Connect Fall 1998  Technical Services


Recent Electronic Attacks at NYU

Stephen Tihor

[Ed: Links to web pages and/or e-mail addresses which have become inactive since the publication of this article have been enclosed in curly brackets { }. Replacement links have been provided where possible.]

Many folks, who used to have simple terminals or personal computers that ran only local programs, have recently acquired more powerful desktop machines, such as scientific workstations of various sorts. People see these computers as freestanding and individual, so they don't consider the fact that now that everyone's networked, their machines can pose security risks to other users.

As desktop machines became more powerful and better connected, people started using the machines to reach out and take advantage of remote services such as mail servers, websites and news groups.

Now, a number of people have purchased powerful computers that have the capability to offer services to others as well. Desktop computers running versions of the UNIX operating system are available from Sun, SGI, IBM, HP and DEC. The Linux variant of UNIX can be found running on Intel machines, Alphas, Power PCs and others. Even Microsoft and Apple's latest desktop operating system releases come with a few pieces of server software (Web servers and file servers) already installed.

Unfortunately, as more systems are connected to the network with their service options enabled (the default for Linux and nearly all other UNIX systems), the risk that people will misuse those services grows.

Spam Relaying

Most UNIX boxes run e-mail by default. Since they are designed as multi-user systems, they are mail servers in their own right and can receive mail (so you can get messages there), send it to remote systems, and store messages in between, so you can read them at your leisure or wait for a remote system to come up and accept a message you sent.

The risk this poses is that spammers can use your system to deluge others with unwanted and sometimes offensive advertising or political statements.

Spam, you will recall, is the technoslang term for unsolicited, repetitive or commercial mass mailings or postings. It refers to a Monty Python skit in which a group of Vikings were so enthusiastic about the meat product that if its name were mentioned, they started singing it over and over and over, preventing all rational conversation.

Many people do not like unsolicited mass mailings, especially commercial ones, and most especially unsolicited ads for products they neither want nor need. Sometimes, in an attempt to block spam, all traffic from a site that has sent spam in the past is blocked.

In response, many spammers try to avoid those blocks by passing the mail to another host on the network that is not on any blacklist.

Traditionally, any Internet host would accept mail for anyone else and send it along in the interest of keeping information flowing. This traditional helpfulness is very convenient for spammers. A small number of bad actors with very powerful machine-gun mailing tools can swamp a host or an entire piece of the network with outgoing mail to literally millions of users. Clearly it is important that all mail servers here at NYU block such attempts to misuse our mail forwarding services.

A feature called mail relay blocking lets you permit other hosts within NYU to pass you mail for the outside world, and lets outside hosts pass you mail for NYU destinations, but will not forward mail from an outsider to another outsider. Thus, attempts to spam innocent third parties using an innocent system as an agent will fail. The general NYU-NET operating procedures, which can be found at {www.nyu.edu/its/standards/netopolicy.nyu} (replacement URL: http://www.nyu.edu/its/policies/netopolicy.html), require a user running a server to have the appropriate anti-relaying software on that system.
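The relay-blocking rule described above, as an added example that is not from the article or from any NYU mailer: a per-recipient decision that accepts inside-to-anywhere and anywhere-to-inside mail and refuses outside-to-outside relaying. The address blocks and domain are constructed placeholders, not NYU's real allocations.

```python
# Added example: relay decision implementing the anti-relaying policy.
# LOCAL_NETS / LOCAL_DOMAINS are constructed placeholders.
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
LOCAL_DOMAINS = {"example.edu"}


def is_local_host(client_ip: str) -> bool:
    """True if the connecting SMTP client sits inside our own network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_recipient(rcpt: str) -> bool:
    """True if the recipient domain is one we deliver for (subdomains included)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def relay_decision(client_ip: str, rcpt: str) -> str:
    """Apply the relay-blocking policy to one RCPT TO command.

    inside  -> anywhere : accept (our users may send mail out)
    anywhere -> inside  : accept (we must receive our own mail)
    outside -> outside  : reject (third-party relay, what spammers want)
    """
    if is_local_host(client_ip) or is_local_recipient(rcpt):
        return "250 accept"
    return "550 relaying denied"


# Constructed sample envelopes: (client address, recipient).
SAMPLES = [
    ("192.0.2.17", "bob@elsewhere.net"),       # inside -> outside
    ("203.0.113.5", "alice@example.edu"),      # outside -> inside
    ("203.0.113.5", "user@mail.example.edu"),  # outside -> inside subdomain
    ("203.0.113.5", "victim@elsewhere.net"),   # outside -> outside: blocked
]

if __name__ == "__main__":
    for ip, rcpt in SAMPLES:
        print(f"{ip:>12} -> {rcpt:<24} {relay_decision(ip, rcpt)}")
```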

End-user mail programs such as Eudora do not have this problem. If you are just reading your mail using a POP mailer like Eudora, don't worry. But anyone running a UNIX box or another mail server (such as a cc:Mail server, the Mercury mailer, or any of the Microsoft mail servers) may well be at risk. For a summary of the current vulnerabilities of different mail transfer agents like sendmail, see {maps.vix.com/tsi/}.

Because spammers run sweeps over large ranges of IP addresses, you cannot assume that you do not need to worry about this simply because your network-connected SGI or Sun workstation is not known to the outside world. We have seen quite obscure machines being found and abused in this way.

Denial of Service Attacks

NYU has detected regular attempts by automated cracking tools to sweep all of NYU-NET, using the known bugs in some personal computer vendors' TCP/IP implementations to cause machines to hang or crash. To avoid such automated attackers, it is important to have the most recent set of patches for systems like Windows 95, Windows 98, Windows NT, HP-UX and Linux, since it is hard for network staff to detect and block such attacks before they have done their damage.

The Security Group maintains a mailing list of alerts for system managers, but it is the responsibility of every person who maintains a computer system to track problems and fixes from their vendor. For popular or rapidly changing products like Windows and Linux, it is especially important to track problems as they are reported and to install fixes promptly.

Data sent over the Internet is broken down into packets. Some implementations of the fragmentation re-assembly code do not properly handle overlapping packets. Teardrop is a widely available attack tool that exploits this vulnerability.

Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are forged to be the same as the destination). Land is a widely available attack tool that exploits this vulnerability.
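The two malformed-packet patterns just described (overlapping fragments, and a SYN whose source equals its destination), as an added example of the sanity checks a packet filter or intrusion detector can apply. This is not code from the article or from the tools it names; the packets are constructed dictionaries, not captures.

```python
# Added example: detection checks for the Land and Teardrop-style packet
# shapes described above. Sample packets are constructed, not captured.
from typing import Dict, List

Packet = Dict[str, object]


def is_land_packet(pkt: Packet) -> bool:
    """Land: a TCP SYN whose source address:port equals its destination."""
    return (pkt["proto"] == "tcp" and bool(pkt.get("syn", False))
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def fragments_overlap(frags: List[Packet]) -> bool:
    """Teardrop-style datagrams: IP fragments whose byte ranges overlap.

    Each fragment carries a byte offset and a payload length; a well-formed
    datagram's fragments tile the payload without overlapping each other.
    """
    ranges = sorted((int(f["offset"]), int(f["offset"]) + int(f["length"]))
                    for f in frags)
    for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
        if start < prev_end:          # this fragment begins inside the last one
            return True
    return False


def check_datagram(frags: List[Packet]) -> List[str]:
    """Return the names of every check that a datagram's fragments trip."""
    findings = []
    if any(is_land_packet(f) for f in frags):
        findings.append("land")
    if fragments_overlap(frags):
        findings.append("fragment-overlap")
    return findings


# Constructed samples: a normal two-fragment datagram, an overlapping one,
# and a single self-addressed SYN.
NORMAL = [{"proto": "udp", "src": "192.0.2.1", "dst": "192.0.2.2",
           "sport": 1024, "dport": 53, "offset": 0, "length": 1480},
          {"proto": "udp", "src": "192.0.2.1", "dst": "192.0.2.2",
           "sport": 1024, "dport": 53, "offset": 1480, "length": 200}]
OVERLAP = [dict(NORMAL[0]), dict(NORMAL[1], offset=1000)]
LAND = [{"proto": "tcp", "syn": True, "src": "192.0.2.9", "dst": "192.0.2.9",
         "sport": 80, "dport": 80, "offset": 0, "length": 40}]

if __name__ == "__main__":
    for name, d in [("normal", NORMAL), ("overlap", OVERLAP), ("land", LAND)]:
        print(name, check_datagram(d) or ["clean"])
```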

A copy of the Computer Emergency Response Team advisory on this topic is at {ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land}; it includes specific vendor version and patch information. Because of their wide use, Windows 95 and Windows NT are supplanting Sun systems and even Solaris as the preferred target of cybervandals. They want to do as much damage to as many systems as possible, either to build a reputation or to prove to large software companies like Microsoft that their software design and testing practices are inadequate.

RPC and IMAP Hole Scanning

People are not only scanning NYU-NET to crash systems. Most recent UNIX operating systems include a variety of features created at Berkeley that let users access systems and move files from account to account without having to prove their identity each time they start another operation on a different system. The Berkeley R* tools (rlogin, rshell, rexec and rmt) and the Sun-popularized Network File System (NFS) are some examples.

We have run into a number of cases lately where crackers seemed to be scanning for known holes in the remote procedure call (RPC) programs used by NFS to share files among several cooperating systems. NFS was designed to work in a small local network of secure systems run and used by responsible engineers who trust each other to protect each other's privacy.

Although it lacks strong security features and can be used in a number of ways to break system security, it is popular. Sun is working on patching some of the holes and adding some additional privacy protection code.

Nonetheless, there are a number of systems where the responsible party has not been aggressive about patching holes as they were reported. When a cracker has found a hole and used it to break in, starting from that account he can infiltrate all the other machines that trust that one. (If any user on one system lists an account on another system in his or her .rhosts, .shosts, .netrc, or similar authorization files, or if the second system's name appears in the /etc/rhosts files or their equivalents under other operating systems, then the first system can be said to trust the second system.)
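The chained-trust problem described above (a break-in on one host reaching every host whose .rhosts or hosts.equiv entries trust it), as an added audit example that is not from the article: it parses constructed .rhosts-style lines into "who trusts whom" edges and reports which hosts a single compromised machine could reach through that trust. Host names and file contents are invented for the example.

```python
# Added example: blast-radius audit over host-trust files.
# RHOSTS_FILES is constructed: for each host, the lines found in its users'
# ~/.rhosts and /etc/hosts.equiv ("host [user]", "+" = any host,
# "-host" = explicit deny, '#' starts a comment).
from collections import deque
from typing import Dict, List, Set

RHOSTS_FILES: Dict[str, List[str]] = {
    "alpha": ["beta", "# lab machines", "gamma  jdoe"],
    "beta":  ["gamma"],
    "gamma": [],
    "delta": ["alpha", "beta"],
    "omega": ["+"],          # trusts everyone: the worst case
}


def trust_edges(files: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each trusted host -> the set of hosts that trust it.

    "gamma jdoe" in alpha's files means alpha accepts logins from gamma,
    so a compromise of gamma can reach alpha.
    """
    reach: Dict[str, Set[str]] = {h: set() for h in files}
    for owner, lines in files.items():
        for line in lines:
            line = line.split("#", 1)[0].strip()
            if not line or line.startswith("-"):   # blank or explicit deny
                continue
            trusted = line.split()[0]
            targets = set(files) if trusted == "+" else {trusted}
            for t in targets:
                reach.setdefault(t, set()).add(owner)
    return reach


def exposed_hosts(files: Dict[str, List[str]], compromised: str) -> List[str]:
    """Every host reachable through chained trust from one compromised host."""
    reach = trust_edges(files)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        host = queue.popleft()
        for nxt in reach.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return sorted(seen)


if __name__ == "__main__":
    for start in ("gamma", "beta", "omega"):
        print(f"if {start} is compromised: "
              f"{exposed_hosts(RHOSTS_FILES, start) or 'nothing else'}")
```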

Once infiltrated, those other machines' accounts can be used to collect passwords as they fly over the network past those systems; to crack the encrypted passwords stored in the password files on older and less secure UNIX systems; and to set up unauthorized network servers. During the last academic year, we have found servers sharing stolen programs and access codes, running attacks on systems at other schools and companies around the network, and sending out e-mail and IRC SPAM of one sort or another, advertising dubious products and websites.

The relevant CERT advisories and recent summaries are at {ftp://ftp.cert.org/pub/cert_advisories/CA-96.09.rpc.statd} and {ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop}.

Individual weaknesses in machines' security systems can cause the same or more damage than obvious security breaches like giving out a password. It can be very embarrassing for an innocent party to start getting incoming mail complaining about a pornographic advertisement sent from their account -- all because they chose a poor password, or because a researcher on the same local area network was lax in managing his system, or because the department network has not been upgraded to reduce the impact of a break-in on that person's machine.

More information

For more information visit the NYU-NET Security page: http://www.nyu.edu/its/security/.


Stephen Tihor was a senior system manager in the System and Network Security Group at ACF.
{stephen.tihor@nyu.edu}

Posted October 5, 1998. Revised April 25, 2004.