SDSC Security Bulletin 97.003

Original Issue Date: 1997/06/27
Version: $Id: 97.03.intrusion,v 1.3 1997/06/27 19:47:07 tep Exp $
Topic: intrusion at SDSC using "sniffed" password
________________________________________________________________________________

On Monday morning, June 9, there was an intrusion into several SDSC host
computers. The intruders used a username and password believed to have been
acquired via a "password sniffer" running in one (or more) of the public
computer labs at UCSD. The intruders were able to make use of the user's
account on several hosts for a period of time.

Users need to be aware that SDSC offers several authentication technologies
that eliminate or reduce this risk, and also need to check the "last login
time" messages to help detect this kind of activity.

I. Description

Recently, unusual activity on a user's account prompted an SDSC investigation.
This unusual activity included attempts to use several known "exploits" to
acquire "root" permissions on several SDSC hosts. The user's account was locked
and an investigation was started.

After contacting the user, it was determined that the user's account
information had most likely been captured and used by the intruders to access
the user's accounts at SDSC.

Fortunately, there were logs of the intruders' activity, allowing SDSC to
determine the complete extent of the problem. Several workstations were
completely re-installed.

II. Impact

The intruders could have deleted all the user's data, even that which was
stored in HPSS, or read the user's email. Fortunately, in this case, no damage
to the user's data or programs occurred, and the user had no local email at
the time.

The intruders could have compromised the accounts of other SDSC users, or set
up password sniffers on SDSC networks. However, none of these occurred in this
incident.

III. Solution

SDSC makes several tools available to avoid password sniffing attacks:
Kerberos, Secure Shell (SSH), S/Key and SecureNetKey (SNK) "smart" cards. For
all of these, the software is freely redistributable and widely available
(subject to US cryptographic export controls). SNK cards are available for
purchase (approx. US$40) or may be made available to some SDSC users at no
charge.

All of these technologies are currently available at SDSC on a "friendly user"
basis, and are CURRENTLY optional. They are all moving towards full production
status, and will become REQUIRED to access SDSC computers at some point in the
future.

Kerberos V5 servers are running on all workstations and most supercomputers at
SDSC. Kerberos client software is available in /usr/local/apps/krb5. Users
must have Kerberos client software on their computers, and register with SDSC
to receive a Kerberos "principal" (account and password). Information on
Kerberos is available at:

    http://web.mit.edu/kerberos/www/index.html
    http://www.sdsc.edu/~schroede/kerberos_cug.html

SSH servers are running on all workstations and most supercomputers at SDSC.
SSH client software will soon be available in /usr/local/apps/ssh. Users must
have SSH client software on their computers. There is no special registration
required to use SSH. Information on SSH is available at:

    http://www.sdsc.edu/projects/ssh/ssh.html

SDSC is pursuing a "site license" for the commercial version of SSH in
cooperation with UCSD.

S/Key is an implementation of a challenge/response authentication system.
Prior registration with SDSC is required. Information is available at:

    http://www.bellcore.com/SECURITY/skey.html

SNK cards are another implementation of a challenge/response system, using a
credit-card-sized security token. Prior registration with SDSC is required.

If you are interested in using any of these solutions, contact the SDSC
consultants (consult@sdsc.edu).
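The following is an added illustration of why a challenge/response one-time
password scheme such as S/Key defeats a password sniffer. It is not SDSC's or
Bellcore's S/Key code: it uses a simplified hash chain with SHA-256 (real S/Key
derives its chain from a passphrase with MD4), and the secret, chain length and
host names are constructed for the example. The server keeps only the last
accepted value, so a response captured on the wire is useless once it has been
used.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 here; S/Key proper uses MD4)."""
    return hashlib.sha256(data).digest()


class OTPClient:
    """User side: holds the secret and can compute any value in the chain."""

    def __init__(self, secret: bytes, chain_length: int):
        self.secret = secret
        self.chain_length = chain_length

    def password(self, n: int) -> bytes:
        """n-th one-time password: the secret hashed n times."""
        value = self.secret
        for _ in range(n):
            value = _h(value)
        return value

    def anchor(self) -> bytes:
        """Value registered with the server at enrolment: h^N(secret)."""
        return self.password(self.chain_length)


class OTPServer:
    """Host side: stores only the last accepted value, never the secret."""

    def __init__(self, anchor: bytes, chain_length: int):
        self.last_accepted = anchor
        self.remaining = chain_length

    def challenge(self) -> int:
        """Sequence number the client must answer with (sent in the clear)."""
        return self.remaining - 1

    def verify(self, response: bytes) -> bool:
        """Accept if hashing the response once yields the last accepted value."""
        if self.remaining <= 0:
            return False
        if _h(response) == self.last_accepted:
            # Advance the chain: this response can never be accepted again.
            self.last_accepted = response
            self.remaining -= 1
            return True
        return False


def simulate_sniffed_replay(chain_length: int = 10):
    """Return (legitimate login ok, replayed sniffed response ok, next login ok)."""
    secret = secrets.token_bytes(16)  # constructed; S/Key derives it from a passphrase
    client = OTPClient(secret, chain_length)
    server = OTPServer(client.anchor(), chain_length)

    # Legitimate login. A sniffer on the lab network sees the challenge
    # number and this response, but not the secret behind it.
    sniffed_response = client.password(server.challenge())
    first = server.verify(sniffed_response)

    # Someone replays the captured response: the chain has moved on, so it fails.
    replay = server.verify(sniffed_response)

    # The real user logs in again with the next value down the chain.
    second = server.verify(client.password(server.challenge()))
    return first, replay, second


if __name__ == "__main__":
    print(simulate_sniffed_replay())  # (True, False, True)
```

Recovering an earlier chain value from a captured one would require inverting
the hash, which is what makes a sniffed one-time password worthless; the
remaining weakness is that the chain is finite, so the user must re-register a
new anchor before it runs out.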
Remember that all of these are in the "friendly user" phase, and while they are
quite robust, SDSC does not have a complete production-quality support
infrastructure in place as yet.

For general information on SDSC Security Activities, see

    http://www.sdsc.edu/Security/References/security_faq.stable

IV. Detecting an attack

All users should ALWAYS check the "last login time and place" which is
presented each time they login to any UNIX system:

    ------------
    San Diego Supercomputer Center
    CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
    Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
    ------------

If this time seems unusual, or the host is not what you expect, please contact
SDSC Operations at +1.619.534.5090 immediately. SDSC Operations is available
24 hours a day, and can page the on-call security person if necessary.

If you find unusual files or directories in your account, or have files that
have been moved or removed, or other reason to believe that someone has made
use of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by Andrew Gross, Glenn Sager and
Tom Perrine.

San Diego Supercomputer Center:
    http://www.sdsc.edu
Pacific Institute of Computer Security:
    http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html
San Diego Regional Information Watch:
    http://www.sdriw.org

VI. Disclaimers

Copyright 1997 San Diego Supercomputer Center. The material in this security
alert is for the use of SDSC's user community, and may NOT be reproduced or
distributed, without prior written permission, in whole or in part.
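The "last login" check in section IV is easy to skip when the banner scrolls
past. As an added example (not part of the bulletin or of any SDSC tool), the
script below parses the "Last successful login was : ..." line in the format
quoted above and reports anything a user should raise with SDSC Operations:
a host not in the user's own list of usual hosts, a login outside the hours
the user normally works, or a login that does not match the one the user
remembers making. The expected-host list, working hours and the second,
suspicious banner are constructed for the example.

```python
import re

# Matches the last-login line SDSC UNIX hosts print at login, in the format
# quoted in section IV of the bulletin (the line carries no year).
LAST_LOGIN_RE = re.compile(
    r"Last successful login was\s*:\s*"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})\s+from\s+(?P<host>\S+)"
)


def parse_last_login(banner: str):
    """Return {'when', 'hour', 'host'} from a login banner, or None if no such line."""
    m = LAST_LOGIN_RE.search(banner)
    if m is None:
        return None
    when = f"{m['dow']} {m['mon']} {m['day']} {m['hour']}:{m['minute']}:{m['second']}"
    return {"when": when, "hour": int(m["hour"]), "host": m["host"]}


def audit_last_login(banner, expected_hosts, work_hours=(7, 22), remembered=None):
    """Return a list of warnings; an empty list means nothing looked unusual.

    expected_hosts: hosts the user normally logs in from (user-supplied)
    work_hours:     (start, end) hours of the day the user normally works
    remembered:     (when, host) of the last login the user actually made, if known
    """
    info = parse_last_login(banner)
    if info is None:
        return ["no 'Last successful login' line found; cannot audit this banner"]

    warnings = []
    if info["host"] not in expected_hosts:
        warnings.append(f"last login came from unexpected host {info['host']}")

    start, end = work_hours
    if not (start <= info["hour"] < end):
        warnings.append(f"last login at {info['when']} is outside your usual hours")

    if remembered is not None and (info["when"], info["host"]) != tuple(remembered):
        warnings.append(
            f"last login {info['when']} from {info['host']} is not the one you remember"
        )
    return warnings


# Sample banners: the first reproduces the one quoted in the bulletin, the
# second is constructed to show a login worth reporting to SDSC Operations.
BULLETIN_BANNER = """San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
"""

SUSPICIOUS_BANNER = """San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
Last successful login was : Wed Apr 9 03:14:07 from dialup-17.example.net
"""

if __name__ == "__main__":
    usual_hosts = {"galt.sdsc.edu"}  # constructed: the user's own workstation
    for banner in (BULLETIN_BANNER, SUSPICIOUS_BANNER):
        for warning in audit_last_login(banner, usual_hosts):
            print("WARNING:", warning)
```

Because the banner line omits the year, the script compares the timestamp as
text rather than as a date; the point is to make the comparison the bulletin
asks for habitual, not to replace a call to SDSC Operations when something
looks wrong.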