OS-Specific Security Issues
Modified 10 March 2008
Cisco Router Security
Here are some great references on current best practices
for Cisco router configurations:
Linux
Solaris Security
-
UNIX IP Stack Tuning Guide —
http://secinf.net/info/unix/ip-stack-tuning.html
-
My overview of how to set up SSH
-
http://secinf.net/info/unix/solaris_hardening.html
-
http://secinf.net/info/unix/securing.html
-
http://secinf.net/info/unix/harden1.html
-
http://secinf.net/info/unix/basic_security.html
-
http://secinf.net/info/unix/security-faq.html
-
Center for Internet Security benchmarks:
http://www.cisecurity.org/
-
Hardening Solaris user authentication:
-
If you have Solaris 8 or earlier, you are stuck with
the mid-1970's "classic UNIX" authentication.
Only the first 8 password characters matter, and they're
hashed in a way that was fairly secure against
brute-force attack by, oh, common computers of the
mid-1970's...
-
If you have Solaris 10 or later, it uses much more
secure password hashing by default.
Arbitrarily long pass phrases, hashed with MD5.
-
If, on the other hand, you have Solaris 9,
while it is capable of the stronger method, you have
to specify it.
-
First, modify /etc/default/passwd and change
the line now reading:
PASSLENGTH=6
to a more ambitious number.
-
Edit /etc/security/policy.conf, first verifying
that it contains this line:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
-
Now un-comment this line by removing the
leading "#":
CRYPT_ALGORITHMS_DEPRECATE=__UNIX__
-
Change the default hashing algorithm like this:
CRYPT_DEFAULT=1
-
Once you've done that, you will need to re-set the passwords
with passwd to put the hashes into the more
secure form.
-
The algorithms are as follows, note that the
"1/2a/md5" notation was taken from Cisco:
-
1 — BSD and Linux (GNU) style
MD5 hashing.
This is probably the best for interoperability,
and should be quite strong.
-
2a — OpenBSD style
hashing, using a 1024-round lossy variation
of Blowfish as a one-way operation.
It has a password length limit,
see the manual pages for
crypt.conf,
crypt_bsdmd5,
and
crypt_bsdbf.
-
md5 — Some Solaris-specific
MD5 hashing.
-
How to integrate any sort of *NIX into a Kerberos realm
based on a Windows Active Directory server (ugh):
http://www.cromwell-intl.com/unix/kerberos.html
ULTRIX/ OSF/1 / Digital Unix / Tru64 Unix Security
The BSDish variant of Unix from Digital/Compaq/HP/whatever has bugs and fixes:
http://www.insecure.org/sploits_ultrix.html
HP-UX Security
HP-UX bugs and fixes:
http://secinf.net/info/unix/secureHP-UX.html
IRIX Security
Silicon Graphic's variant of Unix has bugs and fixes:
http://www.insecure.org/sploits_irix.html
AIX Security
IBM's variant of Unix has bugs and fixes:
http://www.insecure.org/sploits_aix.html
DOS Security
Go to the COAST archive:
ftp://coast.cs.purdue.edu/pub/tools/dos
AS/400 Security
Novell Security
VMS Security
-
Axent has VAX/VMS security tools.
http://www.axent.com/
-
Think you're secure because you run VMS, not Unix?
See the first chapter of
UNDERGROUND — Tales of Hacking, madness and
obsession on the Electronic Frontier
(ISBN 1-86330-595-5),
http://www.underground-book.com
Windows Security
Abandon hope, all ye who enter here
|
|
Jim Allchin was a vice-president and later
co-president of Microsoft.
He retired from Microsoft as of 30 January 2007,
the day on which Microsoft officially released their
Windows Vista operating system to consumers.
Allchin was co-president of Microsoft's Platforms &
Services Division, was the manager of the
Vista project, and led the development of a number
of Microsoft's operating systems.
Allchin provides some interesting information:
-
"I am not sure how the company lost sight of
what matters to our customers (both business
and home) the most, but in my view we lost
our way.
I
think our teams lost sight of what bug-free
means, what resilience means, what full
scenarios mean, what security means,
what performance means,
how important current
applications are, and really understanding
what the most important problems [our]
customers face are.
I see lots of random features and some great
vision, but that doesn't translate into great
products.
I
would buy a Mac today if I was not working
at Microsoft. ...
Apple did not lose their way. ..."
-
Then there is the problem of
privilege escalation through the Win32 API.
Microsoft says this is not fixable but not really a
problem,
which is true unless you really don't
want people breaking your OS.
While testifying before the U.S. Department of Justice
in an anti-trust case,
Allchin
referred to this as a fundamentally
unsecurable design
representing a threat to U.S. national security
due to the U.S. government's reliance on Windows.
Allchin then mentioned the Windows
message-queuing subsystem,
which allows for what's known as the "Shatter"
attack.
This was at least partly fixed in Vista,
but some issues remain.
Oh, and after Microsoft said
"Outsiders cannot be allowed to see the source
code as that would damage
US national security",
they allowed the government of the People's Republic
of China to view the source code.
See, the PRC said they didn't want to buy Windows
unless they could see the source code,
and Microsoft didn't want to miss out on a big sale....
It appears that the guy in charge of the Microsoft
operating systems has very little confidence in them.
Why should we contradict him?
Then there are the three highly placed Microsoft executives
whose internal communications were brought to light in a
US District Court case, described in
a New York Times article 9 March 2008.
Their frustrations were caused by a lack of functionality
and support in Vista, which at the time of their problems
had been released as a supposedly finished product and
was being sold for full retail price.
The angry executives included:
-
Jon A Shirley,
a Microsoft board member, former president,
and chief operating officer,
"upgraded" two XP machines to Vista.
Then he discovered that his printer, scanner,
and film scanner all lacked Vista drivers.
He had to go back to XP on one machine just to
continue using those peripherals.
-
Mike Nash,
a Microsoft vice president who oversees Windows
product management,
bought a laptop with a "Windows Vista Capable" logo.
That laptop lacked the needed graphics chip,
could not run his favorite video-editing software,
and could only run "a hobbled version of Vista".
"I got burned", he said,
"I now have a $2,100 e-mail machine."
-
Steven Sinofsky,
Microsoft's senior vice president responsible for
Windows, heard about Jon Shirley's problems and
said that drivers are missing in every category
in Vista — "This is the same across
the whole ecosystem."
If you want to reduce your security risk due to Windows:
-
Use any other operating system.
Really.
Most users need little more than a web browser,
an e-mail tool, and something to handle
documents.
-
If you really must use Windows on
some systems,
then do not use Explorer for anything.
Beyond profound code quality issues,
aspects of its design are fundamentally
insecure and unsecureable.
Use any other browser,
most people find
the Mozilla Firefox browser
an excellent tool.
Most people also find that getting rid of
Exploder means,
for the most part, an end to spyware,
and many phishing attacks become more obvious.
-
Given that, do not use Outlook for anything,
as it silently uses some of the most insecure
components of Exploder and the user can't
prevent that.
Mozilla Firefox
comes with Thunderbird, an
integrated e-mail client.
-
Use the NTFS file system, but don't expect it
to protect you from booting off
a Knoppix CD.
-
If you use Kerberos, rip out Microsoft's
weakened version and use real Kerberos,
available for free from MIT.
Weakened?
Yes, their silly "pre-authentication"
violation of the Kerberos rules
supports a known-plaintext attack
by an attacker.
-
Finally,
try to use any other operating system
in place of Windows.
On to the Windows security list.
Remember that "NT" is
Microsoft's term for an entire family of
operating systems, including
for NT 3.x, NT 4.x, Windows 2000, Windows XP,
Windows 2003, and Windows Vista.
-
A good discussion of Windows rootkits —
gets you into the technical details of how a
rootkit works:
http://www.securityfocus.com/infocus/1850
-
Breaking in with bootable media:
-
NSA recommendations for securing Windows:
http://www.nsa.gov/winsecurity/win2k/download.htm
-
Disturbing facts about Windows file system insecurity
-
The newer members of the Windows NT family
support EFS,
Encrypting File System, which originally
seemed like a decent design:
-
Every file is encrypted using a
symmetric cipher and a key randomly
generated when the file was created.
-
The collection of keys is stored in
a file encrypted with a key based
on the user's password.
-
You type your password to login,
and so your login session has
access to the key store.
-
If you change your password while
logged in, your old (current) password
is used to decrypt the key store and
then the new (future) password is
used to encrypt the key store.
-
The remaining problem is that if you
use EFS and you reset a users's
password, you lose the ability to
decrypt that key store and thus
all of that user's files are lost
as undecipherable ciphertext.
-
The good news (in this very specific
case) is that Windows password security
is so weak that you can use something
like
Rainbow Tables
to break the user's password in minutes
instead of resetting it and losing
the data.
-
The disturbing part is this disclosure on
one of Microsoft's pages:
Windows NT zero-fills memory and zeroes
the sectors on disk where a file is placed
before it presents either type of resource
to an application.
owever, object reuse does not dictate that
the space that a file occupies before
it is deleted be zeroed.
This is because Windows NT/2K is designed
with the assumption that the operating system
controls access to system resources.
However, when the operating system is not
active it is possible to use raw disk editors
and recovery tools to view and recover data
that the operating system has deallocated.
Even when you encrypt files with Win2K's
Encrypting File System (EFS), a file's original
unencrypted file data is left on the disk
after a new encrypted version of the file
is created.
-
So....
EFS only matters if you agree to play by
Microsoft's contrived rules and only use
Microsoft Windows to operate all computers
at all times.
But boot from
Knoppix
and there is cleartext data lying all over
the place.
This is a strangely narrow meaning
of the term "Encrypting File System"!
-
See the page describing this strangeness at:
http://www.microsoft.com/technet/sysinternals/FileAndDisk/SDelete.mspx
-
An article to frighten you about Microsoft
design trends:
http://www.hevanet.com/peace/microsoft.htm
-
Center for Internet Security benchmarks:
http://www.cisecurity.org/
-
http://www.ntsecurity.net/
-
http://www.ntbugtraq.com/
-
http://www.l0pht.com/advisories.html
-
http://www.warzone.org/
-
A great collection of Windows exploits:
http://www.dhp.com/~fyodor/sploits.html
-
BackOriface, NetBus, and other attacks detailed:
http://www.nttoolbox.com/ —
-
Microsoft exploit details:
http://www.insecure.org/sploits_microshit.html
-
The NetBus attack detailed:
http://www.nwi.net/~pchelp/nb/netbus.htm/
-
http://ntshop.net
-
http://sysinternals.com
-
Join the NT security mailing list, at
request-ntsecurity@iss.net
-
Microsoft's implementation of PPTP, on which they base their VPN's,
is seriously broken (although they claim it isn't):
-
The classic John Kirch paper describes in detail
why various Unix operating systems out-perform
the Windows NT family ("NT" is Microsoft's term
for NT 3.x, NT 4.x, Windows 2000, Windows XP,
Windows 2003, and Windows Vista):
http://www.lege.com/unix-nt/
- Windows NT Security Tools
-
Kane Security Monitor (network traffic and log
analysis),
http://www.intrusion.com
-
RealSecure 1.0 (traffic analysis and attack signature detection),
Internet Security Systems,
http://www.iss.net
-
NukeNabber scans and logs incoming TCP/IP traffic, including packet
attacks like Boink, TearDrop, Land, etc.
http://www.dynamsol.com/
-
There are some tools to clean BackOriface, Netbus, and other attack code
from infected NT machines.
- For Windows security problems in detail,
see Byte, November 1997, pp 81-86 for details of how Microsoft
re-invents broken wheels.
Many problems that were discovered, and fixed, in other operating systems
over the past two to twenty years are being repeated by Microsoft!
Also see Computers and Security, vol 17, no 2, pp 100-106 for details.
-
See my page on user authentication for
details on just how weak the default
Windows design is.
-
Internet Explorer bugs:
http://www.tbtf.com/resource/ms-sec-exploits.html
-
How Microsoft's poor (missing?) protection of the master cryptographic
key exposes all of a user's net communication:
http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt
and
http://www.techweb.com/wire/story/TWB19980123S0007
Comparing Windows to Linux and BSD
What is wrong with Linux?
It is as disorganized and resistant to organization
as a herd of cats.
The kernel of the operating system itself is fairly good.
But a Linux distribution is largely a pile of things that aren't the kernel,
and which tend to lower security:
-
Application software — possibly buggy but relied on
and assumed secure by users.
-
Graphical environments — even worse!
More likely to be buggy due to the volume of code,
and just like Windows they hide details from users
and automatically invoke programs in response to mouse events.
-
Distribution installation and configuration tools — the
installation process makes some security related assumptions
on behalf of the administrator.
The configuration tools used for ongoing administration may not
be as bad, but they still make some assumptions that the
administrator will not notice without great care.
Also, Linux is not very good for playing games.
Apparently this matters a lot more than security to an awful lot of people.
What is wrong with BSD?
The same problems as Linux, just to far less degree.
While there are just three BSD implementations —
FreeBSD,
NetBSD, and
OpenBSD,
and their releases are far better controlled those for Linux,
the BSDs use the same application software and graphical environment
(GNU, KDE, Gnome, et al) as Linux.
While their installation tools assume quite a bit of *NIX expertise
(you'd better know how to set up a BSD partition/slice scheme by hand!),
they may still hide some details from the installer.
BSD is not very good for playing games, either, if you care
more about that than security.
What is wrong with Windows?
Three crucial components seem to be far more intertwined in Windows
than in other operating systems:
-
The operating system
-
The graphical interface
-
The environment of user's processes
The accepted method for administering the system is to login to the
graphical interface as Administrator and use graphical tools.
There is next to no separation of privileges.
Compare that to the UNIX model where the operating system and the graphical
interface are relatively separate, and where cautious administrators log in
as unpriviliged users.
Only to the extent absolutely necessary do they elevate privileges,
using su or Role-Based Access Control (RBAC) tools.
Then there are the other really bad design decisions — the window
message queueing API,
really questionable TCP/IP design decisions (like file and print sharing
over IP broadcast rather than IP multicast!),
etc.
As for some commentary on the Windows source code that leaked in early 2004,
see:
http://www.kuro5hin.org/story/2004/2/15/71552/7795
Finally, don't forget hubris, which has caused trouble for its practitioners
since the Illiad and Odyssey.
Microsoft's continued claims that their latest expensive product is far more
secure or reliable will just invite attacks.
However, Windows is very good for playing games if that's what matters to you.
Security Page
