close this bookTidBITS#261   19950130
View the documentMailBITS/30-Jan-95
View the documentKeep Your Doors Locked
View the documentTaxing Situation
View the documentDeskWriter Rollers Clean Up Their Act
View the documentNew MessagePad, System Update
View the documentEarthquakes on the Net
View the documentURL or Not: URL Marks the Spot!
View the documentReviews/30-Jan-95
View the documentFoot Notes

Keep Your Doors Locked

by Geoff Duncan <geoff@tidbits.com>

The Computer Incident Advisory Capability office (CIAC) issued a notice 23-Jan-95 on two techniques currently being used to compromise the security of Internet hosts: spoofing and hijacking (or tapping). Although neither of these techniques is particularly new, apparently incidence of their use has increased sharply.

The first method, spoofing, involves an attacker "impersonating" a local machine by altering his or her packets to appear as if they originated at a local machine. This in itself is not inherently a threat; however, many local networks are configured so they implicitly "trust" packets arriving from particular hosts (say an administrator's workstation) and do not require authentication on requests from those machines. If intruders successfully impersonate a trusted machine on a network, they could potentially acquire full access to files, mail, accounts, or anything else on that network. The recommended workaround is to configure network routers to block any packet entering from outside and claiming to be from the local domain.

Hijacking, or tapping, involves using a tool called tap to take over existing login sessions on a system. A user or intruder with root access can use tap to execute commands exactly as if they had been typed by the owner of that login session. If that user had connected to a remote system within that session, no authentication would be required to gain access to that remote system. Users of a hijacked session may notice commands appearing as they're typed by the intruder, screens suddenly clearing, or other unusual events. Contrary to net rumors, it appears that the tap tool is available only for SunOS 4.1.x systems.

These threats do not have an enormous direct impact on Macintosh users, although they could have an affect on systems you connect to with your Macintosh, particularly in corporate, educational, or government sites. Check with your system administrator if you think this information may apply to you or your site. CIAC notices, various software, details on mailing lists and other information are available at:

ftp://ciac.llnl.gov/pub/ciac/

Information from:
CIAC <ciac@llnl.gov>
Pythaeus