You have executable files, you have config files, you have logfiles.
If checksums of executables and configs are unchanged, there is reasonable certainty they weren't altered. (The checksum checker has to be run from trusted media, if you want to be sure, though. Hint: bootable CD to start from, USB drive to store the checksums on.)
The logfiles are a known weak spot; tampering with logs is a crucial part of Blackhat 101. Remote logging alleviates this concern quite a lot. There are also logging daemons that cryptographically sign the files, so tampering can be revealed.
I suppose my machines can be broken into. However, I know about only one person capable of doing so (though there are more I don't know); he is one of the world's best handful and makes very good money as a penetration tester for a big security company. Without initial insider knowledge about the machines, I doubt even he would stay undetected.
The vast majority of threats are just script kids; they rely on automated tools and vulnerability scanners, like Whisker or Nessus. I am using both (and more) routinely in order to assess the security of my machines; hey, anyone can make a typo in a firewall setup.
My machines themselves typically aren't worth the effort to get inside. If you want just a machine to control, there are softer targets around. If you want the data, it should be far easier to physically break into the offices or my home, or sniff on the lines. If you want to prove to me there are holes, yes, I am reasonably sure there are some there - but you have to be quite good to find them, far better than the run-of-the-mill nuisance-level script kids; if you manage to do so, and aren't destructive, I will buy you a bottle of whiskey.
If you mess around with the machines, searching for the weak spots, you will get detected. An attempt to portscan any of my darlings or to bruteforce the passwords will light up my IDS console like a Christmas tree. Your attempt to go through an apparent vulnerability can be just stepping on a mine - you can't be sure a service with a known-vulnerability banner isn't a trap to catch the intruder. Yes, I faked some system banners; if you believe them, you will be logged, and if you ignore them and bruteforce through, you will be logged as well. Yes, I am fucking paranoid.
The weak spots I know about are local exploits; if you get into the machine, you have your chance - but you have to get inside first. Even then, you would have to disable the logs first. The feasible route to get into one of my machines undetected and stay there until the next audit is to reboot the machine from a floppy or a CD; the other one is to DoS the other machine on which the logs are consolidated and do the job during the time I am blind - which can make me suspicious. There are other ways to disable or weaken my security means, but they all require deep architectural knowledge of the systems I am using. Another way in would be through a kernel-level bug, but I haven't heard about any remotely-exploitable one for ages. You can get in, but hardly unobserved. Yes, I read the logs daily. In realtime, when I am awake. When I am downtown, the machines page me when they don't feel good.
You can't disable logging until you are inside, you can't get inside without getting logged. Fascist and control-obsessed? Yes.
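The post above mentions logging daemons that cryptographically sign their files so tampering can be revealed, and argues that an intruder has to disable the logs before doing anything else. The following is an added example, not the poster's own setup or any particular daemon's code: a forward-secure MAC chain over log lines in the Schneier-Kelsey style, where each entry is authenticated with a per-entry key that is then hashed forward and destroyed. The verifier (the remote loghost, or the USB stick mentioned above) keeps only the initial key. The log lines, the key derivation label and the demo secret are all constructed for the example. It also shows the two things such a chain does not catch on its own, which is why remote logging still matters: truncation of the tail, and entries forged after the intruder has the current key.

```python
import hashlib
import hmac

# Constructed sample log lines (not taken from the page).
SAMPLE_LINES = [
    "sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "sshd[815]: Failed password for root from 203.0.113.7 port 40211",
    "sshd[815]: Failed password for root from 203.0.113.7 port 40212",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]

GENESIS = b"\x00" * 32  # previous-tag value for the first entry


def evolve(key: bytes) -> bytes:
    """Derive the next per-entry key. The logger discards the old one, so an
    intruder who grabs the current key cannot re-sign earlier entries."""
    return hashlib.sha256(b"log-key-evolve" + key).digest()  # label is an assumption


def entry_tag(key: bytes, index: int, prev_tag: bytes, line: str) -> bytes:
    """HMAC over (index, previous tag, line): binds each entry to its position
    and to the entry before it, so edits, reorders and deletions break the chain."""
    msg = index.to_bytes(8, "big") + prev_tag + line.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ForwardSecureLogger:
    """Append-only logger holding only the *current* key."""

    def __init__(self, key: bytes, index: int = 0, prev_tag: bytes = GENESIS):
        self.key, self.index, self.prev_tag = key, index, prev_tag
        self.records = []  # (index, line, tag_hex)

    def append(self, line: str) -> bytes:
        tag = entry_tag(self.key, self.index, self.prev_tag, line)
        self.records.append((self.index, line, tag.hex()))
        self.key = evolve(self.key)  # old key is now gone from memory
        self.index += 1
        self.prev_tag = tag
        return tag


def verify(k0: bytes, records) -> tuple:
    """Offline verifier holding K0. Returns (ok, index_of_first_bad_entry)."""
    key, prev = k0, GENESIS
    for expected, (idx, line, tag_hex) in enumerate(records):
        if idx != expected:  # a deleted or reordered entry shows up as an index gap
            return False, expected
        tag = entry_tag(key, idx, prev, line)
        if not hmac.compare_digest(tag, bytes.fromhex(tag_hex)):
            return False, expected
        key, prev = evolve(key), tag
    return True, None


def build_log(k0: bytes, lines):
    logger = ForwardSecureLogger(k0)
    for line in lines:
        logger.append(line)
    return logger.records, logger.key  # current key = what a root intruder could steal


def demo() -> dict:
    k0 = hashlib.sha256(b"constructed demo secret").digest()  # demo value only
    records, leaked_key = build_log(k0, SAMPLE_LINES)
    out = {"intact": verify(k0, records)[0]}

    # 1. Intruder edits the sudo line to hide the shadow-file read.
    edited = list(records)
    i, line, tag = edited[3]
    edited[3] = (i, line.replace("/etc/shadow", "/etc/motd"), tag)
    out["edit_detected"] = verify(k0, edited) == (False, 3)

    # 2. Intruder deletes the two failed-password lines.
    out["delete_detected"] = verify(k0, records[:1] + records[3:]) == (False, 1)

    # 3. Intruder with root holds the current key but K1 was destroyed, so
    #    re-signing entry 1 with the leaked key still fails.
    forged = list(records)
    prev = bytes.fromhex(records[0][2])
    fake = "sshd[815]: Accepted publickey for root from 203.0.113.7 port 40211"
    forged[1] = (1, fake, entry_tag(leaked_key, 1, prev, fake).hex())
    out["resign_with_leaked_key_detected"] = verify(k0, forged)[0] is False

    # 4. Limitations: the chain does not know how long the log should be, so
    #    chopping the tail passes, and entries appended with the leaked key verify.
    out["truncation_undetected"] = verify(k0, records[:-1])[0]
    attacker = ForwardSecureLogger(leaked_key, len(records), bytes.fromhex(records[-1][2]))
    attacker.append("sshd[900]: session closed for alice")
    out["post_compromise_append_undetected"] = verify(k0, records + attacker.records)[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two undetected cases at the end are the practical reason the post pairs signed logs with remote consolidation: a remote copy fixes the expected length of the chain, and an entry forged after compromise still has to agree with what the loghost already received.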