[lug] Suggested Colo's in Boulder, managed hosting?

Zan Lynx zlynx at acm.org
Tue Mar 4 00:38:08 MST 2003


On Mon, 2003-03-03 at 19:32, Bear Giles wrote:
> Zan Lynx wrote:
> > On Mon, 2003-03-03 at 17:00, Bear Giles wrote:
> > 
> >>Besides that issue, some servers contain sensitive information 
> >>that simply can't be trusted to third-parties.  The crypto keys on 
> >>my CA project, for instance.
> >
> > One reboot, a rescue disk and a kernel module later, and you don't own
> > your system anymore.
> 
> You need to take a break from reading Slashdot. :-)  Rackmount 
> hardware is not the same thing as desktop PCs, and even the 
> cheapest colocation facility has the racks under 24/7 video 
> surveillance.

Heh.  I do read Slashdot, I admit.  :-)  

But my knowledge comes from reading Bugtraq, 2600, Phrack, and playing
with a couple of root kits I have captured in the wild.  One was just
program replacements for ps, netstat, ls, etc.  But the other had a very
nifty kernel module that intercepted directory reads, file reads, etc. 
It even had support to fool Tripwire (it would exec the trojan, but open
and read the original executable).

I discovered that one because even though the box didn't show network
connections, _someone_ was using almost all my friend's outgoing cable
modem bandwidth (probably part of a DDoS attack) and the kernel module
didn't hide from tcpdump.

I installed a fresh kernel RPM, init scripts and fileutils, rebooted and
searched the drive for everything with recent inode change times.  Then
we reinstalled from scratch just to make sure.

Very educational.

As for the cameras, I'm sure they make a pretty show for customers.  I'd
also make sure they're not recording it to a VCR tape that's been
recorded over 200 times on super extended mode.  Or recording it to a
computer that the admins have access to.  In either case, also make sure
the security guy doesn't let the techs or admins cover for him while he
goes out for a late night snack.

Say we're talking about Simon the BOFH here.  He'd wait to share a night
shift with the new hire tech, make sure the video was bad (or edited)
and tweak the card entry logs.  Then even if he gets caught, the new guy
gets blamed :-)

Okay, maybe that's a bit crazy.  But if you're into security you've got
to be professionally paranoid.  I guess I've read a couple books on
security.  After looking at some security analysis charts and some of
the things security experts put on the lists you'd be paranoid too.

An example from a graph I remember:
Threat:  Data compromise.
Methods: Physical access.
           Room entry.
             Stealth (cat burglary type stuff).
             Deception (social engineering, pretending to be customer or
             employee).
             Force (smash and grab, one man or a team, threat of force
             on employee).

And so on, with greater levels of detail in a branching tree.
-- 
Zan Lynx <zlynx at acm.org>
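The triage the post describes (a trojaned ps/netstat that hides processes and connections, then a sweep of the drive for recently changed inodes before a rebuild) can be scripted. The following is an added example written for this archive page; it is not code from the post's author or from any tool mentioned above. It assumes a Linux host with /proc mounted and a ps that accepts `-eo pid=`; the hidden-PID comparison only catches a userland replacement of ps, since a kernel module hooking directory reads, like the one in the post, can filter /proc as well, which is why the post falls back on an outside vantage point (tcpdump on the wire) and a reinstall.

```python
"""Post-compromise triage helpers (added example, not from the list post):
find files by inode change time and cross-check process listings."""
import os
import re
import subprocess
import time
from typing import Iterable, List, Set


def recently_changed(root: str, since: float,
                     skip_dirs: Iterable[str] = ("/proc", "/sys", "/dev")) -> List[str]:
    """Return files under root whose inode change time (st_ctime) is >= since.

    ctime is bumped by chmod/chown/rename/link as well as by writes, and unlike
    mtime it cannot be set back with touch or utime, so a trojan that restores
    the original mtime on the binaries it replaced still shows up here.
    """
    skip = [os.path.abspath(d) for d in skip_dirs]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        ap = os.path.abspath(dirpath)
        # Pseudo-filesystems have meaningless ctimes; prune them from the walk.
        if any(ap == d or ap.startswith(d + os.sep) for d in skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if st.st_ctime >= since:
                hits.append(path)
    return sorted(hits)


def pids_from_proc() -> Set[int]:
    """Process IDs as the kernel exposes them: numeric entries in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_from_ps_output(text: str) -> Set[int]:
    """Parse the PID column of `ps -eo pid=` output (one number per line)."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*(\d+)\s*$", text, re.M)}


def hidden_pids(kernel_view: Set[int], tool_view: Set[int]) -> Set[int]:
    """PIDs visible in /proc but missing from the tool's output.

    A non-empty result is the signature of a replaced ps (the first rootkit
    in the post). An LKM that hooks directory reads can hide from both views,
    so an empty result is not proof of a clean box.
    """
    return kernel_view - tool_view


if __name__ == "__main__":
    # Sweep for inodes changed in the last 24 hours, the check the post ran
    # after installing a fresh kernel, init scripts and fileutils.
    since = time.time() - 24 * 3600
    for p in recently_changed("/etc", since):
        print("changed in last 24h:", p)
    ps_out = subprocess.run(["ps", "-eo", "pid="],
                            capture_output=True, text=True).stdout
    print("pids hidden from ps:", hidden_pids(pids_from_proc(),
                                              pids_from_ps_output(ps_out)))
```

Run it from a known-good kernel and userland (a rescue disk or a fresh RPM set, as in the post), not from the binaries on the suspect box, since a hidden-file list is only as trustworthy as the lstat and readdir that produced it.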