Useful factoid

Robert J. Hansen rjh at sixdemonbag.org
Thu Oct 13 16:22:16 CEST 2011


On 10/13/11 10:03 AM, Jean-David Beyer wrote:
> It seems to me that to do much damage to my machine, you need to get a
> shell with root access. And to do that, do you not pretty much need the
> root password?

Nope.  Local exploits are enough.

Take a look at the kernel.org exploit as an example.  The current belief
is that one of kernel.org's legitimate users was sshing in from a
compromised box.  That compromised box was running a keylogger.  From
that keylogger, the attacker discovered this user's login name and ssh
credentials.  The attacker then logged into kernel.org as this user and
ran a local exploit to gain root access.  The attacker dropped a
rootkit, a Trojaned ssh/sshd that was harvesting passwords, and all
other kinds of goodness.

Then, since one of the users on my box sshed in from kernel.org, the
attacker got a login credential on my box.  The attacker logged in using
this stolen credential, used a local exploit, and the next thing I know
sixdemonbag.org was rooted.

As you can guess, I'm not talking about some abstract theory here.  This
was a real attack that really compromised my web server.

People tend to grossly underestimate the risks of malware and pwnage.
We talk about it very little to almost none at all, and honestly, I
think it's the eight hundred pound gorilla in the room that everybody is
trying very hard not to notice in the hopes that if we just pretend not
to see it that it will go away.
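One check a practitioner wants after reading an account like this is whether ssh/sshd on their own host still match a known-good baseline. The block below is an added example written for this page, not code from the post or from the kernel.org investigation: a minimal file-integrity baseline of the kind that package tools (`rpm -V`, `debsums`) and tools such as AIDE implement properly. The file names, contents and the "trojan" replacement are all constructed inside the script so it runs offline.

```python
"""Added example, not from the post: baseline the size, permission bits and SHA-256
of a set of binaries on a known-clean host, then report anything that no longer
matches. A Trojaned sshd that keeps the original size and mode still changes the
digest, which is the case this toy check is built to catch."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record (size, mode bits, sha256) per path. Must be run on a known-good host
    and the result stored somewhere the host itself cannot rewrite."""
    manifest = {}
    for p in paths:
        st = os.stat(p)
        manifest[p] = (st.st_size, st.st_mode & 0o7777, sha256_of(p))
    return manifest


def verify(manifest):
    """Return {path: reason} for every entry that no longer matches the baseline."""
    findings = {}
    for p, (size, mode, digest) in manifest.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if (st.st_mode & 0o7777) != mode:
            findings[p] = "mode changed"
        elif st.st_size != size or sha256_of(p) != digest:
            findings[p] = "content changed"
    return findings


def demo():
    """Self-contained run over two constructed fake binaries (not real ELF files):
    baseline both, then replace 'sshd' with same-size content and re-verify."""
    d = tempfile.mkdtemp()
    sshd = os.path.join(d, "sshd")
    ssh = os.path.join(d, "ssh")
    for p in (sshd, ssh):
        with open(p, "wb") as f:
            f.write(b"\x7fELF genuine " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    baseline = build_manifest([sshd, ssh])
    assert verify(baseline) == {}, "fresh baseline must verify clean"
    # Simulate the Trojaned sshd: identical length and mode, different bytes.
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF trojan  " + b"sshd")
    return verify(baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

The caveat the post itself implies: once an attacker has root and has dropped a rootkit, `os.stat` and `open` on the compromised host may be lying to you, so the manifest has to be generated before the compromise and the verification is only trustworthy when run from a trusted environment (rescue media, or a copy of the filesystem mounted elsewhere). Package-manager verification has the same limitation; the baseline is the valuable part, and it must already exist when you need it.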
