Questions and Answers
Bjorn Satdeva
It has finally happened. On March 5, 1996, CERT published the first CERT Advisory regarding a security flaw in the Netscape Navigator 2.0 Java implementation and in Release 1.0 of the Java Developer's Kit from Sun Microsystems, Inc. I don't think that this came as a surprise to anybody in the security community, as concerns and unofficial bug reports about Java have been circulating for several months. In fact, it may be just the first of many security flaws in the Java design and implementation.
If you have been following the security discussions in the Java NetNews newsgroup, you will know that most of the discussion has not been about the various security flaws in Java, but rather about how the little security that has been included does not allow various types of implementation. The few people who do point out the security weaknesses and problems often get flamed for their effort.
What makes all this very, very scary is that most people are completely unaware of the many security risks that already exist on the World Wide Web. In my opinion, the efforts that are in progress are hopelessly inadequate from an overall security perspective. Implementation of SSL or S-HTML will only be able to address part of the problem.
Unfortunately, the only way this mess will ever be cleaned up is if the current generation of Web browsers and servers, together with HTML, is thrown out and a replacement is created that will allow the Web to operate securely. This will of course not happen until after Hell has frozen over.
We can therefore expect an outbreak of security incidents related to the World Wide Web. From a system administrator or security personnel standpoint, unfortunately, there is not much that can be done. Unlike with other threats coming from the Internet, there is currently no firewall technology available that can protect a site from these problems, and it is not likely that we will soon see any solutions that effectively address these issues.
This issue cannot be addressed at the protocol level, because the threat is apparently not at that level. If you want to implement protection against bad applets, it will be necessary to implement a check for malicious code within the applet, which is certainly a very nontrivial task. And you will need to do so with every other kind of file downloaded by a World Wide Web client. Another example along the same line is the downloading and display of Postscript. Postscript is really implemented in the language Forth, and the Postscript interpreter will execute Forth commands. It is therefore possible to create a Postscript file with the side effect that when the Postscript viewer displays the file, it will also remove files from the hard disk. I believe that most modern Postscript viewers on UNIX (like the GNU program gs) will now reject such a request, but it is not necessarily so for older implementations and some PC-based Postscript viewers.
It is not just Java that has proven to be a security problem. A bug in Netscape Navigator 2.0 allows a browser to send email to a third party without the person accessing the web page having any idea of what is taking place. This goes a step further than the old mail spoofing issue, where somebody telnets to port 25 on a remote machine and starts typing at the sendmail daemon. In this case, the mail actually originates on the machine it claims to come from. Taken to an extreme, somebody could create a web page, and when you accessed the web page, you would unknowingly send email to whitehouse.gov saying "The President is a Fool. Shoot Him," then the Secret Service would beat down your door, arrest you, and seize your machine. And lo and behold, the machine's log would prove that you did indeed send the offending email. Although the above scenario is a bit extreme, in my opinion, if you are using Netscape 2.0, you had better upgrade as soon as possible.
Tool of the Month
This month's tool is Argus, a public domain package that provides a generic IP network transaction auditing tool. Argus runs as an application-level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters. Argus has been built and tested under SunOS 4.x, Solaris 2.3, and SGI IRIX 5.2.

Argus enables a site to generate comprehensive network transaction audit logs in a fashion that provides for high degrees of data reduction and semantic preservation. This allows the system administrator to perform extensive historical analysis of network traffic. The package includes two example programs for analyzing the network transaction audit logs.

Argus is available from:
ftp://ftp.sysadmin.com/pub/admin/tools/hosts/argus
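To make concrete what a transaction auditing daemon like Argus does with the datagrams it reads, here is an added example; it is not Argus code and not part of the column. It collapses a constructed packet stream into one record per conversation, which is the data reduction the description above refers to. The record layout, the idle timeout and the sample packets are assumptions made for illustration, since the page does not show Argus's own record format.

```python
"""Added example (not Argus code): collapse a packet stream into
per-conversation transaction records, the data reduction that an
Argus-style audit daemon performs. Record layout, idle timeout and the
sample packets below are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # seconds since capture start
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int      # bytes on the wire


@dataclass
class FlowRecord:
    proto: str
    src: str       # initiator: endpoint that sent the first packet seen
    sport: int
    dst: str       # responder
    dport: int
    first: float
    last: float
    pkts_fwd: int = 0
    pkts_rev: int = 0
    bytes_fwd: int = 0
    bytes_rev: int = 0


def flow_key(p):
    """Direction-independent key so both halves of a conversation share one record."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def audit(packets, idle_timeout=60.0):
    """Turn packets into transaction records.

    A silence longer than idle_timeout between packets with the same key
    closes the record and a later packet opens a fresh one, so a long-lived
    conversation yields a bounded number of records instead of one per packet.
    """
    open_flows = {}
    closed = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        rec = open_flows.get(key)
        if rec is not None and p.ts - rec.last > idle_timeout:
            closed.append(open_flows.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(p.proto, p.src, p.sport, p.dst, p.dport,
                             first=p.ts, last=p.ts)
            open_flows[key] = rec
        rec.last = p.ts
        if (p.src, p.sport) == (rec.src, rec.sport):
            rec.pkts_fwd += 1
            rec.bytes_fwd += p.size
        else:
            rec.pkts_rev += 1
            rec.bytes_rev += p.size
    closed.extend(open_flows.values())
    return sorted(closed, key=lambda r: r.first)


def format_record(r):
    """One audit-log line per transaction (layout is this example's own)."""
    return (f"{r.first:8.1f} {r.last:8.1f} {r.proto:4} "
            f"{r.src}:{r.sport} -> {r.dst}:{r.dport} "
            f"pkts {r.pkts_fwd}/{r.pkts_rev} bytes {r.bytes_fwd}/{r.bytes_rev}")


# Constructed sample traffic: one HTTP exchange, one DNS lookup, and a
# packet on the HTTP 5-tuple after a long silence. Not a real capture.
SAMPLE_PACKETS = [
    Packet(0.0, "tcp", "10.0.0.5", 1034, "192.0.2.10", 80, 60),
    Packet(0.1, "tcp", "192.0.2.10", 80, "10.0.0.5", 1034, 60),
    Packet(0.2, "tcp", "10.0.0.5", 1034, "192.0.2.10", 80, 512),
    Packet(0.3, "tcp", "192.0.2.10", 80, "10.0.0.5", 1034, 1400),
    Packet(0.5, "udp", "10.0.0.5", 2048, "192.0.2.53", 53, 70),
    Packet(0.6, "udp", "192.0.2.53", 53, "10.0.0.5", 2048, 120),
    Packet(120.0, "tcp", "10.0.0.5", 1034, "192.0.2.10", 80, 60),
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_PACKETS):
        print(format_record(rec))
```

Seven packets become three records: the HTTP exchange, the DNS lookup, and a new record for the late packet because the idle timeout expired. Keeping the initiator as the record's source is what lets historical analysis later ask "who opened connections to port 80" from the records alone, without the packets.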
I recently received a warning about a mail virus called the Good Time virus. It is supposedly a virus on America Online being sent by email. I was told that it will erase the hard drive. Do you have any information about this?

Viruses are a PC problem, and as such are in an area I do not know too much about. The Good Time email virus, however, is one of the few viruses I do know about. It is a hoax!!! It is only a virus to the extent that people worry about it and rebroadcast the phoney warning to various mailing lists from time to time. Please ignore any messages you get about this virus, as otherwise you only continue giving life to this urban legend. You can find more information about the Good Time virus from CIAC:
http://ciac.llnl.gov/ciac/notes/Notes09.shtml
We are mostly a Digital VAX site, but also have a few RS/6000 systems. On OpenVMS we have a tool called IRIS that records a user's terminal input and output and calculates all kinds of results such as network delay time, service time, response time, etc. Now I am looking for such a product on AIX, but haven't found anything. Have you any idea if such a product exists?

Not to my knowledge, but it sounds like a nice package. You might be able to get some of the statistics you are looking for under UNIX by using tools such as ping and traceroute; it will not be as easy and handy as with your tool, though. If anybody knows of a publicly available tool for UNIX similar to IRIS, send me a note, and I will announce it here.
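As an added illustration of the ping and traceroute approach suggested in the answer above (example code, not from the column and not related to IRIS), the following parses constructed ping(8) and traceroute(8) output and derives the kind of response-time and per-hop delay figures the question asks about. The output format and the sample values are assumptions; real output differs between UNIX variants, so the regular expressions may need adjusting.

```python
"""Added example: derive delay and response-time statistics from ping and
traceroute output. The sample output below is constructed to look like a
modern UNIX ping(8)/traceroute(8); it was not captured from a real host."""
import re
import statistics

PING_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=12.4 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=11.8 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=57 time=13.0 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=57 time=12.8 ms
"""

TRACEROUTE_OUTPUT = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.example.net (10.0.0.1)  0.412 ms  0.398 ms  0.401 ms
 2  * * *
 3  203.0.113.1 (203.0.113.1)  9.102 ms  8.977 ms  9.410 ms
 4  192.0.2.10 (192.0.2.10)  12.511 ms  12.209 ms  12.640 ms
"""

PING_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+) ms")


def ping_stats(output):
    """Round-trip statistics plus loss, inferred from icmp_seq gaps."""
    seqs, times = [], []
    for m in PING_RE.finditer(output):
        seqs.append(int(m.group(1)))
        times.append(float(m.group(2)))
    if not seqs:
        return None
    # The highest sequence number seen bounds how many probes went out;
    # sequence numbers that never came back are the lost probes.
    sent = max(seqs)
    received = len(seqs)
    return {
        "sent": sent,
        "received": received,
        "lost_seqs": sorted(set(range(1, sent + 1)) - set(seqs)),
        "loss_pct": round(100.0 * (sent - received) / sent, 1),
        "min_ms": min(times),
        "avg_ms": round(statistics.fmean(times), 2),
        "max_ms": max(times),
        "mdev_ms": round(statistics.pstdev(times), 2),  # population deviation, like ping's mdev
    }


def traceroute_hops(output):
    """Per-hop median RTT; a hop with no replies ('* * *') is marked unresponsive."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line
        ttl, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append({"ttl": ttl, "responded": bool(rtts),
                     "median_ms": statistics.median(rtts) if rtts else None})
    return hops


def hop_delays(hops):
    """Delay added per hop: difference of medians between consecutive responding hops.

    A negative value is possible on real paths (asymmetric routing, routers that
    deprioritise ICMP replies), so treat these as indicative, not exact.
    """
    out = []
    prev = 0.0
    for h in hops:
        if h["median_ms"] is None:
            out.append((h["ttl"], None))
            continue
        out.append((h["ttl"], round(h["median_ms"] - prev, 3)))
        prev = h["median_ms"]
    return out


if __name__ == "__main__":
    print(ping_stats(PING_OUTPUT))
    print(hop_delays(traceroute_hops(TRACEROUTE_OUTPUT)))
```

In practice you would feed the functions the captured text of `ping -c N host` and `traceroute host` taken at intervals, and keep the returned dictionaries as a time series; that gives network delay and response time, but nothing about the per-user service time that a terminal recorder like IRIS measures.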
Do you know of any modified xlock utilities that log failed attempts at entry? I'm looking for something better than what comes standard with Sun's OpenWindows.

I don't think that anybody has done this; however, it is a good idea. It should probably not be too difficult to modify the program to provide this. If anybody has done this, send me a note, and we can make it available on the ftp server and notify the readers.
How do I display a UNIX bitmap or raster file in a cmdtool, shelltool, or xterm window? I want to be able to create pop-up windows with pictures/drawings in them on OpenWindows.

There is a shareware program called xv that does what you want. It is able to display a number of different formats, including X11 bitmaps and Sun raster files, as well as the more common JPEG and GIF formats. It is also able to convert between the various formats and is capable of doing color editing. It is available by anonymous ftp from:
ftp://ftp.cis.upenn.edu/pub/xv
If you like the software, there is a shareware license fee of $25 per copy. The source file has the necessary information on how to register your copy.
I have heard about something called Swip, which should help increase security on the Internet. Do you have any further information about this?

I think there must be some crossed wires somewhere. SWIP stands for Shared WHOIS Project. It is something that Internet Service Providers use to submit information to the InterNIC (who, among other things, assign IP addresses and domain names).

What you might have been thinking of is the swIPe project, which is used to create encrypted IP tunnels through packet encapsulation.
I am looking for write-ups or comparisons about configuration management tools for Windows, Windows/NT and UNIX client/server environments. Do you know where I might find them? I do not have web access yet.

I don't know of any such comparison that has any technical validity. It is unfortunately a highly charged religious issue, in which most people are only interested in the part of the facts that supports their chosen operating system as being the only true OS.

You might find parts of the firewall mailing list archives of use, as there has for some time been an intense UNIX versus NT flame war going on. You can find a copy of the archives at:
ftp://ftp.sysadmin.com/pub/admin/firewalls/archives/firewall

It looks to me like the UNIX geeks think NT is not yet ready for prime time, while the NT supporters seem to say that it doesn't matter as long as they can run something that is not UNIX. But then, I am a confessed UNIX geek and may be biased in this discussion.
About the Author
Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.