Shortly before covering security analyst Craig Ozancin's LinuxWorld Conference & Expo session on Linux security, I wandered into the Geek Bowl quiz competition in progress. Through an odd bit of synchronicity, the two events segued rather nicely: One of the many questions the panelists blew completely was "In the movie Tron, the lead character Flynn's voice was provided by what actor?"

I told Eric Raymond we'd have to send him back to the geek reeducation camps, for missing that one. But it helped put me in the proper frame of mind for a security panel -- once you correct the movie's minor flaw of depicting the wrong side as the heroes. In a nutshell, you (the system administrator) are in the villain's role in that computerist's classic, the Master Control Program. Your problem: How do you keep out Jeff Bridges (the outside attacker)?

Sniff, sniff

Ozancin's talk dwelled at length on the methods and tools an attacker (a term he advocates over hacker) uses to select you as his target and worm his way in.

The attacker may also use specialized network-vulnerability scanners (see Resources): Nessus, the older SATAN and SAINT packages, Firewalk (which probes and identifies a network's firewall ruleset), or proprietary scanners such as Internet Security Systems' Internet Scanner and Axxent Technologies' NetRecon -- as well as checking Websites on the target network for known-exploitable CGI scripts.

Or the attacker may skip the fancy network scanners and concentrate on stealing one of your passwords. In my experience, that is the bad guys' usual way in and absurdly easy on most systems. If one of your users uses Telnet or (nonanonymous) FTP, or POP3 to reach your system remotely, the user's login name and password can be snagged with trivial effort at any point between the two machines. Alternatively, the malefactor may use as low-tech a means as shoulder surfing (watching the login as it's being typed in), or a variety of social engineering techniques. People are often astonishingly willing to give their passwords over the telephone to a stranger with a plausible reason for asking. Or they email passwords and other confidential data across the open Internet, ripe for interception.¹ At the minimum, the attacker may telephone the firm to glean people's names and positions, or get that information from the company Webpages. He may then be able to predict valid usernames and try them with likely password combinations.

Then there are the truly embarrassing password techniques that amount to walking into an open, unguarded bank vault. There are still services that ship with default remote administrative passwords, as evidenced by Red Hat Software's recent Piranha gaffe, as well as sites reckless enough to use null passwords, the username as the

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine