Frank Swift mentions: >Of interest also was that the tools were subsequently posted at an .edu >site and then taken off the net by their administrators. Tsutomu and I discussed this attack in depth, over dinner, and he never mentioned his tools being posted somewhere; I think what may have happened is confusing definitions -- tools like "gimme which is the ankle-biters weapon of choice' vs tools like 'the interface builder builder, which I defy anyone to execute outside Tsutomu's lab having seen it in operation firsthand. It's sweet, but it's just not going to be a compressed tar file you download and uncompress, it requires a great deal of careful planning and preprocessing before use. And my comments are based on sitting with Tsutomu last summer and having him show me how the 'advanced' tools work. > >This incident is just the tip of the iceberg. I'm fear that we all may get >spooled off in a router discussion eddy and miss the importance of what the >other tools were and what they do. > >How's that for another catalyst? >frank > >Frank Swift L-321 (Sent from Home) >Unclassified Computer Security Coordinator >Lawrence Livermore National Laboratory (LLNL) >7000 East Avenue L-321 Livermore CA 94550-9516 >Voice: (510) 422-1463 FAX: (510) 423-0913 > Tsutomu Shimomura and I were on the system vulnerabilities session of the conference referenced in the article -- and it was his system that was attacked. We discussed, privately, the attack at length. The 'tools' that were stolen are far less significant than might be expected for three reasons: (1) this attack, in an even more elementary form, was launched, successfully, on his system last summer and most of the tools were originally pilfered then -- not now. (2) the tools, were more snippets of code that require the original code architect to string them together and compile and execute. (3) the crackers don't necessarily need sophisticated tools, and will be loath to use pilfered, and very complicated (i.e. easily attributed) ones if they're intelligent, because if caught intruding it will also be evidence they broke into a research system in San Diego. I would like to discuss another thread of all this though. AF testing has verified that 50% of the systems on the net, within the .af.mil domain, are vulnerable to penetration with the simplest techniques. On 80% of those 50% my team can get root use equally simple techniques. Although the IP spoofing is interesting let's work the math, because our metric data indicates that 95% of what's reported is ankle-biting not roicket science. There's no denying that IP spoofing is severe and it could hurt a lot of us and it should be fixed, unfortunately so should world hunger -- the problem is you can't fix everything, nor can you fix a lot of things at once -- you have to prioritize based on what is happening, not what might happen. For instance, if experience data indicates that sendmail is still wide open on most systems, even if you prevent IP spoofing sendmail is still vulnerable. This is important because yopu'll have stopped one IP spoofer, but 95 others crackers will have snatched the code you built using sendmail. It's a hollow argument to say sendmail should be updated because as 8lgm will demonstrate at midnight on 6 Feb -- the newest version of sendmail is still vulnerable. We need to identify the tope ten problems, and proactively prevent them. I know, metrically, what the Air Force's top ten are and we are working on the short term solution. Until that's fixed, I'm willing to bite the bullet and accept what I cannot change -- for the moment. Were am I going? First, the tools taken from Tsutomu will most likely not be seen for a while because unlike the gimme program, there were code snippets not functional shell scripts AND they can be easily attributed to him. Two, ip spoofing is bad, but the ankle biters are worse because our systems (yours and mine) are vulnerable to the most elementary attacks and as long as that stands, the exotic ones should be counted but not obsessed over. Finally, I wonder if the people on this list would share metric data? Since things like number of attacks, number of successes, and number of compromises (along with things like the top ten attacks you've seen) would not hold a site up to the microscope and would not compromise site data -- but it would let us identify the top ten, real world, problems. If we could achieve even a modest goal like this, we could confidently say "these are the immediate countermeasures that must be built." I am willing to share AF metric data at this level to help strengthen the community as a whole. I'm also willing to accept and maintain this data in something like an email server were yopu email your new input and the list gets emailed the new metrics. Any thoughts on this? I'd like to thank Frank for being a catalyst. Often times I'm reluctant to post anything because I like to listen to everyone else's thoughts first. It just seemed like everyone was thinking the same thing I was so I decided to 'share' ;) Kevin ========================================================= Capt Kevin J. Ziese ziese@chaos.csap.af.mil Chief, Countermeasures Development 1-210-377-0477 Voice AF Information Warfare Center 1-210-377-1326 Fax 1100 NW Loop 410, Suite 607 1-800-217-0570 Pager San Antonio, Texas 78213 =========================================================