SDSC Security Bulletin 97.002

Original Issue Date: 1997/05/08
Version: $Id: 97.02.sniffed_passwords,v 1.2 1997/05/20 18:04:51 tep Exp $
Topic: "sniffed" passwords used to abuse SDSC account

________________________________________________________________________________

Recently there was a case of a person with accounts on SDSC machines having their username and password "sniffed" (eavesdropped from the network) at their home site. Intruders were able to make use of the user's account for a period of time, but no damage occurred. Users need to be aware that SDSC offers several authentication technologies that eliminate or reduce this risk, and also need to check the "last login time" messages to help detect this kind of activity.

I. Description

Recently, unusual activity on a user's account triggered an SDSC investigation. This unusual activity included logins from Brazil, logins from multiple sites simultaneously, and unusual files and sub-directories in the user's home directory. After contacting the user, it was determined that this activity was unauthorized, and appropriate steps were taken to stop it.

Notification to the user's home site (a U.S. university) caused an investigation there which turned up a password sniffer running on the user's desktop machine in their office. (Several other machines on the same network segment also had sniffers running.) This user's SDSC account information had been captured and used by the intruders to access the user's accounts at SDSC.

II. Impact

The intruder could have deleted all the user's data, even that which was stored in Unitree, or read the user's email. Fortunately, in this case, no damage to the user's data or programs occurred and the email was not read. The activity was limited to a single non-privileged account on a single machine. We have full accounting and network logs of all the activity, and there are no indications that any other users or their data were affected, or even at risk.
The intruders were interested in hosting a "Warez" FTP site, and nothing else.

III. Solution

SDSC makes several tools available to avoid password sniffing attacks: Kerberos, Secure Shell (SSH), S/Key and SecureNetKey (SNK) "smart" cards. For all of these, the software is freely redistributable and widely available (subject to US cryptographic export controls). SNK cards are available for purchase (approx. US$40) or may be made available to some SDSC users at no charge.

All of these technologies are currently available at SDSC on a "friendly user" basis, and are CURRENTLY optional. They are all moving towards full production status, and will become REQUIRED to access SDSC computers at some point in the future.

Kerberos V5 servers are running on all workstations and most supercomputers at SDSC. Kerberos client software is available in /usr/local/apps/krb5. Users must have Kerberos client software on their computers, and register with SDSC to receive a Kerberos "principal" (account and password). Information on Kerberos is available at:

    http://web.mit.edu/kerberos/www/index.html
    http://www.sdsc.edu/~schroede/kerberos_cug.html

SSH servers are running on all workstations and most supercomputers at SDSC. Kerberos client software will soon be available in /usr/local/apps/ssh. Users must have SSH client software on their computers. There is no special registration required to use SSH. Information on SSH is available at:

    http://www.sdsc.edu/projects/ssh/ssh.html

S/Key is an implementation of a challenge/response authentication system. Prior registration with SDSC is required. Information is available at:

    http://www.bellcore.com/SECURITY/skey.html

SNK cards are another implementation of a challenge/response system, using a credit-card-sized security token. Prior registration with SDSC is required.

If you are interested in using any of these solutions, contact the SDSC consultants (consult@sdsc.edu).
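Why a challenge/response scheme such as S/Key defeats a sniffer: each login discloses a value that is worthless once used. The following is an added illustration, not SDSC's or Bellcore's code; RFC 1760 S/Key uses MD4 folded to 64 bits plus a word encoding, and SHA-256 truncated to 8 bytes is substituted here only to show the mechanism. The secret, seed and chain length are constructed values.

```python
import hashlib

# Simplified S/Key-style one-time-password chain (added example, not SDSC's
# or Bellcore's code). Real S/Key uses MD4 folded to 64 bits and a word
# encoding; SHA-256 truncated to 8 bytes stands in for it here.

def step(value: bytes) -> bytes:
    """One link of the hash chain: hash and fold to 8 bytes."""
    return hashlib.sha256(value).digest()[:8]

def chain(secret: str, seed: str, n: int) -> bytes:
    """H^n(seed || secret); the client computes this for the challenged n."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = step(value)
    return value

class SKeyServer:
    """Stores only H^n, never the secret, so a copied server file cannot
    produce the next response either (H is one-way)."""
    def __init__(self, secret: str, seed: str, n: int = 100):
        self.seed = seed
        self.count = n
        self.stored = chain(secret, seed, n)

    def challenge(self):
        """Sequence number and seed the client must respond to next."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff one more hash of the response equals the stored value,
        then advance the chain so the same response can never be reused."""
        if self.count <= 1 or step(response) != self.stored:
            return False
        self.stored = response
        self.count -= 1
        return True

def demo_replay_rejected(secret: str = "correct horse", seed: str = "sd9701"):
    """Legitimate login succeeds; replaying the sniffed response fails."""
    server = SKeyServer(secret, seed, n=50)
    count, seed = server.challenge()
    response = chain(secret, seed, count)
    first = server.verify(response)
    replay = server.verify(response)   # eavesdropper replays the same value
    return first, replay
```

A sniffer on the client's network segment sees only `response`, which the server will never accept again; the reusable password seen in this incident was the whole problem.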
Remember that all of these are in the "friendly user" phase, and while they are quite robust, SDSC does not have a complete production-quality support infrastructure in place as yet.

For general information on SDSC Security Activities, see:

    http://www.sdsc.edu/Security/References/security_faq.stable

IV. Detecting an attack

All users should ALWAYS check the "last login time and place" which is presented each time they login to any UNIX system:

------------
San Diego Supercomputer Center
CRAY C90 with 8 CPUs and 256 MW running UNICOS 9.0.1ai
Last successful login was : Tue Apr 8 21:06:32 from galt.sdsc.edu
------------

If this time seems unusual, or the host is not what you expect, please contact SDSC Operations at +1.619.534.5090 immediately. SDSC Operations is available 24 hours a day, and can page the on-call security person if necessary.

If you find unusual files or directories in your account, or have files that have been moved or removed, or other reason to believe that someone has made use of your account, please contact SDSC.

V. Acknowledgments

Information in this bulletin was produced by Tom Perrine.

San Diego Supercomputer Center: http://www.sdsc.edu
Pacific Institute of Computer Security: http://www.sdsc.edu/GatherScatter/GSspring96/perrine.html
San Diego Regional Information Watch: http://www.sdriw.org

VI. Disclaimers

Copyright 1997 San Diego Supercomputer Center. The material in this security alert is for the use of SDSC's user community, and may NOT be reproduced or distributed, without prior written permission, in whole or in part.
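The "last login" check in section IV is the user's view of the same accounting data an administrator can scan automatically for the two indicators named in section I: logins from an unexpected place, and logins from multiple sites at the same time. The following is an added example, not SDSC's tooling; the log lines are constructed in a simplified `last`-like layout (user, remote host, login and logout time), and the allowlist of expected domains is an assumed per-user setting.

```python
from datetime import datetime
from itertools import combinations

# Constructed login records (added example, not SDSC's accounting logs):
# user, remote host, login timestamp, logout timestamp.
SAMPLE_LOG = """\
tep galt.sdsc.edu 1997-04-08T21:06 1997-04-08T22:10
tep galt.sdsc.edu 1997-04-09T09:15 1997-04-09T11:40
tep dialup7.example.br 1997-04-09T10:02 1997-04-09T13:30
tep ws12.univ.example.edu 1997-04-10T08:00 1997-04-10T09:00
"""

# Assumed allowlist: domains this user normally logs in from.
EXPECTED_DOMAINS = ("sdsc.edu", "univ.example.edu")

def parse(log: str):
    """Turn each log line into (user, host, start, end) with datetimes."""
    records = []
    for line in log.splitlines():
        user, host, start, end = line.split()
        records.append((user, host,
                        datetime.fromisoformat(start),
                        datetime.fromisoformat(end)))
    return records

def unexpected_hosts(records, expected=EXPECTED_DOMAINS):
    """Hosts outside the user's usual domains (the 'login from Brazil' case)."""
    return sorted({host for _, host, _, _ in records
                   if not host.endswith(expected)})

def concurrent_sessions(records):
    """Overlapping sessions for one user from two different hosts, the
    'logins from multiple sites simultaneously' indicator."""
    hits = []
    for a, b in combinations(records, 2):
        same_user = a[0] == b[0]
        different_host = a[1] != b[1]
        overlap = a[2] < b[3] and b[2] < a[3]   # intervals intersect
        if same_user and different_host and overlap:
            hits.append((a[0], a[1], b[1]))
    return hits
```

On the constructed sample, the Brazilian dial-up host is reported by `unexpected_hosts`, and its session overlapping the legitimate galt.sdsc.edu session is reported by `concurrent_sessions`.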