SDSC Security Bulletin 98.04.home_systems

Original Issue Date: 1998/10/01
Version: $Id: 98.04.home_systems,v 1.3 1998/10/02 05:48:19 tep Exp $
Topic: compromises of home computer systems

________________________________________________________________________________

SDSC acts as an Internet Service Provider (ISP) for staff, offering various
dial-up services such as analog, ISDN, and frame relay services. Additionally,
many staff have connections via "cable modems" such as RoadRunner and @Home.
Some people have multiple systems at home, connected via a small router (such
as an Ascend Pipeline) or a PC (running Linux or another UNIX-like OS) acting
as a router.

Home systems and networks are increasingly coming under attack from network
intruders. In the past 4 weeks, SDSC Security has received three reports of
home computer systems being completely compromised. One was connected via ISDN
to SDSC, one was on a cable modem, and the other was on analog dial-up. Two
were running Linux, and one was running FreeBSD UNIX. The intruders used these
systems as a platform to scan and attack *thousands* of hosts in the Internet.
In one case, the intruders may have examined files on a Windows 95 host on the
home network and probably could have deleted all the files on that host if
they had not been detected.

All users are reminded that:

  * the security of an operating system lies more in careful configuration
    than in the type of operating system;
  * all operating systems are shipped by the vendor in a NOT SECURE
    configuration;
  * all users are responsible for the security of their home systems, and may
    ultimately be responsible for the activities of intruders.

I. Description

On August 31st, a former SDSC staff member (who still has guest accounts)
reported that the 486 PC running FreeBSD and used as a router for his
RoadRunner cable modem connection had been compromised.
The intruders launched scans and attacks on several hundred Internet sites,
and attempted to gain access to a Windows 95 host on the same home network.
The intrusion method was the well-known "named/bind exploit", which gives the
intruder immediate remote root access to the host.

In mid-September, another full "root compromise" was reported; the method is
unknown. The host was running Linux, and again, several hundred Internet hosts
were probed.

In late September, reports of scanning and attacks from a host in the
remote.sdsc.edu domain were traced to another home system, running Linux. In
this case, the system was again compromised via the "named/bind exploit". The
system was running SAMBA and serving as a file server for Windows hosts. The
system was used to scan and attack several thousand Internet hosts. This host
was connected via ISDN.

In each case, a network sniffer was also installed which captured passwords
used to access SDSC and other sites.

II. Impact

Would-be network intruders commonly scan hundreds of thousands of hosts each
day, including those at SDSC and those connected to almost any ISP. Being
behind a "dial-up" connection, or being "obscure", is no protection. Cable ISPs
have become a significantly "target rich" environment for would-be intruders,
and a cable modem customer can expect to be scanned at least once per week. If
you have a vulnerable host, it *will* be found.

In each of these cases, the compromised hosts had to be re-installed from
scratch. People's privacy was invaded and they could have suffered actual
financial loss; in at least one incident the user's private financial data was
residing on a host attached to the same network. The network sniffers captured
user names and passwords used to access SDSC and other sites.

If the scanned and attacked sites had decided to pursue law enforcement
remedies, home computers could have been seized by law enforcement as evidence
and held for several months.

III. Solution
All users must be responsible for the security of their home systems,
especially if they are connected via an IP service such as PPP, ISDN or a
cable modem. All users must take an active role in maintaining their home
systems in a safe configuration, which often involves actively seeking
security vulnerability and patch information.

*** Unfortunately, SDSC is not able to provide specific information or
extensive consulting on computer security issues for home systems. This is a
liability issue as well as a resource issue. ***

Users are encouraged to *regularly* visit the web site for the vendor of their
operating system for vulnerability and patch information. Other security
references include:

  * The "BUGTRAQ Mailing list" is a medium volume mail list for discussion and
    publication of discovered bugs, vulnerabilities and patches, mostly for
    UNIX and UNIX-like operating systems. Vulnerabilities are often discussed
    here weeks before vendors make patches available, and sometimes months
    before CERT announcements are made. Information is available at
    http://www.lsoft.com/scripts/wl.exe?SL1=BUGTRAQ&H=NETSPACE.ORG

  * The "NTBUGTRAQ Mailing list" has the same charter as BUGTRAQ, but focuses
    on Microsoft products, especially Windows NT and Windows 9x. Information
    is available at: http://www.ntbugtraq.com

  * The CERT Coordination Center (CERT/CC) maintains general security
    information, pointers to other security-related sites, and releases its
    own security advisories. Information is available at: http://www.cert.org

Additionally, SDSC makes several tools available to avoid password sniffing
attacks, and all users are encouraged to use them. At the present time, SDSC
accepts plaintext passwords for access from some SDSC dial-up networks. This
policy will almost certainly change in the future. Cable modem users are
already required to use safer authentication mechanisms such as Secure Shell
(SSH) or Kerberos.
*** Users are *strongly* encouraged to use SSH (or Kerberos, where available)
for access to all SDSC and NPACI computers. ***

For general information on SDSC and NPACI security activities, see

  http://www.sdsc.edu/Security/References/security_faq.stable
  http://www.npaci.edu/Security

IV. Detecting an attack

Detecting an attack is very difficult, as one of the first things intruders
will do is destroy or modify system logs. Frequent examination of system logs,
sending logs to another host, noticing outbound network connections when no
one was home, and other "awareness" activities are a good start.

All users should ALWAYS check the "last login time and place" which is
presented each time they login to any UNIX system. For example:

------------
San Diego Supercomputer Center
CRAY T90 with 14 CPUs and 512 MW running UNICOS 10.0.0.2
Last login: Wed Jul 1 16:43:48 1998 from galt.sdsc.edu on /dev/ttyp059
------------

If this time seems unusual, or the host is not what you expect, please contact
SDSC HPC Consulting via the online support methods or by telephone at
+1.619.534.5100. After hours or on weekends you can reach SDSC Operations at
+1.619.534.5090 if you need urgent security assistance. SDSC Operations is
available 24 hours a day, and can page the on-call security person if
necessary.

*** NOTE: UNICOS hosts at SDSC display time in GMT (UTC) by default. Apply the
appropriate time-zone correction for your location. ***

If you find unusual files or directories in your account, or have files that
have been moved or removed, or other reason to believe that someone has made
use of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by Tom Perrine at SDSC.
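The "last login time and place" check from section IV, as an added example that is not part of the original bulletin: it parses the banner line shown there, applies the GMT-to-local correction the note calls for, and flags a login from a host or at an hour the user does not expect. The allowed-host list, the -7 hour (PDT) offset, the working-hours window and the second sample banner are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Banner format as printed at login on the UNICOS hosts described above.
LAST_LOGIN_RE = re.compile(
    r"Last login:\s+(?P<stamp>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})"
    r"\s+from\s+(?P<host>\S+)(?:\s+on\s+(?P<tty>\S+))?"
)

def parse_last_login(line):
    """Return (aware UTC datetime, origin host, tty) or None if unparseable.
    The bulletin notes UNICOS prints GMT (UTC), so the stamp is tagged UTC."""
    m = LAST_LOGIN_RE.search(line)
    if m is None:
        return None
    stamp = " ".join(m.group("stamp").split())   # collapse ctime-style padding
    when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return when.replace(tzinfo=timezone.utc), m.group("host"), m.group("tty")

def check_last_login(line, expected_hosts, utc_offset_hours, hours=(7, 20)):
    """Return a list of findings (empty means nothing looks unusual).
    expected_hosts: hostnames the user really logs in from (assumed allowlist).
    utc_offset_hours: user's local offset from UTC, e.g. -7 for PDT (assumed).
    hours: local [start, end) hour window in which the user normally logs in."""
    parsed = parse_last_login(line)
    if parsed is None:
        return ["unparseable banner: " + line.strip()]
    when_utc, host, tty = parsed
    local = when_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    findings = []
    if host not in expected_hosts:
        findings.append("unexpected origin host %s on %s" % (host, tty))
    if not hours[0] <= local.hour < hours[1]:
        findings.append("login at %s local, outside %02d:00-%02d:00"
                        % (local.strftime("%a %H:%M"), hours[0], hours[1]))
    return findings

# Constructed sample banners: the first is the one quoted in the bulletin,
# the second is an invented example of what a stranger's login might look like.
BANNERS = [
    "Last login: Wed Jul 1 16:43:48 1998 from galt.sdsc.edu on /dev/ttyp059",
    "Last login: Sat Sep 19 09:12:05 1998 from dialup-22.example.net on /dev/ttyp012",
]

if __name__ == "__main__":
    for banner in BANNERS:
        print(banner)
        for finding in check_last_login(banner, {"galt.sdsc.edu"}, -7):
            print("  !! " + finding)
```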
  San Diego Supercomputer Center: http://www.sdsc.edu
  National Partnership for Computing Infrastructure (NPACI): http://www.npaci.edu
  Pacific Institute of Computer Security:
    http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html
  San Diego Regional Information Watch: http://www.sdriw.org

VI. Disclaimers

Copyright 1998 San Diego Supercomputer Center. The material in this security
alert is for the use of the NPACI and SDSC user community, and may NOT be
reproduced or distributed, without prior written permission, in whole or in
part.