Security Basics

1. vulnerabilities
2. exploits
3. attack vectors
4. actual risks
5. payoffs
6. PREVENTION
7. Forensic Analysis - root cause analysis
8. corporate and small business measures

1) vulnerabilities 
You will often read about a new vulnerability in some application or code.  What this means is that the system is doing something it shouldn't.

Typically it means that someone can make the application do something it wasn't intended to do.  It can also be a weakness in the system.  An 
example of this would be a poorly written program that after three attempts lets the user in without a password.  I was going to provide links to
definitions but what I found out there was laden with errors and mistakes.  A vulnerability is just a weak spot, a security hole, a piece of broken code
if you will. That's it.  A vulnerability can exist and nothing bad can happen.  We're vulnerable to lies, yet if no one talks to us or doesn't lie to
us, well, nothing happened.  Same thing with software or hardware vulnerabilties.  They are a unique "feature" that was unintended or happened because
something else broke or wasn't checked.   There are many "undocumented" features in software and operating systems that users often discover quite by
chance.  There is no way that every line of code these days can be tested, and no way that one can exercise all the combinations of inputs, so unless
the code is written very well it'll likely have some "vulnerability" to some input or action.  Finding a vulnerability is NOT a reason to panic.  It would
be best if found that the owners of the system were notified so they could do something about it first, that would be the proper thing to do, and many
trade journals do this, they'll give the developers time to deal with it before announcing it.  Ok, so, lots of vulnerabilities exist, no reason to panic... yet.
A somewhat recent example is the "ShellShock" thing that appeared in the news about the BASH shell not long after another Microsoft virus hit.  You could
just see the folks in Redmond cheering.  Even people that should have known better were commenting about how insecure Linux was.  When I asked how many
attacks had taken place because of this vulnerability... there were no responses.  So... no panic...
2) exploits 
Ok, now you can panic... kind of.  An exploit is a means to take advantage of a vulnerability.  A recent example of this sort of thing is "ShellShock",
the BASH shell vulnerability hyped up (briefly) in the media.  They found a vulnerability that if a certain set of commands were presented one could run a 
command and possibly gain root access to the system.  env x='() { :;}; echo vulnerable' bash -c "echo this is a test" If you see vulnerable you should
update your BASH shell.  But does having a vulnerability AND an exploit REALLY warrant panic?  I have at least two systems that are vulnerable to this exploit.
Am I panicked?  Do I sound panicked?  Really?  Am I being an irresponsible systems administrator?  (Don't answer that.)  Ok, we have a vulnerability, we have
an exploit... cha-ching... right?  Well, even with the vulnerability and an exploit nothing has happened.  I ran the test on a system or two, it failed, then
I read more, tried to pass some creative commands through the test to see if I could hijack my own system... nothing.  Clearly I'm not qualified to be a hacker,
I had the vulnerability and an exploit and couldn't figure it out.  Oh, I'm sure the hackers can and would... however, I'm not panicked.  Why not?  Well...
3) attack vectors
I am not panicked over ShellShock because there are no  attack vectors.  I may be making up my own terms here, and if I'm wrong I'll fix it someday.
Or maybe one of the hackers can use the exploit and fix it for me. Oh wait, they'd need to get on the system.  They need to be able to type or pass that command
to the BASH shell some how.  Can they do it from a web page?  No, no access to the command line via Apache that I know of, with the exception of cgi-bin
scripts using shell scripts, but then they'd be CHROOTED and limited, but that's a possible attack vector.  Basically they'd have to be logged in to the system.
So in order to be logged in they'd have to first hack into an account.  But if they did that they would have other tools once they got in that might give
them root.  Ok, so if they can't get to the command line they can't exercise the exploit.  No attack vector, no attack, simple.  No access, no problem.

But let's say that the hacker was an authorized user on your system.  Let's say this is an ISP with shell accounts.  
The hacker could use the exploit to get root.  Ok, he (or she) used a known vulnerability with an exploit to finally get root access to a system.  Now what?
4) actual risks 
There is a hacker with root access on your Linux system.  What is the  risk?  Guess this is what you have to consider ultimately before panicking.  
The risks are personal information in the form of emails, files with personal content and financial information.  A hacker will get on a system for a few things,
those may include passwords, credit card info, personal information to use for identity theft, or something as benign as a bunch of emails to use to spam for
adverts or for trying to do social engineering via links to get passwords and financial information.  What's at risk on your system?  Information primarily.  Of
course there are two other things that are desirable that could be considered risks, and that is disk space and network access.  A hacker will not deface or
destroy a Linux system typically if they get access.  They will use the available disk and hide things that they can't put any where else, like pirated software,
music files, films, porn, or whatever they want, they just found a free server... The other thing they seek is the network connection, they can use your network
to access and attack other systems in their search for financial information or to setup social engineered "gotchas" to get someone to call, click or email for help.
5) payoffs
So, what is the payoff for the hacker?  Well, the things you have at risk:  financial information, passwords, your contact lists, credit card info, and then of course
disk space and network access.  Hackers are not going to do things that will get them easily caught.  There has to be a payoff for them, maybe it's just the conquest.
The challenge for you is to make sure there isn't a payoff.

 PREVENTION
Ok, so as it's often said, the best defense is a good offense.   Here's a quick checklist of what you can do on a Linux system (or any system really) to prevent
exposure to vulnerabilities, exploits and to reduce or eliminate attack vectors.

 build the system with security in mind - do not install applications you're not likely to use, it's very tempting to install everything
 if you can, create a detailed listing of the system files including dates and sizes and save it; another option is to generate MD5 checksums for future reference
 make sure that you only add user accounts to users you know and trust.  do not provide "guest" access 
 do not setup FTP, and if you do, use VSFTP and do not enable anonymous FTP without a solid CHROOT jail, 
	if you don't understand what I just said, don't install FTP.
 if you don't have time or skill to monitor your log files, enable your firewall from the beginning
 update the system from time to time, check for patches, watch for vulnerabilities and understand what an attack vector might be.
 make sure that you use very solid passwords, do NOT use any dictionary word in any language. 
 change your passwords from time to time 
 do NOT use the same password on other systems
 do not store credit card details on line, especially if you don't have complete control of the system
 learn how to use ssh and encryption if you do need to have financial data on your system
 avoid using contacts stored on major sites... avoid using comcast, google, yahoo, or any other large email provider's contact storage, use Thunderbird or
	your smart phone's email tool.
 learn how to monitor your system and review your log files
 be very, very careful about incoming emails - don't just open attachments
 be very careful when downloading free s/w from the internet - google the link to see if others have reported viruses or malware
 if a strange pop up shows up - DO NOT CLICK ON IT.  Kill the browser by closing, or using xkill.  Clean the cache manually.
 do NOT call numbers listed in pop ups or on pages offering to help.  
 do NOT transmit credit card details to an unknown site or a site not using https.  When in doubt, pay via paypal.  
 google for details on any site you have questions about to see if it's safe.
 ask the question, what would the payoff be for a hacker if they got on your system?  Protect it.
 the biggest hassle of being socially engineering, hacked, impacted by malware or a virus is the unknown.  You just don't know what can be trusted
	after an attack.  It's best to rebuild the system.  
 
 Forensic Analysis - root cause analysis
Seek to understand what happened and how it happened.

Examine the system carefully.  It is highly recommended that if you suspect your system is compromised is to pull the plug, immediately.  Disconnect
from the network, get it turned off.  If you can pull the drive and use a USB type tool to access the drive as a READ-ONLY mount to preserve critical
time stamps and file information. Compare against the list you saved or the MD5 checksums, or if you're like the rest of us and didn't do that,
look at another like system and see if you can spot any thing out of the ordinary.

When a Mac system was hijacked by social engineering I pulled the drive and examined the files, looking for any that had been accessed during the attack.
I found that the hackers looked at every document, contact list and searched the drive using various tools looking for names, finanical information and
so on. If I'm not mistaken they used the system to send email to everyone listed in the address book, but I don't recall getting an email from the infected
system.  It may have been caught by spam or anti-virus at the mail server.  The hackers did not seem to fully understand the Mac system and the log files
indicated nothing really bad happened and no apps were modified or touched.  But I wiped the system and reinstalled anyway.  I'm sure it would have been ok,
but it's not worth the chance of it not being that way.  I saved all the files to a thumb drive and then put them back.

If there was criminal activity involved you'll want to save the log files.

The log files will give an indication of the likely attack vector and may reveal the originating IP address, but look for the MAC address as well
and then try to traceroute it back to the source.  It's likely the attackers used another system previously hijacked to launch the attack, or they used
an anonymizer to make their original location.  But if this was a criminal episode the authorities will have the ability to subpoena the logs of the 
router going into and out of the anonymizer, if there are log files.  But some where along the line there will be records and can be traced.   

So, consider what is worth protecting, then protect it with correct permissions, passwords, even encryption, and put it into a proper directory, then
make sure there are good passwords on your account and an active firewall.  Keep your system up to date and only install what you need.

Think, don't panic.  Oh, and make sure any files you care about are backed up on a different system or a removable device.  Hardware failures can be
as devasting as an attack.  So, when you hear about a virus or malware, consider the attack vectors and block them if possible.

 corporate and small business measures
In a corporate or small business setting with several user logins and business data, often including personal data of customers, one must
be more careful about the configuration and operatings systems.  A firewall, proxy server, and well instructed users are key.

Remember that anti-virus s/w is "reactive" - it only can deal with known viruses - even with adaptive algorithms it may miss a "new" one.
Do NOT count on anti-virus software - you need to educate yourself and users about attachments and web pages.  Do NOT use anti-virus on
Linux or Mac, there's little value and it'll likely hurt performance.  Your best tool is a firewall for any OS.  Microsoft requires anti-virus
and a firewall and complete and utter paranoia.  There are far too many lines of code and too many "features" for it to be secure.  It is a
convenient desktop tool, but very insecure as a corporate server.  If you don't understand computing and want things to work, carefully consider
Mac as a desktop solution, but Linux as a server.  Finding a qualified, competent "consultant" is a challenge, but worth the effort.  

 some tools and practices for small business and corporate settings:

 a router connecting to the internet with a firewall enabled (NAT - network address translator)  (usually built in)
 disable unused ports,  you should only need ports for the web (80) and possibly email  (enable the firewall, open needed ports)
 make sure all systems connected to the internal network have current operating systems and patches
 separate networks so that customer wifi is NOT able to connect or see records or other parts of your network
 separate finance and bookkeeping from daily use by other employees
 set up remote log hosts to record activity on a separate system in a locked area
 use password checking tools to ensure good passwords
 If you have an external website, place it on the other side of your firewall or NAT
 monitor network traffic, record IP and MAC info.
 Avoid using "default" tools in any OS, e.g. Internet Explorer and Outlook for MS, Safari and Mail in Mac, and whatever Linux might offer other 
	than what is recommended, and that is:  Firefox with add-ons and Thunderbird, Chrome by Google is also acceptable, as is Opera
 Avoid placing customer lists in contact lists "on the cloud", keep that information on a locked down system, or better, on a thumbdrive.
 Backup all user data off of that system.  Copy files from local pc's to a central computer, then back up needed data.
 if you need to archive data get a tape backup unit or disk burner and store those records OFF-SITE in a secure, fireproof container
 if you have other requirements such as SOX, HIPPA, FDA, FCC, FAA or other acronym agencies, make sure you are in compliance.
 using a UPS with a shutdown feature will protect your hardware against power surges and outages.
 consider using a hosting service such as dreamhost (let me know so I can refer you, I use their services) or other Linux based systems.
 avoid using anything related directly to Microsoft or using Microsoft systems, it's only a question of when, not if, a compromise will happen.
 minimize exposure of personal information, if you are dealing with proprietary or sensistive material consider using a system that is not on the network.
 a system not on the network would require only physical security. 
 the idea is to isolate systems from the outside world, NATs, routers, subnets, firewalls, all help, but even if it is not on the network it is 
      at risk through installed media, attached devices such as thumbdrives or USB storage... think STUXNET.  
 Consider the value of your information, and the damage that might result if it is exposed, released to the press or available to ID thieves.
 Place higher valued information and data in more secure areas, including the use of encryption on local drives.
 if you have laptops that contain private information, encrypt the drives, be careful what tools you use and carefully archive keys and other info.
 consider using off-site storage companies, if they can ensure secure transmission of data to "the cloud" that might work for you and save money.
 research, read, study, think.  
 Avoid proprietary products if possible. Do NOT lock into a vendor, even if it's based on OpenSource.  
 keep your data in a format that is easily migrated between productive tools.  CSV, Microsoft 97-2003 format, plain text, XML, etc.
 OpenSource tools are less risky to use and better supported by independent people. Many eyes are able to spot weaknesses and suggest fixes.


 typical larger corporation response to a security breach
Each company has a plan for dealing with security breaches. These breaches are handled much differently
than a small business or home user might.  The corporate security folks basically do not want anyone to know
they know.  This isn't to protect the stock price or keep customers from being concerned, but rather in order
to observe what is going on, by whom, and from where.  It's important to monitor and observe without tipping your
hand that you know.  It's easier to analyze and track when it's live, as opposed to cutting the head of the snake off
immediately.  So if you work in a company setting with an IT staff you want to see how they handle issues.

Here's a typical policy for larger corporations:

When a breach is detected or suspected, and unless otherwise directed by your security group, the following generally apply:

            1. Passwords must remain as they were.
            2. The system settings must remain as they were.
            3. Access controls must remain as they were.
            4. Accounts must not be deleted or disabled.
            5. Audit trail information must not be deleted or modified.
            6. The breach should not be discussed with anyone who does not have a need-to-know.
            7. No action should be taken against suspected hackers, there might be an urge to do something back, don't.
            8. The system should remain powered up, this is important so log files aren't lost.
            9. Files should not be deleted.  If you need to change something, make a tar archive of the directory as it is.




PRO PATRIA VIGILANS:


(The motto of the US Army Signal Corps, "watchful for the country" )

12 August 2015
john


 
 some links to notes on various viruses, mostly Microsoft
(these files will be updated and moved onto LinuxMeister at some point, not
permantely linked, or activated...)  (tmp means temporary...)
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/MSBLAST.EXE-info.html
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/johns-recommendations.html
http://johnmeister.com/linux/Microsoft/firefox-add-ons.jpg
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/CLEAN-VIRUS-n-MALWARE-n-SPYWARE.txt
http://johnmeister.com/linux/Microsoft/Safe-Internet-Use.txt
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/SUSPECT-malware-for-MS-Fedex-attachment-Collect_Letter.htm.txt
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/code-red-clean-perl-sh.txt
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/CodeRED-info.txt
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/General_info_viruses.html
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/Microsoft-WEAKnesses-macro-maillissa.html
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/shoho-worm.html
http://johnmeister.com/tmp/CLEAN_LINUX/MSinfo/VIRUS_INFO/sulfnbk-exe-RESTORE.html