Is Your e3000 Environment Secure?
(Keeping your e3000 safe from hackers until 2006 or beyond)
Mark Bixby
TCSD/vCSY
August 14, 2003

Presentation overview
§ Getting started with security on MPE
§ Auditing
§ Authentication
§ Authorization
§ Networking (general and product-specific)
§ :STORE/:RESTORE
§ Denial of service
§ The future
§ People & processes
§ Real-life security stories from the audience
§ General Q&A
August 14, 2003 Is Your e3000 Environment Secure? - HPWorld 2003 page 2

Getting started with security on MPE

Security-related documentation
§ Accessing Files Programmer's Guide
§ New Features of MPE/iX: Using the Hierarchical File System (see also :XEQ POSIXCBT.LSN.

System logging
§ Enabled via :SYSGEN
§ Logging event data written to LOG####.PUB.SYS
§ :SHOWLOG – displays current log file
§ :SWITCHLOG – switches to a new log file
§ Use LOGTOOL.PUB.

System logging events
§ 100 - System Logging
§ 101 - System Up
§ 102 - Job Initiation
§ 103 - Job Termination
§ 104 - Process Termination
§ 105 - NM File Close
§ 106 - System Shutdown
§ 107 - Power Failure
§ 111 - I/O Error
§ 112 - Physical Mount/Dismount
§ 113 - Logical Mount/Dismount
§ 114 - Tape Label

System logging events (cont.
Auditing

There's more than just the console and system logging
§ Many subsystems use separate logging facilities:
  – INETD – JINETD $STDLIST spoolfile
  – Apache - /APACHE/PUB/logs
  – DNS BIND/iX – syslog (and possibly the console)
  – Samba - /usr/local/samba/var
  – Sendmail – syslog (and possibly the console)
§ Home-grown applications?
§ Third-party applications?
§ ALL logs need to be checked periodically for anomalies

Where did that :HELLO come from?
§ System logging and console messages don't include the IP address for terminal logons/logoffs
§ A system logon UDC could be used to capture the HPREMIPADDR CI variable for successful logons
§ But there is currently no way on MPE to capture the IP address of a failed VT-MGR logon attempt
§ Enable INETD connection logging option (-l) to track all telnet connections
§ Use external firewall SYN logging?

Which files have been :RELEASEd?
§ :RELEASE is a great convenience for relaxing file security, but it opens major security holes
§ There are no FOS tools to conveniently scan for :RELEASEd files, but you can do this from the CI:
    file temp;rec=,,b;disc=2147483647
    listfile /,3 >*temp
    xeq awk.hpbin.

Which files are world-writable?
§ World-writable files are equally risky
§ To search for all world-writable files using the POSIX shell:
    find / -perm -o+w -a ! -type l | xargs ls -ld
§ Then tighten security if appropriate

Who is using special capabilities (i.e. SM, OP, PM)?
§ No FOS tools for conveniently auditing special capability usage
§ Vesoft's VEAUDIT/3000 product does a good job
§ You could scan :LISTACCT, :LISTUSER, :LISTGROUP output for account, user, and group usage
§ You could scan VERSION.PUB.

Listing all users with SM, OP, or PM capability
    file temp;rec=,,b;disc=2147483647
    listuser @.@ >*temp
    xeq awk.hpbin.sys "'&
      /^USER:/ { user=$2 } &
      /^CAP:.

Listing all PROG files with PM capability
    file temp;rec=,,b;disc=2147483647
    listfile @.@.@,6;seleq=[code=prog] >*temp
    file temp2;rec=,,b;disc=2147483647
    xeq version.pub.sys <*temp >*temp2
    xeq awk.hpbin.sys "'&
      /^VERSION>/ { getline; getline prog } &
      /^CAP:.

Listing all NMPRG files with PM capability
    file temp;rec=,,b;disc=2147483647
    listfile @.@.@,6;seleq=[code=nmprg] >*temp
    file temp2;rec=,,b;disc=2147483647
    xeq version.pub.sys <*temp >*temp2
    xeq awk.hpbin.sys "'&
      /^VERSION>/ { getline; getline prog } &
      /^CAPABILITIES:.

Who can write to priv-mode groups?
§ Non-prived users who can write to CAP=PM groups essentially have priv-mode capabilities
§ Make sure group-level security has restricted write and save access to authorized users
§ Make sure program files in PM groups are not :RELEASEd or writable by unauthorized users
§ Process :LISTACCT/:LISTGROUP/:LISTFILE output yourself, or just purchase Vesoft's VEAUDIT/3000

Would you know it if a hacker replaced a system file with a trojan horse?
§ Monitor system logging for unauthorized file open/close events
  – but what if a hacker disabled system logging or sanitized the log files?
§ Build a database of file checksums and other attributes for comparison purposes to detect file changes
  – Update the database after legitimate file changes
  – Various open source solutions – TripWire, Osiris, etc

Tracking account/user/group object changes
§ Would you be able to tell if a hacker assigned SM or PM capability to some obscure user?
§ Periodically compare :LISTACCT, :LISTUSER, :LISTGROUP output looking for any differences
§ Purchase HP Security Monitor/iX and enable command logging for :NEWACCT, :NEWUSER, :NEWGROUP, :ALTACCT, :ALTUSER, :ALTGROUP

Command file SNAPU – taking a snapshot of user attributes
    file temp;rec=,,b;disc=2147483647
    listuser @.@;format=detail >*temp
    xeq awk.hpbin.

SNAPU output
    OPERATOR.SYS PASSWORD : **
    OPERATOR.SYS UID : 142
    OPERATOR.SYS GID : 1
    OPERATOR.SYS MAX PRI : 150
    OPERATOR.SYS LOC ATTR : $00000000
    OPERATOR.SYS HOME DIR : /SYS/OPERATOR
    OPERATOR.SYS LOGON CI : /SYS/PUB/CI
    OPERATOR.

Compare SNAPU output to detect changes
§ :SNAPU >before
§ :save before
§ …time passes…
§ :SNAPU >after
§ :save after
§ :xeq diff.hpbin.sys 'BEFORE AFTER'
    2304c2304
    < OPERATOR.SYS CAP : GL,OP,UV,LG,ND,SF,BA,IA
    ---
    > OPERATOR.SYS CAP : GL,OP,UV,LG,ND,SF,BA,IA,PM
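
A raw diff of two snapshots reports every attribute change; the change that matters most is a user gaining SM, OP or PM. The following is an added example, not part of the original presentation: a POSIX shell function that reads two snapshots in the `USER.ACCT ATTRIBUTE : value` layout of the SNAPU output and reports only newly gained special capabilities. The function names and the users CLERK.PAYROLL and TEMP.PAYROLL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original slides).
# cap_gains BEFORE AFTER
#   BEFORE/AFTER: snapshot files with lines "USER.ACCT ATTRIBUTE : value",
#   the layout shown in the SNAPU output.
#   Prints "USER.ACCT gained CAP[,CAP]" for every user whose CAP list in
#   AFTER holds SM, OP or PM that was not in BEFORE. A user missing from
#   BEFORE is treated as new, so any special capability counts as gained.
cap_gains() {
    awk '
    $2 == "CAP" && $3 == ":" {
        caps = $0
        sub(/^[^:]*:[ \t]*/, "", caps)      # keep only the capability list
        gsub(/[ \t]/, "", caps)
        if (FILENAME == ARGV[1]) before[$1] = caps
        else                     after[$1]  = caps
    }
    END {
        nwatch = split("SM,OP,PM", watch, ",")
        for (user in after) {
            split("", had); split("", has)   # clear both sets
            n = split(before[user], p, ","); for (i = 1; i <= n; i++) had[p[i]] = 1
            n = split(after[user],  p, ","); for (i = 1; i <= n; i++) has[p[i]] = 1
            gained = ""
            for (i = 1; i <= nwatch; i++)
                if ((watch[i] in has) && !(watch[i] in had))
                    gained = gained (gained == "" ? "" : ",") watch[i]
            if (gained != "") print user " gained " gained
        }
    }' "$1" "$2" | sort
}

# Constructed sample snapshots: OPERATOR.SYS gains PM (the change shown in
# the diff output) and a new user TEMP.PAYROLL appears holding SM.
sample_cap_report() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
OPERATOR.SYS UID : 142
OPERATOR.SYS CAP : GL,OP,UV,LG,ND,SF,BA,IA
CLERK.PAYROLL UID : 201
CLERK.PAYROLL CAP : ND,SF,BA,IA
EOF
    cat > "$dir/after" <<'EOF'
OPERATOR.SYS UID : 142
OPERATOR.SYS CAP : GL,OP,UV,LG,ND,SF,BA,IA,PM
CLERK.PAYROLL UID : 201
CLERK.PAYROLL CAP : ND,SF,BA,IA
TEMP.PAYROLL UID : 202
TEMP.PAYROLL CAP : SM,ND,SF,BA,IA
EOF
    cap_gains "$dir/before" "$dir/after"
    rm -rf "$dir"
}

sample_cap_report
```
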
System logging event #115 gives incomplete picture of console activity
§ Only a subset of CI commands are logged by event #115
§ Enable additional logging events to get a better picture of console activity
§ If you are really paranoid, purchase HP Security Monitor/iX and enable CI command logging for all commands and all users (might be overkill!)

Perform periodic packet sniffing
§ :NETCONTROL TRACEON/TRACEOFF to capture packets, and :NMDUMP to format them
§ :NMDUMP is cumbersome and overly verbose, so using external packet sniffing tools might be a better choice
§ Connection attempts to unused TCP or UDP ports can indicate hacker scanning activity
§ tcpdump sniffer – www.tcpdump.org
§ Ethereal network analyzer – www.ethereal.

Auditing events across distributed systems
§ A single transaction may easily span multiple systems, each with their own clock of varying accuracy
§ Run NTP or other time synchronization software on each system so that event timestamps on one system may be correlated reliably with event timestamps on another system
§ NTP for MPE: http://jazz.external.hp.

Strange network errors may be a sign of hacker scanning tools
§ Some common hacker tools such as Nessus (www.nessus.

Nessus example console messages
    14:18/#J89/174/Could not receive data from sockets during Telnet device initialization
    14:18/#J89/174/Call to initialize telnet server failed with error -7
    ** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 239; Info: 1 - Error: 42;
    ** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 229; Info: 1 - Error: 42;
    ** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 165; Info: 1 - Error: 42;
    14:18/160/CAN'T FOPEN $STDLIST IN 'STARTLOGON' ON LDEV #14. (js 131)
    14:18/160/CAN'T CLEANUP SOCKET ON LDEV #14.

Nessus example console messages (cont.
Nessus example console messages (cont.)
    14:15/#J3/72/Feb 12 14:15:12 localhost sendmail[19595483]: h1CMFCFP19595483: IDENT:root@some.hacker [12.34.56.78] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    14:15/#J3/72/Feb 12 14:15:13 localhost sendmail[27721977]: h1CMFDFP27721977: IDENT:root@some.hacker [12.34.56.

Know your enemies (or know what your enemies know)!
§ Download Nessus (www.nessus.

Don't get mad, get even!
§ Report hacking attempts to the appropriate authorities within your organization
§ If the hacking originated via the Internet, use traceroute to display the network topology all the way back to the originating IP address to reveal:
  – the originator's organization
  – the originator's Internet Service Provider
§ Visit www.radb.

Authentication

Beware of install jobs using blank or constant passwords
§ Software product installation jobs (both HP and non-HP) frequently use blank or constant passwords when creating new accounts, groups, and users
§ Remember to manually impose custom passwords after software installations
§ Periodically check for blank passwords
  – Scanning :LISTACCT, :LISTGROUP, :LISTUSER output
  – Running Vesoft's VEAUDIT/3000 product

Listing users & accounts without passwords
    comment generate accounts without passwords
    file temp;rec=,,b;disc=2147483647
    listacct @;pass;format=detail >*temp
    file tempa;rec=,,b;disc=2147483647
    xeq awk.hpbin.sys "'&
      /^ACCOUNT/ { acct=$3 } &
      /^PASSWORD/ && NF == 2 { print acct }'" <*temp >*tempa
    comment generate users without passwords
    listuser @.@;pass;format=detail >*temp
    file tempu;rec=,,b;disc=2147483647
    xeq awk.hpbin.

Listing users & accounts without passwords (cont.)
    comment list users & accounts without passwords
    save tempa
    save tempu
    xeq join.hpbin.sys '-t . -j1 2 -o "1.1 1.

VT/telnet/ftp/dtc authentication sends cleartext passwords over the network
§ Any idiot with a packet sniffer can capture these passwords
§ Don't use these protocols over an untrusted network (i.e.

Unencrypted passwords in the system directory
§ Passwords are stored in the system directory as cleartext by default
§ :STORE ;DIRECTORY copies these cleartext passwords to your backup, so control who has access to your backups
§ OP users can do :STORE ;DIRECTORY, so control who has access to OP capability
§ Purchase HP Security Monitor/iX and enable encrypted passwords – one-way encryption is used, so not even SM users can reveal passwords

Generate random passwords in installation jobs
A shell script example:
    PASSWORD=`echo $$ | awk ' {\
      srand($0); for (i=0; i < 8; i++) \
        pass=pass \
          substr("ABCDEFGHIJKLMNOPQRSTUVWXYZ",1+int(26*rand()),1);
      print pass }'`
    callci "NEWACCT FOOBAR;PASS=$PASSWORD"
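
The script above seeds awk's srand() with the shell's process ID, so the password it produces is fully determined by that PID and the set of possible passwords is no larger than the PID range. As an added example (not from the original slides), here is the same eight-letter format drawn from the kernel random device instead; the presence of /dev/urandom on the host running the install job is an assumption, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original slides).

# pid_seeded_password PID
#   The slide technique with the seed made explicit: awk srand() is seeded
#   with a process ID, so the result is a pure function of that PID.
pid_seeded_password() {
    echo "$1" | awk '{
        srand($0)
        for (i = 0; i < 8; i++)
            pass = pass substr("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 1 + int(26 * rand()), 1)
        print pass
    }'
}

# gen_password [LENGTH]
#   Same output format (LENGTH uppercase letters, default 8) but drawn from
#   /dev/urandom (assumed to exist on the host). Bytes of 234 and above are
#   discarded so that each letter is equally likely (234 = 9 * 26).
gen_password() {
    len=${1:-8}
    od -A n -v -t u1 -N "$((len * 8))" /dev/urandom |
    awk -v len="$len" '
    {
        for (i = 1; i <= NF && n < len; i++)
            if ($i < 234) {
                pass = pass substr("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 1 + $i % 26, 1)
                n++
            }
    }
    END {
        if (n < len) exit 1      # not enough usable bytes: fail, never shorten
        print pass
    }'
}

PASSWORD=$(gen_password) || exit 1
# On MPE the slide then runs: callci "NEWACCT FOOBAR;PASS=$PASSWORD"
echo "generated a ${#PASSWORD}-character password"
```
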
Prevent users from choosing weak passwords
§ Nothing in MPE FOS to prevent users from choosing blank or weak passwords
§ Purchase HP Security Monitor/iX to impose minimum password length requirements
§ Purchase Vesoft's Security/3000 to impose minimum length and other password content requirements

Implement password expiration
§ Old passwords tend to become shared passwords
§ No MPE FOS mechanism for expiring old passwords to prevent them from becoming stale and known by too many people
§ Purchase HP Security Monitor/iX or Vesoft's Security/3000 to enforce regular MPE user and account password changes
§ Don't forget to change database and other passwords too!

Don't use embedded passwords in job streams
§ :JOBSECURITY ;PASSEXEMPT= can be used to permit certain classes of users to omit !JOB passwords in batch jobs
§ Third-party utilities (Vesoft, others) can insert !JOB passwords prior to :STREAMing

Time-out unattended terminal sessions
§ An unattended keyboard with a logged-on terminal session is a security risk
§ The HPTIMEOUT CI variable can time-out unattended sessions sitting at a CI prompt
§ Various freeware and third-party utilities can time-out idle MPE sessions
§ A password-protected PC screen saver can also prevent unauthorized usage

Authorization

The use & abuse of OP capability
§ OP capability grants the ability to:
  – :STORE/:RESTORE any file, including the system directory
  – Perform spoolfile and printer management
  – Perform job/session management
  – Use ;HIPRI on jobs
§ Few users need ALL of these abilities
§ Third-party utilities exist as OP alternatives for spoolfile/printer management and job/session management

Use OP on a temporary, process-local basis
§ Use priv-mode AIFs to temporarily give the local process OP capability so you don't have to give it to the user permanently
§ See the MPE/iX AIF:OS Reference Manual for details
  – http://docs.hp.com/mpeix/onlinedocs/36374-90013/3637490013.html
    AIFPROCGET(2119)  /* obtain existing cap. mask */
    set mask bit 21 for OP capability
    AIFPROCPUT(2119)  /* modify process cap. mask */
    HPCICOMMAND("OP command string")
    AIFPROCPUT(2119)  /* restore original cap.

Some read-only diagnostic tools require potentially destructive user capabilities
§ :NETCONTROL requires CAP=NM
§ :NSCONTROL requires CAP=NM
§ NETTOOL.NET.

:PURGEUSER and :PURGEACCT don't clean up creators or ACDs
§ Results in files owned by users who no longer exist
§ Results in ACDs granting access rights to users who no longer exist
§ If you recreate one of these users, is it appropriate for that user to regain the old access rights?
§ Third-party solutions exist for finding missing creators, but nothing for ACD problems
  – Scan :LISTFILE ,ACD every time you purge a user?

Anybody can do :LISTFILE @.@.
Instead of :RELEASE, consider the use of ACDs (Access Control Definitions)
§ :RELEASE is easy for getting around conventional file access restrictions, but tends to create huge security holes
§ Instead use ACDs to grant different levels of access for different users of a file
§ See :HELP ALTSEC for details
§ For example:
    :ALTSEC FDATA;NEWACD=(R:@.@; W,R:@.
Networking

Null SNMP community name in SNMPSAMP
§ SNMPSAMP.NET.SYS gives a null community name as an example to be used in SNMPCONF.NET.SYS
§ Hackers know to try null or common community names such as "public"
§ If using SNMP, choose a unique community name in SNMPCONF.NET.SYS
§ SNMP queries can reveal lots of interesting information!
  – :XEQ SNMPWALK.NET.

MPE TCP vulnerable to sequence number spoofing
§ MPE TCP sequence numbers are predictable and can enable a hacker to impersonate your e3000 in order to exploit trust relationships
§ For more info on TCP sequence spoofing, see: http://www.sans.org/rr/threats/intro_spoofing.php
§ Patches are available to randomize MPE initial TCP sequence numbers:
  – 6.5: NSTHD00 (GR)
  – 7.0: NSTHD01 (GR)
  – 7.

Use external packet filtering
§ MPE network transport lacks packet filtering
§ Many MPE network services can allow or disallow by IP address, but this can be cumbersome to manage
§ Use an external firewall or other network device to block all but explicitly authorized packets, i.e.

Filter outbound ICMP timestamp & netmask replies
§ MPE responds to ICMP timestamp & netmask requests
§ A hacker who knows your local time could schedule attacks during the graveyard shift
§ A hacker who knows your netmask is learning about your network topology
§ Use an external firewall or other network device to filter these outbound ICMP replies from your e3000

Apache – allow or deny via IP address or hostname
§ Module mod_access – http://httpd.apache.org/docs/mod/mod_access.html
    order allow,deny
    allow from 12.34.56.

Apache – basic user/password authentication
§ Module mod_auth – http://httpd.apache.org/docs/mod/mod_auth.

Apache – check logs for suspicious activity
§ The /APACHE/PUB/logs/access_log file can indicate suspicious Microsoft IIS virus activity (Nimda, etc):
    12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] /scripts/root.exe?/c+dir HTTP/1.0" 404 291
    12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
    12.34.56.78 - - [20/Feb/2003:16:06:42 -0800] /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 299
    12.34.56.78 - - [20/Feb/2003:16:06:42 -0800] /d/winnt/system32/cmd.exe?/c+dir HTTP/1.

WebWise – use HTTPS/SSL protocol for serving web pages
§ https:// URLs use the Secure Sockets Layer (SSL) protocol to encrypt the data stream between the web browser and the web server
§ If hackers should manage to network sniff this data stream, sensitive data will be protected
§ If you are using unencrypted FTP to allow file downloads, consider switching to WebWise and encrypted https://
§ http://www.modssl.

WebWise – X.509 client authentication
§ X.509 certificates aren't just for web servers!
§ Require web browsers to submit valid X.509 certificates to be validated by the web server
  – http://www.modssl.org/docs/2.8/ssl_howto.

WebWise - OpenSSL security functionality in FOS as part of the web server
§ OpenSSL command line utility
  – file encryption/decryption
  – X.509 certificate management
  – S/MIME encrypted e-mail message generation
  – API libraries NOT included (but you can build them from source code from www.openssl.org)
§ Only the X.509 functionality is supported, but the rest all works :-)
§ 7.0: patch WBWGDT7A
§ 7.

FTP - log authentication attempts
§ Recent versions of the MPE FTP server log the originating IP address for both successful and failed authentication attempts:
  – MPE 6.5: FTPGD01 or later
  – MPE 7.0: FTPGD49 or later
  – MPE 7.5: already in FOS
§ See FTPDOC.ARPA.

FTP - log authentication attempts (cont.)
    11:04/#J5/138/FTP INVALID PASSWORD FOR: "HACKER,MANAGER.SYS" IP=12.34.56.78
    11:04/#J5/138/FTP OPEN FOR: "SYSADMIN,MANAGER.SYS,PUB" IP=12.34.56.78
    11:04/#J5/138/FTP CLOSE IP=12.34.56.78
    11:07/#J5/147/FTP INVALID LOGON FOR: "BOGUS.ACCOUNT" IP=12.34.56.
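
Because these messages carry the source address, they can be reduced to a per-address summary of failed logons. The following is an added example, not part of the original presentation: a POSIX shell function that reads console messages in the layout shown above and lists each address that reaches a failure threshold or that tried the anonymous USER.FTPGUEST logon. The function names, the threshold and the sample lines (which use documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original slides).
# ftp_auth_failures MIN < console_log
#   Reads console messages in the FTPSRVR layout shown above and prints one
#   line per source IP with at least MIN failed logons, or with any failed
#   logon to USER.FTPGUEST (an anonymous-FTP probe), in the form:
#     IP failures=N anon_probe=yes|no targets=LOGON;LOGON
ftp_auth_failures() {
    awk -v min="$1" '
    /FTP INVALID (PASSWORD|LOGON) FOR:/ {
        ip = ""; who = ""
        if (match($0, /IP=[0-9.]+/)) ip  = substr($0, RSTART + 3, RLENGTH - 3)
        if (match($0, /"[^"]*"/))    who = substr($0, RSTART + 1, RLENGTH - 2)
        if (ip == "") next             # no address logged, nothing to attribute
        fails[ip]++
        if (!((ip, who) in seen)) {    # list each attempted logon once per IP
            seen[ip, who] = 1
            targets[ip] = targets[ip] (targets[ip] == "" ? "" : ";") who
        }
        if (who ~ /^USER\.FTPGUEST/) anon[ip] = 1
    }
    END {
        for (ip in fails) {
            probe = (ip in anon) ? "yes" : "no"
            if (fails[ip] >= min || probe == "yes")
                printf "%s failures=%d anon_probe=%s targets=%s\n", ip, fails[ip], probe, targets[ip]
        }
    }' | sort
}

# Constructed sample console log: three failures from one address, one
# failure after a successful session from a second, and one anonymous probe.
sample_ftp_report() {
    ftp_auth_failures 3 <<'EOF'
11:04/#J5/138/FTP INVALID PASSWORD FOR: "HACKER,MANAGER.SYS" IP=192.0.2.10
11:04/#J5/139/FTP INVALID PASSWORD FOR: "HACKER,MANAGER.SYS" IP=192.0.2.10
11:05/#J5/140/FTP INVALID PASSWORD FOR: "OPS,OPERATOR.SYS" IP=192.0.2.10
11:05/#J5/141/FTP OPEN FOR: "SYSADMIN,MANAGER.SYS,PUB" IP=198.51.100.7
11:05/#J5/141/FTP CLOSE IP=198.51.100.7
11:07/#J5/147/FTP INVALID LOGON FOR: "BOGUS.ACCOUNT" IP=198.51.100.7
15:59/#J5/123/FTP INVALID LOGON FOR: "USER.FTPGUEST,PUB" IP=203.0.113.5
EOF
}

sample_ftp_report
```
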
FTP – who is transferring what files?
§ FTPSRVR doesn't explicitly log file transfer attempts
§ But system logging file open & close events could be scanned to derive FTP usage

FTP - protocol logging would be helpful to detect certain hacking attempts
§ Unfortunately FTPSRVR does not support protocol logging
§ If access to FTPSRVR is controlled by an external firewall, proxy, or other network device, consider enabling FTP logging on the external device

FTP - restrict server usage to specific users
§ MPE FTPSRVR is all or nothing – it cannot restrict access to certain users
§ But Vesoft's Security/3000 product can

FTP - be aware of FTPSRVR's "site stream" command
§ Allows remote users to stream batch jobs
§ Users with CAP=BA,SF could upload new batch jobs to /tmp or other writable directories and then stream those jobs
§ Defeats the use of "OPTION LOGON,NOBREAK" if such UDCs do not also restrict batch jobs
§ A future version of FTPSRVR will add a new parameter to SETPARMS.ARPA.

FTP - don't enable anonymous FTP access
§ Too many hacker tools scan for anonymous FTP access
§ :PURGEUSER USER.FTPGUEST to make sure anonymous FTP is disabled (the default)
§ Console messages for failed USER.FTPGUEST logons might indicate hacker scanning activity:
    15:59/#J5/123/FTP INVALID LOGON FOR: "USER.FTPGUEST,PUB" IP=12.34.56.

INETD - Enable connection logging option (-l)
§ The default mode is no logging
§ Edit JINETD.NET.

INETD - connection logging output
    Received call for: ftp tcp
    ftp/tcp: Connection from unknown (12.34.56.78) at Thu Feb 20 11:48:41 2003
    Received call for: telnet tcp
    telnet/tcp: Connection from some.host.name (87.65.43.21) at Thu Feb 20 15:58:24 2003
    Received call for: ftp tcp
    ftp/tcp: Connection from some.host.name (87.65.43.

INETD - disable unused services
§ The INCNFSMP.NET.SYS template for the INETD config file INETDCNF.NET.

INETD – allow or deny by IP address or hostname
§ Use /usr/adm/inetd.sec to allow or deny access to INETD services by IP address or hostname
§ Create /SYS/NET/INETDSEC from the INSECSMP sample file
§ Make sure /usr/adm/inetd.sec is a symbolic link pointing to INETDSEC
  – ln -s /SYS/NET/INETDSEC /usr/adm/inetd.sec
§ Controls all services listed in /etc/inetd.

Samba – encrypted passwords
§ Samba/iX 2.0.7 and earlier only supported plaintext passwords
§ Samba/iX 2.2.8a adds support for encrypted passwords (via patch SMBMXG3 for 6.5, 7.0, and 7.5)
§ Samba encrypted passwords are independent of MPE user & account passwords
  – stored in /usr/local/samba/private/smbpasswd
  – maintained with /usr/local/samba/bin/smbpasswd utility
§ For more information: http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.

Samba – disable guest access
§ Many hacking scanners attempt Samba guest access
§ Modify /usr/local/samba/lib/smb.conf with "guest ok = no"
§ But if you MUST use guest access, use a minimal-capability user like GUEST.SAMBA instead of MGR.

Samba – allow or deny via IP address or hostname
§ In /usr/local/samba/lib/smb.conf:
    hosts allow = 12.34.56.78
    hosts deny = badhost.somewhere.

Samba – check logs for suspicious activity
§ Look for individual client log files in /usr/local/samba/var/log.*
§ debug level = 2 needed to see failed authentication attempts (but also gives successful file open/close info)
§ log file = /usr/local/samba/var/log.

Sendmail – access database
§ Accept or reject incoming e-mail
  1. :HELLO SERVER.SENDMAIL
  2. :XEQ SH.HPBIN.SYS -L
  3. shell/iX> /bin/cat - >/etc/mail/access
       makemoneyfast@aol.com REJECT
       imaspammer.com REJECT
       :EOD
  4.

Sendmail – check syslog for suspicious activity
§ Unauthorized relay attempts from spammers:
    Oct 16 11:44:14 localhost sendmail[190251173]: f9GIi9M6190251173: ruleset=check_rcpt, arg1=, relay=spam.host.com [12.34.56.78], reject=550 5.7.1 ... Relaying denied
§ Hacker probes:
    Feb 20 16:26:10 localhost sendmail[1114264]: h1L0Q8ER1114264: hacker.host [12.34.56.

:STORE/:RESTORE

Untrusted OP users + :STORE-to-disk ;DIRECTORY is a bad combination
§ OP users can :STORE ;DIRECTORY to obtain cleartext passwords
§ Now that :STORE-to-disk is in FOS, physical access to tape media is no longer required
§ Only give OP capability to those users who absolutely positively need it
§ Purchase HP Security Monitor/iX and enable encrypted passwords

:RESTORE ;CREATE results in blank passwords
§ If accounts, groups, or users get created by :RESTORE, they will have BLANK passwords
§ Upon :RESTORE completion, remember to manually assign passwords to any newly created objects
§ Periodically scan :LISTACCT/:LISTGROUP/:LISTUSER output for blank passwords

OP users can read or write any file using :STORE/:RESTORE
§ Read the contents of any file
§ Write arbitrary contents back to any file
§ Think twice before giving OP capability to users!

Denial of Service

Configure sane connection limits
§ Attackers can exhaust processor, memory, and disk resources by making hundreds (or thousands) of concurrent connections to network services
§ Make sure each network service is configured with sane connection limits
  – :NMMGR global TCP and UDP parameters
  – :NSCONTROL SERVER=name,min,max
  – Apache MaxClients directive
  – Samba "max smbd processes" parameter
§ Unfortunately no connection limits within INETD

Use Threshold Manager to define other limits
§ Included in FOS for global management of resource utilization
§ Only limits job & session logons, not process creations
§ See Performing System Management Tasks manual for details

The future

MPE security 2003-2006: the good news
§ HP software support continues through 2006
§ HP software delivery continues through 2006
§ HP patches continue through 2006
§ In short, nothing has changed from a customer support perspective

MPE security 2003-2006: the bad news
§ MPE 6.0 and earlier already not supported by HP
§ MPE 6.5 end of HP support date 12/31/04
§ MPE 7.0 end of HP support date 12/31/06
§ MPE 7.

MPE security beyond 2006 – native bugs
§ Vastly fewer customers using MPE means some undiscovered native security problems may stay hidden
  – good news: fewer MPE-specific security problems will emerge
  – bad news: if problems do emerge, HP won't be willing to fix them
§ Third-party support providers may be willing and able to provide fixes for some new bugs

MPE security beyond 2006 – open source bugs
§ Internet hackers will continue to find bugs in the open source products which are bundled into MPE
  – Apache, BIND, Samba, Sendmail
§ Most of these bugs tend to be of the buffer overflow / code execution variety, which at most will cause a process abort on MPE without executing any hacker code
§ HP will no longer be providing updated open source binaries for MPE
§ If these products are critical for your homesteading environment, you should invest in learning

People & Processes

Help! I forgot my password!
§ How can you be sure the user is who they say they are?
§ What if you don't recognize their face or voice?
§ Is a telephone request sufficient by itself?
§ Is an e-mail request sufficient by itself?
§ Should a handwritten signature be required?
§ NEVER reveal an existing password – always change it to something new

Are your employee ID numbers secure?
§ Social Security Numbers are too widely used for too many purposes to be truly secure
§ Do internal corporate applications "leak" employee ID numbers to other unauthorized employees?

Terminate passwords when terminating employees
§ Revoke or change passwords as soon as possible after the last day of employment
§ But short of using mental telepathy, how do you know which passwords an employee knows?
§ You may never know the full password list if informal password sharing is occurring
§ Do you change EVERY password if you terminate the system manager?

Avoiding the phony security audit scam
§ A hacker phones a user and says "Hi, I'm from IT Support and I need to verify your password"
§ Educate your users about what to expect and not expect from IT support staff
§ Users should never reveal passwords to ANYBODY else!

Never share login accounts (or passwords)
§ When multiple people share the same login account, reliable auditing becomes impossible
§ Products like Vesoft's Security/3000 can help facilitate login sharing, but MPE system logging will not be aware of those extra levels of authentication

Beware of dumpster diving
§ Implement procedures to prevent sensitive information being exposed in hardcopy trash
§ Use caution when recycling – is the recycling facility secure?
§ If in doubt, shred and/or degauss!

Control access to used backup media
§ System backups contain passwords and other sensitive information
§ Who has physical access to on-site media?
§ Who can request media from off-site archives?
§ When used media cycles back into the scratch pool, do you zero-out the old data before making the media available for reuse?

Knowledge retention
§ Employees with MPE OS & local application skills may leave to seek a different career path
§ Will the employees who are left have sufficient skills to ensure good MPE & application security?
§ Make sure critical knowledge is written down somewhere

Keep current on software versions
§ Perform periodic OS & application software updating/patching to get fixes for security problems
§ MUCH Internet grief could be prevented if everybody was up-to-date on key software
§ For MPE patches, the unsupported freeware patchman utility can help
  – http://www.bixby.org/ftp/pub/mpe/patchman-2.2.

Stay informed
§ Subscribe to vendor security alert mailing lists
§ Subscribe to Internet security alert mailing lists such as CERT, CIAC, BUGTRAQ, etc
§ Subscribe to open source application "announce" lists
§ Subscribe to open source application developer lists
§ Subscribe to HP3000-L / comp.sys.hp.

Real-life security stories from the audience

General Q&A