Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Fri, 11 NOV 88 09:54:13 PDT
Received: from ucbvax.Berkeley.EDU by KL.SRI.COM with TCP; Fri, 11 Nov 88 09:25:58 PST
Received: by ucbvax.Berkeley.EDU (5.59/1.31) id AA17265; Fri, 11 Nov 88 07:37:15 PST
Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 10 Nov 88 23:46:34 GMT
From: mailrus!uflorida!haven!uvaarpa!hudson!astsun1!jvb7u@tut.cis.ohio-state.edu (brinkmann jonathan v)
Organization: University of Virginia, Charlottesville, Astronomy Department
Subject: How to plug DECNET security hole
Message-Id: <748@hudson.acc.virginia.edu>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

The recent discussion regarding security holes in DECnet reminds me of the NASA breakin a couple of years ago by some West German hackers. I'll summarize how to take care of those holes:

1) Add the command CLEAR OBJECT TASK ALL to the file SYS$MANAGER:STARTNET.COM. It should be placed after the last NCP command in that file. This closes the door to all the trojan horse command files (TELL.COM, etc.). The object TASK is a generic object which can be used to execute commands remotely via the DECnet default account.

2) Protect all sensitive files (not only system files, but also anything you wouldn't want someone outside your organization to have access to). The easiest way to do this is with an ACL:

   SET FILE/ACL=(IDENTIFIER=NETWORK,ACCESS=NONE) filename(s)

3) If you are not satisfied with these changes (they will stop 99% of all breakins), you can remove the DECnet default account. However, this makes access by authorized users difficult without setting up a NETUAF.DAT file, which opens up a security hole if the burglar uses password guessing (as the Internet virus did), since he then has full access to any machine with NETUAF.DAT entries for the user he breaks in as.
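The following DCL command procedure is an added example and is not part of Dr. Brinkmann's post. It carries out steps 1 and 2 above and, after each one, runs the check a system manager would use to confirm the change took effect. It assumes the NCP and SET FILE/ACL syntax of the VMS releases the post is written for; the list of "sensitive" files in the SENSITIVE symbol is a hypothetical example and should be replaced with your own.

```dcl
$! HARDEN_DECNET.COM  --  added example, not from the original post.
$! Assumes VMS-era DCL, NCP via MCR, and that this runs from a
$! privileged account (SYSPRV or equivalent).
$ SET NOON
$!
$! Step 1: remove the generic TASK object from the running (volatile)
$!         DECnet database.  This is the same line the post says to add
$!         after the last NCP command in SYS$MANAGER:STARTNET.COM, so
$!         it is re-applied on every network start.
$ MCR NCP CLEAR OBJECT TASK ALL
$!
$!         Check: NCP should now report that object TASK is not defined.
$ MCR NCP SHOW OBJECT TASK
$!
$! Step 2: add an ACE denying all access through the NETWORK identifier
$!         to each file specification in the (hypothetical) list below.
$ SENSITIVE = "SYS$MANAGER:*.COM;*,SYS$SYSTEM:SYSUAF.DAT;*"
$ I = 0
$LOOP:
$   SPEC = F$ELEMENT(I, ",", SENSITIVE)
$!  F$ELEMENT returns the delimiter itself once the list is exhausted.
$   IF SPEC .EQS. "," THEN GOTO DONE
$   SET FILE/ACL=(IDENTIFIER=NETWORK,ACCESS=NONE) 'SPEC'
$   I = I + 1
$   GOTO LOOP
$DONE:
$!
$!         Check: every file listed should show the
$!         (IDENTIFIER=NETWORK,ACCESS=NONE) entry in its ACL.
$ DIRECTORY/ACL SYS$MANAGER:*.COM,SYS$SYSTEM:SYSUAF.DAT
$ EXIT
```

Run it as @HARDEN_DECNET once by hand to verify the output of the two checks, then keep only the CLEAR OBJECT TASK ALL line in STARTNET.COM as the post recommends; the ACLs persist on the files and do not need to be reapplied at each boot.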
I haven't mentioned the non-network security steps that should be taken, as these should already be in place, e.g., denying DIALUP and REMOTE access to public accounts with known passwords, protecting the files in the SYS$MANAGER and SYS$SYSTEM directories from WORLD access except when necessary, and using the security auditing package to keep track of breakin attempts.

--------------------------------------------------------------------------------
Bradley's Bromide: If computers get too powerful, we can organize them into a committee -- that will do them in.
================================================================================
Dr. Jon Brinkmann            Bitnet:      jvb7u@Virginia.EDU
Astronomy Department         Internet:    jvb7u@128.143.20.40
University of Virginia       SPAN/HEPnet: 6654::jvb7u
P.O. Box 3818
Charlottesville, VA 22903-0818
================================================================================