Practical UNIX & Internet Security, part 7


24.2.3 Monitoring the Intruder

You may wish to monitor the intruder's actions to figure out what he is doing. This will give you an idea whether he is modifying your accounting database or simply rummaging around through your users' email.

There are a variety of means that you can use for monitoring the intruder's actions. The simplest way is to use programs such as ps or lastcomm to see which processes the intruder is using.

Depending on your operating system, you may be able to monitor the intruder's keystrokes using programs such as ttywatch or snoop. These commands can give you a detailed, packet-by-packet account of information sent over a network. They can also give you a detailed view of what an intruder is doing. For example:

# snoop
asy8.vineyard.net -> next SMTP C port=1974
asy8.vineyard.net -> next SMTP C port=1974 MAIL FROM:<dfddf@vin
next -> asy8.vineyard.net SMTP R port=1974 250 <dfddf@vineyard.
asy8.vineyard.net -> next SMTP C port=1974
asy8.vineyard.net -> next SMTP C port=1974 RCPT TO:<vdsalaw@ix.
next -> asy8.vineyard.net SMTP R port=1974 250 <vdsalaw@ix.netc
asy8.vineyard.net -> next SMTP C port=1974
asy8.vineyard.net -> next SMTP C port=1974 DATA\r\n
next -> asy8.vineyard.net SMTP R port=1974 354 Enter mail, end

In this case, an email message was intercepted as it was sent from asy8.vineyard.net to the computer next. As the above example shows, these utilities will give you a detailed view of what people on your system are doing, and they have a great potential for abuse.

You should be careful with the tools that you install on your system, as these tools can be used against you, to monitor your monitoring. Also, consider using tools such as snoop on another machine (not the one that has been compromised). Doing so lessens the chance of being discovered by the intruder.

24.2.4 Tracing a Connection

The ps, w, and who commands all report the terminals to which each user (or each process) is attached. Terminal names like /dev/tty01 may be abbreviated to tty01 or even to 01. Generally, names like tty01, ttya, or tty4a represent physical serial lines, while names that contain the letters p, q, or r (such as ttyp1) refer to network connections (virtual ttys, also called

orpheus console Jul 16 16:01
root tty01 Jul 15 20:32
jason ttyp1 Jul 16 18:43 (robot.ocp.com)
devon ttyp2 Jul 16 04:33 (next.cambridge.m)
%

In this example, the user orpheus is logged in at the console, user root is logged on at tty01 (a terminal connected by a serial line), and jason and devon are both logged in over the network: jason from robot.ocp.com, and devon from next.cambridge.ma.us.

Some versions of the who command display only the first 16 letters of the hostname of the computer that originated the connection. (The machine name is stored in a 16-byte field in /etc/utmp; some versions of UNIX store more letters.) To see the complete hostname, you may need to use the netstat command (described in Chapter 16, TCP/IP Networks). You will also have to use netstat if the intruder has deleted or modified the /etc/utmp file to hide his presence. Unfortunately, netstat does not reveal which network connection is associated with which user. (Of course, if you have the first 16 characters of the hostname, you should be able to figure out which is which, even if /etc/utmp has been deleted. You can still use netstat and look for connections from unfamiliar machines.) Luckily, most modern versions of UNIX, including SVR4, report the entire machine name.
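The who/netstat correlation this paragraph describes, as an added example that is not from the book: it pairs each login connection in netstat output with the who session whose host field matches on the first 16 characters, and reports connections that have no session behind them. The who and netstat samples, the hostname badguy.example.net, and the 16-character field width are constructed or assumed for this example.

```python
"""Correlate who(1) sessions with netstat(1) connections (added example;
not code from the book).  netstat shows every connection but not its
user; who shows the user but may truncate the remote hostname to the
16-byte utmp field and can be defeated by editing /etc/utmp.  Matching
the two by hostname prefix finds login connections with no utmp session.
Both outputs below are constructed samples in the layouts the chapter shows."""
import re

WHO_OUTPUT = """\
orpheus  console  Jul 16 16:01
root     tty01    Jul 15 20:32
jason    ttyp1    Jul 16 18:43  (robot.ocp.com)
devon    ttyp2    Jul 16 04:33  (next.cambridge.m)
"""

# Foreign addresses are "host.port" as old BSD netstat printed them;
# badguy.example.net is a constructed name for the unmatched session.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q  Local Address  Foreign Address            (state)
tcp        0      0  next.telnet    robot.ocp.com.1023         ESTABLISHED
tcp        0      0  next.login     next.cambridge.ma.us.1021  ESTABLISHED
tcp        0      0  next.login     badguy.example.net.1019    ESTABLISHED
tcp        0      0  next.smtp      asy8.vineyard.net.1974     ESTABLISHED
"""

UTMP_HOST_WIDTH = 16                          # ut_host field size assumed here
LOGIN_PORTS = {"telnet", "login", "shell"}    # services that create a utmp session

WHO_LINE = re.compile(
    r"(?P<user>\S+)\s+(?P<tty>\S+)\s+\w{3}\s+\d+\s+\d\d:\d\d"
    r"(?:\s+\((?P<host>.*?)\))?\s*$")


def parse_who(text):
    """Return [(user, tty, host or None)]; host is None for local logins."""
    out = []
    for line in text.splitlines():
        m = WHO_LINE.match(line)
        if m:
            out.append((m["user"], m["tty"], m["host"]))
    return out


def is_network_tty(tty):
    """ttyp*, ttyq*, ttyr* are pseudo-ttys; console, tty01, tty4a are real lines."""
    return re.fullmatch(r"tty[pqr]\w+", tty) is not None


def parse_netstat(text):
    """Return [(local_service, foreign_host)] for ESTABLISHED TCP connections."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[-1] != "ESTABLISHED":
            continue                                  # header or non-TCP line
        service = f[3].rsplit(".", 1)[1]              # "next.login" -> "login"
        foreign_host = f[4].rsplit(".", 1)[0]         # strip the remote port
        out.append((service, foreign_host))
    return out


def correlate(who_text, netstat_text, host_width=UTMP_HOST_WIDTH):
    """Pair each login connection with the who session whose (possibly
    truncated) host field matches it.  Connections with no session are the
    ones to look at first: a deleted or edited utmp entry looks like this."""
    sessions = [s for s in parse_who(who_text) if is_network_tty(s[1])]
    matched, unaccounted = [], []
    for service, fhost in parse_netstat(netstat_text):
        if service not in LOGIN_PORTS:
            continue                                  # mail etc.: no login expected
        hits = [(u, t) for u, t, h in sessions
                if h and fhost[:host_width] == h[:host_width]]
        if hits:
            matched.extend((u, t, fhost) for u, t in hits)
        else:
            unaccounted.append((service, fhost))
    # Pseudo-tty sessions with no live connection are also worth a look.
    seen = {(u, t) for u, t, _ in matched}
    stale = [(u, t, h) for u, t, h in sessions if (u, t) not in seen]
    return {"matched": matched, "unaccounted": unaccounted, "stale": stale}


if __name__ == "__main__":
    for key, rows in correlate(WHO_OUTPUT, NETSTAT_OUTPUT).items():
        print(key, rows)
```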

Let's say that in this example we suspect Jason is an intruder, because we know that the real Jason is at a yoga retreat in Tibet (with no terminals around). Using who and netstat, we determine that the intruder who has appropriated Jason's account is logged in remotely from the computer robot.ocp.com. We can now use the finger command to see which users are logged onto that remote computer:

% finger @robot.ocp.com
[robot.ocp.com]
Login Name TTY Idle When
olivia Dr Olivia Layson co 12d Sun 11:59
wonder Wonder Hacker p1 Sun 14:33
%

Of course, this method doesn't pin the attacker down, because the intruder may be using the remote machine only as a relay point.

Indeed, in the above example, Wonder Hacker is logged into ttyp1, which is another virtual terminal. He's probably coming from another machine, and simply using robot.ocp.com as a relay point. You would probably not see a username like Wonder Hacker.

More likely, you would only see an assorted list of apparently legitimate users and have to guess who the attacker is. Even if you did see a listing such as that, you can't assume anything about who is involved. For instance, Dr. Layson could be conducting industrial espionage on your system, using a virtual terminal (e.g., xterm) that is not listed as a logged-in session!

If you have an account on the remote computer, log into it and find out who is running the rlogin or telnet command that is coming into your computer. In any event, consider contacting the system administrator of that remote computer and alert him or her to the problem.

24.2.4.1 Other tip-offs

There are many other tip-offs that an intruder might be logged onto your system. For example, you may discover that shells are running on terminals that no one seems to be logged into at the moment. You may discover open network connections to machines you do not recognize. Running processes may be reported by some programs but not others.

Be suspicious and nosy.

24.2.4.2 How to contact the system administrator of a computer you don't know

Often, you can't figure out the name and telephone number of the system administrator of a remote machine, because UNIX provides no formal mechanism for identifying such people.

One good way is to contact the appropriate incident response team for the designated security person at the organization. Another way to find out the telephone number and email address of the remote administrator is to use the whois command to search the Network Information Center (NIC) registration database. If your system does not have a whois command, you can simply telnet to the NIC site. Below is an example of how to find the name and phone number of a particular site administrator.

The NIC maintains a database of the names, addresses, and phone numbers of significant network users, as well as the contact people for various hosts and domains. If you can connect to the host whois.internic.net via telnet, you may be able to get the information you need. Try the following:

Connect to the host whois.internic.net via telnet.


* For wais, type: WAIS <search string> <return>
* For the *original* whois type: WHOIS [search string] <return>
* For referral whois type: RWHOIS [search string] <return>
*
* For user assistance call (703) 742-4777
# Questions/Updates on the whois database to HOSTMASTER@internic.net
* Please report system problems to ACTION@internic.net
***********************************************************************
Please be advised that use constitutes consent to monitoring
(Elec Comm Priv Act, 18 USC 2701-2711)

Cmdinter Ver 1.3 Tue Oct 17 21:51:53 1995 EST
[xterm] InterNIC > whois
Connecting to the rs Database
Connected to the rs Database
Whois: whitehouse.gov
Executive Office of the President USA (WHITEHOUSE-HST) WHITEHOUSE.GOV
198.137.240.100 Whitehouse Public Access (WHITEHOUSE-DOM) WHITEHOUSE.GOV
Whois: whitehouse-dom
Whitehouse Public Access (WHITEHOUSE-DOM)
Executive Office of the President USA

Technical Contact, Zone Contact:
Ranum, Marcus J (MJR) mjr@BSDI.COM
(410) 889-6449

Record last updated on 17-Oct-94.
Record created on 17-Oct-94.

Domain servers in listed order:
GATEKEEPER.EOP.GOV 198.137.241.3
ICM1.ICP.NET 192.94.207.66

Whois: quit
[xterm] InterNIC > quit
Tue Oct 17 21:55:30 1995 EST
Connection closed by foreign host.
%

In addition to looking for information about the host, you can look for information about the network domain. You may find that technical contacts are more helpful than administrative contacts. If that approach fails, you can attempt to discover the site's network service provider (discovered by sending packets to the site using traceroute) and call them to see if they have contact information. Even if the site's network service provider will tell you nothing, he or she will often forward messages to the relevant people. In an emergency, you can call the organization's main number and ask the security guard to contact the computer center's support staff.

If you are attempting to find out information about a U.S. military site (the hostname ends in .mil), you need to try the whois command at nic.ddn.mil instead of the one at the InterNIC.

Another thing to try is to finger the root account of the remote machine. Occasionally this will produce the desired result:

% finger root@robot.ocp.com
[robot.ocp.com]
Login name: root in real life: Joel Wentworth
Directory: / Shell: /bin/csh
Last login Sat April 14, 1990 on /dev/tty
Login name: root in real life: Operator
Directory: / Shell: /bin/csh
Last login Mon Dec 3, 1990 on /dev/console
221 robot.ocp.com closing connection
Connection closed by foreign host.

You can then use the finger command to learn this person's telephone number.

Unfortunately, many system administrators have disabled their finger command, and the sendmail daemon may not honor your requests to verify or expand the alias. However, you may still be able to identify the contact person.

If all else fails, you can send mail to the "postmaster" of the indicated machine and hope it gets read soon. Do not mention a break-in in the message - mail is sometimes monitored by intruders. Instead, give your name and phone number, indicate that the matter is important, and ask the postmaster to call you. (Offering to accept collect calls is a nice gesture and may improve the response rate.) Of course, after you've been phoned, find out the phone number of the organization you're dealing with and try phoning back - just to be sure that it's the administrator who phoned (and not the intruder who read your email and deleted it before it got to the administrator). You can also contact the folks at one of the FIRST teams, such as the CERT-CC. They have some additional resources, and they may be able to provide you with contact information.

24.2.5 Getting Rid of the Intruder

Killing your computer's power - turning it off - is the very quickest way to get an intruder off your computer and prevent him from doing anything else, including possibly further damage. Unfortunately, this is a drastic action. Not only does it stop the intruder, but it also interrupts the work of all of your legitimate users. It may also delete evidence you might need in court some day, delete necessary evidence of the break-in, such as running processes (e.g., mailrace), and cause the system to be damaged when you reboot because of Trojaned startup scripts. In addition, the UNIX filesystem does not deal with sudden power loss very gracefully: pulling the plug might do significantly more damage than the intruder might ever do.

In some cases, you can get rid of an intruder by politely asking him or her to leave. Inform the person that breaking into your computer is both antisocial and illegal. Some computer trespassers have the motivation of a child sneaking across private property; they often do not stop to think about the full impact of their actions. However, don't bet on your intruder being so simplistic, even if he acts that way. (And keep in mind our warning earlier in this chapter.)

If the person refuses to leave, you can forcibly kill his or her processes with the kill command. Use the ps command to get a list of all of the user's process numbers, change the password of the penetrated account, and finally kill all of the attacker's processes with a single kill command. For example:

Changing password for nasty
New password: rogue32
Retype new password: rogue32
# kill -9 147 321 339

You are well-advised to change the password on the account before you kill the processes - especially if the intruder is logged in as root. If the intruder is a faster typist than you are, you might find yourself forced off before you know it! Also bear in mind that most intruders will install a back door into the system. Thus, even if you change the password, that may not be sufficient to keep them off: you may need to take the system to single-user mode and check the system out first.

As a last resort, you can physically break the connection. If the intruder has dialed in over a telephone line, you can turn off the modem - or unplug it from the back of the computer. If the intruder is connected through the network, you can unplug the network connector - although this will also interrupt service for all legitimate users. Once the intruder is off your machine, try to determine the extent of the damage done (if any), and seal the holes that let the intruder get in. You also should check for any new holes that the intruder may have created. This is an important reason for creating and maintaining the checklists described in Chapter 9, Integrity Management.

24.2.6 Anatomy of a Break-in

The following story is true The names and a few details have been changed to protect people's jobs.

Late one night in November 1995, a part-time computer consultant at a Seattle-based firm logged into one of the computers that he occasionally used. The system seemed sluggish, so he ran the top command to get an idea of what was slowing down the system. The consultant noticed that a program called vs was consuming a large amount of system resources. The program was running as superuser.

Something didn't look right. To get more information, the programmer ran the ps command. That's when things got stranger still: the mysterious program didn't appear when ps was run. So the occasional system manager used the top command again, and, sure enough, the vs program was still running.

The programmer suspected a break-in. He started looking around the filesystem using the Emacs dired command and found the vs program in a directory called /var/.e. That certainly didn't look right. So the programmer went to his shell window, did a chdir() to the /var directory, and then did an ls -a. But the ls program didn't show the directory /var/.e. Nevertheless, the program was definitely there: it was still visible from the Emacs dired command.

The programmer was now pretty sure that somebody had broken into the computer. And the attack seemed sophisticated, because system commands appeared to have been altered to hide evidence of the break-in. Not wanting to let the break-in proceed further, the operator wanted to shut down the computer. But he was afraid that the attacker might have booby-trapped the /etc/halt command to destroy traces of the break-in. So before the programmer shut down the system, he used the tar command to make a copy of the directory /var/.e, as well as the directories /bin and /etc. As soon as the tar file was made, he copied it to another computer and halted the system.

The following morning, the programmer made the following observations from the tar file:

Somebody had broken into the system.

The program /bin/login had been modified so that anybody on the Internet could log into the root account by trying a special password.

The /var/.e/vs program that had been left running was a password sniffing program. It listened on the company's local area network for users typing their passwords; these passwords were then sent to another computer elsewhere on the Internet.

The programs /bin/ls and /bin/ps had been modified so that they would not display the directory /var/.e.

The inode creation dates and the modification times on the files /bin/ls, /bin/ps and /bin/login had been reset to their original dates before the modifications took place. The checksums for the modified commands (as computed with the sum command) matched those of the original, unmodified versions. But a comparison of the programs with a backup made the previous month revealed that the programs had been changed.
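An added illustration, not from the book, of why the matching sum output proved nothing: the 16-bit BSD checksum is reproduced in Python, an altered file is padded until its checksum equals the original's, and the same pair is then checked with SHA-256 and a byte-for-byte comparison against the backup, which is what finally caught the change in the story. The sample "binaries" are constructed byte strings, not real programs.

```python
"""Why a matching sum(1) checksum proves nothing about a binary's integrity
(added example; not code from the book).  Reproduces the 16-bit BSD
checksum, pads an altered file until its checksum matches the original,
and contrasts that with SHA-256 and a byte-for-byte comparison against the
backup.  The "binaries" below are constructed byte strings."""
import hashlib
import random


def bsd_sum(data: bytes) -> int:
    """16-bit BSD checksum (the algorithm behind 4.xBSD sum / GNU sum -r):
    rotate the running total right by one bit, then add the next byte."""
    s = 0
    for b in data:
        s = (((s >> 1) | ((s & 1) << 15)) + b) & 0xFFFF
    return s


def bsd_sum_blocks(data: bytes) -> int:
    """Second column of sum's output: file size in 1 KiB blocks."""
    return (len(data) + 1023) // 1024


def pad_to_match(modified: bytes, target: int, seed: int = 0,
                 max_trials: int = 1 << 22) -> bytes:
    """Append 16 pseudo-random bytes and retry until bsd_sum() equals target.
    A 16-bit checksum has only 65,536 possible values, so about 65,536
    trials suffice on average: there is no collision resistance to defeat."""
    rng = random.Random(seed)                 # fixed seed keeps the demo reproducible
    state = bsd_sum(modified)                 # running checksum after the real bytes
    for _ in range(max_trials):
        filler = rng.getrandbits(128).to_bytes(16, "big")
        s = state
        for b in filler:                      # continue the checksum over the filler
            s = (((s >> 1) | ((s & 1) << 15)) + b) & 0xFFFF
        if s == target:
            return modified + filler
    raise RuntimeError("no matching filler found")


def integrity_report(backup: bytes, current: bytes) -> dict:
    """Three checks an administrator could run against the backup copy."""
    return {
        "sum_matches": (bsd_sum(backup), bsd_sum_blocks(backup))
                       == (bsd_sum(current), bsd_sum_blocks(current)),
        "sha256_matches": hashlib.sha256(backup).digest()
                          == hashlib.sha256(current).digest(),
        "identical_to_backup": backup == current,
    }


# Constructed stand-ins for /bin/login as backed up and as altered.
ORIGINAL_LOGIN = b"\x7fELF" + b"login: check password against /etc/passwd " * 8
TROJANED_LOGIN = ORIGINAL_LOGIN.replace(b"check password", b"accept magicpw", 1)


def demo() -> dict:
    """Make the altered file's checksum match, then run all three checks."""
    forged = pad_to_match(TROJANED_LOGIN, bsd_sum(ORIGINAL_LOGIN))
    return integrity_report(ORIGINAL_LOGIN, forged)


if __name__ == "__main__":
    print(demo())   # sum matches; SHA-256 and the byte comparison do not
```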

In retrospect, this was rather stupid behavior. Allowing the intruder to stay on the system let him collect more passwords from users of the system. The delay also allowed for plenty of time to make yet further modifications to the system. If it was compromised before, it was certainly compromised now!

Leaving the intruder alone also left the company in a precarious legal position. If the intruder used the system to break in anywhere else, the company might be held partially liable in a lawsuit because they left the intruder with free run of the compromised system.

So, what should the system manager have done when she first discovered the break-in? Basically, the same thing as what the outside consultant did: take a snapshot of the system to tape or another disk, isolate the system, and then investigate. If the staff was worried about some significant files being damaged, they should have done a complete backup right away to preserve whatever they could. If the system had been booby-trapped and a power failure occurred, they would have lost everything as surely as if they had shut down the system themselves.

The case above is typical of many break-ins that have occurred in 1994 and 1995. The attackers have access to one of many "toolkits" used to break into systems, install password sniffers, and alter system programs to hide their presence. Many of the users of these toolkits are quite ignorant of how they work. Some are even unfamiliar with UNIX: we have heard many stories of monitored systems compromised with these sophisticated toolkits, only to result in the intruders attempting to use DOS commands to look at files!


Chapter 26 Computer Security and U.S. Law

26.2 Criminal Prosecution

You are free to contact law-enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law-enforcement agency. A prosecutor will likely decide if the allegations should be investigated and what (if any) charges should be filed.

In some cases (perhaps a majority of them), criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you are not likely to trace or arrest the individuals involved. Many experienced computer intruders will leave little tracing evidence behind.[2]

[2] Although few computer intruders are as clever as they believe themselves to be.

There is no guarantee that a criminal investigation will ever result from a complaint that you file. The prosecutor involved (Federal, state, or local) will need to decide which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. Remember that the criminal justice system is very overloaded; new investigations are started only for very severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than is a case in which someone is repeatedly trying to break the password of your home computer.

Investigations can also place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law-enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law-enforcement agents is not a sufficient shield from such liability. Before putting yourself at risk in this way, you should discuss alternatives with your lawyer.

26.2.1 The Local Option

One of the first things you must decide is to whom you should report the crime. Usually, you should deal with local or state authorities, if at all possible. Every state currently has laws against some sort of computer crime. If your local law-enforcement personnel believe that the crime is more appropriately investigated by the Federal government, they will suggest that you contact Federal authorities.

You cannot be sure whether your problem will receive more attention from local authorities or from Federal authorities. Local authorities may be more responsive because you are not as likely to be competing with a large number of other cases (as frequently occurs at the Federal level). Local authorities may also be more likely to be interested in your problems, no matter how small the problems may be. At the same time, local authorities may be reluctant to take on high-tech investigations where they have little expertise.[3] Many Federal agencies have expertise that can be brought in quickly to help deal with a problem. One key difference is that investigation and prosecution of juveniles is more likely to be done by state authorities than by Federal authorities.

[3] Although in some venues, there are very experienced local law-enforcement officers, and they may be more experienced than a typical Federal officer.

Some local law-enforcement agencies may be reluctant to seek outside help or to bring in Federal agents. This may keep your particular case from being investigated properly.

In many areas, because the local authorities do not have the expertise or background necessary to investigate and prosecute computer-related crimes, you may find that they must depend on you for your expertise. In many cases, you will be involved with the investigation on an ongoing basis - possibly to a great extent. You may or may not consider this a productive use of your time.

Our best advice is to contact local law enforcement before any problem occurs, and get some idea of their expertise and willingness to help you in the event of a problem. The time you invest up front could pay big dividends later on if you need to decide who to call at 2 a.m. on a holiday because you have found evidence that someone is making unauthorized use of your system.


Luckily, you don't need to determine jurisdiction on your own. If you believe that a Federal law has been violated in your incident, call the nearest U.S. Attorney's office and ask them who you should contact. Often, that office will have the name and contact information for a specific agent, or office in which the personnel have special training in investigating computer-related crimes.

26.2.3 Federal Computer Crime Laws

There are many Federal laws that can be used to prosecute computer-related crimes. Usually, the choice of law pertains to the type of crime, rather than whether the crime was committed with a computer, a phone, or pieces of paper. Depending on the circumstances, laws relating to wire fraud, espionage, or criminal copyright violation may come into play.

Some likely laws that might be used in prosecution include:


Interstate transportation of stolen property.

18 U.S.C. 2319
Willful infringement of a copyright for profit.

18 U.S.C. 2701-2711
Electronic Communications Privacy Act.

Privacy and the Electronic Communications Privacy Act

Passed in 1986, the Electronic Communications Privacy Act (ECPA) was intended to provide the same security for electronic mail as users of the U.S. Postal Service enjoy. In particular, the ECPA defines as a felony, under certain circumstances, reading other people's electronic mail. The ECPA also details the circumstances under which information may be turned over to Federal agents.

To date, there has not been enough prosecution under the ECPA to determine whether this law has met its goal. The law appears to provide some protection for systems carrying mail and for mail files, but the law does not clearly provide protection to every system. If your system uses or supports electronic mail, consult with your attorney to determine how the law might affect you and your staff.

In the coming years, we fully expect new laws to be passed governing crime on networks and malicious mischief on computers. We also expect some existing laws to be modified to extend coverage to certain forms of data used on computers. Luckily, you don't need to carefully track each and every piece of legislation in force (unless you really want to): the decision about which laws to use, if any, will be up to the U.S. Attorney for your district.

26.2.4 Hazards of Criminal Prosecution

There are many potential problems in dealing with law-enforcement agencies, not the least of which is their lack of experience with computer criminal-related investigations. Sadly, there are still many Federal agents who are not well versed with computers and computer crime. In most local jurisdictions, there may be even less expertise. Your case will probably be investigated by an agent who has little or no training in computing.

Computer-illiterate agents will sometimes seek your assistance and try to understand the subtleties of the case. Other times, they will ignore helpful advice - perhaps to hide their own ignorance - often to the detriment of the case and to the reputation of the law-enforcement community.

If you or your personnel are asked to assist in the execution of a search warrant, to help identify material to be searched, be sure that the court order directs such "expert" involvement. Otherwise, you may find yourself complicating the case by appearing as an overzealous victim. You will usually benefit by recommending an impartial third party to assist the law-enforcement agents.

The attitude and behavior of the law-enforcement officers can cause you major problems. Your equipment might be seized as evidence, or held for an unreasonable length of time for examination. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you, to cause you the least amount of inconvenience. However, if the perpetrators are your employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation, as it may be included as part of the damage during prosecution and any subsequent civil suit.

An investigation is another situation in which backups can be extremely valuable. You might even make use of your disaster-recovery plan, and use a standby or spare site while your regular system is being examined.

Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Attitudes directed toward law-enforcement officers can easily be redirected toward you. Such attitudes can place you in a worse light than you deserve, and may hinder not only cooperation with the current investigation, but also with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes. These attitudes are unfortunate, because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders.

For these reasons, we encourage you to carefully consider the decision to involve law-enforcement agencies with any security problem pertaining to your system. In most cases, we suggest that you may not want to involve the criminal justice system at all unless a real loss has occurred, or unless you are unable to control the situation on your own. In some instances, the publicity involved in a case may be more harmful than the loss you have sustained. However, be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage and delay if you decide to ignore the situation.

We wish to stress the positive. Law-enforcement agencies are aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with a number of successful investigations and prosecutions. You should very definitely think about the positive aspects of reporting a computer crime, not only for yourself, but for the community as a whole. Successful prosecutions may help dissuade further misuse of your system and of others' systems.

26.2.5 If You or One of Your Employees Is a Target of an

Local police or Federal authorities can present a judge with a petition to grant a search warrant if they believe there is evidence to be found concerning a violation of a law. If the warrant is in order, the judge will almost always grant the search warrant. Currently, a few Federal investigators and law-enforcement personnel in some states have a poor reputation for heavy-handed and excessively broad searches. The scope of the search is usually detailed in the warrant by the agent in charge and approved by the judge; most warrants are derived from "boiler plate" examples that are themselves too broad. These problems have resulted in considerable ill will, and in the future might result in evidence not being admissible on Constitutional grounds because a search was too wide-ranging. How to define the proper scope of a search is still a matter of some evolution in the courts.

Usually, the police seek to confiscate anything connected with the computer that may have evidence (e.g., files with stolen source code or telephone access codes). This confiscation might result in seizure of the computer, all magnetic media that could be used with the computer, anything that could be used as an external storage peripheral (e.g., videotape machines and tapes), auto-dialers that could contain phone numbers for target systems in their battery-backed memory, printers and other peripherals necessary to examine your system (in case it is nonstandard in setup), and all documentation and printouts. In past investigations, even laser printers, answering machines, and televisions have been seized by Federal agents.

Officers are required to give a receipt for what they take. However, you may wait a very long time before you get your equipment back, especially if there is a lot of storage media involved, or if the officers are not sure what they are looking for. Your equipment may not even be returned in working condition: batteries discharge, media degrades, and dust works its way into moving parts.

You should discuss the return of your equipment during the execution of the warrant, or thereafter with the prosecutors. You should indicate priorities (and reasons) for the items to be returned. In most cases, you can request copies of critical data and programs. As the owner of the equipment, you can also file suit[4] to have it returned, but such suits may drag on and may not be productive. Suits to recover damages may not be allowed against law-enforcement agencies that are pursuing a legitimate investigation.

[4] If it is a Federal warrant, your lawyer may file a "Motion for Return of Property" under Rule 41(e) of the Federal Rules of Criminal Procedure.

You can also challenge the reasons used to file the warrant and seek to have it declared invalid, forcing the return of your equipment. However, in some cases, warrants have been sealed to protect ongoing investigations and informants, so this option can be made much more difficult to execute. Equipment and media seized during a search may be held until a trial if they contain material to be used as prosecution evidence. Some state laws require forfeiture of the equipment on conviction.

At present, a search is not likely to involve confiscation of a mainframe or even a minicomputer. However, confiscation of tapes, disks, and printed material could disable your business even if the computer itself is not taken. Having full backups offsite may not be sufficient protection, because tapes might also be taken by a search warrant. If you think that a search might curtail your legitimate business, be sure that the agents conducting the search have detailed information regarding which records are vital to your ongoing operation, and request copies from them.

Until the law is better defined in this area, you are well advised to consult with your attorney if you are at all worried that a confiscation might occur. Furthermore, if you have homeowners' or business insurance, you might check with your agent to see if it covers damages resulting from law-enforcement agents during an investigation. Business interruption insurance provisions should also be checked if your business depends on your computer.

26.2.6 Other Tips

Here is a summary of additional observations about the application of criminal law to deter possible abuse of your computer. Note that most of these are simply good policy whether or not you anticipate break-ins.

Replace any welcome message from your login program and /etc/motd file with warnings to unauthorized users stating that they are not welcome. We know of no legal precedent where a welcome message has been used as a successful defense for a break-in; however, some legal authorities have counselled against anything that might suggest a welcome for unwanted visitors.

Put copyright and/or proprietary ownership notices in your source code and data files. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright; this version can enhance your chances of prosecution and recovery of damages.

If something happens that you view as suspicious or that may lead to involvement of law-enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law-enforcement agents, too.

Try to define, in writing, the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items that each person cannot access). Have a mechanism in place so that each person is apprised of this description and can understand their limits.



Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, electronic mail use, and any other aspects of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will

Consider joining societies or organizations that stress ongoing security awareness and training. Work to enhance your expertise in these areas.

26.2.7 A Final Note on Criminal Actions

Finally, keep in mind that criminal investigation and prosecution can only occur if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else.

A more subtle problem results from a failure to report serious computer crimes: such failure leads others to believe that there are few such crimes being committed. As a result, little emphasis is placed on budgets or training for new law-enforcement agents in this area, little effort is made to enhance the existing laws, and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.


Chapter 24 Discovering a Break-in

24.5 An Example

Suppose you're a system administrator and John Q. Random is there with you in your office. Suddenly, an alert window pops up on your display, triggered by a Swatch rule monitoring the syslog output. The syslog message has indicated that John Q. Random has logged in and has used the su command to become root.

The user must be an intruder - an intruder who has become root!

Fortunately, in one of the windows on your terminal you have a superuser shell. You decide that the best course of action is to bring your system to an immediate halt. To do so, you execute the commands:

no other intruder is going to be interfering with the system while you figure out what's going on.

The next step is to get a printed copy of all of the necessary logs that you may have available (e.g., console logs and printed copies of network logs), and to examine these logs to try to get an idea of what the unauthorized intruder has done. You will also want to see if anything unusual has happened on the system since the intruder logged in. These logs may give you a hint as to what programs the intruder was running and what actions the intruder took. Be sure to initial and timestamp these printouts.

Do not confine your examination to today's logs. If the intruder is now logged in as root, he may have also been on the system under another account name earlier. If your logs go back for a few days, examine the older versions as well. If they are on your backup tapes, consider retrieving them from the tapes.

[Chapter 24] 24.5 An Example


If the break-in is something that you wish to pursue further, possibly with law enforcement, be sure to do a complete backup of the system to tape. This way, you'll have evidence in the form of the corrupted system. Also, save copies of the logs. Keep a written log of everything you've done and are about to do, and be sure to write the time of day along with each notation.

The next step is to determine how the intruder got in and then to make sure the intruder can't get in again. Examine the entire system. Check the permissions and the modes on all your files. Scan for new SUID or SGID files. Look for additions in /etc/passwd. If you have constructed checklists of your program directories, rerun them to look for any changes.

Remember: the intruder may not be an outsider! The majority of major incidents occur from inside the organization, either from someone with current access or someone who recently had legitimate access. When you perform your evaluation, don't forget to consider the case that the behavior you saw coming from a user account was not someone breaking a password and coming in from outside, but was someone on the inside who broke the password, or perhaps it was the real account owner herself!

Only after performing all these steps, and checking all this information, should you bring the system back up.

24.5.1 Never Trust Anything Except Hardcopy

If your system is compromised, don't trust anything that is online. If you discover changes in files on your system that seem suspicious, don't believe anything that your system tells you, because a good system cracker can change anything on the computer. This may seem extreme, but it is probably better to spend a little extra time restoring files and playing detective now than it would be to replay the entire incident when the intruder gets in again.

Remember, an attacker who becomes the superuser on your computer can do anything to it, change any byte on the hard disk. The attacker can compile and install new versions of any system program, so there might be changes, but your standard utilities might not tell you about them. The attacker can patch the kernel that the computer is running, possibly disabling security features that you have previously enabled. The attacker can even open the raw disk devices for reading and writing. Essentially, attackers who become the superuser can warp your system to their liking, if they have sufficient skill, motivation, and time. Often, they don't need (or have) great skill. Instead, they have access to toolkits put together by others with more skill.

For example, suppose you discover a change in a file and do an ls -l or an ls -lt. The modification time you see printed for the file may not be the actual modification time of the file. There are at least four ways for an attacker to modify the time that is displayed by this command, all of which have been used in actual system attacks:

The attacker could write a program that changes the modification time of the file using the utimes() system call.

The attacker could have altered the system clock by using the date command. The attacker could then modify your files and, finally, reset the date back again. This technique has the advantage for the attacker that the inode access and creation times also get set.


The attacker could have modified the ls command to show a predetermined modification time whenever this file is examined.

The only limit to the powers of an attacker who has gained superuser status is that the attacker cannot change something that has been printed on a line printer or a hardcopy terminal. For this reason, if you have a logging facility that logs whenever the date is changed, you might consider having the log made to a hardcopy terminal or to another computer. Then, be sure to examine this log on a regular basis.

We also recommend that you have a bootable copy of your operating system on a removable disk pack so that, when needed, you can boot from a known good copy of the system and do your examination of the system with uncorrupted tools. Coupled with a database of message digests of unmodified files, such as that produced by a tool such as Tripwire, you should be able to find anything that was modified on your system.
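The checks this section calls for (new SUID/SGID files, additions to /etc/passwd, and a message-digest checklist of a program directory) as one small POSIX shell script. This is an added example, not code from the book; it assumes sha256sum or shasum is available, runs its demonstration against a constructed sandbox tree rather than the live system, and stands in for a tool such as Tripwire only in miniature.

```shell
#!/bin/sh
# Added example (not from the book): baseline-and-compare for the checks the chapter
# lists after a break-in: new SUID/SGID files, additions to /etc/passwd, and a message
# digest checklist of a program directory (the Tripwire idea in miniature).
# Assumptions: POSIX sh with find, sort, comm, awk and sha256sum (or shasum). The demo at
# the bottom works on a constructed sandbox tree, never on the live system. In real use
# the baseline directory belongs on read-only or offline media: an intruder with root
# can rewrite anything that stays online, including this baseline.
export LC_ALL=C                      # sort and comm must agree on collation

digest_file() {                      # print "<sha256>  <path>" for one file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

suid_list() {                        # sorted list of setuid/setgid regular files under $1
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

digest_tree() {                      # digest of every regular file under $1, sorted for comm
    ( cd "$1" && find . -type f -print | while read -r f; do digest_file "$f"; done ) | sort
}

# make_baseline ROOT BINDIR BASEDIR: record the three lists for later comparison.
make_baseline() {
    mkdir -p "$3"
    suid_list "$1" > "$3/suid.list"
    sort "$1/etc/passwd" > "$3/passwd.sorted"
    digest_tree "$1/$2" > "$3/digests.list"
}

# check_baseline ROOT BINDIR BASEDIR: print each finding; return 1 if anything changed.
check_baseline() {
    rc=0
    suid_list "$1" > "$3/suid.now"
    new_suid=$(comm -13 "$3/suid.list" "$3/suid.now")
    if [ -n "$new_suid" ]; then
        echo "NEW SETUID/SETGID FILES:"; echo "$new_suid"; rc=1
    fi
    sort "$1/etc/passwd" > "$3/passwd.now"
    new_acct=$(comm -13 "$3/passwd.sorted" "$3/passwd.now")
    if [ -n "$new_acct" ]; then
        echo "NEW /etc/passwd ENTRIES:"; echo "$new_acct"; rc=1
    fi
    digest_tree "$1/$2" > "$3/digests.now"
    # lines unique to either side = files modified, added or removed (path is the last field)
    changed=$(comm -3 "$3/digests.list" "$3/digests.now" | awk '{print $NF}' | sort -u)
    if [ -n "$changed" ]; then
        echo "PROGRAMS WITH CHANGED DIGESTS:"; echo "$changed"; rc=1
    fi
    return $rc
}

# --- demonstration on a constructed sandbox standing in for the real filesystem ---
SANDBOX=$(mktemp -d)
BASELINE=$SANDBOX.baseline
mkdir -p "$SANDBOX/etc" "$SANDBOX/bin"
printf 'root:x:0:0:root:/:/bin/sh\nfred:x:1001:100:Fred:/home/fred:/bin/sh\n' > "$SANDBOX/etc/passwd"
printf 'genuine ls\n' > "$SANDBOX/bin/ls"
printf 'genuine sh\n' > "$SANDBOX/bin/sh"
printf 'genuine su\n' > "$SANDBOX/bin/su"
chmod 4755 "$SANDBOX/bin/su"                 # su is legitimately setuid and belongs in the baseline
make_baseline "$SANDBOX" bin "$BASELINE"

# The kinds of change the text tells you to look for, simulated in the sandbox only.
printf 'toor:x:0:0:extra uid 0:/:/bin/sh\n' >> "$SANDBOX/etc/passwd"   # added account
chmod 4755 "$SANDBOX/bin/sh"                                           # new setuid file
printf 'replaced ls\n' > "$SANDBOX/bin/ls"                             # modified utility

if check_baseline "$SANDBOX" bin "$BASELINE"; then
    echo "no differences from baseline"
else
    echo "differences found: examine the system with tools booted from known-good media"
fi
```

Pointed at a real root with a baseline taken while the system was known good, the same three functions run unchanged; the digest list is only as trustworthy as the medium it was stored on.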


Chapter 7 Backups

7.2 Sample Backup Strategies

A backup strategy describes how often you back up each of your computer's partitions, what kinds of backups you use, and for how long backups are kept. Backup strategies are based on many factors, including:

How much storage the site has

Here is a simple backup strategy for users with PCs or stand-alone workstations:

[Chapter 7] 7.2 Sample Backup Strategies


If your system is on a network, write a shell script that backs up your home directory to a remote machine. Set the script to automatically run once a day, or as often as is feasible. But beware: if you are not careful, you could easily overwrite your backup with a bad copy before you realize that something needs to be restored. Spending a few extra minutes to set things up properly (for example, by keeping three or four home-directory backups on different machines, each updated on a different day of the week) can save you a lot of time (and panic) later.

This strategy never uses incremental backups; instead, complete backups of a particular set of files are always created. Such project-related backups tend to be incredibly comforting and occasionally valuable.

Retention schedule

Keep the monthly backups two years. Keep the yearly backups forever.

7.2.1.2 Media rotation

If you wish to perform incremental backups, you can improve their reliability by using media rotation. In implementing this strategy, you actually create two complete sets of backup tapes, A and B. At the beginning of your backup cycle, you perform two complete dumps, first to tape A, and then on the following day, to tape B. Each day you perform an incremental dump, alternating tapes A and B. In this way, each file is backed up in two locations. This scheme is shown graphically in Figure 7.2.

Figure 7.2: Incremental backup with media rotation

7.2.2 Small Network of Workstations and a Server

Most small groups rely on a single server with up to a few dozen workstations. In our example, the organization has a single server with several disks, 15 workstations, and a DAT tape backup drive.

The organization doesn't have much money to spend on system administration, so it sets up a system for backing up the most important files over the network to a specially designed server.

Server configuration
Drive #1: /, /usr, /var (standard UNIX filesystems)
Drive #2: /users (user files)
Drive #3: /localapps (locally installed applications)

Client configuration
Clients are run as "dataless workstations" and are not backed up. Most clients are equipped with a 360MB hard disk, although one client has a 1GB drive.

Every hour, a special directory, /users/activeprojects, is archived in a tar file. This file is sent over the network to the client workstation with the 1GB drive. The last eight files are kept, giving immediate backups in the event that a user accidentally deletes or corrupts a file. The system checks the client to make sure that it has adequate space on the drive before beginning each hourly backup.

The daily and hourly backups are done automatically via scripts run by the cron daemon. All monthly and weekly backups are done with shell scripts that are run manually. The scripts both perform the backup and then verify that the data on the tape can be read back, but the backups do not verify that the data on the tape is the same as that on the disk. (No easy verification method exists for the standard UNIX dump/restore programs.)

Automated systems should be inspected on a routine basis to make sure they are still working as planned. You may have the script notify you when completed, sending a list of any errors to a human (in addition to logging them in a file).
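The hourly /users/activeprojects scheme and the read-back verification described above, as an added example that is not the organization's script or code from the book. It assumes POSIX sh with tar, df, du and awk, and stands in for the client with the 1GB drive with a local directory; in real use the destination is a remote filesystem and the copy is a network transfer.

```shell
#!/bin/sh
# Added example (not from the book): the hourly /users/activeprojects scheme in miniature.
# Each run checks that the destination has room, writes a tar archive of the directory,
# verifies that the archive reads back (the check the text's tape scripts make), and then
# keeps only the last eight archives. Assumptions: POSIX sh with tar, df, du and awk. The
# client with the 1GB drive is stood in for by a local directory (DEST); in real use it is
# a remote filesystem and the copy is a network transfer (encrypted, per the NOTE below).
export LC_ALL=C
KEEP=8                                      # archives to retain, as in the text

free_kb()   { df -Pk "$1" | awk 'NR==2 {print $4}'; }      # free space on DEST, in KB
needed_kb() { du -sk "$1" | awk '{print $1}'; }            # size of the source tree, in KB

count_archives() {                          # number of archives currently kept in $1
    ls "$1"/activeprojects-*.tar 2>/dev/null | awk 'END {print NR}'
}

# prune_old DEST: delete all but the newest KEEP archives (names sort by timestamp).
prune_old() {
    list=$(ls "$1"/activeprojects-*.tar 2>/dev/null | sort)
    extra=$(( $(count_archives "$1") - KEEP ))
    if [ "$extra" -gt 0 ]; then
        echo "$list" | head -n "$extra" | while read -r old; do rm -f "$old"; done
    fi
    return 0
}

# hourly_backup SRC DEST STAMP: write DEST/activeprojects-STAMP.tar.
# Returns 0 on success, 1 when space is short, 2 when the archive does not read back.
hourly_backup() {
    src=$1; dest=$2; stamp=$3
    mkdir -p "$dest"
    # require twice the source size: room for the new archive plus slack for the verify step
    if [ "$(free_kb "$dest")" -lt $(( $(needed_kb "$src") * 2 )) ]; then
        echo "hourly backup skipped: not enough space on $dest" >&2
        return 1
    fi
    archive=$dest/activeprojects-$stamp.tar
    # write under a temporary name so a half-written archive never replaces a good one
    if ! tar -cf "$archive.tmp" -C "$(dirname "$src")" "$(basename "$src")"; then
        rm -f "$archive.tmp"; return 2
    fi
    if ! tar -tf "$archive.tmp" >/dev/null 2>&1; then      # read-back verification
        rm -f "$archive.tmp"; return 2
    fi
    mv "$archive.tmp" "$archive"
    prune_old "$dest"
}

# --- demonstration with a constructed project directory and ten simulated hours ---
SRC=$(mktemp -d)/activeprojects
DEST=$(mktemp -d)
mkdir -p "$SRC"
hour=1
while [ "$hour" -le 10 ]; do
    printf 'draft report, hour %d\n' "$hour" > "$SRC/report.txt"   # the file keeps changing
    hourly_backup "$SRC" "$DEST" "$(printf '%02d' "$hour")"       # real use: $(date +%Y%m%d%H)
    hour=$((hour + 1))
done
echo "archives kept: $(count_archives "$DEST") (oldest: $(ls "$DEST" | sort | head -n 1))"
```

Under cron the STAMP argument would be the current date and hour, and the error path (non-zero return) is what the script should mail to a human rather than only log.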

NOTE: If data confidentiality is very important, or if there is a significant risk of packet sniffing, you should design your backup scripts so that unencrypted backup data is never sent over the network.

7.2.2.2 Retention schedule

Monthly backups


Kept for a full calendar year. Each quarterly backup is kept as a permanent archive for a few years. The year-end backups are kept forever.

Weekly backups

Kept on four tapes, which are recycled each month. These tapes should be thrown out every five years (60 uses), although the organization will probably have a new tape drive within five years that uses different kinds of tapes.

Daily backups

One day's backup is kept. Each day's backup overwrites the previous day's.

7.2.3 Large Service-Based Network with Small Budgets

Most large decentralized organizations, such as universities, operate networks with thousands of users and a high degree of autonomy between system operators. The primary goal of the backup system of these organizations is to minimize downtime in the event of hardware failure or network attack; if possible, the system can also restore user files deleted or damaged by accident.

Server configuration
Primary servers: Drive #1: /, /usr, /var (standard UNIX filesystems); Drives #2-5: user files
Secondary server (matches each primary): Drive #1: /, /usr, /var (standard UNIX filesystems); Drives #2-6: backup staging area

Client configuration
Clients are run as "dataless workstations" and are not backed up. Most clients are equipped with a 500MB hard disk. The clients receive monthly software distributions from a trusted server, by CD-ROM or network. Each distribution includes all files and results in a reload of a fresh copy of the operating system. These distributions keep the systems up to date, discourage local storage by users, and reduce the impact (and lifetime) of Trojan horses and other unauthorized modifications of the operating system.

7.2.3.1 Backup plan

Every night, each backup staging area drive is erased and then filled with the contents of the matching drive on its matching primary server. The following morning, the entire disk is copied to a high-speed 8mm tape drive.

Using special secondary servers dramatically eases the load of writing backup tapes. This strategy also provides a hot replacement system should the primary server fail.

7.2.3.2 Retention schedule

Backups are retained for two weeks. During that time, users can have their files restored to a special "restoration" area, perhaps for a small fee. Users who wish archival backups for longer than two weeks must arrange backups of their own. One of the reasons for this decision is privacy: users should have a reasonable expectation that if they delete their files, the backups will be erased at some point in the future.

7.2.4 Large Service-Based Networks with Large Budgets

Many banks and other large firms have requirements for minimum downtime in the event of a failure. Thus, current and complete backups that are ready to go at a moment's notice are vital. In this scheme, we do not use magnetic media at all. Instead, we use a network and special disks.

Each of the local computers uses RAID (Redundant Arrays of Independent Storage) for local disk. Every write to disk is mirrored on another disk automatically, so the failure of one has no user-noticeable effects.

Meanwhile, the entire storage of the system is mirrored every night at 2 a.m. to a set of remote disks in another state (a hot site). This mirroring is done using a high-speed, encrypted leased network line. At the remote location, there is an exact duplicate of the main system. During the day, a running log of activities is kept and mirrored to the remote site as it is written locally.

If a failure of the main system occurs, the remote system is activated. It replays the transaction log and duplicates the changes locally, and then takes over operation for the failed main site.

Every morning, a CD-ROM is made of the disk contents of the backup system, so as not to slow actual operations. The contents are then copied, and the copies sent by bonded courier to different branch offices around the country, where they are saved for seven years. Data on old tapes will be migrated to new backup systems as the technology becomes available.

7.2.5 Deciding upon a Backup Strategy

The key to deciding upon a good strategy for backups is to understand the importance and time-sensitivity of your data. As a start, we suggest that answers to the following questions will help you plan your backups:

How quickly do you need to resume operations after a complete loss of the main system?


How long do you need to keep each backup?

How much are you willing or able to spend?


Chapter 10 Auditing and Logging

10.8 Managing Log Files

There are several final suggestions we can make about log files. The first has to do with backups. We strongly recommend that you ensure that all of your log files are copied to your backup media on a regular basis, preferably daily. The timing of the backups should be such that any file that is periodically reset is copied to the backups before the reset is performed. This will ensure that you have a series of records over time to show system access and behavior.

Our second suggestion concerns how often to review the log files. We recommend that you do this at least daily. Keeping log records does you little service if you do not review them on a regular basis. Log files can reveal problems with your hardware, with your network configuration, and (of course) with your security. Consequently, you must review the logs regularly to note when a problem is actually present. If you delay for too long, the problem may become more severe; if there has been an intruder, he or she may have the time to edit the log files, change your security mechanisms, and do dirty deeds before you take notice.

Our third suggestion concerns how you process your log messages. Typically, log messages record nothing of particular interest. Thus, every time you review the logs (possibly daily, or several times a day, if you take our previous suggestion), you are faced with many lines of boring, familiar messages. The problem with this scenario is that you may become so accustomed to seeing this material that you get in the habit of making only a cursory scan of the messages to see if something is wrong, and this way you can easily miss an important message.

To address this problem, our advice is to filter the messages that you actually look at to reduce them to a more manageable collection. To do so requires some care, however. You do not want to write a filter that selects those important things you want to see and discards the rest. Such a system is likely to result in an important message being discarded without being read. Instead, you should filter out the boring messages, being as specific as you can with your pattern matching, and pass everything else to you to be read. Periodically, you should also study unfiltered log messages to be sure that you are not missing anything of importance.

Our last suggestion hints at our comments in Chapter 27, Who Do You Trust? Don't trust your logs completely! Logs can often be altered or deleted by an intruder who obtains superuser privileges. Local users with physical access or appropriate knowledge of the system may be able to falsify or circumvent logging mechanisms. And, of course, software errors and system errors may result in logs not being properly collected and saved. Thus, you need to develop redundant scanning and logging mechanisms: because something is not logged does not mean it didn't happen.

[Chapter 10] 10.8 Managing Log Files


Of course, simply because something was logged doesn't mean it did happen, either; someone may cause entries to be written to logs to throw you off the case of a real problem or point a false accusation at someone else. These deceptions are easy to create with syslog if you haven't protected the network port from messages originating outside your site!


Chapter 6 Cryptography

6.6 Encryption Programs Available for UNIX

This section describes three encryption programs that are available today on many UNIX systems:

Phil Zimmermann's Pretty Good Privacy.

Each of these programs offers increasing amounts of security, but the more secure programs have more legal restrictions on their use in the United States.[24] Many other countries have passed legislation severely restricting or outlawing the use of strong cryptography by private citizens.

[24] We don't mean to slight our readers in countries other than the U.S., but we are not familiar with all of the various national laws and regulations around the world. You should check your local laws to discover if there are restrictions on your use of these programs.

6.6.1 UNIX crypt: The Original UNIX Encryption Command

UNIX crypt is an encryption program that is included as a standard part of the UNIX operating system. It is a very simple encryption program that is easily broken, as evidenced by AT&T's uncharacteristic disclaimer on the man page:

BUGS: There is no warranty of merchantability nor any warranty of fitness for a particular purpose nor any other warranty, either express or implied, as to the accuracy of the enclosed materials or as to their suitability for any particular purpose. Accordingly, Bell Telephone Laboratories assumes no responsibility for their use by the recipient. Further, Bell Laboratories assumes no obligation to furnish any assistance of any kind whatsoever, or to furnish any additional information or documentation.

- crypt reference page

Note that the crypt program is different from the more secure crypt() library call, which is described in Chapter 8, Defending Your Accounts.

6.6.1.1 The crypt program

The crypt program uses a simplified simulation of the Enigma encryption machine described in "The Enigma Encryption System" earlier in this chapter. Unlike Enigma, which had to encrypt only letters, crypt must be able to encrypt any block of 8-bit data. As a result, the rotors used with crypt must have 256 "connectors" on each side. A second difference between Enigma and crypt is that, while Enigma used three or four rotors and a reflector, crypt uses only a single rotor and reflector. The encryption key provided by the user determines the placement of the virtual wires in the rotor and reflector.

Partially because crypt has but a single rotor, files encrypted with crypt are exceedingly easy for a cryptographer to break. For several years, noncryptographers have been able to break messages encrypted with crypt as well, thanks to a program developed in 1986 by Robert Baldwin, then at the MIT Laboratory for Computer Science. Baldwin's program, Crypt Breaker's Workbench (CBW), decrypts text files encrypted with crypt within a matter of minutes, with minimal help from the user.

CBW breaks crypt by searching for arrangements of "wires" within the "rotor" that cause a file encrypted with crypt to decrypt into plain ASCII text The task is considerably simpler than it may sound at first, because normal ASCII text uses only 127 of the possible 256 different code combinations (the ASCII codes 0 and 128 through 255 do not appear in normal UNIX text) Thus, most arrangements of the "wires" produce invalid characters when the file is decrypted; CBW automatically discards these arrangements.

CBW has been widely distributed; as a result, files encrypted with crypt should not be considered secure (They weren't secure before CBW was distributed; fewer people simply had the technical skill necessary to break them.)

6.6.1.2 Ways of improving the security of crypt

We recommend that you do not use crypt to encrypt files more than 1K long. Nevertheless, you may have no other encryption system readily available to you. If this is the case, you are better off using crypt than nothing at all. You can also take a few simple precautions that will decrease the chances that your encrypted files will be decrypted:[25]

[25] In particular, these precautions will defeat CBW's automatic crypt-breaking activities.

Encrypt the file multiple times, using different keys at each stage. This essentially changes the transformation.

Compress your files before encrypting them Compressing a file alters the information - the plain ASCII text - that

programs such as CBW use to determine when they have correctly assembled part of the encryption key If your message does not decrypt into plain text, CBW will not determine when it has correctly decrypted your message However, if your attackers know you have done this, they can modify their version of CBW accordingly.

If you use compress or pack to compress your file, remove the 3-byte header Files compressed with compress contain a 3-byte signature, or header, consisting of the hexadecimal values 1f, 9d and 90 (in that order) If your attacker believes that your file was compressed before it was encrypted, knowing how the first three bytes decrypt can help him to decrypt the rest of the file You can strip these three bytes with the dd command:[26]

[26] Using dd this way is very slow and inefficient If you are going to be encrypting a lot of compressed

files, you may wish to write a small program to remove the headers more efficiently.

% compress -c <plaintext | dd bs=3 skip=1 | crypt >encrypted

Of course, you must remember to replace the 3-byte header before you attempt to uncompress the file:

% (compress -cf /dev/null;crypt <encrypted) | uncompress -c >plaintext

If you do not have compress, use tar to bundle your file to be encrypted with other files containing random data; then encrypt the tar file The presence of random data will make it more difficult for decryption programs such as CBW to isolate your plaintext.

As encrypted files contain binary information, you must process them with uuencode if you wish to email them.

-rw-r--r-- 1 fred 78535 Nov 16 15:25 myfile.Z

% dd if=myfile.Z of=myfile.Z.strip bs=3 skip=1

26177+1 records in

26177+1 records out

% crypt akey < myfile.Z.strip | uuencode afile | mail spook@nsa.gov

To decrypt a file that you have received and saved in a file named file:

% head -3 file

begin 0600 afile

file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch06_06.htm (2 of 13) [2002-04-12 10:45:07]

M?Z/#V3V,IGO!](D!175:;S9_IU\A7K;:'LBB,8363R,T+/WZSOC4PQ,U/6Q

MX,T8&XZDQ1+[4Y[*N4W@A3@9YM*4XV+U\)X9NT.7@Z+W"WY^9-?(JRU,-4%

% uudecode file

% ls -l afile

-rw-r--r-- 1 fred 78532 Nov 16 15:32 afile

% (compress -cf /dev/null;crypt < afile) | uncompress -c > myfile

myfile now contains the original file.

6.6.2 des: The Data Encryption Standard

There are several software implementations of the Data Encryption Standard that are commonly available for UNIX computers. Several of the most popular implementations are based on the des code written by Phil Karn, a UNIX guru (and ham radio operator whose call sign is KA9Q). In the past, some UNIX vendors have included des commands as part of their operating system, although many of these implementations have been removed so that the companies can maintain a single version of their operating system for both export and domestic use.[27] Nevertheless, des software is widely available both inside and outside the United States.

[27] For example, Sun Microsystems ships the easily broken crypt encryption program with Solaris, and sells a "US Encryption Kit" which contains the des program at a nominal cost.

The des command is a filter that reads from standard input and writes to standard output. It usually accepts the following command-line options:

% des -e|-d [-h] [-k key] [-b]

When using the DES, encryption and decryption are not identical operations, but are inverses of each other. The option -e specifies that you are encrypting a file. For example:

% des -e <message > message.des

Enter key: mykey

Enter key again: mykey

% cat message.des

"UI}mE8NZlOi\Iy|

(The Enter key: prompt is from the program; the key is not echoed.)

Use the -d option to decrypt your file:

% des -d < message.des

Enter key: mykey

Enter key again: mykey

This is the secret message.

You can use the -k option to specify the key on the command line. On most versions of UNIX, any user of the system can use the ps command to see what commands other users are running. Karn's version of des tries to mitigate the danger of the ps command by making a copy of its command line arguments and erasing the original. Nevertheless, this is a potential vulnerability, and should be used with caution.

NOTE: You should never specify a key in a shell script: anybody who has access to read the script will be able to decode your files.

A -b option to the command selects Electronic Code Book (ECB) mode. The default is Cipher Block Chaining (CBC). As described in "DES modes" earlier in this chapter, ECB mode encodes a block at a time, with identical input blocks encoding to identical output blocks. This encoding will reveal if there is a pattern to the input. However, it will also be able to decrypt most of the file even if parts of it are corrupted or deleted. CBC mode hides repeated patterns, and results in a file that cannot be decrypted after any point of change or deletion.
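The two mode properties just described, as an added example that is not from the book or from Karn's des: a Python script with a toy four-round Feistel cipher on 64-bit blocks (keyed through HMAC-SHA256, standing in for DES so that it runs on the standard library alone) wrapped in ECB and in CBC. The key, the IV and the repeating sample plaintext are constructed for the demonstration. Encrypting the same 16-byte phrase four times in ECB mode yields six duplicated ciphertext blocks, while CBC yields none; flipping one ciphertext bit in block 2 spoils one decrypted block under ECB and two under CBC, because each CBC ciphertext block is also XORed into the next plaintext block.

```python
"""ECB versus CBC on a toy 64-bit block cipher (added example, not DES)."""
import hashlib
import hmac

BLOCK = 8    # 64-bit blocks, the block size DES uses
ROUNDS = 4

# Constructed sample inputs: a key for the toy cipher and a fixed IV for CBC.
KEY = b"toy-cipher-key-for-demo"
IV = bytes.fromhex("0123456789abcdef")
# Constructed plaintext with a repeating pattern: the same 16 bytes four times over.
SAMPLE = b"ATTACK AT DAWN. " * 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # 32-bit round output keyed by the cipher key and the round number.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network: a keyed permutation of one 8-byte block."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return right + left   # undo the last swap so decryption is the same loop in reverse

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(plaintext)))

def _ecb_decrypt_blocks(key: bytes, ciphertext: bytes) -> list:
    return [block_decrypt(key, c) for c in _blocks(ciphertext)]

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(_ecb_decrypt_blocks(key, ciphertext)))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def _cbc_decrypt_blocks(key: bytes, iv: bytes, ciphertext: bytes) -> list:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(_cbc_decrypt_blocks(key, iv, ciphertext)))

def repeated_ciphertext_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block (the pattern ECB leaks)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

def damaged_blocks_after_bit_flip(mode: str, key: bytes, iv: bytes,
                                  plaintext: bytes, block_index: int) -> int:
    """Flip one ciphertext bit in the given block; count plaintext blocks that then decrypt wrongly."""
    ct = ecb_encrypt(key, plaintext) if mode == "ecb" else cbc_encrypt(key, iv, plaintext)
    pos = block_index * BLOCK
    corrupted = ct[:pos] + bytes([ct[pos] ^ 0x01]) + ct[pos + 1:]
    expected = _blocks(_pad(plaintext))
    got = (_ecb_decrypt_blocks(key, corrupted) if mode == "ecb"
           else _cbc_decrypt_blocks(key, iv, corrupted))
    return sum(1 for e, g in zip(expected, got) if e != g)

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_ciphertext_blocks(ecb_encrypt(KEY, SAMPLE)))
    print("CBC repeated blocks:", repeated_ciphertext_blocks(cbc_encrypt(KEY, IV, SAMPLE)))
    print("ECB blocks spoiled by one flipped bit:", damaged_blocks_after_bit_flip("ecb", KEY, IV, SAMPLE, 2))
    print("CBC blocks spoiled by one flipped bit:", damaged_blocks_after_bit_flip("cbc", KEY, IV, SAMPLE, 2))
```

The repeated-block count is the signal an observer gets from ECB without any key: where the plaintext repeats, so does the ciphertext. The bit-flip count shows the cost CBC pays for hiding that pattern, which is the trade-off the paragraph above describes.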

If you use the -h option, des will allow you to specify a key in hexadecimal. Such keys should be randomly generated. If you do not specify a key in hexadecimal, then your key will most likely be restricted to characters that you can type on your keyboard. Many people further restrict their keys to words or phrases that they can remember (see the sidebar entitled "Number of Passwords" in Chapter 3, Users and Passwords). Unfortunately, this method makes it dramatically easier for an attacker to decrypt a DES-encrypted file by doing a key search. To see why, consider the following table:

Table 6.3: Key Search Comparisons

Key Choice                 Algorithm Keyspace     Number of Possible Keys
Random DES key             128^8 = 2^56           7.2 x 10^16
Typeable characters[28]    127^8                  6.8 x 10^16
Printable characters       96^8                   7.2 x 10^15
Two words                  1,000,000^2            10^12

[28] You can't enter null as a character in your key.
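The figures in Table 6.3, recomputed as an added Python example (not the book's code) and extended with the equivalent strength in bits and the expected time for an exhaustive search. The policies and alphabet sizes are the table's own; the search rate of one million keys per second is an assumption chosen only to make the rows comparable.

```python
import math

# Key-selection policies from Table 6.3 as (alphabet size, key length).
# The "two words" row models a key of two words drawn from a 1,000,000-word dictionary.
KEY_POLICIES = {
    "random DES key": (128, 8),        # 7 key bits per byte; the parity bit does not count
    "typeable characters": (127, 8),   # any byte except NUL, see footnote [28]
    "printable characters": (96, 8),   # the 96 printable ASCII codes counted in the table
    "two words": (1_000_000, 2),
}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct keys a policy allows: alphabet ** length."""
    return alphabet ** length


def key_bits(alphabet: int, length: int) -> float:
    """Equivalent key strength in bits, log2 of the keyspace."""
    return length * math.log2(alphabet)


def expected_search_seconds(alphabet: int, length: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried before a hit."""
    return keyspace(alphabet, length) / 2 / keys_per_second


def compare(keys_per_second: float = 1e6) -> dict:
    """Map each policy to (keyspace, bits, expected seconds) at the assumed search rate."""
    return {
        name: (keyspace(a, n), key_bits(a, n), expected_search_seconds(a, n, keys_per_second))
        for name, (a, n) in KEY_POLICIES.items()
    }


if __name__ == "__main__":
    for name, (size, bits, seconds) in compare().items():
        print(f"{name:22s} {size:9.1e} keys {bits:5.1f} bits "
              f"~{seconds / (365 * 86400):9.2e} years at 1e6 keys/s")
```

The bits column is the useful summary: a two-word key is worth about 40 bits against a dictionary-driven search, regardless of how long the words are, while the printable-character policy already gives away more than three bits of the 56.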

Some versions of des will encrypt a file if it is specified on the command line. Input and output filenames are optional. If only one filename is given, it is assumed to be the input file.

Some versions of UNIX designed for export include a des command that doesn't do anything. Instead of encrypting your file, it simply prints an error message explaining that the software version of des is not available.

6.6.3 PGP: Pretty Good Privacy

In 1991, Phil Zimmermann wrote a program called PGP which performs both private key and public key cryptography. That program was subsequently released on the Internet and improved by numerous programmers, mostly outside of the United States.[29] In 1994, Zimmermann turned the distribution of PGP over to the Massachusetts Institute of Technology, which makes the software available for anonymous FTP from the computer net-dist.mit.edu.

[29] Get the whole story! Although this section presents a good introduction to PGP, the program is far too complicated to describe here. For a full description of PGP, we recommend the book PGP: Pretty Good Privacy by Simson Garfinkel (O'Reilly & Associates, 1995).

The version of PGP that is distributed from MIT uses the RSA Data Security software package RSAREF. This software is only available for noncommercial use. If you wish to use PGP for commercial purposes, you should purchase it from ViaCrypt International (whose address is listed in Appendix D).

PGP Version 2 uses IDEA as its private key encryption algorithm and RSA for its public key encryption. (Later versions of PGP may allow a multiplicity of encryption algorithms to be used, such as Triple DES.) PGP can also seal and verify digital signatures, and includes sophisticated key-management software. It also has provisions for storing public and private keys in special files called key rings (illustrated in Figure 6.5). Finally, PGP has provisions for certifying keys, again using digital signatures.

Figure 6.5: PGP key rings

6.6.3.1 Encrypting files with IDEA


You can use PGP to encrypt a file with the IDEA encryption cipher with the following command line:

% pgp -c message

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 03:32 GMT

You need a pass phrase to encrypt the file.

Enter pass phrase:some days green tomatoes

Enter same pass phrase again: some days green tomatoes

If you want to decrypt your file, run PGP with the encrypted file as its sole argument:

% pgp message.pgp

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 03:47 GMT

File is conventionally encrypted.

You need a pass phrase to decrypt this file.

Enter pass phrase: some days green tomatoes

Just a moment... Pass phrase appears good.

Plaintext filename: message

%

If you do not type the correct pass phrase, PGP will not decrypt your file:

% pgp message.pgp

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 03:48 GMT

File is conventionally encrypted.

You need a pass phrase to decrypt this file.

Enter pass phrase: I am the walrus

Just a moment

Error: Bad pass phrase.

You need a pass phrase to decrypt this file.

Enter pass phrase: Love will find a way

Just a moment

Error: Bad pass phrase.

For a usage summary, type: pgp -h


For more detailed help, consult the PGP User's Guide.

%

6.6.3.2 Creating your PGP public key

The real power of PGP is not the encryption of files, but the encryption of electronic mail messages. PGP uses public key cryptography, which allows anybody to create a message and encrypt it using your public key. After the message is encrypted, no one can decrypt it unless someone has your secret key. (Ideally, nobody other than you should have a copy of your key.) PGP also allows you to electronically "sign" a document with a digital signature, which other people can verify.

To make use of these features, you will first need to create a public key for yourself and distribute it among your correspondents. Do this with PGP's -kg option:

% pgp -kg

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:01 GMT

Pick your RSA key size:

1) 512 bits- Low commercial grade, fast but less secure

2) 768 bits- High commercial grade, medium speed, good security

3) 1024 bits- "Military" grade, slow, highest security

Choose 1, 2, or 3, or enter desired number of bits: 3

Generating an RSA key with a 1024-bit modulus.

You need a user ID for your public key The desired form for this

user ID is your name, followed by your E-mail address enclosed in

<angle brackets>, if you have an E-mail address.

For example: John Q Smith <12345.6789@compuserve.com>

Enter a user ID for your public key:

Michelle Love <love@michelle.org>

You need a pass phrase to protect your RSA secret key.

Your pass phrase can be any sentence or phrase and may have many

words, spaces, punctuation, or any other printable characters.

Enter pass phrase:every thought burns into substance

Enter same pass phrase again:every thought burns into substance

Note that key generation is a lengthy process.

We need to generate 720 random bits This is done by measuring the

time intervals between your keystrokes Please enter some random text

on your keyboard until you hear the beep:

Here you type a lot of random data that nobody else really sees. It doesn't really matter what you type, just don't hold down the key. 0 * -Enough, thank you.

After you've generated your key, you should do two things with it immediately:

1. Sign it yourself. You should always sign your own key right away. Do this as:

% pgp -ks love@michelle.org



There are some obscure ways that your key might be abused if it is circulated without a signature in place, so be sure that you sign it yourself.

2. Generate a revocation certificate and store it offline somewhere. Don't send it to anyone! The idea behind generating the revocation right now is that you still remember the passphrase and have the secret key available. If something should happen to your stored key, or you forget the passphrase, the public/private key pair becomes useless. Having the revocation certificate ready in advance allows you to send it out if that should ever happen. You generate the certificate by:

% pgp -kx Michelle revoke.pgp

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.

Distributed by the Massachusetts Institute of Technology.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:06 GMT

Extracting from key ring: `/Users/simsong/Library/pgp/pubring.pgp',

userid "Michelle".

Key for user ID: Michelle Love <love@michelle.org>

1024-bit key, Key ID 0A965505, created 1995/02/12

Key extracted to file `revoke.pgp'.

% pgp -kd Michelle revoke.pgp

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.

Distributed by the Massachusetts Institute of Technology.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:07 GMT

Key for user ID: Michelle Love <love@michelle.org>

1024-bit key, Key ID 0A965505, created 1995/02/12

Do you want to permanently revoke your public key

by issuing a secret key compromise certificate

for "Michelle" (y/N)? y

You need a pass phrase to unlock your RSA secret key

Key for user ID "Michelle"

Enter pass phrase: every thought burns into substance

Pass phrase is good Just a moment

Key compromise certificate created.

Warning: `revoke.pgp' is not a public keyring


Now, save the revoke.pgp file in a safe place, off line. For example, you might put it on a clearly labeled floppy disk, then place the disk inside a clearly labeled envelope. Write your signature across the envelope's flap. Then store the envelope in your safe-deposit box.

To extract a printable, ASCII version of your key, use PGP's -kxaf (Key extract ASCII filter) command:

% pgp -kxaf Michelle

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.


Current time: 1995/02/12 04:11 GMT

Extracting from key ring: '/Users/simsong/Library/pgp/pubring.pgp', userid "Mic

Key for user ID: Michelle Love <love@michelle.org>

1024-bit key, Key ID 0A965505, created 1995/02/12

Key extracted to file 'pgptemp.$00'.

-----BEGIN PGP PUBLIC KEY BLOCK-----

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:15 GMT

Looking for new keys

pub 1024/0A965505 1995/02/12 Michelle Love <love@michelle.org>

Checking signatures

Keyfile contains:

1 new key(s)

One or more of the new keys are not fully certified.

Do you want to certify any of these keys yourself (y/N)? y

Key for user ID: Michelle Love <love@michelle.org>

1024-bit key, Key ID 0A965505, created 1995/02/12

Key fingerprint = 0E 8A 9C C4 CE 44 96 60 83 79 CB F1 F3 02 0C 7E

This key/userID association is not certified.

Do you want to certify this key yourself (y/N)? n

%

6.6.3.3 Encrypting a message

After you have somebody's public key, you can encrypt a message using PGP's -eat command. This will encrypt the message, save it in ASCII (so you can send it with electronic mail), and properly preserve end-of-line characteristics (assuming that this is a text message). You can sign the message with your own digital signature by specifying -seat instead of -eat. If you want to use PGP as a filter, add the letter "f" to your command. This process is shown graphically in Figure 6.6.

Figure 6.6: Encrypting email with PGP

For example, you can take the file message, sign it with your digital signature, encrypt it with Michelle's public key, and send it

to her, by using the command:

% cat message | pgp -seatf message Michelle | mail -s message love@michelle.org

6.6.3.4 Adding a digital signature to an announcement

With PGP, you can add a digital signature to a message so that people who receive the message can verify that it is from you (provided that they have your public key).

For example, if you wanted to send out a PGP-signed message designed to warm the hearts but dull the minds of your students, you might do it like this:

% pgp -sat classes

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:30 GMT

A secret key is required to make a signature.

You need a pass phrase to unlock your RSA secret key.

Key for user ID "simson"

Enter pass phrase: all dogs go to heaven

Pass phrase is good.


Key for user ID: Simson L Garfinkel <simsong@acm.org>

1024-bit key, Key ID 903C9265, created 1994/07/15

Also known as: simsong@pleasant.cambridge.ma.us

Also known as: simsong@next.cambridge.ma.us

Also known as: simsong@mit.edu

-----BEGIN PGP SIGNED MESSAGE-----

Classes are cancelled for the following two months. Everybody enrolled in the course will get an A.

6.6.3.5 Decrypting messages and verifying signatures

To decrypt a message or verify a signature on a message, simply save the message into a file. Then run PGP, specifying the filename as your sole argument. If you are decrypting a message, you will need to type your pass phrase. For example, to decrypt a message that has been sent you, use the following command:

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/02/12 04:54 GMT


File is encrypted Secret key is required to read it.

Key for user ID: simson

1024-bit key, Key ID 903C9265, created 1994/07/15

Also known as: simsong@pleasant.cambridge.ma.us

Also known as: simsong@next.cambridge.ma.us

Also known as: simsong@mit.edu

Also known as: Simson L Garfinkel <simsong@acm.org>

You need a pass phrase to unlock your RSA secret key.

Enter pass phrase: subcommander marcos

Pass phrase is good. Just a moment...

Plaintext filename: message

% cat message

Hi Simson!

Things are all set. We are planning the military takeover for next Tuesday. Bring your lasers.

For example, to create a detached signature for the /bin/login program, you could use PGP's -sb flags:

# pgp -sb /bin/login -u simsong

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/09/12 15:28 GMT

A secret key is required to make a signature

You need a pass phrase to unlock your RSA secret key

Key for user ID "simsong@pleasant.cambridge.ma.us"

Enter pass phrase: nobody knows my name

Pass phrase is good

Key for user ID: Simson L Garfinkel <simsong@acm.org>

1024-bit key, Key ID 903C9265, created 1994/07/15

Also known as: simsong@pleasant.cambridge.ma.us

Also known as: simsong@next.cambridge.ma.us

Also known as: simsong@mit.edu

Just a moment

Signature file: /bin/login.sig

#


In this example, the superuser ran PGP so that the signature for /bin/login could be recorded in /bin/login.sig (the default location). You could specify a different location to save the signature by using PGP's -o filename option.

To verify the signature, simply run PGP, supplying the signature and the original file as command line arguments:

% pgp /bin/login.sig /bin/login

Pretty Good Privacy(tm) 2.6.1 - Public-key encryption for the masses.

(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software 29 Aug 94

Distributed by the Massachusetts Institute of Technology Uses RSAREF.

Export of this software may be restricted by the U.S government.

Current time: 1995/09/12 15:32 GMT

File has signature. Public key is required to check signature.

File '/bin/login.sig' has signature, but with no text.

Text is assumed to be in file '/bin/login'.

Using digital signatures to validate the integrity of your system's executables is a better technique than using simple cryptographic checksum schemes, such as MD5. Digital signatures are better because with a simple MD5 scheme, you risk an attacker's modifying both the binary file and the file containing the MD5 checksums. With digital signatures, you don't have to worry about an attacker's recreating the signature, because the attacker does not have access to the secret key. (However, you still need to worry about someone altering the source code of your checksum program to make a copy of your secret key when you type it.)
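The point of the paragraph above, as an added Python example that is neither PGP nor the book's code: a checksum list that an attacker who altered a binary can simply regenerate, beside the same list protected by a detached signature that only the holder of the secret key can produce. The signature is textbook RSA over a SHA-256 digest with a constructed, deliberately tiny key pair built from two Mersenne primes, and the "binaries" are constructed byte strings, so the script runs on the standard library alone; the key size and the unpadded signature are assumptions for illustration, not a scheme to deploy.

```python
"""Signed manifest versus a bare MD5 checksum list (added example, not PGP)."""
import hashlib

# Constructed toy RSA key pair: two Mersenne primes, far too small for real use.
_P = 2 ** 31 - 1
_Q = 2 ** 61 - 1
PUBLIC_KEY = (65537, _P * _Q)                            # (e, n): what every verifier holds
_SECRET_EXPONENT = pow(65537, -1, (_P - 1) * (_Q - 1))  # d: held only by the signer

# Constructed stand-ins for the binaries being protected (not real ELF files).
SYSTEM_FILES = {
    "/bin/login": b"\x7fELF stand-in for login",
    "/bin/su": b"\x7fELF stand-in for su",
}


def _digest_int(data: bytes) -> int:
    # First 8 bytes of SHA-256, so the integer stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data: bytes, secret_exponent: int = _SECRET_EXPONENT) -> int:
    """Detached textbook-RSA signature over the digest of data."""
    return pow(_digest_int(data), secret_exponent, PUBLIC_KEY[1])


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest_int(data)


def md5_manifest(files: dict) -> bytes:
    """The checksum-only scheme: one 'md5sum  path' line per file."""
    lines = [f"{hashlib.md5(content).hexdigest()}  {path}"
             for path, content in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def checksums_match(files: dict, manifest: bytes) -> bool:
    """Checksum-only check: passes whenever the list matches the files, whoever wrote the list."""
    return md5_manifest(files) == manifest


def sign_manifest(files: dict) -> tuple:
    """Build the checksum list and sign it; returns (manifest, signature)."""
    manifest = md5_manifest(files)
    return manifest, sign(manifest)


def check_signed_manifest(files: dict, manifest: bytes, signature: int,
                          public_key=PUBLIC_KEY) -> bool:
    """Signed check: the list must verify under the public key AND match the files."""
    return verify(manifest, signature, public_key) and checksums_match(files, manifest)


def tamper_scenario() -> dict:
    """A modified /bin/login together with a regenerated checksum list, checked both ways."""
    manifest, signature = sign_manifest(SYSTEM_FILES)
    tampered = dict(SYSTEM_FILES)
    tampered["/bin/login"] = b"\x7fELF stand-in for a modified login"
    forged_manifest = md5_manifest(tampered)   # rewritten to match the modified file
    return {
        "clean_signed_check": check_signed_manifest(SYSTEM_FILES, manifest, signature),
        "checksum_only_fooled": checksums_match(tampered, forged_manifest),
        "signed_check_with_old_list": check_signed_manifest(tampered, manifest, signature),
        "signed_check_with_forged_list": check_signed_manifest(tampered, forged_manifest, signature),
    }


if __name__ == "__main__":
    for name, result in tamper_scenario().items():
        print(f"{name:32s} {result}")
```

The forged list passes the checksum-only comparison because nothing ties the list to its author; it fails the signed check because the old signature does not verify over the rewritten list, and a fresh signature would need the secret exponent. As the paragraph notes, that secret exponent is then the thing to protect.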

NOTE: Protect your key! No matter how secure your encryption system is, you should take the same precautions with your encryption key that you take with your password: there is no sense in going to the time and expense of encrypting all of your data with strong ciphers such as DES or RSA if you keep your encryption keys in a file in your home directory, or write them on a piece of paper attached to your terminal.

Finally, never use any of your passwords as an encryption key! If an attacker learns your password, your encryption key will be the only protection for your data. Likewise, if the encryption program is weak or compromised, you do not want your attacker to learn your password by decrypting your files. The only way to prevent this scenario is by using different words for your password and encryption keys.

Our PGP Keys

One way to verify someone's key is by getting it from him or her in person. If you get the key directly from the person involved, you can have some confidence that the key is really his. Alternatively, you can get the key from a public keyserver, WWW page, or other location. Then, you verify the key fingerprint. This is normally generated as pgp -kvc keyid. You can do this over the telephone, or in person. You can also do it by finding the key fingerprint in a trusted location such as printed in a book.

Here are the key ids and fingerprints for our keys. The keys themselves may be obtained from the public key servers. If you don't know how to access the key servers, read the PGP documentation, or Simson's PGP book, also from O'Reilly.

pub 1024/FC0C02D5 1994/05/16 Eugene H Spafford <spaf@cs.purdue.edu>


Chapter 21

21 Firewalls

Contents:

What's a Firewall?

Building Your Own Firewall

Example: Cisco Systems Routers as Chokes

Setting Up the Gate

Special Considerations

Final Comments

Most systems for providing UNIX network security that we have discussed in this book are designed to protect an individual UNIX host from a hostile network. We have also explored systems such as Kerberos and Secure RPC, which allow a set of hosts to communicate securely in a hostile environment.

As an alternative to protecting individual computers on a network, many organizations have opted for a seemingly simpler solution: protecting an organization's internal network from external attack.

The simplest way to protect a network of computers is with physical isolation. Avoid the problems of networks by not connecting your host to the Internet and not providing dial-in modems. Nobody from the outside will be able to attack your computers without first entering your physical premises. Although this approach completely ignores the damage that insiders can do, it is nevertheless a simple, straightforward policy that has been used by most organizations for years. In many environments, this is still the best way to approach network security - there is little to be gained from connection to outside networks, and much to lose.

Recently, however, the growth of the Internet has made physical isolation more difficult. Employees in organizations want email, they want access to Usenet news, and they want to browse the World Wide Web. In addition, organizations want to publish information about themselves on the Web. To allow partial connection to the Internet, while retaining some amount of isolation, some organizations are using firewalls to protect their security.

Firewalls are powerful tools, but they should never be used instead of other security measures. They should only be used in addition to such measures.

[Chapter 21] Firewalls

file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch21_01.htm (1 of 11) [2002-04-12 10:45:09]


Posted: 12/08/2014, 22:21