Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Linux Tracker

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents
Up to --> Linux Tutorial

· Security
· Real Threats
· Restricting Access
· Passwords
· File Access
· The Root Account
· The Network
· What You Can Do About It

Glossary
MoreInfo
Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
FAQ
Copyright Info
Terms of Use
Privacy Info
Disclaimer
WorkBoard
Thanks
Donations
Advertising
Masthead / Impressum
Your Account

Communication
Feedback
Forums
Private Messages
Recommend Us
Surveys

Features
HOWTOs
News
News Archive
Submit News
Topics
User Articles
Web Links

Google
Google


The Web
linux-tutorial.info

Who's Online
There are currently, 214 guest(s) and 1 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

  
Linux Tutorial - Security - Real Threats
  Security ---- Restricting Access  


Real Threats

One of the things that I enjoyed most about one job I had was that I was one of the few people that most of the end users felt comfortable talking to. One day I was approached about the way we required passwords to be changed every couple of months. Computers are there to be used and not to keep people out. Many were annoyed that they even had passwords, let alone had to change them regularly. The biggest problem is not that he was right, but that he, as well as many users and even system administrators, don't understand the dangers involved.

The stereotypical image of a pair of teenage computer enthusiasts breaking into a military computer and almost starting a war, may be good for Hollywood, but the times have changed. Yes, there are still those kind of hackers running around, but they are not likely going to break into systems with the more advanced security techniques employed today as most of the security is good enough. But then again, maybe not.

Hacking has become almost a cult phenomenom with newsgroups, magazines and even their own language. The people that belong to this culture are not only equipped with the latest technology, they have an almost never-ending list of new security holes that they can use to break into a system. Since they spend much of their free time trying to break into systems, they may have found some of the security holes themselves. However, the techniques they use go beyond just the list of known holes (although these are probably things that are tried first). Instead, there is a methodology to the attack.

More and more, hackers are not just randomly trying systems across the country. Instead, there is usually some motivation for attacking a particular site. It may be just the notoriety of being the first to break into the crystal palace that is some major corporation. In some cases, this is what these people do for a living. The ability to break into a competitors computer system and look over the shoulder of his R&D people, may be worth the investment of hiring a hacker.

As we all know from many of the detective shows we see on TV, criminals are caught because of the clues they leave behind. This also applies to the computer hacker. Breaking into a computer is less likely to leave evidence that can trace directly back to perpetrator. Instead, it is usually a case of being caught in the act during a subsequent break-in. Then there is the added problem of criminal jurisdiction as the hacker could just as easily be on the other side of the world as on the other side of town.

Just knowing that you should lock your front door or buckle your seats belts is enough for many people to do it. However, I am not one of those. Understanding that someone could walk away with my TV or my head could go flying through the windshield is what motivates me to do what I should. I am then also less likely to forget to do or intentional not do it one time because it's inconvenient. I take the same approach to computer security.

Most system administrators are aware that there needs to be "security" on their system. I put it in quotes, because it is often just a phrase that is brought up at staff meetings. When addressed, this often just means forcing users to change their password at regular intervals or making sure that users were logged out when they went home. One company I worked at forced users to change their password every six weeks, but the root password was only changed when someone left the company. (It was too inconvenient.) Added to that the fact that the root password for all the machines were variations on a single theme, so once you figured out one it was easy to figure out the rest.

With all the talk of the Internet, the kind of security most often in people's minds is the attack from outside. Although this is a very real threat, it is not the only one. Personal experience has taught me that inside attacks can be just as devastating.

In this same MIS shop everyone had the root password to every machine (also the administrator password on our NT machines.) There were people who only administered the UNIX machines and others who only administered the NT machines. However they had the password to all machines. One employee was not satisfied with the speed that the hardware vendor was reacting to a problem he was having with one of the NT machines. Since they were the same vendor for the UNIX machines he decided to "motivate" them to make a personal call.

On several, irregular occasions he killed the Oracle database process. Since most everyone used that database, the company was brought to a standstill for the couple of hours it took to discover the problem, reboot the system and clean up. Eventually he was caught, but not after causing tens (if not hundreds) of thousands of dollars worth of damage.

Keeping the UNIX root password from him would have probably prevented him from doing this exact thing. However, there are other things that he could have done to damage the company if that was his intent. Nothing can prevent this kind of act. However, if passwords are limited and something goes wrong, it is not so easy for the guilty party to deny it.

In the beginning, I was a firm believer that information about what security holes should be kept secret.(security by obscurity) I had an obligation as the all-knowing UNIX guru to protect the innocent system administrators in the world. Therefore, I felt it was improper to discuss these issues publically.

As I began to read more about security, I discovered that I was one of the few people that shared this belief. Most of the books and articles and books that I read presented the material as "Here's the threat and here's what you can do about it." By not only knowing that there is a threat but why it is a threat, you can correct the problem as well as identify other potential problems that may not have been discussed.

On any computer system, there is always the danger that something can be compromised. Now the word "danger" can span a whole spectrum of meaning and it all depends on what you are talking about. It might be dangerous to leave a bowl of sugar on the counter where you're two-year-old can reach, just as it might be dangerous to walk through Chernobyl without a radiation suit. It's purely a matter of scale.

The dangers involved with an insecure computer system are like that. If someone else found out the password of another user on our system, the danger of damage is low. On the other hand, if someone found out a password for a computer at the CIA, the danger is greater.

The damage caused can also span the entire spectrum. Sometimes there is no real damage. Someone who breaks into a system might simply be curious and wants to look around. This is comparable to having someone wandering through your living room.

The "Worm" that Robert Morris let loose on the Internet in 1988 was such an event. Although little real damage was done, it "infected" 2100-2600 computers. Many machines were brought to a standstill as the filesystem filled up and the system could no longer write it's log files and was busy running the processes that the worm started. In the end, it has been estimated that between $1 Million and $100 Million was lost due to time spent cleaning up and the loss in productivity when the systems were down. Even with the lowest estimates, the lost was stunning.

On the other end of the spectrum is the case that was documented by Cliff Stoll in his book Cuckoo's Egg. The information that these intruders from (then) West Germany gathered from over 450 government and military computers was sold to the Soviet KGB. There were a few convictions and one of the prime suspects was found burned to death in a wooded area near his home.

Computer intruders also have the ability to cause physical damage. A virus that's introduced to a system acting as a file server for DOS PCs could change the scan rate of the monitor which can cause it to explode. One computer that was broken into that Cliff Stoll was monitoring was used to regulate the radiation doses given to cancer patients. If the computer behaved unexpectedly as a result of the hackers actions, it could have meant the death of a patient.

In any information system, whether it is a computer or filing cabinet, there are some basic security issues that need to be considered. First, there is one aspect of security that no operating system can help you with: the physical security of your system. You might have all the security implemented that Linux provides, but if someone can walk off with your computer, even the highest levels of operating system security don't do any good. Just as a security policy in an office has no effect if someone can just walk away with sensitive files.

One of the easiest and most effective types of physical security is simply a locked door. This prevents the "crime of opportunity" from ever happening, such as someone from just walking away with pieces of equipment, or the whole machine for that matter. The only thing that can prevent this kind of theft is more elaborate security measures that are beyond the scope of this book. However, it is something that you must give serious thought to. Locking the door to the computer can also prevent people from breaking into the system. Anyone who has a set of installation disks or an emergency boot disk set can gain access to your system if they have access to the computer itself.

Another aspect of physical security is access to the machine itself. It may be impractical for someone to walk off with your computer. However, a knowledgeable user with root access to a another Linux system can gain access to yours if they have physical access. Even without access to another system, if that user has access to the installation floppies, they can get into your system. Once in, it doesn't matter what kind of security is has been configured on the hard disk since the only security the system knows is what it has been told by the floppy.

The next issue is privacy. This can be the company's privacy or that of individuals. You don't want unauthorized users to have access to payroll records, just as you don't want to have access to other employees personal files.

One of the most commonly ignored aspects of this is the power of small pieces of information. As individual items, these pieces may have no significance at all. However, when taken in context they can have far reaching implications. Police use this same concept to investigate crimes and intelligence agencies like the CIA use it as well. Extending this to the business world, such techniques are useful for corporate spies.

There are other cases where security is important in business. What if someone came along and changed an important piece of information? For example, an employee who thinks he is underpaid may want to change it. Whether this information is on paper or in a computer, the integrity of the data is an important part of security. Along the same lines is the consistency of the data. You want the same behavior from the system is identical situations. For example, if salary is based on position, inconsistent data could mean that the night watchman suddenly gets paid as much as the company president.

Another aspect is the concept of auditing. Like an audit of a company's books, auditing in a computer security sense is a record of the transactions or events that occurred on the system. This allows the system administrator to follow the tracks of suspected perpetrators and maybe catch them in the act. It was a combination of auditing and accounting for time on the system that led Cliff Stoll to discover his hackers.

When preparing one company for connection to the Internet, I checked the security on the system. I found dozens of holes in the system. Keep in mind that this was actually my first attempt at being a hacker. Added to that, I exploited no real bug in the software, instead I just took advantage of "features" that were not considered in a security context. By using just the tools and programs that the system provides, I was able to gain complete access to the system. Once the system is compromised, the danger of further compromise grows steady. The only safe thing to do is to reinstall from scratch.

Its not meant to scare you to say that every system has the potential for being broken into. In the end, every security related decision and every function in the program was written by a human. The security could be mathematically tested, but who is to say that the mathematical test is not flawed?

The first step in stopping the would-be intruder is to keep him from getting to your system in the first place. This is similar to having a lock on your front door. You could go to the extreme of fencing off your property, hiring full-time guards, installing video cameras and alarms, but this is too extreme for most people. First they probably can't afford it. Second, the threat is not that great compared to the costs.

But what about your business. The potential loss from someone breaking in can be devastating. Corporate spies can clean out your sensitive data or a disgruntled former (or current) employee can wipe out your entire system.

With regard to the Internet, the only way to ensure that no one can break in is to completely cut yourself off from the rest of the world. This also means no modems, ISDN lines or any other device that can be used to call in and out. For some companies, this may be the only way to go. However, because of the fantastic market potential on the Internet, it may not be a wise decision.

If there is a physical connection to the outside, there is the potential that someone could break in. However, once you have made the decision to connect to the Internet, you need to be much more aware of security than when you network was isolated.

When a system is improperly accessed, the attacker may not necessarily continue with the attack immediately after gaining access. Instead, he might create himself backdoors to gain access to the system as a later time. He can add entries to .rhost files to give him access later. For example, putting the line + + would give him access from any machine with any account. New accounts can be created that give him access. He can also use one machine to gain information about other machines and the network in general.

An unauthorized user gains access to a system and is able to determine what files and directories this account has access to. He then places .rhosts and .forward files in every home directory he has write permission on. He now has unlimited access to all of those accounts, even though he never knew their password.

In the .forward file is a pipe to a script that copies /bin/sh in /tmp and makes it SUID to that user. Whenever /tmp/sh is started the UID is the new user. Now access can be obtained to other machines with the appropriate entries in .rhosts or host.equiv.

 Previous Page
Security
  Back to Top
Table of Contents
Next Page 
Restricting Access


MoreInfo

Test Your Knowledge

User Comments:


You can only add comments if you are logged in.

Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.
  




Login
Nickname

Password

Security Code
Security Code
Type Security Code


Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!


Amazon Wish List

Did You Know?
The Linux Tutorial welcomes your suggestions and ideas.


Friends



Tell a Friend About Us

Bookmark and Share



Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.15 Seconds