Internet_Security@securecomputing.com

DEF CON attendees were also given the opportunity to participate in their own rendition of "Capture the Flag." The game is structured to award a cash prize to the first team of individuals who successfully broke into all four different network operating systems set up by conference organizers. As it turned out, not one individual team was successful in breaking into all of the systems, so the prize was split among individuals from several teams.

Some hackers even went on a field trip to "Area 51," the place where its rumored that the government conducts research on crashed UFO's. The hackers launched foil attached to helium balloons over the perimeter security fence hoping the objects would float into Area 51's radar. A short time later the hackers were asked to leave the area.

The formal agenda for the convention was composed primarily of hourly discussions on topics ranging from "Hacking Vegas" to "Global Domination," and discussions about what the Feds think of hackers. There were also break out sessions and panel discussions on such subjects as how to read email headers, and how to create and decipher forged email messages.

The clueless ones

One particularly interesting presentation was given by Ira Winkler, a noted security consultant and author of Corporate Espionage. His topic included a discussion on how the Internet has made it easy for almost anyone to call themselves a hacker. In fact, he believes most hackers today are of a variety he labels as the "clueless ones." Winkler even devised a quiz to help ferret out a clueless hacker from a real one. He challenged the audience to take the quiz and answer it truthfully. For example, if you have never installed a network operating system or written a program in "C" or another similar language you hardly qualify as having the skills of a real hacker. These clueless hackers, who he asserts are primarily teenagers, pose one of the biggest threats to corporate security administrators because they are more apt to use the Internet hacking tools indiscriminately. Winkler contends that many of the attacks done today are executed by those he considers clueless and judging from the audience's reactions to his remarks many appeared to agree with him.

With each passing year the popularity of DEF CON continues to grow, as evidenced by this year's large turn out. No doubt many attend to satisfy their curiosity. Others are simply trying to stay informed about the latest hacking trends. For many others, the big attraction may be the opportunity to rub shoulders with some of the "legendary heroes" of hackerdom.

For more information on DEF CON go to: http://www.defcon.org

(Return to top)

(Return to top)

Secure Computing Firewall for NT 2 Plus has these new features:

• Connectivity support has been expanded to include NT RAS and ISDN devices. This eliminates the need for an intermediate router as was required in the earlier version.

• The Firewall Manager now includes an ACL (Access Control List) Wizard. New entries and existing entries can be added or modified using the ACL Wizard, with step by step on-line help. A Quick Summary button is now available on the ACL grid, which allows the users to view a detailed description of the ACL rule.

• The NT Performance Monitor allows users to more effectively monitor and assess system performance.

A number of NT based firewalls were evaluated in the August 4, 1997 issue of LAN Times Magazine. Secure Computing's Firewall for NT 2 Plus was ranked among the top in the review. The following quote is an excerpt from the LAN Times review:

"Firewall for NT fared well as the only near-final beta release. In addition to a well-written manual, it has an unusual GUI. The Firewall Manager interface is made of pages, windows, and tabs. You configure the firewall with the top tabs, and bottom tabs are used by the NT Security Scanner to display security information. By using NT's Performance Monitor to represent traffic statistics and extracting security data for audit logs, Firewall for NT delivers a good set of monitoring tools."

For more information on the LAN Times review go to: http://www.lantimes.com/lantimes/97/97aug/708a055a.html

(Return to top)

The Internet protocols are designed to be persistent and inclusive. They will route data to any directly or indirectly connected device the protocols can reach. A router will forward a packet solely on the speculative belief built into its routing algorithm that, even if it doesn't recognize a packet's destination address itself, another router somewhere will know how to route the packet. Unauthorized connections to other networks can exist, and if they do they can communicate with any destination inside your network.

Any host on the network can route traffic to another network if it connects the two networks together. When this happens, the host becomes a gateway to additional sites and networks. This makes the network very easy to extend but very hard to control, reducing the certainty you have about the security properties of your network. Unexpected network connections can lead to an unexpected and unsafe "back door" connection to the public Internet.

Classic Example

This problem was best illustrated in the 1985 movie, War Games, in which a high school kid inadvertently found a way to dial-in to the computer systems that defended the country against nuclear missile attack. He found this "back door" by programming his home computer's modem to dial every telephone number in a given area. Whenever a computer answered the phone, the number would be saved for later investigation. This technique is now known as "war dialing." Many telephone companies have since implemented measures to detect war dialing, but the technique still poses a threat.

War dialing would not be so much of a threat if we were certain that dial-in access always went to security conscious hosts. Unfortunately, the plunging cost of modems has spoiled this assumption. Many workstation vendors routinely include a modem with computer systems they sell, along with convenient software to use it. Many people find it very tempting simply to connect an extra wire from the back of their computer to their office phone. This produces the worst kind of back door if the modem accepts dial-in connections, but it can also be dangerous when dialing out. We trace that problem back to the protocol stack and the IP layer.

The IP layer of a TCP/IP protocol stack typically does one of two things with packets: it transfers packets between the network and the host's application software, or it forwards packets received on one network connection via another. This second process is often called "IP forwarding." If a host computer contains two or more network connections (for example, a LAN interface and a modem) then it may be possible for the IP software to transfer packets between them. This risky behavior is not what most workstation users intend. Some vendors have recognized this risk and have produced TCP/IP packages that do not support IP forwarding between different interfaces. Others make forwarding a configuration option, allowing individual hosts to enable it if the user desires.

Dial-up IP connections combined with IP forwarding produce a difficult network management problem, and the solutions can be difficult to achieve. Military networks rely heavily on punitive sanctions: it is a federal crime to leak classified information and, by definition, every bit of data on a typical classified computer system is considered classified information. Thus, violations of security measures can lead to a vacation behind bars. Few commercial entities can produce similar deterrents.

Practical Solutions

Commercial organizations rely primarily on proactive measures like education and physical protections, and use various detection techniques to locate violators. One large, multinational corporation established a rule that no packets on their corporate network may contain an external network address; any external addresses thus indicate that an external Internet connection has been made. The networking administrators detect "leaks" monthly from all sources. Experts in IP routing also suggest that leaks can be controlled by tuning the routers to reject external packets travelling in the wrong direction with respect to an approved, external connection.

A technique used by many sites is to vigorously eliminate all desktop modems. Many organizations have already converted their internal phone system from traditional, modem friendly analog lines to digital systems. Connecting a modem to a digital phone is at least ineffective and possibly damaging to the modem. Few individuals will be motivated enough to purchase converters, particularly when the connections are forbidden. Some sites also adopt the attackers' tools, using war dialers to seek dial-in modems within the organizations' incoming telephone lines.

More information on this book is available at:

http://www.visi.com/crypto/

Copyright (c) 1997 Secure Computing Corporation. All rights reserved. All trademarks, trade names mentioned and/or used herein belong to their respective owners.

(Return to top)

Government bills aimed at eliminating junk email

Consumers upset with receiving large amounts of junk emails may be relieved to know that members of the U. S. Congress have proposed legislation to curtail this problem. There are several bills before the U.S. Congress, and each takes a different approach at addressing this problem. While none of the proposed legislative efforts offers a perfect solution to stopping junk email they are a start. In fact, junk email on the Internet maybe eliminated before junk mail at your home. For more information on each of these bills go to the following web sites:

http://www2.cauce.org/Smith.bill.intro.html

(This URL contains the bill introduced on May 21, 1997 by Representative Christopher H. Smith, called the "Netizens Protection Act of 1997." The goal of the bill is to modify an existing law regarding junk faxes to extend the legislation to include email messages.)

http://www.vtw.org/uce/

(This URL provides information on the Electronic Mailbox Protection Act of 1997,' introduced by Senator Torricelli would prohibit the use of falsified headers and sources for any commercial mail. The bill also requires recipients be able to be request they are removed from future mailings.)

Also, Alaska Senator Frank Murkowski introduced a legislation mandating tagging of junk email with `advertisement' in the subject line. The bill is designed to make it easy for people to filter out junk email before they see it. Unfortunately the bill requires Internet Service Providers to install mandatory filtering software. Thus the consumers would likely end up footing the bill, (web address not available.)

CERT issues special advisory on IMAP pop server attack

Recently CERT issued a special summary advisory on a vulnerability with IMAP. The advisory emphasizes that the vulnerability is with the implementation of this particular IMAP server, not with the protocol.

According to CERT preliminary data from one current incident indicates that probes were made to thousands of hosts, and approximately 40% of those hosts appear to be vulnerable. CERT has also received numerous reports of root compromises as a result of this vulnerability. The CERT advisory also states that there was at least one instance where large-scale scans were launched, and the intruders installed a Trojan Horse identd server. The intruders used this Trojan identd to connect to the identd server and obtain root access. CERT advises any site running an identd server to verify the integrity of your identd executable.

To determine if your site has been compromised CERT advises following their Intruder Detection Checklist available at:

ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

If you discover that you have suffered root compromise as a result, CERT recommends following the steps outlined in their root compromise document available at:

ftp://info.cert.org/pub/tech_tips/root_compromise

For more information on this vulnerability go to: