public inbox for speakup@linux-speakup.org
* FW: SECURITY WATCH: Network protection commentary from InfoWorld.com
From: Stephen Dawes @  UTC (permalink / raw)
  To: speakup

Here is some interesting information:

Stephen Dawes B.A. B.Sc.
Web Business Office, City of Calgary
PHONE:  (403) 268-5527. FAX: (403) 268-6423
E-MAIL ADDRESS:  sdawes@gov.calgary.ab.ca

-----Original Message-----
From: SecurityWatch@bdcimail.com [mailto:SecurityWatch@bdcimail.com]
Sent: Thursday, June 29, 2000 1:57 PM
To: sdawes@gov.calgary.ab.ca
Subject: SECURITY WATCH: Network protection commentary from
InfoWorld.com


========================================================
SECURITY WATCH                             InfoWorld.com
========================================================

Thursday, June 29, 2000

Network protection commentary by:  McClure & Scambray

Advertising Sponsor - - - - - - - - - - - - - - - - - -
Symantec
New Enterprise Security Website Launched!
Symantec, a world leader in internet security technology,
provides a broad range of content security solutions,
including anti-virus, Internet content and e-mail
filtering, and mobile code detection technologies.
For up-to-the-minute information regarding enterprise
security issues you are facing, visit our website at:
http://www.symantec.com/specprog/sym/63000.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

TRACKING AN ATTACK OFTEN PROVIDES LITTLE BENEFIT; TOP
DETERRENT IS SECURE SYSTEMS EVERYWHERE

Posted at June 23, 2000 01:01 PM  Pacific

EVER SINCE JACK installed his personal firewall on his
cable modem, he's seen hundreds of port scans hitting
the box. At first he took them seriously, worrying
about what these cybermiscreants were up to. As Jack
quickly learned, finding out the answers to these
questions requires enormous investigative work and can
lead to absolutely nothing.

Trying to track down the knocks on your cyberdoor can
quickly turn into a passion. But each ping, trace
route, port scan, Whois, and American Registry of
Internet Numbers (ARIN) search often reveals only what
little can be done to stop these preludes to an
attack. The final desperate act will inevitably be the
abuse@whateverisp.com inbox black hole that is ISP
abuse reporting. Now imagine that every single
computer banging away at your door is the end of a
long string of computers being used to channel an
attack. Tracking down this last hop reveals only the
tail of an enormous, multiheaded dragon.

The days of direct computer attacks are long gone.
Today, only hacker wanna-bes use their own computers
to direct the attack at the target system. More than a
decade ago, the serious malicious hackers broke into
vulnerable systems not to collect credit card numbers
or turn off the power grid to a city neighborhood.
Instead, they gained access to these systems simply to
use them for further attacks on the Internet. Just as
the distributed DoS (denial of service) attacks in
February required a number of compromised "zombie"
machines to generate the necessary traffic to disable
e-commerce sites, these zombie machines can also be
used as jumping-off points for malicious attacks.

To build this elaborate diving platform, attackers will
scan for vulnerable systems on the Internet. DSL and
@Home customers such as those with AT&T and Pacific
Bell are easy targets. To find these juicy targets,
attackers will look up subnets on ARIN and Network
Solutions, looking for netblocks that house
high-speed, poorly secured home systems. Another
popular target is educational institutions. Using
automated attack scripts, attackers can literally
break into these systems overnight and "own" more than
a hundred systems within hours.

Attacking Windows NT home users begins with port
scanning on TCP ports 135 and/or 139. Once the ports
are open, the attackers will launch the typical
Windows NT-based assaults, including simple password
guessing, input validation attacks, and buffer
overflow attacks. NT systems tend to be juicier
targets than are Windows 9x systems simply because
NT's remote control capabilities are far superior.
Using programs such as netcat, NTRK remote, and
RemotelyAnywhere, attackers can control an NT system
with ease -- and then upload and
kick off the same attacks from that system.

Attacking and controlling Unix systems such as Red Hat
and Mandrake Linux can be even simpler using numerous
remote buffer overflow attacks. Vulnerabilities such
as those in several Unix daemons can be trivially
exploited with publicly available source code. Once
owned, the attackers will set up backdoors and remote
control capabilities, kicking off the same Linux
attack scripts to further invade systems.

And let's not forget about open proxy relays, often
unwittingly left dangling by customers of those very
same consumer-oriented services. With the growing
focus on application-layer vulnerabilities, most
attacks nowadays take the form of a maliciously
malformed URL; it's point-and-shoot simply to bounce
these off of a proxy if it isn't properly configured.
We recently visited a site that had been compromised
by just such a bullet, a single URL anonymously
relayed by a misconfigured SOHO (small office/home
office) proxy device out in the void. Does anyone
remember the infamous Wingate and squid proxy-scanning
tools that circulated the Net about a year ago? Try
turning WinScan (one of the most popular Wingate
scanners) loose on your favorite network and see what
pops up. How many of those do you think were run by
unwitting end-users who thought they were improving
the security of the Internet? Or just browse to
proxys4all.cgi.net and take your pick.

All an attacker needs to begin a reign of terror is
that first vulnerable system. Each subsequent attack
will actually be coming from a compromised system and
not the original attacker. And that is what makes
security-incident response an enormously difficult and
often fruitless task. Tracking down an attempted hack
may turn up your grandmother's computer rather than
the real culprit. Can you see yourself knocking on the
door of an @Home user asking to look at the computer?
The fact is, unless the crime causes more than $5,000
in damage, the FBI won't get involved, and without the
FBI, knocking on the door during Sunday brunch will
have little motivational impact for cooperation.

The solution to the problem of island-hopping is not
trivial, requiring nothing less than absolute security
on all systems attached to the Internet -- not a small
task. So what is the stopgap measure? Tell us what you
think about a resolution
at security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray
is Managing Principal at security consultant
Foundstone ( www.foundstone.com ).


- - - - - - - - - - - - - - - - - - - - - - - - - - - -

MORE SECURITY WATCH
For a complete archive of his InfoWorld columns visit
http://www.infoworld.com/opinions/moresecuritywatch.html

INFOWORLD OPINIONS
Weekly commentary from the most trusted voices in
IT at: http://www.infoworld.com/opinions/index.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

QUOTE OF THE DAY:

"There is a more honest attitude now. There will be a Darwinian
selection process, and the end of opportunism."

--Enrique Carrier, director of Prince & Cooke, Argentina,
speaking about the future of dot-coms.

http://www.infoworld.com/articles/hn/xml/00/06/21/000621hnmortality.xml?0629thse

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

SUBSCRIBE
To subscribe to any of InfoWorld's e-mail newsletters,
tell your friends and colleagues to go to:
http://www.iwsubscribe.com/newsletters/

To subscribe to InfoWorld.com, or InfoWorld Print,
or both, go to http://www.iwsubscribe.com

UNSUBSCRIBE
If you want to unsubscribe from InfoWorld's Newsletters,
go to http://www.iwsubscribe.com/NewsletterEdit

CHANGE E-MAIL
If you want to change the e-mail address where
you are receiving InfoWorld newsletters, go to
http://www.iwsubscribe.com/newsletters/EmailChange.htm

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

InfoWorld announces our new recruiting service:
ITcareers.com
We're not just in the work place...we are the work place!
InfoWorld's new career service, ITcareers.com,
is where tech talent looks for new and better opportunities.
Post for thirty days at only $200. Or buy a package and
get the whole job done.  We deliver the news, the readers
and the hires. You can be up today. Check us out.
http://www.ITcareers.com  Forward this to your recruiting team.



Copyright 2000 InfoWorld Media Group Inc.




* Re: FW: SECURITY WATCH: Network protection commentary from InfoWorld.com
From: Kirk Wood @  UTC (permalink / raw)
  To: speakup

It sounds like a bunch of crap designed to help sell home users more
software to me. I am not saying that attacks don't happen. I have a friend
whose machine was taken over. But the tone of the message was that half our
problems would be solved if the "vulnerable home users" were not out
there. Like I said, load of crap.

If the author had paid attention, the distributed DOS attacks were based in
a couple of universities. Of course those machines could be secured. Then
the students wouldn't learn as much contributing to the lack of qualified
workers in the field. But hey, that is a small price to pay when someone
has a firewall product to sell.

And I would love to know why the "numerous" buffer overflow problems in
RedHat and Mandrake haven't been published. The authors failed to notice
that most of the software for those distributions is found in many Linux
distributions. But hey, they will get a few lucrative leads for their
business of taking care of businesses in the "dot com world."

-- 
Kirk Wood
Cpt.Kirk@1tree.net
------------------

Seek simplicity -- and distrust it.
		Alfred North Whitehead







* Re: FW: SECURITY WATCH: Network protection commentary from InfoWorld.com
From: brent harding @  UTC (permalink / raw)
  To: speakup

What do buffer overflows do to the system? Do they just make it go down, or
what? I found a security site called rootshell.com that described tons of
exploits from older versions of sendmail, wu_ftpd, and others that when
running this exploit makes some kind of buffer overflow that somehow makes
normal user have root access. How can that happen without knowing the
password or using su? Or does the person get through off of a running cron
job that has root access, taking its process number over with their shell?
I hear a lot of hype about what can be done to a system with various shell
scripts.
At 09:19 AM 6/30/00 -0500, you wrote:
>It sounds like a bunch of crap designed to help sell home users more
>software to me. I am not saying that attacks don't happen. I have a friend
>whose machine was taken over. But the tone of the message was that half our
>problems would be solved if the "vulnerable home users" were not out
>there. Like I said, load of crap.
>
>If the author had paid attention, the distributed DOS attacks were based in
>a couple of universities. Of course those machines could be secured. Then
>the students wouldn't learn as much contributing to the lack of qualified
>workers in the field. But hey, that is a small price to pay when someone
>has a firewall product to sell.
>
>And I would love to know why the "numerous" buffer overflow problems in
>RedHat and Mandrake haven't been published. The authors failed to notice
>that most of the software for those distributions is found in many Linux
>distributions. But hey, they will get a few lucrative leads for their
>business of taking care of businesses in the "dot com world."
>
>-- 
>Kirk Wood
>Cpt.Kirk@1tree.net
>------------------
>
>Seek simplicity -- and distrust it.
>		Alfred North Whitehead
>
>
>
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>




* buffer overruns  was Re: FW: SECURITY WATCH
From: Kirk Wood @  UTC (permalink / raw)
  To: Speakup Mail List

A buffer overrun occurs during input of data. The program requests some
information which is then passed to a variable. But if the variable is not
designed to contain as much data as is attempted to place into it, it runs
out the end and can cover memory that was for other things. This could in
some cases allow the excess to become executing code. Mostly it causes the
program (and sometimes system) to crash.

On a Unix system (including Linux and other variants) if this happens with
a program that runs as root, then the person who caused the problem may
end up in a shell with the access from the program (or root).

But, most of these security holes have been patched because the source is
available and people go looking for such possibilities. Understand that
some of the holes that are published are theoretical. Nobody has actually
made it to root access. The code just suggests that it could be
done. Then, when you have a proprietary system, the same hole may show up
in the next version. Not that I would point out any MSlop flaws mind you.

-- 
Kirk Wood
Cpt.Kirk@1tree.net
------------------

Seek simplicity -- and distrust it.
		Alfred North Whitehead
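Kirk's description above, as an added example that is not part of the thread: a small C model in which an 8-byte "name" field sits directly in front of a 4-byte "is_admin" flag, the way two variables can be laid out side by side in memory. A copy sized by the input rather than by the destination runs "out the end" of the name field and overwrites the flag; a copy sized by the destination refuses the oversized input and leaves the flag alone. The memory layout, the field names and the 12-byte input are all constructed for illustration (the region is sized to the input so the demonstration itself stays within defined C; in a real program the excess keeps going into whatever lies beyond the buffer).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory model: NAME_LEN bytes of "name" followed immediately by
 * a 4-byte "is_admin" flag. All accesses go through memcpy and stay inside
 * the region, so the demonstration is well-defined C.
 */
#define NAME_LEN   8u
#define FLAG_LEN   4u
#define REGION_LEN (NAME_LEN + FLAG_LEN)

/* Constructed oversized input: 12 bytes, so the last four land on the flag. */
static const char OVERSIZED_INPUT[] = "AAAAAAAAAAAA";

/* Read the flag that lives just past the name field. */
static uint32_t read_flag(const unsigned char *region)
{
    uint32_t flag;
    memcpy(&flag, region + NAME_LEN, FLAG_LEN);
    return flag;
}

/* The defect: the copy is sized by the input, not by the destination. */
static void store_name_unbounded(unsigned char *region, const char *in, size_t in_len)
{
    memcpy(region, in, in_len);          /* keeps writing past NAME_LEN */
}

/*
 * The fix: the copy is sized by the destination, and input that does not
 * fit is refused outright rather than silently truncated. Returns 0 on
 * success, -1 on oversized input (one byte is reserved for the NUL).
 */
static int store_name_bounded(unsigned char *region, const char *in, size_t in_len)
{
    if (in_len >= NAME_LEN)
        return -1;
    memcpy(region, in, in_len);
    region[in_len] = '\0';
    return 0;
}

/* Oversized input through the unbounded copy: the flag is clobbered. */
uint32_t flag_after_unbounded_copy(void)
{
    unsigned char region[REGION_LEN] = {0};   /* is_admin starts out 0 */
    store_name_unbounded(region, OVERSIZED_INPUT, strlen(OVERSIZED_INPUT));
    return read_flag(region);                  /* 0x41414141, i.e. "AAAA" */
}

/* Same input through the bounded copy: rejected (-1). */
int bounded_copy_rc(void)
{
    unsigned char region[REGION_LEN] = {0};
    return store_name_bounded(region, OVERSIZED_INPUT, strlen(OVERSIZED_INPUT));
}

/* ...and the flag is left exactly as it was. */
uint32_t flag_after_bounded_copy(void)
{
    unsigned char region[REGION_LEN] = {0};
    (void)store_name_bounded(region, OVERSIZED_INPUT, strlen(OVERSIZED_INPUT));
    return read_flag(region);                  /* still 0 */
}

int main(void)
{
    printf("unbounded copy: is_admin = 0x%08" PRIx32 "\n", flag_after_unbounded_copy());
    printf("bounded copy:   rc = %d, is_admin = 0x%08" PRIx32 "\n",
           bounded_copy_rc(), flag_after_bounded_copy());
    return 0;
}
```

The flag here stands in for whatever happens to sit beyond a buffer in a real program; when that is control data rather than a flag, the program can be steered rather than merely crashed, which is the case Kirk is describing. The bounded version shows the defensive rule: size every copy by the destination, and treat input that does not fit as an error to be logged and rejected, not trimmed.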





* Re: buffer overruns  was Re: FW: SECURITY WATCH
From: brent harding @  UTC (permalink / raw)
  To: speakup

So just as me running a buggy program as a normal user, I could find myself
in a root shell? I get messages from my logs suggesting that the klogd
daemon gets terminated and loaded. I received it yesterday and today. I get
a lot of junk about ppp errors when the link goes down under unusual system
behavior. Is there a way of telling how the klogd process seems to restart
itself? I installed syslog-ng last night, don't know what that does, but it
might be an update, but I got the message in today's log check. I set up
the debian package logcheck that alerts the root account to unusual
activity. Most of it appears from the console, so it's probably what I did
when I typed the password fast and mistyped it several times. Does it
always say from tty1 no matter who initiated that? The logging shouldn't
stop and restart, unless logcheck stops it to analyze it so no more data
comes in while it's working. Apparently it runs with anacron in
/etc/cron.daily.
At 01:06 PM 6/30/00 -0500, you wrote:
>A buffer overrun occurs during input of data. The program requests some
>information which is then passed to a variable. But if the variable is not
>designed to contain as much data as is attempted to place into it, it runs
>out the end and can cover memory that was for other things. This could in
>some cases allow the excess to become executing code. Mostly it causes the
>program (and sometimes system) to crash.
>
>On a Unix system (including Linux and other variants) if this happens with
>a program that runs as root, then the person who caused the problem may
>end up in a shell with the access from the program (or root).
>
>But, most of these security holes have been patched because the source is
>available and people go looking for such possibilities. Understand that
>some of the holes that are published are theoretical. Nobody has actually
>made it to root access. The code just suggests that it could be
>done. Then, when you have a proprietary system, the same hole may show up
>in the next version. Not that I would point out any MSlop flaws mind you.
>
>-- 
>Kirk Wood
>Cpt.Kirk@1tree.net
>------------------
>
>Seek simplicity -- and distrust it.
>		Alfred North Whitehead
>
>
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
>



