The Top Three Internet Security Threats

ENT, Nov 22, 2000

On the south coast of Monterey Bay, adjacent to the Monterey Bay Aquarium, lies a small Stanford University research facility known as the Hopkins Marine Station.

Observers were shocked last February when computers at Hopkins were implicated in the large-scale, distributed denial of service (DDoS) attacks that disabled Yahoo, eBay, and other marquee Web sites. The attacker installed small programs on each computer, and sent a command to each compromised machine telling it which machine to attack, what type of attack to run, and how long to continue.

In the wake of these attacks, the President of the United States summoned 30 Internet leaders to determine how this could have happened and to discuss the prevention of future attacks. Participants representing the Computer Emergency Response Center at Carnegie Mellon University, the CERIAS Center at Purdue University, and the SANS Institute in Washington led this group effort.

A Preventable Crisis

Surprisingly, the group found that most successful attacks on the Internet are enabled by 10 small sets of flaws that are easy to correct--corrections that would probably have prevented the February 2000 DDoS attacks. The majority of Web defacings that occurred in the 1997 Solar Sunrise attack on Pentagon computers also would have failed. That attack compromised hundreds of computers at the Pentagon using just one of the flaws identified by the experts.

Security practitioners now estimate that 75 to 80 percent of all successful Internet security attacks are made possible by failures to correct one or more of these 10 issues. Now widely known as the Top Ten Internet Security Threats, the three most common are fully described in the following sections.

Threat Number 1: Vulnerable Mail Systems

Nearly 25 percent of all Internet "post offices" are vulnerable to being taken over with a simple, widely available attack tool. Post office refers to a system that translates addresses like 101communications.com into the numeric addresses that the Internet uses to route messages from place to place. Flaws in this software, known as the Domain Name Service or DNS, can allow the takeover of thousands of computers.

As an example, one attacker took over the DNS server of a New York financial institution. After gaining control, he installed a program that reads messages and looks for user name/password combinations. The attacker found the president of the organization's password and stole his files. In a similar case, the DNS server of a government-run, computer security incident response center was taken over. How could this happen?

Unfortunately, a shortage of technically skilled security people can affect organizations across the board. In a third case, a mid-sized Midwestern company's DNS server was taken over and used to attack hundreds of computers in Asia.

Why don't people correct this flaw? Some IT personnel are reluctant to upgrade their DNS software because it's working, and who knows what the upgrade will bring? That concern is usually unfounded. However, most people who don't fix the problem simply don't realize they have a weakness. The DNS weakness is particularly widespread because most copies of Linux and UNIX automatically install a copy of DNS. Many of these DNS versions aren't the latest available and have known flaws. The following guidance is accurate as of October 1, 2000.

Advice on removing threat number 1

1. Disable the BIND name daemon (named) on all systems that aren't authorized to be DNS servers. Some experts recommend you also remove the DNS software.

2. On machines that are authorized DNS servers, update to the latest version and patch level (as of May 22, 2000, the latest version was 8.2.2 patch level 5). Use the guidance contained in the following advisories:

* For the NXT vulnerability, where improper validation of NXT records can allow an intruder to overflow a buffer and execute arbitrary code with the privileges of the name server: http://www.cert.org/advisories/CA-1999-14.html.

* For the QINV (Inverse Query) and NAMED vulnerabilities, where an improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges: http://www.cert.org/advisories/CA-98.05.bind_problems.html#TOPIC1.

3. Run BIND as a non-privileged user for protection in the event of future remote-compromise attacks. However, only processes running as root can be configured to use ports below 1024--a requirement for DNS. Therefore, you must configure BIND to change the User ID after binding to the port.

4. Run BIND in a chroot()ed directory structure for protection in the event of future remote-compromise attacks.
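The four steps above can be checked from a shell. The script below is an added example, not part of the article or of BIND itself: it audits a process listing for named instances that still run as root or were started without a chroot (steps 3 and 4), prints the invocation that applies both protections using BIND's -u and -t options, and decides from an authorized-server list whether a given host should be running named at all (step 1). The process listing, host names and paths are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): audit BIND deployment against the
# advice above. All hosts, paths and the process listing are constructed.

# Constructed sample of `ps -eo user,pid,args` output from one host.
SAMPLE_PS='USER       PID ARGS
root       512 /usr/sbin/named
named      640 /usr/sbin/named -u named -t /var/named/chroot
root       701 /usr/sbin/sshd
root       802 /usr/sbin/named -u named'

# Step 3 check: number of named processes whose effective user is still root.
count_root_named() {
    printf '%s\n' "$1" | awk '$1 == "root" && $3 ~ /\/named$/ { n++ } END { print n + 0 }'
}

# Step 4 check: number of named processes started without the -t chroot option.
count_unjailed_named() {
    printf '%s\n' "$1" | awk '$3 ~ /\/named$/ && $0 !~ / -t / { n++ } END { print n + 0 }'
}

# Recommended invocation: named binds port 53 while still root, then switches
# to the unprivileged user given with -u and confines itself to the chroot
# directory given with -t.
hardened_named_cmd() {
    printf '/usr/sbin/named -u %s -t %s\n' "$1" "$2"
}

# Step 1: only hosts on the authorized list should run named at all.
# The list is a constructed sample; a real one comes from your DNS inventory.
AUTHORIZED_DNS='ns1.example.com ns2.example.com'
should_run_named() {
    for h in $AUTHORIZED_DNS; do
        [ "$h" = "$1" ] && { echo yes; return 0; }
    done
    echo no
}

# Report for the constructed sample.
echo "named processes still running as root: $(count_root_named "$SAMPLE_PS")"
echo "named processes without a chroot:      $(count_unjailed_named "$SAMPLE_PS")"
echo "hardened invocation: $(hardened_named_cmd named /var/named/chroot)"
echo "should webserver.example.com run named? $(should_run_named webserver.example.com)"
```

On a real host, replace SAMPLE_PS with the output of `ps -eo user,pid,args` and point the chroot directory at a tree that contains only the files named needs (its configuration, zone files and the device nodes it requires), so that a future remote compromise of the daemon stays confined to that directory and to an unprivileged account.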

Threat Number 2: How Most Web Sites Get Hacked

Many Web sites can be taken over and their contents maliciously modified, simply through a cunning method of running sample programs. Vulnerable sample programs are installed automatically with most Web server software, and not all site administrators know how to find and remove them.

Exploiting sample programs is the path that was probably used last February, when the pharmaceutical company Aastrom Bioscience's Web site was taken over and a bogus press release posted saying the company had received a buyout offer for nearly three times its then-current stock price. The price soared until the next morning, when trading was halted for two hours and a correction issued. In the meantime, the manipulated stock price and volume of shares traded created as much as $4 million in profits for someone associated with the attacker.
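Finding the leftover sample programs is the part administrators most often miss. The script below is an added example, not from the article or from any Web server vendor: it inventories the executable files under a site's cgi-bin directory and reports every one that is not on an approved list, so that anything installed by default and never reviewed stands out for removal. The directory tree, file names and approved list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): list executable CGI scripts that are
# not on an approved list. Directory layout and names below are constructed.

# Build a constructed cgi-bin tree in a temporary directory and print its path.
make_sample_cgibin() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin/samples"
    : > "$d/cgi-bin/search.cgi"            # the one script the site actually uses
    : > "$d/cgi-bin/samples/demo.cgi"      # constructed "shipped by default" samples
    : > "$d/cgi-bin/samples/sample1.cgi"
    : > "$d/cgi-bin/README"                # not executable, so not a CGI program
    chmod +x "$d/cgi-bin/search.cgi" "$d/cgi-bin/samples/demo.cgi" "$d/cgi-bin/samples/sample1.cgi"
    echo "$d"
}

# Print, one per line and sorted, every executable file under $1/cgi-bin whose
# path relative to $1 does not appear as a whole line in the approved-list file $2.
unapproved_cgi() {
    root="$1"; allow="$2"
    ( cd "$root" && find cgi-bin -type f | sort ) | while read -r p; do
        [ -x "$root/$p" ] || continue
        grep -qx "$p" "$allow" || echo "$p"
    done
}

# Run against the constructed tree with a one-entry approved list.
site=$(make_sample_cgibin)
printf 'cgi-bin/search.cgi\n' > "$site/approved.txt"
echo "executable CGI scripts not on the approved list:"
unapproved_cgi "$site" "$site/approved.txt"
rm -rf "$site"
```

Run it against the real document root with an approved list maintained by the people who own the site's scripts; each unapproved entry is either a sample program to delete or a script that should be reviewed and then added to the list.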

Content provided in partnership with Thompson Gale