In real life I've been the victim of an attack and I've advised someone who
has been the victim of the attack. First me. A long long time ago I was
writing my first C code, and I had to create a file, and I had no idea what
flags to set on the file mode (Unix was very new to me). So I gave it a
"-1", set all the flags. Including set user id and world writable. Not a
big problem yet. Said routine gets put into a library that is run by a
database, and of course it gets run as root. Somewhat a problem, but not
yet a BIG problem. Said database becomes distributed, therefore needs to be
NFS exported world mountable writable. Someone else, finding a user level
.rhosts inconvenient, put a "+" in there (allow any host). On the internet.
So, someone mounted the drive, copied /bin/sh into the database, did an rsh
to run the database, instant root shell prompt. Moral of the story: small
bits may add up to be big disasters when combined.

In another thread, a friend started up his own internet web site. And he
telnets in to go to root. I advise him not to do so, to install ssh
instead. He said, and I quote: "no one will ever break into my site, it's
too small to be noticed". Guess what, it got noticed. Site got really
trashed. He now uses ssh to connect instead, and does updates by tunneling
the ftp command channel through ssh.

On another thread, I have a Linux box at home that calls up my ISP several
times a day, and waits there a few minutes. If no activity is noticed, it
drops the connection. It's in case I left a file I need at home. Total
exposure time on the internet, maybe an hour a day. At least once a week
that box gets scanned, never from the same address. All the usual scans,
ftp, telnet, pop, smtp, all logged thanks to tcp wrappers.

And, on yet another thread, a couple of years ago I brought up a new
internet firewall gateway at my present job. IP address had never been used
before, it wasn't in DNS anywhere. First day I unpacked it from the
shipping box, got it connected, sent out a few queries, and then went to the
hotel until the next day. Overnight I found in the Gauntlet logs that
several port scans got run on it, and people tried to telnet, ftp, and
several other queries into it. Only thing I can think of is that someone
noticed a new route on the internet and decided to check it out in case they
installed someone with the intention of later securing it.
On Thursday, January 27, 2000 2:54 PM, Keller Dennis (DDSP)
[SMTP:[EMAIL PROTECTED]] wrote:
> Ask him how long he can afford to have his servers down (money talks).
> Also, ask him if he is prepared to answer to the CIO/CEO of the company
> when he's questioned on why his network segment was shut down because he's an
> incompetent bonehead.
>
> Cheers,
> Dennis Keller
> Network Security Administrator
> DDSP-Z
> email: [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Shawn Savadkohi [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 27, 2000 1:17 PM
> > To: [EMAIL PROTECTED]
> > Subject: Hey, I DON'T WANT a firewall in front of my network!
> >
> >
> > Forgive me for the blunt subject heading, but unfortunately
> > this is a reality I'm facing in my organization.
> >
> > I'm a network administrator new to firewalls and the list.
> > Like so many other organizations, we have a router linking us
> > to the Internet which until recently went unfiltered. I've
> > successfully deployed a couple firewall devices to change
> > this, but my advances in securing our private network haven't
> > been met with cheers ("Hey, why can't I get my RealAudio
> > streams anymore!"). In particular, there is one department
> > head who holds the sentiment I shared in the SUBJECT line.
> > This person insists on keeping their segment firewall-free,
> > with public IP addresses on workstations and servers alike.
> >
> > Having been unsuccessful on my own, I'm seeking advice on how
> > I can persuade this dept head their machines are at risk.
> > Remember I'm dealing with a non-technical member of
> > management who would gloss over at responses describing DoS,
> > Land attacks, SYN flooding, Bonk/Boink, port scans, etc.
> > Real-life episodes of successful hacking I imagine will work
> > well. And accept my "Thanks, but no thanks" in advance if
> > you'd like to offer a demonstration!
> >
> > At the risk of exposing too much, let me briefly describe
> > what services are unprotected: two (2) HTTP servers, one (1)
> > SQL database server, and an NT box that's the PDC for that segment.
> >
> > Thanks for your responses.
> >
> > -Shawn
> >
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************
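The first anecdote in the reply above chains two misconfigurations that are easy to audit for: a file created with mode -1 (which leaves it setuid and world-writable) and a .rhosts entry of "+" that trusts every host. The following read-only audit script is an added example, not code from any poster on this thread; it assumes a POSIX host and the `stat` mode-bit semantics of Linux/Unix, and the .rhosts contents in the test are constructed.

```python
import os
import stat

# The story's C code passed -1 as the file mode. mode_t is unsigned, so the
# kernel sees every bit of 07777 set (setuid, setgid, sticky, rwx for all),
# subject only to the umask.
MODE_FROM_MINUS_ONE = (-1) & 0o7777  # == 0o7777


def mode_findings(mode):
    """Return the risky permission combinations present in a file's mode bits."""
    setuid, world_w = bool(mode & stat.S_ISUID), bool(mode & stat.S_IWOTH)
    if setuid and world_w:
        return ["setuid and world-writable: anyone can replace what runs as the owner"]
    if setuid:
        return ["setuid"]
    if world_w:
        return ["world-writable"]
    return []


def rhosts_trusts_any_host(text):
    """True if a .rhosts/hosts.equiv file has a bare '+' host field (trust every host)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if fields and fields[0] == "+":
            return True
    return False


def scan_tree(root):
    """Walk root read-only; return (path, finding) pairs worth a second look."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            report += [(path, f) for f in mode_findings(stat.S_IMODE(st.st_mode))]
            if name == ".rhosts":
                try:
                    with open(path, errors="replace") as fh:
                        if rhosts_trusts_any_host(fh.read()):
                            report.append((path, ".rhosts trusts every host ('+')"))
                except OSError:
                    pass
    return report
```

Run `scan_tree("/home")` (or any exported or shared tree) and review each reported path; a setuid file that is also world-writable is the exact combination the story describes.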