the things that I enjoyed most about one job I had was that I was one of the few people that most of the end users felt comfortable talking to. One day I was approached about the way we required passwords to be changed every couple of months. Computers are there to be used and not to keep people out. Many were annoyed that they even had passwords, let alone had to change them regularly. The biggest problem is not that he was right, but that he, as well as many users and even system administrators, doesn't understand the dangers involved.
The stereotypical image of a pair of teenage computer enthusiasts breaking into a military computer and almost starting a war may be good for Hollywood, but the times have changed. Yes, there are still those kinds of hackers running around, but they are not likely to break into systems with the more advanced security techniques employed today, as most of the security is good enough. But then again, maybe not.
Hacking has become almost a cult phenomenon, with newsgroups, magazines and even its own language. The people that belong to this culture are not only equipped with the latest technology, they have an almost never-ending list of new security holes that they can use to break into a system. Since they spend much of their free time trying to break into systems, they may have found some of the security holes themselves. However, the techniques they use go beyond just the list of known holes (although these are probably the things that are tried first). Instead, there is a methodology to the
More and more, hackers are not just randomly trying systems across the country. Instead, there is usually some motivation for attacking a particular site. It may be just the notoriety of being the first to break into the crystal palace that is some major corporation. In some cases, this is what these people do for a living. The ability to break into a competitor's computer system and look over the shoulder of his R&D people may be worth the investment of hiring a hacker.
As we all know from the many detective shows we see on TV, criminals are caught because of the clues they leave behind. This also applies to the computer hacker. Breaking into a computer is less likely to leave evidence that can be traced directly back to the perpetrator. Instead, it is usually a case of being caught in the act during a subsequent break-in. Then there is the added problem of criminal jurisdiction, as the hacker could just as easily be on the other side of the world as on the other side of town.
Just knowing that you should lock your front door or buckle your seat belt is enough for many people to do it. However, I am not one of those. Understanding that someone could walk away with my TV or my head could go flying through the windshield is what motivates me to do what I should. I am then also less likely to forget to do it or intentionally not do it one time because it's inconvenient. I take the same approach to computer security.
Most system administrators are aware that there needs to be "security" on their system. I put it in quotes because it is often just a phrase that is brought up at staff meetings. When addressed, this often just means forcing users to change their password at regular intervals or making sure that users are logged out when they go home. One company I worked at forced users to change their password every six weeks, but the root password was only changed when someone left the company. (It was too inconvenient.) Added to that was the fact that the root passwords for all the machines were variations on a single theme, so once you figured out one it was easy to figure out the rest.
With all the talk of the Internet, the kind of attack most often in people's minds is the attack from outside. Although this is a very real threat, it is not the only one. Personal experience has taught me that inside attacks can be just as devastating.
In this same MIS shop, everyone had the root password to every machine (and also the administrator password on our NT machines). There were people who only administered the UNIX machines and others who only administered the NT machines. However, they had the passwords to all machines. One employee was not satisfied with the speed at which the hardware vendor was reacting to a problem he was having with one of the NT machines. Since they were the same vendor for the UNIX machines, he decided to "motivate" them to make a personal call.
On several, irregular occasions he killed the Oracle database process. Since most everyone used that database, the company was brought to a standstill for the couple of hours it took to discover the problem, reboot the system and clean up. Eventually he was caught, but not before causing tens (if not hundreds) of thousands of dollars worth of
Keeping the UNIX root password from him would probably have prevented him from doing this exact thing. However, there are other things that he could have done to damage the company if that was his intent. Nothing can prevent this kind of act. However, if passwords are limited and something goes wrong, it is not so easy for the guilty party to deny it.
In the beginning, I was a firm believer that information about security holes should be kept secret (security by obscurity). I had an obligation as the guru to protect the innocent system administrators in the world. Therefore, I felt it was improper to discuss these issues publicly. As I began to read more about security, I discovered that I was one of the few people that shared this belief. Most of the books and articles that I read presented the material as "Here's the threat and here's what you can do about it." By knowing not only that there is a threat but why it is a threat, you can correct the problem as well as identify other potential problems that may not have been discussed.
On any computer system, there is always the danger that something can be compromised. Now, the word "danger" can span a whole spectrum of meaning, and it all depends on what you are talking about. It might be dangerous to leave a bowl of sugar on the counter where your two-year-old can reach it, just as it might be dangerous to walk through Chernobyl without a radiation suit. It's purely a matter of scale. The dangers involved with an insecure computer system are like that. If someone found out the password of another user on our system, the danger of damage is low. On the other hand, if someone found out a password for a computer at the CIA, the danger is greater.
The damage caused can also span the entire spectrum. Sometimes there is no real damage. Someone who breaks into a system might simply be curious and want to look around. This is comparable to having someone wandering through your living room.

The "Worm" that Robert Morris let loose on the Internet in 1988 was such an event. Although little real damage was done, it "infected" 2100-2600 computers. Many machines were brought to a standstill as the filesystem filled up, the system could no longer write its log files, and it was busy running the processes that the worm started. In the end, it has been estimated that between $1 million and $100 million was lost due to time spent cleaning up and the loss in productivity when the systems were down. Even with the lowest estimates, the loss was stunning.
On the other end of the spectrum is the case that was documented by Cliff Stoll in his book Cuckoo's Egg. The information that these intruders from (then) West Germany gathered from over 450 government and military computers was sold to the Soviet KGB. There were a few convictions, and one of the prime suspects was found burned to death in a wooded area near his home.
Computer intruders also have the ability to cause physical damage. A virus that's introduced to a system acting as a file server for DOS PCs could change the scan rate of the monitor, which can cause it to explode. One computer that was broken into while Cliff Stoll was monitoring it was used to regulate the radiation doses given to cancer patients. If the computer behaved unexpectedly as a result of the hacker's actions, it could have meant the death of a patient.
In any information system, whether it is a computer or a filing cabinet, there are some basic security issues that need to be considered. First, there is one aspect of security that no operating system can help you with: the physical security of your system. You might have all the security implemented that Linux provides, but if someone can walk off with your computer, even the highest levels of operating system security don't do any good, just as a security policy in an office has no effect if someone can just walk away with sensitive files.
One of the easiest and most effective types of physical security is simply a locked door. This prevents the "crime of opportunity" from ever happening, such as someone just walking away with pieces of equipment, or the whole machine for that matter. The only thing that can prevent this kind of theft is more elaborate security measures that are beyond the scope of this book. However, it is something that you must give serious thought to. Locking the door to the computer can also prevent people from breaking into the system. Anyone who has a set of installation disks or an emergency boot disk set can gain access to your system if they have access to the computer itself.
Another aspect of physical security is access to the machine itself. It may be impractical for someone to walk off with your computer. However, a knowledgeable user with root access to another Linux system can gain access to yours if they have physical access. Even without access to another system, if that user has access to the installation floppies, they can get into your system. Once in, it doesn't matter what kind of security has been configured on the hard disk, since the only security the system knows is what it has been told by the floppy.
The next issue is privacy. This can be the company's privacy or that of individuals. You don't want unauthorized users to have access to payroll records, just as you don't want others to have access to employees' personal files.

One of the most commonly ignored aspects of this is the power of small pieces of information. As individual items, these pieces may have no significance at all. However, when taken in context they can have far-reaching implications. Police use this same concept to investigate crimes, and intelligence agencies like the CIA use it as well. Extending this to the business world, such techniques are useful for corporate spies.
There are other cases where security is important in business. What if someone came along and changed an important piece of information? For example, an employee who thinks he is underpaid may want to change it. Whether this information is on paper or in a computer, the integrity of the data is an important part of security. Along the same lines is the consistency of the data. You want the same behavior from the system in identical situations. For example, if salary is based on position, inconsistent data could mean that the night watchman suddenly gets paid as much as the company
Another aspect is the concept of auditing. Like an audit of a company's books, auditing in a computer security sense is a record of the transactions or events that occurred on the system. This allows the system administrator to follow the tracks of suspected perpetrators and maybe catch them in the act. It was a combination of auditing and accounting for time on the system that led Cliff Stoll to discover his hackers.
When preparing one company for connection to the Internet, I checked the security on the system. I found dozens of holes in the system. Keep in mind that this was actually my first attempt at being a hacker. Added to that, I exploited no real bug in the software; instead, I just took advantage of "features" that were not considered in a security context. By using just the tools and programs that the system provides, I was able to gain complete access to the system. Once a system is compromised, the danger of further compromise grows steadily. The only safe thing to do is to reinstall from scratch.
It's not meant to scare you to say that every system has the potential for being broken into. In the end, every security-related decision and every function in the program was written by a human. The security could be mathematically tested, but who is to say that the mathematical test is not flawed?
The first step in stopping the would-be intruder is to keep him from getting to your system in the first place. This is similar to having a lock on your front door. You could go to the extreme of fencing off your property, hiring full-time guards, installing video cameras and alarms, but this is too extreme for most people. First, they probably can't afford it. Second, the threat is not that great compared to the costs. But what about your business? The potential loss from someone breaking in can be devastating. Corporate spies can clean out your sensitive data or a disgruntled former (or current) employee can wipe out your entire
With regard to the Internet, the only way to ensure that no one can break in is to completely cut yourself off from the rest of the world. This also means no modems, ISDN lines or any other device that can be used to call in and out. For some companies, this may be the only way to go. However, because of the fantastic market potential on the Internet, it may not be a wise decision. If there is a physical connection to the outside, there is the potential that someone could break in. However, once you have made the decision to connect to the Internet, you need to be much more aware of security than when you network
When a system is improperly accessed, the attacker may not necessarily continue with the attack immediately after gaining access. Instead, he might create backdoors for himself to gain access to the system at a later time. He can add entries to .rhosts files to give him access later. For example, putting the line "+ +" in a .rhosts file would give him access from any machine with any account. New accounts can be created that give him access. He can also use one machine to gain information about other machines and the network in general.
An unauthorized user gains access to a system and is able to determine what files and directories this account has access to. He then places .rhosts and .forward files in every home directory he has write permission on. He now has unlimited access to all of those accounts, even though he never knew their passwords.
In the .forward file is a pipe to a script that copies /bin/sh to /tmp and makes it SUID to that user. Whenever /tmp/sh is started, the UID is the new user's. Now access can be obtained to other machines with the appropriate entries in .rhosts or
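A defender-side check for the three artifacts just described, added here as an example and not code from the book: a POSIX shell script that reports wildcard trust lines in .rhosts, pipe or :include: entries in .forward, and set-UID files under a scratch directory. It assumes awk, grep and find are available; the function names are my own.

```shell
#!/bin/sh
# Added audit script (not from the book): walk the home directories under a
# given root and report the backdoor artifacts the text describes.
# Assumptions: POSIX sh with awk, grep and find; the function names are mine.

# Print .rhosts lines whose host field or user field is the "+" wildcard, i.e.
# trust granted to any host ("+ user", "+ +") or to any user ("host +").
rhosts_findings() {
    awk '$1 == "+" || $2 == "+" { print FILENAME ":" NR ": " $0 }' "$1" 2>/dev/null
}

# Print .forward lines that pipe mail into a command ("|...") or pull in
# another file (":include:"); both execute on every delivery to that user.
forward_findings() {
    grep -nE '\||:include:' "$1" 2>/dev/null || true
}

# Print regular files carrying the set-UID bit below a scratch directory
# such as /tmp, where the copied /bin/sh from the text would end up.
suid_findings() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Audit every home directory under $1; print findings and return 1 if any.
audit_homes() {
    status=0
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for f in "$home/.rhosts" "$home/.forward"; do
            [ -f "$f" ] || continue
            case "$f" in
                *.rhosts)  out=$(rhosts_findings "$f") ;;
                *)         out=$(forward_findings "$f") ;;
            esac
            if [ -n "$out" ]; then
                printf '%s\n' "$out"
                status=1
            fi
        done
    done
    return "$status"
}

# Stand-alone use: ./audit.sh /home
if [ $# -eq 1 ]; then
    audit_homes "$1"
    suid_findings /tmp
fi
```

Run it from cron and diff the output against the previous run; a new line is exactly the kind of audit trail the text says lets an administrator catch a perpetrator after the first break-in.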