I hope that none of these attacks will happen to me in the future when I surf the world wide web with my Amiga. So far I never had any problems, but who knows, maybe the hackers find new ways to attack Amiga computers?
I hope that one of the developers of the next generation Amiga OS can clarify if there is support for better security functions planned.
Nessus has a port scanner as its second phase of scanning ( the first phase is a lookup ), it has specific attacks for smb and apache - more if you register the plugins.
I'm not an ignorant.
That is like saying "my webserver has no idea what an Amiga is"
It doesn't have to. Many of the nessus plugins scan for services which are all or mostly written to RFCs, and therefore do have some common exploitation issues. Many more do indeed scan for specific problems with say, Windows or Linux, but as I said it isn't a simple matter of running Nessus.
As you say, nessus is ignorant of what the issues are but by saying "move along nothing to see here" all the time we are never going to change that situation.
The court case is like a thunderstorm after a long humid summer.
Mitch wrote: There are plenty of opportunities to get hacked on line all you need to do is look at something like securityfocus.
There are a list of possibilities: tthe 1. Trojan horses - downloaded or executed through accessing a web page or opening/downloading emails or running bad software. Once in, you are reliant on whatever security the OS or the software packages that are interpreting/running the exploit provide.
Look. We are soo few comparing to the Win users, so it doesn't worth the effort to build a trojan for OS4.
Quote:
2. Daemon attacks - anything from remote code exploitation ( running stuff on your machine ), denial of service, forcing it offline or sending it bad information to cause anything from buffer overflows or misallocating the entire memory in your OS.
Are you running any daemons? It could be valid but you have a PPC cpu which is not as popular as the x86. Even if you are using an exploit you should know the offsets where to jump which is different in every OS. And I'm not 100% sure, on OS4 it would work.
Quote:
3. Snooping and fishing for data. By not using the right level of security on your clients ( e.g. using telnet rather than SSL based clients ) they get hold of passwords and usernames just by listening in and seeing the raw plain text data passing.
It's a user related problem.
Quote:
4. Ephemeral security - send emails in plain text rather than using PGP or some other security plugin.
See pont #3.
Quote:
The point is you might not be exposed to any of them, or be exposable, however at the moment there is nothing out there that I have seen that does a risk assessment of the basic OS, the OS with extra packages installed, individual packages, different configurations or provides any advice whatsoever.
Other portals have long been swamped with political wars and it looks like those that want to start arguments for the sake of it will either be steering clear of here or thrown off. So, I think it is high time we started to collate our experiences and advice and stop thinking we are invulnerable.
Just know how vulnerable you are ( or not ).
Only problem could be using echo/chargen/etc services by default. But if I'm correct ther are switched off by default. You can check by using nmap on your winbox targetted with your OS4 machine.
Quote:
Security through ignorance is stupidity. Security through willful ignorance is basically being a sucker.
I aggree.
Quote:
I don't want to get involved in ego trips, I just want to enjoy the hobby.
It isn't scary. I'm not saying anything will happen at all. I'm saying we just don't know. There is no information I can find that helps and the OS was never designed to be used on the internet and as far as I am aware does not sandbox tasks. Because of that, it is ripe for exploitation if/when someone wants to.
Because of this there is more onus on those who develop servers ( daemons ) and mail applications and other system automation tools ( whether connected or not to the network ) to provide their own security.
Because we don't know, we are in a state of ignorance. What I can't stomach is the attitude towards the subject.
The court case is like a thunderstorm after a long humid summer.
1. Trojan horses writen for AmigaOS (PPC or m68 CPU) ? Never heard from one. 2. Daemon Amiga is not Unix there are no daemons to be usesd. 3. Thats a Problem, i use telnet, i do not know a SSH Client or Server for Amiga OS 4. Same Problem, PGP Amiga ? But 3. and 4. could not harm my Amiga -> outbound.
If you use apache samba and so on, different story. The Amiga ports are normaly rather old, many security holes have been found. But there are not many users out there, able to assamble a code for the Amiga.
In a chatroom you can see the ip addresses which are connected, and go after them. Even just being able to knock people off the net might be a pain.
Nothing like that can happen under OS4. Even hacking utilities like NMAp can't identify the host operating system, let alone try to attack OS4.
For the record, I've been running an A1 on the internet for the last 4 years, with a STATIC ip address and without any kind of firewall. Never had a "security" problem.
Also, not having any open port by default, does certanly help.
Are you running any daemons? It could be valid but you have a PPC cpu which is not as popular as the x86. Even if you are using an exploit you should know the offsets where to jump which is different in every OS. And I'm not 100% sure, on OS4 it would work.
It doesn't come down to offsets or jumps. The field isn't that narrow. You see I am not asking for advice on MY setup I am asking for general advice.
The point being, advice we can give to a new user ( and all users ) out there even if it is:
"Don't run any daemons when connected to the internet unless they are properly firewalled by an external router/gateway".
That is it!
Quote:
Quote:
3. Snooping and fishing for data. By not using the right level of security on your clients ( e.g. using telnet rather than SSL based clients ) they get hold of passwords and usernames just by listening in and seeing the raw plain text data passing.
It's a user related problem.
..... unbelievable. Of course it is a user related problem, but so what? It is still advice! It is still something that some people know the answers on and other people can provide helps to stop people needlessly exposing sensitive data. There are three possible outcomes from this:
1. You continue to treat it like a tennis match, and nothing useful gets developed out of it. We continue to live as isolated islands of information and some get caught out ( "so what, it is a user related problem" ) but tough doodoos eh?.
2. We develop a FAQ on security on the Amiga, and for applications running on the Amiga so the information is there.
3. We do (2) and develop/enhance a security scanner or write some scripts to check for simple things.
I can't see the Freidens or the OS4 development team having the time to redevelop the TCP stack or implement a process security model, so how about we help the users to get smarter as a collective rather than just trying to slap the issue down each time?
The court case is like a thunderstorm after a long humid summer.
I also don't understand why anyone would program a virus or trojan horse to attack an Amiga system. Unfortunately, Amigas have become very rare, so it isn't really worth the effort to design a trojan horse I think.
1. Trojan horses writen for AmigaOS (PPC or m68 CPU) ? Never heard from one.
First virus a virus checker found on my A1200 was a trojan horse, it was even called "trojan" something. That was before it was ever put on the internet. What is it they say about the stock exchange? Past performance is no indication of future performance.
This applies in spades to security.
Quote:
2. Daemon Amiga is not Unix there are no daemons to be usesd.
Daemon is a concept as well as an implementation method on UNIX. Apache is a daemon. SMB is a daemon.
Amtelnet is a SSH client, SSHv1, and I won't use it because of that ( insecure ).
Anyhow I feel I'm going round in circles and banging my head on a brick wall - at the very least I think some people aren't reading thoroughly before they reply.
The court case is like a thunderstorm after a long humid summer.
> In any incarnation is AmigaOS secure enough to risk connecting to the internet with your private data on the system?
If you even have to ask this question, then it's secure.
> Every other OS out there has holes and flaws and I was wondering ( in the light of a lot of people investigating the retro classic market ) if it is worth building a list of what you should and should not do with an Amiga online?
Most other operating systems provide something to the outside world which is deemed a "service", that is, it has got something to offer. If for an outsider there is no point in using your computer, then there's no lever to abuse it either.
> Is the advice always: Use a hardware firewall.
This is generally a good idea, but in the case of an Amiga, not really needed. And it has not even something to do with obscurity, just with the absence of services. So ask yourself what services your Amiga offers to the network. If the answer is "nothing" (which is likely), then there's nothing to worry about.
How could you execute the code brought in by the security holes ? How do you stop a "daemon" on AmigaOS? Code: Amiga OS 3.1(m68), Amiga OS 4(PPC), MorphOS(PPC), AROS(x86), not every Amiga uses the same OS mostly even not the same CPU.
Best Luck to try it, there are many many security holes in the old ports, but i do not know a way to use them for anything dangerous.
The Trojan horse would not find the way out of the computer
The last virus on my Amiga was on the bootblock of a floppy disk, no floppy disks no virus. There where some in old archives on the internet, but nothing that could spread.
For a start all the OS functions are designed for that OS so it isn't a matter of injecting a "binary". If you can call shell commands ( just for example ) you can screw up the system.
Hypothetical scenario:
Web server on Amiga is installed by user and puts it online. This web server runs executables ( CGI ) from the path.
Not saying this will happen with any web servers out there, but just assuming someone was cretinous to write a web server that ran cgi scripts from a path environment variable. It would.
But the point is worse than that. The point is that the person who wrote the web server had to compensate for the lack of group/user permissions protecting the filesystem ( and the processes ). OK?
A common attack of a year ago was to use a bit of portal server code which ran a series of commands like curl, wget etc available in the path to download whatever the hacker wanted to the system. OK? So the point was, the hacker didn't need to care what the architecture of the system was - just the existence of a shell was sufficient - and poorly configured security permissions.
Now take the Amiga. No security permissions whatsoever.
Now do you see my point? "I should be ok" sure. "you are ok so long as you don't open a port" sure. But what if someone does? Do they have to be the sucker for everyone else to exploit or do we provide some words of advice - or at best - contributions to the nessus plugin database to help people scan for flaws.
The amiga has got to be one of the most automatable systems out there besides UNIX, AREXX not only runs scripts but it can address message ports. If it can address message ports there isn't a lot it can't do, including bugger up devices.
So again, once in, a hacker could cause havoc. How they get in, whether trojan or via a daemon on an open port.
Stuff it, why bother? Why ever have virus checkers or scanners, no one will hurt us! No one will mug me as I walk down this dark alleyway after all I am no threat to anyone.....
The clueless use computers too you know.
The court case is like a thunderstorm after a long humid summer.
Ok, I got your point. But you should separate some things. AmigaOS4 is a desktop OS. Not a server operating system. For HTTP/etc server I would use Linux or BSD. So daemons should be out of our picture. You can use them for testing or hobby but not for serious server install. That's a different story and that need multiuser support in lower level. As a webclient I'd say OS4 is secure. If you are using telnet it's the same as on any other system. It's vulnerable for snooping. You should be careful with Samba only but if you have knowledge to install and maintain it, you should know what you are doing.
There is a step by step guide to using samba on the internet for the Amiga. Written by the same Mikey_C. It would help the clueless get it online.
It is possible to set up an insecure samba configuration - especially if you are desperately trying to hack things about.
As there are daemons available on os4depot, people will install them, use them and some will forget they have them live. WindowsXP home is a desktop OS, so was Windows 98, and 95, and ME. All of them are incredibly easy to screw up what little security they have by default and install daemons.
All these words of advice that have been put on this thread need to be put into a faq, or a wiki or something.
I hope amigans.net will provide a wiki facility. If you don't know what danger you are putting yourself in by installing a bit of software, you will end up putting yourself at risk at some point.
That is why spyware scanners also pick up keystroke loggers, the odd trojan and other foolish error. That is why nessus doesn't just test ports that are open, it looks for badly configured software running on them. If we don't ever contribute plugins ( for example ) it never will be able to. If we don't think about it sooner, the task will become mammoth the more software is written and used on our Amigas whatever its internal architecture.
The court case is like a thunderstorm after a long humid summer.
> Now do you see my point? "I should be ok" sure. "you are ok so long as you don't open a port" sure. But what if someone does?
In one word: Don't.
The Amiga is hardly suited for serving documents to a publicly exposed network, and it is definitely unfit for running CGI scripts -- at least by the means of executing binary code. What I would find myself halfway comfortable with, though, is when the webserver (and all accompanying CGIs) were written in safe scripting languages, i.e. pointer-less, with automatic memory management. But I still wouldn't run such a setup unless I had written every single line of code myself.
Use Linux oder *BSD for serving documents to the outside world, that's what they are made for. Get a VServer-enabled kernel or use 'jails' and setup your software in a virtual environment. You can even mess around with half-finished scripts in a public network then. OS3 and 4 simply lack the needed features for that.
News feed
OS4 Feedback forum
OS4Depot Feedback forum
Amigabounty forum
OpenAmiga forum
AmiCygnix forum
ABC shell forum
AmiKit forum
Cinnamon Writer forum
CodeBench forum
Digital Universe forum
Dopus 5 forum
E-UAE forum
Gnash forum
Ibrowse forum
JAmiga forum
Odyssey forum
OWB forum
Qt forum
SmartFileSystem forum
Timberwolf forum
TouchDevice forum
TuneNet forum
Unsatisfactory Software forum
