1995-09-26 - Re: Hack Microsoft NT C2 Rating?

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: cacfa98f74ec4c56a05f934f4b2aba09222b18eaefd312bcfcac794f2a52561a
Message ID: <199509261856.LAA24022@ix6.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-26 18:58:55 UTC
Raw Date: Tue, 26 Sep 95 11:58:55 PDT

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 26 Sep 95 11:58:55 PDT
To: cypherpunks@toad.com
Subject: Re: Hack Microsoft NT C2 Rating?
Message-ID: <199509261856.LAA24022@ix6.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 07:27 AM 9/26/95 -0700, todd@lgt.com (Todd Glassey) replied to Ray:
>>So, if one can find bugs in NT's security, one can
>>toss a little more egg on the NSA's face and the sham that part of
>>their activies to *help* to secure american computers. A simple
>>violation of NT's C2 status would be to demostrate a flaw in it's
>>memory protection implementation.

One of the bigger cracks on VMS was after it got its C2 rating;
a strong system doesn't do you much good if you don't change
the default passwords for the SYSTEM and FIELD service accounts :-)

I'm more surprised by the rating since the Orange Book is basically
for non-networked systems; Red Book rating is _much_ harder, unless
the NSA's taking a different view of trustability of software encryption 
for authentication purposes than they used to.

>As per NT's orange book C2 Rating... C2 is about the lowest level of Secure
>that you can get. In fact I personally am unimpressed, rather it is a box
>on an RFQ that gets checked.  Very few people run C anything sites in reality.

A C2 rating says that most of the obvious bugs have been found, access to
the system and individual files requires authentication, and you can do an 
audit trail to find out who accessed what data when.  Ignoring networks,
that's not too bad.  But, yeah, one of the big reasons for C2 rating is that
government RFPs generally require C2 security, at least for military or
sensitive non-military purchases.  B-level ratings give you multi-level
security, so you can run SECRET and CONFIDENTIAL on the same box;
it's not a very useful security model for non-military applications,
but does let you do a better-trusted job of system integrity.

>IMHO - Military sites passing real classified data usually are not run on
>anything as low as C2. If you want a secure os, look at the Harris Computer
>Corp's B1-Certified version of ES/MP UNIX (they call it CX/SX). 

Hah.  Maybe it's changed since I was working with the AT&T System V/MLS folks,
but the vast majority of classified processing back then was done on unrated
or C2 systems running System High - everybody's cleared, and the boxes
with the classified stuff aren't connected to the outside except by
limited sneakernet.  You can get a _lot_ of security by keeping your
computers in locked rooms, and the average PC of those days could fit
in a big safe at night even if it couldn't fit in a locked file cabinet.
(And floppy disks or external shoeboxes were easy to lock up.)


Dan B. wrote
>For fun ways to hack NT, check out http://www.somar.com/security.html.
>Some of these are really laughable.  You can use NT's LogonUser API
>call to repeatedly guess passwords until you hit it, since NT offers
>no way to limit number of login attempts.
That's the kind of thing that would get changed for a C2 version,
just as the Unix login program had to be souped up for C2 and B1.
Even adding a constant delay, or an increasing delay after bad attempts,
is a good start for systems like that.  (It turns out that logging
user names on bad attempts has to be done carefully to avoid
increasing risk - if users get out of sync on typeahead when
entering their login and password, you can end up logging 
passwords, which was especially bad when that sort of data got
printed on the paper console...)
#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---






Thread