vol. 1, no. 7, August 1997
Up-to-the-minute news on Internet security threats
Hackers turn up heat at DEF CON V
by Holly Knox, Internet Security Editor
DEF CON V, the annual hacker convention, was held for the fifth consecutive year in Las Vegas on July 11-13. Antics such as breaking into a hotel's phone system by previous years' convention attendees have prevented organizers from holding this event in the same hotel twice. This year an estimated 1,000 people gathered at the Aladdin Hotel and paid $40 each to be part of the largest of all hacker conventions.
To the casual observer it might be difficult to pinpoint what type of convention it is that attracts such a diverse group of people. Since hackers tend to be an unusual breed, it should come as no surprise that this convention thrives on the unconventional. Most attendees are young males in their teens and twenties, many of whom dress in all black. Only a handful use their real names; most prefer to use monikers or code names like White Knight, Se7en, Cyber, and Deth Veggie.
In this issue:
Tunneling protocol attacks
Product update
In the news
Chasing back door connections
We welcome your comments! Please email us at: Internet_Security@securecomputing.com
Unlike most of the other hacker conventions, DEF CON's organizers openly invite information security professionals, including law enforcement officials, to participate in the conference. One of the more popular games played at the conference is called "Spot the Fed." Contestants in this game are awarded a T-shirt for spotting a member of a law enforcement agency, or "Fed," and pointing this out to others. While there were probably some Feds who easily blended into the crowd, the ones who were spotted tended to be clean cut, which contrasted sharply with those who dressed in all black and had various parts of their bodies pierced and tattooed.
DEF CON attendees were also given the opportunity to participate in their own rendition of "Capture the Flag." The game is structured to award a cash prize to the first team that successfully breaks into all four different network operating systems set up by conference organizers. As it turned out, no team succeeded in breaking into all of the systems, so the prize was split among individuals from several teams.
Some hackers even went on a field trip to "Area 51," the place where it's rumored that the government conducts research on crashed UFOs. The hackers launched foil attached to helium balloons over the perimeter security fence, hoping the objects would float into Area 51's radar. A short time later the hackers were asked to leave the area.
The formal agenda for the convention was composed primarily of hourly discussions on topics ranging from "Hacking Vegas" to "Global Domination," and discussions about what the Feds think of hackers. There were also breakout sessions and panel discussions on such subjects as how to read email headers and how to create and decipher forged email messages.
The clueless ones
One particularly interesting presentation was given by Ira Winkler, a noted security consultant and author of Corporate Espionage. His topic included a discussion of how the Internet has made it easy for almost anyone to call themselves a hacker. In fact, he believes most hackers today are of a variety he labels the "clueless ones." Winkler even devised a quiz to help ferret out a clueless hacker from a real one. He challenged the audience to take the quiz and answer it truthfully. For example, if you have never installed a network operating system or written a program in "C" or another similar language, you hardly qualify as having the skills of a real hacker. These clueless hackers, who he asserts are primarily teenagers, pose one of the biggest threats to corporate security administrators because they are more apt to use Internet hacking tools indiscriminately. Winkler contends that many of the attacks carried out today are executed by those he considers clueless, and judging from the audience's reactions to his remarks, many appeared to agree with him.
With each passing year the popularity of DEF CON continues to grow, as evidenced by this year's large turnout. No doubt many attend to satisfy their curiosity. Others are simply trying to stay informed about the latest hacking trends. For many others, the big attraction may be the opportunity to rub shoulders with some of the "legendary heroes" of hackerdom.
For more information on DEF CON go to: http://www.defcon.org
Tunneling protocol attacks
by Sean Keir, Research Scientist
The systems administrator
at XYZ Company was confident that sensitive information on his internal servers was secure
from unauthorized access by the outside world. After all, he had implemented a very
stringent security policy that blocked all incoming and outgoing telnet and ftp services.
This was done to prevent anyone from intentionally or unintentionally transferring the
company's sensitive proprietary information offsite.
He was sure that the network was as secure as it could be. How, then, did
the company's latest product development plans get into their competitor's hands?
The systems administrator at XYZ Company uses ping frequently to test remote connections, and he keeps it running and available to both external and internal users. Keeping ping active leaves an internal network vulnerable to "tunneling protocol attacks."
What exactly is a tunneling protocol attack?
A tunneling protocol attack allows intruders to hide or encapsulate
one protocol inside of another. For example, a request to establish a telnet
session can be hidden or encapsulated within a ping request. This can be dangerous because
you are never sure of what is passing through your network. It is possible to launch this
type of attack from almost anywhere on the Internet provided a computer on your internal
network is running a process that accepts the encapsulated protocol (ping) and the
tunneled protocol (telnet).
In the example above, the attacker established a telnet session
with XYZ Company's internal server by encapsulating a telnet request inside a ping
request. When XYZ Company's server received the ping packet it responded by sending
back its own ping packet containing an encapsulated response and establishing a telnet
session. The systems administrator did not notice the request since shell requests do not
create much network traffic.
An attacker will likely tunnel a service request in situations where a
protocol is either blocked or monitored, as in the case of XYZ Company. Also, in cases
where an encrypted request is not allowed or would raise suspicion, tunneling can be used
to keep the service request hidden.
It is also possible for an intruder to encrypt his tunneled request inside
of another unencrypted protocol. For example, an attacker could mask a telnet session
request by encrypting it and inserting it inside an unencrypted ping request. Unless the
administrator reviewed the contents of each ping packet, the traffic passing
through the network would appear normal.
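The inspection the article says the administrator never performed can be automated. The following detector is an added example (not code from the article or from Secure Computing): it parses a raw IPv4/ICMP echo packet, accepts only the fixed filler that stock ping programs send (BSD/Linux: an 8-byte timestamp then bytes 0x10, 0x11, ...; Windows: repeating "abcdefghijklmnopqrstuvw"), and flags anything else, using printable text as a sign of a tunneled shell and high entropy as a sign of an encrypted tunnel. The sample packets are constructed inline; `build_icmp_echo` exists only to fabricate them for the demo.

```python
import math
import struct


def build_icmp_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Wrap a payload in a minimal IPv4 + ICMP echo frame (constructed sample, not a capture)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)  # checksum left 0 for the demo
    return ip_hdr + icmp_hdr + payload


def parse_icmp_echo(packet: bytes):
    """Return the ICMP echo payload, or None if the packet is not an ICMP echo request/reply."""
    if len(packet) < 28 or packet[9] != 1:          # IP protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[ihl] not in (0, 8):                   # 8 = echo request, 0 = echo reply
        return None
    return packet[ihl + 8:]


def is_standard_ping_payload(payload: bytes) -> bool:
    """Match the fixed filler that stock ping implementations send."""
    # Windows ping: repeating 'abcdefghijklmnopqrstuvw' (32 bytes by default).
    if payload == (b"abcdefghijklmnopqrstuvw" * 3)[:len(payload)]:
        return True
    # BSD/Linux ping: 8-byte timestamp followed by bytes 0x10, 0x11, 0x12, ...
    body = payload[8:]
    return len(payload) >= 16 and body == bytes((0x10 + i) & 0xFF for i in range(len(body)))


def shannon_entropy(data: bytes) -> float:
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def classify_icmp_payload(packet: bytes) -> str:
    """Return 'normal', 'not-icmp-echo', or 'suspicious: <reasons>' for one packet."""
    payload = parse_icmp_echo(packet)
    if payload is None:
        return "not-icmp-echo"
    if is_standard_ping_payload(payload):
        return "normal"
    reasons = []
    if len(payload) > 64:
        reasons.append("oversized payload")
    if payload and sum(32 <= b < 127 for b in payload) / len(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    if len(payload) >= 128 and shannon_entropy(payload) > 7.0:
        reasons.append("high-entropy payload, possibly encrypted")
    return "suspicious: " + (", ".join(reasons) or "non-standard filler")


# Constructed samples: a stock Linux-style ping, a tunnelled text command, and an
# encrypted-looking reply (type 0) that is far larger than a normal echo.
NORMAL = build_icmp_echo(bytes(8) + bytes(range(0x10, 0x40)))
TEXT_TUNNEL = build_icmp_echo(b"open telnet session to internal host 10.0.0.2")
ENCRYPTED_TUNNEL = build_icmp_echo(bytes(range(256)), icmp_type=0)
```

Run over a capture of every echo packet crossing the firewall, anything other than "normal" is worth a look; a tunnel that mimics the stock filler exactly would still slip past, which is why the article's first advice is to block ping rather than inspect it.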
What does this mean to you or your systems administrator as you try to
keep your network data secure? With a little effort, a hacker could siphon off mission
critical information and sell it or leak it to your competitors. Several security measures
should be taken to thwart this type of attack.
Protecting your network
- Shut down access to ping and any other service that is not needed. Remember, ping
was designed for diagnostics and should be turned on only when needed.
- If you don't have a firewall, install one, and make sure that it blocks all incoming ping.
Firewalls provide a single point of control over your network traffic and provide detailed
logging capabilities. The logs in products such as Borderware Firewall Server and
Sidewinder Security Server are superior to those of commercial routers and can be
used to identify any unusual activity.
- Use automated port scanning tools to monitor network activity. Port scanners can
generate daily reports to track what services are running on your internal hosts.
Comparing these reports with previous daily reports can identify when a host is acting out
of the ordinary. A good port scanning tool is the freeware tool known as SATAN; it can be
run against internal or external hosts and generates very useful reports.
- Limit the amount of services available on hosts where sensitive information resides. A
good security policy will specify the type of information allowed on each host.
- Stay abreast of current attack methodologies and modify your security policy when
necessary.
Summary
Tunneling protocol attacks still require some work on the part of
the hacker and are not yet considered a "recipe" hack. However, tools needed to
execute these attacks are being developed by various individuals and entities. It is
almost certain that once developed, these tools will be distributed via the Internet.
So, implementing effective security measures as outlined above is
critical to helping ensure that your company's secrets are not vulnerable to tunneling
protocol attacks.
Product update
Secure Computing Firewall for NT 2 Plus now available
Secure Computing Firewall for NT 2 Plus has these new features:
Connectivity support has been expanded to include NT RAS and ISDN
devices. This eliminates the need for an intermediate router as was required in the
earlier version.
The Firewall Manager now includes an ACL (Access Control List) Wizard.
New entries and existing entries can be added or modified using the ACL Wizard, with step
by step on-line help. A Quick Summary button is now available on the ACL grid, which
allows the users to view a detailed description of the ACL rule.
The NT Performance Monitor allows users to more effectively monitor and
assess system performance.
A number of NT based firewalls were evaluated in the August 4, 1997 issue
of LAN Times Magazine. Secure Computing's Firewall for NT 2 Plus was ranked among
the top in the review. The following quote is an excerpt from the LAN Times review:
"Firewall for NT fared well as the only near-final beta
release. In addition to a well-written manual, it has an unusual GUI. The Firewall Manager
interface is made of pages, windows, and tabs. You configure the firewall with the top
tabs, and bottom tabs are used by the NT Security Scanner to display security information.
By using NT's Performance Monitor to represent traffic statistics and extracting security
data for audit logs, Firewall for NT delivers a good set of monitoring tools."
For more information on the LAN Times review go to: http://www.lantimes.com/lantimes/97/97aug/708a055a.html
Chasing back door connections
by Dr. Richard Smith, Principal Research Scientist
[Editor's Note: This is an excerpt from
Chapter 3 of "Internet Cryptography" (ISBN 0-201-92480-3, Addison-Wesley,
1997).]
The Internet protocols are
designed to be persistent and inclusive. They will route data to any directly or
indirectly connected device the protocols can reach. A router will forward a packet solely
on the speculative belief built into its routing algorithm that, even if it doesn't
recognize a packet's destination address itself, another router somewhere will know how to
route the packet. Unauthorized connections to other networks can exist, and if they do
they can communicate with any destination inside your network.
Any host on the network can route traffic to another network if it
connects the two networks together. When this happens, the host becomes a gateway to
additional sites and networks. This makes the network very easy to extend but very hard to
control, reducing the certainty you have about the security properties of your network.
Unexpected network connections can lead to an unexpected and unsafe "back door"
connection to the public Internet.
Classic Example
This problem was best illustrated in the 1985 movie, War Games, in
which a high school kid inadvertently found a way to dial-in to the computer systems that
defended the country against nuclear missile attack. He found this "back door"
by programming his home computer's modem to dial every telephone number in a given area.
Whenever a computer answered the phone, the number would be saved for later investigation.
This technique is now known as "war dialing." Many telephone companies have
since implemented measures to detect war dialing, but the technique still poses a threat.
War dialing would not be so much of a threat if we were certain that
dial-in access always went to security conscious hosts. Unfortunately, the plunging cost
of modems has spoiled this assumption. Many workstation vendors routinely include a modem
with computer systems they sell, along with convenient software to use it. Many people
find it very tempting simply to connect an extra wire from the back of their computer to
their office phone. This produces the worst kind of back door if the modem accepts dial-in
connections, but it can also be dangerous when dialing out. We trace that problem back to
the protocol stack and the IP layer.
The IP layer of a TCP/IP protocol stack typically does one of
two things with packets: it transfers packets between the network and the host's
application software, or it forwards packets received on one network connection via
another. This second process is often called "IP forwarding." If a host computer
contains two or more network connections (for example, a LAN interface and a modem) then
it may be possible for the IP software to transfer packets between them. This risky
behavior is not what most workstation users intend. Some vendors have recognized this risk
and have produced TCP/IP packages that do not support IP forwarding between different
interfaces. Others make forwarding a configuration option, allowing individual hosts to
enable it if the user desires.
Dial-up IP connections combined with IP forwarding produce a difficult
network management problem, and the solutions can be difficult to achieve. Military
networks rely heavily on punitive sanctions: it is a federal crime to leak classified
information and, by definition, every bit of data on a typical classified computer system
is considered classified information. Thus, violations of security measures can lead to a
vacation behind bars. Few commercial entities can produce similar deterrents.
Practical Solutions
Commercial organizations rely primarily on proactive measures like
education and physical protections, and use various detection techniques to locate
violators. One large, multinational corporation established a rule that no packets on
their corporate network may contain an external network address; any external addresses
thus indicate that an external Internet connection has been made. The networking
administrators detect "leaks" monthly from all sources. Experts in IP routing
also suggest that leaks can be controlled by tuning the routers to reject external packets
travelling in the wrong direction with respect to an approved, external connection.
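The corporate rule described above (no packet on an internal segment may carry an external address) is easy to turn into a monthly leak report. The following is an added example, not code from the book or from the corporation mentioned: it reads constructed sniffer observations of the form "segment src > dst", treats only the assumed `fw-outside` segment as a place where external addresses belong, and reports each internal host seen exchanging packets with external addresses anywhere else, which is exactly the footprint of a desktop modem doing IP forwarding. The address ranges and segment names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate address plan: these ranges are the only ones allowed on internal segments.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed name of the one segment where external addresses are legitimate (the firewall's outside).
APPROVED_GATEWAY_SEGMENT = "fw-outside"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_observation(line: str):
    """Parse one constructed sniffer line of the form '<segment> <src> > <dst>'."""
    segment, src, arrow, dst = line.split()
    if arrow != ">":
        raise ValueError(f"malformed observation: {line!r}")
    return segment, src, dst


def find_leaks(lines):
    """Map each internal host seen talking to external addresses on a non-gateway segment
    to the sorted list of external peers; every entry is a candidate back door."""
    suspects = defaultdict(set)
    for line in lines:
        segment, src, dst = parse_observation(line)
        if segment == APPROVED_GATEWAY_SEGMENT:
            continue                      # external addresses are expected here
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and not dst_int:
            suspects[src].add(dst)        # internal host sending out through a back door
        elif dst_int and not src_int:
            suspects[dst].add(src)        # replies coming back in through it
        elif not src_int and not dst_int:
            suspects["(no internal endpoint)"].add(f"{src}>{dst}")   # transit traffic: worse
    return {host: sorted(peers) for host, peers in suspects.items()}


# Constructed sample: normal intranet traffic, legitimate traffic on the firewall's outside
# segment, and one engineering workstation exchanging packets with Internet addresses.
SAMPLE_LINES = [
    "eng-lan 10.1.4.20 > 10.1.1.5",
    "fw-outside 203.0.113.7 > 198.51.100.9",
    "eng-lan 10.1.4.37 > 198.51.100.42",
    "eng-lan 198.51.100.42 > 10.1.4.37",
    "eng-lan 10.1.4.37 > 192.0.2.80",
    "sales-lan 192.168.5.12 > 10.1.1.5",
]
```

The same classification, applied on the routers as an access list that drops packets with external addresses arriving from an internal interface, implements the "wrong direction" filtering the routing experts recommend.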
A technique used by many sites is to vigorously eliminate all desktop
modems. Many organizations have already converted their internal phone system from
traditional, modem friendly analog lines to digital systems. Connecting a modem to a
digital phone is at least ineffective and possibly damaging to the modem. Few individuals
will be motivated enough to purchase converters, particularly when the connections are
forbidden. Some sites also adopt the attackers' tools, using war dialers to seek dial-in
modems within the organizations' incoming telephone lines.
More information on this book is available at:
http://www.visi.com/crypto/
Copyright (c) 1997 Secure Computing
Corporation. All rights reserved. All trademarks, trade names mentioned and/or used herein
belong to their respective owners.
In the news
Government bills aimed at eliminating junk email
Consumers upset with receiving large amounts of junk email may be relieved to know that members of the U.S. Congress have proposed legislation to curtail this problem. There are several bills before the U.S. Congress, and each takes a different approach to addressing this problem. While none of the proposed legislative efforts offers a perfect solution to stopping junk email, they are a start. In fact, junk email on the Internet may be eliminated before junk mail at your home. For more information on each of these bills go to the following web sites:
http://www2.cauce.org/Smith.bill.intro.html
(This URL contains the bill introduced on May 21, 1997 by Representative
Christopher H. Smith, called the "Netizens Protection Act of 1997." The goal of
the bill is to modify an existing law regarding junk faxes to extend the legislation to
include email messages.)
http://www.vtw.org/uce/
(This URL provides information on the "Electronic Mailbox Protection Act of 1997," introduced by Senator Torricelli, which would prohibit the use of falsified headers and sources for any commercial mail. The bill also requires that recipients be able to request removal from future mailings.)
Also, Alaska Senator Frank Murkowski introduced legislation mandating the tagging of junk email with `advertisement' in the subject line. The bill is designed to make it easy for people to filter out junk email before they see it. Unfortunately, the bill requires Internet Service Providers to install mandatory filtering software, so consumers would likely end up footing the bill. (Web address not available.)
CERT issues special advisory on IMAP pop server attack
Recently CERT issued a special summary advisory on a vulnerability with
IMAP. The advisory emphasizes that the vulnerability is with the implementation of this
particular IMAP server, not with the protocol.
According to CERT, preliminary data from one current incident indicates that probes were made to thousands of hosts, and approximately 40% of those hosts appear to be vulnerable. CERT has also received numerous reports of root compromises as a result of this vulnerability. The CERT advisory also states that there was at least one instance where large-scale scans were launched and the intruders installed a Trojan Horse identd server. The intruders then used this Trojan identd to connect to the identd server and obtain root access. CERT advises any site running an identd server to verify the integrity of its identd executable.
To determine if your site has been compromised CERT advises following
their Intruder Detection Checklist available at:
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
If you discover that you have suffered root compromise as a result, CERT
recommends following the steps outlined in their root compromise document available at:
ftp://info.cert.org/pub/tech_tips/root_compromise
For more information on this vulnerability go to:
ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
This page is maintained by webmaster@securecomputing.com
Copyright © 1997, Secure Computing Corporation. All rights reserved.