Computers & Security, Vol. 17, No. 7 (1998) 564-574
Security Views Dr. Bill Hancock, CISSP
Windows-98, RIP and My Adrenaline Rush
As some of you are aware, I have been an avid student of the martial arts since age 4. I did rather well in competition in the 70s and 80s at very large, international tournaments. It's come in quite handy on a couple of unfortunate occasions, but has always been part of my life and has been there for me when I needed it most.
What does this have to do with anything? Well, I still get an adrenaline rush when I step into a tournament ring - even if I am just one of the other old fossils who judge the efforts of the younger and more agile. Of course, us old fossils have a saying:
Youth and exuberance does not stand a chance against age and deceit...
But, martial arts tournaments give me an adrenaline rush. Probably always will.
Of course, other things do as well. One is when I come to a realization of how nasty a security problem some feature or another is in an operating system that I am fooling around with. With that, I recently had a small one that grew in scope when I put two-and-two together and came up with a much larger number.
After recently purchasing a new Pentium II with all the bells and whistles on it, it came pre-installed with the standard, buggy release of Windows-98. As the proper geek that I am, once I was happy that everything was working, I parked myself on the Microsoft Windows-98 CD-ROM that came with my system and started looking into items that are optional installs, such as the ValuPack and other goodies that are on the CD-ROM.
Whilst browsing the CD-ROM, I discovered that an install existed for Routing Information Protocol (RIP). This was a bit of a surprise, as making a desktop system a router is not always a good idea for lots of network control reasons and even more security reasons. But, being curious as to whether it worked or not, I installed it and started playing with it.
I was quite successful in getting an ISP connection via modem with PPP to route properly to an Ethernet/802.3 connection on the system itself. This meant that I could dial up an ISP and allow other nodes on my constructed testing LAN to communicate with the ISP and, therefore, the Internet. A little further extrapolation caused the revelation that any laptop running W98 with the optional RIP installed would let the laptop act as a back door, connected to the ISP on the modem side and to the corporate LAN on the Ethernet side of the connection. Hence an adrenaline rush - a security problem, and a pretty serious one, waiting to happen.
0167-4048/98$19.00 © 1998 Elsevier Science Ltd. All rights reserved
For example, one of my customers has a site with 2000 telephone handsets on the property. They also have over 950 analogue lines. Of those 950 analogue lines, over 700 are modem connection lines for desktop systems as the users got sick and tired of getting the IS department to help them connect out to the world. Using RIP with a W98 upgrade would now allow these users to connect out to the world and also route information from the local network to the Internet and vice-versa.
Of course, using this type of network technique is not new. Products such as WinGate have allowed this capability on W95 for some time now. Other Network Address Translation (NAT) products for W95 and MS-DOS accomplish much the same thing. But, you must purchase WinGate after the trial period for a small fee, whereas RIP comes included in the W98 distribution kit. Further, you would also be required to do a little snooping around the Net to figure out that there was a WinGate in existence. Inclusion of RIP on the distribution CD is much easier to discover and use.
I fully expect a lot of small businesses to implement this optional component. I also fully expect large corporate laptop users to do the same. In either situation, compromise of the internal networks via unauthorized connectivity and access will become much more commonplace. It also follows that if your company does not have policies about what is allowed to be connected to the corporate network and, importantly, how, then be prepared to have your network compromised by a desktop near you soon.
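A desktop that starts speaking RIP announces itself on the LAN, so the condition described above is detectable from the wire. The following is an added example, not code from the column: it parses RIP v1/v2 messages (UDP/520) and flags a host that is not an authorized router advertising routes, in particular a default route that would pull internal traffic towards its dial-up link. The sample packet, the addresses and the authorized-router list are constructed for the illustration.

```python
import struct
import ipaddress

def parse_rip(payload):
    """Parse a RIP v1/v2 message (UDP/520 payload) into (command, version, routes)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP message")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    routes = []
    for off in range(4, len(payload), 20):  # one 20-byte route entry at a time
        af, _tag, addr, mask, nexthop, metric = struct.unpack("!HHIIII", payload[off:off + 20])
        if af != 2:  # AF_INET only; this also skips RIPv2 authentication entries (0xFFFF)
            continue
        routes.append({"prefix": str(ipaddress.IPv4Address(addr)),
                       "mask": str(ipaddress.IPv4Address(mask)) if version == 2 else None,
                       "next_hop": str(ipaddress.IPv4Address(nexthop)) if version == 2 else None,
                       "metric": metric})
    return command, version, routes

def audit_rip(src_ip, payload, authorized_routers):
    """Return a list of findings for one RIP message seen from src_ip on the LAN."""
    command, _version, routes = parse_rip(payload)
    findings = []
    if command != 2:  # only responses (command 2) carry advertised routes
        return findings
    if src_ip not in authorized_routers:
        findings.append(f"unauthorized RIP speaker {src_ip} advertising {len(routes)} route(s)")
    for r in routes:
        if r["prefix"] == "0.0.0.0":  # a default route: the host claims to reach everywhere
            findings.append(f"{src_ip} advertises a default route (metric {r['metric']})")
    return findings

def build_rip_response(routes, version=2):
    """Build a RIP response; used here only to construct sample traffic."""
    msg = struct.pack("!BBH", 2, version, 0)
    for prefix, mask, nexthop, metric in routes:
        msg += struct.pack("!HHIIII", 2, 0, int(ipaddress.IPv4Address(prefix)),
                           int(ipaddress.IPv4Address(mask)),
                           int(ipaddress.IPv4Address(nexthop)), metric)
    return msg

# Constructed sample: a desktop at 192.168.1.57 (not the site router at 192.168.1.1)
# advertising a default route plus a network it reaches over its own dial-up link.
AUTHORIZED_ROUTERS = {"192.168.1.1"}
SAMPLE = build_rip_response([("0.0.0.0", "0.0.0.0", "0.0.0.0", 1),
                             ("10.200.0.0", "255.255.0.0", "0.0.0.0", 2)])
```

Feeding the UDP/520 payloads captured by a LAN sniffer through audit_rip gives the list of unexpected routers to chase down.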
Stealth Probing of Internet-connected Sites
A recent series of long-term, low packet-count probes has been going on within various large network sites belonging to the military and other large organizations. Low-bandwidth, or group, hacking involves numerous hackers working together from different locations. Together, they intermittently send sets of IP packets against a network to test for vulnerabilities. Because the packets come from different hosts and at varying intervals, they come in, in effect, under the radar of most intrusion-detection applications currently on the market.
This type of attack has been rumored about for several years, but it wasn't until last month that it was documented by the Shadow project of the US Department of the Navy's Surface Warfare Center. With these new low-bandwidth attacks, hackers have found a way to make the most obvious part of their attacks - probing for vulnerabilities - virtually undetectable. That frees them up to do the real damage by racing through those holes to capture data before they can be shut down. So far, three distinct patterns have emerged:
Slow scans for machines and services: Attacker intermittently checks for machines and services to develop a picture of the target network. Once vulnerabilities are mapped, attacker can go back through that hole.
Multisourced attack: Attacker tries to access or crash a server, also known as denial of service, from multiple points of origin.
Multisourced attacks to multiple targets: Attacker dilutes the so-called attack density, making it look like normal traffic that is converging on the same data.
So far there has been a lot of vendor posturing and assurances of product upgrades coming out to fight this new method of probing for weakness. We will see. What is already known is that detecting this type of probing requires monitoring built on various database and neural network methods, as well as macho computing hardware to handle the performance demands that are sure to arise. This type of monitoring comes at a price, and it's not going to be cheap to implement nor simple to solve.
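The core of the monitoring the column calls for is correlation over a much longer window than a conventional scan detector uses, keyed on the target rather than the source. The following is an added example, not the column's or the Shadow project's code: it groups probes by target host over a seven-day window, ignores who sent them, and reports a target when the distinct-port count crosses a threshold even though every individual source stayed below the count that a per-source detector would need. The log format, addresses and dates are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # far longer than the seconds-to-minutes window of a typical scan detector
PORT_THRESHOLD = 10          # distinct ports touched on one target inside WINDOW
PER_SOURCE_LIMIT = 3         # probes per source at or below which a per-source detector stays quiet

def parse_line(line):
    """Parse a constructed firewall-style log line: '<iso time> <src> -> <dst>:<port> SYN'."""
    ts, src, _arrow, target, _flag = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def correlate(lines):
    """Correlate probes by target host over WINDOW regardless of source.
    Returns {dst: summary} for targets whose distinct-port count reaches PORT_THRESHOLD."""
    by_target = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        by_target[dst].append((ts, src, port))
    alerts = {}
    for dst, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:  # slide the window forward
                start += 1
            window = events[start:end + 1]
            ports = {p for _, _, p in window}
            if len(ports) >= PORT_THRESHOLD:
                per_source = defaultdict(int)
                for _, s, _ in window:
                    per_source[s] += 1
                alerts[dst] = {"sources": set(per_source), "ports": ports,
                               "max_per_source": max(per_source.values()),
                               # True: no single source would have tripped a per-source detector
                               "evaded_per_source": max(per_source.values()) <= PER_SOURCE_LIMIT}
    return alerts

# Constructed sample: four sources, three probes each, spread over six days against 10.0.0.5
SAMPLE_LOG = [
    f"1998-10-{day:02d}T{hour:02d}:00:00 {src} -> 10.0.0.5:{port} SYN"
    for day, src, ports in [(1, "203.0.113.7", (21, 23, 25)), (2, "198.51.100.9", (53, 80, 110)),
                            (4, "192.0.2.44", (111, 139, 143)), (6, "203.0.113.88", (443, 512, 515))]
    for hour, port in zip((3, 9, 17), ports)
]
```

Running correlate over SAMPLE_LOG reports 10.0.0.5 with twelve distinct ports from four sources, none of which exceeded three probes on its own.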
Lotus Domino Security Flaws Redux
Another security glitch on Lotus Development's Domino Web server may make it possible to view sensitive credit card, address, and phone data from the Web. The breach was reported last week by L0pht Heavy Industries, a group dedicated to security research. Their advisory is located on their web site at:
http://www.l0pht.com (that's a zero, not an O). This flaw could make Lotus Domino application-based payment and client data available from a Web browser. L0pht's website said it received reports regarding a vulnerability in some implementations of Domino-based applications, which result in the Internet publication of sensitive information belonging to customers of Lotus/IBM and their business partners.
L0pht said Web browser users can access database information simply by navigating to the payment entry part of a Domino site, then substituting open after .nsf database names in the URL. L0pht suggests developers use reader and author names fields to prevent unauthorized access to sensitive data. It also suggests disallowing anonymous access to the names.nsf, catalog.nsf, log.nsf, domlog.nsf, and domcfg.nsf databases.
Ironically, while L0pht was posting the advisory about the security flaw on its website, Lotus outlined details of its E-commerce and public-key infrastructure security plans at its developers' conference. To address security concerns, Lotus placed its IETF PKI-compliant implementation in the public domain last summer. Lotus officials said Microsoft, Intel, and Security Dynamics Technologies pledged to support the reference implementation. Having a single PKI implementation will keep down the number of certificate authorities businesses will have to maintain for trading partners and foster greater extranet development. PKI functionality for Notes/Domino will be completed and available in the next six to 18 months.
European Companies Not Impressed With E-Commerce
A recent survey by Andersen Consulting shows that many European business executives are slow to incorporate electronic commerce into their operations. While 82% of executives said they believe E-commerce will have a strategic impact on their business in the future, only 39% are taking steps today to incorporate the technology into their strategy. Only 19%, the survey found, regard E-commerce as a serious competitive threat.
Moreover, one-half of the respondents believe that consumers lack an understanding of E-commerce. A majority view privacy and security as major barriers. Eight percent cited the need for governments to work together to form a common, international E-commerce framework. The survey, conducted between December 1997 and July 1998, involved more than 300 senior executives throughout Europe.
Vendor-Supplied Security for Computers
Dell Computer Corp. is working overtime to help IS managers secure the data in their users' notebooks, desktops and servers. Dell recently announced DellGuard, a security initiative that features password-protected hard drives for notebooks and desktops, along with an 800-number that assists in tracking stolen PCs. In the first half of 1999, the company plans to add smartcard hardware to its notebooks and desktops that will provide a single point of user