* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*                                                             *
*                          PROTOCOL                           *
*                                                             *
*      The Bulletin for Users of NIST Computer Networks       *
*              and Telecommunications Services                *
*                                                             *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Volume 4 Number 3                                  October 1992
_________________________________________________________________

Sysop Note: Because this issue of "Protocol" was devoted primarily to computer security, I thought it important to share the articles related to computer security. This is not a complete copy of the newsletter, rather just the articles that would be beneficial to those outside of NIST.

------------------------------------------------------------------

PROPER PROCEDURES REDUCE RISK

Acceptable Security Is Achieved When Everyone Adopts Common Sense Rules For Good Practice

John Wack, Computer Security Division, CSL

Computer systems and the information they store are valuable resources that must be protected. Increasingly sophisticated threats, including computer viruses, system intruders, and other "malicious" behavior, can exploit a variety of weaknesses in computer security and cause significant damage. The increased use of networks and interconnected systems permits attacks on seemingly isolated systems to jump to other systems, making the problem many times worse. NIST has not been spared this damage, and has already weathered many problems with computer viruses and with intruder activity on multi-user systems connected to the TCP/IP network, which is connected to the Internet (see The Threat is Real). Since the number of viruses is increasing, and intruder activity connected with the Internet and the switched telephone network appears to be on the rise, more and bigger computer security incidents can be expected in the future.

However, the forecast for computer security may not be all that bad. At NIST, relatively simple steps can protect our systems and networks and can result in significant improvements over present levels of security.
Following basic policies and taking common-sense measures to protect equipment and data, we can reduce the likelihood that computer viruses will be a problem, or that intruder activity will be a fact of network life. The starting point is to know what those policies are and to follow them consistently, or to automate them.

Risk Assessment

It is important to know what to protect: the type of data, software, and equipment. A risk analysis is the customary method for assessing the risk to system and data and for determining the controls (or steps) needed to achieve the desired level of protection. Without performing a risk analysis, it is difficult to know where the security weaknesses are and which controls are cost effective. Managers of LAN servers, systems that act as servers for other systems, or publicly-accessible systems should consider performing a risk analysis on their systems, as penetrations or failures of these systems could potentially affect many other systems. NIST has published guidance on risk analysis, FIPS 65, available from the CSL Document Room, Technology B68.

Physical Security

The foundation of computer security is physical security. Although often neglected in favor of more "technical" solutions, common-sense physical security for computers should never be ignored. Always lock your systems and equipment in your office at the end of the day. Laboratories or areas with concentrations of systems should be protected with an additional lock. During the day, it's a good idea to lock your office when you're out, and to use a keyboard lock (the physical key and lock on some personal computers) or a software-based program which locks your computer. These measures help prevent theft and reduce the likelihood that your system will be used by anyone else.

LAN Servers

Local Area Network (LAN) servers often store software that can be executed by the connected personal computers.
A virus on a LAN server is a contamination; each personal computer will likely become infected by executing the virus-infected program. LAN servers should be scanned for viruses frequently, perhaps on a daily basis. The ability of users to copy programs to the LAN server's disk should be reviewed and restricted, if possible. All software must be scanned prior to placing it on a LAN server.

Computer viruses affect personal computers (PC's), and because of the networking of PC's and multi-user systems using products such as PC/TCP or PCNFS, multi-user systems must also be considered as vulnerable to computer viruses. Viruses are being written more frequently and have greater potential for damage. Consequently, personal computer users at NIST need to pay attention to the existence of viruses and incorporate virus protection into their personal computing practices.

It is strongly recommended that you use anti-virus software to protect your systems, especially PC's and Macintoshes. There are three primary types of anti-viral software: scanners, monitors, and change detectors. Scanners should be used at boot time to scan the computer's hard disk, and prior to using new software (regardless of the source). Monitors should be loaded at boot time to remain resident in the computer's memory so that the monitor can continually check programs, as they execute, for signs of virus activity. Change detectors can be used on systems which have fairly stable software configurations. The program is run once to compute a number for each program file. Any subsequent alteration of the file changes the number and is detected by the change detector monitoring program.

Multi-user Systems

Multi-user systems are finding their way with increasing frequency onto the desktops of many people at NIST. In parts of NIST, NFS (Network File System) software is used to turn our multi-user systems into personal computer LAN servers.
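The change detector described under anti-virus software above, worked as an added example (not code from the newsletter or any product it names): each program file gets a number, here a SHA-256 digest rather than a 1992 checksum, and a later run reports files whose number changed, plus files that appeared or disappeared.

```python
"""Change detector of the kind described under anti-virus software above: number
every program file once, keep the numbers, and on later runs report any file whose
number no longer matches.  Added example, not code from the newsletter; the number
is a SHA-256 digest rather than the checksum a 1992 product would compute."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

PROGRAM_SUFFIXES = (".exe", ".com", ".sys", ".ovl", ".bat")   # DOS program files


def file_number(path: str) -> str:
    """The per-file number: a digest over the whole file, so a virus that
    attaches itself anywhere in the file changes it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def number_programs(root: str) -> Dict[str, str]:
    """Number every program file under root (paths relative to root)."""
    numbers = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PROGRAM_SUFFIXES):
                full = os.path.join(dirpath, name)
                numbers[os.path.relpath(full, root)] = file_number(full)
    return numbers


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Anything changed, added or removed since the baseline is worth investigating."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def check(root: str, baseline_path: str) -> Dict[str, List[str]]:
    """First run records the baseline; later runs compare against it.  Keep the
    baseline on write-protected media, or an intruder can simply re-baseline."""
    current = number_programs(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1)
        return {"changed": [], "added": [], "removed": []}
    with open(baseline_path) as f:
        baseline = json.load(f)
    return compare(baseline, current)


def demo() -> Dict[str, List[str]]:
    """Constructed run: baseline two program files and a text file, then append
    bytes to one program (as an infecting virus would) and drop in a new one."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("EDIT.COM", b"\xb8\x00\x4c\xcd\x21"),
                           ("WP.EXE", b"MZ" + b"\x00" * 64),
                           ("README.TXT", b"not a program")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(root, "baseline.json")
        check(root, baseline_path)                        # first run: record numbers
        with open(os.path.join(root, "WP.EXE"), "ab") as f:
            f.write(b"\x90" * 512)                        # WP.EXE altered after baseline
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"MZ")
        return check(root, baseline_path)                 # second run: compare
```

The text file is ignored because only program files are numbered; a real deployment would also number the boot sector, which the article's boot sector virus replaces.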
These systems, primarily UNIX and VAX/VMS, provide disk space that can be utilized by personal computers in much the same way as a true LAN server (e.g., Novell, Banyan). The advice for protecting LAN servers from viruses applies to such multi-user systems as well. (At least one major outbreak of viruses at NIST has been due to placing infected personal computer software on a multi-user system that acted as a LAN server.)

Computer "crackers" have made several inroads into networked systems at NIST. Incident response teams such as the CERT/CC, and investigative agencies such as the FBI, all note that the level of intruder activity on the Internet is quite high. It has been suggested that the odds are increasing that any networked system on the Internet will, sooner or later, have its security tested by some form of intruder activity.

These desktop multi-user systems, although small in size, are often as powerful as former systems that occupied an entire office. System management is no less complicated. The number of "full-time" system managers is declining, and they are managing these systems in a more or less part-time mode. This means that computer security is often neglected, because there "isn't enough time."

The outlook for networked multi-user systems may not be grim. Most breaches of security are not caused by obscure or inherent weaknesses in systems and networks, but rather are due to improper system configuration and use of poor passwords. The most important steps you can take towards protecting your system are to first ensure that it is installed correctly and then to use the security controls included with your system. The controls discussed here are passwords, file access controls, controls for "trusted" systems, and network file system controls. Advanced authentication systems for passwords are an important current development.

Passwords

There is much advice on selecting and using passwords.
Don't choose a password that can be found in a dictionary, as crackers often "break" passwords by simply comparing them to the words in on-line dictionaries. If you have accounts on multiple systems, don't use the same password for each account. After choosing a "good" password, how often should it be changed? Some advise changing passwords frequently, perhaps every three months. Changing passwords too frequently is not necessarily better if the password is poorly selected.

File Access Controls

These controls permit you to designate which files are readable, writable, and executable for any and all users. Ensure that system files, in particular those that control system configurations, are not writable by anyone except the system administrator.

Trusted Hosts

UNIX permits one to designate other systems as "trusted" systems through the use of the .rhosts and hosts.equiv files. By specifying certain systems in these files, users from those systems can log into your system without specifying a password. While this can be convenient for users, it presents serious problems if a trusted system is penetrated, because now any system can be penetrated very easily. Allow trusted systems only under very carefully controlled circumstances or, preferably, not at all.

Network File System Controls

To permit PCs and other systems to use (or mount) file space on your UNIX or VAX/VMS system, you must "export" the space (directories), or make it available for mounting. To ensure that not just any system can mount your directories and write to them, there are access controls one can use to denote which systems should have access. Spot checks at NIST have shown that some systems do not use any access controls whatsoever and, furthermore, export directories that contain password files and important system information. Thus, anyone connected to the Internet could write to these directories and, potentially, gain access to these systems.
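A spot check of the three controls just discussed (file access controls, trusted hosts, NFS exports), as an added example that is not code from the newsletter or from COPS; it assumes the traditional BSD hosts.equiv/.rhosts layout ("host [user]", with "+" meaning any) and SunOS-style /etc/exports lines ("directory [-options]"), and the sample file contents are constructed.

```python
"""Audit of the three UNIX controls discussed above (file access controls,
trusted hosts, NFS exports).  Added example, not code from the newsletter or
from COPS; assumes BSD hosts.equiv/.rhosts ("host [user]", '+' = any) and
SunOS-style /etc/exports ("dir [-options]").  Sample contents are constructed."""
import os
import stat
from typing import List, Optional

SAMPLE_HOSTS_EQUIV = "# hosts whose users may log in without a password\n+\nbuild.example.gov\n"
SAMPLE_RHOSTS = "lab2.example.gov alice\n+ root\nlab3.example.gov +\n"
SAMPLE_EXPORTS = (
    "# /etc/exports: directory [-options]\n"
    "/home       -access=pc1:pc2\n"
    "/usr/local\n"
    "/           -ro\n"
    "/etc        -rw=pc1,root=pc1\n"
)
SENSITIVE_EXPORTS = ("/", "/etc")   # exporting these exposes the password file


def mode_finding(path: str, mode: int, uid: int) -> Optional[str]:
    """A system file must be writable only by the administrator: flag group/other
    write bits or a non-root owner.  Pure function so it can be checked offline."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: writable by group/others (mode {stat.S_IMODE(mode):04o})"
    if uid != 0:
        return f"{path}: not owned by root (uid {uid})"
    return None


def audit_system_files(paths: List[str]) -> List[str]:
    """Stat each configuration file that exists and report weak ownership or modes."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        f = mode_finding(p, st.st_mode, st.st_uid)
        if f:
            findings.append(f)
    return findings


def trusted_host_findings(text: str, source: str) -> List[str]:
    """'+' in the host field trusts every host on the network; '+' in the user
    field trusts every user from that host.  Either bypasses the password check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "+":
            findings.append(f"{source}:{lineno}: '+' trusts every host")
        elif len(fields) > 1 and fields[1] == "+":
            findings.append(f"{source}:{lineno}: any user from {fields[0]} is trusted")
    return findings


def exports_findings(text: str) -> List[str]:
    """An export with no access= or rw= host list is mountable by any host;
    exporting / or /etc hands the password and system files to all of them."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        directory = fields[0]
        opts = fields[1].lstrip("-").split(",") if len(fields) > 1 else []
        if not any(o.startswith(("access=", "rw=")) for o in opts):
            findings.append(f"exports:{lineno}: {directory} mountable by any host")
        if directory in SENSITIVE_EXPORTS:
            findings.append(f"exports:{lineno}: {directory} exposes system files")
    return findings


if __name__ == "__main__":
    for f in (audit_system_files(["/etc/passwd", "/etc/hosts.equiv", "/etc/exports"])
              + trusted_host_findings(SAMPLE_HOSTS_EQUIV, "hosts.equiv")
              + trusted_host_findings(SAMPLE_RHOSTS, ".rhosts")
              + exports_findings(SAMPLE_EXPORTS)):
        print(f)
```

Run against the live files by reading them into the two text functions; the output is the kind of report the article's Tools section describes being e-mailed to the administrator.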
Advanced Authentication

Passwords, when typed from a location on a network (i.e., a PC or other system), travel across the wires in clear text and are thus readable by anyone monitoring network traffic. Can and do people monitor network traffic? The FBI's computer crime squad says that the availability and use of network monitors, called sniffers, is so common that the FBI recommends using means of authentication that carry less risk of exposure.

An office at NIST has actually implemented a device known as a smartcard, a credit card-sized device that uses encryption algorithms for authenticating users to a system. Similar devices, sometimes called authentication tokens, have been commercially available and work with most common operating systems. These devices are immune to sniffers, as they generate one-time passwords that cannot be repeated.

Should you use a smartcard or authentication token? It is a good idea; however, the cost is best justified for use with server systems and systems that are likely targets for intruder activity. If users from non-NIST locations are logging in to your system via the Internet, you should consider using one of these devices. See User Authentication Technology in this issue for more information about advanced authentication.

Tools for Increasing Multi-User Security

There are public-domain and commercially available tools for helping administer multi-user system security. In addition, VAX/VMS and some UNIX systems can utilize a "C-level" mode of operation, in which the system uses controls associated with NSA's Orange Book "C" level of system classification. The tools help to check passwords, file permissions and modes, and whether files have changed. Some can be run automatically, with the results e-mailed to the system administrator. Such tools can be a real boon to the part-time system administrator, as much of the monitoring and checking is automated. What tools should you use?
COPS is recommended for UNIX; it's available via anonymous ftp from enh.nist.gov in the MISC directory. Another tool for UNIX is log_tcp, available from CERT, which permits one to restrict/grant network access on a system/domain basis. For VAX/VMS, there are commercial tools, most notably Clyde Digital, as well as a tool from the Department of Energy called SPI/VMS.

Keeping Up-to-Date

Computer security is not a one-time project; systems need to be tuned and patched as things break or as new problems occur. First, subscribe to the lan_group mailing list, administered at NIST, by sending mail to lan_group-request@enh.nist.gov. Computer security alerts, patch information, and other warnings are sent out on the lan_group regularly, so if you're not subscribed, you're missing a lot of useful information. Secondly, it's worth investigating some of the Usenet news groups such as comp.security.misc or alt.security, where valuable information gets posted from time to time. Third, the Computer Security Division runs a computer security BBS that is accessible via the Internet (telnet cs-bbs.nist.gov). This BBS contains a large number of documents about computer security in general, as well as specific information on viruses, computer security alerts, and patch information. Access to the BBS is unrestricted; the ftp archive for the BBS is also located at csrc.ncsl.nist.gov.

COMPUTER VIRUSES: Present and Future Danger

Ted Landberg, Systems and Software Technology Division, CSL
Stanley Winkler, CSCD

Of course, it could not happen to you. You are the only one who uses your computer. You never add software to your computer except from certified, virus-free diskettes. Your computer stands alone, unconnected to any network; and you do not have a modem. Clearly, a virus could not possibly infect your machine. Or could it? If it is possible that your computer may become vulnerable to a virus infection, the following discussion may be of some help.

What is a Virus?
A computer virus is a program which reproduces parts of itself and attaches those parts to other programs. There are two general types of viruses that attack PCs: the boot sector virus and the program virus. A boot sector virus replaces the original boot sector with itself, stores the original somewhere else, and on boot-up hides in RAM. It then loads and executes the original boot code, and everything appears normal except that every diskette used becomes infected. A program virus infects other files, which are most often executable files (*.exe or *.com) but which can be data, bat or overlay files. When the infected file is executed, the virus program is activated. What it does after it is activated depends on the virus program. The damage done by a virus is a function of the maliciousness and ability of the virus author. It can disrupt systems and networks. A virus can invade any memory, media or storage.

Other damaging programs which can invade a computer system are Worms, Trap Doors, Logic (time) Bombs and Trojan Horses. These programs are not viruses, although they are sometimes called pseudoviruses. They can be included in a virus for additional damaging effect. There is no apparent limit to what can be programmed into a virus, as must be expected since viruses are programs.

From Where do Viruses Come?

A virus can be introduced into your computer by any program which is added to your computer from a floppy disk, a network or from another computer (e.g. bulletin board) through a modem. The most common ways in which viruses are propagated are by a diskette from a "friend", by a file downloaded from a Bulletin Board, by programs in purchased software, by programs transmitted across a network, by using an infected rental computer, by software accompanying an adapter board and by software included in a book. In short, any program or file which is used on a computer can be the source of a virus infection. That is the bad news.
The good news is that there is only a small chance that any individual PC will become infected. While it is difficult to estimate the number with any accuracy, the best guesses among security experts suggest that less than five per cent of the more than 22 million PC's in operation become infected. The computers most susceptible to infection are those for which proper procedures and precautions are not routinely used. Since effective protection procedures and mechanisms exist, virus infections can almost always be avoided.

Detecting a Virus Attack

Have you ever noticed ... strange behavior by your machine? Strange or unusual behavior is very often the first sign of a virus infection. An infection should be suspected if peculiar messages or abnormally slow performance occur, or if utilities or applications that always worked suddenly seemingly do not, or if, for no apparent reason, the system "hangs". Other symptoms of an infection are unexpected changes in program size, or a sudden increase in bad disk sectors, or larger than normal delays in the performance of tasks.

The best way to detect a virus infection is to use a virus protection program. Protection programs perform two functions: scanning or monitoring. Some protection programs provide both functions. Other programs can perform a removal operation or the disinfection of the computer.

Scanning examines all the files on a hard (or floppy) disk for the existence of a virus. The most common technique is to look for known "signatures" and sound the alarm if one is detected. Only known viruses or their variants can be reliably detected. As the number of known viruses increases, the time for a complete scan gets significantly long. Sometimes, to speed up the scan, only executable files are examined. The jury is still out on the wisdom of this procedure. It should be noted that no single virus protection program recognizes all of the more than 1,000 known viruses. The best reported recognition rate was 92%.
Monitoring requires the protection program to be resident in the computer's memory and is intended to detect, on a continuous basis, any indication of virus activity in programs whenever they are executed or activated. Monitoring uses memory, increases the time needed to execute programs, and creates false alarms which, depending on the protection scheme, can shut down the computer. If scanning is performed regularly and new software is introduced only after it is scanned, then monitoring does not seem necessary under ordinary circumstances.

If a virus is detected, don't panic. Don't reboot yet. Log the incident with as much detail as possible and call for help with the removal of the virus. Check all places where the virus may exist: hard disks, diskettes, backups and computer memory. After removal, check the system again to be certain the virus has been eliminated. Finally, alert others about the contaminated software and the procedures used to disinfect.

Conclusions

Reasonable protection is possible using reasonable precautions, although determining when and how a system was infected often cannot be done, and reinfection following an initial attack sometimes occurs. When eliminating viruses, take care and take time. Viruses are no joke, and successful detection, protection and recovery require awareness of threats and sources of contamination, alertness for infection, preparedness for reconstructing the system if necessary, a clean boot disk, clean backups and documentation of the system environment.
In summary, the basic rules for the detection of viruses:

- Know your system and its performance
- Be alert to odd behavior or unexpected changes in performance
- When suspicious behavior occurs, protect your system first, then investigate the cause
- Log all suspicious occurrences
- If a virus is detected, do not destroy the evidence; call for help
- Periodically scan for known viruses
- Scan disks received from or being sent outside of NIST
- Scan programs are necessary, but not sufficient, protection
- Report all incidents to your OU Computer Security Officer

The First Law of Virus Protection: BACKUP! BACKUP! BACKUP!

Make frequent backups. It is the safest and surest way to protect a system against loss of data and programs. In addition, there are sensible protection procedures for organizations and for individuals.

Protection procedures for individuals:

- Always use a "clean", write-protected boot disk
- Never assume a source is trustworthy
- Always scan new software from any source
- Write-protect original software and copy only on a known clean machine
- Do not share diskettes -- you can give them away, but never take them back
- Always consider network programs as "new"
- Remove disks from the A: drive when not needed, to protect against accidental disk boots

Protection procedures for organizations:

- Have a security and a virus protection plan
- Have a contingency plan in case of attack
- Develop user awareness
- Develop a software management plan
- Control access
- Monitor periodically
- Provide a designated "expert" to help users

USER AUTHENTICATION TECHNOLOGY

Elizabeth B. Lennon, Office of the Director, CSL

Organizations in both government and industry are increasingly concerned with the protection of vital information resources contained in computer systems and networks. Protecting valuable data in computer systems from unauthorized use or malicious tampering is a primary goal of all organizations, large and small.
While a comprehensive computer security program encompasses a variety of management and technical solutions, the starting point in securing a computer system is to limit access to the system to authorized users. Limiting access to a computer system or network depends upon the ability to verify the identity of users, a process known as user authentication. This process is typically accomplished by means of a password, but the use of passwords alone does not adequately protect a system from unauthorized access. This article summarizes the CSL Bulletin on Advanced Authentication Techniques issued in November 1991.

Why Password Systems Fail

The traditional password system is effective if the system is well managed by users and administrators. Users tend to be their own worst enemy, however, when selecting, using, and safeguarding a password. When users select their own password, they often choose one that is easy to remember and therefore easy for others to guess. If users decide on a longer and more complex password, they write it down, jeopardizing the secrecy of the password and the security of the system. Users may also share passwords with friends and coworkers, change them infrequently, and in general fail to safeguard the secrecy of passwords. While passwords will continue to be a popular method of verifying user identity, the use of alternative methods alone or in combination with password systems can provide further assurance that only authorized users are granted access to the system.

Alternative User Authentication Techniques

The need for additional means of user authentication has spawned the development of advanced authentication techniques which supplement or replace the use of passwords. There are three basic methods for verifying identification: something the user knows, something the user possesses, and some physical characteristic of the user.
While traditional methods of verifying user identity are based on something the user knows, such as a password, alternate methods are based on something the user possesses, such as a token or smart card, or some physical characteristic of the user, such as a fingerprint or voice pattern, or combinations of these methods. These alternate authentication techniques build upon advances in electronic recognition systems.

Token-Based Authentication

This type of user authentication technique usually requires a physical token which is used to verify the identity of the user before access to the system is allowed. A typical token is the size of a credit card. Some tokens require that the user insert it into a reader. These tokens contain data that is physically, magnetically, or electrically coded in a format which the host system recognizes. For example, automated teller machines request users to insert a magnetic card and enter a password. Some sophisticated tokens, known as smart cards, are designed in a credit-card format which contains microprocessors and memory.

Other tokens do not require readers, but display a number which the user types into the computer. One type of these tokens looks like a small calculator with keys. When signing on to the computer, the user is presented with one number which is then typed into the card. In response, the card displays a second number which the user types into the computer. Another type of card displays numbers which change every one or two minutes. The user types the number currently displayed on the card into the computer when signing on.

Token-based systems provide an added level of security because someone must actually steal or fabricate a physical object to gain access to the system. When combined with a password system, a token-based system affords a fairly effective barrier to unauthorized access to a computer system or network.
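The two reader-less token exchanges just described (host number typed into the card, card number typed back; and a display that changes every window), with both the card's and the host's side, as an added example that is not from the newsletter or the CSL Bulletin; it assumes a secret key shared between card and host and a truncated HMAC-SHA256, where the period's tokens used their own proprietary algorithms, and also shows why a sniffed code is useless afterwards.

```python
"""Token sign-on: challenge-response and time-window display.  Added example,
not from the newsletter or the CSL Bulletin; assumes a key shared between card
and host and a truncated HMAC-SHA256 (period tokens used proprietary schemes)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

DIGITS = 8
WINDOW_SECONDS = 60   # the article describes displays changing every one or two minutes


def _code(key: bytes, message: bytes) -> str:
    """Short numeric code from a keyed MAC; seeing codes does not reveal the key."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** DIGITS).zfill(DIGITS)


class Card:
    """The token: holds the key and only ever emits codes."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: str) -> str:
        """Challenge-response: the user keys the host's number into the card."""
        return _code(self._key, b"CR:" + challenge.encode())

    def display(self, now: int) -> str:
        """Time-based: the number shown during the current window."""
        return _code(self._key, b"T:" + str(now // WINDOW_SECONDS).encode())


class Host:
    """The computer signed on to: knows each user's card key, and consumes each
    challenge and each time window after one use, so a sniffed code is worthless."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._open: Dict[str, str] = {}        # user -> outstanding challenge
        self._used_window: Dict[str, int] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str, rnd: Optional[str] = None) -> str:
        """Issue a fresh random number (rnd is injectable for deterministic tests)."""
        c = rnd if rnd is not None else str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self._open[user] = c
        return c

    def verify_response(self, user: str, response: str) -> bool:
        c = self._open.pop(user, None)         # challenge consumed even on failure
        if c is None or user not in self._keys:
            return False
        return hmac.compare_digest(_code(self._keys[user], b"CR:" + c.encode()), response)

    def verify_time_code(self, user: str, code: str, now: int) -> bool:
        window = now // WINDOW_SECONDS
        if user not in self._keys or self._used_window.get(user) == window:
            return False
        ok = hmac.compare_digest(_code(self._keys[user], b"T:" + str(window).encode()), code)
        if ok:
            self._used_window[user] = window
        return ok


def demo() -> Dict[str, bool]:
    """Both exchanges, each followed by the replay a sniffer would attempt."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed enrollment key
    host, card = Host(), Card(key)
    host.enroll("alice", key)
    r1 = card.respond(host.challenge("alice", "31415926"))    # legitimate sign-on
    first = host.verify_response("alice", r1)
    host.challenge("alice", "27182818")                       # next sign-on, new number
    replay = host.verify_response("alice", r1)                # captured r1 replayed
    t_ok = host.verify_time_code("alice", card.display(1000), 1000)
    t_reuse = host.verify_time_code("alice", card.display(1000), 1030)   # same window again
    t_late = host.verify_time_code("alice", card.display(1000), 1000 + 2 * WINDOW_SECONDS)
    return {"first": first, "replay": replay, "time_ok": t_ok,
            "time_reuse": t_reuse, "time_late": t_late}
```

A real host must also allow for clock drift between card and host, which this example leaves out to keep the window rule visible.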
Biometric Authentication

Biometric authentication verifies the identity of a user by recognizing some physical characteristic unique to that user. Fingerprints, written signatures, voice patterns, typing patterns, retinal scans, and hand geometry are common biometric identifiers. The process starts with an enrollment procedure during which the user produces a unique pattern, such as a fingerprint, from which a template is produced. When the user attempts to access a system, a second biometric pattern is taken and compared against the original template to verify the user's identity. Although biometric authentication systems cost more than other systems due to the expense of the complex hardware involved, these systems offer a very high level of security and may be well worth the expense when critical information must be protected. As with other alternatives, the best solution may be a combination of user authentication systems coupled with good computer security management practices.

Summary

While password-based authentication is widely used to verify the identity of users requesting access to computer resources, this type of authentication often fails to prevent unauthorized access. Alternatives such as token-based and biometric authentication, used alone or in combination with passwords, significantly improve the security of networked computer systems.

For more information on NIST's ongoing work in advanced authentication technology, contact Jim Dray, Computer Security Division, on extension 3356.

References

CSL Bulletin on Advanced Authentication Technology, November 1991, incorporating by reference the sources listed in that document.