Date:      Mon, 26 Jul 1999 23:32:18 -0400
From:      Ed Vander Bush <ed@42interactive.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: About the security issue in NY Times
Message-ID:  <379D2842.D5931705@42interactive.com>
References:  <Pine.BSF.4.10.9907262243050.2354-100000@dgriffin.org>

Since you need an account to view the page and I already have one... Here
is the article

Security Flaw Is Discovered in Several Unix Programs

By SARA ROBINSON

SAN FRANCISCO -- A leading computer security group is reporting a significant rise in potentially dangerous attacks that exploit security holes in programs shipped with the Unix operating system.

Unix is the most common operating system for servers, the powerful computers that control the flow of data over large networks, including the Internet.

"We've seen a good number of reports related to thousands of different machines on scores of different sites," said Shawn Hernan, a member of the Computer Emergency Response Team, or CERT, at Carnegie Mellon University in Pittsburgh. "This is not like the Melissa virus, but it's a fairly significant event in Internet security." The Melissa program infected about 19 percent of the nation's large corporations in March.

The full extent of the damage might not yet be evident -- and may not be for some time -- because the attacks, when successful, give those cracking into a network what is known as "root access," basically complete control over the server. This enables the crackers, as such intruders are known, not only to wreak immediate havoc with networks but to plant small, hard-to-trace programs that can be set off at a later date.

Hernan said a wide range of organizations, from small companies to universities and large corporations, reported being attacked last week. But, citing CERT policy, he declined to name specific companies or organizations.

Bob Todd, a network engineer for an Internet security company, said a client he would describe only as a "large state or federal agency" had been attacked multiple times both from within the United States and abroad. He said he had heard that at least half a dozen other government agencies had also been hit.

While the attacks did some mischief, like altering Web pages, Todd said he had not seen any serious damage so far.

Todd's company, Advanced Research Corp. in Vienna, Va., was apparently the first to report the attacks in a posting on Bugtraq, an Internet security mailing list. Later, explicit instructions for exploiting the newest of the security holes were also posted to Bugtraq; Todd said his company was not responsible for that posting.

Internet Entertainment Group in Seattle may also have been hit, according to messages posted on security discussion groups on the Internet.

The attacks primarily exploit software that manages an appointment calendar program that is shipped with Unix operating systems from makers of powerful servers, including Sun Microsystems Inc. and Hewlett-Packard Co. Sun has already released a patch for the problem, and Hewlett-Packard plans to do so soon, according to CERT.

In addition to the calendar program, the crackers are also exploiting two previously identified Unix bugs. They appear to be using an automated software script that tries to exploit each security hole in turn, Hernan said. He said he based that conclusion on having found similar entries in the log files that servers keep of each transaction on a network and on seeing identical pernicious files on the attacked computers.

Though patches for the previously identified bugs have been available for some time, many system administrators have not yet applied them.

"System administrators don't apply patches as quickly as we'd like," Hernan said. "They have their own priorities, and sometimes they'll go months without fixing" the problems.

Patching the security holes after an attack cannot repair any damage already done. Of special concern with these attacks is that it is very difficult to determine what has been done since these bugs give the intruder complete control over the affected machine, Hernan said.

Beyond immediate damage, the crackers can install so-called Trojan horse programs that obscure their activity and can set off malignant processes at a later date. The safest response to such an attack is to erase the hard drive, reinstall the operating system and software and then restore the data from backups that predate the attack -- a very time-consuming process.

The calendar bug involves what is known as a "buffer overflow" vulnerability, one of the most common types of software security holes. The attacker pretends to make an entry in the calendar, but the "entry" is really a carefully designed chunk of information that is too large to fit the storage space the program allots for the entry. The overflow spilling out into the computer's main memory consists of software code that can do any number of things but usually grants the cracker root access.

A university system administrator who asked not to be identified said his network had been attacked, but he said there had been little damage since this particular cracker's clumsy execution caught the attention of system personnel. He said he suspected that the intruder might have been using an attack recipe obtained from someone else.

"There's a large cracker community out there, and they talk to each other," he said. "These people waste an enormous amount of resources."

Stede Bonnet wrote:

> In today's Business section, an article by Sara Robinson discusses a
> security problem apparent on UNIX OS's.
>
> How is that related to FreeBSD?  Do I have anything to worry about, and
> what should I do if I need to do something?
>
> Thanks
>
> Stede
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
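The article's description of the calendar bug (an "entry" larger than the storage the program allots for it) is the classic fixed-buffer overflow. The following is an added illustration, not code from the article or from any real calendar daemon: a hypothetical fixed-size entry record, the unchecked copy pattern that produces the overflow, and a bounded version that measures the input first and refuses anything that does not fit. All names (calendar_entry, entry_store_unchecked, entry_store_checked, ENTRY_MAX) are assumptions made for the example.

```c
/* Added example, not from the article or any real calendar program.
 * Names are hypothetical. Compile: cc -Wall -o entry entry.c */
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 64          /* storage the program allots for one entry */

struct calendar_entry {
    char text[ENTRY_MAX];     /* the "entry" buffer */
    int  priority;            /* sits right after the buffer in memory */
};

/* Vulnerable shape: copies until the NUL with no regard for ENTRY_MAX.
 * Input longer than ENTRY_MAX-1 bytes writes past 'text' into whatever
 * follows it (here 'priority'; on a real stack frame, the return
 * address). Kept only for contrast; never exercised with oversized input. */
void entry_store_unchecked(struct calendar_entry *e, const char *input)
{
    strcpy(e->text, input);
}

/* Hardened version: find the NUL within bounds first, reject input that
 * has none (i.e. is too long), and always leave room for the terminator.
 * Returns 0 on success, -1 on rejection; the record is untouched when
 * the entry is rejected, so nothing after 'text' can be overwritten. */
int entry_store_checked(struct calendar_entry *e, const char *input)
{
    const char *nul = memchr(input, '\0', ENTRY_MAX);
    if (nul == NULL)          /* no terminator in the first ENTRY_MAX bytes */
        return -1;
    size_t len = (size_t)(nul - input);   /* guaranteed < ENTRY_MAX */
    memcpy(e->text, input, len);
    e->text[len] = '\0';
    return 0;
}

int main(void)
{
    struct calendar_entry e = { "", 3 };
    char oversized[ENTRY_MAX * 2];        /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("normal entry: %d\n", entry_store_checked(&e, "Lunch 12:30"));
    printf("oversized entry: %d (priority still %d)\n",
           entry_store_checked(&e, oversized), e.priority);
    return 0;
}
```

The check rejects the oversized input and leaves the adjacent field intact, which is exactly the property the unchecked copy lacks.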

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?379D2842.D5931705>