Information Systems Security Monitor, Dept. of Tre


--------------------------------------------------------------------------
Information Systems Security Monitor Volume 2 Number 3
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Dedicated to the pursuit of security awareness.... July 1992
--------------------------------------------------------------------------
///////////////////////////// In this Issue \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Network Security Issues

Treasury Visit

SDLC...It's Really Common Sense

Clyde's Hall of Fame

Computer Poem

Dear Clyde

Sir Clyde

Did You Know That..

Computer Speak

Government Required To Gosip!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/////////////////////////////////////

The ISSM is a quarterly publication of the Department of Treasury,
Bureau of the Public Debt, AIS Security Branch, 200 3rd Street,
Parkersburg, WV 26101, (304) 420-6355. The ISSM is also available
in paper format. Let us know if you would like a copy or if you
would like to download a copy of the print file. The print file
can be copied to a HP II or III laser printer and you will receive
a copy with all the graphics and formatting of the printed copy.
Editors: Ed Alesius, Kim Clancy, Joe Kordella, Jim Heikkinen, Mary Clark
Kim Clancy is available at [email protected]
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/////////////////////////////////////


==========================
Network Security Issues
==========================

In today's computer networking world the number of potential security issues
increases daily. Not only do we face natural disasters such as fire, flood, and
earthquake, but we must also contend with malicious and careless users, who are
even more dangerous. To keep the number of problems to a minimum we, as systems
administrators, must establish some very basic preventive measures on our
networks. It is assumed that anyone reading this has some familiarity with the
Novell Netware operating system. Three areas of securing your network will be
discussed: Physical security, which applies to many different computer systems;
File Server security, covering the machine that serves as your file server; and
Initial Access security, which pertains to passwords, date and time
restrictions, and other miscellaneous Netware security features.

Physical
To protect your file server from harm it should be kept in a locked room with a
proper cooling system and an uninterruptible power supply. Should someone gain
access to this room, you can further protect equipment from theft by securing
items to tables, walls, or even the floor. As well as locking the file server
room, you should keep any room that contains wiring, concentrators, bridges, and
other miscellaneous servers under lock and key. Locking these rooms with network
equipment in them will discourage people from snooping around and accidentally
disconnecting something crucial to your network's operation. Also, beware of
maintenance personnel with brooms, vacuum cleaners, dust rags, etc. And, most
importantly for security reasons, you will deter anyone with eavesdropping
equipment from setting up operations in one of your wiring closets. To secure
user workstations you may want to try diskless workstations or disabling the
floppy drive to prevent someone from introducing a virus, trojan horse, or other
rogue program to the network. There are currently several trojan horse type
programs that were specifically designed to capture passwords from network
workstations. The most common way these programs are introduced is via a
workstation's floppy drive. By disabling or removing floppy disk drives you are
decreasing your chances of encountering these types of problems. Depending on
the nature of your company's business, you may require TEMPEST protection.
TEMPEST is a nickname coined by the Department of Defense for protecting
computers from electronic eavesdropping.

File Server Security
The network file server is the heart and soul of any Local Area Network and
should be treated as such with regard to security. After physically securing
the computer acting as your file server, you should then proceed to prevent
access to that server from the keyboard and floppy drive. One of the most
effective ways to do this is with SECURE CONSOLE.

SECURE CONSOLE allows you to lock the keyboard at the console, thereby
preventing anyone without the password from accessing the file server. With the
console secured, an intruder will not be able to load custom-designed NLMs
(Netware Loadable Modules), which could be used to circumvent Netware security,
from the floppy drive or any other Netware volume. It will also not be possible
to change the DATE and TIME (which could disable time-dependent security and
accounting features), to enter the operating system debugger, or to access DOS,
where one could again use special programs to change security settings on the
server. If for some reason you cannot lock the file server with SECURE CONSOLE,
you can enter the command UNLOAD DOS from the console (:) prompt. This command
will also prevent someone from loading programs from any DOS drive, including
the floppy drive on the file server. When you turn on or reboot a Novell file
server, and if you are using RCONSOLE for remote operations, the RCONSOLE
password is displayed on the screen. As you can see, this is an obvious
weakness. Check the AUTOEXEC.NCF file for the line LOAD REMOTE {Password}. To
keep the password from being displayed when the server is booted up, you can
insert the switch /S, which will make the RCONSOLE password the same as the
SUPERVISOR password.

Initial Access Security
The first thing you should do after installing the Novell software is change the
passwords on the two default users SUPERVISOR and GUEST. These both come without
passwords so you need to give them passwords. Depending on the circumstances,
you might want to disable the GUEST account altogether. Next, make sure that
every userid you add has a password. This can be checked by running the SECURITY
program that comes with the Novell software. Also check the Require Password
option in SYSCON for each user and group. Novell has the capability of giving
every user in a particular group certain rights and restrictions. By using user
groups, managing security on a Novell system will be considerably easier. After
defining a user group and adding selected users to that group you can then set
the security setting for that particular group by using the program SYSCON.
After accessing SYSCON you will want to pay attention to the following settings:
Intruder Detection/Lockout
    Detect Intruders: (Yes/No)
    Intruder Detection Threshold
        Incorrect Login Attempts:
        Bad Login Count Retention Time: (Days / Hours / Minutes)
    Lock Account After Detection: (Yes/No)
    Length of Account Lockout: (Days / Hours / Minutes)

Optional User Restrictions
    Account Disabled: (Yes/No)
    Account Has Expiration Date: (Yes/No)
    Date Account Expires: (00/00/00)
    Limit Concurrent Connections: (Yes/No)
    Maximum Connections:
    Allow User To Change Password: (Yes/No)
    Require Password: (Yes/No)
    Minimum Password Length:
    Force Periodic Password Changes: (Yes/No)
    Days Between Forced Changes:
    Date Password Expires:
    Limit Grace Logins: (Yes/No)
    Grace Logins Allowed:
    Remaining Grace Logins:
    Require Unique Passwords: (Yes/No)
Detect Intruders should be set to YES, usually after no more than 3 unsuccessful
login attempts, and the retention time should be 24 hours so that the user will
not be able to access their account without notifying their systems
administrator. Accounts should be disabled during vacations, leaves of absence,
and any other extended period of time away from the office. An account should
only have an expiration date if the user is temporary. Concurrent connections
should be determined by the user's position. Network support personnel might
need unlimited connections while a secretary will only need one. Users should be
allowed to change their own passwords in case they believe it has been seen by
someone or has otherwise been compromised. All accounts should be required to
have a password to prevent easy access. There should be Periodic Password
Changes every 30-90 days to lock out anyone who might have attained a valid
account. Grace logins should be set at between 3 and 5 to force users to change
their passwords immediately, and Unique Passwords will keep users from using the
same passwords over and over again.
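The Intruder Detection/Lockout settings above behave like a small state machine, and it is worth seeing how threshold, retention time and lockout length interact. The following is an added example (not the newsletter's text and not Novell's code) that models those settings in Python over a constructed sequence of login attempts; the policy values are the ones recommended above, and the class and field names are this example's own.

```python
"""Model of NetWare-style Intruder Detection/Lockout as an added example.

Not Novell's code and not from the ISSM newsletter. The policy fields mirror
the SYSCON settings discussed in the article; the rules in attempt() are this
example's reading of them. Time is a plain number of seconds so the model runs
offline against a constructed sequence of login attempts.
"""
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600


@dataclass
class IntruderPolicy:
    detect_intruders: bool = True
    incorrect_login_attempts: int = 3            # threshold recommended in the article
    bad_login_count_retention: int = 24 * HOUR   # seconds the bad-login count is kept
    lock_account_after_detection: bool = True
    length_of_account_lockout: int = 24 * HOUR   # seconds the account stays locked


@dataclass
class AccountState:
    bad_login_count: int = 0
    last_bad_login: Optional[float] = None
    locked_until: Optional[float] = None
    intruder_detected: bool = False   # the flag a supervisor would see in SYSCON


class LoginGuard:
    """Applies an IntruderPolicy to login attempts against a constructed user table."""

    def __init__(self, policy: IntruderPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # constructed: username -> password
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for one login attempt at time `now`."""
        st = self.state.setdefault(user, AccountState())
        pol = self.policy

        # A locked account rejects even the correct password until the lockout expires.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None
            st.bad_login_count = 0

        # The bad-login count is forgotten once the retention time has elapsed.
        if (st.last_bad_login is not None
                and now - st.last_bad_login >= pol.bad_login_count_retention):
            st.bad_login_count = 0

        if self.credentials.get(user) == password:
            st.bad_login_count = 0
            return "ok"

        if not pol.detect_intruders:
            return "bad_password"            # detection off: nothing is counted

        st.bad_login_count += 1
        st.last_bad_login = now
        if st.bad_login_count >= pol.incorrect_login_attempts:
            st.intruder_detected = True      # reported to the supervisor
            if pol.lock_account_after_detection:
                st.locked_until = now + pol.length_of_account_lockout
                return "locked"
        return "bad_password"

    def clear_lockout(self, user: str) -> None:
        """What the supervisor does in SYSCON once the user has reported in."""
        self.state[user] = AccountState()


if __name__ == "__main__":
    guard = LoginGuard(IntruderPolicy(), {"jdoe": "correct-horse"})
    for t, pw in [(0, "guess1"), (10, "guess2"), (20, "guess3"), (30, "correct-horse")]:
        print(t, guard.attempt("jdoe", pw, t))
```

Note that the third bad attempt locks the account and the correct password is then refused for the full lockout length, which is exactly why the article wants the user to have to notify the administrator.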
A supervisor should run the SECURITY program that comes with Novell Netware
periodically to examine the security settings of all users. SECURITY will show,
for every user, which groups they are in, any Trustee Assignments they may have,
whether they have SUPERVISORY rights anywhere, their password status (length,
enabled, etc.), whether anyone has a password the same as their username, any
ROOT DIRECTORY PRIVILEGES, whether they have a LOGIN SCRIPT, and whether anyone
has excessive rights to any directory. Only a user with SUPERVISORY rights can
run SECURITY.
There are also Station and Time restrictions where you can specify when and
where a user can log in to the network. For instance, you may want to set up
the Tape Backup account to be able to log in only at 2:00 in the morning on
Monday and Friday, and set the Station restriction to the PC the tape backup is
connected to, since there is no reason for the TAPE account to log in anywhere
else. For users who never leave their desks it is best if they can only log in
from that location. This measure will prevent anyone from attempting to
penetrate the system after hours and from remote locations, i.e., over a modem.

Miscellaneous
A Login Script contains commands that initialize environment variables, map
network drives, and control the user's program execution. Login scripts are
similar to configurable batch files and are executed as part of the login
procedure. It is important that every user have some form of default login
script, because without a login script it is possible for someone to insert
their own login script for that user, giving them a higher level of access.
Usernames that are set up for printers, tape drives, and other network devices
should also be protected with a password. Many times these users are set up
without passwords and are extremely susceptible to being hacked. Often these
types of usernames require supervisor access for such tasks as tape backup and
print servers. By pressing CTRL-C during one of the login batch files someone
could gain supervisor access to your system.
Novell provides a systems administrator with several tools to use in securing
their system, but, as with any system, if they are not used or are used
improperly the system remains insecure. With Novell's extremely large user base
most of its weaknesses are known and made accessible to anyone who is
interested. Because of this, it is important that you take the time to evaluate
the security settings on your system.

Written by Joseph Tucker, a systems administrator for the law firm of
Blackwell Sanders, Matheny, and Lombardi in Kansas City, MO. He has over 7
years' experience managing computer networks and has implemented several
different LANs including Novell Netware and Banyan Vines. He has been
studying the computer underground for about 5 years now and has given
presentations to various computer security groups including local EDP auditors'
associations, private consulting, and a biannual seminar titled "Computer
Hackers, Pirates, and Viruses: what are they and how to protect your computer
from them." He has also written articles on various computer security topics
including password selection, Novell-specific security and how to protect
yourself from various hacking techniques. You can contact Joseph at: Compuserve
75434,1032 Internet [email protected]

----------------END OF ARTICLE----------------------------------

@@@@@@@@@@@@@@@@@@@@
@ Treasury Visit @
@@@@@@@@@@@@@@@@@@@@

Richard Riley, Director of Security for the Department of the Treasury, paid a
visit recently to the Bureau of the Public Debt. Accompanying Mr. Riley was J.
Martin Ferris, Assistant Director Systems Security, and Gabriel Maznick from the
National Security Agency. While here, Mr. Riley met with Richard Koch, Director
of Programs and Communications, and the AIS Security Branch staff.

A brief meeting was conducted with all of the above participating. The
meeting covered various computer security issues including the Security Branch's
ISSM newsletter.

----------------END OF ARTICLE----------------------------------

(((((((((((((((((((((((((((((((((((((
( SDLC: IT'S REALLY COMMON SENSE (
( by: Kim Clancy (
(((((((((((((((((((((((((((((((((((((

SDLC, yet another acronym in the computer world. This one is a bit different in
that we are mandated to make all users, managers, and operators of computer
systems aware of its meaning. SDLC means Systems Development Life Cycle. Oh,
"that" you say (grin). So what does "that" mean? Basically, it's a series of
steps in the development of any system from its "birth" (when a customer has a
need for a system to be developed) to its "demise" (when a system is no longer
needed or has outlived its purpose). Thus the term "life cycle". It's really
common sense. When it is decided that a system is to be developed, you first
SHOULD determine all the things you want the system to do. That way, you're not
constantly changing the direction of the development project. The SDLC does not
stop there, but goes through the entire development of the system and never
stops, even after the system is in production (being used in the real world) and
processes "live" data.

Why are we mandated to make all users, managers and operators of computer
equipment aware of the SDLC? That's easy: each of these groups plays a
significant role in the SDLC process. Users of the system determine initially
what it needs to do. After the system is in production, users suggest revisions,
and they are the group that really determines the success of the development.
Managers, specifically our ISSMs, play a very significant role in the SDLC.
ISSMs are responsible for ensuring that the proper security controls are defined
during the requirements gathering stage of the project. If sensitive information
(as defined in Treasury Directive 71-02) will be processed in the system, ISSMs
are responsible for ensuring that the application meets C2 requirements.

C2 requirements basically stipulate that sensitive systems must meet four
criteria. They must provide user identification and authentication, protect the
privacy of sensitive data, ensure that system logging is performed, and set
residual storage to binary zeroes. ISSMs are responsible for ensuring that
proper security controls exist in these systems regardless of what type of
computer the application will run on, whether it's a mainframe, LAN, WAN, or a
stand-alone PC.

The AIS Security Branch, in conjunction with input and assistance from ISSMs,
is currently developing a standard to aid in the development of sensitive bureau
applications. If you have any suggestions, forward them to your ISSM. That is
yet another way you can be involved in the SDLC. The SDLC - now you know what
"that" is.

----------------END OF ARTICLE----------------------------------

****************************************
****************************************
Clyde's
Computer Security
Hall of Fame
****************************************
****************************************

Joe Kordella Inducted to Hall of Fame

Congratulations to Joe Kordella the second inductee to Clyde's Hall of Fame. The
following nomination merited this unique honor to Joe.
As ISSM for the Division of Programs and Communications, I would like to
nominate Joe Kordella into Clyde's Hall of Fame.
Joe co-developed the SOMS (Security Office Management System) with Jeff Schaff
of the Office Automation Branch. This was a major undertaking and I feel it
exemplifies the kind of technical expertise and dedication to security that has
made the Security Branch the respectable organization it is today. The first
time I accessed the SOMS, I truly thought that it was an off-the-shelf package
which had been purchased by the Security Branch. When I found out that Joe had
actually developed this system, I was amazed! I could not believe the
professional looking quality of the system with all its pull down windows and
menus! It is also very "user-friendly". Aside from Joe's technical ability, I
appreciate his patience and willingness to help his fellow workers. I am
fortunate in that I sit in the general vicinity of Joe's work station. I have
never asked Joe a question or requested assistance from Joe when he wasn't the
most patient and accommodating. Joe is always busy, and yet, he always has the
time for people. I, for one, appreciate it; as I'm sure do many of the other
ISSM's in the Bureau. Thanks!

Gretchen Bergmann

----------------END OF ARTICLE----------------------------------

Computers

Computers have mice
But they are nice
Computers are quick
Computers are slick
But computers can trick
Computers have sound
And mistakes can be found
But how they do confound!

This poem is reprinted from one of the Computer Learning Foundation's Student
Contest entries that were recently judged here at Public Debt. The entry was
submitted by Justin Hasbrook Day, a student at Keith Elementary School, West
Bloomfield, MI. Justin's entry was a Second Prize Winner in that contest.

----------------END OF ARTICLE----------------------------------
#########################################
# Government Required To GOSIP!! #
#########################################

Adapted from the GOSIP Users Guide by Joe Kordella

Some of us at Public Debt have been unaware of it but the entire Federal
Government is now living in an exciting new age of computer communications. To
bring you up to speed we want to describe for you the world of the Government
Open Systems Interconnection Profile (GOSIP).

Open Systems Interconnection (OSI) is a revolutionary concept in data
communications that allows computer users and diverse systems to communicate in
an open environment across great distances without knowledge of each other's
specific characteristics. The OSI approach makes possible a wide degree of
interoperability between a variety of computers manufactured by different
vendors and offers the promise of significant benefits for Public Debt. Such
benefits include (1) effective, interoperable networking solutions saving money
and providing increased communications capability, (2) minimal additional
networking related software development costs, and (3) availability of
competitive products marketed on a world-wide basis by U.S. computer vendors.

These new concepts are expected to drastically alter the Federal workplace for
each of us in the 1990s. They satisfy a need recognized in the early 1970s,
when it was realized that a lack of interoperability among heterogeneous
computer systems would not be of benefit to the U.S. Government because it would
produce isolated islands of hard to share data and processing power in each
separate agency throughout the Federal sector. With the advent of smaller, less
expensive and more powerful computer systems in today's world, Federal agencies
can now take advantage of the opportunity presented by OSI to put these islands
in touch with each other. GOSIP is a technical specification which gives the
detail necessary for Federal Agencies to accomplish this effectively.

As you may already know, computer communications can be a very complex matter.
To reduce this complexity, the OSI architecture is organized as a series of
layers or levels, each one built upon its predecessor and each performing
specific communications functions. The purpose of each is to offer certain
services to the higher layers, shielding those layers from the details of how
the offered services are actually implemented.

A layer on one machine carries on a conversation with its corresponding layer on
another machine. The rules and conventions of this conversation are
collectively known as that layer's protocol. The entities composing the
corresponding layers on different machines are called peer processes. In other
words, it is the peer processes at a layer that communicate using its layer
protocol.

Some of the principles of the OSI Reference Model are: (1) each layer performs a
well-defined function, (2) minimal information flows across layer boundaries,
and (3) internationally standardized protocols should be derivable from the
functionality of each layer.

There are seven layers in the OSI Reference Model. These layers are referenced
in the GOSIP Federal Information Processing Standards (FIPS). They are the: (1)
Physical Layer, (2) Data Link Layer, (3) Network Layer, (4) Transport Layer, (5)
Session Layer, (6) Presentation Layer, (7) Application Layer. Each layer has a
protocol specification, or a set of rules governing dialogue between peer
processes (processes at the same level), and a service definition, which
describes an abstract interface to the next higher level. Each of the layers
uses the service of the next lower layer; in turn each layer provides a service
to the next higher layer.

Layers 1 through 3 define machine-to-machine communications via intermediate
systems (e.g., Ethernet, Token-ring, Token-bus, FDDI, etc.). Layer 4 defines
end-system to end-system communication, and layers 5 through 7 address
user-oriented functionality (e.g., EDI, FTAM, X.400 MHS, etc.). It is the layer
7 services that you and I, as computer system end users, are most likely to
recognize. The interface and protocol definitions for each layer indicate that
each may be modified independently of those adjacent to it and that processes at
a certain layer need not have detailed knowledge of processes occurring above or
below it.

With all of that said, what does it mean to us right now? GOSIP is to be used
by Public Debt when acquiring computer network products and services and
communications systems or services that provide equivalent functionality to the
protocols defined in the GOSIP documents. GOSIP Version 1 was mandatory in
August, 1990. GOSIP Version 2 supersedes GOSIP Version 1. GOSIP Version 3 will
be implemented very soon. GOSIP does not require Federal agencies to completely
replace existing data communications software. However, it does require us to
procure OSI products when procuring the services which OSI products provide.
This will ensure multi-vendor interoperability. Despite GOSIP's mandatory
nature we are permitted to procure non-OSI products with additional desired
capabilities.

As you can see there is a lot going on out there. The world of communications
is changing rapidly and we should take advantage of every opportunity to learn
about and avail ourselves of these new technologies. We in the AIS Security
Branch would welcome an opportunity to participate with and help you in such
efforts. So, if you are in need of additional information please feel free to
contact us.

----------------END OF ARTICLE----------------------------------

??????????????????????????????????????????
? DID YOU KNOW THAT....... ?
??????????????????????????????????????????

...One of the most common security violations users commit when
using cc:Mail is to leave their terminal area while they are still logged into
cc:Mail. Users should never leave a workstation unattended while logged into
cc:Mail. The user should always return to the "Network Menu" or the micro
computer local menu.

...Reading the "ISSM" Newsletter is considered Information System Security
Awareness Training and as such is required reading as covered by the law,
specifically the Computer Security Act of 1987.

...Three new policies went into effect recently - Data Integrity (PDI 85-03);
Change Management (PDI 85-04); Contingency Planning (PDI 85-05).

...One resource that we have found to provide interesting reading for any
security professional is the "2600" publication. Subscription information can be
obtained by writing to 2600 Magazine, PO Box 752, Middle Island, NY 11953-0752.

----------------END OF ARTICLE----------------------------------
+++++++++++++++++++++++++++++++++++
COMPUTER SPEAK
COMPUTER TERMS AND THEIR MEANINGS
+++++++++++++++++++++++++++++++++++

Trojan horse... A type of programmed threat. An independent program that
appears to perform a useful function but that hides another unauthorized program
inside it.

protocol... A set of rules and formats for the exchange of information,
particularly over a communications network.

servers... The microcomputers that provide the LAN services, such as
clearinghouse and security controls, printing services, internetwork
communications services, and filing services.

----------------END OF ARTICLE----------------------------------

DEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDED

Clyde....dedicated to the pursuit of security ...

DEAR CLYDE...responses to questions for those who are searching for the
truth.............................................

DEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDED

Dear Clyde,
What should we do with old software that has been replaced with newer versions?

Ann Onymus
Dear Ann,
Equipment management called the following 3 software companies and received
these responses. (Note: This does not apply to obsolete software that is not
being replaced with an upgrade.)

From WordPerfect:
The registration number is the only thing WP requires us to maintain. This
number will transfer to the new (upgrade) package. Everything else can be
trashed.

From Borland: (dBase)
Replace everything that is sent with the upgrade package. If new manuals are
sent - then replace the entire manual; if only pages are sent - replace the old
pages in the old manual with the new pages and keep the manual. Old diskettes
need not be kept.

From Lotus:
Everything should be trashed. An agreement is included in the upgrade paperwork
stating that the user agrees to destroy the old diskettes.

(This information is based on conversations with Federal Sales Reps from each
software vendor.)

Send your comments or questions to Clyde c/o the AIS Security Branch in
Parkersburg, Room 1011, or leave them in Clyde's mailbox located on the Security
bulletin boards throughout the Parkersburg office.

DEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDEDEARCLYDED

Sir Clyde!
Our Clyde should now and forever more be known as "Sir Clyde". In a ceremony
attended by his various admirers, Clyde was knighted. We were unable to gain
any specific information, however rumor has it that he gained this honor by
slaying numerous "virus dragons".
---------------END OF ARTICLE----------------------------------

AIS BBS
We run our own bbs. Give us a call sometime. 304-420-6083

----------------END OF ARTICLE----------------------------------
 