Information Technology Services

1
Information Technology Services

• Information Technology Servicessupports QUTs
  vision with leading information technology
  services in partnership with the QUT community.

2
Security Update

• Barry Lynam
• Senior Network Engineer - Security

3
Agenda

• Slapper Worm
• Tripwire

4
Slapper

• DISCLAIMER This is not a criticism of just
  Student Copying and Printing Services. It is
  criticism of lots of System Administrators.
• This incident is being used as an example that we
  can all learn from.

5
Slapper What is it?

• Worm that exploits a bug in the OpenSSL
  implementation of SSLv2 on Linux based Apache web
  servers.
• Patches released by,
• OpenSSL, 30 July 2002,
• Redhat, 5 August 2002.
• Uploads a source file to /tmp and compiles it.
• OpenSSL bug effects more than just Apache,
  anything that it compiled/linked against OpenSSL
  0.9.6d or earlier and uses SSLv2.
• SSLv1, SSLv3 or TLSv1 OK.
• Following attacks,
• Executing arbitrary commands,
• Creating TCP floods,
• Creating DNS floods,
• Searching for email addresses,
• Supports IPv4 and IPv6.

6
Slapper What happened?

• Monday 23 September
• Packet loss QUT Internet link.
• SCPS two infected machines.
• Parts of IAS accounting system crashed.
• Steps to resolve the problem.
• SCPS
• two machines rebuilt,
• removed from QUT firewall,
• blocked at QRNO router,
• blocked by IAS.
• AARNet and Optus blocked traffic to or from UDP
  ports listed as trojan ports.
• At least 3 variants.
• SCPS hosts had to change IP addresses as large
  amounts of traffic were still directed to them.

7
Slapper Other costs/impacts

• SCPS
• IAS 170
• External clients inconvenienced (downtime), maybe
  SLA agreement costs???
• Dented reputation.
• QUT
• Dented reputation.
• Same released date as QUT Virtual 2002
• Possible uncertainty of problem.

8
Slapper How to avoid
Patch
9
Make the time to patch

• Talk to your management to arrange a schedule
  downtime period.
• Explain to them the potential problems of not
  having the downtime. Use this as an example.
• Use ITS maintenance windows as an example. Does
  not have to be at night.

10
Testing patches

• Work out the risk of applying patches verses not
  applying them.
• Find out what your vendor does for patches, for
  example,
• Redhat backports security patches, never add or
  change features, nothing should break.
• Microsoft Windows update separates critical
  updates, recommended updates (enhancements) and
  device driver updates.
• Find out what the patch fixes. May be a work
  around or part of a feature that you dont use.

11
Questions
12
Tripwire

• Why is it being provided?
• Security Strategy
• People
• Operations
• Technology
• Tripwire is a technology.
• QUT site licence, costs you nothing.

13
Tripwire

• What does Tripwire do?
• Monitors your server for changes to
  files/directories and Windows Registry
  keys/values.
• Changes can be,
• Creation, modification, access times,
• Change in size, or no change,
• Ownerships,
• New file in directory,
• File checksums, various methods.
• Isnt real-time monitoring.
• Wont stop changes.
• But does at least report them.

14
Tripwire

• Two products
• Tripwire Server,
• Tripwire Manager.
• Platforms supported,
• Server,
• Windows NT/2000/XP
• Solaris,
• Compaq UNIX,
• HPUX,
• Linux,
• FreeBSD,
• AIX etc.
• Manager,
• Windows and Solaris.

15
Tripwire

• Tripwire Server runs on you servers and monitors
  files.
• Tripwire Manager is not needed, but make
  management of Tripwire Server easier especially
  if you have lots of servers.
• Communication between TWS and TWM encrypted and
  protected.
• TWS runs an agent that TWM connects to.
• Notifies of changes via e-mail, SNMP, and syslog.

16
Tripwire

• Get it from, http//net.qut.edu.au/security
• Click on Tripwire under Host Security.
• Demo Manager

17
Questions