By Melissa Mitchell

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it." - Gene Spafford, Purdue University professor of computer science and co-author of the book "Practical Unix Security"

Conscientious homeowners routinely take various precautions to keep potential intruders at bay - from simple, common-sense procedures such as locking doors and windows to installing expensive security and surveillance systems. Despite all that, any police officer will tell you that all the security in the world won't prevent a home invasion if a burglar is determined to get inside.

The same thing holds true when it comes to securing a computer system - especially one linked to a sprawling network like the Internet.

Paul Pomes, a senior research programmer at the UI's Computing and Communications Services Office, manages a variety of network services, and he takes the metaphor one step further. Pomes says people commonly linked to computer networks - UI faculty and staff members and students, for example - share more than just a network; they share the responsibility of ensuring that their little corner of cyberspace isn't compromised by intruders with mischievous or malicious intent.

In effect, Pomes said, the UI community of network users should function collectively in much the same way as a neighborhood watch does.

"When you're on a computer network, you're part of a community, and, therefore, have a responsibility to that community," he said.

Though most people don't realize it, Pomes said, users can play a big part in determining the security of the networks they use.
The most common ways intruders get into a system are through its users' sloppy housekeeping and bad habits, which are comparable to leaving windows wide open and attaching a note to the door that says, "Come on in; there's lots of neat stuff inside."

"Most of what we do at CCSO is stopping people at the front door," Pomes said. Meanwhile, unscrupulous "crackers" - individuals who break into computer systems - lurk around the back doors, looking for easy entry.

Crackers tend to be "young males who lack social skills and don't relate well to people," Pomes said. "Cracking systems gives a cracker a sense of power and control - elements that are often missing from their lives. Someone who is failing in school, nevertheless, can be someone to be respected if he can trash your file server."

As more people on campus have discovered how to send and receive e-mail and access other programs and services on the Internet, Pomes said it is essential that users become better educated about what they should do to protect their electronic interests.

One of the first places users should focus their attention is on password selection.

"The safest passwords are made from nonsense phrases the user likes, or two words joined together, mixed upper and lower case characters, and characters with punctuation in the middle somewhere," Pomes said. Names, variations of names, words found in a dictionary, acronyms and systematic algorithms should not be used under any circumstances, he added.

"I have seen crackers with 20-megabyte dictionaries that contain multiple foreign language dictionaries; typing patterns; first-letter combinations of phrases such as 'Four score and seven years ago,' or 'fsasya'; keyboard patterns; etc.," Pomes said. "The cracking program, given long enough run time, tries plurals, appended or leading digits, and replacement of 'l' with '1' or 'o' with '0.'
"The very best security - in terms of a password - is something you know, something you have that nobody else has," Pomes said.

He added that the current technology requires people to use what are known as "reusable" passwords - a set of characters that has to be typed each time a person gains access to a system. In the next two to five years, he said, it will be more common for people to be using "one-time" passwords, which can be anything from "fairly cheap password devices - like plastic key cards - that you carry around with you" to pre-programmed text sequences that challenge the user to type in a predetermined response to various prompts.

Choosing a relatively secure password is just the first step users should take to make their electronic neighborhoods safe, however. Because a person's password "is flying in the clear over the network" each time a person types it in to log onto a machine, "anybody with a real curiosity and knowledge of Ethernet-sniffing programs could catch it," Pomes said.

"Part of the cracker's toolkit is a program that records the first 100 characters of each network session," which, Pomes said, is "more than enough to capture the log-in name and password.

"Several labs on campus have been victimized this way," he said. "Such programs, if undetected, provide the means for crackers to infest hundreds of other machines."

Pomes also recommended that users "think about changing their passwords anytime they've used it from an untrusted location." For example, if you sign onto the Internet while attending a conference at another university or while working at a private company, your account automatically becomes more vulnerable to a break-in. Pomes also said that faculty and staff members with a lot to lose if their account is compromised may want to avoid using any public computing sites as well.

A good rule of thumb, he said, is: "Change your password in any case after six months."
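The password advice quoted above can be turned into a screening check that undoes each transformation Pomes lists (appended or leading digits, plurals, '1' for 'l', '0' for 'o') and rejects anything that reduces to a dictionary word, a first-letter phrase or a keyboard pattern. The following Python check is an added example, not part of the original article; the word list, phrase list and function names are constructed for illustration.

```python
import re

# Constructed sample data; a real deployment would load a full word list.
WORDS = {"password", "dragon", "illinois", "monkey", "letter", "pool"}
PHRASES = ["Four score and seven years ago"]
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UNDO_DIGITS = str.maketrans({"1": "l", "0": "o"})  # '1' for 'l', '0' for 'o'


def acronym(phrase):
    """First letters of a phrase, e.g. 'Four score ...' -> 'fsasya'."""
    return "".join(word[0] for word in phrase.lower().split())


def candidates(password):
    """Yield base forms of the password with each mangling rule undone."""
    base = password.lower()
    stripped = re.sub(r"^\d+|\d+$", "", base)  # leading or appended digits
    for form in (base, stripped):
        for variant in (form, form.translate(UNDO_DIGITS)):
            yield variant
            if variant.endswith("s"):
                yield variant[:-1]  # simple plural


def weakness(password):
    """Return why the password is guessable, or None if no rule matched."""
    acronyms = {acronym(p) for p in PHRASES}
    for form in candidates(password):
        if form in WORDS:
            return f"dictionary word '{form}'"
        if form in acronyms:
            return "first-letter phrase"
        if len(form) >= 4 and any(
            form in row or form in row[::-1] for row in KEYBOARD_ROWS
        ):
            return "keyboard pattern"
    return None


if __name__ == "__main__":
    for pw in ("Passw0rd1", "dragons99", "fsasya", "qwerty", "pUrple;wAffle"):
        print(f"{pw!r}: {weakness(pw) or 'no rule matched'}")
```

A result of `None` means only that none of these rules matched the small constructed lists, not that the password is strong.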
Because the UI's campus network - which links about 20,000 personal computers or workstations - is so vast, and because it is by nature a fairly open system, Pomes said it is impossible for him or other CCSO specialists to devise impenetrable defenses to cracker attacks.

"We always assume that five to 15 accounts on our network are being used by people who don't have access here - people who can set up back doors, put in Trojan horses, or in theory, cause all manners of mischief."

However, he added, "because we're a target-rich environment with thousands of machines, chances are, your workstation won't stand out to the crackers. Nevertheless, several machines get wiped out, or compromised enough to warrant a complete reload, every year."

Naturally, security has been an important issue for the architects of the university's new on-line registration system, UI DIRECT. Pomes, who created the security structure for the project, noted that the UI "is using the most secure, industry-supported authentication and encryption system-software available" to ensure that student records and other data don't wind up in the wrong hands.

George Badger, associate vice chancellor for computing and communications and director of CCSO, added that while some UI mainframes - such as ux1, which services undergraduate student accounts - are generally open to the public and serve broad purposes, other machines are reserved for more restricted uses.

"There are other levels of systems which, for various reasons, need to be more secure," Badger said. In those cases, he said, "it is reasonable to make much more restrictive rules about privacy. We just have to do it up front and make it clear that these machines are not open to the public."

In general - at the UI and elsewhere - "security incidents are becoming more common" as a result of various factors, including the proliferation of more open systems and the ever-increasing volume of traffic on the Internet.
The best means of thwarting security breaches is a cooperative approach in which users and technical support staff share the responsibility for maintaining secure systems.

"Technology and administrative measures can only go so far," Pomes said. "Administrative measures - taken to extremes without the consent of the users - make the problem worse because users will create back doors to get their work done. A system where the administrators don't work with users is insecure. Administrators must have the trust of the users and the willingness to work with them to get their jobs done while maintaining a secure environment."

At the same time, Pomes said, users can do much to save themselves - and CCSO staff members - from the trouble that results when someone suspects an account has been broken into.

A good starting place for those interested in doing their homework is "Practical UNIX Security" by Simson Garfinkel and Gene Spafford, Pomes said. Relevant information also is available via anonymous FTP from ftp.cert.org, and discussions of security issues are ongoing in various newsgroups - or electronic bulletin boards - such as alt.security and comp.security.misc.

"I can't possibly educate people about security after the fact," Pomes said, adding that "it takes the best and brightest people CCSO has to track down a security breach to its source." And, he said, "that trail often ends at an uncooperative remote site.

"Anymore, unless the victims are willing to call in law enforcement and endure the huge drain of their time that entails, I recommend that they lick their wounds, close up the holes, reload the operating system and get on with things."

*******************************

To change your e-mail password, log onto the CCSO mainframe you are connected to - for instance, ux1. At the prompt, type passwd. After that you'll receive a prompt to enter your old password, followed by another prompt asking for the new password.
For assistance with this or other e-mail-related questions, call the CCSO Resource Center, 244-1258.