-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-95.05                        AUSCERT Alert
                                                         November 3, 1995

                    Increased Network Monitoring Attacks
- -----------------------------------------------------------------------------

There has been a dramatic increase in intruder activity in recent weeks.
The intruders have a wide range of tools for breaking into computer
systems and have caused malicious damage to some sites. Network sniffers
are being widely deployed, netting the intruders unauthorised access to a
large number of accounts. The intruders are very careful to remove most
traces of their intrusions on computer systems.

No specific platform or version of Unix is being targeted, and the
intruders are familiar with most versions of Unix. Access to non-Unix
systems has been gained through the unauthorised use of accounts whose
passwords have been obtained via network sniffers.

The intruders are exploiting well-known vulnerabilities and
misconfigurations of computer systems, for which solutions are already
available.

Analysis of incident trends over the past two years indicates a
significant increase in intruder activity during the months of November
and December. This may be due to the end of the academic year, combined
with general staff shortages as staff take summer holidays. In particular,
the week between Christmas and the New Year is notorious for unnoticed
computer intrusions.

AUSCERT advises sites to take the time now to review their computer system
and network security as a matter of priority.

Alec Muffett, Sun Microsystems Network Security Engineer, stated:

    "Even if a host has been 'locked down' in accordance with some
    comprehensive security policy, as time progresses more people will
    become aware of the host's existence, and hitherto undiscovered flaws
    in its hardware, software, or inadequacies in the standard to which it
    was secured, will come to light.

    In short: even though the machine per se does not change, its
    defences weaken as more becomes known about them." [1]

A number of documents to assist system administrators with security issues
can be found on the AUSCERT ftp server. Particularly useful documents are
the AUSCERT Unix Security Checklist [2], CERT Advisory CA-94.01 [3],
AUSCERT Alert AL-95.01 [4], and the CERT Security Information text [5].

A number of tools to assist system administrators in assessing the security
of computer systems can be found on the AUSCERT ftp server, including
COPS [8] and TAMU Tiger [9].

It is imperative that all security-related vendor patches are applied.
Some patches are available on the AUSCERT ftp server [6]. For a complete
list of relevant patches for your system, contact your vendor
representative.

Any network services not required outside of your organisation should be
filtered at the router. This particularly applies to X11, NFS, "r"
commands, and TFTP. Filters should be installed to prevent IP spoofing
attacks (see CERT Advisory CA-95.01 [7]).

Any network services not essential to the correct operation of the
computer system should be disabled.

The effective use of TCP Wrappers [10] provides increased access control
and logging.

The correct use of Tripwire [11] will greatly assist in the rapid recovery
from any computer intrusion, provided the Tripwire database was created
and protected using a known secure system (refer to the Tripwire
documentation for further details). Tripwire may also be beneficial in
the early warning of intruder activity on the system.

[1]  Muffett, Alec, "WAN-hacking with AutoHack - Auditing security behind
     the firewall", Proceedings of the 5th USENIX Unix Security Symposium,
     6th June 1995.

[2]  ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist_1.0

[3]  ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-94:01.network.monitoring.attacks

[4]  ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-95.01.Ongoing.Network.Monitoring.Attacks

[5]  ftp://ftp.auscert.org.au/pub/cert/tech_tips/security_info

[6]  ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
     ftp://ftp.auscert.org.au/pub/mirrors/ftp.sgi.com/
     ftp://ftp.auscert.org.au/pub/mirrors/sgigate.sgi.com/
     ftp://ftp.auscert.org.au/pub/mirrors/software.watson.ibm.com/

[7]  ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-95:01.IP.spoofing

[8]  ftp://ftp.auscert.org.au/pub/cert/tools/cops/1.04/

[9]  ftp://ftp.auscert.org.au/pub/mirrors/net.tamu.edu/tiger*

[10] ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/tcp_wrappers_7.2.tar.gz

[11] ftp://ftp.auscert.org.au/pub/coast/COAST/Tripwire/tripwire-1.2.tar.Z

- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.

AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld.  4072.
                AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMJqUDyh9+71yA2DNAQF8ywP9Hu9M9iuFTbsdUXbv2uiCvflj9zPPMIlO
tY8CEOux1Y6wllb0oG1SRSB7DLEc6bZN0hQLK4+FW5rPipWtDUeAcTSeX2LyhVAA
4aU73GGFSdAvX7FhPLTzBSgQKHPrJuzPcYSzlJrucvKBGhZ3ekWMEZcKoEKCyO+8
lvqC5L5N3zs=
=ZVp+
-----END PGP SIGNATURE-----
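Appended after the signed message as an added example (it is not part of the AUSCERT alert and is not Tripwire's own code), the following Python script shows the integrity-checking idea behind the Tripwire advice above: build a baseline of file digests and metadata while the system is known to be clean, keep that baseline somewhere an intruder cannot rewrite it, and later diff the live file system against it to flag added, removed and modified files. The directory tree, file names and contents are constructed for the demonstration; a real deployment would walk the system directories and store the serialized baseline on read-only or offline media.

```python
"""Minimal Tripwire-style file integrity check (added example, not
AUSCERT's or Tripwire's code).

build_baseline() records a SHA-256 digest, permission bits and size for
every regular file under a root directory; compare() reports the
differences between two such records.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative path) to its digest, mode and size."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # this minimal example ignores symlinks and devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return sorted lists of paths that were added, removed or modified."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"#!/bin/sh\necho original login\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/:/bin/sh\n")

        # Serialize the baseline as a Tripwire database would be written.
        # In practice this must be created on a known-clean system and kept
        # where an intruder cannot alter it (read-only or offline media).
        saved = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated post-intrusion state: one binary replaced by a file of
        # the SAME size (only the digest reveals it), one unexpected new
        # file, and one file deleted.
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced login\n")
        with open(os.path.join(bindir, "extra"), "wb") as f:
            f.write(b"unexpected file\n")
        os.remove(os.path.join(root, "passwd"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same-size replacement in the demonstration is why a content digest, not just size or timestamps, belongs in the baseline; and because the check trusts whatever baseline it is handed, the baseline's storage is the part that must be protected, exactly as the alert's proviso about a "known secure system" says.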