From owner-freebsd-security Mon Jun 24 10:25:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA08350 for security-outgoing; Mon, 24 Jun 1996 10:25:17 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA08343; Mon, 24 Jun 1996 10:25:14 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id KAA28491; Mon, 24 Jun 1996 10:19:22 -0700
From: Terry Lambert
Message-Id: <199606241719.KAA28491@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: narvi@haldjas.folklore.ee (Narvi)
Date: Mon, 24 Jun 1996 10:19:22 -0700 (MST)
Cc: terry@lambert.org, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
In-Reply-To: from "Narvi" at Jun 24, 96 08:05:05 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Now are there some more things someone whose system was broken into
> could look for? Perhaps some passwords should be switched to S/Key -
> it should be possible to generate them on a remote machine and then
> install?

SUID/SGID programs.
Permission changes on devices.
Compiler changes.
Changes to ld.so.
Kernel modules that weren't there before.
RC file changes.

The list is endless, which is why you reinstall. You can trust every
binary from the distribution media.

When the 414's broke into a machine I was administering, it got
reinstalled, period. Using security logs (which you have to have in
place before the fact), we were able to trace back to the original MAC
address ... to a specific machine in a specific lab on a college campus,
with the cooperation of the terminal server there. The same loose
security that let him hack from there let us locate him.
Within 8 hours, the system was fully firewalled and back on line (with
all attempt logging active).

The most stupid thing I have ever seen someone do was asserting "we're
smarter than them; we're going to let them come in, and we'll catch them
red-handed". Then they decided to establish a secure zone and expand it,
instead of cutting off the net access and establishing a switchable
zone. This rendered the computers of a large number of engineers useless
for a relatively long period of time... the net effect was about $1.2M
in costs for idle engineering time plus facility costs.

If you have a problem system, dike it out of your network. If you have a
problem terminal server, take it off line and fix it. If you have a
problem office, deny it access to the corporate net until the problem is
resolved.

A couple of plane tickets and some hotel bills to get your experts on
site is a hell of a lot less expensive and more effective than trying to
run an uncooperative hacker by wire in an ill-thought attempt to
demonstrate your own brilliance.

Further discussion should probably go to "chat" or "security".

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
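An added example, not from the thread or from any of its authors: the first item in the list above (SUID/SGID programs) turned into a baseline-and-compare check in POSIX sh. The function names (`snapshot_suid`, `compare_suid`, `demo`) and the temporary tree the demo builds are assumptions made for illustration; the same snapshot/diff pattern applies to device-node permissions, rc files and shared libraries, and it only has value when the baseline was taken before the fact and stored where the host cannot rewrite it.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread. A minimal
# baseline-and-compare inventory for setuid/setgid files. Function names
# and the demo tree below are assumptions for illustration.

# snapshot_suid TREE
# Print one sorted line per setuid/setgid regular file under TREE:
# mode, numeric uid, numeric gid, path. Numeric ids are used so that a
# tampered passwd file mapping names differently cannot mask a change.
snapshot_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} \; \
        | awk '{ print $1, $3, $4, $NF }' | sort
}

# compare_suid BASELINE TREE
# Diff a previously saved snapshot against a fresh one. Exit status is
# diff's: 0 when nothing changed, 1 when files were added, removed, or
# had their mode or ownership altered. The baseline must live somewhere
# the compromised host cannot rewrite (read-only media, another host),
# otherwise a clean diff proves nothing.
compare_suid() {
    snapshot_suid "$2" | diff "$1" -
}

# demo
# Builds a constructed tree in a temporary directory, records a baseline,
# then plants an unexpected setuid file and checks that the comparison
# reports it. Returns 0 when both checks behave as expected.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin"
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/passwd"   # constructed stand-in
    chmod 4755 "$root/bin/passwd"

    snapshot_suid "$root" > "$root/baseline.txt"

    # 1. An unchanged tree matches its own baseline.
    compare_suid "$root/baseline.txt" "$root" > /dev/null || { rm -rf "$root"; return 2; }

    # 2. A new setuid file (constructed) must show up as a difference.
    cp "$root/bin/passwd" "$root/bin/unexpected"
    chmod 4755 "$root/bin/unexpected"
    if compare_suid "$root/baseline.txt" "$root" > /dev/null; then
        rm -rf "$root"; return 3
    fi

    rm -rf "$root"
    return 0
}

# Usage: run the self-check when the script is executed directly.
demo && echo "baseline check behaves as expected"
```

In practice the baseline is taken from a fresh install and the comparison run from trusted tools (a boot from distribution media, or `find`, `ls`, `awk` and `diff` copied from it), since the compiler, `ld.so` and kernel on the list above are exactly the things that could make an on-host comparison lie; that is the reason the post ends at "reinstall" rather than at "diff".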