Penetration Testing mailing list archives
RE: root kit detection/penetration
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Thu, 15 Sep 2005 23:31:05 -0500
-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com]

> cdewitt () indepthsec com wrote:
> > What are the best practices for penetration testing the viability of placing root kits on a client's external servers - vpn, web, app...?
>
> If you did not write it yourself _and_ are confident that its impact in business critical systems is 0, don't do it.
This is the golden rule indeed.
> > And, while I'm asking - what are the best practices or countermeasures for root kit placement?
>
> Properly bastion hosts and severely limit the capabilities of the users the services exposed to the Internet are running as (i.e. defense in depth, chroot jails, up-to-date patched systems, etc.), including host-IDS with (in Windows) updated antivirus (which will carry rootkit signatures too) or (in UNIX) rootkit detectors.
I just wanted to add some comments here. I'm not really sure if it is considered a best practice, but it has been clear for some time that there are much better controls than all anti-xxxxx ware. Security controls relying on regular updates for detecting known malware or dangerous behavior are not effective against new threats, particularly against specially developed (or modified) malware to be used against specific targets. Therefore, in my opinion, some host-IDS, chroot jails and all controls implementing some kind of "white list" are far more effective against these threats.

I'm not saying that everyone should just throw away their antivirus. Obviously, my mom will prefer to use an AV rather than trying to configure a Personal Firewall that implements application execution white lists. However, in the case of critical equipment of an organization big enough to have its own security team, relying only on anti-xxxxs technology to counter rootkits, Trojans and all custom made malware is definitely going to fail.

By the way, there is an article by Marcus Ranum called "The Six Dumbest Ideas in Computer Security" (http://www.ranum.com/security/computer_security/editorials/dumb/); it also says something about this (ineffectiveness of blacklist security controls). I don't fully support all the statements of Mr. Ranum. In fact, Pentesting IS in the list :-). Pentesting is in some way "turd polishing" as he says, but it was never meant to discover all possible vulnerabilities or to detect problems at the most abstract levels of security architectures. Yet, pentesting should be able to identify at least the most obvious exposures caused by vulnerabilities (even the best designed system in terms of security isn't free from vulnerabilities).
Kind regards,
Omar Herrera
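[Editor's note: the following is an added example illustrating the white-list versus blacklist argument in Omar's message; it is not code from the thread or from any tool mentioned in it. The file tree, the "trojaned" binaries and the single byte-pattern signature are constructed in-memory samples, and the hypothetical "v1"/"v2" rootkit strings stand in for a known sample and a custom rebuild of it.]

The script takes a SHA-256 baseline of a staged tree (the allow-list approach a host-IDS or rootkit detector uses), then "compromises" the tree with a modified binary and a rebuilt kit. The signature scan, which only knows the original sample, reports nothing; the baseline comparison reports both changes.

```python
"""Allow-list (integrity baseline) versus signature blocklist on a sample tree.

Added example, not from the original thread.  The file tree and the
signature are constructed samples; no real malware is involved.
"""
import hashlib
import os
import tempfile

# Constructed blocklist: the one byte pattern our "scanner" knows about.
KNOWN_BAD_SIGNATURES = [b"evil-rootkit-v1"]


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root: str):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root: str) -> dict:
    """Allow-list: map each file's relative path to its SHA-256 digest."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def compare_to_baseline(baseline: dict, root: str) -> dict:
    """Report anything that is not exactly what the baseline approved."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def signature_scan(root: str) -> list:
    """Blocklist: flag only files containing a known-bad byte pattern."""
    hits = []
    for rel, full in _walk(root):
        with open(full, "rb") as f:
            data = f.read()
        if any(sig in data for sig in KNOWN_BAD_SIGNATURES):
            hits.append(rel)
    return sorted(hits)


def demo() -> dict:
    """Stage a tree, take a baseline, then simulate a targeted compromise."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho original ls\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho original ps\n")
        baseline = build_baseline(root)

        # Attacker trojans ps (to hide processes) and drops a *rebuilt* kit
        # whose bytes no longer contain the signature the scanner knows.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        with open(os.path.join(root, "bin", ".kit"), "wb") as f:
            f.write(b"evil-rootkit-v2 custom build")

        return {
            "signature_hits": signature_scan(root),
            "baseline_diff": compare_to_baseline(baseline, root),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it was taken on a known-good system and is stored (and checked) somewhere the attacker cannot reach, e.g. read-only media or a separate host; a kernel-level rootkit can also lie to the file reads above, which is why the thread's advice pairs integrity checking with chroot jails, least-privilege service accounts and patching rather than relying on any single control.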
Current thread:
- root kit detection/penetration cdewitt (Sep 14)
- RE: [lists] root kit detection/penetration Curt Purdy (Sep 14)
- Re: root kit detection/penetration Javier Fernandez-Sanguino (Sep 15)
- RE: root kit detection/penetration Omar A. Herrera (Sep 16)
- <Possible follow-ups>
- RE: root kit detection/penetration Chris Fahey (Sep 16)