The Mental Militia Forums


Author Topic: New Linux worm - EEEK!  (Read 1821 times)

MamaLiberty

  • Administrator
  • Sr. Member
  • Posts: 25985
  • Non aggression, self ownership
    • The Price of Liberty
New Linux worm - EEEK!
« on: December 01, 2013, 07:38:30 am »

Can you geeks please translate this for the rest of us. Sounds very ominous, but maybe I'm overreacting.

New Linux worm targets routers, cameras, “Internet of things” devices
Too many Internet-connected devices run code that's woefully out of date.
http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-cameras-internet-of-things-devices/
The lust to control the lives and property of others is the root of all evil.

Bear

  • Sr. Member
  • Posts: 7943
  • Curious Bear
Re: New Linux worm - EEEK!
« Reply #1 on: December 01, 2013, 11:21:54 am »

The problem is that cheap/lazy developers have made products with obsolete
software and not allowed an upgrade path to fix it. Combine that with consumers
who are not inclined to set passwords, and you have an open door.

As a consumer, the solution is simple.

1. When you buy a gadget like a router, read the box to see if it can
    be updated later. If you can't tell, ask a sales droid. If they don't know,
    go somewhere else with competent help.

2. When you get the device home and install it, CHANGE THE PASSWORD
    to something you can remember, and then write it down and put the paper
    in the box it came in. (And save the box).

3. If the device supports encryption, use it.

4. If the device has options you don't think you'll need, turn them off.

Bear
"There is no good idea so perfect, so pure,
that Government can't do it badly."
-- Bear

MamaLiberty

Re: New Linux worm - EEEK!
« Reply #2 on: December 01, 2013, 11:53:16 am »

Ok, but can you list a few of the "devices" you're talking about? I'm not sure if I even have any. My DSL box was installed by the phone company, and belongs to them. I know it has a "password" it gives to the ISP, but know nothing else about it.

Bear

Re: New Linux worm - EEEK!
« Reply #3 on: December 01, 2013, 06:38:37 pm »

> Ok, but can you list a few of the "devices" you're talking about? I'm not sure if I even have any. My DSL box was installed by the phone company, and belongs to them. I know it has a "password" it gives to the ISP, but know nothing else about it.

I don't think your DSL box has an x86 chip in it, so the vulnerability does not currently apply.
If you have questions about it, you can call them (tech support) and ask. I'm not sure what
anyone would get out of this to a DSL box.

Truth be told, most of the things this applies to most of us are not likely to have, other than
a network router, or maybe a webcam (maybe).

Bear

Adventurer, Explorer, Inquiring Mind.

  • Given up.
  • Sr. Member
  • Posts: 3222
Re: New Linux worm - EEEK!
« Reply #4 on: December 02, 2013, 02:40:40 am »

> Can you geeks please translate this for the rest of us. Sounds very ominous, but maybe I'm overreacting.
>
> New Linux worm targets routers, cameras, “Internet of things” devices
> Too many Internet-connected devices run code that's woefully out of date.
> http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-cameras-internet-of-things-devices/

As one of the users said "in other words, check the dd-wrt compatibility list".

I am inclined to agree, though your typical user won't be able to navigate the entirety of a dd-wrt setup in one afternoon.  DD-WRT is enterprise grade, actually, if run by the right user on good high end consumer hardware.  ("small" enterprise, but you'd be amazed what you can do with a good extended network of wireless APs acting as controllers and plain APs.)

I will second the fact that your everyday Linux box is highly unlikely to get nailed, especially with proper iptables setup and its updates done, and unless you're running a server, most of your worries are small, as your attack footprint is tiny by comparison.
Understeer is when you hit the wall with the front of the car and oversteer is when you hit the wall with the rear of the car.
Horsepower is how fast you hit the wall, torque is how far you take the wall with you.

MamaLiberty

Re: New Linux worm - EEEK!
« Reply #5 on: December 02, 2013, 05:50:55 am »

> Truth be told, most of the things this applies to most of us are not likely to have, other than
> a network router, or maybe a webcam (maybe).

Thanks, Bear. I won't worry about it then. :)

Bear

Re: New Linux worm - EEEK!
« Reply #6 on: December 02, 2013, 11:14:27 am »

> > Truth be told, most of the things this applies to most of us are not likely to have, other than
> > a network router, or maybe a webcam (maybe).
>
> Thanks, Bear. I won't worry about it then. :)

Thanks for the heads up, though. This was an issue I hadn't considered.

Bear

Adventurer, Explorer, Inquiring Mind.

Re: New Linux worm - EEEK!
« Reply #7 on: December 21, 2013, 10:23:34 pm »

> > > Truth be told, most of the things this applies to most of us are not likely to have, other than
> > > a network router, or maybe a webcam (maybe).
> >
> > Thanks, Bear. I won't worry about it then. :)
>
> Thanks for the heads up, though. This was an issue I hadn't considered.
>
> Bear

Firmware-driven, slowly updated, internet-connected devices are always at greatest risk.  The issue and risk is twofold.  First, there's the automatic update, and the chance that it either breaks or is hijacked and intentionally broken by attackers.  This happens.  Second is the manual update, and the risk that your user or his admin won't do it or even bother about it.  We're all guilty of this one.  Here's the next one... thirdly, there's that nastiest bit.  Company goes out of business and/or discontinues product support.  Donate some money to your favorite DD-WRT developer, or a few kind words.  If your discontinued device is supported by DD-WRT, you're in amazing luck.  Of course, you may as well be a Linux server admin to properly set up DD-WRT.  And way too many people just throw firmware on a router and don't configure / or outright misconfigure it.  Oh yeah, that was point 4 on the no-no list.

Microsoft is actually to be commended on this, since while they don't upgrade your OS the way RedHat or others might, they at least provide LONG critical updates support for their old versions.  You can still upgrade Windows XP for security issues.  That's pretty astounding.  But that is why you PAY for stuff.  So the manufacturer or code house will support it and be able to pay their guys to actually do it.  Free stuff is great, but in the end, many people just accept the free stuff, and don't even bother to pay lip service, never mind the occasional donation to someone who did them a boon.

While we're on the subject of unsupported free stuff, let's face it, this is the #1 failure of the open source movements.  We taught people that free code is okay.  We should have stressed FREE AS IN SPEECH but because everyone who ran a F/OSS project mostly distributed binaries, most everyday Shlomos got FREE AS IN BEER out of it instead.  Then they expected FREE SUPPORT too... because while growing up, most of us "helped" our friends and families with support... and later, as is the case with EVERY entitlement movement, they grew to feel themselves entitled to free support too.  When a kid says "hey, it'll be 75/85/95/100 bucks to clean out all those naughty porn site virus and trojan hits off your machine" the user got pissed.  "You used to do it for free!  You're just some kid, I ain't payin' you!" And went to Best Buy or Comp USA or Radio Shack, paid 100 bucks to put their machine on the bench, or 25/hour (with a minimum of 3 or 4 hours anyways, since most virus scans on a 300 to 500 gig drive with a smattering of everyday user files will take around that long to begin with.  Cleanup and restoration, another 50 bucks, and before they're done, that geek kid would've saved them money, but they were outraged because he had the AUDACITY to ask for money for what he used to do for free.)

And scenarios like that play out every day in America.  People expect you to do for a case of beer or a pizza, what any shop would charge two to three times more than your highest rate.  This is why we're stuck competing on price with guys in Hindustan, and then, after someone misunderstands their instructions because those guys speak Hindi-British hybrid English, and your client speaks good old boy amerikun english, you get contracted to "fix" the misunderstood design specs, but they want you to do it at the other guy's rate!

I see such shenanigans every day.  Seen them freelancing, seen them working a job, seen them everywhere.  And I've even seen unskilled dumbasses poison a client someone else is in discussions with, they proceed to put thousands of dollars of business data on a USB stick rather than proper backups, they later lose the data and blame YOU not the dumbass who poisoned that conversation and their own stupidity and greed that caused them to take that idiot's advice.  And they trash talk you halfway into the next county, as if YOU did it wrong!

And it doesn't stop at software, hardware and computing, either.  But this conversation is on that topic, so I just absolutely had to blow that one out of the water.  Used to piss me off to no end, living in the middle of nowhere, and some smartass dumbass comes up and tries to show off and show them a "cheaper" way to do a business data backup (oh yeah, I put my pr0n files on a usb stick, so you should put your irreplaceable business data on one too using a simple unverified copy and paste!)  These days, the moment they get ubercheap or want to have their nephew's niece's daughter "do it on the cheap" I smile, suggest that if they feel tempted to do that, they should indeed do that, (since I'm loath to get competitive or aggressive when dear darlin' little freebie giver is introduced, at which point they get emotionally invested, and I'm not in it to pay to soothe other people's feelings) and suggest that I probably have some of the near freebie hardware they want in stock, though I would personally do it differently if that were my money up for grabs.  (Hey, I run a server or two with multiple RAID containers of undisclosed configurations (let's say more than 6 drives) on varied and sundry power backups and such.)

I figure when (not if) the data gets lost or bungled, they'll call me if they have need of my services later, and that I am in business to provide a service AND make money while doing so (since the government won't stop taxing me for what I supposedly OWN, the water services guys won't pump my water for free nor anything along those lines just because I'm a really swell guy and give away my services to everyone), and that if they need my services or have further questions, I won't hesitate to take their call.  I'll say this, we, who worked on F/OSS projects and did all sorts of nerdery and geekage for free, shot ourselves in our own dumb ass feet by doing it for fun.  We can blame our commie teachers in school, or we can just blame ourselves.  In the end, the truth is, we did it to ourselves.  And it will take generations of smart geeks refusing to do freebies to clear that mess up.  (Might swap services or favors with someone, but free or donated labor for no reason is professional suicide, and you don't only hurt yourself, you hurt others too.)

So in reality, that's why you pay excessive amounts of money for support contracts and that's why you pay a few hundred to a few thousand for an enterprise grade managed switch or router, rather than a cheap 20 dollar home router, and that is why you shop good manufacturers with proven track records, but still keep an eye out that they are still on top of the ball.  So that you can get updates, upgrades and maintenance to your firmware.  That is also why you hire a competent admin who stays on top of your configuration, logs and traffic, and actually calls your suppliers and suggests or requests updates or fixes.  This is why you pay 3000 a year for a Red Hat support contract, rather than use CentOS (assuming your company makes money enough to pay for it, otherwise you risk it and support yourself only.)  That's why you get an Ubuntu server install and pay for the support contract from Ubuntu.  That's why you pay Novell for Suse Enterprise Linux.  So you can call someone and ask for an update, or a fix, and so you can find someone that knows what they are doing and stands behind their product.