Compromising Positions - PowerPoint PPT Presentation
Slides: 21
Provided by: jjeffer
Transcript and Presenter's Notes
1
Compromising Positions
  • Incident Response at Harvard University

2
Today's Situation
  • A School was compromised by a hacker or hackers
    using ttdb, statd, rpc.cmsd and NIS
    vulnerabilities found in Solaris 2.5 and above.
  • Please see http://www.cert.org for further
    information on the vulnerabilities.

3
Today's Situation
  • Once the intrusion of one system was successful,
    access was gained to less vulnerable systems,
    due to the open state of the School's system and
    network infrastructure.
  • Given the sheer volume of security
    vulnerabilities found and the large number of
    systems known to be compromised, it is safe to
    assume that most UNIX/NT systems were
    compromised, and to treat this incident as if ALL
    systems are compromised.

4
Today's Situation
  • Various log and vulnerability scanning utilities
    were employed to scan the School's subnets from
    outside for vulnerabilities.
  • 10 of the vulnerabilities found were high risk.
  • Over 100 machines were found to be extremely open
    to compromise.
  • Over 35 machines are known to be compromised.

5
Today's Situation
  • Once the extent of the intrusion was discovered,
    all inbound network connectivity was suspended to
    the School's network.
  • This was done to allow time to secure, fix and/or
    rebuild all UNIX/NT systems within the School's
    network.
  • Once these systems are fixed, services will be
    opened where needed.
  • Intrusion Detection monitors were installed to
    watch all network traffic.

6
Recommendations
  • Lock down incoming connectivity.
  • Deny everything, permit only what is necessary.
  • As stated, this should minimize the threat of the
    hacker(s) coming back before the systems are
    secured.
  • Internal traffic will be allowed so that
    computers within the School can communicate with
    each other and people can work within the school.
  • Evaluate system order of importance.
  • Which systems are vital?
  • Fix and secure these systems first.

7
Recommendations
  • Evaluate current system state.
  • Check through local system logs and files to
    determine whether the system has been compromised.
  • Validate current system configuration to
    determine and eliminate possible vulnerabilities.
  • Rebuild or reinstall OS and application if
    necessary.
  • If the evaluation has found the system to have
    been compromised with binary system files
    replaced, it will be necessary to reinstall
    everything.

8
Recommendations
  • Install latest OS and application patches on each
    server.
  • This will not only bring the systems up to
    recommended security levels, but will also apply
    Y2K fixes as well.
  • Determine what services need to be available, and
    to where.
  • How open should the system be? Only to the
    School? The world? Both?
  • This will determine what needs to be locked down
    and what needs to be opened. And how.

9
Recommendations
  • Clean up the INETD Superserver.
  • Every UNIX system has a Superserver, INETD; the
    majority of common network services are
    controlled by it.
  • Unfortunately, Sun ships with everything enabled
    within INETD, even well-known insecure services.
  • Shut off the unnecessary services and limit
    access to the ones left on.
  • This will also entail the wrapping of necessary
    services. Wrapping is explained further on.

10
Recommendations
  • Upgrade or patch Sendmail.
  • Unfortunately, most vendors ship vulnerable or
    outdated versions of Sendmail.
  • Upgrade Sendmail to the latest vendor-supported
    patch level, or replace it with the Open Source
    version.
  • Configure Sendmail to permit relaying only to and
    from necessary mail servers/clients. This will
    cut down liability for spam.

11
Recommendations
  • Install file validation software.
  • Monitors the state of the system files, creating
    a checksum database of each file. That way, if
    an intrusion occurs, the checksum database will
    alert to any changes made to the files.
  • This provides the ability to determine if any
    backdoors or rootkits have been installed onto
    the system, providing a way for the hacker to
    gain unnoticed entry into the system at a later
    time.
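A minimal version of the file-validation check described on this slide, added here as an example and not part of the presentation or of any product it names. It assumes a POSIX shell with `sha256sum` (GNU coreutils); Tripwire-style tools additionally record ownership and permissions and protect the database itself.

```shell
#!/bin/sh
# Added example: build a checksum baseline of a file tree, then report what
# changed. Assumes a POSIX shell and sha256sum (GNU coreutils). Paths with
# whitespace are not handled; real tools store more than a hash per file.

# build_db DIR -> one "<sha256>  <path>" line per regular file, sorted by path
build_db() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# verify_db DIR DBFILE -> prints CHANGED/ADDED/REMOVED <path> lines, one per
# discrepancy between the baseline and the live tree; prints nothing if clean.
verify_db() {
    cur=$(mktemp)
    build_db "$1" > "$cur"
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }      # load the baseline
        ($2 in old) {                                   # file known to baseline
            if (old[$2] != $1) print "CHANGED " $2
            delete old[$2]; next
        }
        { print "ADDED " $2 }                           # not in the baseline
        END { for (p in old) print "REMOVED " p }       # in baseline, gone now
    ' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# demo: baseline a constructed "system", replace one binary the way a rootkit
# would and drop a hidden backdoor file, then verify. Expected output:
#   ADDED ./bin/.hidden
#   CHANGED ./bin/ls
demo() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    build_db "$d" > "$d.db"                     # baseline kept outside the tree
    printf 'trojaned ls\n' > "$d/bin/ls"        # replaced system binary
    printf 'backdoor\n' > "$d/bin/.hidden"      # new file the intruder left
    verify_db "$d" "$d.db"
    rm -rf "$d" "$d.db"
}

demo
```

The baseline must be taken from a known-clean install and stored off the host (read-only media or the central log server), otherwise an intruder who replaces binaries can regenerate it too.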

12
Recommendations
  • Install SSH
  • One goal of system security is to allow no
    unencrypted access to the server. While this is
    not possible on every level, it can be applied to
    most connectivity from the Internet.
  • SSH (Secure Shell) provides secure, encrypted
    telnet- and ftp-like sessions.
  • Minimizes the possibility of confidential
    information being seen on the Internet.

13
Recommendations
  • Install and configure Daemon Wrappers.
  • A wrapper allows control over what services can
    be connected to and from where.
  • Unfortunately, most vendors' system services do
    not log very much information by default; by
    wrapping a service, logging is increased.
  • There are wrappers for TCP and RPC system and
    application services.
  • These are VERY effective. If a connection is
    made to a service from a host that is not
    recognized, by IP address or domain name, as one
    allowed to connect, that connection is denied.
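The INETD clean-up (slide 9) and the wrapper deployment (slide 13) as one worked script, added here as an example and not taken from the presentation. It assumes the classic seven-field inetd.conf layout and tcpd at /usr/sbin/tcpd; the sample configuration and the network address are constructed.

```shell
#!/bin/sh
# Added example: apply "deny everything, permit only what is necessary" to an
# inetd.conf and route the survivors through tcpd, the TCP Wrappers daemon.
# Assumes the classic 7-field inetd.conf layout and tcpd at /usr/sbin/tcpd.
# The sample configuration and network addresses below are constructed.

# harden_inetd "svc1 svc2 ..." < inetd.conf > inetd.conf.new
# Comments out every service not on the list; rewrites the kept TCP/UDP
# entries so inetd starts tcpd, which consults hosts.allow/hosts.deny and logs
# every connection before handing it to the real daemon.
harden_inetd() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*(#|$)/     { print; next }            # comments and blank lines
        !($1 in allow)     { print "#" $0; next }     # deny by default
        $3 ~ /^(tcp|udp)$/ { $6 = "/usr/sbin/tcpd"; print; next }  # wrap it
        { print }   # rpc/* entries kept as-is; RPC needs the rpcbind wrapper
    '
}

# wrapper_policy NET/MASK -> hosts.deny and hosts.allow content: everything is
# refused unless a rule permits it; only SSH (built with libwrap) is reachable
# from anywhere, ftp and telnet only from the School network.
wrapper_policy() {
    printf '# /etc/hosts.deny\nALL: ALL\n\n'
    printf '# /etc/hosts.allow\nsshd: ALL\nin.ftpd in.telnetd: %s\n' "$1"
}

# Constructed sample in the Solaris style, including the RPC services the
# incident involved (calendar manager and ToolTalk database server).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp        stream tcp     nowait root   /usr/sbin/in.ftpd      in.ftpd
telnet     stream tcp     nowait root   /usr/sbin/in.telnetd   in.telnetd
finger     stream tcp     nowait nobody /usr/sbin/in.fingerd   in.fingerd
exec       stream tcp     nowait root   /usr/sbin/in.rexecd    in.rexecd
100068/2-5 dgram  rpc/udp wait   root   /usr/dt/bin/rpc.cmsd   rpc.cmsd
100083/1   tli    rpc/tcp wait   root   /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
}

sample_inetd_conf | harden_inetd "ftp telnet"
wrapper_policy "10.0.0.0/255.255.0.0"   # constructed School network
```

After editing the real file, inetd must be sent SIGHUP to re-read it, and the result should be confirmed with the re-scan from slide 16 rather than assumed.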

14
Recommendations
  • Configure centralized system logging.
  • Wrapping services increases the level at which
    system activity is logged.
  • By configuring each system to log to one central
    server, all system activity can be monitored from
    one location.
  • With logging taking place centrally, checks can
    be easily set up to provide daily reports of
    system activity from all servers in the network.
  • This will cut down on the likelihood of problems
    being overlooked.
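The kind of daily check this slide describes, run on the central log server over the syslog stream collected from every host: an added example, not part of the presentation. The log lines are constructed samples in the format tcpd writes; only the report logic is shown, the syslog.conf forwarding itself is one line per host.

```shell
#!/bin/sh
# Added example: summarise TCP Wrappers refusals per source address from the
# centrally collected syslog, so one report shows who probed which services.
# Sample log lines are constructed in tcpd's format:
#   "<daemon>[pid]: refused connect from <host>"

# wrapper_report < syslog -> "<source> <refusals> refused: <services...>" per
# source, most refusals first; a source touching several services stands out.
wrapper_report() {
    awk '
        /refused connect from/ {
            p = $5; sub(/\[.*$/, "", p)            # "in.telnetd[2231]:" -> in.telnetd
            src = $NF                              # last field is the peer address
            n[src]++
            if (!((src, p) in seen)) { seen[src, p] = 1; svc[src] = svc[src] " " p }
        }
        END { for (s in n) printf "%s %d refused:%s\n", s, n[s], svc[s] }
    ' | sort -k2,2nr
}

# Constructed sample of one night on the central loghost (several hosts feed it).
sample_syslog() {
    cat <<'EOF'
Mar  3 02:14:07 mailhost in.telnetd[2231]: refused connect from 203.0.113.9
Mar  3 02:14:08 mailhost in.ftpd[2232]: refused connect from 203.0.113.9
Mar  3 02:14:09 mailhost in.fingerd[2233]: refused connect from 203.0.113.9
Mar  3 09:31:44 webhost in.telnetd[4410]: connect from 10.0.5.7
Mar  3 11:02:01 mailhost sshd[5120]: Accepted password for alice from 10.0.5.9
Mar  3 11:05:17 nishost in.rlogind[6633]: refused connect from 198.51.100.24
EOF
}

sample_syslog | wrapper_report
```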

15
Recommendations
  • Install system intrusion detection software,
    PortSentry
  • PortSentry sits on each system and watches
    incoming TCP and UDP traffic for scans. Scans
    are the most commonly used method of
    determining which systems a hacker will attempt
    to penetrate.
  • If PortSentry detects a scan, it can disappear
    from the scanning host. To the scanning software
    of the hacker, all future connectivity will be
    denied.
  • The system will still be available to the allowed
    users.

16
Recommendations
  • Re-scan the system.
  • Check to make sure all unnecessary and vulnerable
    services are fixed or secured.
  • Fix any remaining problems.
  • Re-scan ad nauseam.
  • Open allowable services within the router access
    control list.

17
Outstanding Issues
  • POP and IMAP mail services.
  • POP and IMAP services within the school
    unfortunately use the same usernames and
    passwords as the logins to the server. There is
    then the chance, since POP and IMAP are clear
    text applications, that usernames and passwords
    may be captured and used to log into the server
    itself.
  • Mail itself is sent clear text. This means that
    if email is captured, it can be read.

18
Outstanding Issues
  • Dial-up modem pool
  • Currently requires no authentication.
  • Open to telnet to the School and others.
  • VPN
  • Virtual Private Network.
  • Will allow connectivity with encryption.
  • Exportable clients.
  • Used by ADAPT.

19
Outstanding Issues
  • Deployment of SSH
  • Getting end-users the software.
  • Training end-users on the software.
  • Export restrictions?
  • Insecure system services
  • Some systems/networks need connectivity to
    services that are inherently insecure: NIS, NFS,
    etc.
  • Are the connecting systems/networks secure?
  • Should they be allowed?

20
Final Thoughts
  • This will only minimize the risk of future
    intrusion.
  • Vulnerabilities are being found daily in all
    OSs, systems and networks. Sooner or later, if
    system and network security is not thought of
    daily, if bug and security reports are not
    followed, if patches are not applied regularly,
    they will own you again.