Secure Computing Internet Security Newsletter

vol. 1, no. 7, August 1997

Up-to-the-minute news on Internet security threats

Hackers turn up heat at DEF CON V

by Holly Knox, Internet Security Editor


DEF CON V, the annual hacker convention, was held for the fifth consecutive year in Las Vegas on July 11-13. Antics such as previous years' attendees breaking into a hotel's phone system have prevented organizers from holding this event in the same hotel twice. This year an estimated 1,000 people gathered at the Aladdin Hotel and paid $40 each to be part of the largest of all hacker conventions.

[Photo: A DEF CON V participant]

To the casual observer it might be difficult to pinpoint what type of convention it is that attracts such a diverse group of people. Since hackers tend to be an unusual breed, it should come as no surprise that this convention thrives on the unconventional. Most attendees are young males in their teens and twenties, many of whom dress in all black. Only a handful use their real names and most prefer to use monikers or code names like White Knight, Se7en, Cyber, and Deth Veggie. 

Contents

Tunneling protocol attacks

Product update

In the news

Chasing back door connections

We welcome your comments!
Please email us at:

Internet_Security@securecomputing.com


Unlike most of the other hacker conventions, the organizers of DEF CON openly invite information security professionals, including law enforcement officials, to participate in the conference. One of the more popular games played at the conference is called "Spot the Fed." Contestants in this game are awarded a T-shirt for spotting a member of a law enforcement agency, or "Fed," and pointing this out to others. While there were probably some Feds who easily blended into the crowd, the ones who were spotted tended to be clean cut, which contrasted sharply with those who dressed in all black and had various parts of their bodies pierced and tattooed.

DEF CON attendees were also given the opportunity to participate in their own rendition of "Capture the Flag." The game is structured to award a cash prize to the first team that successfully breaks into all four of the different network operating systems set up by conference organizers. As it turned out, no single team was successful in breaking into all of the systems, so the prize was split among individuals from several teams.

Some hackers even went on a field trip to "Area 51," the place where it's rumored that the government conducts research on crashed UFOs. The hackers launched foil attached to helium balloons over the perimeter security fence, hoping the objects would float into Area 51's radar. A short time later the hackers were asked to leave the area.

The formal agenda for the convention was composed primarily of hourly discussions on topics ranging from "Hacking Vegas" to "Global Domination," and discussions about what the Feds think of hackers. There were also breakout sessions and panel discussions on such subjects as how to read email headers and how to create and decipher forged email messages.

The clueless ones

One particularly interesting presentation was given by Ira Winkler, a noted security consultant and author of Corporate Espionage. His topic included a discussion of how the Internet has made it easy for almost anyone to call themselves a hacker. In fact, he believes most hackers today are of a variety he labels the "clueless ones." Winkler even devised a quiz to help ferret out a clueless hacker from a real one, and he challenged the audience to take the quiz and answer it truthfully. For example, if you have never installed a network operating system or written a program in "C" or another similar language, you hardly qualify as having the skills of a real hacker. These clueless hackers, whom he asserts are primarily teenagers, pose one of the biggest threats to corporate security administrators because they are more apt to use Internet hacking tools indiscriminately. Winkler contends that many of the attacks done today are executed by those he considers clueless, and judging from the audience's reactions to his remarks, many appeared to agree with him.

With each passing year the popularity of DEF CON continues to grow, as evidenced by this year's large turnout. No doubt many attend to satisfy their curiosity. Others are simply trying to stay informed about the latest hacking trends. For many others, the big attraction may be the opportunity to rub shoulders with some of the "legendary heroes" of hackerdom.

For more information on DEF CON go to: http://www.defcon.org



Tunneling protocol attacks

by Sean Keir, Research Scientist

The systems administrator at XYZ Company was confident that sensitive information on his internal servers was secure from unauthorized access by the outside world. After all, he had implemented a very stringent security policy that blocked all incoming and outgoing telnet and ftp services. This was done to prevent anyone from intentionally or unintentionally transferring the company's sensitive proprietary information offsite.

He was sure that the network was as secure as it could be. How, then, did the company's latest product development plans get into their competitor's hands?

The system administrator at XYZ Company uses ping frequently to test remote connections, and he keeps it running and available to both external and internal users. Keeping ping active leaves an internal network vulnerable to "tunneling protocol attacks."

What exactly is a tunneling protocol attack?

A tunneling protocol attack allows intruders to hide, or encapsulate, one protocol inside of another. For example, a request to establish a telnet session can be hidden within a ping request. This is dangerous because you can never be sure what is really passing through your network. This type of attack can be launched from almost anywhere on the Internet, provided a computer on your internal network is running a process that accepts the carrier protocol (ping) and extracts the tunneled protocol (telnet) from it.

In the example above, the attacker established a telnet session with XYZ Company's internal server by encapsulating a telnet request inside a ping request. When XYZ Company's server received the ping packet it responded by sending back its own ping packet containing an encapsulated response and establishing a telnet session. The systems administrator did not notice the request since shell requests do not create much network traffic.

An attacker will likely tunnel a service request in situations where a protocol is either blocked or monitored, as in the case of XYZ Company. Also, in cases where an encrypted request is not allowed or would raise suspicion, tunneling can be used to keep the service request hidden.

It is also possible for an intruder to encrypt his tunneled request inside of another unencrypted protocol. For example, an attacker could mask a telnet session request by encrypting it and inserting it inside an unencrypted ping request. Unless the administrator reviewed the contents of each ping packet, the traffic passing through the network would appear normal.
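The review of ping packet contents that the previous paragraph mentions can be automated. The following is an added example written for this article, not code from the newsletter or from Secure Computing: it parses raw IPv4/ICMP echo packets, constructed inline, and flags echo payloads that do not look like the filler a normal ping sends, are mostly text, are unusually large or high in entropy (the encrypted variant), or belong to an echo reply that does not repeat its request's payload, as a genuine reply must. The thresholds, the addresses and the session text are assumptions.

```python
"""Heuristic review of ICMP echo traffic for signs of a tunneled protocol.
Added example for this article, not newsletter code. Packets are constructed
inline; the address space and thresholds are assumptions."""
import math
import struct
from collections import Counter

IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_echo(src, dst, icmp_type, ident, seq, payload):
    """Construct a raw IPv4+ICMP echo packet (test input for the detector only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                      IP_PROTO_ICMP, 0, ip4(src), ip4(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_icmp_echo(raw: bytes):
    """Return (type, ident, seq, payload) for an ICMP echo packet, else None."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != IP_PROTO_ICMP:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp_type, ident, seq, raw[ihl + 8:]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ping_filler(payload: bytes) -> bool:
    """Normal ping fillers: a run of consecutive byte values (Unix ping, after
    its timestamp) or the repeating 'abcdefghijklmnopqrstuvw' text (Windows)."""
    run = 1
    for i in range(len(payload) - 1, 0, -1):
        if payload[i] != (payload[i - 1] + 1) & 0xFF:
            break
        run += 1
    windows = b"abcdefghijklmnopqrstuvw" * 8
    return run >= 16 or (len(payload) >= 16 and payload == windows[:len(payload)])


def classify(payload: bytes):
    """Reasons one echo payload deserves a closer look (empty list if none)."""
    reasons = []
    if looks_like_ping_filler(payload):
        return reasons
    if len(payload) > 128:
        reasons.append("oversized payload")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) >= 0.9:
        reasons.append("text-like payload")
    if len(payload) >= 64 and entropy(payload) > 6.0:
        reasons.append("high-entropy payload")
    return reasons


def analyze(packets):
    """Map packet index -> reasons. A genuine echo reply repeats the request's
    payload byte for byte, so a reply that differs from its request is flagged."""
    findings, requests = {}, {}
    for i, raw in enumerate(packets):
        parsed = parse_icmp_echo(raw)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        reasons = classify(payload)
        if icmp_type == ICMP_ECHO_REQUEST:
            requests[(ident, seq)] = payload
        elif (ident, seq) in requests and requests[(ident, seq)] != payload:
            reasons.append("reply payload differs from request")
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample traffic: a normal ping exchange, a text session carried in
# echo packets, and a high-entropy (encrypted-looking) blob.
UNIX_FILLER = bytes(8) + bytes(range(0x10, 0x40))
NOISE = bytes((i * 167 + 13) % 251 for i in range(200))
SAMPLE_PACKETS = [
    build_echo("192.0.2.10", "10.0.0.5", ICMP_ECHO_REQUEST, 0x1111, 1, UNIX_FILLER),
    build_echo("10.0.0.5", "192.0.2.10", ICMP_ECHO_REPLY, 0x1111, 1, UNIX_FILLER),
    build_echo("192.0.2.10", "10.0.0.5", ICMP_ECHO_REQUEST, 0x2222, 7, b"ls /export/plans\r\n"),
    build_echo("10.0.0.5", "192.0.2.10", ICMP_ECHO_REPLY, 0x2222, 7, b"roadmap-1998.doc  budget.xls\r\n$ "),
    build_echo("192.0.2.10", "10.0.0.5", ICMP_ECHO_REQUEST, 0x3333, 1, NOISE),
]

if __name__ == "__main__":
    for index, reasons in analyze(SAMPLE_PACKETS).items():
        print(index, ", ".join(reasons))
```

Only packets 2, 3 and 4 of the sample are reported; the legitimate exchange passes because its payload is the standard filler and the reply matches its request. The reply check is the most robust of the four, since an attacker can imitate the filler or pad a payload but an echo reply that carries different bytes than its request is never produced by a normal ping responder.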

What does this mean to you or your systems administrator as you try to keep your network data secure? With a little effort, a hacker could siphon off mission critical information and sell it or leak it to your competitors. Several security measures should be taken to thwart this type of attack.

Protecting your network

  • Shut down access to ping and any other service that is not needed. Remember, ping was designed for diagnostics and should be turned on only when needed.
  • If you don't have a firewall, install one, and make sure that it blocks all incoming ping. Firewalls provide a single point of control over your network traffic and provide detailed logging capabilities. The logs in products such as Borderware™ Firewall Server and Sidewinder™ Security Server are superior to those of commercial routers and can be used to identify any unusual activity.
  • Use automated port scanning tools to monitor network activity. Port scanners can generate daily reports to track what services are running on your internal hosts. Comparing these reports with previous daily reports can identify when a host is acting out of the ordinary. A good port scanning tool is the freeware tool SATAN; it can be run against internal or external hosts and generates very useful reports.
  • Limit the amount of services available on hosts where sensitive information resides. A good security policy will specify the type of information allowed on each host.
  • Stay abreast of current attack methodologies and modify your security policy when necessary.

Summary

Tunneling protocol attacks still require some work on the part of the hacker and are not yet considered a "recipe" hack. However, tools needed to execute these attacks are being developed by various individuals and entities. It is almost certain that once developed, these tools will be distributed via the Internet.

So, implementing effective security measures as outlined above is critical to helping ensure that your company's secrets are not vulnerable to tunneling protocol attacks.



Product update

Secure Computing Firewall™ for NT 2 Plus now available

Secure Computing Firewall for NT 2 Plus has these new features:

  • Connectivity support has been expanded to include NT RAS and ISDN devices. This eliminates the need for an intermediate router as was required in the earlier version.

  • The Firewall Manager now includes an ACL (Access Control List) Wizard. New entries can be added and existing entries modified using the ACL Wizard, with step-by-step on-line help. A Quick Summary button is now available on the ACL grid, which allows users to view a detailed description of the ACL rule.

  • The NT Performance Monitor allows users to more effectively monitor and assess system performance.

A number of NT based firewalls were evaluated in the August 4, 1997 issue of LAN Times Magazine. Secure Computing's Firewall for NT 2 Plus was ranked among the top in the review. The following quote is an excerpt from the LAN Times review:


"Firewall for NT fared well as the only near-final beta release. In addition to a well-written manual, it has an unusual GUI. The Firewall Manager interface is made of pages, windows, and tabs. You configure the firewall with the top tabs, and bottom tabs are used by the NT Security Scanner to display security information. By using NT's Performance Monitor to represent traffic statistics and extracting security data for audit logs, Firewall for NT delivers a good set of monitoring tools."

For more information on the LAN Times review go to: http://www.lantimes.com/lantimes/97/97aug/708a055a.html



Chasing back door connections

by Dr. Richard Smith, Principal Research Scientist

[Editor's Note: This is an excerpt from Chapter 3 of "Internet Cryptography" (ISBN 0-201-92480-3, Addison-Wesley, 1997).]

The Internet protocols are designed to be persistent and inclusive. They will route data to any directly or indirectly connected device the protocols can reach. A router will forward a packet solely on the speculative belief built into its routing algorithm that, even if it doesn't recognize a packet's destination address itself, another router somewhere will know how to route the packet. Unauthorized connections to other networks can exist, and if they do they can communicate with any destination inside your network.

Any host on the network can route traffic to another network if it connects the two networks together. When this happens, the host becomes a gateway to additional sites and networks. This makes the network very easy to extend but very hard to control, reducing the certainty you have about the security properties of your network. Unexpected network connections can lead to an unexpected and unsafe "back door" connection to the public Internet.

Classic Example

This problem was best illustrated in the 1985 movie, War Games, in which a high school kid inadvertently found a way to dial-in to the computer systems that defended the country against nuclear missile attack. He found this "back door" by programming his home computer's modem to dial every telephone number in a given area. Whenever a computer answered the phone, the number would be saved for later investigation. This technique is now known as "war dialing." Many telephone companies have since implemented measures to detect war dialing, but the technique still poses a threat.

War dialing would not be so much of a threat if we were certain that dial-in access always went to security conscious hosts. Unfortunately, the plunging cost of modems has spoiled this assumption. Many workstation vendors routinely include a modem with computer systems they sell, along with convenient software to use it. Many people find it very tempting simply to connect an extra wire from the back of their computer to their office phone. This produces the worst kind of back door if the modem accepts dial-in connections, but it can also be dangerous when dialing out. We trace that problem back to the protocol stack and the IP layer.

[Book cover: Internet Cryptography]

The IP layer of a TCP/IP protocol stack typically does one of two things with packets: it transfers packets between the network and the host's application software, or it forwards packets received on one network connection via another. This second process is often called "IP forwarding." If a host computer contains two or more network connections (for example, a LAN interface and a modem) then it may be possible for the IP software to transfer packets between them. This risky behavior is not what most workstation users intend. Some vendors have recognized this risk and have produced TCP/IP packages that do not support IP forwarding between different interfaces. Others make forwarding a configuration option, allowing individual hosts to enable it if the user desires.

Dial-up IP connections combined with IP forwarding produce a difficult network management problem, and the solutions can be difficult to achieve. Military networks rely heavily on punitive sanctions: it is a federal crime to leak classified information and, by definition, every bit of data on a typical classified computer system is considered classified information. Thus, violations of security measures can lead to a vacation behind bars. Few commercial entities can produce similar deterrents.

Practical Solutions

Commercial organizations rely primarily on proactive measures like education and physical protections, and use various detection techniques to locate violators. One large, multinational corporation established a rule that no packets on their corporate network may contain an external network address; any external addresses thus indicate that an external Internet connection has been made. The networking administrators detect "leaks" monthly from all sources. Experts in IP routing also suggest that leaks can be controlled by tuning the routers to reject external packets travelling in the wrong direction with respect to an approved, external connection.
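The monthly leak check and the router rule described above can be expressed as a small analysis over frames captured on the internal LAN. This is an added example for this article, not the corporation's tool nor code from the book: every external address seen on the internal network must have been put there by the approved Internet gateway (external source) or be on its way to that gateway (external destination); any other host carrying such traffic is a candidate back door. The corporate address space (10.0.0.0/8), the gateway's MAC address, the interface names and the sample frames are constructed assumptions.

```python
"""Spot 'back door' connections from frames seen on the internal LAN.
Added example for this article, not from the book or the newsletter. The
address space, gateway MAC, interface names and frames are constructed."""
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate space
GATEWAY_MAC = "00:00:5e:00:53:01"                      # assumed approved gateway
BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_leaks(frames, gateway_mac=GATEWAY_MAC):
    """Apply the rule from the text: an external address on the internal LAN is
    legitimate only if the approved gateway sent it (external source) or will
    carry it out (external destination). Returns (frame, offending MAC, reason)."""
    leaks = []
    for f in frames:
        dst = ipaddress.ip_address(f.dst_ip)
        if dst.is_multicast or dst == BROADCAST:      # link-local noise, not a route
            continue
        if not is_internal(f.src_ip) and f.src_mac != gateway_mac:
            leaks.append((f, f.src_mac,
                          "external source address injected by a host other than the gateway"))
        if not is_internal(f.dst_ip) and f.dst_mac != gateway_mac:
            leaks.append((f, f.dst_mac,
                          "external destination routed through a host other than the gateway"))
    return leaks


def suspect_hosts(leaks):
    """MAC addresses of hosts that appear to be forwarding to an unapproved link."""
    return {mac for _frame, mac, _reason in leaks}


def router_should_drop(arrival_iface: str, src_ip: str, internal_iface: str = "eth0") -> bool:
    """Router-side variant from the text: a packet with an external source address
    travelling in the wrong direction (arriving on the approved gateway's internal
    interface) means some other path is carrying outside traffic in."""
    return arrival_iface == internal_iface and not is_internal(src_ip)


# Constructed sample: a normal exchange through the gateway, then a desktop
# with a modem (WORKSTATION_WITH_MODEM) acting as an unapproved IP forwarder.
WORKSTATION_WITH_MODEM = "00:00:5e:00:53:42"
SAMPLE_FRAMES = [
    Frame("00:00:5e:00:53:10", GATEWAY_MAC, "10.1.2.3", "198.51.100.7"),          # outbound via gateway
    Frame(GATEWAY_MAC, "00:00:5e:00:53:10", "198.51.100.7", "10.1.2.3"),          # inbound reply
    Frame(WORKSTATION_WITH_MODEM, "00:00:5e:00:53:10", "203.0.113.9", "10.1.2.3"),  # outside address via desktop
    Frame("00:00:5e:00:53:10", WORKSTATION_WITH_MODEM, "10.1.2.3", "203.0.113.9"),  # outbound via desktop
    Frame("00:00:5e:00:53:10", "01:00:5e:00:00:fb", "10.1.2.3", "224.0.0.251"),   # multicast, ignored
]

if __name__ == "__main__":
    for frame, mac, reason in find_leaks(SAMPLE_FRAMES):
        print(f"{mac}: {reason} ({frame.src_ip} -> {frame.dst_ip})")
    print("suspect hosts:", suspect_hosts(find_leaks(SAMPLE_FRAMES)))
```

Run over a real capture, the list of suspect MAC addresses is the set of hosts to inspect for a second interface with IP forwarding enabled; the multicast and broadcast exclusions keep discovery chatter from producing false alarms.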

A technique used by many sites is to vigorously eliminate all desktop modems. Many organizations have already converted their internal phone system from traditional, modem friendly analog lines to digital systems. Connecting a modem to a digital phone is at least ineffective and possibly damaging to the modem. Few individuals will be motivated enough to purchase converters, particularly when the connections are forbidden. Some sites also adopt the attackers' tools, using war dialers to seek dial-in modems within the organizations' incoming telephone lines.

More information on this book is available at:

http://www.visi.com/crypto/

Copyright (c) 1997 Secure Computing Corporation. All rights reserved. All trademarks, trade names mentioned and/or used herein belong to their respective owners.



In the news

Government bills aimed at eliminating junk email

Consumers upset with receiving large amounts of junk email may be relieved to know that members of the U.S. Congress have proposed legislation to curtail this problem. There are several bills before the U.S. Congress, and each takes a different approach to addressing this problem. While none of the proposed legislative efforts offers a perfect solution to stopping junk email, they are a start. In fact, junk email on the Internet may be eliminated before junk mail at your home. For more information on each of these bills go to the following web sites:

http://www2.cauce.org/Smith.bill.intro.html

(This URL contains the bill introduced on May 21, 1997 by Representative Christopher H. Smith, called the "Netizens Protection Act of 1997." The goal of the bill is to modify an existing law regarding junk faxes to extend the legislation to include email messages.)

http://www.vtw.org/uce/

(This URL provides information on the "Electronic Mailbox Protection Act of 1997," introduced by Senator Torricelli, which would prohibit the use of falsified headers and sources for any commercial mail. The bill also requires that recipients be able to request removal from future mailings.)

Also, Alaska Senator Frank Murkowski introduced legislation mandating the tagging of junk email with `advertisement' in the subject line. The bill is designed to make it easy for people to filter out junk email before they see it. Unfortunately the bill requires Internet Service Providers to install mandatory filtering software, so consumers would likely end up footing the bill. (Web address not available.)

CERT issues special advisory on IMAP pop server attack

Recently CERT issued a special summary advisory on a vulnerability with IMAP. The advisory emphasizes that the vulnerability is with the implementation of this particular IMAP server, not with the protocol.

According to CERT, preliminary data from one current incident indicates that probes were made to thousands of hosts, and approximately 40% of those hosts appear to be vulnerable. CERT has also received numerous reports of root compromises as a result of this vulnerability. The CERT advisory also states that there was at least one instance where large-scale scans were launched and the intruders installed a Trojan Horse identd server. The intruders then connected to this Trojan identd and obtained root access. CERT advises any site running an identd server to verify the integrity of its identd executable.
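Verifying an executable's integrity, as CERT advises for identd, needs a trusted baseline taken before any compromise and kept offline. The following is an added example for this article, not CERT's checklist or any Secure Computing tool: it records a digest, size and permission mode for each binary and later reports what changed (contents, size, mode, or the file missing). It builds its own placeholder files in a temporary directory so it runs offline; the file names and the tampering scenario are constructed.

```python
"""Baseline-and-verify check for system binaries such as identd.
Added example for this article, not CERT's or Secure Computing's tooling.
The 'binaries' below are placeholder files written to a temporary directory."""
import hashlib
import os
import shutil
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record digest, size and mode for each path. Store the result off the host
    (or on read-only media); a baseline the intruder can edit proves nothing."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": file_digest(p), "size": st.st_size,
                       "mode": st.st_mode & 0o7777}
    return baseline


def verify(baseline):
    """Compare live files against the baseline. Returns {path: [what changed]}."""
    changes = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            changes[p] = ["missing"]
            continue
        st = os.stat(p)
        diffs = []
        if file_digest(p) != expected["sha256"]:
            diffs.append("contents")
        if st.st_size != expected["size"]:
            diffs.append("size")
        if (st.st_mode & 0o7777) != expected["mode"]:
            diffs.append("mode")
        if diffs:
            changes[p] = diffs
    return changes


def demo():
    """Constructed scenario: baseline two placeholder daemons, then replace one
    byte of 'identd' (same length, different contents) and change its mode."""
    tmp = tempfile.mkdtemp()
    try:
        identd = os.path.join(tmp, "identd")
        imapd = os.path.join(tmp, "imapd")
        for p in (identd, imapd):
            with open(p, "wb") as fh:
                fh.write(b"\x7fELF placeholder for " + os.path.basename(p).encode())
            os.chmod(p, 0o755)
        baseline = take_baseline([identd, imapd])
        clean = verify(baseline)                 # nothing has changed yet
        with open(identd, "r+b") as fh:          # size-preserving tamper
            fh.seek(-1, os.SEEK_END)
            fh.write(b"X")
        os.chmod(identd, 0o700)
        tampered = verify(baseline)
        os.remove(imapd)
        removed = verify(baseline)
        return clean, tampered, removed
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "removed"), demo()):
        print(label, result)
```

A size-only or timestamp-only comparison would miss the tampered identd in this scenario, which is why the digest is the field that matters; the size and mode fields are cheap extra signals, not a substitute for it.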

To determine if your site has been compromised CERT advises following their Intruder Detection Checklist available at:

ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

If you discover that you have suffered root compromise as a result, CERT recommends following the steps outlined in their root compromise document available at:

ftp://info.cert.org/pub/tech_tips/root_compromise

For more information on this vulnerability go to:

ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop




This page is maintained by webmaster@securecomputing.com
