Computer Security in Higher Education David Brumley [email protected]

Uploaded by samuel-grant, 30-Dec-2015

TRANSCRIPT

Computer Security in Higher Education

David Brumley [email protected]

Things To Come

• Need for policies and procedures

• Proper staffing and funding

• Clear, consistent, and followed plans

Stanford Infrastructure

• 55,000 registered nodes

• 58,000 active principals

• 800 MB/day web data alone

• 3.5 million/day email messages

• 200 to 700 Mb/s bandwidth

Why Security?

• Do your users have any expectation of privacy?

• Do you have assets that need protecting?

• Have you considered the cost of system compromises vs. protection?

Attacks Happen

Incident Type Comparison

Figure: two pie charts, FY97 and FY00, with the categories Abuse/Harassment, Denial of Service, Misuse of University Resources, Account Compromise (attempts), System Compromise (attempts) and Network Scans. FY97 slices: 31%, 12%, 23%, 19%, 11%, 4%. FY00 slices: 5%, 0%, 16%, 5%, 19%, 55%. Which slice belongs to which category is not recoverable from the transcript.

Worried about Privacy?

• School Records

– Directories (FERPA)

– Email

– Homework

• Hospital/Medical Records

– HIPAA

Computer Security Is...

Primarily risk management by ensuring:

• Confidentiality

• Integrity

• Availability

System Confidentiality

[root@topsecret cctest]# pwd
/var/lib/mysql/cctest
[root@topsecret cctest]# strings customer.MYD
david brumley
351 Monroe Palo Alto
Anton Ushakov
590 Escondido Mall
Russ Alberry
101 Great America Parkway
[root@topsecret cctest]# strings orders.MYD
9 piece knife set
34233394134272MasterCard
9910
Sickle and Hammer
543543545345452Visa
0120
3 towels
656565655555Visa
9920

Many believe there is nothing valuable on their system, but:

• System can serve to launch attacks

• There may be unexpected information on the host
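The `strings customer.MYD` session above makes the point that a database file is just bytes on disk: whoever can read the file bypasses the database's own access control, and card numbers stored in the clear fall out with one command. The following scanner is an added example, not code from the talk; it turns the same observation into a data-discovery check an administrator can run over database files to find unencrypted card numbers before an intruder does. The sample bytes are constructed to look like a MyISAM `.MYD` file and the card numbers are published test numbers, not real accounts.

```python
"""Find card-number-like strings in raw data files.

Added example, not code from the talk. Database files are plain bytes on
disk, so anyone who can read the file bypasses the database's own access
control; this scanner finds candidate primary account numbers (PANs) in
such files so they can be encrypted or removed. The sample bytes below are
constructed and the card numbers are published test numbers.
"""
import re
import sys
from pathlib import Path

MIN_LEN = 4  # same default as strings(1)
# 13 to 16 consecutive digits that are not part of a longer digit run
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the last four digits of a finding."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_card_numbers(data: bytes) -> list:
    """Masked, Luhn-valid candidate PANs in data, in file order."""
    hits = []
    for s in strings(data):
        for m in _DIGIT_RUN.finditer(s):
            if luhn_ok(m.group()):
                hits.append(mask(m.group()))
    return hits


def scan_file(path: str) -> list:
    """Scan one file on disk, e.g. a table's .MYD file."""
    return find_card_numbers(Path(path).read_bytes())


# Constructed sample: fake records separated by binary header bytes, the way
# a MyISAM .MYD file interleaves record metadata with field data.
SAMPLE_MYD = (
    b"\x01\x00\x00\x1a9 piece knife set\x00\x00"
    b"4111111111111111\x00Visa\x00\x009910\x00"
    b"\x01\x00\x00\x143 towels\x00\x00"
    b"5500000000000004\x00MasterCard\x00\x000120\x00"
    b"\x01\x00\x00\x10order ref 1234567890123456\x00"  # fails Luhn, not a PAN
)

if __name__ == "__main__":
    files = sys.argv[1:]
    if not files:
        print("sample:", find_card_numbers(SAMPLE_MYD))
    for f in files:
        for pan in scan_file(f):
            print(f"{f}: {pan}")
```

Run it with the paths of the database's data files as arguments; without arguments it scans the embedded sample. Findings are masked to the last four digits so the report itself does not become another copy of the data the check is meant to protect.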

Network Confidentiality

Diagram: hosts A, B and H on a shared segment. Frames are addressed to DST MAC A and DST MAC B, but the hacker's host H is listening regardless of MAC.

Network Sniffers

psych-Wylie-NT.Stanford.EDU => pobox3.Stanford.EDU [110]
USER sleeples
PASS password
STAT
UIDL
QUIT
----- [FIN]

psych-3354-dreamscape.Stanford.EDU => daydream.Stanford.EDU [23]
!'''#P38400,38400#dreamscape.stanford.edu:0'DISPLAYdreamscape.stanford.edu:0XTERMoscarpassword2elmjjjjjjjjjjjjjjjjjjjjjj
----- [Timed Out]

voodoo.Stanford.EDU => lucas.Stanford.EDU [21]
(#USER menon
PASS password3
SYST
PORT 171,65,60,163,5,104
LIST
CWD /home/pub/gary
CWD /home/pub/
CWD /home/
----- [Timed Out]

psych-3367-macG3.Stanford.EDU => elaine18.Stanford.EDU [23]
%%jboyett%IR.STANFORD.EDU@(P^$:-)':ca<`%.+vc6s}DF~T[f8FLc|vI;#wG\CN6MYlP%6M-&&&&& #'$&&Y`&&VT100&wl\cfCCSDK) >aWHW^H>rGhsN{q0jxU`&$$ vQa;j:T8%H>VzL d>7s_
----- [Timed Out]
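The sniffer output above is the raw evidence; what a security office needs from it is a list of which servers and accounts still authenticate in the clear, so the "no clear text logins" goal of the Ensuring Confidentiality slide can be worked through host by host. The audit below is an added example, not code from the talk. Its parser is modelled on the layout of the sniffer log shown above (a `src => dst [port]` header, the captured commands, then a `----- [FIN]` or `----- [Timed Out]` trailer); the hosts, accounts and passwords in the sample are constructed, and the report never prints a captured password.

```python
"""Audit a sniffer log for cleartext logins.

Added example, not part of the talk. The parser follows the layout of the
sniffer output on the slides; the hosts, accounts and passwords below are
constructed. The report says which accounts and servers still authenticate
over cleartext protocols, so they can be moved to Kerberos or SSH; captured
passwords are never printed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CLEARTEXT_PORTS = {21: "FTP", 23: "telnet", 110: "POP3"}

_HEADER = re.compile(r"^(\S+) => (\S+) \[(\d+)\]$")
_TRAILER = re.compile(r"^----- \[(FIN|Timed Out)\]$")


@dataclass
class Session:
    src: str
    dst: str
    port: int
    lines: List[str] = field(default_factory=list)

    @property
    def protocol(self) -> str:
        return CLEARTEXT_PORTS.get(self.port, f"tcp/{self.port}")

    def username(self) -> Optional[str]:
        """USER command of FTP and POP3; telnet logins are unstructured."""
        for line in self.lines:
            if line.upper().startswith("USER "):
                return line.split(None, 1)[1]
        return None

    def password_seen(self) -> bool:
        """True if a PASS command was captured, or the session is telnet,
        where the password is typed straight into the cleartext stream."""
        return self.port == 23 or any(
            line.upper().startswith("PASS ") for line in self.lines)


def parse_log(text: str) -> List[Session]:
    """Split the sniffer log into sessions by header and trailer lines."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = Session(m.group(1), m.group(2), int(m.group(3)))
            sessions.append(current)
        elif _TRAILER.match(line):
            current = None
        elif current is not None:
            current.lines.append(line)
    return sessions


def exposure_report(sessions: List[Session]) -> List[dict]:
    """One finding per session on a cleartext-login port."""
    return [
        {"client": s.src, "server": s.dst, "protocol": s.protocol,
         "user": s.username(), "password_in_clear": s.password_seen()}
        for s in sessions if s.port in CLEARTEXT_PORTS
    ]


def servers_to_migrate(findings: List[dict]) -> List[tuple]:
    """Distinct (server, protocol) pairs that still take cleartext logins."""
    return sorted({(f["server"], f["protocol"]) for f in findings})


# Constructed sample in the slide's layout; no real hosts or accounts.
SAMPLE_LOG = """\
lab-pc1.example.edu => mailhost.example.edu [110]
USER alice
PASS s3cret
STAT
QUIT
----- [FIN]
lab-pc2.example.edu => ftphost.example.edu [21]
USER bob
PASS hunter2
SYST
LIST
----- [Timed Out]
lab-pc3.example.edu => shell.example.edu [22]
SSH-2.0-OpenSSH_2.9
----- [Timed Out]
lab-pc4.example.edu => shell.example.edu [23]
login: carol
----- [Timed Out]
"""

if __name__ == "__main__":
    for finding in exposure_report(parse_log(SAMPLE_LOG)):
        print(finding)
```

The SSH session on port 22 is parsed but dropped from the report, which is the desired end state: once a server appears only on encrypted ports it falls off the migration list.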

University Of Washington Sniffer

Summer 2000:

• NT IIS Web Server compromise

• Password sniffer installed

• Exposed 5000 medical records

Ensuring Confidentiality

• Strong Authentication

– No clear text logins

– Kerberos

– SSH

• Strong Authorization

– AFS

– Directory ACL’s

Kerberos

Populating the KDC

Compromises of Integrity

• ls (dir) - doesn’t show the intruder’s files

• ps (task manager) - doesn’t show the intruder’s processes

• ifconfig - doesn’t show the interface in promiscuous mode

• zap - cleans log files

• fix - fixes timestamp and checksum info

• chfn - gives root shell with proper arg

• login - gives root shell w/ proper password

• inetd (runs network services like “telnet”) - gives full access on a particular port
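The list above describes a rootkit's replacement binaries and its `fix` helper, which puts the original size, timestamp and (weak) checksum back on a trojaned file so that `ls -l` and a simple `sum` find nothing wrong. The check below is an added example, not code from the talk: it keeps a baseline of SHA-256 digests and shows that a swapped `ls` whose size and mtime have been restored still stands out, because a matching SHA-256 digest cannot be arranged the way a matching timestamp can. The demo builds its own throwaway files; in practice the baseline must be stored off the host, since a compromised host can lie about its own files.

```python
"""Detect replaced system binaries with a cryptographic baseline.

Added example, not from the talk. A baseline of SHA-256 digests kept off
the host detects a trojaned binary even after the rootkit's "fix" tool has
restored the file's size and timestamp. Size and mtime are recorded too,
only to show that on their own they miss the swap.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_record(path: Path) -> dict:
    """Size, mtime and SHA-256 of one file, hashed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": st.st_mtime}


def build_baseline(paths: List[Path]) -> Dict[str, dict]:
    """Record every file. Store the result on read-only media off the host."""
    return {str(p): file_record(p) for p in paths}


def verify(baseline: Dict[str, dict]) -> List[dict]:
    """Compare the current state with the baseline; one finding per file."""
    findings = []
    for name, old in baseline.items():
        p = Path(name)
        if not p.exists():
            findings.append({"file": name, "reasons": ["missing"]})
            continue
        new = file_record(p)
        reasons = [k for k in ("sha256", "size", "mtime") if new[k] != old[k]]
        if reasons:
            findings.append({"file": name, "reasons": reasons})
    return findings


def demo() -> List[dict]:
    """Simulate a trojaned 'ls' whose size and timestamp were put back."""
    with tempfile.TemporaryDirectory() as d:
        ls = Path(d) / "ls"
        ps = Path(d) / "ps"
        ls.write_bytes(b"#!/bin/sh\necho original ls\n")
        ps.write_bytes(b"#!/bin/sh\necho original ps\n")
        base = build_baseline([ls, ps])
        # Replacement with the same length, then the old mtime restored,
        # which is what the slide's "fix" tool does after a swap.
        orig = ls.stat()
        ls.write_bytes(b"#!/bin/sh\necho trojaned ls\n")
        os.utime(ls, ns=(orig.st_atime_ns, orig.st_mtime_ns))
        return verify(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)  # only the sha256 mismatch is reported for ls
```

The demo's single finding lists `sha256` as the only reason: size and mtime agree with the baseline, exactly the situation a timestamp-based check would miss.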

Integrity Compromise Example

Normal System:

sunset:security> telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)

elaine21.Stanford.EDU login:

Hacked System:

sunset:security> telnet jimi-hendrix 1524
Trying 171.65.38.180...
Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).
Escape character is '^]'.

# ls -altr /;
total 1618
-r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc
drwx------ 2 root root 8192 Apr 14 1999 lost+found
drwxr-xr-x 1 root root 9 Apr 14 1999 bin
drwxrwxr-x 2 root sys 512 Apr 14 1999 mnt

Ensuring Integrity - Axioms

• All programs are buggy

– The larger the program, the more bugs it will have

• If a program isn’t run, it doesn’t matter if it’s buggy

– Hosts should run as few services as possible
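The axiom "hosts should run as few services as possible" is only enforceable if someone regularly compares what is actually listening with what the host is supposed to offer; the hacked system above, handing out a root shell on port 1524, is exactly the kind of extra listener such a comparison catches. The audit below is an added example, not code from the talk. It parses Linux `netstat -tan` style output (the rows are constructed) and reports every non-loopback listener that is missing from an allowlist, which here is an assumed policy for a mail and web host.

```python
"""Flag listening services that are not on the host's allowlist.

Added example, not from the talk. Compares the LISTEN rows of netstat-style
output against the short list of ports the host is meant to serve; the
sample rows are constructed and ALLOWED is an assumed policy.
"""
import re
from typing import Iterable, List, Set, Tuple

# Linux "netstat -tan" row: proto recv-q send-q local foreign state
_ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")


def listening_ports(netstat_output: str) -> Set[Tuple[str, int]]:
    """(bind address, port) for every LISTEN row."""
    listening = set()
    for line in netstat_output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            listening.add((m.group(2), int(m.group(3))))
    return listening


def unexpected_listeners(netstat_output: str, allowed: Iterable[int]) -> List[int]:
    """Ports listening on a non-loopback address that policy does not allow."""
    allowed = set(allowed)
    return sorted(
        port for addr, port in listening_ports(netstat_output)
        if port not in allowed and not addr.startswith("127.")
    )


# Constructed sample output: a mail/web host with two listeners it should
# not have, telnet (23) and the backdoor port from the slide (1524).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""
ALLOWED = {22, 25, 80, 443}  # assumed policy for this host

if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_NETSTAT, ALLOWED):
        print(f"unexpected listener on port {port}")
```

Loopback-only listeners such as the database on 3306 are ignored because they are not reachable from the network; everything else that is not in the policy is reported, including the backdoor port that no allowlist would contain. Run from a cron job against real `netstat -tan` output, with the allowlist kept with the host's build template, this is a cheap way to notice when a host has drifted from its documented service set.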

Building Integrity

• Create easy-to-use resources for system security:

– Templates

– Distributions

– Best use documents

• Defense in Depth is the goal

Chart: Total Time (y axis, 0 to 250) against Number of Hosts (x axis, 1 to 23), two series: Before Cloning and After Cloning.

Threats to Availability

• System intrusion

• Denial of Service Attack

• Domain Name Hijack/Modifications

RSA.COM’s Availability

The Master Plan

• Assess situation

• Create policies, procedures, and implementation plan

• Create infrastructure

• Maintain infrastructure

• Lather, rinse, repeat.

Getting Started

• Assessing where you are at:

– What policies exist?

– What staff is already in place?

– What services are offered?

– What services will be offered?

Policy Key Points

• What are you protecting?

• Who has authority?

• What are the resources for?

• What organizational units are there?

The Key

The policy must be approved at the highest levels in order to deal with irate:

• Nobel prize laureates

• Crafty Students

• Other political entities

Security Office Plan

• Plan base authentication, authorization, and integrity mechanisms

• Work with infrastructure groups to utilize security resources

• Educate the community

Creating Infrastructure

Major points in an assessment:

• Create scalable architectures

• Create robust architectures

• Create low-risk architectures

Ex: Integrating Kerberos

Allocating Resources

• Staff and budget are needed, but security gets easier and cheaper as time goes on.

• Fundamental knowledge for computer security staff is knowledge of operating systems and programming

• Leverage off existing infrastructure to minimize long-term cost

The Benefits

• Guaranteed and quick response

• Guaranteed responsibility

• Protection

• Be a good net-citizen

Quick Response

From: [email protected]

Sent: Saturday, May 29, 1999 5:46 AM

Subject:

As we'll know how fxxxxx Stanford housing situation is, still our

hypocrit spic-and-nigger loving administration has done nothing but

keep accepting more and more of these motherxxxxx black jelly

beans.

These dirty cheating son of xxxxx

....[edited]....

================================================================

Firstname Lastname

Engineering-Economic Systems & Operations Research

Address

Stanford University

Stanford CA 94305

http://www.geocities.com/CollegePark/Grounds/2511

Quick Response

• August 8, 1999

– 46 Solaris machines compromised

– trin00 installed

– 24 hours for cleanup

• Quite possibly avoided large scale internet attack

Protection

• SULinux

• Best use documents

• Policy enforcement

Public Service

• Feb 1999 - ShadowKnight compromises Stanford hosts

• Feb 1999 - Aug 1999 Stanford monitors hacker

• Nov 2000 - Jason Diekman, aka ShadowKnight, convicted

Protect

• Assess critical infrastructure security

• Legal point of contact for problems

• Advise and help deploy security infrastructure

• Help keep network available for academic use

Summary

• Need policies and procedures

• Need staff

• Need Plan

It really is that easy!

Resources

• Slides available at http://theorygroup.com/Theory

• See handout for additional resources