US-Cert Update on New Attacks on Computer Infrastructure

Dan

http://www.us-cert.gov/current/index.html#red_hat_releases_openssh_security

{Note: Web Link may be manipulated by others and smart web surfing is
encouraged like reading in plain text and blocking remote code -- Disclaimer:
Poster is not responsible if someone hacks post and web link is illegally
changed}

Here is the information from US-Cert.gov which is a part of DHS: all below
should be considered a quote ". . ."

SSH Key-based Attacks
added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm

US-CERT is aware of active attacks against Linux-based computing
infrastructures using compromised SSH keys. The attack appears to initially
use stolen SSH keys to gain access to a system, and then uses local kernel
exploits to gain root access. Once root access has been obtained, a rootkit
known as "phalanx2" is installed.

Phalanx2 appears to be a derivative of an older rootkit named "phalanx".
Phalanx2 and the support scripts within the rootkit, are configured to
systematically steal SSH keys from the compromised system. These SSH keys are
sent to the attackers, who then use them to try to compromise other sites and
other systems of interest at the attacked site.

Detection of phalanx2 as used in this attack may be performed as follows:

- "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with
  "cd /etc/khubd.p2".
- "/dev/shm/" may contain files from the attack.
- Any directory named "khubd.p2" is hidden from "ls", but may be entered by
  using "cd".

Changes in the configuration of the rootkit might change the attack
indicators listed above. Other detection methods may include searching for
hidden processes and checking the reference count in "/etc" against the
number of directories shown by "ls".

US-CERT encourages administrators to perform the following actions to help
mitigate the risks:

- Proactively identify and examine systems where SSH keys are used as part of
  automated processes. These keys typically do not have passphrases or
  passwords.
- Encourage users to use keys with passphrases or passwords to reduce the
  risk if a key is compromised.
- Review access paths to internet facing systems and ensure that systems are
  fully patched.

If a compromise is confirmed, US-CERT recommends the following actions:

- Disable key-based SSH authentication on the affected systems, where possible.
- Perform an audit of all SSH keys on the affected systems.
- Notify all key owners of the potential compromise of their keys.

US-CERT will provide additional information as it becomes available.

US-CERT credits DFN-CERT for their contributions regarding this issue.

{Note: to Microsoft-only users: The above is provided as a general service
announcement and although it affects Linux systems it is provided here
publicly to raise users' awareness of how serious computer attacks are
getting --- thank you for any feedback and have a great day}

Also please use Microsoft's own password tool to generate stronger passwords
that are safe and secure. I hope Steve Riley, MSFT will comment for all of
us to benefit on the issue of new security and safety measures and the new
source code Microsoft is slowly but surely developing. That new source code
is what I am super excited about for Microsoft's future.
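
The detection steps and the key audit from the US-CERT text above, worked
through as an added shell example; this is not code from US-CERT, DFN-CERT or
anyone in this thread. It assumes Linux with GNU coreutils and findutils
(stat -c, find -maxdepth), a filesystem that keeps a directory's link count at
2 plus its subdirectory count (ext4, xfs and tmpfs do; btrfs and merged
overlayfs directories report 1, which the script reports as "unknown"), and
optionally ssh-keygen for OpenSSH-format keys. The script name and the
PHALANX_SCAN variable are my own choices, not anything the advisory names.

```shell
#!/bin/sh
# phalanx2-check.sh (hypothetical name): host checks for the indicators in the
# US-CERT note. Added example, not US-CERT's or the thread's own code.
# Read-only: nothing here changes the system. Run as root to see every home.

# "Checking the reference count in /etc against the number of directories
# shown by ls": ls and find both read the directory through getdents(), which
# a kernel rootkit can filter, but the link count comes from the inode and is
# rarely faked. Prints "ok", "hidden:<n>" (n subdirectories the listing does
# not show) or "unknown" (filesystem does not keep the 2+subdirs invariant).
link_count_check() {
    links=$(stat -c %h "$1") || return 1
    [ "$links" -gt 1 ] || { echo unknown; return 0; }
    visible=$(find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l)
    expected=$((visible + 2))
    if [ "$links" -eq "$expected" ]; then echo ok; else echo "hidden:$((links - expected))"; fi
}

# "ls does not show /etc/khubd.p2 but it can be entered": a name that stat()
# resolves but that is missing from its parent's listing.
# Prints "absent", "visible" or "HIDDEN".
probe_hidden_path() {
    parent=$(dirname "$1"); name=$(basename "$1")
    if [ -e "$1" ] || [ -L "$1" ]; then
        if ls -A "$parent" | grep -qxF -e "$name"; then echo visible; else echo HIDDEN; fi
    else
        echo absent
    fi
}

# "Searching for hidden processes": PIDs present in /proc but absent from ps.
# Both views come from the same kernel listing, so a rootkit that filters
# getdents() on /proc hides from both; walking 1..pid_max with kill -0 is the
# slower but stronger variant. A PID that exits between the two snapshots also
# shows up here, so repeat the check before treating a hit as real.
hidden_pids() {
    [ -d /proc ] && command -v ps >/dev/null 2>&1 || return 0
    set -- /proc/[0-9]*          # glob expanded in this shell, not a subshell
    procview=$(printf '%s\n' "$@" | sed 's|^/proc/||')
    psview=$(ps -e -o pid= | tr -d ' ')
    # A line printed once is in /proc only; ps-only lines occur twice, shared
    # ones three times, so uniq -u leaves exactly the unaccounted-for PIDs.
    { echo "$procview"; echo "$psview"; echo "$psview"; } | sort -n | uniq -u
    return 0
}

# "Perform an audit of all SSH keys": private keys under a tree and whether
# they carry a passphrase. PEM keys say so in their header; OpenSSH-format
# keys need ssh-keygen (-y with an empty passphrase succeeds only when the key
# has none) and are reported as "unknown" when it is not installed.
# Prints "<plain|encrypted|unknown> <path>" per key found.
audit_private_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            *"BEGIN ENCRYPTED PRIVATE KEY"*) echo "encrypted $f" ;;
            *"BEGIN OPENSSH PRIVATE KEY"*)
                if ! command -v ssh-keygen >/dev/null 2>&1; then echo "unknown $f"
                elif ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1; then echo "plain $f"
                else echo "encrypted $f"; fi ;;
            *"PRIVATE KEY-----"*)
                if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo "encrypted $f"
                else echo "plain $f"; fi ;;
        esac
    done
}

# Usage: PHALANX_SCAN=1 sh phalanx2-check.sh   (variable name is mine)
if [ "${PHALANX_SCAN:-0}" = 1 ]; then
    echo "/etc link count:    $(link_count_check /etc)"
    echo "/etc/khubd.p2:      $(probe_hidden_path /etc/khubd.p2)"
    echo "PIDs ps cannot see: $(hidden_pids | tr '\n' ' ')"
    echo "/dev/shm contents:"; ls -la /dev/shm
    for h in /root /home/*; do
        if [ -d "$h/.ssh" ]; then audit_private_keys "$h/.ssh"; fi
    done
fi
```

Each function prints a value a caller can test, so the checks can be run from
cron or a configuration-management job. A "hidden:" result from the link-count
check, a "HIDDEN" from the path probe, or a PID that survives a second
hidden_pids run, is a reason to image the host rather than clean it in place:
once a kernel rootkit is loaded, every tool run on that host can be lied to.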
 
MowGreen [MVP]

Where are the Penguin fanbois exclaiming " Linux is the safest OS it's
impenetrable " ?
C'mon guyz, do your part. You have a role to fill here.

But, seriously, Dan. Anyone with common sense knows that any system that
is exposed to the internet can be compromised. And, it is irrelevant
which OS one runs.
The key is, never drink 'OS koolaid'. Use the one that suits your
purposes but don't tell everyone that it is ' the most secure ' or ' it
can't be hacked '. That's total nonsense.


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


Dan wrote:

> [snip]
 
Dan

Thanks for your reply MowGreen. I really do respect you and consider you a
great asset to this group. I loved when Apple users were so sure of their
operating system and computers that they claimed they were really safe and
when an Apple, Windows Vista and Ubuntu Linux computer competed against each
other the first one to be hacked was the Apple. BTW, have you heard anything
about Microsoft's new source code that you can publicly share on this newsgroup?

"MowGreen [MVP]" wrote:

> Where are the Penguin fanbois exclaiming " Linux is the safest OS it's
> impenetrable " ?
> C'mon guyz, do your part. You have a role to fill here.
>
> But, seriously, Dan. Anyone with common sense knows that any system that
> is exposed to the internet can be compromised. And, it is irrelevant
> which OS one runs.
> The key is, never drink 'OS koolaid'. Use the one that suits your
> purposes but don't tell everyone that it is ' the most secure ' or ' it
> can't be hacked '. That's total nonsense.
>
>
> MowGreen [MVP 2003-2008]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Dan wrote:
>
> > [snip]
 
Steve Riley [MSFT]

Dan, I have resisted writing a message like the one I'm writing now but I
can wait no longer. I'm not exactly sure what it is that you expect to
accomplish with statements like "web link may be manipulated by others" and
"poster not responsible if someone hacks post" (other than possibly stoking
the fears of other readers) nor do I understand your repeated requests for
me to comment on various things (I am not any kind of Microsoft crystal
ball).

In the newsgroups I avoid religious arguments about software, engaging in
flame wars, or questioning people's motives because none of those activities
do anyone any good. But your exaggerated claims about the realm of possible
attacks, your continued devotion to "internal safety" vs. "external
security" (which are terms NO ONE ELSE in the security field uses), your
frequent invocation of DHS (and your cc-ing the US-CERT in your private
emails to me -- what's up with that?), and your strange occupation with
"source code" is really getting quite tiresome.

In this thread you wonder about some kind of "new source code" that might be
under development. In your thread "Source Code," you lament that, according
to Wikipedia, Windows 7 "will use the Windows NT source code" -- then later
on claim that we've got some sort of secret skunkworks project. Do you
really even understand what source code is? Nowhere in the Wikipedia article
did I see any reference to Windows NT source code. Do you realize that
virtually none of the original NT code still exists in the current versions
of Windows? Much of the architecture (for example -- file storage,
communications, process handling, and memory management) is still in place,
of course, but nearly every single element has been rewritten and expanded
to increase reliability and security, and to take advantage of modern
hardware capabilities. In a reply to "Is DNSSEC supported by Windows?" you
claim that DOS is required for "internal safety" -- is this a joke? Do you
understand that DOS is an ancient thing written for a totally different
time -- when there were no networks, no multitasking, no re-entrance
(executing the same piece of code multiple simultaneous times), no
multi-user support, and no concept of virtualizing any of these layers? DOS
HAS ZERO security of any kind. To claim "society and the world are paying
for the mistake" of not using DOS in the current version of Windows is
really rather silly.

Your assertion that "the majority of people here...have...bought the company
line" is intended to indicate what? What "company" do you mean? Information
security practices and philosophies have evolved over time to address
changing business requirements in an age where everything is connected all
the time using public networks. To claim that "the majority" are wrong and
that the development practices (and products) of two decades ago will
somehow save us from all evil shows a fundamental misunderstanding of the
issues and solutions.

Dan, I am not attacking your motives or impugning your character. But I am
asking that you rethink your positions (and your allegiances) as you
continue your journey in the field of computer security.


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@microsoft.com...
> Thanks for your reply MowGreen. I really do respect you and consider you
> a
> great asset to this group. I loved when Apple users were so sure of their
> operating system and computers that they claimed they were really safe and
> when an Apple, Windows Vista and Ubuntu Linux computer competed against
> each
> other the first one to be hacked was the Apple. BTW, have you heard
> anything
> about Microsoft's new source code that you can publicly share on this
> newsgroup?
>
> "MowGreen [MVP]" wrote:
>
>> [snip]
 
Tom [Pepper] Willett

CLAP! CLAP! CLAP!

Thanks, Steve.

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:33716B98-3D29-4499-9573-7A4FB4558358@microsoft.com...
: [snip]
 
FromTheRafters

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@microsoft.com...
> Thanks for your reply MowGreen. I really do respect you and consider you
> a
> great asset to this group. I loved when Apple users were so sure of their
> operating system and computers that they claimed they were really safe and
> when an Apple, Windows Vista and Ubuntu Linux computer competed against
> each
> other the first one to be hacked was the Apple. BTW, have you heard
> anything
> about Microsoft's new source code that you can publicly share on this
> newsgroup?


I can.

It won't support file system and registry virtualization for
legacy programs. Software developers should keep this
in mind when writing or porting for Vista. Average users
should consider this when purchasing software they want
to use on the next Microsoft offering.

XP was pretty forgiving of those who didn't follow the
guidelines, Vista less so, and the next even less so.

I think I saw the new OS's codename somewhere, but
I forgot it already.
 
Dan

Thank you for your feedback, Steve and sorry I did not mean to hurt Microsoft.

"Steve Riley [MSFT]" wrote:

> Dan, I have resisted writing a message like the one I'm writing now but I
> can wait no longer. I'm not exactly sure what it is that you expect to
> accomplish with statements like "web link may be manipulated by others" and
> "poster not responsible if someone hacks post" (other than possibly stoking
> the fears of other readers) nor do I understand your repeated requests for
> me to comment on various things (I am not any kind of Microsoft crystal
> ball).
>
> In the newsgroups I avoid religious arguments about software, engaging in
> flame wars, or questioning people's motives because none of those activities
> do anyone any good. But your exaggerated claims about the realm of possible
> attacks, your continued devotion to "internal safety" vs. "external
> security" (which are terms NO ONE ELSE in the security field uses), your
> frequent invocation of DHS (and your cc-ing the US-CERT in your private
> emails to me -- what's up with that?), and your strange occupation with
> "source code" is really getting quite tiresome.
>
> In this thread you wonder about some kind of "new source code" that might be
> under development. In your thread "Source Code," you lament that, according
> to Wikipedia, Windows 7 "will use the Windows NT source code" -- then later
> on claim that we've got some sort of secret skunkworks project. Do you
> really even understand what source code is? Nowhere in the Wikipedia article
> did I see any reference to Windows NT source code. Do you realize that
> virtually none of the original NT code still exists in the current versions
> of Windows? Much of the architecture (for example -- file storage,
> communications, process handling, and memory managememt) is still in place,
> of course, but nearly every single element has been rewritten and expanded
> to increase reliability and security, and to take advantage of modern
> hardware capabilities. In a reply to "Is DNSSEC supported by Windows?" you
> claim that DOS is required for "internal safety" -- is this a joke? Do you
> understand that DOS is an ancient thing written for a totally different
> time -- when there were no networks, no multitasking, no re-entrance
> (executing the same piece of code multiple simultaneous times), no
> multi-user support, and no concept of virtualizing any of these layers? DOS
> HAS ZERO security of any kind. To claim "society and the world are paying
> for the mistake" of not using DOS in the current version of Windows is
> really rather silly.
>
> Your assertion that "the majority of people here...have...bought the company
> line" is intended to indicate what? What "company" do you mean? Information
> security practices and philosophies have evolved over time to address
> changing business requirements in an age where everything is connected all
> the time using public networks. To claim that "the majority" are wrong and
> that the development practices (and products) of two decades ago will
> somehow save us from all evil shows a fundamental misunderstanding of the
> issues and solutions.
>
> Dan, I am not attacking your motives or impugning your character. But I am
> asking that you rethink your positions (and your allegiances) as you
> continue your journey in the field of computer security.
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@microsoft.com...
> > Thanks for your reply MowGreen. I really do respect you and consider you a
> > great asset to this group. I loved when Apple users were so sure of their
> > operating system and computers that they claimed they were really safe and
> > when an Apple, Windows Vista and Ubuntu Linux computer competed against
> > each other the first one to be hacked was the Apple. BTW, have you heard
> > anything about Microsoft's new source code that you can publicly share on
> > this newsgroup?
> >
> > "MowGreen [MVP]" wrote:
> >
> >> Where are the Penguin fanbois exclaiming " Linux is the safest OS it's
> >> impenetrable " ?
> >> C'mon guyz, do your part. You have a role to fill here.
> >>
> >> But, seriously, Dan. Anyone with common sense knows that any system that
> >> is exposed to the internet can be compromised. And, it is irrelevant
> >> which OS one runs.
> >> The key is, never drink 'OS koolaid'. Use the one that suits your
> >> purposes but don't tell everyone that it is ' the most secure ' or ' it
> >> can't be hacked '. That's total nonsense.
> >>
> >>
> >> MowGreen [MVP 2003-2008]
> >> ===============
> >> *-343-* FDNY
> >> Never Forgotten
> >> ===============
> >>
> >>
> >> Dan wrote:
> >>
> >> > http://www.us-cert.gov/current/index.html#red_hat_releases_openssh_security
> >> >
> >> > {Note: Web Link may be manipulated by others and smart web surfing is
> >> > encouraged like reading in plain text and blocking remote code --
> >> > Disclaimer: Poster is not responsible if someone hacks post and web
> >> > link is illegally changed}
> >> >
> >> > Here is the information from US-Cert.gov which is a part of DHS: all
> >> > below should be considered a quote ". . ."
> >> >
> >> > SSH Key-based Attacks
> >> > added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm
> >> >
> >> > US-CERT is aware of active attacks against linux-based computing
> >> > infrastructures using compromised SSH keys. The attack appears to
> >> > initially use stolen SSH keys to gain access to a system, and then uses
> >> > local kernel exploits to gain root access. Once root access has been
> >> > obtained, a rootkit known as "phalanx2" is installed.
> >> >
> >> > Phalanx2 appears to be a derivative of an older rootkit named "phalanx".
> >> > Phalanx2 and the support scripts within the rootkit are configured to
> >> > systematically steal SSH keys from the compromised system. These SSH
> >> > keys are sent to the attackers, who then use them to try to compromise
> >> > other sites and other systems of interest at the attacked site.
> >> >
> >> > Detection of phalanx2 as used in this attack may be performed as
> >> > follows:
> >> >
> >> > "ls" does not show a directory "/etc/khubd.p2/", but it can be entered
> >> > with "cd /etc/khubd.p2".
> >> > "/dev/shm/" may contain files from the attack.
> >> > Any directory named "khubd.p2" is hidden from "ls", but may be entered
> >> > by using "cd".
> >> >
> >> > Changes in the configuration of the rootkit might change the attack
> >> > indicators listed above. Other detection methods may include searching
> >> > for hidden processes and checking the reference count in "/etc" against
> >> > the number of directories shown by "ls".
> >> >
> >> > US-CERT encourages administrators to perform the following actions to
> >> > help mitigate the risks:
> >> >
> >> > Proactively identify and examine systems where SSH keys are used as
> >> > part of automated processes. These keys typically do not have
> >> > passphrases or passwords.
> >> > Encourage users to use the keys with passphrases or passwords to reduce
> >> > the risk if a key is compromised.
> >> > Review access paths to internet facing systems and ensure that systems
> >> > are fully patched.
> >> >
> >> > If a compromise is confirmed, US-CERT recommends the following actions:
> >> >
> >> > Disable key-based SSH authentication on the affected systems, where
> >> > possible.
> >> > Perform an audit of all SSH keys on the affected systems.
> >> > Notify all key owners of the potential compromise of their keys.
> >> >
> >> > US-CERT will provide additional information as it becomes available.
> >> >
> >> > US-CERT credits DFN-CERT for their contributions regarding this issue.
> >> >
> >> > {Note to Microsoft-only users: The above is provided as a general
> >> > service announcement and although it affects Linux systems is provided
> >> > here publicly to raise users' awareness of how serious computer attacks
> >> > are getting --- thank you for any feedback and have a great day}
> >> >
> >> > Also please use Microsoft's own password tool to generate stronger
> >> > passwords that are safe and secure. I hope Steve Riley, MSFT will
> >> > comment for all of us to benefit on the issue of new security and
> >> > safety measures and the new source code Microsoft is slowly but surely
> >> > developing. That new source code is what I am super excited about for
> >> > Microsoft's future.
> >>

>
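The two filesystem checks in the US-CERT advisory quoted above (the link count of "/etc" against the directories "ls" shows, and a "khubd.p2" directory that "cd" can enter but "ls" hides) written out as an added Python example; this is not code from the advisory or from anyone in this thread. It assumes a Linux filesystem that keeps a real directory link count (ext4, xfs, tmpfs); the fixture directory and all function names are constructed for the example.

```python
# Added example (not from the advisory or the thread): the two filesystem
# checks the advisory describes, for a sysadmin to run on a suspect host.
# Only the directory name "khubd.p2" comes from the advisory.
import os
import stat
import tempfile

HIDDEN_DIR_NAME = "khubd.p2"


def link_count_discrepancy(directory):
    """On ext4/xfs/tmpfs a directory's st_nlink is 2 + its subdirectories,
    so return (visible_subdirs + 2, st_nlink); actual > expected suggests a
    subdirectory hidden from readdir(). Returns None on filesystems that
    report nlink 1 for directories (btrfs, merged overlayfs)."""
    visible = 0
    for name in os.listdir(directory):
        try:
            if stat.S_ISDIR(os.lstat(os.path.join(directory, name)).st_mode):
                visible += 1
        except OSError:
            pass                      # entry vanished between list and stat
    actual = os.stat(directory).st_nlink
    return None if actual == 1 else (visible + 2, actual)


def hidden_entry_probe(directory, name=HIDDEN_DIR_NAME, listing=None):
    """The ls-versus-cd symptom: True when 'name' is absent from the listing
    but stat() by full path still finds a directory. 'listing' defaults to
    os.listdir(directory); a test may pass a constructed listing instead."""
    if listing is None:
        listing = os.listdir(directory)
    try:
        reachable = stat.S_ISDIR(os.stat(os.path.join(directory, name)).st_mode)
    except OSError:
        reachable = False
    return reachable and name not in listing


def make_demo_dir():
    """Constructed fixture: scratch directory with two ordinary subdirs."""
    root = tempfile.mkdtemp(prefix="p2check-")
    for sub in ("conf.d", HIDDEN_DIR_NAME):   # both visible; nothing hidden
        os.mkdir(os.path.join(root, sub))
    return root


if __name__ == "__main__":
    print("/etc", link_count_discrepancy("/etc"), hidden_entry_probe("/etc"))
```

A rootkit that filters readdir() is what makes "ls" and "cd" disagree; both checks above read through ordinary syscalls, so a kernel-level hook can in principle lie to them too, which is why the advisory pairs them with a search for hidden processes.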
 
D

Dan

Thank you. This new Microsoft source code, as far as I can remember, is a
small project within Microsoft, and I read about it during the summer, but I
sadly do not recall the data. Steve, from what I have read about Windows 7,
it will not use an entirely new source code but will have additional
functionality added on top of Windows Vista. I use Windows 98 Second
Edition for legacy support, so compatibility is a non-issue for me, and I
encourage users to use Windows 98 Second Edition if they need the
compatibility with old DOS games, because I enjoy them so much and they were
designed and programmed so well. Remember, with King's Quest 1 by Sierra
On-Line for the IBM PCjr, Sierra had to fit the entire program on one 5.25-inch
floppy disk, and the computer itself had no hard drive. It was so cool
because it allowed you to use the IBM keyboard without a wire with only two
double-A batteries. The reason I mention this is because I feel the
industry has moved too far away from its roots in the past and has forgotten
some important parts of the past, and my hope for the future is that Microsoft
can lead the way in developing an entirely new source code for businesses and
consumers alike to use in true harmony, which is just a pipe dream on my part,
I guess, but at least I can dream and hope, right?

"FromTheRafters" wrote:

>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:F78F1DC8-4ADD-4174-BAEE-7FD50FCF635A@microsoft.com...
> > Thanks for your reply MowGreen. I really do respect you and consider you a
> > great asset to this group. I loved when Apple users were so sure of their
> > operating system and computers that they claimed they were really safe and
> > when an Apple, Windows Vista and Ubuntu Linux computer competed against
> > each other the first one to be hacked was the Apple. BTW, have you heard
> > anything about Microsoft's new source code that you can publicly share on
> > this newsgroup?

>
> I can.
>
> It won't support file system and registry virtualization for
> legacy programs. Software developers should keep this
> in mind when writing or porting for Vista. Average users
> should consider this when purchasing software they want
> to use on the next Microsoft offering.
>
> XP was pretty forgiving of those who didn't follow the
> guidelines, Vista less so, and the next even less so.
>
> I think I saw the new OS's codename somewhere, but
> I forgot it already.
>
>
>
 