Should've gone with *BSD
Weird PHP-poking Linux worm slithers into home routers, Internet of Things
Symantec has stumbled across a worm that exploits various vulnerabilities in PHP to infect Intel x86-powered Linux devices. The security biz says the malware threatens to compromise home broadband routers and similar equipment. However, home internet kit with x86 chips are few and far between – most network-connected embedded …
-
Thursday 28th November 2013 12:09 GMT Roo
@ alleged legion of AC trollops (eg: 11:51)
""Can't see Server 2012 running a set top box, can you?"
You must have missed the Xbox One launch then....same OS kernel...
The Windows kernel already scales down to for example mobile phones (and is more efficient and less memory hungry than say Android)..."
Awesome, so you can put your money where your mouth is.
All you need to do is to publish the IP of the windows server you have connected directly to the Internet and then we can all test to see how secure it really is. I figure that you won't do that because you really don't believe a word you say about Windows being the OS with the least vulnerabilities.
Nothing to hide, nothing to fear, right ? :)
-
Thursday 28th November 2013 12:21 GMT Lee D
Re: @ alleged legion of AC trollops (eg: 11:51)
I highly doubt MS has a couple of thousand Windows Servers just sitting direct on a leased line without security hardware in between (almost certainly Cisco), so that's as daft as saying "try google.com" for a Linux test. (And, if memory serves, microsoft.com is behind an Akamai cache which also performs security functions, and they tend to use Linux, so... whatever).
Fact is, thinking you're any better off with ANY product is really blind faith. What matters is response time and public knowledge - just because you have seen no published vulnerabilities on the Microsoft mailing list means NOTHING in terms of the actual security of the product. And when there are some, MS can take months to get around to fixing them while they are STILL public knowledge... and that's quite dangerous.
Nobody's immune. And "my product is better than yours" is as stupid as saying "my systems are secure - attack them..."
-
Thursday 28th November 2013 18:17 GMT Vic
Re: @ alleged legion of AC trollops (eg: 11:51)
> as stupid as saying "my systems are secure - attack them..."
Russell Coker put his root password on his website. I don't know if the machine is still up - I'm at work, and can't ssh out of the building.
It was pretty secure last time I logged in (as root) and tried stuff...
Vic.
-
Friday 29th November 2013 05:55 GMT Wzrd1
Re: @ alleged legion of AC trollops (eg: 11:51)
"Fact is, thinking you're any better off with ANY product is really blind faith."
True enough. One is taking it on blind faith that the vendor will patch their hardware and not claim that there isn't enough memory, it's too slow, etc.
I'll not even go into the cheap, fly by night Chinese hardware vendors. Here today, gone next year after pissing off tens of thousands of customers with shitty software, vulnerability laden firmware or, in one instance, hardware infected at the factory (USB drive that was a promotional give-away for one US state's National Guard, it had a CD image built in that contained windrives.b worm on it. One soldier was married to a recruiter from that state, he gave one to her, she plugged it into one of our installation's computers and I received an antivirus alert. Suffice it to say that the CIO of the National Guard Bureau was quite upset over the unauthorized hardware vendor, unauthorized hardware giveaway and the presence of that worm after I alerted him to the issue).
I still have that drive around here somewhere, as the soldier did not want the infected, unauthorized device and she gave it to me to add to my collection. Great educational tool!
-
Thursday 28th November 2013 12:49 GMT Skrrp
Re: IIS
I prefer my web servers to work, thanks.
telnet> o www.microsoft.com 80
Trying 64.4.11.42...
Connected to www.microsoft.com.
Escape character is '^]'.
OPTIONS * HTTP/1.1
Host: microsoft.com
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Thu, 28 Nov 2013 12:44:17 GMT
Connection: close
Content-Length: 1245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
Connection closed by foreign host.
-
Thursday 28th November 2013 18:18 GMT Roo
Re: @ alleged legion of AC trollops (eg: 11:51)
"Sure - try www.microsoft.com"
-1 for trolling, -1 for failing to put *your money* where your mouth is. Microsoft's servers are non-applicable for this one - unless of course you are on the MS payroll. ;) It wouldn't be the first bit of astroturfing and FUDing that MS has engaged in.
To do a fair test you need a Windows box that you value connected directly to the service provider - no filtering inbound or outbound, and while you are comparing to LAMP stacks add all that AMP bit too so you are comparing like with like.
-
Thursday 28th November 2013 12:40 GMT Anonymous Coward
Re: @ alleged legion of AC trollops (eg: 11:51)
"you really don't believe a word you say about Windows being the OS with the least vulnerabilities."
I don't think anyone claimed that. BSD has a better record. The point is that Windows has a much lower vulnerability count in recent years than an Enterprise Linux distribution...That's a verifiable fact. Not just an opinion.
-
Thursday 28th November 2013 13:40 GMT Anonymous Coward
Re: @ alleged legion of AC trollops (eg: 11:51)
Post links to your INDEPENDENT sources (no pro Microsoft, or pro Linux /BSD) of these facts then. And that they specifically are due to vulnerabilities in Apache, Linux and BSD, and not incompetent administration. Then we can start to have a sensible conversation.
-
Thursday 28th November 2013 14:14 GMT Anonymous Coward
Re: @ alleged legion of AC trollops (eg: 11:51)
"Post links to your INDEPENDENT sources (no pro Microsoft, or pro Linux /BSD) of these facts then"
Here you go: http://www.zone-h.org/news/id/4737
(Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)
-
Thursday 28th November 2013 15:21 GMT Paul Crawford
Re: @ AC 14:14
Ah yes, a report from 2010 is conclusive evidence of Linux vs Windows today?
And did you actually read it?
"But should be the out-of-date Linux server the only reason of this huge amount of defacements?
Yes and no.
We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due a remote upload flaw in OsCommerce CMS, that allows the defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had a too much time to fix it, but the fix appeared few months later. Pity.
Year after year, the developers are still coding by an unsafely, keeping tons of the remote and local file inclusion and the SQL injections, that the attackers use as the first step to gain the access into the server OS."
That read to me as if the web developers and tools are the biggest part in such attacks. But hey, you don't care when having a good rant?
-
Friday 29th November 2013 03:14 GMT Ilsa Loving
Re: Re: But hey, you don't care when having a good rant?
Why did this get downvoted? It's completely true. Windows used to be a security joke. But as Microsoft beefed things up, hackers have been going after 3rd party targets that are easier to hit, such as Adobe flash.
You need only one exploit to get from outside to local, and only one local exploit to hose the whole box. That means any OS... ANY OS.... is only 2 exploits away from being compromised.
Linux is getting exploited the most because it's the single most popular web stack out there. Linux is to web what Windows is to desktop. And the article itself said it.... virtually all the root-access hacks have been through things like 3rd party CMSes, and the kernel itself compromised by exactly 1 exploit.
So maybe we should focus less on how big everyone's OS-penis is, and more on the fact that far too many people write crap code.
And I will opine that it's because companies have made it FAR too easy for someone to sit down, bang a few commands on a keyboard, and suddenly think they know how to code. Until programmers are put through the same level of rigor as, say, engineers, this problem will never get better.
-
Thursday 28th November 2013 17:40 GMT Eddy Ito
Re: @ AC 14:14
Oh, here I thought the take-away from the article was that the most secure OSs were Novell Netware and AS/400 but it seems TheVogon is right in that IIS 8 and 8.5 were invulnerable a few years before they were released. Seriously it really would be nice for sites like this to have unrestricted information and access to all the data on a single page so you could get useful metrics, perhaps one that indicated the area of the target surface and not just the number of hits on the target. Also if "Heh…just for fun!" and "I just want to be the best defacer" make up 79% of the reasons for defacing a site, it means there are a lot of bored skiddies out there.
-
Friday 29th November 2013 15:04 GMT Anonymous Coward
Re: @ alleged legion of AC trollops (eg: 11:51)
"Here you go: http://www.zone-h.org/news/id/4737"
Yes, seen that zone-h article thank you, embarrassing isn't it.
Embarrassing for you, that is, if you really have nothing more relevant to quote than reported website defacement statistics, and nothing more recent to quote than defacement data from 2010 in an article from 2011, and no better logic than you have just displayed.
What kind of halfwit logic leads from lots of defaced websites, many sharing the same underlying problem, to "Linux is generically less secure than Windows"?
Still, at least the article refers to CVE, which is more than you and your fellow travellers have managed so far.
Readers who follow the referenced CVE link [1] will see that the problem isn't even a generic Linux problem, it's one only exposed in the context of an x86-32 application running on certain versions of the x86-64 Linux kernel (which admittedly may have been a quite common situation).
It's also 'only' a possible elevation of privilege exploit rather than the (common with Patch Tuesday) generic unauthenticated remote code execution exploit.
It's also one which had long ago been patched (in 2007) but somehow managed to re-emerge in 2010 (more detail in the CVE article and its references, not reproduced here), and because it was a set of circumstances in widespread use, there were lots of vulnerable websites and they were widely defaced and widely reported.
So, what logic leads from lots of defaced websites, many sharing the same underlying problem, to "Linux is generically less secure than Windows"?
Anyone got anything better to offer? And remember, facts good, logic good, hearsay bad.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301
2007 description: "The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register"
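The mismatch that CVE text describes, as an added illustration in Python (a model written for this page, not kernel code and not part of the post above): the 32-bit entry path compared the low 32 bits (eax) against the table size but then indexed the system call table with the full 64-bit register (rax), so high bits a tracer had planted through ptrace survived the check and pushed the index far past the table. The table size and the placeholder handler names are assumptions of the model; the fix shown is the zero-extension the later kernels apply before both the check and the index.

```python
NR_SYSCALLS = 4                   # assumed table size for the model; the real table is far larger
MASK32 = 0xFFFFFFFF               # the bits a 32-bit compare (eax) actually sees
MASK64 = 0xFFFFFFFFFFFFFFFF       # the bits a 64-bit index (rax) actually uses


def _sys_zero():
    return "sys_zero"


def _sys_one():
    return "sys_one"


def _sys_two():
    return "sys_two"


def _sys_three():
    return "sys_three"


# Placeholder handlers standing in for sys_call_table entries.
SYS_CALL_TABLE = [_sys_zero, _sys_one, _sys_two, _sys_three]


def vulnerable_syscall_index(rax):
    """Model of the unfixed path: bounds-check the low 32 bits, index with all 64.
    Returns None when the check rejects the number, else the index that would be used."""
    eax = rax & MASK32
    if eax >= NR_SYSCALLS:            # passes for 0x1_0000_0002 because eax == 2
        return None
    return rax & MASK64               # but the table is indexed with the full register


def fixed_syscall_index(rax):
    """The fix: zero-extend first (movl %eax,%eax), so check and index see the same value."""
    idx = rax & MASK32
    if idx >= NR_SYSCALLS:
        return None
    return idx


def dispatch(index_fn, rax, table=SYS_CALL_TABLE):
    """Dispatch through the chosen index function; in the kernel an out-of-range index is a
    read far past sys_call_table, here it is reported instead of performed."""
    idx = index_fn(rax)
    if idx is None:
        return "ENOSYS"
    if idx >= len(table):
        return "OUT_OF_BOUNDS"
    return table[idx]()


if __name__ == "__main__":
    # Constructed register value: syscall number 2 with stale high bits a tracer could plant.
    poisoned = 0x100000002
    print("vulnerable:", dispatch(vulnerable_syscall_index, poisoned))
    print("fixed:     ", dispatch(fixed_syscall_index, poisoned))
```

The point to take from the model is that the check and the use must look at the same value; whether the stale high bits arrive through ptrace or any other path is secondary.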
-
Thursday 28th November 2013 23:34 GMT sisk
Re: @ alleged legion of AC trollops (eg: 11:51)
And that they specifically are due to vulnerabilities in Apache, Linux and BSD, and not incompetent administration
In my experience most successful attacks are due to bad administration, regardless of the platform. Any platform can be locked down pretty securely these days.
The one in the article is a pretty good example: it attacks PHP apps that can't grok the query strings properly. Personally I regard that sort of vulnerability in this day and age as an incompetent or lazy web developer. Honestly it's stupid easy to escape special characters in query strings in pretty much any language that would be dealing with them.
My servers have come under SQL injection attacks several times a day for several years now and never been compromised. Why? Because I teach my apps how to cleanse their input so the attacks are stripped out of the input before it goes into a query. I consider this to be as basic as using whitespace in your code.
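The query-string-into-SQL bug class sisk is talking about, as an added example in Python (not sisk's code and not the worm's target application): the query string is decoded properly with the standard library, and the decoded value is then either spliced into the SQL text (the vulnerable form) or passed as a bound parameter (the safe form). The example uses parameterised queries, which keep the value out of the SQL text altogether, rather than stripping characters from it. The table, its rows and the hostile query string are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory table for the demonstration; not data from any real device or app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def name_from_query_string(query_string):
    """Decode the URL query string (percent-escapes, '+' as space) and take one parameter.
    Decoding handles the special characters of the URL; it does nothing to protect the SQL."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("name", [""])[0]


def lookup_vulnerable(conn, query_string):
    """The bug class: the decoded value is spliced into the SQL text, so a quote in the
    value ends the string literal and the rest of the value becomes SQL."""
    name = name_from_query_string(query_string)
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, query_string):
    """Parameterised form: the value travels as a bound parameter, never as part of the
    SQL text, so nothing in it can change the shape of the statement."""
    name = name_from_query_string(query_string)
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile query string; it decodes to: x' OR '1'='1
    hostile = "name=x%27+OR+%271%27%3D%271"
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every row comes back
    print("safe:      ", lookup_safe(db, hostile))         # no row is named x' OR '1'='1
```

Run as a script it prints all three rows for the vulnerable lookup and an empty list for the safe one; the same decoded value, handled the second way, is just a name that matches nothing.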
-
Thursday 28th November 2013 20:54 GMT Charles Manning
Sorry AC, Windows CE ain't Windows
"The Windows kernel already scales down to for example mobile phones (and is more efficient and less memory hungry than say Android)..."
Having spent years working deep in the Windows CE OS and in Linux (writing drivers etc for both), I can assure you that Windows CE might be able to run with less memory, but is incredibly inefficient in CPU usage.
Windows CE is also very stunted. It is not scaled down Windows but an entirely different kernel that lacks most of the Windows services and has a completely pathetic security model.
-
Friday 29th November 2013 09:52 GMT Anonymous Coward
Re: Sorry AC, Windows CE ain't Windows
"Having spent years working deep in the Windows CE OS and in Linux <Crap snipped>"
My condolences, but who said anything about Windows CE. The conversation is about the current Windows kernel used in Xbox One, Windows Phone, Windows 8.1, Server 2012 R2, etc....
-
Thursday 28th November 2013 12:03 GMT TheVogon
"Yes, because IIS exploits are of course largely theoretical..."
IIS has a very good security record - one of the more secure platforms....current versions (IIS 8 / 8.5) have zero known vulnerabilities I believe....and before that you have to go back years to find anything that affected a default installation of an IIS webserver...
As per website defacement statistics - you are several times more likely to be hacked running say Linux....
-
Thursday 28th November 2013 12:25 GMT Chemist
"Richto was my previous name on here - changed because of confusion it was some sort of boast about wealth - not a new account"
Most regulars know that - apart from anything else your tedious style, idiotic references that often actually disprove the point you are trying to make and general pro-Windows, anti-Linux rants are rather obvious even when posting as AC
-
Monday 2nd December 2013 00:25 GMT Anonymous Coward
Re: Only if you're a Windows Administrator who doesn't know how to configure a *NIX type OS.
@sabroni
Ah, it makes sense now. It's the Windows Administrators that are responsible for all the Linux defacements....
Are you sure about that?
Only I know several Windows administrators who are quite capable of correctly configuring a *NIX type OS, I even know some who have qualifications in configuring both Linux and Windows systems.
-
Thursday 28th November 2013 17:12 GMT Anonymous Coward
Not hard to explain..
"As per website defacement statistics - you are several times more likely to be hacked running say Linux...."
A quick glance at any actual statistics tells you exactly why that is - there are 4 times more Internet-facing websites running HTTP servers on open source platforms than there are running IIS on Windows. Malware writers target popular platforms; on the desktop that is Windows, in the web server market that means LAMP, and increasingly, LEMP (and lest we forget the goal of those server compromises, the aim is to target Windows boxes with appropriate malware payloads). Sorry to disappoint, but it's not a reflection on the security of Windows or Linux, only a reflection of their popularity in a market.
-
Thursday 28th November 2013 20:42 GMT Anonymous Coward
Re: Not hard to explain..
"A quick glance at any actual statistics tells you exactly why that is - there are 4 times more Internet-facing websites running HTTP servers on open source platforms"
I guess you missed the part that said:
(Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)
And actually for LAMP to IIS it's under 2:1 - as per the latest Netcraft survey, IIS is on 24.1% and Apache is on 44.33%...
-
Friday 29th November 2013 09:07 GMT Anonymous Coward
Re: Not hard to explain..
"I guess you missed the part that said: (Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)"
I guess you missed it too because there's no reference to market share to be found in the article you cite. The only mention of it is by you in your post, which makes it an opinion, not a source. The other problem is that you cited an article where Zone H break down the defacement stats THEY have by OS.
Three million-odd Linux defacements recorded on Zone-H since 2000? - no doubt there are many millions more compromises of other types every year as not every attacker is an immature script kiddy out to boast. Still, even if you were to (incorrectly) assume a similar rate for EVERY year Linux has ever existed, the Bredolab Windows botnet alone makes that figure pale into insignificance. 30 million compromised machines, in one botnet, in one year.
http://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets
Whether part of a Botnet or not 58 million PCs were infected in the US alone last year, and you can be certain the number of PCs involved that were not running Windows was a very small number indeed. That's why market share matters:
http://www.darkreading.com/privacy/consumer-reports-58-million-us-pcs-infec/240154081
I don't like being rude, but you're cherry-picking figures out of context and ignoring the huge volume of other types of compromise. You are to put things bluntly, talking rubbish.
Computers are usually compromised because of decisions made (or not made) by humans, whether that's the decision to set a good password or to not bother patching OSes and updating AV signatures, or not following good coding practice in the kernel or on the web server. When that is the default situation, how secure an OS is becomes almost irrelevant in the face of failure to apply common sense to security.
-
Friday 29th November 2013 11:02 GMT Anonymous Coward
Re: Not hard to explain..
"there's no reference to market share to be found in the article you cite. The only mention of it is by you in your post, which makes it an opinion, not a source."
Perhaps you could just Bing it? I then named the source - as you are clearly a bit of an idiot, here is a URL: http://news.netcraft.com/
"Bredolab Windows botnet alone makes that figure pale into insignificance. 30 million compromised machines"
Those are client PCs infected by user interaction - not servers infected by remote exploits which we are discussing here - completely different scenario...
"but you're cherry-picking figures out of context and ignoring the huge volume of other types of compromise"
You are the one taking things out of context and are spouting irrelevant rubbish. We are discussing worms / remote exploits here - not user interaction based exploits. However if you want to consider how Linux would cope in that scenario if it ever made it over 1% market share on the desktop, just look at the Malware infected mess that is Android...
-
Friday 29th November 2013 17:46 GMT Anonymous Coward
Re: Not hard to explain..
"Perhaps you could just Bing it? I then named the source - as you are clearly a bit of an idiot, here is a URL: http://news.netcraft.com/"
Searching news.netcraft.com for 'market share' in any context results in 235 hits. None of them appear to refer to market share in the context of vulnerabilities in the Linux kernel. So again, cite your source. Also thanks for the insult, always a good indicator when a certain variety of person knows their argument has had the legs knocked out from under it.
"Those are client PCs infected by user interaction - not servers infected by remote exploits which we are discussing here - completely different scenario..."
There are 42000-odd cases for 2010 in the report you cite which used unpatched vulnerabilities as their vector - there is no indication how that breaks down by OS. By comparison the five places above that and amounting to almost 1m defacements are all directly related to human error, just as clicking on an infected attachment or visiting compromised sites, resulting in Botnet client infection is an example of human error. Enough with the nonsense - either cite the actual source you're using or admit it doesn't exist.
"We are discussing worms / remote exploits here - not user interaction based exploits."
Then stop using user-based issues in your claims, because the majority in the article you did cite are the result of actions by a human.
"However if you want to consider how Linux would cope in that scenario if it ever made it over 1% market share on the desktop, just look at the Malware infected mess that is Android..."
Android is not a Linux distribution, stop changing the subject again.
-
Thursday 28th November 2013 23:24 GMT sisk
Or Windows Server for anything Internet facing. Both have far lower vulnerability counts than a LAMP stack....
First, that's only true if you count the vulnerabilities for every package in a given distro's repository, which is the equivalent of counting every single vulnerability in every single application available for Windows. No system runs every package in its distro's repository. In fact even attempting to do so would be an exercise in frustration. Try having two wireless management systems that compete for the same resources for example.
Second, even if it were true of just the core files needed to get a Linux system off the ground a vulnerability count is a meaningless number when taken on its own. More important factors are severity, access, and time to patch. Go learn a little about security before you try to comment on it.
-
Friday 29th November 2013 10:48 GMT Anonymous Coward
"First, that's only true if you count the vulnerabilities for every package in a given distros repository, which is the equivalent of counting every single vulnerability in every single application available for Windows"
Nope - Jeff Jones already proved numerous times that this is still true even in a "package adjusted" Linux distribution to match Windows - with Linux there are far more vulnerabilities, and far more critical vulnerabilities that on average take longer to be fixed (more days at risk)....
-
Friday 29th November 2013 11:36 GMT Anonymous Coward
Re: Jeff Jones already proved numerous times
"Jeff Jones already proved numerous times"
Says who (other than the Jeff Jones fan club)?
That would be Jeff Jones, Microsoft's Director of Trustworthy Computing, would it?
Same Jeff Jones who was claiming in 2007 that, after a whole six months out in the wild, Vista was more secure than Linux and OS-X?
Feel free to quote any more recent references you feel may clarify matters, but in the meantime here's one from 2007, from http://www.pcmag.com/article2/0,2817,2149851,00.asp
"According to the numbers given in a new report from Microsoft, Windows Vista has blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest amount of serious security vulnerabilities in the six months since its release. The numbers were compiled by Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group.
"The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL [Secure Development Lifecycle] and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process)," Jones wrote in a blog posting about the report on June 21. " (continues)
Jones' blog article:
http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report
-
Thursday 28th November 2013 11:39 GMT Anonymous Coward
Update the firmware
I'd love to if the support from most major router vendors wasn't complete shit, specifically I'm looking at you Netgear for failing to patch reported bugs and security holes. It's sell us a router then fuckety-bye. Given that a router is such an important piece of the security chain I would like to see mandatory five year bug and security updates legislated for.
-
Thursday 28th November 2013 17:37 GMT Anonymous Coward
Re: can't see Symantec launching AV for STBs
"I can't see Symantec launching AV for STBs....Don't think there is particularly a commercial angle here..."
You can't see it, I can't see it, but apparently McAfee convinced Intel that Intel needed an AV company, so Intel bought McAfee (the company).
Maybe Symantec want a share too.
-
Friday 29th November 2013 09:34 GMT Alan Brown
"What does that mean "may" be available"
It's a PHP exploit - that part is portable. It would need to be crafted to target other CPUs.
PHP and wikis are the stuff of nightmares from a security standpoint. I'm sure a 3-year-old using Duplo could produce better code than a lot of the "authors" out there.
-
Thursday 28th November 2013 13:15 GMT diodesign
Re: Is it 1998 already
Spreading Linux worm; not exactly common. Targeting crappy home broadband kit defaults (which your parental unit hasn't changed). Potential for far worse damage. Article not blowing it all out of shape. World dodges a bullet because this odd worm targets x86 not ARM in the wild.
Situation normal but interesting enough for an article I think :-)
C.
-
Thursday 28th November 2013 13:27 GMT Chemist
Re: Is it 1998 already
"Spreading Linux worm"
Not exactly spreading - infects via php vuln, so it needs a running webserver to allow the infection, and then it tries to infect, using a binary from a single, known server, any other networked webserver using a small, motley collection of usernames/passwords. After that where does it go ?
Even Symantec rate it low
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Deletes Files: Deletes files.
Distribution
Distribution Level: Low
Agree that it may yet be the tip of the iceberg but the real problem is poor passwords on devices
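One way to catch the credential-guessing step Chemist describes on a device's own web log, as an added example in Python (not Symantec's analysis and not the poster's code): it groups POSTs to the login handler by source address, flags a source that cycles through several distinct usernames in a short window, and records whether a login from that source succeeded afterwards, which is the case worth waking someone for. The log format (common log format with the attempted username appended), the login path, the thresholds and the log lines themselves are all constructed for the example; adjust the regex to whatever the device actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: common log format plus a trailing user="..." field. Assumption, not a
# real device's log layout.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ user="(?P<user>[^"]*)"$'
)

# Constructed sample: one source sweeping four usernames then logging in, one normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2013:12:44:17 +0000] "POST /login.cgi HTTP/1.1" 401 312 user="admin"
10.0.0.5 - - [28/Nov/2013:12:44:18 +0000] "POST /login.cgi HTTP/1.1" 401 312 user="root"
10.0.0.5 - - [28/Nov/2013:12:44:19 +0000] "POST /login.cgi HTTP/1.1" 401 312 user="user"
10.0.0.5 - - [28/Nov/2013:12:44:20 +0000] "POST /login.cgi HTTP/1.1" 401 312 user="support"
10.0.0.5 - - [28/Nov/2013:12:44:21 +0000] "POST /login.cgi HTTP/1.1" 200 1245 user="admin"
192.168.1.20 - - [28/Nov/2013:12:50:02 +0000] "POST /login.cgi HTTP/1.1" 401 312 user="alice"
192.168.1.20 - - [28/Nov/2013:12:50:09 +0000] "POST /login.cgi HTTP/1.1" 200 1245 user="alice"
192.168.1.20 - - [28/Nov/2013:12:50:10 +0000] "GET /status.cgi HTTP/1.1" 200 900 user="alice"
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_credential_sweeps(lines, login_path="/login.cgi", min_users=3, window_seconds=120):
    """Return {source: finding} for sources that failed logins under at least min_users
    distinct usernames within window_seconds. Thresholds are assumptions for the example."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["status"] == 401]
        users = sorted({r["user"] for r in failures})
        if len(users) < min_users:
            continue
        span = (failures[-1]["ts"] - failures[0]["ts"]).total_seconds()
        if span > window_seconds:
            continue
        # A 200 on the login handler after the sweep means one of the guesses worked.
        success_after = any(r["status"] == 200 and r["ts"] > failures[-1]["ts"] for r in recs)
        findings[src] = {
            "failed_attempts": len(failures),
            "usernames": users,
            "span_seconds": span,
            "success_after_sweep": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_credential_sweeps(SAMPLE_LOG).items():
        print(src, finding)
```

The distinct-username count is what separates a worm working through a short credential list from a legitimate user mistyping one password; the "success after sweep" flag is the difference between an attempt and a compromise.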
-
Thursday 28th November 2013 14:16 GMT TheVogon
Re: Is it 1998 already
"Not exactly spreading - infects via php vuln, so it needs a running webserver to allow the infection, and then it tries to infect, using a binary from a single, known server, any other networked webserver using a small, motley collection of usernames/passwords."
Sounds like spreading to me
"After that where does it go ?"
To more similarly vulnerable devices presumably....
-
Thursday 28th November 2013 20:28 GMT Adam 1
Re: Most folk are not El Reg readers
> anyone who allows that probably shouldn't be allowed to configure a web server.
Not to discount your correct statement, but we are talking about embedded devices here and manufacturers at the moment seem more interested in recording what channel our TV is playing to "improve our experience" than good security practices.
When was the last time you upgraded your router's firmware? Yeah it didn't work for mine either. Just saying.
-
Friday 29th November 2013 09:06 GMT The BigYin
Re: Most folk are not El Reg readers
"we are talking about embedded devices here and manufacturers at the moment seem more interested in recording what channel our TV is playing to "improve our experience" than good security practices."
And that's what a firewall is for. The TV can still send its snoop report, but it is not public facing.
-
Thursday 28th November 2013 13:29 GMT Callam McMillan
Re: Wiping a load of system files?
The domestic routers that I have seen are upgradable, therefore will have some form of flash. It may therefore be possible for a malicious piece of software to overwrite core parts of the software on the EEPROM to disable access and persist across reboots / factory resets.
-
Thursday 28th November 2013 13:26 GMT regadpellagru
wrong argument police caught you
"However, home internet kit with x86 chips are few and far between – most network-connected embedded devices are powered by ARM or MIPS processors – so the threat seems almost non-existent."
Hmmm, there is a bit of merit to this argument but not a lot.
First, a PHP exploit can and will move to ARM and MIPS.
Second, x86 being outside da net of things is a rapidly vanishing argument, seeing how some NAS vendors are moving to x86 these days, like Synology for example, who is discontinuing ARM in favor of x86 for better virtualisation support.
-
Thursday 28th November 2013 17:44 GMT Anonymous Coward
Re: ironically
"building your own router which almost certainly would use an x86 chip"
You're utterly insane (or trolling, ie both).
There are plenty of homegrown router firmwares available for those who want to use existing SoHo router hardware with different firmware. You could use one of those as a starting point for a DIY setup. How many of those are x86 based?
There are plenty of low cost ARM based compute engines intended for things other than routers which use a handful of watts and therefore a few cents worth of electricity per day. An x86 solution would either be based on readily available x86 kit (desktop, laptop) costing ten times as much to run because of electricity costs, or it would be based on one of a tiny handful (comparatively) of x86 boards aimed at the "embedded PC" market, which cost a fortune (comparatively) to buy.
Insane, I tells you.
-
Friday 29th November 2013 15:14 GMT Anonymous Coward
Re: ironically
"You can mitigate this by building your own router which almost certainly would use an x86 chip. "
Did you know that the vulnerability referenced in the zone-h defacements article now being touted as 'look how vulnerable Linux is' testimony was *only* applicable on x86 boxes? Not ARM, not MIPS, not PowerPC, not SPARC (etc). Only applicable on an x86-64 box running an x86-64 Linux of a particular version range, running a widely used x86-32 app stack.
You didn't know? Thought not.
Insane, I tells eee.
-
Thursday 28th November 2013 16:02 GMT TopOnePercent
Attackers IQ
Given this is the 25th anniversary of the Morris worm, I thought I might take a moment to divide the warring clans (*nix Vs Win).
The central issue with Windows security was always that at the end of installation there was a button saying "Finish" when what it should have said was "Start configuration". Later versions of the OS are fundamentally more secure out of the box, but still have further to go.
I'm not wholly convinced one stack is more or less secure than another, as both are weak when poorly implemented, and both can be mostly secure (can anything connected ever be wholly safe?). What I have noticed, down a long career, is that *nix attacks frequently have a more cerebral context than the majority of script kiddie / tools based attacks that typify a Windows attack.
I'd say the new worm definitely fits the more cerebral mould of the Morris worm than a toolz attack by the l33terz?
My career turned out Windows based, by the way, before anyone gets upset and mistakes my comments regarding the IQ of *nix attackers Vs Windows attackers for being a comment on their users' IQ.
-
Thursday 28th November 2013 21:02 GMT Charles Manning
Snake Oil Salesman gotta sell oil
If it runs on x86 and needs PHP, it won't threaten home routers or IoT. None of these use x86 or PHP.
It would be interesting to dig deeper to understand if the threat could even theoretically manifest on other architectures or embedded systems, many of which lack the resources (both software and hardware) for some exploits to happen.
-
Friday 29th November 2013 12:50 GMT Anonymous Coward
Re: Public-facing webserver?
The thing is that all the routers I've ever come across only allow access to the web-based admin interface from the internal LAN, and not from outside or even from WiFi...?
The router I have at home is about the most basic, and it's over 10 years old (it's a Belkin). I've seen quite a few others in my time as well.
-
Friday 29th November 2013 13:24 GMT Chemist
Re: Public-facing webserver?
"The thing is that all the routers I've ever come across only allow access to the web-based admin interface from the internal LAN"
Some do and indeed are set by default to allow access from outside - very dangerous esp. with poor default username/password. I manage mine when away from home (~1/2 the year) by ssh into the system to my fileserver and admin the router from there. The ssh port, which is the only exposed port, is a non-standard one, the only username allowed is very unusual and the password is 20 hideous digits. In 10 years I've never had a port scan that hit the ssh port although I used to get lots going for 22 until I blocked most low ports off at my ISP
-
Friday 29th November 2013 02:53 GMT Henry Wertz 1
"> But the security company warns that ARM and MIPS flavours of the Linux worm may be available,
What does that mean "may" be available? There "might" also be a new supervirus capable of destroying mankind. There "may" also be no need to purchase anything from Symantec."
I took it to mean the exploits of PHP are not relying on code injection or stack smashing or the like that is platform-specific, and the x86 ELF binary it is currently pulling also is not doing anything x86-specific. So, the exploit could just as easily try MIPS and ARM binaries as well.
-
Friday 29th November 2013 09:02 GMT The BigYin
How?
Surely this requires access to a public site? Surely any public site is in a DMZ and heavily firewalled from the local network?
People shouldn't run their routers with remote admin available (unless they know what they are doing). People should also disable UPnP on the router's firewall to prevent remote access.
As this is all either default/most-basic-of-basics, how is this worm any threat?