233 lines
11 KiB
Plaintext
233 lines
11 KiB
Plaintext
==Phrack Inc.==
|
|
|
|
Volume Three, Issue 27, File 5 of 12
|
|
|
|
|
|
COSMOS
|
|
|
|
COmputer System for Mainframe OperationS
|
|
|
|
Part Two
|
|
|
|
by King Arthur
|
|
|
|
|
|
This article will present solutions to the computer security problems
|
|
presented in my previous file. The following are simple but often neglected
|
|
items which if properly treated can immensely increase your company's computer
|
|
security. These points apply not merely in regards to COSMOS, but to all
|
|
computers in all companies.
|
|
|
|
|
|
A) Dial-Up Security:
|
|
|
|
When securing a computer system, regardless of its type, it's important to
|
|
remember this: the only way someone can remotely access your system is if there
|
|
is a dial-up line leading to that system. If your system has a dial-up, make
|
|
sure that you have taken every possible precaution to secure that line. "The
|
|
one piece of advice I would give is: Be careful with dial-up lines," says
|
|
Bellcore's Ed Pinnes.
|
|
|
|
Dave Imparato, Manager of Database Management at New York Telephone, says,
|
|
"We have devices that sit in front of our computers that you have to gain
|
|
access to. In order to even get to COSMOS, there are three or four levels of
|
|
security you have to go through, and that's before you even get to the system."
|
|
|
|
Rules for protection of Dial-Up lines:
|
|
|
|
1. Have as few dial-up lines as possible. Private lines or direct connections
|
|
are often a viable replacement for dial-up lines.
|
|
|
|
2. If you must have phone lines going to your computer, use external hardware,
|
|
if possible. For instance, the Datakit Virtual Circuit Switch (VCS) will
|
|
require a user to specify an "access password" and a system destination to
|
|
specify which system you are calling. The VCS would then connect you to
|
|
the requested system which would prompt you for a login and password.
|
|
Using hardware similar to this serves a double purpose:
|
|
|
|
A) It is harder for someone to get into your computer, due to
|
|
additional passwords;
|
|
|
|
B) Employees need only dial a single number to access a number of
|
|
systems.
|
|
|
|
Another good type of hardware is a callback modem. A callback modem will
|
|
prompt users for a login and password. If these are correct, the modem
|
|
will automatically callback to a predetermined number. At that point you
|
|
would login to the computer. The advantage of callback is that unless a
|
|
call is placed from a certain phone, there is no way to connect.
|
|
Unfortunately, this is not always efficient for systems with large numbers
|
|
of users.
|
|
|
|
Lastly, and the most effective means of access, is to have a system which
|
|
does not identify itself. A caller has to enter a secret password, which
|
|
doesn't display on the screen. If a caller doesn't type the correct
|
|
password, the system will hang up, without ever telling the caller what has
|
|
happened.
|
|
|
|
3. If you ever detect "hackers" calling a certain number, it is advisable to
|
|
change that number. Phone numbers should be unlisted. According to a
|
|
hacker, he once got the number to an AT&T computer by asking directory
|
|
assistance for the number of AT&T at 976 Main Street.
|
|
|
|
4. If dial-up lines aren't used on nights or weekends, they should be
|
|
disabled. Computer hackers usually conduct their "business" on nights or
|
|
weekends. The COSMOS system has the ability to restrict access by time of
|
|
day.
|
|
|
|
|
|
B) Password Security:
|
|
|
|
Using the analogy between a computer and a file cabinet, you can compare a
|
|
password to the lock on your file cabinet. By having accounts with no
|
|
passwords you are, in effect, leaving your file cabinet wide open. A system's
|
|
users will often want passwords that are easy to remember. This is not an
|
|
advisable idea, especially for a database system with many users. The first
|
|
passwords tried by hackers are the obvious. For instance if MF01 is known to
|
|
be the user name for the frame room, a hacker might try MF01, FRAME, MDF, or
|
|
MAINFRAME as passwords. If it's known to a hacker that the supervisor at the
|
|
MDF is Peter Pinkerton, PETE or PINKERTON would not be very good passwords.
|
|
|
|
Rules for password selection:
|
|
|
|
1. Passwords should be chosen by system administrators or the like. Users
|
|
will often choose passwords which provide no security. They should not be
|
|
within the reach of everybody in the computer room, but instead should be
|
|
sent via company mail to the proper departments.
|
|
|
|
2. Passwords should be changed frequently, but on an irregular basis -- every
|
|
four to seven weeks is advisable. Department supervisors should be
|
|
notified of password changes via mail, a week in advance. This would
|
|
ensure that all employees are aware of the change at the proper time. One
|
|
thing you don't want is mass confusion, where everybody is trying to figure
|
|
out why they can't access their computers.
|
|
|
|
3. System administrators' passwords should be changed twice as often because
|
|
they can allow access to all system resources. If possible, system
|
|
administrator accounts should be restricted from logging in on a dial-up
|
|
line.
|
|
|
|
4. A password should NEVER be the same as the account name. Make sure that
|
|
ALL system defaults are changed.
|
|
|
|
5. Your best bet is to make passwords a random series of letters and numbers.
|
|
For example 3CB06W1, Q9IF0L4, or F4W21D0. All passwords need not be the
|
|
same length or format. Imparato says, "We built a program in a PC that
|
|
generates different security passwords for different systems and makes sure
|
|
there's no duplication."
|
|
|
|
6. It's important to change passwords whenever an employee leaves the company
|
|
or even changes departments. Imparato says, "When managers leave our
|
|
organization, we make sure we change those passwords which are necessary to
|
|
operate the system."
|
|
|
|
7. The Unix operating system has a built-in "password aging" feature, which
|
|
requires a mandatory change of passwords after a period of time. If you
|
|
run any Unix-based systems, it's important to activate password aging.
|
|
|
|
8. When you feel you have experienced a problem, change ALL passwords, not
|
|
just those passwords involved with the incident.
|
|
|
|
|
|
C) Site security:
|
|
|
|
There have been a number of articles written by hackers and published in
|
|
2600 Magazine dealing with garbage picking or what hackers call "trashing".
|
|
It's important to keep track of what you throw out. In many companies,
|
|
proprietary operations manuals are thrown out. COSMOS itself is not a
|
|
user-friendly system. In other words, without previous exposure to the system
|
|
it would be very difficult to operate. Bellcore's Beverly Cruse says, "COSMOS
|
|
is used in so many places around the country, I wouldn't be surprised if they
|
|
found books... in the garbage, especially after divestiture. One interesting
|
|
thing about a COSMOS article written by hackers, is that there was a lot of
|
|
obsolete information, so it shows that wherever the information came from... it
|
|
was old."
|
|
|
|
Rules for site security:
|
|
|
|
1. Although it may seem evident, employees should be required to show proper
|
|
identification when entering terminal rooms or computer facilities. It's
|
|
doubtful that a hacker would ever attempt to infiltrate any office, but
|
|
hackers aren't the only people you have to worry about.
|
|
|
|
2. Urge employees to memorize login sequences. It's a bad idea for passwords
|
|
to be scribbled on bits of paper taped to terminals. Eventually, one of
|
|
those scraps may fall into the wrong hands.
|
|
|
|
3. Garbage should be protected as much as possible. If you use a private
|
|
pick-up, keep garbage in loading docks, basements, or fenced-off areas. If
|
|
you put your garbage out for public sanitation department pick-up, it's a
|
|
good idea to shred sensitive materials.
|
|
|
|
4. Before throwing out old manuals or books, see if another department could
|
|
make use of them. The more employees familiar with the system, the less of
|
|
a chance that there will be a security problem.
|
|
|
|
5. Printing terminals should be inspected to make sure that passwords are not
|
|
readable. If passwords are found to echo, check to see if the duplex is
|
|
correct. Some operating systems allow you to configure dial-ups for
|
|
printer use.
|
|
|
|
|
|
D) Employee Security:
|
|
|
|
When a hacker impersonates an employee, unless he is not successful there
|
|
is a great chance the incident will go unreported. Even if the hacker doesn't
|
|
sound like he knows what he's talking about, employees will often excuse the
|
|
call as an unintelligent or uninformed person. It's unpleasant to have to
|
|
worry about every call with an unfamiliar voice on the other end of the phone,
|
|
but it is necessary.
|
|
|
|
Rules for employee security:
|
|
|
|
1. When making an inter-departmental call, always identify yourself with:
|
|
1) Your name; 2) Your title; and 3) Your department and location.
|
|
|
|
2. Be suspicious of callers who sound like children, or those who ask you
|
|
questions that are out of the ordinary. Whenever someone seems suspicious,
|
|
get their supervisor's name and a callback number. Don't discuss anything
|
|
sensitive until you can verify their identity. Don't ever discuss
|
|
passwords over the phone.
|
|
|
|
3. When there is a security problem with a system, send notices to all users
|
|
instructing them not to discuss the system over the phone, especially if
|
|
they do not already know the person to whom they are talking.
|
|
|
|
4. Remind all dial-up users of systems, before hanging up.
|
|
|
|
5. If security-minded posters are put up around the workplace, employees are
|
|
bound to take more care in their work and in conversations on the phone.
|
|
|
|
6. If managers distribute this and other computer security articles to
|
|
department supervisors employee security will be increased.
|
|
|
|
|
|
E) General Security:
|
|
|
|
Bellcore recently sent a package to all system administrators of COSMOS
|
|
systems. The package detailed security procedures which applied to COSMOS and
|
|
Unix-based systems. If you are a recipient of this package, you should re-read
|
|
it thoroughly to ensure that your systems are secure. Cruse says, "Last
|
|
year... I had a call from someone within an operating company with a COSMOS
|
|
security problem. All we really did was give them documentation which reminded
|
|
them of existing security features... There is built-in security in the COSNIX
|
|
operating system... We really didn't give them anything new at the time. The
|
|
features were already there; we gave them the recommendation that they
|
|
implement all of them."
|
|
|
|
If you feel you may not be using available security features to the
|
|
fullest, contact the vendors of your computer systems and request documentation
|
|
on security. Find out if there are security features that you may not be
|
|
currently taking advantage of. There are also third party software companies
|
|
that sell security packages for various operating systems and computers.
|
|
|
|
Computer security is a very delicate subject. Many people try to pretend
|
|
that there is no such thing as computer crime. Since the problem exists, the
|
|
best thing to do is to study the problems and figure out the best possible
|
|
solutions. If more people were to write or report about computer security, it
|
|
would be easier for everyone else to protect themselves. I would like to see
|
|
Bellcore publish security guidelines, available to the entire
|
|
telecommunications industry. Keep in mind, a chain is only as strong as its
|
|
weakest link.
|
|
_______________________________________________________________________________
|