Security Digest Volume 1 Issue 36

subject(s):
    chroot and device files
    Legion of Doom information?
    summary: Sun secure NFS, C2, secure RPC, secure rexd
    Yow! A Brand New Inet Newsgroup
    Computer Viruses set to go off on October 12 and 13.
    Fifth Annual Computer Security Applications Conference

------------------------------------------------------------------------

Date: Fri, 6 Oct 89 15:40:16 CDT
From: uunet!src.honeywell.com!jkimball (John Kimball)
Subject: chroot and device files

Some folks here want to set up a kermit area in our anonymous ftp area,
using the restrict program from Wood and Kochan. (The restrict program
is meant to be specified as the user's shell; it does a chroot to bottle
the user up, before invoking the real shell.)

I have heard tell that there are unspecified tricks one can play with
device files to examine the filesystem above the current root directory.
Kermit wants a /dev/tty. Is it safe for us to create a /dev/tty in our
little bottled-up filesystem?

------------------------------------------------------------------------

Date: Fri, 06 Oct 89 16:21:53 -0700
From: rtech!friday!sid (Sid Shapiro)
Subject: Legion of Doom information?

I'm looking for information on a cracker group calling themselves the
Legion of Doom. Any information about who they are, what kind of things
they do, what kind of things they have done, or anything else about them
would be most appreciated. Are they Bad Guys or "enthusiasts" who look
but don't touch?

------------------------------------------------------------------------

Date: Tue, 10 Oct 89 06:42:31 CDT
From: uunet!src.honeywell.com!jkimball (John Kimball)
Subject: summary: Sun secure NFS, C2, secure RPC, secure rexd

A couple months ago I asked for people's opinions about the new optional
security features in SunOS 4.0.x. Below is the information I collected.
Many thanks to the respondents! (Some of this you've probably seen
already, but I decided it was worthwhile to have it all in one place.)

> . . .
> Now I'm looking at Sun's enhancements for security:
> secure RPC (including secure NFS and secure rexd), and the C2 package.
> I recall hearing various disparaging things about the C2 stuff and secure
> NFS several months ago, but nothing recently. So, to those people who
> are using or have tried to use secure RPC and/or the C2 package:
>     o Do they work?
>     o What are the benefits?
>     o What are the disadvantages?

-From: Jason Heirtzler

That seems to be the same feeling that everyone is giving me. It doesn't
seem like anyone uses it (or is too paranoid to admit it.. :-) Anyway,
the shadow password stuff works without a lot of pain, and that's about
where I stopped.

-From: uunet!Sun.COM!gkass%slapshot.EBay (Gordon Kass)

A number of bugs in SunOS 4.0 C2 were fixed in SunOS 4.0.3 and a number
more were fixed thereafter and are available from the USAC (Sun's U.S.
Answer Center) as a patch tape.

Yes, the C2 stuff does work.

Benefits: if you want C2 security and what that offers, then this is how
to get it. C2 security primarily offers:

  * split password files, keeping the encrypted passwords from being
    readable by everyone
  * auditing, selectable per-user, allowing one to track assorted events
    going on in the system.

Disadvantages: if you audit a lot of events, it'll take up a lot of disk
space (although you can archive or "rm" as you like) and it might slow
down performance some.

Note that C2 and other levels of Orange Book security are slightly
different than penetration security. (If this leaves you puzzled, e-mail
me for more details.)

(we did the C2 stuff, along with a lot of other things)

-From: lsf@astrosun.tn.cornell.edu (Sam Finn)

Pursuant to a bug report, I have been informed by Sun that the secure
feature of rexd (the -s option documented in the manuals) performs no
function at this time. DES authentication does not exist for rexd or the
on(1) command, and is not expected to before 4.1FCS.
At present, with rexd enabled on a workstation there is no way to
prevent another user on another wholly unrelated system from using the
workstation's CPU, disk, etc., for his/her own purposes.

Sun informs me that this applies only to the on(1) command and rexd; in
particular, DES authentication in secure RPC is functional.

-From: eie@cs.vu.nl (Ed Keizer)

While converting from SunOS 3.5 to SunOS 4.0.1 we decided to use the
secure NFS software to protect the staff file systems at our faculty.

The first sign of `something wrong somewhere' was that the server
exporting the Secure NFS system started crashing about once a week on
null pointer dereferences in kernel code connected with authorization.
We also had to reboot one of our diskless clients after each crash.
That client had produced the error message:

    vmunix: authget: authdes_create failure

and could not be convinced to perform any further accesses to the Secure
file system, not even after rebooting the server. We did not pursue this
in the hope that SUN would have repaired this in SunOS 4.0.3. We would
have started searching if we had the kernel code, but we don't, so we
left it at that, although it was somewhat annoying.

Then, one day, our server produced the following error message:

    vmunix: ie0: out of mbufs: output packet dropped

while more than a few diskless clients produced the message mentioned
earlier. This was the sign to start a search for an mbuf leak in the
kernel.

We found that each unauthorized access to a Secure File System used 10
`mbufs allocated to data' which were never freed. An unauthorized access
happens when a process with a uid that has a public key in the publickey
database tries an access from a client that does not have that user's
private key.

Unauthorized accesses happen whenever a user with a key in the publickey
database and his or her home directory on the Secure file system does an
rlogin, reading $HOME/.rhosts, to a client he or she has never used
before.
Or, when somebody tries the well-known trick of `su user' after becoming
super-user in order to access that user's files over the network from a
client that does not have that user's private key.

We often have two of these `Unauthorized access' messages:

    vmunix: NFS getattr failed from server: RPC: Authentication error

when one of the events mentioned above happens. That means that each
event costs us twenty mbufs.

Mbufs are a finite resource. The kernel code limits the amount of memory
dedicated to mbufs to 1 Mb. In practice this means that we have to
reboot our Secure NFS servers every second day. We see the amount of
mbufs allocated to data growing from about 20 to 2924 and higher.

We had our first SunOS 4.0.3 system running yesterday. The bug was
still there.

We reported this problem to SUN through the official channel a few days
ago, but have not yet received an answer.

------------------------------------------------------------------------

Date: Wed, 11 Oct 89 11:12:59 PDT
From: neil (Neil Gorsuch)
Subject: Yow! A Brand New Inet Newsgroup

[ Posted to the nntp managers mailing list by Eric Fair: - neil ]

just for those of you who can't worry enough:

    comp.security.announce

This newsgroup will be mirroring a moderated mailing list that the DARPA
Computer Emergency Response Team (CERT) maintains for making important
announcements about computer security. If you have any questions about
that, drop a note to cert@cert.sei.cmu.edu.

[ The mailing list is an output-only broadcast list with no formal input
channel that is used by CERT to send out announcements to their
contacts. One of the contacts is zardoz. I of course re-broadcast any
appropriate information to the security list.
I am glad that comp.security.announce has finally been created; it
fills a definite need - neil ]

------------------------------------------------------------------------

Date: Thu, 12 Oct 89 12:30:07 PDT
From: neil (Neil Gorsuch)
Subject: Computer Viruses set to go off on October 12 and 13.

[ This was in usenet news group news.announce.important - neil ]

There are a pair of computer viruses ready to go on October 12 and 13 of
this year. If you have an IBM or compatible PC, you may have a virus on
your system. If your .COM or .EXE files have grown by 1000 or so bytes,
they may be infected.

One virus is known as the Jerusalem virus, and is set to go off on or
after the next Friday the 13th. It can add itself to your executable
files, slow down your system, and in some cases erase your hard disk.

The other is the DATACRIME virus. It is not as common as the Jerusalem
virus, but will immediately and without warning wipe out your disk.

You are strongly urged to take a complete backup of your disks before
the 12th. Since viruses often spread through public domain software, use
of binary software that is not shrink wrapped should be avoided.

There are commercial virus detection programs on the market. One is the
ViruScan program from McAfee Associates, in California. It detects some
39 viruses (in the 9-28-89 version.) Their telephone number is
408-988-3832.

Another source is Rikki Cate, in Amsterdam. The product, Cate's Cure,
detects the DATACRIME virus. Cate's telephone is 31-20-981963 in the
Netherlands.
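[ Editor's addendum, not part of the announcement above or of any product it
names. The size-growth hint it gives (.COM and .EXE files growing by roughly
1000 bytes) is the basis of the simplest file-infector check: record the size
and a content hash of every executable while the machine is known clean, keep
that record somewhere the machine cannot write to, and rescan later. The script
below does exactly that in Python; the 1000-byte figure is the one quoted in
the announcement, while the sample directory, file names and contents are
constructed for the example. - neil's editor ]

```python
"""Baseline-and-compare integrity check for DOS-style executables.

Added illustration for the virus announcement above.  Not code from the
announcement, from ViruScan or from Cate's Cure.  The ~1000-byte growth
figure is quoted from the announcement; the sample tree built in demo()
is constructed for this example.
"""
import hashlib
import json
import os
import tempfile

EXECUTABLE_SUFFIXES = (".com", ".exe")


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Record size and digest of every .COM/.EXE under root.

    Keys are paths relative to root so the record can be checked from a
    different mount point (e.g. after booting from a clean floppy).
    """
    record = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            record[rel] = {"size": os.path.getsize(full),
                           "sha256": file_digest(full)}
    return record


def save_baseline(record, path):
    """Write the record as JSON; keep this file off the scanned disk."""
    with open(path, "w") as f:
        json.dump(record, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return sorted (path, verdict) pairs for files that differ.

    A hash mismatch with positive growth is reported as possible infection
    (appenders add code to the file); any other content change is reported
    as 'modified'.  Hash, not size, is the real check: a virus that
    overwrites in place changes the hash but not the size.
    """
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "new"))
        elif path not in new:
            findings.append((path, "missing"))
        elif old[path]["sha256"] != new[path]["sha256"]:
            growth = new[path]["size"] - old[path]["size"]
            if growth > 0:
                findings.append((path, "grew by %d bytes (possible infection)" % growth))
            else:
                findings.append((path, "modified"))
    return findings


def demo():
    """Build a constructed sample tree, baseline it, 'infect' one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        samples = {                                   # constructed sample files
            "COMMAND.COM": b"\xe9" + b"\x90" * 300,
            os.path.join("DOS", "EDIT.EXE"): b"MZ" + b"\x00" * 2048,
            "README.TXT": b"not an executable\n",   # ignored by the scan
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = baseline(root)
        # Simulate an appending infector: ~1000 bytes added to one file.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as f:
            f.write(b"\xcc" * 1000)
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for path, verdict in demo():
        print(path, verdict)
```

The baseline has to be taken while the system is believed clean and stored
where an infected system cannot rewrite it; a record kept on the same disk
tells you nothing once the disk is suspect.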
------------------------------------------------------------------------

Date: Thu, 12 Oct 89 12:33:36 PDT
From: neil (Neil Gorsuch)
Subject: Fifth Annual Computer Security Applications Conference

[ This was in usenet news group misc.security - neil ]

        Fifth Annual Computer Security Applications Conference
    formerly the Aerospace Computer Security Applications Conference

                        December 4-8, 1989
                Westward Look Hotel, Tucson, Arizona

Sponsored by
    IEEE Technical Committee on Privacy and Security
    American Society for Industrial Security
    Aerospace Computer Security Associates

Conference Highlights

Keynote Speaker                         Luncheon Speakers
---------------                         -----------------
Senator Dennis DeConcini                Mr. Charles T. Force
(D - Arizona)                           NASA
                                        Mr. Dave Fitzsimmons
                                        Cartoonist, Arizona Daily Sun

Distinguished Lecture in Computer Security
"INFOSEC: Where Are We Going?"
    Mr. Stephen T. Walker, Trusted Information Systems

Tutorial Program

Monday, 4 December 1989
    "Secure System Design - An Introduction"   Mr. Morrie Gasser, DEC
    "Database Security"                        Ms. Teresa Lunt, SRI

Tuesday, 5 December 1989
    "Secure System Design - Advanced"          Dr. Virgil Gligor, University of Maryland
    "A New Approach to Network Security"       Mr. Jerome Lobel, Lobel Consulting
    "Computer Crime"                           Ms. Gail Thackeray, Arizona Assistant Attorney General

Technical Program
Wednesday - Friday, 6-8 December 1989

Technical Paper Sessions
    + Architecture for Trusted Systems
    + Network Security
    + Cryptographic Applications
    + Architecture and Mechanisms
    + Security Policy and Models
    + Risk Management
    + Software Development for Security
    + Data Base Security I & II
    + Security for Command and Control
    + Audit Applications
    + Trusted Distribution

Panel Sessions
    + Computer Crime
    + Data Base Design for MLS
    + TCB Subset Issues
    + Human Issues
    + Gemini Users
    + International INFOSEC Standards
    + Integrity
    + Shoot Out at the OSI Security Corral
    + Civil Sector Security
    + Security Standards for Open Systems
    + Space Station Information Security
    + Data Integrity and Security for Computer Aided Acquisition and
      Logistics Support (CALS)

Special Events
    Biosphere II: a prototype of the Earth for the future
    Sonora Desert Museum: living animals and plants of the Sonoran Desert Region

Additional Information

For a copy of the advance program, which includes rates, schedule,
registration form, and special activities, contact:

    Diana Akers, Publicity Chair, (703) 883-5907
        akers%smiley@gateway.mitre.org
    Victoria Ashby, Co-Chair, (703) 883-6368
        ashby%smiley@gateway.mitre.org
    The MITRE Corporation, 7525 Colshire Dr., McLean, VA 22102

If your organization wishes to consider placing a related exhibit at the
conference, a limited number of spaces are available on a first come,
first served basis. For information, contact:

    Robert D. Kovach, Exhibits Chair, (202) 453-1182,
        rkovach%nasamail@ames.arc.nasa.gov

Advance Programs will be available early September. Please request one
at that time. Conference proceedings and videotape of the Distinguished
Lecture will be available.

Program Subject To Change

------------------------------------------------------------------------

End of Security Digest Volume 1 Issue 36
**********************
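[ Editor's addendum, not part of the original digest, on the chroot question
in the first message of this issue. /dev/tty is only a name for the process's
controlling terminal and gives no access to any filesystem; the device-file
trick the question alludes to needs a block device node for a disk (reading
the raw partition bypasses the chroot's path-based containment) or a node like
/dev/kmem. So the practical rule for a jail is: no block devices at all, a
short allow-list of character devices, chdir into the jail before chroot, and
drop root before exec, because a process that keeps root can leave a chroot by
other means. The Python below is an added example of that rule; it is not the
restrict program from Wood and Kochan, whose source is not on this page. The
allow-list, the launcher's argument layout and the sample /dev listing in
demo() are this example's own assumptions and constructed data. - neil's
editor ]

```python
"""Device-node audit and launcher for a chroot jail.

Added example for the chroot question in this issue.  Not the restrict
program from Wood and Kochan; the allow-list and the sample /dev listing
below are assumptions made for the example.
"""
import os
import stat
import sys

# Character devices a restricted kermit session plausibly needs (assumed).
# /dev/tty only names the controlling terminal, so it exposes no filesystem.
ALLOWED_CHR = {"tty", "null", "zero"}


def device_allowed(name, mode):
    """Decide whether a /dev entry with this st_mode may exist in the jail.

    Block devices are refused outright: a node for the root disk inside
    the jail lets a jailed user read the raw filesystem above the new
    root.  Character devices pass only by name, which keeps /dev/kmem and
    /dev/mem out.  Plain files, directories, fifos, sockets and symlinks
    are not devices and pass.
    """
    if stat.S_ISBLK(mode):
        return False
    if stat.S_ISCHR(mode):
        return name in ALLOWED_CHR
    return True


def audit_entries(entries):
    """Sorted names of offending entries, from (name, st_mode) pairs."""
    return sorted(name for name, mode in entries if not device_allowed(name, mode))


def audit_jail_dev(jail):
    """lstat() everything in <jail>/dev and return the offending names.

    Raises FileNotFoundError if the jail has no dev directory at all.
    """
    devdir = os.path.join(jail, "dev")
    entries = []
    for name in os.listdir(devdir):
        st = os.lstat(os.path.join(devdir, name))
        entries.append((name, st.st_mode))
    return audit_entries(entries)


def enter_jail_and_exec(jail, uid, gid, argv):
    """Confine the current process and exec argv inside the jail.

    Order matters: chdir into the jail before chroot so the working
    directory is inside the new root, then drop supplementary groups,
    gid and uid before exec.  Must be started as root; returns only on
    failure (exceptions propagate).
    """
    bad = audit_jail_dev(jail)
    if bad:
        raise PermissionError("refusing to enter jail; disallowed device nodes: "
                              + ", ".join(bad))
    os.chdir(jail)
    os.chroot(".")
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    os.execv(argv[0], argv)


def demo():
    """Audit a constructed picture of a jail's /dev (no root needed)."""
    sample_dev = [                              # constructed, not a real /dev
        ("tty", stat.S_IFCHR | 0o666),          # controlling terminal: fine
        ("null", stat.S_IFCHR | 0o666),
        ("kmem", stat.S_IFCHR | 0o640),         # kernel memory: not allowed
        ("sd0a", stat.S_IFBLK | 0o640),         # raw disk partition: never
        ("log", stat.S_IFSOCK | 0o666),         # a socket, not a device
    ]
    return audit_entries(sample_dev)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage (as root): jail.py /path/to/jail <uid> <gid>
        enter_jail_and_exec(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]),
                            ["/bin/sh"])
    else:
        print("disallowed in sample /dev:", demo())
```

The audit only describes the jail at the moment of entry; it is the
privilege drop that keeps the jailed user from creating new device nodes
afterwards, and where the system offers a nodev mount option for the jail's
filesystem that is the stronger backstop.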