Let's see how long CERT takes this time...

Post by Graham To » Fri, 19 Nov 1993 20:50:48



I've just had an urgent message from an admin of a site I have
an account on (one I seldom use actually, and when I do, mostly
with rlogin, so I may have been lucky) telling me that someone
has hacked into Barnet (Barrnet?) and has been packet-sniffing
their traffic.  This is the panix thing all over again, but worse
because these guys are a whole network provider rather than a
single site.

Anyone else who accesses anywhere else via Barnet would be well
advised to change their password.

The thing this tells me more than anything else is that it *really*
is time to get encrypted sessions going.  It was OK when only Uncle
Tom NSA et al could sniff your packets, but if nets are open enough
for any Tom* and Harry then it's time to draw the line.

Meanwhile, I'll start using rlogin to *everywhere* I call on the
net, and encouraging more people I mail with to use pgp if they
don't already...  (If anyone knows any nasties with rlogin, let
us know.  I mean at the outside attack level, not at the hacking
someone's .rhosts or /etc/hosts.equiv level...)

This isn't a criticism of that particular network-provider -
I don't know the whole story, and I'm sure something like this
could happen to any network provider.  But I thought the warning
about possible snooping and the suggestion to change your password
ought to be passed on more widely, ASAP, before the crackers make
use of any they found.  Also I'd like to hear more discussion on
how to foil such snooping, preferably at a user level for cases
(ie most cases) where we have no control over the host we log
in to.  For instance, how could a user on, say, netcom, set himself
up with a startup shell that asked for a subsidiary password and
started up an encrypted interface over the telnet or serial line
session?  (If you can't change your shell, for instance, is there
any way to start up a program in your .login that can't be circumvented
by hitting ^C early enough?)

G
(Now we sit back and wait for a week for CERT to announce the
break-in...)


Let's see how long CERT takes this time...

Post by James - The Keep » Sat, 20 Nov 1993 16:05:09



=
=Meanwhile, I'll start using rlogin to *everywhere* I call on the
=net, and encouraging more people I mail with to use pgp if they
=don't already...  (If anyone knows any nasties with rlogin, let
=us know.  I mean at the outside attack level, not at the hacking
=someone's .rhosts or /etc/hosts.equiv level...)
=

Add a few lines of code and your rlogind will ignore .rhosts and
/etc/host.equiv.

--

DATA# 714-539-0829,830-6061,310-527-4279 818-579-6701 16.8k/14.4k 8-N-1
ZyXEL U-1496E 16.8K: $279.00, U-1496E+ 19.2K: $389.00 Voice/FAX/Data Modems
AT&T DATA Port 14.4K: $189.00(Int) $209(Ext) w/ QuickLink II, FAX/DATA Modems


Let's see how long CERT takes this time...

Post by William Unr » Sat, 20 Nov 1993 16:25:55



>use of any they found.  Also I'd like to hear more discussion on
>how to foil such snooping, preferably at a user level for cases
>(ie most cases) where we have no control over the host we log
>in to.  For instance, how could a user on, say, netcom, set himself

skey does work, but it does require the sysadmin to cooperate by
at best changing the login and su routines (and ftpd) or at worst
allowing the use of their special shell which just asks for a public
response passphrase. It is not the most convenient thing (an encrypted
protocol would be that) but it does work (modulo a few fixups in their
posted programs.)
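The one-time-password scheme William refers to is a hash chain: the server holds only the current chain head, the user answers each challenge with the preimage of that head, and a sniffed answer is worthless once it has been accepted. The following is an added illustration, not S/Key's own code; it substitutes SHA-256 for S/Key's folded MD4 and six-word encoding, and the seed, counter and passphrase are constructed sample values.

```python
import hashlib

def _step(x: bytes) -> bytes:
    # One hash-chain step. Real S/Key uses MD4 folded to 64 bits and a
    # six-word encoding; SHA-256 here is a simplifying assumption.
    return hashlib.sha256(x).digest()

def chain_value(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: H^count(passphrase || seed). Only the client knows the passphrase."""
    x = (passphrase + seed).encode()
    for _ in range(count):
        x = _step(x)
    return x

class OtpServer:
    """Server side: stores only the current chain head, never the passphrase,
    so a copy of its file yields nothing a sniffer could not also get."""
    def __init__(self, seed: str, count: int, head: bytes):
        self.seed, self.count, self.head = seed, count, head

    def challenge(self):
        # Sent in the clear: the client must answer with H^(count-1).
        return self.seed, self.count - 1

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False            # chain exhausted: re-initialise with a new seed
        if _step(response) != self.head:
            return False            # wrong passphrase, or a replayed/stale response
        # Accept and advance: the response becomes the new head, so the same
        # value can never be accepted again even if it was sniffed in transit.
        self.head, self.count = response, self.count - 1
        return True

def demo() -> tuple:
    """Two logins and one replay of a sniffed response: returns (True, False, True)."""
    seed, n, passphrase = "ba12345", 100, "correct horse battery staple"   # constructed
    server = OtpServer(seed, n, chain_value(passphrase, seed, n))
    s, c = server.challenge()
    first_response = chain_value(passphrase, s, c)
    first = server.verify(first_response)
    replay = server.verify(first_response)       # what a sniffer could replay
    s, c = server.challenge()
    second = server.verify(chain_value(passphrase, s, c))
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```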

Let's see how long CERT takes this time...

Post by Bill Staplet » Sun, 21 Nov 1993 01:14:23



> Add a few lines of code and your rlogind will ignore .rhosts and
> /etc/host.equiv.

So that everybody has to type in their password across that * network?

On a few of our machines here without shadow passwords of some flavor, I've
zapped my password and always login via rlogin+.rhosts file.  No password
to sniff, no password to crack, no password to guess.  The ".rhosts" file is
not always a bad thing.  Like anything else, it can be abused.  But for the
most part, it's probably not the weak link in the chain.

--
Bill Stapleton

     uwmcsd4!wls


Let's see how long CERT takes this time...

Post by Timothy Newsh » Sun, 21 Nov 1993 04:47:50




>> Add a few lines of code and your rlogind will ignore .rhosts and
>> /etc/host.equiv.

>So that everybody has to type in their password across that * network?

>On a few of our machines here without shadow passwords of some flavor, I've
>zapped my password and always login via rlogin+.rhosts file.  No password
>to sniff, no password to crack, no password to guess.  The ".rhosts" file is
>not always a bad thing.  Like anything else, it can be abused.  But for the
>most part, it's probably not the weak link in the chain.

.rhosts are not a bad thing?  Authentication on the basis of IP address
*is* a bad thing.  What happens when the hackers start using DNS hacks
to get into your system?  What happens when they start guessing sequence
numbers?  And worst of all, what happens when they get onto one of your
trusted machines?  From there it's just a hop, skip and an rlogin to all of
your accounts.

.rhosts are not the answer.  We need secure remote logins, challenge
and response done transparently or key exchange followed by an encrypted
session.

>Bill Stapleton

>     uwmcsd4!wls


Let's see how long CERT takes this time...

Post by Michael Sierch » Sun, 21 Nov 1993 03:24:56




>I've just had an urgent message from an admin of a site I have
>an account on (one I seldom use actually, and when I do, mostly
>with rlogin, so I may have been lucky) telling me that someone
>has hacked into Barnet (Barrnet?) and has been packet-sniffing
>their traffic.  This is the panix thing all over again, but worse
>because these guys are a whole network provider rather than a
>single site.

>Anyone else who accesses anywhere else via Barnet would be well
>advised to change their password.

Yeah, please change your password while I'm listening.... :-)

--
A man sometimes devotes his life to a desire which he is not sure will ever be
fulfilled.  Those who laugh at this folly are, after all, no more than mere
spectators of life.
                                                   - Ryunosuke Akutagawa


Let's see how long CERT takes this time...

Post by Rahul Dhe » Sun, 21 Nov 1993 09:20:20



Newsham) writes:
>.rhosts are not a bad thing?  Authentication on the basis of IP address
>*is* a bad thing.  What happens when the hackers start using DNS hacks
>to get into your system?

I sense a little confusion here.  DNS is used to map between an IP
address and a host name.  When a .rhosts file contains an IP address
rather than a host name, DNS plays no role in the authentication
involved.  Granted, somebody with the ability to inject packets en
route and fool the routers could still spoof some other host's IP
address, but this (a) is harder to do than to spoof DNS, and
(b) has absolutely nothing to do with any flaws in DNS.

There are rlogin servers that won't recognize IP addresses in .rhosts
files, and perhaps you have to deal with one of those.  But not
everybody else does.   Given the wide availability of source for the r*
commands, this problem is easily solvable.
--
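Rahul's distinction between an entry that trusts a raw address and one that trusts a name (and so rests on DNS) is exactly what an audit of these files should surface. The script below is an added illustration, not from any poster; it classifies the entries of a .rhosts or hosts.equiv file by what each trust decision rests on, assuming the BSD format of one host per line with an optional user field, "+" as a wildcard, "+@" for a netgroup, a leading "-" for a deny entry, and "#" comments (as in 4.4BSD's ruserok). The sample file contents are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample file contents (not from any real host).
SAMPLE_RHOSTS = """\
# workstation trusted by name: rlogind resolves the peer address via DNS
ws1.example.edu   graham
# trusted by raw address: DNS plays no part for this entry
10.1.2.3          graham
# wildcard host: anyone who can reach rlogind gets in
+
# any user on the gateway may log in as this account
gateway.example.edu +
-badhost.example.edu
"""

def classify_entry(host: str, user: str) -> Tuple[str, str]:
    """Return (severity, reason) for one entry, by what the trust rests on."""
    if host == "+":
        return "critical", "any host is trusted" + (" for any user" if user == "+" else "")
    if host.startswith("-"):
        return "info", "explicit deny entry"
    if host.startswith("+@"):
        return "high", "netgroup trust via NIS lookup (%s)" % host[2:]
    if user == "+":
        return "high", "any user on %s may log in as this account" % host
    try:
        ipaddress.ip_address(host)
        return "medium", "address-based trust: no DNS involved, but forgeable by injected packets"
    except ValueError:
        return "medium", "name-based trust: rests on a correct DNS mapping for %s" % host

def audit_rhosts(text: str) -> List[Tuple[str, str, str]]:
    """Parse .rhosts / hosts.equiv text; return (host, severity, reason) per entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""   # empty = account owner only
        severity, reason = classify_entry(host, user)
        findings.append((host, severity, reason))
    return findings

if __name__ == "__main__":
    for host, severity, reason in audit_rhosts(SAMPLE_RHOSTS):
        print("%-8s %-22s %s" % (severity, host, reason))
```

Running it over a real account's .rhosts and /etc/hosts.equiv gives a quick picture of which logins would survive a DNS problem and which would not, which is the question the two posters are arguing about.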



Let's see how long CERT takes this time...

Post by Graham To » Sun, 21 Nov 1993 09:25:00




:>Anyone else who accesses anywhere else via Barnet would be well
:>advised to change their password.
:
:Yeah, please change your password while I'm listening.... :-)

You can laugh tonight; when you read about it in the papers tomorrow
you'll laugh less methinks.  Doesn't netcom (and half of the valley)
all go out via Barrnet?  You've probably been snooped too, buddy.

48 hours, and still no word from CERT.  I find this all rather amusing.

G


Let's see how long CERT takes this time...

Post by Conrad Huang %C » Sun, 21 Nov 1993 14:13:18






>:>Anyone else who accesses anywhere else via Barnet would be well
>:>advised to change their password.
>:
>:Yeah, please change your password while I'm listening.... :-)
>You can laugh tonight; when you read about it in the papers tomorrow
>you'll laugh less methinks.  Doesn't netcom (and half of the valley)
>all go out via Barrnet?  You've probably been snooped too, buddy.
>48 hours, and still no word from CERT.  I find this all rather amusing.

I guess I'm showing my ignorance here...

I'm not too familiar with BARRnet topology, but I think it has a backbone
and some ancillary nets.  The backbone is mostly (all?) point-to-point.
Some ancillary nets are Ethernets.  If you use BARRnet, either your
packets go over some Ethernets, or they do not.

If they go over the Ethernets, what's your guarantee that no one on those
wires is listening?  BARRnet includes places like Berkeley and Stanford,
and those are not the places that nice packets visit.

I guess my point is that: as long as you use an "open" network like BARRnet,
you have absolutely no guarantee that *anything* you send will not be peeked.
It shouldn't take someone breaking into a system for you to realize that
putting passwords out onto any part of the Internet is a bad idea.  If I
were CERT and were told that someone hacked into BARRnet, my response would
be "so what's your point?"

Conrad


Let's see how long CERT takes this time...

Post by William Unr » Sun, 21 Nov 1993 15:48:09




]=Meanwhile, I'll start using rlogin to *everywhere* I call on the

]Add a few lines of code and your rlogind will ignore .rhosts and
]/etc/host.equiv.
I think he means that he WANTS .rhosts so he does not have to enter a
password over the net.


Let's see how long CERT takes this time...

Post by Timothy Newsh » Sun, 21 Nov 1993 15:58:47




>Newsham) writes:

>>.rhosts are not a bad thing?  Authentication on the basis of IP address
>>*is* a bad thing.  What happens when the hackers start using DNS hacks
>>to get into your system?

>I sense a little confusion here.  DNS is used to map between an IP
>address and a host name.  When a .rhosts file contains an IP address
>rather than a host name, DNS plays no role in the authentication
>involved.  Granted, somebody with the ability to inject packets en
>route and fool the routers could still spoof some other host's IP
>address, but this (a) is harder to do than to spoof DNS, and
>(b) has absolutely nothing to do with any flaws in DNS.

How many people use IP addresses rather than domain names in their
rhosts?   Also, I did mention sequence number guessing.  After the
sequence number is successfully guessed, sending two packets to
the rshd will get you access to the user's account regardless of
whether the .rhosts file contained an IP address or a domain name.

Let's see how long CERT takes this time...

Post by Frank 'Scruffy' Mill » Sun, 21 Nov 1993 16:49:21



>48 hours, and still no word from CERT.  I find this all rather amusing.

What are they supposed to do about it anyways ... only a maroon doesn't know
that net traffic by default is plain text.

I think the CERT is doing a fine job ... if you don't like it, try
volunteering and seeing if you can provide a better service.

This is an issue with the FBI and the system that has been hacked.

Frank

*No Whiners!*

--

 Software Engineer/UNIX Systems | "I went into her cave and returned without
 Tektronix CNA Division         |  the ears of a rabbit."


Let's see how long CERT takes this time...

Post by Rahul Dhe » Sun, 21 Nov 1993 19:10:16



Newsham) writes:
>how many people use IP addresses rather than domain names in their
>rhosts?

Not to get into a flame war, but you originally said that:

   Authentication on the basis of IP address *is* a bad thing.  What
   happens when the hackers start using DNS hacks to get into your
   system?

Which made no sense to me, and I responded:

   I sense a little confusion here.  DNS is used to map between an IP
   address and a host name.  When a .rhosts file contains an IP address
   rather than a host name, DNS plays no role in the authentication
   involved.

If nobody is using IP addresses, then it makes no sense to worry about
authentication on the basis of IP address, which is what you were
worrying about.  If you are worrying about the use of domain names,
then you really need to say something like:

   Authentication on the basis of domain name *is* a bad thing.  What
   happens when the hackers start using DNS hacks to get into your
   system?

I wouldn't dare argue with that.

As for

>Also I did mention sequence number guessing.  After the
>sequence number is successfully guessed sending two packets to
>the rshd will get you access to the user's account regardless of
>whether the .rhosts file contained an IP address or a domain name.

No, you didn't mention sequence number guessing.  Please explain
clearly enough that I can reproduce it here.  I would be willing to set
up a dummy account here to give you an opportunity to try out the
experiment.
--



Let's see how long CERT takes this time...

Post by Michal Jankows » Sun, 21 Nov 1993 21:55:40



>>>>> said:


Rahul> (Timothy Newsham) writes:

Timothy> Also I did mention sequence number guessing.

Rahul> No, you didn't mention sequence number guessing.

He didn't? Then read his original post:

Timothy> .rhosts are not a bad thing?  Authentication on the basis of
Timothy> IP address *is* a bad thing.  What happens when the hackers
Timothy> start using DNS hacks to get into your system?  What happens
Timothy> when they start guessing sequence numbers?
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
But you've edited this last sentence out of your followup 8-)

  Michal


Let's see how long CERT takes this time...

Post by Graham Toa » Sun, 21 Nov 1993 22:52:52



:If they go over the Ethernets, what's your guarantee that no one on those
:wires is listening?  BARRnet includes places like Berkeley and Stanford,
:and those are not the places that nice packets visit.

Take that argument to its extreme, there's no guarantee that every single
user on the net isn't being snooped by someone - but the net providers
are relatively trustworthy - if an employee snoops the wire and ever tells
anyone of anything he found, his job will be on the line.  In fact, he'll
probably be in *deep* shit because the net company will want to be seen to
be responsible net citizens - bad for business if they're not.

The point I was making was that it seems a cracker has got access to one
net, and has been snooping all the traffic going by.  This is not a
hypothetical situation - real people have had their passwords snooped
for any system they've accessed over that net, and those passwords are
probably making the rounds of the cracker BBSes right now.

Graham
