-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________

                    Silicon Graphics Inc. Security Advisory

        Title:   Network Snooping and Promiscuous Network Interfaces
        Title:   CERT CA-94:01 Ongoing Network Monitoring Attacks
        Number:  19940301-01-I
        Date:    February 22, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community for its
consideration, interpretation and implementation. Silicon Graphics recommends
that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising from
the use of, or failure to use or use properly, any of the instructions or
information in this Security Advisory.
________________________________________________________________________________

Silicon Graphics acknowledges this issue as reported by the CERT Coordination
Center. The issue as reported involves capturing account names and passwords
as new FTP, telnet and rlogin sessions are started between two systems on a
network. Silicon Graphics engineering has investigated this issue and has the
following observations and recommendations.

A. All systems can snoop network traffic

   Provided with the correct hardware and software combination, most computer
   systems today can be used to capture or "snoop" network traffic. This is
   normally a function left to protocol analyzers and network monitoring
   devices, but technical advances allow even a minimally configured personal
   computer to accomplish the same task. This means that every system on a
   network is a potential platform for snooping traffic. A complete inventory
   of all systems connected to a network, the network topology and the
   snooping capability of each network connection is useful in determining a
   particular site's exposure to this kind of activity.

B. /dev/nit

   The Silicon Graphics IRIX operating system does not make use of the
   /dev/nit network interface file. There is also no equivalent under any
   other filename on the system.

C. Network interface promiscuous mode

   Promiscuous mode for a network interface means that the network interface
   has been put into a state of operation in which each and every network
   packet is picked up, regardless of whether it is addressed to this host's
   interface or not.

   Use of promiscuous mode is normal for the IRIX operating system in order to
   accomplish certain network tasks. This normal use is controlled by the IRIX
   kernel and is privileged and protected, making it unavailable to users. It
   is not possible to remove this operation from the kernel.

   Additionally, network monitoring programs such as the SGI NetVisualyzer
   product also use promiscuous mode to do their work. This is acceptable
   behavior, since the purpose of these products is to capture and monitor
   network traffic. Since these tools can be used for bad intent as well as
   good, these products generally require root or special predefined
   privileges in order to be used on the system.

   At any time, should the system root account be compromised or privileged
   promiscuous mode software be misconfigured, network snooping can occur.

D. Root privileges

   Restricted use of the root account, root password and su privileges is
   very prudent. Denial of these privileges to the general user is both
   necessary and sufficient to prevent a user from using an IRIX workstation
   to perform network snooping. If access to these elevated privileges is not
   limited, a system could be compromised, potentially resulting in various
   unauthorized activities, including network snooping.

E. Social engineering

   It is often reported by compromised sites that the most common factor
   contributing to break-ins is the weakest link: people. Parties with bad
   intentions will often use techniques to obtain information from insiders
   in order to gain access to systems. This is known as social engineering.
   Social engineering relies on the way people behave and on how that
   behavior can be manipulated in order to get information that helps in
   gaining access to a system. Examples include people giving out passwords
   and other access information to persons who claimed to work for other
   divisions of their companies, displaying accounts and passwords on post-it
   notes on terminals, and using easily guessed passwords (birthday, employee
   number, name, etc.). Only user community education regarding security and
   awareness of social engineering can help to strengthen this area of
   weakness.

F. Clear text transmission of passwords

   Presently, the implementation of the TCP/IP protocol does not define any
   mechanism to prevent network snooping of transmitted, reusable, clear-text
   passwords on a network. However, if a site desires enhanced security,
   there are a number of commercial and public software packages that
   implement encrypted and/or one-time-use password schemes.

- ------------------------------------
- --- Further Information/Contacts ---
- ------------------------------------

For obtaining security information, patches or assistance, please contact
your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com .

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMLtq27Q4cFApAP75AQFqOgQAqksjC+ggjT0H0iCcbHECVuBESP4E6+KF
6m1DWnk+pGEoh0ni0Jw519Qa4Lb3Y7HvGxPoUHMy/BJIQOGTY4O7j99Td+2IjNHv
FAWR36C3+cZUm3aubaeP7jl4ClrQmAPSTM7UAf3d1VEW8XiQN4QQ502TnsCDJHwN
8tcdCsxWvak=
=RnEJ
-----END PGP SIGNATURE-----
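The check below is an added example and is not part of the SGI advisory or of any SGI tool. It audits a host for interfaces left in promiscuous mode, the condition section C says can follow a root compromise or a misconfigured monitoring program, so that an administrator can verify the state of each network connection as section A recommends. It assumes the text format of the Linux `ip link show` command (an assumption; the advisory's IRIX systems would need a platform-specific equivalent), and the sample output embedded in it is constructed, not captured from a real host.

```python
"""Audit network interfaces for the PROMISC (promiscuous mode) flag.

Added example, not from the SGI advisory. Assumes the output format of
Linux `ip link show`; the sample output below is constructed.
"""
from __future__ import annotations

import re
import subprocess

# Matches the header line of each interface in `ip link show` output, e.g.
#   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
# Group 1 is the interface name (a VLAN "@parent" suffix is skipped),
# group 2 is the comma-separated flag list inside the angle brackets.
_HEADER = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")

# Interfaces on which promiscuous mode is expected (a monitoring port, a
# bridge member). Everything else found in PROMISC mode is reported.
DEFAULT_ALLOWLIST: frozenset[str] = frozenset()


def parse_interfaces(ip_link_output: str) -> dict[str, set[str]]:
    """Return {interface name: set of flags} parsed from `ip link show` text."""
    interfaces: dict[str, set[str]] = {}
    for line in ip_link_output.splitlines():
        m = _HEADER.match(line)
        if m:
            name, flags = m.group(1), m.group(2)
            interfaces[name] = {f for f in flags.split(",") if f}
    return interfaces


def find_promiscuous(ip_link_output: str, allowlist=DEFAULT_ALLOWLIST) -> list[str]:
    """Sorted names of interfaces in PROMISC mode that are not on the allowlist."""
    ifaces = parse_interfaces(ip_link_output)
    return sorted(n for n, f in ifaces.items() if "PROMISC" in f and n not in allowlist)


def audit_live(allowlist=DEFAULT_ALLOWLIST) -> list[str]:
    """Run `ip link show` on this host and return unexpected PROMISC interfaces."""
    result = subprocess.run(["ip", "link", "show"], capture_output=True, text=True, check=True)
    return find_promiscuous(result.stdout, allowlist)


# Constructed sample output (not captured from a real host): eth0 has been put
# into promiscuous mode unexpectedly, while eth1 is a bridge member where the
# flag is expected; the VLAN interface shows the "@parent" name form.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    # Running against the constructed sample reports only eth0.
    for name in find_promiscuous(SAMPLE_IP_LINK, allowlist={"eth1"}):
        print(f"unexpected promiscuous interface: {name}")
```

Interfaces where promiscuous mode is legitimate go on the allowlist, so the check can be run from a periodic job and only reports interfaces whose state has changed since the allowlist was written; `audit_live` is the entry point for a real host, and needs no special privileges because reading interface flags is unprivileged.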