Moral Question for the group

Post by Marquis de Carvdaw » Sat, 23 Jan 1999 04:00:00



This really isn't a moral dilemma so much as it is a question of due diligence of sysadmins...

Not too long ago, I received word via the 'groups that a particular
IP address yielded interesting information when telnetted to.
I tried it...and found it to be an unpassworded switch.  I immediately
contacted the contact I got from a whois lookup and it was
fixed immediately.

Recently, within the past several weeks, I have received information
regarding two more switches...different IPs from the first.  Not only
are they open to telnet (no password), but the Java management
interface to the switches is really cool!!  In fact, someone could shut
down the switch by clicking their mouse twice!

I have tried to contact everyone I have found via whois, etc.  I have tried calling.  I got the IPs from a skript kiddie at the school...I am afraid that they will post the IPs on the Internet.  I have yet to get a response to any of my queries, and the switches haven't been 'fixed'.

Now, the question to pose is this:  I could alter the sysContact and sysInfo to hold a little message, and then shut the switches down myself.  But technically, that's a crime.  Or I could just walk away and leave these folks at the mercy of the skript kiddies.  I'm not asking for you to decide...I am still trying to get in touch with someone...


Moral Question for the group

Post by Tony Langd » Sat, 23 Jan 1999 04:00:00


It's 23 Jan 99  01:49:20,

discussion of Moral Question for the group

 ca> Now, the question to pose is this:  I could alter the sysContact and
 ca> sysInfo
 ca> to hold a little message, and then shut the switches down myself.  But
 ca> technically, that's a crime.  Or I could just walk away and leave
 ca> these folks
 ca> at the mercy of the skript kiddies.  I'm not asking for you to
 ca> decide...I am
 ca> still trying to get in touch with someone...

I would avoid doing this.  While your intentions are good, if anything
ever happens to their network, you may find yourself on the wrong end of
a lawsuit.  Just keep persevering for a contact to fix it up.

Hmm, it's not an HP switch by any chance?  (they have the web
interface)...

.. A person who looks up to God rarely looks down on people.
--
|Fidonet:  Tony Langdon 3:633/284.18

|
| Standard disclaimer: The views of this user are strictly his own.


Moral Question for the group

Post by Barry Margoli » Sat, 23 Jan 1999 04:00:00




>Now, the question to pose is this:  I could alter the sysContact and
>sysInfo
>to hold a little message, and then shut the switches down myself.  But
>technically, that's a crime.  Or I could just walk away and leave these
>folks
>at the mercy of the skript kiddies.  I'm not asking for you to
>decide...I am
>still trying to get in touch with someone...

I don't think you should do anything that directly impacts the operation of
the switches.  It sounds like you performed due diligence in trying to
notify the operators of the switches.  If they're not returning your calls,
that's their problem, not yours.  If they have problems because the
addresses get posted onto cracker groups, they have no one to blame but
themselves for ignoring your messages.  Unless you have some business
relationship with these sites that implies some responsibility for their
proper operation, I think you can give up once you've exhausted the obvious
avenues to reach them.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.


Moral Question for the group

Post by Betsy Schwart » Sat, 23 Jan 1999 04:00:00


I agree with Barry. In fact, I think it is questionable to even test the
switches yourself. Someone could take that the wrong way and it could
hurt you.

I would just make a reasonable attempt to contact the owner and give them
the information of interest.

--


If this looks funny the                 baby is trying to help me type!


Moral Question for the group

Post by Marquis de Carvdaw » Sat, 23 Jan 1999 04:00:00


> I agree with Barry. In fact, I think it is questionable to even test the
> switches yourself. Someone could take that the wrong way and it could
> hurt you.

To the group...

I have no intention of doing anything whatsoever to the switches
(yes, they are HP switches).  I am still trying to get someone...via
some means other than voice or email...

But this begs another question...these switches are freely accessible
via a browser.  What about other machines...open shares or NFS mounts
without passwords?  At what point does accessing such things stop
being defined under a federal crime, and become the responsibility
of the sysadmin.  I mean, if you have no legitimate reason to do so, but
you access or mount an open share, or access a switch via Netscape,
or a VAX/VMS system via port 15...at what point does this cease to be
unauthorized access, and the burden goes back to the sysadmin?

Also, why are such things still accessible today?  For example, I thought
the days of default passwords were gone with Cliff Stoll ("The Cuckoo's
Egg"), but there are VAXes with default passwords, unpassworded NT
boxes, etc.  Why?


Moral Question for the group

Post by dbel » Sat, 23 Jan 1999 04:00:00


> Also, why are such things still accessible today?  For example, I thought
> the days of default passwords were gone with Cliff Stoll ("The Cuckoo's
> Egg"), but there are VAX's with default passwords, unpassworded NT
> boxes, etc.  Why?

Two reasons, IMHO: 1) people are lazy and ignorant. There are lots of
admins and users out there who don't give a damn about security until
something bad happens to them. I won't debate why they feel this way here,
just suffice it to say that these people are very common. 2) most buyers
of OSes/software are not willing to pay extra for security.  Accordingly,
most commercial software vendors have no incentive to ship more secure
products. Some open-source products (OpenBSD comes to mind) take security
much more seriously, but they are a minority.

--
Daniel Bell
Heuer's Law: Any feature is a bug unless it can be turned off.


Moral Question for the group

Post by Alan J Rosenth » Sun, 24 Jan 1999 04:00:00



>Recently, within the past several weeks, I have received information
>regarding two more switches...different IPs from the first.  Not only
>are they open to telnet (no password), but the Java management
>interface to the switches is really cool!!  In fact, someone could shut
>down the switch by clicking their mouse twice!

>I have tried to contact everyone I have found via whois, etc.
...
>Now, the question to pose is this:  I could alter the sysContact and
>sysInfo
>to hold a little message, and then shut the switches down myself.  But
>technically, that's a crime.

I think that it's not just *technically* a crime.  You are breaking their
equipment (albeit temporarily).

>Or I could just walk away and leave these folks at the mercy of the skript
>kiddies.

You have many options, not just those two.  You could try to escalate it
within the organization, or you could contact someone like CERT -- they may
pass on the information and your target organization may take it more
seriously if it comes from someone like CERT.  Or you could send anonymous
e-mail to a large variety of people in the organization.  Or find someone
else at the organization (perhaps also via whois) who is NOT in charge of the
router, and mail them the info on how to shut down their organization's
router and try to get *them* angry about it.

Moral Question for the group

Post by Marquis de Carvdaw » Sun, 24 Jan 1999 04:00:00


> Two reasons, IMHO: 1) people are lazy and ignorant. There are lots of
> admins and users out there who don't give a damn about security until
> something bad happens to them. I won't debate why they feel this way here,
> just suffice it to say that these people are very common. 2) most buyers
> of OSes/software are not willing to pay extra for security.  Accordingly,
> most commercial software vendors have no incentive to ship more secure
> products. Some open-source products (OpenBSD comes to mind) take security
> much more seriously, but they are a minority.

I would tend to agree with this.  Funny how MCSEs learn nothing about
security, yet they are more sought after than security guys like me....

And as far as paying extra...that may simply be paying someone $10k more per year b/c they DO know how to secure a system.  But since firms still want to treat their IT Ops folks like bastard step-children (in most, but not all, cases) I think it's going to be a problem for a while...


Moral Question for the group

Post by jik.. » Tue, 26 Jan 1999 04:00:00



>Recently, within the past several weeks, I have received information
>regarding two more switches...different IPs from the first.  Not only
>are they open to telnet (no password), but the Java management
>interface to the switches is really cool!!  In fact, someone could shut
>down the switch by clicking their mouse twice!

>I have tried to contact everyone I have found via whois, etc.
...
>Now, the question to pose is this:  I could alter the sysContact and
>sysInfo
>to hold a little message, and then shut the switches down myself.  But
>technically, that's a crime.

In 1995, Randall Schwartz (sp?), author of the perl camel book, had
root privileges in one department at Intel where he used to work as a
consultant. When he moved to another department, they did not delete
that account. Randall ran crack on the first department's server,
cracked a significant percent of the passwords, and notified the
sysadmins. And the return he got from Intel? A criminal lawsuit,
which resulted in conviction on 3 counts of felony, suspended
sentences, $68,000 restitution, etc.

[the 'we don't have a clue' sidebar: On the first machine, he left a
.forward file, which Intel presented as a back-door in court. And won
that count.]

The lesson: DON'T probe other people's networks and computers.

As Barry suggested, if they have some business relationship with you
and you are concerned that your assets may become vulnerable because
of their sloppy security, request a security audit from them, more or
less in the same way companies are demanding Y2K compliance from
business partners.

I hope the people you are trying to warn do not see this post and get
ideas :-)

JI


Moral Question for the group

Post by Julian T. J. Midgl » Tue, 26 Jan 1999 04:00:00





>>Recently, within the past several weeks, I have received information
>>regarding two more switches...different IPs from the first.  Not only
>>are they open to telnet (no password), but the Java management
>>interface to the switches is really cool!!  In fact, someone could shut
>>down the switch by clicking their mouse twice!

>>I have tried to contact everyone I have found via whois, etc.
>...
>>Now, the question to pose is this:  I could alter the sysContact and
>>sysInfo
>>to hold a little message, and then shut the switches down myself.  But
>>technically, that's a crime.

>In 1995, Randall Schwartz (sp?), author of the perl camel book, had
>root privilages in one department at Intel where he used to work as a
>consultant. When he moved to another department, they did not delete
>that account. Randall  ran crack on the first department's server,
>cracked a significant percent of the passwords, and notified the
>sysadmins. And the return he got from intel? A criminal law-suit,
>which resulted in conviction to 3 counts of felony, suspended
>sentences, $68,000 restitution, etc.

All of which serves to illustrate the idiocy of both the Intel
sysadmins, and the US courts, regardless of the fact that it may also
be a warning not to probe other people's machines without prior
permission.

--

Trinity Hall, Cambridge |  Excession: http://excession.ucam.org
"For every complex problem, there is a solution that is simple,
neat, and wrong."  (H. L. Mencken)


Moral Question for the group

Post by Alan J Rosenth » Tue, 26 Jan 1999 04:00:00



>I mean, if you have no legitimate reason to do so, but
>you access or mount an open share, or access a switch via Netscape,
>or a VAX/VMS system via port 15...at what point does this cease to be
>unauthorized access, and the burden goes back to the sysadmin?

Never.  It is always unauthorized access.  Responsibility does not sum to a
constant.  It is possible for multiple people each to be fully responsible for
a particular transgression.

Moral Question for the group

Post by Paul Slootm » Wed, 27 Jan 1999 04:00:00



>In 1995, Randall Schwartz (sp?), author of the perl camel book, had

It's Randal with one 'l'.

>root privilages in one department at Intel where he used to work as a
>consultant. When he moved to another department, they did not delete
>that account. Randall  ran crack on the first department's server,
>cracked a significant percent of the passwords, and notified the
>sysadmins. And the return he got from intel? A criminal law-suit,
>which resulted in conviction to 3 counts of felony, suspended
>sentences, $68,000 restitution, etc.

Read up on it at http://www.lightlink.com/spacenka/fors/ . Be prepared
to be amazed at such a stupendous miscarriage of justice. Learn the
lesson.

I know that *I* will never attempt to help any one with security matters
if I don't have a signed contract stipulating what I am and am not
allowed to do.

Paul Slootman
--

http://www.wurtel.demon.nl | Murphy Software,   Enschede,   the Netherlands