Carl Malamud: Internet Talk Radio, flame of the Internet. This is Geek of the Week and we’re talking to Barbara Fraser, who is a manager at the Computer Emergency Response Team, the CERT. Welcome to Geek of the Week, Barbara.
Barbara Fraser: Oh, thanks. It’s my pleasure to be here.
Malamud: Why don’t we start with what a CERT is.
Fraser: CERT is the Computer Emergency Response Team Coordination Center. We’re located at the Software Engineering Institute at Carnegie Mellon University. And that’s in Pittsburgh, Pennsylvania.
Malamud: And what do you do?
Fraser: We were formed by DARPA in 1988 in response to the Morris Worm incident. There was a post-mortem meeting after that, and a lot of recommendations came out of that meeting, one of which was to form a coordination center that could assist sites when security incidents occurred. So initially, most of our activity did involve responding to security incidents. A site that was experiencing a security problem could call us as a resource as far as how to handle it, how to figure out what happened, and how to fix it.
Malamud: So you have a bunch of very expert systems managers sitting there and just waiting for phone calls? And do they— What do these people do? Do they put up network security plans for people? Do they go to the IETF and come up with new protocols?
Fraser: Oh gee. Let’s see, we do a lot of that. All of those things. But right now our organization has both that reactive aspect to it. So we have an incident response group who does that day-to-day answering of the hotline, and answering email, and interacting with sites when security problems occur. Some portion of that effort also involves letting sites know that they probably have a security incident. So sometimes in the process of investigating a security problem we’ll discover sites that don’t know that they too are involved. That’s our reactive work.
There are other aspects to security that we’re also involved with in a more proactive fashion. So, we’re interested in the training and education particularly of system administrators, and also their managers. So in order for system administrators to be able to get the resources they need to address security problems, you have to get buy-in at the management level. So right now we focus a lot of our attention on both of those audiences.
Malamud: So what’s an example of a reactive situation? When might you get a phone call?
Fraser: Oh, we might get a phone call, somebody notices maybe there’s an entry in a log file that says that they had a telnet connection from a site that they don’t expect to have a connection from. And they’ll take a look at it and it looked like there was a logon, and if they go check with the person whose user ID was used, they’ll say, “Well no, I wasn’t in Timbuktu at that point in time. No, it wasn’t me that made that connection.” So they’ll have some indication that there was a security breach at their site.
Malamud: And what do you do then?
Fraser: We will work with the site, with a system or network administrator at the technical level in which they need assistance. Now, it’s interesting, we see everything. Sometimes people will just let us know about a security incident because they want us to have the larger picture. They’ll say, “Well, we had this break-in. It came from such and such a place. We’ve taken care of everything but we wanted you to know about it and oh by the way, would you go check with that site from which it came and let them know that they may have a security problem and work with them?”
Or, it could be the case that the individual has never managed a Unix system before. And they don’t even know what log files to look at. They don’t have any notion of system configuration of what it should be. Perhaps they’re exporting all their file systems to the world. Perhaps they’re exporting writeable root partitions. They could have a host.equiv file that has a plus in it, indicating that they wouldn’t trust any host by that name.
There’s any number of things that happen. It’s really interesting, sometimes we…I can tell you a little anecdotal story. We had a call one time from a site that was being hit from another site, and they asked us if we would please go interface with that other site. We did. And we had never dealt with the site before so we contacted the NIC to find out who the network contact was for that site. Gave him a call on the telephone. And said we have reason to believe that you may have problems with three of your computers there.
“Oh I’m sorry, we don’t have any computers.”
Kinda hit yourself upside the head and say hmm, this is the network administrator contact?
“Yes yes, I’m the network administrator.”
“And you have no computers.”
“No, we don’t have any computers.”
Well we stepped back, and took a look at the hostnames and said, “well, what about these hostnames?”
“Oh! Well, that first one you mentioned is our Sun over there in the corner.”
So, in this case it was a terminology problem, you know—
Malamud: A very…basic terminology problem.
Fraser: A very basic terminology problem. But the story gets worse, because they said, “Well we only have one of ’em.” Well we had three hostnames. We indicated how to send a bell signal to the keyboard to some of the other systems, and they were able to locate the second one. They never did find the third one in their system setup.
Further that night, after discussing the problems with them they said, “Well, we’ll take ourselves off the net.” Because it was the weekend, they didn’t have time to clean up the system then, and they wanted to stop the use of their host as a launching pad for these downstream sites.
Well in the middle of the night we get a call from the downstream site again saying, “Hey, I thought you said they took themselves off the network. We’re being hammered.”
Well we get back on the phone with the site in question. And they said, “Oh yes, we definitely took ourselves off the network. We turned off all the modems, and we turned off our monitors.”
‘Course the attacks were coming in over their Ethernet cables, and they didn’t even think about disconnecting them. So, that’s probably an extreme case of whom we’re dealing with, with a site that really is very novice at system and network administration. And we just try to sit back and help them at the level that they need.
Malamud: Do you then try to track where those attacks are coming from? Are you guys detectives as well?
Fraser: It’s important to know we are not the Internet police. I can’t emphasize that enough. As far as tracking them, what we will do is if we were working with a site, when you look in their logs hopefully there will be logs and they haven’t been wiped away by the intruder because that also happens. You can get some indication of where the connections came in from, and where they were going to. That’s if they’re coming in via the Internet.
It’s a little more difficult if they came in through a dial-in modem. There’s a lot of red tape you have to go through in order to trace telephone numbers and things like that. We don’t actually do those traces. We discuss things with the sites. They indicate to us whether or not they’re trying to trace the intruder. And we can give them pointers of people to call, the appropriate agencies to call that might be involved. We don’t get into the middle of it. We just help facilitate putting the right people in contact with each other.
Malamud: If you’ve identified an intruder do you let the rest of the Internet know about it? Do you publish a ten most-wanted list or do you put out advisories that say “Watch out for those guys in the Netherlands?”
Fraser: Oh, I like that ten most-wanted list. No, we don’t— We would never give away confidential information. We basically don’t divulge site information, people-type information. And that’s one of our strengths, because people know that they can trust us, that we won’t divulge that type of sensitive information.
However, if we see a particular MO being used widely, then we would issue a CERT advisory describing that MO, hopefully to assist sites in looking for signs of that type of intrusion or intrusive activity at their site.
Malamud: You were formed in response to the Morris Worm. Let’s say another Morris Worm were to happen. What would you do?
Fraser: I think that the communication channels are better now than they were then. One of the problems during the Morris Worm was you had pockets of expertise, and it was a good old boys network. So that unless you knew one of the people in the know, then you didn’t know anyone to call to get help. Right now, we are established and there are a number of other response teams that are established, and the information on how to contact our groups is much more widely known. So I believe that communication would be much better now.
Malamud: So you would probably issue some form of an advisory, and proactively get that information out to sites that you know might be affected? Is that what you would do, you would mail it out, you would also respond to phone calls coming in and…?
Fraser: That’s correct. We would probably try to get the information out in a number of different ways, because obviously if you’re going to send it out on the Internet, if the Internet network itself is bogged down and the traffic can’t get through, then that presents another problem. So we probably would take care of—or try to look for other ways to get information out. We work closely with some members of the press. If it would be necessary we have a public relations person at the Software Engineering Institute that is a liaison for us. And I would guess that in a circumstance like that as soon as we had information that we wanted to get out, that perhaps we would work with this public relations person to help us to find channels in which to accomplish that.
Malamud: Now Morris was well-intentioned. He didn’t mean it to get out of control. What if somebody out there really wanted it to get out of control? Could they call you up and find out what you’d found so far and then change their virus or bomb or whatever it is they put on the net? How do you control who gets your advisories?
Fraser: Our advisories are public information. We basically don’t put anything in an advisory that we would not be comfortable with everyone, basically, receiving. As far as specific how-to information, we don’t put that in an advisory.
Malamud: How does that get out to people?
Fraser: It doesn’t. The means on how to exploit a vulnerability is not something that we would publish.
Malamud: What about when you go into a system and you find a vulnerability. You have to explain to people what that is, don’t you? Isn’t that part of the education process, saying well look you know, you don’t wanna leave a plus in an etc/host.equiv file? Does that somehow train the cracker community on things they should be looking for in other systems?
Fraser: Well there certainly is a balance. What you just spoke about was a configuration problem. And when you think about vulnerabilities, they’re really more than one type. You have configuration problems, and then you have product vulnerabilities where there might be say software bugs in some section of code. Those are a little bit more obscure. Certainly some of the things you said are the case. I mean, there are tools out there, COPS, that check for a lot of configuration problems. And we advocate the use of those tools.
Malamud: What is COPS?
Fraser: COPS is a program written by Dan Farmer when he was at Purdue, and he continues to enhance it. It basically takes a look at a lot of the features of poor configuration issues on your system. It would check to see if you had say, accounts that had no password. It would check for “+” in your host.equiv. It would check for the presence of .rhost files. I can’t begin to list all of the things that it checks for here. But it is a good way to take a quick look at your system.
There’s another one, Tripwire, which is a newer public domain software package out there that is designed to help you pick up when maybe some of your software has been modified. So that if you have a checksum that you have for a particular module and then you go back and see if the checksum is the same tomorrow, say, it might alert you to that.
So there are a lot of tools out there that can help system administrators more securely configure their systems.
Malamud: Now how does somebody go about learning what those tools are? Do you have newsletters and things for the general public?
Fraser: Not at this moment. That’s something we’re playing with, actually. I’d like to see us have a newsletter that came out quarterly or maybe twice a year, something like that, that would give valuable information and pointers to people.
We have an anonymous FTP archive site that we maintain, and we try to keep information about tools and certainly all of our CERT advisories are archived there. We have quite a bit of information and would encourage people to go and select and take whatever they find interesting to them.
Malamud: What’s the name of that site?
Fraser: It’s cert.org. C-E-R-T dot org.
Malamud: That ought to be easy enough.
Fraser: Yeah, it’s pretty simple.
Malamud: Now, you mentioned you do a lot of proactive work. Does that include working for example within the standards community? Are you out there pushing for better security in the Internet protocols? Are you pushing for better security in the host configurations that vendors are selling?
Fraser: Oh, absolutely. We have a business program that we work with the vendors, both when we discover a particular product vulnerability we will let them know about it and will also work with them for the resolution of it. So they might come back with a solution. We’ll test it to the best of our abilities. If it doesn’t meet up with what we were comfortable with we’ll go back to them and say, “Well, this fixes maybe cases A, B, and C but what about D, E, and F?” And we have a real good working relationship with quite a number of vendors at this point in time.
And actually it used to be that they didn’t want to admit that they had a security problem in their product. Now, we’re seeing vendors come to us and say, “We’d like to establish a working relationship with you.”
Malamud: Do you certify these vendors or do something [crosstalk] of that sort?
Fraser: Oh no. Not right now. No, we don’t do that. We do work, or leverage off of that good relationship to suggest to them changes. You mentioned configuration changes or default configuration changes. So we might suggest to them that it’s our position we’d rather not see a “+” in the host.equiv file when it first comes up, as an example.
Sometimes system administrators will set it up with certain expectations of the way that it will be used by the net. And then there was a certain amount of activity that they didn’t expect or want, particularly. Some of the FTP daemons that are out there right now don’t provide enough logging and configuration control for some of those system administrators to configure it the way they would really like to have it being used.
Malamud: So for example not being able to write into a temp space. I’ve noticed that occasionally— We had a system called Bruno which was serving the ITU standards. And the temp space was writeable, and we found very quickly some crackers found that and used it to upload software and use it as a bulletin board. In fact some file names were names like “does anyone have a copy of the latest Lotus”; that’s a long file name. Is that the types of problems you’re alluding to in—?
Fraser: Yeah, that’s one of the problems. Another one is that if they simply use it as a place to store files they can consume all your disk space, regardless of what the content of those files are. So we want to be an advocate for the system administrator so that we can help him do his job, better, in the way he needs to do it. And the reason I’m dancing around these words is that this is an international community, and what is right and proper for me might not be the same thing that’s right and proper for someone in some different country. So we don’t want to point fingers, rather we just want to give system administrators the tools that they need in order to do the job for their constituency.
Malamud: Now many of the tools we’ve been talking about are fixes, they’re not fundamental changes to the Internet architecture, which was designed without security in mind, many would say. Are there some standards moves out there like public key encryption that you view as more fundamental, that we need to have?
Fraser: Yeah. I think that there is movement to increase the level of security within the Internet, basically. Certainly the PSRG is working in that direction.
Malamud: What is the PS—
Fraser: I’m not a member of the—
Malamud: What is that?
Fraser: Privacy Security and Research Group. I believe that’s correct. And they’re working on a security architecture. You’ll have to talk to one of the members there for more detailed information. But it’s a move in the right direction to provide guidance and a framework so that protocol developers can see if their protocols that they’re developing fit correctly within the security framework for the Internet.
There’s an IP security working group that is attempting to introduce some level of encryption at the IP level. Something like that I think has a very definite niche out there.
Privacy-enhanced mail is new to the environment but it provides the privacy, the integrity, and authentication that we need out there so that for instance, we would like to sign all of our CERT advisories. So if you receive an advisory from us, you can be assured that it came from us, and furthermore that it hasn’t been changed in transit. So things like that are really going to help.
Malamud: Privacy-enhanced mail depends on a public key architecture, which in the current instantiation depends on the RSA algorithms, which in the US are patented, outside the US they aren’t. Are we going to be able to come up with a global security architecture and still deal with things like export control policies? Are those two fundamentally at odds?
Fraser: I believe we have to. We have to resolve the problems because we all need a security architecture that’s out there. It’s important to remember that it’s not just the US that has export control. Probably every country out there has some statement concerning export control. In the specifics of PEM—privacy-enhanced mail—I believe there are several compatible implementations that are going on in the world, right now. So, as long as those compatible versions can exist in the various countries, that should help us bridge that export problem.
Malamud: What about things like Pretty Good Privacy, PGP? Now, does that help solve our security problems on the Internet? Is that a move towards a better security?
Fraser: Well I think the intent behind the people that develop PGP was to give yeah, some privacy within the mail community they’re [indistinct] it around. Of course there are some problems with that, too, from a licensing or—
Malamud: Oh, there’s definite intellectual property issues [crosstalk] at stake there.
Fraser: Yes, right. Intellectual— Exactly. And for that reason, until those kinds of problems are resolved I don’t know how it could be widely accepted. In an official capacity, certainly.
Malamud: You know, some people have criticized the IAB for example for trying to put in place a security architecture that’s so good that it’s taken too long, and the result is that we have no security at all. Do you have any…views on that? I mean, are we moving in the right direction?
Fraser: Well, I see the gap between PC capabilities and say workstation capabilities is narrowing. I mean, as your operating systems are becoming more sophisticated on the PC—so look at Windows NT—I haven’t had a chance to look at it too closely myself yet, but it certainly is one of those technologies that we at CERT are going to be looking at because it’s going to be widely deployed out there. Or at least that’s what the press would have us believe at this point in time. So, I believe that the capabilities of the low end are coming up.
Malamud: Part of security is technical, but part of it is also policy, and defining what you can do and what you can’t do on the network. How are we addressing those types of issues, what the laws are, and what the moral basis is? I mean, is it okay to repeatedly try to telnet into somebody’s host?
Fraser: Well that’s a tough problem, Carl, because the Internet isn’t…doesn’t reside in just a single administrative domain. There is no single body that controls or can dictate policy for all of the Internet. At one level you can think about the Internet as just being a highway to all the various different locations. And if you think about it… I can’t even remember who it was that used this analogy but I liked it. You could have a burglar driving down the street in front of your house and it’s okay for him to be doing that. It’s when he tries to break into your home, or does break into your home that problems arise.
I don’t know how we’re going to resolve that—there’s a lot of questions. People would like to restrict it or to say that there is some policy of good behavior in order to be able to access the Internet. But I think that on a realistic basis that’s very difficult to achieve because of the multinational, multijurisdictional, many different laws that govern us.
Malamud: Should it be on a country-by-country basis? Should the US Congress be defining whether repeated telnet attempts are a break-in attempt or not?
Fraser: Aw gee, I hadn’t thought about that one. Um…
Malamud: Because in the physical world you can walk down the sidewalk and look in the window, but you can’t walk in the door, right. And the question is, [crosstalk] when I try to telnet in what—
Fraser: Well that’s in the US.
Malamud: Exactly, in the US. And we have different laws in different countries on what is acceptable.
Fraser: Right.
Malamud: Should we be doing the same thing in the Internet? Should we have different sets of laws depending on which host you happen to be on? Say, “Well, this is a US host, I better be careful.”
Fraser: I guess I just don’t know. I haven’t given it enough log on that particular thing. I just know that there’s a tremendous and vast resource, and it would really sadden me if we did things that restricted it so much that people could no longer take advantage of the vast resources there are out there.
Malamud: Many of our standards of behavior have kind of arisen as network lore, as to what you can do and what you can’t do. We’re beginning to formalize with groups like the Internet Society. Is the Internet Society the new international United Nations for the Internet? Do we need someone thinking about those types of issues?
Fraser: I suppose you always need somebody thinking about those types of issues. I’m not sure that—again, that they would have any ability to enforce. Because again, you’ve got the multinational boundaries.
Malamud: Are you an international body, the CERT?
Fraser: At some level, I think of ourselves as being international. From a funding basis we are funded totally by ARPA right now, which is the Advanced Research Projects Agency within the US. But they look on us as being a very…neutral organization from the standpoint that we’re not in the back pocket of any particular vendor or any particular industry. And we do work internationally with whoever has a problem.
Malamud: Is there a potential conflict of interest with your funding coming from ARPA? Can you be the neutral security advisor and also be funded strictly by a particular government agency? Do you see any conflict there?
Fraser: It hasn’t been a problem, in practice.
Malamud: Are you looking to other sources of funding, or do you see ARPA as just…this is a good way to continue operating, let’s say? Are you trying to become an Internet Society, or a multivendor CERT board, or something of that sort?
Fraser: Well I think we always have to look to the future to see if…you know, to keep our doors open basically, for other avenues of funding. We do reside at Carnegie Mellon University and as such we will always maintain a nonprofit status. You wouldn’t see us going commercial, at all. That just wouldn’t be the thing to do.
Malamud: You won’t be selling those advisories.
Fraser: No.
Malamud: “We found a worm. How much are you willing to bid for that information.”
Fraser: No. Yeah. We’re able to do things on a cost recovery basis, which does bring in some revenue from other sources, certainly. It’s like you said, it hasn’t been a problem.
Malamud: Is there an email address people can send to if they want more information about the CERT?
Fraser: Definitely. It’s a very simple one. It’s cert@cert.org.
Malamud: Well there you go. This has been Geek of the Week. We’ve been talking to Barbara Fraser from the CERT. Thanks a lot.
Fraser: No, thank you.
Malamud: This is Internet Talk Radio, flame of the Internet. You’ve been listening to Geek of the Week. You may copy this program to any medium, and change the encoding, but may not alter the data or sell the contents. To purchase an audio cassette of this program, send mail to radio@ora.com.
Support for Geek of the Week comes from Sun Microsystems. Sun, the network is the computer. Support for Geek of the Week also comes from O’Reilly & Associates, publishers of the Global Network Navigator, your online hypertext magazine. For more information, send mail to info@gnn.com. Network connectivity for the Internet Multicasting Service is provided by MFS DataNet and by UUNET Technologies.
Executive Producer for Geek of the Week is Martin Lucas. Production Manager is James Roland. Rick Dunbar and Curtis Generous are the sysadmins. This is Carl Malamud for the Internet Multicasting Service, town crier to the global village.