The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #355 [Re: Some warnings] (1 message, 944 bytes)
NOTICE: recognises the rights of all third-party works.


From: John Robert LoVerso <>
To: [not phage]
Date: Fri 13:42:05 09/12/1988 EST
Subject: Re: Some warnings
References: [Thread Prev: 353] [Thread Next: 354] [Message Prev: 354] [Message Next: 358]

> If you have an Annex box or other terminal server, make sure access to it
> uses passwords.  Some of the people doing the recent breakins have been
> dialing in to these and effectively using them as TACs.  This allows
> people access to the Internet who shouldn't have such access....

If you have an Annex, be sure you are not using an antiquated
software release!  Be sure you are running either R3.0 or (preferably)
R4.0 (or later); these are the only releases that will support the
Annex security system.  One site involved in the breakins this week
had dialin modems connected to an Annex running R2.1 ("pre-loverso").
This meant anyone dialing that number had free access to their
network.  With a later release using the Annex security system, it
is easy to extend the host-based security policy to do anything
you want, including only allow connections (rlogin|telnet) to local

Also, do not place an Annex (or any other "rlogin"-supporting
terminal server) in a /etc/hosts.equiv file.  This especially
includes those sites using YP that have "carefully" placed a "+"
there!  The unfortunate implementation of "rlogin -l" in Annex R4.0
allows the user-specified username to override the security-verified
username, thus creating a security hole *ONLY IF* the Annex is
made a trusted host (fixed in R4.1).

John R LoVerso, Encore Computer Corp
loverso@Encore.COM, encore!loverso