
Matasano hacked. A humbling lesson, even the pros are vulnerable. - olefoo
http://seclists.org/fulldisclosure/2009/Jul/0388.html
======
kevingadd
Why do people insist on giving these idiots the attention they want?

There's nothing valuable or productive about their inane, impossible-to-read
'hack logs' and they're not encouraging any sort of useful discussion.

It's just dick-waving, and it's stupid for people to continually post links to
their latest escapades on sites like HN and reddit.

I mean seriously. How can you feel good about linking to a thread that has
tripe like this in it?

"Death to the Jews, death to the whitehats. All parasites must be destroyed in
kind!"

------
viraptor
I disagree with the summary line completely...

What do you mean by "humbling lesson"? If anyone finds an unpatched flaw and
uses it to exploit some servers, then it doesn't matter who takes care of the
servers. It doesn't matter if it's ptacek or a random admin. It's a new,
unknown problem (if the claim about a 0day is real).

Also they're "hacking" the frontend web server. Is that post really
interesting in any way? They didn't get to any sensitive information (or
didn't publish it). They also didn't get into any personal system, so I doubt
there was any real harm done. (otherwise they would brag about it even more)

~~~
ankp
_What do you mean by "humbling lesson"? If anyone finds an unpatched flaw and
uses it to exploit some servers, then it doesn't matter who takes care of the
servers. It doesn't matter if it's ptacek or a random admin. It's a new,
unknown problem (if the claim about a 0day is real)._

The experts at Matasano should know better than to leave sshd internet-
accessible. That's what is humbling, because exposing the smallest possible
attack surface is exactly how you defend against an unknown problem, and
there's literally no good reason (besides laziness) to leave sshd exposed to
the public internet.

 _Also they're "hacking" the frontend web server. Is that post really
interesting in any way? They didn't get to any sensitive information (or
didn't publish it). They also didn't get into any personal system, so I doubt
there was any real harm done. (otherwise they would brag about it even more)_

Or, they simply didn't bother going further -- owning the front-end web server
is fairly embarrassing for a company like Matasano.

Quite a few individuals store their credentials on front-end web servers, or
even SSH to other servers from the front-end servers. Owning -any- server is
often a very big deal.

~~~
defen
I'm a bit confused - how are you supposed to ssh in if sshd is not internet-
accessible? If you're suggesting only allowing access through a VPN, what's
the advantage? Is a VPN significantly less likely to be exploitable than SSH?
Or are you saying that you should only be able to SSH in via the local
network?

~~~
ankp
_Is a VPN significantly less likely to be exploitable than SSH?_

Yes, for a few reasons.

First, a VPN provides defense in depth -- compromising a server now requires
finding _two_ unpatched vulnerabilities:

* You must find a vulnerability in the VPN implementation that allows you to leverage the VPN or the VPN host to forward your traffic.

* You must then find an additional vulnerability to use against the actual secured hosts made available over the VPN connection.

There should be a firewall between the VPN entry-point and your internal
networks, to limit access to unapproved services.

As a single point of entry, a VPN is also easier to secure. If all servers are
inaccessible except for approved services, then a single server running an
unapproved vulnerable service (or an account with a weak password or key) does
not open the door to immediate external compromise.

This single entry point also allows you to offset the likelihood of user
failure (such as choosing poor passwords) by using additional two-factor
authentication. RSA SecurID or PKCS#11 are often too heavyweight to use
every time you want to SSH into a host, but they're far more reasonable
for initially connecting to the VPN.
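
A defender-side check of the point ankp makes above, as an added example (it is not code from the thread, from Matasano, or from OpenSSH): a small Python audit of an sshd_config that flags sshd bound to a public address instead of the VPN tunnel, and password or direct root logins left enabled. The OpenVPN tunnel network 10.8.0.0/24 and the two sshd_config fragments are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample: sshd bound to every interface, password logins allowed.
EXPOSED_SSHD_CONFIG = """\
ListenAddress 0.0.0.0
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: sshd bound only to the OpenVPN tunnel address, keys only.
VPN_ONLY_SSHD_CONFIG = """\
ListenAddress 10.8.0.1:22
PasswordAuthentication no
PermitRootLogin no
"""

# Assumption: the OpenVPN tunnel hands out addresses from 10.8.0.0/24.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its values, in file order, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *rest = line.split(None, 1)  # 'Keyword value' form only
            conf.setdefault(key.lower(), []).append(rest[0].strip() if rest else "")
    return conf

def audit_sshd_config(text, vpn_net=VPN_NET):
    """Return findings that leave this sshd reachable or guessable from the public internet."""
    conf = parse_sshd_config(text)
    findings = []
    # sshd honours the first value of a keyword; with none set it binds every address.
    for addr in conf.get("listenaddress", ["0.0.0.0"]):
        try:
            ip = ipaddress.ip_address(addr.split(":")[0])  # drop an IPv4 'addr:port' suffix
        except ValueError:
            findings.append(f"ListenAddress {addr}: hostname or IPv6 literal, check by hand")
            continue
        if ip.is_unspecified or ip not in vpn_net:
            findings.append(f"ListenAddress {addr}: outside the VPN network {vpn_net}")
    # Both keywords default to the permissive value, so an absent line counts as enabled.
    if conf.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication: one weak password opens the host")
    if conf.get("permitrootlogin", ["yes"])[0].lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin: root reachable directly over SSH")
    return findings
```

Run it against a real sshd_config to see which of the thread's "one exploit, one bad password, one misconfigured host" doors are still open.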

~~~
iuguy
Not necessarily. What about exploiting VPN clients?
<http://www.zerodayinitiative.com/advisories/ZDI-09-024/>

There's also the configuration to consider. Using PSK or aggressive mode for
VPNs can be considered bad, but are you really going to deploy a full RADIUS
solution just to access a web server?

Compare this to using public-key-based auth on SSH; I know which one I'd
rather have for a web server.

~~~
ankp
_Not necessarily. What about exploiting VPN clients?_

IPSec is a disaster, one aspect of which is having a client daemon listening
on an open port for isakmp/ike key exchange.

 _There's also the configuration to consider. Using PSK or aggressive mode for
VPNs can be considered bad but are you really going to deploy a full RADIUS
solution just to access a web server?_

Provisionally "yes", but I'd actually use OpenVPN, wired into our existing
directory infrastructure.

 _Compare this to using public key based auth on SSH, I know which one I'd
rather have for a web server._

Why do you consider it a net win to reduce the entry barrier to only one
exploit, one bad user password, or one misconfigured host?

------
deno
My servers' SSH isn't publicly accessible; you first need to be logged in to
the VPN (OpenVPN). I don't know why Matasano couldn't secure their system like
this, especially when some "0-day SSH exploit" is circulating around the web.
And if you're paranoid (or a security expert on the warpath with the
whaddyacallthem anti-sec movement) you have even simpler ways to secure
yourself - port knocking, for example? Your system's weakest security link
should be human, not software.

~~~
sfk
I don't quite understand. What if there is an exploit for OpenVPN?

~~~
khafra
First, a VPN would best be used as an additional layer of security for the
whole network, not as a shell for one particular box. Second, a group very
publicly announced, by hacking imageshack, that they were going after full-
disclosure security blogs. A little later, they warned that they had an ssh
0-day. The prudent thing for a full-disclosure security blog to do would be to
put some additional security around their internet-facing ssh.

------
ddbb
Who says it was a 0-day attack? Looking at the output, it seems they
brute-forced the password of user adam...

So yes, even the pros can sometimes make mistakes.

~~~
hachiya
They made it appear that the exploit somehow was able to determine that a
user-level account with the name of adam existed. SSH shouldn't do this.

Then they made it appear that they were able to log in as adam, and the logs
don't make it look like a brute force.

Then they made it appear that somehow privileges were elevated from adam to
root, but did not provide any supposed log of how this was done.

~~~
olefoo
Well, the posted log could be a complete fabrication. It certainly doesn't
contain anything useful and may in fact be deliberately misleading.

I'm hoping that Thomas and the rest of the crew do perform an intensive and
public analysis of the exploit. It wouldn't surprise me if the break was in
Wordpress or one of the other application level programs.

------
jrockway
Who cares? It's not like they wrote or consulted on whatever was hacked, and
there isn't enough time in the day to write every piece of software you use
from scratch. This is what you get for writing your OS in high-level assembly.

------
hachiya
Since they are against disclosing vulnerabilities, it seems more likely that
these intruders did not gain access through an unknown SSH exploit, but some
other way. Once they had obtained root, they could paste some proof of being on the
system, and simply combine that with the top portion of their log which may be
completely fabricated to appear as a 0-day exploit.

Again, if there really is a SSH 0-day, why is an anti-disclosure group
revealing one exists?

~~~
devicenull
Saying that there is a vulnerability is nowhere close to revealing it. For
example, I can say that Windows has a vulnerability allowing me to crash the
system. If you are a Microsoft developer, does that information help you track
down the issue? Not in the least, as you don't have any idea where to look.

------
mcbarry
That hurt to read.

