In 1988, the Defense Advanced Research Projects Agency began funding a computer emergency response team (CERT Coordination Center) at Carnegie Mellon University as a national resource for collecting information about Internet security problems and disseminating solutions. However, this dissemination process has been slow and spotty; for example, a recent CERT summary alert (CERT Summary CS-96.02) lists seven general areas of vulnerability:

  1. Compromised system administrator privileges on systems that are unpatched or running old OS versions;
  2. Compromised user-level accounts that are used to gain further access;
  3. Packet sniffers and Trojan horse programs;
  4. Spoofing attacks, in which attackers alter the address from which their messages seem to originate;
  5. Software piracy;
  6. Sendmail attacks; and
  7. Network File System and Network Information System attacks and automated tools to scan for vulnerabilities.16

Many of these problems, and solutions for them, were known as long as 3 to 4 years ago, yet systems are still in operation that do not employ the necessary safeguards. Much has been written in other forums about procedures for managing systems safely in modern networked environments.17

16 Network File System, or NFS, is an Internet protocol (defined in RFC 1094; available online at http://ds.internic.net/rfc/rfc1094.txt) for remote access to shared file systems across networks. Several vulnerabilities exist in the NFS protocol that allow intruders to gain privileged system access, unless the ports used by NFS are protected by a firewall and other techniques, and care is taken to share file structures only among trusted hosts. Network Information Service, or NIS, is used among Sun computer systems for the administration of network-wide databases. A vulnerability exists in early versions of NIS that allows unauthorized users to obtain a copy of the NIS maps from a system running NIS. The remote user can attempt to guess passwords for the system using NIS password map information that might be obtained in this way.
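The "share only among trusted hosts" advice in the footnote can be turned into a routine configuration check. The following is an added example, not code from the report: it parses a constructed /etc/exports file in Linux exports(5) syntax (assumed as the format under audit) and flags entries that are exported to every host, use wildcard host patterns, or grant remote root with no_root_squash. The function names parse_exports and audit_exports are hypothetical.

```python
from typing import List, Tuple

# Constructed sample /etc/exports in Linux exportfs syntax (the format this
# check assumes); it is not taken from the report.
SAMPLE_EXPORTS = """\
# home directories for the office network only
/home          10.0.1.0/24(rw,sync,root_squash)
/srv/public    *(ro,sync)
/srv/build     *.example.org(rw,no_root_squash)
/export/old    (rw)
/var/backups   backup.example.org(rw,sync)
"""
# Options that widen the trust an export extends to its clients.
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on the export",
    "insecure": "requests accepted from non-privileged source ports",
}

def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for each client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        # No client, or a bare "(opts)" after a space, means world-exported.
        for spec in specs or ["*"]:
            client, _, rest = spec.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            entries.append((path, client or "*", opts))
    return entries

def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Flag exports reachable by untrusted hosts or granting remote root."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host"))
        elif any(c in client for c in "*?"):
            findings.append((path, client, "wildcard host pattern"))
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append((path, client, RISKY_OPTIONS[opt]))
    return findings

if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:20} {why}")
```

Note that the entry `/export/old    (rw)` is flagged because the space before the option list makes exportfs treat it as an export to everyone, a long-standing configuration slip.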

17 See, for example, Holbrook, P., and J. Reynolds (eds.), 1991, "Site Security Handbook," IETF RFC 1244, July; a draft revision dated June 1996 is under review (see http://www.ietf.org/html.charters/ssh-charter.html). See also Garfinkel, Simson, and Gene Spafford, 1996, Practical UNIX and Internet Security, 2nd edition, O'Reilly and Associates Inc., Cambridge, Mass.; Cheswick, William R., and Steven M. Bellovin, 1994, Firewalls and Internet Security, Addison-Wesley, Reading, Mass.; Khanna, Raman (ed.), 1993, Distributed Computing: Implementation and Management Strategies, Prentice-Hall, Englewood Cliffs, N.J.; and Neumann, Peter, 1995, Computer Related Risks, Addison-Wesley, Reading, Mass.



Copyright © National Academy of Sciences. All rights reserved.