Today's ISN Sponsor: Repent Security Incorporated
[Moderator: Remember the idea of this article for some of the following
posts and my comments on them.]
DOD-Cracking Team Used Common Bug
by James Glave
3:10pm 5.Mar.98.PST
The two California teenagers who roamed through unclassified military Web servers in recent weeks used a widely known and easily patched server security hole.
Through this opening the pair attempted break-ins on 800 separate occasions, according to Dane Jasper, the owner of Sonic, the Internet service provider (ISP) that provided Internet access to the youths.
The vulnerability that was used is known as the "statd" exploit, and was first announced on the BugTraq mailing list and a security Web site called rootshell on 21 November. The Computer Emergency Response Team (CERT) issued an advisory on the exploit on 5 December.
"If you leave your garage door open and someone comes in and steals your car, it's still grand theft auto," said Jasper. "But CERT is a government-funded organization whose function is to keep system administrators apprised about security matters.
"Don't you think the government ought to be listening to its own security organization?" Jasper asked. "Why didn't the Pentagon apply these patches?"
According to Pam Hess, editor of the Defense Information and Electronic Report, non-classified but secure military networks are commonly maintained and upgraded by low-level enlisted personnel who, until recently, had very little accountability for security breaches.
The statd exploit, a version of which dates back as far as 1996, allows a malicious user to gain root access - or top-level administrator access - on a target Unix machine running Sun Microsystems' Solaris operating system. Once obtained, root access allows a cracker to deface or delete entire Web sites, or install malicious and near-invisible programs.
The exploit works with a Solaris operating system function that is normally used to block access to a specific file being used by another program. A malicious user could run statd on his own machine to remotely exploit a vulnerable machine on another network.
"You could use this to log into a computer without a password after just running this program," said Kit Knox, a senior system administrator for Connectnet Ins Inc., and co-maintainer of the rootshell site, a full-disclosure resource for security enthusiasts.
"You can run it on any [vulnerable] Unix system, and that will allow access to the target machine, assuming there are not a lot of firewalls," said Knox.
Jasper said that the two teenagers in Cloverdale, California, who go by the aliases TooShort and Makaveli, used statd to gain root access to military servers. Then they created new accounts for themselves on those systems.
Under the guidance of their mentor, an 18-year-old named Analyzer, the pair used these backdoors to install password sniffers, which silently record the keystrokes - and passwords - of other users. The youths then reportedly used those passwords to obtain access to other systems.
But while the three were sniffing, Jasper and federal agents were sniffing right back.
"We modified our network and rerouted all our Cloverdale traffic into a terminal server that was being watched," said Jasper. The FBI contacted Jasper on 9 February, and the monitoring program was set up the following day. That monitoring continued until the warrants were served on the youths on 25 February, at which point the data was turned over as evidence.
"We allocated two 64-address subnets, one to each of these individuals, so we could be assured we only monitored these individuals' traffic, and not that of other customers," Jasper said.
Jasper said that he has captured 1.3 gigabytes worth of the cracker team's network activity, and that he and authorities are in the process of sifting through the evidence.
A critical piece of that evidence is likely to be the role of Analyzer, who Jasper believes is based in Israel. On Tuesday night, Analyzer told Wired News that he was teaching the pair his secrets because he was preparing to retire from his hacking career.
"Analyzer did a lot of tutoring with TooShort and Makaveli," said Jasper. "I have some ... chat sessions where he is teaching [Makaveli] how to modify DNS [Domain name servers] and set up bogus host names."
On Tuesday, Analyzer told Wired News he still had root access at more than 400 military computer systems. Though the two teenagers had their equipment confiscated by federal agents last week, Analyzer remains at large.
The FBI has refused to comment on the investigation.
If you wish to receive ISN directly, mail majordomo@sekurity.org with "subscribe isn".
ISN is a non-profit list designed to keep Security Professionals aware.
Received on Sat Mar 14 23:29:58 1998