UNIX Unleashed, Internet Edition
- 12 -
UNIX Security Risks
by Robin Burk
In 1996, a well-known consulting firm was hired to evaluate computer security at a major manufacturing company. Several of the consultants, who were unknown to the company's personnel, walked into the headquarters building. While one member of the team distracted the receptionist, the others slipped upstairs and were able to wander about the building for several hours. By early evening, they entered the president's office. His PC monitor was turned off, but the CPU was on and he was logged into his network account.
The consultants read online e-mail from the president's account, confidential information about potential mergers, and other sensitive information. Then they used the president's account to send an e-mail to the senior IS executive complaining about the lack of security and telling him he was fired.
Overkill? An artificial exercise that doesn't prove anything?
Consider this: the president and his senior executives (including the IS leader) all knew that this intrusion would occur at some point and they still left their offices and their system wide open to outsiders.
In fact, a 1996 survey of more than 1,300 IS executives and other technology managers in the United States and Canada found that information security was a major, and under-reported, problem in their organizations. For example, the survey found that:
A second survey was sponsored by the FBI. Out of 428 university, government, and corporate sites:
Is There Really a Problem?
As the saying goes, there is no such thing as a free lunch. The recent surge in the popularity of UNIX exacts many costs. Perhaps the most insidious and potentially damaging of these are the risks associated with unauthorized access to computers and the information they contain.
Once the domain of a small, elite band of wizards, UNIX is emerging as a widely-known and implemented environment for business use. As companies build networks that are open to employees across the globe, and even to suppliers and customers, remote access to the resources and information on UNIX systems has never been easier or more widespread. Unfortunately, not all who attempt such access are legitimate users or well-intentioned.
Other trends also contribute to an increased need for UNIX administrators to carefully plan and manage the security of their systems. These trends include the following:
From time to time we read dramatic stories: teenagers crack their way into military or business computers, angry ex-employees sabotage critical databases, viruses spread havoc across networked machines. Although genuine cases of breached security, these tales tend to lull system administrators (and their management) into the false belief that these relatively rare, devastating occurrences are the only security risks facing them. Of course, no one wants to encounter such an incident. However, many less dramatic breaches of system security occur regularly. Their actual and potential costs far outweigh damage done in the incidents that receive press coverage.
Unless you run your UNIX system purely for your own pleasure, there are several different aspects of that system that have specific value to you, your organization, and possibly to an intruder. These valuable aspects include the following:
These aspects are all vulnerable to misuse such as:
In this section of UNIX Unleashed, we'll take a look at the ways in which your own system may be threatened. We'll also look at the organizations and tools available to aid you in securing your computers and the information they hold.
Hackers and Crackers: Who's Invading Your System and What Does He Want?
A hacker is someone who enjoys the challenge of figuring out how complex systems work. Hackers take great satisfaction in mastering the esoteric details of a computer system and using that information to analyze its performance or predict how other parts of the system will work.
Crackers are hackers who use their skills to bypass system security and manipulate computers and information illicitly. Once the cracker has entered the system, he may use its resources, modify information stored in it, prevent others from accessing it, or use it to launch an attack on another system.
In the early days of UNIX, most people who cracked open a system--that is, who learned the details of UNIX and were able to bypass the normal user controls--were reasonably thought to do so primarily for the thrill of succeeding and being among the elite few who were knowledgeable and clever enough to enter where they'd been told to stay out. However, as UNIX enters the mainstream of network and business use, a new breed of professional cracker has emerged. As with all professionals, these experts work to achieve well-defined, specific goals: to steal or corrupt business information, to sabotage an employer's operations, or simply to make use of system resources without paying for them, under the cover of your organization's identity.
Surveys consistently show that about 25 percent of computer-related business losses are due to malicious activities. Of those, only about 20 percent were attributable to attack by outsiders. The majority were caused by disgruntled or dishonest employees, or resulted from uninformed or untrained use of the system by otherwise authorized personnel.
What Do Crackers Do?
If a cracker breaks into your system, he may do the following:
You must analyze your own situation and decide how important these consequences are to you. You may have CPU cycles and disk space to spare, or no information to protect. You may not really care if other system administrators spit on the ground when they hear your name, and therefore decide to run a completely open system. On the other hand, you might lose your job if your company loses a contract because of industrial espionage. Most security needs fall somewhere in between these two extremes, but you can see that security is a continuum, and you're in the best position to decide your own security requirements.
All attacks depend on gaining initial access to the computer. You should put yourself in the cracker's shoes and think about how you could attack your own system. Is it used by you alone or by many people? Is it accessible via a phone line or connected to a private or public network? If it's connected to a network, is the network physically secure? Are your computers locked up or in a public site? Where are your backup tapes stored? Can a cracker get access to them, thereby gaining access to your files without ever breaking into your computer? If you're responsible for administering a multiuser system, how wise are your users? What will they do if they receive a phone call from the "system administrator" asking for their passwords for "special maintenance"?
These questions cover many--but certainly not all--of the approaches a cracker might use to gain access to your computer or data. The attacks fall into the following four basic categories:
The point of any attack is to gain access to a legitimate user's account, or to exploit bugs in system programs to get a command shell without actually compromising an account.
Physical Security
If your computer is locked in a room with a guard who checks IDs at the door, and isn't connected to a network or a phone line, you can skip to the next chapter. Unfortunately, computers are pretty useless when they're sitting in locked rooms, and most of them aren't. A cracker who gains physical access to your computer or the network to which it's attached might be able to tap the physical network and snoop legitimate users' passwords or data, reboot the computer with a different version of UNIX, or modify values in memory to gain privileged access.
The first of these, tapping the network, is becoming difficult to prevent. Laptop computers now have pocket-size Ethernet cards that plug into PCMCIA slots, and there is free, public-domain software that captures every packet on an Ethernet segment and saves it to the laptop's hard disk. A cracker can unplug one of your computers from the Ethernet, attach his laptop, record packets for a while, and analyze them later to find valid login names and passwords. Even worse, because ftp, telnet, and rlogin all send the password across the network in the clear, if your users log in to remote systems with these tools the cracker doesn't need access to the physical network at your site: any network segment between your site and the remote one will do.
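What the sniffer's operator does with the recorded packets is the part worth seeing. The following is an added example, not code from the book: it takes a constructed capture (packets already reduced to their TCP payloads; a real run would feed it the same tuples decoded from tcpdump or libpcap output) and pulls out every FTP and POP3 USER/PASS pair, together with whether the server accepted it. Every address and credential in the sample is invented, and one password is deliberately split across two segments to show why the stream has to be reassembled rather than matched packet by packet.

```python
"""Extract cleartext logins from captured FTP and POP3 traffic.

Added example, not code from the book. It runs on a constructed capture
(packets already reduced to TCP payloads); a real run would feed it the same
tuples decoded from a sniffer's output. All addresses and credentials are made up.
"""
import re
from collections import defaultdict

# (src, sport, dst, dport, payload). Port 21 is FTP, 110 is POP3; both carry
# USER/PASS as plain text. carol's PASS is split across two segments on purpose.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.2", 21, b"USER alice\r\n"),
    ("10.0.0.2", 21, "10.0.0.5", 40001, b"331 Password required for alice.\r\n"),
    ("10.0.0.5", 40001, "10.0.0.2", 21, b"PASS wombat42\r\n"),
    ("10.0.0.2", 21, "10.0.0.5", 40001, b"230 User alice logged in.\r\n"),
    ("10.0.0.7", 40002, "10.0.0.2", 21, b"USER bob\r\n"),
    ("10.0.0.2", 21, "10.0.0.7", 40002, b"331 Password required for bob.\r\n"),
    ("10.0.0.7", 40002, "10.0.0.2", 21, b"PASS wrongguess\r\n"),
    ("10.0.0.2", 21, "10.0.0.7", 40002, b"530 Login incorrect.\r\n"),
    ("10.0.0.9", 40003, "10.0.0.3", 110, b"USER carol\r\n"),
    ("10.0.0.3", 110, "10.0.0.9", 40003, b"+OK\r\n"),
    ("10.0.0.9", 40003, "10.0.0.3", 110, b"PASS let"),
    ("10.0.0.9", 40003, "10.0.0.3", 110, b"mein\r\n"),
    ("10.0.0.3", 110, "10.0.0.9", 40003, b"+OK Mailbox open\r\n"),
]

CLEARTEXT_PORTS = {21: "ftp", 110: "pop3"}
CMD_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)


def reassemble(packets):
    """Turn packets into per-flow, in-order (direction, line) events.

    Bytes are buffered per direction so a line split across two segments is
    still recovered. Retransmitted or out-of-order segments are not handled;
    a real tool would order by TCP sequence number.
    """
    flows = defaultdict(list)
    buffers = defaultdict(bytes)
    for src, sport, dst, dport, payload in packets:
        if dport in CLEARTEXT_PORTS:
            key, direction = (src, sport, dst, dport), "c2s"
        elif sport in CLEARTEXT_PORTS:
            key, direction = (dst, dport, src, sport), "s2c"
        else:
            continue
        buffers[(key, direction)] += payload
        while b"\n" in buffers[(key, direction)]:
            line, _, rest = buffers[(key, direction)].partition(b"\n")
            buffers[(key, direction)] = rest
            flows[key].append((direction, line.rstrip(b"\r")))
    return flows


def extract_credentials(packets):
    """Return one dict per USER/PASS pair seen, with whether the server accepted it."""
    found = []
    for (client, _cport, server, sport), events in reassemble(packets).items():
        proto = CLEARTEXT_PORTS[sport]
        user = None
        for i, (direction, line) in enumerate(events):
            if direction != "c2s":
                continue
            m = CMD_RE.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2).decode("ascii", "replace")
            if verb == b"USER":
                user = arg
            elif user is not None:
                # The first server line after PASS says whether the password worked:
                # FTP answers 230 on success, POP3 answers +OK.
                reply = next((l for d, l in events[i + 1:] if d == "s2c"), b"")
                ok = reply.startswith(b"230" if proto == "ftp" else b"+OK")
                found.append({"proto": proto, "client": client, "server": server,
                              "user": user, "password": arg, "ok": ok})
                user = None
    return found


if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_PACKETS):
        print(f'{c["proto"]} {c["client"]} -> {c["server"]}: {c["user"]}/{c["password"]} '
              f'{"accepted" if c["ok"] else "rejected"}')
```

Run against the sample it reports alice's and carol's passwords as accepted and bob's guess as rejected; the cracker thus learns not just candidate passwords but which ones work. The same recovery is trivial for rlogin and telnet, which is the real lesson: the only fix is to stop sending passwords in the clear, not to guard the wire.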
Many workstations have a ROM-monitor mode that is entered by typing a special key combination. This mode suspends the normal operation of UNIX to allow you low-level access to the computer's hardware. It may allow you to reboot the computer or alter memory locations and resume running UNIX.
If a cracker can boot an operating system of her choice and masquerade as the legitimate computer, she can do any number of bad things. If your workstations have CD-ROMs, floppy disks, or tape drives and can be booted from those devices, the door may be open. A cracker who can boot an operating system of her choice while retaining a computer's identity can trick that computer or others on your network into providing illicit access or services.
A workstation that allows the user to change system memory while in ROM-monitor mode gives a cracker who has gained access to an unprivileged account the chance to promote it to the superuser account by changing the numeric user ID in RAM to 0.
Most workstations provide a way, such as a password, to prevent users other than the system administrator from entering ROM-monitor mode. Check your system administration manual to ensure that you've enabled whatever ROM-monitor security features are available, and avoid buying workstations that allow unrestricted access to this mode.
Social engineering is a euphemism for the phenomenon P.T. Barnum had in mind when he said "There's a sucker born every minute." More kindly, most people are trusting, and that trust can be exploited by system crackers.
Social engineering might be a seemingly innocuous offer to "help set up your account," or the gift of a free program that purports to do one thing but does something else (a Trojan horse). Either offer gives the cracker the chance to alter a legitimate user's files so he can later gain access to the account. Another popular approach is to send e-mail to naive users, saying that system security has been compromised, and the victim must change her password to one specified by the cracker. Calling a legitimate user on the phone, claiming to be the system administrator, and asking for the user's password on a pretext is another example of social engineering. Social engineering approaches shouldn't be taken lightly--they are surprisingly effective.
Rummaging through your company's trash bins may produce good results for a cracker: unlisted modem numbers, lists of valid accounts, passwords, discarded diskettes or tapes, and other helpful information. You may want to review how your organization disposes of waste paper, storage media, and used computer equipment, and make changes if you feel that crackers can get a helping hand from your discards.
Network- and Phone-Based Attacks
If your computer system is attached to a network, it is both a more attractive target and easier to crack. Physical access to the computer is no longer necessary, because the cracker can connect with a modem or over the network. If you are connected to the Internet (network of networks), your system can be attacked from anyplace in the world.
Tapping the wire, as described earlier in this chapter in the section "Physical Security," is one form of network-based attack. However, physical access to the network is not necessary for network- or phone-based attacks: all a cracker needs is (legitimate or illegitimate) access to a computer on the Internet, or a terminal and a modem.
Attacks of this kind fall into two general categories: breaking into a user or system account by guessing its password, and tricking a network server program into giving you information about the system (for instance, the password file) or into executing commands to give you access to the computer.
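Password guessing over the network leaves a trail in the system log, and a few lines of detection logic turn that trail into an alarm. The following is an added example, not code from the book. The log lines are constructed; the message format is the one Linux login(1) writes ("FAILED LOGIN n FROM host FOR user"), and other login programs word it differently, so the regular expression is an assumption you would adjust for your system. Syslog timestamps carry no year, so one is assumed. The rule flags any source that produces a threshold number of failures inside a sliding time window, and lists the account names it tried.

```python
"""Flag password-guessing from login failure messages in a syslog file.

Added example, not the book's code. The log lines are constructed; the
message format is the one Linux login(1) writes ("FAILED LOGIN n FROM host
FOR user"); other logins word it differently and the regex would need adjusting.
Syslog timestamps carry no year, so one is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 1996

SAMPLE_LOG = """\
Mar 12 02:10:00 gw login[1190]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
Mar 12 02:14:01 gw login[1201]: FAILED LOGIN 1 FROM 192.0.2.77 FOR root, Authentication failure
Mar 12 02:14:05 gw login[1201]: FAILED LOGIN 2 FROM 192.0.2.77 FOR root, Authentication failure
Mar 12 02:14:09 gw login[1201]: FAILED LOGIN 3 FROM 192.0.2.77 FOR admin, Authentication failure
Mar 12 02:14:40 gw login[1207]: FAILED LOGIN 1 FROM 192.0.2.77 FOR guest, Authentication failure
Mar 12 02:15:02 gw login[1209]: FAILED LOGIN 1 FROM 192.0.2.77 FOR ftp, Authentication failure
Mar 12 02:16:30 gw login[1212]: FAILED LOGIN 1 FROM 192.0.2.77 FOR uucp, Authentication failure
Mar 12 02:20:15 gw in.telnetd[1215]: connect from 10.0.0.5
Mar 12 02:35:00 gw login[1220]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+),"
)


def parse_failures(text):
    """Yield (timestamp, source, user) for each failed-login line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            yield ts, m["src"], m["user"]


def detect_guessing(text, threshold=5, window_minutes=10):
    """Alert on any source with >= threshold failures inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best, users, start = 0, set(), 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_minutes
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                users = {u for _, u in evs[start:end + 1]}
        if best >= threshold:
            alerts.append({"src": src, "failures": best, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print(f'{a["src"]}: {a["failures"]} failures in 10 min, '
              f'accounts tried: {", ".join(a["users"])}')
```

On the sample, 192.0.2.77 produces six failures across five different accounts in under three minutes and is reported; alice's two mistyped passwords 25 minutes apart are not. Tune the threshold and window to your users' habits, and remember that a patient cracker who spreads guesses across many sources or many hours will slip under any per-source rule, which is one reason a good password policy matters more than detection.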
File System Security
Despite your best efforts at establishing and implementing a good password security policy, your site may still be broken into. Once a cracker has gained access to an account on your computer, his goal is to ensure continued access. If he's broken a user's password, it may be changed to something more secure, or you might close whatever security hole he exploited to gain access. One way for crackers to ensure access is to install new accounts, or trap-door versions of a system program such as login. Good file system security helps you prevent or detect these modifications and recover from a break-in.
As distributed, most vendors' operating systems are not secure. System configuration files may be writable by users other than root, device files may have insecure file permissions, and programs and configuration files may be owned by users other than root. Configuration files writable by non-root accounts may allow a cracker to trick the system into granting additional privileges, or allow him to trick other computers on the same network. Device files that are readable or writable by users other than root may allow the cracker to alter system memory to gain additional privileges, snoop terminal or network traffic, or bypass the normal UNIX file protections to read files from or alter information on disk or tape storage. The cracker can alter files owned by users other than root even without breaking the superuser account. These are just a few of the ways vendors help make your life more interesting.
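Both problems, the loose permissions a vendor ships and the trap-door login a cracker installs, are things you can check for mechanically. The following is an added example, not the book's code: it walks a directory tree reporting world-writable files, setuid/setgid programs, device nodes readable or writable by others, and files not owned by the expected owner, and it keeps a SHA-256 baseline of every regular file so that a replaced binary shows up even if the cracker resets its timestamps with touch. The policy it applies (owner uid 0 by default, nothing writable by others, devices closed to others) is an illustrative choice; the paths are whatever you point it at.

```python
"""Audit a directory tree for the permission problems described above, and keep
a hash baseline so a replaced binary (a trap-door login, say) is noticed.

Added example, not the book's code. It inspects whatever tree you point it at;
the only built-in policy is 'owned by owner_uid (root by default), not writable
by others, devices not accessible to others'. Run it as root against /etc,
/dev, /bin and /usr, and keep the baseline file somewhere an intruder on the
machine cannot rewrite (read-only media, or another host).
"""
import hashlib
import json
import os
import stat


def file_record(path):
    """Mode, owner, type and (for regular files) SHA-256 of one path."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "type": stat.S_IFMT(st.st_mode)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def audit_tree(root, owner_uid=0):
    """Return (path, problem) pairs for the permission mistakes worth fixing."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            mode = stat.S_IMODE(st.st_mode)
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:  # /tmp-style dirs are allowed
                findings.append((p, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID) and not stat.S_ISDIR(st.st_mode):
                findings.append((p, "setuid/setgid"))
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                if mode & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((p, "device node readable or writable by others"))
            if st.st_uid != owner_uid:
                findings.append((p, "not owned by uid %d" % owner_uid))
    return findings


def build_baseline(root):
    """Map each regular file (path relative to root) to its record."""
    base = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                base[os.path.relpath(p, root)] = file_record(p)
    return base


def compare_baseline(root, baseline):
    """Return {relpath: what changed} for files added, removed or altered."""
    current = build_baseline(root)
    changes = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes[rel] = "removed"
        elif rel not in baseline:
            changes[rel] = "added"
        elif current[rel] != baseline[rel]:
            diff = [k for k in baseline[rel] if baseline[rel].get(k) != current[rel].get(k)]
            changes[rel] = "changed (%s)" % ", ".join(diff)
    return changes


if __name__ == "__main__":
    import sys
    root, basefile = sys.argv[1], sys.argv[2]
    for path, problem in audit_tree(root):
        print(problem + ":", path)
    if os.path.exists(basefile):
        with open(basefile) as f:
            for rel, what in compare_baseline(root, json.load(f)).items():
                print(what + ":", os.path.join(root, rel))
    else:
        with open(basefile, "w") as f:
            json.dump(build_baseline(root), f, indent=1)
        print("baseline written to", basefile)
```

Two caveats a practitioner will want. First, the setuid list is a review list, not a bug list: login, su and passwd must be setuid root, but every entry should be one you can name a reason for. Second, a cracker who has root can rewrite the baseline as easily as the binary, so the comparison is only worth something if the baseline (and the checker itself) live where that root cannot reach them.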
Attaching your computer to a network presents a host of new security threats. Networked computers can be attacked from any host on the network or by tapping into the physical network, and if you are connected to the Internet, your computer can be attacked from sites anywhere in the world. Networking software also introduces new threats. Most Internet software protocols were not designed with security in mind, and network server programs often run with superuser privileges that make them fruitful grounds for system cracking.
If you don't need a software service, do away with it. For instance, if you don't plan to use the UUCP software, remove both it and the UUCP account. However, if you want some network services, you must ensure that those are as secure as you can make them. Chapter 13, "Security Technologies," lists specific configuration settings and other actions you can take to tighten security around the network services.
Network File System (NFS)
Network File System, NFS, was invented by Sun Microsystems, which put the protocol specification in the public domain. This meant that anyone could write an NFS implementation that would interoperate with Sun's, and many vendors did. NFS is useful and popular, but does not offer strong security. It opens you to many attacks. If you don't need it, you shouldn't run it.
Network Information System (NIS)
Sun Microsystems also created Network Information System, NIS (previously known as YP, or Yellow Pages). As with NFS, several vendors in addition to Sun have implemented NIS on their computers.
NIS allows you to share system administration data over the network, which is convenient if you have many hosts to administer. For instance, if you have a cluster of 50 workstations using the same password file, you can create a single copy and use NIS to share it among the workstations.
Although NIS is convenient, it is not secure. A poorly administered NIS may allow crackers to gather information about your site remotely, for instance, by requesting your password file for offline cracking. As before, if you don't need it, don't run it.
Although the finger program seems innocuous, it may be another service you can do without. finger is the client, and fingerd the server. The client program is safe, but the server can give crackers information about your site. In particular, the time of last login is often included in finger output, which helps crackers find unused accounts to break. finger's output format may also give clues to the kind of operating system you run. Because many crackers work from checklists of bugs particular to certain versions of UNIX, this information is valuable. Also, if your password policy doesn't prevent your users from choosing bad passwords, the full names, office numbers, and phone numbers that finger reveals may be exactly the words a cracker tries first.
Trivial File Transfer Protocol (TFTP)
Trivial File Transfer Protocol, TFTP, is used by diskless workstations to load UNIX from a file server. It's called "trivial" because the normal security checks of FTP have been removed: accounts and passwords are not required. Some versions of the TFTP server allow crackers to grab any file the server can read (for instance, the password file, or even the shadow password file if tftpd runs as root) for offline cracking. Recent versions of the TFTP server offer better security by only allowing files to be retrieved from a specific directory.
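The advice running through the last several sections, drop finger and TFTP unless you need them and in general remove any service you don't use, comes down to editing inetd.conf, and that is easy to get wrong by hand on fifty workstations. The following is an added example, not the book's code: it parses a constructed inetd.conf, comments out the services listed as dispensable, warns about the ones that stay (ftp and telnet for their cleartext passwords, a kept tftp with no directory restriction), and leaves everything else alone. Which services to disable is a policy choice made here for illustration; the "-s directory" check assumes a BSD-derived tftpd, whose -s option restricts it to that directory.

```python
"""Audit an inetd.conf: list what is enabled, comment out what is not needed,
and warn about what stays.

Added example, not the book's code. The sample inetd.conf is constructed. Which
services to disable is a policy choice made here for illustration; the '-s'
check assumes a BSD-derived tftpd, whose -s option restricts it to a directory.
"""

INETD_SAMPLE = """\
# constructed sample, not from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/in.rexecd   in.rexecd
#talk   dgram   udp  wait    root    /usr/sbin/in.talkd    in.talkd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
systat  stream  tcp  nowait  root    /bin/ps               ps -auwwx
"""

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Services switched off unless explicitly kept, with the reason.
DISABLE = {
    "finger": "reveals account names, last-login times and OS details to anyone",
    "tftp": "unauthenticated file transfer; leaks any file the server can read",
    "shell": "rsh trusts hosts.equiv/.rhosts, no password at all",
    "login": "rlogin trusts hosts.equiv/.rhosts, no password at all",
    "exec": "rexec takes a cleartext password and is rarely needed",
    "systat": "hands a process listing to anyone who connects",
    "netstat": "hands connection tables to anyone who connects",
}
# Services that may stay but deserve a warning.
WARN = {
    "ftp": "passwords cross the network in the clear",
    "telnet": "passwords cross the network in the clear",
}


def parse_inetd(text):
    """One dict per service line; commented-out service lines count as disabled."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue  # an ordinary comment, or malformed
        entries.append({"lineno": lineno, "raw": raw, "enabled": enabled,
                        "service": fields[0], "user": fields[4],
                        "server": fields[5], "args": fields[6:]})
    return entries


def harden_inetd(text, keep=()):
    """Return (rewritten text, findings); each finding has service, action, reason."""
    keep = set(keep)
    findings, out = [], []
    entries = {e["lineno"]: e for e in parse_inetd(text)}
    for lineno, raw in enumerate(text.splitlines(), 1):
        e = entries.get(lineno)
        if e is None or not e["enabled"]:
            out.append(raw)
            continue
        svc = e["service"]
        if svc in DISABLE and svc not in keep:
            findings.append({"service": svc, "action": "disabled", "reason": DISABLE[svc]})
            out.append("#" + raw)
            continue
        if svc == "tftp" and "-s" not in e["args"]:
            findings.append({"service": svc, "action": "warned",
                             "reason": "kept, but no -s directory restriction; add -s /tftpboot"})
        elif svc in WARN:
            findings.append({"service": svc, "action": "warned", "reason": WARN[svc]})
        out.append(raw)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_text, findings = harden_inetd(INETD_SAMPLE, keep={"tftp"})
    for f in findings:
        print(f'{f["action"]:8} {f["service"]:8} {f["reason"]}')
    print(new_text)
```

After editing the real file, send inetd a HUP signal so it rereads the configuration, and confirm with netstat that the ports are really closed; a service line that inetd never parsed is not the same as a service that is off. The function is idempotent, so it can be run from a nightly job to catch a line someone quietly uncommented.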
UNIX systems are open and flexible. They're also often far more vulnerable to misuse and even sabotage than many administrators and users realize. The threats come from many directions: physical access, network access, information gathering and system resource hijacking.
In the next chapter, we'll look at the technologies and tools you can use to address these security risks.