Network Information Access
12SEP90
Guardian Of Time
File 52

Founded By: Guardian Of Time, Judge Dredd

System Security Part 02
Security For The User

Introduction:

Welcome to NIA's System Security Series Part 02. In this particular file I will be attempting to describe Security as it relates to the user, and from the vantage point of the system operator.

$_Dialups

User Security begins when you FIRST log on to a system. You are asked for your username and a password. Some systems can have more than ONE password.

There are actually seven different types of logins:

1) LOCAL
2) DIALUP
3) REMOTE
4) NETWORK
5) BATCH
6) DETACHED
7) SUBPROCESS

Logins are either INTERACTIVE or NONINTERACTIVE. An interactive login is made in a series of steps in which the user provides information. In a noninteractive login the system performs all the functions needed, without any user interaction. The different types of interactive and noninteractive logins follow:

LOCAL         interactive
DIALUP        interactive
REMOTE        interactive
NETWORK       noninteractive
BATCH         noninteractive
DETACHED      depends
SUBPROCESS    noninteractive

A local login is performed by users from a terminal connected directly to the central processor, or to a terminal server that communicates directly with the central processor.

Dialup logins are when you log in from a terminal that uses a modem to make your connection to the system.

Remote logins are when you log in to a node over the network; you request that node by entering the DCL command SET HOST. This login is known as a remote login. The node you reach immediately asks you for a user name and password.
Network logins are performed for you when you access files stored in a directory on another node, or when you initiate some other type of network task on a remote node. When you wish to copy files or messages, you specify the desired node and an optional access control string, where the access control string includes your user name and password for the remote node. An example is below:

$DIRECTORY PARIS"CRAND password"::WORK2:[PUBLIC]*.*;*

In the above example, user CRAND has an account on remote node PARIS and enters the command to get a directory listing of all the files in the [PUBLIC] directory on disk WORK2.

Proxy logins are very good for security, and the reason is this: when using proxy logins you never enter a password, the system does this for you automatically. Your password is never echoed back to you, and passwords are never exchanged between systems. And finally, proxy logins keep all passwords out of the places where budding young hackers might be looking, like the root or in command files.

Batch logins are quite useful for doing things on a VMS system. For instance, you could have a program that would activate the payroll program after 7:00pm (assuming that you have modified the payroll program); you could set the time to whatever you want. Or suppose you have set up a time bomb:

SUBMIT/AFTER=19:00 PAYROLL.COM

When the time comes, your user account is logged and a record is kept. So if you are modifying programs, make sure that you erase all logs and such.

Logging in is an important part of the system, for if you can not log in, then you can not complete jobs, perform tasks, and such other things. All ports and terminals should be monitored frequently and any problems noted. Never assume that something is ok; check all problems and questions, and refer to the manuals and DEC personnel for assistance.

$_Passwords

There are several types of passwords on a VMS system. Most users need to provide a USER PASSWORD when they log in.
Some users also need to provide a system password to gain access to a particular terminal before logging in with their user password. Users on systems with high security requirements need to provide PRIMARY PASSWORDS and SECONDARY PASSWORDS.

When you assign a password, the VMS operating system applies a ONE-WAY ENCRYPTION ALGORITHM to all passwords as it stores them. Encryption refers to a method of encoding information in an effort to conceal it. ONE-WAY ALGORITHMS DO NOT USE A KEY. Thus, if a user obtains the encryption algorithm and the encoded password, that user COULD DEDUCE the actual password only by trying all possible input values. So in English: it IS possible to reproduce the password encryption format of the VMS system. Remember this: if you use an English dictionary word as your password, it will then be possible to get the password. It may take some time, but it is possible. The problem is this: most system managers are trying to get users either to use NON-ENGLISH words or to use the /GENERATE password format, which will generate your password automatically.

System passwords control access to particular terminals and are required at the discretion of the security manager. They are necessary to control access to terminals that might be targets for unauthorized use, such as dialups and public terminal lines.

Often when an account is set up your first name is used as the password, and from there it is up to YOU to change your password, unless your account has the LOCKPWD flag set, which means that you can NOT change your password.

Common passwords are as follows:

  Your name
  Name of a family member or loved one
  Name of a pet
  Favorite automobile
  Name of hometown
  Name of a boat (or YOUR boat)
  Any name associated with work, such as company, projects, or groups
  And any other item that bears a strong personal association to you

The above list is the most common that people use.
The problem with a person creating a password is that your mind works in such a way that you think you pulled out a word that, to you, is random, but to someone else it suits you just perfectly. So when creating accounts, you should use the /GENERATE command, which would just about eliminate any chance of a password that reminds someone of you.

When creating passwords, you must do the following:

$SET PASSWORD
Old password:
New password:
Verification:

If you do not complete the correct sequence, it will not take; also, if you are under the minimum length for your password, the system will automatically tell you.

If you want the system to automatically generate passwords, just do the following:

$SET PASSWORD/GENERATE=8
old password:
apsjawpha     aps-jaw-pha
oorsoult      oor-soult
guamixexab    gu-a-mix-ex-ab
impsapoc      imps-a-poc
ukchafgoy     uk-chaf-goy
Choose a password from this list or press RETURN to get a new list
New password:
Verification:
$

The above shows only five passwords to choose from, and the system gives you the syllable version of the same word to the right. Most people will take the syllable version, 'cause it's easier (meaning if you picked oor-soult, your password would be OORSOULT, not OOR-SOULT).

If your account has the flag PWDLIFETIME=30, your password would then expire 30 days from the date it was issued. You will be notified when your password is due with the following message:

WARNING -- Your password expires on Thursday 30-SEP-1990 15:00

If your account is set with /GENERATE=xx, then you will automatically be shown your list of five words to pick from. If you do not have /GENERATE=xx, then you will be prompted for your new password only. Make a note: if you are EVER asked to change your password, do it. For if you lose access to the system, you must get the system manager to restore your password privileges to you.

You are encouraged to add digits to your passwords, for that will increase the combinations of letters.
For example:

  Six character password using letters equals out to 300 million combinations.
  Six character password using BOTH letters/numbers equals out to 2 billion!

You can have secondary passwords as well as primary passwords, so if you run into one, it will look like this:

NIA .. VMS Version 5.0

Username: Guardian of Time
Password: xxxxxxxx
Password: xxxxxxxxxx

If you wish to add a secondary password to your account, do the following:

$SET PASSWORD/GENERATE=8/SECONDARY

That will generate a password of eight characters in length, and it will be the secondary password. It is suggested that with system accounts, or accounts with full privileges, you use a secondary password, and use the /GENERATE=xx modifier; that way your password would be next to impossible to hack. Also remember that with two passwords you have about fifteen to thirty seconds to enter the password; if not, the system will automatically log you off.

Some Password Tips:

  Select reasonably long passwords that cannot be easily guessed.
  Avoid using words in your national language that would appear in a dictionary.
  Consider including digits in your passwords.
  Alternatively, let the system generate passwords for you automatically.
  Never write down your password. You should have it memorized.
  Give your password to other users only under special circumstances. Change it immediately after the need for sharing has passed.
  Do not include your password in any file, including the body of an electronic mail message.
  Before you log in to a terminal that was already turned ON, invoke the secure terminal server feature (if it is enabled) with the BREAK key.
  Unless you share your password, change it every three to six months. DIGITAL warns against sharing passwords (don't we all?). If you share your password, change it immediately.
  Change your password immediately if you have any reason to suspect it might have been discovered. Report such incidents to your security manager.
  Do NOT use the same password for your accounts on multiple systems. But some dummy always will, and they get what they deserve.

$_Account Expiration Times

When your account is created, the security manager may decide to specify a period of time after which the account will lapse (for example, if you will only need the account for a specific purpose for a limited time). At universities, student accounts are typically authorized for a single semester at a time.

Expired accounts automatically deny logins. Users receive NO ADVANCE WARNING message prior to the expiration date, so it IS important to know in advance what your account duration will be. The account expiration resides in the UAF record, which can be accessed and displayed only through the use of the VMS Authorize Utility by users with the SYSPRV privilege or equivalent -- normally your system or security manager. When your account expires, you receive an authorization failure message at your next attempted login. If you need an extension, follow the procedures defined at your site.

$_Break In Detection

VMS is nifty in this regard: the system will automatically (if enabled), after x number of hack attempts, disable that account for a period of time. So even IF you got the password, after x number of attempts the system will continue to log you off. The format could look something like this:

Username:NIA
password:files
User Authorization Failure
Username:NIA
password:text
User Authorization Failure
Username:NIA
password:magazine
User Authorization Failure
Username:NIA
password:textfile            <- Correct Pw, but since it detected 3 Hack Attempts
User Authorization Failure   <- The system will NOT let you on.
Username:

The time before you could actually log back on is determined by the security manager, and it could be one hour, one minute, two days, three weeks, whatever the manager decides.
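The lockout behaviour described above, as an added simulation (not code from the NIA file or from VMS itself): wrong passwords are counted per username, the account is evaded once the threshold is reached, and even the correct password is refused until the evasion period runs out. The threshold of 3, the one-hour period and the NIA/textfile account are taken from the text's example and are constructed demo values, not site settings.

```python
"""Simulation of VMS-style break-in detection (added example).
A wrong password is one "hack attempt"; at FAILURE_THRESHOLD attempts the
account is evaded for EVASION_SECONDS and nothing logs in, correct password
or not, until the period expires. Real VMS also keys evasion on the source
terminal; this demo tracks usernames only."""
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 3      # constructed: "3 Hack Attempts" from the text
EVASION_SECONDS = 3600     # constructed: "one hour" from the text

@dataclass
class BreakInDetector:
    accounts: dict                                    # username -> password (demo only)
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    evaded_until: dict = field(default_factory=dict)  # username -> time evasion ends

    def attempt(self, username: str, password: str, now: int) -> str:
        """Process one login attempt at time `now` (seconds) and return the result."""
        # Evasion is checked first: during the period every attempt fails,
        # which is why the correct password in the text was still rejected.
        if now < self.evaded_until.get(username, 0):
            return "User Authorization Failure"
        if self.accounts.get(username) == password:
            self.failures[username] = 0
            return "LOGGED IN"
        # Wrong password: count it and start evasion at the threshold.
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= FAILURE_THRESHOLD:
            self.evaded_until[username] = now + EVASION_SECONDS
            self.failures[username] = 0
        return "User Authorization Failure"

def replay_from_text():
    """Replay the four attempts shown in the text, then retry after the period."""
    det = BreakInDetector(accounts={"NIA": "textfile"})   # constructed account
    results = []
    for t, guess in enumerate(["files", "text", "magazine", "textfile"]):
        results.append(det.attempt("NIA", guess, now=t))
    # Once the evasion period has passed, the correct password works again.
    results.append(det.attempt("NIA", "textfile", now=EVASION_SECONDS + 10))
    return results

if __name__ == "__main__":
    for r in replay_from_text():
        print(r)
```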
$_Network Considerations For Security

When switching nodes you have to have an account (unless it's public and open to whoever). The following example is logging into another node:

NODE"username password"::disk:[directory]file.typ

The problem with this type of sequence is that you must type the password on the screen, and if anyone happens to be standing by you, they will see your password, your node and what directory. Also watch out for placing your string into a command file or any text or message, because if it can be read, it will be.

A proxy login allows users to access files across a network without specifying a user name or password in an access control string. This is what a proxy login would look like:

$COPY WALNUT::BIONEWS.MEM BIONEWS.MEM

What the above did was contact node WALNUT, request BIONEWS.MEM and copy it back to the original system. Notice that NO passwords were exchanged visibly, so you wouldn't have to worry about password stealing. Also note that BOTH nodes MUST have a proxy ACCOUNT; if they don't have one, then you're out cold.

Also remember that you will need to erase the RECALL buffer, because if you do not do so, another user would be able to view all of your previous commands. That is ONLY if you are still CONNECTED to the system; once you log off, the RECALL buffer is erased automatically. Remember that RECALL can "recall" up to twenty previous commands. If you want to see all of what RECALL has in store, just type RECALL/ALL and it will list the last twenty commands, and a mischievous person could acquire your passwords that way.

$_Logging Out Of A System

When you leave your terminal/system unlocked or online, someone else could walk in and pick up where you left off; also, if you have SYSPRV, then that person could actually start creating accounts, and you wouldn't know it.
So make sure that when you leave your office you LO/FULL, and make sure that you note the time/date that you were online, shut your system off and lock the door on the way out (unless you can't).

At high-security sites, it is common practice to turn off your video terminal every time you log out, because the logout message reveals a currently active user name. When users log off after a remote login, the name of the node they return to after the remote logout is also revealed. When a user has accessed multiple accounts remotely over the network, the final sequence of logout commands reveals all the nodes and the user names that are accessible to the user on each node, with the exception of the name of the furthest node reached. To those who can recognize the operating system from the prompt or a logout message, this will also reveal the operating system, and thus that person could deduce, if he has sufficient programming skills, what your system is, and maybe even, depending on whether you were careless with your password, be able to hack back onto the system.

When logging out of a hard copy terminal, make sure that all printouts are ripped off and shredded, burned, trashed or whatever your current site specifies. Printouts should NEVER be thrown away, since people go through trash; they can easily get it back out and have a hard copy of what you were doing, what accounts might have been created and what passwords were set up. YOUR passwords are not displayed when you enter one, but if you were modifying user accounts it is possible to have them on the printout.

On dialups, it is possible to log out and have the phone line NOT disconnect. There is a special flag that must be added to your account, and that flag is PERMANENT/HANGUP. To activate it, you must do the following:

$SET TERMINAL/PERMANENT/HANGUP

You will have to specify your terminal number or name, or port name; that way the system will know how to react.
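The access control strings warned about under Network Considerations above (NODE"username password"::filespec) leave a clear-text password wherever the command is stored: a command file, a mail message or the RECALL buffer. As an added example (not code from the NIA file), this scanner finds such strings in saved command lines, reports them without repeating the password, and rewrites them to the proxy form NODE::filespec. The sample command-file lines are constructed.

```python
"""Find DCL access control strings that embed a password (added example).
Run it over .COM files, saved mail or RECALL/ALL output; a hit means a
clear-text password is stored and a proxy login should replace it."""
import re

# NODE"user password"::  -> node, user and password captured separately.
# The proxy form NODE::filespec carries no quoted string and does not match.
ACS_RE = re.compile(r'\b([A-Z0-9_$]+)"([^"\s]+)\s+([^"]+)"::', re.IGNORECASE)

def find_embedded_credentials(lines):
    """Return (line_no, node, user) for each line with a password-bearing
    access control string. The password is deliberately not returned, so
    the report itself does not become another copy of it."""
    hits = []
    for no, line in enumerate(lines, start=1):
        # A commented-out command ('$!' or '!') still leaks, so comments are scanned too.
        for m in ACS_RE.finditer(line):
            node, user, _password = m.groups()
            hits.append((no, node.upper(), user.upper()))
    return hits

def redact(line):
    """Rewrite NODE"user password"::spec to the proxy form NODE::spec."""
    return ACS_RE.sub(r'\1::', line)

# Constructed sample command file mixing proxy and password-bearing lines.
SAMPLE_COM = [
    '$ SET NOON',
    '$ COPY WALNUT::BIONEWS.MEM BIONEWS.MEM              ! proxy login, nothing stored',
    '$ DIRECTORY PARIS"CRAND password"::WORK2:[PUBLIC]*.*;*',
    '$! old: COPY ELM"OPS oldpw"::SYS$LOGIN:A.COM A.COM',
    '$ SUBMIT/AFTER=19:00 PAYROLL.COM',
]

if __name__ == "__main__":
    for no, node, user in find_embedded_credentials(SAMPLE_COM):
        print(f"line {no}: password for {user} on node {node} is stored in the command file")
    print("sanitized copy:")
    for line in SAMPLE_COM:
        print(redact(line))
```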
$_Common Commands:

DIRECTORY ( or DIR )
LO/HANGUP
MODIFY username/PWDLIFETIME=29-15:00    (29 days, expires at 3:00pm)
MODIFY username/GENERATE=8
PERMANENT/HANGUP
RECALL/ERASE
SET PASSWORD
SET PASSWORD/GENERATE=8
SET PASSWORD/SECONDARY/GENERATE=10

Note that the MODIFY command must be used in the UAF file (User Authorization File).

Guardian Of Time
Judge Dredd

Ignorance, There's No Excuse.

For questions or comments write to:

Internet: elisem@nuchat
Fidonet:  1:106/69.0 or NIA FeedBack
          P.O. Box 299
          Santa Fe, Tx. 77517-0299
[OTHER WORLD BBS]