Minutes of the May 14th 2002 Meeting of the Rocky Mountain
Internet Users Group (RMIUG)
The meeting started at 7:00 pm sharp and about 90 people were in attendance.
Dan gave a word of thanks to our new minutes sponsor, ONEWARE
(http://www.ONEWARE.com) -- a Colorado-based software company that provides
semi-custom web-based applications and is sponsoring the RMIUG meeting
minutes.
Dan also thanked MicroStaff (www.microstaff.com) for the ongoing sponsorship
of food and beverages. MicroStaff provides Creative and Technical Talent for
Web, Interactive Media, Marketing Communications and Software Development
projects.
Announcements from the audience:
Barry Gingrich announced an Internship Fair on Tuesday, June 4th, see
http://www.denverjobsearch.com/internship for details.
Meeting attendees expressed interest in possibly having a RMIUG BBQ some
time this summer.
Dan introduced the speakers for tonight's talk: Network Security in an
Unsafe World.
Trent Hein (trent@...) and Ned McClain (ned@...), founders of
Applied Trust Engineering, gave a presentation entitled Beyond the
Firewall: Completing the Security Model. (the presentation is available on
their website)
Trent:
What else do you need to be concerned about besides firewalls? And why (do
you need to be concerned) now?
- Worldwide explosion of the Internet = produced hackers
- Down-market business trend = produced more hackers
- Strong companies will survive, and security is required for strength
- Public awareness of security and privacy issues has reached a
threshold level
What is security? (besides a firewall)
- Vigilance
- Knowledge
Risk management involves:
- Methodology and policies
- Applied science/forensics
- Architecture
- Implementation
- Operations
Myths of Security:
Myth: We aren't a likely target, we're small, etc. Fact: The statistics do
not support this. 90% of survey respondents reported a breach in the last
12 months.
Myth: 70% of attacks involve insiders. Fact: This is not true today. Only
33% of hackers/attackers are insiders.
Myth: Our company is secure because we have a firewall. Fact: 95% of survey
respondents had commercial firewalls in place.
Myth: We have not been broken into, so we are secure. Fact: Most break-ins
go undetected for more than six months. People often panic when they first
discover it, and think it just happened, but the particular machine had
probably been that way for months.
Security = Rodents (analogy for illustration)
Rules for Rodents
1) do not leave food lying around
2) plug holes they use to get in
3) do not provide places that make good mouse nests
4) set traps
5) check traps daily
6) do not use buy and kill poison
7) get a cat!
These Rules can also be applied to Data Network Security
1) do not provide online access to interesting files, i.e., like storing
credit card numbers in .txt files on your server.
2) close holes that can be used to gain access; applies to home users, DSL
users, etc. Remote access is fine, but not leaving the hole OPEN
continuously.
3) don't provide nests for hackers to establish a base, i.e., don't leave
open file shares.
4) set traps to detect intrusion, but not so many that you spend 8 hours a
day going through log files.
5) monitor the reports that your tools are generating. Don't waste them.
6) teach yourself about security.
7) vigilantly look for unusual activity, i.e., is traffic slow today? Why
might that be?
Security Guide for busy people:
- make sure you have a packet filtering firewall
- educate EVERYONE about security (all users)
- not safe to send email in plain text -- it should be encrypted, unless it
is something that could be published on the front page.
- keep/maintain an incident handling guide
Packet filtering: essential everywhere.
Examples: Checkpoint, PIX, Watchguard
Home users should have a firewall these days.
- ZoneAlarm personal software firewall. Looks at all packets and applies
a specific set of rules.
- Personal hardware firewalls for DSL or cable modem:
  D-Link
  Linksys (CompUSA)
  Configurable DSL router
User education is very important:
- All users need to be aware of the potential security risk. At home, make
sure everyone knows to watch for signs of trouble.
- DO NOT give out passwords!
- Avoid downloading unverified software.
- Corporate users need to be educated, too.
- Information sensitivity: what IS and is not sensitive. What should be
encrypted?
Incident handling
-Remote access policies and procedures
-System hygiene
-Encryption usage
Back ups
- Regular offline back ups should be mandatory. Online backups like RAID
do not provide you with the ability to roll back time, which is required
for security forensics.
- Full system backups must be made and verified at least every 30 days;
store in vault.
- Most organizations and households do not conform to this, and thus are
unprepared for incident management.
If an incident occurs, perform a backup, because:
- It protects user data
- It captures the disk filesystem
- Regular back ups establish a baseline for recovering services, and if
regular back ups become normal activity, it will not tip the intruder off
that someone is onto them.
Ned:
What makes a secure firewall?
- At a minimum, a source and destination address and port.
- But allowing PC Anywhere, for example, does not take into account
specific blocking except for certain IP addresses. So IP addresses should
be selectively allowed. Many firewalls do not get that specific.
What ELSE can you do (to be secure)?
- Turn off services that you do not absolutely need
- Firewalls can be set up to block only certain (IP) addresses and
allow everything else, or vice versa, depending on the particular firewall.
- Services ON should be restricted to a minimum required access set.
- IP address limitations can be set up at the firewall level or also at
the application level (should have several layers).
- Can use audit services that are accessible with a tool like nmap (it
tries to connect to a series of ports and then reports on services passing
through those ports)
Point re: question asked by attendee: you need to get permission to use
any such tool, from your system administrator or whomever, if you are going
to use something like that, because it is like trying doors to see if they
are unlocked. Especially if you want to test across the Internet and not
just on an intranet.
Patches (for security breaches):
- develop and document a patching strategy for your organization
- Monitor vendor-released patches regularly. Discussion of the Unicode bug:
it has been fixed, but firewalls are no good at detecting that. Important to
patch servers INSIDE your network, as well as on the outside. So patching
the users' systems is important.
- Microsoft is not the only one who has released patches with problems;
Sun has also. So do you install patches immediately or wait? Do you use a
production environment clone to test? Whatever you decide for your
organization, the point is to have a plan.
- Ensure the priority of patching activity is higher than for routine
operations. Management may not appreciate the importance of this in the
organization, and it needs to become part of the corporate culture.
Scanning for unpatched vulnerabilities:
Tools: Nessus and HFNetChk tell you what patches you do not have
installed. Every platform has a tool. Nessus checks a database of known
vulnerabilities. Nessus is free and can be downloaded. It is probably being
used by hackers. Very common for these inbound scans (Nessus scans) to be
happening all the time.
Use encryption on insecure networks -- unencrypted information is
vulnerable. Examples:
- POP or IMAP email
- Non-SSL web page logins (anyone with MS Outlook needs to beware of
this issue)
- Unprotected email and attachments
- Chat/IM messages
Be aware of insecure networks in addition to the Internet, such as:
- Public networks (library, universities)
- Wireless networks
Use standardized encryption technologies:
- IPSec
- SSL/TLS to protect web sessions
- MS Outlook encryption or PGP for protecting email messages and
attachments
Myth: an Ethernet switch will keep packet detection from outside ports. Not
true. If administering through a router on a network, use Cisco SSH or
something similar.
Incident handling: be prepared! Recovery requires a documented handling
plan. This plan defines how to:
-Communicate inside and outside the organization
-Handle evidence and documentation
-Confirm the nature and level of threat
-Respond to varying levels/types of threats
-Perform system and data backups and recoveries
-Use tools to gather digital forensic evidence
-Follow up on an incident
Incident handling ledger. Purpose: so the engineer can follow proper
procedure/evidence handling, and so there is a decision-making tool for
handling incidents in real time.
If you DON'T have an incident handling plan, a potential incident is
difficult to confirm. Acting on a false positive is worse than taking the
time to confirm. It can cause panic and service interruptions. If you have
a plan, you have a baseline, and confirmation is much easier.
Deep Thoughts
- Must have multi-layered defense
- Cannot buy one product and be done
Most Fortune 500 companies spent less on security than on coffee.
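Added example (not from the speakers or their slides): a minimal first-match packet filter that shows the two firewall points from Ned's talk, that a rule needs at least source, destination and port, and that a remote-access service allowed from any source is effectively unfiltered. The host addresses, the ADMIN_PORTS set and the use of 5631/tcp as the PC Anywhere port are assumptions made for the example.

```python
"""Minimal first-match packet filter (illustration code for these minutes).
A rule carries source CIDR, destination CIDR, protocol and destination port;
the first matching rule decides, and anything unmatched is dropped (default
deny).  permissive_admin_rules() audits a ruleset for the "PC Anywhere open
to the world" mistake.  Addresses, ports and ADMIN_PORTS are constructed for
the example; 5631/tcp is assumed to be the PC Anywhere port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
# Remote-administration services that should never be open to any source.
ADMIN_PORTS = {22, 23, 3389, 5631}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR
    dport: Optional[int]   # None means any port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def permissive_admin_rules(rules: List[Rule]) -> List[Rule]:
    """Audit: allow rules that expose an admin port (or all ports) to any source."""
    return [r for r in rules
            if r.action == "allow" and ip_network(r.src) == ANY
            and (r.dport is None or r.dport in ADMIN_PORTS)]


PCA_HOST = "192.0.2.10/32"   # internal host running PC Anywhere (constructed)

# Weak ruleset: web is public (fine), but PC Anywhere is reachable from anywhere.
WEAK = [
    Rule("allow", "0.0.0.0/0", PCA_HOST, 80),
    Rule("allow", "0.0.0.0/0", PCA_HOST, 5631),
]

# Tighter ruleset: same web rule, PC Anywhere only from the documented admin
# network, and an explicit deny ahead of it for a host that has scanned us.
TIGHT = [
    Rule("allow", "0.0.0.0/0", PCA_HOST, 80),
    Rule("deny", "198.51.100.66/32", PCA_HOST, None),
    Rule("allow", "198.51.100.0/24", PCA_HOST, 5631),
]


def demo() -> dict:
    attacker = Packet("203.0.113.7", "192.0.2.10", 5631)
    admin = Packet("198.51.100.5", "192.0.2.10", 5631)
    banned = Packet("198.51.100.66", "192.0.2.10", 5631)
    return {
        "weak/attacker->5631": filter_packet(WEAK, attacker),     # allow
        "tight/attacker->5631": filter_packet(TIGHT, attacker),   # deny
        "tight/admin->5631": filter_packet(TIGHT, admin),         # allow
        "tight/banned->5631": filter_packet(TIGHT, banned),       # deny
        "weak rules flagged": len(permissive_admin_rules(WEAK)),    # 1
        "tight rules flagged": len(permissive_admin_rules(TIGHT)),  # 0
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of rules matters under first-match evaluation: the explicit deny in TIGHT sits ahead of the admin-network allow, so a banned host inside that network is still dropped. The audit function is the kind of check a real firewall review does by hand: any "allow from anywhere" rule to a remote-administration port is the hole the talk warns about.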
Dan then introduced Robert Gray (bob@...), founder of Boulder
Labs, and David Clements (David.Clements@...), partner at Boulder
Labs, who gave a presentation on the security of wireless networks.
Robert Gray:
Speaking on wireless network security with a field report from Boulder!
They were shocked at how bad things are. Nothing wrong with wireless, but
understand what you are getting into. (This talk is on their website as a
PowerPoint presentation):
http://www.boulderlabs.com
Message: wireless networks are pervasive, everywhere. It is one thing to
acknowledge that you are vulnerable, but just understand that if you or
your company is hacked into, your time or your company's time may be wasted.
The Center for Astrophysics was down for two weeks. The term "net
citizen" is starting to make sense re: individual responsibility.
Wireless cards: 50 or 60 bucks, put one in a laptop and off you go. Does
not need a directional antenna. Just turn on public domain tools, and you
will see and be on wireless networks. If you put a directional antenna on
one, you can range well beyond a couple hundred feet.
Threats: launching viruses wirelessly as you drive by is a stretch, but
still possible.
System administrators are now looking for unauthorized wireless
networks. Winworks have access points, but somebody can be in the parking
lot and pick it up. Apple AirPorts can literally disable or make obsolete a
firewall by coming in the easy way.
Wireless cards: the most popular is 802.11b (aka WiFi). Two kinds of attacks
occur:
Active == actively sending packets, testing, probing.
Passive == somebody is just listening nearby with a directional
antenna. And you have no idea whom.
With a wireless card, he can pick up somebody 10 miles away by line of
sight. The manufacturers of the cards and access points have developed
WEP (Wired Equivalent Privacy). But it is flawed due to mistakes
in implementation, because they were not security folks. Lynxis and SMC can
crack 40-bit or 104-bit key encryption in about 30 seconds.
Message: 40-bit encryption does not do you much good. 104-bit key
encryption is not easily cracked, in contrast, but it still can be. To use
these, just pretend there are 8 to 20 hops along the way, and use
precautions accordingly; then you will be fine. So lay your security on top
of it, that is key.
(list of types of WEP attacks)
WEP security goals:
- Confidentiality
- Access control
- Data integrity: can packets be trusted, altered?
But they do not work. Cannot trust them; must take extra precautions in
order to prevent wireless hacking.
David Clements:
What has the wireless community done to catalog hacking?
Wardriving tools
- Stumbling tools:
  - Netstumbler.com
  - Dstumbler (BSD)
- Capture and crack utilities:
  - Airsnort (Linux)
  - BSD airtools (BSD) (see PowerPoint at Boulder Labs website for URLs)
Interesting observation: only 30-40% of wireless networks they detected
are even bothering to turn ON encryption.
The tools have recently reached the maturity/simplicity level where almost
anyone can use them.
Bob Gray (again):
How can you use wireless in a secure fashion?
- Treat 802.11b as external (i.e., outside the firewall)
- 802.1x
- Cisco, Agere have complete solutions
- Secure services: layer your own security on top = SSL, SSH, IMAP/S
- IPSec (secure IP protocol)
- Use 104-bit keys and change them frequently, i.e., at least buy the
104-bit gold cards and change keys frequently.
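Added example (not from the speakers or the Boulder Labs slides) of why WEP's data-integrity goal fails, which is one of the published WEP flaws rather than something the talk worked through: the integrity check value (ICV) is a CRC-32, and CRC-32 is affine over GF(2), so crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0...0). An attacker who guesses the plaintext layout can flip payload bits in the ciphertext and correct the encrypted ICV without knowing the key, and the receiver accepts the frame. The key, IV, message and the "change 100 to 900" edit below are constructed for the example.

```python
"""WEP bit-flipping: forging a frame that passes the ICV check without the key.
Illustration code added to these minutes, not the speakers' code.  A WEP frame
body is IV || RC4(IV||key)(payload || CRC-32(payload)).  KEY, IV and MSG are
constructed for the example.
"""
import zlib

KEY = b"\x01\x02\x03\x04\x05"        # 40-bit WEP key (constructed)
IV = b"\x10\x20\x30"                 # 24-bit IV, sent in the clear
MSG = b"PAY 100 USD TO ALICE"        # constructed payload


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    body = payload + icv(payload)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (payload, icv_ok) exactly as a receiver would compute them."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    payload, received_icv = body[:-4], body[-4:]
    return payload, received_icv == icv(payload)


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key needed: XOR delta into the ciphertext payload and
    XOR crc(delta) ^ crc(zeros) into the encrypted ICV so it still verifies."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv + xor(ct, delta + icv_delta)


def forge_amount(frame: bytes, payload_len: int) -> bytes:
    """Turn the '1' of '100' (offset 4 in MSG's layout) into '9'."""
    delta = bytearray(payload_len)
    delta[4] = ord("1") ^ ord("9")
    return bitflip(frame, bytes(delta))


def demo():
    frame = wep_encrypt(KEY, IV, MSG)
    forged = forge_amount(frame, len(MSG))
    return wep_decrypt(KEY, forged)     # (b'PAY 900 USD TO ALICE', True)


if __name__ == "__main__":
    print(demo())
```

The attacker never touches the key: everything in bitflip() is computed from the ciphertext and from CRC-32 values of the attacker's own delta. A real MAC (or the 802.11i/WPA per-packet integrity codes mentioned in the Q&A) would not have this property, which is why the talk's advice to layer SSL, SSH or IPSec on top of the wireless link is the right one.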
________________________________
After the talks, the speakers sat as a panel to take questions from
attendees:
Q: How do you develop a simple contingency plan? A: Google (search)
"incident handling" and look for templates; there are many out there.
Q: What if all servers are on one LAN? A: Need individual internal intrusion
detection. There are lots of intrusion detection systems, but the internal
systems are very popular. Need to centralize logging, and you need to look
at the log files, on almost a daily basis. Which is easier with high-tech
firewalls than with network intrusion systems.
Q: What types of regular maintenance should you do at home? A: Packet
filtering firewall: need it. Determine what the trade-off is; you can
reinstall if you do regular backups at home. Patching, have a basic
firewall, and watch for unusual behavior. Also watch the MAC address.
Q: On the push towards net citizenship; when do you think it will happen? A:
Not soon enough. Vendors are currently NOT responsible for problems with
their software, unlike a drug company! Vendors will probably be
accountable first, then perhaps users will become more so.
Q: nmap scan, what are they? Did not recognize? A: Unix, Solaris,
etc. Can run a lot of them right off the shelf. But some (especially
Windows desktops) you cannot turn them off and have your machine work
normally, so the only answer is to have a firewall.
Q: What about HTTP protocol tools? Do they have value for home users? A:
Yes, Microsoft Security Advisor and others (Shields Up, for one).
Q: Do you tell them (wireless companies) that they are wide open? A: We
have not done that to companies, but we have received responses from people
in Boulder. Some are upset, and some are open and looking for input or
help.
Q: Cell phones, WAP: how secure? A: Not sure. But in GENERAL, people are
not doing stock stuff using WAP yet, because it is not secure enough for
basic retail.
Q: Security of VLANs? A: Depends on how configured. Cisco VLAN is
considered by some to be as secure as an actual hardware LAN. (Point added:
it also depends on exactly what you mean by VLAN; it can mean slightly
different things depending on context.)
Q: Is there a lot of bleed-over from [router] switch to switch? A: Yes,
even with Cisco. ARP flooding: firewall vendors, when it fails, it stops
traffic.
Q: Backup software, is any of it cross-platform? A: Not really. Or not
for under 6 digits. [Reference to Amanda as not having full system
backup.]
Q: What about poorly developed applications? A: Products to detect
application intrusions are only recently being developed. [SQL tool given
as example.] Security ROI/development of good practices from the start is
becoming more prevalent.
Q: Have MS products improved in security? A: No.
Q: For large wireless networks, does CDMA help obscure the signals/traffic?
A: Not really.
Q: Guesstimate on 802.11i arrival? A: No bidirectional authentication is
available yet. Cisco stuff does have bidirectional authentication and seems
to have solved WEP deficiencies.
Q: What type of skill level of threat (in hackers) is happening now, and
where will it go? A: Go to CGI and download the report, but the low level of
skill [of hackers] is shocking. There are 50,000 infected Code Red
computers TODAY. And this has been known for months. In the computer world it
only takes the time to hack that it takes to download.
Q: For Ned and Trent: what is the customer mix? A: Less than 20% of
clients come to them in a panic. But there are a lot who mess around with
Norton [antivirus software], etc., and not DO anything, so they never see
them. They do not approach it proactively.
___________________
RMIUG minutes submitted by Elizabeth Cline, Cline Enterprises,
(phdski@...). Elizabeth is a former research scientist with fifteen
years experience in technical writing. She is currently seeking work
writing, editing, or developing online help systems in Information
Technology or academia.