Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: Two security issues
From: Brad . Powell @ EBay . Sun . COM ( Brad Powell - Sun CIS)
Date: Tue, 8 Feb 94 08:58:59 PST
To: hkatz @ nucmed . med . nyu . edu
Cc: Firewalls @ GreatCircle . COM
Classification: None


Henry,
all the comment wars are currently going on on comp.security, alt.security,
and comp.security.unix.

Do we need to see them here too?

My $0.02.

No new tricks were applied. Sendmail, loadmodule, rdist, yp/nis, and
PC-based packet sniffing were all exploited to gain initial entry and obtain 
root on internet systems.

Then the compromised systems were trojaned to snoop/sniff/tcpdump logins and
passwords on the internet.

We also have seen increased ISS activity, but this may be unrelated.
(or a super-strain of ISS).

Use of one-time passwords, digital tokens, or other enhanced authentication
technology, as well as decent firewalling prevents these attacks from
succeeding.
(plus keeping current on vendor patches)

=======================================================================
Brad Powell : brad . powell @ Sun . COM  |
                                         |
Full Time: Sr. Network Security Analyst  |Part time: Cyberspace PI
           Computer/Information Security.|           and Consultant
           Sun Microsystems Inc.         |
=======================================================================
               The views expressed are those of the author and may
                  not reflect the views of Sun Microsystems Inc.
=======================================================================

>From Firewalls-Owner @ GreatCircle . COM  Tue Feb  8 00:09:38 1994
>Date: Tue, 8 Feb 94 02:53:53 EST
>To: Firewalls @ GreatCircle . COM
>Subject: Two security issues
>Precedence: bulk
>X-Lines: 18
>
>Dear Firewalls readers,
>
>I am absolutely astounded that not a peep has been heard on this group
>since the CERT advisory last Thursday re widespread internet breakins.
>Today's WSJ said UCB, Texas and other sites were attacked probably from
>PA and Phoenix. Any comments?
>
>I also noted today, as I am currently involved in database administration,
>that the sybase user passwords are easily grep'd out of the master.dat
>files. Did I miss something here? This isn't strictly firewall related and I 
>shall cross-post to security groups.
>
>|Henry Katz                                                     |
>|ISCS, Inc (212)685.3057                                        |
>|Currently on contract to                                       |
>| Lehman Bros                    |          (212) 464.3363 (tel)|
>| 388 Greenwich St               |          (212) 464.3118 (fax)|
>| NY NY 10013                    |          hkatz @ lehman . com|
>

