
Silicon Graphics Inc. Security Advisory 19940301-01-I

Posted Sep 23, 1999

This advisory has the title Network Snooping and Promiscuous Network Interfaces.

SHA-256 | 5eeb5859d1c9ac237bb5f5ea826340ab953858d572bf45e8b0618de98cd50468


________________________________________________________________________________
Silicon Graphics Inc. Security Advisory

Title: Network Snooping and Promiscuous Network Interfaces
Title: CERT CA-94:01 Ongoing Network Monitoring Attacks
Number: 19940301-01-I
Date: February 22, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation. Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.
________________________________________________________________________________


Silicon Graphics acknowledges this issue as reported by the CERT
Coordination Center.

The issue as reported involves capturing account names and passwords as
new FTP, telnet and rlogin sessions are started between two systems on
a network.

Silicon Graphics engineering has investigated this issue and has the
following observations and recommendations.



A. All systems can snoop network traffic

Provided with the correct hardware and software combination, most computer
systems today can be used to capture or "snoop" network traffic. This is
normally a function left to protocol analyzers and network monitoring
devices but technical advances allow even a minimally configured personal
computer to accomplish the same task. This means that all systems on a
network can be a potential platform for snooping of traffic. A complete
knowledge of all systems connected to a network, the network topology and
the snooping capability of each network connection is useful in determining
a particular site's vulnerability to this kind of activity.



B. /dev/nit

The Silicon Graphics IRIX operating system does not make use of the
/dev/nit network interface file. Nor is there an equivalent under any
other filename on the system.



C. Network interface promiscuous mode

Promiscuous mode for a network interface means that the network interface
has been put into a state of operation in which each and every network
packet is picked up, regardless of whether it is addressed to this host's
interface or not. Use of the promiscuous mode is normal for the IRIX
operating system in order to accomplish certain network tasks. This normal
use is controlled by the IRIX kernel and is privileged and protected, making
it unavailable to users. It is not possible to remove this operation from
the kernel. Additionally, network monitoring programs, such as the SGI
NetVisualyzer product, also use the promiscuous mode to do their work. This
is acceptable behavior since the purpose of these products is to capture and
monitor network traffic. Since these tools can be used for bad intent as
well as good, these products generally require root or special predefined
privileges in order to be used on the system. At any time, should the system
root account be compromised or privileged promiscuous mode software be
misconfigured, network snooping can occur.
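
The following check is an added example, not part of the SGI advisory: it
reads BSD-style `ifconfig -a` output and reports interfaces in promiscuous
mode that are not on a site's list of approved monitoring interfaces. The
sample output, interface names and the allow-list are constructed, and that
a given system's ifconfig prints a PROMISC flag is an assumption.

```python
import re

# Constructed sample in the BSD-style layout of `ifconfig -a`; the interface
# names, flag words and addresses are made up for this example.
SAMPLE_IFCONFIG = """\
ec0: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,FILTMULTI,MULTICAST>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ec1: flags=d63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,FILTMULTI,MULTICAST>
        inet 192.0.2.77 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=1849<UP,LOOPBACK,RUNNING,MULTICAST>
        inet 127.0.0.1 netmask 0xff000000
"""

# An interface stanza starts in column one: "<name>: flags=<hex><FLAG,FLAG,...>".
# Continuation lines are indented, so they never match.
STANZA = re.compile(r"^(\S+?):?\s+flags=[0-9a-fA-F]+<([^>]*)>", re.M)


def promiscuous_interfaces(ifconfig_text):
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for name, flags in STANZA.findall(ifconfig_text):
        if "PROMISC" in flags.split(","):
            found.append(name)
    return found


def unexpected_promiscuous(ifconfig_text, allowed=()):
    """Promiscuous interfaces that are not approved monitoring interfaces.

    `allowed` is a hypothetical site-maintained list, e.g. the interface of
    a host that legitimately runs a network monitoring product.
    """
    approved = set(allowed)
    return [i for i in promiscuous_interfaces(ifconfig_text) if i not in approved]


if __name__ == "__main__":
    for name in unexpected_promiscuous(SAMPLE_IFCONFIG):
        print("unexpected promiscuous interface:", name)
```

Because a compromised root account can also alter what the system's own
tools report, a clean result from the host itself is not proof that no
snooping is taking place.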



D. Root privileges

Restricted use of the root account, root password and su privileges is
very prudent. Denial of these privileges to the general user is both
necessary and sufficient to prevent a user from using an IRIX workstation
to perform network snooping.

If access to these elevated privileges is not limited, a system could be
compromised, potentially resulting in various unauthorized activities
including network snooping.



E. Social engineering

It is often reported by compromised sites that the most common
factor contributing to break-ins is the weakest link - people.

Parties with bad intentions will often use techniques to obtain
information from insiders in order to assist access to systems.
This is known as social engineering. Social engineering relies on the
way people behave and how that behavior can be manipulated in order to
get information that can be used in helping gain access to a system.

Examples include people giving out passwords and other access information
to persons who claimed to work for other divisions of their companies,
displaying accounts and passwords on post-it notes on terminals, and using
easily guessed passwords (birthday, employee number, name, etc).

Only user community education regarding security and the awareness of
social engineering can help to strengthen this area of weakness.



F. Clear text transmission of passwords

Presently, the implementation of the TCP/IP protocol does not define
any mechanism to prevent network snooping of transmitted, reusable,
clear-text passwords on a network.

However, if a site desires enhanced security, there are a number of
commercial and public software packages that implement encrypted and/or
one-time use password schemes.
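
The following is an added example, not part of the SGI advisory: a
Lamport-style hash chain, one construction used for one-time passwords,
showing that a value captured on the wire is rejected when replayed. The use
of SHA-256, the class and function names, and the sample secret and seed are
assumptions of this example.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Apply the hash n times to seed||secret, giving H^n."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Stores only the last accepted value, never the user's secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial          # H^count, set up over a trusted path
        self.next_index = count - 1    # index the client must send next

    def verify(self, otp: bytes) -> bool:
        if self.next_index < 1:
            return False               # chain used up; H^0 would expose the secret
        if hmac.compare_digest(h(otp), self.stored):
            self.stored = otp          # accepted value becomes the new reference
            self.next_index -= 1
            return True
        return False


def demo():
    secret, seed, n = b"constructed passphrase", b"ab1234", 100
    server = Server(chain(secret, seed, n), n)
    otp = chain(secret, seed, server.next_index)   # client sends H^99 in clear
    first = server.verify(otp)                     # legitimate login
    replay = server.verify(otp)                    # snooped value sent again
    following = server.verify(chain(secret, seed, server.next_index))
    return first, replay, following


if __name__ == "__main__":
    print(demo())
```

A one-time password only stops reuse of a captured credential; the rest of
the session still crosses the network in clear text unless it is encrypted.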





------------------------------------
--- Further Information/Contacts ---
------------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com .


