"Shall we dust Moscow?"

(A Semi-Statistical) Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections

Recently there have been some security incidents on the Internet (most notably some break-ins and alterations of the contents of some high-profile Web sites, such as the CIA and the US Department of Justice) that caused a bit of commotion in the popular press. Perhaps simply another day on the Internet, where machines are routinely broken into, but, coupled with a recent advertisement I received that offered on-line balances and seemed to indicate that I could schedule payments via the Internet, it caused me to think more about the current situation on the Internet with respect to the hosts that are socially vital or otherwise high-profile (e.g. banks, federal sites, newspapers, commercial sites that make all of their money on the Web, etc.), especially with the current popular emphasis on Internet commerce and the mad rush of individuals and organizations willing to put massive amounts of information on the Web. Are the virtual versions of these organizations as trustworthy and as safe as their real-life counterparts?

I decided to investigate what were to me the most interesting of the online sites - banks and credit unions, some US federal computers, newspapers, and some pure online Internet commerce systems. It is important to note that there is a significant difference between a bank or credit union WWW site and a real bank - currently a Web site is primarily an advertisement on the Internet. Although some banks allow you to do simple balance queries via the Internet, even if you could break into one of the bank Web sites you couldn't actually steal any money!

After doing a non-intrusive survey of approximately 1700 of these interesting Web sites on the Internet (and another 500 as a control study) I discovered that the hosts that I studied are not only more vulnerable than their real-life counterparts, but shockingly so. Using relatively crude, non-intrusive (i.e., no sites were actually broken into, no port-scanning was done, etc.), and, as far as I am aware, perfectly legal techniques to analyze their security, I found that:

I want to reiterate - the methods used by this survey were NOT rocket science! I barely electronically breathed on these hosts. I used a widely-known and freely available security scanning tool (SATAN) at a very modest scan level and some relatively simple additional tests that were all based on widespread knowledge (such as CERT advisories and the WWW security FAQ). All of the tests used will be released in the next version of SATAN.

I would estimate that an additional 10-20% of the hosts that I examined could be compromised (broken into or rendered unusable by means other than denial of service attacks) relatively easily by using more advanced and intrusive break-in techniques (such as NIS attacks, IP spoofing, packet snarfing, attacking hosts that the targets trust, name service attacks, or by utilizing tests that I could not run on these survey hosts without their explicit and express permission). If I am correct, this would mean that somewhere between 70 and 80 percent of the surveyed hosts have serious flaws in their security; this does not count resorting to more effective methods (like social engineering and insider attacks), nor does it count various simple and more effective denial of service methods (such as routing attacks, SYN attacks (Panix, a network provider, was attacked heavily by these), and the recent "ping of death" problem) that would bring many of these machines down in seconds. I would say that to claim that we have a serious problem is an understatement. It seems obvious from these findings that security and system administration are very difficult to perform effectively and that the latent problems of securing a host or site are ill-understood.

I think that the greatest injustice is being done to the USERS of such sites and services. They simply are not informed of the incredible number of potential security problems on these systems. And much of the security information that gets widespread popular coverage is so watered down or simply incorrect as to be almost useless. But who would use an on-line bank or trust their credit card on the Web if they knew in advance that their site could be so easily compromised by casual intruders, and even more easily by determined ones?

The rest of this paper will discuss the technical methods used to perform the survey, how the survey participants were selected, current web methods of gathering info and how they work and apply to security, and my more detailed and technical conclusions and recommendations.

dan farmer
Independent security researcher and consultant
December 18th, 1996