In the trenches
Information gleaned from the 1996 SANS conference
We interrupt your normally scheduled security column for an update from the SANS '96 conference. The conference featured interesting talks by Gene Spafford, Matt Bishop, and many other known and becoming-known security aficionados. Here you'll find coverage of the best talks and pointers to important information shared at SANS '96.
Also in Pete's Wicked World this month: NIS+ and lockd/statd security holes in the bug-of-the-month club. In the bookstore this month is a review of the second edition of Garfinkel and Spafford's Practical Unix & Internet Security. (2,500 words)
SANS '96 was the 5th Annual Unix System Administration, Networking & Security conference, held in Washington D.C. during the week of May 12th. Aside from the usual (high quality) tutorials, there were also 32 invited and refereed papers and panels. Many of them had interesting information about security, but some of the most illuminating discussion happened in the hallways and bars surrounding the conference. A sure sign of a good conference.
More ways to secure Solaris
First, we'll provide an update to the previous two security columns. I gave a talk at the conference, entitled "Securing Solaris" and based on the April and May security columns in this space. It was well received and resulted in a lot of interesting feedback. Here are some more tidbits for ensuring that your Solaris machine is secure:
sendmail version 8.7.5 fixes the newest DNS vulnerability, and is the current recommended version. Remember to evaluate smrsh, which accompanies the BSD sendmail release, to further insulate your machines from sendmail: it restricts the programs that sendmail will run from aliases and .forward files to those you have placed in a single directory. (As an aside, few people seem to be using smrsh. If you are using it successfully, please drop me an e-mail, I'd like to hear about your experiences.)
sendmail, but others (predictably) pointed out that MMDF has its own share of problems.
noshell shell for accounts that are not to be used, as we recommended in the last column, you can use a program called noshell that displays a message to the user explaining the situation and logs the fact that it was invoked. This is useful information. Unfortunately, the README file for noshell says it has been ported to SunOS but there is no word on Solaris. (If you do use noshell on Solaris please let us know the details.)
crontab files, you may want to use the cron.allow feature to disable the use of cron from all accounts. When cron.allow exists, only the accounts listed in it are permitted to use crontab; every other account is refused.
ps to view processes on the system to verify that all unnecessary facilities are disabled, use netstat -af inet to view all UDP and TCP networking ports that are being serviced (-a includes sockets that are only listening, -f inet restricts the listing to the Internet protocol family). On an unsecured machine, this list is quite extensive. On a secured machine it should be limited to just those services that you have determined you need.
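As an added example (not part of the original column, and not a Sun tool), here is a small shell script that turns that netstat check into something you can re-run after every change instead of eyeballing the listing. The netstat output embedded in it is constructed to resemble Solaris 2.x formatting, with local ports shown as service names the way /etc/services resolves them; the exact column layout of your release, the host's set of listeners and the allowlist of needed services are assumptions for the illustration.

```sh
#!/bin/sh
# Added example: audit "netstat -af inet" output against an allowlist of
# services you have decided you need. Not code from the column or from Sun.

# Constructed sample of "netstat -af inet" output from a not-yet-hardened host.
# Real Solaris output has the same shape (a UDP block, then a TCP block);
# exact spacing and headers vary between releases.
SAMPLE_NETSTAT='UDP
   Local Address      Remote Address    State
-------------------- -------------------- -------
      *.sunrpc                           Idle
      *.tftp                             Idle
      *.syslog                           Idle

TCP
   Local Address      Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.sunrpc             *.*                0      0  8576      0 LISTEN
      *.ftp                *.*                0      0  8576      0 LISTEN
      *.telnet             *.*                0      0  8576      0 LISTEN
      *.smtp               *.*                0      0  8576      0 LISTEN
localhost.32772      localhost.smtp     8760      0  8760      0 ESTABLISHED
      *.finger             *.*                0      0  8576      0 LISTEN'

# listening_ports NETSTAT_TEXT
# Prints one "proto name" pair per line: UDP sockets in Idle state (bound and
# waiting for datagrams) and TCP sockets in LISTEN. The port is the text after
# the last dot of the local address (a service name when /etc/services knows it,
# otherwise a number). Established connections and headers are ignored.
listening_ports() {
    printf '%s\n' "$1" | awk '
        /^UDP/ { proto = "udp"; next }
        /^TCP/ { proto = "tcp"; next }
        (proto == "udp" && $NF == "Idle") || (proto == "tcp" && $NF == "LISTEN") {
            n = split($1, a, ".")
            print proto, a[n]
        }'
}

# audit_ports NETSTAT_TEXT ALLOWLIST
# ALLOWLIST is a space separated list of "proto/name" entries you need
# (assumed format for this example). Prints every listener not on the list
# and returns 1 if there are any, so it can gate a cron job or an rc script.
audit_ports() {
    unexpected=$(listening_ports "$1" | while read proto name; do
        case " $2 " in
            *" $proto/$name "*) ;;
            *) echo "unexpected listener: $proto/$name" ;;
        esac
    done)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}
```

On a live machine run it as audit_ports "$(netstat -af inet)" "tcp/smtp udp/syslog" and treat each line it prints as either a service to comment out of inetd.conf (or stop in the rc scripts) or one to add to the allowlist deliberately, after you have written down why it is needed.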
Diego Zamboni described a new tool he wrote, called SAINT. SAINT is not a security tool per se. Rather, it's a tool to gather the output of security tools and evaluate the results. For instance, it can look at the tcp_wrapper logs on multiple systems and alert you that a systematic attempt to break in to your site is occurring.
SAINT is modular and extensible, so you can
add your own rules or support log files not in
SAINT uses a cycle of:
The artificial intelligence component does not need to be very sophisticated to note patterns in the events, which means it has a reasonable chance of working well.
SAINT is written in Perl V5. Unfortunately, its output is in Spanish only today. Diego is continuing development of the tool though, and other languages will be supported eventually.
swatch is a well known sysadmin and security tool. It allows for automated parsing and alerting based on system log contents. There are several similar tools as well, including
A new tool tries to combine the best features of all of these (and then some), while being easily extensible. It's written in Perl and allows any arbitrary set of pattern-match/action pairs, allowing it to be used to match and act upon arbitrary strings in arbitrary logfiles. Ken Mayer (email@example.com) is the author of the program. A
is currently available. There are also two mailing lists that discuss
users, developers, and discussion, and
firstname.lastname@example.org for releases and other
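To make the two ideas above concrete (SAINT's cross-host evaluation of tcp_wrapper logs, and the pattern-match/action approach of swatch and its successors), here is an added shell example. It is not code from SAINT, swatch or Ken Mayer's tool. The syslog lines are constructed to mimic what tcpd logs; the hostnames, source addresses and the threshold of three distinct host/service pairs are assumptions for the illustration.

```sh
#!/bin/sh
# Added example: a pattern/action rule over tcpd log lines plus a correlation
# step across hosts, in the spirit of SAINT's tcp_wrapper rule. Not code from
# any of the tools named in the column.

# Constructed syslog excerpts as they might be collected from three hosts
# (alpha, beta, gamma are made-up names; addresses are made up too).
TCPD_LOGS='May 14 02:11:05 alpha in.telnetd[2201]: refused connect from 10.9.8.7
May 14 02:11:06 alpha in.ftpd[2202]: refused connect from 10.9.8.7
May 14 02:11:09 beta in.telnetd[871]: refused connect from 10.9.8.7
May 14 02:11:12 gamma in.fingerd[4410]: refused connect from 10.9.8.7
May 14 02:11:14 gamma in.rshd[4411]: refused connect from 10.9.8.7
May 14 03:40:00 alpha in.ftpd[2390]: refused connect from 192.168.5.5
May 14 03:41:00 beta in.telnetd[880]: connect from trusted.example.com
May 14 04:02:00 gamma sendmail[5011]: NOQUEUE: SYSERR: getrequests: accept: Connection reset'

# refusals LOGTEXT
# The pattern/action half: match tcpd "refused connect from" lines and emit
# "source host service" for each; everything else in the log is ignored.
# Fields: $4 is the logging host, $5 is "daemon[pid]:", $NF is the source.
refusals() {
    printf '%s\n' "$1" | awk '
        /refused connect from/ {
            svc = $5; sub(/\[.*/, "", svc)       # in.telnetd[2201]: -> in.telnetd
            print $NF, $4, svc                   # source host service
        }'
}

# probing_sources LOGTEXT THRESHOLD
# The correlation half: a single refusal is noise, but one source refused by
# THRESHOLD or more distinct host/service pairs is a sweep of the site.
# sort -u collapses repeated hits on the same host/service before counting.
probing_sources() {
    refusals "$1" | sort -u | awk -v min="$2" '
        {
            n[$1]++
            if (!seen[$1, $2]++) hosts[$1] = hosts[$1] " " $2
        }
        END {
            for (s in n)
                if (n[s] >= min)
                    printf "%s probed %d host/service pairs on:%s\n", s, n[s], hosts[s]
        }'
}
```

In practice the LOGTEXT argument would be the concatenation of /var/log (or /var/adm) syslog files pulled from each host, and the report line is what you would hand to a swatch-style action (mail, page, or a tcp_wrapper deny entry). The single refusal from 192.168.5.5 in the sample is deliberately below the threshold: a rule that fires on every refusal is exactly the noise the correlation step exists to remove.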
Incidents & peppermints
Moira J. West-Brown from CERT provided insight into current security incident trends. She said that the current typical network attack scenario is:
The 1995 Intrusion Profile includes:
They also see Internet infrastructure attacks aimed at reconfiguring routers, using weaknesses in DNS to break root name servers, and the abuse of FTP servers. In 1996 they expect to see more Java and CGI-related break-ins.
Moira also discussed some astounding 1995 CERT statistics: there were 2,412 incidents handled involving 32,084 e-mail messages and 3,428 hotline calls.
This explains why there has been some grumbling about the new CERT operations. Word is that CERT only works to resolve security issues for sites if they are paying customers. Otherwise they gather information and provide pointers to their advisories and summaries. If you've had good or bad experiences with CERT, feel free to send me an e-mail.
The good news is that the rate of incident growth has decreased, either due to incident response teams or improved security at sites in general. Of course, the crackers can be getting more sophisticated and going unnoticed more frequently.
The state of security education
Gene "Spaff" Spafford gave a compelling talk about "A Different Perspective on Incident Response." He pointed out that there are only two dedicated University-based security and incident response research programs in the U.S. This lack of educational foundation leads to the current helter-skelter security knowledge base, as well as the lack of progress in the areas of detection and prevention of security incidents. His points are well taken. Until agencies (be they public or private) put more emphasis on security education, funding more research into its causes, effects, and prevention, there will be no solutions for the current problems facing computer installations and their security administrators.
Spaff likened the current state of computer security to life in the old West: a free-for-all, every man (and woman) for himself. He compared the evolution then toward private security (Wells Fargo, Pinkerton) with the transition happening today in computer security, with many companies providing security tools and services for a fee (CERT, IBM, AT&T, BBN, and so on). The question is, will the evolution be able to continue to the point where system administrators don't need to carry holsters full of security tools? Time and improved training will tell.
Several useful security points were brought up in conversations, usually over a beer. The ones that stuck in memory include:
There's more to life than security
Strange though it may seem, there are other interesting aspects of Sun machines than their security. At the conference, several talks about system administration and networking were high quality and had important content. Given that this space is dedicated to security, though, I'll be brief.
Overall, the conference was very interesting. There were many other talks, by industry favorites like Matt Bishop, Rob Kolstad, Marcus Ranum, Hal Pomeranz, Dan Geer, Gene Schultz, and Michele Crabb. Unfortunately, many of the talks didn't have papers in the proceedings and aren't (currently) available on line. Next year you'll just have to attend...
This is the month a lot of security-conscious folks have been waiting for. The new version of the Garfinkel and Spafford Practical Unix & Internet Security is out. It's been expanded to a mammoth 971 pages. And the good news is, many of those new pages are useful. It covers many versions of Unix now (including SunOS and Solaris). It also includes up-to-date information on security holes, cracking techniques, security tools, and security information (Web sites, mailing lists). The Appendices contain a valuable Unix Security Checklist, plus a table of Important Files, Paper Sources and Electronic Sources of security information, information about security Organizations, and a table listing IP services, including their port, protocol, name, use, and suggested firewall handling. Worth the price of admission.
Unfortunately, there are a few aspects of the book that are wanting. There is a real need for authoritative coverage of security tools, including what they do, how much work they are to build, how useful they are, and so on. Practical Unix & Internet Security contains little of this information. In fact, some useful tools (Argus for instance) are barely mentioned. S/Key and Java coverage are likewise scant. There are some typos that I'm sure will be snuffed out in the next printing. Finally, I realize that indexing is an art more than a science, but such a large (and useful) book needs a very extensive one. The current version is adequate but not extensive.
But on the whole the book is very solid. FTP, backups (and their security issues), policies, cryptography, network wrappers, and NFS are covered very well. And readers can gain at least a passing understanding of almost all aspects of security by studying this book. Recommended.
Practical Unix & Internet Security also includes a few network resources that we haven't yet discussed here. For your edification:
Bug of the Month Club
This month there are (again) a couple of important security holes to report. Just because you've installed NIS+ does not mean you've improved your security. In fact, a NIS+ CERT advisory details a problem with the default Solaris 2.5 installation permissions. If the permissions on the password table within NIS+ are set incorrectly, users are able to gain root access. This appears to be the case when NIS+ is installed from scratch on a Solaris 2.5 system. To determine if your system is vulnerable, view the permissions with the command:
niscat -o passwd.org_dir
The details of the expected output are given in the advisory, but the important permissions are those of the name, password, and uid fields ("columns" in NIS+ lingo). They should look like:

    Name          : name
    Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
    Access Rights : r---------------

    Name          : passwd
    Attributes    : (TEXTUAL DATA)
    Access Rights : -----m----------

    Name          : uid
    Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
    Access Rights : r---------------

The access rights for these columns allow anyone to read the name and uid of the entry, but only the owner can modify the password.
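As an added check (not from the advisory or from this column), the following shell function parses niscat -o output and flags any of those three columns whose rights do not match the expectations above, so the test can be scripted across every NIS+ domain you run. It decodes the 16-character rights string as four rmcd groups for nobody, owner, group and world, in that order, which is the NIS+ layout. Both niscat transcripts embedded in it are constructed and abbreviated to the first three of the table's columns: the first shows the expected rights, the second a hypothetical misconfiguration in which world can modify the passwd column, used here as an illustration rather than as the advisory's actual default.

```sh
#!/bin/sh
# Added example: verify passwd.org_dir column rights from "niscat -o" output.
# Not code from the CERT advisory, Sun, or the column.

# Constructed "niscat -o passwd.org_dir" transcript with the expected rights
# (only the first three of the table's columns are shown). Domain names are
# made up.
GOOD_NISCAT='Object Name   : passwd
Directory     : org_dir.example.com.
Owner         : master.example.com.
Group         : admin.example.com.
Access Rights : ----rmcdr---r---
Object Type   : TABLE
Table Type          : passwd_tbl
Number of Columns   : 8
Columns             :
        [0]     Name          : name
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------
        [1]     Name          : passwd
                Attributes    : (TEXTUAL DATA)
                Access Rights : -----m----------
        [2]     Name          : uid
                Attributes    : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
                Access Rights : r---------------'

# Constructed misconfiguration for the illustration: world has modify on the
# passwd column. This is hypothetical, not the Solaris 2.5 default.
BAD_NISCAT=$(printf '%s\n' "$GOOD_NISCAT" | sed 's/-----m----------/-----m-------m--/')

# check_passwd_table NISCAT_OUTPUT
# Prints one OK/BAD line per column of interest and returns 1 if any is BAD.
# Rights are 16 chars: nobody(rmcd) owner(rmcd) group(rmcd) world(rmcd).
# Only the "[n] Name : column" entries are tracked, so the table-level
# "Object Name" and "Access Rights" lines near the top are not mistaken
# for a column.
check_passwd_table() {
    printf '%s\n' "$1" | awk '
        BEGIN { status = 0 }
        /^[[:space:]]*\[[0-9]+\][[:space:]]+Name[[:space:]]*:/ { col = $NF; next }
        /Access Rights[[:space:]]*:/ && col != "" {
            rights = $NF
            nobody = substr(rights, 1, 4); owner = substr(rights, 5, 4)
            group  = substr(rights, 9, 4); world  = substr(rights, 13, 4)
            bad = ""
            if (col == "passwd") {
                # only the owner may touch the password, and only to modify it
                if (owner !~ /m/) bad = "owner cannot modify"
                if ((nobody group world) !~ /^-+$/) bad = "someone other than owner has rights"
            } else if (col == "name" || col == "uid") {
                # readable by all is fine; modify/create/destroy by others is not
                if ((nobody group world) ~ /[mcd]/) bad = "non-owner can change it"
            }
            if (bad != "") { printf "BAD  %-6s %s (%s)\n", col, rights, bad; status = 1 }
            else           { printf "OK   %-6s %s\n", col, rights }
            col = ""
        }
        END { exit status }'
}
```

Run it as check_passwd_table "$(niscat -o passwd.org_dir)" on the master and on each replica; a BAD line on the passwd column means any principal in the flagged class can rewrite password fields, which is the root-access path the advisory describes, and the table should be fixed with nischmod before anything else.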
Another potentially damaging security hole involves lockd and statd on SunOS and Solaris. It is not known to be actively exploited, but it has the potential to allow any user to remove or create any file that root could. This information is in Sun Security Bulletin #135, CERT advisory CA-96.09, and CIAC bulletin G-25.
Patches that fix the bug are available. Use this table to select the proper one:
    Solaris 2.x
    OS version       Patch ID
    ----------       ---------
    SunOS 5.3        102932-02
    SunOS 5.4        102769-03
    SunOS 5.4_X86    102770-03
    SunOS 5.5        103468-01
    SunOS 5.5_X86    103469-01

    SunOS 4.1.x
    OS version       Patch ID
    ----------       ---------
    SunOS 4.1.3      100988-05
    SunOS 4.1.3_U1   101592-07
    SunOS 4.1.4      102516-04

For SunOS 4.1.x, the fix is supplied in a new version of the "UFS file system and NFS locking" jumbo patch.
Next Month, on "As Pete's Wicked World Turns"
Next month we'll look at a new tool which can enable enterprise-wide security.
About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating System Concepts textbook. Reach Peter at email@example.com.