Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!uunet!murtoa.cs.mu.oz.au!ditmela!smart
From: smart@ditmela.oz (Robert Smart)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: CERT Internet Security Advisory
Keywords: security
Message-ID: <6685@ditmela.oz>
Date: 19 Aug 89 01:39:36 GMT
References: <3858@fy.sei.cmu.edu>
Reply-To: smart@ditmela.oz.au (Robert Smart)
Organization: CSIRO, Division of Information Technology, Australia
Lines: 72

Australia is about to establish a Research network. Security is a hot topic.
I have been arguing the need for the network to have a security officer to
coordinate security measures, and to cooperate with other research
networks and with computer vendors on security matters. So I am pleased
to hear about the Computer Emergency Response Team.

In article <3858@fy.sei.cmu.edu> krvw@sei.cmu.edu (Kenneth Van Wyk) writes:
>
> o Test telnet for unauthorized changes by using the UNIX "strings"
>   command to search for path/filenames of possible log files.  Affected
>   sites have noticed that their telnet programs were logging information
>   in user accounts under directory names such as "..." and ".mail".

It seems that the code could easily be written so that "strings" doesn't
show anything.
>
> o Test authenticity of critical programs - Any program with access to
>   the network (e.g., the TCP/IP suite) or with access to usernames and
>   passwords should be periodically tested for unauthorized changes.
>   Such a test can be done by comparing checksums of on-line copies of
>   these programs to checksums of original copies.  (Checksums can be
>   calculated with the UNIX "sum" command.)  Alternatively, these
>   programs can be periodically reloaded from original tapes.

Is "sum" designed to be a security device? If not it is probably easy
to arrange for the checksum to be unchanged. I would like to see a
checksum like program that was designed like an encryption algorithm:
very hard to alter and keep the checksum the same.

> o Apply fixes - Many of the old "holes" in UNIX have been closed.
>   Check with your vendor and install all of the latest fixes.

Vendors remain shockingly unconcerned about security issues. What do
we do about machines which don't have software maintenance? Should they
be barred from Internet access? Since the BSD 4.3 network stuff is 
publically available I think we should be able to plug network holes
in unix systems, even for machines which don't have software
maintenance.
>
> If system administrators do discover any unauthorized system activity,
> they are urged to contact the Computer Emergency Response Team (CERT).
>

So what does CERT do between emergencies? What I would like to see is
the creation of a shell script to check machines out for security. It
should be something like the "rn" installation script [a brilliant
bit of work]: work out what its environment is, and make appropriate
investigations and even offer to install updated software where appropriate:
It might go like this:

  % security-check

  Still running SunOS 3.5 eh? For internet network performance you should
  switch to a more recent version.

  Gack! You're still running the old fingerd. You must remove it! Would
  you like me to install a safe version [yn]?

etc.

The shell script should also check for obvious bad passwords: words, first
names, password=login name, etc. It should check for potential configuration
problems (like + in hosts.equiv). 

It would be nice to see similar mechanisms for other common operating
systems, which probably means VMS. This would require cooperation from
the vendors of VMS tcp/ip software. Non-cooperaters banned from the internet!

Another thing CERT could do is check machines from the internet to see
if they exhibit known security bugs. 

Bob Smart