Zero-day OpenSSH vulnerability? (lists.grok.org.uk)
1) Register 'Anti-Sec' with Free Mail Provider 2) Claims to Full Disclosure 3) ???? 4) PROFIT.
brilliant
In my personal experience, public disclosure has legitimate uses in strong-arming companies into dealing with security issues that they would rather ignore.
Alfred Pennyworth -> "Some men just want to watch the world burn."
The Joker -> "It's not about money... it's about sending a message. Everything burns!"
Anti-sec with an ssh 0-day would've tripped over itself rm'ing boxes left and right. It's like Bin Laden warning people he is in California and would be causing great mayhem, Real Soon Now.
I'd expect something similar here, because if they release real exploit code, they are violating their own deeply held beliefs on disclosure.
Long story short: don't try running their code.
3) Last but not least, change the default port of SSH from 22 to something your company runs. You can do this in /etc/services or in /etc/ssh/sshd_config
A lot of preventative maintenance helps you secure a system running an ssh daemon. I do these same things on our Cisco routers; they are just called something else (access lists, etc.)
1) The more we talk about anti-sec the bigger anti-sec gets.
2) These guys are not exactly teen pop idols, ever ready to dispute a rumor or a tabloid story; there is a good bounty on their necks and they seem to have "better" things to do.
3) The more security mailing lists and other communication venues get trolled and hoaxed, the more the security industry looks like the joke it is, and that would make anti-sec kinda happy.
Now, can we please flag the "story"?
I just moved ssh daemons that face the internet to non-standard ports. I suggest everybody does the same to prevent dragnetting (just to be safe).
err... sort of. They're just looking at port numbers and cross-referencing that to services that are known to live on those ports.
Changing the port that SSH listens on isn't going to stop somebody from performing this exploit against one of your machines, it IS going to prevent you from getting auto-rooted by a bot that goes around looking for machines that ack on port 22.
Think of it like a hidden door, but on the front of your house. To the casual observer driving through the neighborhood, they won't see it. To somebody actively trying to find a way into your house...you're going to need more.
Also, security by obscurity does sometimes work. It's dangerous because you can't depend on it, and often it makes it harder to analyze your security in general. Sometimes, badly implemented security by obscurity can compromise security. In fact, badly implemented security often compromises security, because it is hard to do this stuff. Non-obscure security mechanisms have a distinct advantage: more eyeballs are looking at them.
So the best policy? I think you should use standard security tools, and then layer simple obscurity over top of that. Keep it minimal so you can make sure it won't mess up some other aspect of your security. It's worth it, just to keep from being the lowest hanging fruit on the tree.
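The port move discussed in this thread is easy to get wrong quietly (a commented-out `Port` line still leaves sshd on 22, and a second `Port` line keeps 22 open alongside the new one). The following is an added example, not code from any commenter: a small POSIX shell audit that reads an sshd_config and reports which ports sshd would actually listen on, using OpenSSH's own rules (no `Port` means 22, several `Port` lines mean all of them, and the global section ends at the first `Match`). The sample config files are constructed here for demonstration.

```shell
# Added example: report the ports an sshd_config would make sshd listen on.
# Assumes OpenSSH semantics: '#' starts a comment, keywords are
# case-insensitive, no Port line means the default 22, multiple Port lines
# mean sshd listens on all of them, and Port is only valid before any Match.
ssh_ports_from_config() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ { ports = ports " " $2 }
        END { if (ports == "") ports = " 22"; print substr(ports, 2) }
    ' "$1"
}

# Returns 0 (true) when the default port scanners probe first is still open.
ssh_uses_default_port() {
    for p in $(ssh_ports_from_config "$1"); do
        [ "$p" = "22" ] && return 0
    done
    return 1
}

# Constructed sample configs (demonstration only, not real host configs).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/default.conf" <<'EOF'
# Port 2222     <- the admin meant to move sshd but left the line commented
PermitRootLogin no
EOF
cat > "$DEMO_DIR/moved.conf" <<'EOF'
Port 2222
Match User backup
    PasswordAuthentication no
EOF
cat > "$DEMO_DIR/both.conf" <<'EOF'
Port 22        # forgotten original line: 22 stays open
Port 2222
EOF

for f in default moved both; do
    if ssh_uses_default_port "$DEMO_DIR/$f.conf"; then
        echo "$f.conf: still listening on 22 (ports: $(ssh_ports_from_config "$DEMO_DIR/$f.conf"))"
    else
        echo "$f.conf: off the default port (ports: $(ssh_ports_from_config "$DEMO_DIR/$f.conf"))"
    fi
done
```

Run it against `/etc/ssh/sshd_config` after editing to confirm the change did what you intended; `sshd -T` on the host gives the same answer from sshd itself.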
I can't outrun the bear, but I don't have to, because I can outrun you!