Back in Time
   1. Inspired from “flyback project” and “TimeVault”.
   2. Keep in mind that Back In Time is just a GUI. The real magic is done by rsync (take snapshots and restore), diff (check if somethind changed) and cp (make hardlinks).
   3. A new snapshot is created only if something changed since the last snapshot (if any).

Chris’ favorite for a network: BackupPC

Data Rescue:
ddrescue – Copies data (best effort) from bad sectors to good sectors
dd_rhelp – A nice tool to make using ddrescue easier.

Not sure what you should be backing up? Read this article.

Download:

The post Linux Backup Roundup! | The Linux Action Show! s13e04 first appeared on Jupiter Broadcasting.

]]>