Many DOE sites are enthusiastically embracing the functionality provided by the Internet. Especially attractive is the ease with which the Internet can be used to provide information. More and more sites are establishing anonymous FTP, gopher, archie, WAIS, and WWW info servers. These provide a fast and easy way to share research, ask questions and, in general, collaborate with colleagues around the world. CIAC uses this technology to provide DOE and the interested public with its warning notices (advisories and bulletins), useful tools, pertinent computer security documents, and other reference material.
The main security issue is configuration. Are your Internet-accessible information services configured properly? Do they control who has access to what information? Can unauthorized changes be made? Recently, members of the CIAC team created a publication called "Securing Internet Information Servers." CIAC also developed a companion course called "Connecting to the Internet Securely." Both the document and the class discuss the risks associated with these services when they are provided on a UNIX-based platform. They also include instruction on how to reduce your risk level. The document is available through CIAC's anonymous FTP server, ciac.llnl.gov, and DOE Headquarters plans for CIAC to provide the course at various DOE locations across the U.S. in FY95.
After your server is properly configured, consider the sensitivity and appropriateness of the information that is being made "public", especially on Web servers where pictures and sound can be delivered as well as text. In our excitement to "brag" about our organizations or share information we know, it is easy to forget that the Internet is home to 20 million plus individuals both within and outside the U.S. Among these individuals are persons or organizations who are involved in breaking into other people's systems. Their goal may be as benign as being able to brag about gaining access to your site or they may do deliberate damage by erasing information or stealing information to sell, i.e., information trafficking. There are also reporters regularly "surfing" the Internet looking for embarrassing information that gets them headline stories such as the pirate software exchanges.
When establishing Internet information servers, the key is "managed" servers. Before establishing a server, be sure you know who can establish publicly available servers in your organization, what information is disseminated, and what release processes exist, if any. Plan to periodically review the information to ensure that it is appropriate.
We should all remember that those who access our servers are not necessarily looking out for our best interests. Do you publicly "share" information that should remain internal to your organization? Whenever you put information on a server, ask yourself if an "outsider" could use this information against you. For example, do you have your site's network diagram publicly available over the network? A hacker could use such information to target an attack specifically aimed at you. Do you provide information on the hardware, software and LANs used at your site? Again, this information could make it easier for a hacker/cracker to penetrate your site. Information about your internal operation, network configurations, hardware, and software should be limited to internal-access-only servers. Do you have sensitive business information lying on a publicly accessible server? Who controls write access to your servers? A disgruntled employee could place an embarrassing "Internal Use Only" memo on an anonymous FTP server.
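The periodic review and the write-access question above can be turned into a routine check. The following script is an added example, not CIAC's code: it walks a tree served to the public, flags files carrying an internal-only marker and flags anything world-writable. The marker phrases and the sample /pub tree are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Marker phrases for material that belongs on internal-only servers (constructed).
INTERNAL_MARKERS = re.compile(
    rb"internal use only|network diagram|do not distribute", re.IGNORECASE)


def audit_public_tree(root):
    """Walk a tree served to the public (anonymous FTP, gopher or WWW root)
    and return sorted (path relative to root, reason) tuples for files that
    carry an internal-only marker and for anything world-writable, which
    lets an outsider or a disgruntled insider place material on the server."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are always 777 and say nothing about the target
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode):
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # first MiB is enough for a marker scan
                if INTERNAL_MARKERS.search(head):
                    findings.append((rel, "internal-only marker"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample of a served /pub tree, used only for demonstration."""
    root = tempfile.mkdtemp(prefix="pub-")
    drop = os.path.join(root, "incoming")
    os.mkdir(drop)
    os.chmod(drop, 0o777)  # the classic anonymous-FTP drop box
    samples = {
        "readme.txt": b"Welcome to our public archive.\n",
        "memo.txt": b"INTERNAL USE ONLY - reorganisation plans\n",
        "lan.txt": b"Site network diagram: router 1 -> segment A ...\n",
    }
    for name, body in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # normal mode: readable, not writable, by others
    return root
```

Run `audit_public_tree("/path/to/pub")` against a real document root and treat every line it prints as something to remove, relocate, or explicitly approve.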
The risks involved in setting up and using an Internet information server should not dissuade you from using them. The potential opportunities to share, market, learn and collaborate far outweigh the risks involved as long as you understand the risks and properly manage them. Managers, security professionals, program and project leaders - all must understand the communication technologies they use on a daily basis so they can effectively evaluate risk. For additional information on the topic of the Internet and security see the November 28, 1994 Issue of Information Week, "Is Your Data Safe?" and December 12, 1994 Information Week, "Internet: How Safe?"
Firewalls are not a complete network security solution. In fact, probably nothing is. So while firewalls are an important network security component, it is worth noting a few of the problems inherent with any firewall arrangement. The problems can be grouped into three categories: software, policies and users.
Since firewall systems depend on software programs, they likely will have bugs in them. Expect these bugs to be immune to rational methods of detection, since they are the ones which passed through the debugging phase of the system.(1) The "paranoid" approach to firewall set-up is to reject everything incoming unless an explicit exception is made for it. But any exception in a possibly flawed system can still carry risks of penetration.(2)
Also, there are concerns about address spoofing since there is presently no fool-proof authentication method. It is possible for a presumed excluded service to "tunnel" through a firewall by being enclosed in an allowed service.
Firewall policies pose problems also. It takes equipment to enforce and people to administer them and this combination can result in a security breach, even with 'bug-free' software. The following incident happened at a large research facility:(3)
The imperfections of firewalls underscore the need for host-based security. Machines on the local network should be analyzed for vulnerabilities using tools such as the Security Profile Inspector (SPI).(4) A network can then be configured and procedures can be adopted to minimize access from the breach point. User security education is the most important factor in a secure firewall, since legitimate users are already inside the firewall. Users easily develop a cavalier attitude since the firewall 'protects' them. For instance, a person may connect his/her machine to a modem because of the convenience or necessity of working from home. The firewall is now circumvented, and anyone at the user's house or with a system that can dial out over the telephone can run riot through the local network.(5) Legitimate users can inadvertently subvert host-based security simply by changing the contents of a configuration file or changing a file access permission. The most common means of cracking a network is usually a poor choice of user passwords. Fast PCs allow hackers to 'guess' thousands of passwords in a short time. Thus any password that anybody might guess is probably a bad choice. A list of poor and good qualities for passwords can be found in reference (6) below.
(1) Cheswick and Bellovin, "Firewalls and Internet Security," p. 7.
(2) ibid., p. 83.
(3) ibid., p. 8.
(4) SPI has a limited distribution (contact ciac@llnl.gov), but commercial and freeware products are also available (see CIAC Notes 02e, May 12, 1994).
(5) ibid., p. 11.
(6) Garfinkel and Spafford, "Practical Unix Security," O'Reilly & Associates, Inc. (1991), pp. 32-35.
CIAC still affirms that reading E-mail, using typical mail agents, will not activate malware delivered in or with the message. However, the amount of E-mail CIAC received in response to issue 4 was extraordinary. To summarize what we received: lots of thank you's for exposing the "good times" and "xxx-1" viruses as urban legends (hoaxes); no E-mail viruses have been captured (and brought to us for examination); the FCC warning concerning "good times" was retracted; the warning message and its denunciation are seen to behave like viruses (memetic lifeforms) with a human serving as the replicating mechanism (just like chain letters); many people believe "in theory" that malware can be delivered and activated by some mail agents that have automated services. The best example of such malware was mail delivered to a PC that has embedded, seemingly invisible escape sequences which affect screen display or program the keyboard to do some nastiness when some key is "accidentally" pressed. This case is described more fully below.
CIAC did not claim that E-mail could not be a delivery agent for malware. A real threat comes from attached files which could contain viruses or Trojan programs. You should scan any executable attachment before executing it, in the same way that you scan all new software before using it. It is possible to create a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed, and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not affected by ANSI.SYS, though a DOS program running in Windows would be.

CIAC Plans To Have A Mosaic Home Page In January

We have been working with several people to coordinate the WWW server support for Web home pages for LLNL, the Computer Security Technology Center (CSTC) and CIAC. When we are ready to go, there will be much easier access to information on CIAC and our electronic publications. In the meantime, you might find the listing of security information servers (below) of interest.
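Returning to the ANSI.SYS key-remapping case above: the following is an added example, not CIAC's code. It detects and strips the ANSI.SYS "Set Keyboard Strings" control sequence (ESC [ code ; string ; ... p, as documented for MS-DOS) in a message body while leaving ordinary colour and cursor sequences intact, since the text notes that many DOS programs depend on those. The sample message is constructed and its remappings type only harmless text.

```python
import re

ESC = b"\x1b"

# ANSI.SYS "Set Keyboard Strings" sequence, documented for MS-DOS as
#   ESC [ code ; string ; ... p
# Each parameter is a decimal key code or a quoted string; the final 'p'
# performs the reassignment. Colour and cursor sequences end in other letters
# (m, A-H, J, K) and are deliberately left alone.
KEY_REASSIGN = re.compile(rb'\x1b\[(?:[0-9]+|"[^"]*")(?:;(?:[0-9]+|"[^"]*"))*p')
PARAM = re.compile(rb'[0-9]+|"[^"]*"')


def _show(param):
    """Render one parameter: quoted strings as text, numbers as key codes."""
    if param.startswith(b'"'):
        return param[1:-1].decode("cp437", "replace")
    return "code " + param.decode()


def parse_reassignment(seq):
    """Split one matched sequence into (key, replacement) for reporting.
    Extended keys (function and cursor keys) are written as 0;scancode."""
    params = PARAM.findall(seq[2:-1])  # drop ESC [ and the trailing p
    if len(params) > 2 and params[0] == b"0" and params[1].isdigit():
        key, rest = "extended scancode " + params[1].decode(), params[2:]
    else:
        key, rest = _show(params[0]), params[1:]
    return key, " ".join(_show(p) for p in rest)


def find_key_reassignments(message):
    """Return (key, replacement) pairs for every reassignment in the message."""
    return [parse_reassignment(m.group(0)) for m in KEY_REASSIGN.finditer(message)]


def scrub_message(message):
    """Remove reassignment sequences only; returns (clean bytes, count removed)."""
    return KEY_REASSIGN.subn(b"", message)


# Constructed sample: legitimate colour codes plus two harmless remappings
# ('A' would type "hello", F1 would type "help" followed by Enter).
SAMPLE = (b"Subject: meeting notes\r\n\r\n"
          + ESC + b"[1;32mHello" + ESC + b"[0m, see attached.\r\n"
          + ESC + b'[65;"hello"p'
          + ESC + b'[0;59;"help";13p'
          + b"Regards\r\n")
```

A mail gateway or a local reader can call `scrub_message` on each incoming body and log what `find_key_reassignments` reports before the text ever reaches a DOS screen.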
Novell: http://www.novell.com/cgi-bin/ftpsearch.pl?QString=security
Microsoft Windows: gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?security and gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?patches
FIRST's WWW server: http://www.first.org/first/
NIST/CSRC: http://cs-www.ncsl.nist.gov
Purdue Computer Emergency Response Team (PCERT): http://www.cs.purdue.edu/pcert/pcert.html
NASA Automated Systems Incident Response Capability (NASIRC): http://nasirc.nasa.gov/NASIRC_home.html (this is accessible to *.nasa.gov systems only, but it can be accessed through the FIRST server, or you can contact NASIRC to be added to their hosts.allow file)
Naval Computer Incident Response Team (NAVCIRT): http://infosec.nosc.mil/niseeast/html/navcirt.html
Australian Computer Emergency Response Team (AUSCERT): http://www.auscert.org.au (proposed to be up in a couple of weeks); http://www.uq.oz.au/pcc/services/sert/home.html (currently active)
DFN-CERT: German home page http://www.cert.dfn.de/ ; English home page http://www.cert.dfn.de/eng/
Computer Emergency Response Team (CERT): http://www.sei.cmu.edu/SEI/programs/cert.html
Veterans Health Administration (VHA): http://www.va.gov
Small Business Administration (SBA): http://www.sbaonline.gov/ (should be up soon)
IBM Computer Virus Information Center: gopher://index.almaden.ibm.com/1virus/virus.70
Italian Computer Antivirus Research Organization: http://www-iwi.unisg.ch/~sambucci/icaro/index.html

If you know of others, please send mail to ciac@llnl.gov.
F-01  Advisory  SGI IRIX serial_ports Vulnerability                              Oct. 4, 1994 1600 PDT
F-02  Bulletin  Summary of HP Security Bulletins                                 Nov. 17, 1994 1300 PDT
F-03  Bulletin  Restricted Distribution
F-04  Bulletin  Security Vulnerabilities in DECnet/OSI for OpenVMS               Nov. 28, 1994 0900 PDT
F-05  Bulletin  SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available Dec. 06, 1994 0800 PDT
F-06  Bulletin  Novell UnixWare sadc, urestore, and suic_exe Vulnerabilities     Dec. 14, 1994 0800 PDT
A - T - T - E - N - T - I - O - N ! For emergencies and off-hour assistance, CIAC is available 24 hours a day to DOE and DOE contractors via an integrated voicemail and SKYPAGE number. To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN number, 8550070, is for the CIAC duty person. A second PIN, 8550074, is for the CIAC Project Leader. Keep these numbers handy.
CIAC has several self-subscribing mailing lists for electronic publications:
subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName, FirstName and PhoneNumber. Send to: ciac-listproc@llnl.gov (not to: ciac@llnl.gov), e.g.,

subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. To subscribe an address which is a distribution list, first subscribe the person responsible for your distribution list. You will receive an acknowledgment (as described above). Change the address to the distribution list by sending a second E-mail request to ciac-listproc@llnl.gov. As the body of this message, send the following request, substituting valid information for list-name, PIN, and address of the distribution list:

set list-name address PIN distribution_list_address

e.g., set ciac-notes address 001860 rE-mailer@tara.georgia.orb

To be removed from this mailing list, send the following request:

unsubscribe list-name

For more information, send the following request:

help

If you have any questions about this list, you may contact the list's owner: listmanager@cheetah.llnl.gov.
Use FTP to access it either by name or IP address (128.115.19.53). The operation and prompt will depend on which vendor's FTP you are running. Usually, you must first log in before you can list directory contents and transfer files. Use "FTP" or "anonymous" for Name or Foreign username unless given a general prompt such as ciac.llnl.gov> or FTP>. In that case, enter the keyword "user" or "login" before "FTP" or "anonymous" (e.g., user FTP). Use your Internet E-mail address for the Password.
Once logged in, you may type a question mark to find out what keywords are recognized. The file 0-index.txt (in the top level directory /FTP) is a document explaining the directory structure for downloadable files. The file whatsnew.txt (in directory /FTP/pub/ciac) contains a list of the new files placed in the archive. Use the command get [for single files] or mget [for multiple files] to download one or more files to your own machine.
No.    E P   TITLE
2300   x x   Abstracts of the CIAC-2300 Series Documents
2301   x x   Computer Virus Information Update
2302         Accessing The CIAC Computer Security Archives
2303   x x   The Console Password Feature for DEC Workstations
2304         Data Security Vulnerabilities of Facsimile Machines and Digital Copiers
2305   x     Unix Incident Guide: How To Detect A Unix Intrusion
2308   x     Securing Internet Information Servers
CIAC   x     Incident Handling Guidelines
LLNL   x     User Accountability Statement, E. Eugene Schultz, Jr.
SRI    x     Improving the Security of your Unix System, David A. Curry
LLNL   x     Incident Handling Primer, Russell L. Brand
ORNL   x     Terminal Servers and Network Security, Curtis E. Bemis & Lynn Hyman

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.