By security-protocols.com
Until a few years ago Internet security wasn't even recognized as a need. The culture of the Internet encouraged the sharing of data and ideas; the common goals of Internet users made boundaries and restrictions unnecessary--or so it seemed to many at the time. Originally, the people on the Internet were the people who built the Internet, but as time passed and the Internet became more useful and more reliable, they were joined by other people at their companies and universities--and then by other companies and universities. With fewer common goals and more people, the Internet became a much more dangerous place. Although various sorts of mischief were quite common, these incidents got little publicity, and most people who thought of computer security problems at all assumed that such problems involved teenagers breaking into banks with modems.
The Internet Worm changed all that. In November of 1988 the Internet linked about 60,000 computers, and a good many of them found themselves under attack. Even those not affected by the Worm still had to be checked and rechecked to be sure they were safe from infection. Estimates of the total price tag for the incident are in the hundreds of millions of dollars.
The Worm was the first Internet security incident to hit the nightly news. People who had been working in obscurity suddenly found TV camera crews in their machine rooms. The issue was no longer whether you needed to secure your computer systems--it was how you were going to secure them.
In the years since the Worm, there has been an explosion in Internet usage--and a corresponding explosion in new types of Internet attacks. Consider a few recent reports from the front:
* Over the years, computational physicist and computer security researcher Tsutomu Shimomura of the San Diego Supercomputer Center has accumulated an invaluable archive of security tools and documentation of system security holes. On Christmas Day 1994 an intruder copied the files from his archive. Two days later Shimomura received a voice mail message, bragging about the intrusion and threatening his life. Shimomura reacted aggressively by setting up stealth monitoring posts and tracking the intruder's further break-ins at telephone company switching centers, companies like Apple and Motorola, the Well, and Netcom (from which the intruder copied 20,000 credit card account numbers). Shimomura concluded that the intruder was computer criminal Kevin Mitnick, who had been sought for years by law enforcement. After an intensive hunt conducted with the cooperation of the FBI and local telephone companies, Mitnick was tracked down in Raleigh, North Carolina.
* In the fall of 1994 two writers, Josh Quittner and Michelle Slatalla, were the target of an "electronic mail bomb", apparently in retaliation for an article on the cracker community they'd published in Wired magazine. Someone broke into IBM, Sprint, and the writers' network provider and modified programs so their email and telephone service was disrupted. A flood of email messages so overwhelmed their network service that other messages couldn't get through; eventually their Internet connection was shut down entirely. Their phone service also fell victim to the intruders, who reprogrammed things so that callers were routed to an out-of-state number where they heard an obscene recording.
* More and more sites are falling victim to password sniffers. The CERT (Computer Emergency Response Team) reports that as many as 100,000 sites were targeted by password sniffers in 1994. (We'll explain what sniffers do later in this article.)
Insidious attacks like these have made computer security one of the most pressing problems facing Internet users in this decade. O'Reilly & Associates' line of computer security books looks closely at the risks of using the Internet and the measures you can take to reduce these risks.
Internet Risks
What kinds of security risks do you take on the Internet? Here's a sampling:
Password Attacks
Some years ago, before the Worm raised our consciousness about security risks, it was almost laughably easy for intruders to break into almost any system. Many sites didn't use passwords at all, or offered guest or admin passwords that users could share. Users who did have their own passwords routinely chose passwords that could be easily guessed (the names of their children or pets, their birth dates, their license plates). Because nobody bothered to encrypt files, an intruder who broke into the system could then invade almost anybody's files, take a copy of the /etc/passwd file, and later run it through a password cracking program that quickly revealed the passwords of other users in the system. Once deciphered, these purloined passwords became bartering chips among underground groups that shared technical information about product vulnerabilities and site-specific security holes.
Most systems and users have tightened up their security in the wake of the Internet Worm. Guest and admin passwords have become rarer, but password security as a whole is still laughable in most places. Group accounts abound, and invariably at least 10 percent of the passwords users select are poor (the only way to make them better is to install a password program that forces good passwords). Readily available password dictionaries, cracking programs, and password sniffing combine to make passwords very vulnerable.
How can you avoid password attacks? Educate the users on your system so they pick better passwords. Consider using system-generated passwords or, better still, stronger types of authentication, such as one-time (nonreusable) passwords.
Password Sniffing Attacks
The recent wave of password sniffing attacks on the Internet makes the strength of your passwords almost irrelevant.
How does password sniffing work? In many network setups, it is possible for any machine on a given network to hear the traffic for every machine on that network. This is true for most Ethernet-based networks, and Ethernet is by far the most common local area networking technology in use today. This characteristic of Ethernet is especially dangerous because most of the protocols in use today are unencrypted. As a result, the data sent and received is there for anybody to snoop on. This data includes files accessed via network file systems, passwords sent to remote systems during Telnet, FTP, and rlogin sessions, electronic mail sent and received, and so on.
A password sniffer is a program that takes advantage of this characteristic to monitor all of the IP (Internet Protocol) traffic on its part of the network. By capturing the first 128 bytes of every FTP or Telnet session, for example, password sniffers can easily pick up your user name and password as you type them. Password sniffers may use programs provided for network debugging as building blocks, or may be written to use the services directly. Special-purpose password sniffing toolkits are widely available to attackers.
The danger of password sniffing attacks is in their rapid spread. Favorite targets for sniffers are network providers and public access systems where the volume of Telnet and FTP connections is huge. One sniffer on large public access systems can collect thousands of sniffed account names and passwords, and then compromise every system accessed. Even if your systems are as secure as possible and your user passwords are not guessable, you can be infected by a packet sniffer running at any site that your users can log in from, or at any site their packets will cross to get to you.
Password sniffing can happen anywhere. Many people make the mistake of assuming that because they're using a well-known, commercial service, there is no danger in remotely accessing their own machines across the network. In fact, the commercial services are prime targets, and most of them are periodically compromised. In any case, a connection may cross a large number of intermediate networks, which each represent unknown risks.
How can you avoid being sniffed? In general, you can't and still provide remote network access. If your password ever passes across a network which might be insecure--electronically or physically--it is likely to be captured. What you can do is ensure that an intruder who gets your password can't use it. One-time (nonreusable) passwords are probably the most effective way. Using a freely available program like Bellcore's S/Key may not keep your passwords from being viewed, but because these passwords are used only once, it doesn't really matter if they are seen.
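The reason a sniffed one-time password is worthless is the hash chain S/Key is built on. The following is an added example written for this article (not Bellcore's S/Key code); it follows the S/Key chain idea but uses SHA-256 where the original used MD4, and the secret, seed and chain length are constructed for the demo.

```python
"""S/Key-style one-time password check.

The server stores only H^n(secret||seed). Login i presents H^(n-i)(secret||seed);
the server checks that hashing it once gives the stored value, then keeps the
presented value as the new stored value. A sniffer who captures one password
cannot derive the next (H is one-way), and replaying the captured one fails
because the server has already moved down the chain.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # SHA-256 stands in for S/Key's MD4


def chain(secret: str, seed: str, k: int) -> bytes:
    """H applied k times to secret||seed; k = 0 is the raw secret and is never sent."""
    value = (secret + seed).encode()
    for _ in range(k):
        value = _h(value)
    return value


class SKeyServer:
    """Server side: holds the seed, the current sequence number and H^count."""

    def __init__(self, secret: str, seed: str, n: int):
        self.seed = seed
        self.count = n                          # sequence number of self.stored
        self.stored = chain(secret, seed, n)    # the secret itself is not kept

    def challenge(self) -> Optional[Tuple[int, str]]:
        """Login prompt: (sequence number to use, seed), or None when the chain
        is used up and the user must re-enroll with a fresh seed."""
        if self.count <= 1:
            return None
        return self.count - 1, self.seed

    def login(self, password: bytes) -> bool:
        if self.count <= 1:
            return False            # chain exhausted; never accept the raw secret
        if not hmac.compare_digest(_h(password), self.stored):
            return False            # wrong value, or a replay of an already-used one
        self.stored = password      # advance one step down the chain
        self.count -= 1
        return True


def demo() -> Tuple[bool, bool, bool]:
    """A legitimate login, a sniffer's replay of the same password, and the
    next legitimate login. Secret and seed are constructed demo values."""
    secret = "correct horse battery"
    server = SKeyServer(secret, "se01", 5)
    count, seed = server.challenge()
    pw = chain(secret, seed, count)     # computed offline by the user's calculator
    first = server.login(pw)
    replay = server.login(pw)           # captured on the wire and sent again
    count, seed = server.challenge()
    second = server.login(chain(secret, seed, count))
    return first, replay, second        # (True, False, True)
```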
NFS and Other Data Service Attacks
A number of services exist to allow computers to share information with each other and to allow users to move easily from computer to computer. These services are an important part of the power of UNIX networks. Unfortunately, they are often exploited by attackers, who convince these services to share more information than intended or to share it with unintended recipients. Often this occurs because designers were concerned with local area network access and did not realize that services might also be available across wide area networks to other organizations.
The Network File System (NFS) and Network Information Service (NIS) are notoriously easy ways to attack a system. NFS allows systems to share files over a network by letting a client mount a disk on a remote server machine. NIS maintains a distributed database of password tables, group files, host tables, and other information that systems on a network can share. Many sites choose not to support NIS at all, and some avoid even NFS. However, these services are not a problem if they are run in a protected environment (for example, behind a firewall).
If you haven't properly protected your site, an attacker may be able to simply NFS-mount your filesystems. The way NFS works, client machines are allowed to read and change files stored on the server without having to log into the server or enter a password.
Because NFS doesn't log transactions, you might not even know that someone has full access to your files.
NIS is most often used to distribute password information, and most implementations of NIS provide absolutely no control over which machines can request information. As long as an attacker can guess the name of your NIS domain and can send an NIS request to your NIS server, that attacker can get a full copy of your password information (including encrypted passwords), even if you are running shadow passwords and the passwords are not in the /etc/passwd file. The attacker is then free to crack your passwords at leisure.
NFS, NIS, and other services have additional security vulnerabilities, both obvious and not so obvious. For example, NFS has very weak client authentication, and an attacker may be able to convince the NFS server that a request is coming from a client that is permitted in the exports file (the file that lets you specify which file systems can be mounted via NFS, and which other machines can mount them). There are also situations in which an attacker can hijack an existing NFS mount. (See the discussion of hijacking attacks later in this article.)
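The first thing to check on an NFS server is the exports file itself: whether any filesystem can be mounted by an arbitrary host. The audit below is an added example, not code from the article; it assumes the Linux-style "/path client(options) client(options)" exports syntax, and the sample file is constructed for the demo.

```python
"""Audit an NFS exports file for filesystems that any host can mount."""
import re
from typing import List, Tuple

SAMPLE_EXPORTS = """\
# constructed /etc/exports for the demo
/export/home    ws1.example.com(rw,sync) ws2.example.com(rw,sync)
/export/tools   *.example.com(ro)
/export/scratch
/export/src     ws1.example.com (rw)
/export/pub     192.0.2.0/24(ro) *(rw,no_root_squash)
"""

_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # host(opt,opt) -> host, opts

Entry = Tuple[str, List[Tuple[str, List[str]]]]


def parse_exports(text: str) -> List[Entry]:
    """[(path, [(client, [option, ...]), ...]), ...]; comments and blanks skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for spec in fields[1:]:
            m = _SPEC_RE.match(spec)
            host = m.group(1) if m else spec
            opts = m.group(2).split(",") if m and m.group(2) else []
            clients.append((host, opts))
        entries.append((fields[0], clients))
    return entries


def audit_exports(text: str) -> List[str]:
    """One finding per export that an arbitrary host could mount or abuse."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append(f"{path}: no client list, any host may mount it")
            continue
        for host, opts in clients:
            if host in ("", "*"):
                # "" is the classic "host (rw)" typo: the space makes the
                # options apply to everyone, and the host gets the defaults.
                findings.append(f"{path}: exported to every host ({','.join(opts) or 'default'})")
            elif ("*" in host or "?" in host) and "rw" in opts:
                findings.append(f"{path}: read-write export to wildcard {host}")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {host}, client root acts as server root")
    return findings
```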
Denial of Service Attacks
There are two classic types of denial of service attacks, both particularly devastating when used on a network. Earlier in this article, we described an "electronic mail bomb" that shut down service by flooding an email mailbox. That's one type of denial of service--the same type performed by the Internet Worm. What happens here is that an intruder so floods a system or network--with messages, processes, or network requests--that no work can be done. The system or network spends all its time responding to messages and requests, and can't actually satisfy any of them.
In the other category of attack, equipment or services are completely shut down or disabled. With ICMP attacks, which are becoming more common on the Internet, an attacker sends an ICMP message to a host or router, telling it to stop sending packets to all or part of the network.
How can you prevent denial of service attacks? The best defense against an ICMP attack is to install a firewall that ignores or filters ICMP messages. In general, though, denial of service attacks are tough to prevent--electronically, as well as in real life. If you accept things from the external world--electronic mail, telephone calls, or packages--it's possible to get flooded. The famous college prank of ordering a pizza or two from every pizzeria in town to be delivered to your least favorite person is a form of denial of service. (It's hard to do much while arguing with 42 pizza deliverers.) In the electronic world, denial of service is as likely to happen by accident as on purpose. (Have you ever had a persistent fax machine try to fax something to your voice line?) The most important thing is to set up services so that if one of them is flooded, the rest of your site keeps functioning while you fix the problem.
Fortunately, denial of service attacks are not terribly popular. They're easy enough to be unsporting; they tend to be simple to trace back--and therefore risky to the attacker; and they don't provide the attacker with the information or the ability to use your computers that is the payoff for most other attacks. Intentional denial of service attacks are the work of people who are angry at your site in particular--and at most sites, there are very few such people.
IP Attacks
Attackers sometimes take advantage of a little-used option--the source routing option--in the IP header of packets being sent across the Internet. Even systems protected by firewalls have fallen victim to these types of attacks.
Certain kinds of firewalls work by keeping packets from being routed from an outside system into your internal network. In normal packet routing, packets are routed in the most efficient way from source to destination. However, if the source routing option is specified for a packet, it shows the particular route that the packet is to follow. Unfortunately, turning off the regular routing of packets from the Internet to an inside network doesn't turn off the routing of source-routed packets on BSD systems. Attackers have exploited this peculiarity and used it to penetrate systems that are expecting their firewalls to keep all such outside packets out.
Another attack, which surfaced for the first time in early 1995, involves attackers creating packets with false IP addresses. By exploiting applications that use authentication based on IP addresses (such as the so-called Berkeley "r" commands, which include rlogin, rsh, and rcp), intruders have been able to gain access. Most of the attacks take advantage of the ability of intruders to guess sequence numbers associated with network connections and the acknowledgments passed between machines. These attacks are technically tricky, because the intruder doesn't receive the responses to the packets it sends; when they succeed, however, the payoff for these attacks can be high. (The attack on Shimomura described earlier was this type.)
How can you prevent these attacks? Firewalls are the only sufficient defense. You want to look for packets on your external interface (that is, packets coming from outside your internal network) that claim to have internal source IP addresses and for packets that have source routes specified. You can do this by installing an appropriately configured packet filtering router. It's also best to avoid address-based authentication completely, if you can.
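The two checks above, expressed as packet-filter rules, as an added example written for this article (not the article's code and not any real router's configuration). It assumes an internal prefix of 192.0.2.0/24, adds a rule blocking the address-authenticated rlogin/rsh ports from outside in line with the advice to avoid address-based authentication, and goes one step beyond the text with the egress counterpart of the anti-spoofing check; the sample packets are constructed, not captured.

```python
"""Packet-filter checks for source-routed and address-spoofed packets."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Assumed site layout: 192.0.2.0/24 (a documentation prefix) is the inside.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# IP option type codes: 131 = loose source route, 137 = strict source route.
SOURCE_ROUTE_OPTIONS = {131, 137}
# TCP services whose authentication is address-based (rlogin 513, rsh 514).
ADDRESS_AUTH_PORTS = {513, 514}


@dataclass
class Packet:
    iface: str                  # "ext" = Internet side, "int" = inside
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ip_options: List[int] = field(default_factory=list)   # option type codes


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> str:
    """First matching rule wins; returns 'pass' or 'drop:<reason>'."""
    # 1. Source-routed packets are refused on every interface: the option lets
    #    the sender dictate the path, bypassing the normal routing decision.
    if SOURCE_ROUTE_OPTIONS & set(pkt.ip_options):
        return "drop:source-routed"
    if pkt.iface == "ext":
        # 2. A packet arriving from the Internet never legitimately carries
        #    an inside source address.
        if is_internal(pkt.src):
            return "drop:spoofed-internal-source"
        # 3. Keep outside hosts away from services that trust source addresses.
        if pkt.proto == "tcp" and pkt.dport in ADDRESS_AUTH_PORTS:
            return "drop:address-authenticated-service"
    else:
        # 4. Egress counterpart (beyond the article's two checks): packets
        #    leaving the site must carry an inside source address.
        if not is_internal(pkt.src):
            return "drop:spoofed-outbound-source"
    # Whatever survives goes on to the site's service policy (not modelled here).
    return "pass"


# Constructed sample traffic, not captured packets.
SAMPLE = [
    Packet("ext", "192.0.2.10", "192.0.2.1", dport=513),           # spoofed inside source
    Packet("ext", "198.51.100.7", "192.0.2.1", ip_options=[131]),   # loose source route
    Packet("ext", "198.51.100.7", "192.0.2.1", dport=514),          # rsh from outside
    Packet("ext", "198.51.100.7", "192.0.2.1", dport=25),           # SMTP, allowed through
    Packet("int", "203.0.113.5", "198.51.100.7"),                   # outbound with foreign source
]


def run_sample() -> List[str]:
    return [filter_packet(p) for p in SAMPLE]
```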
Hijacking Attacks
Another emerging Internet threat involves the hijacking of any open terminal or login session from users on the system. Once intruders have root access on a system, they use a tool that lets them dynamically modify the UNIX kernel. This allows them to take over terminal connections after any authentication procedures have been completed. Even the strongest authentication (e.g., one-time passwords) is irrelevant because the attack occurs after the user successfully logs in. (This is another way that your systems can be compromised from any system that your users can log in from.)
This sort of attack has always been possible, but is easier to do and harder to detect with the new tools. Various forms of hijacking--from the completely unsubtle method of waiting for someone to get up for a cup of coffee without locking their screen, to the devious exploitation of window systems--have long been the most popular attacks at universities and other places where people may legitimately have access and yet simultaneously be hackers. In the past, these attacks have mostly been aimed at users at the site where the attacks were taking place. The new attacks are aimed at getting from a compromised system to an otherwise uncompromisable system across the Internet.
How can you prevent this attack? Once intruders have root access, you can't. So keep them out to begin with.
Security Solutions
Getting discouraged about connecting to the Internet or doing any real work on it? Don't be. There are ways to protect your system against the threats we've described.
There isn't a magic Internet security bullet. The best security solution isn't a simple solution, but a collection of strategies and techniques. Your own site's security philosophy, the characteristics of your users, the type of data you're protecting, and your budget all help determine the right approach for you. Here are some suggestions.
Enforce Good Host Security
With host security, you enforce the security of every machine at your site separately, and you make every effort to learn about, and plug, any security holes that your particular operating system presents. Although host security isn't a complete solution to Internet risks--there are simply too many machines, vendors, and operating systems to be sure that you've successfully been able to secure them all--you need to make sure that every system on your local network is as secure as you can make it. Systems exposed directly to Internet traffic need especially strong host security.
In Practical UNIX Security, Simson Garfinkel and Gene Spafford offer hundreds of specific suggestions for host security and also discuss a wide range of network security problems and solutions. This book has become the classic security reference for UNIX users and system administrators.
Encryption of Files and Email
If you use good encryption, then even if an intruder gets access to your files and messages, he won't be able to make sense of them. There are many types of encryption programs. Make sure to use one that uses a strong cryptographic algorithm. Although it's been around a long time, the Data Encryption Standard (DES) is still a pretty sound private key encryption algorithm, particularly if you use a variant, like Triple-DES. IDEA, RC2, and RC4 are other good private key algorithms. The RSA algorithm is the premier public key algorithm. It's a part of Lotus Notes, Novell NetWare, and hundreds of other products. Diffie-Hellman and Merkle-Hellman are other good public key algorithms.
PGP is a program that implements the RSA algorithm and is freely available on the Net (for noncommercial use within the United States). In PGP: Pretty Good Privacy, Simson Garfinkel describes how to use PGP to encrypt files and email and how to "sign" your email with an unforgeable digital signature, proving to recipients that your messages were sent by you and weren't modified during transmission. The book also contains a fascinating, behind-the-scenes look at the development of Phil Zimmermann's controversial program and the issues surrounding privacy, the export of encryption programs, and cryptography patents.
Use Firewalls
A firewall restricts access from your internal network to the Internet--and vice versa. A firewall may also be used to separate two or more parts of your local network (for example, protecting finance from R&D).
The dictionary definition of "firewall" is: "A fireproof wall used as a barrier to prevent the spread of a fire." A fire may damage, or even destroy, one section of a building, but a firewall may keep that fire from spreading to other sections of the building; at the very least, it may slow down the spread until the fire can be brought under control.
On computer networks, firewalls serve an analogous purpose. A security problem somewhere on a network--for example, eavesdropping, a major break-in, or a worm program--may do a great deal of damage to one portion of the network. But if a firewall is in place, it can isolate what's behind it from the security problem. Without firewalls, network security problems can rage out of control, dragging more and more systems down. Once one system on a network has been compromised, it's often trivial to compromise the others. Shared system resources, homogeneous services, and trust policies may all contribute to the spread of a security problem from one system to another.
Think of a firewall as a checkpoint; all traffic is stopped and checked at this point--usually, at the perimeter of your internal network, where you connect to the Internet (see the figure above). Your own site's security policy determines what happens at the checkpoint. Some requests (e.g., requests for email service) might pass right through. Others (e.g., requests for potentially dangerous services like NFS or NIS) might be turned away. Still others (e.g., requests for FTP file transfers) might be routed to proxy services, which satisfy the requests without directly exposing internal systems.
If your site is connected to the Internet, you may want to check out our forthcoming book, Internet Security Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky. It contains the details of various firewall approaches and architectures, how you can build packet filtering and proxying solutions at your site, and how to configure Internet services to work with a firewall.
Use Secure Procedures
Purely technical solutions go only so far. Just as there is a human element to committing computer crimes, there is a human element to preventing them. Be smart about prevention, and make sure your organization enforces good security procedures in everything it does. Physical security (e.g., using access cards for entry, protecting network cabling, etc.), personnel security (e.g., removing the accounts of people who leave your organization), and operational security (e.g., varying the schedules for changing passwords, checking log files, etc.) are less technical, but nevertheless important, parts of Internet security.
Two books provide valuable information on understanding and establishing security at your site.
Computer Security Basics, by Deborah Russell and G. T. Gangemi, is the first book to read if you want to learn what computer security is all about. It contains the basics of access control, encryption, trusted systems, and physical security, as well as a history of computer security developments, U.S. Government security programs (such as the "Orange Book"), and a complete glossary and resource summary.
Computer Crime: A Crimefighter's Handbook, by David Icove, Karl Seger, and William VonStorch, is aimed particularly at those who need to investigate computer crimes--law enforcement, managers, and others. It describes targets, criminals, methods, and security measures you can take to prevent them. It also details the way to detect, investigate, and prosecute computer crimes, and it includes the complete text of all computer crime laws, both federal and state.
president of SAGE (the System Administrator's Guild). She has been involuntarily involved in Internet security since before the Worm.