
[cobalt-security] RE: [cobalt-users] IPs related to hackers
> > * could they be getting info on RaQ's from this email list?
> 
> This list (and others like it, including support newsgroups) 
> must be a goldmine for hackers. 
> By monitoring this list, they get a target domain name they 
> can identify as very probably running a RaQ of some sort. 
> Even if you don't use a sig, the info is likely in the email 
> headers. If you're asking a question, you'll say what machine 
> you have - the standard version of all programs that comes on 
> those particular machines is public knowledge. All they need 
> to do is test those holes, and if you haven't been up-to-date 
> with the patches, they're in again. You might even say you're 
> having trouble with version x.x of an inet program. If that 
> program has a known exploit, their work is done.

This sounds like a lot of work to me. Why read mails when you can play a
game on your PlayStation?
Usually the "script kiddies" work in a different way:
- scan a block of IP addresses to find where hosts are running
- use a tool like nmap to find out what OS is running on it
- use a port scanner to find out what version of what services are running
on what port
- use a database of known exploits to try to get a way in
- install a rootkit for the OS
- report back to a place where the script kiddie can update his/her list of
0wn3d boxes

These steps can all be fully automated (and are!). Of course you run this
from a host you hacked to begin with so it is harder to trace you back.
After some time scanning you have a database of servers and services. Now
when a new vulnerability comes out, you obtain an exploit (doesn't take long
usually) and add it as a plugin to your tool. Then you give your tool a
command like "run the new exploit on all known hosts that run BIND 8.0".
All you have to do then is wait a while (play a game on your PlayStation and
drink a Coke), and your list of owned boxes grows.
Owning a lot of boxes serves a few basic purposes:
- your status in the hacker scene might grow
- you have a lot of boxes to start a DoS attack on people you don't like
because they kicked you off an IRC channel
- you have a choice where you can host your tools when the original box is
restored by the real owners

Sounds like an easy game, doesn't it? Well, it really is these days!

So what can we do to protect ourselves? Think like hackers, use their tools.
Install a security scanner like Nessus (http://www.nessus.org/) and look at
what is vulnerable on your box. When you are vulnerable, either fix the
hole, stop the service or put a firewall in front of it. Do not wait for
Cobalt, because usually the script kiddies are faster in making their
exploit than a company like Cobalt can release a tested fix that passes all
quality procedures. Script kiddies do not work from 9 to 5. An exploit does
not have to be perfect to release it...

Security is not a status, it is a constant fight...

Reinoud