Path: utzoo!utgpu!water!watmath!clyde!att!rutgers!bellcore!texbell!ssbn!carpet!bill
From: bill@carpet.WLK.COM (Bill Kennedy)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Message-ID: <170@carpet.WLK.COM>
Date: 25 Oct 88 07:29:12 GMT
References: <167@carpet.WLK.COM> <1454@lznv.ATT.COM> <1834@ddsw1.MCS.COM> <1325@nmtsun.nmt.edu> <1146@unisec.usi.com> <933@stiatl.UUCP>
Reply-To: bill@ssbn.WLK.COM (Bill Kennedy)
Distribution: na
Organization: W.L. Kennedy Jr & Associates, Pipe Creek, TX
Lines: 53

There are two purposes to this follow-up. First, my apologies for not posting the promised summary. I have it, but it's at my home site in Texas and I am in California on assignment. I will post it as soon as I get back.

Second, I see two threads in the discussion. One says "gosh, let's not talk about it" and the other (with which I agree) says "we'd better talk about it or we're going to get ugly surprises".

I have some experience as an intruder. I was specifically assigned, by my (a previous) employer, to crack security in the data center. This was a large IBM mainframe shop, so the analogy isn't perfect. The first thing we did was to copy all of the company's financial and personnel files to tape. They were all very carefully password and date protected. I used an IBM utility, iebcopy, which knew nothing of the protection schemes and proceeded without any intervention by the security imposed. Having saved and verified the copy, I then proceeded to overwrite those data sets with sarcastic remarks about the security. The correct data were restored when the first howls were heard the following morning. The security people were, of course, furious, but the simple fact was that the data were compromised and there wasn't a thing they could do about it. Ironically, security within the company was pretty strict, but a vandal logged in from TSO could have shredded us.

I was also able to anger the security people with an attache case filled with bricks. I went by that big pretty window that showed off the mainframe and threw in the case with a sheet of greenbar paper taped to the side inscribed "BOMB". After it shattered the glass it skidded across the floor and came to rest beneath the system console, where it "detonated". Those are two examples taken from real life in a Fortune 100 company that lives and dies by its computing center.

Moving back to our own world for a moment... My site has had a malicious intruder; one of my news/mail neighbors has too. I fear that my neighbor got cracked because my own security was lax. I don't think this can be overdiscussed. I don't think we need to publish technique ("here's how I got past cron"), but we can share common sense ideas, experience, and general precautions to keep out the `tourists'. An accomplished vandal *will* penetrate and vandalize your system unless you have it physically secure (which means no phone lines). It's a fact; let's accept that. I want to explore those things we can do to deter the amateur or journeyman jerk.

In (merciful) conclusion, I noticed a leak at my site. My Telebit modems were set up to force DCD high regardless of carrier presence. This was OK for uucp and other things that terminate normally, but if I was logged in from here (worse, shudder, su'd to root) and just took a disconnect, then the next thing to call that line picked up where I left off. The modem did the right thing, but the SIGHUP never got through, so the process just lived on. What now? I have my modems make DCD follow `real' carrier detect and suffer the inconveniences setting them up.
--
Bill Kennedy
Internet: bill@ssbn.WLK.COM
Usenet: { killer | att | rutgers | uunet!bigtex }!ssbn!bill
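The modem-side fix above (make DCD follow real carrier) has a host-side twin: the tty driver only turns a carrier drop into SIGHUP when the line is not marked "local" (CLOCAL clear), and it only drops DTR to make the modem hang up when HUPCL is set. The following is an added example, not code from the original post, that audits those two termios flags on a line and exercises both settings on a pseudo-terminal, which stands in for a dial-in port; the function names and the pty stand-in are this example's own assumptions. It generalizes the post's single Telebit case to any POSIX tty, since the same flags govern serial ports, ptys and modem lines alike.

```python
"""Audit a tty line for the carrier-handling flags that decide whether a
dropped call actually hangs up the login session (added example, hypothetical
helper names; a pty stands in for a real dial-in line)."""
import os
import termios


def carrier_policy(fd):
    """Describe how the tty driver on fd treats the modem control lines.

    CLOCAL set  -> driver ignores DCD: a disconnect never produces SIGHUP, so
                   the session outlives the call and the next caller inherits
                   it (the leak described in the post).
    HUPCL set   -> driver drops DTR on last close, forcing the modem to hang
                   up instead of leaving the call parked on the line.
    """
    cflag = termios.tcgetattr(fd)[2]          # index 2 is c_cflag
    ignores_carrier = bool(cflag & termios.CLOCAL)
    hangs_up_on_close = bool(cflag & termios.HUPCL)
    return {
        "ignores_carrier": ignores_carrier,
        "hangs_up_on_close": hangs_up_on_close,
        # A dial-in line is only sound if it honours carrier AND hangs up.
        "safe_for_dialin": (not ignores_carrier) and hangs_up_on_close,
    }


def set_carrier_policy(fd, ignore_carrier, hangup_on_close):
    """Set or clear CLOCAL / HUPCL on fd (what a getty or login script would do)."""
    attrs = termios.tcgetattr(fd)
    cflag = attrs[2]
    cflag = (cflag | termios.CLOCAL) if ignore_carrier else (cflag & ~termios.CLOCAL)
    cflag = (cflag | termios.HUPCL) if hangup_on_close else (cflag & ~termios.HUPCL)
    attrs[2] = cflag
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def demo():
    """Exercise both policies on a constructed pty and return the two audits."""
    master, slave = os.openpty()
    try:
        # The "DCD forced high" equivalent on the host side: ignore carrier.
        set_carrier_policy(slave, ignore_carrier=True, hangup_on_close=True)
        forced_high = carrier_policy(slave)
        # The fix the post settled on: let the session follow real carrier.
        set_carrier_policy(slave, ignore_carrier=False, hangup_on_close=True)
        follows_carrier = carrier_policy(slave)
    finally:
        os.close(master)
        os.close(slave)
    return forced_high, follows_carrier


if __name__ == "__main__":
    before, after = demo()
    print("ignoring carrier:", before)
    print("following carrier:", after)
```

To audit a real port, open the device (for instance the dial-in tty a getty runs on) and pass its descriptor to carrier_policy; a line reporting ignores_carrier as true is one where a dropped call leaves the shell alive for whoever dials in next, exactly the failure mode the post describes.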