
Matasano hacked. A humbling lesson, even the pros are vulnerable.

52 points| olefoo | 16 years ago |seclists.org | reply

30 comments

[+] kevingadd|16 years ago|reply
Why do people insist on giving these idiots the attention they want?

There's nothing valuable or productive about their inane, impossible-to-read 'hack logs' and they're not encouraging any sort of useful discussion.

It's just dick-waving, and it's stupid for people to continually post links to their latest escapades on sites like HN and reddit.

I mean seriously. How can you feel good about linking to a thread that has tripe like this in it?

"Death to the Jews, death to the whitehats. All parasites must be destroyed in kind!"

[+] viraptor|16 years ago|reply
I disagree with the summary line completely...

What do you mean by "humbling lesson"? If anyone finds an unpatched flaw and uses it to exploit some servers, then it doesn't matter who takes care of the servers. It doesn't matter if it's ptacek or a random admin. It's a new, unknown problem (if the claim about a 0day is real).

Also they're "hacking" the frontend web server. Is that post really interesting in any way? They didn't get to any sensitive information (or didn't publish it). They also didn't get into any personal system, so I doubt there was any real harm done. (otherwise they would brag about it even more)

[+] ankp|16 years ago|reply
What do you mean by "humbling lesson"? If anyone finds an unpatched flaw and uses it to exploit some servers, then it doesn't matter who takes care of the servers. It doesn't matter if it's ptacek or a random admin. It's a new, unknown problem (if the claim about a 0day is real).

The experts at Matasano should know better than to leave sshd internet-accessible. That's what is humbling, because exposing the smallest possible attack surface is exactly how you defend against an unknown problem, and there's literally no good reason (besides laziness) to leave sshd exposed to the public internet.

Also they're "hacking" the frontend web server. Is that post really interesting in any way? They didn't get to any sensitive information (or didn't publish it). They also didn't get into any personal system, so I doubt there was any real harm done. (otherwise they would brag about it even more)

Or, they simply didn't bother going further -- owning the front-end web server is fairly embarrassing for a company like Matasano.

Quite a few individuals store their credentials on front-end web servers, or even SSH to other servers from the front-end servers. Owning -any- server is often a very big deal.

[+] there|16 years ago|reply
If anyone finds an unpatched flaw and uses it to exploit some servers, then it doesn't matter who takes care of the servers. It doesn't matter if it's ptacek or a random admin. It's a new, unknown problem (if the claim about a 0day is real).

Matasano isn't a firewall or antivirus company; their main business is code auditing and penetration testing. They are paid to find bugs in their customers' code before the "bad guys" do, to minimize the risk of 0-day vulnerabilities.

I know it's not practical for them to audit every line of code in every piece of software that their web server runs, but this type of attack looks much worse for this type of company than it probably would for any other.

They didn't get to any sensitive information (or didn't publish it). They also didn't get into any personal system, so I doubt there was any real harm done.

In the output posted on the site, one user has a bunch of zip files in his home directory with "playbook" in the name (Playbook is their firewall revision control product). Some "real harm" could come from this attacker distributing the source code to their product, if that is indeed what was in those files.

[+] olefoo|16 years ago|reply
I'd agree that this is mostly a PR problem; but for a security company, having your public site hacked is somewhat embarrassing.

But it is humbling, since this was probably set up much better than the average Linux webserver. If these guys can still be vulnerable then no one can be confident. When it comes to computer security we are for the most part working with very poor tools and even less understanding when it comes to building systems that are both tractable and secure.

[+] deno|16 years ago|reply
My servers' SSH isn't publicly accessible; you first need to be logged in to the VPN (OpenVPN). I don't know why Matasano couldn't secure their system like this, especially when some "0-day SSH exploit" is circulating around the web. And if you're paranoid (or a security expert on the war-path with the whaddyacallthem anti-sec movement) you have even simpler ways to secure yourself - port knocking, for example? Your system's security weakest link should be human, not software.
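The comment above argues for keeping sshd off the public internet and reachable only over the VPN. The following is an added example, not code from the thread or from Matasano, that audits an sshd_config for the settings that decide that exposure: whether sshd binds to every interface or only to the VPN address, and whether password logins, root logins and generous retry limits are left on. The sample config and the 10.8.0.0/16 tunnel prefix are constructed assumptions, not taken from any real host.

```python
import re
from typing import Dict, List

# Constructed sample sshd_config; assumption only, not from any real server.
SAMPLE_SSHD_CONFIG = """
# sshd_config (constructed sample)
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Assumption: the OpenVPN tunnel hands out addresses in 10.8.0.0/16.
VPN_PREFIX = "10.8."


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level keyword (lower-cased) to its values in file order.

    sshd uses the first value it sees for a keyword, so index 0 is the
    effective one. Directives inside a Match block only apply conditionally
    and are skipped here; this audit looks at the global settings only.
    """
    directives: Dict[str, List[str]] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True       # everything after a Match line is conditional
            continue
        if in_match:
            continue
        directives.setdefault(key, []).append(value)
    return directives


def effective(directives: Dict[str, List[str]], key: str, default: str) -> str:
    """First value wins, falling back to the OpenSSH default."""
    values = directives.get(key)
    return values[0] if values else default


def is_wildcard(addr: str) -> bool:
    """True for ListenAddress forms that bind every interface (v4 or v6)."""
    return addr in ("0.0.0.0", "::") or addr.startswith(("0.0.0.0:", "[::]:"))


def audit(text: str, vpn_prefix: str = VPN_PREFIX) -> List[str]:
    """Return a list of findings; an empty list means no exposure was flagged."""
    d = parse_sshd_config(text)
    findings: List[str] = []

    listen = d.get("listenaddress", [])
    # No ListenAddress at all means sshd answers on every interface.
    if not listen or any(is_wildcard(a) for a in listen):
        findings.append("sshd listens on all interfaces; bind ListenAddress to the VPN address")
    elif not all(a.startswith(vpn_prefix) for a in listen):
        findings.append("ListenAddress includes an address outside the VPN subnet")

    if effective(d, "permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes; use prohibit-password or no")
    if effective(d, "passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes; password guessing is possible, prefer keys")
    try:
        if int(effective(d, "maxauthtries", "6")) > 3:
            findings.append("MaxAuthTries above 3; lower it to slow down guessing")
    except ValueError:
        findings.append("MaxAuthTries is not an integer")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; a host that only accepts SSH over the tunnel should produce no findings, and any `ListenAddress` finding is the one that matters most for the point made in the comment, since a firewall rule on the public interface is the other way to achieve the same effect.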
[+] sfk|16 years ago|reply
I don't quite understand. What if there is an exploit for OpenVPN?
[+] ddbb|16 years ago|reply
Who says it was a 0-day attack? Looking at the output, it seems they brute-forced the password of user adam...

So yes, even the pros sometimes can make mistake.
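The comment above reads the published output as a password brute force rather than a 0-day. From the defender's side, that pattern is easy to spot in sshd's own log: a burst of `Failed password` lines from one source, then an `Accepted password` from the same source. The following is an added example, not code from the thread or from Matasano, that runs that detection over a constructed `auth.log` excerpt (the hostnames, PIDs, addresses and timestamps are made up; only the user name adam is taken from the discussion).

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed auth.log excerpt (not from any real host). The source address
# 198.51.100.7 is from the documentation range; 10.8.0.5 is assumed to be VPN.
SAMPLE_AUTH_LOG = """\
Jul 10 03:14:01 web sshd[2101]: Invalid user oracle from 198.51.100.7 port 50122
Jul 10 03:14:01 web sshd[2101]: Failed password for invalid user oracle from 198.51.100.7 port 50122 ssh2
Jul 10 03:14:05 web sshd[2103]: Failed password for adam from 198.51.100.7 port 50131 ssh2
Jul 10 03:14:09 web sshd[2105]: Failed password for adam from 198.51.100.7 port 50140 ssh2
Jul 10 03:14:13 web sshd[2107]: Failed password for adam from 198.51.100.7 port 50152 ssh2
Jul 10 03:14:17 web sshd[2109]: Failed password for adam from 198.51.100.7 port 50160 ssh2
Jul 10 03:14:21 web sshd[2111]: Accepted password for adam from 198.51.100.7 port 50171 ssh2
Jul 10 09:02:44 web sshd[2450]: Accepted publickey for deploy from 10.8.0.5 port 41022 ssh2
"""

# Syslog-style sshd lines: "Mon DD HH:MM:SS host sshd[pid]: <message>"
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; only deltas are needed, so 1900 is fine."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> List[Tuple]:
    """Flag sources that hit `threshold` failed logins inside `window_s` seconds,
    and any successful login from a source with recent failures.

    Returns tuples:
      ("bruteforce", ip, sorted list of user names tried)
      ("success_after_failures", ip, user, auth method, recent failure count)
    """
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    alerts: List[Tuple] = []

    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            ts = parse_ts(m["ts"])
            failures[m["ip"]].append((ts, m["user"]))
            # Keep only failures inside the sliding window for this source.
            recent = [f for f in failures[m["ip"]] if (ts - f[0]).total_seconds() <= window_s]
            failures[m["ip"]] = recent
            if len(recent) == threshold:   # fire once per burst, not on every line after
                alerts.append(("bruteforce", m["ip"], sorted({u for _, u in recent})))
            continue

        m = ACCEPTED.search(line)
        if m:
            ts = parse_ts(m["ts"])
            recent = [f for f in failures.get(m["ip"], []) if (ts - f[0]).total_seconds() <= window_s]
            if recent:
                # A success right after a run of failures is the signature to act on.
                alerts.append(("success_after_failures", m["ip"], m["user"], m["method"], len(recent)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample the script raises two alerts for 198.51.100.7: the fifth failure inside a minute, and the `Accepted password` for adam four seconds later with five recent failures behind it. The key-based login from the VPN address raises nothing, which is the behaviour the earlier comments about keeping sshd behind the VPN are after.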

[+] hachiya|16 years ago|reply
They made it appear that the exploit somehow was able to determine that a user-level account with the name of adam existed. SSH shouldn't do this.

Then they made it appear that they were able to log in as adam, and the logs don't make it look like a brute force.

Then they made it appear that somehow privileges were elevated from adam to root, but did not provide any supposed log of how this was done.

[+] jrockway|16 years ago|reply
Who cares? It's not like they wrote or consulted on whatever was hacked, and there isn't enough time in the day to write every piece of software you use from scratch. This is what you get for writing your OS in high-level assembly.
[+] hachiya|16 years ago|reply
Since they are against disclosing vulnerabilities, it seems more likely that these intruders did not gain access through an unknown SSH exploit, but some other way. Once they obtained root, they could paste some proof of being on the system, and simply combine that with the top portion of their log, which may be completely fabricated to appear as a 0-day exploit.

Again, if there really is an SSH 0-day, why is an anti-disclosure group revealing one exists?

[+] devicenull|16 years ago|reply
Saying that there is a vulnerability is nowhere close to revealing it. For example, I can say that Windows has a vulnerability allowing me to crash the system. If you are a Microsoft developer, does that information help you track down the issue? Not in the least, as you don't have any idea where to look.