
SLAC Security Compromise 1998

SLAC Security Compromise 1998. R. Les Cottrell, SLAC. Presented at the ESCC meeting, Baton Rouge, Jan 2012. Friday May 29, 1998 evening. Unix host compromised. Intruder account (jroberts) discovered, /etc/passwd had been copied to offsite


Presentation Transcript


  1. SLAC Security Compromise 1998 • R. Les Cottrell, SLAC • Presented at the ESCC meeting, Baton Rouge, Jan 2012

  2. Friday May 29, 1998 evening • Unix host compromised • Intruder account (jroberts) discovered, /etc/passwd had been copied to offsite • Account disabled, found on other hosts faster than could disable account or shut down hosts • SLAC head of systems was at CERN, found hosts apparently “crashed” and restarted, adding to confusion • Head of cybersecurity recommends cutting off from Internet to Computing Services Director • Internet connectivity disabled

  3. Experience • SLAC was phasing out AIX hence patches may not have been fully up to date • Over 300 of ~2500 accounts had simple passwords that could be cracked by widely available software • Decide to require changing of all Unix passwords • Password had to be changed by Wednesday or account disabled • Remote users no net access, need to phone and get authenticated to get password • SLAC off net for a week • Detection of jroberts account added

  4. Survey overview • Following weekend jroberts found to have returned using rlogin/rhosts from ESnet Lab to access a non-centrally managed SLAC Next host • Then going onto William and Mary, another ESnet Lab, MSU, UIC • Review of /etc/passwd revealed we were able to crack 1 account (as opposed to 321 before the password change) • Also the number of accounts had dropped from 2800 to 1800
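
The slides mention that detection of the jroberts account was added and that password hashes were readable from /etc/passwd. The check below is an added example, not code from the presentation or from SLAC: it audits passwd-format lines against a baseline of approved accounts. The baseline, the sample lines (including every field of the jroberts line other than the name) and the hash strings are constructed, and it assumes password hashes sit in the second field when not shadowed.

```python
# Added example: audit passwd(5)-format text for unapproved accounts and
# password hashes left in the world-readable file. All sample data is constructed.

BASELINE = {"root", "daemon", "alice", "bob"}   # hypothetical approved-account inventory

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:CONSTRUCTEDhashAA:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
jroberts:CONSTRUCTEDhashBB:1003:100::/home/jroberts:/bin/sh
toor::0:0::/:/bin/sh
broken line without fields
"""

def audit_passwd(text, baseline):
    """Return (line_number, finding, detail) tuples for one passwd-format file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                      # passwd entries have 7 fields
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name not in baseline:                  # account nobody approved
            findings.append((lineno, "unknown-account", name))
        if uid == "0" and name != "root":         # second superuser
            findings.append((lineno, "extra-uid0", name))
        if pw == "":                              # login without a password
            findings.append((lineno, "empty-password", name))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # Anything else is treated as a hash that any local user can
            # read and take offline for cracking.
            findings.append((lineno, "hash-in-passwd", name))
    return findings

if __name__ == "__main__":
    for lineno, finding, detail in audit_passwd(SAMPLE_PASSWD, BASELINE):
        print(f"line {lineno}: {finding}: {detail}")
```

Run against each host's file on a schedule, with the baseline taken from the central account database rather than from the host being checked.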
