draft-ietf-ssh-users-05.txt Erik Guttman / Sun Microsystems Lorna Leong / COLT Internet G. Malkin / Bay Networks April 30, 1998 Users' Security Handbook Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Abstract The Users' Security Handbook is the companion to the Site Security Handbook (SSH). It is intended to provide users with the information they need to keep their networks and systems secure. Guttman, Malkin Expires: 27 November 98 [Page 1] Internet Draft Users' Security Handbook April 1998 Table of Contents Part One: Introduction. . . . . . . . . . . . . . . . . . 1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2. The Wires have Ears . . . . . . . . . . . . . . . . . . . Part Two: Users in a centrally-administered network . . . 3. Watch out! . . . . . . . . . . . . . . . . . . . . . . . 3.1. The Dangers of Downloading . . . . . . . . . . . . . . 3.2. Don't get caught in the Web . . . . . . . . . . . . . . 3.3. Email Pitfalls . . . . . . . . . . . . . . . . . . . . 3.4. Passwords . . . . . . . . . . . . . . . . . . . . . . . 3.5. Viruses and Other Illnesses . . . . . . . . . . . . . . 3.6. Modems . . . . . . . . . . . . . . . . . . . . . . . . 3.7. Abandoned Terminals . . . . . . . . . . . . . . . . . . 3.8. File Protections . . . . . . . . . . . . . . . . . . . 3.9. Encrypt Everything . . . . . . . . . . . . . . . . . . 3.10. Shred Everything Else . . . . . . . . . . . . . . . . . 3.11. What program is this, anyway? . . . . . . . . . . . . . 4. Paranoia is Good . . . . . . . . . . . . . . . . . . . . Part Three: Users self administering a networked computer 5. Make your own security policy 6. Bad Things Happen . . . . . . . . . . . . . . . . . . . . 6.1. What to do if you suspect trouble . . . . . . . . . . . 6.2. How to prepare for the worst in advance . . . . . . . . 7. Home Alone . . . . . . . . . . . . . . . . . . . . . . . 7.1. Beware of Daemons . . . . . . . . . . . . . . . . . . . 7.2. Going Places 7.3. Code It! 8. A Final Note Appendix: Glossary of Security Terms . . . . . . . . . . . . . Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . Security Considerations . . . . . . . . . . . . . . . . . . . Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . Guttman, Malkin Expires: 27 November 98 [Page 2] Internet Draft Users' Security Handbook April 1998 Part One: Introduction This document is meant to provide guidance to the end users of computer systems and networks on what they can do to keep their data and communication private, and their systems and networks secure. The first part of this documents concerns "corporate users" in small, medium and large corporate and campus sites. The second part of the document addresses users who administer their own computers, such as home users. System and network administrators may wish to use this document as the foundation of a site-specific users' security guide; however, they should consult the Site Security Handbook first [SSH]. A glossary of terms is included in an appendix at the end of the document introducing computer network security notions to those not familiar with them. Terms in the glossary are in all capital letters the first time they are used. 1. READ.ME Before getting connected to the Internet, where available, you should get hold of the security policy of the site where you intend to get connected, and read it. A security policy is a formal statement of the rules by which users who are given access to a site's technology and information assets must abide. As a user, you are obliged to follow the policy created by the decision makers and administrators at your site. When using an outside network, you have an obligation to follow its Acceptable Use Policy (if it has one). A security policy exists to protect a site's hardware, software and data. It explains what the security goals of the site are, what users can and cannot do, what to do when problems arise and who to contact, and generally informs users what the "rules of the game" are. 2. The Wires have Ears It is a lot easier to evesdrop on communications over data networks than to tap a telephone conversation. Any link between computers may potentially be insecure, as can any of the computers through which data flows. All information passing over networks may be evesdropped on, even if you think "No one will care about this..." Information passing over a network may be read not only by the intended audience but can be read by others as well. This can happen to personal Email and sensitive information that is accessed via file transfer or the Web. Please refer to the "Web Browsing Safely" and "Email Pitfalls" sections for specific information on protecting your privacy. Guttman, Malkin Expires: 27 November 98 [Page 3] Internet Draft Users' Security Handbook April 1998 As a user, your utmost concerns should, firstly, be to protect yourself against misuse of your computer account(s) and secondly, to protect your privacy. Unless precautions are taken, every time you log in over a network, to any network service, your password or confidential information may be stolen. It may then be used to gain illicit access to systems you have access to. In some cases the consequences are obvious: If someone gains access to your bank account, you might find yourself losing some cash, quickly. What is not so obvious is that services which are not financial in nature may also be abused in rather costly ways. You may be held responsible if your account is misused by someone else! Many network services involve remote log in. A user is prompted for his or her account ID and password. If this information is sent through the network without encryption, the message can be intercepted and read by others. This is not really an issue when you are logging in to a "dial-in" service where you make a connection via telephone and log in, say to an online service provider, as telephone lines are more difficult to evesdrop on than internet communications. The risk is there when you are using programs to log in over a network. Many popular programs used to log in to services or to transfer files (such as telnet and ftp, respectively) send your name and password and then your data over the network without encrypting them. The precaution commonly taken against password evesdropping by larger institutions, such as corporations, is to use one-time password systems. Until recently this has been far too complicated and expensive for home systems and small businesses. An increasing number of products allow this to be done without fancy hardware, using cryptographic techniques. An example of such a technique is Secure Shell [SSH], which is both freely and commercially available for a variety of platforms. Many products (including SSH-based ones) also allow data to be encrypted before it is passed over the network. Part Two: End users in a centrally administered network The following rules of thumb provide a summary of the most important pieces of advice discussed in Part Two of this document: - Know who your security point-of-contact is. - Keep passwords secret. - Use a password-locked screensaver or log out when you leave your desk. - Don't let just anyone have physical access to your computer or your network. - Be aware what software you run and very wary of software of Guttman, Malkin Expires: 27 November 98 [Page 4] Internet Draft Users' Security Handbook April 1998 unknown origin. Think hard before you execute downloaded software. - Do not panic. Consult your security point of contact if possible before spreading alarm. - Report security problems as soon as possible to your security point-of-contact. 3. Watch out! 3.1. The Dangers of Downloading An ever expanding wealth of free software has become available on the Internet. While this exciting development is one of the most attractive aspects of using public networks, you should also exercise caution. Some files may be dangerous. Downloading poses the single greatest risk. Be careful to store all downloaded files so that you will remember their (possibly dubious) origin. Do not, for example, mistake a downloaded program for a common program just because they have the same name! Programs can use the network without making you aware of it. One thing to keep in mind is that if a computer is connected, any program has the capability of using the network, with or without informing you. Say for example: You download a game program from an anonymous file server. This appears to be a shoot-em-up game, but unbeknownst to you, it transfers all your files, one by one, over the Internet to a cracker's machine! Many corporate environments explicitly prohibit the downloading and running of software from the Internet. 3.2. Web Browsing Safety The greatest risk when web browsing is downloading files. Web browsers allow any file to be retrieved from the Internet. See "The Dangers of Downloading." Web browsers are downloading files even when it is not entirely obvious. Thus, the risk posed by downloading files may be present even if you do not actively go out and retrieve files overtly. Any file which you have loaded over the network should be considered possibly dangerous (even files in the web browser's cache.) Do not execute them by accident, as they may be malicious programs. (Remember, programs are files, too. You may believe you have downloaded a text file, when in fact it was a Trojan Horse program, script, etc.) Guttman, Malkin Expires: 27 November 98 [Page 5] Internet Draft Users' Security Handbook April 1998 Web browsers may download and execute programs on your behalf. You may disable these features. If you leave them enabled, be sure that you understand the consequences. You should read the security guide which accompanies your web browser as well as the security policy of your company. You should be aware that downloaded programs may be quite risky to execute on your machine. (See "What program is this, anyway?"). Web pages often include forms. Be aware that, as with Email, data sent from a web browser to a web server is not secure. Several mechanisms have been created to prevent this, most notably Secure Sockets Layer [SSL]. This facility has been built into many web browsers. It encrypts messages which are sent between the user's web browser to the web server so no one along the way can read it. 3.3 Email Pitfalls All the normal concerns apply to messages received via Email that you could receive any other way. For example, the sender may not be who he or she claims to be. If Email security software is not used, it is very difficult to determine for sure who sent a message. This means that Email is not a suitable way to conduct business. It is very easy to forge an Email message, so that it appears to come from anyone. Another security issue you should consider when using Email is privacy. Email passes through the Internet from computer to computer. As the message moves between computers, and indeed as it sits in a user's mailbox waiting to be read, it is potentially visible to others. For this reason, it is wise to think twice before sending confidential or extremely personal information via Email. You should never send credit card numbers and other sensitive data via unprotected Email. Please refer to "The Wires Have Ears". To cope with this problem, there are privacy programs available; some of which are integrated with Email packages. One service many Email users like to use is Email forwarding. This should be used very cautiously. Imagine the following scenario: A user has an account with a private Internet Service Provider and wishes to receive all her mail there. She sets it up so that her Email at work is forwarded to her private address. All the mail she would receive at work then moves across the Internet until it reaches her private account. All along the way, the Email is vulnerable to being read. A sensitive Email message sent to her at work could be read by a network snoop at any of the many stops along the way the Email takes. Note that Email sent or received at work may not be private. Check with your employer, as employers may (in some instances) legally both Guttman, Malkin Expires: 27 November 98 [Page 6] Internet Draft Users' Security Handbook April 1998 read your mail and make use of it. The legal status of Email depends on the privacy of information laws in force in each country. Many mail programs allow files to be included in mail messages. The files which come by mail are files like any other. Any way in which a file can find its way onto a computer is possibly dangerous. If the attached file is merely a text message, fine. But it may be more than a text message. If the attached file is itself a program or an executable script, extreme caution should be applied before running it. See the section entitled "The Dangers of Downloading." 3.4 Passwords Passwords may be easily guessed by an intruder unless precautions are taken. Your password should contain a mix of numbers, punctuation, and upper and lower case letters. Avoid all real words or combinations of words, license plate numbers, names and so on. The best password is a made up sequence (e.g., an acronym from a phrase you won't forget), such as "2B*Rnot2B" (but don't use this password!) Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. You should change your passwords periodically. You should also NEVER save passwords in scripts or login procedures as these could be used by anyone who has access to your machine. Be certain that you are really logging into your system. Just because a login prompt appears and asks you for your password does not mean you should enter it. Avoid unusual login prompts and immediately report them to your security point-of-contact. If you notice anything strange upon logging in, change your password. You should use "one time passwords" if you are logging in over a network, unless precautions have been taken to encrypt your password when it is sent over the network. (Some applications take care of that for you.) See "The Wires Have Ears" for more information on the risks associated with logging in over a network. 3.5 Viruses and Other Illnesses Viruses are essentially unwanted pieces of software that find their way into a computer. What the virus may do once it has entered its host depends on several factors: What the virus has been programmed to do? What part of the computer system has the virus attacked? Some viruses are 'time bombs' which activate only when given a Guttman, Malkin Expires: 27 November 98 [Page 7] Internet Draft Users' Security Handbook April 1998 particular condition, such as reaching a certain date. Others remain latent in the system unless a particular afflicted program is activated. Still, there are others which are continually active, exploiting every opportunity to do mischief. A subtle virus may simply modify a system's configuration, then hide. Be cautious about what software you install on your system. Use software from "trusted sources" if possible. Check your site policy before installing any software: Some sites only allow administrators to install software to avoid security and system maintenance problems. Centrally-administered sites have their own policy and tools for use in countering the threat of viruses. Consult your site policy or ask your system administrator to find out what the correct procedures are to stay virus free. You should report it if a virus detection tool indicates that your system has a problem. You should notify your site's systems administrators as well as the person you believe passed the virus to you. It is important to remain calm. Virus scares may cause more delay and confusion than an actual virus outbreak. Before announcing the virus widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of technically- competent personnel. Trojan Horse programs and worms are often categorised with viruses. Trojan Horse programs are dealt with in the "What program is this, anyway?" section. Worms should be considered a type of virus for the purposes of this section. 3.6 Modems You should be careful when attaching anything to your computer, and especially something which allows data to flow. You should get permission before you connect anything to your computer in a centrally administered computing environment. Modems present a special security risk. Many networks are protected by a set of precautions designed to prevent a frontal assault from public networks. If your computer is attached to such a network, you must exercise care when also using a modem. It is quite possible to use the modem to connect to a remote network while *still* being connected to the 'secure' net. Your computer can now act as a hole in your network's defenses. Unauthorized users may be able to get onto your your organization's network through your computer! Be sure you know what you are doing if you leave a modem on and set up your computer to allow remote computers to dial in. Be sure you use all available security features correctly. Many modems answer calls by default. You should turn auto-answer off unless you are Guttman, Malkin Expires: 27 November 98 [Page 8] Internet Draft Users' Security Handbook April 1998 prepared to have your computer respond to callers. Some 'remote access' software requires this. Be sure to turn on all the security features of your 'remote access' software before allowing your computer to be accessed by phone. Note that having an unlisted number will not protect you from someone breaking into your computer via a phone line. It is very easy to probe many phone lines to detect modems and then launch attacks. 3.7 Don't leave me... Do not leave a terminal or computer logged in and walk away. Use password-locked screensavers whenever possible. These can be set up so that they activate after the computer has been idle for a while. Sinister as it may seem, someone coming around to erase your work is not uncommon. If you remained logged in, anyone can come by and perform mischief for which you may be held accountable. For example, imagine the troubles you could be in for if nasty Email were sent to the president of your company in your name, or your account were used to transfer illegal pornography. Anyone who can gain physical access to your computer can almost certainly break into it. This means that you should be careful with who you allow access to your machine. If this is impossible, it is wise to encrypt your data files kept on your local hard disk. It is wise to lock the door to one's office where the computer is stored, if possible. 3.8 File Protections Data files and directories on shared systems or networked file systems require care and maintenance. There are two categories of such systems: - Files to share Shared files may be visible to everyone or to a restricted group of other users. Each system has a different way of specifying this. Learn how to control sharing permissions of files and implement such control without fail. - Protected files These include files which only you should have access to, but which are available to anyone with system administrator privileges. An example of this are files associated with the delivery of Email. You don't want other users to read your Email, so make sure such files have all the necessary file permissions set accordingly. Guttman, Malkin Expires: 27 November 98 [Page 9] Internet Draft Users' Security Handbook April 1998 3.9 Encrypt Everything Additionally, there are files that are private. You may have files which you do not wish anyone else to have access to. In this case, it is prudent to encrypt the file. This way, even if your network is broken into or the systems administrator turns into Mr. Hyde, your confidential information will not be available. Encryption is also very important if you share a computer. A home computer may be used for preparing taxes and also for playing computer games by children. By backing up the data and using encryption, this kind of shared use may be done safely. Before you encrypt files you should check with your site's security policy. Some employers and countries expressly forbid the storing and/or transferring of encrypted files. Be careful with the passwords or keys you use to encrypt files. Locking them away safely not only helps to keep them from prying eyes but will help you to keep them secure too; for if you lose them, you lose your ability to decrypt your data as well! It may be wise to save more than one copy. This may even be required, if your company has a key escrow policy, for example. This protects against the possibility that the only person knowing a pass phrase may leave the company or be struck by lightning. Whilst encryption programs are readily available, it should be noted that the quality can vary widely. PGP (which stands for "Pretty Good Privacy") for example, offers a strong encryption capability. Many common software applications include the capability to encrypt data. The encryption facilities in these are typically very weak. You should not be intimidated by encryption software. Easy to use software is being made available. 3.10 Shred Everything Else You would be surprised what gets thrown away in the wast paper basket: notes from meetings, old schedules, internal phone lists, computer program listings, correspondence with customers, even market analyses. All of these would be very valuable to competitors, recruiters and even an overzealous (hungry?) journalist looking for a scoop. The threat of dumpster diving is real - take it seriously! Shred all potentially useful documents before discarding them. You should also be aware that deleting a file does not erase it in many cases. The only way to be sure that an old hard disk does not contain valuable data may be to reformat it. Guttman, Malkin Expires: 27 November 98 [Page 10] Internet Draft Users' Security Handbook April 1998 3.11 What Program is this, anyway? Programs have become much more complex in recent years. They are often extensible in ways which may be dangerous. These extensions make applications more flexible, powerful and customizable. They also open the end-user up to all sorts of risks. - A program may have "plug-in" modules. You should not trust the plug-ins simply because you are used to trusting the programs they plug into. For example: Some web pages suggest that the user download a plug-in to view or use some portion of the web page's content. Consider: What is this plug-in? Who wrote it? Is it safe to include it in your web browser? - Some files are "compound documents." This means that instead of using one single program, it will be necessary to run several programs in order to view or edit a document. Again, be careful of downloading application components. Just because they integrate with products which are well-known does not mean that they can be trusted. Say you receive a mail message which can only be read if you download a special component. This component could be a nasty program which reformats your hard drive! - Some programs are downloaded automatically when accessing web pages. While there are some safeguards to make sure that these programs may be used safely, there have been security flaws discovered in the past. For this reason, some centrally- administered sites request that certain web browser capabilities be turned off. 4. Paranoia is Good Many people do not realise it but social engineering is a tool which many intruders use to gain access to computer systems. The general impression that people have of computer break-ins is that they are the result of technical flaws in computer systems which the intruders have exploited. People also tend to think that break-ins are purely technical. However, the truth is that social engineering plays a big part in helping an attacker slip through security barriers. This often proves to be an easy stepping stone onto the protected system if the attacker has no authorized access to the system at all. Social engineering may be defined, in this context, as the act of gaining the trust of legitimate computer users to the point where they reveal system secrets or help someone, unintentionally, to gain unauthorized access to their system. Using social engineering, an attacker may gain valuable information and/or assistance that could help break through security barriers with ease. Skillful social engineers can appear to be genuine but are really full of deceit. Guttman, Malkin Expires: 27 November 98 [Page 11] Internet Draft Users' Security Handbook April 1998 Most of the time, attackers using social enginering work via telephone. This not only provides a shield for the attacker by protecting his or her identity, it also makes the job easier because the attacker can claim to be a particular someone with more chances of getting away with it. There are several types of social engineering. Here are a few examples of the more commonly used ones: - An attacker may pretend to be a legitimate end-user who is new to the system or is simply not very good with computers. This attacker may approach systems administrators and other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs to access the system urgently. Attackers have also been known to identify themselves as some VIP in the company, screaming at administrators to get what they want. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands. - Attackers who operate via telephone calls may never even have seen the screen display on your system before. In such cases, the trick attackers use is to make details vague, and get the user to reveal more information on the system. The attacker may sound really lost so as to make the user feel that he is helping a damsel in distress. Often, this makes people go way out their way to help. The user may then reveal secrets when he is off-guard. - An attacker may also take advantage of system problems that have come to his attention. Offering help to a user is an effective way to gain the user's trust. A user who is frustrated with problems he is facing will be more than happy when someone comes to offer some help. The attacker may come disguised as the systems administrator or maintenance technician. This attacker will often gain valuable information because the user thinks that it is alright to reveal secrets to technicians. Site visits may pose a greater risk to the attacker as he may not be able to make an easy and quick get-away, but the risk may bring fruitful returns if the attacker is allowed direct access to the system by the naive user. - Sometimes attackers can gain access into a system without prior knowledge of any system secret nor terminal access. Just like how one should not carry someone else's bags through Customs, no user should key in commands on someone's behalf. Beware of attackers who use users as their own remotely-controlled fingers to type away on the user's keyboard, commands the user does not understand which may harm the system. These attackers will exploit system software bugs and loopholes even without direct access to the system. The commands keyed in by the end-user may bring harm to the system, open his own account up for access to the attacker or Guttman, Malkin Expires: 27 November 98 [Page 12] Internet Draft Users' Security Handbook April 1998 create a hole to allow the attacker entry (at some later time) into the system. If you are not sure of the commands you have been asked to key in, do not simply follow instructions. You never know what and where these could lead to... To guard against becoming a victim of social engineering, one important thing to remember is that passwords are secret. A password for your personal account should be known ONLY to you. The systems administrators who need to do something to your account will not require your password. As administrators, the privileges they have will allow them to carry out work on your account without the need for you to reveal your password. An administrator should not have to ask you for your password. Most maintenance work will require special privileges which end-users are not given. Users should guard the use of their accounts, and keep it for their own use. Accounts should not be shared, not even temporarily with a maintenance staff or administrator. Systems administrators will have their own accounts to work with and will not need to access a system via an end-user's account. Systems maintenance technicians who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Yet many people will not do this because it makes them look paranoid and it is embarrassing to show that they have no, or little trust in these visitors. Unless you are very sure that the person you are speaking to is who he or she claims to be, no secret information should ever be revealed to such people. Sometimes, attackers may even be good enough to make themselves sound like someone whose voice you know over the phone. It is always good to double check the identity of the person. If you are unable to do so, the wisest thing to do is not to reveal any secrets. If you are a systems administrator, there should be security procedures for assignment and reassignment of passwords to users, and you should follow such procedures. If you are an end- user, there should not be any need for you to have to reveal system secrets to anyone else. Some companies assign a common account to multiple users. If you happen to be in such a group, make sure you know everyone in that group so you can tell if someone who claims to be in the group is genuine. Part Three: End users self administering a networked computer The home user or the user who administers his own network has many of the same concerns as a centrally-administered system user. The following is a summary of additional advice given in Part Three: Guttman, Malkin Expires: 27 November 98 [Page 13] Internet Draft Users' Security Handbook April 1998 - Read manuals to learn how to turn on security features, then turn them on. - Consider how private your data and Email need to be. Have you invested in privacy software and learned how to use it yet? - Prepare for the worst in advance. - Keep yourself informed about what the newest threats are. 5. Make your own security policy You should decide ahead of time what risks are acceptable and then stick to this decision. It may be wise to simply avoid downloading any software from the network which comes from an unknown source, to a computer storing business records, other valuable data and data which is potentially damaging (if the information was lost or stolen). If the machine has a mixed purpose, say recreation, correspondence and some home accounting, perhaps you will hazard some downloading of shareware applications. You take some risk of acquiring software which is not exactly what it seems to be. It may be worthwhile installing privacy software on a computer if it is shared by multiple users. That way, a friend of a roommate won't have access to your private data, and so on. 6. Bad Things Happen If you notice that your files have been modified or ascertain somehow that your account has been used without your consent, you should inform your security point-of-contact immediately. In many cases, you will not know who your security point-of-contact is: Try calling your Internet service provider's help desk as a first step. 6.1 What to do if you suspect trouble If you suspect that your home computer has a virus, that a malicious program has been run, or that a system has been broken into, the wisest course of action is to first disconnect the system from all networks. If available, virus detection or system auditing software should be used. Checking vital system files for corruption, tampering or malicious replacement is very tedious work to do by hand. Fortunately there are many virus detection programs available for PCs and Macintosh computers. There are security auditing programs available for UNIX- based computers. If software is downloaded from the network, it is wise to run virus detection or auditing tools regularly. If it becomes clear that a home system has been attacked, it is time to clean up. Ideally, a system should be rebuilt from scratch. This means erasing everything on the hard disk. Next, install the operating system and then all additional software the system needs. Guttman, Malkin Expires: 27 November 98 [Page 14] Internet Draft Users' Security Handbook April 1998 It is best to install the operating system and additional software from the original distribution diskettes or CD-roms, rather than from backup storage. The reason for this is that a system may have been broken into some time ago, so the backed up system or program files may already include some altered files or viruses. Restoring a system from scratch is tedious but worth while. Do not forget to re-install all security related fixes you had installed before the security incident. Obtain these from a verified, unsuspicious source. 6.2 How to prepare for the worst in advance - Read all user documentation carefully. Make sure that it is clear when services are being run on your computer. If network services are activated, make sure they are properly configured (set all permissions so as to prevent anonymous or guest logins, and so on). Increasingly, many programs have networking capabilities built in to them. Learn how to properly configure and safely use these features. - Back up user data. This is always important. Backups are normally thought of as a way of ensuring you will not lose your work if a hard disk fails or if you make a mistake and delete a file. Backing up is also critical to insure that data cannot be lost due to a computer security incident. One of the most vicious and unfortunately common threats posed by computer viruses and Trojan Horse programs is erasing a computer's hard disk. - Obtain virus checking software or security auditing tools. Learn how to use them and install them before connecting to a public network. Many security tools require that they be run on a "clean" system, so that comparisons can be made between the present and pristine states. Thus, it is necessary for some work to be done ahead of time. - Upgrade networking software regularly. As new versions of programs come out, it is prudent to upgrade. Security vulnerabilities will likely have been fixed. The longer you wait to do this, the greater the risk that security vulnerabilities of the products will become well known and be exploited by some network assailant. Keep up to date! There are 3 ways to avoid problems with viruses: 1. Don't be promiscuous If at all possible, be cautious about what software you install on your system. Do not run programs which origin you are unaware or unsure of. Do not execute programs or reboot using old diskettes unless you have reformatted them, especially if the old diskettes have been used to bring software home from a trade show, and other Guttman, Malkin Expires: 27 November 98 [Page 15] Internet Draft Users' Security Handbook April 1998 potentially security-vulnerable places. Nearly all risk of getting infected by viruses can be eliminated if you are extremely cautious about what files are stored on your computer. See "The Dangers of Downloading" for more details. 2. Scan regularly. Give your computer a regular check-up. There are excellent virus-checking and security audit tools for most computer platforms available today. Use them, and if possible, set them to run automatically and regularly. 3. Notice the unusual. It's not true that a difference you cannot detect is no difference at all, but it is a good rule of thumb. You should get used to the way your system works. If there is an unexplainable change (for instance, files you believe should exist are gone, or strange new files are appearing and disk space is 'vanishing'), you should check for the presence of viruses. The best way to avoid problems with viruses is to keep important files backed up. This way, if worse comes to worse, you can always restore your system to its state before it was afflicted. You should take some time to be familiar with computer virus detection tools available for your type of computer. You should use an up-to-date tool (i.e. not older than three months). It is very important to test your computer if you have been using freeware, other peoples' used floppy disks to transfer files, and so on. 6.3 Email Remember to be careful with saved mail. Copies of sent or received mail (or indeed any file at all) placed in storage provided by an Internet service provider may be vulnerable. The risk is that someone might break into the account and read the old mail. Keep your mail files, indeed any sensitive files, on your home machine. 7. Home Alone A home system can be broken into over the Internet if a home user is unwary. The files on the home system can be stolen, altered or destroyed. The system itself, if compromised, could be accessed again some time in the future. This section describes issues and makes recommendations relevant to a home user of the Internet. Guttman, Malkin Expires: 27 November 98 [Page 16] Internet Draft Users' Security Handbook April 1998 7.1 Beware of Daemons A home system which uses PPP to connect directly to the Internet is increasingly common. These systems are at the greatest risk if they run certain kinds of programs called "services". If you run a service, you are in effect making your computer available to others across the network. Some services include: - File servers (an NFS server, a PC with 'file sharing' turned on) - An FTP server - A Web server There are, in general, two types of programs which operate on the Internet: Clients (like web browsers and Email programs) and Servers (like web servers and mail servers). Most software which runs on home systems is of the client variety; but, increasingly, server software is available on traditionally client platforms (e.g., PCs). Server software which runs in the background is referred to as a "daemon" (pronounced dee-mon). Many Internet server software programs that run as daemons have names that end in `d', like "inetd" (Internet Daemon) and "talkd" (Talk Daemon). When set to run, these programs wait for clients to request some particular service from across the network. There are four very important things to keep in mind as far as the security implications of running services on a home computer are concerned. First and most important, - If a server is not properly configured, it is very vulnerable to being attacked over a network. It is vital, if you run services, to be familiar with the proper configuration. This is often not easy, and may require training or technical expertise. - All software has flaws, and flaws exploited deviously can be used to breach computer security. If you run a server on your home machine you have to stay aware. This requires work: You have to stay in touch with the supplier of the software to get security updates. It is highly recommended that you keep up with security issues through on-line security forums. See [SSH] for a list of references. If security flaws in your server software are discovered, you will need to either stop using the software or apply "patches" or "fixes" which eliminate the vulnerability. The supplier of the software, if it is a decent company or freeware author, will supply information and updates to correct security flaws. These "patches" or "fixes" must be installed as soon as possible. - As a rule of thumb, the older the software, the greater the chance that it has known vulnerabilities. This is not to say you should Guttman, Malkin Expires: 27 November 98 [Page 17] Internet Draft Users' Security Handbook April 1998 simply trust brand new software either! Often, it takes time to discover even obvious security flaws in servers. - Some servers start up without any warning. There have been web browsers and telnet clients in common use which automatically start FTP servers if not explicitly configured to not do so. If these servers are not themselves properly configured, the entire file system of the home computer can become available to anyone on the Internet. In general, any software MAY start up a network daemon. The way to be safe here is to know the products you are using. Read the manual, and if any questions arise, call the company or mail the author of free software to find out if you are actually running a service by using the product. A home user running a remote login service on his home machine faces very serious risks. This service allows the home user to log in to his home machine from other computers on the Internet and can be quite convenient. But the danger is that someone will secretly observe the logging in and then be able to masquerade as the user whenever they choose to do so in the future. See "The Wires Have Ears" which suggests precautions to take for remote log in. If possible, activate all "logging" options in your server software which relates to security. You need to review these logs regularly in order to gain any benefit from this logging. You should also be aware that logs often grow very quickly in size, so you need to be careful they don't fill up your hard disk! 7.2 Going Places Remote logins allow a user privileged access onto a system which is far away physically, in the comfort of his own home. More and more companies are offering their employees the ability to work from home with access to their computer accounts through dial-up connections. As the convenience of Internet connectivity has led to lowered costs and wide-spread availability, companies may allow remote login to their systems via the Internet. Customers of companies with Internet access may also be provided with remote login accounts. These companies include Internet service providers, and even banks. Users should be very careful when making remote logins. As discussed in "The Wires have Ears" section, Internet connections can be eavesdropped on. If you intend to use a remote login service, check that the connection can be done securely, and make sure that you use the secure technologies/features. Connections may be secured using technologies like one-time passwords, secure shell (SSH) and Secure Sockets Layer (SSL). One-time passwords make a sniffed password useless to the intruder, while secure shell encrypts data sent over the connection. Please refer to "Web Browsing Safely" for a discussion on SSL. Secure services such as these have to be made available on the systems you make remote logins on. 7.3 Code It! Administering your own home computer means you get to choose what software is run on it. Encryption software provides protection on data. If you keep business records and other sensitive data on your computer, encryption will help to keep it safe. Say, if you ran a network service from your home computer and missed setting restrictions on a private directory, a remote user (authorised or not) may gain access to files in this private directory. If the files are encrypted, the user will not be able to read them. But as with all forms of encryption running on any system, the keys and passwords should first be kept safe! ......... 8. A Final Note This document has provided the reader with an introduction and as much detail as possible while keeping it concise. Present security issues go out-of-date quickly, and although effort has been made to keep discussions general, examples given may not be relevant in the future as the Internet and computer industry continue to grow. Just as home-owners are now taking increased caution, at the expanse of convenience, on securing their homes in the changing world we live in, computer network users should not ignore security. It may be inconvenient, but it is always better to be safe than sorry. Guttman, Malkin Expires: 27 November 98 [Page 18] Internet Draft Users' Security Handbook April 1998 Appendix: Glossary of Security Terms Trojan Horse A program which carries within itself a means to allow the creator of the program access to the system using it. Virus A program which replicates itself on computer systems by incorporating itself into other programs which are shared among computer systems. Worm A computer program which replicates itself and is self- propogating. Worms, as opposed to viruses, are meant to spawn in network environments. Guttman, Malkin Expires: 27 November 98 [Page 19] Internet Draft Users' Security Handbook April 1998 References [GLOSSARY] Malkin, G, ed, "Internet User's Glossary", RFC 1983 (FYI 18), August, 1996. [SSH] Frasier, Barbara, ed, "Site Security Handbook," RFC 2196 (FYI 8), June, 1996. Security Considerations This document discusses what computer users can do to improve security on their systems. Authors' Addresses Erik Guttman Lorna Leong Gary Malkin Sun Microsystems COLT Internet Bay Networks Bahnstr. 2 250 City Road 8 Federal Street 74915 Waibstadt City Forum, London Billerca, MA 01821 Germany England USA Phone: +49 7263 911701 +44 171 390 3900 +1 508 916 4237 Email: erik.guttman@sun.com lorna@colt.net gmalkin@baynetworks.com Guttman, Malkin Expires: 27 November 98 [Page 20]