Don Gilbert (gilbert at bio.indiana.edu) writes:
>Over the course of three weeks in August, two Sun computers that I
>manage, including the IUBio archive host, were broken into by an
>Internet cracker. This person, or persons, apparently used known
>security holes in the standard SunOS Unix software to gain access
>via NFS, logins and full superuser privileges.
>Prior to this, I had not paid much attention to security concerns
>for Internet-accessible computers. I thought passwords were enough,
>and there wasn't anything of interest to crackers on my computers.
>My mistake. Among other things, the cracker used one of my hosts
>to break into other computers, and tried to gain control of a modem
>and telephone to dial out to other computers.
> If you have an
>Internet-connected computer, the only way to insure it isn't
>broken into by bad people is to be vigilant on security.
This happened to our main users' computer at a university where I used to work,
but they had already patched all the security holes in their system. The
invader entered using "password cracker" software, so I would like to add a
word about passwords to Don's note. It seems that there is a list of about
400 words that are used quite frequently as passwords. There also exists
"password cracker" software which tries every entry in this list against a
given account. More often than you would think, this list succeeds. In
addition, there are known viruses which use the same list to crack accounts
and invade new machines.
The staff at the university used the same password cracker software to
identify accounts that could be invaded this way, and shut them down. They
then either contacted the the legitimate user or waited for him/her to call
and complain, and explained the problem and started up the account again
with a better password.
They also put a password filter on the system. When anyone ever changed
a password, the new one must have at least one uppercase letter and at
least one lowercase letter, and I believe they also talked about requiring
one punctuation symbol, but finally didn't. On case-insensitive systems
like Vaxen, where all passwords are raised to uppercase, my favorite
scheme is to make my password out of either one word, but misspelled, such
as zeebraa, or out of two words together, such as dogcat. The thing is,
don't make them REAL WORDS, no matter how obscure, even out of literature.
Another point, if you think you are safe on you own Mac or IBM, you
may not be. NCSA Telnet for the Mac allows you to open your drive for
ftp by other users. If you use telpass to create accounts for your
friends, then you are probably ok, subject to the discussion about
passwords above. However, at least one version of Telnet was
distributed with the FTP ENABLE menu item defaulting to ON. This means
that if you have that version, have never bothered with telpass,
and you use Telnet to connect to your local mainframe, you are open
for someone to mess around on your hard disk. This is the only
situation I have heard of in which the default settings allow invasion,
but there may be others.
In addition, of course, if you choose the FTP ENABLE menu item, you
can manually allow access to your hard drive using ANY version of
Telnet, and if you have modified your telnet configuration file (named
"config.tel" as I recall) then you might have opened your system as its
default behavior.
Robert K. Stodola (stodola at fccc.edu) writes:
>Also be aware that some vendors (obviously not SwisscheeseOS) are
>rather circumspect about exposing holes via CERT on the theory that
>they are telling everyone how to break into all the systems of people
^^^^^^^^
>who don't get the CERT advisory.
In my humble opinion, it is not "everyone" who wants to break into other
people's systems. The hackers and crackers who do want to do this will
not need to get their information from CERT. CERT is telling "everyone"
how to keep them out. Recently I read a newspaper article about a man
who is trying to publish a book documenting all the security holes that
Ma Bell has in its phone system. (Sorry, I can't recall the name.) The
phone company wanted to throw him in jail, and (of course) prevent
publication. But the fact was that because of the book, they finally got
around to FIXING the holes, so that the people who use them secretly can
no longer do so. I thought it was a great victory for freedom of the
press.
Ben Jones, BioQUEST
