HP3000-L Archives

June 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Bruce Toback <[log in to unmask]>
Reply To:
Bruce Toback <[log in to unmask]>
Date:
Wed, 27 Jun 2001 12:38:51 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (117 lines)
Wirt Atmar writes:

>I have yet to see any greater danger associated with having an HP3000
>connected to a fixed-address packet-switched network (the internet) than I
>used to have having it connected to a fixed-address public-switched network
>(the phone system), save these two exceptions:
>
>     o the hacker used to have to pay for each of his attempts to break into
>       my computer if he wasn't smart enough to use a "blue box," (which
>       was, btw, Apple's first real product :-).
>
>     o he can cycle his attempts much more quickly nowadays than he used
>       to be able to do.
>
>But other than that, there is no real difference. Ultimately, good
>passwording is your only security. If security ...
>was good with a permanently connected modem,
>it won't be any worse with a network connection. I blame a lot of the
>calls for firewalls on simple fear and not much else.

Unfortunately, this seriously understates the threat.

First, don't minimize the "no cost" and "quick cycle" differences.
They're huge. One penetration attempt every fifteen seconds is a vastly
different threat than a hundred attempts per second. Second, "no cost"
means that the number of possible attackers has grown immensely, since
cost was a barrier before. Moreover, international phone calls can easily
be policed. International IP traffic is a lot harder to police,
particularly with the connivance of the authorities at the attacker's
point of entry into the network.

But more importantly, almost NONE of the Internet-based system
penetrations available to all and sundry via FTP-able "rootkits" rely on
password security. They rely on the fact that many different code paths
are exposed via the network. An attacker going in through a modem can do
just one thing: try to log on by guessing or knowing passwords. Someone
who attacks through the network doesn't need a password; they just need a
bug in one of the many processes that provide services to network users.

MPE's separation of code and data provides some level of security against
typical root compromises. However, as HPe3000s start to look more and
more like Unix boxes, they'll start to see some of the same threats. A
recently-publicized attack against Apache on MacOS X Server -- a
BSD-derived Unix platform -- also has the potential to work against
Apache on MPE. It works by bypassing Apache's authorization scheme, not
by guessing passwords.

>Now that we have such extraordinary features as
>FTP and telnet, a lot of people have these protocols senselessly locked
>down...

It's not "senseless" to lock these down. MPE allows only eight-character
case-insensitive alphanumeric passwords. Given a fast line and a fast
box, I can try 100,000 common words and names in an hour while nobody is
monitoring the console. If you have complete control over your passwords,
and always assign random ones, and always reinstall passwords after a
system update, and, and, and... that's not a problem. Otherwise, why take
chances?

>The second attribute that has always impressed me about this persistent
>call for firewalls is the fact that system managers tend to sit around the
>glow of twinkling CRTs late into the night and tell each other adult
>bogeyman stories.

Wirt has never had to recover from a system penetration. I have -- on a
box where all passwords were mixed-case alphanumeric and random, and
where the attacker couldn't have cared less about it. I was sitting in
the glow of a twinkling CRT late at night on the phone with an ISP,
trying to track the sucker down. The bogeyman was real, and I have the
network traces to prove it.

>I used to give these people stern lectures about this faux pas, but I've
>stopped. If I say anything at all anymore, it's just a gentle reminder.
>The chances that anything untoward will happen to them are about the same
>as their being hit by a martian meteorite. They are protected by multiple
>layers of "security through obscurity," simply because they're running an
>HP3000.

I'm sorry to be so blunt, but this is singularly bad advice. I know of
two sites where HP3000s were compromised because they were accessible
from the Internet. Wirt says you don't need a firewall. Do you have a
Windows box on your Internet connection? Even by accident? If you do,
your HPe3000 passwords are visible for all and sundry. How about a Unix
box? Unless you've been extraordinarily careful about applying security
patches (just "careful" won't do, I found out), the same applies.

Are you *sure* that the only machine ever on your Internet connection is
your HPe3000? How sure? Would you bet $500? You would? Fine, don't buy a
firewall.

>What I do give them are lectures about the importance of backups, because
>in the end, someone hacking in and destroying their data is no different
>in end result than their data being destroyed by fire or flood.

Now THIS is good advice. Thanks to nightly backups, I was able to detect
changes to system files that the attacker had made to facilitate a second
entry. Without good backups, I'd have been facing a much more protracted
and less certain recovery, or repeated penetrations through back doors
that leave no trace in the log files.

-- Bruce



--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.
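The post makes two quantitative points: that a network attacker cycles guesses far faster than one dialling a modem, and that an eight-character, case-insensitive alphanumeric password space can be searched with a dictionary in about an hour. The following is an added example, not part of Bruce Toback's message or the HP3000-L archive, that works those numbers through. The attempt rates (one try every fifteen seconds, a hundred tries per second) and the 100,000-word dictionary are taken from the post; the function names and the assumption of exactly eight characters are this example's own.

```python
"""
Added example (not from the original post): estimate how long guessing
attacks take against the password space the post describes, at the two
attempt rates it contrasts.
"""
import string

# Password policy as described in the post: eight characters drawn from a
# case-insensitive alphanumeric alphabet, i.e. 26 letters + 10 digits.
MPE_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
MPE_LENGTH = 8                                          # assumed: exactly 8

# Attempt rates quoted in the post (illustrative figures, not measurements).
MODEM_RATE = 1 / 15        # one attempt every fifteen seconds
NETWORK_RATE = 100.0       # a hundred attempts per second


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, attempts_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / attempts_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare_attack_windows(dictionary_size: int = 100_000) -> dict:
    """
    Compare a full keyspace search with a dictionary pass at both rates.
    Returns raw seconds so callers can assert on the numbers.
    """
    full = keyspace(len(MPE_ALPHABET), MPE_LENGTH)
    return {
        "keyspace": full,
        "full_modem_s": seconds_to_exhaust(full, MODEM_RATE),
        "full_network_s": seconds_to_exhaust(full, NETWORK_RATE),
        "dict_modem_s": seconds_to_exhaust(dictionary_size, MODEM_RATE),
        "dict_network_s": seconds_to_exhaust(dictionary_size, NETWORK_RATE),
        "speedup": NETWORK_RATE / MODEM_RATE,
    }


if __name__ == "__main__":
    r = compare_attack_windows()
    print(f"keyspace (36^8):         {r['keyspace']:,}")
    print(f"exhaust via modem:       {humanize(r['full_modem_s'])}")
    print(f"exhaust via network:     {humanize(r['full_network_s'])}")
    print(f"100k-word dict, modem:   {humanize(r['dict_modem_s'])}")
    print(f"100k-word dict, network: {humanize(r['dict_network_s'])}")
    print(f"network/modem speedup:   {r['speedup']:,.0f}x")
```

Run stand-alone, this shows that the full 36^8 space is out of reach at either rate, but that a 100,000-entry dictionary of common words and names finishes in minutes over the network versus weeks over a modem, which is the post's point: the password scheme itself did not change, only the attacker's cost per guess did. A defender's reading of the same numbers is that the console log alone will not surface a burst that finishes in under twenty minutes; the mitigation is to keep weak dictionary words out of the password set (or to keep the service off the open network), not to hope the search is slow.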
