In the trenches Information gleaned from the 1996 SANS conference

June  1996

We interrupt your normally scheduled security column for an update from the SANS '96 conference. The conference featured interesting talks by Gene Spafford, Matt Bishop, and many other known and becoming-known security aficionados. Here you'll find coverage of the best talks and pointers to important information shared at SANS '96.

Also in Pete's Wicked World this month: NIS+ and lockd/statd security holes in the bug-of-the-month-club. In the bookstore this month is a review of the second edition of Garfinkle and Spafford's Practical Unix & Internet Security. (2,500 words)

Mail this article to a friend

SANS '96 was the 5th Annual Unix System Administration, Networking & Security conference, held in Washington D.C. during the week of May 12th. Aside from the usual (high quality) tutorials, there was also 32 invited and refereed papers and panels. Many of them had interesting information about security, but some of the most illuminating discussion happened in the hallways and bars surrounding the conference. A sure sign of a good conference.

More ways to secure Solaris
First, we'll provide an update to the previous two security columns. I gave a talk at the conference, entitled "Securing Solaris" and based on the April and May security columns in this space. It was well accepted and resulted in a lot of interesting feedback. Here are some more tidbits for ensuring that your Solaris machine is secure:

• sendmail version 8.7.5 fixes the newest DNS vulnerability, and is the current recommend version. Remember to evaluate smrsh, which accompanies the BSD sendmail release, to further insulate your machines from sendmail. (As an aside, few people seem to be using smrsh. If you are using it successfully, please drop me an e-mail, I'd like to hear about your experiences.)

• Some attendees recommended using MMDF as a replacement for sendmail, but others (predictably) pointed out that MMDF has its own share of problems.

• Michele Crabb pointed out that, rather than specifying a "bogus" noshell shell for accounts that are not to be used, as we recommended in the last column, there you use a program called noshell that displays a message to the user explaining the situation and logs the fact that it was invoked. This is useful information. Unfortunately, the README file for noshell says it has been ported to SunOS but no word on Solaris. (If you do use noshell on Solaris please let us know the details.)

• Rather than, or along with, removing crontab files, you may want to use the cron.allow feature to disable the use of cron from all accounts.

• Along with using ps to view processes on the system to verify that all unnecessary facilities are disabled, use netstat -af inet to view all UDP and TCP networking ports that are being serviced. On an unsecured machine, this list is quite extensive. On a secured machine it should be limited to just those services that you have determined that you need.

• Another excellent suggestion is to remove all non-essential set-uid and set-gid programs. Alternatively, you can just disable this facility at mount time (via the "nosuid" mount option) or on a per file basis with appropriate chmod u-s and chmod g-s commands.

SAINT
Diego Zamboni described a new tool he wrote, called SAINT. SAINT is not a security tool per se. Rather, it's a tool to gather the output of security tools and evaluate the results. For instance, it can look at the tcp_wrapper logs on multiple systems and alert you that a systematic attempt to break in to your site is occurring. SAINT is modular and extensible, so you can add your own rules or support log files not in SAINT's repertoire.

SAINT uses a cycle of:

• Collect data, convert into a standard format
• Convert the data to events
• Analyze the results
• Present the results

The artificial intelligence component does not need to be very sophisticated to note patterns in the events, which means it has a reasonable chance of working well.

SAINT is written in Perl V5. Unfortunately, its output is in Spanish only today. Diego is continuing development of the tool though, and other languages will be supported eventually.

xswatch
swatch is a well known sysadmin and security tool. It allows for automated parsing and alerting based on system log contents. There are several similar tools as well, including watcher, xtail, and EventServer. A new tool tries to combine the best features of all of these (and then some), while being easily extensible. It's written in Perl and allows any arbitrary set of pattern-match/action pairs, allowing it to be used to match and act upon arbitrary strings in arbitrary logfiles. Ken Mayer (kmayer@synopsys.com) is the author of the program. A 0.010 release is currently available. There are also two mailing lists that discuss xswatch: xswatch-users@lists.best.com for users, developers, and discussion, and xswatch-announce@lists.best.com for releases and other announcements.

Incidents & peppermints
Moira J. West-Brown from CERT provided insight into current security incident trends. She said that the current typical network attack scenario is:

1. Locate a system to attack
2. Gain user access
3. Gain privileged access
4. Cover tracks (install Trojan horses, clean log files)
5. Install backdoor for future use
6. Engage in unauthorized activity
7. Jump to other hosts on the local network

The 1995 Intrusion Profile includes:

• IP Spoofing, targeting infrastructure elements
• Hijacked terminal connections
• New Trojan Horse programs (see CS-95:01)
• E-mail related attacks, including sendmail bugs and /bin/mail security holes
• Web vulnerabilities
• Automated attacks (see CA-95:18).

They also see Internet infrastructure attacks aimed at reconfiguring routers, using weaknesses in DNS to break root name servers, and the abuse of FTP servers. In 1996 they expect to see more Java and CGI-related break-ins.

Moira also discussed some astounding 1995 CERT statistics: there were 2,412 incidents handled involving 32,084 e-mail messages and 3,428 hotline calls.

This explains why there has been some grumbling about the new CERT operations. Word is that CERT only works to resolve security issues for sites if they are paying customers. Otherwise they gather information and provide pointers to their advisories and summaries. If you've had good or bad experiences with CERT, feel free to send me an e-mail.

The good news is that the rate of incident growth has decreased, either due to incident response teams or improved security at sites in general. Of course, the crackers can be getting more sophisticated and going unnoticed more frequently.

The state of security education
Gene "Spaff" Spafford gave a compelling talk about "A Different Perspective on Incident Response." He pointed out that there are only two dedicated University-based security and incident response research programs in the U.S. This lack of educational foundation leads to the current helter-skelter security knowledge base, as well as the lack of progress in the areas of detection and prevention of security incidents. His points are well taken. Until agencies (be they public or private) put more emphasis on security education, funding more research into its causes, effects, and prevention, there will be no solutions for the current problems facing computer installations and their security administrators.

Spaff likened the current state of computer security to life in the old West. It was a free-for-all, every man (and woman) for himself. He sees the natural evolution to private security then (Wells Fargo, Pinkerton) to the transition happening today in computer security, with many companies providing security tools and services for a fee (CERT, IBM, AT&T, BBN, and so on). The question is, will the evolution be able to continue to the point where system administrators don't need to carry holsters full of security tools? Time and improved training will tell.

In passing
Several useful security points were brought up in conversations, usually over a beer. The ones that stuck in memory include:

• Secure shell is a useful tool for creating an encrypted login session between two Unix machines. Unfortunately, you need to add both client and server software so it's not a complete replacement for S/Key, Secure-id, and that ilk. Check out the January '96 version of Hal Stern's column for more details. And here's the FAQ, Jack.

• Java and ActiveX have everyone in security depressed. The potential problems and the difficulties of their detection and prevention are enormous. In fact more than one attendee was heard muttering about the whole state of security was depressing by the end of the conference.

• To protect your systems from a cracker you need to think and act like a cracker. Crackers use a powerful tool called "rootkit" to automate break-ins to a system. You might want to track it down, and see what it does, Don't unpack it on a critical system because it has hacker-usable replacements for some system utilities. It's enlightening to see what's available to hackers and what their leavings can look like.

There's more to life than security
Strange though it may seem, there are other interesting aspects of Sun machines than their security. At the conference, several talks about system administration and networking were high quality and had important content. Given that this space is dedicated to security, though, I'll be brief.

• Lincoln Stein from the MIT Center for Genome Research addressed CGI scripting in Perl. He gave the gory details on a library of Perl routines he's written to make CGI scripting easier. The library should make it much easier to use Perl to implement CGI scripts called by Web servers. All the "glue" needed to get command-line parameters, pipe I/O, and return values is provided. Unfortunately, he doesn't say much on the security characteristics of the library. So be sure to be aware the the current CGI script security tidbits before unleashing remote-user-executable scripts on your machine. (Okay, so there isn't more to life than security.)

• Dan Rich from SGI gave a talk on "The Design and Implementation of a WWW Document Control Monitoring System", based on his experiences at running large Web servers. In the talk he evaluates several tools to help with new Web page revision releases and the mirroring of multiple Web servers (either development and production or multiple production). Also note that the newest version of bind (4.9.3, with security patch, I believe) implements DNS round-robin resolution to help implement mirrored production machines.

• Anders Vinberg, a graphics pioneer now at Computer Associates, gave an interesting talk entitled "What Makes a Great Commercial Web Site." He pointed out the need for information, entertainment, financial transactions, and customer service as being common aspects of the good sites. He also showed a a live demo of a cool sample site that displayed these characteristics.

Overall, the conference was very interesting. There were many other talks, by industry favorites like Matt Bishop, Rob Kolstad, Marcus Ranum, Hal Pomeraz, Dan Geer, Gene Schultz, and Michele Crabb. Unfortunately, many of the talks didn't have papers in the proceedings and aren't (currently) available on line. Next year you'll just have to attend...

The bookstore
This is the month a lot of security-conscience folks have been waiting for. The new version of the Garfinkle and Spafford Practical Unix & Internet Security is out. It's been expanded to a mammoth 971 pages. And the good news is, many of those new pages are useful. It covers many version of unix now (including SunOS and Solaris). It also include up-to-date information on security holes, cracking techniques, security tools, and security information (Web sites, mailing lists). The Appendices contain a valuable Unix Security Checklist, plus a table of Import Files, Paper Sources and Electronic Sources of security information, information about security Organizations, and a table listing IP services, including their port, protocol, name, use, and suggested firewall handling. Worth the price of admission.

Unfortunately, there are a few aspects of the book that are wanting. There is a real need for authoritative coverage of security tools, including what they do, how much work they are to build, how useful they are, and so on. Practical Unix & Internet Security contains little of this information. In fact, some useful tools (Argus for instance) are barely mentioned. S/Key and Java coverage are likewise scant. There are some typos that I'm sure will be snuffed out in the next printing. Finally, I realize that indexing is an art more than a science, but such a large (and useful) book needs a very extensive one. The current version is adequate but not extensive.

But on the whole the book is very solid. FTP, backups (and their security issues), policies, cryptography, network wrappers, and NFS are covered very well. And readers can gain at least a passing understanding of almost all aspects of security by studying this book. Recommended.

Practical Unix & Internet Security also includes a few network resources that we haven't yet discussed here. For your edification:

• Lincoln Stein's WWW Security FAQ

• Paul Phillips' CGI Security FAQ

• NCSA's CGI security documentation

Bug of the Month Club
This month there are (again) a couple of important security holes to report. Just because you've installed NIS+ does not mean you've improved your security. In fact, a NIS+ CERT advisory details a problem with the default Solaris 2.5 installation permissions. If the permissions on the password table within NIS+ are set incorrectly, users are able to gain root access. This appears to be the case when NIS+ is installed from scratch on a Solaris 2.5 system. To determine if your system is vulnerable, view the permissions with the command: niscat -o passwd.org_dir

The details of the expected output are given in the advisory, but the important permissions are those of the name, password, and uid fields ("columns" in NIS+ lingo). They should look like:

        [0]     Name          : name
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
        [1]     Name          : passwd
                Attributes    : (TEXTUAL DATA)
                Access Rights : -----m----------
        [2]     Name          : uid
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------

Another potentially damaging security hole involves lockd and statd on SunOS and Solaris. It is not known to be actively exploited, but it has the potential to allow any user to remove or create any file that root could do the same to. This information is in Sun Security Bulletin #135, CERT advisory CA-96.09, and CIAC bulletin G-25.

Patches that fix the bug are available. Use this table to select the proper one:

        OS version	Patch ID
        ----------	---------
         SunOS 5.3	102932-02
         SunOS 5.4	102769-03
         SunOS 5.4_X86	102770-03
         SunOS 5.5	103468-01
         SunOS 5.5_X86	103469-01 

        OS version	Patch ID
        ----------	---------
         4.1.3		100988-05
         SunOS 4.1.3_U1	101592-07
         SunOS 4.1.4	102516-04

    For SunOS 4.1.x, the fix is supplied in a new version of the "UFS
    file system and NFS locking" jumbo patch.

Next Month, on "As Pete's Wicked World Turns"
Next month we'll look at a new tool which can enable enterprise-wide security.

Resources

• SANS '96
  http://www.usenix.org/events/sans96.html
• MMDF
  http://www.cs.okstate.edu/~vasoll/mmdf/admin.html#Overview-.000000.0.1 noshell http://ftp.umbc.edu/htmlftp/ftpcoast/toolsunixnoshellsrc.html SAINT ftp://ftp.super.unam.mx/pub/security/tools/
• xswatch 0.010 release
  ftp://ftp.best.com/pub/kmayer/
• Hal Stern's January column
  /sunworldonline/swol-01-1996/swol-01-sysadmin.html
• ssh FAQ
  http://sand.cis.ufl.edu/help-system/ssh/FAQ
• rootkit
  http://206.117.82.250/uploads/
• Lincoln Stein's security- and Web-related home page
  http://www.genome.wi.mit.edu/~lstein/
• CGI security tidbits
  http://merit.berkeley.edu/html/security.html
• "The Design and Implementation of a WWW Document Control Monitoring System"
  http://reality.sgi.com/drich/SANS96/
• "What Makes a Great Commercial Web Site" paper presented by Anders Vinberg. (URL presently unavailable.)
  Practical Unix & Internet Security http://www.ora.com/
• Lincoln Stein's WWW Security FAQ
  http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
• Paul Phillips' CGI Security FAQ
  http://www.primus.com/staff/paulp/cgi-security
• NCSA's CGI security documentation
  http://hoohoo.ncsa.uiuc.edu/cgi/security.html
• CERT advisory
  ftp://info.cert.org/pub/cert_advisories/CA-96.10.README
• CERT advisory CA-96.09
  ftp://info.cert.org/pub/cert_advisories/CA-96.09.README

About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-06-1996/swol-06-security.html
Last modified: