Who gets your trust?

January, 2000

Summary
Systems administrators have extraordinary access to all the data on corporate systems. What can be done to ensure that your administrators will not betray that trust? (3,000words)

	WIZARD'S GUIDE TO SECURITY

	By Carole Fennelly

In the business world you will often hear the statement "We don't hire hackers." When pressed for a reason, the speaker usually reveals a fear that a "hacker" will install a back door in the system. Time and time again, however, I have seen back doors installed by employees or security professionals whose integrity is never questioned. When confronted, they usually say it's no big deal. After all, they have the root password. They just wanted to set up a root account with a different environment. That's not hacking, right? Wrong. Their intention did not matter -- the security of the system has been bypassed.

This article discusses how administrative privileges can be abused and suggests some methods for countering that abuse. It is not meant to imply that every administrator abuses privileges or has malicious intent -- just that you shouldn't assume anything.

What is a back door?

Quite simply, a back door is a method for gaining access to a system that bypasses the usual security mechanisms. (Has everyone seen WarGames?) Programmers and administrators love to stick back doors in so they can access the system quickly to fix problems. Usually, they rely on obscurity to provide security. Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn't have time to go through all that might just rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it.

In computer systems, a back door can be installed on a terminal server to provide direct access to the console remotely, saving the administrator a trip to the office. It can also be a program set up to invoke system privileges from a nonprivileged account.

A simple back door is an account set up in the /etc/passwd file that looks like any other userid. The difference is that this userid doesn't have to su to root (and it won't show up in /var/adm/sulog) -- it already is root:

auser:x:0:101:Average User :/home/auser:/bin/ksh

If you don't see it, look again at the third field (userid) and compare it to the root account. They are the same (0). If you are restricting direct root logins to the console only (via /etc/default/login), then this account will have the same limitation. The difference is that if someone does su to this account, it will not be apparent in /var/adm/sulog that it is root. Also, a change to the root password will not affect the account. Even if the person who installed the account intends no harm, he or she has left a security hole.

It is also pretty common for an administrator to abuse the /.rhosts file by putting in desktop systems "temporarily." These have a way of becoming permanent.

Back doors can also be set up in subtler ways though SUID 0 programs (which set the userid to root). Usually, the motivation for setting up back doors is one of expediency. The administrator is just trying to get a job done as quickly as possible. Problems arise later when either (1) he leaves under normal circumstances and the hole remains or (2) he leaves under bad circumstances and wants revenge.

Proprietary data

A manager may also be reluctant to hire "hackers" for fear that they may divulge proprietary information or take copies of proprietary data. Several years ago, I was consulting at a company when a new administrator joined the group. In an effort to ingratiate himself with the team, he confided that he had kept the backup tapes from his old job (a competitor) and that they had some "really cool tools." It so happened that a consultant with my own business worked at the competitor's site. A scan of the tape revealed the proprietary software that the consultant had been working on, which eventually sold for a significant amount of money. While the admin probably did not intend to steal the software, his actions could have left his new employer facing a large lawsuit -- all for the sake of a few shell scripts. In this particular case, no one believed that the administrator had any ulterior motives. I wonder if people would have felt that way if he had been a "known hacker"?

System monitoring

Administrators are supposed to monitor system logs. How else can problems be investigated? But there is a difference between monitoring logs for a legitimate reason and monitoring them to satisfy prurient curiosity. Using the system log files to monitor a particular user's behavior for no good reason is an abuse of privileges.

What is a good reason? Your manager asks you to monitor specific logs. Or maybe you notice suspicious activities, in which case you should inform the management. Or, more commonly, a user complains about a problem and you are trying to solve it. What is a bad reason? A user ticks you off and you want to see how he is spending company time. Or a user has a prominent position in the company and you want to know what kinds of websites she goes to.

Countermeasures

You can take some actions to ensure the integrity of privileged users, but none of them carries any guarantee.

Background checks

You can have an investigative agency run a background check on an individual and you can require drug tests. These tell you only about past behavior (if the individual has been caught).

The state of New Jersey (where I live) has adopted a law commonly referred to as Megan's Law (see Resources). The law mandates that a community be notified of any convicted sex offender living in the community. On the surface, it sounds like a great idea and a way to protect children from predators.

As a parent, I am particularly sensitive to crimes against children. I received a Megan's Law notification this past year about a convicted sex offender who moved into town. It did not change a thing for me. My feeling is that every child molester has to have had a first time and that in any case not all molesters have been identified. Therefore, I take appropriate precautions with my children, regardless of who has moved to the area.

In the technical field, hackers are considered the molesters. (Yes, I know all about the politically correct terms cracker, defacer, etc., but the common term these days is hacker.) How do you know if someone is a "hacker"? Some people try to refine the term to mean "someone who has been convicted of a computer crime." But let's say, for example, that you attend Defcon, the hackers' conference, and encounter an intelligent job seeker with bright blue hair and funky clothes. Would you hire him? Chances are that you would at least scrutinize his credentials and make sure your contract spelled out all details of the work to be performed and the legal repercussions for any violations. What if the same person showed up for an interview with the blue dye rinsed out and in a nice pressed suit? Be honest: would you perform the same background checks regardless of a person's appearance?

Technical measures

Some technical software packages can limit or control superuser privileges. I recommend using them to prevent the inadvertent abuse of superuser privilege. Unfortunately, knowledgeable administrators and programmers with privileged access will be able to circumvent these measures if they really want to.

sudo
The freely available sudo package provides more granular control over the system by restricting which privileged commands can be run on a user basis. See Resources for the Sudo main page, which has a more complete description.
Tripwire
Tripwire is a file integrity package that, following the policy determined by the administrator, reports any changes made to critical files. Tripwire was originally developed at Purdue University by Gene Kim under the direction of Eugene Spafford. I plan to evaluate the merits of the commercial version of Tripwire in a future column. Tripwire is a good way for an administrator to tell whether the system files or permissions have been modified.
What can be done, however, if the senior administrator who monitors the system has malicious intent?

Professionalism
The best defense against the abuse of administrator privileges is to rely on a certain level of professionalism. The medical Hippocratic oath includes the mandate Do No Harm. While there is no such professional oath for systems administrators, you can establish guidelines for acceptable behavior. During the mid-1980s, I worked as an administrator in a computer center at a large telecommunications research facility. We had a code of ethics that a user had to sign before an account could be installed. We also had a code of ethics for privileged users that included additional restrictions, such as:

No SUID 0 (set userid to root) programs will be installed without the consent, in writing, of the senior administrator.
All users' email is to be considered private and confidential and may not be read by anyone other than the intended recipient.
Users' files may not be modified or read except in the case of a predetermined problem or security investigation. Be prepared to justify.
Privileged users are often entrusted with sensitive information, such as an employee termination, before other employees. This information is to be kept confidential.
The root passwords are changed monthly and are to be distributed by the senior administrator only. The passwords must be kept in a safe location, such as your wallet. If the password is lost, notify the senior administrator or your manager immediately.
Keystroke monitoring of user activities is strictly prohibited without senior management approval, in writing.
All administrative procedures and tools are to be considered proprietary information and are the property of the computer center.
Tape archives may not be removed from the facility without written approval.

Discretion
A code of ethics for privileged users should not be considered a punitive device, but rather a statement about the integrity of the person who signs it. At one point during my years in the computer center, the secretary to the president of the company came to me with a printer problem. As I was assisting her, she became upset when she realized that the test job she had sent to the printer was highly confidential. I was able to reassure her that all administrators were bound by a code of ethics and would be terminated for violations. (Besides, I wasn't really reading it, I was just looking for garbage characters!) Professionals must establish a certain level of trust. This is especially important for those privy to sensitive information regarding terminations or investigations.

Final thoughts

Would I hire someone who showed up for an interview with blue hair, body piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back door, but because he was ignorant about what was acceptable on Wall Street. As for the back doors? More are installed by well-groomed "professionals" in suits than by "hackers." Anyone with the required skills can be either a "security consultant" or a "hacker." The only difference is the label.

Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique, and readers are cautioned to investigate, with their companies, the feasibility of using the information and software in this article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither the author nor the publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein.

	Resources and Related Links
	Megan's Law: http://www.state.nj.us/lps/meganm .htm Sudo main page: http://www.courtesan.com/sudo/s udo.html Sudo implementation issues: http://www .attrition.org/~jericho/works/misc/bugtraq-01.html Tripwire Security: http://www.tripwiresecurity.com
Copyright 2003, ITworld - Please direct questions and comments to Carole Fennelly. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and ITworld are credited.