[opensuse] mRemote users beware: Windows malware wipes linux boxes via mRemote
All,

This is a first for me. Per:

http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-k...

There is a piece of Windows malware that looks for mRemote installs on Windows. If found, it looks for cached "root" credentials. If those are found, it uploads a script to wipe out /kernel, /usr, /etc, and /home.

I gather the key vulnerability is that mRemote stores the destination host and credentials in plaintext (or an easily decoded format).

If anyone has mRemote installed on a Windows box, I'm curious how the password is stored. The config info is at:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml

FYI: the target of this attack was South Korea, but once malware code like this is made public, it starts to show up in other malware.

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 22/03/13 01:01, Greg Freemyer wrote:
All,
This is a first for me. Per:
http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-k...
There is a piece of Windows malware that looks for mRemote installs on Windows. If found, it looks for cached "root" credentials. If those are found, it uploads a script to wipe out /kernel, /usr, /etc, and /home.
I gather the key vulnerability is that mRemote stores the destination host and credentials in plaintext (or an easily decoded format).
If anyone has mRemote installed on a windows box, I'm curious how the password is stored. The config info is at:
%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
fyi: the target of this attack was South Korea, but once malware code like this is made public, it starts to show up in other malware.
Greg
Repost this in offtopic, Greg, as not everybody there reads this HELP list.

BC
--
Using openSUSE 12.3 x86_64 with KDE 4.10.1 & kernel 3.8.3-1
On Friday, 2013-03-22 at 01:17 +1100, Basil Chupin wrote:
On 22/03/13 01:01, Greg Freemyer wrote:
Repost this in offtopic, Greg, as not everybody there reads his HELP list.
No, the target of this attack is Linux. Important Linux machines, that happen to be accessed by users that work from Windows machines.

It would even be an appropriate post for the security mail list here, IMO.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Thu, 2013-03-21 at 10:01 -0400, Greg Freemyer wrote:
All,
This is a first for me. Per:
http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-k...
Is this an accurate summary?

If a Windows machine infected with this Trojan also has mRemote installed, and mRemote's configuration contains a root password to a Linux machine, the Trojan ssh's in to the Linux machine as root and erases /kernel, /usr, /etc, and /home.

Yikes. I wonder if mRemote tells one that it is storing passwords or if it just does so. No matter I guess.

Yours sincerely,
Roger Oberholtzer
Ramböll RST / Systems
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
roger.oberholtzer@ramboll.se
Ramböll Sverige AB, Krukmakargatan 21, P.O. Box 17009, SE-104 62 Stockholm, Sweden, www.rambollrst.se
On Friday, 2013-03-22 at 10:12 +0100, Roger Oberholtzer wrote:
On Thu, 2013-03-21 at 10:01 -0400, Greg Freemyer wrote:
All,
This is a first for me. Per:
http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-k...
Is this an accurate summary?:
If a windows machine infected with this Trojan also has mRemote installed, and mRemote's configuration contains a root password to a Linux machine, the Trojan ssh's in to the Linux machine as root and erases /kernel, /usr, /etc, and /home.
Yep.
Yikes. I wonder if mRemote tells one that it is storing passwords or if it just does so. No matter I guess.
I have never used "mRemote". Maybe it does so as a way of making life easy for people that log into many machines. I read that it is also an old version of that package.

IMO, this looks like a targeted attack against institutions that were known to use this tool, where they probably have some kind of Unix/Linux servers handled from Windows machines. I wonder why not delete /var, because databases typically reside there.

And a targeted attack will, of course, find any kind of vector available to do whatever damage they intend, no matter what operating system you happen to use.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Roger Oberholtzer wrote:
If a windows machine infected with this Trojan also has mRemote installed, and mRemote's configuration contains a root password to a Linux machine, the Trojan ssh's in to the Linux machine as root and erases /kernel, /usr, /etc, and /home.
Classically, one never allows root access to an important machine except locally from the console. Even for less important machines, one never allows network root login; an admin must login over the network as himself and then su or sudo to access privileged capabilities.

Do as I say, not as I do, of course :)
Roger Oberholtzer wrote:
If a windows machine infected with this Trojan also has mRemote installed, and mRemote's configuration contains a root password to a Linux machine, the Trojan ssh's in to the Linux machine as root and erases /kernel, /usr, /etc, and /home.
Classically, one never allows root access to an important machine except locally from the console. Even for less important machines, one never allows network root login; an admin must login over the network as himself and then su or sudo to access privileged capabilities.
If the bash script is clever enough, it will take this into account and use the found pw for the user to do a sudo. Storing passwords is the not so clever practice here, I think.
Do as I say, not as I do, of course :)

--
L. de Braal
BraHa Systems
NL - Terneuzen
T +31 115 649333
F +31 115 649444
Roger Oberholtzer wrote:
If a windows machine infected with this Trojan also has mRemote installed, and mRemote's configuration contains a root password to a Linux machine, the Trojan ssh's in to the Linux machine as root and erases /kernel, /usr, /etc, and /home.
Classically, one never allows root access to an important machine except locally from the console. Even for less important machines, one never allows network root login; an admin must login over the network as himself and then su or sudo to access privileged capabilities.
If the bash script is clever enough, it will take this into account and use the found pw for the user to do a sudo.
Storing passwords is the not so clever practice here, I think.
Correction: storing password on a windows machine.
Do as I say, not as I do, of course :)

--
L. de Braal
BraHa Systems
NL - Terneuzen
T +31 115 649333
F +31 115 649444
On Friday, 2013-03-22 at 11:09 +0100, Leen de Braal wrote:
Storing passwords is the not so clever practice here, I think. Correction: storing password on a windows machine.
No, stored anywhere in a manner that can be deciphered.

You can have a Linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encryption, but if they break into your home account, all the other secure machines are busted.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Friday, 2013-03-22 at 11:09 +0100, Leen de Braal wrote:
Storing passwords is the not so clever practice here, I think. Correction: storing password on a windows machine.
No, stored anywhere in a manner that can be deciphered.
You can have a Linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encryption, but if they break into your home account, all the other secure machines are busted.
You are right, Carlos, but I feel better if I can do this kind of work from my Linux laptop than from a Windows machine (where I occasionally use putty, btw, and never store keys or passwords).
--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
--
L. de Braal
BraHa Systems
NL - Terneuzen
T +31 115 649333
F +31 115 649444
On Friday, 2013-03-22 at 11:27 +0100, Leen de Braal wrote:
You are right, Carlos, but I feel better if I can do this kind of work from my Linux laptop than from a Windows machine (where I occasionally use putty, btw, and never store keys or passwords).
Of course, me too :-)

But this is a targeted attack against some institutions; we really don't know why they work in this way.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Friday 22 March 2013 11:20:55 Carlos E. R. wrote:
On Friday, 2013-03-22 at 11:09 +0100, Leen de Braal wrote:
Storing passwords is the not so clever practice here, I think.
Correction: storing password on a windows machine.
No, stored anywhere in a manner that can be deciphered.
You can have a Linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encryption
It is actually not encryption at all, it is a one-way hash. It is impossible to go backwards from it. The most anyone can do is find a password that generates the same hash.
On Friday, 2013-03-22 at 11:30 +0100, Anders Johansson wrote:
On Friday 22 March 2013 11:20:55 Carlos E. R. wrote:
You can have a Linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encryption
It is actually not encryption at all, it is a one-way hash. It is impossible to go backwards from it. The most anyone can do is find a password that generates the same hash.
I mean that if someone gets access to your user account, and you happen to have set up passwordless access to other Linux machines via ssh, then the bad guys also get access to those other machines. They don't need to know the passwords of the other machines.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. wrote:
You can have a linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encription, but if they break into your home account, all the other secure machines are busted.
You should never allow ssh directly into root. I use a key, instead of passwords on my systems, so if I haven't created the key, I cannot connect.
On Friday, 2013-03-22 at 08:17 -0400, James Knott wrote:
Carlos E. R. wrote:
You can have a Linux machine where you login as user and have passwordless ssh login to several other root accounts. It is strong encryption, but if they break into your home account, all the other secure machines are busted.
You should never allow ssh directly into root. I use a key, instead of passwords on my systems, so if I haven't created the key, I cannot connect.
At home, I use it. I would not on a company system. But if I have to connect to dozens or hundreds of different machines in the course of the day, I would be tempted to automate things. I don't know what I'd really do or what others would do in that situation ;-)

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Greg Freemyer wrote:
There is a piece of Windows malware that looks for mRemote installs on Windows. If found, it looks for cached "root" credentials. If those are found, it uploads a script to wipe out /kernel, /usr, /etc, and /home.
How many Linux users ssh directly as root? When I need remote root access, I ssh as a mere mortal and then su to root. I also use passwordless logon, using a key, so there's no password to know and without the appropriate key, there's no way to connect.
James Knott
Greg Freemyer wrote:
There is a piece of Windows malware that looks for mRemote installs on Windows. If found, it looks for cached "root" credentials. If those are found, it uploads a script to wipe out /kernel, /usr, /etc, and /home.
How many Linux users ssh directly as root? When I need remote root access, I ssh as a mere mortal and then su to root. I also use passwordless logon, using a key, so there's no password to know and without the appropriate key, there's no way to connect.
I don't know as much about this as I should, but ...

Doesn't ssh store your private key in plaintext under ~/.ssh?

That is, using keys is only more secure than a password if the keys are maintained securely. Ssh does not do that (does it?). I don't know about tools like putty etc.

So if your keys are not maintained in an encrypted container, once a piece of malware gets access to your keystore, it's off to the races.

I think keys are harder to break than passwords, but once your private key is stolen...

Greg
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On Friday 22 March 2013, Greg Freemyer wrote:
Doesn't ssh store your private key in plaintext under ~/.ssh
No, usually the private key is protected by a passphrase. ssh-agent helps you to deal with your private keys. See

man ssh-agent
man ssh-add

and read about option -t life-time.

BTW, in ~/.ssh/authorized_keys you have the ability to configure in great detail what exactly you want to allow for a particular key. For example I have several non-protected keys for root in use where I only allow read-only rsync for pulling backups.

cu,
Rudi
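Rudi's point that authorized_keys options can confine a key to one command, together with the advice earlier in the thread never to allow ssh directly as root, can be checked on a server with a small script. This is an added example, not code from the thread or from OpenSSH; the authorized_keys and sshd_config fragments are constructed, and the rsync server command line in the sample is an assumption.

```python
import re

# authorized_keys options that confine what a key may do (sshd(8), AUTHORIZED_KEYS
# FILE FORMAT); a root key with none of them is a full root shell for whoever holds it.
CONFINING_OPTIONS = {"command", "from", "restrict"}

def _split_options(text):
    """Split the leading comma-separated option list, honouring double quotes;
    returns (raw options, rest of the line)."""
    opts, cur, in_quotes, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit a value, they are not part of it
        elif ch == "\\" and in_quotes and i + 1 < len(text):
            i += 1
            cur += text[i]  # escaped character inside quotes
        elif ch == "," and not in_quotes:
            opts.append(cur)
            cur = ""
        elif ch.isspace() and not in_quotes:
            break  # end of the option list
        else:
            cur += ch
        i += 1
    opts.append(cur)
    return opts, text[i:].strip()

def parse_authorized_key(line):
    """One authorized_keys line as a dict; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    # key-type tokens look like ssh-*, ecdsa-* or sk-*; anything else is an option list
    if not line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raw_opts, line = _split_options(line)
        for opt in raw_opts:
            name, sep, value = opt.partition("=")
            options[name] = value if sep else True
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    return {"keytype": parts[0], "comment": parts[2] if len(parts) == 3 else "",
            "options": options, "confined": bool(options.keys() & CONFINING_OPTIONS)}

def sshd_option(config_text, name):
    """Global value of an sshd_config keyword: first occurrence wins, as in sshd,
    and parsing stops at the first Match block. None when the keyword is unset."""
    for raw in config_text.splitlines():
        m = re.match(r"(\S+?)\s*(?:=|\s)\s*(\S.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == name.lower():
            return value.strip('"').lower()
    return None

def findings(sshd_config_text, root_authorized_keys_text):
    """The conditions the thread warns about: root reachable over ssh with a
    password, and root keys not confined to one command or source host."""
    out = []
    prl = sshd_option(sshd_config_text, "PermitRootLogin")
    if prl is None or prl == "yes":
        out.append("PermitRootLogin is %s (the default was 'yes' before OpenSSH 7.0)" % (prl or "unset"))
    if sshd_option(sshd_config_text, "PasswordAuthentication") != "no":
        out.append("PasswordAuthentication is not 'no': a stored password alone logs in")
    for line in root_authorized_keys_text.splitlines():
        e = parse_authorized_key(line)
        if e and not e["confined"]:
            out.append("root key '%s' (%s) has no command=/from=/restrict option" % (e["comment"], e["keytype"]))
    return out

# Constructed samples (not from the thread): a read-only rsync pull key of the kind
# Rudi describes beside an unconfined root key; the rsync command line is an assumption.
SAMPLE_ROOT_AUTHORIZED_KEYS = """\
# backup host may only run the rsync server side, from one address, without a tty
from="192.0.2.10",command="rsync --server --sender -logDtpre.iLsfxC . /srv/data",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY backup@pullhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEY admin@laptop
"""
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication no
"""
```

Run `findings(open("/etc/ssh/sshd_config").read(), open("/root/.ssh/authorized_keys").read())` as root to audit a real host; with `PermitRootLogin forced-commands-only` sshd itself refuses root keys that lack command=.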
Greg Freemyer wrote:
I don't know as much about this as I should, but ...
Doesn't ssh store your private key in plaintext under ~/.ssh
That is, using keys is only more secure than a password if the keys are maintained securely. Ssh does not do that (does it?). I don't know about tools like putty etc.
No, it is not stored in plain text. There are two parts to the key. One is the private part, id_rsa, that is stored in your .ssh directory and the other, public part is stored on any server you wish to access in a file called authorized_keys. Both keys are long strings of what appear to be random characters, but they are generated by ssh-keygen to be mathematically related. Only the private part can be used to unlock the public.

Here is the public part of one of the keys I use. The private part is much longer.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCl0D+JWAKcaue2s1eO0ZHHbLH6l33VrhzqW03cJ/Gg6idtO5Xn94MOv0DnIYuoXJUJA6apqxHRn9U e8rJgjIcFUcGRHGSEndXnXVMapYtWiHfXOfqixQ9YAZTPMdoi1MQEbI+UsgMzDZJhEtrMEgI+GKDxqWdTgZw3OmR1jzVixcKX+LAd6nip2XSMhB2QCW dLNGpIL/iHLX2ZnyILRJpd/zv5WNglYJqMEnaukGHwzwSRH33ytrf0ustyygE6OMYj5+0r0qc8LFaxa119l5FiJMN8KBzzb8AjZKNqWOIeiAGg7xd0O hEIVpS6lut6sqVuJ0adG5mkYBBPDGzrlpbT//6mJ2GauLZKxjrHn9Nc8+d0oLQDkPznjxPkxMSZ+NAVxNcAkWMc86Y7gPv3DyVYB0Ib89v3HxQYi+bY mC9aS22w8bp3O+397B90flnoPRaRQoKJqZb7BVt3PZW/5pCzoFM9znXrZAMt5TEZZQ4gWxZjF3AE8B6ukCfS9OxrdMO9ggC86Jc083aXQg8QfJRGe8z jjvJZ2jcYd/Z5g7w9gjBDJENNWwjjpwbltSZgXbAOEUtgsYfCMshMpWRlEzVH4dMCqS2numPPtbHtjLVuvPZjvWldirhgx1L9PsKXfX26OvRDayA6NO 9IP6tlB6F9e4uuYJNq+LtEda3w==

After the == is the user & host name of the computer the public part came from.

Here's some info on the subject:
https://en.wikipedia.org/wiki/Ssh-keygen
On Fri, Mar 22, 2013 at 10:20 AM, James Knott
Greg Freemyer wrote:
I don't know as much about this as I should, but ...
Doesn't ssh store your private key in plaintext under ~/.ssh
That is, using keys is only more secure than a password if the keys are maintained securely. Ssh does not do that (does it?). I don't know about tools like putty etc.
No, it is not stored in plain text. There are two parts to the key. One is the private part, id_rsa, that is stored in your .ssh directory and the other, public part is stored on any server you wish to access in a file called authorized_keys. Both keys are long strings of what appear to be random characters, but they are generated by ssh-keygen to be mathematically related. Only the private part can be used to unlock the public.
Here is the public part of one of the keys I use. The private part is much longer.
After the == is the user & host name of the computer the public part came from .
Here's some info on the subject:
James,

You said something about using a key so you don't have to know passwords? I took that to mean you were using a private key without a passphrase.

In that specific scenario, if I somehow hack your computer and steal the contents of your private key file, can't I take it to another computer and use the key to log into the various accounts you have set up to use that key?

FYI: For the purpose of my question, that wiki article is just about useless. This info from the wiki page in particular needs clarification:

"The private key was saved in .ssh/id_rsa file which is the read-only file. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key."

That is, with no passphrase used during key generation, is there any security at all once an unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted?

Greg
Greg Freemyer wrote:
That is, with no passphrase used during key generation, is there any security at all once an unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted?
How are you planning on getting that file? You could sit down at my desk and copy it. Beyond that, you'd have to break ssh to get past that key requirement or you could try to break OpenVPN, which has a key too.

Of course, even if you got that private key, it would only get you access to my own account, not root. To become root, you'd have to know the password. That password is not stored in plain text. It's a hash in /etc/shadow, which is readable only by root and the shadow group.

Bottom line, if you managed to get my id_rsa, you'd only have access to files in my own directory.
On Friday, 2013-03-22 at 11:50 -0400, James Knott wrote:
Greg Freemyer wrote:
That is, with no passphrase used during key generation, is there any security at all once an unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted?
How are you planning on getting that file?
That's the initial problem, getting to your computer and user account. But if they do manage that somehow, they automatically get access to the other computers.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Fri, Mar 22, 2013 at 11:50 AM, James Knott
Greg Freemyer wrote:
That is, with no passphrase used during key generation, is there any security at all once an unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted?
How are you planning on getting that file? You could sit down at my desk and copy it. Beyond that, you'd have to break ssh to get past that key requirement or you could try to break OpenVPN, which has a key too. Of course, even if you got that private key, it would only get you access to my own account, not root. To become root, you'd have to know the password. That password is not stored in plain text. It's a hash in /etc/shadow, which is readable only by root and the shadow group. Bottom line, if you managed to get my id_rsa, you'd only have access to files in my own directory.
James,

You might want to read a little bit about how an "advanced persistent threat" attack works. They have a typical lifecycle. This is one of the better known diagrams (from Mandiant):

http://www.discoveringidentity.com/wp-content/uploads/2013/03/mandiant1.png

So if one assumes the first breach is a Java exploit that allows the malware to get outside the sandbox, it could just grab your private key that was created without a passphrase.

The private key in turn could be exfiltrated back out to a bad guy. They then try to access your network from the outside via ssh and your private key.

If that succeeds, they have gotten pretty far into the lifecycle of the attack. They have user privileges on the same machines you do and they can move laterally around the network.

Now they just need a vulnerability that lets them escalate privileges to get root access. At that point they can crawl around your network at will.

The average time to find this kind of attack currently is about 9 months and they are being reported routinely. Admittedly, most of the attacks are against Windows machines, or maybe it is just the attacks that are being detected!

Greg
Greg Freemyer wrote:
So if one assumes the first breach is a Java exploit that allows the malware to get outside the sandbox, it could just grab your private key that was created without a passphrase.
The private key in turn could be exfiltrated back out to a bad guy. They then try to access your network from the outside via ssh and your private key.
If that succeeds, they have gotten pretty far into the lifecycle of the attack. They have user privileges on the same machines you do and they can move laterally around the network.
Now they just need a vulnerability that lets them escalate privileges to get root access. At that point they can crawl around your network at will.
The average time to find this kind of attack currently is about 9 months and they are being reported routinely. Admittedly, most of the attacks are against windows machines, or maybe it is just the attacks that are being detected!
Again, the worst they could do is trash my directory. They still couldn't damage any other user or system files. That article, at the start of this thread, was talking about system files etc.
Greg Freemyer wrote:
That is, with no passphrase used during key generation, is there any security at all once a unauthorized user grabs that file? What is the situation with a passphrase? Assuming the file is encrypted if a passphrase is provided, how well is it encrypted.
That password is hashed, so you'd have to break that.
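Greg's question about whether a key file generated without a passphrase gives any protection once copied, and Rudi's reply that the private key is usually passphrase-protected, suggest a check a defender can run over ~/.ssh: whether each private key file is encrypted at all. This is an added example, not code from the thread or from OpenSSH; the key files it parses are constructed headers with no real key material, and the openssh-key-v1 layout it assumes (magic, then ciphername and kdfname strings) is the one documented in OpenSSH's PROTOCOL.key.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # magic at the start of the decoded blob


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """'encrypted', 'plaintext' or 'unknown' for the text of a private key file."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1: magic, then ciphername and kdfname strings; a key made
        # with an empty passphrase has both set to "none", a passphrase gives
        # e.g. aes256-ctr with the bcrypt KDF.
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return "plaintext" if cipher == b"none" or kdf == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in header:  # PKCS#8 encrypted container
        return "encrypted"
    if "PRIVATE KEY" in header:  # legacy PEM (RSA/DSA/EC)
        # encrypted legacy keys carry Proc-Type/DEK-Info headers before the base64
        if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:]):
            return "encrypted"
        return "plaintext"
    return "unknown"


def unprotected_keys(ssh_dir):
    """Files under ssh_dir that hold a private key with no passphrase."""
    found = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="ascii", errors="ignore") as fh:
                text = fh.read(64 * 1024)  # the headers sit at the top of the file
        except OSError:
            continue
        if key_protection(text) == "plaintext":
            found.append(path)
    return found


def _constructed_openssh_key(cipher, kdf):
    """Constructed minimal openssh-key-v1 header (sample input, no key material)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode("ascii")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


SAMPLE_PLAINTEXT_KEY = _constructed_openssh_key(b"none", b"none")  # empty passphrase
SAMPLE_ENCRYPTED_KEY = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")  # with passphrase
SAMPLE_LEGACY_ENCRYPTED = (  # constructed legacy PEM key with a passphrase
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for path in unprotected_keys(os.path.expanduser("~/.ssh")):
        print("no passphrase:", path)
```

A file reported as plaintext is usable as-is by anyone who copies it; `ssh-keygen -p -f <file>` adds a passphrase to an existing key without changing the public half.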
participants (10)
- Anders Johansson
- Basil Chupin
- Carlos E. R.
- Dave Howorth
- DenverD
- Greg Freemyer
- James Knott
- Leen de Braal
- Roger Oberholtzer
- Ruediger Meier