Bugtraq mailing list archives

Re: No Security is Bad Security:


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Fri, 5 Feb 1999 09:25:38 +1300


On Wed, 3 Feb 1999 08:33:10 -0800 "Jan B. Koum" <jkb () BEST COM> wrote:


1) Don't log in as root on a machine that most likely has been
compromised. Bad things can happen.

        You have to login as root to shutdown the system. You don't
        want to 'just turn it off' since you can lose data.

I guess the rule should be 'Do the minimum necessary as root'  and be
aware that your normal tools may be trojaned.


3) Do *immediately* take the machine offline, and mount the disks on
another system for analysis.

        True. Don't forget to mount rdonly,noexec,nosuid,nodev
        (mentioned above and some flags are redundant).

Errr... I must be thick!  How can you take the machine offline and
still have disks mounted on another system?  Do you mean physically
take the disks and install them in another box or boot up on a CDROM?

For Intel-based systems you could reboot the system on a floppy with
Trinux or picoBSD.


1) we have no firewall nor tcpd running, so there is no effective access
control or access logging. We have incredibly primitive router filtering,
which eliminates only the most basic of IP-spoofing attacks.

      You can install ipf if you are on Solaris. Or get a FreeBSD with
      two NICs and use that as your firewall.

We use TAMU's drawbridge.  It seems well adapted to a university
environment where things are forever changing.


6) we did not purchase or implement any Intrusion Detection Software.
[IDS]

      http://www.l0pht.com/NFR
      http://www.nfr.com

Also the SANS CIDER project at http://www.nswc.navy.mil/ISSEC/CID/
and the Argus IP audit tool at ftp://ftp.sei.cmu.edu/pub/argus - this
isn't an intrusion detection system per se, it is an audit tool and I
have written some Perl scripts that use it for detecting scans etc.



Not using tripwire cost us a lot, in that a) we had to rebuild every last
GNU program from source, and b) we did not have it available as a means of
detecting 'wrongness' on a production system.


I have tried using Tripwire but have never managed to overcome the lack
of non-writable media storing the executables and database.  Also the
amount of work involved in keeping the database up to date is non-trivial
in our environment.

Cheers, Russell.

Computer Security Officer, The University of Auckland, New Zealand.
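The thread above discusses Tripwire-style integrity checking and the problem of keeping the checker's database on writable media. The following is an added example, not code from the thread or from Tripwire: a minimal file-integrity baseline that records a SHA-256 digest, size and permission bits for each regular file under a directory, seals the baseline with an HMAC (the key is assumed to be kept on offline media) so that tampering with the database itself is detectable, and reports files that were added, removed or changed. The directory tree, file contents and key are constructed for the demonstration.

```python
"""Added example (not from the thread): a minimal Tripwire-style baseline.

Records sha256, size and mode bits per regular file, seals the baseline with
an HMAC so edits to the database are detectable, and diffs two baselines.
All paths, contents and the key below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder key; in practice it lives on offline media only.
SEAL_KEY = b"offline-key-for-the-example"


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record sha256, size and permission bits per regular file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            rel = p.relative_to(root).as_posix()
            entries[rel] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return entries


def seal(baseline: dict, key: bytes = SEAL_KEY) -> str:
    """Serialize the baseline and attach an HMAC over the serialized body."""
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": mac})


def unseal(blob: str, key: bytes = SEAL_KEY) -> dict:
    """Check the HMAC before trusting a stored baseline; raise on mismatch."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("baseline HMAC mismatch: database may have been altered")
    return json.loads(outer["body"])


def is_tampered(blob: str, key: bytes = SEAL_KEY) -> bool:
    """True if the sealed baseline fails its HMAC check."""
    try:
        unseal(blob, key)
    except ValueError:
        return True
    return False


def compare(old: dict, new: dict) -> dict:
    """Return added, removed and changed paths between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Baseline a constructed tree, simulate tampering, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n")
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps.real \"$@\"\n")
        (bin_dir / "ls").chmod(0o755)
        (bin_dir / "ps").chmod(0o755)
        sealed = seal(build_baseline(root))  # would be written to read-only media

        # Simulated changes: ls content replaced, ps mode changed, new file added.
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls.real \"$@\" | grep -v x\n")
        (bin_dir / "ps").chmod(0o4755)
        (bin_dir / "login").write_bytes(b"x")

        return compare(unseal(sealed), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC does not replace read-only media: an intruder with root can still replace the checker binary or run it with a different key, which is exactly the gap the message describes. What it does give is a cheap way to tell that a baseline file copied back from tape or a remote host has not been silently edited in between runs.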


