Viruses, Trojans and Hackers II
This is the second of several network security related topics that are included in the Technical Notes. The intent of these articles is to present you with a fundamental understanding of the threats against your HP3000 and the impact these threats may have. Moreover, you will be able to converse intelligently with network and security administrators regarding the risks the HP3000 has on the Internet and Intranet. Last month I focused on Viruses and Trojans and how they affect the HP3000. This particular article will tackle the subject of Hackers.
Let me pose two questions. Where did you learn the bulk of the information that you know about HP3000s? How much do Hackers know about HP3000s?
The truth is an ambitious Hacker can learn a great deal about an HP3000 without ever having seen one.
The average HP3000 system administrator would say that much of the information they know about MPE came from reading manuals and technical articles in HP3000 publications. This means that any Hacker who wants to can learn the same information, considering most of the manuals are available online at http://www.hp.com/go/e3000-docs . Consequently, what you know they can and do know also. There are also Hacker web sites where a wealth of security-related information is available. Much of this material is dated but still usable. For an eye-opening experience go to http://www.google.com or http://groups.google.com and enter ‘hacking hp3000 mpe’ as the search string. Furthermore, there are numerous copies of HP3000 white papers, presentations, and other material available on the web. Lastly, answers to a large number of HP3000 questions are posted in a variety of newsgroups and forums on a variety of topics, including security.
So, what can you do about it?
From a strict MPE approach, you can make sure that all your accounts and users have passwords, that they are changed regularly, that they are not shared between users, and that they are not easy to guess. Moreover, shut down network services that you don’t use. For example, by default INETD not only enables telnet and ftp, but also some other services such as time, echo, daytime, and chargen. Disable these services by commenting them out in the INETD configuration file INETDCNF.NET.SYS. (I will cover this topic in greater detail in a separate article.) Enable FTP logging to document who makes FTP connections and when. Make sure the system and related items (tapes) are physically secure. Logon UDCs can also be used to add additional security and/or access logging to remote access points such as modems or non-local IP addresses.
Turn off modems until their use is necessary. Restrict inbound telnet and FTP connections to specific IP addresses in INETDSEC.NET.SYS. Denying access to a logon prompt is one of the easiest measures you can take to thwart a hacker.
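The two INETD steps above (comment out unneeded services in INETDCNF.NET.SYS, then restrict telnet and FTP to specific addresses in INETDSEC.NET.SYS) can be checked mechanically before the files are put back on the system. The script below is an added example, not code from the article or from HP: it assumes INETDCNF.NET.SYS follows the classic inetd.conf column layout (service, socket type, protocol, wait/nowait, user, server program, arguments) and that INETDSEC.NET.SYS follows the HP-UX inetd.sec layout (service, allow or deny, host list). The sample configuration text and the addresses are constructed for illustration and are not copied from any real system.

```python
"""Audit an inetd-style configuration and disable services that are not needed.

Added example, not from the article. Column layout of INETDCNF.NET.SYS and the
'<service> allow <hosts>' layout of INETDSEC.NET.SYS are assumptions here;
check them against your own files before use.
"""

# Constructed sample in inetd.conf layout; the article says ftp, telnet, time,
# echo, daytime and chargen are enabled by default.
SAMPLE_INETDCNF = """\
# service  socket  proto  wait    user         server
ftp        stream  tcp    nowait  MANAGER.SYS  internal
telnet     stream  tcp    nowait  MANAGER.SYS  internal
echo       stream  tcp    nowait  MANAGER.SYS  internal
daytime    stream  tcp    nowait  MANAGER.SYS  internal
chargen    stream  tcp    nowait  MANAGER.SYS  internal
time       stream  tcp    nowait  MANAGER.SYS  internal
"""

# Services the site actually uses; everything else is commented out.
KEEP = {"ftp", "telnet"}


def active_services(text):
    """List the service names on lines that are not blank or commented out."""
    services = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            services.append(stripped.split()[0].lower())
    return services


def harden_inetd_conf(text, keep=KEEP):
    """Return (new_text, disabled): unneeded service lines get a leading '#'."""
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)          # comments and blank lines pass through
            continue
        service = stripped.split()[0].lower()
        if service in keep:
            out.append(line)
        else:
            out.append("#" + line)    # disable by commenting out, as the article advises
            disabled.append(service)
    return "\n".join(out) + "\n", disabled


def inetdsec_rules(allowed):
    """Build '<service> allow <host ...>' lines from a service -> host-list map.

    The layout is assumed to match HP-UX inetd.sec; a wildcard such as
    10.1.2.* covers a whole subnet.  Hosts not listed are refused before they
    ever see a logon prompt, which is the point of the article's advice.
    """
    lines = []
    for service, hosts in sorted(allowed.items()):
        lines.append(f"{service} allow {' '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    hardened, disabled = harden_inetd_conf(SAMPLE_INETDCNF)
    print(hardened)
    print("disabled:", disabled)
    print("still active:", active_services(hardened))
    # Constructed private-range addresses standing in for a site's admin subnet.
    print(inetdsec_rules({"telnet": ["10.1.2.*"], "ftp": ["10.1.2.*", "10.1.3.5"]}))
```

Run it against a copy of your own INETDCNF.NET.SYS to see exactly which lines would change, then compare the `active_services` output with the list of services your applications really use before replacing the file on the system.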
A properly configured, direct-dial HP3000 host modem aborts sessions when the modem is unexpectedly disconnected to prevent another user from connecting in the middle of an already established session, hence bypassing security. Remote console modems should not be left enabled and should be password protected. Depending upon the system model, configure the remote console port by pressing CTRL-B and entering the CA command.
Limit capabilities of accounts and users to the minimum required to do their job. Rather than doling out SM, PM, or OP capability to accounts or users, investigate alternative methods to accomplish the same tasks. Make sure that the access security on accounts, groups and HFS directories is set so that only those that need access have it. If a hacker does breach security and gets logged on, every ounce of security can help lessen the potential damage.
On the network you can reduce unsecured network access by providing VPN or Remote Access Servers for remote users instead of direct Internet connections. For vendor access, create firewall rules to only allow connections from specific IP addresses. VPN is preferable to direct Internet access, even if that access is restricted, because VPN adds data encryption.
Finally, review the console logs for suspicious logon attempts to accounts such as FIELD.SUPPORT or MGR.HPOFFICE. Peruse the web sites returned by the aforementioned Google search to find out just what tips and tricks are available to hackers. Use them as a guide to beef up security and thwart unwanted system access.
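Reviewing console logs by eye does not scale, so here is an added example (not code from the article or from HP) of the kind of script that does the first pass: it counts failed logons per user.account, records which LDEVs each name was tried from, and raises an alert for any attempt on the default accounts the article names and for any name that fails repeatedly. The line format is constructed for illustration; real MPE console output differs, so `parse_line` is the one function you would adapt to your own log extracts.

```python
"""First-pass review of console log lines for suspicious logon attempts.

Added example, not from the article.  The log line format below is
constructed; adapt parse_line() to the format your console log actually uses.
"""
import re
from collections import Counter, defaultdict

# Default accounts the article singles out; add any others you rarely use.
WATCHED_ACCOUNTS = {"FIELD.SUPPORT", "MGR.HPOFFICE"}
THRESHOLD = 3   # failed logons for one user.account before an alert fires

# Constructed sample lines (assumed fields: time, LDEV, outcome, user.account).
SAMPLE_LOG = """\
08:01:12 LDEV 21  LOGON OK     JDOE.PAYROLL
08:02:05 LDEV 35  LOGON FAILED FIELD.SUPPORT
08:02:11 LDEV 35  LOGON FAILED FIELD.SUPPORT
08:02:19 LDEV 35  LOGON FAILED FIELD.SUPPORT
08:03:40 LDEV 35  LOGON FAILED MGR.HPOFFICE
08:05:02 LDEV 22  LOGON FAILED JDOE.PAYROLL
08:05:30 LDEV 22  LOGON OK     JDOE.PAYROLL
"""

LINE_RE = re.compile(r"^(\S+)\s+LDEV\s+(\d+)\s+LOGON\s+(OK|FAILED)\s+(\S+)$")


def parse_line(line):
    """Return a dict for a logon line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": m.group(1), "ldev": int(m.group(2)),
            "ok": m.group(3) == "OK", "who": m.group(4).upper()}


def review_console_log(text, watched=WATCHED_ACCOUNTS, threshold=THRESHOLD):
    """Summarise attempts and failures per user.account and build alerts."""
    attempts = Counter()            # all logon attempts per user.account
    failures = Counter()            # failed attempts per user.account
    ldevs = defaultdict(set)        # which devices each name was tried from
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        attempts[rec["who"]] += 1
        ldevs[rec["who"]].add(rec["ldev"])
        if not rec["ok"]:
            failures[rec["who"]] += 1

    alerts = []
    # Any attempt at all on a watched default account deserves a look.
    for who in sorted(attempts):
        if who in watched:
            alerts.append(("watched_account", who,
                           f"{attempts[who]} attempt(s) from LDEV {sorted(ldevs[who])}"))
    # Repeated failures on any name suggest guessing, whatever the account.
    for who, n in sorted(failures.items()):
        if n >= threshold:
            alerts.append(("repeated_failures", who, f"{n} failed logons"))

    return {"attempts": dict(attempts), "failures": dict(failures),
            "ldevs": {w: sorted(d) for w, d in ldevs.items()}, "alerts": alerts}


if __name__ == "__main__":
    report = review_console_log(SAMPLE_LOG)
    for kind, who, detail in report["alerts"]:
        print(f"{kind:18} {who:16} {detail}")
```

Pairing the LDEV in each alert with the INETDSEC.NET.SYS restrictions described earlier tells you whether the attempts came over a path that should already have been closed, which is usually the more important finding than the attempt itself.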