Security Scene Errata


(CERT advisory in question:
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html)

TCP/IP "hole" leads to alert
By Jim Hu
December 22, 1998, 6:20 p.m. PT
http://www.news.com/News/Item/0%2C4%2C30250%2C00.html?sas.mail

 A "hole" in the underlying language of the Internet could allow hackers to
break into systems and cause an array of damage to targeted Web sites,
according to a government-funded computer security watchdog. 

[Remember that he clearly states "break into systems and cause
an array of damage..."]

    Vulnerable systems could encounter intruders who may use their sites as
a launch pad for other attacks, according to the Computer Emergency
Response Team Coordination Center, best known as CERT, which yesterday
issued an advisory about the security concern.

["use their sites as a launch pad" once again.]

    Most of the hardware running the Internet is not vulnerable to the hole
in the TCP/IP protocols, CERT says.

    But vulnerable systems are subject to "IP spoofing," in which a
perpetrator uses the security hole to break into a site and take over its
IP address. Once that happens, the intruder can then send packets under the
guise of the compromised address. 

[BUZZ. IP Spoofing does NOT entail breaking into a site, at all.]

     Intruders can then target other sites, causing machines to "crash,
hang, or behave in unpredictable ways," the report said. The method of
attack is similar to a "denial of service" attack, in which intruders don't
actually break into a site, but block access by flooding it with email or
Web traffic.

[At first it is a hole that allows entrance into a system..
then it is an IP Spoofing problem.. now it is "similar" to a Denial
of Service attack. Three completely different classes of attack.]

    This kind of attack is worse because it involves an actual break-in,
according to security experts. Additionally, intruders can conceal their
true location. 

[The advisory explicity states that remote users may crash or
hang the machine. NOT break in.]

    "Denial of service attacks ... are just aimed at preventing someone
from using their own computers," said  AT&T Labs Research Fellow Steven
Bellovin. "In this case, an enemy can send some packets that will crash
certain operating systems."

    Ironically, "There is rarely any direct benefit to the attacker,"
Bellovin added. "It's usually the electronic equivalent of kids who walk
down the street snapping off car antennas."

    The exploitation of TCP/IP vulnerabilities are not as rare as many
think, according to security experts. But only lately have computer systems
focused on developing defenses against them.

    "There are a lot of IP spoofing methods, and until very recently all
systems were vulnerable to this," said Fred Cohen, a security expert at
Sandia National Laboratory at Livermore, California. "It's widespread and
it has caused a lot of problems." 

    CERT has also posted solutions to the exploit. The group recommends
that sites reconfigure their routers or firewalls and install filtering on
the routers to prevent IP spoofing attacks.

    Other experts suggest still more measures. 

    "The solution is to be really anal about the way you deal with trust
relationships [with other sites]," said David Kennedy, security analyst at
the International Computer Security Association. "Sites should require
passwords, or some type of encryption."

    Systems from Berkeley Software Design and FreeBSD reported that they
are vulnerable to the TCP/IP exploit.

    Hardware manufacturers immune to attacks include: Cisco, Fujitsu,
Hewlett-Packard, IBM, Livingston Enterprises, Computer Associates,
Microsoft, NEC, Sun  Microsystems, and Wind River Systems.