by Rik Farrow, Special Issue editor

Rik Farrow provides UNIX and Internet security consulting and training. He is the author of UNIX System Security and System Administrator's Guide to System V.
I'm not laughing anymore. Joe Campbell, the English professor at Berkeley who had asked me about security, explained that if UNIX was to be used by businesses, security was essential. This was news to me, as I was coming from a programming perspective where security was "interesting" because of the clever ways of abusing system utilities to gain privileges. Joe was right, but not just about UNIX. Our computer systems and networks are now the backbone of business, whether you are ordering fast food, making stock trades, flying in airplanes, or going in for heart surgery. But what was true in the early eighties when I was asked this question is still true today: our computer systems and networks are vulnerable. Scripts exist that will permit an attacker to connect to a network service and fool it into running a shell through a stack overrun. Software exists for both UNIX and NT systems for efficiently guessing passwords, along with tricks and techniques for acquiring encrypted passwords. You can find exploits using Web search engines that will grant you root privileges on UNIX systems. All you need to do is get interactive use of the system, then upload and run the exploit script.

Bill Cheswick's keynote speech at the Seventh USENIX Security Symposium in January 1998 included pictures of castles and fortifications from around the world to make several important points about security. The best fortifications offered protection in depth. The castle (or the Great Wall) would be located on top of a hill or, better yet, a sheer bluff. The next line of defense would be a difficult-to-scale wall, topped by embrasures for the defenders. The castle gate would actually be a series of gates, connected by tunnels or narrow passageways. If the attackers got through the outer gate, they would find themselves in these enclosed spaces facing well-protected defenders with arrows, spears, and even boiling oil. And still more gates to batter down.
In his talk, Bill described how Robert the Bruce took Edinburgh castle. He led a small group of men up a trail that was used by one of the defenders to reach his girlfriend in the small town below. A guard spotted the group, but just laughed at them because they were outside the wall. Robert and his men scaled the wall, went to the front gates, and threw them open after overcoming the guards. An inside attack. Bill pointed out that many other fortifications had been overthrown through the help of insiders. The common wisdom about computer security is that most security incidents have an internal origin. This was true for many years, but apparently not anymore. In the 1997 CSI/FBI security survey, sites reported the Internet as often as internal sources as the origin of security events last year (<http://www.gocsi.com>). Financial losses were up from the previous year by 36%, and the most serious losses were from unauthorized use and theft of proprietary information. The time for ignoring security has long since passed. People used to rob banks because that's where the money was. Today, value is on line, in our computer systems, in the form of information and cash equivalents. The layered defenses that Bill described have become critical to our computer and network infrastructure.

This special issue of ;login: attempts to add to the body of knowledge about improving security by pointing out weaknesses, new defenses, and future directions. Included are the reports from conference scribes and nine additional articles. We include a speech about the future of security from a vendor's viewpoint that Dan Geer gave at a security conference. Actually, Dan goes quite a bit further in his predictions, including having IBM taking over the desktops and Microsoft the high end. Before you get too upset, I suggest you start reading. David Martin writes a lively and useful article about anonymity on the net.
I had heard of some of the projects, but David has done a lot of research in this area and shares it with us, along with pointers to sites that let us use existing services or add to such services as the Mixmaster. Creating true, bidirectional anonymity turns out to be difficult but arguably useful. Peter Brundrett of Microsoft contributes an article about the Kerberos version 5 implementation that will be found in NT version 5. His article provides an overview of the authentication mechanisms used in all NT versions and of how these mechanisms will be supported using Kerberos for authentication. Brundrett explains that NT systems, because of their reliance on sets of security identifiers (SIDs) for naming, will not be completely compatible with UNIX-based Kerberos systems. Elias Levy, also known as Aleph One, the moderator of the Bugtraq mailing list, shares some information about recent network-based attacks with us. Aleph One has done research into finding patches, configuring routers, and tuning operating systems to prevent these attacks (to the degree that it is possible). Matt Curtin and Justin Dolske write about the great DES challenge and the tools used to launch an Internetwide "crack." In January 1997, RSA issued several challenges, all involving discovering passwords of varying lengths. The DES challenge meant cracking a 56-bit key, and the process involved over 78,000 unique IP addresses (which does not translate directly into a count of hosts). Jon Meek describes some software he wrote to provide new options for authenticating Web users. His software is designed to work as an Apache Web server module and supports UNIX passwords for two NIS domains, NT domain passwords for two domains, VAX/VMS passwords, SecurID, and standard Web authentication. Scott Guthery provides an excellent article explaining some of the history and present and future uses of smart cards.
Smart cards have the potential to become the ubiquitous token for identification and the keepers of our private keys. Yair Frankel and Moti Yung share with us some of their work in the field of split keys used in certification authorities (CAs). If a business entity is controlled by many companies, it makes sense to distribute a private key over all of the companies involved. Frankel and Yung discuss techniques for splitting keys as an attempt to improve trust and reduce fraud. Chris Lalonde writes a software review of Network Flight Recorder. Lalonde is an obviously enthusiastic user of NFR, and his article provides a quick tutorial in using it to collect data from a network.
First posted: 28th May 1998 efc. Last changed: 28th May 1998 efc.