Security



  1. Terminology
    ASCII
    The American Standard Code for Information Interchange. A coding that assigns numerical equivalents to printable letters and numbers.

    back door
    A form of access to data aside from the normal process that bypasses security checks or decryption.

    CERT
    The Computer Emergency Response Team, formed after the Internet worm attack in 1988. The center is at Carnegie Mellon University. It was founded to coordinate security response and increase security awareness, and it acts as a kind of clearinghouse for security vulnerabilities.

    cipher
    A system for concealing the meaning of a message by rearranging the letters and/or substituting some letters with others.

    ciphertext
    A message that has been encrypted so that it cannot be easily understood by anyone other than the intended recipient.

    Clipper chip
    A sophisticated, high-speed encryption chip designed by the National Security Agency. A Clipper chip encrypts data with the Skipjack algorithm. Clipper-encrypted communications can be decrypted by law enforcement agencies or others who possess the chip's secret key.

    code
    A system for substituting letters or words in a message with a predefined set of symbols found in a codebook.

    codebook
    A book or table for defining a code.

    Denial of service
    A denial of service (smurf) attack generates a large amount of bogus traffic for a web site so that the site is unable to respond to legitimate traffic.

    DES
    The National Bureau of Standards Data Encryption Standard. A government standard of encryption that is approved for use with all unclassified data.

    encryption
    A method of scrambling data in an organized fashion so that it is not understandable. Usually based on one or more keys that are also used in the reverse process (decryption).

    File permissions
    A binary number associated with a file that allows read, write and execute permission to various users.

    Hacker
    Originally, anyone addicted to computers (i.e., anyone who stayed up till 4 a.m. programming for the fun of it). The term has come to mean anyone who spends a lot of time trying to break systems' security. A.K.A. spooks, intruders, bad guys, crackers. Hackers can be classified as tourists, collectors and vandals. Only a small percentage of hackers have a deep understanding of technology at a basic level. These write programs or exploits (hacking tools) that are used by the vast, talentless group of hackers called script kiddies.

    IDEA
    The International Data Encryption Algorithm, developed in Switzerland, which uses a 128-bit key.

    National Security Agency
    A branch of the U.S. Department of Defense, which is charged with making codes for the U.S. and breaking codes used by other countries.

    Password
    Protective word associated with a user name. A user logging in to the system must supply the correct password before the system will permit access.

    plaintext
    A message that can be easily read and understood.

    PGP
    Pretty Good Privacy, a program written by Phil Zimmermann, which performs public-key/private-key cryptography.

    secure kernel
    An operating system that is provably secure, according to Department of Defense standards. Several versions of secure UNIX kernels exist, but their performance is an order of magnitude worse than the System V kernel.

    Set-uid bit
    A bit within the permissions of an executable file that gives the file the permissions of its owner rather than the permissions of the user who called it.

    steganography
    The science of hiding messages in messages. Microdots are an example of this. In the computer world, steganography has come to mean hiding secret messages in graphics, pictures, movies or sound.

    Superuser
    A person logged in under the special name root who is automatically granted permissions to access any file and to carry out other operations not permitted to ordinary users. The purpose of having a superuser is to provide a mechanism for carrying out essential maintenance activities that ordinary users are not permitted for security reasons.

    Trojan Horse
    A program that simulates some action (such as playing a game) while doing something else, such as introducing a virus into a system.

    Virus
    A program that can "infect" other programs by modifying them to include a (possibly evolved) copy of itself. At some time an event will trigger the virus to carry out its purpose, which is usually malicious. There are three primary categories of viruses: file infectors, boot-sector viruses and macro (interpreted) viruses.
    • file infectors - for a long time the most common. They attach themselves to program files. When a user runs an infected application the virus is also run. Most of these are extinct in the wild.
    • boot-sector viruses - reside as part of the OS and are loaded when the system boots. While common in Windows 3.1 they have died off with newer systems starting with Windows 95.
    • macro viruses - infect data files rather than programs. A common macro virus would be a macro in a mail file that runs when the user opens the mail. Macro viruses are the future. All of the fast spreading Internet viruses are macro viruses.
    The writing of anti-virus software is a bigger business than writing viruses.

    worm
    A computer program which replicates itself. The Internet worm was perhaps the most famous; it successfully (and accidentally) duplicated itself on systems across the Internet.


  2. Passwords
    The password scheme on UNIX is the first line of security. Its main function is to keep unauthorized users from accessing the system.



    1. Passwords are encoded using the DES (Data Encryption Standard).

    2. Passwords are kept in /etc/passwd, which can be read by anyone. The passwords are kept in encrypted format.
      kochis:JzYn32g/oVYJI:1123:50:Allan S. Kochis:/home/kochis:/bin/csh
      
      The password is the second entry. In this scheme it is difficult if not impossible to derive the password from its encoded format.


    3. However, passwords can be guessed. The table below gives the number of combinations a brute-force attack must try to exhaust all passwords of length n, for character sets of different sizes.
      n      Possible selection of characters
             26          36          62           128
      1      26          36          62           128
      2      325         639         1,891        8,128
      3      2,600       7,140       37,820       341,376
      4      14,950      58,905      557,845      10.668M
      5      65,780      376,992     6.471M       264.566M
      6      230,230     1.947M      61.474M      5.423T

      So the larger the universe, the less exposure. If we check 1 password per second (very slow), then checking all the combinations of 6 characters drawn from a set of 128 would take about 171 years! However, supercomputers are approaching speeds of 1 nanosecond per operation. If it takes 10 operations to check a password, our time would be reduced to 15 hours!


    4. Except that we all hate to memorize a list of random digits, so we tend to make our passwords easy to remember, like our name backward, or a certain word. The Internet worm used the technique of first encoding a dictionary and then comparing the result against the encoded passwords in /etc/passwd for matches. In one Bell Labs study of 3,289 passwords:
      • 15 were a single ASCII character.
      • 72 were strings of two ASCII characters.
      • 464 were strings of three ASCII characters.
      • 477 were strings of 4 alphanumerics.
      • 706 were 5 letters either all upper or lower case.
      • 605 were 6 lower case letters.
      • 492 passwords appeared in various available dictionaries, name lists, etc. The dictionary search required 5 minutes to run.

      • 86% of the passwords fell into one of these categories.
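      The Bell Labs categories above, as an added example that is not part of the original handout: a Python check that classifies a list of passwords the same way (single-case letter runs, short ASCII strings, dictionary words or names, including spelled backward) and reports the percentage that fall into one of the categories. The word list and the sample passwords are constructed; a real check would load the system dictionary and the site's user names.

```python
# Constructed word list standing in for the system dictionary and name lists a
# real check would load; the sample passwords further down are constructed too.
WORDS = {"spain", "rain", "plain", "kochis", "secret", "password"}

def weak_category(pw: str, words=WORDS):
    """Return the Bell Labs study category a password falls into, or None."""
    lower = pw.lower()
    if lower in words or lower[::-1] in words:   # a word or name, possibly backward
        return "dictionary"
    n = len(pw)
    if n <= 3 and pw.isascii():
        return f"{n} ASCII character(s)"
    if n == 4 and pw.isalnum():
        return "4 alphanumerics"
    if n == 5 and pw.isalpha() and (pw.islower() or pw.isupper()):
        return "5 letters, all one case"
    if n == 6 and pw.isalpha() and pw.islower():
        return "6 lower-case letters"
    return None

def audit(passwords, words=WORDS):
    """Count passwords per weak category and return (counts, percent weak)."""
    counts = {}
    for pw in passwords:
        cat = weak_category(pw, words)
        if cat is not None:
            counts[cat] = counts.get(cat, 0) + 1
    percent = 100.0 * sum(counts.values()) / len(passwords)
    return counts, round(percent, 1)

# Constructed sample: what a survey of a small password file might look like.
SAMPLE = ["a", "ab", "xyz", "ab12", "hello", "HELLO", "abcdef", "niaps",
          "r7$Kq2!vLp", "Wb#9zTq4mE"]

if __name__ == "__main__":
    counts, percent = audit(SAMPLE)
    for cat, count in sorted(counts.items()):
        print(f"{count:3d}  {cat}")
    print(f"{percent}% of the passwords fell into one of these categories")
```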


  3. File Security

    1. Classes of users
      For every file and directory there are three classes of users who may access it.
      1. User (or Owner)
      2. Group.
      3. Other (Public).


    2. Types of permission.
      There are also three types of permission.
      1. read
      2. write
      3. execute

    3. Displaying permission.
      The ls -l command will display the owner and permissions.
      
      $ ls -l
      total 368
      -rwxr-xr-x   1 ask    staff      3354 Oct 30 1997  a.out
      -rw-r--r--   1 ask    staff     53521 Mar 24 1997  content.html
      -rw-r-----   1 ask    staff      9903 May  8 1997  eduquote.htm
      -rw-r--r--   1 ask    staff     11475 Oct 30 1997  form.html
      -rw-r--r--   1 ask    staff     12308 Oct 30 1997  gains.html
      -rw-r-----   1 ask    staff     42601 Oct 30 1997  index.html
      -rw-r--r--   1 ask    staff      2530 Oct 30 1997  timeline.html
      


    4. Flag bits
      The meanings of the flag bits are:
      1. 1st Character
        • d directory flag
        • - plain file
        • b block special (device) file
        • c character special (device) file
        • l link
        • s socket

      2. Other characters
        • r read permission
        • w write permission
        • x execute permission
        • - no permission

      3. Grouping
        The grouping of the flag bits:
        • The first triplet is for the user.
        • The second triplet for the group.
        • The last triplet is for others.


    5. Setting permissions
      Permissions may be reset using the chmod command.
      $ ls -l subtest
      -rw-------  1 kochis       468 Mar 12 09:57 subtest
      
      $ chmod o+r subtest
      $ ls -l subtest
      -rw----r--  1 kochis       468 Mar 12 09:57 subtest
      
      $ chmod 644 subtest
      $ ls -l subtest
      -rw-r--r--  1 kochis       468 Mar 12 09:57 subtest
      


    6. umask
      The umask is a way to set up the default creation permissions. umask states which bits to turn off in file creation. This can be set for yourself in the .profile file. The system wide umask is in /etc/profile.
      $ grep umask /etc/profile
      umask 077                         # set default file/dir protection
      


    7. groups
      A user may belong to one or more groups. Your files are created with the group id of your home (or default) group in /etc/passwd. You can list the groups you belong to from /etc/group:
      cochise : grep kochis /etc/group
      chpc:*:500:jnet,jones,joyce,jrk,jtan,jwatts,kantzman,karimi,kelly,kneuper,kochis
      userser:*:507:jbyrd,kochis,lwood,milfeld,sda,xxaf436,xxag057,xxus433,xxvd004
      source:*:600:buming,dan,fwang,gary,jbyrd,jones,jwatts,karimi,kneuper,kochis
      examine:*:601:boisseau,chpcdba,dan,fwang,gary,jbyrd,jnet,jones,kneuper,kochis
      install:*:607:brux,buming,dan,fwang,gary,jbyrd,jones,karimi,kneuper,kochis,lwood
      cplus:*:750:anne,brux,buming,foster,fwang,jbyrd,karimi,kochis,lwood,merworth
      chpcadm:*:991:chpcadm,jones,kneuper,kochis,mamali,merworth,xxag057
      xxam:*:1991:kochis,xxam226
      
      or by running the groups command.
      cochise: groups
      xxam chpc userser source examine install cplus chpcadm xxam
      
      I can use any file owned by one of these groups that allows group access. A file's group can be changed to any group you belong to.
      cochise : ls -alg trip
      -rw-rw-r--   1 chpc        3379 Aug  2  1993 trip
      cochise : chgrp userser trip
      cochise : ls -alg trip
      -rw-rw-r--   1 userser     3379 Aug  2  1993 trip
      


    8. ownership
      The ownership of a file may be changed with chown.

    9. superuser (root)
      The superuser may access any file regardless of permission bits.

    10. Sticky Bits
      Sticky bits, here meaning the set-uid (suid) or set-gid (guid) bits set on a file (usually an executable), mean that for the duration of its execution the program takes on the owner or group of the file rather than that of the user who ran it.
      $ ls -al *.cgi
      -rwsr-xr-x   1 www      web         5273 Mar 23 10:56 getstat.cgi
      -rwxr-sr-x   1 www      web          643 Mar 25 13:14 mich.cgi
      



    11. At our site we regard creating files with world write permission to be a security violation. Each week we run a routine to detect these files and report them to the user. A simple command to find these files is:
       
      $ find /stage -perm -0002 -print
      /stage/Cate/birds.gif
      /stage/Cate/jobs/jobs.txt
      /stage/Cate/jobs/trk_num
      
      $ find /stage -perm -0002 -print | wc -l    
           259
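      The flag-bit grouping, the umask arithmetic, the set-uid/set-gid bits and the world-write check from the sections above, pulled together as an added example that is not from the original handout: it converts an ls -l mode string into the numeric mode chmod accepts, computes the default mode a given umask produces, and flags the entries a weekly permission check would report. The listing is constructed, modelled on the handout's own entries.

```python
# Constructed listing in "ls -l" format, modelled on the entries shown in this handout.
SAMPLE_LS = """\
-rwsr-xr-x   1 www      web         5273 Mar 23 10:56 getstat.cgi
-rwxr-sr-x   1 www      web          643 Mar 25 13:14 mich.cgi
-rw-rw-rw-   1 kochis   chpc        3379 Aug  2  1993 trip
-rw-r-----   1 ask      staff       9903 May  8  1997 eduquote.htm
"""

def mode_to_octal(mode: str) -> int:
    """Turn a 10-character ls -l mode string into the numeric mode chmod accepts.
    Character 0 is the file type; the other nine are the user, group and other
    triplets. 's' (set-uid/set-gid) and 't' (sticky) sit in the execute slots.
    """
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    value = 0
    for i, ch in enumerate(mode[1:]):
        triplet, slot = divmod(i, 3)          # triplet 0=user, 1=group, 2=other
        shift = 3 * (2 - triplet)             # the user triplet is most significant
        if ch == "rwx"[slot]:
            value |= (4 >> slot) << shift     # r=4, w=2, x=1 within a triplet
        elif slot == 2 and ch in "sS" and triplet < 2:
            value |= 0o4000 >> triplet        # user 's' = 04000, group 's' = 02000
            value |= (ch == "s") << shift     # lower case: execute bit is set too
        elif slot == 2 and ch in "tT" and triplet == 2:
            value |= 0o1000 | ((ch == "t") << shift)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {mode!r}")
    return value

def default_mode(umask: int, base: int = 0o666) -> int:
    """Mode a newly created file receives: the umask names the bits to turn off."""
    return base & ~umask

def audit_listing(listing: str) -> dict:
    """Collect what a weekly permission check would report from an ls -l listing."""
    findings = {"world_writable": [], "setuid": [], "setgid": []}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:                   # skip "total" lines and blanks
            continue
        mode, name = mode_to_octal(fields[0]), fields[-1]
        if mode & 0o002:                      # the same test as: find -perm -0002
            findings["world_writable"].append(name)
        if mode & 0o4000:
            findings["setuid"].append(name)
        if mode & 0o2000:
            findings["setgid"].append(name)
    return findings
```

With the site's umask 077, default_mode(0o077) gives 0o600, the -rw------- mode shown for subtest before the chmod in the example above.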
      
      


  4. Encryption
    File encryption may be handled by the crypt command.
    $ cat junk
    The
    rain in Spain
    stays mainly on the plain.
    $
    $ crypt -s ask <junk >new
    $ cat new
    (m.mPRwt-tG-i;md}jF#Ajl
    $ rm junk
    $ crypt -s ask <new >junk
    $ cat junk
    The
    rain in Spain
    stays mainly on the plain.
    $
    

    vi and ed can edit encrypted files using the -x option.

© Allan Kochis Last revision 4/6/2001