Put a tiger in your tank
A tiger team can save you time and money and improve
When your site is under attack, you can't afford the time to learn those security skills you've been putting off. A tiger team can use its knowledge to assist any team member when a security problem occurs.
Also in Pete's Wicked World this month: a serious bug involving
ypupdatedon SunOS and some Solaris machines; a list of the most commonly exploited security vulnerabilities; and, in the bookstore, an annotated list of the many security mailing lists and how to join them. (1,900 words)
The term "tiger team" was first used in computer parlance in the '70s to describe organized efforts to break into computers and find and fix security holes. The tiger teams of that era were not very effective -- they could find only some of the bugs. It was determined that the only way to ensure an operating system was secure was to design it that way from the beginning. (According to Computer Security Basics by Deborah Russell and G.T. Gangemi Sr.) This was a breakthrough. Nowadays tiger team has a different meaning, typically it is a group of one or more people who respond to security incidents. In a while we'll talk about more formal implementations of the concept, but for the moment let's look at informal teams.
The purpose of a tiger team is to take the responsibility of dealing with security incidents off the shoulders of one individual. Because computer security is complex and requires knowledge from multiple disciplines (operating systems, networking, firewalls, and sometimes operating system internals and law), it is difficult for one person to be well-informed in all areas. This is especially true if the individual does not do security full-time. At smaller sites there are usually just a couple of system administrators who deal with users, systems, and networking most of the time, and security when it bubbles to the top. If there are a few such people who are your peers, it makes sense to exchange information on security and to stand ready to aid each other when a security incident hits. Thus, a tiger team is born.
Even professional computer security people need tiger teams. For instance, in a large facility, there can be several departments that are affected if one system on the network is compromised. Damage control from this incident could involve the computing center personnel, networking personnel, and lawyers to tell you what you can and can't do to track down the culprit, and what you need to do to prosecute the fiend.
Forming a tiger team can be as simple as getting in touch with the folks you want to work with and getting their agreement to provide mutual aid as needed.
Tiger teams can move well beyond this handshake, however. The following are some ways a tiger team can leverage the knowledge of each individual to decrease the load on the other members:
Once a tiger team is in place, it can operate in two ways:
Note that both are legitimate, depending on the team members' needs, available time, and the level of security needed at their sites.
If a team is adopting the second behavior, it can provide the following set of services:
Taken to a logical extreme, tiger teams can combine themselves into a super-tiger team. The teams can work together toward the mutual goals of fostering knowledge and handling security events. In fact, such a team exists. FIRST is a group of response teams from governments, universities, and commercial enterprises. It has some interesting information on its Web site, and in theory provides a strong force with which to combat security breaches.
For more information on forming a tiger team, see The NIST Feb 92 Computer Security Lab Newsletter. Also useful is the "Forming an Incident Response Team" article from the Australian CERT FTP site.
Bug of the Month Club
There is a very serious bug involving
ypupdated is the daemon that communicates YP changes
between master and slave YP servers. Unfortunately, this bug allows
anyone to execute arbitrary commands on the master and slave servers.
Even more frightening is the fact that there's an exploitation script
in circulation that allows one to take advantage of this hole with
little effort. SunOS 4.1.x
is vulnerable. The current solution on Suns is to disable
ypupdated. Solaris 2 is vulnerable only if you're running
version 1.0 of the Solaris Name Service Transition Kit. Details are in
ypupdated bug is one of the most exploited system
vulnerabilities, according to CERT. Here is information, courtesy of
CERT, on other common ways hackers may be trying to break into your
The CERT staff urges you to immediately take the steps described in the advisories and README files listed below. Note that it is important to check README files as they contain updated information we received after the advisory was published.
Were we the gloating kind, we'd point out the CIAC Bulletin G-06 containing information about security vulnerabilities in Windows 95. Of course we'd never do that.... But you may want to look at the main CIAC site -- it contains some very useful information. You can also join CIAC's mailing lists by filling out a form at its Web site.
Finally, there is a problem with the Elm mailer that will let users create files in other Elm user's directories (CERT advisory VB-95:10).
ISS leads the list again this month with its Security FAQs web page. Possibly the most interesting FAQ on that list is the Security Mailing Lists FAQ. Here you'll find an annotated list of many security-related mailing lists and directions on how to join them. Exercise prudence, however, or your mailbox will be fuller than President Clinton's hair.
Most pertinent of these mailing lists for this month is one we've mentioned before: Sneakers, the tiger teams mailing list. Sneakers has a great signal-to-noise ratio, and has very little traffic in general. My type of mailing list. Of course there is the occasional annoying submission. In January someone sent a message to Sneakers asking for information on Nike athletic shoes. The list is still trying to figure out if the request was a prank or if someone could truly be that clueless.
If you're responsible for learning about and fixing security bugs at your site, you must visit the 8lgm Web site. 8lgm issues advisories about security bugs, complete with code or descriptions of how to detect or take advantage of these bugs. It also maintains a mailing list you can join. A must-visit site.
Other useful resources include the CIAC bulletins, which include information on Unix and non-Unix security problems and solutions. Also check out the security FAQ for a useful collection of network security knowledge. There's a random security Web page that contains some useful pointers as well.
Finally, if you are attacked and want to report the incident, contact CERT and check out the What to Do if Your Site Has Been Compromised FAQ.
It's time to get serious about SunOS and Solaris security. Next month we'll review the security patches available for the Sun operating systems, and we'll look at configuration changes needed to secure them.
ypupdatedvulnerability CERT Advisory ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at email@example.com.
If you have technical problems with this magazine, contact firstname.lastname@example.org