Date: 03 November 1995
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
AL-95.05 AUSCERT Alert
November 3, 1995
Increased Network Monitoring Attacks
- -----------------------------------------------------------------------------
There has been a dramatic increase in intruder activity in recent weeks. The
intruders have a wide range of tools for breaking into computer systems and
have caused malicious damage to some sites. Network sniffers are being widely
deployed, netting the intruders unauthorised access to a large number of
accounts. The intruders are very careful to remove most traces of their
intrusions on computer systems.
No specific platform or version of Unix is being targeted and the intruders
are familiar with most versions of Unix. Access to non-Unix systems has been
gained through the unauthorised use of accounts whose passwords have been
obtained via network sniffers.
The intruders are exploiting well-known vulnerabilities and misconfigurations
of computer systems, for which solutions are already available.
Analysis of incident trends over the past two years indicates a significant
increase in intruder activity during the months of November and December.
This may be due to the end of the academic year, combined with general staff
shortages as staff take summer holidays. In particular, the week between
Christmas and the New Year is notorious for unnoticed computer intrusions.
AUSCERT advises sites to take the time now to review their computer system and
network security as a matter of priority. Alec Muffett, Sun Microsystems
Network Security Engineer, stated:
"Even if a host has been 'locked down' in accordance with some
comprehensive security policy, as time progresses more people will
become aware of the host's existence, and hitherto undiscovered
flaws in its hardware, software, or inadequacies in the standard
to which it was secured, will come to light. In short: even
though the machine per se does not change, its defences weaken as
more becomes known about them." [1]
A number of documents to assist system administrators with security issues can
be found on the AUSCERT ftp server. Particularly useful documents are the
AUSCERT Unix Security Checklist [2], CERT Advisory CA-94.01 [3], AUSCERT Alert
AL-95.01 [4], and the CERT Security Information text [5].
A number of tools to assist system administrators in assessing the security of
computer systems can be found on the AUSCERT ftp server, including COPS [8]
and TAMU Tiger [9].
It is imperative that all security-related vendor patches are applied. Some
patches are available on the AUSCERT ftp server [6]. For a complete list of
relevant patches for your system, contact your vendor representative.
Any network services not required outside of your organisation should be
filtered at the router. This particularly applies to X11, NFS, "r" commands,
and TFTP. Filters should be installed to prevent IP Spoofing attacks (see
CERT Advisory CA-95.01 [7]). Any network services not essential to the
correct operation of the computer system should be disabled.
The effective use of TCP Wrappers [10] provides increased access control and
logging. The correct use of Tripwire [11] will greatly assist in the rapid
recovery from any computer intrusion, provided the Tripwire database was
created and protected using a known secure system (refer to the Tripwire
documentation for further details). Tripwire may also give early warning of
intruder activity on the system.
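The Tripwire advice above rests on one condition: the integrity database must be built on a known secure system and kept where an intruder on the monitored host cannot rewrite it, or a later comparison proves nothing. The POSIX shell script below is an added example, not part of this alert and not Tripwire's or AUSCERT's own code. It builds a read-only SHA-256 baseline of a directory tree, verifies the tree against it, and reports modified, added and removed files. It assumes GNU coreutils (sha256sum, mktemp); the sample tree it scans is constructed purely for illustration and includes a hosts.deny file carrying the TCP Wrappers default-deny rule, so the same run also shows what an unexpected change to that access-control file looks like in the report.

```shell
#!/bin/sh
# Added example, not part of the AUSCERT alert and not Tripwire's own code:
# a minimal file-integrity baseline in the spirit of Tripwire.  Assumes GNU
# coreutils (sha256sum, mktemp) and POSIX sh.  The sample tree that demo()
# creates is constructed for illustration only.

# Print "digest  ./path" for every regular file below directory $1 in a stable
# order, so that two scans of identical trees give byte-identical output.
hash_tree() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum -- "$f"
      done )
}

# Build the baseline for tree $1 into file $2 and make it read-only.  In real
# use the file belongs on read-only media or a separate trusted host: a
# baseline an intruder can rewrite proves nothing.
build_baseline() {
    hash_tree "$1" > "$2"
    chmod 0444 "$2"
}

# Compare tree $1 against baseline $2.  Prints one line per differing entry
# and returns 1 if anything was modified, added or removed, 0 on a clean match.
verify_baseline() {
    current=$(mktemp) || return 2
    hash_tree "$1" > "$current"
    rc=0
    if ! cmp -s "$2" "$current"; then
        rc=1
        # '<' lines exist only in the baseline (modified or removed files);
        # '>' lines exist only in the current scan (modified or added files).
        diff "$2" "$current" | sed -n 's/^< /baseline only: /p; s/^> /current only:  /p'
    fi
    rm -f "$current"
    return $rc
}

# Scenario: a clean tree verifies, then tampering is detected.  Returns 0 when
# the clean scan passes and the tampered scan reports exactly three entries.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/tree/etc"
    # Constructed sample files; hosts.deny carries the TCP Wrappers default-deny rule.
    printf 'root:x:0:0::/:/bin/sh\n' > "$work/tree/etc/passwd"
    printf 'ALL: ALL\n' > "$work/tree/etc/hosts.deny"

    build_baseline "$work/tree" "$work/baseline.db"
    if verify_baseline "$work/tree" "$work/baseline.db" > /dev/null; then
        clean=0
    else
        clean=1
    fi

    # Simulate tampering: the access-control file is altered and a file appears.
    printf 'ALL: ALL EXCEPT LOCAL\n' > "$work/tree/etc/hosts.deny"
    printf 'unexpected\n' > "$work/tree/etc/unexpected"
    changed=$(verify_baseline "$work/tree" "$work/baseline.db" | grep -c . || true)

    rm -rf "$work"
    # Expected report: old hosts.deny digest, new hosts.deny digest, added file.
    [ "$clean" -eq 0 ] && [ "$changed" -eq 3 ]
}

# Run the scenario when executed directly:  sh integrity_demo.sh --demo
[ "${1:-}" = "--demo" ] && demo
```

The report distinguishes a changed file (its path appears once as "baseline only" with the old digest and once as "current only" with the new one) from an added file (a single "current only" line) and a removed file (a single "baseline only" line). Making the baseline read-only on the monitored host is only a convenience against accidents; what protects it against an intruder with root access is keeping a copy off that host, which is the point the alert makes about Tripwire.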
[1] Muffett, Alec, WAN-hacking with AutoHack - Auditing security behind
the firewall, Proceedings of the 5th USENIX Unix Security Symposium,
6th June 1995.
[2] ftp://ftp.auscert.org.au/pub/
auscert/papers/unix_security_checklist_1.0
[3] ftp://ftp.auscert.org.au/pub/
cert/cert_advisories/CA-94:01.network.monitoring.attacks
[4] ftp://ftp.auscert.org.au/pub/
auscert/advisory/AL-95.01.Ongoing.Network.Monitoring.Attacks
[5] ftp://ftp.auscert.org.au/pub/
cert/tech_tips/security_info
[6] ftp://ftp.auscert.org.au/pub/
mirrors/sunsolve1.sun.com/
mirrors/ftp.sgi.com/
mirrors/sgigate.sgi.com/
mirrors/software.watson.ibm.com/
[7] ftp://ftp.auscert.org.au/pub/
cert/cert_advisories/CA-95:01.IP.spoofing
[8] ftp://ftp.auscert.org.au/pub/
cert/tools/cops/1.04/
[9] ftp://ftp.auscert.org.au/pub/
mirrors/net.tamu.edu/tiger*
[10] ftp://ftp.auscert.org.au/pub/
mirrors/ftp.win.tue.nl/tcp_wrappers_7.2.tar.gz
[11] ftp://ftp.auscert.org.au/pub/
coast/COAST/Tripwire/tripwire-1.2.tar.Z
- ----------------------------------------------------------------------------
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key
iQCVAwUBMJqUDyh9+71yA2DNAQF8ywP9Hu9M9iuFTbsdUXbv2uiCvflj9zPPMIlO
tY8CEOux1Y6wllb0oG1SRSB7DLEc6bZN0hQLK4+FW5rPipWtDUeAcTSeX2LyhVAA
4aU73GGFSdAvX7FhPLTzBSgQKHPrJuzPcYSzlJrucvKBGhZ3ekWMEZcKoEKCyO+8
lvqC5L5N3zs=
=ZVp+
-----END PGP SIGNATURE-----