And You Thought You Were Safe!

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

The realm of computer security is not an isolated slice of life reserved for geeks and bitheads. Security is all inclusive, no longer a realm of obscure networks or sensitive databases full of nuclear codes and credit card numbers. I know this may be hard to swallow for many people, as they haven’t given the matter serious thought. Stop reading for a minute and think about all the things computerized in your life. Now consider which ones present potential security or privacy concerns to you. If you think fewer than 90% or so present these problems, think again.

Some will cast this notion aside in favor of the argument that so many security concerns are so trivial that they make no real difference. Who cares if someone knows you visited a web site or purchased something online, right? This argument can effectively be countered any number of ways, as long as the reader is willing to give them appropriate consideration. First, each of these small concerns adds up. To use an old but familiar and fitting analogy, consider each privacy violation a brick. Put enough of these bricks together and you have a full-blown wall. Second, at what point do they stop being small and trivial? If you convince yourself that each security vulnerability is small, they slowly begin to grow without you acknowledging it. Before long, they have turned into full-blown risks that your mind still associates with ‘trivial’.

So in a single day, where do you encounter these risks? Anytime you use technology. Before you say “But I don’t use it that much!”, think about how much technology surrounds your life. In many cases it has become so integrated that you often stop noticing it. Have a personal organizer like a Palm Pilot? Play games on a Sega Dreamcast? Send e-mail to friends or family via an on-line service? Have controlled access to your office via ‘strong’ token cards? These points of technology slowly add up and paint a bigger picture of rapidly degrading privacy while security vulnerabilities increase in number. All of the above, and we’ve barely touched serious computing as far as most people are concerned.

To anyone reading this who is passingly familiar with computer-based news outlets like Wired, MSNBC and others, this is no doubt preaching to the choir. For those of you new to the net, I write this in hopes that you become fully aware of just how vulnerable your computer setup and system can be. The disturbing trend emerging in people’s reactions to security is the perception that if you aren’t online, you are safe. I hate to break this to you, but connectivity has little to do with security and privacy. All it takes is a single ten-second connection to the net and it is game over.

You boot up your computer and interface with the Operating System. Be it Windows NT, Windows 95, Solaris or any other platform, it is potentially vulnerable. When you open your browser, it too poses more risks than you can possibly imagine. Both Microsoft Internet Explorer and Netscape Navigator have had their fair share of problems. Even in seemingly safe applications like Microsoft Word lurks danger. Users connecting to the net via cable modem learned quickly that while their walls protected them from neighbors’ prying eyes, their modems certainly did not.

As with all articles on security, I try to present the problem and a solution for my readers. What can I possibly suggest to counter such an overwhelming number of intrusions into your personal privacy and security? Awareness. Just understanding and recognizing the concerns better equips you to battle the hordes of bad guys we always read about. Be proactive when using anything electronic, assess the risks, and proceed with caution. All joking aside, it may save you a lot of headache in the near future.

Building a Global IDS

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

A good Intrusion Detection System (IDS) is designed not only to warn of known attacks, but to second-guess and stop unknown attacks. This is done by utilizing known signatures of existing attacks, and speculating on unseen or new intrusion techniques that share some characteristics with their predecessors. Attacks like buffer overflow exploits all utilize the same basic method for gaining additional privileges. An effective IDS will look for the basic method rather than unique strings characteristic of an attack on a specific binary of a specific operating system.

The nature of IDS brings about potential weak spots that take away from their overall strength. Once deployed and deemed operating correctly, an IDS may log dozens of attempts at intrusion and simply block them because they meet a certain profile of attack. If the administrator doesn’t read these logs, they move on in life unaware of the attempts to break into their network. If these logged events are signatures of new and unseen attacks, they will stay that way. Unless the administrator notices and reports these new attacks to a full disclosure list or an appropriate vendor, the IDS has only lived up to a fraction of its intended purpose.

The Next Evolution

In order to make IDS systems more useful to the Internet at large, there must be more communication. IDS administrators, security auditors, IDS vendors, Operating System vendors and related parties must establish a more standing channel of communication. With that dialogue in place, the ability to notice and prepare for previously unseen threats grows quickly.

  • IDS Administrators: Monitor logs more closely. Unknown attacks or probes should be reported and shared.
  • Security Auditors: Take note of common attacks while auditing client networks. Look for trends in their logs that indicate a new attack on the horizon.
  • IDS Vendors: Take in customer reports of suspicious activity. Report these attempts to the appropriate software vendors. They will be much more receptive to high-profile IDS companies reporting the potential bugs.
  • OS Vendors: Communicate with IDS vendors and respond quickly to potential threats. Patch holes quickly and release vendor fixes to combat the problems before they are widely exploited.

As with any form of communication, a breakdown at any point hinders the process and limits its effectiveness.

Building the Network

It would take a surprisingly small amount of resources to achieve the desired results. Using the cooperation of IDS administrators on a wide variety of networks, an effective network could be set up to monitor these attacks. If ten machines on each Class-B network were set up to do this, and more importantly shared those results with a central source, it would achieve the desired goal. In a more ideal situation, some one hundred machines on each Class-B could even further pinpoint and track new attacks. Obviously, the more machines looking for these signatures, the better the chance of noticing them.

The beauty of this proposed network is that it is not vendor specific. Any IDS product could be used to monitor new activity and report it. Regardless of your preferred operating system, utilities, or IDS, your machine or network would be just as effective as the next. The only catch to this entire idea is who the information is reported to. Each IDS vendor would want to be the primary contact for publicity and name recognition. However, the plan is not best suited for that. A neutral third-party coordination center would be ideal, but bodies like CERT are often frowned upon by knowledgeable security professionals. Creating a new body to handle this workload would be the best option, but that leads to more questions of who will run it, and more importantly who will fund it.

Perhaps this is the reason an idea such as this hasn’t taken off. It has obvious technical merit in the form of existing technology being put to a specific use. No new or additional hardware or software would be required for those participating.

Practical Example

An associate of mine recently asked me if there were any new exploits on a specific port. This question is asked of me about once a month by various friends or acquaintances. Each and every time it is prompted by them monitoring an unusually high number of requests to specific ports. The last query was prompted by hundreds of connection attempts on a port that is basically unused. Probing systems ranged from educational institutions to cable modems to standard dialup ISP users.

While this specific example may not indicate a new bug, it is reminiscent of another incident much like this one. In June of 1998, CERT released an advisory outlining a new threat to some Internet hosts. Based on an unusual number of connection attempts on port 1, security professionals were able to figure out that these probes were designed to seek out Irix systems. Default installations of Irix left port 1 (the TCPMUX service/protocol) open for connections. While there was no vulnerability in this specific service, intruders were using it as a litmus test in seeking out Irix boxes. From there, they would try several well-known default login/password combinations and often gain access to the machine. This is a perfect example of the potential inherent in this type of system.

Even more recently, a well known computer journalist found himself in the role proposed by this type of IDS. John Dvorak recently wrote an article about his observations after installing a new firewall that logged all connection attempts. Within a day of putting up his new defense, he had logged dozens of rogue connection attempts to his system. Imagine if a network of individuals like him were out there, all sharing these attempts with a central source. The results could be extremely beneficial.
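To show what the central source in this proposed network would actually compute, here is an added example (not from the article, and not any vendor’s product) that takes connection-attempt log lines from several sensors on different networks and flags ports, such as TCPMUX port 1, that many independent sites are seeing probed from many distinct sources. The log line format, sensor names, sample addresses and thresholds are all constructed assumptions.

```python
"""Aggregate blocked-connection logs from many IDS/firewall sensors and flag
ports being probed across sites. Added example; format and data are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines: each sensor reports the inbound connection
# attempts it logged. The one-line key=value format is an assumption.
SAMPLE_LOG = """\
sensor=edu-net-a src=192.0.2.10 dport=80 proto=tcp
sensor=edu-net-a src=192.0.2.11 dport=1 proto=tcp
sensor=edu-net-a src=198.51.100.5 dport=1 proto=tcp
sensor=cable-isp-b src=203.0.113.7 dport=1 proto=tcp
sensor=cable-isp-b src=203.0.113.9 dport=25 proto=tcp
sensor=dialup-c src=198.51.100.77 dport=1 proto=tcp
sensor=dialup-c src=198.51.100.77 dport=1 proto=tcp
sensor=corp-d src=192.0.2.200 dport=1 proto=tcp
sensor=corp-d src=192.0.2.201 dport=443 proto=tcp
sensor=corp-d src=192.0.2.202 dport=12345 proto=tcp
"""

# Ports every sensor expects to see traffic on; hits here are background
# noise, not evidence that a new probe is making the rounds.
EXPECTED_PORTS = {22, 25, 53, 80, 443}

LINE_RE = re.compile(r"sensor=(\S+) src=(\S+) dport=(\d+) proto=(\S+)")


@dataclass
class PortStats:
    attempts: int = 0
    sources: set = field(default_factory=set)
    sensors: set = field(default_factory=set)


def parse_lines(text):
    """Yield (sensor, src, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def aggregate(text):
    """Central-source view: per-port counts across all reporting sensors."""
    stats = defaultdict(PortStats)
    for sensor, src, dport in parse_lines(text):
        s = stats[dport]
        s.attempts += 1
        s.sources.add(src)
        s.sensors.add(sensor)
    return stats


def flag_new_probes(stats, min_sensors=3, min_sources=3):
    """Ports that are unexpected AND seen by several independent sensors from
    several distinct sources: the cross-site signal one admin alone cannot see.
    Returns sorted (port, n_sensors, n_sources, attempts) tuples."""
    flagged = []
    for port, s in stats.items():
        if port in EXPECTED_PORTS:
            continue
        if len(s.sensors) >= min_sensors and len(s.sources) >= min_sources:
            flagged.append((port, len(s.sensors), len(s.sources), s.attempts))
    return sorted(flagged)


if __name__ == "__main__":
    for port, n_sens, n_src, n_att in flag_new_probes(aggregate(SAMPLE_LOG)):
        print(f"port {port}: {n_sens} sensors, {n_src} sources, {n_att} attempts")
```

A single sensor would see only one or two hits on port 1 and shrug; only the aggregated view shows four networks and five sources converging on the same unused port, while the lone port 12345 hit stays below the threshold.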

Conclusion? Everyone Wins

By establishing better communication between more administrators and IDS vendors, it is possible to establish a worldwide IDS capable of detecting new vulnerabilities in widely used products. When vendors and responsible parties are discovering these new threats, proactive security measures can be put in place. Customers paying money for these products begin to receive more secure software. Security auditors are able to protect their clients from more attacks and recognize more signatures. Confidence in product vendors rises dramatically.

The Last Line of Defense, Broken

[This was originally published on SecurityFocus and mirrored on attrition.org.]

The Public Perception of Security Companies Getting Compromised

Every so often, the protectors of your most important digital resources get hit with a little mud in the face. The so-called last line of defense is broken, and the security company protecting your networks falls victim to the ones they work against. It happens, possibly more often than you realize, and it will continue to happen.

The question to ask is what can be gleaned from a network security company getting hacked. Does it adversely affect business and undermine the trust and confidence customers place in them? Or is it fair warning that anyone is vulnerable to attack and a grim reality we must face in today’s networked world?

Perhaps it is a little of both.

Security companies are there to offer security to companies lacking the ability to protect themselves. Further, they are the publicly-perceived experts in all things security related. Their software, consulting services, and superior knowledge of computers are but a small part of the arsenal they use to keep malicious intruders out of your networks. At what point do these resources break down and allow someone to compromise even a security firm’s security?

The Race Condition

Those familiar with the technical side of UNIX security may recall many older exploits that relied on winning a Race Condition to achieve increased access. The concept of these attacks is that the program must beat the system in performing a specific function or task. If the exploit successfully beats the system to this target function, it is able to gain elevated privileges, giving the intruder more control over the system. If it fails the race, nothing extraordinary occurs.

Much like the Race Condition attack, security companies and intruders are in a continued Race Condition every day. Each day the security companies stay secure, they are winning the race. Every day a security company is hacked, they have lost another leg of the race. Both hackers and security professionals are looking for new bugs in software and operating systems. Sometimes this entails elaborate testing against poorly documented software, while other times it is detailed scrutiny of tens of thousands of lines of source code.

The entire time this race is going on, security companies are also creating products that will hopefully protect them against entire classes of attacks. This effort is designed to attempt to protect them from the unknown, namely the undisclosed vulnerability that hackers have discovered before they do. These forms of protections are currently found in the form of firewalls, intrusion detection systems (IDS), and other specialized security software.

Perception is Everything

Back to the original question of perception of these incidents. There are two ways to perceive a security company failing in their own specialty:

    1. The compromise of their network adversely affects business.
       The incident further undermines the trust and confidence
       their customers place in their ability to secure a network.

    2. The compromise is fair warning that anyone is vulnerable
       and that there are simply too many undiscovered bugs out
       there. No one can reasonably expect security companies to
       find them all.

Life has taught us that things are not that simple. Our perception should be based on more than the event of the hack. Rather, our perception should be based on the hack and, more importantly, the company’s reaction to the incident. There are two basic ways a security company can react to an intrusion of their own network (assuming it is publicly known):

    1. Admit there was a lapse in their own security and a network
       intrusion occurred. Water under the bridge and a pledge to
       do better.

    2. The government way: cover it up. Disavow! Never happened!
       If no customers know (or more to the point believe) an intrusion
       occurred, then there is no loss of integrity and disaster
       has been averted.

As logical and honorable as the first option sounds, not all security companies will admit to incidents that hurt their reputation. The downside to the second course of action is when the public does find out. Like all things political, it escalates the incident into an embarrassing failed cover-up worthy of tabloids.

Because many people believe admitting such things is automatic grounds for laughter and snide remarks, they take the low road and cover up.

Rather than lie or attempt to obscure prior incidents, these companies must learn that it is a fact of life and they need to move on. Use these times of turmoil as motivation to achieve better security for them and their clients. Turn the negative into a positive.

Track Record

Some readers may be trying to think of which security companies have been victims of this and have had to deal with it. In the past year, each of these security sites has been publicly defaced:

Network Security – http://www.networksecurity.org
Secure Service – http://www.secure-service.org
Securities Software – http://www.securitiessoftware.com
Secure Transfer – http://www.secure-transfer.com
AntiOnline – http://www.antionline.com
Security Net – http://www.securitynet.net
Network Flight Recorder – http://www.nfr.net
Symantec – http://www.symantec.com

Companies such as NFR who design Intrusion Detection Systems are particularly vulnerable to reputation damage over such incidents. Sites such as AntiOnline that continually boast about their own security often find such defacements more embarrassing as well.

Worse Than Being Attacked

Yes, security companies face one thing worse than being hacked and having their web page defaced. The rumor of getting hacked. Once rumors get started, people demand answers and often won’t settle on an answer until it is the one they wish to hear. Conspiracy-driven minds will not believe the truth no matter how many times it is told. This suspicion is often fueled by prior incidents in which companies have attempted to cover up intrusions.

If SecurityCo Inc. has been talked about and rumors are floating around that they were defaced, they are in a horrible position. Even if they respond truthfully and tell their customers they remain secure and have not experienced any network intrusions, some people will believe it to be a cover-up. Despite there being no proof a company was hacked, no mirror of a web defacement and nothing more than “I heard”, people often cling to the idea of it.

FIN

The act of a security company getting hacked and possibly defaced can be damaging, it’s true. However, lying or trying to obscure such incidents can be much more damaging. If a company that created your best lines of defense gets hacked, understand that the security game is not an absolute. Everyone is vulnerable at one point or another. What should we think about our protectors falling victim? The choice is up to you but remember: no one is perfect.

In Response To: Unplugged! The biggest hack in history

[This was originally published in Aviary Magazine and mirrored on attrition.org.]

Original Article
http://www.zdnet.com/filters/printerfriendly/0,6061,2345639-2,00.html
By John Simons, WSJ Interactive Edition
October 1, 1999 8:54 AM PT

The Phonemasters and I

In 1994, I was learning as much about computers and telephony as I could possibly take in. Had an extra 500 page manual? I’d digest it in days. Anything related to phones was of particular interest to me. For some reason, the computers that ran the phone systems were interesting and I found myself with an insatiable curiosity for them. Some called it an obsession. Ironic that I hated talking on phones with anyone, even with the people sharing new information about the systems I was learning about. It didn’t take long for me to move on to switches and systems that were the core of the telephone network.

To this day, I can still say I never did anything harmful, destructive or malicious to any phone or computer network out there. It was all about learning the systems. The natural curiosity of a young man, focused on technology that was becoming more and more widespread. It was about knowledge, nothing else.

You find yourself a newcomer to the concept of hacking, new to technology and learning. Who do you turn to? If you are truly into it because of the love of the system, anyone willing to help. That is how I ran into two of the ‘phonemasters’ back in 1994. Fortunately for me, I ran into some of the best teachers I have ever encountered. Given that one of my primary functions in my current professional life is teaching government agencies and Fortune 500 companies, that statement shouldn’t be taken lightly.

I remember my first talk with one of the phonemasters. He was soft-spoken from the beginning, talking with a cool and reserved voice. When it came to phone systems, his voice became that of an expert. The information and advice he passed on to me was flawless. If I didn’t know better, I could have easily believed he was an employee of the phone company, or some other expert on the subject material. It didn’t take long for our email to lead to talking on the phone. We had maybe ten conversations over a year long period. Each one an hour or more of us discussing phone systems and the intricacies involved.

While I didn’t know them as close friends, we were on a first-name basis for the conversations we had. Back then, a first name was a sure sign of trust and/or respect. They trusted me; I respected and trusted them implicitly. It started out talking with ‘T’ and eventually led to a handful of conversations with ‘G’ (two of the three ‘phonemasters’).

Ethics

Simons says in his article that the Phonemasters had “Unlimited potential for harm”. While this is technically true, consider the long haul. Over five years of having this powerful access, and what harm was done? None. Like so many hackers, being malicious is not in their book. A sense of power and exploring maybe, but causing harm to anyone just wasn’t considered. Simons goes on to tell us about FBI evidence that alleges they had planned on breaking into the National Crime Information Center (NCIC). So? They wouldn’t be the first to compromise the FBI’s pride and joy of a network.

While the three ‘phonemasters’ were close friends, they periodically reached out to talk to others. Often imparting new bits of knowledge to newcomers to hacking, they enjoyed teaching. One of these external talks led to the incident Simons refers to on January 23. He writes: “On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people — a suspected drug dealer, says Morris — and let him know his pager was being traced by the police.” The idea of notifying the owners of traced lines actually came from another Midwest hacker who shared the deed on a conference call with two of the phonemasters. Sorry, can’t blame them for that idea.

Side effects of their raid

   "Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents
    raided Cantrell's home, Lindsley's college dorm room, and burst into
    Bosanac's bedroom in San Diego."

I remember this night quite well. A couple hackers I knew were in an absolute state of panic. They were baffled over the raid and kept wondering why they weren’t recipients of an FBI visit of their own. One of the hackers admitted to me that he too had been hacking some of the same phone computers that the phonemasters had. He had even found printouts of their activity in the trash can of a U.S. West Central Office and later confirmed it was their activity that generated these printouts.

Another hacker in touch with the phonemasters paid me a visit that night. He was openly sweating and a little out of breath. I quickly found out that he had spent the day cleaning his place, in fear of an impending FBI raid, throwing out over forty technical manuals detailing the use of various phone systems. He had also thrown out a wide range of hardware and other extraneous equipment he felt was no longer needed. Some of his friends were not thrilled with his decision. A veritable gold mine of information was lost forever.

Co-conspirators

Three individuals are being charged with crimes related to this long term intrusion. After half a decade of running through phone, credit and every other system out there, a question emerges. Did they do it alone? Of course not.

During one of my phone conversations with ‘T’, he told me about a night he was dabbling on some system. He typed in a long command and received an error message. Trying again and altering his syntax yielded no success either. As he sat there pondering the correct command to type in, someone else on the system did it for him. Alarmed at first, he wondered who could have done it for him. Perhaps one of the other phonemasters, he thought? Not this time; instead, a legitimate phone technician was the one to help. He went on to describe the hours of technical help the phone company employee gave him, the whole time fully aware that his student had no right to be on the system.

The sum of the charges…

While the three ‘phonemasters’ did break laws by intruding into these sensitive and critical systems, there are a few things we need to remember. If such vital and life saving systems are vulnerable to this widespread and lengthy hack, why are we relying on them? Why hasn’t the government put more resources or some form of standards on these mission critical systems?

Based on my limited conversations with them, I can say it is somewhat comforting knowing these three were involved rather than malicious hackers. More importantly, that these technically brilliant hackers were at the keyboard. The systems they were in, like the AT&T 1AESS switch, aren’t the most fault-tolerant systems. Commands that go awry have a tendency to leave thousands of people without phone service. Novice hackers finding themselves with the same access the ‘phonemasters’ enjoyed could have presented a real threat to citizens everywhere.

When you read these articles, remember that the sum of their charges does not paint a full picture of what kind of people they really are.

Why Your Network is Still Vulnerable

[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]

You trust the security experts. Their books and articles about security are often the bibles of System Administrators. Their one paragraph biographies tell you of their ten to twenty years doing network security. They take on impressive titles of neat sounding companies they secure. Why is it these experts often give you the absolute worst advice that could cross your ears?

Time and time again, security ‘experts’ casually recommend that you use or deploy a package like the SATAN security scanner to test your network for vulnerabilities. While few references to SATAN will claim it is the end-all solution to computer security, the mere fact people ever recommended the tool is absurd. More disturbing is that over four years after it was released, some continue to reference it in a serious manner.

Before I continue, I’d like to qualify and assure you this is not a rant against SATAN’s (or any other tool’s) authors. The attention and hype that propelled SATAN into the media spotlight is no fault of theirs. Rather, other security ‘experts’ and/or media outlets cried wolf before it was released and helped create the “demise of the internet” as it was once called. This article will focus on SATAN as an example, simply because of the label it received from so many. Please keep in mind that SATAN is a forefather to most of the commercial scanners you are familiar with. So time progresses and people realize the futility of recommending a utility never designed for intensive and thorough auditing, right? Of course not.

Politically Correct

Instead of researching options more suitable for these books and articles, many security professionals dutifully recommend SATAN, COPS, Tiger and other out-of-date utilities. The question is why? Regardless of the answer, it isn’t a good enough reason. Security experts have an ethical obligation to recommend viable and solid solutions to their readers and customers. Each and every time they don’t, they further validate weak utilities as a method for securing your network. Days after auditing your network with these tools, it falls victim to an intruder and no one can figure out why.

SATAN was last released as version 1.1.1 on March 20, 1995. Obviously, network security concerns move at the speed of light. Any security audit tool not updated hours ago is already behind the times. So how can so many security professionals continue to recommend such an old and outdated tool? The only answer that comes to mind is the concept of being Politically Correct. The media told the masses this was a serious tool and should be regarded as a legitimate network auditing tool. Who would want to go against the grain and say otherwise? No one apparently.

Media and mainstream press put SATAN on a pedestal of unseen heights. As a result, several security professionals are still looking up and not seeing the scanner for what it is. Every day that passed with no qualified individuals speaking up lent more credence to what the media had already said. Four years later, this is the first article to my knowledge that is doing so.

Who’s on the Bandwagon?

If you haven’t read many security articles, you may not have run across a reference to SATAN. In case you haven’t, let’s look at a few of the many media outlets, security professionals and others who tell you to use it.

It started in 1995 with a wave of articles and press frenzy surrounding the tool’s release. To this day, articles still seem to latch onto the idea SATAN is a viable tool for network security. In 1995, an Oakland Tribune article said:

   "It's like randomly mailing automatic rifles to 5,000 addresses.
    I hope some crazy teen doesn't get a hold of one."

More recently SATAN has popped back up in more articles. James Glave quoted a Microsoft spokesperson on the use of SATAN in his article “Back Orifice a pain in the..?” (27). In April, Kevin Reichard wrote about the tool in his article “Network Security” (28).

Many popular and respected magazines have run articles suggesting the use of SATAN. Among them are Linux Journal (1), Info Security News (2), Security Advisor (3) and Information Security (An ICSA Publication) (4). Most disturbing is that most of the publicly available security magazines each push SATAN onto their readers at one point or another. These are the so-called experts, the people that should know the program does little for today’s networks. Yet as late as September 1998, three years since SATAN’s last release, they are still doing it.

Visit your local bookstore and you will be lucky to find more than five or ten security books. Over the past five years over one hundred books focusing on security have crossed these shelves. Interestingly enough, a healthy percentage each make the misplaced recommendation of SATAN as a valuable auditing tool. Worse, the idea of using such outdated and inferior tools has crossed beyond the realm of security books. A few of these books you may have seen are Practical Unix & Internet Security (5), UNIX System Administrator’s Companion (6), Halting the Hacker (7), and Internet Besieged (8). Recently, O’Reilly released an entire book devoted to using SATAN to protect your networks. (9) To a degree, this release gave the ultimate validation to the tool’s ability to protect your network. Are these books unworthy of attention? No. I would hazard they are being politically correct.

To keep on the bandwagon of overhype and undue attention, several security advisories have been released to prepare the net for this tool. One issue remains unresolved though. Why have few advisories followed the various SATAN advisories warning users of other utilities that are far more dangerous to their organization? In 1995 we were flooded with advisories from every response team or security group out there. CERT CA-95:06 (10), CIAC F-19 (11), CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14), CIAC F-24 (15), SMS 00130A (16), NASIRC (17), Assist 95-11 (18), Assist 95-19 (19), and Auscert AA-95.03 (20) are just a few of the security advisories warning us of the impact of SATAN.

With all of the news articles, books, security advisories and other miscellaneous hype, how could anyone go against the grain and jump off the bandwagon?

Satan is as Satan Does

Giving these various doomsday media outlets the benefit of the doubt, we could at least expect them to talk to knowledgeable professionals. That leads to two more questions. First, why didn’t they do just that? Second, why are some security professionals writing articles recommending it? Some might argue that since it has a point-and-click graphical user interface, it is easy for the novice admin. I certainly don’t buy that. Considering it takes a UNIX host, Perl, X Windows and other resources that are not the easiest to set up, expecting novice admins to use it is not logical.

Martin Freiss (author of ‘Protecting Networks with SATAN’) writes in his introduction about the extent of SATAN protecting your network:

   "Naturally, SATAN cannot detect every security vulnerability.
   In particular, there are security problems in the transfer
   protocols of the Internet and intranets... True security can
   be achieved only if all dangers are known, including those
   that SATAN cannot detect..."

Based on these words, I think it fair to say that people familiar with the tool realize its limits. Most security professionals, when asked if there is an end-all, be-all solution to network security, will answer that no such beast exists. On the other hand, they will also tell you that no one tool will be the ‘demise of the Internet’ as some claimed.

Falling Short

Technically speaking, why shouldn’t these organizations and people be recommending SATAN? Let’s examine what the program does in the way of vulnerability checking on a remote host. The following list is taken from the documentation.

  • NFS file systems exported to arbitrary hosts
  • NFS file systems exported to unprivileged programs
  • NFS file systems exported via the portmapper
  • NIS password file access from arbitrary hosts
  • Old (i.e. before 8.6.10) sendmail versions
  • REXD access from arbitrary hosts
  • X server access control disabled
  • arbitrary files accessible via TFTP
  • remote shell access from arbitrary hosts
  • writable anonymous FTP home directory

The first thing we notice is that it scans for ten whole vulnerabilities. Thinking back over this year alone, you should be aware that more than one hundred vulnerabilities have been brought to light on the Internet, so in sheer coverage it doesn’t come close. Commercial competitors of SATAN like ISS and Cybercop pride themselves on, and attempt to gain market share with, the high number of vulnerabilities they scan for (over 500).
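As an added illustration, and not code from the original article or from SATAN itself, here are two of the ten checks above written out in Python: parsing a `showmount -e` listing for file systems exported to everyone, and pulling the sendmail version out of an SMTP greeting banner to compare it against 8.6.10. The showmount output, the banners and the host names are all constructed for the example. Notice how thin these checks are: the version test trusts whatever the daemon prints, and the export test says nothing about the RPC services that the rest of this article shows being exploited.

```python
import re

# Constructed `showmount -e` output, standing in for what an NFS probe
# pulls from a target's mountd. Host names are made up for the example.
SAMPLE_SHOWMOUNT = """\
Export list for fileserver.example.test:
/export/home   (everyone)
/export/tools  client1.example.test,client2.example.test
/export/pub    *
/export/eng    *.eng.example.test
"""

# Constructed SMTP greeting banners, as a port 25 probe would read them.
SAMPLE_BANNERS = [
    "220 mail.example.test ESMTP Sendmail 8.6.9/8.6.9; Thu, 19 Aug 1999 10:00:00 -0600",
    "220 relay.example.test ESMTP Sendmail 8.9.3/8.9.3; Thu, 19 Aug 1999 10:00:00 -0600",
    "220 other.example.test ESMTP",
]

# The threshold from the list above: anything older than 8.6.10 is flagged.
MIN_SAFE_SENDMAIL = (8, 6, 10)

SENDMAIL_RE = re.compile(r"\bSendmail (\d+)\.(\d+)\.(\d+)")


def parse_exports(showmount_output):
    """Map each exported path to its list of client specs.

    The first line is the 'Export list for host:' header and is skipped.
    A path with no client list is treated as exported to everyone, which is
    how mountd reports an unrestricted export on some systems.
    """
    exports = {}
    for line in showmount_output.splitlines()[1:]:
        parts = line.split(None, 1)
        if not parts:
            continue
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else ["(everyone)"]
        exports[path] = [c.strip() for c in clients]
    return exports


def world_exports(exports):
    """Paths exported to arbitrary hosts: '(everyone)' or a bare '*'.

    A scoped wildcard such as '*.eng.example.test' is not flagged here; it
    limits clients to one domain, which is a different (weaker) finding.
    """
    return sorted(path for path, clients in exports.items()
                  if any(c in ("(everyone)", "*") for c in clients))


def sendmail_version(banner):
    """Return the (major, minor, patch) tuple from a banner, or None if the
    banner does not advertise sendmail at all."""
    m = SENDMAIL_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def old_sendmail(banner):
    """True when the banner claims a sendmail older than 8.6.10.

    Compare as integer tuples, not strings: '8.6.9' > '8.6.10' as text.
    A banner that hides or fakes the version defeats this check entirely.
    """
    version = sendmail_version(banner)
    return version is not None and version < MIN_SAFE_SENDMAIL


def audit(showmount_output, banners):
    """Run both checks and return a list of scanner-style finding strings."""
    findings = []
    for path in world_exports(parse_exports(showmount_output)):
        findings.append("NFS export %s is world-mountable" % path)
    for banner in banners:
        if old_sendmail(banner):
            host = banner.split()[1]
            version = ".".join(map(str, sendmail_version(banner)))
            findings.append("%s runs sendmail %s (< 8.6.10)" % (host, version))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOWMOUNT, SAMPLE_BANNERS):
        print(finding)
```

Run stand-alone it prints the two world-mountable exports and the one old sendmail. The qmail-style banner with no version string produces nothing, which is exactly the blind spot a banner check has.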

Since numbers are often misleading, let’s look at some real-world examples of why SATAN is not a good recommendation. If you are tasked with network security and you run any flavor of UNIX, you are probably aware of the hundred or so vendor security advisories for your platform of choice. Some of the more recently exploited vulnerabilities:

  • ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23)
  • Statd (rpc.statd): Detailed in SMS Advisory #186 (24)
  • Calendar Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25)
  • Cold Fusion (WinNT): Several problems covered in many advisories (26)
  • wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and more.

Comparing the list of vulnerabilities being widely exploited on the Internet today with the list of vulnerabilities SATAN checks for, we can see it does one thing quite well. It falls short. For you NT administrators, seek help elsewhere.

Insult to Injury

Yes, it gets worse. Not only does the program fall short in assisting with network security analysis, it poses a serious threat to your network security in ways that didn’t previously exist.

As outlined in CERT CA-95:07 (21), there is a “Password Disclosure” issue with SATAN 1.0, fixed in version 1.1. CIAC F-22 (22) covers another vulnerability that allows unauthorized users to execute commands and gain root access through SATAN. Marc Heuse later posted to Bugtraq regarding SATAN and other widely used security tools having /tmp race conditions that allow a local user to create or overwrite any file the tool’s user can write, which for a scanner run as root means any file on the system. This last vulnerability was found in SATAN 1.1.1, the last version released. No further revisions have been forthcoming, so the issue has not been fixed.
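The /tmp race class Heuse described is easy to show in miniature. The following Python is an added example, not code from SATAN or from the Bugtraq post: a scratch-file writer done the way many tools of the time did it (predictable name under a shared directory, plain open() that follows symlinks), beside two hardened forms. The demo plants the attacker’s symlink ahead of time, so it shows the outcome of a race the attacker has already won rather than the timing window itself. Paths and contents are constructed, and it needs a POSIX system that permits symlinks.

```python
import os
import tempfile


def insecure_tmp_write(tmpdir, data):
    """The vulnerable pattern: a guessable name plus a plain open().

    open() with mode 'w' happily follows a symlink, so if another local user
    has already dropped a link at this name, the write lands on the link's
    target with the privileges of whoever runs the tool (root, for a scanner).
    """
    path = os.path.join(tmpdir, "satan-%d" % os.getpid())   # predictable
    with open(path, "w") as f:
        f.write(data)
    return path


def safe_tmp_write(tmpdir, data):
    """Hardened form 1: let mkstemp() pick the name.

    mkstemp() uses an unpredictable suffix and opens with O_CREAT|O_EXCL
    and mode 0600, so it cannot be steered onto a pre-planted path.
    """
    fd, path = tempfile.mkstemp(prefix="satan-", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def safe_create_at(path, data):
    """Hardened form 2, for when the name really must be fixed.

    O_CREAT|O_EXCL makes open() fail with EEXIST if anything already sits
    at the path, a symlink included, without following it. Treat the
    failure as an attack indicator; do not fall back to a plain open().
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Stage the race with the attacker already ahead and run all three.

    Returns (victim_clobbered, fixed_name_refused, mkstemp_avoided_link).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.txt")   # stands in for /etc/passwd
        with open(victim, "w") as f:
            f.write("original\n")

        # Attacker's move: a symlink at the name the tool is about to use.
        planted = os.path.join(tmpdir, "satan-%d" % os.getpid())
        os.symlink(victim, planted)

        insecure_tmp_write(tmpdir, "overwritten by tool\n")
        with open(victim) as f:
            victim_clobbered = f.read() != "original\n"

        try:
            safe_create_at(planted, "never written\n")
            fixed_name_refused = False
        except OSError:                 # EEXIST: something is already there
            fixed_name_refused = True

        written = safe_tmp_write(tmpdir, "scratch\n")
        mkstemp_avoided_link = written != planted and not os.path.islink(written)

        return victim_clobbered, fixed_name_refused, mkstemp_avoided_link


if __name__ == "__main__":
    print(demo())   # (True, True, True) on a POSIX host that permits symlinks
```

The first result is the bug: the tool’s scratch data ends up in the victim file. The other two show that refusing to open an existing path, whether by letting mkstemp() choose the name or by insisting on O_EXCL, closes the hole without any need to make /tmp itself trustworthy.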

So What’s the Solution?

So if tools like SATAN are antiquated, what is a viable freeware solution? Like most tools, there are always alternatives. In the past few years, a more current tool based on SATAN’s foundation has arisen, called SAINT (30). On August 19, 1999, SAINT version 1.4 was released, adding more features and security checks that address current security concerns. Among these are checks for well-known NT security holes, operating system fingerprinting, and several new Unix vulnerabilities. The continued development and community effort behind this product have turned it into a much better foundation for testing network security than many tools like it. Due to its active development and continued support for detecting new vulnerabilities, it is a far better recommendation than an outdated tool. When possible, don’t rely on canned tools at all. They will never come close to the ability and instinct of a qualified security consultant.

Conclusion

A few dozen clichés come to mind as a way to wrap up this article. I think I have sufficiently shown that everyone from the media to security experts continues to cite SATAN as a way to defend your network. Because the tool has not been updated in several years, it is far behind the times in addressing network security issues. On top of being inadequate by any stretch of the imagination, it poses further risk to your machines. Despite all this, the recommendations to use inferior technology keep pouring in.

Subversion of Information Attacks

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

The Real Threat

What is the absolute worst consequence of hackers on the Internet? Defacing high-profile sites? Wiping a dozen machines and effectively shutting down an entire business? Flooding subnets and denying access to an ISP of five thousand people? None of the above.

One of the above touches on a much more sinister threat that some hackers may pose to the Internet today. Unfortunately, no one has the ability to say “at least it hasn’t happened yet”, because the nature of this threat prevents us from knowing. When it is discovered, media outlets will reel in shock, stumbling over themselves trying to comprehend and report the full implications of such a beast. That threat is what some people call a ‘Subversion of Information’ (SoI) attack. It is a style of web defacing that leaves no obnoxious ‘elite speak’, doesn’t consist of poorly written rants about unrelated topics, and doesn’t warn anyone that an intrusion has taken place.

I for one have no doubt it has occurred in a limited fashion at some point in recent history, yet no one can cite a specific example of it. The concept of the attack is simple. An intruder on a web server has the ability to edit any file on the system. Most defacements we see are bold and brazen, leaving no doubt the page was altered. A handful of these defacements actually reuse the base design of the original web page for their alteration. If these intruders were to take it one step further, they could make subtle alterations to the page that might not be noticed until serious and quantifiable damage has occurred.

Serious Repercussions

Without a solid case history to build on, it is difficult to assess the full damage that a well-executed Subversion of Information attack could do. At this point we can only speculate, using well-founded examples based on the information available to be altered and on how people react to it.

The first and most often discussed SoI attack centers on large media outlets. Looking at sites like ABC News, Wired and the New York Times (all defaced in the past), an obvious attack becomes apparent. What if intruders were to make subtle changes to various stories without being noticed? Editors at Wired could find out when libel suits are leveled at them. Staff at ABC could be forced to print numerous retractions, calling their integrity into question. The New York Times might find itself supporting ultra-radical militia groups that it denounced a day before.

Security professionals typically bring up the obvious threat of financial manipulation. What if a single stock price were altered on a site catering to investors? Drop the price a few dollars, just long enough to make what looks like a sound investment in a company, then shortly after pop it up a few dollars above its real market value. While these events are unlikely to succeed because of various failsafes, they could lead to massive chaos for the brokers handling the resulting flood of buy and sell orders.

Another subtle but highly profitable attack could come in the form of sites with banner ads or reseller programs. OSALL is a reseller of Amazon books. By linking to Amazon, OSALL lets Amazon track the sales that come through those links and kick back a very small commission to OSALL in return. Rather than getting a check for one hundred dollars every year, what if the Amazon site were altered so that every fourth link automatically credited OSALL regardless of where it came from? The next year would be highly profitable, to say the least.

In the future

If any serious SoI attacks have occurred to date, there has been little to no media attention surrounding them. That, or no one has noticed such an attack yet. That raises the question of how you would recognize this type of attack if it were to occur. The trick is having an independent source against which to verify the information on a site. Since this attack could affect any site on the net, that leaves us comparing web sites against magazines and papers, which rather defeats the purpose and convenience of a web site.

Adequate internal security and auditing would be a good start. Knowing that a company undergoes intense certification and auditing at periodic intervals is definitely reassuring. But even then, what if an intruder slips past the defenses between audits? Mechanisms like a strong Intrusion Detection System (IDS) need to be in place. Not only would it detect an intruder and hopefully boot him off, it would monitor the integrity of the pages or information it protects, comparing them against a known-good copy and ready to restore a page with the original content if necessary.
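The integrity half of that mechanism, as an added example that is not part of the original article: hash every file under the web root, compare against a baseline taken from a known-good copy kept off the server, report anything modified, added or removed, and restore tampered files from that copy. The web root and its pages are constructed inside the example, and the tampering is the one-character kind this article worries about, a price edited from $80.00 to $0.08. The caveat is where the baseline lives: an intruder who can edit the pages can also edit a baseline stored beside them, and a page assembled from a database at request time has to be checked at the database, not in the file system.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Return {relative path: sha256 hex} for every regular file under root.

    Take this from a known-good copy and keep it (and the copy) off the web
    server; a baseline the intruder can rewrite is no baseline at all.
    """
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_against_baseline(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def restore(root, trusted_copy, paths):
    """Put the known-good version of each tampered file back in place."""
    for rel in paths:
        shutil.copy2(os.path.join(trusted_copy, rel), os.path.join(root, rel))


def demo():
    """Build a two-page site, baseline it, tamper subtly, detect and restore.

    Returns (modified, added, removed, restored_ok). All content is constructed.
    """
    with tempfile.TemporaryDirectory() as work:
        trusted = os.path.join(work, "trusted")    # off-host known-good copy
        webroot = os.path.join(work, "htdocs")     # what the server publishes
        pages = {
            "index.html": "<h1>Welcome</h1>\n",
            os.path.join("products", "widget.html"): "<p>Widget: $80.00</p>\n",
        }
        for rel, body in pages.items():
            path = os.path.join(trusted, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        shutil.copytree(trusted, webroot)
        baseline = snapshot(trusted)

        # The subtle defacement: one price edited, layout and markup intact,
        # plus a backdoor CGI dropped alongside the real pages.
        with open(os.path.join(webroot, "products", "widget.html"), "w") as f:
            f.write("<p>Widget: $0.08</p>\n")
        with open(os.path.join(webroot, "cmd.cgi"), "w") as f:
            f.write("#!/bin/sh\n")

        modified, added, removed = diff_against_baseline(baseline, snapshot(webroot))
        restore(webroot, trusted, modified)
        after = snapshot(webroot)
        restored_ok = all(after[p] == baseline[p] for p in modified)
        return modified, added, removed, restored_ok


if __name__ == "__main__":
    mod, add, rem, ok = demo()
    print("modified:", mod, "added:", add, "removed:", rem, "restored:", ok)
```

A single changed character is as loud to a hash as a full-page defacement, which is the whole point: the check does not need to understand the content to notice that it is no longer what was published. Added files are reported but deliberately not deleted here; a dropped CGI is evidence an incident responder will want to look at first.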

We have hopefully been lucky so far: mostly inexperienced kids running canned scripts against web sites and uploading their own pages for bragging rights. The serious intruders may enter and exit your system a dozen times a day completely undetected. How do you know they didn’t change your product’s price to eight cents, forcing you to honor the advertised price? Perhaps they changed some other bit of information that hasn’t been detected. This is just the beginning.