============================================================
T H E   S E C U R I T Y   O U T P O S T   B U L L E T I N
============================================================
January 13, 2000 | Vol. 1, #02 | http://www.securityoutpost.com

Contents

1. FEATURE: Where to Find the Y2K Bugs
2. TIPS: Drwatson, Winipcfg, netstat
3. TOOLS: nmap, SuperScan
4. THREATS: Distributed Attacks

============================================================
A service of PC Guardian ... San Rafael, California
"Protecting Computers & Data Worldwide" ... Since 1984
============================================================

--------------------------------------------------------
1. FEATURE: Where to Find the Y2K Bugs
--------------------------------------------------------

In the wake of the Year 2000 rollover, which didn't cause the end of
civilization as we know it, many are wondering what happened to the
Y2K infopocalypse we were promised. Some question whether the $100
billion or so spent in the US was worthwhile; others wonder if the
whole Y2K bug was a barrelful of hype.

Don't believe the counter-hype/conventional wisdom about the smooth
and uneventful Y2K rollover. There were tens of thousands of Y2K
incidents, some of them quite serious. Perhaps not as serious as
planes falling from the sky or nuclear plants going critical, but
endemic glitches, bugs, date errors, etc.[1]

Why haven't you heard about them? Well, why *would* you hear about
them? Y2K incidents are similar to computer security incidents --
they make the victims look bad. The overwhelming instinct is to cover
up these kinds of problems as quickly as possible with minimal public
disclosure. Imagine that you are a corporate IT manager dealing with
a severe post-rollover Y2K problem. You're not going to call the New
York Times or issue a press release. ("Well, we thought we knew what
we're doing.") You're going to fix the problem as expeditiously as
possible and hope that word doesn't leak.
This is part of what computer security expert M. E. Kabay calls "the
problem of ascertainment." Most computer break-ins -- like many
calendar problems -- are undetected. We know they're undetected
because some are discovered long after they occur. Even if they are
detected, many problems are dealt with discreetly for fear of bad
publicity. Kabay guesses that only 10% of computer crimes are
detected, and of those, only 10% are reported.[2]

Consider for a moment the tremendous increase of computer crime over
the past several years, fueled in part by widespread Internet
connectivity and the availability of automated cracking tools. Then
check out these computer crime stats displayed on the FBI's web site:

    Both investigative cases and successful prosecutions have
    increased significantly. Pending cases have increased 115% from
    the beginning of FY 1997, from 260 to 559. In FY 1997, there was
    a 110% increase in informations and indictments (from 10 to 21),
    950% increase in arrests (from 4 to 42), and an 88% increase in
    convictions (from 16 to 30).[3]

These numbers are underwhelming, given the tens of millions of
Americans on the net and the amount of online crime and mischief that
goes on every day. Clearly, the FBI isn't casting a very wide net. If
an organization with the resources of the FBI can't develop a solid
profile of computer crime stats, who can?

This raises an even sharper question: How can one assess the risk of
computer crime or calendar problems if there's no way to ascertain
their scope and severity? How can one develop a computer security
plan (and budget) if one doesn't know what the risk of loss is?

The bottom line: Treat Y2K and computer crime statistics with
skepticism. The total scope and severity of rollover problems are
unknowable -- they're not even guessable.

--------------------------------------------------------
2. TIPS: Know Thy Hosts
--------------------------------------------------------

Given the problem of ascertainment, how can one ensure computer
security at all? While it may be difficult or impossible to really
know what's happening in the larger world, you can take steps to
ascertain what's happening on your local hosts and local network.

Port scanning software programs are one ruthless way to discover the
security posture of your network (see the next section). But there
are also host-based tools you can run that report on the status of
individual personal computers and workstations.

If you run UNIX or Linux workstations, you've undoubtedly run
commands like ps, uptime, and netstat to inspect what's happening.
You've probably also installed a log-watching program like Swatch and
perhaps even a filesystem integrity checker like Tripwire.

If you're running Windows, perhaps you've noticed these simple
built-in utilities:

* Dr. Watson (C:\Windows\Drwatson.exe) -- Provides you with a
  snapshot of what's happening on your system. Pick the "Advanced"
  option and click on the "Tasks" tab to see what processes are
  running on your computer. Learn to recognize common tasks (and thus
  uncommon or potentially malicious tasks).

* Winipcfg (C:\Windows\Winipcfg.exe) -- Displays information about
  your Ethernet adapter (including address) and host (including name
  and IP address).

* netstat (C:\Windows\Netstat.exe) -- This simple command-line
  utility displays current TCP/IP connections (it has to be run at a
  DOS prompt). The "-a" flag shows all connections and listening
  ports.
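The netstat tip is most useful when a run is compared against a known-good one. As an added example, not part of the original bulletin, the script below parses Windows `netstat -a` output of the form excerpted below, lists listening ports and live sessions, and flags listeners missing from a hypothetical baseline; the sample text and the extra `12345` listener are constructed for the demonstration.

```python
# Constructed sample: the Windows `netstat -a` excerpt from this bulletin,
# plus one extra LISTENING line (port 12345) so the baseline check has a hit.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
  TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
  TCP    austerity:1409         example.com:22         ESTABLISHED
  TCP    austerity:nbsession    SROSS:0                LISTENING
  TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
  TCP    austerity:12345        SROSS:0                LISTENING
  UDP    austerity:nbname       *:*
  UDP    austerity:nbdatagram   *:*
"""

# Hypothetical baseline for this example: the NetBIOS listeners a Windows 9x
# box normally shows. Build your own from a run on a machine you trust.
BASELINE_LISTENERS = {("TCP", "nbsession"), ("UDP", "nbname"), ("UDP", "nbdatagram")}

def parse_netstat(text):
    """Return one dict per socket line: proto, local port, foreign host/port, state."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank line, or something we do not understand
        _, lport = fields[1].rsplit(":", 1)        # "austerity:1393" -> "1393"
        fhost, fport = fields[2].rsplit(":", 1)    # "example.com:22" -> host, port
        rows.append({"proto": fields[0], "lport": lport, "fhost": fhost,
                     "fport": fport, "state": fields[3] if len(fields) > 3 else ""})
    return rows

def listeners(rows):
    """Sockets accepting input: TCP in LISTENING plus every bound UDP socket."""
    return {(r["proto"], r["lport"]) for r in rows
            if r["state"] == "LISTENING" or r["proto"] == "UDP"}

def established(rows):
    """Live TCP sessions to other hosts, the ones worth recognising on sight."""
    return [(r["fhost"], r["fport"]) for r in rows if r["state"] == "ESTABLISHED"]

def unexpected_listeners(rows, baseline=BASELINE_LISTENERS):
    """Listeners not in the baseline: a new service, or something installed uninvited."""
    return listeners(rows) - baseline

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", sorted(listeners(rows)))
    print("established:", established(rows))
    print("not in baseline:", sorted(unexpected_listeners(rows)))
```

On a real machine, feed it the saved output of `netstat -a` and keep the first clean run as the baseline.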
Here is an excerpt of typical netstat output:

    C:\WINDOWS>netstat -a

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
      TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
      TCP    austerity:1409         example.com:22         ESTABLISHED
      TCP    austerity:nbsession    SROSS:0                LISTENING
      TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
      UDP    austerity:nbname       *:*
      UDP    austerity:nbdatagram   *:*

Run these tools on a regular basis to monitor what's running on your
computers. Become familiar with the tasks and processes your systems
run and be on the look-out for signs of anything unusual.

--------------------------------------------------------
3. TOOLS: nmap, SuperScan
--------------------------------------------------------

Last month, I mentioned the network security threat posed by port
scanning software, those increasingly popular programs that search
for open and listening ports on remote networked hosts. A port is an
abstraction that enables a process on one machine to communicate with
a process on another machine over a network. Popular net services
like the WWW, FTP, and Telnet each use different incoming ports
(numbers 80, 21, and 23, respectively). Open ports are potential
vulnerabilities since by definition they "listen for" or accept
connections from random machines on the net.

If computers on a network were houses in a neighborhood, then port
scanning software programs would be like both (1) burglars who go
door-to-door jiggling doorknobs, testing to see if they're locked, or
(2) the friendly members of the neighborhood watch program who do the
same. Dozens of these programs are available on the Internet, each
with different specialities (fast scans, stealthy scans, etc.).

Enter Fyodor. Fyodor got tired of having to use different port
scanners for different port scans. So he coded nmap, the Swiss Army
Knife of port scanners.
nmap can launch an exhaustive variety of port scans, including scans
targeting TCP, UDP, and ICMP (ping) services. The simplest "scan"
involves pinging a computer to see if it's running. More exhaustive
scans can tell which ports are open across hundreds or even thousands
of machines -- you specify a range of IP addresses to target, which
can be every machine on your LAN or all 65,000 machines on a Class B
network.

Port scanning is a "gray hat" activity. A tool like nmap can be used
by network administrators ("white hats") to discover and map all the
hosts on a network. It's also used by computer security experts to
search for potential vulnerabilities. Sadly, it can also be used by
crackers ("black hats") to seek out targets and assess their security
posture (see "Distributed Attacks" below).

The "gray" status of nmap is reinforced by its use of stealth. The
scans can be run at six different timing policies --
Paranoid|Sneaky|Polite|Normal|Aggressive|Insane -- with "Paranoid"
going extremely slow (in order to avoid intrusion detection systems)
and "Insane" going extremely fast. nmap also allows you to specify
decoy hosts that appear to launch scans along with the real host.
This makes it tough for system administrators or intrusion detection
programs to ascertain the true source of nmap scans.

One of the most powerful features of nmap is its remote operating
system detection ability. Essentially, nmap can test the TCP/IP stack
of a remote computer and make inferences about the operating system
that's running. This is particularly handy for system crackers, since
so many vulnerabilities and potential exploits are based on specific
OS versions.

Below is sample output from nmap, probing a web server. Note that it
successfully guessed the operating system (FreeBSD 3.2 in this case).

    # nmap -O 10.55.2.202

    Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on www.example.com (10.55.2.202):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    22      open        tcp       ssh
    23      open        tcp       telnet
    25      open        tcp       smtp
    80      open        tcp       http
    110     open        tcp       pop-3
    111     open        tcp       sunrpc
    443     open        tcp       https
    2049    open        tcp       nfs
    3306    open        tcp       mysql

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=24748 (Worthy challenge)
    Remote operating system guess: FreeBSD 2.2.1 - 4.0

    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

nmap only runs on real computers (i.e., UNIX, no Windows, no Macs).
If you're interested in exploring and learning about network
security, you really should set up a UNIX box with nmap, or at least
get a shell account on one. I recommend FreeBSD (see
http://www.freebsd.org), but Linux works just as well. Both are free
and can run on modest computer hardware. You can find out more and
download nmap at http://www.insecure.org/nmap/

If you're willing to accept a working substitute, check out
SuperScan, one of several free port scanners that runs on Windows
systems (95, 98, NT, 2000). While it doesn't have all of nmap's
features, it does have a nice graphical interface, including a slider
to control the timing of your scans. You can find out more and
download SuperScan at http://members.home.com/rkeir/software.html

--------------------------------------------------------
4. THREATS: Distributed Attacks
--------------------------------------------------------

Despite the shield of silence, word does get out about substantive
and widespread computer security threats. During the second half of
1999, numerous sites were hit by a new and very nasty form of attack
that utilizes a small army of Internet-connected hosts to flood and
deny service to a victim system.
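Read the way a "white hat" administrator would read it, the nmap listing in the previous section is an inventory of what a web server exposes to the whole net. As an added example, not from the bulletin or from the nmap project, the script below parses that listing, pulls out the OS guess, and flags every open port that is not on a hypothetical allow-list for a public web server; the sample text is the bulletin's output reflowed one port per line.

```python
import re

# Constructed sample: the bulletin's `nmap -O` listing, one line per port as nmap prints it.
SAMPLE_NMAP = """\
Interesting ports on www.example.com (10.55.2.202):
Port    State       Protocol  Service
21      open        tcp       ftp
22      open        tcp       ssh
23      open        tcp       telnet
25      open        tcp       smtp
80      open        tcp       http
110     open        tcp       pop-3
111     open        tcp       sunrpc
443     open        tcp       https
2049    open        tcp       nfs
3306    open        tcp       mysql
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=24748 (Worthy challenge)
Remote operating system guess: FreeBSD 2.2.1 - 4.0
"""

PORT_LINE = re.compile(r"^(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)")
OS_LINE = re.compile(r"^Remote operating system guess:\s*(.+)$")

def parse_nmap(text):
    """Return (open_ports, os_guess); open_ports maps (proto, port) -> service name."""
    open_ports, os_guess = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "open":
            open_ports[(m.group(3), int(m.group(1)))] = m.group(4)
            continue
        m = OS_LINE.match(line)
        if m:
            os_guess = m.group(1).strip()
    return open_ports, os_guess

def unexpected_services(open_ports, allowed):
    """Open ports absent from the host's allow-list; each one is exposure to review."""
    return {k: v for k, v in open_ports.items() if k not in allowed}

# Hypothetical allow-list for a public web server: ssh for admins, http, https.
WEB_SERVER_ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    ports, os_guess = parse_nmap(SAMPLE_NMAP)
    print("OS guess:", os_guess)
    for (proto, port), svc in sorted(unexpected_services(ports, WEB_SERVER_ALLOWED).items()):
        print(f"review {proto}/{port} ({svc}): not on the allow-list")
```

Run against the sample it reports ftp, telnet, smtp, pop-3, sunrpc, nfs and mysql as services a web server has no business offering to the whole Internet.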
The good folks at CERT Coordination Center at Carnegie Mellon
University have publicized and analyzed at least four related
distributed attack tools: Trinoo, Tribal Flood Network (TFN),
TFN2000, and Stacheldraht.

A classic denial-of-service attack overwhelms a service or resource
with a flood of requests. For example, if you were able to bombard a
web server with 10,000,000 http requests a minute, that web server
would likely grind to a halt. These kinds of attacks are very common,
though the attacker is often limited by the bandwidth available on
his or her system.

Instead of using a single system to launch an attack, an intruder
armed with a distributed attack tool can harness hundreds or even
thousands of machines -- and their combined bandwidth -- in an effort
to bring down a target. The attack most likely starts with port scans
that identify vulnerable hosts. The attacker then compromises the
hosts and installs a Trojan Horse "daemon" (client) capable of
launching packet flooding or other attacks against a victim. These
"daemon" systems are controlled by a smaller set of "master" systems,
which in turn are under the control of the attacker. The ASCII figure
below depicts the distributed attack tool method:[4]

                Daemon Host-----------------\
               /                             \
          Master                              \
         /     \                               \
        /       Daemon Host-----------------\   \
    ATTACKER                                  VICTIM
        \       Daemon Host-----------------/   /
         \     /                               /
          Master                              /
               \                             /
                Daemon Host-----------------/

Apparently, most of the infected clients are Sun Microsystems
workstations (fast servers with access to ample bandwidth). These get
rolled through the exploitation of known vulnerabilities such as
rpc.cmsd, rpc.statd port-bounce, and tooltalk buffer-overflow.
Anyone, however, can be victimized by the packet storm unleashed by
the daemons. This illustrates the fallacy of those who think, "I
don't need to worry about computer security because there's nothing
on my system that anyone would want."
In many cases, an attacker does not want any particular thing on a
system; he or she wants *the system itself* as a platform to attack
others. As CERT says:[5]

    Security on the Internet is a community effort. Your security
    depends on the overall security of the Internet in general.
    Likewise, your security (or lack thereof) can cause serious harm
    to others, even if intruders do no direct harm to your
    organization. Similarly, machines that are not part of
    centralized computing facilities and that may be managed by
    novice or part-time system administrators or may be unmanaged,
    can be used by intruders to inflict harm on others, even if those
    systems have no strategic value to your organization.

If you're running SunOS or Solaris, make sure your systems have been
updated with the latest security workarounds and patches. Check the
CERT site and http://www.sun.com/security/

The National Infrastructure Protection Center has released a
host-based tool for Solaris systems that can detect the presence of
Trinoo clients: http://www.fbi.gov/nipc/trinoo.htm

For a quick overview of the problem, see CERT's original advisory:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

Security gurus Dave Dittrich and Marcus Ranum have released a
scanning program that can be found at:
http://staff.washington.edu/dittrich/misc/sickenscan.tar

Finally, Dittrich has written a detailed and clear analysis of the
infestation. His report can be found at:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

--------------------------------------------------------
REFERENCES
--------------------------------------------------------

[1] For a catalog of Y2K problems, see http://y2kmistakes.com/
    Additional problems are discussed in The Risks Digest:
    http://catless.ncl.ac.uk/Risks/20.72.html
    For general Y2K info, see http://www.year2000.com

[2] M. E. Kabay (1998), "ICSA White Paper on Computer Crime
    Statistics". See
    http://www.icsa.net/html/library/whitepapers/crime.PDF

[3] These crime stats are from the FAQ at
    http://www.fbi.gov/nipc/nipcfaq.htm

[4] Based on a figure that appears in "Results of the
    Distributed-Systems Intruder Tools Workshop" (1999). See
    http://www.cert.org/reports/dsit_workshop.pdf

[5] From the latest advisory on distributed attacks at
    http://www.cert.org/advisories/CA-2000-01.html

============================================================
The Security Outpost Bulletin is published monthly by PC Guardian.
For information about our quality encryption software and anti-theft
devices, please visit us at
http://www.pcguardian.com/index.html?so102

To unsubscribe from this newsletter, send an email to
leave-security-outpost-news@lists.securityoutpost.com

To subscribe to this newsletter, send an email to
join-security-outpost-news@lists.securityoutpost.com
============================================================
FEEDBACK OR QUESTIONS

Contact the author directly:

Seth T. Ross
Director of Security Publications & Resources
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901
+1 415-459-0190 x143
sross@pcguardian.com
============================================================
Please mail this newsletter to someone you care about.
Copyright 2000 PC Guardian. All rights reserved.
============================================================