Annex 3. Electronic Resources
There is a certain irony in trying to include a comprehensive list of electronic resources in a printed document. Electronic resources such as Web pages, news-groups, and mailing lists are updated on an hourly basis; new releases of computer programs can be published every few weeks.
We thus present the following electronic resources with the understanding that this list necessarily cannot be complete nor completely up to date. What we hope, instead, is that it is useful. By reading it, we hope that you will gain insight into places to look for future developments in computer security. Along the way, you may find some information you can put to immediate use.
Mailing Lists
There are many mailing lists that cover security-related material. We describe a few of the major ones here. However, this is not to imply that only these lists are worthy of mention! There may well be other lists of which we are unaware, and many of the lesser-known lists often have a higher volume of good information.
Never place blind faith in anything you read in a mailing list, especially if the list is unmoderated. There are a number of self-styled experts on the net who will not hesitate to volunteer their views, whether knowledgeable or not. Usually their advice is benign, but sometimes it is quite dangerous. There may also be people who are providing bad advice on purpose, as a form of vandalism. And certainly there are times where the real experts make a mistake or two in what they recommend in an off-hand note posted to the net.
There are some real experts on these lists who are (happily) willing to share their knowledge with the community, and their contributions make the Internet a better place. However, keep in mind that simply because you read it on the network does not mean that the information is correct for your system or environment, does not mean that it has been carefully thought out, does not mean that it matches your site policy, and most certainly does not mean that it will help your security. Always evaluate carefully the information you receive before acting on it.
A Big Problem With Mailing Lists
The problem with all these lists is that you can easily overwhelm yourself. If you are on lists from two response teams, four vendors, and another half-dozen general-purpose lists, you may find yourself filtering several hundred messages a day whenever a new general vulnerability is discovered. At the same time, you don’t want to unsubscribe from these lists, because you might then miss the timely announcement of a special-case fix for your own systems.
One method that we have seen others use with some success is to split the mailing lists up among a group of administrators. Each person gets one or two lists to monitor, with particularly useful messages then redistributed to the entire group. Be certain to arrange coverage of these lists if someone leaves or goes on vacation, however!
Another approach is to feed these messages into Usenet newsgroups you create locally especially for this purpose. This strategy allows you to read the messages using an advanced newsreader that will allow you to kill message chains or trigger on keywords. It may also help provide an archiving mechanism to allow you to keep several days or weeks (or more) of the messages.
Finally, most security mailing lists offer the option of subscribing to a daily digest of the list. Digest subscribers usually receive a single message each day that contains all of the day’s messages. Managing these digests can be easier than sorting through each individual message as they arrive. Of course, you may learn about new vulnerabilities several hours later than other system administrators — or attackers.
Response Teams and Vendors
Many of the incident response teams (listed in Appendix E) have mailing lists for their advisories and alerts. If you can be classified as one of their constituents, you should contact the appropriate team(s) to be placed on their mailing lists.
Many vendors also have mailing lists for updates and advisories concerning their products. These include computer vendors, firewall vendors, and vendors of security software (including some freeware and shareware products). You may wish to contact your vendors to see if they have such lists, and if so, join. To subscribe to Microsoft’s Security Notification Service mailing list, for example, visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp and register.
Major Mailing Lists
These are some of the major mailing lists.
Bugtraq
Bugtraq is a full-disclosure computer security mailing list. This list features detailed discussion of UNIX security holes: what they are, how to exploit them, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities (although that is known to be the intent of some of the subscribers). It is, instead, about defining, recognizing, and preventing use of security holes and risks. To subscribe, sign up at http://www.securityfocus.com. Note that we have seen some incredibly incorrect and downright bad advice posted to this list. Individuals who attempt to point out errors or corrections are often roundly flamed as being “anti-disclosure.” Post to this list with caution if you are the timid sort.
SecurityFocus also runs several other mailing lists that cover areas of security (such as IDS, honeypots, or viruses) or specific flavors of Unix (such as Linux or Sun systems). A particularly interesting list is “incidents,” which is for reporting actual attacks and break-ins. SecurityFocus is owned by the Symantec Corporation.
NTBugtraq
A full-disclosure computer security mailing list for Microsoft Windows NT-based systems (including Windows 2000 and XP). Non-NT-based releases are off-topic for this list. In other ways, it resembles the Bugtraq list. Subscribe at http://www.ntbugtraq.com.
CERT-advisory
New CERT/CC advisories of security flaws and fixes for Internet systems are posted to this list. This list makes somewhat boring reading; often the advisories are so watered down that you cannot easily figure out what is actually being described. Nevertheless, the list does have its bright spots. Send subscription requests to majordomo@cert.org. Put “subscribe cert-advisory” in the message body.
Archived past advisories are available at
http://www.cert.org/nav/alerts.html.
Computer underground digest
A curious mixture of postings on privacy, security, law, and the computer underground fill this list. Despite the name, this list was not a digest of material by the “underground”—it contained information about the computing milieu. Unfortunately, it stopped publishing in 2000, and it is unclear if the list will ever resume. This list was available as the newsgroup
comp.society.cu-digest on the Usenet; the newsgroup was the preferred means of distribution. The list is archived at numerous places around the Internet, including its home page:
http://sun.soci.niu.edu/~cudigest/
Firewalls
The Firewalls mailing list, which is hosted by the Internet Software Consortium, is a primary forum for folks on the Internet who want to discuss the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. To subscribe, visit http://www.isc.org/services/public/lists/firewalls.html.
The Firewalls mailing list is usually high volume (sometimes more than 100 messages per day, although usually it is only several dozen per day). To accommodate subscribers who don't want their mailboxes flooded with lots of separate messages from Firewalls, a digested version of the list is also available, and the list is archived on the web site.
Firewall-Wizards
The firewall-wizards mailing list is a moderated list focused not only on the design and implementation of firewalls but also other network security topics. You can subscribe (or browse the archives) at
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards.
RISKS
RISKS is officially known as the ACM Forum on Risks to the Public in the Use of Computers and Related Systems. It’s a moderated forum for discussion of risks to society from computers and computerization. RISKS is also distributed as the comp.risks Usenet newsgroup, and this is the preferred method of subscription. If you don’t get Usenet (and don’t want to read it via http://groups.google.com), you can send email subscription requests to RISKS-Request@csl.sri.com with the word “subscribe” in the body.
Back issues are available through Google (as above) or from http://www.risks.org.
SANS Security Alert Consensus
Security Alert Consensus is a weekly digest of alerts and announcements from several other security mailing lists and vendors. Subscriptions can be customized to include only those operating systems for which you are responsible. Subscribe at http://www.sans.org.
Usenet Groups
There are several Usenet newsgroups that you might find to be interesting sources of information on network security and related topics. However, the unmoderated lists are the same as other unmoderated groups on the Usenet: repositories of material that is often off-topic, repetitive, and incorrect. Our warning about material found in mailing lists, expressed earlier, applies doubly to newsgroups.
comp.security.announce (moderated)
Computer security announcements, including new CERT/CC advisories
comp.security.unix
UNIX security
comp.security.misc
Miscellaneous computer and network security
comp.security.firewalls
Information about firewalls
comp.virus (moderated)
Information on computer viruses and related topics
comp.admin.policy
Computer administrative policy issues, including security
comp.protocols.tcp-ip
TCP/IP internals, including security
comp.unix.admin
UNIX system administration, including security
sci.crypt
Discussions about cryptology research and application
sci.crypt.research (moderated)
Discussions about cryptology research
comp.risks (moderated)
As described above
microsoft.public.security, microsoft.public.win2000.security, microsoft.public.windowsxp.security_admin
Microsoft hosts dozens of Usenet groups for its operating systems and applications, including several devoted specifically to security.
WWW Sites
There are literally thousands of WWW pages with pointers to other information. Some pages are comprehensive, and others are fairly narrow in focus. The ones we list here provide a good starting point for any browsing you might do. You will find most of the other useful directories linked into one or more of these pages, and you can then build your own set of “bookmarks.”
CIAC
The staff of the CIAC keep a good archive of tools and documents available on their site. This archive includes copies of their notes and advisories, and some locally developed software:
http://ciac.llnl.gov
CERIAS
CERIAS (Center for Education and Research in Information Assurance and Security), the successor to COAST (Computer Operations, Audit, and Security Technology) is an inter-disciplinary center in information security research and education at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. CERIAS focuses on real-world research needs and limitations.
From a purely historical perspective, this represents what may be the oldest, and longest-running Internet archive of security tools and reference materials. Created in 1989 as an ftp-only site, the archive started as a collection of anti-virus tools and gradually expanded to include scanners, firewalls, and documents of all kinds. The site transitioned through gopher and WWW servers, and from a personal archive (Spafford’s) to the COAST Laboratory archive, to the current CERIAS archive. For its first decade the site was generally believed to be the largest archive of security material on the Internet.
Over the last few years, the archive and hotlist have diverged somewhat, and fewer items are currently stored there than before. (Many of the commercial sites have resources to pay a staff to maintain more comprehensive archives.) Nonetheless, the current archive contains many items of historical interest, a large collection of useful tools and documents, including items not carried elsewhere, and items that are produced by CERIAS and CERIAS partners. There are also extensive lists of pointers to organizations and resources.
http://www.cerias.purdue.edu/infosec/
ftp://ftp.cerias.purdue.edu
FIRST
The FIRST (Forum of Incident Response and Security Teams) Secretariat maintains a large archive of material, including pointers to WWW pages for other FIRST teams: http://www.first.org
NIST CSRC
The National Institute of Standards and Technology’s Computer Security Division maintains a comprehensive archive of documents and tools. This is a trusted, useful site for documentation, standards, and software. http://csrc.nist.gov/index.html
Insecure.org
Home of the nmap portscanning tool, the Insecure.org web site links to archives of many important mailing lists and other security information:
http://www.insecure.org
NIH
The WWW index page at NIH provides a large set of pointers to internal collections and other archives: http://www.alw.nih.gov/Security/
Software Resources
This appendix describes some of the tools and packages available on the Internet that you might find useful in maintaining security at your site. Although this software is (or was) freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, there may be constraints on export or use in certain locales). Carefully read the documentation files that are distributed with the packages. If you have any doubt about appropriate use restrictions, contact the author(s) directly.
Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it!
Some software distributions carry an external PGP signature. This signature helps you verify that the distribution you receive is the one packaged by the author. It does not provide any guarantee about the safety or correctness of the software, however.
Because of the additional confidence that a digital signature can add to software distributed over the Internet, we strongly encourage authors to take the additional step of including a stand-alone signature. We also encourage users who download software to check several other sources if they download a package without a signature.
Crossplatform Tools
Kerberos
Kerberos is a secure network authentication system that is based upon private key cryptography. The Kerberos source code and papers are available from the Massachusetts Institute of Technology. Contact:
MIT Software Center
W32-300
20 Carlton Street
Cambridge, MA 02139
(617) 253-7686
You can use anonymous FTP to transfer files over the Internet from: ftp://athena-dist.mit.edu/pub/kerberos
Kerberos is integrated into Microsoft Windows 2000 and later releases.
nmap
nmap is the port scanner of choice for both attackers and defenders. It can perform a wide variety of TCP, UDP, and ICMP scans (including various "stealth scans" that attackers might use to disguise their activities), and has a sophisticated ability to "fingerprint" operating systems and determine their vendor and version remotely. It is available from: http://www.insecure.org
OpenSSH
OpenSSH is a free software implementation of the Secure Shell protocol (versions 1 and 2) for cryptographically-secured remote terminal emulation, command execution, and file transfer. It is developed and maintained by the OpenBSD project, but the “portable” version compiles and runs on most Unix systems and several other operating systems. There are also several good free software SSH clients for Windows, including PuTTY. Disable the telnet daemon before you connect your system to a network; install OpenSSH (or another SSH server) if you need to be able to connect to your system over the network. You can get OpenSSH at: http://www.openssh.org
OpenSSL
OpenSSL is a free software implementation of the Secure Sockets Layer (versions 2 and 3) and Transport Layer Security (version 1) protocols. It provides libraries for these protocols that are commonly required by other server software (such as web servers). It also provides a command line tool for generating cryptographic certificate requests, certificates, signatures, and random numbers. OpenSSL is available from: http://www.openssl.org
Snort
Snort is a powerful open source packet sniffer and network intrusion detection system. Its IDS ruleset is regularly updated, enabling it to parse the TCP/IP packets that it monitors in real time, and report suspicious traffic. Get Snort from: http://www.snort.org
Tripwire
Tripwire, written by Gene H. Kim and Gene Spafford of Purdue University, is a file integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. Run Tripwire against system files on a regular basis. If you do so, the program will spot any file changes when it next runs, giving system administrators information to enact damage-control measures immediately.
You can get the freeware version of Tripwire from: http://www.tripwire.com/downloads/
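The comparison Tripwire performs, written out as an added example in Python (this is not Tripwire's code). It records a small attribute set (size, permission bits, SHA-256 digest) for every regular file under a tree, stores that baseline as JSON, and on the next run reports files that were added, deleted, or changed. The attribute set, the JSON format and the tiny sample tree are assumptions made for the illustration; Tripwire's own database records more attributes and several digests.

```python
"""File-integrity checking in the style of Tripwire (added example, not
Tripwire's own code). Attribute set and JSON database format are assumptions."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """What the checker compares per file: size, permission bits and a SHA-256
    digest of the contents. This subset is an assumption of the example."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": digest.hexdigest()}


def build_baseline(root):
    """Walk the tree under root and fingerprint every regular file, keyed by
    path relative to root so the database stays valid if the tree is moved."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def save_baseline(db, db_path):
    """Store the database. In real use keep it on read-only media, as is
    commonly recommended for Tripwire databases, so it cannot be rewritten."""
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """The three things Tripwire reports: files added since the baseline,
    files deleted, and files whose recorded attributes no longer match."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: baseline a tiny fake /etc, then alter it in the
    three ways a checker must notice (one edit, one deletion, one new file)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts.allow"), "w") as f:
            f.write("ALL: LOCAL\n")
        fd, db_path = tempfile.mkstemp(suffix=".json")
        os.close(fd)
        try:
            save_baseline(build_baseline(root), db_path)
            with open(os.path.join(etc, "passwd"), "a") as f:
                f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
            os.remove(os.path.join(etc, "hosts.allow"))
            with open(os.path.join(etc, "issue"), "w") as f:
                f.write("Authorized use only\n")
            return compare(load_baseline(db_path), build_baseline(root))
        finally:
            os.remove(db_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run on a schedule (as the text advises), the value of such a check depends entirely on the baseline being built from a known-good system and then kept where the system under test cannot modify it; a database stored writable on the same host tells you only that the intruder did not bother to update it.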
Unix Tools
chrootuid
The chrootuid daemon, by Wietse Venema, simplifies the task of running a network service at a low privilege level and with restricted file system access. The program can be used to run WWW and other network daemons in a minimal environment: the daemons have access only to their own directory tree and run with an unprivileged user ID. This arrangement greatly reduces the impact of possible security problems in daemon software.
You can get chrootuid from: ftp://ftp.porcupine.org/pub/security/index.html or ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/chrootuid/
portmap
The portmap daemon, written by Wietse Venema, is a replacement program for Sun Microsystems’ portmapper program. Venema’s portmap daemon offers access control and logging features that are not found in Sun’s version of the program. It also comes with the source code, allowing you to inspect the code for problems or modify it with your own additional features, if necessary.
You can get portmap from: ftp://ftp.porcupine.org/pub/security/index.html or ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/portmap/
Portsentry
The portsentry program is a proactive defense against portscans that may precede an attack. portsentry listens on unused TCP/IP ports and takes action when outsiders attempt to establish connections to one or more monitored ports. Actions can include adding the scanning host to /etc/hosts.deny, adding the scanning host to a packet-filtering firewall, or running other arbitrary commands. portsentry is available at: http://sourceforge.net/projects/sentrytools/
Swatch
Swatch, by Todd Atkins of Stanford University, is the Simple Watcher. It monitors log files created by syslog, and allows an administrator to take specific actions (such as sending an email warning, paging someone, etc.) in response to logged events and patterns of events.
You can get Swatch from: http://www.oit.ucsb.edu/~eta/swatch/ or ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/swatch
tcpwrapper
The tcpwrapper is a system written by Wietse Venema that allows you to monitor and filter incoming requests for servers started by inetd. You can use it to selectively deny access to your sites from other hosts on the Internet, or, alternatively, to selectively allow access. You can get tcpwrapper from: ftp://ftp.porcupine.org/pub/security/index.html or ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/
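The allow/deny decision tcpwrapper makes, as an added example in Python (not Venema's code). It follows the documented search order of the hosts_access(5) control files: a matching rule in hosts.allow grants access, otherwise a matching rule in hosts.deny refuses it, otherwise access is granted. The client patterns implemented (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, address/netmask, and EXCEPT lists) are the common ones; options after the second field, such as spawn or twist, are ignored, and the two rule files and the hosts tested are constructed samples.

```python
"""tcp_wrappers-style access decision (added example, not tcp_wrappers' code).
Search order: hosts.allow match -> allow; hosts.deny match -> deny; else allow."""
import ipaddress

# Constructed sample control files. The "ALL : ALL" in hosts.deny makes the
# policy default-closed, so only the hosts.allow entries get in.
HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
sshd : 192.168.1. .example.edu
ALL : LOCAL
"""
HOSTS_DENY = """\
# constructed /etc/hosts.deny
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from 'daemons : clients'
    lines. Fields after the second colon (shell commands) are ignored here,
    and IPv6 addresses (which contain colons) are not handled by this parser."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # any hostname without a dot
        return "." not in host
    if pattern.startswith("."):            # ".example.edu" matches that domain
        return host.endswith(pattern)
    if pattern.endswith("."):              # "192.168.1." matches that prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # "net/mask" form
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == host or pattern == addr


def list_matches(patterns, match):
    """Apply 'list EXCEPT list' semantics: match the first list but not the second."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return list_matches(patterns[:i], match) and not list_matches(patterns[i + 1:], match)
    return any(match(p) for p in patterns)


def access_allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as tcpd would for a connection to `daemon` from host/addr."""
    def hit(rules):
        for daemons, clients in rules:
            if (list_matches(daemons, lambda p: p in ("ALL", daemon))
                    and list_matches(clients, lambda p: client_matches(p, host, addr))):
                return True
        return False

    if hit(parse_rules(allow_text)):
        return True
    if hit(parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for args in [("sshd", "ws20.corp.example", "192.168.1.20"),
                 ("sshd", "203.0.113.9", "203.0.113.9"),
                 ("ftpd", "ws20", "192.168.1.20")]:
        print(args, "->", "allow" if access_allowed(*args) else "deny")
```

Two properties of the real tool are worth noting from the code: with an empty hosts.deny the policy is default-open, which is why a deny-everything catch-all is the usual starting point, and the LOCAL and domain-suffix patterns depend on the hostname the wrapper obtains for the peer, so a rule written on names is only as trustworthy as the name lookup behind it.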
Tiger
Tiger, originally written by Doug Schales of Texas A&M University (TAMU), is a set of scripts that scan a UNIX system looking for security problems. Tiger was originally developed to provide a check of the UNIX systems on the A&M campus that users wanted to be able to access off-campus. Before the packet filtering in the firewall would be modified to allow off-campus access to the system, the system had to pass the Tiger checks. Tiger was dormant from 1994-1999, but is once again being actively maintained and updated.
You can get Tiger from: http://www.tigersecurity.org
trimlog
David Curry’s trimlog is designed to help you to manage log files. It reads a configuration file to determine which files to trim, how to trim them, how much they should be trimmed, and so on. The program helps keep your logs from growing until they consume all available disk space.
You can get trimlog from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/trimlog/
wuarchive ftpd
The wuarchive FTP daemon offers many features and security enhancements, such as per-directory message files shown to any user who enters the directory, limits on the number of simultaneous users, and improved logging and access control. These enhancements are specifically designed to support anonymous FTP.
You can get the daemon from: http://www.wu-ftpd.org
Windows Tools
Antivirus software
There are many fine antivirus products produced by companies that regularly issue updated virus lists. It is less important which antivirus product you choose than that you choose one, and use it consistently. The best products offer real-time antivirus protection as a background service, rather than just virus scanning on demand.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (BSA) is a security-checking application for Windows NT 4 and later systems. It performs a variety of checks on the local system or on remote systems under your administrative control, including checking for updated security patches, password quality, filesystem configuration, auditing, and application-specific checks for IIS and SQL Server. Highly recommended as the first tests to run – if it can’t pass this, you’ve got problems.
Get it from: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
Microsoft IIS Lockdown Wizard
IIS, the Windows web server, has repeatedly been the source of system compromises. If you don’t choose to replace it completely with Apache (http://httpd.apache.org) or another web server, at minimum you should run this Wizard, which disables unnecessary components and tightens security of the IIS installation and configuration. Get it from: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43955