Re: Is AmigaOS secure enough to use online?
Just popping in
@Mitch

Wow, this does sound scary!

I hope that none of these attacks will happen to me in the future when I surf the world wide web with my Amiga. So far I never had any problems, but who knows, maybe the hackers find new ways to attack Amiga computers?

I hope that one of the developers of the next generation Amiga OS can clarify if there is support for better security functions planned.

Re: Is AmigaOS secure enough to use online?
Just popping in
Nessus has a port scanner as its second phase of scanning ( the first phase is a lookup ), it has specific attacks for smb and apache - more if you register the plugins.

I'm not an ignorant.

That is like saying "my webserver has no idea what an Amiga is"

It doesn't have to. Many of the nessus plugins scan for services which are all or mostly written to RFCs, and therefore do have some common exploitation issues. Many more do indeed scan for specific problems with say, Windows or Linux, but as I said it isn't a simple matter of running Nessus.

As you say, nessus is ignorant of what the issues are but by saying "move along nothing to see here" all the time we are never going to change that situation.

The court case is like a thunderstorm after a long humid summer.
Re: Is AmigaOS secure enough to use online?
Just popping in
Quote:

Mitch wrote:
There are plenty of opportunities to get hacked on line all you need to do is look at something like securityfocus.

There is a list of possibilities:
1. Trojan horses - downloaded or executed through accessing a web page or opening/downloading emails or running bad software. Once in, you are reliant on whatever security the OS or the software packages that are interpreting/running the exploit provide.


Look. We are so few compared to the Win users, so it isn't worth the effort to build a trojan for OS4.

Quote:

2. Daemon attacks - anything from remote code exploitation ( running stuff on your machine ), denial of service, forcing it offline or sending it bad information to cause anything from buffer overflows or misallocating the entire memory in your OS.


Are you running any daemons? It could be valid but you have a PPC cpu which is not as popular as the x86. Even if you are using an exploit you should know the offsets where to jump which is different in every OS. And I'm not 100% sure, on OS4 it would work.

Quote:

3. Snooping and fishing for data. By not using the right level of security on your clients ( e.g. using telnet rather than SSL based clients ) they get hold of passwords and usernames just by listening in and seeing the raw plain text data passing.


It's a user related problem.

Quote:

4. Ephemeral security - send emails in plain text rather than using PGP or some other security plugin.


See point #3.

Quote:

The point is you might not be exposed to any of them, or be exposable, however at the moment there is nothing out there that I have seen that does a risk assessment of the basic OS, the OS with extra packages installed, individual packages, different configurations or provides any advice whatsoever.

Other portals have long been swamped with political wars and it looks like those that want to start arguments for the sake of it will either be steering clear of here or thrown off. So, I think it is high time we started to collate our experiences and advice and stop thinking we are invulnerable.

Just know how vulnerable you are ( or not ).


Only problem could be using echo/chargen/etc services by default. But if I'm correct they are switched off by default. You can check by using nmap on your winbox targeted at your OS4 machine.

Quote:


Security through ignorance is stupidity. Security through willful ignorance is basically being a sucker.


I agree.

Quote:


I don't want to get involved in ego trips, I just want to enjoy the hobby.


Enjoy!

Re: Is AmigaOS secure enough to use online?
Just popping in
It isn't scary. I'm not saying anything will happen at all. I'm saying we just don't know. There is no information I can find that helps and the OS was never designed to be used on the internet and as far as I am aware does not sandbox tasks. Because of that, it is ripe for exploitation if/when someone wants to.

Because of this there is more onus on those who develop servers ( daemons ) and mail applications and other system automation tools ( whether connected or not to the network ) to provide their own security.

Because we don't know, we are in a state of ignorance. What I can't stomach is the attitude towards the subject.

The court case is like a thunderstorm after a long humid summer.
Re: Is AmigaOS secure enough to use online?
Supreme Council
This is an important issue, no matter what services amiga os has now or will be able to get in the future.

So try to be less negative to each other in this thread and discuss the issue instead.

Vacca foeda. Sum, ergo edo

Mr Bobo Cornwater
Re: Is AmigaOS secure enough to use online?
Just popping in
1. Trojan horses written for AmigaOS (PPC or m68 CPU)?
Never heard of one.
2. Daemon
Amiga is not Unix, there are no daemons to be used.
3. That's a problem, I use telnet, I do not know an SSH client or server for Amiga OS.
4. Same problem, PGP Amiga?
But 3. and 4. could not harm my Amiga -> outbound.

If you use apache samba and so on, different story.
The Amiga ports are normally rather old, many security holes have been found.
But there are not many users out there able to assemble code for the Amiga.

Packages, sounds also like Unix.

Re: Is AmigaOS secure enough to use online?
Just popping in
Quote:

In a chatroom you can see the ip addresses which are connected, and go after them. Even just being able to knock people off the net might be a pain.


Nothing like that can happen under OS4. Even hacking utilities like Nmap can't identify the host operating system, let alone try to attack OS4.

For the record, I've been running an A1 on the internet for the last 4 years, with a STATIC ip address and without any kind of firewall.
Never had a "security" problem.

Also, not having any open port by default does certainly help.

Re: Is AmigaOS secure enough to use online?
Just popping in
Quote:

Are you running any daemons? It could be valid but you have a PPC cpu which is not as popular as the x86. Even if you are using an exploit you should know the offsets where to jump which is different in every OS. And I'm not 100% sure, on OS4 it would work.


It doesn't come down to offsets or jumps. The field isn't that narrow. You see I am not asking for advice on MY setup I am asking for general advice.

The point being, advice we can give to a new user ( and all users ) out there even if it is:

"Don't run any daemons when connected to the internet unless they are properly firewalled by an external router/gateway".

That is it!

Quote:

Quote:

3. Snooping and fishing for data. By not using the right level of security on your clients ( e.g. using telnet rather than SSL based clients ) they get hold of passwords and usernames just by listening in and seeing the raw plain text data passing.


It's a user related problem.


..... unbelievable. Of course it is a user related problem, but so what? It is still advice! It is still something that some people know the answers on and other people can provide help to stop people needlessly exposing sensitive data. There are three possible outcomes from this:

1. You continue to treat it like a tennis match, and nothing useful gets developed out of it. We continue to live as isolated islands of information and some get caught out ( "so what, it is a user related problem" ) but tough doodoos eh?

2. We develop a FAQ on security on the Amiga, and for applications running on the Amiga so the information is there.

3. We do (2) and develop/enhance a security scanner or write some scripts to check for simple things.

I can't see the Friedens or the OS4 development team having the time to redevelop the TCP stack or implement a process security model, so how about we help the users to get smarter as a collective rather than just trying to slap the issue down each time?

The court case is like a thunderstorm after a long humid summer.
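
A sketch of the "scripts to check for simple things" idea from the post above, as an added example that is not part of the original thread: it checks a machine you administer for the TCP services named in this discussion (echo, chargen, telnet, SSH, a web server, Samba). The port table, function names and the 127.0.0.1 default are assumptions made for the example.

```python
import socket

# Services mentioned in this thread, keyed by their well-known TCP ports.
THREAD_SERVICES = {
    7: "echo",
    19: "chargen",
    22: "ssh",
    23: "telnet",
    80: "http (web server / CGI)",
    139: "smb (Samba, NetBIOS session)",
    445: "smb (Samba, direct)",
}


def is_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success and an errno value otherwise,
        # so a refused or timed-out connection does not raise.
        return s.connect_ex((host, port)) == 0


def audit(host: str = "127.0.0.1", services=None) -> list:
    """Return [(port, name), ...] for every listed service that is reachable."""
    services = THREAD_SERVICES if services is None else services
    return [(p, n) for p, n in sorted(services.items()) if is_listening(host, p)]


def report(found: list) -> str:
    """Turn the audit result into the kind of advice the thread asks for."""
    if not found:
        return "No listed service is accepting connections."
    lines = [f"port {p}: {n} is accepting connections" for p, n in found]
    lines.append("Stop these or keep them behind an external router/gateway "
                 "firewall while connected to the internet.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit()))
```
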
Re: Is AmigaOS secure enough to use online?
Just popping in
I also don't understand why anyone would program a virus or trojan horse to attack an Amiga system. Unfortunately, Amigas have become very rare, so it isn't really worth the effort to design a trojan horse I think.

Re: Is AmigaOS secure enough to use online?
Just popping in
Quote:

Mitch wrote:
Anyone who uses a computer on the net has some basic security advice to follow.


I agree wholeheartedly.

I connect to the Internet and the World Wide Web using my A600 via pcmcia ethernet to my netgear ADSL firewall router.

Even with this high level of security I still need to be on constant alert for phishing sites and phreakers.

Re: Is AmigaOS secure enough to use online?
Just popping in
Quote:

1. Trojan horses written for AmigaOS (PPC or m68 CPU)?
Never heard of one.


First virus a virus checker found on my A1200 was a trojan horse, it was even called "trojan" something. That was before it was ever put on the internet. What is it they say about the stock exchange? Past performance is no indication of future performance.

This applies in spades to security.


Quote:

2. Daemon
Amiga is not Unix, there are no daemons to be used.


Daemon is a concept as well as an implementation method on UNIX. Apache is a daemon. SMB is a daemon.

Amtelnet is a SSH client, SSHv1, and I won't use it because of that ( insecure ).

Anyhow I feel I'm going round in circles and banging my head on a brick wall - at the very least I think some people aren't reading thoroughly before they reply.

The court case is like a thunderstorm after a long humid summer.
Re: Is AmigaOS secure enough to use online?
Just popping in
> In any incarnation is AmigaOS secure enough to risk connecting to the internet with your private data on the system?

If you even have to ask this question, then it's secure.

> Every other OS out there has holes and flaws and I was wondering ( in the light of a lot of people investigating the retro classic market ) if it is worth building a list of what you should and should not do with an Amiga online?

Most other operating systems provide something to the outside world which is deemed a "service", that is, it has got something to offer. If for an outsider there is no point in using your computer, then there's no lever to abuse it either.

> Is the advice always: Use a hardware firewall.

This is generally a good idea, but in the case of an Amiga, not really needed. And it has not even something to do with obscurity, just with the absence of services. So ask yourself what services your Amiga offers to the network. If the answer is "nothing" (which is likely), then there's nothing to worry about.

Re: Is AmigaOS secure enough to use online?
Just popping in
How could you execute the code brought in by the security holes?
How do you stop a "daemon" on AmigaOS?
Code: Amiga OS 3.1 (m68), Amiga OS 4 (PPC), MorphOS (PPC), AROS (x86),
not every Amiga uses the same OS, mostly not even the same CPU.

Best of luck trying it, there are many many security holes in the old ports, but I do not know a way to use them for anything dangerous.

The Trojan horse would not find the way out of the computer.

The last virus on my Amiga was on the bootblock of a floppy disk, no floppy disks no virus.
There were some in old archives on the internet, but nothing that could spread.

Re: Is AmigaOS secure enough to use online?
Just popping in
For a start all the OS functions are designed for that OS so it isn't a matter of injecting a "binary". If you can call shell commands ( just for example ) you can screw up the system.

Hypothetical scenario:

Web server on Amiga is installed by user and puts it online. This web server runs executables ( CGI ) from the path.

Attacker goes http://my-amiga.online.com/cgi/del%20SYS:%20ALL

Kiss goodbye to sys:

Not saying this will happen with any web servers out there, but just assuming someone was cretinous to write a web server that ran cgi scripts from a path environment variable. It would.

But the point is worse than that. The point is that the person who wrote the web server had to compensate for the lack of group/user permissions protecting the filesystem ( and the processes ). OK?

A common attack of a year ago was to use a bit of portal server code which ran a series of commands like curl, wget etc available in the path to download whatever the hacker wanted to the system. OK? So the point was, the hacker didn't need to care what the architecture of the system was - just the existence of a shell was sufficient - and poorly configured security permissions.

Now take the Amiga. No security permissions whatsoever.

Now do you see my point? "I should be ok" sure. "you are ok so long as you don't open a port" sure. But what if someone does? Do they have to be the sucker for everyone else to exploit or do we provide some words of advice - or at best - contributions to the nessus plugin database to help people scan for flaws.

The amiga has got to be one of the most automatable systems out there besides UNIX, AREXX not only runs scripts but it can address message ports. If it can address message ports there isn't a lot it can't do, including bugger up devices.

So again, once in, a hacker could cause havoc. How they get in, whether trojan or via a daemon on an open port.

Stuff it, why bother? Why ever have virus checkers or scanners, no one will hurt us! No one will mug me as I walk down this dark alleyway after all I am no threat to anyone.....

The clueless use computers too you know.

The court case is like a thunderstorm after a long humid summer.
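
The hypothetical CGI scenario in the post above, shown as the flawed request-to-command mapping beside an allowlist-based one. This is an added example, not part of the original post and not code from any Amiga web server; the registered program names and the `WEB:cgi-bin/` locations are assumptions, and nothing is executed.

```python
from urllib.parse import unquote

# Constructed request path, taken from the scenario in the post.
SCENARIO_PATH = "/cgi/del%20SYS:%20ALL"

# Hypothetical allowlist: the only programs the server will ever start,
# at fixed locations chosen by the administrator (assumed names).
REGISTERED_CGI = {
    "guestbook": "WEB:cgi-bin/guestbook",
    "counter": "WEB:cgi-bin/counter",
}


def naive_command(url_path: str, prefix: str = "/cgi/") -> str:
    """The flawed design: decode the URL and treat the rest as a command line.

    Returns the string a careless server would hand to the shell, where the
    command name is then looked up on the search path. Not executed here.
    """
    return unquote(url_path[len(prefix):])


def resolve_cgi(url_path: str, prefix: str = "/cgi/"):
    """Map a request path to a registered program, or None to refuse it.

    The request may only select a key of REGISTERED_CGI; it never supplies
    a command, an argument, a volume name or a directory.
    """
    if not url_path.startswith(prefix):
        return None
    name = unquote(url_path[len(prefix):])
    # Accept a single plain ASCII token only: a space would add arguments,
    # ':' names a volume, '/' walks directories, and a leftover '%' means
    # the client tried double encoding.
    if not (name and name.isascii() and name.isalnum()):
        return None
    return REGISTERED_CGI.get(name)


if __name__ == "__main__":
    print("naive server would run:", repr(naive_command(SCENARIO_PATH)))
    print("allowlist result:", resolve_cgi(SCENARIO_PATH))
    print("allowlist result:", resolve_cgi("/cgi/guestbook"))
```

With no user or group permissions underneath to limit the damage, the server's own mapping is the only control, so it should also start the resolved program with a fixed argument list rather than through a shell.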
Re: Is AmigaOS secure enough to use online?
Just popping in
Ok, I got your point.
But you should separate some things. AmigaOS4 is a desktop OS. Not a server operating system. For an HTTP/etc server I would use Linux or BSD. So daemons should be out of our picture.
You can use them for testing or as a hobby but not for a serious server install. That's a different story and that needs multiuser support at a lower level.
As a webclient I'd say OS4 is secure. If you are using telnet it's the same as on any other system. It's vulnerable to snooping.
You should be careful with Samba only, but if you have the knowledge to install and maintain it, you should know what you are doing.

Re: Is AmigaOS secure enough to use online?
Just popping in
There is a step by step guide to using samba on the internet for the Amiga. Written by the same Mikey_C. It would help the clueless get it online.

It is possible to set up an insecure samba configuration - especially if you are desperately trying to hack things about.

As there are daemons available on os4depot, people will install them, use them and some will forget they have them live. WindowsXP home is a desktop OS, so was Windows 98, and 95, and ME. All of them are incredibly easy to screw up what little security they have by default and install daemons.

All these words of advice that have been put on this thread need to be put into a faq, or a wiki or something.

I hope amigans.net will provide a wiki facility. If you don't know what danger you are putting yourself in by installing a bit of software, you will end up putting yourself at risk at some point.

That is why spyware scanners also pick up keystroke loggers, the odd trojan and other foolish error. That is why nessus doesn't just test ports that are open, it looks for badly configured software running on them. If we don't ever contribute plugins ( for example ) it never will be able to. If we don't think about it sooner, the task will become mammoth the more software is written and used on our Amigas whatever its internal architecture.

The court case is like a thunderstorm after a long humid summer.
Re: Is AmigaOS secure enough to use online?
Just popping in
> Now do you see my point? "I should be ok" sure. "you are ok so long as you don't open a port" sure. But what if someone does?

In one word: Don't.

The Amiga is hardly suited for serving documents to a publicly exposed network, and it is definitely unfit for running CGI scripts -- at least by the means of executing binary code. What I would find myself halfway comfortable with, though, is when the webserver (and all accompanying CGIs) were written in safe scripting languages, i.e. pointer-less, with automatic memory management. But I still wouldn't run such a setup unless I had written every single line of code myself.

Use Linux or *BSD for serving documents to the outside world, that's what they are made for. Get a VServer-enabled kernel or use 'jails' and set up your software in a virtual environment. You can even mess around with half-finished scripts in a public network then. OS3 and 4 simply lack the needed features for that.

Re: Is AmigaOS secure enough to use online?
Just popping in
So a basic FAQ for complete beginners would have topics like:


Personal security and the Amiga

= Basic precautions

= Remote shells and file transfer

= Types of software not to install

= What to check before you connect directly or put your Amiga in a DMZ

= What if I really must run some of the not recommended packages on my intranet/internet

Privacy and the Amiga

= General privacy, and how to get it working under the Amiga

Developing Daemons

= Pitfalls

= Good design patterns

The court case is like a thunderstorm after a long humid summer.
Re: Is AmigaOS secure enough to use online?
Amigans Defender
@Mitch
Quote:
...but AmigaOS4.0 I don't think has a SSH v2+ compliant implementation...

It does now. Will take a while to polish it up and test though. Don't want to just throw OpenSSH on the masses without proper testing.

How is that Amiga security FAQ coming along?

ExecSG Team Lead
Re: Is AmigaOS secure enough to use online?
Just popping in
Just need another two weeks ;)

The court case is like a thunderstorm after a long humid summer.