The following text is copyright 1994 by
Network World, permission is hereby given for reproduction, as long as
attribution is given and this notice is included.
The Pain of Being Right
By: Scott Bradner
In this column on
January 10th I predicted that there would be a major security incident on the
Internet in 1994, one that would capture the attention of the national news
media. Well, it did not take long for something to happen and some people have
gone so far as to call it a blockbuster.
The Computer Emergency
Response Team (CERT) posted a security advisory on February 3rd. The advisory
described a particular type of attack on a number of Internet service providers
that has resulted in the capturing of lognames and passwords "for tens of
thousands of systems across the Internet." Reports, with varying degrees
of accuracy, appeared, among other places, on the front page of the Washington
Post and on the NBC Nightly News.
If this sounds real bad,
it is because it could be real bad. But, as Peter Lewis pointed out in the New
York Times last week, no known use has yet been made of the information
gathered. It is all a bit puzzling.
Using a number of
avenues, intruders attacked workstations at a number of Internet service
providers. If they were successful in breaking security and obtained root
access, the intruders installed software that turned the workstation into a
network monitor. The software recorded the first 128 keystrokes of new FTP,
telnet and rlogin sessions that transited the LAN to which the workstation was
attached. In almost all cases the user's logname and password will appear in
the first 128 keystrokes. Note that the recorded sessions did not have to
originate or terminate on the compromised workstation. A user at one customer
of the provider could be starting up an FTP session with a server half way
across the country and still be compromised if his traffic passed over the
workstation's LAN.
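A modern, defender-side counterpart to the "network monitor" described above, added here as an example and not part of the column: a POSIX shell check that lists Linux interfaces in promiscuous mode, the state a host needs in order to capture other hosts' sessions on a shared LAN. It assumes the Linux /sys/class/net/<iface>/flags file, which is not mentioned in the column.

```shell
#!/bin/sh
# Added example (not from the column). On Linux, each interface exposes its
# flags as a hex string in /sys/class/net/<iface>/flags (e.g. "0x1103").
# IFF_PROMISC (0x100 in linux/if.h) is set when the interface accepts frames
# addressed to other stations, which a host-based sniffer on a shared LAN needs.

IFF_PROMISC=256   # 0x100

# is_promisc HEXFLAGS -> prints "yes" if the promiscuous bit is set, else "no"
is_promisc() {
    flags=$(( $1 ))                      # shell arithmetic accepts 0x constants
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# list_promisc [SYSDIR] -> prints the name of each promiscuous interface,
# one per line. SYSDIR defaults to /sys/class/net; a different directory
# can be passed to run the check against constructed sample data.
list_promisc() {
    sysdir=${1:-/sys/class/net}
    for f in "$sysdir"/*/flags; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        iface=$(basename "$(dirname "$f")")
        [ "$(is_promisc "$(cat "$f")")" = yes ] && echo "$iface"
    done
    return 0
}

# Typical use on a live host: any output names an interface worth explaining.
# list_promisc
```

A sniffer that lives in the kernel can hide this flag, so treat an empty result as evidence rather than proof.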
Interestingly enough,
this is not all that new a problem. I've been using the idea of remotely
corrupting a workstation as an example in my Interop tutorials for a number of
years (gee, I hope I'm not to blame) and a number of the Internet providers got
hit by these same (we assume) people last October. When they were hit, a number
of these providers did the responsible thing and informed their customers of
the attack and provided advice to change passwords and some pointers about
general and specific security procedures. NEARnet and BARRnet, among others,
made this sort of announcement since it was more important to keep the users
aware of problems than it was to cover up dirty laundry. As you might expect,
NEARnet has re-architected its network, obtained new security devices and changed
procedures to minimize the chance of this type of problem recurring.
The main thing that one
can do to minimize the impact of this particular attack is to rearrange your
network so that you don't have normal workstations connected to parts of your
network that carry a lot of transit traffic. In addition, the CERT advisory
makes a number of specific suggestions to improve security.
I hope that it does turn
out that this is as bad as it gets, and that this incident gets the award for
the security incident of the year (this somewhat assumes that we don't have the
equivalent of the Academy Awards judges' inability to remember more than a few
months back). I will say I'm not ready to predict that we won't get hit again.
Since someone might want to make use of all those passwords, it is time to change
yours.
You can join the CERT
Advisory mailing list by sending a request to: cert-advisory-request@cert.org.
Past CERT advisories and information about computer and network security can be
obtained from info.cert.org via anonymous FTP.
Disclaimer: (from C. P.
Thompson) "The above ramblings are my own and do not in any way reflect an
official position of my employer."
sob@harvard.edu