Chapter 4. Mining the Data Monster

Computer security is a constant process, not a product, and not following it can prove disastrous. Generally speaking, the security process goes something like this:

  1. After configuring your system as securely as possible with help from the resources discussed in this chapter, you, or some other party, discover a vulnerability.

  2. An exploit for that vulnerability becomes public knowledge.

  3. Your system’s vendor responds, typically with a patch or upgrade.

  4. By staying on top of alerts posted by vendors and security organizations, you learn of the exploit, assess its potential impact on your organization, and, if appropriate, download the fix, test it, and install it.

With luck, the fix works without any negative effects, and the process begins anew as you await the discovery of the next vulnerability. The key is that this is an iterative process, and an important part of it is staying current on the information available without suffering information overload.

Information Overload

This chapter offers a laundry list of mailing lists, Web sites, and FTP archives that house security information. That’s great, but if you subscribe to any security mailing list, you’ll immediately discover that list members are only slightly more courteous than Usenet users. These folks argue like schoolchildren, and they’ll do it on your time.

This dissension is a major problem. Your mailbox will be filled with, say, 100 messages daily, when only 12 of them have valuable information. The rest will consist of arguments, “me-too”s, and, sadly, spam.

This might not seem like a serious problem, but it is. If you run a heterogeneous network, you might need to subscribe to several lists. Because the average list generates about 30 messages a day, you might end up receiving between 150 and 300 messages daily.

Here are some suggestions to help you out:

  1. Before joining a slew of mailing lists, prepare your system to compartmentalize the output. Set up an email box expressly for receiving security-based mail. Allot one email address for each mailing list you join. For example, create accounts ntsec, sunsec, and hpuxsec to receive mail related to NT security, Sun security, and HP-UX security. This will at least separate the material by operating system or subject. (If you don’t have a permanent network connection, you can still do this by establishing Web-based mailing addresses. Many companies provide free email accounts to the public. The downside with that, of course, is that many mailing lists will block domains such as hotmail.com and altavista.net, because these domains are often used for spamming.)

  2. Subscribe only to digests or moderated groups. Most mailing lists offer a digested or moderated version of their list. These versions generally have a lower noise-to-signal ratio. In other words, irrelevant posts and messages are edited out prior to distribution. You therefore receive more relevant and pertinent information.

  3. Choose lists that have searchable archives, such as BugTraq or the others located at http://www.securityfocus.com.

It might be worth your time to automate at least the cursory analysis of advisories and mailing list messages. For example, if you maintain a network that runs three or four platforms, the amount of security mail you receive each day will be more than you can humanly read. With the use of Perl scripts, you can develop a primitive but effective method of mining data automatically. It works like this:

  1. As suggested previously, structure your directory to reflect the names of various operating systems (/aix, /linux, and so on) and various security issues (such as /denial_of_service).

  2. When a mail message arrives, it’s examined by subject line and the first six lines of the body. If an operating system name appears in those lines, the mail is redirected to the appropriate directory.

  3. Once a day, a Perl script traverses those directories, scanning for original posts. (In other words, all “Re:” posts are discarded from the list.) Alternatively, if you use an email client such as Outlook or Outlook Express, you can configure a rule to delete posts from the mailing list that have Re: in the subject line.

  4. The resulting messages are printed.

This process ensures that you see every original advisory. The obvious problem with this approach, however, is that often meaningful discussion appears in follow-up posts. Most moderated mailing lists enable you to search for a particular “thread” of interest. This way, your time is focused on the few items of importance to you, rather than on several issues that do not affect you.
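One way to build the routing step of the procedure above, as an added example that is not code from the book: the chapter suggests Perl, but this version is written in Python. It inspects the subject line plus the first six body lines, discards "Re:" follow-ups, and returns the directory a message belongs in. The keyword table, the directory names and the sample messages are assumptions constructed for the example.

```python
"""Route incoming security-list mail into per-OS / per-issue directories.

Added example, not code from the book: it implements the classification
step the chapter describes (subject line plus the first six body lines,
"Re:" posts discarded) in Python instead of Perl. The keyword table and
directory names are assumptions; adapt them to your own mailbox layout.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

BODY_LINES = 6          # the chapter inspects the subject plus six body lines
DEFAULT_DIR = "/unsorted"

# Keyword -> directory. Operating systems are checked before generic issues,
# so a Linux denial-of-service advisory lands in /linux, as the chapter wants.
OS_KEYWORDS = {
    "aix": "/aix", "linux": "/linux", "solaris": "/sun", "sunos": "/sun",
    "hp-ux": "/hpux", "irix": "/sgi", "windows": "/nt", "nt": "/nt",
}
ISSUE_KEYWORDS = {
    "denial of service": "/denial_of_service",
    "denial-of-service": "/denial_of_service",
    "buffer overflow": "/buffer_overflow",
}


def is_reply(subject: str) -> bool:
    """True for follow-ups ("Re:", "RE:", "Re[2]:"), which the daily pass drops."""
    return re.match(r"\s*re(\[\d+\])?\s*:", subject, re.IGNORECASE) is not None


def _plain_body(msg: Message) -> str:
    """First text/plain part of the message as str, or "" if there is none."""
    for part in msg.walk():          # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode("utf-8", "replace")
    return ""


def classify(raw_message: str) -> Optional[str]:
    """Destination directory for one raw RFC 822 message, or None if it is a
    reply and should be discarded."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if is_reply(subject):
        return None
    window = [subject] + _plain_body(msg).splitlines()[:BODY_LINES]
    text = "\n".join(window).lower()
    for table in (OS_KEYWORDS, ISSUE_KEYWORDS):
        for keyword, directory in table.items():
            # Whole-word match, so "nt" does not fire on "counter".
            if re.search(r"(?<![\w-])" + re.escape(keyword) + r"(?![\w-])", text):
                return directory
    return DEFAULT_DIR


# Constructed sample messages (not real list traffic).
SAMPLES = {
    "solaris": "From: list@example.invalid\nSubject: [SAMPLE] Solaris patch "
               "cluster refreshed\n\nNew cluster posted, see vendor site.\n",
    "reply": "From: someone@example.invalid\nSubject: Re: [SAMPLE] Solaris "
             "patch cluster refreshed\n\nme too\n",
    "linux_in_body": "Subject: [SAMPLE] list housekeeping\n\n"
                     "Reminder for subscribers.\nThis affects Linux hosts only.\n",
    "os_too_deep": "Subject: [SAMPLE] weekly digest\n\n"
                   + "filler\n" * 8 + "AIX note buried on line 9\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw)}")
```

The "os_too_deep" sample shows the weakness of the six-line window: an operating-system name mentioned further down falls through to the unsorted directory.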

How Much Security Do You Need?

Do you really need all that information from all those lists? Probably. Most vendors wait until strategically favorable moments to distribute patches on hard media. Therefore, by the time you get a CD-ROM with patches, your system can be 30–100 patches behind. In the interim, your system isn’t safe.

Additionally, if you don’t keep up with developments on at least a weekly basis, bringing your network up to date might prove to be an overwhelming task.

NOTE

Another irritating factor is that some vendors aren’t in any hurry to publicly acknowledge flaws in their software. Microsoft is sometimes guilty of this, denying problems until proof becomes so widespread that they no longer have plausible deniability. Even then, the information often only becomes available in knowledge base articles and exploit Web sites.

Just as a car manufacturer cannot be held responsible if the owner has not maintained the brakes and tires, a computer vendor cannot be responsible for a system that is not configured securely with up-to-date patches. The bottom line is that it’s your responsibility to chase down security information. If your network gets cracked, it’s you (and not your vendor) who shoulders the blame. You must keep yourself informed on recent developments.

The remainder of this chapter identifies key sources of up-to-date security information. I strongly suggest that you assign someone in your organization to track such information.

General Sources

The following sources have both up-to-the-minute information and legacy information.

The Computer Emergency Response Team (CERT)

  • Computer Emergency Response Team (CERT) Coordination Center

  • Software Engineering Institute

  • Carnegie Mellon University

  • URL: http://www.cert.org

The Computer Emergency Response Team (CERT) was established in 1988 following the Morris Worm incident. Since then, CERT has issued hundreds of security advisories, and has responded to more than 140,000 reports of Internet break-ins, and more than 7,000 vulnerabilities (see http://www.cert.org/stats/cert_stats.html#incidents).

CERT not only issues advisories whenever a new security vulnerability surfaces, but it also

  • Remains on call 24 hours a day to provide vital technical advice to those who have suffered a break-in.

  • Uses its Web site to provide valuable security information, both new and old (including papers from the early 1980s).

  • Publishes an annual report that can give you great insight into security statistics.

There was a time when CERT did not publish information on a hole (a vulnerability) until after a fix had been developed. Opinion on this stance varied. Some felt it was counterproductive to advertise an exploit until it was fixed. On the other side of the fence were those who believed that by the time the “white hat” community became aware of a vulnerability, the “black hat” cracking community was well aware of it, and probably had been circulating information about it through their channels for some time. By not publishing the information right away, CERT was keeping the ethical hacking community unaware and vulnerable. In October 2000, CERT compromised by adopting a policy whereby it will issue an alert 45 days (in most cases) after its initial report, regardless of vendor action. Complete details on CERT’s disclosure policy can be found on its Web site at http://www.cert.org/faq/cert_faq.html#C9.

CERT advisories generally contain location URLs for patches and vendor-initiated information. From these sites, you can download code or other tools that will help proof your system against the vulnerability. CERT is also a good starting place to check for older vulnerabilities, as the database goes back to 1988.

NOTE

A bit of trivia: The first CERT advisory was issued in December 1988—it concerned a weakness in FTPD.

There are several sources where you can obtain CERT advisories, including the following:

The U.S. Department of Energy Computer Incident Advisory Capability

  • Computer Incident Advisory Capability (CIAC)

  • Computer Security Technology Center

  • Lawrence Livermore National Laboratory

  • URL: http://www.ciac.org/ciac

Computer Incident Advisory Capability (CIAC) was established in 1989. CIAC maintains a database of security-related material intended primarily for the U.S. Department of Energy. However, most information and tools housed at CIAC are available to the public.

The CIAC site is an excellent information source. Here are some CIAC resources available to you:

  • CIAC virus information—CIAC has links to eight of the major anti-virus corporations’ databases (http://www.ciac.org/ciac/ciac_virus_info.html).

  • CIAC security bulletins—CIAC bulletins are very much like CERT advisories. They describe particular vulnerabilities and possible solutions. CIAC has a search engine as well, so you can rake through past bulletins for interesting information.

  • CIAC security documents—CIAC has an interesting and ever-growing collection of security documents. Some are how-to in nature (for example, how to secure X Window System), whereas others are informational (such as lists of security information links). Most are available in both plain text and PDF formats.

  • CIAC tools—CIAC has links to excellent security tools, most of which are free. There are tools that support DOS/Windows 9x, NT/2000, Unix, and Macintosh. Some are free only to government agencies and their contractors.

CIAC has a searchable archive of advisories and bulletins at http://www.ciac.org/cgi-bin/index/bulletins.

The following are some examples of important information provided by CIAC to the public:

  • Defense Data Network advisories

  • CERT advisories

  • NASA advisories

The National Institute of Standards and Technology Computer Security Resource Clearinghouse

  • Computer Security Resource Clearinghouse (CSRC)

  • National Institute of Standards and Technology (NIST)

  • URL: http://csrc.nist.gov/

The NIST CSRC Web site offers a sizable list of publications, tools, pointers, organizations, and support services. In particular, the following resources are extremely helpful:

  • NIST Information Technology Laboratory (ITL) computer security bulletins—Bulletins from ITL cover various topics of current interest. Although ITL documents seldom deal with specific vulnerabilities, they do apprise readers of the latest developments in security technology.

  • CSRC drafts—CSRC drafts record important security research being conducted at NIST and elsewhere. These documents can help you define security plans and policies. (A sample title is “User Guide for Developing and Evaluating Security Plans for Unclassified Federal Automated Information Systems.”) In particular, CSRC has a multitude of documents that deal with security policy.

  • The CSRC search engine—CSRC provides a search engine that links information from a wide range of agencies and resources.

The CSRC advisory page has links to other valuable references, including the Federal Computer Incident Response Capability (FedCIRC), CERT, the National Infrastructure Protection Center (NIPC), and the Forum of Incident Response and Security Teams (FIRST). These sources provide up-to-the-minute warnings about various vulnerabilities.

The BugTraq Archives

The BugTraq archives contain all messages sent to the BugTraq mailing list. The majority of these messages describe holes in the Unix operating system. The site is of particular interest because it features a search mechanism that enables you to search based on platform (Sun, Linux, Microsoft), viruses, IDSs, advisories, and other topics.

The BugTraq list is an excellent resource because it isn’t inundated with irrelevant information. The majority of posts are short and informative. Chris Chasin, the founder of BugTraq, describes the list as follows:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing the use of security holes and risks.

BugTraq is probably the Internet’s most valuable resource for online reporting of Unix-based vulnerabilities. There are more than 20 different mailing lists that focus on specific platforms and security issues, including forensics, Microsoft, security basics, VPNs, mobile code, and others. Visit it at http://www.securityfocus.com.

The Forum of Incident Response and Security Teams (FIRST)

FIRST is a coalition of many organizations, both public and private, that work to circulate Internet security information. Some FIRST members are

  • DoE Computer Incident Advisory Capability (CIAC)

  • NASA Automated Systems Incident Response Capability

  • Purdue University Computer Emergency Response Team

  • Stanford University Security Team

  • IBM Emergency Response Service

  • Australian Computer Emergency Response Team

FIRST exercises no centralized control. All members of the organization share information, but no one exercises control over any of the other components. FIRST maintains a list of links to all FIRST member teams with Web servers. Check out FIRST at http://www.first.org/team-info/.

Mailing Lists

Table 4.1 identifies key security mailing lists. The majority of these lists issue up-to-the-minute advisories.

Table 4.1. Mailing Lists for Holes and Vulnerabilities

List

Description

http://www.iss.net/security_center/maillists/

The alert list at Internet Security Systems features alerts, product announcements, and company information. To subscribe to this and other ISS lists, complete the form at http://online.securityfocus.com/cgi-bin/sfonline/subscribe.pl. BugTraq and several other mailing lists are available at http://www.securityfocus.com. This Web page has instructions and an online form for you to pick which mailing lists you want to join. As of this writing, there are 20 lists to choose from. Their Mailing Lists pull-down menu has an Other Lists link with pointers to even more mailing lists hosted by other sites.

http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

The Firewall Wizards mailing list. This list is a moderated forum for advanced firewall administrators.

https://listman.redhat.com/mailman/listinfo/

Get information regarding Red Hat mailing lists.

http://www.checkpoint.com/services/mailing.html

The Firewall-1 security list. This list focuses on issues related to CheckPoint’s Firewall-1 product.

http://www.isc.org/services/public/lists/firewalls.html

The Firewalls mailing list focuses on firewall security (previously known as ).

The Cyberpunks mailing list. Members discuss issues of personal privacy and cryptography. (If a major cryptographic API is broken, you’ll probably hear it here first.) To subscribe, send a message with the command SUBSCRIBE in the body.

The Intrusion Detection Systems list. Members of this list discuss real-time intrusion detection techniques, agents, neural-net development, and so forth. To subscribe, send a message with the command subscribe ids in the body.

The Risks forum—members of this list discuss a wide variety of risks that we are exposed to in an information-based society. Examples are invasion of personal privacy, credit card theft, cracking attacks, and so on. To subscribe, send a message with the command SUBSCRIBE in the body.

The Secure Sockets Layer mailing list—members of this list discuss developments in SSL, and potential security issues. To subscribe, send a message with the command SUBSCRIBE in the body.

For a thorough compilation of mailing lists, you can also go to http://www.securityfocus.com. Select mailing lists from the main page—you will see about 20 lists. To see even more, click Other Lists or go directly to it at http://www.securityfocus.com/focus/home/menu.html?fm=8,23,0&action=unfold and explore the lists by category.

Usenet Newsgroups

You can also occasionally collect interesting information that doesn’t appear elsewhere from Usenet security groups. Table 4.2 outlines some newsgroups that discuss security holes. Some newsgroups such as alt.2600 are included so you can get an idea of how the hacker community shares, debates, and brags. The newsgroups are not all intended for everyday reading, but are interesting to visit once in a while. One final note: Newsgroups come and go, and activity might decrease over time. Make use of a newsgroup search engine such as Google Groups—http://www.google.com/grphp?hl=en&ie=UTF-8&oe=UTF-8—to find newsgroups that are active and relevant to you.

Table 4.2. Security Newsgroups

Newsgroup

Topics Discussed

alt.2600.crackz

Hacking, cracking. This group focuses mainly on cracks. This is a distribution point for cracks and warez.

alt.2600.hackerz

Hacking, cracking. This group is similar to alt.2600.

alt.computer.security

General computer security. Roughly equivalent to comp.security.misc, described later.

alt.hackers.malicious

DoS, cracking, viruses. These folks focus on causing damage to their targets.

alt.security

Very general security issues. Occasionally, there is some interesting information here. However, this group also carries personal security information, including alarms and pepper spray as well as terrorism and espionage.

alt.security.pgp

Pretty good privacy. This group spawns interesting (and occasionally exhaustive) debates on cryptography.

comp.lang.java.security

The Java programming language. This group has interesting information. Certainly, whenever some major defect is found in Java security, the information will appear here first.

comp.security.firewalls

Firewalls. This group is a slightly more risqué environment than the Firewalls mailing list. The discussion here is definitely noteworthy and worthwhile.

comp.security.misc

General security.

comp.security.unix

Unix security. This group often has worthwhile discussions and up-to-date information. Probably the best overall Unix newsgroup.

comp.os.linux.security

Good Linux security. It contains a broad range of security-related topics, including firewalls (ipchains), networking, and system administration.

Vendor Security Mailing Lists, Patch Depositories, and Resources

Finally, this section identifies vendor sites, patch archives, and lists that house important security information.

Silicon Graphics Security Headquarters

The Silicon Graphics Security Headquarters provides the following services to the public:

  • SGI security advisories—SGI advisories provide up-to-the-minute information on vulnerabilities in the IRIX operating system. These advisories are available at http://www.sgi.com/support/security/advisories.html.

  • SGI security patches—SGI provides a patch archive. This is a good place to find solutions to older vulnerabilities. SGI patches are located at http://www.sgi.com/support/security/patches.html.

  • Q’s toolbox of programs—This is a collection of security-related programs that can help shore up your SGI system’s security. (These include scanning tools, logging utilities, and even access control list tools.) Get these programs at http://www.sgi.com/support/security/toolbox.html.

  • A site with several FAQs, which would be of interest not only to security managers, but also to administrators and developers, is http://www-viz.tamu.edu/~sgi-faq/faq/html-1/. A sample tip that can be found here is what to do when you’ve forgotten the root password.

The Sun Security Bulletin Archive

Sun Microsystems provides up-to-date security bulletins about many of its products. These bulletins and patches are available on the SunSolve server at http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec.

The ISS Security Center

This site (http://www.iss.net/security_center/) maintains an excellent vulnerability database. It is searchable by the name of the vulnerability or by system platform. The site also has a newsletter, mailing list and security library with links to dozens of other sites, presentations, and PDF documents for ISS products.

Eugene Spafford’s Security Hotlist

Eugene Spafford’s site can be summed up in five words: the ultimate security resource page. Of the hundreds of pages devoted to security, this is the most comprehensive collection of links available. In contrast to many link pages whose links expire, these links remain current. Check it out online at http://www.cerias.purdue.edu/hotlist/.

SANS Institute

The SANS Institute offers free subscriptions to newsletters that do a lot of the data mining for you. SANS pulls news of critical security news from several of the sources mentioned previously (CERT, NIPC, BugTraq, and so on) as well as vendor sources that were not mentioned. SANS also puts together three digests:

  • Security Alert Consensus (SAC)—weekly

  • SANS NewsBites—weekly

  • SANS Windows Security Newsletter—monthly

Particularly noteworthy is the SAC. When subscribing from the SANS Web site, you can specify which platforms you are interested in. This enables you to personalize your newsletter and limit the “noise” you might otherwise have to sift through. Currently, SANS collects news from 72 sources, so you only need to read one. Sign up at http://www.sans.org/sansnews.

International Association of Computer Investigative Specialists (IACIS)

An excellent resource for anyone involved in the investigation of computer crime is IACIS. IACIS is an organization of dedicated volunteers catering to those in law enforcement. They provide training in the legal aspects of search and seizure of computer equipment and in forensic analysis of computer evidence, and they run a certification program for forensic examiners called the CFCE (Certified Forensic Computer Examiner). The certification process is vendor-neutral, and starts with a two-week training conference (which can be waived if you have sufficient work experience). Unlike other certification “bootcamps,” you are then assigned a mentor to help guide you through the remainder of the process. This includes completion of seven projects and a written exam, all of which must be completed within a year.

Another invaluable resource they provide is the IACIS List-Server. This mailing list enables a world-wide community of law-enforcement professionals to assist one another with questions ranging from how to extract a hard drive from a specific laptop computer to handling legal issues. There is also an FTP site with tools, technical papers, and procedural documents available. For more information, see http://www.cops.org.

Summary

Your key to success is timely access to relevant information. Too much information, and you might not pay enough attention to an important issue that gets lost in the noise. So, before you subscribe to every list you find, keep in mind that there is a fair bit of redundancy and overlap in what many of them cover. Look through the lists’ archives/Web sites and see which lists suit you—which go into the level of detail you are comfortable with, and pay attention to issues that are relevant to your environment. This will be time well spent, because the window between vulnerability announcements is becoming shorter and shorter.
