draft-ietf-ssh-users-01.txt                     G. Malkin / Bay Networks
                                         Erik Guttman / Sun Microsystems
                                                               July 1997

                        Users' Security Handbook


Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).


Abstract

   The Users' Security Handbook is the companion to the Site Security
   Handbook (SSH).  It is intended to provide users with the information
   they need to keep their networks and systems secure.


Acknowledgements

   This document is the work of the Site Security Handbook Working Group
   of the User Services Area of the Internet Engineering Task Force.
   The group was chaired by Barbara Y. Fraser of the Software
   Engineering Institute at Carnegie Mellon University, who also edited
   the Site Security Handbook.  Contributing authors to this document
   are:  Erik Guttman/Sun Microsystems, Lorna Leong/Singapore Telecom.

Malkin, Guttman            Expires: 20 Jan 98                   [Page 1]


Internet Draft          Users' Security Handbook               July 1997


   Table of Contents


   1.  Who Cares?  . . . . . . . . . . . . . . . . . . . . . . . .
   1.1  Why Was This Written?  . . . . . . . . . . . . . . . . . .
   1.2  Who Should Read it?  . . . . . . . . . . . . . . . . . . .
   1.3  Stuff You Should Know  . . . . . . . . . . . . . . . . . .
   2.  The ?? Commandments . . . . . . . . . . . . . . . . . . . .
   3.  READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . .
   4.  The Wires have Ears . . . . . . . . . . . . . . . . . . . .
   5.  Just Do It  . . . . . . . . . . . . . . . . . . . . . . . .
   5.1  Passwords  . . . . . . . . . . . . . . . . . . . . . . . .
   5.2  Viruses and Other Illnesses  . . . . . . . . . . . . . . .
   5.3  Modems . . . . . . . . . . . . . . . . . . . . . . . . . .
   5.4  Abandoned Terminals  . . . . . . . . . . . . . . . . . . .
   5.5  File Protections . . . . . . . . . . . . . . . . . . . . .
   5.6  Encrypt Everything . . . . . . . . . . . . . . . . . . . .
   5.7  Shred Everything Else  . . . . . . . . . . . . . . . . . .
   5.8  Email Pitfalls . . . . . . . . . . . . . . . . . . . . . .
   5.9  What program is this, anyway?  . . . . . . . . . . . . . .
   5.10 The Dangers of Downloading . . . . . . . . . . . . . . . .
   5.11 Don't get caught in the Web  . . . . . . . . . . . . . . .
   6.  Paranoia is Good  . . . . . . . . . . . . . . . . . . . . .
   7.  Bad Things Happen . . . . . . . . . . . . . . . . . . . . .
   7.1  Identifying a Breakin  . . . . . . . . . . . . . . . . . .
   7.2  What to do if you suspect trouble  . . . . . . . . . . . .
   7.3  How to prepare for the worst in advance  . . . . . . . . .
   8.  Home Alone  . . . . . . . . . . . . . . . . . . . . . . . .
   8.1  How to pick an Internet Service Provider . . . . . . . . .
   8.2  Beware of Daemons  . . . . . . . . . . . . . . . . . . . .

   References  . . . . . . . . . . . . . . . . . . . . . . . . . .
   Editor's Address  . . . . . . . . . . . . . . . . . . . . . . .

1.  Who Cares?

   This document is meant to provide guidance to the end users of
   computer systems and networks on what they can do to keep those
   systems and networks secure.  It is a companion document to the Site
   Security Handbook [SSH].

1.1 Why Was This Written?

   This handbook is a guide which end users can follow to help keep
   their computer systems and networks more secure.  It contains hints
   and guidelines, dos and don'ts, and anecdotes chosen to help codify
   the information in users' memories.

   This guide is meant to be a framework which sites can build upon to
   create handbooks to distribute to their users.  However, it can stand
   as a users' security guide in its own right.

1.2 Who Should Read it?

   This document is targeted towards end users of computer systems and
   networks.  This includes users working in small, medium and large
   corporate and campus sites, as well as users working from home PCs
   with modems.  Some of the handbook applies only to users who
   administer their own computers.

   System and network administrators may wish to use this document as
   the foundation of a site-specific users' security guide; however,
   they should consult the Site Security Handbook first.

1.3 Stuff You Should Know

   For the purposes of this document, a "site" is any individual or
   organization that owns and uses computer or network resources.  These
   resources may include host computers, routers, servers, or other
   devices that may be accessed from outside the site (e.g., from the
   Internet).

   The "Internet" is the global data network which connects users via
   the TCP/IP suite of protocols.

   An "administrator" is an individual or group which is responsible for
   the day-to-day maintenance and operation of the site's hardware and
   software.  A "user" is everyone else.


2.  The ?? Commandments

    - Keep passwords secret.
    - Read manuals and turn on security features.
    - Lock your workstation or log out when you leave your desk.
    - Don't let just anyone have physical access to your computer.
    - Be aware of what software you run, and be very wary of software
      of unknown origin.
    - Prepare for the worst in advance.
    - Do not panic.  Contact a system administrator if possible before
      spreading alarm.
    - Report security problems as soon as possible to your system
      administrator or Internet Service Provider.
    - Keep yourself informed about what the newest threats are.

3.  READ.ME

   If there were only one thing a user should read before connecting to
   the Internet, it would be the security policy of the user's home
   network.  A security policy is a formal statement of the rules by
   which users who are given access to a site's technology and
   information assets must abide.  As a user, you are obligated to
   follow the policy created by the decision makers and administrators
   at your site.  When using an outside network, you are obligated to
   follow its Acceptable Use Policy (if it has one).

   A security policy exists to protect a site's hardware, software and
   data.  It explains what the security goals of the site are, what
   users can and cannot do, what to do when problems arise and who to
   contact, and to generally inform users what the "rules of the game"
   are.

4.  The Wires have Ears

   It is a lot easier to eavesdrop on communications over data networks
   than to tap a telephone conversation.  Any link between computers may
   potentially be insecure, as can any of the computers through which
   data flows.  All information passing over networks may be worth
   eavesdropping on, to someone, even if you think "No one will care
   about this..."

   Information passing over a network may be read not only by the
   intended audience but by others as well.  This can happen to personal
   email and to sensitive information that is accessed via file transfer
   or the Web.  Please refer to the "Don't get caught in the Web" and
   "Email Pitfalls" sections for specific information on protecting your
   privacy.  The point is that you need to take this very seriously.

   As a user, your utmost concerns should be, firstly, to protect
   yourself against misuse of your computer account(s) and, secondly, to
   protect your privacy.

   Unless precautions are taken, every time you log in over a network,
   to any service, your password or confidential information may be
   stolen.  It may then be used to gain illicit access to systems you
   have access to.  In some cases the consequences are obvious:  If
   someone learns your credit card number or can gain access to your
   bank account, you might find yourself losing some cash, quickly.
   What is not so obvious is that services which are not financial in
   nature may also be abused in rather costly ways.  You may be held
   responsible if your account is misused by someone else!

   Many Internet services involve remote logins.  A user is prompted for
   his or her account name and password.  If this information is sent
   through the network without encryption, the message can be
   intercepted and read by others.  This is less of an issue when you
   are logging in to a "dial-in" service where you make a connection via
   telephone and log in, say to an online service provider, as telephone
   lines are harder to eavesdrop on than Internet communications.

   The risk is there when you are using programs to log in over a
   network.  Many popular programs used to log in to services or to
   transfer files (such as telnet and ftp, respectively) send your name
   and password and then your data over the network without encrypting
   it.
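
   The following is an added example, not part of the handbook, showing
   what an eavesdropper actually recovers from the two protocols named
   above.  The 'captures' are constructed by hand (host names, account
   names and passwords are made up); the code reassembles the client's
   bytes exactly as a sniffer sitting on any link in the path would.

```python
"""Reconstruct a cleartext login from captured packet payloads.

Added illustration, not part of the handbook.  Both captures below are
constructed by hand; no real traffic is involved.
"""
from typing import List, Tuple

# Each record is (direction, payload): 'C' = client -> server, 'S' = server -> client.
Packet = Tuple[str, bytes]

# Constructed FTP login: the client sends its credentials as whole commands.
FTP_CAPTURE: List[Packet] = [
    ("S", b"220 ftp.example.net FTP server ready.\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required for alice.\r\n"),
    ("C", b"PASS s3cret!Pass\r\n"),
    ("S", b"230 User alice logged in.\r\n"),
    ("C", b"RETR payroll.xls\r\n"),
]

# Constructed telnet login: the client sends one keystroke per packet; the
# server echoes the login name but not the password.
TELNET_CAPTURE: List[Packet] = (
    [("S", b"login: ")]
    + [("C", ch.encode()) for ch in "bob\r"]
    + [("S", b"bob\r\n"), ("S", b"Password: ")]
    + [("C", ch.encode()) for ch in "hunter2\r"]
    + [("S", b"\r\nLast login: Tue Jul  1 09:12:03 1997\r\n$ ")]
)


def _client_lines(capture: List[Packet]) -> List[str]:
    """Reassemble client->server bytes into lines, as a sniffer would."""
    data = b"".join(payload for direction, payload in capture if direction == "C")
    text = data.decode("ascii", errors="replace")
    return [line for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n") if line]


def extract_ftp_credentials(capture: List[Packet]) -> Tuple[str, str]:
    """FTP sends USER and PASS as plain commands; pull them straight out."""
    user = password = ""
    for line in _client_lines(capture):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return user, password


def extract_telnet_credentials(capture: List[Packet]) -> Tuple[str, str]:
    """Telnet has no USER/PASS commands, but the server's prompts tell the
    eavesdropper which keystrokes are the name and which are the password."""
    fields = {"login": "", "password": ""}
    current = None
    for direction, payload in capture:
        if direction == "S":
            prompt = payload.decode("ascii", errors="replace").rstrip().lower()
            if prompt.endswith("login:"):
                current = "login"
            elif prompt.endswith("password:"):
                current = "password"
            continue
        if current is None:
            continue
        for ch in payload.decode("ascii", errors="replace"):
            if ch in "\r\n":
                current = None      # field finished; wait for the next prompt
                break
            fields[current] += ch
    return fields["login"], fields["password"]


if __name__ == "__main__":
    print("ftp:   ", extract_ftp_credentials(FTP_CAPTURE))
    print("telnet:", extract_telnet_credentials(TELNET_CAPTURE))
```

   With ftp the credentials arrive as whole commands; with telnet they
   arrive one keystroke at a time, and the server's prompts mark which
   keystrokes are the password.  Neither protocol gives the user any
   sign that this is happening, which is why the section that follows
   recommends one-time passwords or an encrypted login.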

   The precaution commonly taken against password eavesdropping by
   larger institutions, such as corporations, is to use one-time
   password systems: a password captured on the wire is useless because
   it is never accepted a second time.  Until recently this has been far
   too complicated and expensive for home systems and small businesses.
   An increasing number of products now address the same risk without
   fancy hardware, using cryptographic techniques to encrypt the login
   itself.  An example of such a product is "SSH" (Secure Shell), which
   is both freely and commercially available for a variety of platforms.
   Many products (including SSH-based ones) also encrypt the user's data,
   not just the password, before it is passed over the network.

   All this may sound very complex, but it need not be in practice.  Ask
   your service provider how to log in securely and what to avoid.  If
   you have a professional service provider they will give you detailed
   information.  If secure login is not available, that itself is
   possibly good reason not to log in at all and to seek another service
   provider.


5. Just Do It

5.1 Passwords

   Passwords are easy to guess by an intruder unless precautions are
   taken.  Your password should contain a mix of numbers, punctuation,
   and upper and lower case letters.  Avoid all real words or
   combinations of words, license plate numbers, names and so on.  The
   best password is a made up sequence (e.g., an acronym from a phrase
   you won't forget).
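
   The rules in the paragraph above, turned into a check you can run
   over a candidate password, plus a routine that builds the recommended
   kind of password from a memorable phrase.  This is an added example,
   not from the handbook; the word list and the substitution table are
   small constructed stand-ins for a real dictionary file and for the
   rules a password-guessing program applies.

```python
"""Check a candidate password against the rules given above, and build the
kind of password the handbook recommends from a memorable phrase.

Added example, not from the handbook.  DICTIONARY is a constructed
stand-in for a real word list (e.g. /usr/share/dict/words); LEET is a small
table of the letter-for-symbol swaps that password-guessing programs try
automatically, so "P@ssw0rd" is judged as the word it really is.
"""
import re
import string
from typing import List, Set

# Constructed mini-dictionary, including a couple of first names.
DICTIONARY: Set[str] = {
    "password", "secret", "welcome", "summer", "winter", "dragon", "blue",
    "monkey", "football", "letmein", "admin", "love", "alice", "bob",
}

# Symbol/digit substitutions undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _is_word_combination(s: str, words: Set[str]) -> bool:
    """True if s splits entirely into dictionary words, e.g. 'bluedragon'."""
    if not s:
        return True
    return any(s[:i] in words and _is_word_combination(s[i:], words)
               for i in range(1, len(s) + 1))


def password_problems(pw: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("needs a mix of lower case, upper case, digits "
                        "and punctuation")

    # Undo leet-speak, drop digits/punctuation tacked on the ends, then ask
    # whether what is left is a real word or a run of real words.
    core = pw.lower().translate(LEET).strip(string.digits + string.punctuation)
    core = re.sub(r"[^a-z]", "", core)
    if core and _is_word_combination(core, DICTIONARY):
        problems.append("is a dictionary word or a combination of words")

    # Crude licence-plate heuristic: a few letters and a few digits.
    if re.fullmatch(r"[a-z]{1,3}\s?\d{2,4}\s?[a-z]{0,3}", pw.lower()):
        problems.append("looks like a licence plate")
    return problems


def acronym_from_phrase(phrase: str) -> str:
    """First letter of each word, keeping numbers and trailing punctuation:
    'My 2 dogs eat 4 bones at 6pm!' -> 'M2de4ba6!'."""
    parts = []
    for token in phrase.split():
        if token.isdigit():
            parts.append(token)
            continue
        parts.append(token[0])
        if token[-1] in string.punctuation:
            parts.append(token[-1])
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "BlueDragon99", "ABC 1234",
                      acronym_from_phrase("My 2 dogs eat 4 bones at 6pm!")]:
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

   The leet-speak step matters: "P@ssw0rd!" has all four character
   classes and still fails, because guessing programs try exactly those
   substitutions.  The phrase acronym passes every check and is still
   something its owner can remember without writing it down.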

   Resist the temptation to write your password down.  If you do, keep
   it with you until you remember it, then shred it!  NEVER leave a
   password taped onto a terminal or written on a whiteboard.  You
   wouldn't write your PIN code on your automated teller machine (ATM)
   card, would you?  You should have different passwords for different
   accounts, but not so many passwords that you can't remember them.
   You should change your passwords periodically.

   Be certain that you are really logging into your system.  Just
   because a login panel or prompt appears and asks you for your
   password does not mean you should enter it.  Avoid unusual login
   screens and immediately report them to your systems administrator.
   If you notice anything strange upon logging in, change your
   password.

   You should use "one time passwords" if you are logging in over a
   network, unless precautions have been taken to encrypt your password
   when it is sent over the network. (Some applications take care of
   that for you.)  See "The Wires Have Ears" for more information on the
   risks associated with logging in over a network.


5.2 Viruses and Other Illnesses

   Viruses are essentially unwanted pieces of software that find their
   way into a computer.  What the virus may do once it has entered its
   host depends on several factors: what the virus has been programmed
   to do, and what part of the computer system it has attacked.  Some
   viruses are 'time bombs' which activate only when given a particular
   condition, such as reaching a certain date.  Others remain latent in
   the system unless a particular afflicted program is activated.
   Still, there are others which are continually active, exploiting
   every opportunity to do mischief.  A subtle virus may simply modify a
   system's configuration, then hide.

   There are 3 ways to avoid viruses:

   1. Don't be promiscuous

      If at all possible, be cautious about what software you install on
      your system.  Do not run programs whose origin you are unaware or
      unsure of.  Do not execute programs or reboot using old diskettes
      unless you have reformatted them, especially if the old diskettes
      have been used to bring software home from a trade show, and so
      on.

      Viruses have to get onto a computer somehow.  Nearly all risk of
      viruses can be eliminated if you are extremely cautious about what
      files are stored on your computer.  See "The Dangers of
      Downloading" for more details.

   2. Scan regularly.

      Give your computer a regular check-up.  There are excellent
      virus-checking and security audit tools for most computer
      platforms available today.  Use them, and if possible, set them to
      run automatically.

   3. Notice the unusual.

      It's not true that a difference you cannot detect is no difference
      at all, but it is a good rule of thumb.  You should get used to
      the way your system works.  If there is an unexplainable change
      (for instance, files you believe should exist are gone, or strange
      new files are appearing, disk space is 'vanishing') you should
      check to see if you have a virus.

   If you are responsible for maintaining your own computer, you should
   take some time to become familiar with the computer virus detection
   tools available for your type of computer.  You should use an
   up-to-date tool (i.e., not older than three months).  It is very
   important to test your computer if there has been a reported virus
   'outbreak' in your organization or if you have been using freeware,
   other people's used floppy disks to transfer files, and so on.

   If your computer system or account is centrally administered, you
   should use the tools recommended by the systems administration.  You
   should report any virus you suspect has been passed onto your system.
   You should notify your site's systems administrators as well as the
   person you believe passed the virus to you.  It is important to
   remain calm.  Virus scares may cause more delay and confusion than an
   actual virus outbreak.  Before announcing the virus widely, make sure
   you verify its presence using a virus detection tool, if possible
   with the assistance of technically competent personnel.

   The best way to limit the damage a virus can do is to keep important
   files backed up.  That way, if worst comes to worst, you can always
   restore your system to its state before it was afflicted.

   Some people confuse the term "Trojan Horse" and "Virus".  A Trojan
   Horse is a program which is not what it appears to be:  By running
   it, you are opening yourself up to danger.  This topic is covered
   under "What program is this, anyway?"


5.3 Modems

   You should be wary about attaching anything to your computer, and
   especially something which allows data to flow.  If your computer is
   centrally administered, you should get permission before you connect
   anything to your computer.

   Modems present a special security risk.  Many networks are protected
   by a set of precautions designed to prevent a frontal assault from
   public networks.  If your computer is attached to such a network, you
   must exercise care when using a modem.  It is quite possible to use
   the modem to connect to a remote network while *still* being
   connected to the 'secure' net.  Your computer can now act as a hole
   in your network's defenses.  Unauthorised users may be able to get
   onto your organization's network through your computer!

   Be sure you know what you are doing if you leave a modem on and set
   up your computer to allow remote computers to dial in.  Be sure you
   use all available security features correctly.

   If you are a dial-in user, you should become familiar with what is
   normal behavior for your modem.  If you detect a lot of sustained
   modem activity that cannot be explained by your work, it is possible
   that your system is being probed or accessed by a remote system.

5.4 Abandoned Terminals

   Do not leave a terminal or computer logged in and walk away.  Anyone
   can come by and perform mischief for which you may be held
   accountable.  Sinister as it may be, someone coming around to erase
   your work is not uncommon.

   Anyone who can gain physical access to your computer can almost
   certainly break into it.  This means that you should be careful with
   who you allow access to your machine.  If this is impossible, it is
   wise to encrypt your data files kept on your local hard disk.  You
   should also NEVER save passwords in scripts or login procedures as
   these could be used by anyone who has access to your machine.

5.5 File Protections

   Data files and directories on shared systems or networked file
   systems require care and occasional oversight.  The first two
   categories are:

    - Files to share

      Shared files may be visible to everyone or to a restricted group
      of other users.  Each system has a different way of specifying
      this.  Learn how to control sharing permissions of files and
      implement such control without fail.

    - Protected files

      These include files which only you should have access to, but
      which are available to anyone with system administrator
      privileges.  An example of this are files associated with the
      delivery of email.  You don't want other users to read your email,
      so make sure such files have all the necessary file permissions
      set accordingly.
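
   An added example (not from the handbook) of the occasional oversight
   the section recommends: walk a home directory, report anything that
   users other than the owner can read or write, and strip those bits
   from a file that should have been private.  It assumes POSIX
   permission bits; the sample home directory is constructed in a
   temporary location, and for a real audit you would point
   audit_tree() at your own home directory instead.

```python
"""Report files in a directory tree that users other than the owner can
read or write, and lock a file down when it should have been private.

Added example, not from the handbook.  POSIX mode bits are assumed; ACLs
and Windows permissions are not covered.  build_sample_home() constructs a
small home directory with typical mistakes in a temporary location.
"""
import os
import stat
import tempfile
from typing import Dict, List


def classify(mode: int) -> List[str]:
    """Name each group/other permission bit that exposes the file."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Map relative path -> findings for every exposed file or directory."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue                  # the link target's bits are what matter
            findings = classify(mode)
            if findings:
                exposed[os.path.relpath(full, root)] = findings
    return exposed


def lock_down(root: str, relpath: str) -> None:
    """Strip every group/other bit; the owner's own bits are left alone."""
    full = os.path.join(root, relpath)
    os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & 0o700)


def build_sample_home() -> str:
    """Constructed home directory: one private file, two mistakes, one share."""
    home = tempfile.mkdtemp(prefix="home-")
    layout = {
        "mail/inbox":        0o644,   # mail spool left world-readable: a mistake
        ".login":            0o666,   # start-up script anyone can edit: worse
        "public/README":     0o644,   # deliberately shared, fine
        "private/notes.txt": 0o600,   # correct
    }
    for relpath, mode in layout.items():
        full = os.path.join(home, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(home, "public"), 0o755)
    os.chmod(os.path.join(home, "mail"), 0o700)
    os.chmod(os.path.join(home, "private"), 0o700)
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for path, findings in sorted(audit_tree(home).items()):
        print(f"{path}: {', '.join(findings)}")
    lock_down(home, "mail/inbox")
    print("after lock_down:", sorted(audit_tree(home)))
```

   The world-writable start-up script is the worse of the two mistakes:
   anyone on the system can append commands to it that will run as you
   the next time you log in, which is the point made in "Abandoned
   Terminals" about never letting others reach your login procedures.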

5.6 Encrypt Everything

   The third category of files is those that are private.  You may have
   files which you do not wish anyone else to have access to.  In this
   case, it is prudent to encrypt the file.  This way, even if the
   systems administrator turns into Mr. Hyde or your network is broken
   into, your confidential information will not be available.
   Encryption is also very important if you share a computer.  A home
   computer may be used for preparing taxes and playing computer games
   by children.  By backing up the data and using encryption, this kind
   of shared use may be done safely.

   Before you encrypt files on a shared file server, you should check
   with your site's security policy.  Some employers and countries
   expressly forbid the storing and/or transferring of encrypted files.

   Be careful with the passwords or keys you use to encrypt files.
   Safely lock them away to keep them from others but also for your own
   security.  If you lose them, you will lose your ability to decrypt
   your data as well!

   It should be noted that encryption programs, whilst readily
   available, are of widely varying quality.  PGP offers a strong
   encryption capability.

   You should not be intimidated by encryption software.  Easy to use
   software is being made available.

5.7 Shred Everything Else

   You would be surprised what gets thrown away in the waste paper
   basket:  notes from meetings, old schedules, internal phone lists,
   computer program listings, correspondence with customers, even market
   analyses.  All of these would be very valuable to competitors,
   recruiters and even an overzealous (hungry?) journalist looking for a
   scoop.  The threat of dumpster diving is real - take it seriously!
   Shred all potentially useful documents before discarding them.

5.8 Email pitfalls

   All the normal caveats apply to messages received via Email that
   apply to messages received any other way.  For example, the sender
   may not be who he or she claims to be.  If Email security software is
   not used, it is very difficult to determine for sure who sent a
   message.  This means that Email is not a suitable way to conduct
   business.  It is very easy to forge an Email message so that it
   appears to come from anyone.

   Another security issue you should consider when using Email is
   privacy.  Email passes through the Internet from computer to
   computer.  As the message moves between computers, and indeed as it
   sits in the user's mailbox waiting to be read, it is potentially
   visible to others.  Please refer to "The Wires Have Ears" section,
   above.  For this reason, it is wise to think twice before sending
   confidential or extremely personal information via Email.  You should
   never send credit card numbers and the like via Email.

   To cope with this problem there are privacy programs available.  Some
   mail programs make use of Privacy Enhanced Mail (PEM).  There is also
   a popular program which is widely available called PGP (which stands
   for "Pretty Good Privacy").  To use them, you need a mail program
   which employs this privacy protection software.

   One service many Email users like to use is Email forwarding.  This
   should be used very cautiously.  Imagine the following scenario:

      A user has an account with a private Internet Service Provider and
      wishes to receive all her mail there.  She sets it up so that her
      Email at work is forwarded to her private address.  All the mail
      she would receive at work then moves across the Internet until it
      reaches her private account. All along the way, the Email is
      vulnerable to being read.  A sensitive Email message sent to her
      at work could be read by a network snoop at any of the many stops
      along the way the Email takes.

   Remember to be careful with saved mail.  Copies of sent or received
   mail (or indeed any file at all) placed in storage provided by an
   Internet service provider or BBS may be vulnerable.  The risk is that
   someone might break into the account and read the old mail.  If you
   are a home user, keep your mail files, indeed any sensitive files, on
   your home machine.  You may also consider using an encryption program
   on your sensitive files.

   Note that Email sent or received at work may not be private.  In the
   US, employers may legally both read your mail and make use of it.

   Many mail programs allow files to be included in mail messages.  The
   files which come by mail are files like any other.  Any way in which
   a file can find its way onto a computer is possibly dangerous, like a
   disease vector.  If the attached file is merely a text message, fine.
   But it may be more than a text message.  If the attached file is
   itself a program or an executable script, extreme caution should be
   applied before running it.  See the section below entitled "The
   Dangers of Downloading."
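
   An added example, not from the handbook, of the triage a careful
   reader would give an incoming message before opening anything
   attached.  The message is constructed inline with the standard
   library's email package (addresses and contents are made up), and
   the set of 'runs as a program' extensions is an assumption; a real
   list would be maintained for the desktops actually in use.

```python
"""Triage the attachments of a mail message before anything is opened.

Added example, not from the handbook.  The message is constructed inline
(addresses and contents are made up).  EXECUTABLE_EXTENSIONS is an
assumption: a short list of extensions common desktops run as programs.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs",
                         "js", "hta", "sh", "pl"}


def build_sample_message() -> bytes:
    """Constructed message: one harmless attachment and two that are not."""
    msg = EmailMessage()
    msg["From"] = "Company Z <updates@example.com>"   # anyone can write this
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached, please review before Friday.")
    msg.add_attachment(b"Q3 revenue: see sheet 2\n",
                       maintype="text", subtype="plain", filename="figures.txt")
    msg.add_attachment(b"MZ\x90\x00 (constructed, not a real program)",
                       maintype="application", subtype="octet-stream",
                       filename="figures.txt.exe")
    msg.add_attachment(b"@echo off\r\necho constructed batch file\r\n",
                       maintype="text", subtype="plain", filename="setup.bat")
    return msg.as_bytes()


def triage(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for each attachment that should not be run."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTENSIONS:
            # The last extension decides what a double-click does; an inner
            # one ("figures.txt.exe") is there only to mislead the reader.
            reason = f"runs as a program (.{ext})"
            if len(pieces) > 2:
                reason += "; double extension disguises it as ." + pieces[-2]
            if ctype.startswith("text/"):
                reason += f"; declared as {ctype}, which is not what it is"
            flagged.append((name, reason))
        elif ctype == "application/octet-stream":
            flagged.append((name, "binary of undeclared type"))
    return flagged


if __name__ == "__main__":
    for name, reason in triage(build_sample_message()):
        print(f"{name}: {reason}")
```

   Note that the From: line names "Company Z" and nothing in the
   message proves it; as the section says, without Email security
   software the sender cannot be determined for sure, so the decision
   has to rest on what the attachment is, not on who claims to have
   sent it.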

5.9 What Program is this, anyway?

    Programs have become much more complex in recent years.

    - A program may have "plug-in" modules.  You should not trust the
      plug-ins simply because you are used to trusting the applications
      they plug into.  For example: Some web pages suggest that the user
      download a plug-in to view or use some portion of the web page's
      content.  Consider: What is this plug-in?  Who wrote it?  Is it
      safe to include it in your web browser?

    - Some files are "compound documents."  This means that instead of
      using one single program, it will be necessary to run several
      programs in order to view or edit a document.  Again, be careful
      of downloading application components.  Just because they
      integrate with products which are well-known does not mean that
      they can be trusted.

    - Downloading an application which has the same name as a well-known
      application is dangerous.  This is a well-known ploy to trick
      users.  You might accidentally run the downloaded program thinking
      it is the well-known application.  Files which have the same name
      as system files, utilities or start-up batch files are especially
      dangerous.

    - Programs can use the network without making you aware of it.  One
      thing to keep in mind is that if a computer is connected, any
      program has the capability of using the network, with or without
      informing you.  Say for example:

         You download a game program from an anonymous file server. This
         appears to be a shoot-em-up game, but unbeknownst to you, it
         transfers all your files, one by one, over the Internet to a
         hacker's machine!   Or it might disconnect from your online
         service, and dial into a server reached via a foreign telephone
         number, doing untold mischief and sending your phone bill
         through the roof in the process...

   More and more software is downloaded as part of 'normal' access of
   the World Wide Web.  It is of course very dangerous to simply run
   software obtained anonymously, for all the reasons discussed above.
   There are two basic approaches to making this safer, corresponding
   to the two basic choices that exist for this sort of thing.  One
   does not trust the downloaded program; the other does trust it,
   selectively.  Currently the 'don't trust' approach is employed by
   Java (and many scripting languages), whereas ActiveX takes the 'do
   trust' tack.

   The first strategy allows the untrusted software only a limited set
   of capabilities; the code being executed does not have any direct
   access to resources on your computer.  The 'capability' system
   protects you, allowing the downloaded software to run only in a
   sealed off 'sand-box.'  The risk is that the sand-box might leak,
   that is, that flaws in the

   Capability-based security has the potential for allowing partial
   access to a system's resources; it is not an 'all or nothing'
   proposition.  Still, it is very difficult for different pieces of
   software to work together in a safe way, so software using this
   approach tend to be more of the 'stand-alone' kind.  Where the
   software can safely work with other programs, it will be due to the
   cooperation of a variety of existing security mechanisms which allow
   for it.  For example, capabilities might be granted to software which
   correctly logs into an existing access control framework.

   The second strategy does not attempt to restrict the downloaded
   software's access to the computer or its files.  Instead, it provides
   a complicated system by which you can decide whether you want to
   allow a given piece of software to run or not, to 'trust' it.  The
   basic idea is that downloaded software carries a 'signature.'

   This signature is rather special (it uses fancy cryptographic
   techniques); it allows a user to determine the software's origin.
   The user can be pretty darn sure that "so and so" knows that the
   software you downloaded comes from some registered source, let's call
   it "Company Z."  It so happens that there are several
     which of these you trust.  Next, you have to decide which source
   of software you trust.  Do you trust only a few big companies, or do
   you trust "Company Z?"

   The real danger of the 'signature' based approach is that it
   circumvents precautions at several levels.

   It may be that validly registered sources of software are actually
   bad guys.  The best that you can do in this case is try to sue them,
   after the software has had its chance to wreak havoc on your system.
   With the way the signature technology works, it takes a long time to
   find out that a signature has gone wrong (say I steal Company Z's
   hard disk and start to publish a bunch of virus-bouquets using their
   signature...).  It might take months or even years before you would
   find out that Company Z's signature has changed.

   More subtle, but very important, is that the signature-based approach
   is more than 'all or nothing' security - it effectively short
   circuits all security systems which might have been put in place on
   the network.  When one accepts a piece of signed software, one does
   so without requiring any interaction with authentication or security
   filtering systems between the source of the software and your
   machine.

5.10 The Dangers of Downloading

   An ever expanding wealth of free software has become available on the
   Internet.  While this exciting development is one of the most
   attractive aspects of using public networks, you should also exercise
   caution.  Some files may be dangerous.  Downloading poses the single
   greatest risk.

   You should decide ahead of time what risks are acceptable and then
   stick to this decision.  It may be wise to simply avoid downloading
   any software from the network which comes from an unknown source to a
   computer storing business records, other valuable data and data which
   are potentially damaging (if the information was lost or stolen).

   If the machine has a mixed purpose, say recreation, correspondence
   and some home accounting, perhaps you will hazard some downloading of
   shareware applications.  You take some risk of acquiring software
   which is not exactly what it purports to be.

   Be careful to store all downloaded files so that you will remember
   their (possibly dubious) origin.  Do not, for example, mistake a
   downloaded program for a common program, say for doing directory
   listings.

   Checking vital system files for corruption, tampering or malicious
   replacement is very tedious work to do by hand.  Fortunately there
   are many virus detection programs available for PCs and Macintosh
   computers.  There are security auditing programs available for UNIX-
   based computers.  If software is downloaded from the network, it is
   wise to run virus detection or auditing tools regularly.

5.11 Don't get caught in the Web

   The greatest risk when web browsing is downloading files.  Web
   browsers allow any file to be retrieved from the Internet.  See "The
   Dangers of Downloading" above.

   Many web browsers download files even when it is not at all obvious
   that they are doing so.  Thus, the risk posed by downloading files may
   be present even if you do not go out and retrieve files overtly.  Any
   file which you have loaded over the network should be considered
   possibly dangerous (even files in the web browser's cache).  Do not
   execute them by accident, as they may be malicious programs.

   Web browsers may download and execute programs on your behalf.  You
   may disable these features.  If you leave them enabled, be sure that
   you understand the consequences.  You should read the security guide
   which accompanies your web browser as well as the security policy of
   your company (if you are accessing the Web from work).  You should be
   aware that downloaded programs may be quite risky to execute on your
   machine.  (See "What program is this, anyway?")

   Web pages often include forms.  Be aware that, as with Email, data
   sent from a web browser to a web server is not secure.  Several
   mechanisms have been created to address this, most notably SSL
   (Secure Sockets Layer).  This facility has been built into many web
   browsers.  It encrypts messages which are sent between the user's web
   browser and the web server so that no one along the way can read
   them.

   One note of caution:  Many network security products do support
   encryption, but they use very weak encryption.  The more "bits" that
   the encryption keys have, the stronger the encryption can be.  Many
   security products have been sold which have only 40 bit keys, which
   makes the encrypted data very easy to recover by knowledgeable people.
   At the time of writing, data encrypted with 56 bit keys was
   considered to be reasonably difficult to obtain by someone without
   the key.  Keys need more bits as computers get faster.  You should
   consider how many bits a given piece of encryption software uses for
   its keys before you put much faith in it.

6.  Paranoia is Good

   Many people do not realise it but social engineering is a tool which
   many intruders use to gain access to computer systems.  The general
   impression that people have of computer break-ins is that they are
   the result of technical flaws in computer systems which the intruders
   have exploited.  People also tend to think that break-ins are purely
   technical.  However, the truth is that social engineering plays a big
   part in helping an attacker slip through security barriers.  This
   often proves to be an easy stepping stone onto the protected system
   if the attacker has no authorised access to the system at all.

   Social engineering may be defined, in this context, as the act of
   gaining the trust of legitimate computer users to the point where
   they reveal system secrets or help someone, unintentionally, to gain
   unauthorised access to their system.  Using social engineering, an
   attacker may gain valuable information and/or assistance that could
   help break through security barriers with ease.  Skillful social
   engineers can appear to be genuine but are really full of deceit.

   Most of the time, attackers using social engineering work via
   telephone.  This not only provides a shield for the attacker by
   protecting his or her identity, it also makes the job easier because
   the attacker can claim to be a particular someone with more chances
   of getting away with it.

   There are several types of social engineering.  Here are a few
   examples of the more commonly used ones:

    - An attacker may pretend to be a legitimate end-user who is new to
      the system or is simply not very good with computers.  This
      attacker may approach systems administrators and other end-users
      for help.  This "user" may have lost his password, or simply can't
      get logged into the system and needs to access the system
      urgently.  Attackers have also been known to identify themselves
      as some VIP in the company, screaming at administrators to get
      what they want.  In such cases, the administrator (or it could be
      an end-user) may feel threatened by the caller's authority and
      give in to the demands.

    - Attackers who operate via telephone calls may never even have seen
      the screen display on your system before.  In such cases, the
      trick attackers use is to make details vague, and get the user to
      reveal more information on the system.  The attacker may sound
      really lost so as to make the user feel that he is helping a
      damsel in distress.  Often, this makes people go way out of their
      way to help.  The user may then reveal secrets when he is
      off-guard.

    - An attacker may also take advantage of system problems that have
      come to his attention.  Offering help to a user is an effective
      way to gain the user's trust.  A user who is frustrated with
      problems he is facing will be more than happy when someone comes
      to offer some help.  The attacker may come disguised as the
      systems administrator or maintenance technician.  This attacker
      will often gain valuable information because the user thinks that
      it is all right to reveal secrets to technicians.  Site visits may
      pose a greater risk to the attacker as he may not be able to make
      an easy and quick get-away, but the risk may bring fruitful
      returns if the attacker is allowed direct access to the system by
      the naive user.

    - Sometimes, attackers can gain access to a system without prior
      knowledge of any system secret or terminal access.  Just as one
      should not carry someone else's bags through Customs, no user
      should key in commands on someone else's behalf.  Beware of
      attackers who use users as their own remotely-controlled fingers
      to type, on the user's own keyboard, commands the user does not
      understand and which may harm the system.  These attackers will
      exploit system software bugs and loopholes even without direct
      access to the system.  The commands keyed in by the end-user may
      bring harm to the system, open his own account up for access to
      the attacker or create a hole to allow the attacker entry (at some
      later time) into the system.  If you are not sure of the commands
      you have been asked to key in, do not simply follow instructions.
      You never know what and where these could lead to...

   To guard against becoming a victim of social engineering, one
   important thing to remember is that passwords are secret.  A password
   for your personal account should be known ONLY to you.  The systems
   administrators who need to do something to your account will not
   require your password.  As administrators, the privileges they have
   will allow them to carry out work on your account without your having
   to reveal your password.  An administrator should not have to ask you
   for your password.

   Systems administrators will have their own accounts to work with, and
   will not need to access a system via an end-user's account.  Besides,
   systems maintenance staff will probably have more system privileges
   with their accounts, giving them no reason to do work via ordinary
   end-user accounts.  Also, most maintenance work will require special
   privileges which end-users are not given.  Users should guard the use
   of their accounts, and keep them for their own use.  Accounts should
   not be shared, not even temporarily with maintenance staff or an
   administrator.

   Systems maintenance technicians who come on site should be
   accompanied by the local site administrator (who should be known to
   you).  If the site administrator is not familiar to you, or if the
   technician(s) come alone, it is wise to call your known site
   administrator to check whether the technician(s) should be there.
   Yet many people will not do this because it makes them look paranoid
   and it is embarrassing to show that they have little or no trust in
   these visitors.

   Unless you are very sure that the person you are speaking to is who
   he or she claims to be, no secret information should ever be
   revealed to such people.  Sometimes, attackers may even be good
   enough to make themselves sound, over the phone, like someone whose
   voice you know.  It is always good to double check the identity of
   the person.  If you are unable to do so, the wisest thing to do is
   not to reveal any secrets.  If you are a systems administrator, there
   should be security procedures for assignment and reassignment of
   passwords to users, and you should follow such procedures.  If you
   are an end-user, there should not be any need for you to have to
   reveal system secrets to anyone else.  Some companies assign a common
   account to multiple users.  If you happen to be in such a group, make
   sure you know everyone in that group so you can tell if someone who
   claims to be in the group is genuine.

7.  Bad Things Happen

   This section concerns those who maintain their own computer systems.
   If you have an account on a shared system or a centrally administered
   computer, very little in this section will apply to you.  If you
   notice that your files have been modified or ascertain somehow that
   your account has been used without your consent, you should inform
   your system administrator immediately.

   The rest of this section concerns those whose systems are not
   centrally administered, such as home users or employees of small
   businesses.


7.1 Identifying a Breakin

   Unfortunately there are no hard and fast rules, only some signs which
   can be of use.  Modern computers and network programs often do a lot
   of work while the user is idle.  So just because the computer seems
   quite busy when you are not actively using it does not necessarily
   imply that it has been broken into.  Indeed, many of the indications
   listed below should be considered suspicious only when they are
   extreme.

    - Massive disk activity.  This might indicate someone is copying
      files from your system to a remote location.

    - Abnormally poor performance.  Note that this may occur for many
      reasons.  There should be other clues before you suspect a
      break-in.

    - Strangely intense and prolonged network activity.  This might
      arise if your home system is being probed for vulnerabilities.

    - System files have modification dates more recent than can be
      explained.

    - Sometimes a hacker with a puerile imagination will flaunt the fact
      he or she has violated a system.  An obnoxious message may appear,
      or the system may make irritating noises.

7.2 What to do if you suspect trouble

   The incident should be reported to your network administrator.  For
   home users, report the incident to your Internet Service Provider.
   They will tell you what the next step should be.

   If you suspect that your home computer has a virus, that a malicious
   program has been run, or that a system has been broken into, the
   wisest course of action is to first disconnect the system from all
   networks.  If available, virus detection or system auditing software
   should be used.

   If it becomes clear that a home system has been attacked it is time
   to clean up.  Ideally, a system should be built back up from scratch.
   This means erasing everything on the hard disk.  Then you install the
   operating system and then all additional software the system needs.
   It is best to install the operating system and additional software
   from the original distribution diskettes or CD-ROMs, rather than from
   backup storage.  The reason for this is that a system may have been
   broken into some time ago, so the backed up system or program files
   may already include some altered files or viruses.  Restoring a
   system from scratch is tedious but worthwhile.  Do not forget to
   re-install all security related fixes you had installed before the
   security incident.  Obtain these from a verified, trustworthy
   source.

7.3 How to prepare for the worst in advance

    - Read all user documentation carefully.  Make sure that it is clear
      when services are being run on your computer.  If network services
      are activated, make sure they are properly configured (set all
      permissions so as to prevent anonymous or guest logins, and so
      on).  Increasingly, many programs have networking capabilities
      built in to them.  Learn how to properly configure and safely use
      these features.

    - Back up user data.  This is always important.  Backups are
      normally thought of as a way of ensuring you will not lose your
      work if a hard disk fails or if you make a mistake and delete a
      file.  Backing up is also critical to ensure that data cannot be
      lost due to a computer security incident.  One of the most vicious
      and unfortunately common threats posed by computer viruses and
      Trojan Horse programs is erasing a computer's hard disk.

    - Obtain virus checking software or security auditing tools. Learn
      how to use them and install them before connecting to a public
      network.  Many security tools require that they are run on a
      "clean" system, so they can compare the present state to the
      pristine one.  Thus, it is necessary to do some work ahead of
      time.

    - Upgrade networking software regularly.  As new versions of
      programs come out, it is prudent to upgrade.  Security
      vulnerabilities will likely have been fixed.  The longer you wait
      to do this, the greater the risk that security vulnerabilities of
      the products will be well known and some network assailant will
      exploit them.  Keep up to date!
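
   The virus detection and auditing tools mentioned in sections 5.10,
   7.1 and 7.3 share one idea: record the state of a known-clean system
   and compare against it later.  The following is an added example of
   that idea in POSIX shell, not a tool from this handbook; it assumes
   GNU sha256sum is installed and that the baseline file is kept outside
   the tree it describes, ideally on read-only media.

```shell
#!/bin/sh
# Added example, not from the handbook: a minimal file-integrity check of the
# kind the "security auditing tools" above perform.  Assumes GNU sha256sum.
# The baseline must be made on a clean system and stored OUTSIDE the tree it
# describes (ideally on read-only media), or an intruder can rewrite it too.

# make_baseline DIR OUT
#   Record "hash  path" for every regular file under DIR, sorted by path.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$2"
}

# hash_of PATH FILE
#   Print the recorded hash for PATH from a "hash  path" FILE (empty if
#   absent).  sha256sum lines are 64 hex digits, two spaces, then the path,
#   so the path starts at column 67; comparing it whole avoids prefix matches.
hash_of() {
    awk -v p="$1" 'substr($0, 67) == p { print $1 }' "$2"
}

# check_baseline DIR BASELINE
#   Rehash DIR now and report MODIFIED / MISSING / NEW files relative to
#   BASELINE, one per line.  Returns 0 only when nothing has changed.
check_baseline() {
    dir=$1; base=$2; rc=0
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    # Pass 1: every file in the baseline must still exist with the same hash.
    while IFS= read -r line; do
        old=${line%%  *}; path=${line#*  }
        now=$(hash_of "$path" "$cur")
        if [ -z "$now" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$now" != "$old" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        fi
    done < "$base"
    # Pass 2: anything present now that the baseline never saw is NEW.
    while IFS= read -r line; do
        path=${line#*  }
        [ -n "$(hash_of "$path" "$base")" ] || { printf 'NEW      %s\n' "$path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return "$rc"
}
```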

8.  Home Alone

   A home system can be broken into over the Internet if a home user is
   unwary.  The files on the home system can be stolen, altered or
   destroyed.  The system itself could be accessed again some time in
   the future, if it has been compromised.  This section describes
   issues and makes recommendations relevant to a home user of the
   Internet.

8.1 How to pick an Internet Service Provider

   There are basically two ways to use the Internet: with an online
   dial-in service, and with a direct connection to the Internet.  In
   the former case, the work is done on a remote system; the home
   computer is merely a terminal.  In the latter case, the home system
   is interacting directly with remote systems on the network.  You
   should ascertain which type of account you have from your service
   provider.  Each one has its own security implications for the home
   user.

   Examples of an online dial-in service would be a BBS or a dial-in
   UNIX system which allows terminal access only.  The BBS or UNIX
   system may be directly connected to the Internet and provide services
   to a community, such as Email, USENET news, chatting forums, file
   downloading or even text-based World Wide Web access.  In this case,
   privacy and downloading issues are important, but the home system is
   effectively unable to directly connect to the Internet.  This means
   that the home system can't run network services, so this serious
   class of problems simply cannot arise.  Still, it is wise to find out
   what the service provider or sysop recommends for safe storage of
   files.  For example: many UNIX shell accounts provide a method for
   users to publish web pages.  It is important to understand how to
   adjust the file permissions of files in your home directory, in this
   case, to prevent others from being able to access all of your data.

   A home system which uses PPP or SLIP to directly connect to the
   Internet is increasingly common.  These systems are at the greatest
   risk if they run certain kinds of programs called "services."  If you
   run a service you are in effect making your computer available to
   others across the network.  Some services include:

    - File servers (an NFS server, a PC with 'file sharing' turned on)
    - An FTP server
    - A Web server

   If you want to run services on your system, see the section "Beware
   of Daemons" below.

   The single most important question to ask your service provider is:
   "What stands between me and the Internet?"

   Some connections to the Internet are direct, others are made behind
   various protective barriers.  In simplest terms, these mechanisms
   prevent anyone from the outside of a trusted network from sending
   messages into the trusted network.  The 'firewall' is usually set up
   so as to allow some information to pass in, such as Email. Users on
   the inside of the trusted network can initiate connections to other
   computers outside of the protective barriers.  If a barrier has been
   set up, the most important things to learn as a user are:

    - What protection does this afford?
    - What inconveniences does it entail?

   Be sure that you use file protections properly if you store files
   remotely (say you have a web site maintained by your Internet Service
   Provider.)  See "File Protections."
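
   One way to do what the paragraph above and the note on shell accounts
   in 8.1 describe: an added example, not from this handbook, that makes
   a UNIX shell-account home directory private while leaving a
   web-publishing directory readable by the web server.  It assumes the
   published directory is called public_html (your provider's name may
   differ) and a home path without shell pattern characters.

```shell
#!/bin/sh
# Added example, not from the handbook.  Assumes the provider serves pages
# from ~/public_html (check with your sysop) and a home path free of shell
# pattern characters (it is used in a find -path test).

# lock_down_home HOME [PUBDIR]
#   Everything outside PUBDIR becomes owner-only.  HOME itself is left
#   traversable (x) but not listable (r) by others, which is all a web
#   server needs to reach PUBDIR; inside PUBDIR, directories are 755 and
#   files 644 so pages are readable but nobody else can change them.
lock_down_home() {
    home=$1; pub=${2:-public_html}
    find "$home" -path "$home/$pub" -prune -o -exec chmod go-rwx {} +
    chmod 711 "$home"
    if [ -d "$home/$pub" ]; then
        find "$home/$pub" -type d -exec chmod 755 {} +
        find "$home/$pub" -type f -exec chmod 644 {} +
    fi
}

# audit_home HOME [PUBDIR]
#   List anything outside PUBDIR that group or others can read, plus
#   anything anywhere that others can write.  Succeeds only if the list is
#   empty, so it can be run periodically as a check.
audit_home() {
    home=$1; pub=${2:-public_html}
    leaks=$( { find "$home" -path "$home/$pub" -prune -o \
                    \( -perm -g=r -o -perm -o=r \) -print
               find "$home" -perm -o=w -print; } | LC_ALL=C sort -u )
    [ -z "$leaks" ] || { printf '%s\n' "$leaks"; return 1; }
}
```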

8.2 Beware of Daemons

   There are in general two types of programs which operate on the
   Internet:  servers, which provide such services as HTTP (World Wide
   Web) and DNS (Domain Name Service), and clients, such as web
   browsers.

   Most software which runs on home systems is of the client variety;
   but, increasingly, server software is available on traditionally
   client platforms (e.g., PCs).  Server software which runs in the
   background is referred to as a "daemon" (pronounced dee-mon).  Many
   of the program names of Internet daemons end in `d', like "inetd"
   (Internet Daemon) and "talkd" (Talk Daemon).  These programs wait for
   clients to request some particular service from across the network.

   There are four very important things to keep in mind as far as the
   security implications of running services on a home computer are
   concerned.  First and most important,

    - If a server is not properly configured it is very vulnerable to
      attack over a network.  It is vital, if you run services, to
      become familiar with how to properly configure them.  This is not
      easy, and may require training or technical expertise.

    - All software has flaws, and flaws exploited deviously can be used
      to breach computer security.  If you run a server on your home
      machine you have to stay aware.  This requires work:  You have to
      stay in touch with the supplier of the software to get security
      updates.  It is highly recommended that you keep up with security
      through on-line security forums.  See [SSH] for a list of
      references.

      If security flaws in your server software are discovered you will
      need to either stop using the software or apply "patches" or
      "fixes" which eliminate the vulnerability.  The supplier of the
      software, if it is a decent company or freeware author, will
      supply information and updates to correct security flaws.  These
      "patches" or "fixes" must be installed.

    - As a rule of thumb, the older the software, the greater the chance
      it has known vulnerabilities.  This is not to say you should
      simply trust brand new software either!  Frequently it takes time
      to discover even obvious security flaws in servers.

    - Some servers start up without any warning.  There have been Web
      Browsers and telnet clients in common use which automatically
      start FTP servers if not explicitly configured to not do so.  If
      these servers are not themselves properly configured, the entire
      file system of the home computer can become available to anyone on
      the Internet.

   In general, any software MAY start up a network daemon.  The way to
   be safe here is to know the products you are using.  Read the manual,
   and if any questions arise, call the company or mail the author of
   free software to find out if you are actually running a service by
   using the product.

   A very serious risk for home users is running a remote login service
   on their home machine.  This allows them to log in to their home
   machine from other computers on the Internet.  This can be quite
   convenient.  The danger is that someone will secretly observe the
   login and be able to masquerade as the user whenever they choose in
   the future.  See "The Wires Have Ears", which suggests precautions to
   take for remote log in.


References

   [SSH]   Fraser, Barbara, ed., "Site Security Handbook," RFC ??? (FYI
           8), June, 1996.


Security Considerations

   This document discusses what computer users can do to improve
   security on their systems.


Editor's Address

   Gary Scott Malkin
   Bay Networks
   8 Federal Street
   Billerica, MA 01821

   Phone:  (508) 916-4237
   EMail:  gmalkin@baynetworks.com


   Erik Guttman
   Sun Microsystems
   Bahnstr. 2
   74915 Waibstadt Germany

   Phone: +49 6221 601649
   Email: eguttman@eng.sun.com