* question about security
@ 2008-05-30 17:04 Justin Mattock
  2008-05-30 17:51 ` Matthew Hammer
  0 siblings, 1 reply; 8+ messages in thread
From: Justin Mattock @ 2008-05-30 17:04 UTC (permalink / raw)
  To: selinux

Hello; First I need to start with a status: SELinux seems to be
handling nicely with the latest git, and refpolicy. You guys really do
a good job.
Now for the question: I noticed reading the New York Times that
Comcast was hacked into, after reading the article I couldn't help but
ask the question
of "If comcast was using Linux with SELinux would this have happened".
So the question to SELinux is: If Comcast was using Linux, with
SELinux on their servers
would this attack have been prevented? What should Comcast have had
with their setup to better protect them from this type of
attack? (even though they probably use windows)
How would regular users and small businesses protect themselves from
this type of terrorism?
regards;
-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: question about security
  2008-05-30 17:04 question about security Justin Mattock
@ 2008-05-30 17:51 ` Matthew Hammer
  2008-05-30 18:57   ` Justin Mattock
  0 siblings, 1 reply; 8+ messages in thread
From: Matthew Hammer @ 2008-05-30 17:51 UTC (permalink / raw)
  To: Justin Mattock; +Cc: selinux

On Fri, 30 May 2008 17:04:41 +0000
"Justin Mattock" <justinmattock@gmail.com> wrote:

> Hello; First I need to start with a status: SELinux seems to be
> handling nicely with the latest git, and refpolicy. You guys really do
> a good job.
> Now for the question: I noticed reading the New York Times that
> Comcast was hacked into, after reading the article I couldn't help but
> ask the question
> of "If comcast was using Linux with SELinux would this have happened".
> So the question to SELinux is: If Comcast was using Linux, with
> SELinux on their servers
> would this attack have been prevented? What should Comcast have had
> with their setup to better protect them from this type of
> attack? (even though they probably use windows)
> How would regular users and small businesses protect themselves from
> this type of terrorism?
> regards;

My understanding of the comcast hack was that the hackers altered
Comcast's registration information with the vendor that registers their
domain. So no, the problem wasn't anything internal with comcast's own
system.

--
Matthew Hammer



* Re: question about security
  2008-05-30 17:51 ` Matthew Hammer
@ 2008-05-30 18:57   ` Justin Mattock
  2008-05-30 19:27     ` Daniel J Walsh
  0 siblings, 1 reply; 8+ messages in thread
From: Justin Mattock @ 2008-05-30 18:57 UTC (permalink / raw)
  To: Matthew Hammer; +Cc: selinux

On Fri, May 30, 2008 at 5:51 PM, Matthew Hammer
<matthewhammer89@gmail.com> wrote:
> On Fri, 30 May 2008 17:04:41 +0000
> "Justin Mattock" <justinmattock@gmail.com> wrote:
>
>> Hello; First I need to start with a status: SELinux seems to be
>> handling nicely with the latest git, and refpolicy. You guys really do
>> a good job.
>> Now for the question: I noticed reading the New York Times that
>> Comcast was hacked into, after reading the article I couldn't help but
>> ask the question
>> of "If comcast was using Linux with SELinux would this have happened".
>> So the question to SELinux is: If Comcast was using Linux, with
>> SELinux on their servers
>> would this attack have been prevented? What should Comcast have had
>> with their setup to better protect them from this type of
>> attack? (even though they probably use windows)
>> How would regular users and small businesses protect themselves from
>> this type of terrorism?
>> regards;
>
> My understanding of the comcast hack was that the hackers altered
> Comcast's registration information with the vendor that registers their
> domain. So no, the problem wasn't anything internal with comcast's own
> system.
>
> --
> Matthew Hammer
>

AAhh I see, the vendor that registers their domain.

-- 
Justin P. Mattock



* Re: question about security
  2008-05-30 18:57   ` Justin Mattock
@ 2008-05-30 19:27     ` Daniel J Walsh
  2008-05-30 20:29       ` Justin Mattock
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2008-05-30 19:27 UTC (permalink / raw)
  To: Justin Mattock; +Cc: Matthew Hammer, selinux

Justin Mattock wrote:
| On Fri, May 30, 2008 at 5:51 PM, Matthew Hammer
| <matthewhammer89@gmail.com> wrote:
|> On Fri, 30 May 2008 17:04:41 +0000
|> "Justin Mattock" <justinmattock@gmail.com> wrote:
|>
|>> Hello; First I need to start with a status: SELinux seems to be
|>> handling nicely with the latest git, and refpolicy. You guys really do
|>> a good job.
|>> Now for the question: I noticed reading the New York Times that
|>> Comcast was hacked into, after reading the article I couldn't help but
|>> ask the question
|>> of "If comcast was using Linux with SELinux would this have happened".
|>> So the question to SELinux is: If Comcast was using Linux, with
|>> SELinux on their servers
|>> would this attack have been prevented? What should Comcast have had
|>> with their setup to better protect them from this type of
|>> attack? (even though they probably use windows)
|>> How would regular users and small businesses protect themselves from
|>> this type of terrorism?
|>> regards;
|> My understanding of the comcast hack was that the hackers altered
|> Comcast's registration information with the vendor that registers their
|> domain. So no, the problem wasn't anything internal with comcast's own
|> system.
|>
|> --
|> Matthew Hammer
|>
|
| AAhh I see, the vendor that registers their domain.
|
Of course the next question is whether the vendor who registers their
domains had been running SELinux, could it be stopped, and there is a
good possibility.

Depending on the Version, SELinux prevents most buffer overflow attacks
on confined domains.



* Re: question about security
  2008-05-30 19:27     ` Daniel J Walsh
@ 2008-05-30 20:29       ` Justin Mattock
       [not found]         ` <367BE2FA995D5747B2E75B330734CA616BD237@MAILBE-LA17.lausd.net>
  0 siblings, 1 reply; 8+ messages in thread
From: Justin Mattock @ 2008-05-30 20:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Matthew Hammer, selinux

On Fri, May 30, 2008 at 7:27 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Justin Mattock wrote:
> | On Fri, May 30, 2008 at 5:51 PM, Matthew Hammer
> | <matthewhammer89@gmail.com> wrote:
> |> On Fri, 30 May 2008 17:04:41 +0000
> |> "Justin Mattock" <justinmattock@gmail.com> wrote:
> |>
> |>> Hello; First I need to start with a status: SELinux seems to be
> |>> handling nicely with the latest git, and refpolicy. You guys really do
> |>> a good job.
> |>> Now for the question: I noticed reading the New York Times that
> |>> Comcast was hacked into, after reading the article I couldn't help but
> |>> ask the question
> |>> of "If comcast was using Linux with SELinux would this have happened".
> |>> So the question to SELinux is: If Comcast was using Linux, with
> |>> SELinux on their servers
> |>> would this attack have been prevented? What should Comcast have had
> |>> with their setup to better protect them from this type of
> |>> attack? (even though they probably use windows)
> |>> How would regular users and small businesses protect themselves from
> |>> this type of terrorism?
> |>> regards;
> |> My understanding of the comcast hack was that the hackers altered
> |> Comcast's registration information with the vendor that registers their
> |> domain. So no, the problem wasn't anything internal with comcast's own
> |> system.
> |>
> |> --
> |> Matthew Hammer
> |>
> |
> | AAhh I see, the vendor that registers their domain.
> |
> Of course the next question is whether the vendor who registers their
> domains had been running SELinux, could it be stopped, and there is a
> good possibility.
>
> Depending on the Version, SELinux prevents most buffer overflow attacks
> on confined domains.

So if the vendor was protected with SELinux, the hacker would have had
to really work hard at trying to tweak the numbers
inside the vendor's computer to cause this (edit a file), or is it a
wire tap scenario, e.g. similar to arp spoofing.

-- 
Justin P. Mattock



* Re: question about security
       [not found]         ` <367BE2FA995D5747B2E75B330734CA616BD237@MAILBE-LA17.lausd.net>
@ 2008-05-31  0:34           ` Justin Mattock
  2008-05-31 12:47             ` Russell Coker
  0 siblings, 1 reply; 8+ messages in thread
From: Justin Mattock @ 2008-05-31  0:34 UTC (permalink / raw)
  To: Charles, Theodore; +Cc: Daniel J Walsh, Matthew Hammer, selinux

On Fri, May 30, 2008 at 10:10 PM, Charles, Theodore <txc5810@lausd.net> wrote:
> From what I've read, there was an exploit in the way Comcast registers and updates its DNS records with the domain registrar (I've already forgotten the name). And, it was this exploit that the "hackers" reported to Comcast, but Comcast ignored. Regardless, this is not a question of whether or not Comcast should be using SELinux or UNIX or Windows Server 2008 or <insert OS here>. This is a question of properly secured methods of communication between two computers on the Internet. I don't think that's applicable to SELinux in the general sense, because most policies deal with objects interacting with the local machine. I would suspect this is more applicable to something like ipfw / iptables / netfilter and possibly their interaction with the SELinux policies. If you really wanted to prevent anyone from connecting to your computer (and making it practically unusable), you could try something like this:
>
> iptables -A INPUT -i eth0 -j DROP (not tested)
>
> But then you'd pretty much have an unusable internet connected machine (well, technically, you'd still be able to connect out, but diagnosing network problems might be a pain). If I am wrong, please bring it to my attention. :)
>
> Last I noticed, Comcast is in fact back up, but I'm sure they're holding their tail between their legs, and let's hope this does not happen again.
>
>
> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov on behalf of Justin Mattock
> Sent: Fri 5/30/2008 1:29 PM
> To: Daniel J Walsh
> Cc: Matthew Hammer; selinux@tycho.nsa.gov
> Subject: Re: question about security
>
> On Fri, May 30, 2008 at 7:27 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Justin Mattock wrote:
>> | On Fri, May 30, 2008 at 5:51 PM, Matthew Hammer
>> | <matthewhammer89@gmail.com> wrote:
>> |> On Fri, 30 May 2008 17:04:41 +0000
>> |> "Justin Mattock" <justinmattock@gmail.com> wrote:
>> |>
>> |>> Hello; First I need to start with a status: SELinux seems to be
>> |>> handling nicely with the latest git, and refpolicy. You guys really do
>> |>> a good job.
>> |>> Now for the question: I noticed reading the New York Times that
>> |>> Comcast was hacked into, after reading the article I couldn't help but
>> |>> ask the question
>> |>> of "If comcast was using Linux with SELinux would this have happened".
>> |>> So the question to SELinux is: If Comcast was using Linux, with
>> |>> SELinux on their servers
>> |>> would this attack have been prevented? What should Comcast have had
>> |>> with their setup to better protect them from this type of
>> |>> attack? (even though they probably use windows)
>> |>> How would regular users and small businesses protect themselves from
>> |>> this type of terrorism?
>> |>> regards;
>> |> My understanding of the comcast hack was that the hackers altered
>> |> Comcast's registration information with the vendor that registers their
>> |> domain. So no, the problem wasn't anything internal with comcast's own
>> |> system.
>> |>
>> |> --
>> |> Matthew Hammer
>> |>
>> |
>> | AAhh I see, the vendor that registers their domain.
>> |
>> Of course the next question is whether the vendor who registers their
>> domains had been running SELinux, could it be stopped, and there is a
>> good possibility.
>>
>> Depending on the Version, SELinux prevents most buffer overflow attacks
>> on confined domains.
>
> So if the vendor was protected with SELinux, the hacker would have had
> to really work hard at trying to tweak the numbers
> inside the vendor's computer to cause this (edit a file), or is it a
> wire tap scenario, e.g. similar to arp spoofing.
>
> --
> Justin P. Mattock
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>

It sounds like a nice idea, but if there will be problems connecting,
and so forth then I'll pass, I was just wondering if they were using
SELinux
would this have been a better outcome.  As for what happened at
comcast, I really don't know, I just don't like hearing stories like
that, The positive side is the hackers exposed holes which can then be
fixed, but in this case the hackers exposed the holes, they just chose
to ignore them, (if this is the case) causing more of a wakeup call
later in time.
regards;

-- 
Justin P. Mattock



* Re: question about security
  2008-05-31  0:34           ` Justin Mattock
@ 2008-05-31 12:47             ` Russell Coker
  2008-05-31 14:54               ` Justin Mattock
  0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2008-05-31 12:47 UTC (permalink / raw)
  To: Justin Mattock; +Cc: Charles, Theodore, Daniel J Walsh, Matthew Hammer, selinux

On Saturday 31 May 2008 10:34, "Justin Mattock" <justinmattock@gmail.com> 
wrote:
> would this have been a better outcome.  As for what happened at
> comcast, I really don't know, I just don't like hearing stories like
> that, The positive side is the hackers exposed holes which can then be
> fixed, but in this case the hackers exposed the holes, they just chose
> to ignore them, (if this is the case) causing more of a wakeup call
> later in time.

http://en.wikipedia.org/wiki/Comcast
http://en.wikipedia.org/w/index.php?title=Comcast&oldid=216058661

According to the above page (I give the URLs for the latest page and the 
specific version that I cite) the comcast hack was based on "gained control 
of Comcast's domain management console at Network Solutions".

http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html

The Wikipedia page cites the above Wired article which says "the pair used a 
combination of social engineering and a technical hack to get into Comcast's 
domain management console at Network Solutions. They declined to detail their 
technique, but said it relied on a flaw at the Virginia-based domain 
registrar".

Sufficiently advanced/dedicated/lucky social engineering can get through 
almost any defence.  A majority of such attacks involve tricking someone into 
giving away their password.

It is claimed that there is a flaw with Network Solutions software but no 
evidence is presented.  If the claim is correct then there would be nothing 
that Comcast could have done in software as the problem would be some 
combination of Comcast people and procedures combined with NetSol software.

Web Apps are a problem area.  One question I have been asked a few times is 
about how to use SE Linux to secure a Web App that does something important.  
The question often is effectively "how can I make a program which is designed 
for the specific purpose of managing sensitive data not have the ability to 
mis-manage it".  The answer is that if you have multiple sets of data that 
you want to keep separate then you can do it, but if you have it all together 
then there's not much that can be done.

I do however have some ideas for ways that it might be possible to use SE 
Linux to improve the security of Wordpress, I'll have to blog about that.  
But first I want to get a proof of concept.  I expect that like most people 
the Wordpress developers aren't enthusiastic about suggestions like "here's a 
way that you could do a heap of work to solve something that you might not 
even consider to be a bug, I'm not even sure it'll work but I'll tell you 
anyway".

Finally one lesson that can be learned from Comcast is that if some data which 
is important to your operation unexpectedly gets changed to include profanity 
then you need to take it as proof of a serious problem which requires 
immediate action.  Also if someone who has no good reason to know your job 
calls you at home to discuss it then you should listen to what they have to 
say - once they have demonstrated that they have access to secret data you 
have to assume that there is more and you need to know what it is.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
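Russell's last point, that an unexpected change to operationally important data (here the domain's delegation, which lived in a registrar console) must be treated as an incident, can be turned into a routine check. The following is an added example, not code from this thread or from any project mentioned in it; the zone, nameservers and addresses are constructed placeholders, and the snapshots would in practice come from DNS or registrar API queries.

```python
"""Baseline drift check for a domain's delegation and address records.

Added example, not from the thread: a registrar-console hijack such as the
one discussed above shows up as the zone's NS (and then A) records changing
without a change ticket. Comparing each fresh observation against a
known-good baseline turns that into an alert. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    """Record sets observed for one zone at one point in time."""
    domain: str
    ns: FrozenSet[str]   # delegation (NS) records
    a: FrozenSet[str]    # A records at the zone apex


@dataclass
class Alert:
    domain: str
    rtype: str
    added: FrozenSet[str] = field(default_factory=frozenset)
    removed: FrozenSet[str] = field(default_factory=frozenset)

    @property
    def severity(self) -> str:
        # A delegation change means the registrar side moved, which is the
        # hijack signature; an address change alone is still serious.
        return "critical" if self.rtype == "NS" else "high"


def diff_rrset(baseline: FrozenSet[str],
               observed: FrozenSet[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Return (added, removed) relative to the baseline."""
    return observed - baseline, baseline - observed


def detect_drift(baseline: Snapshot, observed: Snapshot) -> List[Alert]:
    """One Alert per record type whose set differs from the baseline."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots describe different zones")
    alerts: List[Alert] = []
    for rtype, base, obs in (("NS", baseline.ns, observed.ns),
                             ("A", baseline.a, observed.a)):
        added, removed = diff_rrset(base, obs)
        if added or removed:
            alerts.append(Alert(baseline.domain, rtype, added, removed))
    return alerts


def format_alerts(alerts: List[Alert]) -> List[str]:
    """Render alerts as one line each, suitable for a log or pager."""
    return [f"[{al.severity}] {al.domain} {al.rtype}: "
            f"added={sorted(al.added)} removed={sorted(al.removed)}"
            for al in alerts]


# Constructed sample data (hypothetical zone, RFC 5737 / RFC 2606 names).
BASELINE = Snapshot("example.com",
                    frozenset({"ns1.example.net.", "ns2.example.net."}),
                    frozenset({"192.0.2.10", "192.0.2.11"}))
# Observation after a hypothetical registrar-side change of delegation.
HIJACKED = Snapshot("example.com",
                    frozenset({"ns1.rogue.invalid."}),
                    frozenset({"198.51.100.7"}))

if __name__ == "__main__":
    for line in format_alerts(detect_drift(BASELINE, HIJACKED)):
        print(line)
```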




* Re: question about security
  2008-05-31 12:47             ` Russell Coker
@ 2008-05-31 14:54               ` Justin Mattock
  0 siblings, 0 replies; 8+ messages in thread
From: Justin Mattock @ 2008-05-31 14:54 UTC (permalink / raw)
  To: russell; +Cc: Charles, Theodore, Daniel J Walsh, Matthew Hammer, selinux

On Sat, May 31, 2008 at 12:47 PM, Russell Coker <russell@coker.com.au> wrote:
> On Saturday 31 May 2008 10:34, "Justin Mattock" <justinmattock@gmail.com>
> wrote:
>> would this have been a better outcome.  As for what happened at
>> comcast, I really don't know, I just don't like hearing stories like
>> that, The positive side is the hackers exposed holes which can then be
>> fixed, but in this case the hackers exposed the holes, they just chose
>> to ignore them, (if this is the case) causing more of a wakeup call
>> later in time.
>
> http://en.wikipedia.org/wiki/Comcast
> http://en.wikipedia.org/w/index.php?title=Comcast&oldid=216058661
>
> According to the above page (I give the URLs for the latest page and the
> specific version that I cite) the comcast hack was based on "gained control
> of Comcast's domain management console at Network Solutions".
>
> http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html
>
> The Wikipedia page cites the above Wired article which says "the pair used a
> combination of social engineering and a technical hack to get into Comcast's
> domain management console at Network Solutions. They declined to detail their
> technique, but said it relied on a flaw at the Virginia-based domain
> registrar".
>
> Sufficiently advanced/dedicated/lucky social engineering can get through
> almost any defence.  A majority of such attacks involve tricking someone into
> giving away their password.
>
> It is claimed that there is a flaw with Network Solutions software but no
> evidence is presented.  If the claim is correct then there would be nothing
> that Comcast could have done in software as the problem would be some
> combination of Comcast people and procedures combined with NetSol software.
>
> Web Apps are a problem area.  One question I have been asked a few times is
> about how to use SE Linux to secure a Web App that does something important.
> The question often is effectively "how can I make a program which is designed
> for the specific purpose of managing sensitive data not have the ability to
> mis-manage it".  The answer is that if you have multiple sets of data that
> you want to keep separate then you can do it, but if you have it all together
> then there's not much that can be done.
>
> I do however have some ideas for ways that it might be possible to use SE
> Linux to improve the security of Wordpress, I'll have to blog about that.
> But first I want to get a proof of concept.  I expect that like most people
> the Wordpress developers aren't enthusiastic about suggestions like "here's a
> way that you could do a heap of work to solve something that you might not
> even consider to be a bug, I'm not even sure it'll work but I'll tell you
> anyway".
>
> Finally one lesson that can be learned from Comcast is that if some data which
> is important to your operation unexpectedly gets changed to include profanity
> then you need to take it as proof of a serious problem which requires
> immediate action.  Also if someone who has no good reason to know your job
> calls you at home to discuss it then you should listen to what they have to
> say - once they have demonstrated that they have access to secret data you
> have to assume that there is more and you need to know what it is.
>
> --
> russell@coker.com.au
> http://etbe.coker.com.au/          My Blog
>
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
>

Thanks for the response, after reading through I get mixed emotions,
but coming down to conclusions,
personally the hackers responsible should take more responsibility for
their actions and come out and admit
how they performed the attack, and so forth. (but then I would be
asked to get a reality check)
Overall it seems maybe they need a job. I can't tell you how many
people have told me "the only way to get a job in computers is to hack
into a big company, or government entity" I always responded "yeah
right fuck that shit",  "Don't do the crime if you can't do the time".
Anyways the best would be to learn from the mistakes, or holes in
this case and grow stronger.
regards;

-- 
Justin P. Mattock

