Date: Thu, 20 Aug 1998 11:10:46 -0700 (PDT)
From: Dave Dittrich 
To: Anil Coumar 
cc: Network System Administrators list ,
        LAN Administrators list 
Subject: Re: TCI @Home
In-Reply-To: <002a01bdcc4d$9b5307e0$832e5f80@HH320-1.PCNHH>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: R

On Thu, 20 Aug 1998, Anil Coumar wrote:

> Since you are the local expert on security, I thought I'd seek your advice
> on this matter.
> 
> I am thinking of subscribing to TCI's @Home, cable internet connection. Will
> this direct connection compromise security in any way - both for my personal
> PC and/or the UW system? Is there a way to protect/prevent break-ins?

Anil,

This is a very good question and I'm going to answer it to a broader set of
people so more people see this.

Services like @Home and Digital Subscriber Link (DSL) from US West and others,
are just really fast modem-like equivalents (meaning you get the same
functionality as PPP over voice lines) with the two main differences being:

a).  The connection speed is MUCH faster, and
b).  The connection is up 24x7 instead of one hour here, one hour there.

Granted, there have been people using 56k modems on second phone lines, or
112K ISDN ("it still does nothing" ;) connections that come/go as needed, but
nothing like the scale that @Home and DSL are aiming to serve.

This has two main effects on security:

1).  The window of opportunity to hack your system remotely is greatly
     increased, and
2).  The amount of time per attempt in brute force attacks, time
     per probe of TCP/IP services, etc.  (and amount of time it takes to
     load a bunch of hacker tools, clean up tracks, and install back-doors
     when someone *does* break root) is greatly reduced.

I recently spoke with a woman in the @Home security department about one of
their customers' systems that was probing systems here on campus.  She told me
that they are seeing a large increase in the number of attacks on @Home
customers because of a) and b) and a good percentage succeed because the
system owners didn't pay attention to turning off unneeded services, they
decide to turn on file sharing on Windows 95, they don't keep up with security
patches, etc., facilitated by 1) and 2).  [In fact, she said they knew the
person who used the system in question (a teen, using the connection and
computer the parents pay for) and that he was both giving out accounts to
friends, who were also hacking from this system, and he had a history of this
kind of hacking.  I think we'll see a lot more of these "hack-from-home"
situations as bandwidth increases and difficulty in tracing the actual
attacker's location gets harder.  "Hey, it wasn't me who was doing it.  Someone
must have broken in to my system.  No, I don't keep any logs. Sorry."]

I also heard from someone whose friend is a DSL customer that Windows NetBIOS
broadcasts (I would assume any local network broadcast packets, for that
matter) get through, which has the effect that you can see all the information
that Microsoft Windows leaks out about printers, file shares, your computer's
name, etc.  (Wow.  I guess they call it Windows for a reason.  Does that mean
security is the curtains, or its curtains for security? ;)

With programs like Back Orifice for Windows 95/98
(http://www.cultdeadcow.com/tools/), Netbus for Windows NT
(http://netbus.hypermart.net/index_en.html), and RootKit for Linux, all it
takes is for someone to get root *once* (or to be able to install/run a
program on Windows) on your system and it is then used remotely to attack
other sites and/or just to watch everything you do on your home system.
Without taking steps to secure any/all of these operating systems, these
things *can* be done (and are done now all over the Internet and this
network).  Or, if you decide to network other systems in your home and use
WinGate (and leave it wide open, like most people do) your system becomes a
reflector for attackers on the Internet who bounce off of your system to hack
other systems.  Then you get to explain to the DoD investigators how it
really wasn't you hacking systems in Area 51. (Don't laugh -- it happens!)

@Home just extends the 24x7 Internet to your home.  If you consider yourself
secure on the UW network, and you do the same things at home, you should be
just as (in)secure.

As for security implications to UW systems, that depends on what trust
relationships are established to them, because trust relationships are usually
the way hackers move from system to system ("island hopping attacks" as Marcus
Ranum calls them).

If, for example, you use SSH on your PC (Windows or Linux), but someone can
get to your file system through a hole (bug in Linux service, you turn on
Windows file sharing, etc.), then they can steal your private key and make
connections to systems at the UW and they look like you.

OK, forget SSH.  Let's say you instead use Kerberized clients to authenticate
to the UW Kerberos database.  Same holes allow someone to install BO, etc. and
they sniff your keys, get your password, and they *still* get in.

And what about PGP?  If someone can get to your file system, they can
steal your PGP key.  The whole key ring, in fact.  All your key rings.  But you
have a passphrase to prevent the keys from being useful, right?  If they
can see your keystrokes, they can steal the passphrase, too.  Or if you use a
simple English word or short phrase (which has very low entropy), they might
be able to break the passphrase.  There goes your assumed privacy via
encrypted email.

This isn't meant to scare you away from @Home.  Not at all. I am just trying
to make it very clear that choosing to expose your system this much comes with
the responsibility to spend the time securing and monitoring it or at
least understanding that if you fail to do this and your system is hacked,
that is your responsibility as well.

So what can you do?

Well, now that you realize the dangers, you just have to get in the habit of
taking the time to seek out the information about security patches (which no
vendors take great pains to put in your hands, like the auto industry does
with exploding gas tanks and anti-lock brakes that don't brake) and make sure
you apply them ASAP.  Almost all (all?) vendors have some sort of security
announcement email list that you can get on to get updates.  Agencies like
CERT, CIAC, and a slew of hacker groups (professional and ad hoc) post
advisories to lists like BUGTRAQ and NTBUGTRAQ. 

There are also programs you can get (most for Linux/Unix, a few for Windows
NT, even fewer for Windows 95/98) that allow you to monitor your system for
suspicious or unauthorized activity (like probing every service port, trying
to mount directories remotely, etc.) and would let you know when someone is
trying to break in.  If you are running Linux, there is IP level "firewalling"
software you can put in the kernel that gives you very fine grained control
over who can connect (see
http://www.redhat.com/linux-info/ldp/HOWTO/Firewall-HOWTO.html).  If you then
have these things logged via email to your UW account or somewhere else, then
(unless they can get into those accounts too) you have a record of the
intrusion, even if they manage to wipe out log files on your home system.

If you are using PGP to encrypt email, you might want to consider doing that
(and any other sensitive things, like running QuickBooks for bookkeeping,
Quicken for financial transactions, etc.) on another PC (a cheap one, hey -
we're government employees!) that is *not* networked with the others.  You can
then do sneaker net (floppies are still useful) to copy the message to the
networked system from which you mail it.

In other words, using 24x7 services *can* be secure, as long as you make the
effort to secure it yourself and act wisely/responsibly (security on the
Internet isn't going to be something you can take for granted for a
LLLLOOOOOOOONNNNNNNGGGGG time, and even then you'll still need to know how to
act wisely/responsibly.)

--
Dave Dittrich                 Client Services
dittrich@cac.washington.edu   Computing & Communications
                              University of Washington
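The message above mentions that Windows NetBIOS broadcasts from a DSL or cable subscriber's LAN leak the computer's name, shares and role to anyone on the same segment. The following is an added example, not part of the original mail and not a tool from @Home, UW or Microsoft: it builds a constructed NetBIOS Name Service (NBNS, UDP/137) NAME REGISTRATION REQUEST of the kind a Windows machine broadcasts at boot, then parses it the way a passive listener on the segment would, recovering the host name, the 16th-byte suffix (workstation, file server, master browser, ...) and the IP address the host claims. The first-level name encoding follows RFC 1001; the suffix table, the transaction id and the addresses are assumptions chosen for the example.

```python
import struct

# Well-known NetBIOS name suffixes (16th byte of the name); a small subset,
# used only to label what a leaked registration claims the host to be.
SUFFIXES = {
    0x00: "workstation / computer name",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1D: "master browser",
    0x20: "file server",
}


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001, section 14.1).

    The name is upper-cased and space padded to 15 bytes, the 16th byte is
    the suffix, and every byte is split into two nibbles mapped to 'A'..'P'.
    Returns the complete wire label: length byte 0x20, 32 chars, 0x00."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def decode_name(enc: bytes):
    """Reverse of encode_name on the 32 encoded chars; returns (name, suffix)."""
    if len(enc) != 32 or any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(enc[0::2], enc[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_registration(name: str, suffix: int, ip: str, group: bool = False) -> bytes:
    """Constructed NAME REGISTRATION REQUEST as a B-node broadcasts it.

    Header: id, flags, qdcount, ancount, nscount, arcount (all big-endian 16-bit).
    flags 0x2910 = opcode 5 (registration), recursion desired, broadcast bit."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x2910, 1, 0, 0, 1)   # id is arbitrary
    question = encode_name(name, suffix) + struct.pack(">HH", 0x0020, 1)  # NB, IN
    # Additional record: pointer to the question name, type NB, class IN,
    # TTL, rdlength 6, NB_FLAGS (bit 15 = group name), then the IPv4 address.
    rr = struct.pack(">HHHIH", 0xC00C, 0x0020, 1, 300000, 6)
    rr += struct.pack(">H", 0x8000 if group else 0)
    rr += bytes(int(o) for o in ip.split("."))
    return hdr + question + rr


def parse_nbns(pkt: bytes) -> dict:
    """Extract what a passive listener learns from one NBNS packet."""
    if len(pkt) < 12:
        raise ValueError("short NBNS packet")
    _tid, flags, _qd, _an, _ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0x0F
    info = {"opcode": opcode, "broadcast": bool(flags & 0x0010)}
    off = 12
    if pkt[off] != 0x20:
        raise ValueError("unexpected NetBIOS label length")
    name, suffix = decode_name(pkt[off + 1:off + 33])
    info.update(name=name, suffix=suffix,
                role=SUFFIXES.get(suffix, "unknown suffix 0x%02x" % suffix))
    off += 34          # length byte + 32 encoded chars + terminating zero
    off += 4           # question type and class
    if opcode == 5 and ar >= 1:   # a registration carries the owner's address
        off += 2 + 2 + 2 + 4      # compressed name pointer, type, class, TTL
        rdlen, = struct.unpack(">H", pkt[off:off + 2])
        off += 2
        if rdlen < 6 or len(pkt) < off + 6:
            raise ValueError("truncated NB resource record")
        nb_flags, = struct.unpack(">H", pkt[off:off + 2])
        info["group"] = bool(nb_flags & 0x8000)
        info["ip"] = ".".join(str(b) for b in pkt[off + 2:off + 6])
    return info


if __name__ == "__main__":
    # Constructed sample: a home PC announcing itself as a file server.
    pkt = build_registration("HOMEPC", 0x20, "10.0.0.5")
    print(parse_nbns(pkt))
```

Listening for these on a shared cable or DSL segment takes nothing more than a socket bound to UDP port 137, which is the point of the paragraph: the host volunteers its name, its role and its address to every neighbour without being asked.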
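The mail also recommends running something that watches for probes of every service port and repeated connection attempts and lets you know when someone is trying to break in. As an added example, not part of the original mail and not any particular monitoring product, here is the core of such a detector written over a constructed, generic deny-log format (one line per blocked connection; not the output of ipchains, tcp_wrappers or any real tool). It raises a "sweep" alert when one source hits many distinct ports inside a short window, and a "brute" alert when one source hammers a single port, while a slow sweep spread across minutes stays below threshold. The thresholds, the window and the sample addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not any real tool's output):
# "<ISO time> DENY <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SWEEP_PORTS = 8    # distinct dports from one source inside WINDOW => port sweep
BRUTE_HITS = 10    # hits on one (src, dport) inside WINDOW => brute force
WINDOW = 60.0      # seconds; assumed thresholds, tune for your own traffic


def parse_line(line: str):
    """Return the fields we need, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]).timestamp(),
            "src": d["src"], "dport": int(d["dport"]), "proto": d["proto"]}


def detect(lines):
    """Sliding-window detector. Assumes each source's lines arrive in time order.

    Returns a list of alerts: ("sweep", src, sorted_ports) or ("brute", src, port).
    Each offending source/port is reported once, not on every further hit."""
    by_src = defaultdict(deque)        # src -> deque of (ts, dport)
    by_src_port = defaultdict(deque)   # (src, dport) -> deque of ts
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                   # unparsable lines are skipped, not counted
        t, src, port = ev["ts"], ev["src"], ev["dport"]

        q = by_src[src]
        q.append((t, port))
        while q and t - q[0][0] > WINDOW:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= SWEEP_PORTS and ("sweep", src) not in alerted:
            alerted.add(("sweep", src))
            alerts.append(("sweep", src, sorted(ports)))

        q2 = by_src_port[(src, port)]
        q2.append(t)
        while q2 and t - q2[0] > WINDOW:
            q2.popleft()
        if len(q2) >= BRUTE_HITS and ("brute", src, port) not in alerted:
            alerted.add(("brute", src, port))
            alerts.append(("brute", src, port))
    return alerts


def sample_log():
    """Constructed sample lines (not real traffic): a fast sweep, a telnet
    brute force, two benign hits, and a slow sweep that should not alert."""
    t0 = datetime(1998, 8, 20, 11, 10, 0)
    lines = []
    for i, p in enumerate([21, 22, 23, 25, 79, 110, 111, 139]):      # fast sweep
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} DENY TCP 192.0.2.10:40000 -> 10.0.0.5:{p}")
    for i in range(10):                                               # brute force
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} DENY TCP 198.51.100.7:{50000 + i} -> 10.0.0.5:23")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} DENY TCP 203.0.113.4:1234 -> 10.0.0.5:80")
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()} DENY TCP 203.0.113.4:1235 -> 10.0.0.5:80")
    for i, p in enumerate([21, 22, 23, 25, 79, 110, 111, 139]):      # slow sweep
        ts = (t0 + timedelta(seconds=90 * i)).isoformat()
        lines.append(f"{ts} DENY TCP 192.0.2.99:40000 -> 10.0.0.5:{p}")
    return lines


if __name__ == "__main__":
    for kind, src, detail in detect(sample_log()):
        print(f"ALERT {kind} from {src}: {detail}")
```

Whatever prints the alerts should send them somewhere the attacker cannot reach from the monitored host, which is the mail's point about logging to a UW account: an alert that only lands in the local log file disappears with the rest of the logs once someone gets root.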