Microsoft confirms Russian pill-pusher attack on its network Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals push Viagra, Human Growth Hormone, and other knockoff pharmaceuticals. The admission came in response to an article The Register published on Tuesday. It reported that two internet addresses belonging …
Linux does nothing special to keep an application from being compromised; it merely makes it unlikely for a compromised program to elevate itself to root privileges. This isn't as restrictive as it seems - it's entirely possible for an unprivileged program to do everything described in the article, provided it avoids most ports below 1024 or so(though I'm pretty sure that restriction's limited purely to receiving and that it could send to a low port without hassle).
I also wonder if the boxes in question were up to date with respect to patches. There has been some scary holes plugged in recent months.
By the way, keeping a Linux server up to date with respect to security patches is generally less hassle than doing so for Windows. In Windows, almost any patch requires a reboot, in Linux this is generally needed only for updates to the lowest-level components, like the kernel or libc.
According to the linked blog the compromised machine was being used as a DNS server. While i don't quite get the reasoning behind the attack described on the page I'm pretty shure that microsofts boxes where pwnd pretty hard. Given the excellent track record of their own operating systems security this is no big surprise.
Use Linux day in, day out, nothing better or worse about Linux than Windows. You stick stupid password like [blank] on the root or any other high admin user account, connect it to the big 'ole web and watch it get pwned 3 sec flat!
The best O/S is one configured correctly by someone who knows what they are doing. Even as a Penguinista, I would happily put a good Windows admin up against a Unix admin.
The trouble is the world and his wife use Windows at home, have for years, when they get in the workplace they put down on the CV that they can admin a Windows box, just 'cos they managed to find the network configuration dialogs in control panel! Then there are the muppets who think just 'cos they installed Windows Vista at home, configuring Windows server is the same thing.
A good, well trained Windows admin is the match for any system admin on any other system, there's just a lot more cowboys working in the WIndows field, so finding good admins is not easy.
Oh God I just stuck up for Windows, I feel all dirty now...
As a friend, former co-worker and fellow Windows engineer was fond of saying "Any idiot can run Setup!"
I am certain the percentage of Windows back office systems being installed by idiots is much higher than Linux. I've worked with a lot of Linux admins and by and large they are some smart folks. Thank goodness I get to compete against the Windows guys for jobs. :-)
Bill
(fixing Windows for 20+ years and loving it!)
No one ever said a badly configured box couldn't be pwned. In fact a badly configured *nix box is likely to offer more opportunity to the cracker than a windows box because windows protects you from being an idiot, whereas *nix assumes you know exactly what you're doing.
Of course as has been suggested, MS probably have excellent skills at securing windows and not much at securing *nix. So the box was likely not patched or configured with some insecure services running with bad config (like maybe NFS sharing the root filesystem to the world without mapping root to a different user, which is a common mistake).
If you want to get the "frother" community going, maybe we should mention that MS who WRITE their own operating systems, firewalls, mail, web and other software STILL feel the need to have Linux in their environment. Presumably because whatever they've paid millions to write and punt to the rest of the world isn't up to the job.
I don't think there is a single bit of software where MS haven't stuck their oar in, so what do they need Linux for? Unless their offering isn't actually any good... "Froth at will"
"...so what do they need Linux for?"
Testing to make sure Windows will talk to Linux and vice-versa..? A Linux client on a Windows domain, a Linux server in a Windows domain etc.
But I'd imagine you the sorta guy that keep quiet when you out a MS product doesn't work very well with a FOSS product...
This post has been deleted by its author
I'm not saying it's a conspiracy or anything, but I just think that MS would have given a higher priority to shutting down the compromised servers if they were running their own OSes rather than the enemy's. Of course, I also have to agree that MS probably doesn't understand Linux security very well, or they'd have gotten around to securing their own OSes, eh?
How about that Windows Phone OS, eh? Okay, so I shouldn't kick them when they're down--like that so-called OS.
Microsoft is note a monolithic entity, it's made of tens of thousands individuals.
Being blinkered into using and understanding only MS products is "probably" not a prerequisite to be employed there.
It's just a workplace. I'm 100% there are plenty of Linux, *BSD and *gasp* Apple enthusiasts employed at Microsoft, and many with deep understanding of those. These are techies after all.
People always read too much into these events. As suggested above, being a test environment it was probably configured with root/root as username and password or something similar. Accidents happen, lessons are learned.
"Microsoft is note a monolithic entity, it's made of tens of thousands individuals." off-topic but the same is true of any large organisation including governments.
When all's said and done it's individuals who make decisions and enforce policy. Those individuals (to use a time-worn phrase) put their trousers on one leg at a time like everyone else. They have bad days, careless moments or just don't know quite enough. Same as the rest of us. When designing complex systems you always need to bear that in mind.
Maybe MS do understand Linux security. In fact, I'd lay odds that they do (know your enemy and so on), but the user plugging the hardware in may not have known it had a public facing IP. Also, even if he did, it could have been an unpatched vuln in the firmware that the hackers were able to use.
Non of which excuses the three weeks it took them to respond.
It is not conspiracy, it is a very plausible explanation to a scenario that can only happen at Microsoft. This is aided by the fact that they did not remove the devices from their network for 3 weeks and only after the issue was in print, or on-line.
This was a lab experiment in a controlled environment, at Linux's arch enemy, designed to be discovered, compromised and consequently, exposed in media. There is only one beneficiary from this: Microsoft.
Of course these could have been standard Linksys (for example) DSL router boxes (running linux) rather than servers or PCs. That being the case, then the misconfiguration could simply have been to let in an unauthorised connection from elsewhere, rather than a fault or virus or rootkit etc.
Microsoft called the things "Network Hardware Devices", which sounds more like an ADSL router or some such to me than a Linux Server. These days most commodity network kit is running Linux, and sadly the people that throw together the firmware for these things are often reasonably clueless and rushed embedded hardware engineers, who have no interest in whether the result of their efforts is secure, as long as it provides the main functionality that they've been told to implement. Then they kick it out of the door and forget about it, more often than not failing to provide the board manufacturer with the source, thus setting the manufacturer up for a GPL violation case.
If MS had such a widget in their test lab, well that's no surprise, they were probably checking that uPnP worked on it or some such. Being in their test lab, it probably had the Admin/Admin password still set. I suppose, depending on what exactly they were testing, it's even reasonable that it had to really be plugged into the Internet with no intervening firewall.
The problem is likely to be that quite a lot of these devices default to having ports like FTP and Telnet open on the outside. That is the fault of the rushed engineer that knocked up the firmware. There is also the person that set the kit up, and probably didn't immediately check that it had no port open on the outside, and didn't bother changing the password. The only thing you can really blame Microsoft for is not tracking the problem down more quickly after they were told about it.
Trying to use any of this to draw conclusions about the security or otherwise of GNU/Linux in general is moronic.
There is nothing unreasonable about ill-informed internet ranting -- it is our human right to make broad sweeping judgements without full knowledge of the facts.
We thank the great demigod Berners-Lee for allowing our opinionated pub politics to be spread with the whole wide world. I will now sacrifice a mouse in his honour.
(Oh wait, someone's already nicked my mouse and reception have no spares...)
As well as not being able to design a secure system themselves they obviously don't know how to securely operate a real operating system.
Perhaps they should go to a forced training camp that can explain such things as iptables, IPS systems, etc
Or maybe they were running everything as root.... (like in windows)
I suppose it depends what you're testing but I'm surprised it's even possible to connect test machines to the outside world. We can but only by putting in a special request or going to the trouble of setting up a proxy on a machine that does have external access. Even then ordinary users have various standard ports (like 110, 25 etc) blocked. We had to set up an FTP server last year and we had to jump through a lot of hoops to get it visible outside our WAN. Since then we've even had two emails from IT asking if we still need the ports open.
Yeah, I'm pretty suspicious about the claim that it was in a testing lab.
What are the chances that this was down to some PHB buyng a shiny new router, and plugging it in in defiance of company policy, utterly failing to secure it, and then forgetting that they'd done it (hence making it difficult to find the thing)?
When such a scenario comes to light, do you:
a) declare that you have a moron in middle management, who plugged something unauthorised in near his desk (thus also admitting that your infrastructure has more general security issues).
b) describe the location as a test lab
You mean amidst what's gotta be the world's largest collection of Windoze servers teh n0rty h4x0rs chose to target a couple of the few Linux based appliances on offer?
The assembled lintards who were so quick to take the piss when the story broke so owe me a keyboard. Best laugh I've had in ages.
OK, 3 weeks is a little protracted, but you can figure a few days before anyone even processed the original message warning about the infected IP. (I'm betting M$ gets a lot of "warnings" and just sifting through all of them for real issues is a challenge. Once you start processing a given message, you still have to actually validate that it is actually legitimate). Once you know something is legitimate, you have to give it to someone to actually chase it down - 2 devices in a company that probably has a couple hundred thousand machines - that's pretty freaking trivial.
Also, If this thing was some sort of ADSL router / user appliance it is pretty small. They may have struggled just to identify the physical location of the hardware. I mean they should have been able to trace it back to the specific managed switch above it via the network. Of course once you know that specific switch, you have to locate it physically, which may be easier said than done in a building with a high density of network equipment. Once you identified the physical location of said switch and hopefully the associated physical port the devices were connected into, you stil have to trace it down to through any un-managed switches, network cabling, etc. (assuming there are no random wireless links thrown in there) - one bad installation contractor with a dyslexic technician and you have a cabling nightmare (I have experienced this first hand). Let's assume they get through all those hurdles fairly easily - have you guys ever seen a typical hardware testing lab? The guy looking for these pwnd devices likely didn't know what he was physically looking for - he just had an IP address. You could look over a small consumer device several times because you were thinking you were looking for a computer/workstation/server. (If you are a network admin used to managing Windows machines and you are looking for a malfunctioning "device" are you even thinking about a small consumer appliance running Linux?) Heck, that is of course assuming these units were even clearly visible in the testing lab - if they were small, their physical location could be obfuscated.
I'm betting 2 machines were a pretty minor worry in the grand scheme of things.
Q1-How come this doesn't happen to Red Hat, Canonical, Mandriva, Novel or Oracle...?
A1- Because it is in Microsoft's best interest to put on-line, Linux devices in a compromise-able state so we can all read about it.
Q2- How come "... the machines weren't unplugged from Microsoft's network until Tuesday, almost three weeks later, shortly after The Register article was published. "??
A2-See A1 and "...shortly after The Register article was published" : Mission accomplished.
Believe me, Microsoft's Marketing Engineers know exactly what they're doing.
Microsoft loves to invent new words for things already having inherently simple explanations, albiet using the real words that have been used, for some time, to describe those same things.
Whether or not you'd happen to understand my explanation of this long-standing practice of theirs, all that air-headed conceptual inventiveness of Microsoft's is just another approach to Microsoft branding - and I, for one, find it very distracting, let alone that i wonder how far it's crept in as to needlessly complicate the very designs of Microsoft systems.
There are so many comments here focused on the specific individual boxen involved in this event. Were they running Windoze or Linux? Was this really just an extraordinarily clever reverse psychology ploy by MS, trying to convince the world that Linux ain't safe? Was it probably next to impossible to track down the little bugger in a lab filed with a massive ugly tangle of wires? (Yes.)
But I just want to remind everyone that if you look downwards, with a microscope, looking for tiny details, all you are going to see is your shoes and a bunch of ugly worms. (No pun intended.) Everyone should instead raise their eyes, and look to the broader import of this story.
One or maybe two obscure machines got seriously futzed with. Yea so? Everybody wants to know: Who was the dumb ass engineer, or the dumb ass PHB, or the exceptionally clever marketing dept. person at Microsoft who plugged this box into the network without securing it. That's NOT what I want to know. I want to know: Where were the NETWORK security administrators? It really ain't that difficult to run Nmap, or even vastly more trivial tools, such as those I myself have written, and to find out in 15 minutes or less the IPs of all of the boxes on the whole of Microsoft's network that are responding to well-formed DNS packets sent to UDP port 53 and that SHOULDN'T be running any kind of DNS server. The same goes for TCP ports 22, 25, 80, 8080 and so on. This isn't rocket surgery. So where were the _network_ security dudes? Forget about the individual machines themselves. Think about the network, and _its_ overall security. Who was asleep at the switch who should have been watching THAT?
Furthermore, this whole thing is only news because it happened to be in Microsoft's IP space. That makes it at once funny, ironic, and tragic. But mostly gives up a vivid illustration of yet another important point that can only be grasped by raising your eyes and looking at the Bigger Picture.
The fact that this was Microsoft is really troubling, _not_ because they make 90% of everything the Universe of electronics runs on these days, but rather because Microsoft, as a company, can't give anybody the excuse that ``Oh, well, our company just makes ball bearings and so we are technologically naive, and we actually didn't have the first clue about how to secure our network, even if we had spend any time thinking about do that, we haven't/didn't.'' No, Microsoft can't say that they are naive or ignorant, or that they don't know diddly pooh about software or networking. That is the _other_ thing that makes this story poignant, and after we all get done laughing at Microsoft over this, it is the only thing that people should keep on thinking about, tomorrow and the next day and the next day. Because if this can happen to a Microsoft, which _does_ itself make and ship both software and networking products, then the inference that should be drawn... once you stop laughing at the small details of this event... is that this little event is really only the tip of the iceberg with respect to the Internet as a whole. I mean seriously... Do we think that the ``network security'' smarty pantses at companis that actually _don't_ make & sell software and networking stuff for a living are doing any better at catching or stopping stuff like this? I mean you know, the network security smarty pantses at garden variety ball bearing or widget manufacturers at places like, you know, General Electric or General Motors or Samsung or Sanyo or The China National Railway, or Tata, or other places that don't even make ball bearings, like The University of Alberta, or the Department of Education, or Ticketron, or Starbucks or whatever. Do we have any realistic hope at all that there are competent, knowledgeable, hard-working network security dudes and/or ladies at any of THOSE places who are routinely scanning their networks for this kind of network-visible anomaly? Don't bet your milk money on it! If Microsoft, which _does_ know something about software and networking, ain't finding and killing this kind of stuff on their own network, e.g. before some outside dude like me finds it, then you'd be dumb to believe that most, or even anything other than a tiny fraction of the other owners of big IP address blocks on the Internet are doing so either.
So virtually none of the holders of non-trivial IP address blocks on the Internet are even bothering to sweep their own networks (which can be done quite trivially) looking for this kind of ``That shouldn't be there'' stuff, either on a routine basis, or in most cases ever. And worse, even if some well-meaning white-hat like me comes along and does it for them... without spending months getting prior approval, in triplicate, signed off on by both legal and the CTO... then that act, unlike most others, *will* likely awaken the slumbering ``network security'' admins, who will thence immediately e-mail your provider _and_ the FBI and everybody else who will listen, to tell them all that you are really an evil hacker ``attacking'' them and that they will settle for nothing less than castration.
The bottom line is that with the exception of banks, the CEOs and other PBHs _everywhere else_ don't see spending money on securing the corporate network properly as a profit center, so they won't pay for it, and they won't even allow even the competent and caring local network admins to even try to do it as long as there are higher things on the priority list, like explaining to Sally down in accounting for the 87th time that no, the mouse DOES NOT plug in to the RJ11. (Important high priority task like that are obviously what the PHBs want their network ``engineers'' spending all of their time on, and if they want to work on securing the network, that's fine, but they have to do that on their own time, after they punch out for the day.)
Everybody should read the article that was put up right here today at TheReg and that quotes Richard Clark as saying that the current state of Internet security is ludicrous. He points out that we could probably secure the whole damn thing for only a fraction of the development costs of the next X-Box. He's right, but only in the engineering sense. Problem is that securing the Internet is really only 10% engineering. It is 90% politics and convincing PHBes in their own fiefdoms that they should even give a damn. One can only hope that pointing to the example of the BP oil spill might make them see things clearly. It is dramatically cheaper to clean up the mess _before_ you have a big corporate PR disaster sticking to you like a mat of tar.
P.S, If anybody who has at least a /20 wants a free scan of any kind... and you can't manged to just install Nmap on your own... call me or e-mail me. I'll try to help.
I'm with Ron Guilmette on this one -- I find it much more troubling that it took 3 weeks to bring down 2 boxes than that they were pwned to begin with. If this was a test lab (which it sounds like it was) probably they selected poor passwords -- the amount of ssh traffic trying dictionary attacks is truly astounding, and I don't know if any distro has something like denyhosts (that bans IPs temporarily that after too many failed login attempts) preinstalled.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
