Kurt Seifried, [email protected]
What's in a name?
February 14, 2001 - Yesterday it became public knowledge that Tatu Ylonen, the creator of the SSH protocol and founder of a company with the same name, asked the OpenSSH group to change its name. Normally such a case, a commercial company asking someone to change its name, wouldn't be a terribly big deal but in this case it is. SSH was first used as the name for a protocol, "Secure SHell." The SSH protocol uses strong crypto and public key cryptography and provides a secure replacement for insecure protocols such as Telnet, rexec, rcp, rsh, FTP and so on. In addition, the SSH protocol features tunneling, allowing you to easily wrap insecure protocols such as POP or X and face far fewer worries when using them.
Network Intrustion Detection Systems and Virus Scanners - Are They The Answer?
It takes a lot less effort to destroy and break things, than it takes to build and fix them. This is nowhere more evident then computer networks. Corporations, governments, universities and other organizations spend large sums of money on computer network infrastructure, and the cost of keeping them running is not trivial. And this doesn't even take into consideration malicious attacks and security controls which add even more cost to building and maintaining a network of computers.
The Story of Jeff
This story is the ongoing saga of Jeff, a tragic tale full of hardship, heartbreak and triumph over impossible odds. Jeff is your average network administrator, responsible for Acme, Inc.'s Microsoft-based corporate network. We start with the basics, but as Jeff's network is broken into again and again, we spiral steadily into madness and insanity.
Kurt Seifried's predictions for Information Security in 2002.
Airline Computer Security - Key to Thwarting Terror
The airline industry in North America is a critical component of our economic prosperity, and even more than that a vital component to our lifestyle. Have to be in San Diego tomorrow to meet with a client regarding critical issues? Be there in less than 12 hours from virtually anywhere in North America, affordably. The airline industry in the US employs slightly over one million people, and services like air cargo allow many other businesses to function that depend on quick delivery of everything from electronic components to stuffed toys and legal documents. Yet we are coming to understand that security threats can put a quick end to services we depend on and take for granted.
Keyboard is a useful techniques for computer investigators, forensics specialists and people who are overly curious in their surroundings. Many modern security practices, such as encryption, are virtually impossible to brute force, and if the defender is using a good passphrase then it is virtually impossible to hit the right combination unless you are very lucky. The answer to this, and other password protected services is of course to use a keyboard sniffer, in effect tricking the subject into revealing their password.
Devil in the details - why package signing matters
This articles discusses the Red Hat response to KSSA-002. To quote Red Hat: "Preston Brown, director of Linux engineering for Red Hat, said the software firm doesn't digitally sign the two packages because the firm doesn't consider it necessary." This articles discusses why it is neccesary. Updated October 24 - Red Hat has signed the packages and stated they will sign all packages in future. A happy ending.
Interview with Elias Levy (Bugtraq)
Bugtraq is probably the best security mailing list around. However while the quasi-founder (technically Aleph1 didn't start Bugtraq as I was surprised to find out) is quite prominent online I wasn't able to find any detailed information about him or Bugtraq (except for one old interview). So here for you to enjoy is an interview with Aleph1.
Protecting information from exposure
If you ask an administrator what they have done to protect information from being stolen or otherwise disclosed they will often respond with filesystem ACL's, strong user authentication and so forth. Unfortunately the strongest ACL's and user authentication in the world will only protect you from certain limited types of threats. It doesn't matter how strong your NT filesystem permissions are if I steal your laptop and use something like a dos boot disk with NTFS support to simply read all the files, or reset your password with NTLocksmith. Additionally information has an annoying tendency of ending up in odd places that you may not have expected, for example users may save data to a floppy disk or email it to themselves at home so they can work on it from there. Fortunately there are solutions to these problems, however without user education and support from management most will not be effective.
Writing security advisories
I've been writing security digests now for several months, for Linux and BSD. This means I read pretty much every single vendor issued security advisory, along with advisories for software packages on Bugtraq and other mailing lists/websites/etc. I am happy to say that most Linux distributions and vendors are doing a pretty good job on their security advisories, but not all are perfect. A security advisory is a complex thing to write properly, the following items need to be covered (if applicable):
A Matter of Trust: How Apache.org Was Compromised
As you've probably heard by now, Apache.org was broken into last week, and the system was compromised. How this happened is much more interesting then your usual "known hole in an old piece of software" scenario (although this was the final nail in the coffin for Apache.org).
Most break-ins we hear about are relatively straightforward -- someone was running an unpatched copy of IIS 5.0 or they forgot to upgrade their FTP server to a recent version. These types of problems are relatively easy to deal with, you keep software up to date, but they are impossible to completely eliminate. At some point you have to run software to make the system useful, and even the most heavily audited and secured system will have bugs in it's software. It is inevitable that at some point an attacker will discover a problem and use it, or release code publicly allowing anyone to exploit the flaw, and software vendors will react, provide a fix, but this still needs to be applied by system administrators.
However, an old issue is becoming increasingly problematic as more machines are placed online. The problem is trust.
Last updated 1/25/2002
Copyright Kurt Seifried 2001