Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!uunet!murtoa.cs.mu.oz.au!ditmela!smart From: smart@ditmela.oz (Robert Smart) Newsgroups: comp.protocols.tcp-ip Subject: Re: CERT Internet Security Advisory Keywords: security Message-ID: <6685@ditmela.oz> Date: 19 Aug 89 01:39:36 GMT References: <3858@fy.sei.cmu.edu> Reply-To: smart@ditmela.oz.au (Robert Smart) Organization: CSIRO, Division of Information Technology, Australia Lines: 72 Australia is about to establish a Research network. Security is a hot topic. I have been arguing the need for the network to have a security officer to coordinate security measures, and to cooperate with other research networks and with computer vendors on security matters. So I am pleased to hear about the Computer Emergency Response Team. In article <3858@fy.sei.cmu.edu> krvw@sei.cmu.edu (Kenneth Van Wyk) writes: > > o Test telnet for unauthorized changes by using the UNIX "strings" > command to search for path/filenames of possible log files. Affected > sites have noticed that their telnet programs were logging information > in user accounts under directory names such as "..." and ".mail". It seems that the code could easily be written so that "strings" doesn't show anything. > > o Test authenticity of critical programs - Any program with access to > the network (e.g., the TCP/IP suite) or with access to usernames and > passwords should be periodically tested for unauthorized changes. > Such a test can be done by comparing checksums of on-line copies of > these programs to checksums of original copies. (Checksums can be > calculated with the UNIX "sum" command.) Alternatively, these > programs can be periodically reloaded from original tapes. Is "sum" designed to be a security device? If not it is probably easy to arrange for the checksum to be unchanged. I would like to see a checksum like program that was designed like an encryption algorithm: very hard to alter and keep the checksum the same. > o Apply fixes - Many of the old "holes" in UNIX have been closed. > Check with your vendor and install all of the latest fixes. Vendors remain shockingly unconcerned about security issues. What do we do about machines which don't have software maintenance? Should they be barred from Internet access? Since the BSD 4.3 network stuff is publically available I think we should be able to plug network holes in unix systems, even for machines which don't have software maintenance. > > If system administrators do discover any unauthorized system activity, > they are urged to contact the Computer Emergency Response Team (CERT). > So what does CERT do between emergencies? What I would like to see is the creation of a shell script to check machines out for security. It should be something like the "rn" installation script [a brilliant bit of work]: work out what its environment is, and make appropriate investigations and even offer to install updated software where appropriate: It might go like this: % security-check Still running SunOS 3.5 eh? For internet network performance you should switch to a more recent version. Gack! You're still running the old fingerd. You must remove it! Would you like me to install a safe version [yn]? etc. The shell script should also check for obvious bad passwords: words, first names, password=login name, etc. It should check for potential configuration problems (like + in hosts.equiv). It would be nice to see similar mechanisms for other common operating systems, which probably means VMS. This would require cooperation from the vendors of VMS tcp/ip software. Non-cooperaters banned from the internet! Another thing CERT could do is check machines from the internet to see if they exhibit known security bugs. Bob Smart