Archive for August, 1999

Network Security by Half-Wittedness

Monday, August 16th, 1999

How to base your network security on misinformation, overreaction, nervousness and lawyers

Security cautiousness is a good thing, in the vast and wild cyberspace. A lot of networks don’t even have somebody who cares. But there are some sites which are security cautious, and there are different kinds of these: Those who care, and those who fear.

Fear and Loathing in Cyberspace

There are a lot of companies out there who fear they could be attacked by some misfit and in turn create policies, buy firewalls and try to detect any behaviour which could be interpreted as attack. Particularly
a lot of those companies are in the consulting or even network security
business. And some of them quite internationally renowned. As soon some
possible sign of an attack is detected, hell breaks loose: sysadmins of
the originating site of the possible attack are emailed, upstream
providers informed, the CERT gets an email, even the police might be
called or a lawyer to write threatening letters. In the end it probably
turns out to be some user who tried to test it’s newest movie-streaming
software. Or the sysadmin of the ISP did a portscan “to see what that
machine does”. Maybe it even was intended maliciously, but it came
from somewhere in China. What had happened was in any case something
with no importance and no actual impact which is now turned into a
great spectacle.

A very nice case is the one of the Israeli “security”
company COMSEC
versus IOS++
, the Internet Operating Systems Counter. With great
incompetence COMSEC interpreted some weird packets which reached their
webservers as attack, didn’t even bother to contact IOS++ but informed
the press instead which promptly took up a story about widespread attacks
against the isreali part of the internet.

Another typical case is people who want their DNS Zone transfers
blocked. Why would one want that when you just can do a zone transfer
of in.addr-arpa and get the whole thing anyway? This is typical for
wrong understood network security. It’s called security by obscurity,
one tries to hide something, and it never works. There are certainly
things outsiders ought not know, but certainly not which hosts you’ve
got on your external network. If you’ve got no internal (private) and
external (for the public) network, you’ll be probably in trouble

Of course, this is not the only case, I had at least three cases of
overreaction last year (one involving a user trying to stream some
movies and two portscans), and one demand of restriction of
zone-transfers from a big international consulting company which
really should know better.

What we have here is security cautiousness backed by a half-witted
knowledge about network security. People who know nothing about
network security don’t fear a security breach, neither do people
which really know what network security is all about. It’s those who
know a bit, but not enough, who fear and cry.

Why should a sysadmin start crying about some possible attack which
failed anyway, because the sysadmin keeps his systems updated and
knows that some 13 year-old script-kiddie will fail against his
walls anyway?


Essentially, there are two forms of misbehavior when it comes to
security (not counting the case of being NOT security cautious):

  • Security By Obscurity
  • Overreaction

In the first case, we’ve got the idea of being secure just because
the enemy does not know you are not. Or where you are located. The
effect is badly designed programs which appear secure just because
nobody should be able to proof they’re not; IP-adresses which do
not resolve but which can be found by broadband-scanning anyway;
crypto-software which can cracked in seconds, and so on. A strong
lock is one where you can see how it works but are still unable to break
it. The international crypto-community has condemned obscurity long
ago, see the
Snake Oil FAQ
for details.

The second case is a bit more difficult to grasp. Is a portscan or weird
packets an attack or not? You can simply ignore it if you’re confident
enough of your security, or you can investigate, meaning taking a look
at the originating host, portscan it yourself, query whois-databases and
finally sending the sysadmin of the originating host a note. There are
a lot of sysadmins out there who portscan without any intention of
attacking you. And a sysadmin of a system into which was broken in
will be very glad if you tell him some portscan originated at his site.
The wrong answer is of course to panick and make a big fuss about it. If
you detect a portscan, chances are low the portscanning person will ever
break in, because you already updated your system — otherwise you’d be
a complete moron. On the other hand, if you’ve been already broken in,
you can investigate and collect evidence that there actually was a break-in
— then it’s time to make a fuss. So it either has nothing to say, or
it’s a failed attempt, in which case you’d better update your system, or
the breakin already occurred.

There are also several projects like the

Internet Security Auditing Project
, or the above mentionned
IOS++ which
might appear as “attackers”, but surely don’t have the intention to
break into your systems. So you better get informed before you
start crying out loud.

So if you detect something which could be a failed attack, what you
should do is to simply inform the sysadmin of the originating host
(the sysadmin of the provider, if it originated from a dialup-machine,
or the sysadmin of the company. You should be smart enough to know
who you should contact, otherwise you’d better stay away from network
security altogether). In the case of an actual break-in, the most
stupid thing you can do is also panicking. If you don’t feel experienced
enough to handle the incident, you probably get help at your internet
provider or from a specialized company. In the other case, you’ll have
to investigate what the attacker did, and most important, where it
came from. Then you mail the sysadmins of the originating hosts —
chances are it was a dialup-machine (so mail or call up the ISP) or
another compromised system, so be polite and don’t threaten him with
legal action or somesuch. Normally they’ll be very glad to hear one
of their machines was compromised (actually they’re not glad to hear
that, but glad that you tell them ;))


So what do security cautious people do who actually know what
they’re doing? Simple. Updating. First, all security-relevant
mailinglist need to be read, and as soon as some vulnerability
is found, the systems need to be fixed. Either there is already
a fix, then it needs to be applied, or the services need to
be replaced or turned off until a fix comes. Sometimes even the
whole system needs to be either shut down or replaced, unless you want
to risk it; particularly the case with Windows NT since Microsoft
normally needs weeks to fix something. Another possibility is of
course to firewall such systems/services off.

And if someone seems portscan or to probe the network for
vulnerabilities or somesuch? Don’t panic. The Walls are strong
enough to whithstand a script-kiddie attack. Probably send an
email to the attacker or its sysadmin. It will either be harmless or a real attacker who will go away and seek something easier to penetrate; probably after he gets a new ISP. ;)

Peter Keel,