University Times

In response to the number of communications it has received since The New York Times article and the advisory by the Computer Emergency Response Team (CERT) appeared, Computing and Information Services (CIS) has issued the following advisory on "Internet protocol spoofing" and "hijacking." The original CERT advisory can be obtained through anonymous ftp: ftp://ftp.pitt.edu/info/security/cert-advisories/CA-95:01. The CERT advisory also can be viewed on the CIS UNIX Service or any computer using the AFS distributed file system in the file by using: /afs/pitt.edu/public/info/security/cert-advisories/CA-95:01 The following information was provided by CIS: Terminal Hijacking The CERT advisory details problems that could occur when a computer is compromised at the root level.

One of those problems is that the person who has compromised the computer can "take over" or "hijack" an active work session.

For example, if Jane is logged onto computer "A" and is connected via Telnet to another computer, and someone has compromised [illegally entered] the root account on machine "A," that person could "hijack" Jane's Telnet connection and would be able to issue commands on the computer Jane is connected to as if she had typed them in herself.

However, terminal hijacking is only one of the many problems that can occur when a computer's root account is compromised.

Some of these problems are discussed in other CERT or CIS advisories that can be obtained by following the directions below.

The best way to prevent hijacking and other types of vulnerabilities is to keep root accounts from being compromised in the first place, according to the CIS advisory.

Besides keeping passwords confidential, users should be sure that they have installed on their computer the most recent security patches, software updates that help guard against attacks, from their operating system vendor, and have taken steps to ensure that their computer is properly configured, meaning the latest patches are installed and the proper parameters set for the software being used. Operating system vendors can provide information on security patches for a system. To ensure a computer is properly configured users should do the following: * Consult the documentation for their operating system software for information on proper and secure configurations.

* Check previous CIS and CERT advisories. Such advisories are available via anonymous ftp as: CIS advisories: URL: ftp://ftp.pitt.edu/info/security/pitt-advisories AFS: /afs/pitt.edu/public/info/security/pitt-advisories CIS advisories also are available on World Wide Web at: http://www.pitt.edu/HOME/Security/Security-Home.html CERT advisories: URL: ftp://ftp.pitt.edu/info/security/cert-advisories AFS: /afs/pitt.edu/public/info/security/cert-advisories * Review technical papers on security issues. Some security related papers are available via anonymous ftp to ftp.pitt.edu. They include: Generic security information by CERT: URL: ftp://ftp.pitt.edu/info/security/papers/cert_security_info.text AFS: /afs/pitt.edu/public/info/security/papers/cert_security_info.text "Coping with the Threat of Computer Security Incidents – A Primer from Prevention Through Recovery" by Russell L. Brand is available on: URL: ftp://ftp.pitt.edu/info/security/papers/primer.ps AFS: /afs/pitt.edu/public/info/security/papers/primer.ps "Improving the Security of Your UNIX System" by David A. Curry is available on: URL: ftp://ftp.pitt.edu/info/security/papers/improve-unix-security.ps AFS: /afs/pitt.edu/public/info/security/papers/improve-unix-security.ps A more extensive collection of papers is located at the Computer Operations, Audit and Security Technology (COAST) project archives. They can be accessed via anonymous ftp to: ftp://coast.cs.purdue.edu/pub/doc * There also are a few books that address security issues relating to computers connected to the Internet. They include: "Practical UNIX Security" by Simpson Garfinkel and Gene Spafford and "Firewalls and Internet Security: Repelling the Wily Hacker" by William Cheswick and Steven Bellovin.

Internet Protocol Spoofing Internet protocol (IP) is a standard networking protocol used to exchange information between computers connected to the Internet.

"IP spoofing" is a type of attack that exploits applications that use authentication based on IP addresses. These applications include SunRPC, NFS, BSD, UNIX, "r" commands (such as rsh and rlogin), and anything wrapped by the tcp daemon wrappers, X windows, or any other application that uses IP addresses for authentication.

Since these attacks exploit authentication based on IP addresses, users can reduce the likelihood of exposure by restricting or eliminating the use of such services.

For example, according to the CIS advisory, the following steps can be taken: * Never use a .rhost file for root and never use a /etc/hosts.eqiv file.

* Eliminate the use of .rhosts files for users.

* Do not export Read/Write NFS filesystems.

* Do not use TCP wrappers to permit applications to run because the connections can come from certain computers.

* Do not use X windows xhost command to permit other computers access to your X server. Instead, use some other mechanism for X windows security.

Although CIS is not currently aware of any attacks on computers on the University network using the IP spoofing method, it has taken steps to greatly reduce the vulnerability of the University network to IP spoofing attacks.

Computer users who believe their machine has been compromised by terminal hijacking or IP spoofing should contact the CIS helpline at 624-8888 or cis-helpline+@pitt.edu.

CIS regularly issues computer security advisories to the campus community. Anyone wishing to subscribe to the advisory mailing list may do so by sending mail to security-advisory-request+@pitt.edu.

Advisories also are available in the USENET newsgroup pitt.announce.security.

Previous University advisories are available for anonymous ftp at ftp://ftp.pitt.edu/info/security/pitt-advisories or through the World Wide Web at: http://www.pitt.edu/HOME/Security/Security-Home.html

–Mike Sajna