[Netsurfer Focus Logo]

NETSURFER FOCUS: COMPUTER AND NETWORK SECURITY

Wednesday, April 26, 1995 - Volume 01, Issue 01


"God is in the details"

TABLE OF CONTENTS

About Netsurfer Focus
The Only Safe Computer is a Dead Computer
Good Housekeeping
Open Sesame
Into the Labyrinth
The Little Black Bag
Great Walls of Fire
Kerberos
Much Ado About Satan
Into the Soup - the Alphabet Soup
A Tale of Two Securities
Follow the Rainbow
Hacker, Cracker, Phracker, Spy
Confessions of an International Arms Courier
Information at Your Fingertips
From Screen Worship to Sun Worship
Dangling Pointers
OUR SPONSOR: BELLCORE
CONTACT INFORMATION
CREDITS

ABOUT NETSURFER FOCUS


Editor's Introduction

Welcome to Netsurfer Focus! In putting together Netsurfer Digest we have discovered that sometimes a topic deserves more attention and depth than can be provided in the Digest. Netsurfer Focus is designed to address these topics. Each issue focuses on a single topic, and is published on a periodic basis. Like the Digest, issues are sent out via e-mail and placed at our World Wide Web site. In addition, the issues are supplemented by a comprehensive database of resources at our web site. This two-tiered approach allows us to give the big picture for general readers and provide detailed resources for the experts.

Netsurfer Focus departs from the Digest format that you love and support. But we hope that it delivers the same useful and entertaining values of our "More Signal, Less Noise" promise. Please let us know what you think by writing to focus@netsurf.com. Your input will help us shape future issues of the Focus.

THE ONLY SAFE COMPUTER IS A DEAD COMPUTER


The three tradeoffs

Life is full of tradeoffs and computer security is no different.

  1. The only safe computer is a dead computer. Or at least a disconnected one. If no one can get to it, no one can harm it. The only problem is, it's not exactly useful in that state. So the extent of computer safety or security is always a tradeoff between putting the computer to use and restricting its misuse and abuse.
  2. The time and money you spend on securing your computer has to be weighed against the likely loss if it is broken into or damaged; e.g., you're not likely to keep your garbage under lock and key.
  3. The cracker likewise has a cost-benefit tradeoff. It's unlikely that someone will break into Fort Knox for a box of wheaties. So a modicum of good housekeeping can serve as an effective deterrent against the doorknob rattlers and window breakers.

As you design or modify your computer and network security, think about how you want to use your systems and what you stand to lose if it is compromised. This will help guide your choice of solutions and their relative complexity and costs.

GOOD HOUSEKEEPING


Or, more things come in threes

All systems consist of three components, the software and hardware parts, the people, and the procedures. The same is true of computer and network systems. Securing your computer system means security of the software and hardware, trustworthiness of the people who use and manage it, and reliability of the procedures for using and managing the system. In this issue, we will mainly focus on secure software and system management practices. But when you are evaluating the security of your system, don't forget to consider the other components.

And while we are talking about threesomes, remember that there are three kinds of threats to your system: malice, ignorance, and acts of god or nature. A malfunctioning sprinkler system in the computer room, a magnitude 6.0 earthquake, a disgruntled employee, or a misguided big cheese can do equal amounts of damage. Think through each of the components, the what-if scenarios, the technical and non-technical solutions, and the cost-benefit tradeoffs. Also, don't count on your computer to come out of the box with its security mechanisms set up correctly for you. They aren't always that way.

The bottom line: It really is housekeeping, and it really is up to you what kind of a computer house you keep.

OPEN SESAME


Ali Baba is my real name

The whole idea of security is tied to who can have access to what. You prove who you are by providing a secret password. The cave doors magically open and you get to the jewels: you can read and write files, run programs, allow other users access to your files and computers, etc. Multiuser computer systems, like Unix, usually have a hierarchy of personages, each with different access privileges. If you prove you are the Grand Vizier (a.k.a. root), you can basically do whatever you want - wipe out entire disks of files, change how the system is set up, and maybe even launch a frog battalion against Upper Timbuktu. However, even the lowliest courtier can let intruders in, setting off a chain of intrigue and skullduggery of who does what to whom.

So the first line of defence is secure passwords. The second is to make sure that only selected people have access to the powerful files and tools.
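What "secure passwords" means in practice is that the password survives the kind of guessing a cracker does. The checker below is an added example written for this issue, not the code of npasswd or Crack (both listed in The Little Black Bag further on); it applies the mutations a dictionary cracker tries to a candidate password before the user is allowed to keep it. The word list is a constructed stand-in for /usr/dict/words, and the rules and thresholds are this example's own choices.

```python
"""Proactive password checker in the spirit of npasswd and the rules Crack
uses to guess. Added example, not npasswd's or Crack's own code; the word
list is a constructed stand-in for /usr/dict/words."""
import re

# Constructed mini dictionary; a real checker loads /usr/dict/words and the
# Crack word lists, which run to hundreds of thousands of entries.
DICTIONARY = {"password", "secret", "sesame", "vizier", "welcome", "dragon"}

# Letter-for-digit substitutions a cracker undoes: 0->o, 1->l, 3->e, 4->a, ...
_UNLEET = str.maketrans("013457@$", "oleastas")


def _candidates(password: str):
    """Mutations a dictionary cracker tries: as typed, reversed, digits or
    punctuation stripped, 'leet' substitutions undone."""
    p = password.lower()
    yield p
    yield p[::-1]
    yield p.strip("0123456789")
    yield re.sub(r"[^a-z]", "", p)
    yield p.translate(_UNLEET)
    yield re.sub(r"[^a-z]", "", p.translate(_UNLEET))


def check_password(password: str, username: str) -> list:
    """Return the reasons the password would be rejected (empty list = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(pat, password))
                  for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    low, user = password.lower(), username.lower()
    if user and (user in low or low in user):
        problems.append("derived from the user name")
    for c in _candidates(password):
        if c in DICTIONARY:
            problems.append("dictionary word or simple mutation of one (%r)" % c)
            break
    return problems


if __name__ == "__main__":
    for pw, user in (("Sesame1!", "alibaba"), ("Drag0n", "bob"),
                     ("Tr!xie-Lamp-42", "bob"), ("alibaba99", "AliBaba")):
        print(pw, "->", check_password(pw, user) or "accepted")
```

The point of running the mutations at password-setting time rather than later is that Crack does exactly this against the whole password file at leisure; a password that fails here would fall in seconds, and "Sesame1!" is still "sesame" once the decorations come off.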

INTO THE LABYRINTH


Twisty passages all connected to each other

Now, connect your single computer to other computers, through phone lines, a local network, or the Internet. The plot thickens. An intruder doesn't even have to be physically near your computer. Through the magic of telecommunications, they are only a handshake or two away. At this point, to make things worse, not only can people try to pretend they are you, computers can also pretend they are your computers (known in the vernacular as "spoofing"). And oh, by the way, about the telecommunications - it's a party line. On the way from your computer to some other computer, anyone can use a "sniffer" program to tap in and listen to what you are saying.

Before you hide your computer under the bed, remember our friends, the tradeoffs. Think through the system components and the risks methodically and logically. You've done the basic good housekeeping on each computer. Minimize your risk by making only one of them publicly available and hiding the rest behind a secure barrier or firewall. Then focus on the exposed gateway computer and make it as secure as you can from potential intruders. Monitor it for intruders. And make sure you don't transmit secret information - like your password - over the Internet without protection.
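One way to log in across a party line without handing your password to every sniffer on the path is a one-time password: each login uses a value that is useless once it has been seen. The hash chain below is the scheme behind S/Key (listed under The Little Black Bag). It is an added example, not Bellcore's S/Key code: real S/Key folds MD4 output to 64 bits and has the user type six short English words, whereas this version uses SHA-256 and raw bytes, but the protocol logic is the same.

```python
"""One-time passwords from a hash chain, the scheme behind S/Key. Added
example, not Bellcore's S/Key code: real S/Key folds MD4 output to 64 bits
and speaks six short English words; this version uses SHA-256 and raw
bytes, but the protocol logic is the same, and it survives a sniffed line."""
import hashlib
import secrets


def _h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def enroll(passphrase: str, seed: str, n: int = 100) -> dict:
    """Client side. Compute the chain head h^n(seed||passphrase). The server
    keeps only (seed, n, h^n); the passphrase itself never crosses the wire."""
    x = _h((seed + passphrase).encode())      # h^1
    for _ in range(n - 1):
        x = _h(x)                             # h^2 ... h^n
    return {"seed": seed, "count": n, "last": x}


def client_response(passphrase: str, seed: str, count: int) -> bytes:
    """Client side, given the server's challenge (seed, count): return
    h^(count-1), the one value the server has not yet seen."""
    x = _h((seed + passphrase).encode())
    for _ in range(count - 2):
        x = _h(x)
    return x


def server_verify(state: dict, response: bytes) -> bool:
    """Server side. Accept iff h(response) equals the stored head, then roll
    the state forward so a sniffed response is useless if replayed."""
    if state["count"] <= 1:
        return False              # chain exhausted: re-enroll with a new seed
    if not secrets.compare_digest(_h(response), state["last"]):
        return False
    state["last"] = response
    state["count"] -= 1
    return True


def demo() -> tuple:
    """Login, replay of the sniffed response, then the next legitimate login.
    Returns (first_ok, replay_ok, second_ok) -> (True, False, True)."""
    state = enroll("correct horse battery", "ns0001", n=3)
    r1 = client_response("correct horse battery", state["seed"], state["count"])
    first = server_verify(state, r1)
    replay = server_verify(state, r1)       # eavesdropper tries the same value
    r2 = client_response("correct horse battery", state["seed"], state["count"])
    second = server_verify(state, r2)
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

The sniffer sees h^(n-1) go by, but the next login needs h^(n-2), and the hash function cannot be run backwards. Two caveats a practitioner will want: the server must update (count, last) before it grants the session, or an attacker who races the legitimate user gets a replay window, and the chain eventually runs out, so re-enroll with a fresh seed before count reaches one.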

THE LITTLE BLACK BAG


Basic tools of the trade

You want to make sure of the basics: that the passwords on your system are secure and hard to break, that only the right people have write access to system files and programs, and that no one has modified the files without your knowledge. A log of who has been active on your system is also helpful for monitoring usage and documenting malfeasance. Here are some useful readings and a list of (free) tools that will help you get started on protecting your system.
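Two of those basics, write access to system files and detecting modification of them, are what COPS and Tripwire (listed below) automate. The following is an added example written for this issue, not the code of either tool: it records a baseline of file digests and modes, reports what changed, and separately flags files anyone on the system can write. It builds a small constructed "system" tree in a temporary directory so it runs anywhere.

```python
"""Tripwire-style integrity baseline plus a COPS-style permission check.
Added example, not Tripwire's or COPS's own code; the file tree it walks is
constructed in a temporary directory so it runs anywhere."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Digest plus the metadata an intruder tends to change."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def baseline(root: str) -> dict:
    """Record every regular file under root. Keep the result where an
    intruder cannot rewrite it (Tripwire's advice: read-only media)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                db[os.path.relpath(p, root)] = fingerprint(p)
    return db


def compare(root: str, db: dict) -> dict:
    """Re-walk the tree and report differences against the baseline."""
    now = baseline(root)
    return {
        "changed": sorted(p for p in db if p in now and now[p] != db[p]),
        "added": sorted(set(now) - set(db)),
        "deleted": sorted(set(db) - set(now)),
    }


def world_writable(root: str) -> list:
    """COPS-style check: files anyone may modify are a problem whether or
    not their contents have changed yet."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and os.stat(p).st_mode & stat.S_IWOTH:
                bad.append(os.path.relpath(p, root))
    return sorted(bad)


def demo() -> dict:
    """Constructed tree: baseline it, then play intruder (trojaned login
    that records passwords, plus a hidden extra shell) and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    for rel, body, mode in (("bin/login", b"#!/bin/sh\nexec real-login\n", 0o755),
                            ("etc/passwd", b"root:x:0:0::/:/bin/sh\n", 0o644),
                            ("etc/motd", b"Welcome\n", 0o666)):
        p = os.path.join(root, rel)
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, mode)
    db = baseline(root)
    with open(os.path.join(root, "bin/login"), "wb") as f:
        f.write(b"#!/bin/sh\necho $1 >> /tmp/.x; exec real-login\n")
    with open(os.path.join(root, "bin/.sh"), "wb") as f:
        f.write(b"#!/bin/sh\nexec sh\n")
    report = compare(root, db)
    report["world_writable"] = world_writable(root)
    return report


if __name__ == "__main__":
    print(demo())
```

The digest catches the trojaned login even though its mode and owner are untouched; the mode check catches etc/motd before anyone bothers to abuse it. Note that an intruder with root can also rewrite the baseline, which is why the baseline belongs on media the running system cannot write.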

References

Site Security Handbook (RFC 1244)
"http://www.cis.ohio-state.edu/hypertext/htbin/rfc/rfc1244.html"
Basic Computer Security
"http://www.cis.ohio-state.edu/hypertext/faq/usenet/security-faq/faq.html"

Password crackers and checkers

Crack
"ftp://ftp.win.tue.nl/pub/security/crack4.1.tar.Z"
Crackerjack (for DOS)
"ftp://theta.iis.u-tokyo.ac.jp/pub1/security/tools/Crackerjack-1.4.tar.gz"
Npasswd
"ftp://emx.utexas.edu/"
S/key
"ftp://thumper.bellcore.com/pub/skey/"

Check system for password protection, access permissions, system file modifications

COPS
"ftp://cis.ohio-state.edu/pub/cops"
tiger
"ftp://net.tamu.edu/pub/security/TAMU/"
Tripwire
"ftp://coast.cs.purdue.edu/pub/COAST/Tripwire"

Login Monitoring

PowerLogin/PowerBroker
"http://www.fsa.ca/"
SysGuard
"http://www.bellcore.com/SECURITY/sysguard.html"

GREAT WALLS OF FIRE


Put all your eggs in one basket and watch it

Every computer is a potential host of vulnerabilities. The more accessible it is, the more it is susceptible to attack. Connecting to a network such as the Internet makes it potentially accessible to everyone on the network. We want the advantages of Internet access, but we also need to limit our exposure to intruders. The solution is often the installation of a "firewall", so that only selected "gateways" have access to the outside world.

The "gateway", either a computer or a router, stands guard over your network, rejecting all incoming traffic not directed to itself, and selectively forwarding communications such as mail between the inside and outside networks. A proxy server is a program that mediates application-specific traffic, e.g., ftp, through the firewall, making secure access less cumbersome. It usually has additional logging, user authentication, and protocol-specific security capabilities.

The computer firewall industry has become a hotbed of growth with the increasing popularity of the Internet. You can build your own from free software toolkits, purchase hardware and/or software solutions from a vendor, or engage consultants who will implement a custom solution. Hardware solutions include both Intel x86 boxes running Unix and network routers that support intelligent packet filtering. Another option is to use an Internet Service Provider who provides the firewall and gateway service between your network and the Internet. Whatever approach you choose, protecting the exposed gateway is of primary importance, and a later section on Satan suggests some tools that can be used.
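The "intelligent packet filtering" a screening router does is an ordered rule table: the first rule that matches a packet decides, and a packet that matches nothing is dropped. The filter below is an added example written for this issue, not the rule syntax of drawbridge or of any vendor's router; the network 10.0.0.0/8 (inside), the gateway address 192.0.2.1 and the rules themselves are constructed to illustrate the policy described above: the bastion answers mail from outside, inside hosts are not reachable except for replies to connections they opened, and nothing from outside may claim an inside address.

```python
"""Screening-router packet filter: ordered rule table, first match wins,
default deny. Added example, not the syntax of drawbridge or of any vendor's
router; addresses and rules are constructed (10.0.0.0/8 inside, 192.0.2.1
the gateway)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    direction: str          # "in" (from the Internet) or "out"
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    dport: int = 0
    ack: bool = False       # TCP ACK flag set (not the first packet of a connection)


@dataclass
class Rule:
    action: str             # "allow" or "deny"
    direction: str
    src: str                # CIDR
    dst: str                # CIDR
    proto: str = "any"
    dport: Optional[int] = None
    ack_only: bool = False  # match only TCP segments with ACK set
    comment: str = ""


INSIDE = "10.0.0.0/8"
GATEWAY = "192.0.2.1/32"

RULES = [
    # Anti-spoofing: a packet arriving from outside may not claim an inside source.
    Rule("deny", "in", INSIDE, "0.0.0.0/0", comment="spoofed inside source"),
    # Only the bastion host is reachable from outside, and only for mail.
    Rule("allow", "in", "0.0.0.0/0", GATEWAY, "tcp", 25, comment="smtp to bastion"),
    # Replies to connections opened from inside: ACK set means not a new
    # connection (a stateless approximation of "established").
    Rule("allow", "in", "0.0.0.0/0", INSIDE, "tcp", ack_only=True, comment="established"),
    # Anything from inside may go out.
    Rule("allow", "out", INSIDE, "0.0.0.0/0", comment="outbound"),
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.ack_only or (pkt.proto == "tcp" and pkt.ack)))


def filter_packet(pkt: Packet, rules=RULES) -> tuple:
    """Return (action, reason) from the first matching rule; deny if none."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    for p in (Packet("in", "198.51.100.7", "192.0.2.1", "tcp", 25),
              Packet("in", "198.51.100.7", "10.1.2.3", "tcp", 23),
              Packet("in", "10.9.9.9", "10.1.2.3", "tcp", 25),
              Packet("in", "198.51.100.7", "10.1.2.3", "tcp", 34567, ack=True)):
        print(p.src, "->", p.dst, p.dport, filter_packet(p))
```

Two caveats. Rule order is the policy: put the anti-spoofing deny before any allow, or the allow wins. And the "established" rule trusts a flag the sender controls; a stateless filter will pass any packet with ACK set, which is why a proxy or a gateway that tracks connections is the safer place to let replies through.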

Reading

Firewall FAQ
"http://www.tis.com/Home/Firewalls/FAQ.html"
Thinking about Firewalls
"http://first.org/secpubs/fwalls.ps"
Routers and Firewalls
"ftp://ftp.livingston.com/pub/firewall/firewall-1.1.ps.Z"
Keeping the Visigoths Out
"http://www.ziff.com/~pcweek/netweek/jan_1995/rev_ttech_0123.html"

Firewall Tools

Firewall Toolkit
"ftp://ftp.tis.com/pub/firewalls/toolkit/"
drawbridge (IP bridging filter)
"ftp://net.tamu.edu/pub/security/TAMU/"
Socks (generic proxy server)
"ftp://ftp.nec.com/pub/security/socks.cstc"

Secure Internet Service

Pilot Networking Services
"http://www.pilot.net/"

KERBEROS


The three-headed hound from hell

You've protected your systems from external threats with a firewall, but what happens when you cannot trust everyone in your own organization? You may have confidential data to send, e.g., personnel records, or you may just need to log in to another host in your network. This is particularly true in the academic environment. MIT considered this problem back in the 80's and came up with the Kerberos package. This is an authentication system that uses cryptography to protect passwords and other sensitive information in network traffic.

Kerberos relies on the security of a central authentication server, i.e., a single point of failure. Every network program, such as remote login, that wants to use its authentication and encryption capabilities must be modified to include Kerberos code directly. A third significant limitation is that Kerberos uses Data Encryption Standard (DES) to encrypt its information. Codebreaking played a key role in the success of the Allied Forces during World War II. As a result, certain forms of cryptography are still classified as "Munitions" by the US Government, subjecting them to International Traffic in Arms Regulations (ITAR). What this means is that special export licensing from the US State Department may be required to take Kerberos software out of the country, even if it is only an ftp download.
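The exchange Kerberos performs, in miniature: the client asks the central server for a ticket, gets back a session key it can read and a ticket it cannot, and presents the ticket plus a freshly encrypted authenticator to the service, which never sees the client's password at all. The code below is an added example written for this issue, not MIT's Kerberos; the cipher is a toy (an HMAC-SHA256 keystream plus a tag) standing in for Kerberos's DES, the AS and TGS steps are collapsed into one request, and the principal names and lifetimes are constructed.

```python
"""Kerberos-style ticket exchange in miniature: the client proves itself to
a service without sending its password over the network. Added example,
not MIT's Kerberos code; the cipher is a toy standing in for DES, and the
names and lifetimes are constructed."""
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 300      # seconds; tickets carry an expiry
CLOCK_SKEW = 300           # authenticator timestamps must be this fresh


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _enc(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _dec(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The central authentication server: it holds every principal's key,
    which is why it is the single point of failure the text mentions."""

    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def request_ticket(self, client: str, service: str, now: int) -> bytes:
        """Reply readable only with the client's key; the ticket inside it is
        readable only with the service's key (AS and TGS steps collapsed)."""
        session = secrets.token_bytes(32)
        ticket = _enc(self.keys[service], json.dumps(
            {"client": client, "skey": session.hex(),
             "expires": now + TICKET_LIFETIME}).encode())
        return _enc(self.keys[client], json.dumps(
            {"skey": session.hex(), "ticket": ticket.hex()}).encode())


def client_login(client_key: bytes, reply: bytes, client: str, now: int) -> tuple:
    """Client: open the reply, keep the session key, build the authenticator."""
    msg = json.loads(_dec(client_key, reply))
    session = bytes.fromhex(msg["skey"])
    authenticator = _enc(session, json.dumps({"client": client, "time": now}).encode())
    return bytes.fromhex(msg["ticket"]), authenticator


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: int, seen: set) -> bool:
    """Service: the ticket is trusted because only the KDC could have sealed
    it; the authenticator must open with the session key, be fresh, name the
    same client, and not have been presented before."""
    try:
        t = json.loads(_dec(service_key, ticket))
        a = json.loads(_dec(bytes.fromhex(t["skey"]), authenticator))
    except ValueError:
        return False
    ok = (now < t["expires"] and abs(now - a["time"]) <= CLOCK_SKEW
          and a["client"] == t["client"] and authenticator not in seen)
    if ok:
        seen.add(authenticator)
    return ok


if __name__ == "__main__":
    kdc = KDC()
    alice_key, rlogin_key = kdc.register("alice"), kdc.register("rlogin/host1")
    ticket, auth = client_login(alice_key, kdc.request_ticket("alice", "rlogin/host1", 1000), "alice", 1000)
    seen = set()
    print("login:", service_accept(rlogin_key, ticket, auth, 1001, seen))
    print("replay:", service_accept(rlogin_key, ticket, auth, 1002, seen))
```

What the sniffer on the party line gets is two ciphertexts it cannot open, and replaying the authenticator fails because the service remembers it (real Kerberos keeps such a replay cache, bounded by the clock-skew window). The two limitations above are visible here too: every service has to be written to call service_accept, and whoever takes over the KDC's key table owns every principal.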

Reading

Kerberos: An Authentication Scheme for Open Networks
"http://hightop.nrl.navy.mil/docs/ps_files/kerberos.ps"
Limitations of the Kerberos System
"http://hightop.nrl.navy.mil/docs/ps_files/kerblim.ps"
Kerberos FAQ
"http://www.cis.ohio-state.edu/hypertext/faq/usenet/kerberos-faq/user/faq.html"

Getting Kerberos

Kerberos (Unix)
"ftp://athena-dist.mit.edu/pub/kerberos"
Kerberos (Unix, Mac, Windows)
"http://www.cygnus.com/data/cns.html"

Cryptography Export Control

Archives
"http://www.cygnus.com/~gnu/export.html"
ITAR
"ftp://ftp.cygnus.com/pub/export/itar.in.full"

MUCH ADO ABOUT SATAN


Where's the beef?

April 5th has come and passed. Satan was released to the Internet on schedule and the networked world as we know it has not collapsed in an apocalypse of security incidents.

Satan, short for Security Administrator Tool for Analyzing Networks, is a set of tools that probes remote computers on the Internet for known vulnerabilities. It is not the first of its kind; tools that check host computers for well-known vulnerabilities in ftp, tftp, and sendmail have been available for several years. These include public and commercial versions of the Internet Security Scanner (ISS), PINGWARE (commercial only), and the Security Profile Inspector (SPI) which is currently available only to the Departments of Energy and Defense. What is different about Satan is that it is widely available and has an HTML-based interface. This allows users to probe networks with point-and-click ease through a World Wide Web browser. In addition, Satan also provides extensive documentation on the vulnerabilities being identified and how to repair them.

Satan can be used by the system administrator to test local security, or it can be used by crackers to look for weaknesses in a potential victim. The risk to a system decreases with good security practices and with running Satan yourself to uncover and repair any additional vulnerabilities before a cracker can discover them. To help system administrators detect when their systems may be under scrutiny from a rogue copy of Satan, CIAC has developed "Courtney", a program to monitor and report on any network activity that resembles a Satan probe.

As security experts and system administrators use Satan on different systems, its strengths and weaknesses are being characterized. A security hole was quickly discovered for host machines running Satan. Version 1.1 introduced a new and different hole, and now Version 1.2 is expected shortly. Although the initial noise about Satan's release may look like hype or hysteria in retrospect, there's no reason to let down your guard. Crackers may simply be lurking until the scrutiny dies down; they now have one more powerful tool in their black bag.
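What a Satan sweep looks like from the victim's side is one source address touching many different services on a host within a few seconds, which is the pattern a tool like Courtney watches for. The detector below is an added example written for this issue, not CIAC's Courtney: it parses connection records in a constructed tcpd/syslog-like format and raises an alert when one source reaches a threshold of distinct services inside a sliding time window. The log lines, the window and the threshold are all constructed for illustration.

```python
"""Probe detector in the spirit of Courtney: flag a source that hits many
different services within a short window. Added example, not CIAC's code;
the log lines are constructed in a tcpd/syslog-like format."""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Apr 20 10:01:02 gw in.telnetd[201]: connect from 198.51.100.7
Apr 20 10:01:02 gw in.ftpd[202]: connect from 198.51.100.7
Apr 20 10:01:03 gw in.fingerd[203]: connect from 198.51.100.7
Apr 20 10:01:03 gw in.tftpd[204]: connect from 198.51.100.7
Apr 20 10:01:04 gw sendmail[205]: connect from 198.51.100.7
Apr 20 10:01:05 gw in.rshd[206]: connect from 198.51.100.7
Apr 20 10:02:10 gw in.telnetd[207]: connect from 10.1.2.3
Apr 20 10:45:11 gw in.ftpd[208]: connect from 10.1.2.3
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([\w.]+)\[\d+\]: connect from (\S+)")


def parse(log: str) -> list:
    """(timestamp, source, service) for each connection record; syslog
    lines carry no year, so one is assumed for the constructed sample."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime("1995 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events


def find_probes(events: list, window_s: int = 60, min_services: int = 4) -> dict:
    """Slide a window per source; report sources that reach min_services
    distinct services within window_s seconds. Returns {source: services}."""
    by_src = defaultdict(list)
    for ts, src, svc in sorted(events):
        by_src[src].append((ts, svc))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for i, (ts, _) in enumerate(evs):
            while (ts - evs[start][0]).total_seconds() > window_s:
                start += 1
            services = {s for _, s in evs[start:i + 1]}
            if len(services) >= min_services:
                alerts[src] = alerts.get(src, set()) | services
    return alerts


if __name__ == "__main__":
    for src, services in find_probes(parse(LOG)).items():
        print("possible Satan probe from", src, "services:", sorted(services))
```

The inside host that uses telnet and then ftp forty minutes later stays quiet; the outside address that sweeps six services in three seconds is reported. Tune the window and threshold to your own traffic, and remember the heuristic cuts both ways: a slow scan spread over hours slips under it, and a busy legitimate client can trip it.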

Resources

Satan
"ftp://ftp.win.tue.nl/pub/security/satan.tar.Z"
Detailed Review of Satan
"http://cica.llnl.gov/ciac/notes/Notes07.shtml"
Satan Vulnerability
"ftp://info.cert.org/pub/cert_advisories/CA-95:07.README"
Courtney
"http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney"
CERT Advisories
"ftp://info.cert.org/pub/cert_advisories/"
Internet Security Scanner
"aql.gatech.edu/pub/security/iss/ISS"
Internet Security Systems 
"http://iss.net/~iss/iss.html"
PINGWARE
"www.bellcore.com/SECURITY/pingware.html"
SPI
"ciac.llnl.gov/cstc/CSTCProducts.html#spi"

INTO THE SOUP - THE ALPHABET SOUP


Just say CERT

Your system is under attack by the Mother of Uebercrackers, and you are in hot soup. Sooo, who do you call? AUSCERT, CERT, CERT/NL, CIAC, COAST, DFN/CERT, FIRST, NASIRC, NAVCIRT, NIH, NIST/CSRC... Just say CERT, which stands for Computer Emergency Response Team, an organization that works with users and vendors, in confidence, to respond to security incidents. Simply pick the one in or closest to your part of the world.

AUSCERT - Australia (Hotline +61 7 365 4417)
"http://www.auscert.org.au/"

CERT - United States (Hotline +1 412 268 7090)
"http://www.sei.cmu.edu/SEI/programs/cert.html"

CERT/NL - Netherlands
"http://www.nic.surfnet.nl/surfnet/security/cert-nl.html"

DFN/CERT - Germany
"http://www.cert.dfn.de/eng"

What to Do if Your Site Has Been Compromised
"http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/compromise-faq/faq.html"

FOLLOW THE RAINBOW


To the pot of gold

Orange book, yellow book, green book. They are all part of the Rainbow Series of publications on Trusted Systems, the DOD term for a system that "employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information". The book that contains the Trusted Computer System Evaluation Criteria (TCSEC) is the Orange Book; and there are Canadian and European versions as well. The Yellow Book tells you how to apply the Orange Book's criteria to specific environments, and the Green Book is all about password management. Insecure off-the-shelf Unix workstations, PCs, and Macintoshes need not apply.

Resources

Orange Book
"http://hightop.nrl.navy.mil/rainbow.html"
Rainbow Series
"http://first.org/secpubs/"
Trusted Systems
"http://mls.saic.com/docs.html"

A TALE OF TWO SECURITIES


Money talks

It was the best of times with the dreams of online commerce roaring across the Global Information Superhighway. It was the worst of times when it was pointed out that the Internet is one giant party line. Confidential information such as credit card numbers can easily be captured between sender and receiver. The techies rushed in with a variety of secure implementations of electronic commerce, and when the dust settled, two contenders for standardization were left.

On one side was Netscape Communications, with their Secure Sockets Layer (SSL). SSL is an additional layer in the protocol stack, sitting between the application and the TCP/IP connection layers, and it secures the channel of communication: everything sent over the connection is protected, whatever the application. On the other side, CommerceNet, a non-profit consortium of companies and organizations established to create an electronic marketplace on the Internet, weighed in with Secure-HTTP (S-HTTP). S-HTTP is an application-level "meta-protocol" that allows web applications to negotiate the encryption and authentication to be used with the documents being exchanged, so protection attaches to individual documents rather than to the connection. Both sides lined up major commercial supporters, submitted proposals to various standard bodies such as the World Wide Web Consortium, created reference implementations, and took gentle potshots at the other side.

Was this shaping up to be another VHS versus Beta battle in the search for a common security standard for online commerce? Fortunately, saner heads prevailed. Rather than sow mass confusion and delay market development, Netscape joined forces with heavyweights IBM, America Online, and H&R Block (owner of CompuServe), and purchased a controlling interest in Terisa Systems, Inc., tasking it with the responsibility of combining the two rival standards. The "Open Security Platform" toolkit is expected in June of 1995. Terisa Systems, of course, is a joint venture between cryptography vendor RSA Data Security, and Enterprise Integration Technology, Internet consultants and the project manager for CommerceNet.

Resources

CommerceNet Secure-HTTP
"http://www.commerce.net/information/standards/draft/shttp.txt"
"http://www.eit.com/projects/s-http/"
Netscape Secure Sockets Layer
"http://home.mcom.com/newsref/ref/netscape-security.html"
Terisa Systems and the Open Security Platform
"http://www.terisa.com/pr/qa.html"

HACKER, CRACKER, PHRACKER, SPY


What's in a name?

A hacker is a person who is intensely interested in how complex systems, in particular computer systems, work. A cracker extends this interest to unauthorized entry and modification of these systems. The term hacker has also been used synonymously with cracker, much to the dismay of hackers who are sometimes called on to detect, repair, and prevent future damage by crackers. Phrack is an electronic magazine in publication since 1985 and dedicated to providing information on operating systems, networking technologies, telephony, and news of the international computer underground. Varied topics such as lock picking and construction of acetylene bombs have also been covered in their "philes". The uebercracker is a cracker of superior skill, and is very hard to keep out of your systems. Phone phreaks have a fascination with telephone systems. There is no special meaning to the word spy in computer security, but you can be an international arms courier...

Resources

A Guide to Cracking Unix
"http://tamsun.tamu.edu/~clm3840/2600/security/cracking_guide"
The Uebercracker Web Page
"http://underground.org/"
Phrack Magazine Home Page
"http://freeside.com/~phrack.html"
The Social Organization of the Computer Underground
"http://hightop.nrl.navy.mil/docs/general/hacker.txt"

CONFESSIONS OF AN INTERNATIONAL ARMS COURIER


and other lighter elements

The export regulations on encryption present challenges we don't quite expect. Here is the story of someone who found himself becoming an international arms courier despite his best intentions.
"http://www.netsurf.com/nsf/v01/01/local/courier.html"

If you have a fast line and your browser can understand .au sound files, don't miss Cliff Stoll's Performance Art Theater and Networking Security Revue. Stoll is best known for his experience tracking a cracker through Germany and back to the KGB, a tale described in his book, "The Cuckoo's Egg".
"http://town.hall.org/university/security/stoll/cliff.html"

Hacker versus cracker again took a turn in the limelight in February when Tsutomu Shimomura decided to track down Kevin Mitnick after Mitnick broke into Shimomura's computer. Shimomura ultimately got his man, but Mitnick got the fan club. On to book and movie rights.
"news://alt.fan.kevin-mitnick"

And then there are the Bloopers of the system administration world. For all of us who've said "Oh !@#$%!" in our turn.
"http://mls.saic.com/papers/admin_stories.txt"

INFORMATION AT YOUR FINGERTIPS


The educated person knows where to find the information

There is a lot of useful information and tools on the Internet. In the interest of brevity, we have only included a selection in this issue. You can find a more comprehensive list of resources at our web site, including

"http://www.netsurf.com/nsf/v01/01/resource/index.html"

Other directory sites include:

COAST Archive at Purdue University. It claims to be the largest archive of computer security resources, with about 400 documents, 120 Unix tools, 30 DOS tools, and 40 Macintosh tools.
"http://www.cs.purdue.edu/coast/archive/index.html"

NIH Unix Security Page. From the Advanced Laboratory Workstation Systems group at the National Institutes of Health, this server includes discussions on general and specific security issues, security advisories, programs, patches, and a directory to other security sites.
"http://www.alw.nih.gov/Security/security.html"

NIST Computer Security Resource Clearinghouse. The Clearinghouse includes a selection of publications, alerts, news, and event calendars. In addition to the standard security papers such as Bill Cheswick's "An Evening with Berferd", it has a detailed collection of US Government publications. These range from standards-oriented publications from NIST, e.g., security in ISDN or security in the SQL data language, to the Department of Defense's documents on security architecture and trusted systems.
"http://first.org/"

FROM SCREEN WORSHIP TO SUN WORSHIP


Curl up with a good book

Spring is here! (At least for those of us in the Northern Hemisphere.) There are times when even the most dedicated Netsurfer wants to get away from our computer screens and sit out in the garden with a good book. Here is our selection on the topic of Computer Security for your consideration.

General:

Technical:

But remember, just as with computer security, it's up to you to take care of yourself. So wear a hat and sunscreen.

DANGLING POINTERS


AKA coming attractions

In talking about computer security, we have barely scratched the surface of cryptography and have not yet touched the thorny issues of privacy and the law. At the same time, while the Open Security Platform is still months away, commercial and financial transactions are already taking place over the Internet. Electronic cheque- and cash-equivalents are also being developed. Here's a selection of links to whet your appetite for the upcoming Netsurfer Focus issues on cryptography and online commerce.

Cryptography and the Cypherpunks
"ftp://ftp.u.washington.edu/public/phantom/cpunks/README.html"

[yellow ribbon]
Privacy, Liberty, and The Phil Zimmermann Legal Defense Fund
"http://www.netresponse.com/zldf"

Secure Purchasing on the Internet Today
"http://www.fv.com/"

Electronic Cash
"http://www.digicash.com"

OUR SPONSOR


[Bellcore Logo]

This issue of Netsurfer Focus is sponsored by Bellcore.
For more information about Bellcore and our other advertisers, please see the current issue of Netsurfer Security Marketplace.
"http://www.netsurf.com/nsf/v01/01/nsfm.01.01.html"

Participation in the Security Marketplace is unrelated to editorial coverage within Netsurfer Focus.

CONTACT INFORMATION


Netsurfer Focus is currently a periodic supplement to Netsurfer Digest and Netsurfer Tools.

Netsurfer Focus Home Page: http://www.netsurf.com/nsf/index.html
Letters to the Editor: focus@netsurf.com

To subscribe to Netsurfer Digest or Netsurfer Tools:

By WWW form: http://www.netsurf.com/subscribe.html
By e-mail: nsdigest-request@netsurf.com
Body:

      subscribe nsdigest-html
      subscribe nsdigest-text

CREDITS


Publisher: S. M. Lieu
Production Manager: Bill Woodcock

Marketing and Sales: Lisa Nichols

NETSURFER FOCUS (c) S. M. Lieu. This document may be distributed freely in electronic form in its entirety and without modification. All other rights reserved.
NETSURFER DIGEST is a trademark of Netsurfer Communications, Inc. Other publication, product, and company names may be trademarks of their companies.
"God is in the Details" is a quote from Mies van der Rohe.