almost everything you ever wanted to know about security (but.txt

1000 HOWTOs for various needs [WINDOWS]

mind: to break insecure passwords.  It is probably the most efficent and
friendly password cracker that is publically available, with the ability
to let the user to specify precisely how to form the words to use as
guesses at users passwords.

It also has an inbuilt networking capability, allowing the load of
cracking to be spread over as many machines as are available on a
network, and it is supplied with an optimised version of the Unix crypt()
algorithm.

An even faster version of the crypt() algorithm, "UFC" by Michael Glad,
is freely available on the network, and the latest versions of UFC and
Crack are compatible and can be easily hooked together.

3) NPasswd (Clyde Hoover) & Passwd+ (Matt Bishop)

These programs are written to redress the balance in the password
cracking war.  They provide replacements for the standard "passwd"
command, but prevent a user from selecting passwords which are easily
compromised by programs like Crack.

Several versions of these programs are available on the network, hacked
about to varying degrees in order to provide compatibility for System V
based systems, NIS/YP, shadow password schemes, etc.  The usual term for
this type of program is a 'fascist' password program.

4) "Shadow" - a Shadow Password Suite

This program suite (by John F Haugh II) is a set of program and function
replacements (compatible with most Unixes) which implements shadow
passwords, ie: a system where the plaintext of the password file is
hidden from all users except root, hopefully stopping all password
cracking attempts at source.  In combination with a fascist passwd
frontend, it should provide a good degree of password file robustness.

>From: jfh@rpp386.lonestar.org (John F. Haugh II)
>Shadow does much more than hide passwords.  It also provides for
>terminal access control, user and group administration, and a few
>other things which I've forgotten.  There are a dozen or more
>commands in the suite, plus a whole slew of library functions.

5) TCP Wrappers (Wietse Venema)

These are programs which provide a front-end filter to many of the
network services which Unix provides by default.  If installed, they can
curb otherwise unrestricted access to potential dangers like incoming
FTP/TFTP, Telnet, etc, and can provide extra logging information, which
may be of use if it appears that someone is trying to break in.

6) SecureLib

>From: phil@pex.eecs.nwu.edu (William LeFebvre)
>You may want to add a mention of securelib, a security enhancer
>available for SunOS version 4.1 and higher.

>Securelib contains replacement routines for three kernel calls:
>accept(), recvfrom(), recvmsg().  These replacements are compatible with
>the originals, with the additional functionality that they check the
>Internet address of the machine initiating the connection to make sure
>that it is "allowed" to connect.  A configuration file defines what
>hosts are allowed for a given program.  Once these replacement routines
>are compiled, they can be used when building a new shared libc library.
>The resulting libc.so can then be put in a special place.  Any program
>that should be protected can then be started with an alternate
>LD_LIBRARY_PATH.

7) SPI

>From: Gene Spafford <spaf@cs.purdue.edu>
>Sites connected with the Department of Energy and some military
>organizations may also have access to the SPI package.  Interested (and
>qualified) users should contact the CIAC at LLNL for details.

>SPI is a screen-based administrator's tool that checks configuration
>options, includes a file-change (integrity) checker to monitor for
>backdoors and viruses, and various other security checks.  Future
>versions will probably integrate COPS into the package.  It is not
>available to the general public, but it is available to US Dept of
>Energy contractors and sites and to some US military sites.  A version
>does or will exist for VMS, too.  Further information on availabilty can
>be had from the folks at the DoE CIAC.

Q.6 Isn't it dangerous to give cracking tools to everyone?

That depends on your point of view.  Some people have complained that
giving unrestricted public access to programs like COPS and Crack is
irresponsible because the "baddies" can get at them easily.

Alternatively, you may believe that the really bad "baddies" have had
programs like this for years, and that it's really a stupendously good
idea to give these programs to the good guys too, so that they may check
the integrity of their system before the baddies get to them.

So, who wins more from having these programs freely available? The good
guys or the bad ? You decide, but remember that less honest tools than
COPS and Crack tools were already out there, and most of the good guys
didn't have anything to help.

Q.7 Where can I get these tools?

COPS:

  V1.04, available for FTP from cert.sei.cmu.edu in pub/cops and
  archive.cis.ohio-state.edu in pub/cops.

Crack/UFC:

  Crack v4.1f and UFC Patchlevel 1.  Available from any major USENET
  archive (eg: ftp.uu.net) in volume 28 of comp.sources.misc.

NPasswd:

  Currently suffering from being hacked about by many different people.
  Version 2.0 is in the offing, but many versions exist in many
  different configurations. Will chase this up with authors - AEM

Passwd+:

  "alpha version, update 3" - beta version due soon.  Available from
  dartmouth.edu as pub/passwd+.tar.Z

Shadow:

  This is available from the comp.sources.misc directory at any major
  USENET archive (see entry for Crack)

TCP Wrappers:

  Available for anonymous FTP:

    cert.sei.cmu.edu: pub/network_tools/tcp_wrapper.shar
    ftp.win.tue.nl: pub/security/log_tcp.shar.Z

Securelib:

  The latest version of securelib is available via anonymous FTP from the
  host "eecs.nwu.edu".  It is stored in the file "pub/securelib.tar".

Q.8 Why and how do systems get broken into?

This is hard to answer definitively.  Many systems which crackers break
into are only used as a means of entry into yet more systems; by hopping
between many machines before breaking into a new one, the cracker hopes
to confuse any possible pursuers and put them off the scent.  There is
an advantage to be gained in breaking into as many different sites as
possible, in order to "launder" your connections.

Another reason may be psychological: some people love to play with
computers and stretch them to the limits of their capabilities.

Some crackers might think that it's "really neat" to hop over 6 Internet
machines, 2 gateways and an X.25 network just to knock on the doors of
some really famous company or institution (eg: NASA, CERN, AT+T, UCB).
Think of it as inter-network sightseeing.

This view is certainly appealing to some crackers, and certainly leads
to both the addiction and self-perpetuation of cracking.

As to the "How" of the question, this is again a very sketchy area.  In
universities, it is extremely common for computer account to be passed
back and forth between undergraduates:

  "Mary gives her account password to her boyfriend Bert at another
  site, who has a friend Joe who "plays around on the networks".  Joe
  finds other crackable accounts at Marys site, and passes them around
  amongst his friends..." pretty soon, a whole society of crackers is
  playing around on the machines that Mary uses.

This sort of thing happens all the time, and not just in universities.
One solution is in education.  Do not let your users develop attitudes
like this one:

       "It doesn't matter what password I use on _MY_ account,
            after all, I only use it for laserprinting..."
                                - an Aberystwyth Law student, 1991

Teach them that use of the computer is a group responsibility.  Make
sure that they understand that a chain is only as strong as it's weak
link.

Finally, when you're certain that they understand your problems as a
systems manager and that they totally sympathise with you, configure
your system in such a way that they can't possibly get it wrong.

Believe in user education, but don't trust to it alone.

Q.9 Who can I contact if I get broken into?

If you're connected to the Internet, you should certainly get in touch
with CERT, the Computer Emergency Response Team.

        To quote the official blurb:

>From: Ed DeHart
> The Computer Emergency Response Team (CERT) was formed by the Defense
> Advanced Research Projects Agency (DARPA) in 1988 to serve as a focal
> point for the computer security concerns of Internet users.  The
> Coordination Center for the CERT is located at the Software Engineering
> Institute, Carnegie Mellon University, Pittsburgh, PA.

> Internet E-mail: cert@cert.sei.cmu.edu
> Telephone: 412-268-7090 24-hour hotline:
>     CERT/CC personnel answer 7:30a.m. to 6:00p.m. EST(GMT-5)/EDT(GMT-4),
>     and are on call for emergencies during other hours.

...and also, the umbrella group "FIRST", which mediates between the
incident handling teams themselves...

>From: John Wack <wack@csrc.ncsl.nist.gov>
>[...] FIRST is actually a very viable and growing
>organization, of which CERT is a member.  It's not actually true that,
>if you're connected to the Internet, you should call CERT only - that
>doesn't do justice to the many other response teams out there and in the
>process of forming.

>NIST is currently the FIRST secretariat; we maintain an anonymous ftp
>server with a directory of FIRST information (csrc.ncsl.nist.gov:
>~/pub/first).  This directory contains a contact file that lists the
>current members and their constituencies and contact information
>(filename "first-contacts").

>While CERT is a great organization, other response teams who do handle
>incidents on their parts of the Internet merit some mention as well -
>perhaps mentioning the existence of this file would help to do that in a
>limited space.

The file mentioned is a comprehensive listing of contact points per
network for security incidents.  It is too large to reproduce here, I
suggest that the reader obtains a copy for his/her self by the means
given.

Q.10 What is a firewall?

A (Internet) firewall is a machine which is attached (usually) between
your site and a wide area network.  It provides controllable filtering
of network traffic, allowing restricted access to certain internet port
numbers (ie: services that your machine would otherwise provide to the
network as a whole) and blocks access to pretty well everything else.
Similar machines are available for other network types, too.

Firewalls are an effective "all-or-nothing" approach to dealing with
external access security, and they are becoming very popular, with the
rise in Internet connectivity.

For more information on these sort of topics, see the Gateway paper by
[Cheswick], below.

Q.11 Why shouldn't I use setuid shell scripts?

You shouldn't use them for a variety of reasons, mostly involving bugs
in the Unix kernel.  Here are a few of the more well known problems,
some of which are fixed on more recent operating systems.

1) If the script begins "#!/bin/sh" and a link (symbolic or otherwise)
can be made to it with the name "-i", a setuid shell can be immediately
obtained because the script will be invoked: "#!/bin/sh -i", ie: an
interactive shell.

2) Many kernels suffer from a race condition which can allow you to
exchange the shellscript for another executable of your choice between
the times that the newly exec()ed process goes setuid, and when the
command interpreter gets started up.  If you are persistent enough, in
theory you could get the kernel to run any program you want.

3) The IFS bug: the IFS shell variable contains a list of characters to
be treated like whitespace by a shell when parsing command names.  By
changing the IFS variable to contain the "/" character, the command
"/bin/true" becomes "bin true".

All you need do is export the modified IFS variable, install a command
called "bin" in your path, and run a setuid script which calls
"/bin/true".  Then "bin" will be executed whilst setuid.

If you really must write scripts to be setuid, either

  a) Put a setuid wrapper in "C" around the script, being very careful
  to reset IFS and PATH to something sensible before exec()ing the
  script.  If your system has runtime linked libraries, consider the
  values of the LD_LIBRARY_PATH also.

  b) Use a scripting language like Perl which has a safe setuid
  facility, and is proactively rabid about security.