0blivion nº3:(0blivion3.txt):15/03/2000
[ ASCII-art "0blivion" logo ]
                        M a g a z i n e

                    -=[ Oblivion Magazine ]=-
               -=[ http://www.oblivion-mag.org.uk ]=-

         Feer Us F00ls, Because We Are Gaining R00t On You

                    -=[ Editor: Cyber0ptix ]=-
                  -=[ cyberoptix@email.com ]=-
                -=[ Assistant Editor: Slider ]=-
                 -=[ Slider_100@hotmail.com ]=-

                    Being Sane is a Dream To Us

               -=[ IRC: #OBLIVIONMAG on EFnet ]=-
                    Join Us And Dream Dreams

             -----------------------------
               Designed On 800x600 Resolution

                  -=[ Issue 3 - 15/05/2000 ]=-
                        The Third Coming

                       -=[ Contents ]=-

  ---------------------------------------   ----------------
  [ Articles                            ]   [ Author       ]
  +-------------------------------------+   +--------------+
  [ Contents                            ]   [ Slider       ]
  [ Introduction to Issue 3             ]   [ Slider       ]
  [ Deputy Editors Rant                 ]   [ Cyber0ptix   ]
  [ Interview with Cancer Omega         ]   [ Cyber0ptix   ]
  [ *Basic* Network Architecture        ]   [ Virtual_Byte ]
  [ Overview Of OS/400 and Security     ]   [ Slider       ]
  [ Interview with Munge                ]   [ Cyber0ptix   ]
  [ Using VN Clouds as a...             ]   [ LockDown     ]
  [ LDAP - Explained and Secured        ]   [ Slider       ]
  [ The Underground, How deep is it?    ]   [ Strafe       ]
  [ This Months News                    ]   [ Slider       ]
  [ Using a RSVP as aid in creating...  ]   [ LockDown     ]
  [ Hax0ring Bouncers !                 ]   [ Slider       ]
  ---------------------------------------   ----------------

  We stand at the precipice of a grave threat to our public health....
  It affects people from all walks of life, in every state, in every
  country. And unless we do something about it soon, it will kill more
  people than AIDS. Hepatitis C
                    -- C. Everett Koop, Former U.S. Surgeon General

----------------------------------------------

**********************************************
Issue 3 Introduction - Slider
**********************************************

Well, it's the third coming of Oblivion and you might have noticed that I'm editing this month. Why? Caus I asked, and Cyber gave, aint he nice :]

This month is a tiny bit special because, as I was in charge, I decided to change the outline of the zine to what I wanted, and the specifications of articles :P Also we have gone a little more technical thanks to Lockdown and his theories, and generally I got my head down and wrote some better articles. Also Cyber approached Attrition.org, bowed his head, got on his knees and pleaded for an interview, and they gave it cos they feer'd... No honestly they did, no really... So exactly what did you give them Cyber to get the interviews?

Anyways, what have I been up to? Well... I have been on holiday and stuff, and been to my mate's funeral, who was involved in a car crash on Friday 28th / Saturday 29th May and was put onto a life support machine until the Monday, when it was switched off. He was a good friend and only 3 days before I had spoken to him in a club, both blotted. Anyway, life goes on and we must party hard, drink too much and get blotted :] And o yeah, do some work once in a few years.

So here's issue 3, hope you like it, and this month we have had some audience participation :]~ I also have had some good comments from followers, congratulating us on our work. I would like to say thank you; the more comments we get the better we can upgrade our work. We also want more articles from you, the audience, because you make it what it is. I also want some requests for articles, caus like I said you make it what it is.

I would also like to thank 809, 2600-UK, [Spammy] and Nynex, Spaceman, Abbattis, Sadarar, Si, and other friends. I would like to say thank you to Hacker News Network, and to Net-security for putting us on their sites.
We had about 1000 hits in the first day, and we have been getting articles sent in, which have been included in this month's issue. If yours has not been added, then you should know why, because we emailed you back the reason :]

Exploits haven't been added this month, due to the fact I ran out of time... They will be in next month's, bigger and better than normal with a few changes.

Also what amused me was when someone on IRC asked me if the UK was really like it is portrayed in "Lock Stock and Two Smoking Barrels". Let's just say he aint coming over here... Period... hehe

Feer Us f00ls Or We Will Shoot Your Knee Caps Off

Also, ANARCHY SUCKS ASS... So don't bother doing it f00ls cos I will shoot your kneecaps off :]

Also it was noted this month that Ali G is getting letters from a group called Combat 18. Guys, he is taking the piss out of black/white culture and how it is inter-linked into today's society. The guy is a genius in the eyes of many, including myself. If it is because he is Jewish, then get a life, because this kind of racism is not wanted in today's world, nor will it be tolerated. If it was not for the culture of Jewish people to be non-racist or for its non-violent nature, then I would personally cart you to the nearest country where they hang out and help them give you the kicking you deserve.

Slider.

  AGHHH SHIT, I'VE BEEN SHOT. I DONT FUCKING BELIEVE THIS...
  COULD EVERYONE STOP GETTING SHOT?
                    -- LOCK, STOCK AND TWO SMOKING BARRELS

----------------------------------------------

********************************
Deputy Editors Rant - Cyber0ptix
********************************

So you've just decided to read the deputy editor's section of this month's zine and what do you find? Me, writing the deputy editor's slot! NO, it's not an error in the editing. We decided to let Slider edit this month's zine, for a few reasons. Firstly I have a lot on with work and Uni at the moment, and it just so happened that Slider said he would like to edit an issue. So this is it.
Hopefully over the next few months we will be able to get different members of the team to take a turn at editing issues, so that they can appear different and not start to look stale and the same each month.

Well another month has passed in the life of Oblivion, and yes we do seem to be getting more popular, both with hits to the website and people joining in the fun on #oblivionmag on EFnet.

Well this month we seem to have gained a new writer to the team, Lockdown. If ya aint already read any of his articles in this month's issue then I would advise you to make sure you do, as this bloke is just plain mad ;) but he also knows a thing or two about networking and has written some excellent texts on network protocols and security.

Well the team at Oblivion have kind of decided to change direction a little. This doesn't mean we will not be bringing you the quality articles every month that you have grown to love ;) but we are going to be changing a few things around. Anyway, enough of that for now; at the moment we have postponed any changes until the release of issue 4, which will be on the 15th of June. Just make sure you go to www.oblivion-mag.org.uk to get your latest copy and all will be revealed then ;) If you're on the mailing list, don't worry, we will be sending out full details of the changes when we send you issue 4.

So what will you be expecting? Well we are currently developing a new website, which along with all the issues of the magazine, will carry all the latest news, links to some of the best resources on the net, and a large file area with files on all aspects of computer security. Well that's enough about that for now.

So what else has been happening this month? Well no doubt you saw on the news about the 'Love Bug'. Well for some reason the world seems to have woken up to the reality of computer security. Sometimes the worst things make people realise what is possible.
If everyone wasn't so hell bent on using Microshaft products then maybe it would have just passed by like the majority of viruses/worms that appear and no-one takes any notice of.

Cyber0ptix

-------------------------------

**********************************************
Cancer Omega Interview - Cyber0ptix
**********************************************

Interview with Cancer Omega, member of the top class Attrition.org site.

Q1) Introduce yourself?

Cancer Omega. Former "token fed" of Attrition (now ex-NASA). I perform updates to the system where requested and do occasional PERL & shell scripting to make tasks simpler for Attrition Staff. I also do occasional paper authoring that goes up in various Attrition sections. I'm also the maintainer of the Attrition "Firearms Demystified" section.

Q2) When did you get into the computer Underground?

That would have been in the mid '80s during the BBS craze. I stayed largely on the periphery as it was apparent that anyone who went out for publicity was generally subject to LE investigation. Times are much different now.

Q3) Why do you run attrition.org?

Why not? As Attrition is a not-for-profit site and has no political masters to serve, it is an excellent vehicle by which the unadulterated and non-sugar-coated truth about security may be told. We don't have a product to pitch, nor do we have capital interests to serve. While this does limit our "authority" in the eyes of some, it is incredibly liberating in that we can go in whatever direction we see fit.

Q4) What do you think of 'crackers'?

I have no respect for them. They could be utilizing their time in far better ways.

Q5) Have you ever defaced a website?

No.

Q6) What was your first computer?

Timex Sinclair ZX80 with a whopping 16K of RAM. ;-)

Q7) What Systems do you have set-up at home?

Two Windows boxes, and two Solaris 7 (x86) boxes in progress. One Sparc 1 that's in serious need of a lobotomy.

Q8) What Operating Systems do you most rate?
I'm not sure I understand the question. Can you rephrase?

< What O/S do you most like? Mine's OS400 :]~ - Slider >

Q9) What, in your opinion, is the most secure Operating System?

Out-of-box install: OpenBSD. Modified/locked-down install: Just about any flavor of UNIX. Bottom line: a system is only as secure as its admin is competent.

Q10) What do you think of the state of the Underground today?

These days, especially in the States, the bulk of the underground has been taken over by juvenile angst and egotistical posturing. The pure research and discovery of vulnerabilities has long since moved to above-board specialists like the l0pht and other groups who make full disclosure their policy.

Q11) Who do you most respect in the Underground?

As I mentioned in my previous reply, most of the skilled people aren't really "underground." They're above-board. With that in mind, the people I respect most are the l0pht crew, the people at dis.org, eEye and others.

Q12) Who were your mentors, when you started to get into the Scene?

When I first started, anyone who did original work accorded much respect in my book. I was never actually mentored by any one person. Quite often it was more a case of me visiting with them, learning what resources (books, periodicals, and so on) they deemed of value, and pursuing those resources myself. I wasn't much of a social creature when I was younger, but I've broadened my social scope since I've grown older.

Q13) Have you ever read Oblivion Underground Magazine?

Until now, no.

Q14) Do you think you will ever read it?

Possibly. Judging from the site content, it looks pretty new. Time will tell.

Q15) What do you think of people getting arrested for hacking?

If you mean people who defaced websites getting arrested, I'd say the criminal investigation is misguided. It seems a waste of time and money to run around tracking down kids who did little more than digital graffiti.
It strikes me as far more advisable to spend said time and resources on educating admins so their machines aren't such easy targets. On a tangential note, I find the turbo-legal harassment of hackers (like those who created the DVD encryption crack and the CyberPatrol crack) to be utterly criminal. The people being persecuted in these cases did nothing more than show inherent flaws in a system that was touted as secure. In my view, those hackers should not be on trial; the people who developed said insecure products should.

Q16) What do you think of 'skript kiddies'?

Apart from readily demonstrating that most admins on the 'net don't have a clue about security, they have no purpose.

Q17) What other groups have you ever belonged to?

None, really. I prefer to be solely responsible for my own actions. Being in groups tends to foster issues of "guilt-by-association" and sometimes charges of "conspiracy" that I'd sooner avoid. It's better to say that I have friends with whom I share common interests.

Q18) Do you ever admire any of the 'crackers' that you mirror on attrition.org?

While I don't admire the crackers of the present day, there were some historic website defacements that I found amusing or elegant in some way. But the vast majority of defacements are just a waste of space.

Q20) Any greets?

I'd like to say hello to my Mum & Dad. Dad used to say that I was wasting my time with my computer hobby. ;-)

Q21) Any links you wanna plug?

http://www.attrition.org/technical/firearms/

.c

----------------------------------------------

**********************************************
AN INTRODUCTION TO NETWORKS - Virtual_Byte
**********************************************

Virtual_Byte@hotmail.com

Ok, I was just reading through an interview with Slider and he describes his systems at home. And I was thinking, shit, how many people would really understand all this? Cause I had to go through it twice.
< Well, it did take 1 1/2 years to get everything and put it together - Slider >

So I came to a conclusion... write an article on networks. Since I know a little about this I thought wicked. So here I go.

First I will tell you about basic communications.

Simplex - This allows communication in one direction only. Must switch between transmit and receive on an agreed signal.

Duplex - Two channels, one for each direction, and both permanently available.

Half Duplex - A single channel that may be used for communication in either direction but not at the same time.

Asymmetric Duplex - Same as duplex but one direction has a lower transmission speed than the other.

Network topologies.

- Different shapes and layouts of the network.
- Each terminal is referred to as a Node.
- Host is the central computer that controls the network.
- Subnet is the type of communication within the network.
- Methods of data transmission:
  - Point to Point. Only goes to the addressee.
  - Broadcast. Goes to all stations, which read the address to see if the message is for them.

I will start to go through the different topologies.

Star - This type has a central computer known as a hub, and a number of nodes which each have a separate connection to it. This type of network is good for LANs (Local Area Network) and for WANs (Wide Area Network). This uses Point to Point transmission for communication. A hub can be a big PC, or even a minicomputer or a mainframe, usually determined by the size of the network. If it's a bigger network there will be more activity and it will put more strain on the hub.

< A hub can also be a multi-port terminal that allows extra ports on the network. You can pick up a cheap one from Net Gear, which has 4 ports, and allows for master connections - Slider >

Ring - This is only suitable for LANs or MANs (Metropolitan Area Network). All the nodes are in a ring. There is no hub. None of the nodes have overall control over the network.
But one node is used to monitor and control communications. All communication is in one direction. Broadcast is used for communication.

Bus - Here all the nodes are connected along the same cable in one line. The ends are left open, which means there is nothing at the ends. Data is transmitted in both directions in a broadcast manner.

It is possible to connect these together. So you may want a small Star network connected to a Ring network, or whatever.

INTERNATIONAL NETWORK STANDARDS

ISO OSI (International Standards Organisation, Open Systems Interconnection)

The ISO OSI model is used to define the ways in which different computer networks can be connected with each other. Without standards such as this it would be impossible to work towards the idea of a global communications network. The ISO OSI model is a comprehensive structure for data communications so that different systems can be connected. This is a very complex task and it is subdivided into seven different subtasks.

These are all at the software level:
 - Application layer
 - Presentation layer
 - Session layer
This is the interface:
 - Transport layer
These are the hardware considerations:
 - Network layer
 - Data link layer
 - Physical layer

I would now like to go on into error detection and collisions, and how networks avoid or detect them.

Carrier sense multiple access (CSMA)

This method of access control is used on broadcast systems such as the bus network. Each device is theoretically free to transmit to any other device at any time.

First, Carrier Sense means that the NIC (Network Interface Card) listens to the medium to check whether there is any activity on the wire. The wire is, of course, the carrier, and the interface card is sensing whether the cable is busy when a packet is ready for transmission. This is sometimes known as Listen Before Transmission. If the NIC can 'hear' activity on the cable it waits until the line is clear. Generally the delay will be in the region of a few millionths of a second.
Second, Multiple Access means that it is quite possible for more than one station to be ready and waiting with data to send. It is therefore multiple access since many stations could in theory transmit simultaneously in order to gain access.

Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

Since it is possible that two stations will transmit simultaneously, action must be taken if and when a collision occurs - so a network interface must be in a position to (a) detect a collision, (b) take appropriate steps to alert other stations that a collision has occurred and (c) re-transmit a packet which has been in a collision.

- Collision Avoidance (CSMA/CA)

This strategy attempts to improve on that of CSMA/CD, which allows a device to place a packet onto the network path as soon as its network card detects it as being free. In the time between the test (measured in fractions of a microsecond) and the placing of the packet onto the path, another device's network card may have determined the path as free and be about to place another packet onto it. CSMA/CA seeks to remedy this problem by requiring a device's network card to test the path twice: once to see if the path is free, and a second time, after alerting the device that it may use the network, but before the packet is placed onto the path.

And I think that leaves you with a better understanding of networking. So you can go away now and build small networks at home.

< NetGear supply a nice hub and two NICs for about 50ish English Pounds, dunno what the cost is overseas, so drop me a line and tell me - Slider >

Anyway, hope you enjoyed the article. I'm sure you'll see many more from me. Any comments or anything, please don't hesitate to email me.
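To make the listen-before-transmit, collision-detect and re-transmit cycle above concrete, here is a small slot-based simulation of stations sharing one bus. It is an example added for this edition, not code from the article or from any real NIC driver. Everything in it is constructed: the stations, their frames and the slot timing. The random binary exponential backoff applied after a collision is an assumption; the article only says the packet is re-transmitted.

```python
import random
from dataclasses import dataclass


@dataclass
class Station:
    """A node on the shared bus with frames waiting to be sent (constructed)."""
    name: str
    queue: list            # frames still to transmit, in order
    backoff: int = 0       # slots to stay silent after a collision
    attempts: int = 0      # consecutive collisions suffered by the head frame


def simulate_csma_cd(stations, frame_slots=3, max_slots=5000, seed=7):
    """Slot-based model of CSMA/CD on a single bus.

    In each slot a station whose backoff has expired senses the carrier
    (listen before transmit) and starts sending only if the bus is idle.
    If two or more stations start in the same slot they all detect the
    collision, abandon the attempt and choose a random backoff (binary
    exponential backoff is an assumption, not from the article).

    Returns (delivered, collisions, slots_used); delivered is the list of
    (station name, frame) pairs in completion order.
    """
    rng = random.Random(seed)
    sender = None           # station currently holding the bus
    busy_until = -1         # slot at which the current frame completes
    delivered = []
    collisions = 0
    for t in range(max_slots):
        # A frame started frame_slots ago completes now and frees the bus.
        if sender is not None and t == busy_until:
            delivered.append((sender.name, sender.queue.pop(0)))
            sender.attempts = 0
            sender = None
        if sender is None and all(not s.queue for s in stations):
            return delivered, collisions, t
        idle = sender is None          # carrier-sense result for this slot
        ready = []
        for s in stations:
            if s.backoff > 0:
                s.backoff -= 1         # still waiting out a backoff
            elif s.queue and idle:
                ready.append(s)        # heard silence, wants to transmit
        if len(ready) > 1:
            # Collision: every station that started in this slot detects it
            # and backs off; the alert to other stations is implicit here
            # because all transmitters share the same slot.
            collisions += 1
            for s in ready:
                s.attempts += 1
                s.backoff = rng.randrange(2 ** min(s.attempts, 10))
        elif len(ready) == 1:
            sender = ready[0]
            busy_until = t + frame_slots
    return delivered, collisions, max_slots


if __name__ == "__main__":
    a = Station("A", ["a1", "a2"])
    b = Station("B", ["b1", "b2"])
    done, hits, used = simulate_csma_cd([a, b])
    print("delivered:", done)
    print("collisions:", hits, "slots used:", used)
```

With a single station no collision can occur and its frame completes after exactly frame_slots slots; with two stations both holding frames, the very first slot is a guaranteed collision (both hear silence and start together), which is the window the CSMA/CA paragraph describes, and the random backoff is what eventually separates them.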
----------------------------------------------

**********************************************
Overview Of OS/400 and Security Facilities - Slider
**********************************************

  *[Spammy] is back -[ bbs ]- gone 18 min 22 s
  <[Spammy]> hrm
  <[Spammy]> odd gardening van outside
  <[Spammy]> blacked out windows and 2 ariels...

Unfortunately, as OS/400 is not well known, I will have to give a brief run down on the O/S.

The Application System/400* (AS/400*) has a very sophisticated and modern architectural base. While it has evolved from the System/36 and the System/38, it contains many facilities that AS/400 customers are only now utilizing to the maximum capability. Like the AS/400, its operating system, Operating System/400* (OS/400*), has evolved from the S/36 and S/38, and offers a very sophisticated and powerful computing base.

This chapter is an overview for readers who are not regular AS/400 users. It offers an overview of OS/400 architectures and relevant object structures, and then highlights OS/400 security features.

- Basic AS/400 Terminology

This section introduces basic AS/400 terminology. Understanding these terms and concepts is essential to understanding AS/400 security. For more information on these, refer to the AS/400 Concepts And Facilities manual.

- System Object Structure

There are a few basic concepts that will enable you to quickly start work with the AS/400 system. These are described below.

- Objects

Everything on the system that contains some form of information and can be accessed via the standard OS/400 interface is represented as an object. An object is made up of a set of attributes that describe the object and some form of data. The attributes of an object include its name, type, size, the date it was created, a short description, and the name of the library in which it is stored.

Every object on the system has an owner, who plays an important part in the security functions.
The owner of an object can grant or revoke access for other users. A user cannot be deleted before all objects that are owned by the user are deleted or assigned to another user.

The data component of an object is the collection of information that is stored in the object. The data part of a program is the instructions that make up the program. The data portion of a file is the collection of records that make up the file. The term 'object' is used to refer to a number of different items that can be stored in the system, regardless of what the items are.

- Object Types

Different object types have different operational characteristics. These differences make each object type unique. For example, because a file is an object that contains data, its operational characteristics differ from those of a program, which contains instructions.

Objects are arranged with a common object header and a type-dependent functional portion. For example, a program object header would contain a description of the object, including the type (program), and the owner (the user who created the program). The functional part of the program object contains information that governs the way the object can be used. This allows the system to perform operations collectively on all objects, as well as permitting each object to be tailored for its own purposes.

There are over 60 different object types. Some examples are: files, commands, documents, programs, libraries, controller descriptions, device descriptions, user profiles, and job queues. Each object type has an abbreviated form preceded by an asterisk, to signify this as a reserved word. For example, a file is referred to as an object of type *FILE.

For the purposes of security, each individual object may be secured, tailoring user access to the function of the system. In addition, certain object types may have many attributes which further differentiate the types.
For example, an object type of program (*PGM) could have an attribute of RPG, CBL, C, or CLP. An object type of file (*FILE) could have an attribute of PF, LF, DSPF, DDMF, or SAVF, and so on. Each of these attributes allows deeper levels of sub-typing for particular specialized functions.

- Libraries

A library is an object that is used to group related objects and to locate objects by name. Thus, a library is like a directory to a group of objects. Libraries can be used to group the objects into any meaningful collection. Objects can be grouped according to security, backup, processing, or any other user requirements.

Some libraries come with the AS/400 system and are standard parts of the system. The QSYS library contains the base operating system components, as well as other libraries. It is special in that it is the only library that can contain other libraries. Users can create other libraries. IBM Program Products usually have their own libraries. Users should avoid adding objects to IBM libraries.

Library access rules govern the use of commands, programs, files or any object you may want to use. You must have access to the library as well as the object you want to use. The system will look for the object in the libraries specified in the library search path (called a library list, abbreviated to *LIBL), or you can refer to an object by specifically stating a library and the object name.

- Object Names

Each object has a name. The object name and the object type are used to identify an object. The object name is explicitly assigned by the system for system-supplied objects, or by the user when creating an object. The object type is determined by the command used to create the object. Several objects can have the same name so long as their object types differ, or as long as they exist in different libraries. Object names can be qualified using the name of the library where that object exists.
The combination of the object name and the library name is called the qualified name of the object. An unqualified name contains only the name of the object, and is useful only when the object and type are unique on the system or within the object's library list. The object name in the following examples is always MASTFILE; the different library names and object types identify the following objects uniquely:

  ACCTPAY/MASTFILE *FILE - file MASTFILE in library ACCTPAY
  ACCTPAY/MASTFILE *PGM  - program MASTFILE in library ACCTPAY
  ACCTPAY/MASTFILE *MENU - menu MASTFILE in library ACCTPAY
  ACCTREC/MASTFILE *FILE - file MASTFILE in library ACCTREC

These four objects may all exist at once without naming or type conflicts.

- Document Library Objects

Within the OfficeVision/400 and PC Support/400 products, two main object types are used: documents (*DOC) and folders (*FLR). Collectively these are termed Document Library Objects (DLOs). These are most commonly created using OfficeVision/400 or PC programs accessing the AS/400 with the PC Support/400 product, although they can be created and used outside of these products.

A folder is an object that is used as a directory for documents or other folders. For example, a user of a personal computer could store personal computer programs, files and documents created with his PC programs in folders on an AS/400 system. Folders can be filed within another folder. Folders within folders can be considered to be like drawers in a filing cabinet. The filing cabinet itself is the root directory (as it is termed on a PC), and the drawers are considered as sub-directories. The AS/400 folder structure was designed like the directory structure on a PC, so that PC users could easily use AS/400 folders for storing their objects. These objects can be shared with OfficeVision/400 users, as this same folder structure is used to store OfficeVision/400 documents.
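The library-list lookup described above is worth seeing in code, because it is where an unqualified name quietly changes meaning: the first library in *LIBL that holds an object of the requested name and type wins. The following resolver is an example added here, not IBM code or part of the article; its catalogue is a constructed set of (library, object, type) triples holding just the four MASTFILE objects from the text, and the *LIBL/OBJECT form it accepts is the standard CL way of saying "search the library list".

```python
# Constructed catalogue keyed by (library, object, type): the four MASTFILE
# objects listed in the text. Not a real AS/400 inventory.
CATALOGUE = {
    ("ACCTPAY", "MASTFILE", "*FILE"),
    ("ACCTPAY", "MASTFILE", "*PGM"),
    ("ACCTPAY", "MASTFILE", "*MENU"),
    ("ACCTREC", "MASTFILE", "*FILE"),
}


def parse_name(spec):
    """Split 'LIBRARY/OBJECT' into (library, object).

    A bare 'OBJECT' or the CL form '*LIBL/OBJECT' yields library None,
    meaning the caller's library list is to be searched.
    """
    parts = spec.upper().split("/")
    if len(parts) == 1:
        return None, parts[0]
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected OBJECT or LIBRARY/OBJECT: %r" % spec)
    lib, obj = parts
    return (None if lib == "*LIBL" else lib), obj


def resolve(spec, obj_type, libl, catalogue=CATALOGUE):
    """Return the library an object reference resolves to, or None.

    A qualified name looks only in the named library. An unqualified name
    is searched in library-list order and the first match is taken, so the
    same reference can land in different libraries under different lists.
    """
    lib, obj = parse_name(spec)
    if lib is not None:
        return lib if (lib, obj, obj_type) in catalogue else None
    for candidate in libl:
        if (candidate, obj, obj_type) in catalogue:
            return candidate
    return None


def find_shadows(obj, obj_type, libl, catalogue=CATALOGUE):
    """Every library in the list holding obj of obj_type, in list order.

    More than one entry means an unqualified reference to this object
    depends on library-list order, which is the case the text warns about.
    """
    return [lib for lib in libl if (lib, obj.upper(), obj_type) in catalogue]


if __name__ == "__main__":
    libl = ["QSYS", "ACCTREC", "ACCTPAY"]      # constructed library list
    print(resolve("MASTFILE", "*FILE", libl))          # ACCTREC (first hit)
    print(resolve("ACCTPAY/MASTFILE", "*FILE", libl))  # ACCTPAY (qualified)
    print(find_shadows("MASTFILE", "*FILE", libl))     # ['ACCTREC', 'ACCTPAY']
```

The defensive reading of this is the one the text gives: qualify names wherever the target must be one specific object, and audit any library list that puts user-writable libraries ahead of the ones holding production objects, since find_shadows reports exactly the names that would resolve differently.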
Users can access the documents and folders through the PC Support and OfficeVision/400 interface. However, all documents and folders are actually located in the IBM supplied library QDOC. The library name QDOC is never specified by the user when accessing documents and folders; this is simply a storage mechanism.

- Document Library Object Names

A document or folder name can be 1 to 12 characters long, including an optional extension. If no extension is included, a document or folder name can have a maximum of 8 characters. If an extension is included, the extension must start with a period and can have up to 3 additional characters. Folder names should not begin with a Q because the IBM-supplied folder names begin with Q. The following are examples of permitted names for Document Library Objects:

  LTR001.DOC
  LETTERS/LTR001.DOC
  PAYROLL/LETTERS/LTR001.DOC
  APPMAIL/PAYROLL/LETTERS/LTR001.DOC

The / is used to separate folder names in the path and the document name.

- Files

Files are commonly secured objects on any computer system. On the AS/400, there are twelve categories of files:

  PF    Physical files (for data records and program source)
  LF    Logical files (for relational database functions)
  SAVF  Save files (for online save/restore)
  DDMF  Distributed Data Management (DDM) files
  DSPF  Display files (for I/O to the screen)
  PRTF  Printer files (spool file definition)
  DKTF  Diskette files (for I/O to diskette)
  TAPF  Tape files (for I/O to tape)
  CMNF  Communications files
  BSCF  BSC communications files
  MXDF  Mixed files
  ICFF  ICF communications files

Typically, discussions of security are related to physical and logical files, as these are used by application programs and contain application data. Most often, the other file types do not present the same security exposure.

Physical Files: A physical file contains both the description of the data fields of the file, and the data itself. The record description is maintained in a separate portion of the object from the data.
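The Document Library Object naming rules a few paragraphs up (1 to 12 characters overall, at most 8 before an optional period-plus-3 extension, folder names not starting with Q, "/" separating folders from the document) are small enough to encode as a validator. The one below is added for this edition and is not part of the article or of any IBM product. It assumes names are made of upper-case letters and digits, which is all the text's examples show, and it treats a folder name starting with Q as a hard error although the text only says such names "should not" be used.

```python
import re

# Constructed pattern for a single document or folder name: up to 8
# characters, then an optional period with 1 to 3 more characters. The
# overall 12-character limit is checked separately. Restricting names to
# upper-case letters and digits is an assumption, not a rule from the text.
_NAME_RE = re.compile(r"^[A-Z0-9]{1,8}(\.[A-Z0-9]{1,3})?$")

_Q_REASON = "folder names beginning with Q are reserved for IBM-supplied folders"


def check_dlo_name(name, is_folder=False):
    """Return (ok, reason) for one document or folder name."""
    name = name.upper()    # fold to upper case (assumption; examples are upper case)
    if not 1 <= len(name) <= 12:
        return False, "length must be 1 to 12 characters including extension"
    if not _NAME_RE.match(name):
        return False, "at most 8 characters before an optional .XXX extension"
    if is_folder and name.startswith("Q"):
        return False, _Q_REASON
    return True, ""


def split_dlo_path(path):
    """Split FOLDER/.../DOCUMENT and validate every component.

    Returns a dict with the folder list, the document name and a list of
    (component, reason) problems; an empty problems list means the whole
    path is acceptable under the rules above.
    """
    parts = path.split("/")
    folders, document = parts[:-1], parts[-1]
    problems = []
    for folder in folders:
        ok, why = check_dlo_name(folder, is_folder=True)
        if not ok:
            problems.append((folder, why))
    ok, why = check_dlo_name(document)
    if not ok:
        problems.append((document, why))
    return {"folders": folders, "document": document, "problems": problems}


if __name__ == "__main__":
    for p in ("LTR001.DOC", "APPMAIL/PAYROLL/LETTERS/LTR001.DOC",
              "QDOC/LTR001.DOC", "LETTERS/LONGDOCNAME"):
        print(p, "->", split_dlo_path(p)["problems"] or "ok")
```

Checking input against the documented grammar before passing it on is the usual first step in hardening any interface that builds folder paths from user-supplied names; here the four example paths from the text all pass, while an over-long base name or a Q-prefixed folder is reported with the rule it broke.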
Before any records can be written in a file, the file must be created with the record description.

Logical Files: Logical files, or views, as they are called in SQL/400*, do not actually contain data, but describe how records contained in one or more physical files are to be presented. They define an alternate record layout or access path for the file. Physical files have three main parts: a description, an access path and data. Logical files have two parts, a description and an access path, and also contain pointers to data fields that are in physical files. Programs using logical files treat them exactly the same as if they were physical files.

File Members: A physical file may contain members, which are groups of records. Records are made up of many fields. Database files - files with transaction and master file data - often consist of only one member. In contrast, a file holding source program statements usually contains several members, one per source program. Authorities for a file apply to all the members in the file. The members are not seen as having individual authorities. However, individual authorities are actually stored with each member. All these 'extra' authorities can affect the performance of system save and restore operations, but they have no impact on the normal user. There are no commands to individually manipulate the member authorities.

- Work Management

Work management supports the commands and operating system functions necessary to control system operations and the daily workload on the system. It controls resources for applications, such as workstations and storage, so that the system can support multiple applications and system tasks. All the work done on the system is submitted through the work management functions. When OS/400 is installed, it includes a work management environment that supports interactive, batch, and communications jobs.
The operating system can be tailored to create an individual, user-defined work management environment.

- Jobs

The AS/400 system uses the term job to refer to your workstation session as well as any 'batch' jobs or 'system' jobs that may be in the system. There are five types of jobs relevant to security:

  > Interactive job
  > User or operator submitted batch job
  > Communications job
  > Autostart job
  > Prestart job

The security implications of each of these are discussed below.

Interactive Job: An interactive job is started when a user signs on to a workstation. That is, a workstation session is called an interactive job. The user is identified to the system with a User Profile, and the authentication is tested through password checking (at security levels 20 and above).

Batch Job: A workstation user or operator can submit a batch job. The user profile under which the batch job executes can be the same as the profile of the submitting user, or it can be a different user profile. In order to use a different user profile, the submitting user must be authorized to use a job description, an object containing the job execution attributes, which includes the other user profile name. Alternatively, the user can submit a job under a different user profile by specifying a profile name on the user profile parameter of the Submit Job command. In both cases, the submitter must be authorized to the user profile. These techniques allow good control over job submission on behalf of other users.

Communications Job: A communications job is started when another system issues a request over a communications line. Many techniques are available to control the attachment of a proper user profile to that job.

Autostart Job: This type of job is started automatically when a subsystem is started. It requires a job description to identify the user profile for the job. An autostart job can be used to perform some operations on a routine basis.
For example, the QBASE and QCTL subsystems have autostart jobs that start up printer spooling.

Prestart Job: This type of job is used for communication purposes. When a program A on a remote system wishes to communicate with a program B on the local system, program A must send a request to load program B. This takes time. To speed up the load process, program B can be loaded in advance by defining it as a prestart job. A prestart job is started when its subsystem is started.

- Job Queues

A Job Queue (*JOBQ) is a list of jobs waiting to be run by the system. Each job queue is associated with a subsystem (the processing environment). A job is placed on a job queue by the SBMJOB command or by starting a spool reader that reads the job from a diskette or database file. Jobs are selected from the job queue to run based on the job queue scheduling priority. Security information can be included in the job queue description to define who can control the job queue and manage the jobs on the queue.

- Subsystems

A subsystem (*SBSD) is a single, predefined operating environment through which AS/400 work flow and resource use are coordinated. A subsystem is a means to separate activities on the system - for example, interactive users and batch jobs. Each piece of work running in a subsystem is called a job. In a subsystem, work entries are defined to identify the sources from which jobs can be started for running in that subsystem. A Communications Entry is an example of a work entry. Devices are simply a source of work for a subsystem. Each work entry defines one or more devices or remote locations that are controlled by the subsystem. The devices are allocated by the subsystem for receiving program start requests for the jobs. Regardless of how a job is started, it must use a job description (JOBD). Jobs are processed as one or more consecutive routing steps. A routing step is the processing done as a result of a call to a program specified in the subsystem's routing entry.
When a job is started, the correct routing entry is selected by means of routing data. Routing data is extracted from the job description for the job. A single AS/400 may have many subsystems defined. There are several subsystem configurations shipped by IBM with OS/400 and with additional licensed products. AS/400 software vendors may supply software packages with subsystem descriptions. Customers may also define their own subsystems. The QBASE subsystem provides a single combined environment for interactive, batch, and communications jobs and also provides the subsystem control function. It is typically used with less complex environments. Most often, customers with a mixed workload will choose to separate the workload and use other subsystems - either shipped by IBM (such as QCTL) or defined by the user. Other subsystems may be created for installation needs or supplied with packaged applications.

  Subsystem   Function
  ---------   --------
  QBASE       Control function, interactive, batch and communications jobs
  QBATCH      Batch subsystem
  QCMN        Communications subsystem
  QCTL        Controlling subsystem. Supports only the system console
  QINTER      Subsystem for interactive work
  QPGMR       Programmer subsystem
  QSNADS      For SNA Distribution Services
  QSPL        Spooling subsystem
  QSYSSBSD    Backup subsystem - used if controlling SBSD is damaged
  QSYSWRK     Operating system jobs
  QDSNX       For Distributed Systems Node Executive
  QFNC        For Finance communications
  QTCP        For TCP/IP communications

- Output Queues

An Output Queue (*OUTQ) is a list of spooled files waiting to be printed. Printer files are objects used to define the attributes for output from jobs on the system. If the processing of a job results in output, the subsystem running the job creates the output as one or more spooled files in the output queue. Subsystems themselves have output associated with starting and completion status.

- Message Queues

A message queue (*MSGQ) is a list in which messages are placed when they are sent to a user or program.
A message queue is like a mailbox for messages. Messages sent to an 'address' in the system (such as a user or a program) are put in the message queue associated with the address.

System operator message queue: The QSYSOPR message queue is a special message queue to which the system sends messages regarding changes in the status of the system, devices, and jobs, and messages indicating a condition that needs operator intervention.

- Configuration Descriptions

Configuration Descriptions are objects used to define the characteristics and arrangement of devices and communications links attached to the AS/400. Configuration descriptions are linked together to form a hierarchy:

  Networks            (*NWID)
  Lines               (*LIND)
  Controllers         (*CTLD)
  Devices             (*DEVD)  printers, displays, tape, diskette, communications
  Modes               (*MODD)
  Classes of Service  (*COSD)

The AS/400 has the capability to create certain configuration descriptions automatically, such as locally attached controllers and devices. This is called autoconfiguration. This significantly reduces the initial installation tasks that need to be performed. The default authority given to configuration objects is such that any user can use it, for example, to sign on to a locally attached display station.

- Programs and Commands

AS/400 terminology differentiates between programs and commands. A command is used to request a function of the system. A command consists of a command name, indicating the type of action to be performed, together with optional parameters, defining more detail about the command. For example, to create a user profile, enter the command CRTUSRPRF and specify the parameters to create the required user characteristics. Users can create their own commands, using the 'create command' command (CRTCMD). A command invokes program code, called the command processing program. A program means a user or vendor program, written in a language such as CL, RPG, COBOL, or C.
Program source statements are created as members of a source file. The members are compiled (using one of the create program commands), a process that creates the program as a new object (*PGM). Like commands, a program can also be invoked from a workstation, but it requires a CALL command to invoke it. Since commands and programs are objects (*CMD and *PGM), they are subject to normal AS/400 resource security.

- Control Language (CL)

The commands mentioned previously make up the primary user interface on the AS/400, which is called Control Language (CL). This is a large, rich and functional set of commands that are used in every environment including programming, communications, configuration, performance management, messaging, save and restore, printing, problem management, office, online education and security. These commands can be combined to make up a program (called a CL program). Some applications can consist of only CL programs.

- Application Program Interface (API)

An API is a functional interface supplied by the operating system or a separately orderable licensed program. It allows an application program in a high-level language to use specific data or functions of the operating system or licensed program.

* AS/400 Security Architecture

System security is an integrated function of the AS/400 system. It is implemented at the instruction level and controls all AS/400 software functions. Users are identified and authenticated by a single security mechanism, at the system level, for all functions and environments available on an AS/400, including program development and execution, data base applications, office applications, and so forth. All objects on an AS/400 system are under security control, including libraries and files, display stations, operator console functions, programs, menus, and so on.

- S/36 and S/38 Compatibility

AS/400 is the follow-on system for the S/36 and the S/38, and has been designed to be compatible with both architectures.
Similarly, security features from both environments have been combined in AS/400 system security, with significant enhancements. Combining both original security facilities results in some functional redundancy that is necessary to accomplish easy and secure migrations to AS/400. It is possible to operate an AS/400 in a S/36 or S/38 environment in which the user command interface (the screen menus) is similar to the prior system. This does not, however, affect the underlying security functions of the AS/400.

- System Integrity

The integrity of the operating system is an important prerequisite for the implementation of security controls. The AS/400 system has good integrity for several reasons:

> Precisely controlled storage addressing limits for a user
> Security implementation at the instruction level
> A physical keylock controlling the operating system security environment
> A precisely defined method for providing limited capabilities for users
> A security system that is an integral part of the total system
> A communications environment with security features built in at the lowest level
> Special hardware to validate software pointers
> Complete auditing capabilities of system and user functions

- Single-Level Storage

Storage allocation on the AS/400 is very different from that on most other computer systems. The AS/400 uses a shared storage system in which all portions of main and auxiliary storage are addressed as though they are within a single area (or level). The system uses the object name to determine where it exists in storage. This means that the user can find objects by name, rather than by storage locations. Because operations cannot be performed on an object that is not in main storage, the system moves all or part of the object into main storage as it is needed, and moves it back into auxiliary storage when the object is not needed. This transfer is controlled by the system, and does not require control by the user or programmer.
Because objects can be accessed only by name, security cannot be bypassed to access an object directly.

- AS/400 Security System Values

The AS/400 has over 100 variables that control system-wide functions. These are called system values. Some of the system values are security-related. These security-related system values fall into four main categories:

> General Security Defaults
> Audit Control
> Password Rules
> Other System Values Related to Security

- AS/400 Users and Groups

The following terms and concepts are involved in defining users and their authorities to the AS/400. Users are defined with profiles; the users can:

> Be organized into groups
> Have special capabilities
> Have special limitations

- User Profiles

User Profiles contain information describing a system user, that user's privileges and limitations when using the system, and lists of objects the user owns or is authorized to use. For objects owned by a user, the profile also contains lists of other users' authorizations to those objects.

- Special Authorities

All security systems have special user privileges for certain security and system administration functions. Special authorities allow certain users to administer AS/400 security and system tasks. There are eight special authorities. These special authorities are not hierarchical.

  *ALLOBJ    All object authority is granted for accessing any system resource
  *AUDIT     Allows the user to perform auditing functions
  *JOBCTL    Allows manipulation of job and output queues and subsystems
  *SAVSYS    Used for saving and restoring the system and data without having explicit authority to objects
  *SECADM    Allows administration of User Profiles and Office
  *SERVICE   Allows access to special service functions for problem diagnosis
  *SPLCTL    Allows control of spool functions
  *IOSYSCFG  Allows change of system configuration

- User Classes

There are five user classes which are hierarchical in authority. The classes represent different roles in the DP environment.
These are convenient ways to assign the special authorities listed above to different types of users. A higher class can perform all the functions of a lower class; for example, *SECOFR includes the privileges of *SECADM by default. The following are the five user classes:

  *SECOFR   Security Officer
  *SECADM   Security Administrator
  *PGMR     Programmer
  *SYSOPR   System Operator
  *USER     End User

The user class also affects what options are shown on the system menus. A user with higher authorities will see more of the system menu options. A user with fewer authorities will only see the menu choices allowed by the user class. A user may be given any of the special authorities regardless of his user class. Letting the special authorities be assigned automatically to match the user class is a convenient way to get started. Special authorities can be assigned specifically, by the security officer or security administrator, when one of the standard user classes does not have the desired combination of authorities.

- IBM-Supplied User Profiles

The AS/400 has a number of user profiles provided as part of the operating system. Only QSECOFR is intended for signon. Others are for ownership of various objects and system functions.

  QDBSHR      QMSF        QSRVBAS
  QDFTOWN     QNETSPLF    QSYS
  QDOC        QPGMR       QSYSOPR
  QDSNX       QRJE        QTCP
  QFNC        QSNADS      QTSTRQS
  QGATE       QSPL        QUSER
  QLPAUTO     QSPLJOB
  QLPINSTALL  QSRV

- Group Profiles

A User Profile may be linked to a group profile. This allows all the members of the group to share common attributes, common access to selected objects, and common ownership of objects. A user is not required to be a member of a group. In V3R1 a user may be a member of up to 16 different groups. In earlier releases the user can only be a member of one group. In addition, only one level of grouping is permissible. For example, if user profile FRED belongs to group profile DEPTA, DEPTA cannot belong to another Group Profile.
Group profiles are used to organize users along job functions and to simplify the assignment and administration of object authorities by authorizing users through a smaller number of group entries. When designing groups, it is important that the group ownership concepts are well understood and that good naming conventions are used. A group profile is implemented as a user profile; that is, it is created just like a user profile, and when granting authority, the AS/400 does not treat groups any differently from user profiles. The two uses may be intermixed. For easy management it is better that user and group profiles be used as separate entities. One way to enforce this is to set the group profile password to *NONE. This prevents any sign on to the profile.

- Limited Capability

A user may be assigned limited capability. This is done when creating or changing a user profile. Limited capability, when used with an appropriate initial program or initial menu, can restrict a user to a desired subset of the system's functions. Some local programming (or the use of a packaged application) is necessary to accomplish this. Limited capability (LMTCPB keyword of the CRTUSRPRF or CHGUSRPRF commands) may be set to no, partial, or full. The selected value will affect the initial program, initial menu, current library, the current attention program (associated with the attention key on the terminal), and access to general system commands.

- AS/400 Object Protection

Since all AS/400 data structures (system and user) are objects, the security system is primarily concerned with protecting objects. All objects have some common structures in their control blocks (invisible to the normal user). This allows a unified approach to security, since all objects interface the same way to the security routines.

- Authorities

In AS/400 terminology, an authority is the permission to access an object.
The object owner and the security officer (or other *ALLOBJ users) can grant or revoke authority to an object. It is important to understand the difference between authority to an object and authority to the data in the object. Operations such as moving, renaming, saving, or deleting apply to the object as such. It is possible to have authority for these operations without having access to the data stored in the object. Likewise, one can have full access (read, write, update, delete, execute) to the data in an object without having full authority to manipulate the whole object. The following authorities are independent (not hierarchical). For some operations a combination of authorities is required:

*OBJOPR: The object operational authority controls the use of an object and the capability to look at the description of the object. It is needed to open a file and therefore is usually assigned in combination with the desired data rights.

*OBJMGT: The object management authority controls the move, rename, and change attribute functions for an object, and the grant and revoke authority functions for other users or groups.

*OBJEXIST: The object existence authority controls the delete, save, restore, or transfer ownership operations of an object.

*AUTLMGT: This authority is needed to manage the contents of an authorization list associated with the object. This is a specialized security authorization that is not usually grouped with the other seven object authorities.

*OBJALTER: This authority is needed to alter the attributes of data base files and change the attributes of SQL packages.

*OBJREF: This authority is needed to specify a data base file as the first level in a referential constraint.

*READ: Controls the ability to read data from the object.

*ADD: Controls the ability to insert a new entry (such as a new record in a file) into the object.

*UPDATE: Controls the ability to modify existing entries in the object.
*DELETE: Controls the ability to remove existing entries (for example, records) in the object. To delete the whole object requires *OBJEXIST authority.

*EXECUTE: Controls the ability to run a program, service program, or SQL package, and to locate an object in a library or a directory.

Some common combinations of authorities have been given special names as an abbreviated form. For example, *USE is the combination of *OBJOPR, *READ, and *EXECUTE.

  *ALL      Allows unlimited access to the object and its data
  *CHANGE   Allows unlimited access to the data in the object
  *USE      Allows data in the object to be read
  *EXCLUDE  Allows no access to the object or its data

- PUBLIC Authority

Public authority is the default authority for an object. It is used if users do not have any specific (private) authority to an object, are not on the authorization list (if one is specified) for the object, or their group(s) has no specific authority to the object.

- Authorization Lists

An authorization list is an important and commonly used security structure. It is used to authorize a user or a group of users to different types of objects (such as files or programs) secured by the authorization list. An object may have only one authorization list associated with it. An authorization list may secure more than one object. A user can appear on many different authorization lists. Authorization lists are not affected when objects secured by the authorization list are deleted. If an object is deleted and then restored to the same system, it is automatically linked to an existing authorization list for the object. This is an important advantage of authorization lists.

- Adopted Authority

Certain programs or commands called by a user may require a higher level of authority (for the duration of the command) than is normally available to that user. Adopted authority provides a means for handling this situation.
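To make the authority rules concrete, here is a small Python model of how a user's effective authority to an object is resolved: the special values (*ALL, *CHANGE, *USE, *EXCLUDE) are expanded into the individual object and data authorities, then the user's own private authority or authorization list entry is tried, then the group profiles', then *PUBLIC, and finally any authority adopted from a program owner (described in the next paragraph). This is an added example written for this article, not OS/400 code; the profile names, the PAYROLL file and the PAYAUTL list are constructed, and the lookup order is a simplification of what OS/400 actually does.

```python
"""Simplified model of AS/400 object authority resolution.

Added example for this article; it is not OS/400 code. The authority
names and special values are those described in the text. The lookup
order (user's own authority, then group profiles, then *PUBLIC, plus any
adopted authority) is a simplification of what OS/400 actually does.
"""
from dataclasses import dataclass, field
from typing import Optional

# The individual object and data authorities described above.
OBJECT_AUTHS = frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"})
DATA_AUTHS = frozenset({"*READ", "*ADD", "*UPDATE", "*DELETE", "*EXECUTE"})

# Special values are abbreviations for fixed combinations, e.g. *USE is
# *OBJOPR + *READ + *EXECUTE as the text states.
SPECIAL = {
    "*ALL": OBJECT_AUTHS | DATA_AUTHS,
    "*CHANGE": frozenset({"*OBJOPR"}) | DATA_AUTHS,
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
}


def expand(auth):
    """A special value name, or an iterable of individual authorities, -> set."""
    if isinstance(auth, str):
        return set(SPECIAL[auth])
    return set(auth)


@dataclass
class UserProfile:
    name: str
    groups: list = field(default_factory=list)             # group profile names
    special_authorities: set = field(default_factory=set)  # e.g. {"*ALLOBJ"}


@dataclass
class AuthorizationList:
    name: str
    entries: dict = field(default_factory=dict)            # profile -> authority


@dataclass
class SecuredObject:
    name: str
    owner: str
    public: object = "*EXCLUDE"                            # *PUBLIC authority
    private: dict = field(default_factory=dict)            # profile -> authority
    autl: Optional[AuthorizationList] = None               # at most one per object


def _profile_authority(obj, profile):
    """Private authority if present, else the authorization list entry, else None."""
    if profile in obj.private:
        return expand(obj.private[profile])
    if obj.autl is not None and profile in obj.autl.entries:
        return expand(obj.autl.entries[profile])
    return None


def effective_authority(user, obj, profiles, adopted_owner=None):
    """Set of authorities `user` holds to `obj`.

    profiles: name -> UserProfile, used to resolve adopted_owner.
    adopted_owner: owner of a running program that adopts its owner's
    authority; that owner's authority is added to the user's own.
    """
    if "*ALLOBJ" in user.special_authorities:
        return expand("*ALL")
    found = _profile_authority(obj, user.name)
    if found is None:
        # No authority of the user's own: accumulate what the groups hold.
        group_auths = [a for a in (_profile_authority(obj, g) for g in user.groups) if a is not None]
        if group_auths:
            found = set().union(*group_auths)
    if found is None:
        found = expand(obj.public)        # fall back to *PUBLIC
    if adopted_owner is not None:
        found |= effective_authority(profiles[adopted_owner], obj, profiles)
    return found


def is_authorized(user, obj, required, profiles, adopted_owner=None):
    """True if every authority in `required` (special value or set) is held."""
    return expand(required) <= effective_authority(user, obj, profiles, adopted_owner)


def build_scenario():
    """Constructed sample: a PAYROLL file with private, list and public authority."""
    profiles = {
        "PAYOWN": UserProfile("PAYOWN"),                     # owns the file
        "DEPTA": UserProfile("DEPTA"),                       # group profile
        "FRED": UserProfile("FRED", groups=["DEPTA"]),
        "BOB": UserProfile("BOB"),
        "CAROL": UserProfile("CAROL"),
        "SECOFR1": UserProfile("SECOFR1", special_authorities={"*ALLOBJ"}),
    }
    payautl = AuthorizationList("PAYAUTL", entries={"DEPTA": "*CHANGE"})
    payroll = SecuredObject("PAYROLL", owner="PAYOWN", public="*EXCLUDE",
                            private={"PAYOWN": "*ALL", "BOB": "*USE"}, autl=payautl)
    return profiles, payroll


if __name__ == "__main__":
    profiles, payroll = build_scenario()
    for name in ("FRED", "BOB", "CAROL", "SECOFR1"):
        u = profiles[name]
        print(name, "read:", is_authorized(u, payroll, {"*OBJOPR", "*READ"}, profiles),
              "update:", is_authorized(u, payroll, {"*OBJOPR", "*UPDATE"}, profiles),
              "delete object:", is_authorized(u, payroll, {"*OBJEXIST"}, profiles))
    # CAROL running a program owned by PAYOWN that adopts its owner's authority:
    print("CAROL via adopting program:",
          is_authorized(profiles["CAROL"], payroll, "*CHANGE", profiles, adopted_owner="PAYOWN"))
```

The scenario shows the distinction the text draws between authority to data and authority to the object: FRED reaches *CHANGE through his group's authorization list entry and can update records, but cannot delete the file itself because *CHANGE carries no *OBJEXIST; BOB's private *USE lets him read but not update; CAROL, with nothing but *PUBLIC *EXCLUDE, gets no access at all until she runs a program that adopts PAYOWN's authority.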
Adopted authority allows a user to temporarily gain the authority of the owner of a program (in addition to the user's own authorities) while that program is running. This provides a method to give a user additional access to objects, without requiring direct authority to objects.

- Audit Journal

The Security Audit Journal is a facility that allows security-related events to be logged in a controlled way that cannot be bypassed. The following are some of the events that may be logged:

> Authorization failures
> Object creations
> Object deletions
> Changes to jobs
> Move or rename of objects
> Changes to system distribution directory or office mail actions
> Obtaining authority from programs which adopt
> System security violations
> Printing actions, both spooled and direct print
> Actions on spooled file data
> Restore operations
> Changes to user profiles, system values or network attributes
> Use of service tools
> System management functions
> Users' access to audited objects
> CL command strings

Information from the audit journal can be extracted into a database file, then examined by an auditor using a tool such as Query/400 to locate security violations or exposures. Security/400 has programs that produce reports from the audit journal receiver.

- Authority Holder

An authority holder is an object that specifies and reserves an authority to a program-described database file before the file is created. When the file is created, the authority specified in the holder is linked to the file. The authority holder is for use mainly in the System/36 Environment.

- Physical Security

Physical and procedural security controls provide the basis on which other controls such as software security are built.
In addition to physical access control and output distribution procedures, which are necessary controls in any computing environment and therefore not mentioned here, the AS/400 has two unique hardware features which are important for physical security:

> System Keylock - to enable or disable certain system service functions
> Display Station functions - keylock, and play/record keys

- The History Log (QHST)

The history log (QHST) contains a subset of messages that are sent about system operational events to the system operator message queue. Some messages relating to system security are written in the system history log. However, this function is now superseded by support offered by the security audit journal. QHST should not be used as a source for tracking security-related events as it may have been in the past.

- Cryptographic Support

The IBM Common Cryptographic Architecture Services/400 PRPQ is used for hardware cryptography on the AS/400. The hardware encryption feature is available in two versions. The full function version has a restriction on who is allowed to use it. The *commercial* function is without such restrictions. The product currently provides the following:

> Data Encryption Standard (DES)
> Public Key Algorithm (PKA)
> Key Management functions
> Security Application Programming Interfaces (SAPIs) to invoke cryptographic functions from user-written applications
> Security for the IBM 4700 banking terminal

The Security Application Programming Interface (SAPI) verbs must be used to implement file cryptography. A system command or utility program for the encryption or decryption of files is not currently available. The IBM Common Cryptographic Architecture Services/400 is capable of exchanging encrypted data with any products that implement DES.

- IBM Security/400

IBM Security/400 allows the system administrator to monitor and track system users to ensure they are in compliance with their security policy.
It will accomplish this task by providing the ability to create reports on files, libraries, commands, user profiles and job descriptions. In addition, it provides reporting on programs that adopt authority, user profiles with access authority, authorization lists, and network values. This reporting will help control system compliance and also identify areas that may require tighter controls. IBM Security/400 allows you to tailor the applications to your individual environment by supplying the source code at no additional cost. This allows you the flexibility to design and implement your own security control for your environment. To aid in tailoring your applications, IBM Security/400 includes:

> Installation Instructions
> Technical Documentation
> Object Code
> Source Code

- IBM Security/400 Components

The major components of IBM Security/400 are:

* Auditor

The Auditor function is menu driven. It provides the following functions:

> Reports public authority to libraries, files, commands, job descriptions, and user profiles
> Reports on specific system values and network attributes
> Reports contents of authorities on authorization lists
> Reports programs that adopt authority
> Reports all user profiles on the system (optionally reported by profile attributes)
> Reports all the attributes contained within QAUDJRN (changes to profiles, invalid signon attempts, and restore objects report)

* Remove Inactive User

Users who have not changed their password in the last 186 days (6 months) will have their user profiles disabled. Two notifications are sent to the security administrator as a warning that the user profile has been disabled and will be deleted from the system if no action is taken.

* Use SECADM Profile

This utility is designed to give a user the ability to sign on to the system with a profile which has *SECADM authority. The user profile is named SECADM to avoid any confusion. All activity is tracked while the user is signed on with this profile.
This allows queries to be run against usage of the profile. After the user signs off the system, the SECADM user profile's password is changed to *NONE. If the user wants to sign on to the system again using the SECADM user profile, the SECADM command must be executed again to reset the password.

* Universal Access *NONE

This program revokes *PUBLIC authority from root folders and libraries, with the exception of registered objects. Root level folders are the very top level folders. For instance, if you have a folder VANRIPER, which is not contained within another folder, and contains a folder SUSAN, then VANRIPER is considered the root level folder and SUSAN is the subfolder. Objects may be registered by having the object name entered into a database file. If the object is not registered and has *PUBLIC authority, a warning notification is sent to the owner. The owner must ensure that proper authority is granted to all users who need access to the object. If the owner does not justify the need for public authority to this object within 10 days, the public authority will be changed to *EXCLUDE.

* Systematic Logon Reporting

This utility is designed to report excessive invalid signon attempts and user profile disables. (Excessive is determined by the user at installation time.) The utility uses the QAUDJRN journal to extract the information needed to count the number of invalid signon attempts and revokes (user profile disables caused by exceeding the limit of invalid signon attempts). If the number of invalid signon attempts exceeds the value stored in the data area, a message is distributed to the system administrator.

* Security Design For Performance

One of the causes of performance problems may be excessive security processing by the system. System performance on the AS/400 can change significantly based upon how objects are secured. This section provides an overview of the way AS/400 stores object authority and the authorization lookup process.
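The two Security/400 utilities described above, Remove Inactive User and Systematic Logon Reporting, are simple enough to show as working detection logic. The Python below is an added example written for this article, not IBM's Security/400 code: it counts invalid signon attempts per user from audit records, flags those over an installation threshold, and lists profiles whose password is older than 186 days. The audit records and profile dates are constructed; PW is the real QAUDJRN entry type written for invalid password or user-ID signon attempts, but the record layout used here is a simplified one invented for the example, and the threshold of 3 is an assumed installation value.

```python
"""Logon reporting and inactive-profile check in the style of Security/400.

Added example for this article, not IBM's Security/400 code. The audit
records below are constructed; 'PW' is the QAUDJRN entry type written for
invalid password or user-ID signon attempts, but the field layout used here
is simplified and invented for the example. The threshold for 'excessive'
is the installation's choice, so the value here is an assumption.
"""
from collections import Counter
from datetime import date

INACTIVE_DAYS = 186            # password not changed in 186 days -> disable
EXCESSIVE_SIGNONS = 3          # assumed installation value
REPORT_DATE = date(2000, 5, 15)  # constructed 'today' for the sample run

# Constructed audit journal records: (timestamp, entry type, user, detail).
AUDIT_RECORDS = [
    ("2000-05-14 08:01:12", "PW", "FRED", "invalid password"),
    ("2000-05-14 08:01:40", "PW", "FRED", "invalid password"),
    ("2000-05-14 08:02:05", "PW", "FRED", "invalid password"),
    ("2000-05-14 08:02:31", "PW", "FRED", "invalid password"),
    ("2000-05-14 09:15:00", "AF", "BOB", "authority failure on PAYROLL"),
    ("2000-05-14 10:30:22", "PW", "BOB", "invalid password"),
    ("2000-05-14 11:05:08", "PW", "QSECOFR", "invalid password"),
    ("2000-05-14 11:05:30", "PW", "QSECOFR", "invalid password"),
    ("2000-05-14 12:00:00", "CP", "SECADM1", "user profile changed"),
]

# Constructed profile data: profile name -> date the password was last changed.
PROFILES = {
    "FRED": date(2000, 4, 1),
    "BOB": date(1999, 11, 1),
    "OLDUSER": date(1999, 10, 1),
    "CAROL": date(1999, 12, 1),
}


def count_invalid_signons(records):
    """Invalid signon attempts per user, counted from PW entries only."""
    return Counter(user for _ts, entry_type, user, _detail in records if entry_type == "PW")


def excessive_signons(records, threshold=EXCESSIVE_SIGNONS):
    """Users whose invalid attempts exceed the installation threshold."""
    counts = count_invalid_signons(records)
    return sorted(user for user, n in counts.items() if n > threshold)


def inactive_profiles(profiles, today, days=INACTIVE_DAYS):
    """Profiles whose password has not been changed within `days` days."""
    return sorted(name for name, changed in profiles.items() if (today - changed).days > days)


def administrator_messages(records, profiles, today):
    """Messages the two utilities would send to the security administrator."""
    counts = count_invalid_signons(records)
    msgs = [f"Excessive invalid signon attempts for {u} ({counts[u]} attempts)"
            for u in excessive_signons(records)]
    msgs += [f"Profile {p} disabled: password not changed in {INACTIVE_DAYS} days"
             for p in inactive_profiles(profiles, today)]
    return msgs


if __name__ == "__main__":
    for message in administrator_messages(AUDIT_RECORDS, PROFILES, REPORT_DATE):
        print(message)
```

Note that only PW entries are counted: the AF (authority failure) and CP (profile change) entries in the sample are different audit events and would feed other Auditor reports, so mixing them into the signon count would inflate it.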
This overview of the AS/400 authority checking internals gives you the background needed to understand the performance impact of different methods used to secure objects. Based on this understanding, the second part of the section gives practical rules you can use to secure data in an efficient and effective manner.

- Architecture

The hallmark of the AS/400 is the simplified system operation resulting from the integration of function by the system and operating system. Traditional systems often have separately installed products for communications, security, and data bases. The AS/400 integrates all of these features into OS/400. Access control of traditional systems often is done by a security product that is separate from the operating system. Traditional operating systems call this security product when access checks are needed. The security product performs the access control checks and returns a go or no-go indication. The operating system then proceeds or prevents the operation. Like other AS/400 functions, security is highly integrated. All security functions are included in OS/400 and the AS/400 system. A separate security product is not required. In traditional systems often the different products have their own access control rules and enrollment. The AS/400 operating system, data base, and communications functions all use the same access check rules and security enrollment. The AS/400 access control checks are built into the machine instructions. Each time an AS/400 program runs any instruction that uses a system pointer to reference data (an object), the machine interface makes an access control check as part of the instruction execution. If the user is authorized to the object, the instruction continues. If the user is not authorized, the instruction is not executed and the system signals a 'not authorized exception'.
Moving security into the machine instructions prevents a system programmer from altering the operating system to bypass the access control checks. In traditional systems, a system programmer has the potential of altering the operating system to bypass security. The following common operations use several instructions that reference an object using a system pointer:

> Running a CL command
> Calling a program
> Opening a file
> Sending a message stored in a message file

The AS/400 performs an access check on each instruction that uses a system pointer, resulting in multiple access checks for a single CL command. On first reference to an object, the operating system may store the user's authority in the pointer, which eliminates the search for the user's access on subsequent references using the authorized pointer. For example, when a program opens a data base file, the user's access is checked and OS/400 data management stores the user's authority in the system pointer. Subsequent read and write operations to the open file do not require searching for authority. Open files are allocated so that authority to the file does not change. Most CL commands are not able to retain the authorized pointer after the command has completed. As a result, each time the command is issued the access checks are repeated.

As an example, consider a program that retrieves a data area, increments the number, and places the updated number back in the data area. In the original figure, the seven access checks made each time the program is called, and the objects checked, are listed beside the program (the figure is not reproduced here). You cannot control the number of times that the AS/400 checks access, but you can select a security implementation that minimizes the overhead for each access check.
- Security Design Options

This section discusses how you can secure objects to minimize the performance overhead associated with access control checks. The security design goal is both efficient and effective control of access to system resources. An efficient security option would be to give all users *ALLOBJ access or have the *PUBLIC authority of *ALL for every object. This is very efficient but would not be effective. The following are some rules that are both effective and efficient.

NOTE: Only secure objects that require protection.

Authorities to objects are similar to the door locks used to limit access to rooms. You do not put locks on every door in your home or office. If you had to lock and unlock a door every time you moved between rooms, it would be a slow process and a waste of time. In a similar manner, you should not secure every object in the system. When objects are restricted the system will check the user's access on each reference, which can impact performance. Only the objects that need to be secured should have restricted access. Whenever possible make *PUBLIC access adequate for most operations. The system uses the No private access flag in the object header to eliminate the need to check individual profiles for access.

NOTE: Avoid giving users less authority than *PUBLIC access.

Giving any user less access than *PUBLIC will cause the system to perform an individual access check for every user. Giving a user less access than *PUBLIC is like placing a guard at a door to prevent one person from entering. The guard requires every person that enters the door to produce identification. The guard will allow access to all users but the restricted individuals. However, every user is required to produce identification each time they enter the door. In a similar manner, if you give users less access than *PUBLIC for an object the system must check all users.
The flag No private authority less than *PUBLIC eliminates the need to search individual user profiles when *PUBLIC authority is adequate for the operation. Checking the *PUBLIC authority in the object header takes less CPU resource than searching for private authority in user profiles. If a single user has less authority than *PUBLIC access, the flag is turned off. This results in an authority search for every user that accesses the object. It is better to reduce the *PUBLIC access for an object to the lowest access needed than to give a few users less access than *PUBLIC.

Some users may require more access than *PUBLIC. The system will search the user profiles only when the requested operation requires more authority than *PUBLIC. For operations where *PUBLIC authority is adequate, no search of the user profile is required. There are no authority lookup operations when there are no private authorities, or when all private authorities are higher than the public authority. When a user was given less authority than *PUBLIC, the authority lookup count for the data area program increased to 20,000. The 20,000 represents two authority lookup operations for the data area (once for the RTVDTAARA and once for the CHGDTAARA command) each time the program loops.

NOTE: When granting users more access than *PUBLIC, use private authorities, not authorization lists.

Users can be granted more access than public using explicit private authority or an authorization list. If an authorization list is used, the performance advantage of the No private authority less than *PUBLIC flag is lost: when an object has an authorization list, the authorization list is checked. An authorization list should therefore not be used to give users more authority than *PUBLIC; users should be explicitly granted access to the object instead.
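To make the lookup rules above concrete, here is an added model (not from the article or from IBM) of the check order they describe. The linear authority ranking, the object layout and the 10,000-iteration RTVDTAARA/CHGDTAARA loop are this example's own assumptions, chosen so the counts line up with the 20,000 figure quoted above.

```python
from dataclasses import dataclass, field
from typing import Dict

# Linear ranking of the object authorities the text mentions (assumption: a
# single ordered scale is enough to say "more" or "less" than *PUBLIC).
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class SecuredObject:
    name: str
    public: str                                             # *PUBLIC authority in the object header
    private: Dict[str, str] = field(default_factory=dict)  # user profile -> explicit private authority
    autl: Dict[str, str] = field(default_factory=dict)     # authorization list entries, if one is attached

    @property
    def no_private_less_than_public(self) -> bool:
        """The header flag: on only when every private authority is at least
        *PUBLIC and no authorization list is attached (an AUTL forfeits it)."""
        if self.autl:
            return False
        return all(RANK[a] >= RANK[self.public] for a in self.private.values())


@dataclass
class Stats:
    lookups: int = 0   # profile/AUTL searches, the "authority lookup operations" of the text


def check_access(obj: SecuredObject, user: str, needed: str, stats: Stats) -> bool:
    """Decide whether `user` holds `needed` authority to `obj`, in the order the text gives."""
    # 1. Cheap path: *PUBLIC covers the operation and the header flag says
    #    nobody has been given less, so no profile is searched at all.
    if RANK[obj.public] >= RANK[needed] and obj.no_private_less_than_public:
        return True
    # 2. Otherwise the user's private authority must be searched for.
    stats.lookups += 1
    if user in obj.private:
        return RANK[obj.private[user]] >= RANK[needed]
    # 3. An attached authorization list is a second search.
    if obj.autl:
        stats.lookups += 1
        if user in obj.autl:
            return RANK[obj.autl[user]] >= RANK[needed]
    # 4. Nothing specific found: fall back to *PUBLIC.
    return RANK[obj.public] >= RANK[needed]


def loop_cost(obj: SecuredObject, user: str, iterations: int = 10_000) -> int:
    """Lookups made by a program that does RTVDTAARA then CHGDTAARA `iterations`
    times, like the data area loop measured in the text."""
    stats = Stats()
    for _ in range(iterations):
        check_access(obj, user, "*USE", stats)      # RTVDTAARA reads the data area
        check_access(obj, user, "*CHANGE", stats)   # CHGDTAARA updates it
    return stats.lookups


def demo() -> Dict[str, int]:
    """Compare the designs the text contrasts; returns lookups per 10,000 loops."""
    public_ok = SecuredObject("DTAARA1", "*CHANGE")
    one_user_below = SecuredObject("DTAARA1", "*CHANGE", private={"BOB": "*EXCLUDE"})
    low_public_grant = SecuredObject("DTAARA1", "*EXCLUDE", private={"ALICE": "*CHANGE"})
    via_autl = SecuredObject("DTAARA1", "*CHANGE", autl={"ALICE": "*ALL"})
    return {
        "public adequate, no privates": loop_cost(public_ok, "ALICE"),
        "one user below *PUBLIC, ordinary user": loop_cost(one_user_below, "ALICE"),
        "low *PUBLIC, user with private grant": loop_cost(low_public_grant, "ALICE"),
        "extra access via AUTL, public-only user": loop_cost(via_autl, "BOB"),
    }


if __name__ == "__main__":
    for design, n in demo().items():
        print(f"{design:42s} {n:>6d} lookups")
```

The third case costs the same 20,000 as the second, but only for the user who actually holds the private grant; every public-only user of the object stays on the cheap path, which is the point of the rule above.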
- Securing Transmission Control Protocol/Internet Protocol (TCP/IP)

There are many protocols that can be used to enable computers to share resources and transmit information across a network. Transmission Control Protocol (TCP) and Internet Protocol (IP) are two of the best known protocols. Since they are the most widely used, the term TCP/IP has become synonymous with a whole family of protocols. The AS/400 implementation of TCP/IP includes:

> File Transfer Protocol (FTP) allows the user to log on to the remote system to PUT or GET files.
> Simple Mail Transfer Protocol (SMTP) is supported on the AS/400 using normal SNADS functions. It allows the sending and receiving of mail across a network. An AS/400 user can use OfficeVision/400 to handle mail. SMTP can also be accessed using the Send Distribution (SNDDST) and Receive Distribution (RCVDST) commands.
> TELNET Protocol allows you to access and use the resources of a remote system as if your work station were locally connected to the remote system. The AS/400 TELNET support consists of two elements, 'TELNET client' and 'TELNET server', which means that users on the AS/400 can request access (client) to another system (server) and vice versa. The TELNET application forces a user to sign on as if at a local terminal.
> Packet Internet Groper (PING) is used to verify a TCP connection to a remote system.
> Application Program Interfaces (APIs) are programmable modules that may be called from AS/400 Pascal. The APIs provide no security features; it is up to the applications using the APIs to provide security.

- Configuring for AS/400 TCP/IP

AS/400 TCP/IP is supported via Token-Ring, Ethernet, or X.25 line. You must create a line description depending on the type of network you are using. The controller and device descriptions can be automatically created for the TCP/IP jobs or configured manually. A subsystem, QTCP, is used for all the jobs associated with TCP/IP.
- TCP/IP Port Security

There are TCP/IP configuration commands (ADDTCPPORT and RMVTCPPORT) that restrict ports so that only configured user profiles may use them. You can use this function when a server application has been developed that uses a specific port. The system administrator can prevent users from starting other applications that use the port.

- TCP/IP File Transfer

The target AS/400 supporting TCP/IP must have a user profile created for each user who needs to send files from their system (AS/400 or non-AS/400) to the target system. When the file is sent, the sender specifies the name of the library that the file will be placed into. The library must already exist and the user must be authorized to it. The default library is the user's current library. The user can issue the FTP subcommand 'CD' (change directory), which changes the user's current library.

Since the AS/400 supports files of fixed length and record size, the file being sent to the AS/400 must have a file length and record size no greater than the file on the AS/400. If the file does not already exist in the library, one will be created automatically. The file being sent will be created as a member of that file. Other files will be added as members of the file created.

Although these are normal functions for FTP, they pose some security considerations for the AS/400. Users already having a user profile on the AS/400 should be authorized only to the libraries and files they need to access. Allowing such users access via TCP/IP support should not present any additional security risk. Users who need only to send files from other systems using TCP/IP, but have no need for interactive sign on, still need to have a valid user profile and password on the AS/400. Such users should be LMTCPB(*YES). Menu security can be used to control the user should they attempt to sign on interactively, or use an initial program that signs them off. Library and file authorizations are particularly important.
By using FTP on other systems (AS/400 or non-AS/400) a user can retrieve a copy of a file member using the GET command. Read authority (*USE) is required for this function. TCP/IP users added to the AS/400 should have *EXCLUDE authority to all but the required libraries and files.

- Simple Mail Transfer Protocol (SMTP)

Using the SMTP function of AS/400 TCP/IP, a user can send documents, notes or messages to another user. When using OfficeVision/400 to send mail to a host defined to SNADS as a TCP/IP host, the TCP/IP routines will automatically be used if the TCP/IP and SNADS subsystems are started. Configuration of SMTP requires several steps. You can also use the AS/400 as an office gateway between SNADS and TCP/IP networks. In this situation you will have to configure your AS/400 for both environments. Of particular importance is the updating of the system distribution directory and the SMTP host and alias tables.

In simple terms, the host and alias tables contain the address and addressee information needed for sending and receiving distributions. The alias table is a nickname-type table, used to shorten lengthy addressee information or where special characters may cause a problem. Each SMTP user can have an alias table. Only the owner of the alias table and users with *SECADM authority are able to work with the alias table. Entries should only be made for known hosts and users.

- TELNET Client

The AS/400 TELNET client allows an AS/400 TCP/IP user to sign on to and use the applications on a remote system that has the TELNET server application. It is up to the remote system (the server or target) to enforce security through normal user profile, password, and resource security measures.

- TELNET Server

The AS/400 TELNET server allows a TCP/IP user on a remote TELNET client system to sign on to and run applications on the AS/400 system.
With few changes to the system values, the TELNET server is automatically set up to support TELNET connections when TCP/IP is started. In 5250, 3270, or VT220 full-screen mode, the AS/400 automatically sends the AS/400 signon display when a TELNET connection is made.

- Security Officer's Password

What happens if the security officer forgets his password? Or if he is unavailable for some reason? Other users with *ALLOBJ cannot completely duplicate his functions, especially since (in most installations) the security officer is also the security administrator (*SECADM).

One approach is to have the security officer keep a written copy of his password locked in the company's safe. This can work if the security officer never changes his password without changing the written record. (Working through a list of passwords is one way to accomplish the same thing.) There are various problems with this approach.

Another approach is to have a defined user (named RESETSEC in this example) that is never used, except in one circumstance. If it is never used, there is no need to change its password at intervals. The only circumstance in which this user profile is used is to reset the security officer's password. The company president or a senior manager would keep the (unchanging) password for RESETSEC locked away. The RESETSEC user profile would have an initial program that causes the security officer's password to be reset to QSECOFR. That is, the RESETSEC user profile would have INLPGM(FIXIT). The FIXIT program must be owned by the security officer and run with adopted authority. (Obviously this program must be installed while the security officer, with his password, is available. It cannot be installed after the problem arises.) This program's access should be very restricted, of course.
The program could be very simple:

FIXIT    PGM
         CHGUSRPRF USRPRF(QSECOFR) PASSWORD(QSECOFR)
         SIGNOFF
         ENDPGM

The situation described here may seem amusing, but it could be very real in a good, secure installation. An auditor should insist on some defined recovery procedure for the described situation. DST (dedicated service tools) also provides a method for recovery in this situation. However, DST requires usage skills that may not exist in all installations.

- Security Checklist

The following checklist can be used by auditors or system administrators to evaluate the security setup on an AS/400 system. This checklist is broken down by function to give good principles for every system. Before you start on this security checklist we encourage you to take a look at the Basic Security Guide. It has a number of forms that may be very useful in a security audit.

-- Physical Security
> The machine room should be water-proofed and fire-proofed. The door can be locked to control the entrance. Each entrance should be logged.
> A UPS (Uninterruptible Power Supply) should be used to allow for a normal shutdown in case of a power outage.
> Physical access to the system console should be restricted.
> Recording confidential information such as user passwords on workstation/terminal record/play keys should be prohibited.
> Backup tapes and documentation should be protected from damage and theft.
> The key should be removed from the AS/400 system panel and stored in a secure location. The keylock switch setting on the processor unit should not be in the manual position.
> The following questions should be asked: Are users of non-programmable terminals allowed to store information in the keyboard? Should the signon screen warn about unauthorized/illegal attempts to log on to the system?

-- System Values/Network Attributes
> The following questions should be asked: Who has authority to change system values, network attributes and work management? Are such changes documented and filed?
> Signon for users with *ALLOBJ or *SERVICE special authority should be limited to specific devices. System value QLMTSECOFR should be set to '1' to restrict users with *ALLOBJ or *SERVICE special authority to specific devices.
> System value QSECURITY should be set to 30 or higher to activate resource security.
> Security-related system values and network attributes should follow recommended guidelines. Use the following two commands, WRKSYSVAL (Work with System Value) and DSPNETA (Display Network Attributes), to list all security-related system values and network attributes:

WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT)
DSPNETA OUTPUT(*PRINT)

Refer to the AS/400 Security Reference for information about the valid parameters.
> Decisions about system values and network attributes should be reviewed periodically, particularly when the system environment changes, such as the installation of a new application or a communication network. If you activate QAUDJRN, any changes to system values and network attributes can be logged. Refer to the AS/400 Security Reference about how to activate QAUDJRN.

-- User and Group Profiles
> Naming conventions for user profiles, group profiles and authorization lists should be followed.
> Each user should be assigned a unique profile.
> Users should be limited to signing on at only one device at a time. System value QLMTDEVSSN should be set to '1' to limit users to one signed-on device.
> Users should be able to change their own passwords. Allowing users to define their own passwords reduces the need for users to write down their passwords. Users should have access to the CHGPWD (Change Password) command or to the Change Password function from the Operational Assistant menu.
> Users that are limited to menus should have LMTCPB(*YES) specified to prevent override of the initial program or initial menu at signon. This also restricts use of commands on system menus.
You should also modify the query definition to list all user profiles with LMTCPB(*YES).
> Programmers should be restricted from production libraries. Use the DSPOBJAUT (Display Object Authority) command to determine the public and private authorities for production libraries and critical objects in the libraries.
> The administration of user profiles should be adequately organized. No user profile should have large numbers of private authorities.
> There should be a routine for how to register a new user.
> Employees should be removed from the system immediately upon notification of transfer or termination. Regularly review the DSPAUTUSR (Display Authorized Users) list to make sure only active employees have access to the system.
> User profiles should be checked to verify that they are not used as group profiles.
> Owners of applications should verify the authorized users, including *PUBLIC access. The verification should be performed according to the company's security policy.
> Management should regularly audit the users with special authorities, particularly *ALLOBJ special authority.
> Users that are limited to menus should have no menu option that allows entry of commands.
> The security officer profile or a user with *ALLOBJ special authority should not be a group profile. If other profiles have QSECOFR as a group profile, then these profiles should be controlled in a tight security environment.
> Group profiles shall have PASSWORD(*NONE).
> Group profiles should be identified with a naming convention. The naming convention GRPxxx for group profiles makes it apparent that multiple users are authorized when the group profile name is shown on a list of authorized users. Check the DSPAUTUSR (Display Authorized Users) command list:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

> Membership in a group profile should be changed when job responsibilities change.
To verify group membership, use one of these commands:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(group profile name) TYPE(*GRPMBR) OUTPUT(*PRINT)

-- Password Controls
> The passwords of IBM-supplied profiles should be changed. If you are on release V2R3 or earlier, verify that the passwords of the following IBM-supplied user profiles have been changed: QSECOFR, QPGMR, QUSER, QSRV, QSRVBAS and QSYSOPR. If you are on V3R1, only QSECOFR needs to be changed. The rest of the Qxxxxxx profiles are shipped with password = *NONE.
> Only a limited number of users should know the passwords for the Qxxxxxx profiles above.
> The passwords for these Qxxxxxx profiles must be documented and kept in a safe place.
> Only authorized users should be able to change the passwords for the Qxxxxxx profiles.
> The IBM dedicated service tools (DST) passwords should be changed.
> Only a limited number of users should know the DST passwords.
> The DST passwords should be documented and kept in a safe place.
> There must be a rule for when the DST passwords are changed.
> Only a limited number of users should be authorized to change the DST passwords.
> The passwords of group profiles should be *NONE. Check the DSPAUTUSR (Display Authorized Users) command list:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

> Check when a user last changed the password. One way to do this is to copy all user profiles to an outfile. (QADSPUPB in QSYS can be used. It has all the necessary fields predefined.) Run a query sorted on the date when the password was last changed.
> Password expiration should be active. System value QPWDEXPITV should be set to meet the organization's security guidelines.
> Trivial passwords should be prevented by selecting the QPWDxxxx system values. Use the WRKSYSVAL (Work with System Value) command to list all security-related system values beginning with QPWD.
> If a user profile has a password expiration interval that is different from the system value, it should meet or be better than the organization's security guideline.

-- Applications and Ownership
> Applications in the production environment should be owned by a single user profile, not a group profile.
> Application ownership should correspond with the 'Plan to protect the business processes'.
> Documented routines should be followed when authorizing a user to an application.
> Authorization to applications should only be given to users who need it.
> Some objects within libraries may need to be secured more tightly than others.

-- Programs
> Only specific libraries should contain source code.
> Requests for changes to an application must be authorized and documented. The documentation must be kept.
> Changes must be done in a test environment.
> The programmer must document the changes made, and the documentation must be kept.
> It must be verified that the programs have been changed according to the programmer's documentation.
> It must be verified that someone is responsible for checking whether changes to an application require a change in the backup routines, the restore strategy or the 'Plan to protect the business processes'.
> The ownership of the objects must be changed when they are transferred to the production environment.
> Programs in the production environment should prevent use of DEBUG facilities to change variables.
> The source for programs should be captured when programs are moved into the production environment.
> The SECURE parameter in all override commands should be specified as *YES to prevent the file name being redirected to another file.
> Control the library list in applications to prevent a library that contains a similar program being added before the production libraries. You should specify a library name instead of the default *LIBL in the source for programs.
> Programs that adopt authority must be checked for ownership, where they are used, and who has access to them.
> DFU and SQL should only be accessible by those who need them.

-- Authorization Control
> Owners of data should understand their obligation to authorize users on a need-to-know basis.
> Written forms should be signed by the application owners when a user is authorized to an application.
> Data should not be over-protected. System performance is improved when *PUBLIC authority is used for objects that do not justify protection. This also saves time during a backup of the system (SAVSYS or SAVSECDTA).
> Sensitive data should have public authority *EXCLUDE. Check the authority of user *PUBLIC for critical objects using the DSPOBJAUT (Display Object Authority) command.
> Authorization should be defined at the library level where possible.
> The public authority to user profiles should be *EXCLUDE.
> Users must not be allowed to sign on by pressing the Enter key on the Sign On display. Make sure no workstation entries in subsystem descriptions specify a job description that has a user profile name specified for the USER parameter.
> Authorization lists should be used to secure physical files. If the physical file has multiple members, the use of an authorization list will provide better performance on save/restore than individual authorities.
> When the S36 environment is used, authority holders must be checked.
> When the authorization to an object in the QSYS library is changed, it must be changed in all QSYSxxx libraries on the system, such as QSYS38 and QSYSVxRxMx.
> Job descriptions with *PUBLIC authority should specify USER(*RQD). To find out what job descriptions are on the system, use

DSPOBJD OBJ(*ALL/*ALL) OBJTYPE(*JOBD) DETAIL(*BASIC) OUTPUT(*PRINT)

To check the USER parameter of a job description, use the DSPJOBD (Display Job Description) command.
> Job descriptions that specify a user profile name should have public authority *EXCLUDE, and should be authorized to specific users. To find out what job descriptions are on the system, use

DSPOBJD OBJ(*ALL/*ALL) OBJTYPE(*JOBD) DETAIL(*BASIC) OUTPUT(*PRINT)

To check the authority to a job description, use the DSPOBJAUT (Display Object Authority) command.

-- Auditing Access
> Activate logging of security-relevant events. System value QAUDLVL should be at least *AUTFAIL and *PGMFAIL. Regularly reviewing entries in the audit journal is the best method for detecting unauthorized attempts to access information.
> Entries in the audit journal that report authorization failures should be reviewed for repeat offenders. Authorization failures cause AF type entries in the audit journal.
> Periodically review changes to user profiles. Use the OUTFILE option on DSPUSRPRF to detect changes in the user population and authority assignments.
> System value QMAXSIGN should limit the number of access attempts to five or less. The QMAXSGNACN system value should be set to two or three.
> Message queue QSYSMSG should be created in library QSYS and monitored.
> The message CPF1116, shown when the user is about to exceed the retry limit for passwords, should be changed to be the same as the invalid password message CPF1107. This change prevents the user from knowing that the next attempt will notify the security officer.

-- Communications
> It should be verified whether users on other systems can log on to this AS/400. If so, which users and which systems?
> Which telecommunication lines are used for what purpose should be determined. Should they be online at IPL?
> Dial-in support should be protected by call-back procedures.
> Encryption should be used on sensitive data.
> Autoconfiguration should be prohibited once initial configuration has been done. System value QAUTOCFG should be set to '0' to turn off autoconfiguration.
> Remote signon should be controlled.
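The "review AF entries for repeat offenders" item above is a detection task, so here is an added example (not from the checklist or from IBM) of that review over a constructed extract of audit journal entries. The record layout and field names are this example's own, not the journal outfile format; only the entry types AF (authority failure) and PW (password failure, also produced by *AUTFAIL) and the threshold idea come from the text.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of audit journal entries reduced to the fields this
# review needs. Field names are this example's own (not the QASY*JE layout).
SAMPLE_ENTRIES = [
    {"type": "AF", "user": "JSMITH", "obj": "PAYROLL/EMPMAST", "ts": "2000-05-10-09.01.12"},
    {"type": "AF", "user": "JSMITH", "obj": "PAYROLL/EMPMAST", "ts": "2000-05-10-09.01.40"},
    {"type": "AF", "user": "ANNA",   "obj": "HR/BENEFITS",     "ts": "2000-05-10-10.15.03"},
    {"type": "PW", "user": "JSMITH", "obj": "",                "ts": "2000-05-11-08.00.21"},
    {"type": "AF", "user": "JSMITH", "obj": "PAYROLL/SALARY",  "ts": "2000-05-11-08.02.55"},
    {"type": "AF", "user": "BOB",    "obj": "PAYROLL/EMPMAST", "ts": "2000-05-11-14.30.00"},
    {"type": "AF", "user": "JSMITH", "obj": "PAYROLL/EMPMAST", "ts": "2000-05-12-09.00.07"},
    {"type": "AF", "user": "BOB",    "obj": "HR/BENEFITS",     "ts": "2000-05-12-16.45.19"},
]


def authorization_failures(entries: List[dict]) -> List[dict]:
    """Keep only AF entries; PW entries are a separate review (password guessing)."""
    return [e for e in entries if e["type"] == "AF"]


def repeat_offenders(entries: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` authority failures, most frequent first."""
    counts = Counter(e["user"] for e in authorization_failures(entries))
    return {user: n for user, n in counts.most_common() if n >= threshold}


def objects_targeted(entries: List[dict], user: str) -> List[str]:
    """Distinct objects one user failed to reach, to hand to the object owners."""
    return sorted({e["obj"] for e in authorization_failures(entries) if e["user"] == user})


def failures_by_object(entries: List[dict]) -> List[Tuple[str, int]]:
    """Objects ranked by failure count. One object failing for many different
    users usually means its *PUBLIC authority is wrong, not that it is being probed."""
    return Counter(e["obj"] for e in authorization_failures(entries)).most_common()


def password_failures(entries: List[dict]) -> Dict[str, int]:
    """PW entries per user; compare against the QMAXSIGN limit chosen above."""
    return dict(Counter(e["user"] for e in entries if e["type"] == "PW"))


if __name__ == "__main__":
    for user, n in repeat_offenders(SAMPLE_ENTRIES).items():
        print(f"{user}: {n} AF entries, objects {objects_targeted(SAMPLE_ENTRIES, user)}")
    print("hot objects:", failures_by_object(SAMPLE_ENTRIES))
```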
The system value QRMTSIGN should be set to *FRCSIGNON, or a pass-through validation program should be used.
> Subsystems should prevent usage of the default user. A user profile should be required to start a session.
> Access to data from other systems, including personal computers, should be controlled using the JOBACN, PCSACC, and DDMACC network attributes. Use the DSPNETA (Display Network Attributes) command to list all security-related network attributes:

DSPNETA OUTPUT(*PRINT)

> Configuration lists must be checked.
> The use of DDM and ICF must be verified.
> APPC devices and remote controllers must be checked.

-- PC Support
> The folders should be checked for PC viruses periodically.
> Only those who need it should have access to the PC Support file transfer functions.
> PC users should not be allowed to store their passwords in the clear in a file on the PC.

Hope that helps. For cracking AS/400s check out my text that I might write later in life :] But, in the meantime check out 9X's site for one.

Slider.

- EOF -

Werd : Zomba, MuFTAk, Abattis, NynexPhreak, IS-, JonP, and others.
FuqU : Anybody that hates me
Cool : Moby - South Side

Here we are now going to the South side, I look at my friends and they start to rise, Friday nights yeah right on day, looking out for sunny days.

----------------------------------------------
**********************************************
Munge Interview - Cyber0ptix
**********************************************

Q1) Introduce yourself?
munge, a.k.a celsus, bastiat, Matt Dickerson.

Q2) When did you get into the computer Underground?
Officially: as soon as I executed BitchX and entered #hack2000. Ph33r.

Q3) Why do you run attrition.org?
Shell access and chicks.

Q4) What do you think of 'crackers'?
Ma and Pa is good folk.

Q5) Have you ever defaced a website?
My own HTML has been called a defacement. Otherwise, no.

Q6) What was your first computer?
Apple II.
Unfortunately, it was much later that I became interested in the computer technologies I was using.

Q7) What systems do you have set up at home?
Linux, FreeBSD, TI 1500S (sometimes labeled HP 9000), Solaris (x86), Windows 95; though I spend the vast majority of my time on Linux and FBSD.

Q8) What Operating Systems do you most rate?
I'm keen on *BSD. Unix, all the way though.

Q9) What, in your opinion, is the most secure Operating System?
Depends on the administrator, ultimately. Out of the box, OpenBSD has a great reputation, but I have yet to try it.

Q10) What do you think of the state of the Underground today?
What's the Underground? Whatever is illegal? Warez pups trading pirated programs? Defacers? If so, it's a sad state.

Q11) Who do you most respect in the Underground?
If you're referring to the security scene, I have always had a lot of respect for L0pht. I have huge respect for Elias Levy, a.k.a. aleph one, bugtraq moderator among other things. Fyodor for creating nmap. Not really associated with the Underground, but: Randal Schwartz, Perl and shell guru, and the Master of Ceremonies for The Coveted and Immortal UUCA has my respect, for being a great instructor and writer, and enduring the ugliness of corporate scapegoating (Intel).

Q12) Who were your mentors, when you started to get into the Scene?
comp.unix.shell is a harsh mistress. mal_vu taught me a lot as well.

Q13) Have you ever read Oblivion Underground Magazine?
Not yet.

Q14) Do you think you will ever read it?
Sure.

Q15) What do you think of people getting arrested for hacking?
It's a pity that the U.S. government has resorted to arresting kids instead of promoting security, and uses these instances of mild vandalism to justify curtailing the necessary freedoms of its innocent citizens.

Q16) What do you think of 'skript kiddies'?
Sad, isn't it? Hopefully the skript kiddies will get over the joy riding and discover, in the best sense of the word, hacking.
Q17) What other groups have you ever belonged to?
None, really.

Q18) Do you ever admire any of the 'crackers' that you mirror on attrition.org?
Without condoning their vandalism, I think that it is possible to admire the message, artwork, humor, or skill that all too rarely shines through the mountain of dung. So yes.

Q19) If yes, which ones and why?
ULG, for the art, humor, and the skill.

Q20) Any greets?
mal_vu, null, dpr, Innocent III, skb

Q21) Any links you wanna plug?
Lighten up: www.leisuretown.com (justifies the existence of the Internet)
www.spacemoose.com (justifies the existence of Canada)
pr0n: www.nerve.com (justifies my continued existence ;)
because we're all still kids at heart: www.yenz.com (I know I will get flak for this, but this justifies the existence of flash)

----------------------------------------------
**********************************************
Using VN Clouds as a Mechanism to avoid Partial Internet Routing Outages and Bandwidth Starvation (theory) - LockDown
**********************************************

You may have checked Slider's txt on VPNs in Issue 2 of Oblivion, where he outlined the use of VPNs for private network to private network communication over a public packet network (i.e. the internet!)..

[ + I will continue VPNs in Issue 4, cos I haven't had the time to write it :[ - Slider ]

Check this..

                          -Public Internet-
                          |               |
XXX Network ---->VPN Tunnel<----------------->VPN Tunnel-----> ZZZ Network

Okay, I was connected to my ISP (who shall remain nameless, I'll give you some clues below!), I was doing some surfing, when my connection went blam! ....Okay...let's start to troubleshoot the problem..... okay...(we're in NT!)

ipconfig /all

PPP adapter:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 194.131.244.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 194.131.244.117
   DNS Servers . . . . . . . . . . . : 212.41.41.1
                                       212.41.41.6
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ping my local gateway... 194.131.224.117....fine, ping default gateway, 194.131.224.117 fine. Okay, next a tracert to linx.net (check out www.linx.net to learn more about this IP exchange point in the UK!).

Tracing route to www.linx.net [195.66.232.34]
over a maximum of 30 hops:

  1    94 ms   125 ms   109 ms  194.131.240.7
  2   203 ms   234 ms   188 ms  194.131.240.1
  3   234 ms   266 ms   313 ms  gw3.lnd4.gbb.uk.uu.net [158.43.175.3]
  4   265 ms   282 ms   329 ms  fddi0-0-0.hr1.lnd4.gbb.uk.uu.net [158.43.172.1]
  5   282 ms   281 ms   297 ms  pos1-1.cr1.lnd4.gbb.uk.uu.net [158.43.172.97]
  6     *        *        *     Request timed out.
  7   250 ms   282 ms   234 ms  fe0-0-0.br1.lnd8.gbb.uk.uu.net [158.43.188.69]
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.

As you can see, pretty horrible stuff; after fe0-0-0 we don't get any packets back, which is rather bad... Pinging that last good router shows....

Pinging 158.43.188.69 with 32 bytes of data:

Reply from 158.43.188.69: bytes=32 time=219ms TTL=248
Reply from 158.43.188.69: bytes=32 time=187ms TTL=249
Reply from 158.43.188.69: bytes=32 time=188ms TTL=248
Reply from 158.43.188.69: bytes=32 time=235ms TTL=249

Ping statistics for 158.43.188.69:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 187ms, Maximum = 235ms, Average = 207ms

Okay, so we know that we can get to this router, but beyond it our packets disappear. This can be for many reasons: oversubscribed bandwidth, a local routing problem or routing loop, a hardware fault, a stoned engineer with a screwdriver! Okay, tried a trace route to the oblivion boys..
Tracing route to www.oblivion.org.uk [195.147.246.231]
over a maximum of 30 hops:

  1   125 ms   125 ms   406 ms  194.131.240.7
  2   219 ms   218 ms   204 ms  194.131.240.1
  3   203 ms   234 ms   188 ms  gw3.lnd4.gbb.uk.uu.net [158.43.175.3]
  4   187 ms   235 ms   219 ms  fddi0-0-0.hr1.lnd4.gbb.uk.uu.net [158.43.172.1]
  5   625 ms   297 ms   265 ms  pos1-1.cr1.lnd4.gbb.uk.uu.net [158.43.172.97]
  6     *        *        *     Request timed out.
  7   203 ms   219 ms   219 ms  fe0-0-0.br1.lnd8.gbb.uk.uu.net [158.43.188.69]
  8   250 ms   297 ms   281 ms  fd5-0-0-llb-x-lx.TH7.core.rtr.xara.net [195.66.25.29]
  9   266 ms   281 ms   313 ms  hs4-0-llb-x-th7.TH26.core.rtr.xara.net [194.14.164.33]
 10   656 ms   235 ms   203 ms  po6-0-llb-x-th26.HE3.core.rtr.xara.net [195.14.240.53]
 11     *        *        *     Request timed out.
 12   203 ms   219 ms   219 ms  serv-farm.freenetname.co.uk [195.147.246.231]

< Oblivion-mag.org.uk is run on Freenetname, until we get a better provider - Slider >

< Well actually, the domain is hosted there, and as they want £94 to release it, I have just stuck up an index.html that redirects, fuq u freenetname! Anyways, keep an eye out for our totally new site which will be going live in about 1 month - Cyber0ptix >

As we can see, a much better trace. Don't worry about hops 6 and 11; that's a router which is not responding to the traceroute packets (usually a configuration problem, or a reverse routing problem... sometimes for security reasons!). So, we know we can get to the oblivion boys. There's a very strong chance that the xara.net backbone can still reach the linx backbone, as it will take another route around the network, thus letting our packets escape to the rest of the world. This is where we use VN tunnels to reroute around the fault.

Question: aren't internet protocols like RIP/OSPF/BGP supposed to do this automatically?

Answer: In theory yes, but many networks are single homed (attached to a single BGP AS); many are multihomed, linx.net for example is attached to every backbone in the UK!
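Reading the two traces above by eye is how LockDown found the break; here is an added example (not part of the original article) that does the same comparison in code: a parser for Windows tracert output that reports where a trace stopped answering and the first hop at which two traces take different routers. The trace texts are copied from the article (hop 4 of the second trace gets a space before its bracket so both lines parse alike); the regular expressions and the result fields are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Both traces copied from the article's tracert output (the first was cut by the author after hop 11).
TRACE_LINX = """\
Tracing route to www.linx.net [195.66.232.34]
over a maximum of 30 hops:
  1    94 ms   125 ms   109 ms  194.131.240.7
  2   203 ms   234 ms   188 ms  194.131.240.1
  3   234 ms   266 ms   313 ms  gw3.lnd4.gbb.uk.uu.net [158.43.175.3]
  4   265 ms   282 ms   329 ms  fddi0-0-0.hr1.lnd4.gbb.uk.uu.net [158.43.172.1]
  5   282 ms   281 ms   297 ms  pos1-1.cr1.lnd4.gbb.uk.uu.net [158.43.172.97]
  6     *        *        *     Request timed out.
  7   250 ms   282 ms   234 ms  fe0-0-0.br1.lnd8.gbb.uk.uu.net [158.43.188.69]
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
"""

TRACE_OBLIVION = """\
Tracing route to www.oblivion.org.uk [195.147.246.231]
over a maximum of 30 hops:
  1   125 ms   125 ms   406 ms  194.131.240.7
  2   219 ms   218 ms   204 ms  194.131.240.1
  3   203 ms   234 ms   188 ms  gw3.lnd4.gbb.uk.uu.net [158.43.175.3]
  4   187 ms   235 ms   219 ms  fddi0-0-0.hr1.lnd4.gbb.uk.uu.net [158.43.172.1]
  5   625 ms   297 ms   265 ms  pos1-1.cr1.lnd4.gbb.uk.uu.net [158.43.172.97]
  6     *        *        *     Request timed out.
  7   203 ms   219 ms   219 ms  fe0-0-0.br1.lnd8.gbb.uk.uu.net [158.43.188.69]
  8   250 ms   297 ms   281 ms  fd5-0-0-llb-x-lx.TH7.core.rtr.xara.net [195.66.25.29]
  9   266 ms   281 ms   313 ms  hs4-0-llb-x-th7.TH26.core.rtr.xara.net [194.14.164.33]
 10   656 ms   235 ms   203 ms  po6-0-llb-x-th26.HE3.core.rtr.xara.net [195.14.240.53]
 11     *        *        *     Request timed out.
 12   203 ms   219 ms   219 ms  serv-farm.freenetname.co.uk [195.147.246.231]
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\*|<?\d+ ms)\s+(\*|<?\d+ ms)\s+(\*|<?\d+ ms)\s+(.+?)\s*$")
HOST_RE = re.compile(r"^(?:(\S+) )?\[?([\d.]+)\]?$")   # "name [ip]" or bare "ip"


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # None where tracert printed '*'
    host: Optional[str]         # reverse-DNS name, if tracert printed one
    ip: Optional[str]           # None for "Request timed out."

    @property
    def responded(self) -> bool:
        return self.ip is not None


def _rtt(token: str) -> Optional[int]:
    return None if token == "*" else int(token.replace("ms", "").replace("<", "").strip())


def parse_tracert(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (destination ip from the header, hops in order)."""
    dest_ip, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            dest_ip = h.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rtts, target = int(m.group(1)), [_rtt(t) for t in m.groups()[1:4]], m.group(5)
        if target.startswith("Request timed out"):
            hops.append(Hop(number, rtts, None, None))
            continue
        hm = HOST_RE.match(target)
        hops.append(Hop(number, rtts, hm.group(1) if hm else None, hm.group(2) if hm else target))
    return dest_ip, hops


def diagnose(text: str) -> dict:
    """Where did the trace stop answering? Silent hops before the last answering
    router are not the fault (the text's hop 6); only trailing silence is."""
    dest_ip, hops = parse_tracert(text)
    answered = [h for h in hops if h.responded]
    last = answered[-1] if answered else None
    trailing = len(hops) - (hops.index(last) + 1 if last else 0)
    return {
        "destination": dest_ip,
        "reached_at_hop": next((h.number for h in hops if h.ip == dest_ip), None),
        "last_responding_hop": last.number if last else None,
        "last_responding_ip": last.ip if last else None,
        "trailing_timeouts": trailing,
        "silent_intermediate_hops": [h.number for h in hops if not h.responded and last and h.number < last.number],
    }


def first_divergent_hop(text_a: str, text_b: str) -> Optional[int]:
    """First hop number at which two traces stop passing through the same routers."""
    _, a = parse_tracert(text_a)
    _, b = parse_tracert(text_b)
    return next((ha.number for ha, hb in zip(a, b) if ha.ip != hb.ip), None)
```

Run on the article's traces, the first one dies after hop 7 (158.43.188.69) with four trailing timeouts, the second reaches its destination at hop 12, and the two part company at hop 8, which is exactly where a tunnel to the second destination would carry the first one's traffic past the break.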
The peering agreements between the bandwidth providers can lead to some very strange routing agreements in the UK, so traffic you send to linx can take a very very strange route around the UK. If all networks in the UK were equal, then a problem like this would be less likely, as the routing protocols would reroute around the problem dynamically. But networks are owned by different companies, and peering agreements, routing policy etc etc all determine where your packets go in the real world, not internet routing protocols. BGP has a very large 'human' element, i.e. manually entering routes, backup paths, peering etc etc. If you let loose a BGP newbie on your network, it can lead to big routing problems for everyone else.... I might write more on this if someone can lend me a router with BGP on it!!!!

First my broken network - [x] = Router Hops.. [*] = End of the line for my packets

so,

  ME!-----[0]-------[1]-------[2]--------[3]-------[*] www.linx.net

So, example... we run a VN server on the oblivion network, and connect...

        -----------------Public Internet-------------------------
        |                                                       |
so,  ME!--VN<--Good route-->VN OBLIVION SERVER------------> www.linx.net
                                     NAT      <------------- www.linx.net

Here the oblivion server handles packets in both directions, and runs a layer of NAT to translate IP addresses. Think of it as proxying as you would an http connection, but at the IP packet layer with NAT.

        -----------------Public Internet-------------------------
        |                                                       |
so,  ME!--VN<--Good route-->VN OBLIVION SERVER--IP SRC SPOOF-------> www.linx.net
     ME! -------------------Runs Over Different Route-------------> www.linx.net

Here we do not need a NAT layer, as the oblivion server rewrites the IP source address (we spoof the IP for legal reasons ;-). www.linx.net will return packets directly to ME! This assumes that the routing outage from me to www.linx.net is one way (which is usually the case); packets take a different route back from www.linx.net to ME!.
That sounds a bit weird, but on large packet internetworks this is usually the case, due to traffic engineering, inefficient routing tables, or BGP instability! As you can see, I managed to reroute my packets over a VN tunnel, thus doing what the ISP is supposed to do ;-)..... and I get my boring data from www.linx.net ;-). In actual fact, I've managed to connect to another IP backbone! This method is inefficient, as you need to send packets over more hops than is necessary, but with the poor state of routing on some large networks, a VPN tunnel might be the only way to reach a network from your location. VN clouds can also be used in other ways: for anon IP connections, distributing traffic load (without using fancy OSPF or Cisco routers!), and traffic engineering. Don't think VPNs are limited to private networks...:-). I hope this got you thinking..., if you wish to discuss!!!

Cheers,
Lockdown
lock-down@hushmail.com

----------------------------------------------
**********************************************
Lightweight Directory Access Protocol (LDAP) - Slider
**********************************************

Channel : #oblivionmag

<Slider> It's just one of those days just when you don't wanna wake up, everything is fucked, everyone sucks... - Limp Bizkit

Lightweight Directory Access Protocol (LDAP) is a fast growing technology for accessing common directory information. LDAP has been embraced and implemented in most network-oriented middleware. As an open, vendor-neutral standard, LDAP provides an extendable architecture for centralized storage and management of information that needs to be available for today's distributed systems and services. After a fast start, it can be assumed that LDAP has become the de facto access method for directory information, much the same as the Domain Name System (DNS) is used for IP address look-up on almost any system on an intranet and on the Internet.
LDAP is currently supported in most network operating systems, groupware and even shrink-wrapped network applications.

- LDAP: The New Common Directory

People and businesses are increasingly relying on networked computer systems to support distributed applications. These distributed applications might interact with computers on the same local area network (LAN), within a corporate intranet, or anywhere on the worldwide Internet. To improve functionality and ease of use, and to enable cost-effective administration of distributed applications, information about the services, resources, users, and other objects accessible from the applications needs to be organized in a clear and consistent manner. Much of this information can be shared among many applications, but it must also be protected to prevent unauthorized modification or the disclosure of private information. Information describing the various users, applications, files, printers, and other resources accessible from a network is often collected into a special database, sometimes called a directory. As the number of different networks and applications has grown, the number of specialized directories of information has also grown, resulting in islands of information that cannot be shared and are difficult to maintain. If all of this information could be maintained and accessed in a consistent and controlled manner, it would provide a focal point for integrating a distributed environment into a consistent and seamless system. The Lightweight Directory Access Protocol (LDAP) is an open industry standard that has evolved to meet these needs. LDAP defines a standard method for accessing and updating information in a directory. LDAP is gaining wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets. It is being supported by a growing number of software vendors and is being incorporated into a growing number of applications.

- What is a Directory?
A directory is a listing of information about objects arranged in some order that gives details about each object. Common examples are a city telephone directory and a library card catalog. For a telephone directory, the objects listed are people; the names are arranged alphabetically, and the details given about each person are address and telephone number. Books in a library card catalog are ordered by author or by title, and information such as the ISBN number of the book and other publication information is given. In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects. A particular directory might list information about printers (the objects) consisting of typed information such as location (a formatted character string), speed in pages per minute (numeric), print streams supported (for example PostScript or ASCII), and so on. Directories allow users or applications to find resources that have the characteristics needed for a particular task. For example, a directory of users can be used to look up a person's e-mail address or fax number. A directory could be searched to find a nearby PostScript color printer. Or a directory of application servers could be searched to find a server that can access customer billing information. The terms white pages and yellow pages are sometimes used to describe how a directory is used. If the name of an object (person, printer) is known, its characteristics (phone number, pages per minute) can be retrieved. This is similar to looking up a name in the white pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement. This is like looking up a listing of hairdressers in the yellow pages of a telephone directory. 
However, directories stored on a computer are much more flexible than the yellow pages of a telephone directory because they can usually be searched by specific criteria, not just by a predefined set of categories.

- Differences Between Directories and Databases

A directory is often described as a database, but it is a specialized database that has characteristics that set it apart from general purpose relational databases. One special characteristic of directories is that they are accessed (read or searched) much more often than they are updated (written). Hundreds of people might look up an individual's phone number, or thousands of print clients might look up the characteristics of a particular printer. But the phone number or printer characteristics rarely change. Because directories must be able to support high volumes of read requests, they are typically optimized for read access. Write access might be limited to system administrators or to the owner of each piece of information. A general purpose database, on the other hand, needs to support applications such as airline reservation and banking with high update volumes. Because directories are meant to store relatively static information and are optimized for that purpose, they are not appropriate for storing information that changes rapidly. For example, the number of jobs currently in a print queue probably should not be stored in the directory entry for a printer because that information would have to be updated frequently to be accurate. Instead, the directory entry for the printer could contain the network address of a print server. The print server could be queried to learn the current queue length if desired. The information in the directory (the print server address) is static, whereas the number of jobs in the print queue is dynamic.
Another important difference between directories and general purpose databases is that directories may not support transactions (some vendor implementations, however, do). Transactions are all-or-nothing operations that must be completed in total or not at all. For example, when transferring money from one bank account to another, the money must be debited from one account and credited to the other account in a single transaction. If only half of this transaction completes or someone accesses the accounts while the money is in transit, the accounts will not balance. General-purpose databases usually support such transactions, which complicates their implementation. Because directories deal mostly with read requests, the complexities of transactions can be avoided. If two people exchange offices, both of their directory entries need to be updated with new phone numbers, office locations, and so on. If one directory entry is updated, and then the other directory entry is updated, there is a brief period during which the directory will show that both people have the same phone number. Because updates are relatively rare, such anomalies are considered acceptable. The type of information stored in a directory usually does not require strict consistency. It might be acceptable if information such as a telephone number is temporarily out of date. Because directories are not transactional, it is not a good idea to use them to store information sensitive to inconsistencies, like bank account balances. Because general-purpose databases must support arbitrary applications such as banking and inventory control, they allow arbitrary collections of data to be stored. Directories may be limited in the type of data they allow to be stored (although the architecture does not impose such a limitation). For example, a directory specialized for customer contact information might be limited to storing only personal information such as names, addresses, and phone numbers.
If a directory is extensible, it can be configured to store a variety of types of information, making it more useful to a variety of programs. Another important difference between a directory and a general-purpose database is in the way information can be accessed. Most databases support a standardized, very powerful access method called Structured Query Language (SQL). SQL allows complex update and query functions at the cost of program size and application complexity. LDAP directories, on the other hand, use a simplified and optimized access protocol that can be used in slim and relatively simple applications. Because directories are not intended to provide as many functions as general-purpose databases, they can be optimized to economically provide more applications with rapid access to directory data in large distributed environments. Because the intended use of directories is restricted to a read-mostly, nontransactional environment, both the directory client and directory server can be simplified and optimized.

- Directory Clients and Servers

Directories are usually accessed using the client/server model of communication. An application that wants to read or write information in a directory does not access the directory directly. Instead, it calls a function or application programming interface (API) that causes a message to be sent to another process. This second process accesses the information in the directory on behalf of the requesting application. The results of the read or write are then returned to the requesting application. The request is performed by the directory client, and the process that looks up information in the directory is called the directory server. In general, servers provide a specific service to clients. Sometimes a server might become the client of other servers in order to gather the information necessary to process a request. A directory service is only one type of service that might be available in a client/server environment.
Other common examples of services are file services, mail services, print services, Web page services, and so on. The client and server processes might or might not be on the same machine. A server is capable of serving many clients. Some servers can process client requests in parallel. Other servers queue incoming client requests for serial processing if they are currently busy processing another client's request. An API defines the programming interface a particular programming language uses to access a service. The format and contents of the messages exchanged between client and server must adhere to an agreed upon protocol. LDAP defines a message protocol used by directory clients and directory servers. There is also an associated LDAP API for the C language and ways to access LDAP from within a Java application. The client is not dependent upon a particular implementation of the server, and the server can implement the directory however it chooses.

- Distributed Directories

The terms local, global, centralized, and distributed are often used to describe a directory or directory service. These terms mean different things to different people in different contexts. In this section, these terms are explained as they apply to directories in different contexts. In general, local means something is close by, and global means that something is spread across the universe of interest. The universe of interest might be a company, a country, or the Earth. Local and global are two ends of a continuum. That is, something may be more or less global or local than something else. Centralized means that something is in one place, and distributed means that something is in more than one place. Like local and global, something can be distributed to a greater or lesser extent. The information stored in a directory can be local or global in scope.
For example, a directory that stores local information might consist of the names, e-mail addresses, public encryption keys, and so on of members of a department or workgroup. A directory that stores global information might store information for an entire company. Here, the universe of interest is the company. The clients that access information in the directory can be local or global. Local clients might all be located in the same building or on the same LAN. Global clients might be distributed across the continent or planet. The directory itself can be centralized or distributed. If a directory is centralized, there is one directory server that provides access to the directory. If the directory is distributed, there is more than one server that provides access to the directory. When people refer to a distributed directory, they are usually referring to distributed directory servers. When a directory is distributed, the information stored in the directory can be partitioned or replicated. When information is partitioned, each directory server stores a unique and non-overlapping subset of the information. That is, each directory entry is stored by one and only one server. When information is replicated, the same directory entry is stored by more than one server. In a distributed directory, some information may be partitioned, and some information may be replicated. The three *dimensions* of a directory (scope of information, location of clients, and distribution of servers) are independent of each other. For example, clients scattered across the globe could access a directory containing only information about a single department, and that directory could be replicated at many directory servers. Or clients in a single location could access a directory containing information about everybody in the world that is stored by a single directory server. The scope of information to be stored in a directory is often given as an application requirement.
The distribution of directory servers and the way in which data is partitioned or replicated can often be controlled to affect the performance and availability of the directory. For example, a distributed and replicated directory might perform better because a read request can be serviced by a nearby server. A centralized directory may be less available because it is a single point of failure. However, a distributed directory might be more difficult to maintain because multiple sites, possibly under the control of multiple administrators, must be kept up-to-date and in running order. The design and maintenance of a directory service can be complex, and many trade-offs are involved.

- Directory Security

The security of information stored in a directory is a major consideration. Some directories are meant to be accessed publicly on the Internet, but that does not mean every user should be able to perform every operation. A company's directory servicing its intranet can be stored behind a firewall to keep the general public from accessing it, but more security control is needed within the intranet itself. For example, anybody should be able to look up an employee's e-mail address, but only the employee or a system administrator should be able to change it. Members of the personnel department might have permission to look up an employee's home telephone number, but their co-workers might not. Perhaps information needs to be encrypted before being transmitted over the network. A security policy defines who has what type of access to what information. The security policy is defined by the organization that maintains the directory. A directory should support the basic capabilities needed to implement a security policy. The directory might not directly provide the underlying security capabilities, but it might be integrated with a trusted network security service that provides the basic security services. First, a method is needed to authenticate users.
Authentication verifies that users are who they say they are. A user name and password is a basic authentication scheme. Once users are authenticated, it must be determined if they have the authorization or permission to perform the requested operation on the specific object. Authorization is often based on access control lists (ACLs). An ACL is a list of authorizations that may be attached to objects and attributes in the directory. An ACL lists what type of access each user is allowed. In order to make ACLs shorter and more manageable, users with the same access rights are often put into security groups.

- LDAP Concepts and Architecture

LDAP is based on the client/server model of distributed computing. LDAP has evolved as a lightweight protocol for accessing information in X.500 directory services. It has since become more independent of X.500, and servers that specifically support the LDAP protocol rather than the X.500 Directory Access Protocol (DAP) are now common. The success of LDAP has been largely due to the following characteristics that make it simpler to implement and use, compared to X.500 and DAP:

* LDAP runs over TCP/IP rather than the OSI protocol stack. TCP/IP is less resource-intensive and is much more widely available, especially on desktop systems.
* The functional model of LDAP is simpler. It omits duplicate, rarely-used and esoteric features. This makes LDAP easier to understand and to implement.
* LDAP uses strings to represent data rather than complicated structured syntaxes such as ASN.1 (Abstract Syntax Notation One).

- Overview of LDAP Architecture

LDAP defines the content of messages exchanged between an LDAP client and an LDAP server. The messages specify the operations requested by the client (search, modify, delete, and so on), the responses from the server, and the format of data carried in the messages.
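Going back to the directory security section above: the policy it sketches (anybody reads an e-mail address, only the employee or an administrator changes it, personnel may read a home phone number but co-workers may not) is exactly what attribute-level ACLs with security groups express. The following is an added example, not code from the article or from any LDAP server; the DNs, groups and entries in it are made up, and "anyone", "self" and "group:" are this example's own subject keywords.

```python
"""Added example, not from the article: an attribute-level ACL check in the
style of the policy described above. Default deny; groups keep the ACL short."""
from dataclasses import dataclass

ANYONE = "anyone"   # matches every requester, anonymous included
SELF = "self"       # matches when the requester is the entry being accessed


@dataclass(frozen=True)
class Ace:
    """One access control entry: a subject, an attribute and the rights granted."""
    subject: str          # ANYONE, SELF, 'group:<group DN>' or a user DN
    attribute: str
    rights: frozenset     # subset of {"read", "write"}


# Constructed sample groups and ACL (all DNs are made up for this example).
GROUPS = {
    "cn=admins,ou=groups,o=example": {"uid=root,ou=people,o=example"},
    "cn=personnel,ou=groups,o=example": {"uid=hr1,ou=people,o=example"},
}
ACL = [
    Ace(ANYONE, "mail", frozenset({"read"})),
    Ace(SELF, "mail", frozenset({"read", "write"})),
    Ace("group:cn=admins,ou=groups,o=example", "mail", frozenset({"read", "write"})),
    Ace(SELF, "homePhone", frozenset({"read", "write"})),
    Ace("group:cn=personnel,ou=groups,o=example", "homePhone", frozenset({"read"})),
]


def subject_matches(ace, requester, target_dn, groups=GROUPS):
    """Does this ACE's subject cover the requester? requester=None is anonymous."""
    if ace.subject == ANYONE:
        return True
    if requester is None:
        return False                       # anonymous only ever matches ANYONE
    if ace.subject == SELF:
        return requester == target_dn
    if ace.subject.startswith("group:"):
        return requester in groups.get(ace.subject[len("group:"):], set())
    return ace.subject == requester


def allowed(requester, target_dn, attribute, right, acl=ACL, groups=GROUPS):
    """Default deny: a right is granted only if some ACE explicitly grants it."""
    return any(
        ace.attribute == attribute and right in ace.rights
        and subject_matches(ace, requester, target_dn, groups)
        for ace in acl
    )


def visible_attributes(requester, target_dn, entry, acl=ACL, groups=GROUPS):
    """Filter a search result down to the attributes the requester may read."""
    return {a: v for a, v in entry.items()
            if allowed(requester, target_dn, a, "read", acl, groups)}
```

The two things worth copying from this are the default-deny shape (nothing is readable or writable unless an ACE says so) and the fact that the same check is applied when filtering search results, not only when a client asks to modify something.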
LDAP messages are carried over TCP/IP, a connection-oriented protocol, so there are also operations to establish and disconnect a session between the client and server. However, for the designer of an LDAP directory, it is not so much the structure of the messages being sent and received over the wire that is of interest. What is important is the logical model that is defined by these messages and data types, how the directory is organized, what operations are possible, how information is protected, and so forth. The general interaction between an LDAP client and an LDAP server takes the following form:

* The client establishes a session with an LDAP server. This is known as binding to the server. The client specifies the host name or IP address and TCP/IP port number where the LDAP server is listening. The client can provide a user name and a password to properly authenticate with the server. Or the client can establish an anonymous session with default access rights. The client and server can also establish a session that uses stronger security methods such as encryption of data.
* The client then performs operations on directory data. LDAP offers both read and update capabilities. This allows directory information to be managed as well as queried. LDAP also supports searching the directory for data meeting arbitrary user-specified criteria. Searching is a very common operation in LDAP. A user can specify what part of the directory to search and what information to return. A search filter that uses Boolean conditions specifies what directory data matches the search.
* When the client is finished making requests, it closes the session with the server. This is also known as unbinding.

Although it is not defined by the LDAP protocol and architecture itself, there is a well-known LDAP API (application program interface) that allows applications to easily interact with LDAP servers. The API can be considered an extension to the LDAP architecture.
Although the C language LDAP API is only an informational RFC and the most recent update to it is an Internet Draft, it has achieved de facto standard status because it is supported by all major LDAP vendors. The philosophy of the LDAP API is to keep simple things simple. This means that adding directory support to existing applications can be done with low overhead. Because LDAP was originally intended as a lightweight alternative to DAP for accessing X.500 directories, it follows an X.500 model. The directory stores and organizes data structures known as entries. A directory entry usually describes an object such as a person, a printer, a server, and so on. Each entry has a name called a distinguished name (DN) that uniquely identifies it. The DN consists of a sequence of parts called relative distinguished names (RDNs), much like a file name consists of a path of directory names in many operating systems such as UNIX and Windows. The entries can be arranged into a hierarchical tree-like structure based on their distinguished names. This tree of directory entries is called the Directory Information Tree (DIT). Each entry contains one or more attributes that describe the entry. Each attribute has a type and a value. For example, the directory entry for a person might have an attribute called telephoneNumber. The syntax of the telephoneNumber attribute would specify that a telephone number must be a string of numbers that can contain spaces and hyphens. The value of the attribute would be the person's telephone number, such as 512-555-1212. A directory entry describes some object. An object class is a general description, sometimes called a template, of an object as opposed to the description of a particular object. For instance, the object class person has a surname attribute, whereas the object describing John Smith has a surname attribute with the value Smith.
The object classes that a directory server can store and the attributes they contain are described by schema. Schema define what object classes are allowed where in the directory, what attributes they must contain, what attributes are optional, and the syntax of each attribute. For example, a schema could define a person object class. The person schema might require that a person have a surname attribute that is a character string, specify that a person entry can optionally have a telephoneNumber attribute that is a string of numbers with spaces and hyphens, and so on. LDAP defines operations for accessing and modifying directory entries such as:

* Searching for entries meeting user-specified criteria
* Adding an entry
* Deleting an entry
* Modifying an entry
* Modifying the distinguished name or relative distinguished name of an entry (move)
* Comparing an entry

LDAP is documented in several IETF RFCs. LDAP is usually described in terms of four models:

* Information Model
* Naming Model
* Functional Model
* Security Model

The rest are generally the same :[, but we are more interested in the security model. If you want to look the other models up, be my guest. Or contact me and I will send them to you in an email.

- The Security Model Part 1

As previously described, the security model is based on the bind operation. There are several different bind operations possible, and thus the security mechanism applied is different as well. One possibility is when a client requesting access supplies a DN identifying itself along with a simple clear-text password. If no DN and password is declared, an anonymous session is assumed by the LDAP server. The use of clear text passwords is strongly discouraged when the underlying transport service cannot guarantee confidentiality and may therefore result in disclosure of the password to unauthorized parties.
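The DN, attribute and schema rules described above (a DN is a sequence of RDNs, the person class must have a surname and may have a telephoneNumber made of digits, spaces and hyphens) can be made concrete in a few dozen lines. This is an added example, not code from the article or from any LDAP server: the DN splitter follows the backslash escaping of RFC 4514 (an assumption, since the article does not cover escaping), the tiny schema and syntax table are constructed for the example, and the naming-attribute check at the end is the usual rule that the RDN value must appear in the entry.

```python
"""Added example, not from the article: split a DN into its RDNs (escaping as
in RFC 4514, assumed) and check an entry against a tiny 'person' schema."""
import re


def split_dn(dn):
    """Split 'cn=John Smith,ou=people,o=example' into RDN strings, honouring
    backslash escapes so an escaped comma inside a value does not split it."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])     # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parent_dn(dn):
    """The entry's parent in the DIT: everything but the leftmost RDN ('' at the root)."""
    return ",".join(split_dn(dn)[1:])


def rdn_attribute(dn):
    """Attribute type (lower-cased) and unescaped value of the leftmost RDN."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())


# Constructed schema: which attributes a class must/may have, and value syntaxes.
SCHEMA = {
    "person": {"must": {"cn", "sn"}, "may": {"telephonenumber", "mail", "description"}},
}
SYNTAX = {
    "telephonenumber": re.compile(r"^[0-9 -]+$"),      # digits, spaces and hyphens only
    "mail": re.compile(r"^[^@\s]+@[^@\s]+$"),
}


def validate_entry(dn, attrs, schema=SCHEMA, syntax=SYNTAX):
    """Return the list of schema violations for an entry (empty means valid)."""
    entry = {k.lower(): list(v) for k, v in attrs.items()}
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    errors, must, may = [], set(), {"objectclass"}
    for oc in classes:
        if oc not in schema:
            errors.append(f"unknown object class: {oc}")
            continue
        must |= schema[oc]["must"]
        may |= schema[oc]["may"]
    present = set(entry)
    errors += [f"missing required attribute: {a}" for a in sorted(must - present)]
    errors += [f"attribute not allowed by schema: {a}" for a in sorted(present - must - may)]
    for attr, values in entry.items():
        pattern = syntax.get(attr)
        errors += [f"bad syntax for {attr}: {v!r}" for v in values
                   if pattern and not pattern.match(v)]
    attr, value = rdn_attribute(dn)      # the naming attribute must appear in the entry
    if value not in entry.get(attr, []):
        errors.append(f"RDN value {value!r} not found in attribute {attr}")
    return errors
```

A real server does this on every add and modify; doing it client-side as well catches the common mistake of an entry whose RDN names a value the entry does not actually carry.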
Additionally, a Kerberos bind is possible in LDAP Version 2, but this has become deprecated in LDAP Version 3. Instead, LDAP V3 comes along with a bind command supporting the Simple Authentication and Security Layer (SASL) mechanism. This is a general authentication framework, where several different authentication methods are available for authenticating the client to the server; one of them is Kerberos. Furthermore, extended protocol operations are available in LDAP V3. An extension related to security is the *Extension for Transport Layer Security (TLS) for LDAPv3*. It defines operations that use TLS as a means to encrypt an LDAP session and protect it against spoofing. TLS is defined in *The TLS Protocol* Version 1.0. It is based on the Secure Socket Layer (SSL) Protocol 3.0, devised by Netscape Communications Corporation, which it will eventually supersede. TLS has a mechanism which enables it to communicate with an SSL server so that it is backwards compatible. Some vendors, like Netscape and IBM, have already extended the LDAP protocol and added some SSL specific commands so that an encrypted TCP/IP connection is possible, thus providing a means for eliminating the need to send a DN and a password unprotected over the network. Once a client is identified, access control information can be consulted to determine whether or not the client has sufficient access permissions to do what it is requesting.

- Security Part 2

Security is of great importance in the networked world of computers, and this is true for LDAP as well. When sending data over insecure networks, internally or externally, sensitive information may need to be protected during transportation. There is also a need to know who is requesting the information and who is sending it. This is especially important when it comes to the update operations on a directory.
The term security, as used in the context of this article, generally covers the following four aspects:

Authentication
  Assurance that the opposite party (machine or person) really is who he/she/it claims to be.

Integrity
  Assurance that the information that arrives is really the same as what was sent.

Confidentiality
  Protection of information from disclosure, by means of data encryption, to those who are not intended to receive it.

Authorization
  Assurance that a party is really allowed to do what he/she/it is requesting to do. This is usually checked after user authentication. In LDAP Version 3, this is currently not part of the protocol specification and is therefore implementation- (or vendor-) specific. This is basically achieved by assigning access controls, like read, write, or delete, to user IDs or common names. There is an Internet Draft that proposes access control for LDAP.

The following sections focus on the first three aspects (since authorization is not contained in the LDAP Version 3 standard): authentication, integrity and confidentiality. There are several methods that can be used for this purpose; the most important ones are discussed here. These are:

* No authentication
* Basic authentication
* Simple Authentication and Security Layer (SASL)

Because no other data encryption method was available in LDAP Version 2, some vendors, for example Netscape and IBM, added their own SSL calls to the LDAP API. A potential drawback of such an approach is that the API calls might not be compatible among different vendor implementations. Therefore, in LDAP Version 3, a proposal is made (Extension for Transport Layer Security) to include SSL or, more accurately, its successor, TLS, through extended protocol operations. This should make the vendor-dependent functions redundant in the near future.

* No Authentication

This is the simplest way, one that obviously does not need to be explained in much detail.
This method should only be used when data security is not an issue and when no special access control permissions are involved. This could be the case, for example, when your directory is an address book browsable by anybody. No authentication is assumed when you leave the password and DN fields empty in the bind API call. The LDAP server then automatically assumes an anonymous user session and grants access with the appropriate access controls defined for this kind of access (not to be confused with the SASL anonymous user as discussed later).

* Basic Authentication

The security mechanism in LDAP is negotiated when the connection between the client and the server is established. This is the approach specified in the LDAP application program interface (API). Beside the option of using no authentication at all, the simplest security mechanism in LDAP is called basic authentication, which is also used in several other Web-related protocols, such as HTTP. When using basic authentication with LDAP, the client identifies itself to the server by means of a DN and a password which are sent in the clear over the network (some implementations may use Base64 encoding instead). The server considers the client authenticated if the DN and password sent by the client match the password for that DN stored in the directory. Base64 encoding is defined in the Multipurpose Internet Mail Extensions (MIME) standard (RFC 1521). It is a simple reversible encoding rather than encryption, so it offers no real protection once the data has been captured on the network.

* Simple Authentication and Security Layer (SASL)

SASL is a framework for adding additional authentication mechanisms to connection-oriented protocols. It has been added to LDAP Version 3 to overcome the authentication shortcomings of Version 2. SASL was originally devised to add stronger authentication to the IMAP protocol. SASL has since evolved into a more general system for mediating between protocols and authentication systems.
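To see what "sent in the clear" means for basic authentication above, it helps to look at the actual bytes of an LDAPv3 BindRequest. What follows is an added example, not code from the article or from any LDAP library: a minimal BER encoder and decoder for the simple bind message as laid out in RFC 2251 (messageID, then [APPLICATION 0] SEQUENCE { version, name, simple [0] OCTET STRING }), plus a classifier of the kind a log review or capture analysis would use to flag cleartext binds. The DN and password in the sample are made up.

```python
"""Added example, not from the article: encode/decode the LDAPv3 simple
BindRequest (BER) to show the DN and password cross the wire readable, and
classify captured binds the way a log review would."""

# BER tags used by an LDAPMessage carrying a BindRequest
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60       # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80        # [0] simple: OCTET STRING (primitive)
AUTH_SASL = 0xA3          # [3] sasl: SaslCredentials (constructed)


def ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Non-negative INTEGER, with a leading zero byte when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return tlv(INTEGER, body)


def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }"""
    bind = tlv(BIND_REQUEST, ber_integer(3) + tlv(OCTET_STRING, dn.encode())
               + tlv(AUTH_SIMPLE, password.encode()))
    return tlv(SEQUENCE, ber_integer(message_id) + bind)


def read_tlv(buf, pos):
    """Decode one tag-length-value at pos; return (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(message):
    """Return the fields of a BindRequest, or None if the message is another op."""
    tag, body, _ = read_tlv(message, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, creds, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode(),
        "auth": {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(auth_tag, f"tag 0x{auth_tag:02x}"),
        "password": creds.decode() if auth_tag == AUTH_SIMPLE else None,
    }


def audit_bind(message, tls_protected=False):
    """Classify a captured bind: anonymous, cleartext simple bind, simple bind
    over TLS, or SASL. 'cleartext-simple-bind' on a plain TCP session is the
    finding to chase."""
    req = parse_bind_request(message)
    if req is None:
        return "not-a-bind"
    if req["auth"] == "simple":
        if not req["dn"] and not req["password"]:
            return "anonymous"               # empty DN and password: anonymous session
        return "simple-bind-over-tls" if tls_protected else "cleartext-simple-bind"
    return req["auth"]
```

Encoding a bind for a made-up DN and password and then searching the resulting bytes for the password string finds it verbatim: there is no Base64 or anything else in the way, so anything that sees the TCP stream sees the credential. The same decoder classifies an empty DN and empty password as the anonymous session described under "No Authentication".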
It is a proposed Internet standard defined in RFC 2222. In SASL, connection protocols, like LDAP, IMAP, and so on, are represented by profiles; each profile is considered a protocol extension that allows the protocol and SASL to work together. A complete list of SASL profiles can be obtained from the Information Sciences Institute (ISI). Each protocol that intends to use SASL needs to be extended with a command to identify an authentication mechanism and to carry out an authentication exchange. Optionally, a security layer can be negotiated to encrypt the data after authentication and so ensure confidentiality. LDAP Version 3 includes such a command (ldap_sasl_bind()). The key parameters that influence the security method used are:

dn
  This is the distinguished name of the entry you want to bind as. This can be thought of as the user ID in a normal user ID and password authentication.

mechanism
  This is the name of the security method that should be used. Valid security mechanisms are currently Kerberos Version 4, S/Key, GSSAPI, CRAM-MD5 and EXTERNAL. There is also an ANONYMOUS mechanism available which enables authentication as user *anonymous*. In LDAP, the most common mechanism used is SSL (or its successor, TLS), which is provided as an EXTERNAL mechanism.

credentials
  This contains the arbitrary data that identifies the DN. The format and content of the parameter depend on the mechanism chosen. If it is, for example, the ANONYMOUS mechanism, it can be an arbitrary string or an e-mail address that identifies the user.

Through the SASL bind API function call, LDAP client applications call the SASL protocol driver on the server, which in turn connects to the authentication system named in the SASL mechanism to retrieve the required authentication information for the user. SASL can be seen as an intermediary between the authentication system and a protocol like LDAP.
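The three bind styles just described (anonymous, basic/simple, SASL with a named mechanism) are all carried in the same LDAPv3 BindRequest, so a network monitor can tell from the captured bytes whether a password has just crossed the wire in the clear. The following is an added example, not code from the article or from any LDAP product: a minimal BER decoder for the BindRequest as defined in RFC 2251, a matching encoder used only to construct the sample packets, and a mechanism-selection helper that refuses to go below a configured minimum, which is the usual defence against the negotiation being talked down to the weakest mechanism. The DN, password, message IDs and the relative ranking of mechanisms are assumptions made for this example.

```python
"""Classify LDAP BindRequests from captured bytes and enforce a minimum SASL mechanism.

Added example (not from the original article): a small BER decoder for the
LDAPv3 BindRequest (RFC 2251), used the way a network monitor would use it to
flag binds that put credentials on the wire in the clear. The sample packets
are constructed by the encoder below; no real traffic is involved.
"""


# --- minimal BER (definite-length) helpers ---------------------------------
def ber_len(n: int) -> bytes:
    """Encode a length in BER short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- encoder, used here only to build constructed sample traffic -----------
def bind_request(msg_id: int, dn: str, password: str = "", mechanism: str = None,
                 creds: bytes = b"") -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, authentication } }."""
    if mechanism is not None:
        # authentication CHOICE sasl [3] SaslCredentials { mechanism, credentials }
        auth = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, creds))
    else:
        # authentication CHOICE simple [0] OCTET STRING; empty DN + empty password = anonymous
        auth = tlv(0x80, password.encode())
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


# --- decoder / classifier ---------------------------------------------------
def classify_bind(packet: bytes, over_tls: bool = False) -> dict:
    """Describe a BindRequest: anonymous, simple (password on the wire) or SASL."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return {"message_id": int.from_bytes(mid, "big"), "kind": "not-a-bind"}
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    atag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "version": ver[0], "dn": dn.decode()}
    if atag == 0x80:
        if not dn and not auth:
            info["kind"] = "anonymous"
        else:
            info["kind"] = "simple"
            # The password itself is deliberately not copied into the report; the
            # monitor only needs to know that one was sent, and whether in the clear.
            info["password_on_wire"] = not over_tls
    elif atag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)
        info["kind"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        info["kind"] = "unknown-auth-choice"
    return info


# Relative strength ordering is an assumption made for this example, covering the
# mechanisms the article lists plus PLAIN; a real deployment sets its own floor.
MECHANISM_RANK = {"ANONYMOUS": 0, "PLAIN": 1, "CRAM-MD5": 2, "KERBEROS_V4": 3,
                  "GSSAPI": 4, "EXTERNAL": 4}


def choose_mechanism(offered, minimum: str):
    """Pick the strongest offered mechanism that meets the configured floor.

    Returns None rather than silently accepting a weaker one; that refusal is
    what defeats a downgrade of the in-the-clear mechanism negotiation.
    """
    floor = MECHANISM_RANK[minimum]
    ok = [m for m in offered if MECHANISM_RANK.get(m, -1) >= floor]
    return max(ok, key=lambda m: MECHANISM_RANK[m]) if ok else None


if __name__ == "__main__":
    simple = bind_request(1, "cn=admin,dc=example,dc=com", "secret")  # constructed sample
    print(classify_bind(simple))                      # simple bind, password_on_wire True
    print(classify_bind(simple, over_tls=True))       # same bind inside TLS
    print(classify_bind(bind_request(2, "")))         # anonymous
    print(classify_bind(bind_request(3, "", mechanism="EXTERNAL")))
    print(choose_mechanism(["ANONYMOUS", "CRAM-MD5", "GSSAPI"], "CRAM-MD5"))
    print(choose_mechanism(["ANONYMOUS", "PLAIN"], "CRAM-MD5"))
```

Run against a packet capture, the `password_on_wire` flag on port 389 traffic is the finding worth alerting on; the same bind seen after a TLS handshake (LDAPS or StartTLS) is not. The selection helper is the client-side half of the article's advice: configure a minimum, and treat "nothing acceptable offered" as a failed bind, not a reason to fall back.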
Of course, the server must support this SASL mechanism as well, otherwise the authentication process will not be able to succeed. The basic idea behind SASL is that it provides a high-level framework that lets the involved parties decide on the particular security mechanism to use. The SASL security mechanism negotiation between client and server is done in the clear. Once the client and the server have agreed on a common mechanism, the connection is secure against modification of the authentication identities. An attacker could now try to eavesdrop on the mechanism negotiation and cause a party to use the least secure mechanism. In order to prevent this from happening, clients and servers should be configured to use a minimum security mechanism, provided they support such a configuration option. As stated earlier, SSL and its successor, TLS, are the mechanisms commonly used in SASL for LDAP.

I believe that I have already written a text on SSL; if not it will be coming soon, but I'm too tired to connect to the net to check.

- Designing and Maintaining an LDAP Directory

-- Directory Design Guidelines

Creating a design that has the flexibility to accommodate changes within the organization is probably the single most important task in implementing a directory service. This will help save time and money as the directory service grows. When designing the directory service, the project can be divided into several smaller projects: surveying the directory service contents, creating access control strategies, replication and partitioning strategies, and network planning (physical planning):

* Planning the directory content includes deciding on what data to store in the directory and how it will be arranged in the tree structure. When deciding on what to put into the directory, all the owners of data relevant to the contents of the directory tree in the organization should be identified.
  It is very probable that the information you will be choosing to put in the LDAP directory already resides on some other system in your organization. For example, the personnel department most likely already has databases with personnel information. Also be sure to make adequate use of processes already in place to administer that data even in the planned directory service.

* Data management and access control are both important when maintaining a directory service. Plans must be made to identify resources for keeping the data up to date and identifying resources with the authority to decide on access control policies regarding the data residing in the directory tree.

* In sizing the directory service, consideration must be taken of which clients will be accessing what data, from where, and how often. If there are client applications which use the directory extensively, consideration must be taken to ensure that the network availability and bandwidth are sufficient between the application servers and the directory servers. If there are network bottlenecks, they must be identified because there may be a need to replicate data into remote LANs.

-- Defining the Data Model

There are many steps involved in designing a directory tree, such as deciding on the kind of data that the entries will contain, what schema to use and finally how the entries are going to be arranged in the tree structure. During design, several different aspects must be taken into account:

* What type of application/applications will use the directory?
* Will the LDAP service be participating with an X.500 directory service?
* How will the organization's infrastructure be mapped into the directory?
* What are the requirements for manageability and scalability?

--- Directory Data

Planning the directory's data is the most important aspect of the directory planning activities, and it is probably the most time-consuming aspect as well.
A considerable amount of the time spent planning the directory data will most likely be spent surveying the organization to locate all the data stores where directory information is managed. As this survey is performed, expect to find that some kinds of data are not well managed; some processes may be inefficient, inadequate, or nonexistent altogether; and some kinds of data may not be available at all. All of these issues should be addressed before finishing a data-planning phase.

We start by looking at the requirements on the data to be used in the directory service. Some types of data are better suited for a directory service than others. Ideal candidates for a directory service have some of the following characteristics:

* A directory service is not a file system, a file server, an FTP server, a Web server, or a relational database. Therefore, large, unstructured objects of data should not be put in the directory. For that kind of data, a server more appropriate for the task should be used. However, it is appropriate to store pointers to these kinds of applications within the directory service through the use of FTP, HTTP, or other types of accesses.

* The data should typically be read much more often than it is written. This is because directory services usually are tuned for read operations; write operations are more expensive in terms of resource utilization than reads, and they may impact the directory server's performance in typical directory server implementations.

* Another *rule of thumb* is that the data should typically be accessed from more than just one system or client. For example, an employee's preference settings for a specific application may not be meaningful to put in the directory if that application is only run on the employee's single workstation. If the user wants to run this application on different systems, such as a mail client application, then the application would certainly benefit from a central directory for storing user preferences.
  This would allow the employee to use the same setup on multiple systems or even platforms within the organization.

Keeping in mind the types of data suitable and unsuitable for use in a directory, it is now possible to survey what the directory service data will be. In doing this, it may be helpful to do the following:

* Determine what directory-enabled applications to deploy and what their data needs are.
* Survey the organization and identify where the data comes from (such as Windows NT or Novell NetWare directories, Human Resources databases, e-mail systems, and so forth).
* Determine who needs access to the data, particularly the organization's mission-critical applications. Find out if those applications can directly access and/or update the directory.
* For each piece of data, determine the location where it will be mastered and who owns the data, that is, who is responsible for ensuring that the data is up-to-date.
* For each piece of data, determine the name of the attribute(s) that you will use to represent the data in the directory and the object class(es) (the type of entry) that the data will be stored on.
* If data is going to be imported from other sources, develop a strategy for both bulk imports and incremental updates. Try to limit the number of applications that can change the data. Doing this will help ensure the data integrity while reducing the organization's administration.
* Identify duplications and data that is not actually used or required. Harmonize the data by eliminating such duplications and discard unnecessary data.

Having decided on the type of data to use in the directory service, what the directory will be used for and how the data will be updated, it is possible to start structuring the data. Structuring data is done by designing a schema, choosing a directory suffix, branching the directory tree and finally creating a naming style for the directory entries.
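The four structuring decisions just listed (schema, suffix, branching, naming style) are also the checks a bulk import or an incremental feed should run before an entry is written, since the section's point about limiting who may change the data is only useful if the data that does arrive is well formed. The following is an added example, not part of the article or of any LDAP server: a validator that checks an entry against a toy schema, the configured suffix, an existing parent entry and its own naming attribute. The object classes follow the shape of the standard person/organizationalUnit classes but are a constructed subset, and the suffix, DNs and attribute values are invented for the example.

```python
"""Validate directory entries against a small schema before they are loaded.

Added example, not part of the original article. The object classes, attribute
lists and suffix below are constructed for illustration; they follow the shape of
the standard inetOrgPerson / organizationalUnit classes but are not a full copy
of any real schema.
"""

# Toy schema: object class -> (superior class, MUST attributes, MAY attributes).
# Attribute and class names are compared case-insensitively, as LDAP does.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"cn", "sn"}, {"userpassword", "telephonenumber"}),
    "organizationalperson": ("person", set(), {"ou", "title"}),
    "inetorgperson": ("organizationalperson", set(), {"mail", "uid", "employeenumber"}),
    "organizationalunit": ("top", {"ou"}, {"description"}),
    "domain": ("top", {"dc"}, {"description"}),
}

SUFFIX = "dc=example,dc=com"  # constructed directory suffix for this example


def split_dn(dn: str):
    """Split a DN into normalised (attr, value) pairs, leftmost RDN first.

    Only unescaped commas separate RDNs. Values are lower-cased because the
    naming attributes used here (dc, ou, cn) match case-insensitively.
    Multi-valued RDNs ("+") are not needed here and are rejected.
    """
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for p in parts:
        if "+" in p or "=" not in p:
            raise ValueError(f"unsupported or malformed RDN: {p!r}")
        a, v = p.split("=", 1)
        rdns.append((a.strip().lower(), v.strip().lower()))
    return rdns


def join_dn(rdns) -> str:
    return ",".join(f"{a}={v}" for a, v in rdns)


def class_chain(oc: str):
    """All classes an entry inherits from one object class, most derived first."""
    chain = []
    while oc is not None:
        if oc not in SCHEMA:
            raise ValueError(f"unknown object class: {oc}")
        chain.append(oc)
        oc = SCHEMA[oc][0]
    return chain


def validate_entry(dn: str, attrs: dict, existing_dns) -> list:
    """Return the list of problems found; an empty list means the entry is acceptable."""
    problems = []
    attrs = {k.lower(): [str(x) for x in v] for k, v in attrs.items()}
    rdns, suffix = split_dn(dn), split_dn(SUFFIX)
    known = {join_dn(split_dn(d)) for d in existing_dns}

    # 1. The entry must live under the directory suffix ...
    if rdns[-len(suffix):] != suffix:
        problems.append("entry is outside the directory suffix")
    # 2. ... and its parent must already exist (the suffix entry itself has no parent).
    parent = join_dn(rdns[1:])
    if rdns != suffix and parent not in known:
        problems.append(f"parent entry does not exist: {parent}")

    # 3. Naming style: the RDN attribute and value must appear in the entry itself.
    rdn_attr, rdn_val = rdns[0]
    if rdn_val not in [v.lower() for v in attrs.get(rdn_attr, [])]:
        problems.append(f"RDN value {rdn_attr}={rdn_val} not present among the entry's attributes")

    # 4. Schema: collect MUST/MAY over every object class and its superiors.
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        problems.append("no objectClass given")
        return problems
    must, may = set(), set()
    for oc in classes:
        for c in class_chain(oc):
            must |= SCHEMA[c][1]
            may |= SCHEMA[c][2]
    for a in sorted(must - attrs.keys()):
        problems.append(f"missing required attribute: {a}")
    for a in sorted(attrs.keys() - must - may):
        problems.append(f"attribute not allowed by the object classes: {a}")
    return problems


if __name__ == "__main__":
    existing = ["dc=example,dc=com", "ou=People,dc=example,dc=com"]  # constructed tree
    ok = {"objectClass": ["inetOrgPerson"], "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jane@example.com"]}
    print(validate_entry("cn=Jane Doe,ou=People,dc=example,dc=com", ok, existing))   # []
    bad = {"objectClass": ["inetOrgPerson"], "cn": ["John Doe"], "homeDirectory": ["/home/john"]}
    print(validate_entry("cn=John Doe,ou=Staff,dc=example,dc=com", bad, existing))
```

The ordering of the checks matters in practice: a wrong suffix or a missing parent is a tree-design problem to raise with whoever owns that branch, while a missing MUST attribute or a stray attribute points back at the feed that produced the record, so the two kinds of failure usually go to different people.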
- Security Policy

Having designed the directory tree, we now need to decide on a security policy. A security policy should be strong enough to prevent sensitive information from being modified or retrieved by unauthorized users, while simple enough that administration is kept simple so authorized parties can easily access it. Ease of administration is very important when it comes to designing a security policy. A too complex security policy can lead to mistakes that either prevent people from accessing information that they should have access to, or allow people to modify or retrieve directory information that they should not have access to. The security policy that needs to be designed for the directory service is a reflection of the:

* Kind of information that will be stored in the directory
* Ways in which clients will be accessing the directory
* Ways which will be used to update and manage the directory
* Acceptable administration effort for security

To reach these goals, two basic areas must be considered and the following questions must be answered: What level of security is needed when clients identify themselves to the directory server, and what methodology will be used when authorizing access to the different kinds of information in the directory?

-- Authentication

Conceptually, directory authentication can be thought of as logging in to the directory. LDAP terminology, however, usually refers to this operation as binding to the directory. Generally, bind operations consist of providing the equivalent of a user ID and a password. However, in the case of an LDAP directory, the user ID is actually a distinguished name (or a distinguished name derived from a user ID). The distinguished name used to access the directory is referred to as the bind DN. So, what level of authentication should be considered?
There are, generally speaking, three different approaches:

No Authentication
  This is the simplest approach, which might be perfectly suitable for most directories when all users are equally granted read (or even write) access to all data. There is no need for user authentication when this is the case.

Basic Authentication
  This lets the client bind by entering a DN and a password. Using basic authentication will not ensure integrity and confidentiality of the login data since it is being sent over the network in a readable form.

Secure Authentication
  SASL (Simple Authentication and Security Layer) is an extensible authentication framework. It was added to LDAP Version 3, and it supports Kerberos and other security methods, like S/Key. SASL provides the possibility to securely authenticate LDAP clients and LDAP directory servers. There is a so-called EXTERNAL mechanism in SASL that allows the use of authentication identity information from security layers external to the SASL layer. One possibility is to use the authentication information from SSL. SSL is generally used to secure the connection between a client and a server through the exchange of certificates. The client certificate can be used through SASL as the authentication identity. SASL is already used within several Internet protocols including IMAP4 and POP3 (mail server protocols).

It is possible that there is a need for both basic and secure authentication. The choice will be dependent on the security policies in the organization's networks and what type of access rights the different types of clients will have when communicating with the server. For example, when setting up server-to-server communication, it may be valuable to use strong, secure authentication since server-to-server communication will often rely on unrestricted access to each other's tree structures, including individual entries' access settings.
On the other hand, for client-to-server communication, where clients only have read access to names, phone numbers, and mail addresses, there is most likely no need for anything but basic authentication.

When using secure authentication, it is possible to choose from different methods depending on the vendors' implementations, for example Kerberos or SSL. If Kerberos is not already deployed in the organization's intranet, then it will probably be sensible to use SSL, since support for SSL is included in most popular LDAP clients. When using SSL, it is possible for the server to authenticate to the client by using its server certificate. A server certificate can be thought of as a secure, digital signature that unequivocally identifies a server. It has been generated and registered with a trusted certifying authority, also known as a Certificate Authority (CA), such as the United States Postal Service CA or the IBM World Registry CA. Also, when using server certificates, an encrypted communication can be established between the client and server, enabling a secure basic authentication of the client to the server. Using SSL server certificates will be particularly interesting when setting up LDAP services on insecure networks, such as the Internet/extranet. This will enable the clients to verify the identity of the server and to encrypt communication of the basic authentication from the clients to the server on the insecure networks.

When using basic authentication, administration of passwords on the directory server will be necessary and may impose some administration overhead. If SSL client certificates are used, then an appropriate infrastructure will be needed to support the certificate generation and administration. This is usually done by separate certificate servers. Client certificate deployment is beyond the scope of this book, but it ought to be mentioned that LDAP supports storing client public keys and certificates in the entries.
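The security policy section ties the two questions together: how strongly a client authenticated, and what it is then allowed to touch. Anonymous readers get the address-book attributes, a user may change their own password only over an encrypted connection, a replica server gets a full read with strong authentication, and everything else is denied. The following is an added example, not from the article or from any vendor's access control implementation (LDAPv3 itself leaves authorization to the vendor): a small default-deny policy evaluator in which every allow rule names the minimum authentication strength it requires. The DNs, the admin and replica accounts, the attribute sets and the ranking of authentication levels are constructed for the example.

```python
"""Authorization decisions for a directory, applied after the bind succeeds.

Added example, not from the original article. Because LDAPv3 leaves
authorization to the implementation, this is a small self-contained policy
model of the kind of rules the section describes; the DNs, the admin and
replica accounts and the attribute lists are constructed for the example.
"""

# Ordering of authentication strength is an assumption made for this example.
AUTH_LEVEL = {"anonymous": 0, "simple": 1, "simple+tls": 2, "sasl": 3}

PUBLIC_ATTRS = {"cn", "sn", "telephonenumber", "mail"}  # the address-book view


def norm_dn(dn: str) -> str:
    """Normalise a DN so case and spacing differences cannot defeat a comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


ADMINS = {norm_dn("cn=Directory Manager,dc=example,dc=com")}
REPLICAS = {norm_dn("cn=replica1,ou=Servers,dc=example,dc=com")}

# Allow-rules, evaluated top to bottom; anything no rule allows is denied.
# who: "anyone" | "self" (bind DN is the target entry) | "admin" | "replica"
RULES = [
    {"name": "public address book", "who": "anyone", "min_auth": "anonymous",
     "attrs": PUBLIC_ATTRS, "ops": {"read"}},
    {"name": "self-service contact data", "who": "self", "min_auth": "simple+tls",
     "attrs": {"telephonenumber", "mail"}, "ops": {"read", "write"}},
    {"name": "self-service password change", "who": "self", "min_auth": "simple+tls",
     "attrs": {"userpassword"}, "ops": {"write"}},
    {"name": "server-to-server replication read", "who": "replica", "min_auth": "sasl",
     "attrs": "*", "ops": {"read"}},
    {"name": "directory administration", "who": "admin", "min_auth": "simple+tls",
     "attrs": "*", "ops": {"read", "write", "delete"}},
]


def check_access(bind_dn, auth, op, target_dn, attr):
    """Return (allowed, reason). bind_dn is None for an anonymous session."""
    if auth not in AUTH_LEVEL:
        raise ValueError(f"unknown authentication level: {auth}")
    who = norm_dn(bind_dn) if bind_dn else None
    target = norm_dn(target_dn)
    attr = attr.lower()
    for rule in RULES:
        # the identity the rule applies to ...
        if rule["who"] == "self" and who != target:
            continue
        if rule["who"] == "admin" and who not in ADMINS:
            continue
        if rule["who"] == "replica" and who not in REPLICAS:
            continue
        # ... the strength of authentication it demands ...
        if AUTH_LEVEL[auth] < AUTH_LEVEL[rule["min_auth"]]:
            continue
        # ... and the attribute and operation it covers.
        if rule["attrs"] != "*" and attr not in rule["attrs"]:
            continue
        if op not in rule["ops"]:
            continue
        return True, rule["name"]
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    jane = "cn=Jane Doe,ou=People,dc=example,dc=com"   # constructed entries
    bob = "cn=Bob Roe,ou=People,dc=example,dc=com"
    print(check_access(None, "anonymous", "read", jane, "mail"))          # allowed
    print(check_access(None, "anonymous", "read", jane, "userPassword"))  # denied
    print(check_access(jane, "simple", "write", jane, "userPassword"))    # denied: cleartext bind
    print(check_access(jane, "simple+tls", "write", jane, "userPassword"))  # allowed
    print(check_access(jane, "simple+tls", "write", bob, "userPassword"))   # denied
```

Two details carry most of the security weight. The `min_auth` field is what turns the article's "basic authentication in the clear is fine for phone-book reads, not for privileged access" into something the server enforces rather than something the administrator remembers. And DN normalisation before comparison is what stops `CN=Jane Doe, OU=People, ...` from being treated as a different person than `cn=jane doe,ou=people,...`, a classic way for a "self" rule to fail open or closed.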
- Physical Design

Physical design involves building network and server infrastructures to support availability, scalability and manageability. Methods to do this in LDAP are partitioning and replication (replication is actually not standardized in LDAP Version 3, but most vendors do have an implementation). In this section, we concentrate on deployment issues regarding when partitioning and/or replication is appropriate when trying to reach the goals of availability, scalability and manageability, and what the trade-offs are.

-- Availability

Availability for a directory service may not be an issue in cases where the directory is not business-critical. However, if the use of the service becomes mission-critical, a highly available system must be designed. Designing a highly available system involves more than what is supported in LDAP. The components from LDAP that are needed are partitioning and replication. Since high availability involves eliminating single points of failure or reducing their impact, it is necessary to have redundant hardware, software and networks to spread the risk.

A simple approach to creating a highly available directory service is to create a master and a slave directory server, each one on its own physical machine. By replicating the data, we have eliminated the single point of failure for both hardware and software failures. This solution with a master and one or more slave servers normally provides high availability for read functions to the LDAP servers. Write requests can only be directed to the master server. If high availability is required for write access, additional effort is necessary. Neither read-only nor read/write replication is supported natively by the LDAP standards, but vendors may have implemented their own mechanisms. Replication solutions can also be constructed using the export/import facilities of LDAP servers or with additional, custom-designed software tools.
A mechanism must be added to handle client redirection if one server fails. This can be done manually or semi-automatically by a DNS switchover, or automatically with a load-balancing technique by using a router designed for this. Such a router forwards client requests to one of the servers based on configurable criteria. It is important that the router supports stateful protocols; that is, subsequent requests from the same client need to be forwarded to the same server. There are several products on the market from different vendors to do this, such as IBM's eNetwork Dispatcher (www.ics.raleigh.ibm.com/netdispatch/) or Cisco Systems' Local Director (www.cisco.com).

There is also the issue of network bandwidth and its reliability to take into consideration. In some cases, it may be necessary to distribute a replica into another LAN with slow network connections to the master. This can also be done with any means of replicating an LDAP server (remember that replication is not included in the LDAP standards, thus you have to use vendor product support or your own methods). The primary server for a particular client may be the directory server on the client's own LAN, and the secondary will then be the central master server, accessed over the WAN.

If the method of spreading the risk is used to create high availability, it is possible to partition the directory tree and to distribute it to different locations, LANs, or departments. As a side-effect, depending on how the directory tree is branched and distributed to these servers, each location, department or LAN administrator could then easily manage their own part of the directory tree on a local machine, if this is a requirement. If a single server failed in such a configuration, then only a portion of the whole directory would be affected. A combination of the two methods explained above could be used to create a dynamic, distributed, highly available directory service.
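The availability section describes four rules that a redirection layer in front of master/replica servers has to obey at once: writes go only to the master, reads may go to any live copy, a client that has been sent to one server keeps going there (the "stateful" requirement, since a bind is per connection), and when the tree is partitioned the request must first be matched to the partition that holds its DN. The following is an added example, not from the article and not a model of any named product such as eNetwork Dispatcher or Local Director: a small in-memory router that applies those rules, with a combined partitioned-plus-replicated layout of the kind the last paragraph suggests. Server names, partition suffixes and client addresses are constructed for the example.

```python
"""Route LDAP requests across a partitioned, replicated set of servers.

Added example, not from the original article: models the client-redirection
layer the section describes (sticky sessions, failover to another copy, writes
pinned to the master, partitions selected by DN suffix). Server names, suffixes
and client addresses are constructed for the example.
"""


def norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_under(dn: str, suffix: str) -> bool:
    """True if dn lies at or below suffix in the tree."""
    d, s = norm_dn(dn).split(","), norm_dn(suffix).split(",")
    return len(d) >= len(s) and d[-len(s):] == s


class Partition:
    def __init__(self, suffix, master, replicas):
        self.suffix, self.master, self.replicas = suffix, master, list(replicas)


class Router:
    WRITE_OPS = {"add", "modify", "delete", "modrdn"}

    def __init__(self, partitions):
        self.partitions = partitions
        self.healthy = {s: True for p in partitions for s in [p.master, *p.replicas]}
        self.affinity = {}  # (client, suffix) -> server: the stateful part

    def mark(self, server: str, up: bool):
        self.healthy[server] = up

    def partition_for(self, dn: str) -> Partition:
        """Longest matching suffix wins, so a sub-tree partition beats its parent."""
        matches = [p for p in self.partitions if dn_under(dn, p.suffix)]
        if not matches:
            raise LookupError(f"no partition holds {dn}")
        return max(matches, key=lambda p: len(norm_dn(p.suffix).split(",")))

    def route(self, client: str, op: str, dn: str) -> str:
        part = self.partition_for(dn)
        if op in self.WRITE_OPS:
            # Writes are never redirected: only the master may accept them.
            if not self.healthy[part.master]:
                raise RuntimeError(f"master {part.master} for {part.suffix} is down: no write availability")
            return part.master
        key = (client, part.suffix)
        current = self.affinity.get(key)
        if current and self.healthy[current]:
            return current  # keep the client on the server it already talks to
        candidates = [s for s in [*part.replicas, part.master] if self.healthy[s]]
        if not candidates:
            raise RuntimeError(f"no server for {part.suffix} is reachable")
        # Deterministic spread by client address (constructed choice for the
        # example; a real balancer would use its own criteria).
        chosen = candidates[sum(map(ord, client)) % len(candidates)]
        self.affinity[key] = chosen
        return chosen


def build_demo_router() -> Router:
    """Constructed layout: a central partition plus a European sub-tree partition."""
    return Router([
        Partition("dc=example,dc=com", "ldap-hq-m", ["ldap-hq-r1", "ldap-hq-r2"]),
        Partition("ou=eu,dc=example,dc=com", "ldap-eu-m", ["ldap-eu-r1"]),
    ])


if __name__ == "__main__":
    r = build_demo_router()
    jane = "cn=Jane,ou=eu,dc=example,dc=com"
    print(r.route("10.0.0.5", "search", jane))   # a healthy EU copy
    print(r.route("10.0.0.5", "search", jane))   # same server again (sticky)
    r.mark("ldap-eu-r1", False)
    print(r.route("10.0.0.5", "search", jane))   # fails over to the EU master
    print(r.route("10.0.0.5", "modify", jane))   # writes always go to the master
```

The two failure modes the section warns about both surface here as exceptions rather than as silent misrouting: a write against a partition whose master is down is refused (read availability survives, write availability does not), and a DN that no partition claims is reported instead of being sent to an arbitrary server, which is the referral-consistency problem the manageability discussion raises.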
-- Scalability

As more and more applications use and rely on a directory service, the need to scale the directory for high load tolerance increases. Scaling up directory servers is done much the same way, either by increasing availability or by upgrading hardware performance. As is the case when increasing availability, we have to rely on functions outside the LDAP standard as well as LDAP replication and partitioning. The round-robin DNS or the load-balancing router are good tools to scale an LDAP server site. Scalability may be affected by network performance, therefore requiring local directory servers in LANs.

-- Manageability

Manageability aspects involve almost all parts of a directory design. Here is where trade-offs may have to be made regarding scalability, availability, flexibility, and manageability. The level of scalability and availability are both related to cost in hardware and software and, as a drag-along, cost of overall systems management. One important question to ask in a directory design about manageability is whether and how all information providers are able to furnish reliable, correct and consistent directory data to the LDAP service. If this cannot be assured, there will be a chance for errors and inconsistencies in the LDAP directory data. If such problems are considered critical for the clients using the LDAP service, tools must be provided that can detect and maybe even correct these errors.

To create a high availability environment, it is necessary to replicate and/or partition the directory, as discussed in the previous sections. Although not directly related to LDAP, it should be mentioned that adequate systems management tools and skills must be available to run such a fairly complex environment. In addition, one of the manageability concerns regarding replication might be the need to ensure an ample level of consistency.
A master LDAP server might have been updated with new information while a replica server still runs with the old, outdated information. The required level of consistency is largely dependent on the needs of the client applications using the service. If there is a requirement for currency and consistency among replicated servers, additional means must be provided to ensure this. Replication will also affect backup and disaster/recovery procedures. Processes will be needed to handle recovery of master servers and how synchronization of slaves will be handled. Since replication is outside the current standard for LDAP, it is necessary to study the vendors' implementations in order to find adequate solutions.

Partitioning the directory enables local servers to own their own data, depending on schema and branching design. This increases flexibility when maintaining data, but increases the complexity of referral handling. A clear method of linking the name space together will have to be formulated to ensure consistent referrals in the directory service name space such that the logical name space is still a whole. Also, each local server may have to be administered and maintained locally, requiring staff with operating system and LDAP knowledge.

- The Future of LDAP

With LDAP Version 3, a solid foundation for a directory service infrastructure for the Internet was built. As we have seen previously, most vendor implementations are based on this version or have most features of Version 3 incorporated. But there is still room for enhancements, for example in areas of API support for other programming languages, like Java. To define these standards, members of the Internet Engineering Task Force (IETF) work on and submit draft proposals that eventually might become Requests for Comments (RFCs). The RFCs describe the idea and the implementation of the major design and technologies for the new functions and features.
Although there is not a specific section in this book devoted to it, it should be mentioned that the vendor products will of course be further developed and enhanced, namely in areas such as improved functionality, manageability, and performance. For example, client-side caching could be implemented to improve performance remarkably, especially on multiuser client systems with heavy directory access. Graphical management tools can be added, or existing GUIs may be improved that allow easy configuration and contents management. As LDAP matures to a de facto standard, it will eventually replace proprietary directory services in vendor products and other standardized middleware solutions, such as the Distributed Computing Environment (DCE). DCE makes heavy use of a directory service and currently uses its own, specific implementation, called Cell Directory Service (CDS).

Slider.

- EOF -

Werd - Darkcyde, 809, rest of Oblivion crew, attrition.org, Rain.Forest.Puppy, Security focus crew, and PSS.
Wymeys - All the wh0res
Thanks - Mikey J for using his LDAP server

----------------------------------------------
**********************************************
The Underground, How deep is it? - Strafe
**********************************************

email: strafe.of.apoc@usa.net

The Underground. What exactly is the underground? It is whatever those that are not part of it see it as. I am not a member of the underground. I can only see myself for what I truly am. I will not allow those who try, to push me under. You can only be seen as a member of the underground by those who consider themselves better, that's why they own the sun. The symbolism is heavy in a grouping name such as the underground. Humans are surface dwellers. We live on land, our food comes from on the land, the things that we are supposed to hold dear, are on land. So why is it that we, the intelligent, aware citizens of earth, are denied these things?
We are symbolically forced under the soil, denied our lives and interaction with the masses. Why? We are not seen as worthy, not normal, we are non-conformists. I can say WE, WE are united, WE know what WE want. WE know that information should be distributed and that the rights that should be every man's, sadly are not. Our minds are not clouded with greed, success is not our main goal. WE strive to make the world better. So why are WE forced under? Because WE accepted it. WE allowed ourselves to be walked on. WE did not stand for what WE believed. Now is the time; many believe WE are small, weak, because people see the light and stray out of their caves. WE are not weak. WE are not the underground, WE are the free ground. Philosophy and thought flow through creative rivers till they meet the dam. The dam is us. WE hold ourselves back by fearing to do more. We are afraid we might lose our precious image of darkness, and a general love for destruction of lives. If you joined the underground because you thought it would be cool to be a bad guy, then you are not a member of the underground, you are a rock in the dam. The dam that holds those who strive for what is right, in the stagnant pool that is indecision.

- Strafe

[ I was not sure if this was a flame or an article, but I like it so I have added it. Kinda makes you think - Slider ]

----------------------------------------------
**********************************************
News This Month - Slider
**********************************************

MSNBC: Police ready to arrest virus suspect
<http://www.msnbc.com/news/403350.asp?cp1=1>
- As they awaited a judge's warrant to move in, Philippine police said Sunday the computer suspected of being used to launch the "Love Bug" virus is owned by a female computer college student

May 7, 2000

NandoTimes: FBI investigates e-mails sent to virus author
<http://www.nandotimes.com/technology/story/0,1643,500201388-500278198-501478088-0,00.html>
- U.S.
government agents are going over logs of angry e-mails sent by victims of the "ILOVEYOU" computer virus to its creator, who used Philippine e-mail addresses, a Philippine Internet service provider said Sunday

Currents: The Love Bug Worm And Spam: Evil Twins?
<http://www.currents.net/news/00/05/07/news3.html>
- E-mail viruses, such as the so-called "Love Letter" that crippled millions of e-mail servers over the past two days, carry the same type of identifying digital "fingerprints" that allow computer security experts to track down and eventually block unsolicited e-mail--or "spam"--campaigns, a leading computer security expert said on Friday

May 5, 2000

Dataloss.net: How we defaced www.apache.org
<http://www.dataloss.net/papers/how.defaced.apache.org.txt>
- This paper does _not_ uncover any new vulnerabilities. It points out common (and slightly less common) configuration errors, which even the people at apache.org made. This is a general warning. Learn from it. Fix your systems, so we won't have to.

LinuxWorld: Linux goes Unloved
<http://www.linuxworld.com.au/news.php3?tid=1&nid=19>
- The "I LOVE YOU" virus has hit Microsoft Outlook users around the world with anything but love. Once opened as a Visual Basic Script attachment by an Outlook mail client, the virus is executed on the local machine. It affects image and music files, such as JPEGs and MP3s, and also tries to download malicious software from around the Internet, to allow crackers to enter affected systems. At the same time, the virus mails itself to all addresses in the Outlook address book.

Sendmail.net: Sendmail Releases Blocking Feature for LoveLetter Worm
<http://sendmail.net/?feed=lovefix>
- Sendmail has released a blocking configuration feature for the LoveLetter worm infecting users of Microsoft Exchange, Outlook, and Outlook Express.
Email administrators can help prevent the spread of this worm by adding this configuration feature to Sendmail Switch, Sendmail Pro, Sendmail for NT, or open source sendmail.

InfoWorld: European Union: Love bug underscores security needs
<http://www.infoworld.com/articles/en/xml/00/05/05/000505eneubug.xml>
- AS EUROPEAN INDUSTRY sits down to review the damage brought by the "I Love You" software worm, the European Commission on Friday said international cooperation prevented the havoc from being even worse than it was.

WinNTMag: NTFS Access Control Security Enhancements
<http://www.winntmag.com/Articles/Content/8452_01.html>
- In Windows 2000 (Win2K), Microsoft redesigned how NTFS handles access control to files and other objects. You might have noticed that Security Configuration Manager (SCM), which Microsoft released in Windows NT 4.0 Service Pack 4 (SP4), handles access control like Win2K does. The new NTFS access control model takes a while to get used to, but it adds some important features. The redesign changes access control in three areas. First, permissions are much more granular, which means you can fine-tune user access. Second, if you come from the Novell NetWare world and like NetWare's dynamic inheritance, the dynamic way Win2K and SCM handle the inheritance of permissions will especially impress you. Third, Microsoft completely revamped the access control dialog boxes.

PCWorld: Microsoft: Don't Blame Us for Virus
<http://www.pcworld.com/pcwtoday/article/0,1510,16598,00.html?cp=reuters>
- Microsoft says that the author of the devastating "Love Letter" virus probably targeted its software because it is broadly used, but analysts point to what they call inherent weaknesses in the software titan's products as a possible factor in the attack.
CNN: Internet provider in Philippines homes in on virus author
<http://cnn.com/2000/TECH/computing/05/05/iloveyou.01/index.html>
- An Internet service provider in Manila, Philippines, has confirmed to CNN.com that a 23-year-old male from the Pandacan area of Manila has two e-mail addresses through their service and is believed to be the author of the "ILOVEYOU" virus

ZDNet: ILOVEYOU worm keeps mutating
<http://www.zdnet.com/zdnn/stories/news/0,4586,2562652,00.html?chkpt=zdhpnews01>
- Experts say the world's fastest-moving bug is likely to spawn even more versions and linger for a couple of weeks

Daily Telegraph: Hackers vs Crackers
<http://web.lexis-nexis.com/more/cahners-chicago/11407/5801705/4>
- Hackers have got a bad name for themselves. Popular belief has it that they disrupt and deface computer systems, but true hackers - as opposed to these "crackers" and vandals - are said to be innocent and there for our benefit. So why the misconception? Jon Katz, the media critic with slashdot.org and Wired magazine, claims that "when the media use the term 'hacker', they are really talking about vandals" (A hacker is a person that manipulates c0de f00l, a cracker breaks into systems, jesus ppl get it right !!! - Slider)

FCW: GSA joins smart card group
<http://www.fcw.com/fcw/articles/2000/0501/web-gsa-05-05-00.asp>
- The General Services Administration has joined GlobalPlatform, an organization that promotes the implementation of multiple-application smart card services by advancing international standards

SJ Mercury: Technology Security Risks Growing
<http://www.sjmercury.com/svtech/news/breaking/ap/docs/37011l.htm>
- The latest outbreak of a computer virus exposes technology's darker side: As machines get better, smarter and more popular, the security risks multiply

May 4, 2000

Details on the ILoveYou E-mail Worm
<http://securityportal.com/research/virus/vbslovelettera.html>
- Reports regarding this worm were received as early as May 4, 2000 GMT.
This worm appears to originate from the Manila, Philippines. This worm has wide-spread distribution and hundreds of thousands of machines are reported infected. This includes some removal information. More to come. PCWeek: Analysis: Worm underscores limits of firewalls <http://www.zdnet.com/pcweek/stories/news/0,4153,2561866,00.html> - From Hong Kong comes the definitive comment on the rapid spread of VBS.Loveletter.A, as the currently thriving e-mail attack is dubbed by Symantec Corp.'s virus center. In the words of a Dow Jones spokeswoman quoted by the Associated Press, "I don't know how it got through the firewall." ZDNet: Businesses shut down e-mail servers <http://www.zdnet.com/zdnn/stories/news/0,4586,2562060,00.html> - It's a 'last-resort' option, but some corporations are shutting down their e-mail servers to stop the 'ILOVEYOU' worm from spreading. Latest victim: Department of Defense. Linux.com: Linux Security: TCP-Wrappers? <http://www.linux.com/articles.phtml?sid=93&aid=8518> - Linux, like any operating system, is only as secure as you make it. Any computer that is connected to a network, and especially the Internet, is susceptible to being compromised. Security is an issue that affects everyone from home users who may have credit card information and such to businesses that may have business plans and product design specifications stored on these systems. TCP-Wrappers is a software package available for Linux that greatly simplifies securing these systems. MSNBC: 'Love' virus infects e-mail systems <http://www.msnbc.com/news/403350.asp> - another story about the "LoveLetter" virus, this one focusing on the user impact and reports of damage LoveLetter Virus Analysis from F-Secure </topnews/love20000504.html> - LoveLetter VBS virus is currently sweeping the world in Melissa-like fashion. 
Do NOT open messages with subject line of ILOVEYOU and do not execute attachments in any message called LOVE-LETTER-FOR-YOU-TXT.vbs Netscape: JavaScript Cookie Exploit <http://home.netscape.com/security/jscookie.html> - An exploit has recently been reported and confirmed across platforms for Netscape Communicator 4.72 and earlier in which a hostile site can read the links in a user's bookmark file if the user's profile name and the Communicator installation directory path are known to the hostile site Its All In the Cards <http://securityportal.com/research/inthecards20000504.html> - Mundane objects, like hotel key cards, gaming arcade cards, metro transit passes, and slot machine courtesy cards, all manifesting the cultural code phrase from the 1960's film, The Graduate, that the future was in "Plastics", serve today's computer criminals well Wired: Cybercrime Solution Has Bugs <http://wired.com/news/politics/0,1283,36047,00.html>- -- U.S. and European police agencies will receive new powers to investigate and prosecute computer crimes, according to a preliminary draft of a treaty being circulated among over 40 nations CERT: May Issue of Infosec Outlook now online <http://www.cert.org/infosec-outlook/infosec_1-2.html> - A joint monthly publication of the Information Technology Association of America and the CERT Coordination Center, this issue contains articles regarding the EU Change in Encryption Exports and Defining Risk: Security and Survivability May 3, 2000 Currents: Entrust Launches Zero Footprint Security Technology <http://currents.net/news/00/05/03/news13.html> - "Entrust Technologies has taken the wraps off the world's first "zero footprint" Web security technology. 
Known as TruePass, the firm said that the technology will make life easier for firms wanting to offer e-commerce to their customers" OpenSSH now supports SSH protocol version 2.0 <http://www.openssh.com/> - OpenSSH (a subset of the OpenBSD project) has now added SS protocol version 2.0 support (previously it supported 1.0 and 1.5 only). With this added support you can now interoperate with the commercial version of SSH. Sophos: W95/Smash.10262 executable file virus <http://www.sophos.com/virusinfo/analyses/w95smash.html> - On the 14th of any month from June onwards, this virus will patch the IO.SYS system file so that on the next restart the hard disk will be overwritten with garbage Civic.com: Washington coalition attacks Internet crime <http://www.civic.com/civic/articles/2000/0501/web-law-05-02-00.asp>- Federal, state and local law enforcement agencies in Washington have joined together to fight Internet crime, saying each agency alone does not have the expertise or resources to respond to Internet complaints CERT: mstream Distributed Denial of Service Tool <http://www.cert.org/incident_notes/IN-2000-05.html> - In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". The purpose of the tool is to enable intruders to utilize multiple Internet connected systems to launch packet flooding denial of service attacks against one or more target systems. 
See May 2 Top News CNet: Filemaker hit with Web software bug <http://news.cnet.com/news/0-1003-200-1803773.html?tag=st.ne.1002.thed.1003- 200-1803773>- Software publisher Filemaker confirmed today that there is a bug in one of its programs that potentially allows unauthorized access to databases posted to the Internet ZDNet: Stiff penalties sought for computer crime <http://www.zdnet.com/zdnn/stories/news/0,4586,2559889,00.html> - Jail time and sentencing terms recommended for credit card and identity theft, using computers to solicit or sexually exploit minors and violating copyrights or trademarks online Currents: Teen Sentenced in Columbine Web Threat <http://www.currents.net/news/00/05/02/news2.html> - A judge in Denver has reportedly handed down a four-month prison sentence to an 18-year-old Florida man convicted of sending a chat-room message threatening violence at Columbine High School, scene of a shooting spree last year which claimed 15 lives ComputerWorld: Moving COBOL to the Web - Safely <http://www.computerworld.com/home/print.nsf/idgnet/000427d956> - As they move more of their business online, companies are stripping away security mechanisms inherent in Cobol and mainframe access controls ZDNet: Biometrics to bolster Windows security <http://www.zdnet.com/zdnn/stories/news/0,4586,2559787,00.html?chkpt=zdhpnew s01> - Microsoft Corp. has agreed to include in future versions of its Windows operating system a type of software that uses "biometric" devices such as fingerprint or eye scanners to boost online security (hummmmm... Still does not make it more secure from remote attack... - Slider) Conducting Effective Security Meetings <http://securityportal.com/research/meetings20000502.html> - You arrive at the office with a million tasks to accomplish that day and a meeting is called to discuss security. You need to attend a meeting, in the middle of everything, like you need a hole in your head. 
Whether you are conducting security meetings or enduring them, we have all experienced effective ones and those that simply wasted our time. Meetings that provide a collective exchange of ideas to solve a specific problem are an effective use of resources in developing security solutions. Meetings that simply meet a regular schedule, devoting little to promoting security or utilizing the talents of attendees, are another matter and require reconsideration CNet: Expert warns of powerful new hacker tool <http://news.cnet.com/news/0-1003-200-1798064.html?tag=st.ne.ron.lthd.ni>- A potent new software tool has emerged for launching attacks similar to, but more lethal than, the ones that took down Yahoo and other major Web sites in February TrendMicro: VBS_KILLMBR Trojan <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KILLMBR> - VBS_KILLMBR is compatible with the Windows Scripting Host interpreter. You must have MS IE 5 or a browser that supports Windows Scripting for this to execute. When executed this script overwrites the MBR of drive C: TrendMicro: TROJ_ANTI-RS <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ANTI-RS &VSect=T>- This trojan implements the same concept as other flooders where it sends packets of data, 413 bytes each, to a host IP using port 7070. This can cause disconnection of the user from the network or cause slowdown in the system speed May 1, 2000 Currents: Always-on Internet Security <http://www.currents.net/articles/1905,5,14,1,0501,00.html> - The two best things about those fast Internet connections you get from cable, DSL, and ISDN are that you don't have to dial a number to connect to the Internet, and they are also easy to share over a network. That's also the worst thing about them--the Internet's a two-way street, and when you've got always-on access to the Net, the Net has the same access to your hard disk. And as for networking... 
well, that presents its own set of problems, especially in the telecommuter home office and the satellite corporate bureau. ZDNet: Web startup stirs up privacy concerns <http://www.zdnet.com/zdnn/stories/news/0,4586,2558316,00.html> - A new Web company, Predictive Networks, has developed software that can track every site a Web surfer visits and can build a profile based on those movements SeattleTimes: Internet security: Just how safe is your e-mail? <http://www.seattletimes.com/news/technology/html98/inbo30_20000430.html>- Whether your ISP is small - like Arthur's shop - or large like America Online and MSN, the technology exists for someone to intercept, read and pass along any message - all without your knowledge Wired: The Epidemic of Cyberstalking <http://www.wired.com/news/politics/0,1283,35728,00.html> - Deborah has been stalked in a chat room for over six months, during which time detailed personal information and a doctored pornographic photograph with her likeness has been posted on a website. The cyberstalker has threatened to rape and kill her. "He told people that I was on drugs, that I was looking for sex," said Deborah, not her real name. "He enlisted Internet friends to harass me". Frightening scenarios like this are increasingly common as more people use the Internet and blindly trust those they meet online SJ Mercury: Britain plans to build Internet surveillance centre <http://www.sjmercury.com/svtech/news/breaking/internet/docs/481988l.htm> - British government plans to build a $39.17 million Internet surveillance center would not allow security services to examine everybody's e-mail, the Home Office said Sunday (Use PGP f00ls, then they wont be able to read it - Slider) CERT: Denial of Service Attacks using Nameservers <http://www.cert.org/incident_notes/IN-2000-04.html> - We are receiving an increasing number of reports of intruders using nameservers to execute packet flooding denial of service attacks. 
The most common method we have seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses Apr 28, 2000 ZDNet: Computer worm targets Chinese Windows users <http://www.zdnet.co.uk/news/2000/16/ns-15075.html> - A new computer worm which exploits a hole in Chinese versions of Microsoft Internet Explorer, is currently running riot among China's computer users, according to Russian anti-virus firm, Kaspersky Labs. According to Kaspersky, the worm is similar to the much talked about Bubbleboy virus because its victims do not need to click an attachment in order for it to take effect ABCNews: Feds to Hacker: Shut Up or Go Back To Jail <http://www.apbnews.com/newscenter/internetcrime/2000/04/28/mitnick0428_01.h tml> - Kevin Mitnick, the notorious computer hacker accused of causing millions of dollars in damage to technology companies, has been ordered to get off the lecture circuit or risk going back to prison. The federal probation department sent word through his probation officer that his activities must stop (I wonder if Mitnik reads Oblivion... Im waiting for your email :] - Slider) NAI: Wscript KillMBR Trojan <http://vil.nai.com/villib/dispvirus.asp?virus_k=98607> - This is a script trojan which exploits a security hole in the running of ActiveX signed objects with the use of VB Script. This trojan will write an .HTA file to the local system for execution at next Windows restart. 
When this .HTA file executes, it will execute code to overwrite the first sector of the hard drive Newsbytes: White House Security Official Calls for More E-vigilance <http://www.newsbytes.com/pubNews/00/148150.html>- The recent arrest of a Canadian teenager in connection with the distributed denial-of-service attacks that hit several major Web sites earlier this year should not assuage anybody's vigilance about information security, a senior White House official said today Developing Information Security Needs <http://securityportal.com/direct.cgi?/research/security101/isneeds20000428. html> - Security professionals are constantly looking for ways to balance the need for information security with usability in managing corporate resources. The primary way to accomplish this balance is development of effective security policies that support both security needs and business functions without inconveniencing computer users. A corporate security policy must notify everyone that information security is a priority issue for the organization with everyone both responsible and accountable for achieving that goal CNet: Qualcomm warns of Eudora security hole <http://news.cnet.com/news/0-1005-200-1773077.html> - Qualcomm is urging people who use Eudora to guard against a potentially dangerous security vulnerability. ormally, before Eudora and similar email applications will run an executable file attached to an email message, they will present a warning that asks whether the recipient wants to risk running untrusted code on the computer. 
But in an exploit devised by bug hunter and anticontent-filtering advocate Bennett Haselton, a hostile email sender can circumvent that warning ZDNet: Beware shopping cart's backdoor <http://www.zdnet.com/zdnn/stories/news/0,4586,2556876,00.html?chkpt=zdhpnew s01> - E-commerce sites using CART32 shopping cart software have a backdoor that allows attackers free reign, says report ZDNet: Intel disables ID tracking in new chips <http://www.zdnet.com/zdnn/stories/news/0,4586,2556671,00.html?chkpt=zdhpnew s01> - There was a firestorm of protest when Intel put ID-tracking technology in Pentium III chips. Now it's obsolete and being removed Apr 27, 2000 Slashdot: Spooky Quantum Data Encryption <http://slashdot.org/article.pl?sid=00/04/27/103207&mode=thread> - Hardy writes "Imagine an encrypted communications channel that immediately notifies the parties if they are being bugged. The American Institute of Physics site is running an article about exploiting what Einstein described as the "spooky" action at a distance properties of quantum entangled particles. The entanglement process can generate a completely random sequence of 0s and 1s distributed exclusively to two users at remote locations. Any eavesdropper's attempt to intercept this sequence will alter the message in a detectable way and enabling the users to discard the appropriate parts of the data. This random sequence of digits is then used to scramble the message. This approach solves the problem of distributing a shared key to both parties without it falling into the wrong hands. This diagram might help. " VNUNet: System uses speed to find virus antidote <http://www.vnunet.com/News/723584> - A program which allows antivirus vendors to protect users against rapidly spreading viruses by secure exchange of 'urgent' virus samples was launched today. 
TheRegister: BTopenworld security glitch reveals thousands of customer names <http://www.theregister.co.uk/000427-000028.html> - BTopenworld has suffered a security leak of biblical proportions after the details of tens, of hundreds of thousands of customers were published willy-nilly on its Web site. ZDNet: AboveNet vows to nab cybervandals <http://www.zdnet.com/zdnn/stories/news/0,4586,2556074,00.html> - Internet service provider AboveNet Communications Inc. and law enforcement officials are on the hunt for the cyberattackers who halted traffic on Tuesday to almost 1,000 businesses that contract Internet services and Web-page hosting through the company. Linuxlock: Interview with Kevin Sexton of Protectix <http://www.linuxlock.org/features/protectix.html> - After first approaching Kevin Sexton from Protectix about an interview, the two of us, started sending mail back and forth. Some of the mail was about the interview, and some of it was just was personal about security in general. Kevin definately gets it. He is committed to Open Source Software and is serious about security. Along with providing the technological edge for keeping his security company at the top of the game, he has been working out business deals, including one with Lynx, the developers of BlueCat embedded Linux. I have a great amount of respect for Kevin and I encourage you to get in touch with Protectix if you want to outsource your security. NandoTimes: Hackers raided Russia's gas monoploy, officials say <http://www.nandotimes.com/technology/story/0,1643,500197283-500270387-50141 8162-0,00.html>- Russian authorities say Gazprom, a huge state-run gas monopoly, was one of a growing number of targets hit by computer hackers last year. Acting with a Gazprom insider, hackers were able to get past the company's security and break into the system controlling gas flows in pipelines, Interior Ministry Col. 
Konstantin Machabeli said, according to the Interfax news agency LinuxToday: Update on Red Hat Security Advisory: Piranha web GUI exposure <http://linuxtoday.com/stories/20850.html>- The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may allow a remote attacker to launch additional exploits against a web site from inside the web server. This is an updated release that disables Piranha's web GUI interface unless the site administrator enables it explicitly In the Investigative Eye <http://securityportal.com/direct.cgi?/research/investigate20000427.html> - Masters of locating Internet and electronic database information, dossier compilers pursue dirt. If it exists in bits, they convert it into hits on a target's reputation faster than a luge run in the Winter Olympics. This information may serve as direct intelligence or as a tool for coercion. So, if you're a possible target, your goal becomes minimizing your exposure in cyberspace. Watch out for Vices, Business Secrets, Travel Arrangements... CNN: Carnegie Mellon establishes anti-hacking institute <http://cnn.com/2000/TECH/computing/04/26/cybersecurity/index.html> - A Pennsylvania university created a research institute this month dedicated to fighting computer attacks like those that besieged major Web sites like eBay, Yahoo! and CNN.com in February ISS Security Advisory: Insecure file handling in IBM AIX frcactrl program <http://xforce.iss.net/alerts/advise47.php3> - ISS X-Force has discovered a vulnerability in the AIX frcactrl program. The Fast Response Cache Accelerator (FRCA) is a kernel module that can be used with the IBM HTTP server to improve the performance of a web server. 
If the FRCA module is loaded, a local attacker could use frcactrl, a program used to manage FRCA configuration, to modify files CERT Advisory CA-2000-03 Continuing Compromises of DNS servers <http://securityportal.com/direct.cgi?/topnews/ca2000-03.html> - This CERT Advisory addresses continuing compromises of machines running the Domain Name System (DNS) server software that is part of BIND ("named"), including compromises of machines that are not being used as DNS Servers. The Advisory also reports that a significant number of delegated(*) DNS servers in the in-addr.arpa tree are running outdated versions of DNS software, and urges system and network administrators to ensure that they are up-to-date with DNS security patches and workarounds Wired: Anonymity Threatened in Europe <http://wired.com/news/politics/0,1283,35924,00.html>- The European Parliament is weighing a proposal that would limit the use of anonymous email, saying such a requirement would enhance police surveillance of criminals Apr 26, 2000 FCW: DOD pushing forward on Internet disconnect <http://www.fcw.com/fcw/articles/2000/0424/web-dod-04-26-00.asp>- Despite criticism it received last year for a proposal to disconnect from the Internet to bolster security, the Defense Department remains committed to developing a technical architecture that will allow it to do just that, DOD's top cyberdefender said. Techweb: Korean Firms Hit By Chernobyl Computer Virus <http://www.techweb.com/wire/story/reuters/REU20000426S0001> - The so-called Chernobyl computer virus struck South Korea on Wednesday, wiping out hard disks at hundreds of companies, the Ministry of Information and Communication said on Wednesday. InternetNews: Register.com Launches Domain Security Service <http://www.internetnews.com/bus-news/article/0,2171,3_348071,00.html> - Domain registrar Register.com Inc. Wednesday launched Domain Lock Down, a service that protects domain names from being hijacked. 
With the new service, register.com (RCOM), "locks" names at the registry level, which helps prevent unauthorized alterations to name server and registrar information and blocks deletions of a domain name for the length of the registration term. CNet: Start-up to help businesses get hip to privacy <http://news.cnet.com/news/0-1005-200-1760269.html?tag=st.ne.1002.bgif.1005- 200-1760269>- Riding the wave of Net security fears, a new organization is launching a Web site next week aimed at helping businesses comply with privacy laws worldwide. Privacy Council, founded in October, is getting off the ground with $5 million in venture funding plus help from two major partners: Marsh USA, an insurance brokerage firm, and IBM F-Secure reports CIH virus damage much lighter this year <http://securityportal.com/direct.cgi?/topnews/cih20000426.html> - minimal confirmed reports of damage caused by the CIH virus, set to activate Apr 26, and which caused a large amount of damage in 1999. There are unconfirmed reports of greater damage in Korea NW Fusion: Stolen laptop prompts calls for internal review <http://www.nwfusion.com/news/2000/0425stolentop.html> - Safeware, The Insurance Agency Inc. in Columbus, Ohio, estimates that 319,000 laptops were stolen in the U.S. last year Fairfax: Privacy experts slam Australian effort in EU test <http://www.it.fairfax.com.au/industry/20000425/A17140-2000Apr20.html> - The chairman of the Privacy Foundation, Tim Dixon, says Australia's proposed privacy legislation does not stand up well compared to foreign counterparts and "clearly fails the EU test" ZDNet: FBI investigating new Web attack <http://www.zdnet.com/zdnn/stories/news/0,4586,2555422,00.html?chkpt=zdhpnew s01> - ISP AboveNet hit by a denial-of-service attack -- blocking customers' Web access for hours. 'It was a direct attack on our infrastructure.' PlanetIT: First U.S. 
Online Privacy Law Takes Effect <http://www.planetit.com/techcenters/docs/security/news/PIT20000424S0017> - The government will start surfing the Web Friday to enforce the first federal statute on online privacy -- a new law that imposes thousands of dollars in fines on marketers who collect personal information from children under 13. Apr 25, 2000 LinuxSecurity.Com: Build a Secure System with LIDS <http://www.linuxsecurity.com/feature_stories/feature_story-12.html> - LIDS ( Linux Intrusion Detection System) is a Linux kernel patch to enhance the Linux kernel. In this article, we will talk about LIDS, including what it can do and how to use it to build a secure linux system. Currents: Motorola Turns to Certicom for Wireless Security <http://www.currents.net/news/00/04/25/news7.html> - Certicom, a Canadian company with marketing operations in Hayward, Calif., said the deal means Certicom's elliptic curve cryptography technology could be used in Motorola's pagers, mobile handsets and Web-enabled phones, as well as the building blocks of wireless networks, such as servers offering content via the wireless application protocol, WAP. Silicon: News in View: Hackers get inside jobs <http://www.silicon.com/public/door?REQUNIQ=956639138&6004REQEVENT=&REQINT1= 37117&REQSTR1=newsnow>- Hackers are alive and well - and hard at work within your company. But these people can be the best way of ensuring your security systems are water-tight ComputerNewsDaily: Congress Nears Passage Of Digital Signature Bill <http://199.97.97.16/contWriter/cnd7/2000/04/23/cndin/5068-0014-pat_nytimes. html>- With the flourish of a quill spelling out ``John Hancock'' or with a simple pencil scratching out an ``X,'' Americans have long used their signatures to seal a deal. 
But in the age of the Internet, business owners say electronic commerce will never reach its full potential unless two parties can complete a contract by using a computer to ``sign'' and send legally binding documents ZDNet: Albright reassigns security after laptop vanishes <http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2554906,00.html?chkpt=p 1bn> - Secretary of State Madeleine Albright ordered new security steps taken on Monday after a laptop computer containing classified information disappeared inside the State Department Wireless Security Overview <http://securityportal.com/direct.cgi?/research/wireless/wirelessgeneral2000 0421.html> - Wireless networks are adopting online commerce at a dizzying pace, reminiscent of the Internet's adoption of ecommerce during the last two years. Applications such as stock trading, shopping, and banking are now available on wireless networks. It is the market of the future, but wireless is worth paying attention to right now. ISS Advisory: Backdoor Password in Red Hat Linux Virtual Server Package <http://securityportal.com/direct.cgi?/topnews/iss20000424.html> - Internet Security Systems (ISS) X-Force has identified a backdoor password in the Red Hat Linux Piranha product. Piranha is a package distributed by Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a web-based GUI, and monitoring and fail-over components. A backdoor password exists in the GUI portion of Piranha that may allow remote attackers to execute commands on the server Apr 24, 2000 IBM: Make your software behave: CGI programming made secure <http://www-4.ibm.com/software/developer/library/secure-cgi/> - In a short span of years (since 1992, in fact), the Web has exploded from nonexistence to the gazillions of Web sites found today. As the Web has grown, so too have the capabilities of Web technologies. 
This article focuses on writing CGI scripts: software that lives on the Web and that, not surprisingly, has critical security implications. ChicagoSunTimes: Field expanding for cyber-sleuths <http://www.suntimes.com/output/weinstein/wein232.html>- First it was Yahoo!, then eBay, followed by Amazon.com, CNN and even the FBI. Cyber-thieves are not only cracking the largest bastions of e-commerce, but the government's elite sites as well. Hackers have made headlines for a long time, but the recent attacks prove they'll go to surprising lengths to wreak havoc. ComputerUser: Hackers Bust Into Area 51 Site <http://www.computeruser.com/news/00/04/24/news3.html> - The company that published online satellite photos of the super-secret US Air Force installation known as Area 51 believes that it has solved a hacker problem that surfaced just hours after the pictures were posted. ComputerUser: F-Secure Warns Of Chernobyl Virus Anniversary Meltdown <http://www.computeruser.com/news/00/04/24/news7.html> - F-Secure has issued a warning to its customers about the CIH virus (also known as Chernobyl), which activates every year on April 26. The IT security firm said that when CIH activated last time, in April 1999, it caused the most damage done by one virus. According to the latest statistics, more than 2 million PCs suffered data loss because of the CIH virus last year. SJ Mercury: Palm VII banned from lab as security threat <http://www.sjmercury.com/svtech/news/breaking/merc/docs/001887.htm> - "Lawrence Livermore National Laboratory officials have identified a new security threat -- the Palm VII personal organizer. While the Palm VII gives gadget junkies the power to check e-mail and download stock quotes on the fly, security officers say it also makes it easier for would-be spies to copy and ship guarded information. 
None of the country's most sensitive material has been compromised, but the lab is not taking chances" Trend Micro Virus Alert: VBS_KakWorm.A <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KAKWORM. A>- rated as a medium risk, VBS_KakWorm.A is a direct action worm that is compatible with the Windows Scripting Host interpreter. You must have MS IE 5 or a browser that supports Windows Scripting for this worm to execute. This worm modifies your default signature in Outlook Express, embedding itself in the message. This worm is compatible with both the English and French versions of Windows Real Networks patches stack overflow in Real Server <http://service.real.com/help/faq/servg270.html> - The specific exploit involves a stack overflow in the PNA protocol handling scheme that ultimately causes the RealServer to discontinue serving streams until the RealServer is restarted or "rebooted" by the System Administrator Apr 22, 2000 GNIT Vulnerability Scanning Engine for NT and Windows 2000 <http://security.ellicit.org/> A vulnerability scanner for Windows that detects most common problems and produces a nicely HTML formatted report. Free. Apr 21, 2000 Wired: Navy Intranet a Security Threat? <http://www.wired.com/news/politics/0,1283,35713,00.html>- The U.S. Navy's plan to build the world's biggest Intranet could create a big security threat and a boondoggle to boot, according to the country's largest federal employees union. VNUNet: Turning up the heat on firewalls <http://www.vnunet.com/Features/602442> - A firewall puts up a barrier that controls the flow of traffic between hosts, networks and domains. The safest firewall would block all traffic, but that defeats the purpose of the connection. Strict control over selected traffic is needed, according to a logical security policy. A firewall can also conceal the topology of your internal network and network addresses from public view. 
Linux.com: CYA for System Administrators <http://oreilly.linux.com/pub/a/linux/2000/04/19/enterprise/CYA.html> - Things to keep in mind in our litigious society. In the last Linux in the Enterprise column, Linux Tools For Network Analysis, I mentioned some things to consider when you're using network scanning systems on your company's network. Doing the wrong thing in the cause of making your network "more secure" can land an unlucky administrator in a duel with the legal system. This is more likely when your actions come as a surprise or are viewed in a bad light by others who question your authority or motives to be doing what you're doing. With all the sound and fury in media about evil hackers, it's a good idea to consider how to protect yourself ahead of time. Wired: Like Mafia Son, Like Mafia Dad <http://www.wired.com/news/politics/0,1283,35836,00.html> - Turns out the Canadian police tapped into some rather incriminating telephone calls placed by the 15-year-old cracker's dad, who allegedly took out a contract on a business colleague. Lieutenant Lenny Lechman said Mafiaboy's 45-year-old father was arrested last week and charged with conspiring to commit bodily harm. 
ZDNet: RealNetworks server attack released <http://www.zdnet.com/zdnn/stories/news/0,4586,2553736,00.html> - A group of South American computer security researchers earlier today released a program, called realdie.exe, that can knock virtually any RealNetworks video server offline.

ComputerUser: Judge Blocks Hacker's Appearance at Conference <http://www.currents.net/news/00/04/21/news1.html> - An information technology conference in Salt Lake City this week had to go on without convicted hacker Kevin Mitnick after a judge ruled his participation in a panel discussion on computer security would violate terms of his probation.

Cisco Advisory: IOS Software TELNET Option Handling Vulnerability <http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml> - A defect in multiple Cisco IOS software versions will cause a Cisco router to reload unexpectedly when the router is tested for security vulnerabilities by security scanning software programs. The defect can be exploited repeatedly to produce a consistent denial of service (DoS) attack.

Trend Micro: new Trojan TROJ_HACKTACK_2K <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HACKTACK_2K> - This is a new Backdoor Trojan, which can be used by a hacker to remotely control an infected computer. The hacker can do this because the Trojan sends out vital system information and compromises the security of the computer and the network it is in.

ZDNet: No plan for personal cybersecurity <http://www.zdnet.com/zdnn/stories/news/0,4586,2553485,00.html?chkpt=zdhpnews01> - Speaking at ZDNet's Town Hall meeting, a top White House advisor said he 'found it extraordinary' that there was no plan for securing private PCs against malicious hackers.

Presenting the Big Picture in Security <http://securityportal.com/direct.cgi?/research/security101/bigpicture20000421.html> - When explaining security issues, it is easy to lose track of the bottom line in protecting data and resources. Presenting all the details during employee security awareness training may miss the big picture about securing your organization.

InfoSecurityMag: The Process of Security <http://www.infosecuritymag.com/apr2000/cryptorhythms.htm> - Security doesn't have to be perfect. But risks do have to be manageable. The problem is, users don't understand the risks, and products alone can't solve security problems.

Apr 20, 2000

NewsBytes: Company Secrets Leak Through Employee E-Mail - Report <http://www.newsbytes.com/pubNews/00/147649.html> - As if corporate computer security managers didn't have enough to worry about from disgruntled former employees, a new study finds a marked increase in the number of employees who acknowledge receiving confidential information via e-mail from employees at other companies.

InfoSecurityMag: Privacy, Please <http://www.infosecuritymag.com/apr2000/logoff.htm> - Online services need to realize that possession of customer information does not imply permission to do with it what they want. "PRIVACY" is a word that tends to get misused a lot by Internet security professionals. Just look at the RFCs, the closest thing the Internet has to a set of standards. The word privacy appears in 282 RFCs, but rarely do the RFC authors use the word privacy the same way that it's used by the majority of computer users.

EcommerceTimes: Teen Hacker Arrest Masks True Net Peril <http://www.ecommercetimes.com/news/viewpoint2000/view-000420-1.shtml> - This past weekend, a Canadian teen who calls himself "Mafiaboy" was arrested in the Montreal area and charged with at least one of the February denial-of-service (DoS) hacker attacks that blocked access to such popular Web sites as Yahoo!, Amazon and eBay.

BellLabs: Bell Labs Free Linux Software Foils the Most Common Computer Security Attack <http://www.bell-labs.com/news/2000/april/20/1.html> - Bell Labs announced today that it is releasing free Linux software that foils the most common form of computer security attack. Lucent's Libsafe software prevents electronic intruders from overflowing an application program's buffer memory to gain unauthorized access to a computer.

SCMP: PSINet hit by denial-of-service attack <http://www.technologypost.com/internet/Daily/20000420194747504.asp?Section=Main> - A denial-of-service attack on PSINet Hong Kong on Wednesday disabled the Internet service provider's Web-hosting servers for most of the day, leaving many of its dotcom customers without e-mail and Web sites.

ZDNet: DoS attacks - What really happened <http://www.zdnet.com/zdnn/stories/news/0,4586,2553035,00.html> - More details are emerging about last February's massive denial of service attack, and they continue to paint a dramatic picture of how helpless the Net's biggest Web sites really were. A 15-year-old Canadian computer vandal was charged with toppling CNN.com this week, allowing security experts a bit more freedom to speak about the incident.

SQL: Friend and Foe <http://securityportal.com/direct.cgi?/research/sqlfriend20000420.html> - SQL, the lingua franca for databases, converts data into information and knowledge. A skeleton key to the most widely used databases, Standard Query Language may protect or may breach security. Its double-edged nature arises from SQL's ease of use, its power to uncover hidden relationships among data, and its occasionally neglected security features.

Cisco Advisory: Catalyst Enable Password Bypass Vulnerability <http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml> - Cisco Catalyst software permits unauthorized access to the enable mode in the 5.4(1) release. Once initial access is granted, access can be obtained for the higher level "enable" mode without a password. This problem is resolved in version 5.4(2). Customers with vulnerable releases are urged to upgrade as soon as possible.

PR Newswire: AtomicTangerine launches venture consulting firm with heavy focus on security <http://web.lexis-nexis.com/more/cahners-chicago/11407/5742841/3> - "AtomicTangerine, a major strategic spin-off from SRI International, is redefining e-services as a venture consulting firm that combines emerging technologies with a business model and a strategy that bases a portion of its compensation on client results"

FCW: NSF launching grants for cybercorps <http://www.fcw.com/fcw/articles/2000/0417/web-cyber-04-19-00.asp> - The National Science Foundation is expected to release applications next month for grants that would fund the Federal Cyber Services program designed to train the next generation of digital defenders.

ZDNet: Security experts - Give 'Mafiaboy' a break <http://www.zdnet.com/zdnn/stories/news/0,4586,2552944,00.html?chkpt=zdhpnews01> - Security professionals and hackers that break into networks for a living urged compassion in the case of 'Mafiaboy,' the 15-year-old Internet vandal accused of bringing down CNN.com during February's denial-of-service attacks.

Cnet: Canadian police arrest suspect in major Web attacks <http://news.cnet.com/news/0-1005-200-1717149.html?tag=st.ne.1002.thed.1005-200-1717149> - Canadian police today said an arrest has been made in connection with a number of debilitating attacks on some of the Internet's most popular Web sites earlier this year. A 15-year-old boy known online as "Mafiaboy" has been accused of launching the attacks that began last February. Canadian officials would not name the boy, because Canadian law prevents releasing the names of juvenile suspects.

Apr 19, 2000

LinuxToday: Mandrake Security Updates: imwheel and gpm <http://63.236.72.248/stories/20452.html> - A security bug was found in gpm-root; the bug can be exploited to provide local users with root access. A security bug was found in imwheel; the bug can be exploited to provide local users with root access. Version 0.9.8 fixes this problem.

CNNfn: What price cyber security <http://www.cnnfn.com/2000/04/19/technology/v_cyber/> - Security experts say billions of dollars are being spent to safeguard material on the Internet, and a lot of that money is wasted. Small users have little protection if their information is taken from a database, but they can guard what they put out into cyberspace, particularly in their e-mail. CNN's Charles Molineaux takes a look at cyber security.

ABC: Juniper Develops Anti-Hacker Chip <http://www.abcnews.go.com/sections/tech/CNET/cnet_chip000418.html> - Juniper today said it is shipping a new processor that can scan all the data flowing through a network without slowing down the traffic. The chip, now built into Juniper's family of networking equipment, could prevent the hacker attacks that crippled many of the top Web sites in February, according to Juniper chief executive Scott Kriens.

CNet: Netscape tests patches for security hole <http://news.cnet.com/news/0-1005-200-1717169.html?tag=st.ne.1002.thed.1005-200-1717169> - Netscape is testing patches for a newly discovered security hole in its Communicator Web browser that could expose private files.

ZDNet: Hacker charged in DOS attacks <http://www.zdnet.com/zdnn/stories/news/0,4586,2552353,00.html> - The Royal Canadian Mounted Police have charged someone in connection with February's massive denial of service attacks against Internet sites.

Currents: FBI Laptop Stolen <http://www.currents.net/newstoday/00/04/19/news2.html> - The State Department may have had some explaining to do Tuesday, as it emerged late Monday that a laptop containing top secret FBI information had disappeared from a supposedly secure conference room at the State Department's Bureau of Intelligence in Washington.

ZDNet: Top U.S. priority: Protect that data <http://www.zdnet.com/zdnn/stories/news/0,4586,2552199,00.html> - Summers said he had no doubt that in 10 years information security would be an absolutely central priority in terms of management of business risk.

InfoWorld: Government to implement measures to combat Trojan horses <http://www.infoworld.com/articles/en/xml/00/04/18/000418entrojan.xml> - The federal government intends to make finding Trojan horses and trap doors on computer systems a "research priority," as the risk is one that some companies may be facing as a result of hasty Y2K problem repair work.

TrendMicro: PE_CIH Virus <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_CIH> - On April 26th, PE_CIH will once again activate and may cause damage to many computers. At this point we can only hope that people have upgraded to an up-to-date Antivirus software package that detects and cleans PE_CIH before it can activate. When PE_CIH activated in 1999 it caused damage to several hundred thousand systems, leaving many users with an unbootable computer.

NewsBytes: Administration, Industry Confer On Cybersecurity <http://www.newsbytes.com/pubNews/00/147521.html> - Maintaining the stance that industry, not government, must take the lead in guarding against hacker attacks and other electronic intrusions, Clinton Administration officials urged corporate leaders to beef up their cybersecurity efforts at a government-industry summit today.

Apr 18, 2000

CRN: Hacker Script Attempts To Exploit Microsoft Backdoor <http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=15872> - The Test Center found a Perl script on the Web that appears to have been authored by the same individual who originally reported the flaw to Microsoft. However, in attempting to execute the Perl script, Test Center engineers ran into syntax errors in the script as well as unresolved external references.

Sendmail.net: Q and A with Wietse Venema <http://sendmail.net/?feed=interviewvenema> - When you name a program SATAN, you can expect your intentions to be misread. Wietse Venema discovered this firsthand when he and colleague Dan Farmer released the Security Administrator Tool for Analyzing Networks, reporting software designed to let administrators test their own networks for vulnerabilities, but immediately misconstrued as a toy for budding crackers.

Bruce Schneier - Crypto-Gram <http://www.counterpane.com/crypto-gram-0004.html> - A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

LinuxPlanet: The Ultimate Anti-Virus Software: Linux <http://www.linuxplanet.com/linuxplanet/reviews/1739/1/> - Solving the Security Issues in Windows: Replace It!

Currents: Former Employee Steals Internet Radio Stations <http://www.currents.net/newstoday/00/04/18/news2.html> - Three Internet-only radio stations have gone off the air after they were actually removed from the computer server they were hosted on by a disgruntled former employee.

Currents: Site Employs Biometrics for E-Prescription Security <http://www.currents.net/newstoday/00/04/18/news6.html> - DrugEmporium.com, the online subsidiary of Drug Emporium [NASDAQ:DEMP], the national chemist chain, has licensed biometrics technology from BioNetrix to allow it to authenticate the identities of doctors ordering patient prescriptions over the Internet from the online pharmacy.

Tele.com: ASPs to Insurers: 'Cover Me' <http://web.lexis-nexis.com/more/cahners-chicago/11407/5732422/7> - New liability insurance policies take aim at cyber-risks.

ZDNet: Microsoft - More security holes <http://www.zdnet.com/zdnn/stories/news/0,4586,2551396,00.html?chkpt=zdhpnews01> - For a company that prides itself on the quality of its software development prowess, Microsoft Corp. has encountered a rough patch of late, racking up two security holes as well as committing a major faux pas in the space of less than a week.

Keep Your Paws Off My Data <http://securityportal.com/direct.cgi?/research/security101/pawsoff20000418.html> - This article talks about ways to keep your personal data safe, from a Security 101 perspective.

Silicon: Security industry hits out at ethical hackers <http://www.silicon.com/public/door?REQUNIQ=956018642&6004REQEVENT=&REQINT1=37026&REQSTR1=newsnow> - UK security vendors have reacted angrily to the news that a group of the world's most experienced hackers have joined forces to launch their own company.

Apr 17, 2000

Open Source - Why it's Good for Security <http://securityportal.com/direct.cgi?/topnews/os20000417.html> - The argument that open source operating systems are less secure hangs on the faulty premise that attackers can't find vulnerabilities in closed source O/S's.

CNN: Ireland to lower encryption export restrictions <http://cnn.com/2000/TECH/computing/04/17/irish.encrypt.idg/index.html> - The government of Ireland has relaxed regulations for exporting mass market encryption products, the Department of Enterprise, Trade and Employment announced Friday. The simplified licensing procedure, known as a General Authorization, means Irish companies are no longer required to obtain export licences for individual products or for individual countries, said Mary Harney, the Minister of Enterprise, Trade and Employment, in a statement.

InfoWorld: Novell delivers multiple-level security authentication <http://www.infoworld.com/articles/en/xml/00/04/17/000417ennovsecurity.xml> - NMAS lets network managers establish multiple levels of security into the network through a combination of password authentication, digital certificates, tokens, smart cards, or biometric devices.

SaltLakeTribune: Bennett Aims to Protect U.S. From New Cyber-Threat -- Hackers <http://www.sltrib.com/04172000/utah/41965.htm> - First, U.S. Sen. Bob Bennett leaped over tall bureaucracies as a Y2K czar, making sure the nation's millennial odometer cranked over smoothly. Now the Utah Republican is donning the cape of cyber-crime-fighting master.

RootPrompt: Digital Certificates and Encryption <http://rootprompt.org/article.php3?article=354> - On the Internet, information you send from one computer to another passes through numerous systems before it reaches its destination. Normally, the users of these intermediary systems don't monitor the Internet traffic routed through them, but someone who's determined can intercept and eavesdrop on your private conversations or credit card exchanges. Worse still, they might replace your information with their own and send it back on its way.

SecurityFocus: Wide Open Source <http://www.securityfocus.com/commentary/19> - Is Open Source really more secure than closed? Elias Levy says there's a little security in obscurity. One of the great rallying cries from the Open Source community is the assertion that Open Source Software (OSS) is, by its very nature, less likely to contain security vulnerabilities, including back doors, than closed source software. The reality is far more complex and nuanced.

LinuxToday: Eric S. Raymond: Designed for Insecurity -- reprised <http://linuxtoday.com/stories/20251.html> - The status of the back door I discussed in Microsoft: Designed For Insecurity is now uncertain. Since the problem was reported on 14 April by BugTraq and the Wall Street Journal, one of the people involved in discovering it has retracted his report. There is now dispute over whether this problem was due to a genuine back door or a server misconfiguration.
PA: HACKERS HIT BACK AT HEAVY METAL BAND <http://www.pa.press.net/news/technology/POP_Metallica%2c%20Napster_102627.html> - Web music enthusiasts, apparently enraged at Metallica's legal action against Napster, temporarily shut down the band's official web site.

Cert: Tech Tips <http://www.cert.org/tech_tips/index.html> - Our tech tips provide basic information on a variety of Internet security issues.

Slashdot: QNX Crypt Cracked <http://slashdot.org/articles/00/04/16/1324233.shtml> - The Crypt algorithm for the QNX operating system was just cracked. QNX runs on banks' computers, ATMs, medical equipment.

LinuxToday: Caldera Systems Security Advisory: Security problem in telnetd <http://63.236.72.248/stories/20245.html> - The telnet daemon from the Linux netkit supports a command line option -L that lets the administrator specify a login program other than /bin/login. An unintended interaction with some other piece of code in telnetd has the effect that the memory location holding the name is overwritten with information obtained from the client host. This bug can be abused by an attacker to bypass authentication completely. However, in almost all cases, this will just cause telnetd to not work at all, which makes it unlikely that this feature has been used widely.

Apr 15, 2000

ZDNet: MS security flaw called pinhole <http://www.zdnet.com/zdnn/stories/news/0,4586,2550735,00.html> - Initial reports of a back door in Microsoft Corp.'s FrontPage server software -- a deliberate security hole put in to allow illicit access -- now seem to be, for the most part, incorrect.

Microsoft Security Bulletin MS00-025 <http://www.microsoft.com/technet/security/bulletin/fq00-025.asp> - A server-side component, named Dvwssr.dll, is provided to support the Link View feature for Visual Interdev 1.0. This component will return the source code of .asp files on the server, when requested by a user who has web authoring privileges for a web site hosted on it.

Apr 14, 2000

ZDNet: Doubt cast on Microsoft back door report <http://www.zdnet.com/pcweek/stories/news/0,4153,2550387,00.html> - "This is a hole that could allow information to be manipulated by others," Cooper wrote on the NTBugTraq Web site. "However, it's limited to others who already have Web authoring permissions on the same box."

NTSecurity: Update: FrontPage 98 is BackDoor 98 <http://www.ntsecurity.net/forums/2cents/news.asp?IDF=118&TB=news> - The backdoor was discovered with the revelation of a keyphrase that reads "!seineew era sreenigne epacsteN," which is the reverse text of "Netscape engineers are weenies!" The phrase is plainly visible in the FrontPage 98 DLL file called dvwssr.dll, which you can see by opening the file with a text editor such as Notepad.

ZDNet: Proposal would outlaw spying across European borders <http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2550367,00.html?chkpt=p1bn> - Spying on electronic communications by international agencies is a serious invasion of privacy according to proposals put before the European Parliament in Strasbourg this week.

Currents: Hacker to Speak at Security Conference <http://www.currents.net/newstoday/00/04/14/news8.html> - Kevin Mitnick, the self-confessed superhacker who was recently released from jail following his latest escapades, will give his first public presentation in Salt Lake City next week.

Currents: Hacker Guilty in Federal Web Intrusions <http://www.currents.net/newstoday/00/04/14/news1.html> - The 19-year-old co-founder of a hacker group known as Global Hell faces up to five years in prison and a 250,000 fine after pleading guilty to breaking into White House and U.S. Army Web sites.

LinuxToday: Red Hat Security Advisory: New gpm packages available <http://63.236.72.248/stories/20137.html> - gpm is a cut and paste utility and mouse server for virtual consoles. As part of this package, the gpm-root program allows people to define menus and actions for display when clicking on the background of the current tty. The current gpm-root program fails to correctly give up the group id 0 membership for user defined menus. If you are running gpm-root on your system then you are at risk.

Register: Bertie Ahern in £1m porn scandal, while Serbian hackers go haywire <http://www.theregister.co.uk/000413-000022.html> - Cybersquatting has found a new lease of life with the arrival of www.bertieahern.com, specialising in teenage girls in uncompromising positions, and a dedicated group of Serbian hackers going for big-name sites.

CNN: Proposed computer security bill under fire <http://cnn.com/2000/TECH/computing/04/13/cyber.sec.act/index.html> - A bill designed to protect confidential company information is under fire from critics who characterize it as unnecessary and an invitation to abuse.

Networks, Past Present and Future <http://www.securityportal.com/direct.cgi?/research/security101/networks.html> - A Security 101 view of Networks, past present and future: If a computer is not attached to any communication device then once broken in to it cannot be used to launch attacks on other systems. This of course changes the minute you attach a phone line to it...

ZDNet: Record encryption puzzle cracked -- finally <http://www.zdnet.com/zdnn/stories/news/0,4586,2542359,00.html> - The broken encryption method is widely expected to secure next-generation wireless devices. But is the break such bad news?

Apr 13, 2000

Vnunet: 911 virus fears exaggerated <http://www.vnunet.com/News/602125> - Although the feared 911 virus has caused some localised damage in the US, it represents little real threat to UK users, according to security experts.

Currents: Lawmaker Calls for New Surveillance Laws <http://www.currents.net/newstoday/00/04/13/news11.html> - Technological changes, especially the advent of the mass-market Internet, have made it necessary for Congress to come up with a new set of surveillance and intelligence laws suitable to the 21st century, Rep. Bob Barr, R-Ga., said in remarks scheduled for delivery at a congressional hearing Wednesday.

SCMP: Security task force looks to close holes in Net <http://www.technologypost.com/enterprise/DAILY/20000413172035429.asp?Section=Main> - What can organisations do in the short term to protect their internal computer networks from possible attacks via the Internet?

PCWorld: Net Attacks Can Spread Beyond PCs <http://www.pcworld.com/pcwtoday/article/0,1510,16247,00.html> - Internet appliances and other Net devices will share PCs' vulnerability to malicious code.

Currents: Government Response to Cyberattacks Slowed by Spoofing <http://www.currents.net/newstoday/00/04/13/news4.html> - The government's ability to differentiate between cyberattacks waged by hostile foreign nations and those perpetrated by teenage hackers has been severely restricted by the emergence of identity-concealing technologies and a raft of legal and constitutional issues.

Wired: Net Fort Opens to Mixed Reviews <http://www.wired.com/news/technology/0,1282,35550,00.html> - The building, a renovated version of a former IBM facility, was rebuilt by Bechtel Corporation, the brawn behind the Hong Kong International Airport and Boston's Ted Williams Tunnel. Bechtel has entered into a 1.2 billion contract to build 26 more of these hosting facilities. The company has already built two on the East Coast -- in Virginia and New Jersey.

Microsoft Security Bulletin MS00-024 <http://www.microsoft.com/technet/security/bulletin/fq00-024.asp> - Microsoft Security Bulletin MS00-024 announces the availability of a tool that eliminates a vulnerability posed by inappropriate permissions on a registry key in Microsoft Windows NT 4.0. The default permissions on this key could allow a malicious user to compromise other users' cryptographic keys.

Wired: Where Is WhoAmI.com <http://www.wired.com/news/business/0,1367,35628,00.html> - Another domain owner finds its name hijacked and transferred to someone somewhere in the Balkans. Like past victims, the company says Network Solutions has a big hole to plug.

ComputerWorld: Security, e-commerce top airline conference agenda <http://www.computerworld.com/home/print.nsf/all/000412D4B2> - Airline executives were warned of the perils of online commerce and alerted to the possible entrance of the federal government as a regulator of electronic business at the annual Airlines@Internet conference sponsored by the International Air Transport Association underway here this week.

CNN: Geeks, spies debate Web privacy <http://www.cnn.com/2000/TECH/computing/04/12/geeks.spies.idg/index.html> - Technology pioneers mix with cyberpunks, law professors, federal agents, and others to debate the state of personal privacy online, at the 10th Computers, Freedom and Privacy conference here.

Currents: Warnings Issued About Chain E-Mail <http://www.currents.net/newstoday/00/04/12/news5.html> - Ericsson has warned would-be mobile phone buyers to avoid a chain e-mail currently doing the rounds, offering free standard and WAP enabled mobile phones in return for surfing the WAP section of the firm's Web site.
TechnologyPost: Poor implementation exposes flaws in security armour <http://www.technologypost.com/enterprise/DAILY/20000412191525384.asp?Section=Main> - The increase in awareness of network security largely has been undone by problems of implementation and open holes, according to Glenn Bell, business development director for Atalla security products at Compaq Computer.

Apr 12, 2000

SunWorld: Script kiddies -- geniuses or idiots <http://www.sunworld.com/sunworldonline/swol-04-2000/swol-04-security.html> - Law enforcement officials, in their war against hackers, have actually succeeded in tracking down a few naive hackers/crackers who didn't know how to cover their tracks. To validate their efforts, authorities exaggerated the skill level of these kids from that of a script kiddie to that of Neo, Morpheus, and Trinity from The Matrix. Say it ain't so. It ain't so. For this installment of Wizard's Guide to Security, Carole Fennelly tells what really happened.

Register: Ethical hacker reveals secrets of underground world <http://www.theregister.co.uk/000412-000005.html> - A 20-year-old Brit who hacked into the Web sites of two merchant banks last week can never be prosecuted. Chris McNab, who says he has one foot in the underground and one foot in the corporate world, claims to have one of the best jobs in the IT industry.

Microsoft Security Bulletin MS00-023 <http://www.microsoft.com/technet/security/bulletin/fq00-023.asp> - This is a denial of service vulnerability. If a malicious user requested a file from a web server via a specially-malformed URL, the server could become unresponsive for some period of time. The vulnerability does not cause the server to fail, or cause any data to be lost, and the server eventually would resume normal operation, given enough time. Patch available.

ComputerWorld: Microsoft backs P3P Net privacy standard <http://www.computerworld.com/home/print.nsf/all/000412D49A> - The chief privacy officer at Microsoft Corp. said last week that the company plans to release free software tools that could spur the adoption of Internet privacy standards.

ZDNet: Cell phone giants in Net security pact <http://www.zdnet.com/zdnn/stories/news/0,4586,2531636,00.html> - The world's top three mobile phone manufacturers teamed up on Tuesday in an attempt to secure the growth of e-commerce by developing an open, global industry framework for safer and simpler business over cell phones.

NewsBytes: Bill Would Shelter Firms Sharing Hacking Info <http://www.newsbytes.com/pubNews/00/147313.html> - A bill set to be unveiled Wednesday will encourage companies to share information about hacker attacks by providing firms with a limited exemption from the Freedom of Information Act (FOIA), bill supporters said today.

NewsBytes: Visa Asia Pacific Cards Will All Be Smart By 2006 <http://www.newsbytes.com/pubNews/00/147318.html> - Visa International anticipates that all Visa-branded cards issued in the Asia Pacific region including Thailand will be chip-based by the end of 2006. The project is part of Visa's continuing efforts to increase the use of multi-function smart cards.

Sophos: Troj Narnar <http://www.sophos.com/virusinfo/analyses/trojnarnar.html> - The Trojan contains a simplified IRC client which, on every subsequent restart of Windows, uses the computer's internet connection to announce itself on a specific IRC channel on irc.dal.net. This allows other people with the client software to access infected users' computers.

Silicon: Baltimore boss calls for hands off security policy <http://www.silicon.com/public/door?REQUNIQ=955506344&6004REQEVENT=&REQINT1=36908&REQSTR1=newsnow> - Public Key Infrastructure has become an accepted Internet standard, but the UK government must provide a strong legislative framework for information security, without being seen to interfere with commerce.

APBNews: ACLU Fights Decision to Quash Hacking Program <http://www.apbnews.com/newscenter/internetcrime/2000/04/11/cphack0411_01.html> - The American Civil Liberties Union plans to appeal a judge's order barring three U.S. Web sites from posting information that reveals how to defeat a popular program used by parents to keep children away from violent or pornographic sites.

Apr 11, 2000

TrendMicro: TROJ_IRCFLOOD <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_IRCFLOOD> - TROJ_IRCFLOOD is a PE Trojan that floods the infected computer via mIRC. The Trojan functions as a DoS tool to attack servers.

NewsBytes: Cybersecurity Or Bust: The Auditors Cometh <http://www.newsbytes.com/pubNews/00/147251.html> - Drawing upon lessons learned from February's distributed denial of service attacks, representatives from nearly every facet of the risk management community will attempt to convince an audience of corporate decision-makers that their bottom line is essentially bottomless without a solid foundation of information security.

ComputerWeekly: US court rules encryption source code protected <http://www.computerweekly.com/cwarchive/daily/20000411/cwcontainer.asp?name=C7.HTML&SubSection=6> - A U.S. Appeals Court judge has ruled that encryption source code is constitutionally protected and not subject to restrictions imposed by the U.S. government.

Cryptography Versus Privacy? <http://www.securityportal.com/direct.cgi?/research/cryptovspriv20000411.html> - Cryptography is usually thought of as a technique that protects privacy. And indeed, that is precisely its function; it protects the secrets of the person who is using it. But today, people are concerned that cryptography is being used in ways that allow the people who are using it to compromise the privacy of other people.

Cert: Compromises via BIND Vulnerability <http://www.cert.org/current/current_activity.html> - We continue to receive multiple daily reports of systems being root compromised via one of the most recent vulnerabilities in BIND. The "NXT bug" described in CA-99-14, Multiple Vulnerabilities in BIND, can be and is being exploited to gain root access to systems running a vulnerable version of BIND. An exploit is in public circulation and intruders are actively seeking out and compromising vulnerable hosts on a widespread basis.

Cert: Unprotected Windows Shares <http://www.cert.org/current/current_activity.html> - We are receiving reports of intruders exploiting unprotected Windows networking shares on a widespread basis. A share is created when a Windows user configures a folder or a file to be shared with other users on the network. Insecure configurations are being exploited to place malicious code on vulnerable computers. Exploitation is being carried out using automated propagation from computer to computer by copying files to unprotected Windows networking shares on vulnerable systems.

Apr 10, 2000

L0pht: CRYPTOCard PalmToken PIN Extraction Advisory <http://www.l0pht.com/> - CRYPTOCard's CRYPTOAdmin software is a challenge response user authentication administration system. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares. Using the demonstration tool below, the PIN can be determined in under 5 minutes on a Pentium III 450MHz.

Vnunet: Intel to open source security software <http://www.vnunet.com/News/601946> - Making the software open source means that it can be modified and used by developers with any operating system to add security features to ebusiness applications. This will "allow companies around the world to develop software and hardware security products faster and cheaper", said Intel in a statement ahead of the announcement.

ZDNet: Home is where the hack is <http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2524210,00.html?chkpt=p1bn> - For many broadband users, it is becoming a rude awakening to learn that being connected around the clock to the Internet is not just a Valhalla of always-on convenience. Right now, about one in four computers hooked up to broadband connections is vulnerable.

Currents: PrettyPark Virus Wreaks the Most Havoc <http://www.currents.net/newstoday/00/04/10/news1.html> - The latest monthly virus reports from Sophos show that, despite what many had predicted, the PrettyPark virus is still raging through the online community, having raised the blood pressure of just over a quarter of virus-infected users during March.

Apr 8, 2000

CRN: Security Firm Outlines Hacker Attack Points <http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=15603> - Following recent high-profile Web security breaches, Enstar, an e-security firm, hosted a live demonstration in San Antonio Friday to show the many ways hackers break into systems.

Apr 7, 2000

ZDNetUK: Government warned of hacking danger <http://www.zdnet.co.uk/news/2000/13/ns-14693.html> - The Prime Minister has been warned that placing more of the government's infrastructure online will leave it vulnerable to computer hackers, in a leaked letter from the head of the House of Commons published in The Times Friday.

Wired: Getting Snooped On? Too Bad <http://www.wired.com/news/politics/0,1283,35498,00.html> - You say you don't like browser cookies? You're not quite sure if that program you download from the Net is revealing more about you than it should? Well, here's something to make you really nervous: In the United States, it may be illegal to disable software that snoops on you.

ZDNetUK: A Year Ago: IBM says some Aptivas hit by virus <http://www.zdnet.co.uk/news/2000/13/ns-14603.html> - IBM spokeswoman Stacy Pena said that some Aptiva PCs sold in the United States had been exposed to the CIH virus during the manufacturing process due to human error.

TrendMicro: TROJ_SPLITTERS Trojan <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SPLITTERS> - TROJ_SPLITTERS floods computers via mIRC to perform a Denial of Service attack.

CNet: Privacy activists lobby Congress for greater Net protections <http://news.cnet.com/news/0-1005-200-1653132.html?tag=st.ne.1002.thed.1005-200-16531321005-200-1653132> - Privacy advocates today urged Congress to extend constitutional search-and-seizure rights to the Internet to protect from Big Brother consumers who shop, join groups and bank online.

Apr 6, 2000

InternetNews: Victims of 911 Worm: FBI Warning Was No Hype <http://www.internetnews.com/bus-news/article/0,2171,3_336231,00.html> - Self-diagnosed victims of the 911 Worm Thursday credited the FBI with protecting their hard disks from possible disaster. But others question whether the incident, which began April Fools' Day, is just the latest example of Internet-induced virus hysteria.

WinNTMag: Application Service Providers: Are They Sitting Ducks? <http://www.ntsecurity.net/go/loadit.asp?id=/forums/2cents/eds.asp?IDF=102&TB> - If anything will stymie ASPs' acceptance in the marketplace, it will be security. The reasons are manifold but are mainly found in the potential for Denial of Service attacks and data interception.
Are today's OSs and network hardware robust enough to fend off Distributed Denial of Service attacks? Has VPN technology been tested thoroughly enough that a business can trust its ability to continually protect data? I think you'll find that the answer is no to both questions. ZDNetUK: Teen hackers sentenced in Hong Kong <http://www.zdnet.co.uk/news/2000/13/ns-14664.html> - Three hackers plead guilty to 49 different computer related offences. A teenage computer hacker was sentenced to six months imprisonment and two accomplices were sent to a detention centre for computer offences in a landmark case in Hong Kong, according to reports Thursday CNet: Government ineffective in chasing Net crime, executives say <http://news.cnet.com/news/0-1005-200-1648223.html?tag=st.ne.1002.thed.1005- 200-16482231005-200-1648223>- As high-tech executives know, the Justice Department lacks the staff to investigate and prosecute most hackers. Many companies also are reluctant to undergo government scrutiny, they've got too many secrets. As a result, cybercriminals are breaking into or paralyzing Web sites with little fear of retribution, costing the industry hundreds of millions of dollars CERT: Infosec Outlook April 2000 <http://www.cert.org/infosec-outlook/infosec_1-1.html> - Infosec Outlook is a monthly publication intended to help all stakeholders in the Internet Economy come to terms with the technical, business and risk management, and policy issues related to information security. 
Outlook is the result of a partnership between the Information Technology Association of America and the CERT Coordination Center at the Software Engineering Institute ComputerWorld: Study: E-commerce spread defeating crypto regulations <http://www.computerworld.com/home/print.nsf/idgnet/000405D222>- Attempts by governments to curb the worldwide use of strong encryption are being eclipsed by the growth of electronic commerce and the corresponding need for privacy and Internet security, according to a study released yesterday by the Washington-based Electronic Privacy Information Center InfoWorld: IBM Net guru has hope for privacy on the Web <http://www.infoworld.com/articles/ic/xml/00/04/05/000405icibmguru.xml> - In a wide-ranging speech about the future of the Web at the Internet World trade show Wednesday, Patrick predicted that cookies will become a thing of the past, to be replaced by digital identities that give users greater control over who can spy on their Net activities NewsBytes: Secure E-commerce Protocol Not Dead Yet, Study Says <http://www.newsbytes.com/pubNews/00/146973.html>- The specter of growth in credit card fraud online may provide the motivation needed to spur widespread adoption of the much-recommended Secure Electronic Transaction protocol, a study released today say NandoTimes: Internet challenges old assumptions about spying <http://www.nandotimes.com/technology/story/0,1643,500189518-500255032-50130 0835-0,00.html>- Local press reports, once smuggled across borders at great risk, are available on the Internet. High-resolution satellite images, once the domain of superpowers, can be purchased for about 2,000 dollars a shot. 
And, with the collapse of the Berlin Wall, it takes little more than a passport and a plane ticket so see what were once the world's most forbidden cities SV.com: Reno urges teamwork on battling cybercrime <http://www.mercurycenter.com/svtech/news/indepth/docs/reno040600.htm> - Attorney General Janet Reno ventured into Silicon Valley on Wednesday to make her latest pitch for ramping up the war on cybercrime, soliciting the help of tech-industry leaders who traditionally have been skeptical of cooperating with law enforcement FBI agent: I am Big Brother <http://www.zdnet.com/zdnn/stories/news/0,4586,2522568,00.html> - Pro-privacy groups might consider him the enemy, but Paul George counters: There are worse things than having your privacy violated ... like murder. Apr 5, 2000 An overview of OS security features - part II <http://www.securityportal.com/direct.cgi?/closet/closet20000405.html> - So last we covered some of the fundamental areas of computer security, this week I'll be looking at encryption of data on the filesystem and over the network, remote administration tools, and finally software security NewsBytes: Thai Police Panel Formed To Tackle Cyber Crime <http://www.newsbytes.com/pubNews/00/146912.html>- In Thailand, a body to investigate and help bring cyber criminals to their knees is being set up in response to the wave of publicity Internet misconduct has received of late Wired: Crypto Regs Challenged Again <http://www.wired.com/news/politics/0,1283,35425,00.html> - Privacy advocates won a preliminary victory when for the second time a federal appeals court questioned restrictions on data-scrambling encryption software. The Sixth Circuit Court of Appeals suggested Monday that President Clinton's restrictions on distributing encryption products might be unconstitutional TrendMicro: IROK.7877 virus <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=IROK.7877> - This is a DOS Exec virus that infects .EXE files. 
It spreads by infecting files, emailing itself and propagating over Internet Relay Chat. When triggered, it corrupts the data on the hard drive TrendMicro: W97M_TPPFORM Macro Virus <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=W97M_TPPFORM >- This direct file infector, macro virus is triggered when the current system date is 1 and the month is 9. Once triggered this virus displays a message box and deletes command.com. On other dates this virus has less destructive payloads LinuxCare: meantime: non-consensual http user tracking using caches <http://www.linuxcare.com.au/mbp/meantime/> - Some people would like to be anonymous as they use the web, and other people would like to prevent anonymous access for various reasons. Consider, for example, an internet marketing company that wants to chain together visits to various web sites by a user so as to build a fuller profile of their interests and usage patterns. Conversely, a web user might not wish to leak such information to a site because they are looking at controversial information, desire a good negotiating position, or see privacy as a moral right. CNet: RealNetworks says RealPlayer bug won't sting <http://news.cnet.com/news/0-1005-200-1639271.html?tag=st.ne.1002-0-1002-0-1 641021..1005-200-16392711005-200-1639271>- RealNetworks said it is testing a fix for a software glitch in its streaming media player but disputed claims that the bug poses a security risk Currents: Virus Blows a Hole in NATOs Security <http://www.currents.net/newstoday/00/04/04/news3.html> - The North Atlantic Treaty Organization has launched a full-scale investigation into how one of its top-secret documents ended up posted on the Internet CERT Incident Note IN-2000-03 911 Worm <http://www.cert.org/incident_notes/IN-2000-03.html> - The "chode" worm affects Windows 98 systems with unprotected shares. It does not function properly on Windows NT systems. 
We have not completed testing on Windows 95 systems or Windows 2000 systems. As of this writing, CERT/CC has not received any direct reports of systems infected with this worm, though we have received a small number of second-hand reports Cnet: DeBeers security hole reveals customer information <http://news.cnet.com/news/0-1007-200-1639327.html?tag=st.ne.ron.lthd.1007-2 00-1639327>- On the Web, diamonds can be a spammer's best friend. About 35,000 customer email and home addresses were exposed on adiamondisforever.com, an informational site about diamonds sponsored by De Beer's, CNET News.com has learned. Chad Yoshikawa, a Bay Area consultant, stumbled across the security hole today while searching for his home address through a search engine. The results turned up a little more than he bargained for. Cnet: First Amendment lawyers take on DVD cracking case <http://news.cnet.com/news/0-1005-200-1635490.html?tag=st.ne.1002.> - Free speech lawyers have appealed a preliminary injunction granted against 72 Web site operators accused of stealing trade secrets by circulating a program online that lets people crack the security on DVDs. ZDNet: Linux Firewall On A 486: A Guard-Penguin For Your DSL Or Cable Modem Connection <http://www.zdnet.com/zdhelp/stories/main/0,5594,2503199,00.html> - Everybody's talking about using Linux to turn an old 486 into a router/firewall for a home or small office network. This article offers step-by-step instructions for setting up such a device using Open Source software from the Linux Router Project (LRP). If you have an Internet connection with a single static IP address, a 486 box with a working floppy drive and at least 12MB of RAM, two NICs and a hub, you have everything you need to provide safe Internet connectivity for your whole network. Apr 4, 2000 InternetNews: No Hoax, But Did FBI Hype the 911 Worm? 
<http://www.internetnews.com> - An advisory from the FBI's National Infrastructure Protection Center issued April Fool's day set off hoax alarms across the Internet. But while anti-virus software vendors Monday confirmed that the 911 Worm is the real thing, some are puzzled by the FBI's advisory and are openly questioning the severity of the worm. ComputerNewsDaily: Silverman: Washington Takes Aim At Spammers <http://199.97.97.16/contWriter/cnd7/2000/04/02/cndin/4903-0004-pat_nytimes. html>- The United States is a diverse country, and we all have different opinions on political, social and ethical issues. But there's one thing nearly everyone who uses a personal computer can agree on: We all despise spam -- unsolicited commercial e-mail ZDNet: Overview: Do we need a national plan? <http://www.zdnet.com/special/stories/defense/0,10459,2475331,00.html> - Forty-four hours. That's how long it took for network security to go from being considered a geek subject to a national issue on a par with such monumental policy debates as healthcare and Social Security reform. ZDNet: FBI Most Wanted: A computer worm? <http://www.zdnet.com/zdnn/stories/news/0,4586,2504646,00.html?chkpt=zdhpnew s01> - The FBI's National Information Protection Center is searching for more information on a computer worm spreading in the Houston area. A largely unsuccessful computer worm has garnered national attention after an FBI agency posted a warning of the malicious code on its pages over the weekend. Slashdot: Your CPU Will Explode. <http://slashdot.org/article.pl?sid=00/04/03/1139205&mode=thread>- (On the lighter side of things). Crowdpleazr1 writes, In case any of you were still opening up email from people you don't know, the Weekly World News is reporting that you could now be killed by a malicious email virus that will alter the molecular structure of your CPU, making it explode!! 
Of course, as a person who understands these newfangled computer things, even I can not imagine what evils those hacker people can come up with. I think I'm going to go hide in my Y2K compound now.

PCWorld: Governments Relax Encryption Regulations
<http://www.pcworld.com/pcwtoday/article/0,1510,16028,00.html>
- Regulations that once stunted the distribution of strong encryption technology around the world are being rolled back at an encouraging pace, according to a new study by the Electronic Privacy Information Center, a public research center in Washington, D.C.

Microsoft Security Bulletin MS00-022
<http://www.microsoft.com/technet/security/bulletin/fq00-022.asp>
- Microsoft Security Bulletin MS00-022 announces the availability of a patch that eliminates a vulnerability in Microsoft® Excel. The vulnerability could allow a macro to run without warning the user. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it

Apr 3, 2000

Weekly Axent Security Roundup
<http://www.securityportal.com/direct.cgi?/topnews/weekly/axent20000403.html>
- News: Whispers of version 6.5. Mailing List Review: Passing Oracle JDBC through the Firewall, Blocking Real Audio, Win 98 on a DMZ. FireTower Tip from the Trench: Chris Poulin describes the pros and cons of downloading and installing the International Version of 6.5.

----------------------------------------------

**********************************************
Using RSVP as an aid in creating dynamic IP filters at the access layer in response to a basic downstream denial of service attack (non-spoofed source IP / failed three-way TCP negotiation). - LockDown
**********************************************

This is for beginners only, just some crazy ideas... sketched out after too many beers again.

(If you can do this after a few beers... I hate to see what you're like when you're stoned... U solved the meaning of life yet?
- Slider)

aka, Why firewalling should be in the hands of the end users, but filtering at the ISP's end. Security filtering in the user's hands? Dangerous... only to the spread of information.

Current system:

    Access Router -----(56k,ISDN,T1,OC192)----> Router -----(LAN)
                                                Customer Dungeon

One example of a simple 'script kiddie' denial of service attack. Okay, a script kiddie has got minimal control of 3 Linux servers on quite fast networks; he can write programs that open tcp/udp connections (!). So, he runs this on the target machines:

    Start
      open a port 80 on the target machine
      wait for 2 seconds
      kill processes
      Spawn Start (*)
    for ever.

This could saturate the entire link capacity between the access level and the customer premises.

    Access Router -----(TCP OPEN 80 Packets)--------- Customer Router
    (from 4 different IP addresses)

As the link is overloaded, no more new connections can be serviced, and if the pressure from the denial is great, it can impair performance and even cut current connections due to packet discard and latency as the access router becomes overloaded. Making a PPP access router drop packets is easy; the thing to remember is it might have enough horsepower to actually forward all the incoming ddos packets, but if you exceed access bandwidth (i.e. T1 speed) by say 4x, you're going to get exceptional packet loss due to bandwidth oversubscription... problem, huh?

What can I do to stop it?

Use a firewall at the access layer. If you like to keep everything under your control (of course you do), then you want to run your own firewall, not rely on some unseen force working away at the bottom of nuclear fallout shelters constantly battling with the forces of hacker evil to keep your network secure.
(In real terms, employ one guy to monitor the firewall: if the screen goes green, don't do anything; if the screen goes red, write it down, and then don't do anything. That's what they call instant security response!.. ;-) Anyway, don't know if that's true ;-), but it's also damn expensive to let someone else manage your IP security off site. Their firewall will have a very complex rule set, and it's doubtful you'll have access to what they are actually blocking from you; they could be blocking half of AOL by mistake... ;-) They will have 1000's of users running through it; it's hard enough keeping tabs on one firewall, not to mention reacting to a ddos situation with many.

Q. So, why can't we just create dynamic filters and block connections from the ddos IP address streams at the customer layer, using our £100000 firewall??

A. If only it was that simple (it is... ;-). Routers are thick, dead thick. They don't understand the connections they have running across them, they only understand packets. Imagine a phone system that forgot how many people were calling over it; it just knew it needed to get stuff from A to B. No more billing, that's for sure, you don't have that data!

Okay, so we create a filter for the traffic at the customer premises with a firewall. No good..

    Access Router -----(TCP OPEN 80 Packets)--------- Customer Router
    (from 4 different IP addresses)                         |
                                                            |
                                                     Filtering Firewall

As you can see, the bandwidth-killing illegal packets are still transmitted before being dropped by the firewall. We've still sent the evil packets onto the line; they did their evil master's bidding... eating bandwidth resources!!!

So, you call your ISP, and ask them to kindly filter incoming traffic from x,y,z interfaces... they respond 'filtering what?'.. you're in for a long night ;-).

We're assuming the packets are not spoofed; that's a whole different story, another txt...

There is no standard way of creating custom filters on the access level router (i.e.
out of administrative control). This potential problem makes ddos attacks harder to design for on firewalls, as the firewall has no control over what gets sent to it from the access layer router; the access router just shoves whatever it receives down the line, no matter what. So a normal firewall can't help fight such a bandwidth/resource attack. We need control of the access router's *incoming* filters. We don't have the access because it's their equipment, and you can't touch it... but to solve the problem that's going to have to change. So we need a protocol to negotiate what comes in and out without human intervention...

We are saved.. RSVP!!! Resource Reservation, interesting stuff ;-).

So, our network looks like:

    Access Router ---(TCP OPEN 80 FLOOD)------- Customer Router --- me!
       (RSVP)      (from 4 different IP addresses)    (RSVP)

Okay, with RSVP we will know how many 'connections' are open across the access router. We'll also know how much bandwidth each is using, what its peak burst rate is, what its latency is and a whole host of network related statistics. This is the data that is missing at the heart of the internet; now we can tell exactly what's going on at the access level!!

During an attack, the RSVP router at the customer's site knows the following info (somewhere deep within IOS). We start to analyse connection patterns: ratio of dropped TCP connections to ratio of good connections, packet rate, bursting rate etc etc. With this information, we can start to build up pictures of packet flow between the access router and customer router. This data is usually hard to gather, as it needs to be 'snooped' from the network using a third party device or custom router. RSVP can give us this as standard.

    Source Address   Destination   TCP Open Flow Attempts   TCP Unsuccessful   %
    Mr DDOS#1        my subnet     1111313                  12131133           80
    Mr DDOS#2        my subnet     30000                    15000              40
    Mr DDOS#3        my subnet     2123                     2120               30
    Mr DDOS#4        my subnet     1500                     1400               20
    DDOS Subnet      my subnet     1000000                  200000000
    Normal User      me!           12                       0                  0.4

Quite a high number of unsuccessful TCP connections. So, if we see a high number of unsuccessful connection attempts, and a high percentage of packets from this source is choking the link bandwidth, we filter this by informing the access level router via RSVP to degrade streams associated with the following addresses:

    Address
    Mr DDOS#1
    Mr DDOS#2
    Mr DDOS#3
    Mr DDOS#4
    DDOS Subnet
    Normal User

Filter the incoming port for a set length of time (or allocate all traffic from this IP as lowest priority, so it will get discarded and will not cause bandwidth starvation, but could still lead to host overload on weak O/S IP stacks). If we drop for as little as 1 second, we can reduce the amount of bandwidth being used by more than 50%. If we give this stream a lower priority, using some clever IP queuing techniques (see Cisco resources on RED, very cool), we can avoid filtering altogether; we just label potentially dangerous traffic at a low priority. With RSVP, we can actually just use its knowledge of TCP connection states to prevent bandwidth denial of service attacks. By controlling the access layer queues, via analysing RSVP TCP transport statistics and marking suspicious traffic at a lower priority than trusted traffic (which need not be disrupted), we can overcome simple resource ddos attacks.

DDOS attacks that involve the dreaded rotating source IP address attack can actually overload routers which have to keep track of layer 4 state information via their own tables: an RSVP ddos ( ;-).. If such a rotating attack occurs, where source IP addresses are randomly received, creating a source IP filter for this type of attack is not normally possible without the use of complex AI firewalls. Just give the router simple QoS commands, for example give priority to connections that fulfil certain criteria such as completion of the three-way TCP handshake, or staying within packets-received-per-second rates.
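As an added worked example (not LockDown's code, and not any router vendor's), here is the filtering decision from the table and the paragraph above coded up in Python: per-source counters of the kind an RSVP-aware access router could report (TCP open attempts, opens that never completed the three-way handshake, share of link bandwidth) are turned into the verdicts proposed above, i.e. drop for a short hold time, mark as lowest priority, or leave alone. The thresholds are assumptions (the text gives none), the addresses are RFC 5737 documentation ranges and the counters are constructed to resemble the table. It goes one step beyond the table by also summing the counters per /24, so the rotating-source case, where each individual host looks harmless, still shows up as one heavy 'DDOS Subnet' row:

```python
"""Added example, not from the article: RSVP-style per-source flow stats
-> access-router verdicts (drop / low-priority / allow)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass
class FlowStats:
    source: str      # source IP (or a prefix once aggregated)
    attempts: int    # TCP open attempts toward our subnet
    failed: int      # opens that never completed the three-way handshake
    bw_share: float  # percent of the access link this source is consuming


# Assumed thresholds: the article names none of these numbers.
MIN_ATTEMPTS = 100  # below this, failed opens are just background noise
FAIL_RATIO = 0.5    # at least half of the opens never complete
BW_DROP = 50.0      # eating at least half the link: drop for HOLD seconds
BW_LOWPRI = 10.0    # noticeable but not fatal: mark lowest priority instead
HOLD = 1            # seconds; the article says even 1 s of dropping helps


def classify(s: FlowStats) -> str:
    """The article's rule: many unsuccessful opens AND a big slice of the link."""
    if s.attempts < MIN_ATTEMPTS or s.failed / s.attempts < FAIL_RATIO:
        return "allow"
    if s.bw_share >= BW_DROP:
        return "drop"
    if s.bw_share >= BW_LOWPRI:
        return "low-priority"
    return "allow"


def prefix_of(ip: str, plen: int = 24) -> str:
    """Containing prefix of a host address, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return str(ip_network(f"{ip}/{plen}", strict=False))


def aggregate(flows: List[FlowStats], plen: int = 24) -> Dict[str, FlowStats]:
    """Sum the counters per prefix so an attacker rotating through addresses
    in one subnet shows up as a single heavy 'DDOS Subnet' row."""
    out: Dict[str, FlowStats] = {}
    for f in flows:
        net = prefix_of(f.source, plen)
        agg = out.setdefault(net, FlowStats(net, 0, 0, 0.0))
        agg.attempts += f.attempts
        agg.failed += f.failed
        agg.bw_share += f.bw_share
    return out


def build_policy(flows: List[FlowStats]) -> Dict[str, str]:
    """Verdict per host first, then per /24 for subnets that only look bad in
    aggregate. 'allow' entries are left out. Each verdict is what you would
    signal to the access router and hold for HOLD seconds."""
    policy: Dict[str, str] = {}
    flagged_nets = set()
    for f in flows:
        verdict = classify(f)
        if verdict != "allow":
            policy[f.source] = verdict
            flagged_nets.add(prefix_of(f.source))
    for net, agg in aggregate(flows).items():
        verdict = classify(agg)
        if verdict != "allow" and net not in flagged_nets:
            policy[net] = verdict
    return policy


# Constructed counters, loosely after the article's table (documentation IPs).
SAMPLE = [
    FlowStats("198.51.100.7", 1111313, 1100000, 80.0),  # Mr DDOS#1
    FlowStats("198.51.100.8", 30000, 15000, 40.0),      # Mr DDOS#2
    FlowStats("198.51.100.9", 2123, 2120, 30.0),        # Mr DDOS#3
    FlowStats("192.0.2.77", 12, 0, 0.4),                # normal user
] + [  # rotating sources: each one alone sits under every threshold
    FlowStats(f"203.0.113.{i}", 400, 390, 0.8) for i in range(100, 130)
]

if __name__ == "__main__":
    for src, verdict in build_policy(SAMPLE).items():
        print(f"{src:18} {verdict} for {HOLD}s")
```

Run stand-alone it prints one verdict per flagged host or prefix; the normal user never appears, the three heavy hosts get individual verdicts, and the thirty rotating sources in 203.0.113.0/24 only get caught because the aggregate step adds them up. The bandwidth-share condition matters: a high failure ratio alone (a flaky client, a misconfigured monitor) is not enough to be degraded, which is the article's point about not disrupting trusted traffic.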
DDOS defenses and QoS need to be pushed out to the access layer; this is the only point where such complex logic has time to be performed without penalties to packet latency and switching performance. Running this in the core could be dangerous for your network forwarding performance....

As for spoofed IP packets from other networks, that's hard to fix, but if the ISPs concrete-proof their access layers too, then spoofing becomes a lot harder to achieve without being detected.

Q. So, ISP B won't concrete their access layer, they told me to go fuck myself. They carry ISP C's traffic to me, but users on ISP B can forge packets coming from C. There are also a load of legit users on ISP B we don't want to lose!

    ISP                ISP                ISP
     A-----------------B------------------C
     |                 |                  |
     |                 |                  |
    me!             spoofer          Innocent User
               'I'm not ddosing      'I think I'm
                anybody, am I!'       innocent, user on ISP C'

A. Get a direct connection to ISP C (physical link or peer with them at a public/private peering point). Don't route to ISP C via B as an intermediate AS. You'll be able to spoof-protect at the peering point or on your own direct router to them.

Q. Doesn't that mean I have to run BGP-4 and get into all that BGP-4 mumbo jumbo....

A. Err, yes, but hey.. it's not rocket science; then again it's not a walk in the park either.

B must concrete their access layer. Each access layer on every ISP on the way must prevent packets being 'injected' that are spoofed (harmful). (Difficult task!) B must, but C. At the moment, preventing spoofing is difficult, as most backbone links carry many many different network packets; as backbones become mainly interconnected at selected peering points, anti-spoofing measures can be strengthened at these points only. The network core will be generally clean from filtering due to speed restrictions in switching routers.

    Access Layer   -- Needs spoofing protection/RSVP
    Network Core   -- Clean, for raw speed.
    Peering Points -- Needs spoofing protection/RSVP, can be problematic in hyperfast switching network cores.
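As an added example (mine, not LockDown's and not any vendor's), this is the 'concreting' of the access layer described above, reduced to the one check it boils down to: the access router knows which prefixes it handed to each customer port, so a packet arriving on a port with any other source address can only be forged, and it is dropped right there, before it ever reaches the core or a peering point. The port names, prefixes and packets are all constructed (RFC 5737 documentation ranges); the per-port drop counter is an assumption about what an ISP would want to see to find out which customer is injecting forged packets:

```python
"""Added example, not from the article: ingress anti-spoofing at an ISP's
access layer, the 'concreting' the text asks ISP B to do."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed: prefixes legitimately assigned behind each access port of ISP B.
ASSIGNED = {
    "access0": [ip_network("198.51.100.0/24")],  # the port the spoofer sits on
    "access1": [ip_network("203.0.113.0/25")],   # another ISP B customer
}


@dataclass
class Packet:
    iface: str  # access port the packet arrived on
    src: str    # claimed source address
    dst: str


def is_spoofed(pkt: Packet, assigned: Dict[str, list] = ASSIGNED) -> bool:
    """True when the claimed source is not one this port was assigned.
    Assumption: a port with no assignment is treated as spoofed (fail closed)."""
    nets = assigned.get(pkt.iface)
    if not nets:
        return True
    src = ip_address(pkt.src)
    return not any(src in n for n in nets)


def ingress_filter(pkts: List[Packet]) -> Tuple[List[Packet], Dict[str, int]]:
    """Forward only non-spoofed packets and count drops per port, so the ISP
    can see which customer connection is injecting forged packets."""
    forwarded: List[Packet] = []
    drops: Dict[str, int] = {}
    for p in pkts:
        if is_spoofed(p):
            drops[p.iface] = drops.get(p.iface, 0) + 1
        else:
            forwarded.append(p)
    return forwarded, drops


# Constructed traffic toward 'me!' (192.0.2.130): the spoofer on access0 forges
# ISP C's innocent user (192.0.2.9); genuine packets carry the port's own prefix.
SAMPLE = [
    Packet("access0", "192.0.2.9", "192.0.2.130"),      # forged: claims to be on ISP C
    Packet("access0", "198.51.100.5", "192.0.2.130"),   # genuine ISP B customer
    Packet("access1", "203.0.113.7", "192.0.2.130"),    # genuine ISP B customer
    Packet("access1", "203.0.113.200", "192.0.2.130"),  # outside the /25: forged
    Packet("access9", "203.0.113.1", "192.0.2.130"),    # unknown port: dropped
]

if __name__ == "__main__":
    fwd, dropped = ingress_filter(SAMPLE)
    print(len(fwd), "forwarded; drops per port:", dropped)
```

The check is cheap precisely because it runs where the router already knows the answer (one prefix per port); at a peering point or in the core the same router would see traffic from thousands of prefixes, which is why the text says the core stays clean and the protection belongs at the edges.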
Peering Points
--------------

Another protocol must be developed if RSVP is not adopted as 'the' internet QoS protocol. RSVP will need a universal bandwidth broker, rather like the universal BGP-4 of the routing world. This is the only way of achieving end-to-end packet QoS between ASs on the public internet. Using spoofing protection at peering points improves routing performance too; this is a strange side effect of filtering at peering points. Another txt, if I receive enough demand.

RSVP, if engineered correctly, can 'smooth' out access connections by controlling bandwidth usage of the link. We can avoid ddos bandwidth attacks on the access-to-customer link, but not however in the network core. Anti-DDOS in the network core is much harder to do if you have limited resources yourself. It's much easier to eat an E-1 (the speed of 30-ish 56k modems) than a backbone line of OC-192 (10 gig!). By building rich features on top of RSVP in routers, and enhancing firewall software to cooperate with RSVP on behalf of a protected subnet, in my opinion it's the only way to go on this subject.

The next level is RSVP actually integrated into the end O/S TCP/IP stack. This unifies the transport layer and the IP layer, and backs it up with guarantees which the O/S knows about. (Windows 2000 has RSVP integrated already! Not had resources to check it out, anyone played with this yet?)

Q. It seems like a lot of effort to upgrade the access layer and customer to RSVP just to prevent hackers.

A. Improved security, better connections, more reliable... who are you kidding????

Q. I've got a 56k modem, what use is RSVP QoS?

A. It's all about TDM.... First there was TDM, then came packet networks, which were cheap, but we still needed TDM, so we made packet think it was TDM, and before TDM could wake up... packet was TDM over packet ;-). So, TDM didn't die, but was transformed before your eyes and you didn't see it, did you ;-).

Q.
Okay, that's the theory, where can I get this solution now..?

A. As far as I know, you can't do this directly, but if I ever get the chance to build a network like this, I'll let you know. (Oh I forgot, I've gotta wear a suit to build a network like this..... oh well!)

(Tell me about it, I'm attending the London2600 meet next month in a 700 pound suit, cos I am doing a course and meeting a customer for lunch :[ - Slider)

Hope you enjoyed reading this insane document. There may be mistakes and concepts that you don't agree with; don't erase my hard disks from afar, mail me.. and discuss.. If you have any ideas, or you've got a 'new' RSVP router I could play with, drop me a line. Your feedback is important.!!, but not as much as donuts.

lock-down@hushmail.com

Oh, my computer has just Blue Screened of Death, core dumped, displayed a row of little bombs and then said *GuruMeDiTAti0n*.. how strange ;-)

< You get that problem too? wow. I'm not alone... - Slider >

(*) This will probably kill the attacking machine too, it's not too bright... but hey.. it's just an example.... I'm no coding expert... okay!!. ;-\.....

----------------------------------------------

**********************************************
Hax0ring Bouncers! - Slider
**********************************************

By far the most taxing event of the nite, specially as some of you are like under 18 and should be like home in bed sucking your mother's nipples or something. But huh! what do i know, I wasn't breast fed (although I'm making up for lost time with g/f's) and incest wasn't at the top of my list... Maybe caus my parents are like techno crazed acid house ravers that do that white glove thing and have like whistles and shit. Or maybe...
caus i never had parents and i lived under a bush for most of my childhood masturbating over 1989 copies of Page 3 and generally mugging old ladies and shit to make a living. Actually that probably ain't it, but sure as hell I have to stop eating these fucking little tablet things my g/f has caus it's making my hormones go yeeeeeeeeeyhaahhhhhh...

Now, as a member of the pub/club scene, I knew how much I wanted to get out, meet women and drink, and drink, and drink. But, because of my age (I was 17 then, but older now) I had problems getting in and drinking. So I developed tactics :]~

Now your average Human has this many brain cells .....
Your average Clubber/Pubber/Hax0r has this many ........................................
And your average Bouncer has this many

[ Results may be changed from original readings, i.e. the bouncer has been given a few more ]

Anyways, as you can see the bouncer has x no. of brain cells... Now, the whole point of the exercise is to gain user status, run a local r00t exploit. So anyways, here's the description from Bugtraq.

--------------------------------
bugtraq id:      20456
class:           Boundary Condition Error
cve:             GENERIC-MAP-NOMATCH
remote:          Yes
local:           Yes
published:       15/05/2000
vulnerable:      all versions
not vulnerable:
discussion:

Bouncerd is a daemon that runs mainly on port 3654. The daemon checks numerous variables, supplied by the user, to ascertain if access is allowed or denied. There are many unchecked buffers in the program, some of which can be exploited directly from any browser. Supplying an overly long value for the "age", "pissed" and "dresscode" variables, and possibly others, will overwrite their respective buffers. In this manner, arbitrary code can be executed on the remote target. With the arbitrary code it is possible to spoof the variables in the bouncerd daemon into believing you have full r00t access to the system and you will receive no problems trying to enter.
------------------------------------

So what you gotta do is know some small minor detail like your fake date of birth. Now dress up like everyone else, i.e. the new craze in dressing in your town or city, then get a nice coat. A good one would be one that's quite large, making you look bigger. Then practice what you are going to say: a deeper voice, a stiff "evening". Keep your head up, eyes looking at theirs, and generally make them feel awkward. If you are turned away then don't make a fuss, say "cheers anyway mate, goodnight" and try the next pub along the road. Or if no-one is around and he is small, give him a good shoeing :]

Slider.

* This article does not mean to inflict harm to any members of the earth, if you do, don't blame it the fuck on me, caus I would of used a steel bar and the body wouldn't of been found :} *

* Slider does not suggest taking women's medicine *

0wning The World Is A Slow Process, So Give Up And Let Us Gain R00t On You f00ls
#OblivionMag EFNet - Feer The Family
Copyright Oblivion.org.uk 2000
B0w Down And Feer The Revolution Of Oblivion
Sponsors : http://www.slidersecurity.co.uk
Music : The Old Prodigy