A beginner's guide to data, computer and network security

Ronja Addams-Moring, 36750E, TiN
4th November 1997

Home assignment # 7 of 11
Course Tik-110.300 Telecommunication architectures, Fall term 1997

Helsinki University of Technology



Introduction

The intended audience and scope of this essay

This essay is primarily intended as a practical starting point for those students, faculty and guests at Helsinki University of Technology (HUT) who at the moment find the Finnish language in the Computing Centre (CC) guide "Tietoturva TKK:ssa" too demanding. However, I hope that this essay could be useful for others, too. Any English speaker who wishes to get started with issues concerning data, computer and/or network security and has little prior knowledge of this area should be able to benefit from this text, especially from the References and the Link list.

This essay discusses almost exclusively issues related to UNIX computers and TCP/IP networks, often in relation to how things are currently done in the HUT CC campus network (HUTnet). Some short references to Windows 3.1 and Windows 95 based PCs might also be made, but this is definitely not a text on PC security.

Why I wrote this essay

Firstly, I could not find a practical beginner's guide on security issues in English on the Web when a friend needed one. I did find one general tutorial on basic security concepts and issues, though. The searches were done between 22nd October and 3rd November 1997, first in the hut.fi area, then covering "the whole world". Yahoo, HotBot and AltaVista were all used with several variations of the basic search expression: "(guide or tutorial or beginner) and (data or computer or network) and security".

Secondly, I need to write an essay for my course this week, too. So why not try to get two flies with one blow. As this is a weekly home assignment it is not a complete presentation of the subject of security. However, the References and the Link list seem to have turned out rather nicely. All that Web searching gave something, even if it was not exactly what was originally sought.

Note! If you know of any other documents like this or have other comments, please send me email.

Why should I care about security, anyway?

It is easy to claim that one does not need to worry about computer security, if one does not have anything to hide. By this is often meant that if you are not doing anything questionable and/or the data you have on a computer is not sensitive or valuable, you would not need to "waste your energy" on "being paranoid". Before I became a student of computer networks, I, too, was inclined to buy this argument.

However, over the years I have come to believe that all arguments which are based on the assumption that the innocent and honest do not need any formal or technical protection are plain wrong. Such arguments grossly oversimplify complex issues about our computer networks - and about our communities.

In computer networks, there are at least four basic issues to consider when one tries to assess the need for security measures. The first is the question of how important the information you have on a computer is for you personally, for your group or your laboratory. How much labor would go into reproducing the information if it was destroyed? How big an inconvenience would it be if the information became inaccessible for some length of time? How much damage could result from the information being tampered with, say, altered without your knowledge? [1]

The second big issue is whether you can put others at risk by following relaxed security practices yourself. In a multi-user multi-computer environment, such as the HUTnet, the answer is always an emphatic yes. If an intruder gets hold of one account on one computer, they can use it as a stepping stone to attack other accounts in the same computer or other computers reachable through the network. Any computer is only as strong against attacks as its most weakly guarded user account or service. [2]

The third issue, which is especially important in large organizations such as HUT, is who owns and controls the equipment you use. Do you know those people and how much do you trust them? Computer administrators are required by Finnish law, as well as the legislation of the EU and other areas of the world, to work ethically - but so are politicians, bank clerks and judges, too. Yet we have seen that every once in a while one of them can slip. So blind trust in unknown people is seldom likely to be a wise policy. [3]

The fourth issue is akin to the third. Who else uses the computer or the network you are using? Do you know those people and how much do you trust them? Could some other user be curious about, say, your email and try to get to read those files? What about files containing next week's exam questions? Or could someone try to copy your link list for an essay or your program code to get easier points on a home assignment? If they succeeded, could they get you in trouble?

Your personal answers to these questions will naturally vary depending on what your role is at a given time and what kind of data you are handling. In my opinion, though, it would be short-sighted if you did not consider them at all.

Detailed examples of risks related to data, computer and network security are well covered in, for example, the Stoll and Garfinkel books, the Langley guide and RFC 1244. They are warmly recommended for further study.

Basic security tools, measures and mechanisms

"Static" passwords and the file protection mechanisms in UNIX are your two most basic and best standardized security tools. That is why they are presented more in depth in this guide than the other tools.

Passwords

Passwords are one of the oldest security measures on multi-user computers. They can be compared with a key or a passport: an active user id (login) together with the correct password for it is enough to convince your generic UNIX computer. It will allow the person or program presenting this electronic ID to log on and use the full privileges of the user in question. [4]

When using the computers on HUTnet, you might have several "static" passwords, i.e. passwords you change yourself. These "static" passwords might include (but are by no means limited to):

These "static" passwords are usually relatively long-lived. For example, the HUT CC expects you to change your general purpose computers' password every six months. You should therefore choose your passwords with care. In six months' time it is quite possible to crack a poor quality password, either by guessing (based on information about you personally) or by systematically going through word lists.

A good password fills all the following criteria [4, 5, 6]:

Note that a bad password does not become noticeably better by any of the following letter or syllable replacements:
1 = i or L, 2 = Z, 3 = E, 4 = A, 5 = S, 6 = G, 0 = O,
4 = "for", 2 = "to" or "too", 8 = "ate" or "eigh"

In short: use passwords with lower case and UPPER CASE letters and numbers mixed. You may also throw in some punctuation character(s) - but do choose them from the ones that can easily be found on most keyboard layouts, for example: , . ! # % [5].
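The two rules above (replacements do not rescue a dictionary word, and a password should mix lower case, UPPER CASE and numbers) can be checked mechanically. The following script is an added example, not part of the original essay; the word list, the sample passwords and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-check a candidate password against the two rules above.
# WORDS is a tiny constructed word list; a real check would use a full dictionary.
WORDS="password
helsinki
hello
today
forest"

# Succeed (exit 0) if the password is a listed word once the replacements are
# undone. Three readings are tried: 1 as "i", 1 as "l", and the syllable forms.
is_dictionary_word() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    with_i=$(printf '%s' "$lower" | tr '1234560' 'izeasgo')
    with_l=$(printf '%s' "$lower" | tr '1234560' 'lzeasgo')
    with_syl=$(printf '%s' "$lower" | sed 's/4/for/g; s/2/to/g; s/8/ate/g')
    printf '%s\n' "$WORDS" | grep -qxF -e "$with_i" -e "$with_l" -e "$with_syl"
}

# Succeed if lower case, UPPER CASE and numbers are all present.
has_mixed_classes() {
    case "$1" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$1" in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# Print a verdict; exit status 0 means the password passed both checks.
check_password() {
    if is_dictionary_word "$1"; then
        echo "weak: a dictionary word once the replacements are undone"
        return 1
    fi
    if ! has_mixed_classes "$1"; then
        echo "weak: mix lower case, UPPER CASE and numbers"
        return 1
    fi
    echo "passes both checks"
}

# Constructed sample passwords.
for pw in 'P4ssw0rd' 'He110' '2day' 'sunshine' 'kT7#mq2Vx'; do
    printf '%-10s %s\n' "$pw" "$(check_password "$pw")"
done
```

Passing both checks only means the password avoided these two mistakes; it does not replace the full list of criteria.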

Here are a few examples of methods which, combined with the above described letter or syllable replacements and/or some inserted numbers or punctuation marks, produce good quality passwords [4, 5, 6]:

File and directory protection in UNIX

In UNIX, unlike many personal computer operating systems, you have a home directory, a place of your own in the computer's directory tree (often called "file system"). This is the place where you end up when you log on to the computer and where all your files and subdirectories are stored, unless you explicitly tell the computer to do otherwise.

To see what you have under your home directory, type the command "ls -la" in one of the CC UNIX computers (alpha, beta, gamma, delta, vipu, oboe, kantele, setri, kastanja, safiiri or other). The output should resemble this:

  
  gamma ~ 14 % ls -la
  total ...
  drwx------  23 yourid    users       8192 Nov  4 21:58 .
  drwxr-xr-x 141 root      users       8192 Oct 13 11:05 ..
  -rwx------   1 yourid    users       1814 Sep 18 17:44 .cshrc
  -rw-------   1 yourid    users       3043 Nov  4 21:44 .history
  -rwx------   1 yourid    users        351 Mar 23  1993 .login
  drwx------   2 yourid    users       8192 Oct 31 15:56 .netscape
  -rw-r--r--   1 yourid    users      10351 Oct 20 15:18 .pinerc
  -rw-r--r--   1 yourid    users       1073 Sep 18 18:01 .plan
  drwx------  38 yourid    users       8192 Nov  3 16:08 mail
  drwx------   2 yourid    users       8192 Sep 10 16:03 News
  drwxr-xr-x  11 yourid    users       8192 Oct 23 20:09 public_html
  -rw-------   1 yourid    users      21167 Sep 12  1996 topi.log
  gamma ~ 15 %
  
where "yourid" is your user name (your login). The name of the file or directory is always the last "word" on a line.

The first 10 characters on each line of output (for example: "drwxr-xr-x") tell you each file's or subdirectory's mode. The first of these 10 characters tells you whether the object is a directory "d" or a file "-". The next 9 characters are actually three groups of three characters each (rwx) which tell the rights different users of the computer have to that file or directory.

The characters from second to fourth report what rights you have yourself. The next three are related to the group (in the example above "users") and the last three describe what "others" (not you nor your group) may do with that file or directory. Within these groups of three:

So, in the example above, as the rights on the first line are "drwx------", only the user in question may look into her/his home directory. Nobody else may do anything within this user's home directory. (The current directory is called "." ).

In this case, however, this seems rather counterproductive, because the user in this example appears to have intended some material to be world-readable. Yet that material cannot be seen if the home directory is "closed".

The file ".plan" has the mode "-rw-r--r--", meaning that the user may read and write it and both the group members and others may read it (but not write). The subdirectory "public_html" has the mode "drwxr-xr-x" meaning that everybody (user, group and others) may read the contents and even the contents of the sub-subdirectories under "public_html", if there are any, but the user is the only one who may write (change) the directory.

To change the mode of a file or directory, one uses the command "chmod". The "chmod" command takes as its first argument a three-part character combination, where the first character is one of four letters: u, g, o or a (for "user", "group", "other" or "all", respectively), the next is either + (to add rights) or - (to limit rights) and the last is one of the mode characters, r, w or x. As its second argument "chmod" needs the name of the file(s) or directory/ies to change the mode of.

For example, if this user wants her/his .plan file to show when others use the "finger" command on her/him, or wishes to have a home page on WWW, (s)he should alter her/his home directory mode. The command would be "chmod a+x ~", adding the right to execute (access) the home directory ("~" for short) for all.

On the other hand, after making that change, (s)he may feel that it is unnecessary to let anyone else see what the email program's control file ".pinerc" contains. So (s)he can give the commands "chmod g-r .pinerc" and "chmod o-r .pinerc" to take away the right to read from both group and other.
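The walkthrough above can be replayed safely in a scratch directory instead of a real home directory. The following script is an added example, not part of the original essay; the function names are hypothetical, and the octal arguments used to set up the starting modes are standard "chmod" syntax that this guide does not cover.

```sh
#!/bin/sh
# Added example: replay the chmod walkthrough in a scratch directory that stands
# in for the home directory (assumption: mktemp -d is available).

# Print the 10-character mode string, as in the first column of "ls -la".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed if "others" can read file $2 in directory $1: they need x on the
# directory (character 10 of its mode) and r on the file (character 8).
others_can_read() {
    dir_x=$(mode_of "$1" | cut -c10)
    file_r=$(mode_of "$1/$2" | cut -c8)
    [ "$dir_x" = "x" ] && [ "$file_r" = "r" ]
}

# Build the scratch directory with the modes from the listing and print its path.
make_scratch_home() {
    home=$(mktemp -d) || return 1
    : > "$home/.plan";   chmod 644 "$home/.plan"      # -rw-r--r--
    : > "$home/.pinerc"; chmod 644 "$home/.pinerc"    # -rw-r--r--
    chmod 700 "$home"                                 # drwx------
    printf '%s\n' "$home"
}

# The three commands from the text, applied to the scratch directory.
apply_walkthrough() {
    chmod a+x "$1"            # "chmod a+x ~"
    chmod g-r "$1/.pinerc"
    chmod o-r "$1/.pinerc"
}

# Print mode, name and verdict for the two files discussed in the text.
report() {
    for f in .plan .pinerc; do
        if others_can_read "$1" "$f"; then verdict="readable by others"
        else verdict="not readable by others"; fi
        printf '%s %-8s %s\n' "$(mode_of "$1/$f")" "$f" "$verdict"
    done
}

scratch=$(make_scratch_home)
echo "before: $(mode_of "$scratch") home"; report "$scratch"
apply_walkthrough "$scratch"
echo "after:  $(mode_of "$scratch") home"; report "$scratch"
rm -rf "$scratch"
```

Before the commands, ".plan" is world-readable by its own mode but unreachable through the closed directory; afterwards the directory is "drwx--x--x", ".plan" is reachable and ".pinerc" is private.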

If you want to learn more about the "ls" and "chmod" commands, you can type the command "man ls" or "man chmod" in one of the CC UNIX computers, or, if you prefer a less technical approach, consult some UNIX tutorial.

Other security tools

The more advanced security tools are described briefly, with references to further information.

One time passwords - the s/key system at HUT

It is possible to use one-time passwords when logging onto the HUT CC computers, for added security if you are abroad, for example. However, the instructions only exist in Finnish at the moment [7].

If you need one-time passwords, you can visit the Computing Centre's User Services in room U133 in the Main Building. It is open from Mon-Fri 8.00 AM to 3.45 PM. [8]

Note! If you use one-time passwords, your further connections are not secure. Never use any service that requires a "static" password during a one-time password based session.

Secure remote connections with ssh, slogin and scp

A much more secure way to connect to remote computers, provided that they are also running the programs in question, is to use the SSH programs.

From the HUT CC computers, you can securely use remote computers with the command "ssh host" where "host" is the name of the computer you want to contact. You can also securely copy files from one computer to another over the net with the command "scp sourcefile targetfile" where the syntax of the source and target file names is somewhat more complicated than with the normal "cp" command. You can also securely log onto remote computers, the command is "slogin host".

For further information on ssh, consult the manual pages "man ssh", "man scp" or "man slogin", or, if you prefer a slightly less technical approach, consult the SSH related links in the link list.

Encryption of files and email with PGP

PGP ("Pretty Good Privacy") differs from both s/key and the ssh product family in that it does not secure your connection to a computer, but instead the files that reside on the computer and thus also the messages (e.g. email) composed of such files.

Like s/key, and unlike the ready-to-use ssh (on the HUT CC UNIX computers, that is, where ssh is pre-installed), PGP requires you to take certain steps before you can use it. Most pressingly you will need to create your own public and secret encryption keys and plan on how to keep your secret key(s) safe.

The good news is that there are relatively easy-to-use on-line guides. Consult them and try out PGP's help function with the command "pgp -h".

Final words of encouragement

By now you may have the impression that this security business is only a mess of WWW links and that there are just too many things to learn. Relax. Take your time. Even if you learn nothing else from this document except to use good passwords and adequate file protection, you are still very likely to be much better off than before.

You don't have to learn everything about computer security today or even this week. Most of us aren't able to take in huge amounts of information quickly so that the new knowledge also becomes useful skills in the process (I certainly am not). But if you make a habit of regularly seeking out and coming back to security related Web sites, books, courses and newsgroups, you will steadily accumulate your knowledge and understanding.

A basic understanding of computer network security is fast becoming one of the equivalents to reading and writing skills for the 21st century. Good luck in claiming your part of the global information society!

The link evaluation scales explained

The links in the References and the Link list below have all been evaluated for both their content quality and their intended audience.

The content quality has been judged on a five star scale based on three quality factors (QF) approximately like this:

The intended audience has been judged based on what seems to be the level of expertise required of the person studying the material behind the link. The levels used are: beginner, user, advanced user and administrator/expert.


References

[1] Langley Research Center and the University of Virginia's School of Commerce, 28 April 1995
"Langley Data Security Training Tutorial"
<http://sunkj.larc.nasa.gov/tutorial/security.fix/homepage.html>
A good, in places theoretical introduction to the concepts of data security. Includes a couple of broken links, though
*** / beginner - advanced user

[2] Cliff Stoll, 1989
"The Cuckoo's Egg - Tracking a Spy Through the Maze of Computer Espionage"
Pocket Books, ISBN 0-671-72688-9
Old but good - reads like a detective story yet more informative than many an educational publication
**** / beginner - admin/expert

[3] Simson Garfinkel, 1995
"PGP: Pretty Good Privacy"
O'Reilly & Associates Inc, ISBN 1-56592-098-8
All you ever thought of asking about PGP. Well written, too, and the history of PGP is quite enlightening. Not very new, though.
**** / beginner - admin/expert

[4] P. Holbrook and J. Reynolds, July 1991
"RFC 1244 - Site Security Handbook"
<ftp://ftp.funet.fi/pub/standards/RFC/rfc1244.txt>
A guide for security in e.g. a company network. Technical and long, very authoritative
**** / user - admin/expert

[5] Kai Vorma, 20 May 1997
"Tietoturva TKK:ssa" (In Finnish)
<http://www.hut.fi/Yksikot/ATK/oppaat/tietoturva/>
A general data security guide, clear and concise
***** / beginner - admin/expert

[6] Jukka Korpela, 14 April 1997
"Unix-opas" (In Finnish)
<http://www.hut.fi/Yksikot/ATK/oppaat/unix/9.3.html>
A general UNIX guide, clear and concise
***** / beginner - advanced user

[7] Personal communication from the HUT CC customer service personnel, 30 October 1997

[8] Jukka Korpela and Raija Kukkonen, 7 June 1997
"Palvelupisteet ja yhteystiedot" (In Finnish)
<http://www.hut.fi/Yksikot/ATK/oppaat/asiakkaan/12.1.html#aspalv>
Where and when you can find the HUT CC customer service personnel
(link not scaled - no technical information)

Link list

Information about the Internet

UNIX tutorials

Information on WWW

Information on SSH

Information on PGP

General security information

Finnish legislation

Search engines


Ronja Addams-Moring <ronja@iki.fi>
http://www.iki.fi/~ronja/
