* Posts by Steve Dommett

5 posts • joined 21 Jan 2008

Open source release takes Linux rootkits mainstream

Steve Dommett

@Ru

"Cunning tricks at the compiler level help catch coding mistakes, but it needs a thorough code audit to actually find all the flaws, some of which will be serious enough that no amount of voodoo will stop you getting rooted."

Yes, I couldn't agree more. My point was rather that on source-based distros everyone's binaries will be different enough to stymie many classes of attack, due the variety of features and options enabled at compile time and disparate version numbers involved. On binary distros everyone's binaries are likely to be identical, so an exploit targetting a specific distro is likely to work on the majority of machines running that distro.

@John Kelly

"Better get yer Mum to fit a lock to the basement window first ;)"

Next time I'm visiting I shall mention that to her, although I doubt it will affect the physical security of my many Gentoo servers which are all hundreds of miles away in secure hosting centres.

Steve Dommett
Linux

WTF?

It's all very well security researchers crafting malicious tools for their own benefit, but when they're packaged to be script-kiddie friendly does the damage not outweigh the benefit?

Immunity Inc. are based in Florida. As such, they are accountable under US law. If the yanks can extradite a UK resident (Gary McKinnon) for cracking, surely they are also capable of bringing someone to account who makes a rootkit toolkit to facilitate this crime? Or is being accessory to cybercrime not yet a felony?

I shall be interested to learn exactly what "burrowing deep inside a server's processor and availing itself of debugging mechanisms available in Intel's chip architecture" means. There have been several disclosures recently about exploits in CPUs' firmware. Obviously, a mere operating system is going to have trouble working around defects in the CPU's design and microcode. The vendors themselves need to release new microcode to resolve this. This vector of attack must be equally applicable to Windows, despite the whole GNUey nature of this disclosure.

Regardless, I shall be sleeping soundly tonight in the knowledge that my address space + stack randomised, hardened with mudflaps Gentoo servers will not be compomised by any attack aimed at less dynamic operating systems. Source-based distros FTW!

PS You're welcome to visit the UK's only realtime art demoscene exhibition: September 12th-14th, Sidmouth, Devon. http://www.sundowndemoparty.org/

FBI rings warnings over VoIP phishing cons

Steve Dommett

@kain preacher

I wouldn't be so confident. Sure, it can't be done via any well configured and administered carrier but you must realise it only takes one carrier (anywhere in the world) to not be so careful for you to be at risk.

Steve Dommett

@kain preacher

Not on any of the ISDN lines I've seen. You need to intruct BT before they will permit you to use even your inbound DDI numbers as outbound CLIs, as they are not enabled by default. Other carriers may differ in their default provisioning for PRI.

ISDN also carries two flags alongside each signaled number to indicate whether or not the supplied CLI is verified to be genuine, and something else closely related that I can't remember the details of currently.

Steve Dommett

VoIP?

Using standard PSTN telephony it's almost impossible to fake your CLI, so CallerID could previously be trusted. In fact at least one financial institution was known to use CallerID to automatically authenticate larger, frequent calling clients.

Using many VoIP providers it is still possible to (illegally) set your choice of CallerID, with no verification that you own the number in question. I'm pleased to report that Asterisk2Billing, a GPL VoIP routing & billing platform, already has the ability to limit customers to CallerIDs they're entitled to use.

For all our sakes let's hope the banks soon realise that authentication is a two-way street. My personal experience of trying to get my bank to tell me something a 3rd party wouldn't know before I divulged the password they sought involved the bank's operative becoming very uncooperative: "I'll just put a note you've refused to speak to us." "You misunderstand me. I'm quite happy to talk to you once you have proven you really are calling from my bank." "<click>"

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2022