VULNERABILITIES MEETING
November 20, 1998
2:00 – 3:00
1131 ENG II

In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Brian Cameron (BC), Todd Heberlein (TH), Keith Herold (KH)

TOPICS:
Review of Progress on Projects
Tuomas Aura gives a talk on Historical Flaw in SSH (Unix Version 1.2.17)
Matt summarizes the Incident Response Meeting
Next Meeting – December 4th
    Tuomas Aura to finish Presentation
    Matt to talk about PA to find faults/analyze in MULTICS


    1) Review of Progress on Projects
            a) MB: Vulnerabilities database converted from SGML to HTML.  It should be up on the web tonight.  Same for RTF and Jade.
                    i) MB: Generate signatures for Windows – SMILE (opens/closes) and NETBUS (can control everything)
                    ii) TH:  Is that the same approach as Back Orifice?  MB:  Yes
                    iii) TH:  Can I get the code for NETBUS and SMILE?  MB:  It’s currently on the isolated network (Unix).  Get a copy of the code from Riccardo (Gomez).
                    iv) TH:  Is there a machine where I can bring up source code and leave in the lab for others?  MB:  Yes, on the isolated network.
                    v) TH:  Is it above SPARC 1?
                    vi) BC:  SPARC 5, 5, 20 on Unix isolated network

            b) KH:  I need to get the specs from you on the Cisco router.  Meet with Matt and Brian on Monday at 2:00.
                    i) MB:  Will call Cisco to ask about the recommended routers.  We want to start using the router, get used to it and eventually use the router to split the two isolated networks.

    2) Tuomas Aura gives a talk on Historical Flaws in SSH (Unix Version 1.2.17)
            a) Slide Titles (see handout)
                    i) SSH Key Exchange Protocol
                    ii) SSH Packet Protocol
                    iii) DNS Attack Remapping “Local Host”
                    iv) RSAR Hosts Flaw
                    v) RSAR Hosts Flaw – Trust Model

            b) Questions
                    i) TH:  Buffer overflow problem in SSH?  MB:  No, that’s wrong.  The overflow was transmitted through SSH, but not caused by it.
                    ii) TH:  Client authentication done at higher level than SSH?  TA:  Yes
                    iii) TH:  Phil Rogaway did some work with Kerberos – encrypting with messages but couldn’t prove that it was secure.  Now he only does provably secure encryption.
                    iv) DNS Attack Remapping Local Host
                            (1) TH:  Is Javabug similar?  TA: Yes

    3) Matt summarizes the Incident Response Meeting
            a) SPAM – campus-wide tracking system
            b) Function and purpose of the response group
            c) Problems of multiple reports of the same thing
            d) Connections between SPAM and security are not obvious.
            e) Remedy Database and SPAM
            f) 4 working groups:
                    i) Interface Layout
                    ii) Guidelines and Procedures
                    iii) Problem Resolution
                    iv) Education

    4) Next Meeting – December 4th
            a) Tuomas Aura to finish Presentation
            b) Matt to talk about PA to find faults/analyze in MULTICS