2001-03-29 14:11:20

by Richard B. Johnson

Subject: Linux connectivity trashed.


This is for information only.

Last week a standard RH distribution of Linux was rooted from what looks
like a Russian invasion. The penetration used the method taught in the CERT
Advisory CA-2000-17.

The intruder(s) then attempted to perform additional penetrations from this
site. One of the sites attacked was alleged to be Raytheon. Raytheon makes
products for national security such as guided missiles.

I was told that Raytheon is now suing this company. Therefore all Linux
machines are being denied access to the Internet.

The penetration occurred because somebody changed our firewall
configuration so that all of the non-DHCP addresses, i.e., all the real IP
addresses had complete connectivity to the outside world. This meant that
every Linux and Sun Workstation in this facility was exposed to tampering
from anywhere in the world. This appears to be part of a plan to remove all
non-DHCP machines by getting them trashed. In other words, we were set up
to take a hard fall because no machine that allows NFS mounts can be safely
exposed to the outside world without blocking portmap.

There is a concerted effort to eliminate both Sun Workstations and Linux
machines as tools in this facility. This happens as the "yuppies", who have
never, ever, contributed to product development are Peter-Principled into
positions of authority.

The email addresses of those who have declared that only Windows machines
will be allowed access to the outside world are:

Thor T. Wallace [email protected]
David Pothier [email protected]

David Pothier was a beta tester for Windows/NT. Of course he wants all
machines to be Windows and, naturally, under his control.

Thor Wallace is our new "security" administrator so I am told.

The only Linux advocate in a position of authority is:

Alex Shekhel [email protected]

So, now I hooked up my lap-top, installed Windows.... and here I am. Only
windows machines are allowed to access the outside world.


Cheers,

Richard B. Johnson
Formally [email protected]
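
The firewall change and the portmap/NFS exposure described in the post above, as an added example that is not part of the original message or of anything its posters wrote: a small audit script that walks an iptables-save style FORWARD chain (the netfilter of the 2.4 kernels the posters are running) the way netfilter does, and reports which hosts in a block of routable addresses have portmap (111) and NFS (2049) reachable from the outside interface. The interface name eth0, the 192.0.2.0/24 "real IP" block and both rulesets are constructed for illustration; the "broken" ruleset models the change Richard describes, a single rule that accepts everything inbound to the static block, and the "hardened" one is a default-deny chain that lists the two services meant to be reachable.

```python
"""Audit an iptables-save dump for the hole the post describes: a FORWARD rule
that gives a block of routable ("non-DHCP") addresses unrestricted inbound
connectivity, exposing portmap (111) and NFS (2049) on every host in it.
Added example, not code from the thread.  eth0, 192.0.2.0/24 and both
rulesets are constructed for illustration."""
import ipaddress
import shlex

# Probes sent "from the outside" against every host in the static block.
RPC_PROBES = [("tcp", 111, "sunrpc/portmap"), ("udp", 111, "sunrpc/portmap"),
              ("tcp", 2049, "nfs"), ("udp", 2049, "nfs")]

# Constructed: the state after the change described in the post.
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -d 192.0.2.0/24 -j ACCEPT
COMMIT
"""

# Constructed: default-deny, with the services that are meant to be
# reachable from outside listed explicitly.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.0.2.10/32 --dport 22 -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.0.2.20/32 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -j LOG --log-prefix "fw-drop: "
COMMIT
"""


def parse_dump(dump):
    """Return (chain policies, rules).  Only the matches that matter for an
    inbound new-connection check are modelled; other options are skipped."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "in": None, "dst": None, "proto": None,
                "dport": None, "state": None, "target": None}
        i = 2
        while i < len(toks):
            opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if opt == "-i":
                rule["in"] = arg
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            else:                                # "-m state", "--log-prefix", ...
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def verdict(policies, rules, chain, in_if, dst_ip, proto, dport):
    """Walk CHAIN top to bottom, as netfilter does, for a NEW packet arriving on
    IN_IF for DST_IP:DPORT and return the terminating target.  LOG is
    non-terminating; jumps to user-defined chains are not followed (assumption)."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["in"] is not None and r["in"] != in_if:
            continue
        if r["dst"] is not None and dst_ip not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["state"] is not None and "NEW" not in r["state"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policies.get(chain, "ACCEPT")         # iptables' built-in default


def exposed_rpc_services(dump, outside_if, static_net):
    """Map each host in STATIC_NET to the RPC services the FORWARD chain lets
    through from OUTSIDE_IF; an empty dict means nothing is exposed."""
    policies, rules = parse_dump(dump)
    exposed = {}
    for host in ipaddress.ip_network(static_net).hosts():
        hits = [f"{proto}/{port} {name}" for proto, port, name in RPC_PROBES
                if verdict(policies, rules, "FORWARD", outside_if,
                           host, proto, port) == "ACCEPT"]
        if hits:
            exposed[str(host)] = hits
    return exposed
```

Run `exposed_rpc_services(BROKEN_RULESET, "eth0", "192.0.2.0/24")` and every one of the 254 hosts comes back with all four probes accepted; the hardened ruleset returns an empty dict. One caveat on the "just block portmap" idea: port 111 is only the registry, while rpc.statd, mountd and the other RPC daemons keep listening on their own ports (fixed 2049 for nfsd, dynamically assigned for the rest), so an attacker who already knows or guesses a port does not need portmap. That is why the check probes 111 and 2049 only as indicators and why the hardened ruleset is default-deny with an explicit allow list rather than a deny list of ports.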




2001-03-29 14:55:12

by J.A. Magallon

Subject: Re: Linux connectivity trashed.


On 03.29 Richard B. Johnson wrote:
>
> The penetration occurred because somebody changed our firewall
> configuration so that all of the non-DHCP addresses, i.e., all the real IP
> addresses had complete connectivity to the outside world. This meant that
> every Linux and Sun Workstation in this facility was exposed to tampering
> from anywhere in the world. This appears to be part of a plan to remove all
> non-DHCP machines by getting them trashed.
>

See the cleverness of his network admins, that spent their time configuring
a firewall to MAKE HOLES where there are not any...

--
J.A. Magallon # Let the source
mailto:[email protected] # be with you, Luke...

Linux werewolf 2.4.2-ac27 #1 SMP Wed Mar 28 23:27:18 CEST 2001 i686

2001-03-29 16:31:43

by Jesse Pollard

Subject: Re: Linux connectivity trashed.

"J . A . Magallon" <[email protected]>:
> On 03.29 Richard B. Johnson wrote:
> >
> > The penetration occurred because somebody changed our firewall
> > configuration so that all of the non-DHCP addresses, i.e., all the real IP
> > addresses had complete connectivity to the outside world. This meant that
> > every Linux and Sun Workstation in this facility was exposed to tampering
> > from anywhere in the world. This appears to be part of a plan to remove all
> > non-DHCP machines by getting them trashed.
> >
>
> See the cleverness of his network admins, that spent their time configuring
> a firewall to MAKE HOLES where there are not any...

And obviously not tell anyone they were doing so....

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [email protected]

Any opinions expressed are solely my own.

2001-03-29 16:52:23

by John Jasen

Subject: Re: Linux connectivity trashed.

On Thu, 29 Mar 2001, Richard B. Johnson wrote:

>snipped<

First mistake:
your security administrator relied on the firewall for protection.
It is an _aid_ to security; not the 'be all and end all'. IOW, the hosts
weren't hardened to resist penetration in case the firewall didn't cover
it.

Second mistake:
your security administrator didn't make known the changes taking
place, so that clueful users could have taken some preventative steps on
their UNIX boxes.

Third mistake:
your security administrator either didn't know about; didn't care
about; or didn't act on security problems for linux and solaris -- which
have been posted, discussed, and addressed on many general or OS-specific
security lists.

Fourth mistake:
your security administrator, rather than address the problems, is
sticking his head in the sand and mumbling 'Windows' -- which, as an OS,
is a christmas tree where every bauble says 'please hack me!'.

In short, your security administrator needs to be dragged out, shot, and
left hanging by the front door as a warning to his replacement.

Or, at least fired.

--
-- John E. Jasen ([email protected])
-- In theory, theory and practise are the same. In practise, they aren't.

2001-03-29 18:57:35

by Doug Ledford

Subject: Re: Linux connectivity trashed.

John Jasen wrote:
>
> On Thu, 29 Mar 2001, Richard B. Johnson wrote:
>
> >snipped<

>more snippage<

> In short, your security administrator needs to be dragged out, shot, and
> left hanging by the front door as a warning to his replacement.
>
> Or, at least fired.

That, or have all the Unix using/loving people at Analogic turn in their
resignations. When IS takes on too much of a Gestapo air about them, the only
thing to do is leave them to do not only all the administration, but all the
development as well. It's usually about then that CEOs actually pay attention
to how much distress IS is causing the rest of the company and give them a
swift kick in the ass to straighten things out (assuming you have a CEO worth
a damn, that assumption could be totally wrong).

--

Doug Ledford <[email protected]> http://people.redhat.com/dledford
Please check my web site for aic7xxx updates/answers before
e-mailing me about problems

2001-03-29 20:24:28

by Roger Larsson

Subject: Re: Linux connectivity trashed.

Hi,

I assume that it is ok to sue any company that forwards viruses too...
(not only the author...)

Are Raytheon suing the company where you work, or some
unknown/unnamed company made up by Microsoft?
(you were not specific about this)

/RogerL

On Thursday 29 March 2001 15:34, Richard B. Johnson wrote:
> This is for information only.
>
> Last week a standard RH distribution of Linux was rooted from what looks
> like a Russian invasion. The penetration used the method taught in the CERT
> Advisory CA-2000-17.
>
> The intruder(s) then attempted to perform additional penetrations from
> this site. One of the sites attacked was alleged to be Raytheon. Raytheon
> makes products for national security such as guided missiles.
>
> I was told that Raytheon is now suing this company. Therefore all Linux
> machines are being denied access to the Internet.
>
> The penetration occurred because somebody changed our firewall
> configuration so that all of the non-DHCP addresses, i.e., all the real IP
> addresses had complete connectivity to the outside world. This meant that
> every Linux and Sun Workstation in this facility was exposed to tampering
> from anywhere in the world. This appears to be part of a plan to remove all
> non-DHCP machines by getting them trashed. In other words, we were set up
> to take a hard fall because no machine that allows NFS mounts can be safely
> exposed to the outside world without blocking portmap.
>
> There is a concerted effort to eliminate both Sun Workstations and Linux
> machines as tools in this facility. This happens as the "yuppies", who have
> never, ever, contributed to product development are Peter-Principled into
> positions of authority.
>
> The email addresses of those who have declared that only Windows machines
> will be allowed access to the outside world are:
>
> Thor T. Wallace [email protected]
> David Pothier [email protected]
>
> David Pothier was a beta tester for Windows/NT. Of course he wants all
> machines to be Windows and, naturally, under his control.
>
> Thor Wallace is our new "security" administrator so I am told.
>
> The only Linux advocate in a position of authority is:
>
> Alex Shekhel [email protected]
>
> So, now I hooked up my lap-top, installed Windows.... and here I am.
> Only windows machines are allowed to access the outside world.
>
>
> Cheers,
>
> Richard B. Johnson
> Formally [email protected]
>

--
Roger Larsson
Skellefteå
Sweden

2001-03-30 01:43:47

by David Ford

Subject: [OT] Re: Linux connectivity trashed.

Might I suggest seeking a new employer whose IT department doesn't seek
the smell of fresh fertilizer compounds about their head and neck.

-d

Richard B. Johnson wrote:

> This is for information only.
>
> Last week a standard RH distribution of Linux was rooted from what looks
> like a Russian invasion. The penetration used the method taught in the CERT
> Advisory CA-2000-17.
> [...]


2001-03-31 17:21:13

by John Kodis

Subject: Re: Linux connectivity trashed.

On Thu, Mar 29, 2001 at 08:34:06AM -0500, Richard B. Johnson wrote:

> So, now I hooked up my lap-top, installed Windows.... and here I am.
> Only windows machines are allowed to access the outside world.

That is a shame. I can think of two things that might be of use under
these circumstances:

- Recent MS operating systems offer a limited version of IP
masquerading;

- Monster.com has numerous jobs available.

Best luck for a speedy resolution.

--
John Kodis <[email protected]>
Phone: 301-286-7376

2001-04-02 17:44:09

by Richard B. Johnson

Subject: Re: Linux connectivity trashed.

On Thu, 29 Mar 2001, Doug Ledford wrote:

> John Jasen wrote:
> >
> > On Thu, 29 Mar 2001, Richard B. Johnson wrote:
> >
>
> > In short, your security administrator needs to be dragged out, shot, and
> > left hanging by the front door as a warning to his replacement.
> >
> > Or, at least fired.
>

I have now gotten three linux machines back "on-the-air". The security
people insist on doing "NAT", so these machines are now using a phony
internal address, but we are up.

Another crisis created and resolved.

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

"Memory is like gasoline. You use it up when you are running. Of
course you get it all back when you reboot..."; Actual explanation
obtained from the Micro$oft help desk.