Computer Security Update

Bob Cowles, SLAC, bob.cowles@stanford.edu

Presented at HEPiX - TRIUMF, 23 Oct 2003

Work supported by U. S. Department of Energy contract DE-AC03-76SF00515


Slammer Impact


[Map of Slammer impact; labelled regions: Australia, Japan, Korea, China, India]


http://www.microsoft.com/security/security_bulletins/


Application of Patches to Windows

[Chart: Vulnerable Systems (y-axis, 0 to 2000) against Days Since Patch Released (x-axis, 1 to 31); series: MS03-026, MS03-039, MS03-043, Internet Avg; annotations: MSBlaster Released, MSBlaster at SLAC]


FireWall Log – Infected Machines

Sep 16 18:29:18 icmp 134.79.137.220 -> 134.79.72.98 (8/0)
Sep 16 18:29:19 icmp 134.79.137.220 -> 134.79.72.198 (8/0)
Sep 16 18:29:20 icmp 134.79.137.220 -> 134.79.73.42 (8/0)

Sep 16 18:38:46 tcp 134.79.137.220(3325) -> 134.76.2.205(135)
Sep 16 18:38:47 tcp 134.79.137.220(3169) -> 134.76.2.48(135)
Sep 16 18:38:48 tcp 134.79.137.220(3249) -> 134.76.2.128(135)

Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.0 (8/0)
Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.64 (8/0)
Sep 16 18:40:07 icmp 134.79.129.243 -> 134.79.72.128 (8/0)

Sep 16 18:40:17 tcp 134.79.136.68(4107) -> 134.79.124.0(135)
Sep 16 18:40:18 tcp 134.79.136.68(4194) -> 134.79.124.98(135)
Sep 16 18:40:19 tcp 134.79.136.68(4292) -> 134.79.124.196(135)

Sep 16 22:28:25 tcp 134.79.129.243(4413) -> 134.76.24.39(135)
Sep 16 22:28:26 tcp 134.79.129.243(4377) -> 134.76.22.41(135)
Sep 16 22:28:27 tcp 134.79.129.243(4383) -> 134.76.22.113(135)
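As an added example (not part of the original slides), the Python below parses firewall lines in the format shown above and flags internal sources that sweep several distinct hosts with ICMP echo requests or tcp/135 connection attempts, which is the pattern the infected machines in this log display. The sample input is the slide's own excerpt; the site prefix 134.79.0.0/16, the year 2003 (the log lines carry no year) and the threshold of three distinct targets are assumptions, as is the name of every function.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Firewall log excerpt as shown on the slide (SLAC, 16 Sep 2003), one entry per line.
FIREWALL_LOG = """\
Sep 16 18:29:18 icmp 134.79.137.220 -> 134.79.72.98 (8/0)
Sep 16 18:29:19 icmp 134.79.137.220 -> 134.79.72.198 (8/0)
Sep 16 18:29:20 icmp 134.79.137.220 -> 134.79.73.42 (8/0)
Sep 16 18:38:46 tcp 134.79.137.220(3325) -> 134.76.2.205(135)
Sep 16 18:38:47 tcp 134.79.137.220(3169) -> 134.76.2.48(135)
Sep 16 18:38:48 tcp 134.79.137.220(3249) -> 134.76.2.128(135)
Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.0 (8/0)
Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.64 (8/0)
Sep 16 18:40:07 icmp 134.79.129.243 -> 134.79.72.128 (8/0)
Sep 16 18:40:17 tcp 134.79.136.68(4107) -> 134.79.124.0(135)
Sep 16 18:40:18 tcp 134.79.136.68(4194) -> 134.79.124.98(135)
Sep 16 18:40:19 tcp 134.79.136.68(4292) -> 134.79.124.196(135)
Sep 16 22:28:25 tcp 134.79.129.243(4413) -> 134.76.24.39(135)
Sep 16 22:28:26 tcp 134.79.129.243(4377) -> 134.76.22.41(135)
Sep 16 22:28:27 tcp 134.79.129.243(4383) -> 134.76.22.113(135)
"""

# Assumption: the site's own address block; destinations outside it are "off-site".
SITE_NET = ipaddress.ip_network("134.79.0.0/16")

# "Mon DD HH:MM:SS proto src[(sport)] -> dst[(dport)] [(type/code)]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<proto>icmp|tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?$"
)


@dataclass
class Event:
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: Optional[int]      # TCP/UDP destination port, if any
    icmp_type: Optional[int]  # ICMP type (8 = echo request), if any


def parse_line(line: str, year: int = 2003) -> Optional[Event]:
    """Parse one firewall line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["proto"], m["src"], m["dst"],
                 int(m["dport"]) if m["dport"] else None,
                 int(m["itype"]) if m["itype"] else None)


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


@dataclass
class SourceSummary:
    src: str
    first_seen: datetime
    last_seen: datetime
    icmp_echo_targets: Set[str] = field(default_factory=set)
    tcp135_targets: Set[str] = field(default_factory=set)
    offsite_targets: Set[str] = field(default_factory=set)


def summarize(events: List[Event], site_net=SITE_NET) -> Dict[str, SourceSummary]:
    """Per source IP: distinct echo targets, distinct tcp/135 targets, off-site targets."""
    summaries: Dict[str, SourceSummary] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        s = summaries.get(e.src)
        if s is None:
            s = summaries[e.src] = SourceSummary(e.src, e.ts, e.ts)
        s.last_seen = e.ts
        if e.proto == "icmp" and e.icmp_type == 8:
            s.icmp_echo_targets.add(e.dst)
        if e.proto == "tcp" and e.dport == 135:
            s.tcp135_targets.add(e.dst)
        if ipaddress.ip_address(e.dst) not in site_net:
            s.offsite_targets.add(e.dst)
    return summaries


def flag_blaster_scanners(events: List[Event], min_targets: int = 3,
                          site_net=SITE_NET) -> Dict[str, SourceSummary]:
    """Sources that touched >= min_targets distinct hosts on tcp/135 or with ICMP echo."""
    return {src: s for src, s in summarize(events, site_net).items()
            if len(s.tcp135_targets) >= min_targets
            or len(s.icmp_echo_targets) >= min_targets}


if __name__ == "__main__":
    for src, s in flag_blaster_scanners(parse_log(FIREWALL_LOG)).items():
        print(f"{src}: {len(s.icmp_echo_targets)} echo targets, "
              f"{len(s.tcp135_targets)} tcp/135 targets, "
              f"{len(s.offsite_targets)} off-site, "
              f"active {s.first_seen:%H:%M:%S}-{s.last_seen:%H:%M:%S}")
```

The distinct-target count is what separates a worm sweep from normal traffic: a legitimate RPC client talks to one or two servers, while every source in this excerpt walks consecutive addresses. Counting off-site targets separately shows which hosts are already spreading the infection beyond the site boundary and so belong at the top of the containment list.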


Infection Sources @ SLAC

• 32% VPN

• 22% DHCP (reg, internal network)

• 20% Fixed IP

– On vacation, laptop infected outside, etc.

• 14% Infected during build / patch

• 12% Dialup


Blaster - Easy to Get Infected

09/29/103 11:46:42 Host: 134.79.25.55 Port: 135 TCP Blocked
09/29/103 11:46:41 Host: 134.79.25.55 Port: 135 TCP Blocked

email @ 12:21pm:
Bob, is host "illusion" yours, as per my so-called memory? But the mac addr is registered to Richard Mount ...

Sep 29 11:41:37 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:10:a4:e4:2a:b8 (illusion)

host roam-rmount2 { hardware ethernet 00:10:a4:e4:2a:b8; } # 01/25/00 # PC54566, Richard Mount
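The triage chain on this slide (a blocked host IP, the DHCPACK that leased it, and the dhcpd.conf reservation whose comment names the owner) can be automated. The Python below is an added example, not the slides' or SLAC's own tooling: the sample inputs are the slide's own lines plus one constructed firewall entry (134.79.25.77) for a host with no lease on record, so the unresolved case is visible; the regular expressions are mine and match only the three formats shown on the slide.

```python
import re
from typing import Dict, List

# Inputs taken from the slide (SLAC, 29 Sep 2003). The third firewall line is
# constructed for this example: a blocked host that has no DHCPACK on record.
BLOCKED_LOG = """\
09/29/103 11:46:42 Host: 134.79.25.55 Port: 135 TCP Blocked
09/29/103 11:46:41 Host: 134.79.25.55 Port: 135 TCP Blocked
09/29/103 11:50:03 Host: 134.79.25.77 Port: 135 TCP Blocked
"""

DHCP_LOG = """\
Sep 29 11:41:37 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:10:a4:e4:2a:b8 (illusion)
"""

DHCPD_CONF = """\
host roam-rmount2 { hardware ethernet 00:10:a4:e4:2a:b8; } # 01/25/00 # PC54566, Richard Mount
"""

BLOCK_RE = re.compile(r"Host: (?P<ip>\d+\.\d+\.\d+\.\d+) Port: (?P<port>\d+) (?P<proto>\w+) Blocked")
ACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
                    r"(?: \((?P<host>[^)]*)\))?")
# One-line "host NAME { hardware ethernet MAC; } # comment" reservations, as on the slide.
HOST_RE = re.compile(r"host\s+(?P<name>\S+)\s*\{[^}]*?hardware\s+ethernet\s+"
                     r"(?P<mac>[0-9a-fA-F:]{17})\s*;[^}]*\}[ \t]*(?P<note>#.*)?")


def blocked_hosts(log: str, port: int = 135) -> Dict[str, int]:
    """Count firewall blocks per source IP for the given destination port."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        m = BLOCK_RE.search(line)
        if m and int(m["port"]) == port:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


def dhcp_leases(log: str) -> Dict[str, dict]:
    """Map IP -> the most recent DHCPACK (MAC, client hostname, timestamp) in the log."""
    leases: Dict[str, dict] = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:  # later lines overwrite earlier ones, so the last ACK wins
            leases[m["ip"]] = {"mac": m["mac"].lower(), "hostname": m["host"], "ack": line[:15]}
    return leases


def dhcpd_reservations(conf: str) -> Dict[str, dict]:
    """Map MAC -> reservation name and the registration comment from dhcpd.conf."""
    reservations: Dict[str, dict] = {}
    for m in HOST_RE.finditer(conf):
        reservations[m["mac"].lower()] = {
            "reservation": m["name"],
            "registration_note": (m["note"] or "").strip(),
        }
    return reservations


def triage(blocked_log: str, dhcp_log: str, conf: str) -> List[dict]:
    """Join blocked IPs to leases and registrations; unresolved fields stay None."""
    blocks = blocked_hosts(blocked_log)
    leases = dhcp_leases(dhcp_log)
    reservations = dhcpd_reservations(conf)
    records = []
    for ip in sorted(blocks):
        lease = leases.get(ip)
        mac = lease["mac"] if lease else None
        reg = reservations.get(mac, {}) if mac else {}
        records.append({
            "ip": ip,
            "block_count": blocks[ip],
            "mac": mac,
            "hostname": lease["hostname"] if lease else None,
            "lease_ack": lease["ack"] if lease else None,
            "reservation": reg.get("reservation"),
            "registration_note": reg.get("registration_note"),
        })
    return records


if __name__ == "__main__":
    for r in triage(BLOCKED_LOG, DHCP_LOG, DHCPD_CONF):
        owner = r["registration_note"] or "no registration found"
        print(f"{r['ip']} blocked x{r['block_count']}: mac={r['mac']} "
              f"host={r['hostname']} reservation={r['reservation']} ({owner})")
```

The join is on the MAC address, not the hostname the client reports in its DHCP request, which is exactly why the email on the slide was puzzled: the client called itself "illusion" while the reservation belonged to someone else. The second record, with every field after the block count unresolved, is the case that needs a switch-port or ARP lookup instead.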


https://rhn.redhat.com/errata/rh73-errata-security.html


http://docs.info.apple.com/article.html?artnum=61798


http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec


http://www.cisco.com/warp/public/707/advisory.html


It Sucks Not to Patch

• Popular rootkit in many variations

• Hides files, directories, processes; precompiled password

• With keyboard and/or ssh sniffers

• Listens on *all* open ports for backdoor

• Any port open inbound allows the backdoor signal; sk then opens an outbound TCP connection for an encrypted shell


suckit (cont)

• Home page http://hysteria.sk/sd/

• Latest versions not publicly available

• Also find exploits for

– ptrace

– sendmail 8.11.x


[Trend Micro virus map panels: Last 24 Hours, Last 30 Days]

http://www.trendmicro.com/map/


Ballmer @ Gartner ITXpo

• Windows has fewer vulnerabilities than RH Linux [RH6]

• No roadmap for Linux. There’s nobody to hold accountable for security issues

• The security of Microsoft products is our top priority. We have our best brains on it.

• We understand this is an issue of customer satisfaction.

http://www.theregister.co.uk/content/4/33522.html


Microsoft @ Stanford

• Universities tend to be a worst case

• Diverse, unmanaged

– Population

– Hardware

– Software

• Unlikely to fit into AD model

• Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes


Feedback to Microsoft

• Clear & meaningful impact statements

• Fix IE (30+ outstanding bugs)

• Reduce the attack vector (profile services)

• Don’t require license check for security patches (e.g. MS Office CD)

• No tie-in to IE (no active scripting)


Feedback to Microsoft (cont)

• Open up patching tools and process

• Understand 3rd party tools +/-

• Allow other vendors to use same tools for their Windows products

• Provide feedback on real patch status (local & remote)

• Need general patch deployment tool not requiring AD


Conclusions

[Unchanged from last year]

• Poor administration is still a major problem

• Firewalls cannot substitute for patches

• Multiple levels of virus/worm protection are necessary

• Clue is more important than open source


No Easy Solutions

Questions?