- 05-27-2008 #1
remote packet injection exploits browser vulnerability to run arbitrary code as root
I have a customer interested in purchasing a preinstalled Ubuntu Linux desktop PC. In the past he has had problems with a highly skilled cracker targeting and successfully exploiting his systems. The cracker's goal appears to be to cause as much grief as possible, without stealing money or committing identity theft, usually by catastrophically damaging the OS and in one case corrupting the BIOS.
Without being a security expert, my best guess is that under the following conditions:
- hardware firewall with no forwarded ports
- PC's OS has no open ports
- victim has not run any exploit code on his machine
- victim has not visited a maliciously crafted web site
- attacker has no physical access
- attacker knows victim's ISP, IP address, name, address, etc.
- attacker has possibly compromised the ISP's network
web site packet injection is the only remaining method of compromising the customer's system. In other words, the victim is browsing the web, the attacker is monitoring the victim's traffic, the attacker sends a packet to the victim masquerading as traffic from the web site, the victim's web browser receives the malicious data and runs the payload using the victim's sudoer privileges.
Is this scenario plausible? If so, how can the victim protect himself? Are there older versions of browsers that are "feature frozen" but are fully security patched?
I realize this is an extremely unusual situation, being that the security problem is due to a personal vendetta rather than just implementing best practices. And about the BIOS exploit... Yes it sounds crazy, but it would be possible if the attacker wrote boot sectors (or OS startup processes) to flash the BIOS on next reboot. This has been ongoing for over five years, to give you an idea of the attacker's relentlessness.
Thanks so much everyone.
- 05-28-2008 #2
Welcome to the forums, Kevin.
What you are describing sounds a bit far-fetched to me. Problems with application and OS crashes, general virus code execution and random hardware failure etc. are much more likely to explain symptoms. There are some simple steps which can be taken to enhance security of a Linux system.
Functional separation and preferably physical separation of the net from sensitive/valuable data is advised (data is usually more valuable than the OS). Not giving the normal system user sudo rights will prevent gaining system-wide access. Use only wired network connections. Disable unused services and facilities and disable remote login facilities. Although performance will be reduced, loading the OS from a live CD would prevent the execute-code-on-reboot problem (but may introduce additional security issues if others have access to the system). There is no such thing as a fully security patched system; not keeping a system up to date brings its own security issues.
I am not clear on how many machines you are talking about, if this is a company or individual being targeted or what options there are for switching ISP and IP address. I don't know if your customer has a web site, has changed e-mail address etc.
You will find useful information on security including on the forums, for example here. The weakest part of the system is likely to be the user.
Hope this helps.
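Two of the points in this thread can be checked rather than assumed: the "PC's OS has no open ports" condition from the first post and the advice in the reply not to give the normal user sudo rights. The script below is an added example, not part of either post. It assumes `ss -tuln` style output and that sudo rights come from membership of the `sudo`, `admin` or `wheel` group (rules written directly in sudoers are not covered); the sample data and the user name `deskuser` are constructed.

```shell
#!/bin/sh
# Added example: audit listening sockets and sudo-capable accounts.

# Read `ss -tuln` output on stdin; print sockets bound to a non-loopback address.
# The header line is skipped naturally because its second field is "State".
exposed_listeners() {
    awk '
        $2 == "LISTEN" || $2 == "UNCONN" {
            addr = $5
            sub(/:[^:]*$/, "", addr)   # drop the :port suffix
            gsub(/\[/, "", addr)       # drop IPv6 brackets
            gsub(/\]/, "", addr)
            sub(/%.*/, "", addr)       # drop the %interface scope
            if (addr !~ /^127\./ && addr != "::1")
                print $1, $5
        }'
}

# Read /etc/group format on stdin; print members of groups that
# conventionally grant sudo (assumption: sudo, admin, wheel).
sudo_capable_users() {
    awk -F: '($1 == "sudo" || $1 == "admin" || $1 == "wheel") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' | sort -u
}

# Constructed sample input so the script runs offline.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      [::1]:631          [::]:*'

SAMPLE_GROUP='root:x:0:
adm:x:4:syslog
sudo:x:27:deskuser
users:x:100:deskuser,guest'

echo "Non-loopback listeners:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
echo "Accounts with sudo via group membership:"
printf '%s\n' "$SAMPLE_GROUP" | sudo_capable_users
```

On a live system, feed the functions real data with `ss -tuln | exposed_listeners` and `sudo_capable_users < /etc/group`; both should print nothing on a desktop hardened as the thread describes.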