------------------------------

Date: Tue, 10 Sep 91 11:45:43 PDT
From: Dark Adept TNET>
Subject: File 7--Review of Site Security Handbook (by Dark Adept)

(Reviewed by Dark Adept)

The RFC 1244 - Site Security Handbook Reviewed
The Dark Adept
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The RFC (Request for Comment series) has produced a new tome: The Site Security Handbook. This little gem aired on July 26, 1991 on the newsgroup comp.doc. At 250K+, it is a somewhat large file to transfer around, but well worth it. It has its good points and bad points, but the good seem to outweigh the bad. So, saving the best for last, I will address some of the major bad points first.

I. Stereotyping and other falsities
-----------------------------------

This document completely explodes hacker myths and stereotypes. Here is an example:

   "As an illustration of some of the issues that need to be dealt with in security problems, consider the following scenarios (thanks to Russell Brand [2, BRAND] for these):

   - A system programmer gets a call reporting that a major underground cracker newsletter is being distributed from the administrative machine at his center to five thousand sites in the US and Western Europe.

   Eight weeks later, the authorities call to inform you the information in one of these newsletters was used to disable "911" in a major city for five hours." (RFC1244 p. 6)

Very cute. Very believable. Very much impossible, and very much a lie. I think we all know what this refers to (the Phrack/E911 incident), and I think that it is unprofessional of the editors of RFC 1244 to use this example, which is nothing more than a scare tactic. Also please note that all the examples, while not as blatant as this, deal with someone on the outside breaking in.
It makes one wonder why this is true when later in the document the editors state:

   "As an example, there is a great deal of publicity about intruders on computer systems; yet most surveys of computer security show that for most organizations, the actual loss from "insiders" is much greater." (RFC1244 p. 10)

Why oh why, then, are all your examples so one-sided? Why the stereotyping of intruders? Why the little E911 parody?

II. Relies more on accepted sources than reality
-------------------------------------------------

Over and over and over and over again, ad nauseam, this manual refers to those security gods, CERT. Allow me to let you in on a little secret. CERT has not said anything revolutionary. In fact, much of what CERT says, and much of what is stated in this manual, has been found in hacker G-Philes over the years. Examples:

   "...the Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie-Mellon University (CMU) estimates that 80% or more of the problems they see have to do with poorly chosen passwords." (RFC1244 p. 8)

Gee, does that sound familiar, or what? Every G-Phile around has in bold-faced, italicized, triple-underlined print: "Try his wife's maiden name" or "try his name backwards" or "here is a list of common passwords" or, more to the point, "people are idiots when they choose passwords" (hmm, I think that particular one was in one of my previous CuD articles).

Here is another "cute" one:

   "The Computer Emergency Response Team (CERT - see section 3.9.7.3.1) has observed that well-known universities, government sites, and military sites seem to attract more intruders." (RFC1244 p. 12)

Those veritable gods of observation! Gee, what would hackers break into? Maybe John Doe's collection of x-rated .gifs? I doubt it. In fact, 90% or more of every "hacker's atlas" (a G-Phile which is more or less a phonebook of data lines and who owns them) consists of phone numbers to the above-named institutions.
The main point is that RFC1244 does nothing more than collect statistics from G-Philes. This in itself is useful, but it would be more beneficial if the editors read the G-Philes themselves rather than using watered-down information from CERT et al.

Now for the good points. There are so many that I dare not try to list them all, just some highlights.

- It contains an extensive overview of a step-by-step way to implement security. From deciding who is to be involved to selecting a method (or methods) of security, this document mentions it.

- It has a list of many resources such as (ugh!) CERT, magazines (on-line and printed), software companies, etc. This is good since it provides the prospective securer with a starting point.

- It deals with security issues not usually thought of until a disaster happens, such as: how much should we tell the press? Who should we notify? Etc.

This handbook is directed mainly at the Internet user/sysadmin, but it can be applied to a PC in a dentist's office. For a security novice, or someone who just wants to find out what real security entails, this is the book, and it's free! So, before you go hiring Tacky Thacky or ex-LoD, read this handbook first. At least then you'll know what you're buying.

My rating: 3.5 hacks (out of 4). It loses the 0.5 for the stereotypes and lack of first-hand info, but otherwise something to have around the office/terminal.

Downloaded From P-80 International Information Systems 304-744-2253
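Editor's added example, not part of the review above and not code from RFC 1244, CERT or the reviewer. The one concrete technical claim the review keeps returning to is the password one: RFC 1244's "80% or more" figure and the G-Phile recipe of trying the user's name, the name backwards, a spouse's maiden name and a list of common passwords. The audit below turns that recipe into a check an administrator can run against stored password hashes before an intruder does. The account records, the common-password list, the suffix list and the hash function (a salted SHA-256 standing in for the crypt(3) of the era) are all constructed for the example.

```python
"""Weak-password audit built from the 'G-Phile' guessing heuristics: a user's
name, the name reversed, a spouse's maiden name and a short common-password
list, each with a few trailing digits or punctuation bolted on.

Added illustration only; not code from RFC 1244, CERT or the reviewer.
Accounts, word lists and the hash function are constructed for the example.
"""

import hashlib
import itertools

# Constructed stand-in for the "list of common passwords" a G-Phile carries.
COMMON_PASSWORDS = ["password", "secret", "welcome", "letmein", "qwerty", "123456"]

# Suffixes guessers append to a base word; constructed, deliberately short.
SUFFIXES = ["", "1", "12", "123", "!", "91"]


def candidate_guesses(username, personal_words):
    """Yield the guesses a password guesser would try first for one account.

    personal_words: names an attacker can learn from a directory or gossip
    (first name, surname, spouse's maiden name, pet, ...).
    Each base word is tried lower-case, reversed ("name backwards") and
    capitalised, then combined with every suffix.
    """
    bases = set()
    for word in [username, *personal_words, *COMMON_PASSWORDS]:
        word = word.strip()
        if not word:
            continue
        lower = word.lower()
        bases.add(lower)
        bases.add(lower[::-1])
        bases.add(word.capitalize())
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def hash_password(password, salt):
    """Constructed stand-in for the system password hash (the real
    /etc/passwd of 1991 used crypt(3); a salted SHA-256 keeps the example
    self-contained and is NOT a recommendation for storing passwords)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit(accounts):
    """accounts: list of dicts with keys username, salt, hash, personal_words.

    Returns {username: guess} for every account whose stored hash matches
    one of the guesses, i.e. the accounts a guesser would crack first.
    """
    cracked = {}
    for acct in accounts:
        for guess in candidate_guesses(acct["username"], acct["personal_words"]):
            if hash_password(guess, acct["salt"]) == acct["hash"]:
                cracked[acct["username"]] = guess
                break
    return cracked


# Constructed sample accounts: two weak, one not derivable from the lists.
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "salt": "x1", "personal_words": ["John", "Doe", "Smith"],
     "hash": hash_password("htims", "x1")},        # spouse's maiden name, reversed
    {"username": "rbrand", "salt": "y2", "personal_words": ["Russell", "Brand"],
     "hash": hash_password("Welcome1", "y2")},     # common password plus a digit
    {"username": "ops", "salt": "z3", "personal_words": ["Operations"],
     "hash": hash_password("k7#Qv!2pLm9z", "z3")}, # survives the guess list
]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: cracked with {guess!r}")
```

Run as a script it names the two weak accounts and their recovered passwords and stays silent about the third. The point of keeping the guess list tiny is the one the reviewer makes: none of this is revolutionary, and an account that falls to a few hundred guesses built from a phone directory is exactly the "poorly chosen password" the RFC's 80% figure is counting.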