Hi, Laporte Report subscribers.
One of the keys to computer security is monitoring key system files to see if
they've been secretly modified. (See the <a
href="http://www.cert.org/security-improvement/implementations/i002.01.html"
target=_blank>CERT note</a> for more information.) To that end I run a nifty
little utility from <a href="http://personalpages.tds.net/~brian_hill/"
target=_blank>Brian Hill</a> called Checkmate on my Macs. Last night Checkmate
found traces of an intruder on my iBook.
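The kind of check described above, written out as a small added example (this is not Checkmate's code or anything from Brian Hill's site): take a baseline of content hashes for a set of trusted files, store it, and later report which files differ. The three stand-in file names (sshd, slogin, du) are borrowed from the story below, but the files themselves are constructed in a temporary directory so the script runs anywhere.

```python
#!/usr/bin/env python3
"""Tiny file-integrity monitor: record a baseline of trusted files, then
report anything that has changed since. Added illustration, not Checkmate."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Describe one file by content hash, size and permission bits.

    mtime is deliberately NOT part of the fingerprint: an intruder who can
    replace sshd can also reset its timestamp, so only the content hash is
    trustworthy evidence."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(paths):
    """Fingerprint every regular file in `paths` (missing ones are skipped)."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline, out_path):
    # In real use keep this file off the monitored host (or on read-only
    # media); a baseline the intruder can rewrite proves nothing.
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as fh:
        return json.load(fh)


def compare(baseline, paths):
    """Return the files that differ from the baseline, split into
    modified (hash/size/mode changed), missing, and new."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario mirroring the post: three stand-in binaries
    (sshd, slogin, du) are baselined, then 'du' is altered in place with
    its size unchanged. Returns basenames so the result is path-independent."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = [os.path.join(workdir, n) for n in ("sshd", "slogin", "du")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"original program text for " + os.path.basename(p).encode())
        baseline_file = os.path.join(workdir, "baseline.json")
        save_baseline(build_baseline(paths), baseline_file)

        # Simulate a tampered du: overwrite one byte, same length as before,
        # so a size-only check would miss it but the hash does not.
        with open(paths[2], "r+b") as fh:
            fh.write(b"X")

        report = compare(load_baseline(baseline_file), paths)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and it prints a report naming only du as modified. The point of the demo is the one-byte overwrite: size and permissions are unchanged, so only the content hash catches it, which is why such tools compare digests rather than timestamps or sizes.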
Three files had recently been changed: sshd, slogin, and du. The first two are
for secure login to my system, the last is a unix tool called disk usage, used
to check how full the drives are. An innocuous (and little used) system file
like du is a good place for a hacker to store a trojan horse program. Modifying
sshd and slogin is a well-known way to capture the root password (see <a
href="http://206.117.28.84/ubbthreads/showthreaded.php?Cat=&Board=bugs&Number=19304&page=&view=&sb=&o=" target=_blank>Mike Chandler's post</a> on the message
boards). I hadn't changed either program recently, nor had any system updates.
The modified files were clear evidence of an intrusion on my system.
There was no evidence of tampering in the system logs (no surprise there - any
hacker worth his salt would have fixed that), but I quickly changed all my
passwords, replaced the affected system files, and checked all my security
settings.
What surprises me is that I have always considered this system to be basically
secure. I run the built-in FreeBSD firewall, ipfw, on it all the time. I used
Brian Hill's Brickhouse (http://personalpages.tds.net/~brian_hill/) to configure
it and I'm pretty sure I tightened everything down. At home it's sitting behind
two NAT servers, my Linksys router and an Airport, which should make the system
hard to see on the net. At work it's on the firewall-protected corporate net (no
idea how secure THAT is however - I know of at least one successful hack on it -
but I have to think it's at least as secure as my own system). My iBook passes
the ShieldsUp test (https://grc.com/x/ne.dll?bh0bkyd2) with flying colors (all
green). nmap (http://www.insecure.org/nmap) shows all ports closed.
The weak link is the Airport wireless network. I can only think that someone got
in through the wireless LAN either at home or, more likely, at the studio.
802.11b security is notoriously weak (http://online.securityfocus.com/news/192).
But I use Airport everywhere and I'm just not willing to stop. (OK, I'm a
wireless LAN addict - I admit it.)
I probably should reformat the hard drive and reinstall everything from scratch,
but it's just too much work. There's nothing on here that's particularly
private, and the firewall prevents the system from being used in a DDOS attack
(http://www.denialinfo.com/). So I'm just going to continue as before, making
regular backups of my data, and keeping an eye out for other suspicious
activity.
I guess the moral of all this is that, even with reasonable precautions, any
system is hackable. I don't think the average user can be expected to do more
than run a firewall and cross his fingers. And that means that hackers will
continue to have free run of the net. We'll just have to learn to live with
them. Like cockroaches. But it's good to remember that they're out there, and
that there are some things we all need to do to keep them at least a little in
check.