On the road again -- SANS '97 Missed out on SANS '97? Read on and become a virtual attendee. We highlight advice on countering espionage and on Web server security

The SANS '97 conference focused on case studies in the areas of system administration, networking, the World Wide Web, and security. This month, Pete's Wicked World reviews several of the most interesting security talks. Even if you missed the conference, SANS '97 can still be of value to you.

Also in Pete's Wicked World this month: The bookstore has a pointer to a library of hacked Web pages. In the buglist, read about how Sun has released some security patches and might have problems with its IMAP and POP servers. Finally, read a letter with useful comments on Pete's Security FAQ. (2,700 words)

Opinions differ, experiences vary, and results are left open to interpretation. That's why it is valuable to review the security work of others. Frequently, evaluating someone else's work on a topic that is near and dear to you can reward you with new insights and can give you a fresh perspective on topics that you may have previously dismissed or considered unimportant. Such insights and perspectives abounded at the April SANS '97 conference in Baltimore, MD. The conference was also a good trip for doing the network thing, checking out the vital Baltimore "inner harbor," and joining BOFs (beer included) about firewalls, Linux, and just about every other hot topic.

The keynote address
The keynote address was a particularly good security consciousness-raising piece entitled "The DICE Game: Counter-Espionage In the Age of Networked Computers" and was given by Ray Semko of the U.S. Department of Energy. Ray's goal is to make DICE, short for "Defense of Information to Counter Espionage," well-known and widespread. DICE, Ray claimed, can help businesses to avoid being the target of espionage attacks, which have already put several companies out of business. He asserted that any company that is not aware of the dangers posed by such attacks and does not have countermeasures in place is at serious risk.

Ray said that the spies among us take advantage of "stupid, gullible, [and] naive" employees to gain information illicitly. Companies and countries seeking to steal your corporate secrets will try to turn the hard-working, extra-hours-spending, taken-for-granted employee into a they'll-pay-for-not-appreciating-me corporate spy. It is estimated that 90% of spies are internal to their targets and have badge clearance. These internal operatives are very difficult to catch, because they do not stand out, and because they tend to be good at their jobs. Mr. Semko pointed out that no women are currently serving time for espionage in any U.S. prison; and yet it is very unlikely that there are no female spies. In addition to being indiscernible from their loyal coworkers, the bad guys (and gals) have no fear of guards, gates, guns, or briefcase searches, for there is always a way to get confidential data out of the target site undetected.

What's the difference between my wife and a terrorist? I can negotiate with a terrorist.

-- Ray Semko

Semko stressed three methods of uncovering espionage:

1. Penetrate the espionage activities.
2. Investigate any evidence that comes to light.
3. Educate companies and individuals.

DICE uses the last method, telling companies and individuals the truth about the current state of espionage, so that techniques that worked in the past will be foiled in the future. Most penetration efforts, it turns out, are based on information obtained from defectors. Semko claimed that in the current world state, there are so many defectors that agencies and companies have their pick of the best ones. The Russian government has reportedly boasted being so successful at stealing industrial secrets that it has obtained more of them than it has the resources to use. Last year, 800 industrial espionage cases were tried in the U.S. alone. As large as this figure may seem, it is much smaller than the actual number of incidents that occurred, thanks to the reticence of corporate America to air its dirty laundry. American companies often do not report, investigate, or prosecute incidents of espionage.

Semko used the example of Ellery Systems, formerly of Boulder, CO. This company was forced out of business because its trade secrets were stolen by a resident alien. This spy was not prosecuted because it was determined that Ellery never instituted a corporate information policy. Officially, there was no information that was off-limits to employees, and no legal limits were placed on what employees could do with data they obtained. The Ellery case led to the enactment of the Economic Espionage Act, but even this act requires that companies make an effort to protect their corporate secrets if they expect to be able to prosecute corporate spies.

Taking a cue from The Art of War (a must-read), DICE has created an "Art of Stealing" that lists the means that companies and countries typically use to penetrate targets:

• Government-sponsored theft
• Joint ventures
• Forced technology transfer (usually forced in government contracts)
• Marketing surveys
• Targeting former employees at job fairs
• Ethnic targeting (helping the motherland)
• Conferences, trade shows, and the like.

Finally, Ray listed covert collection methods:

• Computer hacking
• BBSes
• Cover companies
• Taps and bugs
• Opening mail (at foreign sites)
• Sexual entrapment (It's still alive and well.)
• Co-opting foreign nationals working at the target company.

Web server security
Among the most important talks at SANS were the ones about Web server security. The growth of Web server use, coupled with the predisposition of these servers to being attacked and compromised and becoming an embarrassment, has made their security essential.

Barry Suskind of GE Information Services gave a talk on "Methods for Securing Your Web Server." Although some of his techniques echo those found in the Solaris Security FAQ and therefore are not covered here, several of the areas that Barry discussed are interesting and different.

The talk centered on allowing fast and safe content updates and made several other good points:

1. Make security concerns known up-front, so that the architecture of the facility can reflect their importance.
2. Define your Web server needs by determining your audience, your method of content deployment, and your desired techniques for monitoring and auditing usage.
3. These choices will help drive the platform and server software decision. Consider Web servers with available source code and rapid patch cycles.
4. The need to access a database should be a factor in your Web server architecture as well. The Web server and database can share a machine, but consider separating the two if the database contains secure information. With separate machines, you will be able to control the data pipe between the two servers.
5. Likewise, be careful when combining a read/write FTP service with a Web service. An escape from the FTP service could allow damage to your Web service.
6. No matter what decisions you make for your first-generation facility, use separate domain names for Web, FTP, e-mail, and other services to allow for their later dispersion.
7. Security needs may dictate prohibiting clear-text password access to the system, except for accessing Web pages.
8. If some Web page access is secured, be sure that there are not any links in other pages that bypass this security.
9. Alarm the system and monitor it to determine when and if attacks take place and, if so, how you fair against them.
10. Study firewall technology, even if you don't plan to use a firewall. Information about these devices can be applied to securing Web servers as well.

Suskind made several specific security recommendations in the talk as well. Some of these duplicate the FAQ information, but all are at least mentioned here for completeness:

• Install a minimum OS.
• Install the latest security patches.
• Only install needed packages.
• Install no compilers or kernel rebuilding facilities.
• Leave out X-Windows, NFS, and portmapper (if possible).
• Limit login accounts, give no direct root access, and use one-time passwords.
• Set appropriate permissions within the Web server tree.
• If anonymous FTP is allowed, keep its directory tree separate from the Web server tree
• Use tripwire to verify file integrity.
• Shut down all unnecessary system services, including most network daemons and new Solaris features such as sadmind, cmsd, and dtspc.
• Unless circumstances prevent you from doing so, do not allow any type of remote administration.
• Use tcp_wrappers or netacl and klaxon to alarm and to control network access. Connect klaxon to several unused ports, including 1, 7, and 77 to watch for port scans.
• Use static routing if possible, or use gated if static routing is not an option. Avoid routed.
• Use a firewall or screening router to limit server access, if doing so fits your architecture.
• Block source routing and implement anti-spoofing filters.

Suskind also had several recommendations for securing the Web server software:

• Know the security features of the chosen Web server -- these features vary.
• Turn off directory-listing capabilities.
• Disable unused CGI scripts.
• Review the CGI scripts that you do use. Remember phf?
• Use SSL for encryption -- it's better than nothing.
• If writing CGI scripts, use Perl rather than a shell language.
• Within your scripts, strip out meta characters, watch for buffer overflow possibilities, and be careful when accepting file names.
• Avoid SUID code.

Once the facility is up and running, Suskind recommends maintaining precautions:

• Automate the process of detecting that the Web server is down.
• For production Web servers, implement fast alert methods, such as paging.
• Use Web log analyzers to monitor hits and watch error logs.
• Monitor system performance.
• Have cron e-mail status reports daily.
• Be sure to have accurate backups.

Roll your own
SANS '97 featured several other interesting security talks, including one by Randy Marchany comparing old and new Internet attack and defense patterns and methods, and a talk on intranet Web security by Philip de Louraille. If these topics interest you, consider picking up a copy of the conference proceedings. If your job involves computer security, then conference attendance is a great way to gather information and to meet others with similar tastes. Better yet, share your experiences with others by submitting a talk to a conference. There are worse things than standing in front of 300 people for an hour and discussing your work...like standing in front of 400!

Bug of the Month Club
A bug that can allow users to gain root access on the host server has been discovered in certain IMAP and POP servers. Sun is investigating the problem but has not yet determined if its versions of these daemons are vulnerable. If you run these services, check out the CERT advisory for more information.

Sun has released a spate of security-related patches, including fixes for sendmail, bind, the volume manager (including eject), and Sun's version of Firewall-1 2.1. Check http://sunsolve.Sun.COM/pub-cgi/pubpatchpage.pl for current patch information.

The Bookstore
For some interesting, uncensored viewing of what could happen to your Web site, check out http://www.2600.com/hacked_pages/. It contains the original and the hacked versions of several Web sites, including those of the CIA and Air Force. These realworld examples may provide you with some useful ammunition if marketing is taking over management of your company's Web site and is lacking in its respect for site security.

Letters and numbers
Thanks to Halvard Halvorsen from Norway for this letter.

1. the restricted shell might be mentioned? then again -- as it's not
that secure (ftp'ing to an account with /usr/lib/rsh will still get you 
far outside where you are supposed to go) -- it might be as well to leave 
it out. 

2. ditto with ASET which is included in 2.5/2.5.1. at least
it can help on increasing security (though it does overlap
a lot with other utilities).

3. a mention on www.trouble.org in "4.7 Useful Web sites"
might be considered (COPS and SATAN and more of Dan's stuff).

4. your disk partition table in section "5.2 Install the OS"
seems to be messed up. there's no /var at all (or is it
supposed to be in /?).

5. For users not wanting to fiddle around with wu-ftp, you 
can get the ordinary ftpd to do quite extensive logging by
adding

... /usr/sbin/in.ftpd	in.ftpd -d

in /etc/inet/inetd.conf

and eg.

daemon.debug		/dev/console
daemon.debug		/var/log/ftplog

in /etc/syslog.conf. Not as good as wu-ftp; but still
useful.

6. Thanks for the good work, I found the FAQ very useful 
in deed.

Halvard Halvorsen
Senior Systems Consultant

Good comments. I'll make appropriate changes to the next version of the FAQ. My opinion of ASET is that it can only be used in its "low" security mode. I've heard horror stories about attempts to use it in "high" mode, in which it makes changes to the system. Some of these changes can necessitate a reload of the operating system.

About point 5: there is no error in the partition table. As Halvard suggests, /var is included in the root partition in that example.

• SANS '97 conference in Baltimore http://www.sans.org
• Peter Galvin's recently-updated Solaris Security FAQ. http://www.sunworld.com/common/security-faq.html
• CERT advisory for IMAP and POP servers ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
• http://sunsolve.Sun.COM/pub-cgi/patchpage.pl
• http://www.2600.com/hacked_pages/
• Full listing of previous Security columns in SunWorld http://www.sunworld.com/common/swol-backissues-columns.html#security
• Check out the SunWorld Site Index for stories on Web server security. http://www.sunworld.com/common/swol-siteindex.html#websec
• Related network security stories in SunWorld's Site Index. http://www.sunworld.com/common/swol-siteindex.html#netsec

Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. You can reach him at peter.galvin@sunworld.com.