Just do it: Network security lies in the hands of its users
By Melissa Mitchell
"The only system which is truly secure is one which is switched off and
unplugged, locked in a titanium-lined safe, buried in a concrete bunker,
and is surrounded by nerve gas and very highly paid armed guards. Even
then, I wouldn't stake my life on it."
- Gene Spafford, Purdue University professor of computer science
and co-author of the book "Practical Unix Security"
Conscientious homeowners routinely take various precautions to keep
potential intruders at bay - from simple, common-sense procedures such as
locking doors and windows to installing expensive security and surveillance
systems. Despite all that, any police officer will tell you that all the
security in the world won't prevent a home invasion if a burglar is
determined to get inside.
The same thing holds true when it comes to securing a computer system -
especially one linked to a sprawling network like the Internet.
Paul Pomes, a senior research programmer at the UI's Computing and
Communications Services Office, manages a variety of network services, and
he takes the metaphor one step further. Pomes says people commonly linked
to computer networks - UI faculty and staff members and students, for
example - share more than just a network; they share the responsibility of
ensuring that their little corner of cyberspace isn't compromised by
intruders with mischievous or malicious intent. In effect, Pomes said, the
UI community of network users should function collectively in much the same
way as a neighborhood watch does.
"When you're on a computer network, you're part of a community, and,
therefore, have a responsibility to that community," he said. Though most
people don't realize it, Pomes said, users can play a big part in
determining the security of the networks they use. The most common ways
intruders get into a system are through its users' sloppy housekeeping and
bad habits, which are comparable to leaving windows wide open and attaching
a note to the door that says, "Come on in; there's lots of neat stuff
inside."
"Most of what we do at CCSO is stopping people at the front door," Pomes
said. Meanwhile, unscrupulous "crackers" - individuals who break into
computer systems - lurk around the back doors, looking for easy entry.
Crackers tend to be "young males who lack social skills and don't relate
well to people," Pomes said. "Cracking systems gives a cracker a sense of
power and control - elements that are often missing from their lives.
Someone who is failing in school, nevertheless, can be someone to be
respected if he can trash your file server."
As more people on campus have discovered how to send and receive e-mail and
access other programs and services on the Internet, Pomes said it is
essential that users become better educated about what they should do to
protect their electronic interests.
One of the first places users should focus their attention is on password
selection.
"The safest passwords are made from nonsense phrases the user likes, or two
words joined together, mixed upper and lower case characters, and
characters with punctuation in the middle somewhere," Pomes said. Names,
variations of names, words found in a dictionary, acronyms and systematic
algorithms should not be used under any circumstances, he added.
"I have seen crackers with 20-megabyte dictionaries that contain multiple
foreign language dictionaries; typing patterns; first-letter combinations
of phrases such as 'Four score and seven years ago,' or 'fsasya'; keyboard
patterns; etc.," Pomes said. "The cracking program, given long enough run
time, tries plurals, appended or leading digits, and replacement of 'l'
with '1' or 'o' with '0.'
"The very best security - in terms of a password - is something you know,
something you have that nobody else has," Pomes said. He added that the
current technology requires people to use what are known as "reusable"
passwords - a set of characters that has to be typed each time a person
gains access to a system. In the next two to five years, he said, it will
be more common for people to be using "one-time" passwords, which can be
anything from "fairly cheap password devices - like plastic key cards -
that you carry around with you" to pre-programmed text sequences that
challenge the user to type in a predetermined response to various prompts.
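The rules Pomes lists above (plurals, leading or appended digits, 'l'/'1' and 'o'/'0' swaps, phrase initials, keyboard patterns) can be undone on a candidate password before it is accepted. The sketch below is an added example, not CCSO's code; the word list, phrase list and function names are constructed for illustration.

```python
import re

# Constructed sample data; a real check would load a full wordlist.
WORDS = {"password", "school", "illinois", "network"}
PHRASES = ["Four score and seven years ago"]
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UNSWAP = str.maketrans({"1": "l", "0": "o"})  # undo 'l'->'1', 'o'->'0'


def strip_digits(s):
    """Remove leading and appended digits."""
    return re.sub(r"^\d+|\d+$", "", s)


def base_forms(password):
    """Every string the password reduces to when the manglings are undone."""
    p = password.lower()
    forms = {p, p.translate(UNSWAP)}
    forms |= {strip_digits(f) for f in forms}
    forms |= {f.translate(UNSWAP) for f in forms}
    for f in list(forms):  # plurals: also try the singular
        if f.endswith("es"):
            forms.add(f[:-2])
        if f.endswith("s"):
            forms.add(f[:-1])
    forms.discard("")
    return forms


def why_weak(password, words=WORDS, phrases=PHRASES):
    """Return the rule that catches the password, or None."""
    forms = base_forms(password)
    if forms & set(words):
        return "dictionary"
    initials = {"".join(w[0] for w in ph.lower().split()) for ph in phrases}
    if forms & initials:
        return "phrase-initials"
    for f in forms:
        if len(f) >= 4 and any(f in r or f in r[::-1] for r in KEY_ROWS):
            return "keyboard"
    return None


if __name__ == "__main__":
    for pw in ["Passw0rds99", "schoo1", "fsasya", "qwerty12", "moss%Kettle"]:
        print(pw, "->", why_weak(pw))
```

A result of None means only that these rules and this small list did not catch the password, not that it is strong.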
Choosing a relatively secure password is just the first step users should
take to make their electronic neighborhoods safe, however. Because a
person's password "is flying in the clear over the network" each time a
person types it in to log onto a machine, "anybody with a real curiosity
and knowledge of Ethernet-sniffing programs could catch it," Pomes said.
"Part of the cracker's toolkit is a program that records the first 100
characters of each network session," which, Pomes said, is "more than
enough to capture the log-in name and password.
"Several labs on campus have been victimized this way," he said. "Such
programs, if undetected, provide the means for crackers to infest hundreds
of other machines."
Pomes also recommended that users "think about changing their passwords
anytime they've used it from an untrusted location." For example,
if you sign onto the Internet while attending a conference at another
university or while working at a private company, your account
automatically becomes more vulnerable to a break-in. Pomes also said
that faculty and staff members with a lot to lose if their account is
compromised may want to avoid using any public computing sites as well.
A good rule of thumb, he said, is: "Change your password in any case after
six months."
Because the UI's campus network - which links about 20,000 personal
computers or workstations - is so vast, and because it is by nature a
fairly open system, Pomes said it is impossible for him or other CCSO
specialists to devise impenetrable defenses to cracker attacks.
"We always assume that five to 15 accounts on our network are being used by
people who don't have access here - people who can set up back doors, put
in Trojan horses, or in theory, cause all manners of mischief." However, he
added, "because we're a target-rich environment with thousands of machines,
chances are, your workstation won't stand out to the crackers.
Nevertheless, several machines get wiped out, or compromised enough to
warrant a complete reload, every year."
Naturally, security has been an important issue for the architects of the
university's new on-line registration system, UI DIRECT. Pomes, who created
the security structure for the project, noted that the UI "is using the
most secure, industry-supported authentication and encryption
system-software available" to ensure that student records and other data
don't wind up in the wrong hands.
George Badger, associate vice chancellor for computing and communications
and director of CCSO, added that while some UI mainframes - such as ux1,
which services undergraduate student accounts - are generally open to the
public and serve broad purposes, other machines are reserved for more
restricted uses.
"There are other levels of systems which, for various reasons, need to be
more secure," Badger said. In those cases, he said, "it is reasonable to
make much more restrictive rules about privacy. We just have to do it up
front and make it clear that these machines are not open to the public."
In general - at the UI and elsewhere - "security incidents are becoming
more common" as a result of various factors, including the proliferation of
more open systems and the ever-increasing volume of traffic on the
Internet.
The best means of thwarting security breaches is a cooperative approach in
which users and technical support staff share the responsibility for
maintaining secure systems.
"Technology and administrative measures can only go so far," Pomes said.
"Administrative measures - taken to extremes without the consent of the
users - make the problem worse because users will create back doors to get
their work done. A system where the administrators don't work with users is
insecure. Administrators must have the trust of the users and the
willingness to work with them to get their jobs done while maintaining a
secure environment."
At the same time, Pomes said, users can do much to save themselves - and
CCSO staff members - from the trouble that results when someone suspects an
account has been broken into. A good starting place for those interested in
doing their homework is "Practical UNIX Security" by Simson Garfinkel and
Gene Spafford, Pomes said. Relevant information also is available via
anonymous FTP from ftp.cert.org, and discussions of security issues are
ongoing in various newsgroups - or electronic bulletin boards - such as
alt.security and comp.security.misc.
"I can't possibly educate people about security after the fact," Pomes
said, adding that "it takes the best and brightest people CCSO has to track
down a security breach to its source." And, he said, "that trail often ends
at an uncooperative remote site.
"Anymore, unless the victims are willing to call in law enforcement and
endure the huge drain of their time that entails, I recommend that they
lick their wounds, close up the holes, reload the operating system and get
on with things."
*******************************
To change your e-mail password, log onto the CCSO mainframe you are
connected to - for instance, ux1. At the prompt, type passwd. After that
you'll receive a prompt to enter your old password, followed by another
prompt asking for the new password. For assistance with this or other
e-mail-related questions, call the CCSO Resource Center, 244-1258.
UIUC -- Inside Illinois -- 1994/10-20-94