Enterprise Unix Roundup: Paradigm Wars II, Pass the Hubris

April 15, 2004

Sometimes, when things are slow around Roundup Ranch, we pop some popcorn, curl up on the sofa, and enjoy select scenes from the best movie about computer security ever: "Hackers." Does it get any better than when our rag-tag band of hackers ... er ... crackers take to the streets and hack The Gibson? Not for our money. "Hack the planet!" dudes.

Back in the real world, last week, a small and intrepid band of blackhats hacked the planets of as many as 20 supercomputing installations. If the post-mortem offered up by Stanford University, which was one of the victims, is any indication, the hack required little more than a few compromised accounts and a venerable and common piece of password auditing software that the victims should have been using in the first place.

Oh, right: They also took advantage of known vulnerabilities in Linux and Solaris as well as systems configured to use Network File System (NFS) in a deliberately insecure manner. In other words, it was a fairly routine cracking run, noteworthy mainly because it was so widespread and targeted a grid computing project that would have given the blackhats serious firepower for a denial of service attack.

The incident was so humiliating that the Washington Post reports admins working on the case have promised to not name all the institutions involved for fear that the victims will try to hide from the media.

That's probably par for the course. We've seen a few compromised sites in our day, and the first reaction from those involved is usually to clam up so no one ends up looking bad. What got our dander up about this particular situation, though, was one comment from a Stanford Security Officer:

"This incident is definitely giving us an opportunity to re-evaluate the maintenance and protection we provide to our Unix systems ... When you're completely focused on widespread attacks on Windows systems, it's certainly startling."

So even when Microsoft isn't to blame, it's somehow to blame: We're all so distracted by Code Red, Nimda, Slammer, and whatever else that we can't be bothered to patch our Unix boxes. And to think just last week we said the Paradigm Wars were over.

None of us are perfect when it comes to keeping up on our patches. Few of us are willing to put up with the pushback from users when we institute password policies that involve enforced periodic password changes, or install software that ensures users choose secure passwords. Almost every Unix graybeard, confronted with the need to move files from one server to another, has probably cheated and relaxed security on an NFS share just "that one time." We know one Unix admin who was shocked to realize an NFS server he inherited was not only sharing files for his local users, but was also a voluminous warez site for someone in Denmark who took advantage of its open permissions.

If that security officer, who was "startled" that sloppy NFS configuration, unpatched systems, and weak user passwords allowed the blackhats to get inside the wire, is any indication, there's a frightening amount of complacency in the Unix world about just how secure things really are.

A certain euphoric reaction is not unusual the first time a former Windows admin realizes she has far fewer chances of unwittingly running some sort of malware on her Unix system. We also believe experienced professionals are well-aware of the need to set that euphoria aside because they know the security advantages Unix confers aren't so much bulletproof armor as they are speed bumps that fail in the face of bad management and undisciplined users.

That said, the Stanford post-mortem offers a useful collection of Unix security tips, including how to detect some rootkits once they're installed, how to enforce better password choices, and how to look for suspicious activity. We can't think of a better opportunity to set aside hubris and benefit from someone else's hard-gained wisdom.

In Other News

» Too late for last week's edition, Sun announced a Solaris 10 beta release. The new release allows users to try out Sun's N1 Grid Containers. It also includes support for Sun's V20z and other Opteron servers, and Sun's UltraSparc IV processors.

» The CEO of Green Hills Software made some waves when he singled Linux out as vulnerable to, er, Communist takeover because of its open source nature. "Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems," he fumed. As long as they don't change everyone's mail signature to "Hack the planet!"

» Red Hat announced it is the first Linux vendor to attain Internationalization Runtime Environment Certification from the Free Standards Group. What this means: Red Hat's product runs in a wide variety of localized languages.

» SCOWatch: There really wasn't any SCO news this week, which, in and of itself, qualifies as news.

Security Roundup

  • Several vendors released patches for assorted vulnerabilities in the Linux kernel, including Debian (1, 2, 3), Mandrake, and SUSE. Although the vulnerabilities addressed vary, all involve potential root compromises.
  • OpenPKG and Debian released MySQL patches to address a bug that could allow malicious users to overwrite files with the permissions of the MySQL owner (which is often the root user).
  • Several vendors also patched a vulnerability in the version control software CVS that could allow a malicious user to create any file on the local user's disk. Look for patches from OpenPKG, Mandrake, SUSE, and Red Hat.
  • HP reported a patch for systems using IPsec/IKE (Internet Key Exchange) and vulnerable to an exploit that could lead to a root compromise.

Tips of the Trade

One of the tools the blackhats used in that crack attack was a piece of software called "John the Ripper" ("John" henceforth). Some reports call John "sophisticated" and say it "sniffs" passwords. While we don't want to take anything away from its developers, John isn't particularly exotic, and it doesn't so much "sniff" passwords as throw itself at the system password file with a brute-force dictionary attack, looking for weak passwords.

John is, in fact, so common that the best way to keep it from having its way with your own password file is to first use it to audit users' passwords -- before a malicious user compromises an account (using a weak password, for example) and does it for you.

A visit to the John the Ripper home page provides download information. Versions are available for a wide variety of Unix and Linux variants as well as OpenVMS, Microsoft Windows, and a few others.

You can also take a look at crack, which does much the same thing and has the benefit of being one of the snarkiest FAQs on the 'net. Snark aside, the FAQ provides download links and some useful information about how to get it up and running on your system.

Both programs can ensure that your users aren't creating the dreaded "plain English password."

Finally, consider installing pam_passwdqc, a module that runs in conjunction with PAM to check the strength of passwords users enter using the passwd command. Among this module's tricks is the ability to detect whether a user's new password is too similar to the last one as well as the ability to offer a randomly generated choice to users when they run passwd.
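To make the "Tips" concrete, here is an added example (not code from this column, and not the pam_passwdqc project's own code) that reimplements in Python the kinds of checks the module performs: a minimum length that depends on how many character classes a password uses, rejection of passwords built on a dictionary word (the sort John's word list would hit first), rejection of a new password that shares a chunk with the old one, a passphrase rule, and a randomly generated suggestion. Every threshold, both word lists, and the "run of four or more letters" passphrase rule are assumptions chosen for this illustration, not the module's defaults; the `min=`, `max=`, `match=` and `passphrase=` options of the real module govern the same ideas.

```python
"""Password-quality checks modelled loosely on pam_passwdqc.

Added illustration, not code from the column or from the passwdqc project.
Thresholds, word lists and the passphrase rule are assumptions chosen for
this example; the real module's "min=", "max=", "match=" and "passphrase="
options control the same ideas with their own defaults.
"""
import re
import secrets
from typing import List, Optional

# Constructed list of words an attacker's dictionary would certainly contain.
COMMON_WORDS = (
    "password", "welcome", "letmein", "qwerty", "dragon", "monkey",
    "summer", "football", "stanford", "admin", "secret", "master",
)

# Constructed list used to build random passphrases (the real module ships its
# own word list; these words are an assumption).
PASSPHRASE_WORDS = (
    "maple", "river", "cobalt", "lantern", "orbit", "quartz",
    "saddle", "tundra", "velvet", "wicket", "zephyr", "harbor",
)

# Minimum length required for a password using N character classes
# (lowercase, uppercase, digits, other). None means "never acceptable".
# Values are assumptions, not passwdqc's defaults.
MIN_LENGTH_BY_CLASSES = {0: None, 1: None, 2: 16, 3: 12, 4: 8}
MAX_LENGTH = 64
PASSPHRASE_MIN_WORDS = 3      # runs of >= 4 letters separated by non-letters
PASSPHRASE_MIN_LENGTH = 12
MATCH_LENGTH = 4              # shared substring length that counts as "similar"


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def passphrase_words(password: str) -> List[str]:
    """Runs of at least four letters, separated by anything else (assumed rule)."""
    return [w for w in re.split(r"[^A-Za-z]+", password) if len(w) >= 4]


def contains_common_word(password: str) -> Optional[str]:
    """Return the first dictionary word embedded in the password, if any."""
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            return word
    return None


def too_similar(new: str, old: str, match: int = MATCH_LENGTH) -> bool:
    """True when the new password shares `match` consecutive characters with
    the old one, forwards or reversed (case-insensitive)."""
    a, b = new.lower(), old.lower()
    if len(b) < match:
        return b in a
    for candidate in (b, b[::-1]):
        for i in range(len(candidate) - match + 1):
            if candidate[i:i + match] in a:
                return True
    return False


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(new) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # A passphrase of several real words is accepted on length alone, so the
    # class-count and dictionary checks are skipped for it.
    is_passphrase = (len(passphrase_words(new)) >= PASSPHRASE_MIN_WORDS
                     and len(new) >= PASSPHRASE_MIN_LENGTH)
    if not is_passphrase:
        classes = char_classes(new)
        required = MIN_LENGTH_BY_CLASSES[classes]
        if required is None:
            problems.append("uses too few character classes")
        elif len(new) < required:
            problems.append(f"{classes} character classes need at least {required} characters")
        word = contains_common_word(new)
        if word:
            problems.append(f"based on the dictionary word {word!r}")

    if old is not None and too_similar(new, old):
        problems.append("too similar to the previous password")
    return problems


def random_passphrase(n_words: int = PASSPHRASE_MIN_WORDS) -> str:
    """Offer a random passphrase, as pam_passwdqc does when a user runs passwd."""
    return "-".join(secrets.choice(PASSPHRASE_WORDS) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed sample inputs: a classic weak choice, a strong one that is
    # nonetheless a tweak of the previous password, and a generated phrase.
    for candidate, previous in (("welcome1", None),
                                ("Tr0ub4dor&3x!Fq", "Tr0ub4dor&3"),
                                (random_passphrase(), None)):
        verdict = check_password(candidate, previous) or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The similarity check is the part users most often trip over: "Tr0ub4dor&3x!Fq" is a fine password by every other rule, yet it is rejected when the previous password was "Tr0ub4dor&3", because four consecutive characters carry over. The same rule, applied to the reversed old password, stops the common trick of typing the old one backwards.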
