Information Security News mailing list archives

Linux security classes: ISS founder is a cracker in a white hat


From: William Knowles <wk () C4I ORG>
Date: Thu, 8 Jun 2000 16:37:31 -0500

http://www.linuxworld.com/linuxworld/lw-2000-06/f_lw-06-iss.html

Whether your firm has been running Linux for a while or is one of a
growing number of companies that have only recently moved to Linux on
their networks, you may be concerned about how to secure Linux. If
you're not, you should be. ISS (Internet Security Systems), the
security firm founded by Christopher Klaus in 1994, has announced that
it will be the first company to offer a professional Linux security
training course.

Before researching ISS and Christopher Klaus, I assumed that he had
been a black hat cracker who had changed his ways and then appeared in
the enterprise wearing a white hat. That is often the case with those
involved with Internet security, and I knew that his creation, the
first port-scanning program (also called ISS) had been a popular item
in many hacker toolkits in the past. I supposed that the appeal of the
ISS corporation would be based on the old notion of using a thief to
catch a thief all over again. But I was wrong.

Klaus appears to have always been on the side of the angels. He didn't
hang out on an "elite" BBS, he didn't sit on IRC and try to build a
rep on #hack, and he didn't write stories for phrack (one of the
computer underground's longest-running zines) about how to break into
machines on the Internet. In fact, in one of the two references I
found to Klaus in the phrack archives, he plainly states that he
didn't want ISS, the first program of its type, to appear there. In
another issue, he mockingly explained how to become an "übercracker."

But he did publish the source code for the ISS port scanner, which
allows you, via the Internet, to look across a network and see what
ports are open on a specific machine or range of machines. He wrote
ISS in 1992. In September of 1993, he posted the full source code to
version 1.00 of ISS to the comp.sources.misc newsgroup on Usenet.

ISS is still available on the Internet at security and hacker sites
alike. I found it at Purdue University's CERIAS FTP site. (See
Resources below to find the URL.) In any event, tool usage is a habit
shared by both those interested in maintaining site security and those
interested in violating it.

Regardless of the color of Klaus' hat, ISS became a part of many
hacker toolkits in the years following its release. It isn't used as
often these days by those with bad intentions simply because it is too
obvious. Using a port scanner today to find active ports on a system
is like casing a house for a burglary by driving up to it in the
middle of the night and then aiming a huge spotlight at every nook and
cranny, looking for open doors and windows. (Services like sendmail,
BIND, Telnet, FTP, HTTP, and so on are usually run on well-known
ports.)

Only the most naive script kiddies will use a port scanner, blissfully
unaware that they are probably triggering security alarms at many of
the sites they scan. Their only potential victims are those sites
whose owners are even less aware of security than they are. But when I
conducted an authorized security test on my employer's network three
years ago -- a test in which I eventually got root privileges on two
machines -- the first tool I used was ISS.

Klaus' real background is much different than I had envisioned. In
1990, while he was in high school and a lot of his computer-savvy
peers were swapping "warez" on elite BBSs, Christopher was accepted
for an internship at Lawrence Livermore National Laboratory. It was
there that he began his research into computer and network security.

He also read some interesting books; he credited William Gibson's
novel Neuromancer for the concepts that eventually became his security
scanner. When he published the source code to ISS on the
comp.security.misc newsgroup, he also credited as sources of relevant
information phrack and CERT, the Computer Emergency Response Team,
created in 1988 after a worm disabled ten percent of all the computers
connected to the Internet.

Today, Atlanta-based ISS (the company) offers a full suite of security
tools, educational services, and security consulting services around
the world. It also sponsors the X-Force Website, an excellent source
of information on the latest exploits. The site houses a searchable
database of previous exploits, security mailing lists, and "zero day"
advisories. Klaus handed over the reins of the company in 1997, but
remains with ISS as the firm's chief technology officer.

The ISS class for Linux security will be distribution neutral, but
will be taught on Red Hat 6.2. It addresses Linux-specific security
issues and the ways they can be addressed within the framework of a
security enforcement policy. For schedules and other information on
the class, see the ISS Linux Security Course link in the Resources
section below. And if you know of any other good Linux security
resources or classes, please write in to the forum. I'd love to hear
about them.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com