Hello all!
Today (Monday 12/20) at work, a message came down from "on high"
that we had to remove all Linux installations company-wide because
of an alleged Y2K threat...something embedded in Linux that would
cause a denial-of-service attack by flooding the network with traffic.
Let me state right up front that I don't believe it, and my purpose
here is to find information that will refute that allegation.
As far as I know, we don't have any Linux running on our production
servers. However, I do know that several developers (including
myself) and sysadmins have installed Linux on their desktop PCs
at the office.
A manager forwarded me a copy of the message he received, which
is appended below. He asked me not to reveal the company I work for
or people's names, which is why those have been clipped from what
appears below. I realize this is a credibility hit. Please contact
me in private email if you have concerns about this.
I work in the USA, but as you may be able to tell from the writing
style, the original message came from someone who works for our UK
operations.
Reading through the messages, I see the following points...
* It starts out as a comment on the danger of allowing "unsupervised"
machines on the network, and cites a case where someone interrupted
operations by putting a misconfigured DHCP server on an office LAN.
The author admits that 'this was not Linux related' but uses it to
make his point about "unsupervised" machines.
* The second message cites an unattributed warning from the FBI that
says there is a "rogue program embedded in Linux (and some mainstream
UNIX languages)" that creates a DoS attack when activated. Unix isn't
a language, it's an OS. The manager that forwarded me the mail
telephoned the local FBI office. The person that answered the phone
couldn't find anything about this in their general database and also
commented that the FBI didn't generally issue warnings like that. But
they said they would check with the computer-crime division in the FBI
and get back to the manager tomorrow. I checked the FBI's Web site -
despite general mentions of the Y2K bug in their "Project Megiddo"
report, nothing specific about Unix is mentioned. Punching "Unix"
into the site search engine yields three irrelevant hits and punching
in "Linux" yields no hits.
* The third message re-alleges that there is a "rogue program" in all
"favours" (sic) of Unix.
* One of the comment-with-forward messages seems to think Linux is an
application and not an OS... "it's [sic] runs on virtually all Unix
platforms".
* The final comment-with-forward is from my boss' boss and tells us to
yank Linux.
IMHO it looks like the genesis of a classic urban legend, with unverified
cites of law enforcement and general confusion over what exactly is
being discussed. It also looks like it may be a way for an Information
Security person with a dislike of Linux to order it removed from our
machines under the guise of Y2K.
I mentioned to the manager that forwarded me the mail that many of the
"big" Linux distributors have claimed Y2K compliance in public statements
on their Web site. I also looked in DejaNews and didn't see anything like
this in the past few weeks.
I realize that Linux (and many other OSes) can be used to launch DoS
attacks, and Linux (and many other OSes) have been shown to have
vulnerabilities to DoS attacks in the past. I'm just questioning
the implication that *all* versions of Linux, and possibly some
"commercial" Unixes, have an inbuilt DoS attack that is triggered
at Y2K.
If anyone has any information or links to information that could help me
refute the allegations below, I would very much appreciate it. Thanks
very much for your help!
Matt Roberds
above is a spamtrap, take out first 'att.' to reply, to yield mroberds
at worldnet dot att dot net
Subject: Linux - Security Issue
Date: Thu, 16 Dec 1999 17:25:06 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.10)
Content-Type: text/plain;
charset="iso-8859-1"
Gents,
We [Information Security] have been receiving requests for developers
(UK and other OPCOs) to have Linux loaded onto network and standalone
boxes for development purposes.
[Information Security] have met with [person] and [person] and discussed
the Linux issue. The result of that meeting is that both ISG and MIS
Operations view the use of Linux on the network as potentially dangerous
and a clear threat to the security of the network.
The following issues are highlighted:-
* Integrity of user ID's, user passwords and their security.
* Security of data - who will maintain data integrity.
* Scheduling of data backup - who will maintain a regular cycle of
archiving.
* Network integrity - who would have control of ensuring that the
activities of the machine did not affect the network.
* IP integrity and maintenance - DHCP maintenance.
* Root privileges - allowing unsupported software utilities to be run,
such as network monitoring tools, sniffers etc.
* Root privileges - allowing the owner of a machine to configure it to
appear to be another on the network, this would make tracing any malicious
or unauthorised actions very difficult.
* Maintenance of the machines both hardware and software - in
particular the testing and installation of software patches which are
relevant to the version of operating system and applications being used.
* Who would have any control over any application that was brought
into production.
We have already experienced a situation that caused [office location] to
effectively 'drop' off the network earlier this year when a developer
inadvertently created a DHCP server on the network causing all PC's in
[office] to go to it for IP addresses rather than the correct MIS one.
Although not Linux related, I cite this as an example of what can happen if
we allow 'uncontrolled' software on our network.
The loading of Linux is in direct violation of our current policy. I
suggest that we advise all developers of the policy and ask for Linux to be
removed from all company equipment. ISG would, after a suitable time
period, run an audit to check compliance with the policy.
I am not expecting this to be a popular decision with the developers, as a
number of them are known to use Linux and think it is a good 'tool'.
Comments?
[person]
Systems Security Manager
International Security Group
[company]
---Response to first message---
Subject: RE: Linux - Security Issue
Date: Thu, 16 Dec 1999 20:25:39 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.10)
Content-Type: text/plain;
charset="iso-8859-1"
I support your position, there isn't any good business reason for us to be
running a shareware operating system within our environment.
---Second Message - By author of the original message---
Subject: Linux Update - Threat Received Medium/HIGH Risk
Date: Fri, 17 Dec 1999 13:52:32 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.10)
Content-Type: text/plain;
charset="iso-8859-1"
Gents,
Further to my e-mail yesterday about Linux, which we are all agreed on, ISG
have today received a warning advisory originated by the FBI which they have
stated "causes significant concern".
In short, the advisory warns of a dormant rogue program embedded in Linux
(and some mainstream UNIX languages) that once activated begins a strong
denial of service attack by 'swamping' its host network with IP traffic,
each compatible box it reaches also initiates the same attack and so on.
Being a switched network makes us particularly vulnerable to this type of
denial of service, and once infected preventing spread would mean attempting
to isolate entire network sections i.e. OPCO or country.
[A person] has been advised and will begin sweeping our supported UNIX
systems for the files we have identified as potential carriers of this
attack.
Activation date for the attack is of course 31 Dec 1999.
ISG rate this threat as Medium to HIGH.
Our challenge is to ensure all development boxes (including those 'less
official') are also checked and have Linux removed.
Who would be best placed to send a mail to all international (and OPCO)
developers to advise them to remove Linux and check their boxes for the
offending files?
I will of course keep you advised of any further developments.
[Person]
Systems Security Manager
International Security Group
[Company]
---Third message - Also by the author of the original message---
Date: Mon, 20 Dec 1999 10:02 -0500 (EST)
Subject: UNIX Security Issue - URGENT
Firstly let me introduce myself, I am [person], Systems Security Manager
of the International Security Group. I report to [person], Director of
Central Operations and International Security.
As part of my day-to-day responsibilities I liaise with [person] and
[other person] on matters of security that do or could impact the systems
environment of the international business.
I have attached several e-mails relating to this issue, but in summary:-
ISG have identified a serious and potentially dangerous rogue program that
is believed to exist in all 'favours' of UNIX. This is being dealt with by
our support teams in MIS, however, there are developers that are using
unauthorised versions of the Linux system, and it is these that present an
issue.
Linux is an unsupported platform and should not be used (it is against
current agreed policy), however it has come to our attention that developers
(number and location unknown) are using Linux in an unofficial capacity for
development purposes.
The trigger date for the rogue program is Dec 31 1999.
I have discussed this issue with [person], and he agrees that the use of Linux
must be stopped.
[Person, person] and I agreed that a mail should be sent to all development
staff instructing them to remove Linux from all company equipment.
Unfortunately [person] is now unavailable and will not be back