awm@gould.doc.ic.ac.uk (Aled Morris) (11/18/88)
I thought you might all like to read part of a letter which appeared in "Computer Weekly" (an English freebie paper) this week. It appeared under the banner "VIRUS ATTACK WAS AVOIDABLE" (!)

"The recent virus attack on the US defence computer network demonstrates three major points. First, the larger the network of interconnected computers, the more vulnerable it is. Secondly, breaking in is nearly always via authentic impersonation. Sophisticated line taps are unnecessary. Finally, passwords are a complete waste of time.

[Now the good bit]

"This highly dangerous incident that has attracted so much press attention recently was totally avoidable. If signature-based, biometric authentication techniques had been used instead of passwords, there is no way the virus could have multiplied in the way that it did.

[and so on]

"Alan Leibert, Alan Leibert Associates, Pinner, Middlesex.

Well, it made me laugh anyway. I wonder if the "Alan Leibert Associates" are on the net? I wonder what field of computing Mr. Leibert is involved in? Would _you_ buy a "biometric authentication" system from this man?

Aled Morris            mail: awm@doc.ic.ac.uk      | Department of Computing
systems programmer     uucp: ..!ukc!icdoc!awm      | Imperial College
                       talk: 01-589-5111x5085      | 180 Queens Gate, London SW7 2BZ
honey@mailrus.cc.umich.edu (peter honeyman) (11/19/88)
i've heard of "signing on" to a computer, but this is going too far.

peter
karn@ka9q.bellcore.com (Phil Karn) (11/20/88)
I've discovered another potential security hole in Berkeley FTP that may be widespread. If you run a UUCP gateway (or even if you don't), read on.

In all but apparently the most recent version of the BSD UNIX ftp daemon, any user giving a valid ID and password is allowed to use FTP. The only exceptions are IDs with null passwords (you can log in via telnet, but not FTP) and IDs listed in the file /etc/ftpusers. (The file is misnamed, since it contains a list of accounts that are to be DENIED FTP access.)

It appears that many sites do not list their alternate UUCP ids in this file. The most common example is "nuucp". Try ftping to your own site and logging in with your system's various uucp IDs and passwords. If it works, you are basically giving read access to most of your files to the whole world, since uucp passwords are usually not very secret.

To see if you've been hit, run "who /usr/adm/wtmp" and grep for lines of the form

nuucp    ftp17452 Nov  3 03:10 (oliver.bloomcounty.org)

It appears that the latest version of FTPD works differently. It looks at the shell entry for the ID in question and lets the user in only if that shell is on a list of "approved" shells. This is clearly the better way to go, but this is apparently a very new feature and is not yet widespread. (It also accounts for the reason you see "getusershell" come up undefined when you try to install Berkeley's new ftpd that fixes the anonymous ftp hole.) Perhaps Berkeley should post the sources to getusershell() and related routines.

Phil
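The two checks Phil describes (is every uucp-style account listed in /etc/ftpusers, and does wtmp show ftp logins under those accounts) can be scripted. The following is an added example, not code from the original post; it works on constructed sample data embedded in the script (the passwd, ftpusers and "who" output below are made up, as is the host name reused from the post), and on a real system you would feed it the contents of /etc/passwd, /etc/ftpusers and the output of `who /usr/adm/wtmp` instead. A hit in the wtmp check only shows that an ftp login under that ID occurred; whether the remote host is a legitimate neighbour has to be confirmed separately.

```shell
#!/bin/sh
# Added example: audit uucp-style accounts for FTP exposure.
# All sample data below is constructed for the demo, not taken from any system.

SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
uucp:x:4:4:uucp:/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:x:5:4:nuucp:/usr/spool/uucppublic:/usr/lib/uucp/uucico
alice:x:100:100:Alice:/home/alice:/bin/csh'

# Constructed /etc/ftpusers: accounts DENIED ftp access. Note nuucp is missing.
SAMPLE_FTPUSERS='root
uucp'

# Constructed "who /usr/adm/wtmp" output; ftp sessions show as "ftp<pid>".
SAMPLE_WTMP='alice    ttyp0    Nov  3 02:55
nuucp    ftp17452 Nov  3 03:10 (oliver.bloomcounty.org)
alice    ftp17460 Nov  3 03:12 (host.example.net)
nuucp    ftp17471 Nov  4 01:02 (oliver.bloomcounty.org)'

# Print every login name containing "uucp" from passwd content ($1)
# that does not appear as a whole line in ftpusers content ($2).
unlisted_uucp_accounts() {
    passwd=$1; ftpusers=$2
    printf '%s\n' "$passwd" | awk -F: '$1 ~ /uucp/ {print $1}' |
    while read -r name; do
        printf '%s\n' "$ftpusers" | grep -qx "$name" || echo "$name"
    done
}

# Count ftp logins by account $1 in who-style output $2.
ftp_logins_by() {
    name=$1; who_output=$2
    printf '%s\n' "$who_output" |
    awk -v n="$name" '$1 == n && $2 ~ /^ftp/ {c++} END {print c+0}'
}

# List the distinct remote hosts from which account $1 logged in via ftp,
# so each one can be checked against the site's known neighbours.
ftp_login_hosts() {
    name=$1; who_output=$2
    printf '%s\n' "$who_output" |
    awk -v n="$name" '$1 == n && $2 ~ /^ftp/ {gsub(/[()]/, "", $NF); print $NF}' |
    sort -u
}

# Demo on the constructed samples. On a real system use:
#   unlisted_uucp_accounts "$(cat /etc/passwd)" "$(cat /etc/ftpusers)"
#   ftp_logins_by nuucp "$(who /usr/adm/wtmp)"
echo "uucp-style accounts missing from ftpusers:"
unlisted_uucp_accounts "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS"
echo "ftp logins as nuucp: $(ftp_logins_by nuucp "$SAMPLE_WTMP")"
echo "remote hosts for nuucp ftp logins:"
ftp_login_hosts nuucp "$SAMPLE_WTMP"
```

The passwd check matches any login name containing "uucp", which catches the usual alternates (nuucp, xuucp and the like); a site with differently named transfer accounts would extend the pattern. The ftpusers list only helps on the older daemon Phil describes; with the newer shell-list behaviour the same accounts are kept out by not giving their shell (typically uucico) an entry in the approved list.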
gore@eecs.nwu.edu (Jacob Gore) (11/20/88)
/ news.sysadmin / karn@ka9q.bellcore.com (Phil Karn) / Nov 19, 1988 /

>Try ftping to your own site and
>logging in with your system's various uucp IDs and passwords. If it works,
>you are basically giving read access to most of your files to the whole
>world, since uucp passwords are usually not very secret. To see if you've
>been hit, run "who /usr/adm/wtmp" and grep for lines of the form
>
>nuucp    ftp17452 Nov  3 03:10 (oliver.bloomcounty.org)

This could also mean that oliver.bloomcounty.org is your TCP/UUCP neighbor.

Jacob Gore                Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.   {oddjob,gargoyle,att}!nucsrl!gore