God is in the details
Editor's Introduction

Welcome to Netsurfer Focus! In putting together Netsurfer Digest we have discovered that sometimes a topic deserves more attention and depth than can be provided in the Digest. Netsurfer Focus is designed to address these topics. Each issue focuses on a single topic, and issues are published on a periodic basis. Like the Digest, issues are sent out via e-mail and placed at our World Wide Web site. In addition, the issues are supplemented by a comprehensive database of resources at our web site. This two-tiered approach allows us to give the big picture for general readers and provide detailed resources for the experts. Netsurfer Focus departs from the Digest format that you love and support. But we hope that it delivers the same useful and entertaining values of our More Signal, Less Noise promise. Please let us know what you think by writing to focus@netsurf.com. Your input will help us shape future issues of the Focus.
THE ONLY SAFE COMPUTER IS A DEAD COMPUTER

The three tradeoffs

Life is full of tradeoffs and computer security is no different.
As you design or modify your computer and network security, think about how you want to use your systems and what you stand to lose if security is compromised. This will help guide your choice of solutions and their relative complexity and costs.
Or, more things come in threes

All systems consist of three components: the software and hardware parts, the people, and the procedures. The same is true of computer and network systems. Securing your computer system means security of the software and hardware, trustworthiness of the people who use and manage it, and reliability of the procedures for using and managing the system. In this issue, we will mainly focus on secure software and system management practices. But when you are evaluating the security of your system, don't forget to consider the other components. And while we are talking about threesomes, remember that there are three kinds of threats to your system: malice, ignorance, and acts of god or nature. A malfunctioning sprinkler system in the computer room, a magnitude 6.0 earthquake, a disgruntled employee, or a misguided big cheese can do equal amounts of damage. Think through each of the components, the what-if scenarios, the technical and non-technical solutions, and the cost-benefit tradeoffs. Also, don't count on your computer to come out of the box with its security mechanisms set up correctly for you. They aren't always that way. The bottom line: It really is housekeeping, and it really is up to you what kind of a computer house you keep.
Ali Baba is my real name

The whole idea of security is tied to who can have access to what. You prove who you are by providing a secret password. The cave doors magically open and you get to the jewels: you can read and write files, run programs, allow other users access to your files and computers, and so on. Multiuser computer systems, like Unix, usually have a hierarchy of personages, each with different access privileges. If you prove you are the Grand Vizier (a.k.a. root), you can basically do whatever you want - wipe out entire disks of files, change how the system is set up, and maybe even launch a frog battalion against Upper Timbuktu. However, even the lowliest courtier can let intruders in, setting off a chain of intrigue and skullduggery of who does what to whom. So the first line of defense is secure passwords. The second is to make sure that only selected people have access to the powerful files and tools.
Twisty passages all connected to each other

Now, connect your single computer to other computers, through phone lines, a local network, or the Internet. The plot thickens. An intruder doesn't even have to be physically near your computer. Through the magic of telecommunications, they are only a handshake or two away. At this point, to make things worse, not only can people try to pretend they are you, computers can also pretend they are your computers (known in the vernacular as spoofing). And oh, by the way, about the telecommunications - it's a party line. On the way from your computer to some other computer, anyone can use a sniffer program to tap in and listen to what you are saying. Before you hide your computer under the bed, remember our friends, the tradeoffs. Think through the system components and the risks methodically and logically. You've done the basic good housekeeping on each computer. Minimize your risk by making only one of them publicly available and hiding the rest behind a secure barrier or firewall. Then focus on the exposed gateway computer and make it as secure as you can from potential intruders. Monitor it for intruders. And make sure you don't transmit secret information - like your password - over the Internet without protection.
Basic tools of the trade

You want to make sure of the basics: that the passwords on your system are secure and hard to break, that only the right people have write access to system files and programs, and that no one has modified the files without your knowledge. A log of who has been active on your system is also helpful for monitoring usage and documenting malfeasance. Here are some useful readings and a list of (free) tools that will help you get started on protecting your system.

References
Site Security Handbook (RFC 1244) http://www.net.ohio-state.edu/hypertext/rfc1244/
Basic Computer Security FAQ's http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/top.html
World Wide Web Security FAQ http://www.w3.org/Security/Faq/www-security-faq.html
Security Videos http://www.bellcore.com/TEC/COURSES/TELECOMM/TEC-INTERNET/lp002bt.html

Tools sites for password protection, access permissions, system file modifications, etc.
NIST Computer Resource Clearing House http://cs-www.ncsl.nist.gov/tools/tools.htm
Purdue University COAST Archives http://www.cs.purdue.edu/coast/hotlist/archives/tools.html

Select Tools
Crack (password cracker) http://www.users.dircon.co.uk/~crypto/
PowerLogin (login monitoring) http://www.symark.nl/p_login.htm
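Knowing that no one has modified your system files means having a record of what they looked like before. The script below is an added example, not one of the tools listed above: it takes a baseline of every regular file under a directory (content hash, size, and permission bits), and a later comparison reports files that were added, removed, altered, or merely had their mode changed. The directory it checks is constructed in a temporary location so the example runs anywhere; on a real host you would baseline /etc, /bin and friends and keep the baseline on read-only or offline media.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Record SHA-256, size and mode bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": digest, "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots. Mode-only changes get their
    own bucket: a setuid bit appearing on a shell matters as much as new content."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path]["sha256"] != new[path]["sha256"]:
            report["modified"].append(path)
        elif old[path]["mode"] != new[path]["mode"]:
            report["mode_changed"].append(path)
    return report


def demo() -> dict:
    """Build a constructed mini system tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        passwd = os.path.join(root, "etc", "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/:/bin/sh\n")
        sh = os.path.join(root, "bin", "sh")
        with open(sh, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(sh, 0o755)

        # The baseline would normally be written to offline media; here we just
        # round-trip it through JSON to show it serialises cleanly.
        saved = json.loads(json.dumps(snapshot(root)))

        # Constructed tampering: extra uid-0 account, setuid bit on the shell,
        # and an unexpected new binary.
        with open(passwd, "a") as fh:
            fh.write("toor:x:0:0:extra:/:/bin/sh\n")
        os.chmod(sh, 0o4755)
        with open(os.path.join(root, "bin", "sniff"), "w") as fh:
            fh.write("binary")
        return compare(saved, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the baseline: if an intruder can rewrite the stored hashes along with the files, the report will say all is well, which is why the baseline belongs somewhere the running system cannot write.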
Put all your eggs in one basket and watch it

Every computer is a potential host of vulnerabilities. The more accessible it is, the more it is susceptible to attack. Connecting to a network such as the Internet makes it potentially accessible to everyone on the network. We want the advantages of Internet access, but we also need to limit our exposure to intruders. The solution is often the installation of a firewall, so that only selected "gateways" have access to the outside world. The "gateway", either a computer or a router, stands guard over your network, rejecting all incoming traffic not directed to itself, and selectively forwarding communications such as mail between the inside and outside networks. A proxy server is a program that mediates application-specific traffic, e.g., ftp, through the firewall, making secure access less cumbersome. It usually has additional logging, user authentication, and protocol-specific security capabilities. The computer firewall industry has become a hotbed of growth with the increasing popularity of the Internet. You can build your own from free software toolkits, purchase hardware and/or software solutions from a vendor, or engage consultants who will implement a custom solution. Hardware solutions include both Intel x86 boxes running Unix and network routers that support intelligent packet filtering. Another option is to use an Internet Service Provider who provides the firewall and gateway service between your network and the Internet. Whatever approach you choose, protecting the exposed gateway is of primary importance, and a later section on Satan suggests some tools that can be used.
Reading
Firewall FAQ http://www.clark.net/pub/mjr/pubs/fwfaq/index.htm
Firewall Resources and Reviews http://www.cs.purdue.edu/coast/hotlist/network/firewalls.html
The Rotherwick Firewall Resource http://www.zeuros.co.uk/firewall/

Firewall Tools
Firewall Toolkit http://www.tis.com/prodserv/fwtk/readme.html
Socks (generic proxy server) http://www.socks.nec.com
General Tools Site ftp://coast.cs.purdue.edu/pub/doc/firewalls/

Secure Internet Service
Pilot Networking Services http://www.pilot.net/
The three-headed hound from hell

You've protected your systems from external threats with a firewall, but what happens when you cannot trust everyone in your own organization? You may have confidential data to send, e.g., personnel records, or you may just need to log in to another host in your network. This is particularly true in the academic environment. MIT considered this problem back in the 80's and came up with the Kerberos package. This is an authentication system that uses cryptography to protect passwords and other sensitive information in network traffic. It has three significant limitations. First, Kerberos relies on the security of a central authentication server, i.e., a single point of failure. Second, every network program, such as remote login, that wants to use its authentication and encryption capabilities must be modified to include Kerberos code directly. Third, Kerberos uses the Data Encryption Standard (DES) to encrypt its information. Codebreaking played a key role in the success of the Allied Forces during World War II. As a result, certain forms of cryptography are still classified as Munitions by the US Government, subjecting them to International Traffic in Arms Regulations (ITAR). What this means is that special export licensing from the US State Department may be required to take Kerberos software out of the country, even if it is only an ftp download.

Reading
Kerberos: An Authentication Service for Computer Networks http://gost.isi.edu/publications/kerberos-neuman-tso.html
Kerberos FAQ http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
Kerberos Information Sources http://gost.isi.edu/info/kerberos/
Kerberos Information Sources http://phdtek.com/security/Login/Kerberos/Links.htm

Getting Kerberos
Kerberos (Unix) ftp://athena-dist.mit.edu/pub/kerberos/
Kerberos (Unix, Mac, Windows) http://www.cygnus.com/techie/kerbnet/

Cryptography Export Control
Archives http://www.cygnus.com/~gnu/export.html
ITAR ftp://ftp.cygnus.com/pub/export/itar.in.full
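What the central server actually does is easier to see in code than in prose. The exchange below is an added, simplified illustration written for this issue, not MIT's Kerberos: a server that knows everyone's long-term key hands the client a ticket sealed under the service's key and a reply sealed under the client's password-derived key, the client proves it could open the reply by sealing a fresh authenticator under the session key, and the service checks both without ever talking to the server. Where real Kerberos uses DES, this uses a toy authenticated stream cipher built from HMAC-SHA256 (constructed for the demo only, not for production use); the realm, principals, password, lifetimes and the single-server layout (no separate ticket-granting step) are all assumptions.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (constructed policy)
CLOCK_SKEW = 300             # authenticator freshness window, like Kerberos's five minutes


def password_key(password: str, realm: str) -> bytes:
    """Long-term user key from the password. Stored at the KDC, recomputed by the
    client; the password itself never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for DES: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Central authentication server: the single point of failure the text mentions."""
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}

    def register_user(self, name: str, password: str):
        self.keys[name] = password_key(password, self.realm)

    def register_service(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]      # installed on the service host once, out of band

    def request_ticket(self, client, service, nonce, now=None):
        """Reply is sealed under the client's key, the ticket under the service's."""
        if client not in self.keys or service not in self.keys:
            raise KeyError("unknown principal")
        now = time.time() if now is None else now
        session, expires = os.urandom(32).hex(), now + TICKET_LIFETIME
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session": session, "expires": expires})
        reply = seal(self.keys[client], {"session": session, "service": service,
                                         "expires": expires, "nonce": nonce})
        return reply, ticket


def client_login(kdc, name, password, service, now=None):
    """Client side: only a holder of the password can open the reply and learn the
    session key; the ticket itself is opaque to the client."""
    nonce = os.urandom(8).hex()
    reply, ticket = kdc.request_ticket(name, service, nonce, now)
    creds = unseal(password_key(password, kdc.realm), reply)
    if creds["nonce"] != nonce:
        raise ValueError("reply does not answer our request")
    ts = time.time() if now is None else now
    authenticator = seal(bytes.fromhex(creds["session"]), {"client": name, "timestamp": ts})
    return ticket, authenticator


def service_verify(service_key, service_name, ticket, authenticator, now=None) -> str:
    """Service side: no call to the KDC. The ticket is trusted because only the KDC
    and this service know the key it is sealed under."""
    now = time.time() if now is None else now
    t = unseal(service_key, ticket)
    if t["service"] != service_name or t["expires"] < now:
        raise ValueError("ticket not for this service or expired")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"] or abs(a["timestamp"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["client"]


def demo() -> dict:
    """Full exchange with constructed principals, plus two failure cases."""
    kdc = KDC("NETSURF.EXAMPLE")
    kdc.register_user("ali", "open-sesame-1995")
    fs_key = kdc.register_service("fileserver")
    ticket, auth = client_login(kdc, "ali", "open-sesame-1995", "fileserver")
    result = {"authenticated_as": service_verify(fs_key, "fileserver", ticket, auth)}
    try:
        client_login(kdc, "ali", "wrong-password", "fileserver")
        result["wrong_password"] = "accepted"
    except ValueError:
        result["wrong_password"] = "rejected"
    try:
        service_verify(fs_key, "fileserver", ticket, auth, now=time.time() + TICKET_LIFETIME + 1)
        result["expired_ticket"] = "accepted"
    except ValueError:
        result["expired_ticket"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

Two of the limitations in the text fall straight out of the code: whoever reads the KDC's key table can mint tickets for anyone, and every service has to be taught to call something like service_verify instead of reading a password.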
Where's the beef?

April 5th has come and passed. Satan was released to the Internet on schedule and the networked world as we know it has not collapsed in an apocalypse of security incidents. Satan, short for Security Administrator Tool for Analyzing Networks, is a set of tools that probes remote computers on the Internet for known vulnerabilities. It is not the first of its kind; tools that check host computers for well-known vulnerabilities in ftp, tftp, and sendmail have been available for several years. These include public and commercial versions of the Internet Security Scanner (ISS), PINGWARE (commercial only), and the Security Profile Inspector (SPI) which is currently available only to the Departments of Energy and Defense. What is different about Satan is that it is widely available and has an HTML-based interface. This allows users to probe networks with point-and-click ease through a World Wide Web browser. In addition, Satan also provides extensive documentation on the vulnerabilities being identified and how to repair them. Satan can be used by the system administrator to test local security, or it can be used by crackers to look for weaknesses in a potential victim. The risk to a system decreases with good security practices. Use Satan first to uncover and repair any additional vulnerabilities before a cracker can discover them. To help system administrators detect when their systems may be under scrutiny from a rogue copy of Satan, CIAC has developed Courtney, a program to monitor and report on any network activity that resembles a Satan probe. As security experts and system administrators use Satan on different systems, its strengths and weaknesses are being characterized. A security hole was quickly discovered for host machines running Satan. Version 1.1 introduced a new and different hole, and now Version 1.2 is expected shortly.

Although the initial noise about Satan's release may look like hype or hysteria in retrospect, there's no reason to let down your guard. Crackers may simply be lurking until the scrutiny dies down; they now have one more powerful tool in their black bag.

Resources
Satan http://www.fish.com/satan/
Detailed Review of Satan http://ciac.llnl.gov/ciac/notes/Notes07.shtml
Satan Vulnerability http://www.cert.org/advisories/CA-95.06.satan.html
Satan Vulnerability (revised) http://www.cert.org/advisories/CA-95.07a.REVISED.satan.vul.html
Courtney and Gabriel http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney
Internet Security Scanner http://www.iss.net/prod/tpo/is_faq.html
SPI-NET http://ciac.llnl.gov/cstc/spi/spinet.html
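The signature Courtney looks for is simple: a single source touching many different service ports on a host in a short time, something ordinary clients never do. The detector below is an added example, not CIAC's Courtney, and reads a constructed connection log in an assumed one-line-per-connection format. It keeps a sliding window per source-destination pair, so a genuinely slow trickle of connections spread over hours is not flagged, while a burst across many ports is.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example): "<epoch> <src> -> <dst>:<port> <proto>"
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) -> (\S+):(\d+) (tcp|udp)$")


def detect_probes(lines, window=60.0, threshold=8) -> dict:
    """Return {source: time of first alert} for sources that contacted more than
    `threshold` distinct ports on one destination within `window` seconds."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (time, port), oldest first
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                 # unparseable lines are skipped, not fatal
        ts, src, dst, port = float(m[1]), m[2], m[3], int(m[4])
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()              # expire entries that fell out of the window
        if len({p for _, p in q}) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_log() -> list:
    """Constructed traffic: one fast probe of ten ports, one normal mail client,
    one host that touches twelve ports spread over half an hour, one junk line."""
    lines = []
    for i, port in enumerate([21, 23, 25, 69, 79, 111, 513, 514, 515, 2049]):
        lines.append(f"{1000 + i} 198.51.100.9 -> 192.0.2.5:{port} tcp")
    for i in range(10):
        lines.append(f"{1000 + i * 5} 203.0.113.4 -> 192.0.2.5:25 tcp")
    for i, port in enumerate(range(6000, 6012)):
        lines.append(f"{2000 + i * 180} 203.0.113.77 -> 192.0.2.5:{port} tcp")
    lines.append("this line is not a connection record")
    return lines


if __name__ == "__main__":
    for src, when in detect_probes(sample_log()).items():
        print(f"probe suspected from {src} at t={when}")
```

Tune `window` and `threshold` to your own traffic before trusting the alerts, and remember that a detector tells you someone is looking; it does not close the holes they are looking for.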
INTO THE SOUP - THE ALPHABET SOUP

Just say CERT

Your system is under attack by the Mother of Uebercrackers, and you are in hot soup. Sooo, who do you call? AUSCERT, CERT, CERT/NL, CIAC, COAST, DFN/CERT, FIRST, NASIRC, NAVCIRT, NIH, NIST/CSRC... Just say CERT, which stands for Computer Emergency Response Team, an organization that works with users and vendors, in confidence, to respond to security incidents. Simply pick the one in or closest to your part of the world.

AUSCERT - Australia (Hotline +61 7 365 4417) http://www.auscert.org.au/
CERT - United States (Hotline +1 412 268 7090) http://www.cert.org
CERT/NL - Netherlands http://www.nic.surfnet.nl/surfnet/security/cert-nl.html
DFN/CERT - Germany http://www.cert.dfn.de/eng
What to Do if Your Site Has Been Compromised http://www.iss.net/vd/compromise.html
To the pot of gold

Orange book, yellow book, green book. They are all part of the Rainbow Series of publications on Trusted Systems, the DOD term for a system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information. The book that contains the Trusted Computer Security Evaluation Criteria is the Orange Book; and there are Canadian and European versions as well. The Yellow Book tells you how to implement the Orange Book, and the Green Book is all about password management. Insecure off-the-shelf Unix workstations, PCs, and Macintoshes need not apply.

Resources
Rainbow Series http://www.radium.ncsc.mil/tpep/library/rainbow/
Money talks

It was the best of times with the dreams of online commerce roaring across the Global Information Superhighway. It was the worst of times when it was pointed out that the Internet is one giant party line. Confidential information such as credit card numbers can easily be captured between sender and receiver. The techies rushed in with a variety of secure implementations of electronic commerce, and when the dust settled, two contenders for standardization were left. On one side was Netscape Communications, with their Secure Sockets Layer (SSL). SSL is an additional layer between the application and TCP/IP connection layers in the network protocol stack. On the other side, CommerceNet, a non-profit consortium of companies and organizations established to create an electronic marketplace on the Internet, weighed in with Secure-HTTP (S-HTTP). S-HTTP is an application level "meta-protocol" that allows web applications to negotiate the protocols of encryption and authentication to be used with the documents being exchanged. Both sides lined up major commercial supporters, submitted proposals to various standards bodies such as the World Wide Web Consortium, created reference implementations, and took gentle potshots at the other side. Was this shaping up to be another VHS versus Beta battle in the search for a common security standard for online commerce? Fortunately, saner heads prevailed. Rather than sow mass confusion and delay market development, Netscape joined forces with heavyweights IBM, America Online, and H&R Block (owner of CompuServe), and purchased a controlling interest in Terisa Systems, Inc., tasking it with the responsibility of combining the two rival standards. The Open Security Platform toolkit is expected in June of 1995. Terisa Systems, of course, is a joint venture between cryptography vendor RSA Data Security, and Enterprise Integration Technology, Internet consultants and the project manager for CommerceNet.
Resources
Secure-HTTP http://www.terisa.com/shttp/
Secure Sockets Layer http://home.mcom.com/newsref/ref/netscape-security.html
Terisa Systems and the Open Security Platform http://dengue.terisa.com:80/new/pr/041095b.html
HACKER, CRACKER, PHRACKER, SPY

What's in a name?

A hacker is a person who is intensely interested in how complex systems, in particular computer systems, work. A cracker extends this interest to unauthorized entry and modification of these systems. The term hacker has also been used synonymously with cracker, much to the dismay of hackers who are sometimes called on to detect, repair, and prevent future damage by crackers. Phrack is an electronic magazine in publication since 1985 and dedicated to providing information on operating systems, networking technologies, telephony, and news of the international computer underground. Varied topics such as lock picking and construction of acetylene bombs have also been covered in their philes. The uebercracker is a cracker of superior skill, and is very hard to keep out of your systems. Phone phreaks have a fascination with telephone systems. There is no special meaning to the word spy in computer security, but you can be an international arms courier...

Resources
A Guide to Cracking Unix http://stimpy.cac.washington.edu/~dittrich/R870/cracking_guide.html
The Uebercracker Web Page ftp://coast.cs.purdue.edu/pub/doc/true_stories/ueber.txt.Z
Phrack Magazine Home Page http://www.phrack.com
The Social Organization of the Computer Underground http://sun.soci.niu.edu/theses/gordon
Improving the Security of Your Site by Breaking Into it http://nsi.org/Library/Compsec/farmer.txt
CONFESSIONS OF AN INTERNATIONAL ARMS COURIER and other lighter elements
The export regulations on encryption present challenges we don't
quite expect. Here is the story of someone who found himself becoming
an international arms courier despite his best intentions.
If you have a fast line and your browser can understand .au sound
files, don't miss Cliff Stoll's Performance Art Theater and Networking
Security Revue. Stoll is best known for his experience tracking
a cracker through Germany and back to the KGB, a tale described
in his book, The Cuckoo's Egg.
Hacker versus cracker again took a turn in the limelight in February 95
when Tsutomu Shimomura decided to track down Kevin Mitnick after
Mitnick broke into Shimomura's computer. Shimomura ultimately
got his man, but Mitnick got the fan club. On to book and movie rights.
And then there are the Bloopers of the system administration world.
For all of us who've said Oh !@#$%! in our turn.
INFORMATION AT YOUR FINGERTIPS

The educated person knows where to find the information

There is a lot of useful information and tools on the Internet. In the interest of brevity, we have only included a selection in this issue. Major resource sites include:
Purdue University Center for Education and Research in Information Assurance and Security
COAST Archive At Purdue University
NIST Computer Security Resource Clearinghouse
NIH Unix Security Page
Curl up with a good book

Spring is here! (At least for those of us in the Northern Hemisphere.) There are times when even the most dedicated Netsurfer wants to get away from our computer screens and sit out in the garden with a good book. Here is our selection on the topic of Computer Security for your consideration.
But remember, just as with computer security, it's up to you to take care of yourself. So wear a hat and sunscreen.
AKA coming attractions

In talking about computer security, we have barely scratched the surface of cryptography and have not yet touched the thorny issues of privacy and the law. At the same time, while the Open Security Platform is still months away, commercial and financial transactions are already taking place over the Internet. Electronic cheque- and cash-equivalents are also being developed. See also
The original development for this issue of Netsurfer Focus was sponsored by
For more information about Bellcore and our other advertisers, please see the current issue of Netsurfer Security Marketplace at http://www.netsurf.com/nsf/v01/01/nsfm.01.01.html Participation in the Security Marketplace is unrelated to editorial coverage within Netsurfer Focus.
Netsurfer Focus is currently a periodic supplement to Netsurfer Digest and Netsurfer Tools.
Netsurfer Focus Home Page:
http://www.netsurf.com/nsf/index.html
To subscribe to Netsurfer Digest or Netsurfer Tools:
By WWW form: http://www.netsurf.com/nsd/subscribe.html
subscribe nsdigest-html
subscribe nsdigest-text
Publisher: S. M. Lieu
NETSURFER FOCUS (c) S. M. Lieu. This document may be distributed
freely in electronic form in its entirety and without modification.
All other rights reserved.