[Noisebridge-discuss] Security on the network at 83c.

Dr. Jesus j at hug.gs
Thu Jul 30 22:10:53 UTC 2009


On Thu, Jul 30, 2009 at 12:29 AM, Rubin Abdi <rubin at starset.net> wrote:
> Hello members and guests.
>
> I am an admin of Pony and a small number of other machines at 83c. I am
> not an expert at internet security. I am also not overly paranoid at
> getting my machine owned.
>
> Recently a member of our admins had a machine of his rooted, this
> machine isn't one of Noisebridge's but did possibly have credentials to
> access machines within 83c and could most certainly have had the ability
> to maliciously monitor any connections to any machines at 83c. Not going
> to bother stating who this person is, leaving it up to them.

It was me, but I'm sure you all knew that already.

I need to clear a few things up here: at the moment it seems most
likely that that jail was broken into via Dan's web bits, probably
using his password.  This resulted in access to the www user.  I'm
pretty sure at this point they never got root access, see below for my
reasoning.

Even if they did and were an ideal attacker capable of coercing any
hardware to perform any desired action, it seems unlikely they (or
anyone who broke into zf0 themselves) would choose to do so to the
noisebridge internal network given that they have to know that law
enforcement is likely to be involved now.

There's still a risk using our internal network, but that's no
different than any other day at noisebridge.  I think the computers at
83c are in more danger from metal particulate from the machine shop,
crackheads, comcast's DNS servers getting owned, and BPI+ asymmetric
authentication problems than ub3r haxx0rz. [1]

I'm so sure that no one at noisebridge is going to be impacted that
I'm going to put my money on the line.  If these conditions are met:

* A computer you own suffers harm while physically at noisebridge due
to an attack through your computer's network interfaces, and

* You file a property damage claim against my insurer, Farmer's
Insurance, and they determine that the damage could not have occurred
without data illegally obtained from the www.doxpara.com jail, and

* You did not perform the attack yourself or intentionally allow
someone else to perform it,

Then, in addition to any cash settlement they pay I'm going to throw
in a 15" Macbook Pro, 8 GB of DDR2-1066, and a 24" Dell 2405FPW.  I'm
going to put these items in escrow with a noisebridge officer until
August 26th.  (Whichever officer offers to take the items first.)

I think practical security is about managing your risk so you can open
things up, not shut them down.

Why I think root wasn't obtained:

The forensics dumps are going to take several days to analyze, but at
the moment I have some evidence from the jail management environment
which shows that no process with uid 0 was visible to the kernel
without also being under control of one of the admins of the machine.
It's also worth noting that the session in zf05.txt on www.doxpara.com
was the only one executed as a user ID other than root, and the only
session that didn't include the shadow file.

This isn't proof that full control over the machine wasn't obtained,
but I offer the following argument against them getting it:

1) Other jails on that machine obviously belong to other people in the
security community.  Some of these people are part of Dan's social
network.

2) zf0's mission seems to be to promote change in the security
industry by demonstrating that its targets can't secure their own
boxes, and should therefore not be advising others about computer and
network security.

3) They used root on one of Dan's other boxes to look at other users'
accounts on his machines, such as Jay Beale's.  They also went after
other professionals who they didn't seem to have a problem with, such
as Ronald.

4) Had they had root on www.doxpara.com or the jail management
environment, they would better achieve their goal of embarrassing the
security community by doing the same thing they did to Jay by looking
at the other targets and including them in zf05.txt as well.

5) This didn't happen.

There's lots of other little things that tell me that they didn't get
root, but no hard evidence yet.  It just seems unlikely to me that
they would root all the other machines so thoroughly and noisily but
exercise extreme discretion in the case of my machine.

[1] Because I'm looking at a cable modem in another terminal, it just
occurred to me that all this recent noise about SSL impacts the
encryption the DOCSIS standard uses to keep your neighbor from
repurposing the analog frontend chips from a junked set-top box and
reading your email.  Fortunately, your system operator is supposed to
conveniently patch your device for you, since they're the only ones
allowed to update the firmware using signed modules from the
manufacturer.  Too bad they don't tell you when or if they do it...
