Daily Security Tips from Ed Skoudis - Week of September 2, 2002
Security Tip for Friday, September 6th, 2002
Transition from Secure Shell (SSH) protocol version 1 to SSH protocol version 2. SSH is a great tool for strongly authenticating and encrypting sessions across a network. However, SSH protocol version 1 is obsolete. The stronger SSH protocol version 2 is supported by most free and commercial SSH tools and is far more secure. Furthermore, tools for conducting person-in-the-middle attacks against SSH-1 are widely available, so it is wise to move to the newer protocol version.
Security Tip for Thursday, September 5th, 2002
Sniffers are tools used to gather traffic from a LAN. Attackers use them to gather user IDs and passwords, as well as other sensitive information. Sniffers are particularly damaging in an attacker's hands when they put the Ethernet interface in "promiscuous mode," whereby all traffic from the LAN is grabbed. Your system administrators should periodically check their systems to see if sniffers are installed. To find sniffers on UNIX systems other than Solaris, run the ifconfig program locally and look for "PROMISC" in its output. On Solaris machines, use the ifstatus tool locally, available at ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus. On Windows, run PromiscDetect locally, a tool available at www.ntsecurity.nu/toolbox/promiscdetect. You can remotely detect sniffers using Sentinel. If you see promiscuous mode, investigate immediately.
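An added script for the local ifconfig check above (example code, not part of the original tip): it reads interface listings from either net-tools "ifconfig -a" or iproute2 "ip link" and reports every interface whose flags include PROMISC, so the check can run unattended from cron. The two sample listings are constructed, and the interface names and addresses in them are invented.

```shell
#!/bin/sh
# Added example (not from the original tip): list interfaces whose flags
# include PROMISC, from "ifconfig -a" or "ip link" output read on stdin.

promisc_ifaces() {
    awk '
        /^[^ \t]/ {
            # A line starting in column 0 begins a new interface block.
            # iproute2:  "2: eth0: <BROADCAST,...>"  -> name is $2
            # net-tools: "eth0  Link encap:..." or "eth0: flags=..." -> name is $1
            if ($1 ~ /^[0-9]+:$/) name = $2; else name = $1
            sub(/:$/, "", name)
        }
        # Report each promiscuous interface once.
        /PROMISC/ && name != "" && !(name in seen) { seen[name] = 1; print name }
    '
}

# Constructed sample in classic net-tools format: eth0 is promiscuous, lo is not.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Constructed sample in iproute2 format: eth1 is promiscuous, lo is not.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'

# Returns 1 (and warns on stderr) when any interface is promiscuous,
# so a cron job can alert on a non-zero exit status.
check_promisc() {
    found=$(printf '%s\n' "$1" | promisc_ifaces)
    if [ -n "$found" ]; then
        echo "WARNING: interfaces in promiscuous mode: $found" >&2
        return 1
    fi
    return 0
}

# Live check on a real host (uncomment one):
# ifconfig -a 2>/dev/null | promisc_ifaces
# ip link 2>/dev/null | promisc_ifaces
```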
Security Tip for Wednesday, September 4th, 2002
To find renegade modems on your network before the bad guys do, conduct periodic war dialing of your own environment. A war dialing tool dials phone number after phone number searching for modems. When you locate a number with a modem, search for the modem and remove it from your network. You can use the free THC-Scan tool or a commercial tool like Sandstorm's PhoneSweep® or SecureLogix's Telesweep Secure®.
Security Tip for Tuesday, September 3rd, 2002
Implement an employee security awareness program. Set up a table in the lunchroom, create awareness posters, and deliver 20-minute security briefings in an auditorium or conference room. For a relatively small cost, you can do wonders to improve your security through user awareness. Your security awareness program should start by telling users how to select difficult-to-guess passwords, keep modems off the network, and use only corporate-approved wireless LANs.
Security Tip for Monday, September 2nd, 2002
For your web-based applications that use SSL, obtain real, signed certificates for your web servers and signed executable code. Many sites just generate their own, self-signed certificates, and rely on users to click "OK" at the bad certificate warning message in their browsers. This is a very bad practice! Don't train your users to hit the "OK" button when their browser warns them that the certificate for your internal services isn't trusted. Instead, buy a signed certificate from a major certificate authority (such as VeriSign, Inc.) or deploy your own certificate authority certificates in all of your users' browsers.