draft-ietf-ssh-users-07.txt Erik Guttman / Sun Microsystems
Lorna Forey/ COLT Internet
G. Malkin / Bay Networks
July 30, 1998
Users' Security Handbook
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
(Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
(US West Coast).
Abstract
The Users' Security Handbook is the companion to the Site Security
Handbook (SSH). It is intended to provide users with the information
they need to keep their networks and systems secure.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 1]
Internet Draft Users' Security Handbook July 1998
Table of Contents
Part One: Introduction. . . . . . . . . . . . . . . . . . 3
1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 3
Part Two: Users in a centrally-administered network . . . 4
3. Watch out! . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. The Dangers of Downloading . . . . . . . . . . . . . . 5
3.2. Don't get caught in the Web . . . . . . . . . . . . . . 5
3.3. Email Pitfalls . . . . . . . . . . . . . . . . . . . . 6
3.4. Passwords . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. Viruses and Other Illnesses . . . . . . . . . . . . . . 7
3.6. Modems . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. Abandoned Terminals . . . . . . . . . . . . . . . . . . 9
3.8. File Protections . . . . . . . . . . . . . . . . . . . 9
3.9. Encrypt Everything . . . . . . . . . . . . . . . . . . 10
3.10. Shred Everything Else . . . . . . . . . . . . . . . . . 10
3.11. What program is this, anyway? . . . . . . . . . . . . . 11
4. Paranoia is Good . . . . . . . . . . . . . . . . . . . . 11
Part Three: Users self administering a networked computer 13
5. Make your own security policy . . . . . . . . . . . . . . 14
6. Bad Things Happen . . . . . . . . . . . . . . . . . . . . 14
6.1. How to prepare for the worst in advance . . . . . . . . 14
6.2. What to do if you suspect trouble . . . . . . . . . . . 16
6.3. Email . . . . . . . . . . . . . . . . . . . . . . . . . 16
7. Home Alone . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
7.2. Going Places . . . . . . . . . . . . . . . . . . . . . 18
7.3. Secure It! . . . . . . . . . . . . . . . . . . . . . . 19
8. A Final Note . . . . . . . . . . . . . . . . . . . . . . 19
Appendix: Glossary of Security Terms . . . . . . . . . . . . . 20
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 29
References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Security Considerations . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 2]
Internet Draft Users' Security Handbook July 1998
Part One: Introduction
This document is meant to provide guidance to the end users of
computer systems and networks about what they can do to keep their
data and communication private, and their systems and networks
secure. The first part of this document concerns "corporate users"
in small, medium and large corporate and campus sites. The second
part of the document addresses users who administer their own
computers, such as home users.
System and network administrators may wish to use this document as
the foundation of a site-specific users' security guide; however,
they should consult the Site Security Handbook first [RFC2196].
A glossary of terms is included in an appendix at the end of the
document introducing computer network security notions to those not
familiar with them.
1. READ.ME
Before getting connected to the Internet, you should obtain the
security policy of the site that you intend to use as your access
provider, and read it. A security policy is a formal statement of the
rules by which users who are given access to a site's technology and
information assets must abide. As a user, you are obliged to follow
the policy created by the decision makers and administrators at your
site.
A security policy exists to protect a site's hardware, software and
data. It explains what the security goals of the site are, what
users can and cannot do, what to do when problems arise and who to
contact, and generally informs users what the "rules of the game"
are.
2. The Wires have Ears
It is a lot easier to eavesdrop on communications over data networks
than to tap a telephone conversation. Any link between computers may
potentially be insecure, as can any of the computers through which
data flows. All information passing over networks may be
eavesdropped on, even if you think "No one will care about this..."
Information passing over a network may be read not only by the
intended audience but can be read by others as well. This can happen
to personal Email and sensitive information that is accessed via file
transfer or the Web. Please refer to the "Web Browsing Safely" and
"Email Pitfalls" sections for specific information on protecting your
privacy.
As a user, your utmost concerns should, firstly, be to protect
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 3]
Internet Draft Users' Security Handbook July 1998
yourself against misuse of your computer account(s) and secondly, to
protect your privacy.
Unless precautions are taken, every time you log in over a network,
to any network service, your password or confidential information may
be stolen. It may then be used to gain illicit access to systems you
have access to. In some cases the consequences are obvious: If
someone gains access to your bank account, you might find yourself
losing some cash, quickly. What is not so obvious is that services
which are not financial in nature may also be abused in rather costly
ways. You may be held responsible if your account is misused by
someone else!
Many network services involve remote log in. A user is prompted for
his or her account ID and password. If this information is sent
through the network without encryption, the message can be
intercepted and read by others. This is not really an issue when you
are logging in to a "dial-in" service where you make a connection via
telephone and log in, say to an online service provider, as telephone
lines are more difficult to eavesdrop on than internet
communications.
The risk is there when you are using programs to log in over a
network. Many popular programs used to log in to services or to
transfer files (such as telnet and ftp, respectively) send your name
and password and then your data over the network without encrypting
them.
The precaution commonly taken against password eavesdropping by
larger institutions, such as corporations, is to use one-time
password systems. Until recently this has been far too complicated
and expensive for home systems and small businesses. However, an
increasing number of products allow this to be done without fancy
hardware, using cryptographic techniques. An example of such a
technique is Secure Shell [SSH], which is both freely and
commercially available for a variety of platforms. Many products
(including SSH-based ones) also allow data to be encrypted before it
is passed over the network.
Part Two: End users in a centrally administered network
The following rules of thumb provide a summary of the most important
pieces of advice discussed in Part Two of this document:
- Know who your security point-of-contact is.
- Keep passwords secret.
- Use a password-locked screensaver or log out when you leave your
desk.
- Don't let just anyone have physical access to your computer or
your network.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 4]
Internet Draft Users' Security Handbook July 1998
- Be aware what software you run and very wary of software of
unknown origin. Think hard before you execute downloaded
software.
- Do not panic. Consult your security point-of-contact if possible
before spreading alarm.
- Report security problems as soon as possible to your security
point-of-contact.
3. Watch out!
3.1. The Dangers of Downloading
An ever expanding wealth of free software has become available on the
Internet. While this exciting development is one of the most
attractive aspects of using public networks, you should also exercise
caution. Some files may be dangerous. Downloading poses the single
greatest risk.
Be careful to store all downloaded files so that you will remember
their (possibly dubious) origin. Do not, for example, mistake a
downloaded program for a common program just because they have the
same name!
Programs can use the network without making you aware of it. One
thing to keep in mind is that if a computer is connected, any program
has the capability of using the network, with or without informing
you. Say for example:
You download a game program from an anonymous file server. This
appears to be a shoot-em-up game, but unbeknownst to you, it
transfers all your files, one by one, over the Internet to a
cracker's machine!
Many corporate environments explicitly prohibit the downloading and
running of software from the Internet.
3.2. Web Browsing Safety
The greatest risk when web browsing is downloading files. Web
browsers allow any file to be retrieved from the Internet. See "The
Dangers of Downloading."
Web browsers are downloading files even when it is not entirely
obvious. Thus, the risk posed by downloading files may be present
even if you do not actively go out and retrieve files overtly. Any
file which you have loaded over the network should be considered
possibly dangerous (even files in the web browser's cache.) Do not
execute them by accident, as they may be malicious programs.
(Remember, programs are files, too. You may believe you have
downloaded a text file, when in fact it was a Trojan Horse program,
script, etc.)
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 5]
Internet Draft Users' Security Handbook July 1998
Web browsers may download and execute programs on your behalf. You
may disable these features. If you leave them enabled, be sure that
you understand the consequences. You should read the security guide
which accompanies your web browser as well as the security policy of
your company. You should be aware that downloaded programs may be
quite risky to execute on your machine. (See "What program is this,
anyway?").
Web pages often include forms. Be aware that, as with Email, data
sent from a web browser to a web server is not secure. Several
mechanisms have been created to prevent this, most notably Secure
Sockets Layer [SSL]. This facility has been built into many web
browsers. It encrypts messages which are sent between the user's web
browser to the web server so no one along the way can read it.
3.3 Email Pitfalls
All the normal concerns apply to messages received via Email that you
could receive any other way. For example, the sender may not be who
he or she claims to be. If Email security software is not used, it
is very difficult to determine for sure who sent a message. This
means that Email is a not a suitable way to conduct many types of
business. It is very easy to forge an Email message, so that it
appears to come from anyone.
Another security issue you should consider when using Email is
privacy. Email passes through the Internet from computer to
computer. As the message moves between computers, and indeed as it
sits in a user's mailbox waiting to be read, it is potentially
visible to others. For this reason, it is wise to think twice before
sending confidential or extremely personal information via Email.
You should never send credit card numbers and other sensitive data
via unprotected Email. Please refer to "The Wires Have Ears."
To cope with this problem, there are privacy programs available, some
of which are integrated in with Email packages.
One service many Email users like to use is Email forwarding. This
should be used very cautiously. Imagine the following scenario:
A user has an account with a private Internet Service Provider and
wishes to receive all her mail there. She sets it up so that her
Email at work is forwarded to her private address. All the mail
she would receive at work then moves across the Internet until it
reaches her private account. All along the way, the Email is
vulnerable to being read. A sensitive Email message sent to her
at work could be read by a network snoop at any of the many stops
along the way the Email takes.
Note that Email sent or received at work may not be private. Check
with your employer, as employers may (in some instances) legally both
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 6]
Internet Draft Users' Security Handbook July 1998
read your mail and make use of it. The legal status of Email depends
on the privacy of information laws in force in each country.
Many mail programs allow files to be included in mail messages. The
files which come by mail are files like any other. Any way in which
a file can find its way onto a computer is possibly dangerous. If
the attached file is merely a text message, fine. But it may be more
than a text message. If the attached file is itself a program or an
executable script, extreme caution should be applied before running
it. See the section entitled "The Dangers of Downloading."
3.4 Passwords
Passwords may be easily guessed by an intruder unless precautions are
taken. Your password should contain a mix of numbers, punctuation,
and upper and lower case letters. Avoid all real words in any
language or combinations of words, license plate numbers, names and
so on. The best password is a made up sequence (e.g., an acronym
from a phrase you won't forget), such as "2B*Rnot2B" (but don't use
this password!)
Resist the temptation to write your password down. If you do, keep
it with you until you remember it, then shred it! NEVER leave a
password taped onto a terminal or written on a whiteboard. You
wouldn't write your PIN code on your automated teller machine (ATM)
card, would you? You should have different passwords for different
accounts, but not so many passwords that you can't remember them.
You should change your passwords periodically.
You should also NEVER save passwords in scripts or login procedures
as these could be used by anyone who has access to your machine.
Be certain that you are really logging into your system. Just
because a login prompt appears and asks you for your password does
not mean you should enter it. Avoid unusual login prompts and
immediately report them to your security point-of-contact. If you
notice anything strange upon logging in, change your password.
You should, if possible, use "one time passwords" if you are logging
in over a network, unless precautions have been taken to encrypt your
password when it is sent over the network. (Some applications take
care of that for you.) See "The Wires Have Ears" for more
information on the risks associated with logging in over a network.
3.5 Viruses and Other Illnesses
Viruses are essentially unwanted pieces of software that find their
way into a computer. What the virus may do once it has entered its
host depends on several factors: What has the virus been programmed
to do? What part of the computer system has the virus attacked?
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 7]
Internet Draft Users' Security Handbook July 1998
Some viruses are 'time bombs' which activate only when given a
particular condition, such as reaching a certain date. Others remain
latent in the system unless a particular afflicted program is
activated. There are still others which are continually active,
exploiting every opportunity to do mischief. A subtle virus may
simply modify a system's configuration, then hide.
Be cautious about what software you install on your system. Use
software from "trusted sources" if possible. Check your site policy
before installing any software: Some sites only allow administrators
to install software to avoid security and system maintenance
problems.
Centrally-administered sites have their own policy and tools for use
in countering the threat of viruses. Consult your site policy or ask
your system administrator to find out what the correct procedures are
to stay virus free.
You should report it if a virus detection tool indicates that your
system has a problem. You should notify your site's systems
administrators as well as the person you believe passed the virus to
you. It is important to remain calm. Virus scares may cause more
delay and confusion than an actual virus outbreak. Before announcing
the virus widely, make sure you verify its presence using a virus
detection tool, if possible, with the assistance of technically-
competent personnel.
Trojan Horse programs and worms are often categorized with viruses.
Trojan Horse programs are dealt with in the "What program is this,
anyway?" section. Worms should be considered a type of virus for the
purposes of this section.
3.6 Modems
You should be careful when attaching anything to your computer, and
especially something which allows data to flow. You should get
permission before you connect anything to your computer in a
centrally administered computing environment.
Modems present a special security risk. Many networks are protected
by a set of precautions designed to prevent a frontal assault from
public networks. If your computer is attached to such a network, you
must exercise care when also using a modem. It is quite possible to
use the modem to connect to a remote network while *still* being
connected to the 'secure' net. Your computer can now act as a hole
in your network's defenses. Unauthorized users may be able to get
onto your organization's network through your computer!
Be sure you know what you are doing if you leave a modem on and set
up your computer to allow remote computers to dial in. Be sure you
use all available security features correctly. Many modems answer
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 8]
Internet Draft Users' Security Handbook July 1998
calls by default. You should turn auto-answer off unless you are
prepared to have your computer respond to callers. Some 'remote
access' software requires this. Be sure to turn on all the security
features of your 'remote access' software before allowing your
computer to be accessed by phone.
Note that having an unlisted number will not protect you from someone
breaking into your computer via a phone line. It is very easy to
probe many phone lines to detect modems and then launch attacks.
3.7 Don't leave me...
Do not leave a terminal or computer logged in and walk away. Use
password-locked screensavers whenever possible. These can be set up
so that they activate after the computer has been idle for a while.
Sinister as it may seem, someone coming around to erase your work is
not uncommon. If you remained logged in, anyone can come by and
perform mischief for which you may be held accountable. For example,
imagine the troubles you could be in for if nasty Email were sent to
the president of your company in your name, or your account were used
to transfer illegal pornography.
Anyone who can gain physical access to your computer almost certainly
can break into it. Therefore, be cautions regarding who you allow
access to your machine. If physically securing your machine is not
possible, it is wise to encrypt your data files kept on your local
hard disk. If possible, it is also wise to lock the door to one's
office where the computer is stored.
3.8 File Protections
Data files and directories on shared systems or networked file
systems require care and maintenance. There are two categories of
such systems:
- Files to share
Shared files may be visible to everyone or to a restricted group
of other users. Each system has a different way of specifying
this. Learn how to control sharing permissions of files and
implement such control without fail.
- Protected files
These include files which only you should have access to, but
which are available to anyone with system administrator
privileges. An example of this are files associated with the
delivery of Email. You don't want other users to read your Email,
so make sure such files have all the necessary file permissions
set accordingly.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 9]
Internet Draft Users' Security Handbook July 1998
3.9 Encrypt Everything
Additionally, there are files that are private. You may have files
which you do not wish anyone else to have access to. In this case,
it is prudent to encrypt the file. This way, even if your network is
broken into or the systems administrator turns into Mr. Hyde, your
confidential information will not be available. Encryption is also
very important if you share a computer. A home computer may be used
for preparing taxes and also for playing computer games by children.
By backing up the data and using encryption, this kind of shared use
may be done safely.
Before you encrypt files you should check with your site's security
policy. Some employers and countries expressly forbid the storing
and/or transferring of encrypted files.
Be careful with the passwords or keys you use to encrypt files.
Locking them away safely not only helps to keep them from prying eyes
but it will help you keep them secure too; for if you lose them, you
will lose your ability to decrypt your data as well! It may be wise
to save more than one copy. This may even be required, if your
company has a key escrow policy, for example. This protects against
the possibility that the only person knowing a pass phrase may leave
the company or be struck by lightning.
Whilst encryption programs are readily available, it should be noted
that the quality can vary widely. PGP (which stands for "Pretty Good
Privacy") for example, offers a strong encryption capability. Many
common software applications include the capability to encrypt data.
The encryption facilities in these are typically very weak.
You should not be intimidated by encryption software. Easy to use
software is being made available.
3.10 Shred Everything Else
You would be surprised what gets thrown away in the wast paper
basket: notes from meetings, old schedules, internal phone lists,
computer program listings, correspondence with customers, even market
analyses. All of these would be very valuable to competitors,
recruiters and even an overzealous (hungry?) journalist looking for a
scoop. The threat of dumpster diving is real - take it seriously!
Shred all potentially useful documents before discarding them.
You should also be aware that deleting a file does not erase it in
many cases. The only way to be sure that an old hard disk does not
contain valuable data may be to reformat it.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 10]
Internet Draft Users' Security Handbook July 1998
3.11 What Program is this, anyway?
Programs have become much more complex in recent years. They are
often extensible in ways which may be dangerous. These extensions
make applications more flexible, powerful and customizable. They
also open the end-user up to all sorts of risks.
- A program may have "plug-in" modules. You should not trust the
plug-ins simply because you are used to trusting the programs they
plug into. For example: Some web pages suggest that the user
download a plug-in to view or use some portion of the web page's
content. Consider: What is this plug-in? Who wrote it? Is it
safe to include it in your web browser?
- Some files are "compound documents." This means that instead of
using one single program, it will be necessary to run several
programs in order to view or edit a document. Again, be careful
of downloading application components. Just because they
integrate with products which are well-known does not mean that
they can be trusted. Say you receive a mail message which can
only be read if you download a special component. This component
could be a nasty program which reformats your hard drive!
- Some programs are downloaded automatically when accessing web
pages. While there are some safeguards to make sure that these
programs may be used safely, there have been security flaws
discovered in the past. For this reason, some centrally-
administered sites request that certain web browser capabilities
be turned off.
4. Paranoia is Good
Many people do not realise it but social engineering is a tool which
many intruders use to gain access to computer systems. The general
impression that people have of computer break-ins is that they are
the result of technical flaws in computer systems which the intruders
have exploited. People also tend to think that break-ins are purely
technical. However, the truth is that social engineering plays a big
part in helping an attacker slip through security barriers. This
often proves to be an easy stepping stone onto the protected system
if the attacker has no authorized access to the system at all.
Social engineering may be defined, in this context, as the act of
gaining the trust of legitimate computer users to the point where
they reveal system secrets or help someone, unintentionally, to gain
unauthorized access to their system. Using social engineering, an
attacker may gain valuable information and/or assistance that could
help break through security barriers with ease. Skillful social
engineers can appear to be genuine but are really full of deceit.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 11]
Internet Draft Users' Security Handbook July 1998
Most of the time, attackers using social enginering work via
telephone. This not only provides a shield for the attacker by
protecting his or her identity, it also makes the job easier because
the attacker can claim to be a particular someone with more chances
of getting away with it.
There are several types of social engineering. Here are a few
examples of the more commonly used ones:
- An attacker may pretend to be a legitimate end-user who is new to
the system or is simply not very good with computers. This
attacker may approach systems administrators and other end-users
for help. This "user" may have lost his password, or simply can't
get logged into the system and needs to access the system
urgently. Attackers have also been known to identify themselves
as some VIP in the company, screaming at administrators to get
what they want. In such cases, the administrator (or it could be
an end-user) may feel threatened by the caller's authority and
give in to the demands.
- Attackers who operate via telephone calls may never even have seen
the screen display on your system before. In such cases, the
trick attackers use is to make details vague, and get the user to
reveal more information on the system. The attacker may sound
really lost so as to make the user feel that he is helping a
damsel in distress. Often, this makes people go way out their way
to help. The user may then reveal secrets when he is off-guard.
- An attacker may also take advantage of system problems that have
come to his attention. Offering help to a user is an effective
way to gain the user's trust. A user who is frustrated with
problems he is facing will be more than happy when someone comes
to offer some help. The attacker may come disguised as the
systems administrator or maintenance technician. This attacker
will often gain valuable information because the user thinks that
it is alright to reveal secrets to technicians. Site visits may
pose a greater risk to the attacker as he may not be able to make
an easy and quick get-away, but the risk may bring fruitful
returns if the attacker is allowed direct access to the system by
the naive user.
- Sometimes attackers can gain access into a system without prior
knowledge of any system secret nor terminal access. In the same
way that one should not carry someone else's bags through Customs,
no user should key in commands on someone's behalf. Beware of
attackers who use users as their own remotely-controlled fingers
to type commands on the user's keyboard that the user does not
understand, commands which may harm the system. These attackers
will exploit system software bugs and loopholes even without
direct access to the system. The commands keyed in by the end-
user may bring harm to the system, open his own account up for
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 12]
Internet Draft Users' Security Handbook July 1998
access to the attacker or create a hole to allow the attacker
entry (at some later time) into the system. If you are not sure
of the commands you have been asked to key in, do not simply
follow instructions. You never know what and where these could
lead to...
To guard against becoming a victim of social engineering, one
important thing to remember is that passwords are secret. A password
for your personal account should be known ONLY to you. The systems
administrators who need to do something to your account will not
require your password. As administrators, the privileges they have
will allow them to carry out work on your account without the need
for you to reveal your password. An administrator should not have to
ask you for your password.
Most maintenance work will require special privileges which end-users
are not given. Users should guard the use of their accounts, and
keep them for their own use. Accounts should not be shared, not even
temporarily with a maintenance staff or administrator. Systems
administrators will have their own accounts to work with and will not
need to access a system via an end-user's account.
Systems maintenance technicians who come on site should be
accompanied by the local site administrator (who should be known to
you). If the site administrator is not familiar to you, or if the
technician comes alone, it is wise to give a call to your known site
administrator to check if the technician should be there. Yet many
people will not do this because it makes them look paranoid and it is
embarrassing to show that they have no, or little trust in these
visitors.
Unless you are very sure that the person you are speaking to is who
he or she claims to be, no secret information should ever be revealed
to such people. Sometimes, attackers may even be good enough to make
themselves sound like someone whose voice you know over the phone.
It is always good to double check the identity of the person. If you
are unable to do so, the wisest thing to do is not to reveal any
secrets. If you are a systems administrator, there should be
security procedures for assignment and reassignment of passwords to
users, and you should follow such procedures. If you are an end-
user, there should not be any need for you to have to reveal system
secrets to anyone else. Some companies assign a common account to
multiple users. If you happen to be in such a group, make sure you
know everyone in that group so you can tell if someone who claims to
be in the group is genuine.
Part Three: End users self administering a networked computer
The home user or the user who administers his own network has many of
the same concerns as a centrally-administered user. The following is
a summary of additional advice given in Part Three:
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 13]
Internet Draft Users' Security Handbook July 1998
- Read manuals to learn how to turn on security features, then turn
them on.
- Consider how private your data and Email need to be. Have you
invested in privacy software and learned how to use it yet?
- Prepare for the worst in advance.
- Keep yourself informed about what the newest threats are.
5. Make your own security policy
You should decide ahead of time what risks are acceptable and then
stick to this decision. It may be wise to simply avoid downloading
any software from the network which comes from an unknown source to a
computer storing business records, other valuable data and data which
is potentially damaging if the information was lost or stolen.
If the machine has a mixed purpose, say recreation, correspondence
and some home accounting, perhaps you will hazard some downloading of
shareware applications. You take some risk of acquiring software
which is not exactly what it seems to be.
It may be worthwhile installing privacy software on a computer if it
is shared by multiple users. That way, a friend of a roommate won't
have access to your private data, and so on.
6. Bad Things Happen
If you notice that your files have been modified or ascertain somehow
that your account has been used without your consent, you should
inform your security point-of-contact immediately. In many cases you
will not know who your security point-of-contact is: Try calling
your Internet service provider's help desk as a first step.
6.1 How to prepare for the worst in advance
- Read all user documentation carefully. Make sure that it is clear
when services are being run on your computer. If network services
are activated, make sure they are properly configured (set all
permissions so as to prevent anonymous or guest logins, and so
on). Increasingly, many programs have networking capabilities
built in to them. Learn how to properly configure and safely use
these features.
- Back up user data. This is always important. Backups are
normally thought of as a way of ensuring you will not lose your
work if a hard disk fails or if you make a mistake and delete a
file. Backing up is also critical to insure that data cannot be
lost due to a computer security incident. One of the most vicious
and unfortunately common threats posed by computer viruses and
Trojan Horse programs is erasing a computer's hard disk.
- Obtain virus checking software or security auditing tools. Learn
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 14]
Internet Draft Users' Security Handbook July 1998
how to use them and install them before connecting to a public
network. Many security tools require that they be run on a
"clean" system, so that comparisons can be made between the
present and pristene states. Thus, it is necessary for some work
to be done ahead of time.
- Upgrade networking software regularly. As new versions of
programs come out, it is prudent to upgrade. Security
vulnerabilities will likely have been fixed. The longer you wait
to do this, the greater the risk that security vulnerabilities of
the products will be become known and be exploited by some network
assailant. Keep up to date!
- Find out whom to contact if you suspect trouble. Does your
Internet Service Provider have a security contact or Help Desk?
Investigate this before trouble happens so you won't lose time
trying to figure it out should trouble occur. Keep the contact
information both online and offline for easy retrieval.
There are 3 ways to avoid problems with viruses:
1. Don't be promiscuous
If at all possible, be cautious about what software you install on
your system. If you are unaware of or unsure of the origin of a
program, it is wise not to run it. Do not execute programs or
reboot using old diskettes unless you have reformatted them,
especially if the old diskettes have been used to bring software
home from a trade show, and other potentially security-vunlerable
places.
Nearly all risk of getting infected by viruses can be eliminated
if you are extremely cautious about what files are stored on your
computer. See "The Dangers of Downloading" for more details.
2. Scan regularly.
Give your computer a regular check-up. There are excellent
virus-checking and security audit tools for most computer
platforms available today. Use them, and if possible, set them to
run automatically and regularly.
3. Notice the unusual.
It's not true that a difference you cannot detect is no difference
at all, but it is a good rule of thumb. You should get used to
the way your system works. If there is an unexplainable change
(for instance, files you believe should exist are gone, or strange
new files are appearing and disk space is 'vanishing'), you should
check for the presense of viruses.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 15]
Internet Draft Users' Security Handbook July 1998
The best way to avoid problems with viruses is to keep important
files backed up. This way, if worse comes to worse, you can always
restore your system to its state before it was afflicted.
You should take some time to be familiar with computer virus
detection tools available for your type of computer. You should use
an up-to-date tool (i.e. not older than three months). It is very
important to test your computer if you have been using freeware,
other peoples' used floppy disks to transfer files, and so on.
6.2 What to do if you suspect trouble
If you suspect that your home computer has a virus, that a malicious
program has been run, or that a system has been broken into, the
wisest course of action is to first disconnect the system from all
networks. If available, virus detection or system auditing software
should be used.
Checking vital system files for corruption, tampering or malicious
replacement is very tedious work to do by hand. Fortunately there
are many virus detection programs available for PCs and Macintosh
computers. There are security auditing programs available for UNIX-
based computers. If software is downloaded from the network, it is
wise to run virus detection or auditing tools regularly.
If it becomes clear that a home system has been attacked it is time
to clean up. Ideally, a system should be rebuilt scratch. This
means erasing everything on the hard disk. Next, install the
operating system and then all additional software the system needs.
It is best to install the operating system and additional software
from the original distribution diskettes or CD-roms, rather than from
backup storage. The reason for this is that a system may have been
broken into some time ago, so the backed up system or program files
may already include some altered files or viruses. Restoring a
system from scratch is tedious but worthwhile. Do not forget to re-
install all security related fixes you had installed before the
security incident. Obtain these from a verified, unsuspicious
source.
6.3 Email
Remember to be careful with saved mail. Copies of sent or received
mail (or indeed any file at all) placed in storage provided by an
Internet service provider may be vulnerable. The risk is that
someone might break into the account and read the old mail. Keep
your mail files, indeed any sensitive files, on your home machine.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 16]
Internet Draft Users' Security Handbook July 1998
7. Home Alone
A home system can be broken into over the Internet if a home user is
unwary. The files on the home system can be stolen, altered or
destroyed. The system itself, if compromised, could be accessed
again some time in the future. This section describes issues and
makes recommendations relevant to a home user of the Internet.
7.1 Beware of Daemons
A home system which uses PPP to connect directly to the Internet is
increasingly common. These systems are at the greatest risk if they
run certain kinds of programs called "services." If you run a
service, you are in effect making your computer available to others
across the network. Some services include:
- File servers (an NFS server, a PC with 'file sharing' turned on)
- An FTP server
- A Web server
There are, in general, two types of programs which operate on the
Internet: Clients (like web browsers and Email programs) and Servers
(like web servers and mail servers).
Most software which runs on home systems is of the client variety;
but, increasingly, server software is available on traditionally
client platforms (e.g., PCs). Server software which runs in the
background is referred to as a "daemon" (pronounced dee-mon). Many
Internet server software programs that run as daemons have names that
end in `d', like "inetd" (Internet Daemon) and "talkd" (Talk Daemon).
When set to run, these programs wait for clients to request some
particular service from across the network.
There are four very important things to keep in mind as far as the
security implications of running services on a home computer are
concerned. First and most important,
- If a server is not properly configured, it is very vulnerable to
being attacked over a network. It is vital, if you run services,
to be familiar with the proper configuration. This is often not
easy, and may require training or technical expertise.
- All software has flaws, and flaws exploited deviously can be used
to breach computer security. If you run a server on your home
machine you have to stay aware. This requires work: You have to
stay in touch with the supplier of the software to get security
updates. It is highly recommended that you keep up with security
issues through on-line security forums. See [SSH] for a list of
references.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 17]
Internet Draft Users' Security Handbook July 1998
If security flaws in your server software are discovered, you will
need to either stop using the software or apply "patches" or
"fixes" which eliminate the vulnerability. The supplier of the
software, if it is a decent company or freeware author, will
supply information and updates to correct security flaws. These
"patches" or "fixes" must be installed as soon as possible.
- As a rule of thumb, the older the software, the greater the chance
that it has known vulnerabilities. This is not to say you should
simply trust brand new software either! Often it takes time to
discover even obvious security flaws in servers.
- Some servers start up without any warning. There have been web
browsers and telnet clients in common use which automatically
start FTP servers if not explicitly configured to not do so. If
these servers are not themselves properly configured, the entire
file system of the home computer can become available to anyone on
the Internet.
In general, any software MAY start up a network daemon. The way to
be safe here is to know the products you are using. Read the manual,
and if any questions arise, call the company or mail the author of
free software to find out if you are actually running a service by
using the product.
A home user running a remote login service on his home machine faces
very serious risks. This service allows the home user to log in to
his home machine from other computers on the Internet and can be
quite convenient. But the danger is that someone will secretly
observe the logging in and then be able to masquerade as the user
whenever they choose to do so in the future. See "The Wires Have
Ears" which suggests precautions to take for remote log in.
If possible, activate all "logging" options in your server software
which relate to security. You need to review these logs regularly in
order to gain any benefit from this logging. You should also be
aware that logs often grow very quickly in size, so you need to be
careful they don't fill up your hard disk!
7.2 Going Places
Remote logins allow a user privileged access onto a physically remote
system from the comfort of his own home.
More and more companies are offering their employees the ability to
work from home with access to their computer accounts through dial-up
connections. As the convenience of Internet connectivity has led to
lowered costs and wide-spread availability, companies may allow
remote login to their systems via the Internet. Customers of
companies with Internet access may also be provided with remote login
accounts. These companies include Internet service providers, and
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 18]
Internet Draft Users' Security Handbook July 1998
even banks. Users should be very careful when making remote logins.
As discussed in "The Wires have Ears" section, Internet connections
can be eavesdropped on. If you intend to use a remote login service,
check that the connection can be done securely, and make sure that
you use the secure technologies/features.
Connections may be secured using technologies like one-time
passwords, secure shell (SSH) and Secure Sockets Layer (SSL). One-
time passwords make a sniffed password useless to the intruder, while
secure shell encrypts data sent over the connection. Please refer to
"Web Browsing Safely" for a discussion on SSL. Secure services such
as these have to be made available on the systems to which you log in
remotely.
7.3 Secure It!
Administering your own home computer means you get to choose what
software is run on it. Encryption software provides protection for
data. If you keep business records and other sensitive data on your
computer, encryption will help to keep it safe. For example, if you
ran a network service from your home computer and missed setting
restrictions on a private directory, a remote user (authorised or
not) may gain access to files in this private directory. If the
files are encrypted, the user will not be able to read them. But as
with all forms of encryption running on any system, the keys and
passwords should first be kept safe!
8. A Final Note
This document has provided the reader with an introduction and as
much concise detail as possible. Present security issues go out-of-
date quickly, and although effort has been made to keep discussions
general, examples given may not be relevant in the future as the
Internet and computer industry continue to grow.
Just as home-owners are now taking increased cautions, at the expanse
of convenience, to secure their homes in the changing world we live
in, computer network users should not ignore security. It may be
inconvenient, but it is always better to be safe than sorry.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 19]
Internet Draft Users' Security Handbook July 1998
Appendix: Glossary of Security Terms
Acceptable Use Policy
A set of rules and guidelines that specify in more or less detail
the expectations in regard to appropriate use of systems or
networks.
Client
Depending on the point of view, a client might be a computer
system that serves an end user to access services hosted on
another computer system called server, which are provided for a
larger group of clients. 'Client' might also refer to a program or
a part of a system that is used from an end user to access
services provided by another program (for example, a web browser
is a client which accesses pages provided by a Web Server).
(Computer) Account
This term describes the authorization to access a specific
computer system or network. Each end user has to use an account,
which consists most probably of a combination of user name and
password or another means of proving that the end user is the
person the account is assigned to.
Daemons (inetd, talkd, etc.)
These are processes that run on a computer system and provide
services to other computer systems or processes. Typically they
are considered to be a server.
Dial-in Service
A way of providing access to computer systems or networks via a
telecommunication network. A computer uses a modem to make a
telephone call to a another modem, which in turn provides 'network
access service'. See also: PPP.
Email packages
To communicate via electronic mail, end users usually make use of
an email client that provides the user interface to create, send,
retrieve and read electronic mail. Various different email
packages provides email client with the same set of basic
functionality but have different user interfaces and
functionality. Some Email packages provide encryption and digital
signature capabilities.
End User
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 20]
Internet Draft Users' Security Handbook July 1998
An (human) individual that makes use of computer systems and
networks.
FTP (File Transfer Protocol)
A protocol to transfer files between an FTP client and FTP server.
File Server
A computer system that provides a way of sharing and working on
files stored on the system among users with access to these files
over a network.
File Transfer
> The process of transfering files between two computer systems
over a network, using a protocol such as FTP or HTTP.
Fixes, Patches and installing them
Vendors, in response to the discovery of security vulnerabilities,
provide sets of files that have to be installed on computer
systems. These files 'fix' or 'patch' the computer system and
remove the security vulnerability.
Internet
A collection of interconnected networks that use a common set of
protocols called the TCP/IP stack to enable the communication
between the connected computer systems.
Masquerade (see Remote Log In)
Anyone who pretends to be someone they are not in order to obtain
access to a computer account is said to 'masquerade.' This may be
accomplished by providing a false user name, or stealing someone
else's password and logging in as him.
One-Time Password System
Instead of using the same password over and over again, a
different password is used on each subsequent log in. Even if the
password is transmitted over a network and stolen, it doesn't
provide any benefit to an attacker. This is especially important
for protocols like FTP and telnet where passwords are transmitted
unencrypted over the network.
PGP
PGP is an application package that provides tools to encrypt and
digitally sign files on computer systems. It is especially useful
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 21]
Internet Draft Users' Security Handbook July 1998
to do this with files and messages before sending them via Email.
PPP
Today many dial-in services provides a mechanism to establish a
PPP connection over a telephone line. The PPP connection can then
be used to use the TCP/IP protocol for any further
communication, making the connected computer system like an end
user PC part of the Internet. For example, PPP may provide
systems with an IP address.
SSL
This protocol provides security services to otherwise insecure
protocols which operate over a network. These services may
include privacy (encryption of data) and authentication. SSL is
typically used by web browsers to encrypt data which is sent to
and downloaded from a web server. SSL also allows a web browser
to verify it is communicating with a web servers that has been
'certified' (but discussion of this is beyond the scope of this
Glossary).
SSH (Secure Shell)
Similar to SSL the approach of SSH provides a protocol between a
client and server to access computer systems remotely while
securing the communication and providing strong mechanisms for
user authentication and confidentiality.
Server
A Server is a computer system, or set of processes on a computer
system, which provide services to clients across a network.
Site
Depending on the context in which this term is used, it might
apply to computer system(s) that are grouped together by
geographical location, organizational jurisdiction, or network
addresses. A Site typically refers to a network under a common
administration.
Trojan Horse
A program which carries within itself a means to allow the creator
of the program access to the system using it.
Virus
A program which replicates itself on computer systems by
incorporating itself into other programs which are shared among
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 22]
Internet Draft Users' Security Handbook July 1998
computer systems.
Web Server
A server program that provides access to web pages. Some web
servers provide access to other services, such as databases, and
directories.
Worm
A computer program which replicates itself and is self-
propogating. Worms, as opposed to viruses, are meant to spawn in
network environments.
account
see (Computer) Account
anonymous and guest log in
Services may be made available without any kind of authentication.
This is commonly done, for instance, with the FTP protocol to
allow anonymous access. Other systems provide a special account
named "guest" to provide access, typically restricting the
privileges of this account.
auditing tool
Tools to analyze computer systems or networks in regard to their
security status or in relation to the set of services provided by
them. COPS and SATAN are famous examples of such tools.
centrally-administered network
A network which is administration lay in the responsibility of a
single group that is not distributed but work centrally to take
care of the network.
common account
A common account is one which is shared by a group of users as
opposed to a normal account which is available to only one user.
If the account is misused, it is impossible to know which of the
group of users was responsible.
compound documents
A 'document' is a file used by application software to save user
information. A 'compound' document is a file which contains data
which may require a variety of programs to be used in order to
interpret and manipulate it. These programs may be used without
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 23]
Internet Draft Users' Security Handbook July 1998
the user's knowledge.
configuring network services
The part of the administrators task that is related to specify the
conditions and details for network services that gover the service
provision. In regard to a Web server this includes which Web pages
are available to whom and what kind of information is logged to
review the use of the Web server.
cracker
These term is used to name attackers, intruders or other bad guys
that do not play by the rules and try to circumvent the security
mechanisms or attack individuals and organisations.
decrypting
The process of reversing the encryption of a file or message to
recover the original text in order to use or read it.
digital signature
This is a mechanism which attaches a 'signature' to a file or
Email message which allows others to verify who 'signed' the data.
The signature can only be generated by someone who holds some
private data. It is possible for others to verify that only
someone who possesses this private data could have produced the
digital signature.
downloaded software
Software packages that were retrieved from the Internet (using for
example the FTP protocol).
downloading
The act of retrieving files from a server on the network.
email security software
Software like PGP provides security functionalities like
encryption (and decryption) to enable the end user to protect
messages and documents prior to sending them over a possible
insecure network.
encrypting / encryption
The act of appliying specific cryptographic algorithms to disables
other than the desired communication partner to access the so
protected information. Encryption makes use of mathematical
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 24]
Internet Draft Users' Security Handbook July 1998
algorithms and secrets (usually represented by strings which are
known to the communication partners) to provide this protection.
encryption software
The software that actually provides the needed functionality for
end users to encrypt messages and files. PGP is one example.
files (programs, data, text and so on)
Files include user data, but also programs, the computer operating
system and the system's configuration data.
group of users
Security software often allow permissions to be set for groups of
users as opposed to individuals.
help desk
A support entity that can be called in order to get help with a
computer or communication problem.
key escrow
Keys are used to encrypt and decrypt files. These keys are
legitimately used by parties who have agreed to share data. If
the keys are available to third parties this is known as key
escrow. This may be used to prevent key loss or to allow the
third party (for example, government agencies) to be able to have
access to the encrypted data.
keys used to encrypt and decrypt files
To make use of encryption an end user has to provide some secret,
in the form of some data, usually called a key. There are two
kinds of cryptographic keys. Symmetric keys allow anyone who
possesses it to either encrypt or decrypt data. Public key
cryptography provides a pair of keys, one decrypts it. Public key
cryptography has the advantage that not all communicating parties
need to know the same secret key.
log in, logging into a system
This is an action performed by an end user, when he authenticates
himself to a computer system.
log in prompt
The chracters that are displayed when logging into a system to ask
for user name and password.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 25]
Internet Draft Users' Security Handbook July 1998
logged in
If an end user has successfully proved to have a legitimate right
to access a system, he is considered to be logged in.
logging into your system
network file system (NFS, file sharing with PCs, etc.)
NFS is a application and protocol suite that provides a way of
sharing files between clients and servers. There are other
protocols which provide file access over networks. These provide
similar functionality, but do not interoperate with each other.
network services
Services which are not provided on the local computer system the
end user is working on but on a server located in the network.
networking features of software
Some software has features which make use of the network to
retrieve or share data. It may not be obvious that software has
networking features.
password locked screensaver
A screen saver obscures the normal display of a monitor. A
password locked screensaver will only deactivate if the end user's
password is supplied. This prevents a logged in system from being
abused and hides the work currently being done from passers by.
permissions
Another word for the access controls that are used to control the
access to files and other resources.
plug-in modules
Software components that integrates into other software (such as
web browsers) to provide additional features.
point-of-contact, security
In case of security breaches or problems many organisations
provide a designated point of contact which can alert others and
take the appropriate actions.
privacy programs
Another term for encryption software that highlights the use of
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 26]
Internet Draft Users' Security Handbook July 1998
this software to protect the confidentiality and therefore privacy
of the end users that make use of it.
remote Log In
If an end user uses a network to log in to a system this is called
a remote log in.
remote access software
This software allows a computer to use a modem to connect to
another system. It also allows a computer to 'listen' for calls
on a modem (this computer provides 'remote access service'.)
Remote access software may provide access to a single computer or
to a network.
security features
These are features which provide protection or enable end users
and administrators to assess the security of a system, for
example, by auditing it.
shareware
Shareware is software that is not for free but is provided to a
fair small price that actually contributes to the effort of the
programmer and enables him to improve the software or distribute
it at all.
sharing permissions
Many computer systems allow users to share files over a network.
These systems invariably provide a mechanism to users to control
who has permission to read or overwrite these files.
system administrator privileges
System administrators have more rights (greater permissions) as
their work involve the maintenance of system files.
system files
The set of files on a system that are not belonging the end users
and are governing the functionality of the system. Especially
these system files have a great influence on the security of the
system.
systems administrator
The individual that maintain the system and has system
administrator privileges. In order to avoid errors and mistakes
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 27]
Internet Draft Users' Security Handbook July 1998
done by the individual while not acting as an administrator, the
individual should limit the time she/he acts as an administrator
to a minimum.
telnet
A protocol that enables remote log in to other computer systems
using the network.
terminal
A dumb device that is connected to a computer system in order to
provide (text based) access to it for users and administrators.
threats
The potential that an existing vulnerability can be exploited to
compromise the security of systems or networks. Even if a
vulnerability is not known, it represents a threat by this
definition.
trusted source
A source of of downloaded software that is trusted, to the extent
that the software obtained from it should not be malicious.
virus detection tool
Software that detects and possibly removes computer viruses,
alerting the user appropriately.
vulnerability
A vulnerability is the existence of a weakness, design, or
implementation error that can lead to an unexpected, undesirable
event compromising the security of the system, network,
application, or protocol involved.
web browser capabilities
The set of functionalities that describe the web browser as seen
by the end user. This includes the set of plug-ins available.
web browsing cache
This is the part of the file system that is used to store web
pages and related files. It can be utilized to reload these files
from the cache instead of loading it every time from the network.
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 28]
Internet Draft Users' Security Handbook July 1998
Acknowledgments
Simson Garfinkle provided very helpful feedback on this document.
Klaus-Peter Kossakowski's contribution to the Glossary is much
appreciated.
References
[GLOSSARY] Malkin, G, ed, "Internet User's Glossary", RFC 1983 (FYI
18), August, 1996.
[RFC2196] Frasier, Barbara, ed, "Site Security Handbook," RFC 2196
(FYI 8), June, 1996.
Security Considerations
This document discusses what computer users can do to improve
security on their systems.
Authors' Addresses
Erik Guttman Lorna Leong Gary Malkin
Sun Microsystems COLT Internet Bay Networks
Bahnstr. 2 250 City Road 8 Federal Street
74915 Waibstadt City Forum, London Billerca, MA 01821
Germany England USA
Phone: +49 7263 911701 +44 171 390 3900 +1 508 916 4237
Email: erik.guttman@sun.com lorna@colt.net gmalkin@baynetworks.com
Guttman, Forey, Malkin Expires: 30 January 1999 [Page 29]