Security of GNU/Linux Systems

I was surprised to see Brazil in the list of systems compromised by “Anonymous” recently. To demonstrate the compromise, /etc/passwd from some systems was published. GNU/Linux has a simple and reliable system of authentication which should prevent access to that file except by root, the administrative user. The actual passwords are not revealed but the usernames and real names of accounts are in there as well as user and group id numbers and /home directories.
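What a published /etc/passwd exposes can be checked mechanically by parsing its seven colon-separated fields. The following is an added example, not code from the original post; the sample file, the `Entry` tuple and the finding labels are constructed for illustration.

```python
from collections import namedtuple

# The seven colon-separated fields of a passwd(5) line.
Entry = namedtuple("Entry", "name password uid gid gecos home shell")

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jsmith:x:1000:1000:Jane Smith,,,:/home/jsmith:/bin/bash
legacy:$6$constructedsalt$constructedhash:1001:1001:Old Account:/home/legacy:/bin/sh
toor:x:0:0:second uid 0:/root:/bin/sh
broken line without enough fields
"""

def parse_passwd(text):
    """Return Entry tuples, skipping blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append(Entry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit(entries):
    """Return (account, finding) pairs a defender should act on."""
    findings = []
    for e in entries:
        if e.password == "":
            findings.append((e.name, "empty password field"))
        elif e.password not in ("x", "*", "!"):
            # "x" means the hash lives in /etc/shadow; "*" and "!" mean locked.
            findings.append((e.name, "password hash stored outside /etc/shadow"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra UID 0 account"))
        if e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "interactive login shell"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(parse_passwd(SAMPLE)):
        print(f"{account}: {finding}")
```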

A clue to the nature of the compromise comes from others in the list, Zimbabwe, Anguilla, Mosman Council in Australia,… The latter included MySQL database dumps from “teens.mosmanlibraryblogs.com” and other sites. Mosman Council also ran Lose 2K until 2008 when they switched to GNU/Linux on web servers. They have announced the breach:
Mosman Council is aware that an organisation has hacked Council’s websites and is making that content available for download.
However, no ratepayer information from Council’s internal systems has been accessed.
The hack was made via an sql injection exploit on a subsidiary website deployed some years ago. The hack was able to initiate a ‘data dump’ of some of our public-facing websites. The information being made available is essentially what you are able to access when browsing our websites. The web editors’ passwords are encrypted, and are now being changed.
There has been no unauthorised access to Council’s internal systems.
In other words, Anonymous has likely picked some low-hanging fruit on the web. It happens. One weak password is all it takes. One web application allowing SQL injection is all it takes. One discarded hard drive not properly wiped is all it takes.

That Anonymous had to reach so far to find low-hanging fruit gives us hope that more challenging targets are a lot more challenging. It’s past the time where everyone has to work towards better security.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

3 Responses to Security of GNU/Linux Systems

  1. Visitors to a website should not have permission to read that file. That is, Apache or other web service should have its “document root” be a directory like /var/www and not the whole file system including /etc/. A web server probably should not have any “normal user” accounts, because they are not necessary.

  2. Nux says:

    The /etc/passwd file is readable by any user in the system; it’s not that critical of an issue.

  3. kolter.online says:

    sanitize your inputs, people.
