Unattended Terminals

It is quite common to find user terminals left signed on and unattended for extended periods of time, such as during lunch time. Assuming that the hacker can gain physical access to users’ work areas (or assuming that the hacker is an insider), this situation is a perfect opportunity for a hacker to compromise the system’s security. A hacker may use an unattended terminal to process unauthorized transactions, insert a Trojan horse, download a destructive virus, modify the user’s.rhost file, or change the user’s password so that the hacker can sign on later.

The network administrator can minimize the threat from access through unattended terminals by ensuring that:

•  User sessions are automatically timed out after a predefined period of inactivity, or password-protected screen savers are invoked.

•  Users are regularly educated and reminded about the importance of signing off their sessions whenever they expect to leave their work areas unattended.

•  Adequate controls are in place to prevent unauthorized persons from gaining physical access to users’ work areas.

Writeable Set User ID Files

UNIX allows executable files to be granted root privileges by making file permissions set user ID (SUID) root. Hackers often search through the file system to identify all SUID files and to determine whether they are writeable. Should they be writeable, the hacker can insert a simple line of code within the SUID program so that the next time it is executed it will write to the /etc/passwd file and this will enable the hacker to gain root privileges. The following UNIX command will search for SUID root files throughout the entire file system: find /-user root -perm -4000 -print.

The network administrator can reduce the possibility of illegal access through SUID files by ensuring that:

•  Only a minimum number of programs are assigned SUID file permissions.

•  Programs that are SUID are not writeable by users other than root.

•  Executables defined within the system cron tables (especially the root cron table) are not writeable by users other than root because they are effectively SUID root.

Computer Emergency Response Team Advisories

The Computer Emergency Response Team (CERT) issues advisories whenever a new security exposure has been identified. These exposures often allow unauthorized users to gain root access to systems. Hackers always keep abreast of the latest CERT advisories to identify newly found bugs in system software. CERT can be accessed via an anonymous FTP at info.cert.org.

The network administrator should ensure that:

•  All CERT advisories have been reviewed and acted on in a controlled and timely manner.

•  Checksums are used to ensure the integrity of CERT patches before they are implemented.

Hacker Bulletin Boards

The Internet has a large number of hacker bulletin boards and forums that act as an invaluable source of system security information. The most popular hacker bulletin board is the “2600” discussion group. Hackers from around the world exchange security information relating to various systems and often publish security-sensitive information relating to specific organizations or hacker techniques relating to specific programs.

The network administrator should ensure that the organization’s data security officer regularly reviews hacker bulletin boards to identify new techniques and information that may be relevant to the organization’s system environment.

Internet Software

The Internet offers a large number of useful tools, such as SATAN, COPS, and ISS, which can assist data security officers and administrators in securing computer resources. These tools scan corporate systems to identify security exposures. However, these tools are also available to hackers and can assist them in penetrating systems.

To identify and resolve potential security problems, the network administrator should ensure that:

•  The latest version of each security program is obtained and run in a regular manner. Each identified exposure should be promptly resolved.

•  The system is subject to regular security audits by both the data security officer and independent external consultants.

SUMMARY

Hacker activity is a real and ongoing threat that will continue to increase as businesses connect their internal corporate networks to the Internet. This chapter has described the most common hacker techniques that have allowed unauthorized persons to gain access to computer resources. The self-hack audit is becoming an increasingly critical technique for identifying security weaknesses that, if not detected and resolved in a timely manner, could allow hackers to penetrate the corporate system. System administrators and data security officers should keep abreast of the latest hacker techniques by regularly reading all CERT publications and hacker bulletin boards.