# Can anyone be hacked?

## ManDay

As crude as this question may appear: What are the chances that, if I pick an arbitrary Linux computer (a server or a private PC, it shouldn't matter), that box can be hacked?

I'm surprised by the ease by which certain people ("Anonymous" comes to mind) compromise certain servers and how even highly secure facilities become victims of such attacks.

Even cruder: If a group of high-profile hackers were interested in compromising (invading) my private Gentoo box, would they likely succeed? I have not much experience with security, I run a minimal, clean and well maintained system with not a single daemon running besides those which ship in rc by default, my kernel has no fancy security measures, cgroups, not to mention I do not run SELinux. I run X11 and am behind one of those personal Router/AP/DSL-Modem boxes, provided by my ISP.

To my understanding, 99.99% of the attacks succeed because of either user errors or critical exploits in software. Almost always it's first intrusion and then escalation. In my naive world, I don't even offer any entry point for intrusion in the first place, and, assuming neither my ISP nor any of the servers I trust have been compromised (man-in-the-middle on my ISP, for instance) I find it rather impossible that anyone could possibly intrude.

How effective can a (group of) hackers possibly become? Can one rightfully say most of the victims of such attacks are to blame themselves or the complexity of their setup, which they lost control of?

----------

## lexflex

 *ManDay wrote:*   

> As crude as this question may appear: What are the chances that, if I pick an arbitrary Linux computer (a server or a private PC, it shouldn't matter), that box can be hacked?

 

It does matter somewhat: If you install a new server and connect it to the internet permanently, there is a large chance hackers will try all kinds of attacks. 

Most notable are random login attempts on the SSH port with random names and passwords.

There are ways to defend against this (such as DenyHosts or fail2ban), but some people tend to look into this only after they discover there are many random login attempts.

(Look at your auth logfiles, there might be many warnings like "Failed password for invalid user" if your system has been on the internet for a couple of days; sometimes hundreds of attempts per hour.)

If it is just a regular desktop computer without SSH access and without permanent access to the internet, the chances of such a type of hack taking place are lower.

 *ManDay wrote:*   

> I run X11 and am behind one of those personal Router/AP/DSL-Modem boxes, provided by my ISP.

 

If you actually make sure the relevant ports are closed then this should definitely help.

Another problem is people not regularly applying security updates: Once an update is issued, the hackers will also know about the 'weak spot' in the system, and will try to abuse it.

Alex.
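A small detector for the log noise described in this post, added here as an example that is not part of the thread: it counts `Failed password` lines per source address and hour over a constructed auth.log excerpt (addresses are from the documentation ranges, not real hosts) and reports the sources that fail2ban or DenyHosts would act on.

```python
import re
from collections import Counter

# sshd failure line as found in auth.log; "invalid user " is optional because
# failures for accounts that do exist (e.g. root) omit it.
LINE_RE = re.compile(
    r"^(?P<hour>\w{3} +\d{1,2} \d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample auth.log excerpt (TEST-NET addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 gentoo sshd[2741]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 gentoo sshd[2741]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:11 gentoo sshd[2744]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:30 gentoo sshd[2748]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jan 12 03:15:01 gentoo sshd[2750]: Accepted publickey for alex from 198.51.100.7 port 40022 ssh2
Jan 12 03:16:44 gentoo sshd[2755]: Failed password for alex from 198.51.100.7 port 40030 ssh2
Jan 12 03:17:02 gentoo sshd[2760]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""


def parse_failures(log_text):
    """Yield (hour, ip, user, is_invalid_user) for every failed-password line;
    accepted logins and unrelated PAM lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("hour"), m.group("ip"), m.group("user"), m.group("invalid") is not None


def failures_per_source(log_text):
    """Total failed logins per source address, regardless of username."""
    return Counter(ip for _, ip, _, _ in parse_failures(log_text))


def noisy_sources(log_text, threshold=3):
    """(ip, hour, count) for every source that reached the threshold within one
    hour, highest count first: the signal a ban tool acts on before blocking."""
    per_hour = Counter((ip, hour) for hour, ip, _, _ in parse_failures(log_text))
    hits = [(ip, hour, n) for (ip, hour), n in per_hour.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, hour, n in noisy_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed logins in hour starting {hour}")
```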

----------

## ManDay

Hi Alex,

yes, I've been maintaining servers myself and know about the random SSH attempts. That's not what I meant. I'm talking about professionals having a genuine interest in intruding into the box - not the casual "let's see whether we can find a server which has an obvious weakness" snooping around.

I tried to express this by speaking of high-profile hackers. I could also ask: If the government of <insert random highly developed country here> would like to intrude into my PC (by the usual means only, of course), would they succeed?

This is more of an academic question. I'm not really concerned about my own safety, of which I think I have a solid understanding as far as it concerns people who are *not* explicit targets.

I don't consider random ssh username/password guesses a real threat, for everyone who is directly connected to the net should know how to apply the according countermeasures, such as you named them.

I think you misunderstood the question in that regard, which is exactly whether those who do *not* make such rather obvious mistakes can be hacked. I don't know how to phrase it any more explicitly. Please re-read my introductory post if this one still could not make it completely clear to you.

----------

## phajdan.jr

Don't forget attacks on client software - browser exploits, document viewer exploits (pdf, doc, odf), media (image, video, audio formats - the codecs frequently have lots of bugs).

----------

## ManDay

I think you are thinking of buffer overflow? And that's all the magic?

----------

## phajdan.jr

 *ManDay wrote:*   

> I think you are thinking of buffer overflow? And that's all the magic?

 

Yeah, code execution in general.

----------

## Jaglover

Those world-famous hacks are not direct hacks of a POSIX server. They are done via some executive Windows desktop by stealing credentials.

Imagine the simplest setup. There is a hardware firewall and two computers behind it. One is a *NIX server and the other one is the Windows desktop of someone who has full access to the databases on the server. It's quite clear you have to open a tunnel from inside to eliminate the firewall. You send a malicious email to that desktop or, if that doesn't work, you do a little XSS on a local newspaper site. Once the victim's Windows computer is infected, what's the next step? Try a direct attack on that server or use credentials from the infected computer to steal whatever you wanted?

----------

## Goverp

 *ManDay wrote:*   

> As crude as this question may appear: What are the chances that, if I pick an arbitrary Linux computer (a server or a private PC, it shouldn't matter), that box can be hacked?
> 
> ...
> 
> How effective can a (group of) hackers possibly become? Can one rightfully say most of the victims of such attacks are to blame themselves or the complexity of their setup, which they lost control of?

 

It's a question of economics.  It depends on what resources the attacker can afford to throw at the attack, and how much its success is worth to them.  For enough value, e.g. disrupting a country's uranium enrichment program, who knows how much another government might throw at it?

Ultimately all systems can be hacked, if only by persuading the sysop to divulge root's password.  The intelligent defence is to apply cost-effective countermeasures.  The defence has the advantage; it's cheaper to plug holes than to find them.

----------

## atmosx

Nice topic. If a computer lies within a network which contains valuable information for third parties, then it's very probable that you might receive several attacks.

 *Jaglover wrote:*   

> Those world-famous hacks are not direct hacks of a POSIX server. They are done via some executive Windows desktop by stealing credentials.
> 
> Imagine the simplest setup. There is a hardware firewall and two computers behind it. One is a *NIX server and the other one is the Windows desktop of someone who has full access to the databases on the server. It's quite clear you have to open a tunnel from inside to eliminate the firewall. You send a malicious email to that desktop or, if that doesn't work, you do a little XSS on a local newspaper site. Once the victim's Windows computer is infected, what's the next step? Try a direct attack on that server or use credentials from the infected computer to steal whatever you wanted?

 

The most notorious hacks we know of are:

1) Cuckoo's egg

2) Stuxnet Virus [2011]

3) The Athens Affair 

(too lazy to post links, google them)

None of them was achieved via stolen credentials. So which hacks are you referring to?

----------

## krinn

The answer looks obvious, everyone could be hacked.

Even if you take a security expert as admin, he will be the admin and as such he will then be kept under the rule: you're hacked, you fill the hole, but you've been hacked to see the hole. You cannot have a system with 0 holes.

----------

## NeddySeagoon

ManDay,

Security is like layers of an onion.  The idea is not so much to keep attackers out, it's to make it clear that there are easier targets to attack, so they go away and play somewhere else.

The layers of the security onion both make it harder for them to get in and restrict what they can do when they get in.

For high profile hackers, it's a question of motive and money.  Your government would not bother to hack you.  They would send the boys round to pick up your hardware and if it's all encrypted, beat you to a pulp until you divulged the pass phrase.

As has been said it's a two step process - intrusion and maybe escalation.  Many attackers don't need root. It depends what they want your system for.

The easiest way in is social engineering. Direct external exploits against services are rare but not unknown.

----------

## krinn

 *NeddySeagoon wrote:*   

> They would send the boys round to pick up your hardware and if it's all encrypted, beat you to a pulp until you divulged the pass phrase.

 

lmao NeddySeagoon, intimidation should be enough for common people (a "give the passphrase or we'll jail you with a pedo status"), where do you live?

----------

## ManDay

 *NeddySeagoon wrote:*   

> ManDay,
> 
> Security is like layers of an onion.  The idea is not so much to keep attackers out, it's to make it clear that there are easier targets to attack, so they go away and play somewhere else.

 

This is exactly not the topic. The question is in the possibility, in your words: Whether that onion can possibly be made "unpeelable".

 *Quote:*   

> For high profile hackers, it's a question of motive and money.

 

That's exactly what I doubt. Putting it provocatively: I think even if hundreds of thousands of highly skilled hackers were tasked to intrude my system, they would not succeed (I, of course, don't believe that, but just to illustrate my point): The only attack vector which is exposed by my system is brute force. I run a minimal set of services in which I assume no exploits, particularly none which can be made use of through any sort of networking socket.

And if I defend myself against brute force, which I can easily do with a minimum of maintenance, there is no way anyone could possibly hack me.

And yes, "the boys" and "social engineering" are of course outside of the scope of my question ;)

PS: Of course, I cannot defend myself against a compromised network on the outside, so if someone hacked my ISP, they could of course infect the things (executables and binaries) which I obtain from outside. But let me put that in the category of "the boys" - means which I have no control of.

----------

## PaulBredbury

 *ManDay wrote:*   

> The question is in the possibility

 

And the answer is obvious - yes, it's possible. Because it's practically impossible to prove that there are no exploitable bugs in your system, even down to the BIOS level.

You've been given the answers to the similar questions that you should be asking ;)

So be afraid, very afraid, run e.g. AppArmor as an additional layer of comfort, and hire a personal bodyguard (don't tell him/her the password though) :D

----------

## krinn

I think he cannot be hacked

And he should ask anything in OTW to get please, we have Masters there that could battle him to death

----------

## CrankyPenguin

Just to weigh in for kicks, I tend to think of it as an economic question as well.  I also divide attacks into two classes, motivated and speculative.  

Motivated attacks are driven by the specific system in question or a target associated with it and are typically carried out by state actors or other individuals acting for economic goals.  Stuxnet is an example of this, as are the attacks discussed in the Cuckoo's Egg.  Here you have to think about your system.  What does it do or hold?  Does any of that make it a worthwhile target?  And just as importantly, where can it get you?  One of the interesting parts of Clifford Stoll's attack mentioned by atmosx is that the attackers compromised fairly unimportant systems (at least according to their users) because they were a gateway to more interesting items.  A set of recently-reported attacks on U.S. satellites followed this model where the attackers sought to control a ground-based weather station in Norway not because they cared about the view of the fjords but because it could get them into the weather satellites.  

So in assessing the likelihood of motivated attacks you have to consider what you have or what someone thinks you have and plan accordingly.  The catch with these kinds of attacks is that a truly motivated actor, particularly a state actor, has high reserves of time and patience and could choose to target you over so long a period and in so many ways that the question is not if but when.  This is where the onion analogy becomes important.  As does considering the fact that as you specifically are being targeted, the attackers will choose many different vectors and likely engage in things like spear-phishing which are specific to you alone.  

Most of the attacks that I have had to deal with are the other kind, speculative attacks.  In my experience, the instant any box is online it is subject to scans and regular probes most of which do no more than look for well-known holes.  Based upon the frequency of the probes I have received, and the fact that none has done more than check for relatively obvious problems (e.g. unsecured telnet servers), these are opportunistic attacks by individuals looking to add to their botnets or just sate their boredom.  I regard these attacks as not just likely but constant and have thus adopted a policy of: a) never running services on any box that are unneeded; b) securing all unneeded ports with firewalls; c) updating regularly; and d) periodically taking my box down and scanning it with chkrootkit.  

I also make it a point to never ever open e-mail especially from people I know and, for good measure, have personally severed all cables connecting the box to the internets.   If I ran boxes with regular users I would probably add to this by banning all of them from surfing the web and telling them not to talk to strangers.

In general I believe that, unless you are carrying serious information or can be a conduit to it via your users, that attacks will be speculative but constant and that you can keep the odds of serious compromise low by adopting the regular approaches I discuss above but I do think that there is value in planning for someone to pierce a layer or two of onion and being ready if they do.

----------

## cach0rr0

 *phajdan.jr wrote:*   

> Don't forget attacks on client software - browser exploits, document viewer exploits (pdf, doc, odf), media (image, video, audio formats - the codecs frequently have lots of bugs).

 

this is the one he seems to overlook

once something is compromised from the inside, it can be compromised from the outside 

 *ManDay wrote:*   

> The only attack vector which is exposed by my system is brute force. I run a minimal set of services in which I assume no exploits, particularly none which can be made use of through any sort of networking socket. 

 

"assume no exploits" is a significant gaffe 

even sshd has a history of being exploited, remotely, due to one code flaw or the other

Look at your attack footprint. If you have any, you can be attacked. 

It boils down to two kinds of attacks:

- ones that can be exploited remotely without any user intervention/fuck-up

- ones that can be exploited remotely via errant user interaction

vulns in sshd, or any of the other services on which a remote host is capable of connecting to you inbound, fall into the former category

vulns in software that you launch interactively, which make remote connections, fall under the latter category

so audit yourself: what kind of connections can be made from the outside world, inbound, to your machine, without you initiating them? Whatever programs these remote hosts can connect to are the avenues of exploitation. Yes, brute-forcing is one of them, but not the only one. Any number of undiscovered memory handling problems (e.g. buffer overflows), any remote file inclusion vulnerability, any software bug in general that as of yet hasn't been discovered, could well potentially be exploited. Even if your only listening service is sshd, it can be exploited. It's not a question of possibility, but rather difficulty - and without a juicy enough target, nobody is going to waste their zero-day on your little home box, unless you really, really, really piss them off. 

When you have a picture of those, you know your footprint for that type of attack. Then comes time to audit what interactive things you do that initiate remote connections. It could be something as common as a browser vulnerability that lets someone arbitrarily execute code on your system. Or, it could be something a bit more interesting, like a bug in your machine's DNS resolver library, such that even doing a DNS lookup leaves you vulnerable (e.g. malformed response to a DNS query that allows a rogue DNS server to execute arbitrary code on your machine). Maybe it's not even something you physically do with keyboard and mouse, maybe someone hijacks the DNS server you use, and redirects common NTP servers to their own rogue NTP server, allowing them to exploit some zero-day vuln in your NTP client. 

If it's on the network, and can connect to the outside world, it's vulnerable to remote exploits. Period. No, that isn't some clichéd hyperbole. People generally shorten their responses to "if you want it to be 100% secure from network-borne attacks, unplug it". Oftentimes, this annoys whoever hears it. Oftentimes, they hear it because the person they're asking doesn't feel like going into a long diatribe explaining every possible attack vector. But therein lies a bit of contradiction - you aren't going to be 100% impervious, the reality is you aren't going to be so long as you're on a network, so do you want someone to lie and say "yes, 100%", when the answer is definitely *not* "100%", but rather "the difficulty involved for the minimal gain makes you an unlikely target"? Security is not a binary state of "yes" or "no", just as NeddySeagoon has said, it's like an "onion". If you think you can reach 100% without unplugging your machine from the network, I can guarantee this minute you will have a false sense of security. If you think you can make yourself such a difficult target that what you have is simply not worth the amount of pain and effort, you're doing it right. Any security professional worth his salt will refuse to give you the "100%" sign-off, but rather will explain how many layers there are to your "onion", and the likelihood of you as a target given your defenses/layers.
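The inbound audit this post asks for, as an added example not taken from the thread: it reads `ss -tuln` output (a constructed sample here, not a real host) and separates sockets bound only to loopback from those a remote host could reach, which is the "no user interaction" footprint the post distinguishes from client-side bugs.

```python
import ipaddress

# Constructed sample of `ss -tuln` output; the column layout follows the
# iproute2 ss(8) header line. No real host was inspected for this.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      50     192.0.2.10:5432   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
udp   UNCONN 0      0      [::1]:323         [::]:*
"""


def split_local(field):
    """Split ss's Local Address:Port column into (address, port);
    IPv6 addresses arrive bracketed, e.g. [::]:22."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def exposure(addr):
    """loopback: reachable only from this host; all: every interface,
    including the one facing the router; specific: a single address."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback"
    return "specific"


def parse_listeners(ss_output):
    """Yield (proto, addr, port, exposure) for each socket line, header skipped."""
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = split_local(cols[4])
        yield cols[0], addr, port, exposure(addr)


def external_footprint(ss_output):
    """proto/port pairs a remote host could connect to inbound; a service bound
    on both IPv4 and IPv6 is reported once."""
    return sorted({f"{p}/{port}" for p, _, port, exp in parse_listeners(ss_output)
                   if exp != "loopback"})


def local_only(ss_output):
    """proto/port pairs bound to loopback only: not part of the remote footprint."""
    return sorted({f"{p}/{port}" for p, _, port, exp in parse_listeners(ss_output)
                   if exp == "loopback"})


if __name__ == "__main__":
    print("reachable from outside:", external_footprint(SAMPLE_SS))
    print("loopback only:", local_only(SAMPLE_SS))
```

Run against a live `ss -tuln` capture the same way; anything in the first list is what the router's port forwarding, or a firewall, decides the outside world can actually reach.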

----------

## NeddySeagoon

ManDay,

Just as a large number of monkeys can eventually reproduce the complete works of Shakespeare, so can you be hacked given enough time.

If your box is completely secure today (which you cannot prove), it's only a matter of time until an update includes an accidental security hole.

That will become someone's zero day exploit ...  Maybe that exploit is on your box today?

Look how long the kernel vmsplice problem existed. 

That answers the question you actually asked.

The more important question is "how have you prepared to defend against the attacks to which your system is/will be open"?

----------

