Security: Pete's Wicked World by Peter Galvin

In the trenches

Information gleaned from the 1996 SANS conference

June  1996

We interrupt your normally scheduled security column for an update from the SANS '96 conference. The conference featured interesting talks by Gene Spafford, Matt Bishop, and many other known and becoming-known security aficionados. Here you'll find coverage of the best talks and pointers to important information shared at SANS '96.

Also in Pete's Wicked World this month: NIS+ and lockd/statd security holes in the bug-of-the-month club. In the bookstore this month is a review of the second edition of Garfinkel and Spafford's Practical Unix & Internet Security. (2,500 words)


SANS '96 was the 5th Annual Unix System Administration, Networking & Security conference, held in Washington, D.C., during the week of May 12th. Aside from the usual (high quality) tutorials, there were also 32 invited and refereed papers and panels. Many of them had interesting information about security, but some of the most illuminating discussion happened in the hallways and bars surrounding the conference. A sure sign of a good conference.

More ways to secure Solaris
First, we'll provide an update to the previous two security columns. I gave a talk at the conference, entitled "Securing Solaris" and based on the April and May security columns in this space. It was well accepted and resulted in a lot of interesting feedback. Here are some more tidbits for ensuring that your Solaris machine is secure:


Diego Zamboni described a new tool he wrote, called SAINT. SAINT is not a security tool per se. Rather, it gathers the output of security tools and evaluates the results. For instance, it can look at the tcp_wrapper logs on multiple systems and alert you that a systematic attempt to break into your site is under way. SAINT is modular and extensible, so you can add your own rules or add support for log files not in SAINT's repertoire.

SAINT uses a cycle of:

The artificial intelligence component does not need to be very sophisticated to note patterns in the events, which means it has a reasonable chance of working well.

SAINT is written in Perl V5. Unfortunately, its output is in Spanish only today. Diego is continuing development of the tool though, and other languages will be supported eventually.

swatch is a well known sysadmin and security tool. It allows for automated parsing and alerting based on system log contents. There are several similar tools as well, including watcher, xtail, and EventServer. A new tool, xswatch, tries to combine the best features of all of these (and then some) while being easily extensible. It's written in Perl and accepts an arbitrary set of pattern-match/action pairs, so it can be used to match and act upon arbitrary strings in arbitrary logfiles. Ken Mayer is the author of the program. A 0.010 release is currently available. There are also two mailing lists for xswatch: one for users, developers, and discussion, and one for releases and other announcements.
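The two tools above do related things: SAINT correlates tcp_wrapper refusals across several hosts to spot a site-wide probe, and xswatch drives actions from pattern matches on log lines. The following script is an added example of that kind of correlation, written for this column and not code from SAINT, swatch, or xswatch. The log lines are constructed in the tcpd syslog format (hosts alpha, beta, gamma and the source addresses are made up), the year is assumed since syslog stamps carry none, and the thresholds (three distinct hosts inside ten minutes) are arbitrary choices you would tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in tcp_wrapper (tcpd) format, as they might be
# gathered from three hosts' logs. Not real data; hosts and addresses are made up.
SAMPLE_LOGS = """\
May 14 02:11:07 alpha in.telnetd[2241]: refused connect from 192.0.2.77
May 14 02:11:09 alpha in.ftpd[2243]: refused connect from 192.0.2.77
May 14 02:11:31 beta in.telnetd[811]: refused connect from 192.0.2.77
May 14 02:12:02 gamma in.rlogind[4410]: refused connect from 192.0.2.77
May 14 02:12:40 gamma in.fingerd[4412]: refused connect from 192.0.2.77
May 14 03:30:15 beta in.ftpd[902]: connect from 198.51.100.3
May 14 09:15:00 alpha in.telnetd[3001]: refused connect from 203.0.113.9
May 14 09:15:03 alpha sendmail[3002]: NOQUEUE: some unrelated syslog line
"""

# Pattern/action style: this regex is the "pattern" half; the parser is the action.
TCPD_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.]+)\[\d+\]: (?P<action>refused connect|connect) from (?P<src>\S+)$"
)

def parse_tcpd(text, year=1996):
    """Turn tcpd syslog lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = TCPD_RE.match(line)
        if not m:
            continue
        # syslog stamps have no year; one is assumed so time arithmetic works
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "host": m["host"], "daemon": m["daemon"],
                       "refused": m["action"] == "refused connect", "src": m["src"]})
    return events

def find_sweeps(events, window_seconds=600, min_hosts=3):
    """One alert per source that was refused by >= min_hosts distinct hosts
    within any window_seconds span. A single host's refusals never alert;
    the same source hitting several hosts in quick succession does."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["refused"]:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in window_seconds
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            hosts = {e["host"] for e in window}
            # keep the widest qualifying window so the alert lists every host/service seen
            if len(hosts) >= min_hosts and (best is None or len(hosts) >= len(best["hosts"])):
                best = {"src": src, "hosts": sorted(hosts),
                        "services": sorted({e["daemon"] for e in window}),
                        "first": window[0]["time"], "last": window[-1]["time"]}
        if best:
            alerts.append(best)
    return alerts

def format_alert(a):
    return (f"{a['src']} refused on {len(a['hosts'])} hosts ({', '.join(a['hosts'])}) "
            f"for {', '.join(a['services'])} between "
            f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")

if __name__ == "__main__":
    for alert in find_sweeps(parse_tcpd(SAMPLE_LOGS)):
        print(format_alert(alert))
```

On the sample data only 192.0.2.77 is reported: it was refused on three hosts and four services inside two minutes, while the single refusal from 203.0.113.9 and the accepted connection from 198.51.100.3 stay quiet. In practice you would feed it the concatenated tcpd logs from every host (with the hostname field intact, which is why the syslog host column matters) and hand the alert to whatever action you already use for paging.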

Incidents & peppermints
Moira J. West-Brown from CERT provided insight into current security incident trends. She said that the current typical network attack scenario is:

  1. Locate a system to attack
  2. Gain user access
  3. Gain privileged access
  4. Cover tracks (install Trojan horses, clean log files)
  5. Install backdoor for future use
  6. Engage in unauthorized activity
  7. Jump to other hosts on the local network

The 1995 Intrusion Profile includes:

CERT also sees Internet infrastructure attacks aimed at reconfiguring routers, exploiting weaknesses in DNS to break root name servers, and abusing FTP servers. In 1996 they expect to see more Java- and CGI-related break-ins.

Moira also discussed some astounding 1995 CERT statistics: there were 2,412 incidents handled involving 32,084 e-mail messages and 3,428 hotline calls.

This explains why there has been some grumbling about the new CERT operations. Word is that CERT only works to resolve security issues for sites if they are paying customers. Otherwise they gather information and provide pointers to their advisories and summaries. If you've had good or bad experiences with CERT, feel free to send me an e-mail.

The good news is that the rate of incident growth has decreased, either due to incident response teams or improved security at sites in general. Of course, the crackers can be getting more sophisticated and going unnoticed more frequently.

The state of security education
Gene "Spaff" Spafford gave a compelling talk, "A Different Perspective on Incident Response." He pointed out that there are only two dedicated university-based security and incident response research programs in the U.S. This lack of an educational foundation leads to the current helter-skelter security knowledge base, as well as to the lack of progress in detecting and preventing security incidents. His points are well taken. Until agencies (public or private) put more emphasis on security education and fund more research into the causes, effects, and prevention of incidents, there will be no solutions to the problems facing computer installations and their security administrators.

Spaff likened the current state of computer security to life in the old West: a free-for-all, every man (and woman) for himself. The West's evolution toward private security (Wells Fargo, Pinkerton) parallels the transition happening today in computer security, with many companies providing security tools and services for a fee (CERT, IBM, AT&T, BBN, and so on). The question is whether the evolution will continue to the point where system administrators no longer need to carry holsters full of security tools. Time and improved training will tell.

In passing
Several useful security points were brought up in conversations, usually over a beer. The ones that stuck in memory include:

There's more to life than security
Strange though it may seem, there are interesting aspects of Sun machines other than their security. Several talks at the conference on system administration and networking were of high quality and had important content. Given that this space is dedicated to security, though, I'll be brief.

Overall, the conference was very interesting. There were many other talks, by industry favorites like Matt Bishop, Rob Kolstad, Marcus Ranum, Hal Pomeranz, Dan Geer, Gene Schultz, and Michele Crabb. Unfortunately, many of the talks didn't have papers in the proceedings and aren't (currently) available on line. Next year you'll just have to attend...

The bookstore
This is the month a lot of security-conscious folks have been waiting for. The new edition of Garfinkel and Spafford's Practical Unix & Internet Security is out. It's been expanded to a mammoth 971 pages, and the good news is that many of those new pages are useful. It now covers many versions of Unix (including SunOS and Solaris). It also includes up-to-date information on security holes, cracking techniques, security tools, and sources of security information (Web sites, mailing lists). The appendices contain a valuable Unix Security Checklist, plus a table of important files, paper and electronic sources of security information, information about security organizations, and a table listing IP services with their port, protocol, name, use, and suggested firewall handling. Worth the price of admission.

Unfortunately, a few aspects of the book are wanting. There is a real need for authoritative coverage of security tools: what they do, how much work they are to build, how useful they are, and so on. Practical Unix & Internet Security contains little of this information; in fact, some useful tools (Argus, for instance) are barely mentioned. S/Key and Java coverage is likewise scant. There are some typos that I'm sure will be snuffed out in the next printing. Finally, I realize that indexing is more art than science, but such a large (and useful) book needs a very extensive index. The current one is adequate but not extensive.

But on the whole the book is very solid. FTP, backups (and their security issues), policies, cryptography, network wrappers, and NFS are covered very well. And readers can gain at least a passing understanding of almost all aspects of security by studying this book. Recommended.

Practical Unix & Internet Security also includes a few network resources that we haven't yet discussed here. For your edification:

Bug of the Month Club
This month there are (again) a couple of important security holes to report. Just because you've installed NIS+ does not mean you've improved your security. In fact, a NIS+ CERT advisory details a problem with the default Solaris 2.5 installation permissions. If the permissions on the password table within NIS+ are set incorrectly, ordinary users can gain root access. This appears to be the case when NIS+ is installed from scratch on a Solaris 2.5 system. To determine whether your system is vulnerable, view the permissions with the command: niscat -o passwd.org_dir

The details of the expected output are given in the advisory, but the important permissions are those of the name, password, and uid fields ("columns" in NIS+ lingo). They should look like:

        [0]     Name          : name
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
        [1]     Name          : passwd
                Attributes    : (TEXTUAL DATA)
                Access Rights : -----m----------
        [2]     Name          : uid
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
The access rights for these columns allow anyone to read the name and uid of the entry, but only the owner can modify the password.
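Reading those 16-character rights strings by eye is error-prone, especially across many NIS+ domains. The script below is an added example (not from the advisory, Sun, or CERT) that parses the column section of `niscat -o passwd.org_dir` output and flags any of the name, passwd, and uid columns where someone other than the owner holds modify, create, or destroy rights. The sample output is constructed from the three columns shown above; the "bad" table is a hypothetical misconfiguration built for the test, not the advisory's actual output. It assumes the standard NIS+ rights layout: four groups of four characters for nobody, owner, group, and world, each group in the order r, m, c, d. The extra warning about read rights on the passwd column is this example's own check, beyond what the advisory text says.

```python
import re

# Constructed sample of `niscat -o passwd.org_dir` output, trimmed to the three
# columns the advisory calls out, with the rights the advisory describes as correct.
NISCAT_OK = """\
        [0]     Name          : name
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
        [1]     Name          : passwd
                Attributes    : (TEXTUAL DATA)
                Access Rights : -----m----------
        [2]     Name          : uid
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
"""

# Hypothetical bad table (constructed for this example): world gets modify on the
# passwd column, which would let anyone rewrite another user's password field.
NISCAT_BAD = NISCAT_OK.replace("-----m----------", "-----m-------m--")

COL_RE = re.compile(r"\[(\d+)\]\s+Name\s*:\s*(\S+)")
RIGHTS_RE = re.compile(r"Access Rights\s*:\s*([rmcd-]{16})")

# NIS+ prints rights as four groups of four characters, one group per principal
# class in this order; within a group the positions are r, m, c, d.
PRINCIPALS = ("nobody", "owner", "group", "world")

def parse_niscat(text):
    """Return {column_name: rights_string} from the column section of niscat -o output."""
    columns, current = {}, None
    for line in text.splitlines():
        m = COL_RE.search(line)
        if m:
            current = m.group(2)
            continue
        m = RIGHTS_RE.search(line)
        if m and current is not None:
            columns[current] = m.group(1)
            current = None
    return columns

def decode_rights(rights):
    """'-----m----------' -> {'nobody': set(), 'owner': {'m'}, 'group': set(), 'world': set()}"""
    if len(rights) != 16:
        raise ValueError(f"bad rights string: {rights!r}")
    return {p: {c for c in rights[4 * i:4 * i + 4] if c != "-"}
            for i, p in enumerate(PRINCIPALS)}

def check_passwd_table(columns):
    """List human-readable problems; an empty list means the three columns look right."""
    problems = []
    for col in ("name", "passwd", "uid"):
        if col not in columns:
            problems.append(f"column {col} missing from output")
            continue
        rights = decode_rights(columns[col])
        for principal in ("nobody", "group", "world"):
            write = rights[principal] & {"m", "c", "d"}
            if write:
                problems.append(f"{col}: {principal} has {''.join(sorted(write))} rights "
                                f"(only owner should modify)")
        # extra check beyond the advisory: nobody/world reading the passwd column
        # would expose password hashes to anyone who can query the table
        if col == "passwd" and any("r" in rights[p] for p in ("nobody", "world")):
            problems.append("passwd: nobody or world can read the password column")
    return problems

if __name__ == "__main__":
    for label, text in (("correct", NISCAT_OK), ("bad", NISCAT_BAD)):
        print(label, check_passwd_table(parse_niscat(text)) or "OK")
```

To use it on a live system, pipe the real output in (for example `niscat -o passwd.org_dir | python3 check_nisplus.py`, after changing the `__main__` block to read `sys.stdin`) and treat any reported line as a reason to go back to the advisory's expected output and fix the table with nischmod before someone else finds it.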

Another potentially damaging hole involves lockd and statd on SunOS and Solaris. It is not known to be actively exploited, but it could allow any user to remove or create any file that root can. Details are in Sun Security Bulletin #135, CERT advisory CA-96.09, and CIAC bulletin G-25.

Patches that fix the bug are available. Use this table to select the proper one:

        Solaris 2.x
        OS version      Patch ID
        ----------      ---------
        SunOS 5.3       102932-02
        SunOS 5.4       102769-03
        SunOS 5.4_X86   102770-03
        SunOS 5.5       103468-01
        SunOS 5.5_X86   103469-01

        SunOS 4.1.x
        OS version      Patch ID
        ----------      ---------
        SunOS 4.1.3     100988-05
        SunOS 4.1.3_U1  101592-07
        SunOS 4.1.4     102516-04

    For SunOS 4.1.x, the fix is supplied in a new version of the "UFS
    file system and NFS locking" jumbo patch.

Next Month, on "As Pete's Wicked World Turns"
Next month we'll look at a new tool which can enable enterprise-wide security.



About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at


[(c) Copyright  Web Publishing Inc., and IDG Communication company]
