Fort Hays State University

Computing and Telecommunication Center Newsletter November 2002

 

CTC News and Other Bytes . . .

 
From Dave's Desk
Computer Security
Networked Computers
Vulnerabilities
E-mail / IP Spoofing
Launching Attacks
Stealing Resources
What Are We Doing About Computer Security?
Securing Your Computer
E-mail Confusion
How to Make Conference Calls
CTC HelpDesk News
User Services News
 
From Dave's Desk

We would like to wish everyone a safe and happy holiday season. See all of you next semester!

Computer Security

Why should anyone care about computer security? Apart from all of the technical issues surrounding computer security, individual perceptions about the need for security are essential to maintaining a reliable and secure network. In the open environment of the academic world many question concerns about secure networks and servers. For example, some wonder why one should have a password-protected PC and password-protected access to the network. Some of us are very concerned about some aspects of security. For example, many of us are quite leery about using our credit cards for Internet purchases; however, on other matters, we tend to be lax. For example, some wonder why they need to be careful with E-mail passwords, leaving their PC unattended (while Lotus Notes is open or while they are accessing student data), using anti-virus programs, E-mailing grades, and other recommended practices. Still others wonder about the fuss over authentication and authorization. Some question the need for password protection, digital certificates, and other such measures.

These points illustrate a problem about security noted by Jeffrey I. Schiller, MIT's network manager. He calls security a negative deliverable. As he states, "You don't know when you have it. You only know when you've lost it." We can be doing things in a very insecure way, but if we succeed in communicating, we are usually pleased. We do not wonder much about whether that communication was also intercepted or monitored. If it was a highly confidential E-mail, however, we can become very upset if there was lax security and the wrong eyes see it.

We at the CTC believe it is useful to highlight some of our vulnerabilities to show why it is important to have security policies in place and to follow good practices. This will not be an exhaustive list, in part because engineers are producing a number of technological innovations that enhance security and others with more malicious intent are cleverly finding new ways to break into or to exploit systems.

Networked Computers

First, some background information may be useful. The context of computing has changed. When PCs and Macs were islands, not connected in a network, they were subject only to physical break-ins. However, that all changed when PCs became part of a network. In fact, Sun used to say the network is the computer or the computer is the network (I always forget which). Because computers are connected on a network and because computers access the world through the Internet, there is great potential for mischief.

Being connected opens up a number of vulnerabilities. When the computers are always on and always connected, as with our campus Ethernet, then they are subject to probes and viruses from the local area network (the inside) and from the Internet (the outside). Further, the very tools that enable powerful searches useful for research on the Internet can be used as tools to target types of users or specific users. When we accept free software tools, utilities, screen savers, etc., over the Internet, those software components can enable interested parties to monitor our activities. Some of those components send updated information back to servers regularly. When one enables peer-to-peer computing, such as instant messaging, this also increases the risk. System administrators are quite aware that certain file-transfer programs used to transfer MP3, video, and other files sometimes require the recipient to make his or her computer into a server, open to the world (sometimes unknown to the recipient). Those of us who are not system administrators are not often aware which applications open up our computers to the outside world in an insecure way.

Vulnerabilities

E-Mail Spoofing and IP-Spoofing (Pretending to be someone else)

We are seeing more and more cases of E-mail spoofing, E-mail pretending to come from a sender other than the real sender. Sometimes the sender pretends to be someone in authority to get the recipient to do something. Other times the sender recommends pyramid schemes, pornographic sites, commercial products, and other benign or malicious things.

E-Mail Spoofing

How does this happen? Some use the old-fashioned, sneak-into-the-office way. Someone could use your computer without your knowledge if you leave your machine unattended and logged in to your E-mail account. The intruder just types the message and sends it, and it goes out under your name. More sophisticated intruders may gain access to your computer remotely and do the same thing, or they may guess your password and access it in that way. A further approach involves electronically intercepting a message that you have sent, changing the message, and sending it on either to the person intended, to someone else, or to multiple lists of persons. Another common method also involves some technical sophistication. Someone with knowledge of SMTP (Simple Mail Transfer Protocol) can insert commands in headers to alter E-mail information. Some spammers have perfected these techniques to flood networks with thousands of E-mails. When someone reports that his or her E-mail has been spoofed, there are ways, after the fact, of checking whether that E-mail originated from somewhere other than where it pretends to originate.

E-Mail spoofing is a serious matter. There are spammers scattered throughout the world looking for E-mail accounts, vulnerable PCs, and E-mail servers from which to launch spam across the network. Universities are often targeted because they house quite a few powerful servers and PCs, often have lax security practices, and have a tradition of experimentation and openness. We and other university computing centers receive calls from a variety of network administrators around the world informing us that spam (apparently) originates from PCs on our network and ordering us to cease and desist sending it.
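The after-the-fact check mentioned above can be sketched as follows. This is an added example, not CTC code: the campus domain, address block, server names and both messages are constructed placeholders. It reads the Received lines from the top and trusts only those written by the campus's own mail servers, because anything below them arrived with the message.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed campus values (placeholders for this example, not FHSU's real ones).
CAMPUS_DOMAINS = {"example.edu"}
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_MAIL_HOSTS = {"mail.example.edu"}                # names our servers write after "by"
OUR_MAIL_IPS = {ipaddress.ip_address("192.0.2.10")}  # our servers relaying to each other

# Constructed message. Only the top Received line was written by our server;
# the second one arrived with the message and may be forged.
SPOOFED = (
    "Return-Path: <bulk@mailer.example.net>\n"
    "Received: from pc17.example.edu (unknown [203.0.113.77])\n"
    "\tby mail.example.edu with SMTP; Mon, 18 Nov 2002 09:15:02 -0600\n"
    "Received: from pc17.example.edu (pc17.example.edu [192.0.2.17])\n"
    "\tby relay.example.edu with SMTP; Mon, 18 Nov 2002 09:14:40 -0600\n"
    'From: "Campus Registrar" <registrar@example.edu>\n'
    "Reply-To: collect@mailer.example.net\n"
    "To: student@example.edu\n"
    "Subject: Verify your account\n\n"
    "Please reply with your password.\n"
)
# Constructed message that really was submitted from a campus address.
GENUINE = (
    "Received: from pc17.example.edu (pc17.example.edu [192.0.2.17])\n"
    "\tby mail.example.edu with SMTP; Mon, 18 Nov 2002 10:02:11 -0600\n"
    "From: prof@example.edu\n"
    "To: student@example.edu\n"
    "Subject: Office hours\n\n"
    "See you Tuesday.\n"
)

# Matches the common "from HELO (rdns [ip]) by host" layout; IPv4 only.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def entry_point(msg):
    """IP of the peer that handed the message to the first server we run.

    Each server prepends its Received line, so read from the top and stop at
    the first line written by one of our hosts whose peer is not also ours.
    """
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(raw.split()))
        if not m or m["by"].lower() not in OUR_MAIL_HOSTS:
            return None  # left the part of the chain we can vouch for
        ip = ipaddress.ip_address(m["ip"])
        if ip not in OUR_MAIL_IPS:
            return ip
    return None

def analyze(raw_message):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} differs from From domain {from_dom}")
    ip = entry_point(msg)
    if ip is None:
        findings.append("no usable Received line from our own servers")
    elif from_dom in CAMPUS_DOMAINS and not any(ip in net for net in CAMPUS_NETS):
        findings.append(f"From claims {from_dom} but the message entered from {ip}")
    return findings

if __name__ == "__main__":
    for label, text in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, analyze(text))
```

The second Received line in the spoofed sample names a campus PC, but it is never consulted: the check stops at the line the campus server itself wrote.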

IP-Spoofing

One common technique for protecting resources accessible to a limited audience is to verify the IP address of the sender. The IP address is numeric. If the IP address is in a certain range of numbers, the sender is considered to be a legitimate user. For example, the FHSU library pays to subscribe to a variety of databases accessible over the Internet. The database vendors require us to restrict access to FHSU students. They obviously do not want to give away their services for nothing. The database subscription service checks to see whether a user is a legitimate FHSU student by checking to see if the IP address of the person trying to log in as an FHSU student falls within the range of numbers reported to them by us. The workstations in the range are sometimes referred to as trusted hosts. Those trusted hosts are within the range of valid IP numbers, and they are allowed access.

Gaining read-only access to library-sponsored databases is one thing; however, using IP-Spoofing to modify sensitive data is quite another. If a user spoofs an IP address to gain access to student grades or sensitive financial information, that is a serious breach of privacy. IP-spoofing is also used in attempts to gain access to system-administrator level of security on servers, routers, switches, or telecommunications systems.

Launching Attacks Using Your PC

Another reason to secure your PC as much as possible is to prevent others from using it as a launch pad for attacks on others. Universities have been prime resources for hackers in launching a variety of attacks on commercial web sites, governmental sites, and military sites. Some hackers target specific sites with denial of service attacks. They attempt to bombard a site with so many requests that it effectively shuts down the site (thereby denying service to others). A hacker targets vulnerable PCs or servers and uses them to send thousands of communications over the Internet to the targeted site. The systems administrators from those sites or systems administrators from Kanren notify us that an attack is being launched from FHSU computers, and we then work to locate them and shut them down.

Stealing Resources

Another tactic involves using hard drive space on remote PCs. Someone may download an application that lets them share files over the Internet. Unknown to the user, that application opens up their hard drive for use by others on the Internet. Those applications make the connected PCs file servers. Those savvy remote users then use the hard drive for their own files (often music or video files). Unless PC users are especially vigilant about monitoring system resources, the typical PC user would not notice this unless he or she were nearly out of hard drive space. The individual user can protect his or her PC by doing a little research on software being used to transfer files, and by installing only relatively secure kinds of software.

Stealing Passwords and Viewing Messages on the Web

A variety of freely available applications called sniffers can view traffic going across the web. Hackers use these sniffers to steal passwords going across the network, to view E-mail messages, and to view data being entered into databases. For example, if passwords used by the Registrar's Office were not protected for entering student data, a hacker could use a sniffer to get the passwords and then use those passwords to view and to change sensitive data. Sniffers can be used to view unencrypted E-mail going across the network. Because of sniffers we have some concerns about sending grades to students using E-mail over the web. If unencrypted E-mail is sent, those grades are visible to those who have access to messages going over the public Internet using a sniffer.

Unfortunately, there are no good, easy-to-use methods of encryption available across E-mail systems. This is an area where technology needs to improve before secure systems are universally adopted.

Mitigating Sniffer Vulnerabilities

On campus we have mitigated potential harm from sniffing in several ways. The Lotus Notes IDs do not go across the network because the client verifies the ID from an ID file stored on individual PCs. Further, when logging on to Lotus Notes on the Internet the IDs are encrypted (using https). So, in neither case can they be seen by sniffers.

In the early days of Ethernet deployment, FHSU had a shared network. That meant that the bandwidth was shared by everyone. The Ethernet packets traversed the whole network. Placing a sniffer on this network meant that every packet could be viewed by the sniffer, so as sniffer technology developed and became more widespread the network became more vulnerable. Some years ago most of the shared hubs were replaced by switched hubs. These hubs "switch" the data to the desired location from the hub so that the data packets no longer traverse the whole network. This increased security greatly because sniffers used in offices and labs can only see data flowing to a particular "jack". Except for the Student Union, all hubs across campus are switched hubs.

Well-designed Internet applications protect against various kinds of abuse. They use several techniques involving encryption. Student data from Student Web Services (SWS) is secure over the web. There is an encrypted layer (secure sockets layer) that protects against intruders. Similarly, web access to the Sungard data will be protected. The current version of Blackboard is not encrypted, but future versions have the option of encryption.

What are we doing about computer security?

I have mentioned a number of things in passing. The following are a few of the things we are doing, though the list is not exhaustive.

* In the Sungard system, there is password-based security defined by roles: students see a subset of the data, faculty a subset, faculty who are advisors see a larger but targeted subset, and Department Chairs and Deans another. All have access to data important and relevant to them, some of it private and some of it public. The Registrar's Office has access to all of the student data, and the system administrators by necessity also have access.

* As mentioned, Sungard has encrypted both Internet and local area network access to University data on the Oracle database.

* Access to the Sun administrative server from the Internet is strictly controlled by a Virtual Private Network solution (special encryption of the sessions over the Internet).

* We formed a CTC Security Council which is developing security policies and which discusses security incidents. The Council will work with ITPAC and the campus community on campus-wide security solutions.

* The Security Council maintains a database of security incidents.

* The CTC has purchased and deployed an Intrusion Detection System (IDS). This system monitors incoming and outgoing Internet traffic as well as traffic on the local area network. It can be used to resist denial of service attacks, monitor unusual network traffic, log attempts at accessing servers (including routers and switches), and it can selectively restrict intrusive activities. The IDS often detects unusual activity before system administrators notice it. It can also assist in monitoring the wireless network.

* CTC System administrators work constantly at keeping up with the security patches to operating systems and applications. Because of the complexity of the operating systems, there are many patches supplied by the vendors as problems are discovered. System administrators are alerted by a variety of listservs.

* The Symantec anti-virus program issues new data (.dat) files regularly that protect against known viruses. These updates are useful in protecting the PCs across campus as the files are refreshed. Symantec also works with Lotus Notes.

* In case protective measures fail, it is important to have files and systems backed up. We currently back up many files on a tape system off-site (not in the same building as the servers). These backups greatly assist in restoring damaged systems.

* Some of our servers are not connected on the public LAN but are directly connected on their own data network. That further reduces risk.

Securing Your Computer

What can you do about computer security? The following are a few of the ways in which users can make their computers more secure, though the list is not exhaustive.

* You should shut down applications when you leave your computer unattended.

* You can press F5 to protect Lotus Notes from intruders. If you press F5 and leave your computer unattended with LN open, anyone who tries to use Lotus Notes will be required to enter your LN password.

* You should keep passwords hidden.

* You should never give out your passwords to anyone.

* You should change your passwords occasionally or any time that you feel they might have been compromised.

* You should mix upper and lower case and include numbers in passwords.

* You should password-protect your PC so that it requires a password when you boot it up.

* If you do not have virus protection software on your University PC, you can request it from the CTC.

* You should be careful about launching or saving E-mail attachments, especially from people that you do not know.

* If you do have peer-to-peer (chat, file-sharing) software on your computer, do some research to find out whether it opens up your computer to the outside world. There are big differences among peer-to-peer applications. Some are much more respectful than others.

* If you or your department has a server, keep up with the software and security patches as recommended by vendors.

* If you have questions about security, contact the CTC.

E-mail Confusion
by Mark Griffin, Manager of Servers & Desktop Systems

I would encourage everyone to always read E-mail addresses carefully and not make assumptions about those E-mail addresses, particularly those E-mails from off-campus. Some may have the same or similar ID as an FHSU faculty, staff, or student but the node is different from our fhsu.edu or tiger.fhsu.edu. Please make sure that the person you are communicating with electronically is really the person with whom you want to communicate.
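The check described in this article, same or similar ID but a different node, can be automated along these lines. This is an added example, not CTC code: the two campus nodes come from the article, while the campus IDs and all sample addresses are constructed.

```python
from email.utils import parseaddr

# The two campus nodes named in the article.
CAMPUS_NODES = ("fhsu.edu", "tiger.fhsu.edu")
# Hypothetical campus IDs, constructed for this example.
CAMPUS_IDS = {"jdoe", "asmith"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return (verdict, reasons) for the address in a From header."""
    display, addr = parseaddr(from_header)
    local, at, node = addr.lower().rpartition("@")
    if not at or not local or not node:
        return "unparseable", []
    if node in CAMPUS_NODES:
        return "campus", []
    reasons = []
    # The article's case: a familiar ID on an unfamiliar node.
    if local in CAMPUS_IDS:
        reasons.append(f"ID '{local}' matches a campus ID but the node is {node}")
    for good in CAMPUS_NODES:
        if node.startswith(good + "."):
            reasons.append(f"node begins with {good} but ends elsewhere")
        elif edit_distance(node, good) <= 2:
            reasons.append(f"node is within two edits of {good}")
    # A campus address shown as the display name does not make the sender campus.
    if any(good in display.lower() for good in CAMPUS_NODES):
        reasons.append("display name mentions a campus node the address does not use")
    return ("suspicious" if reasons else "off-campus"), reasons

if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Jane Doe <jdoe@fhsu.edu>",
        "Jane Doe <jdoe@example.com>",
        "helpdesk@fhsu.edu.example.com",
        "asmith@fhsu.edv",
        '"registrar@fhsu.edu" <notice@example.net>',
        "Newsletter <news@example.org>",
    ):
        print(header, "->", check_sender(header))
```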

How to Make Conference Calls
by Melanie Chapman, Sr. Admin. Assistant

Do you ever find the need to bring several people together on a phone call but just don't know how? If so, this is the article for you. The fewer the people you want to conference together, the easier it gets (and the less expensive per line). Here are the options that are available to you on our system.

Three Party Calls (including you)

If you are using an analog phone (most folks are), the cost is just the cost of any long distance charges.

  • You just need to call the first party.
  • Excuse yourself and press the flash key (lightning bolt).
  • You will hear another dial tone; dial the second party.
  • Press the flash key again to bring all the parties together.

Six Party Calls

If you are using a digital phone:

  1. Call the first party.
  2. Press the "Conf" key.
  3. Call the next party.
  4. Press the "Conf" key to bring all the parties together.
  5. Repeat steps 2, 3, and 4 until all the parties are together.

Note: you can transfer the conference call to an analog phone, if you want.

Sprint Personal Conferencing

You can conference up to 30 parties, regardless of the phone, with this service. The cost is 10 to 15 cents per minute per line (including you). You can have everyone call a central number (meet me call) or you can call each party and add them to the call. You will need a Sprint Personal Conferencing card, which you can obtain with a "Request for Telephone Service" and training, which we will provide.

Sprint Attended Conferencing

You can conference a very large group together with this service (even hundreds). The cost is 15 to 20 cents per minute per line. This method requires a 24 hour reservation with Sprint and an operator will help you set it up. You will also need the Sprint Personal Conferencing card mentioned above. There are two options in having an attended conference - have the operator call each individual or have each caller dial in an 800 number that is provided to them. If you decide to have each person call into the 800 number, it will be provided when you set up the conference with the operator. If you decide that you would like the operator to call each individual, then you would need to provide the names and phone numbers of each person at that time. If you have any questions or need help, call Melanie at 4110 or E-mail at mchapman@fhsu.edu.

CTC HelpDesk News
by Nancy Geier, CTC HelpDesk Supervisor

Internet Dial-Up Service Update

The following chart compares use of the dial-up service now to one year ago. Averages were computed using a 15-day period from September 23 to October 7 of each year.

 
| Activity | 10/2001 | 10/2002 | % Chg |
|---|---|---|---|
| Student accounts | 1,112 | 1,043 | -6 |
| Faculty/staff accounts | 525 | 539 | 3 |
| Total accounts | 1,637 | 1,582 | -3 |
| Average # accounts used per day | 888 | 834 | -6 |
| Modems available | 214 | 214 | 0 |
| Average total connect time (minutes) per day | 105,979 | 110,363 | 4 |
| Average connect time (minutes) - peak hour/day | 9,681 | 9,888 | 2 |
| Average modem capacity use - peak hour/day | 75.4% | 77.01% | 2 |
| Average connect time (minutes) per login | 38.11 | 43.19 | 13 |
 
Although there has been a slight decrease in the total number of accounts, system use has continued to grow. Part of this decrease is due to a lag in the creation of new accounts because classes began a week later this fall, as compared to last year. In addition, more households in the local area are now using DSL or Cablemodem services. Despite these changes, overall use of the system has risen. As online courses have become increasingly popular, the average connection time per session has steadily risen and we have experienced more efficient use of the system, as server capacity in use has been slightly higher during the early afternoon hours.

The percentage of total account holders connecting each day has remained steady at about 80%. The highest level of utilization to date has been 212 modems in concurrent use. As of November 14, there were 1,628 total accounts.

Hourly dial-up activity statistics may be viewed at alleycat.fhsu.edu/dialup/.

 
CTC HelpDesk Hours
 
Fall 2002 Regular Hours

| Days | Hours |
|---|---|
| Mon - Thurs | 8am - 10pm |
| Fridays | 8am - 5pm |
| Saturdays | CLOSED |
| Sundays | 7pm - 10pm |

Holiday Hours

| Dates | Hours |
|---|---|
| Nov. 26 & 27 | 8am - 5pm |
| Nov. 28 - 30 | CLOSED |
| Dec. 1 - 17 | Fall 2002 Regular Hours |
| Dec 18 - 20 | 8am - 5pm |
| Dec. 21 - Jan 1 | CLOSED |
| Jan. 2 - Jan. 19: Mon - Fri | 8am - 5pm |
| Jan. 2 - Jan. 19: Weekends & Jan. 20 | CLOSED |
| Jan. 21 | Spring 2003 Regular Hours begin |

Spring 2003 Regular Hours

| Days | Hours |
|---|---|
| Mon - Thurs | 8am - 9pm |
| Fridays | 8am - 5pm |
| Saturdays | CLOSED |
| Sundays | 6pm - 9pm |
 
For more information, visit our web site at http://www.fhsu.edu/ctc/helpdesk/. You may also contact us by calling (785) 628-5276 or by sending E-mail to helpdesk@fhsu.edu.
 
User Services News
by Viv Zimmerman, User Services

End of Semester CTC Lab Hours

These are the end-of-semester and holiday hours that the CTC Tomanek Hall Computer labs will have from December 2 through the Martin Luther King holiday.

 
Fall & Spring CTC Regular Lab Hours

| Days | Hours |
|---|---|
| Mondays - Thursdays | 8am - 10pm |
| Fridays | 8am - 5pm |
| Saturdays | 1pm - 5pm |
| Sundays | 3pm - 10pm |

CTC Lab Holiday Hours

| Dates | Hours |
|---|---|
| Dec. 2 - Dec. 17 | Regular hours |
| Dec. 18 - 20, 23 | 8am - 5pm |
| Dec. 21 - 22, 24 - Jan. 1 | CLOSED |

Jan. 2 - Jan. 20 Hours

| Days | Hours |
|---|---|
| Monday - Friday | 8am - 5pm |
| Weekends & Jan. 20 | CLOSED |
| Jan. 21 | Spring CTC Regular lab hours begin |
 
As always, if you have questions, feedback, comments or suggestions regarding our labs, please let us know; send a note to vzimmerm@fhsu.edu. For more information about our services or hours, visit our web site at http://www.fhsu.edu/ctc/labs/ or stop by TH127 (next to the elevator) and check with the lab monitor on duty.

Staff Changes

Please notify Viv at 4031 or send a note to vzimmerm@fhsu.edu anytime faculty, staff, or student employees terminate their employment with your office so that we can remove their IDs and security.

Here's How to Request New IDs

If you have any new faculty, staff, or student employees hired for the spring semester, it would be helpful if the departmental secretaries would send a Lotus Notes Request for Computing Services as soon as possible to request user IDs for Lotus Notes, CICS, Bigcat, or any other systems that are needed so that we can get them set up before the spring semester rush begins. This would help us tremendously in processing your requests more efficiently. We also use this information to put the new IDs in the appropriate groups on LN and also in the file used to create the IDs for the proxy server for the Library Electronic Journals security.

It is very important that you include the following information: name of employee, SSN, department name and number, title, indicate whether the new employee is faculty, staff, or student employee, office location and phone number.

On this request, also include the location of the computer that needs to have LN installed and any special instructions, such as whether this computer is shared by several users. Computers shared by more than one user affect the way LN is set up and installed.

LN Housekeeping

With the end of the year rapidly approaching and the beginning of a new year right around the corner, it is a good time to think about cleaning up your Lotus Notes. Go through your All Documents folder and delete old calendar entries that are no longer needed (print them first if you want a copy for your records). Go through your Inbox, Sent, and Draft folders and delete all of the old mail that you no longer need. The instructions for archiving mail to your PC are listed in the article Mail Cleanup! in the Fall 2002 CTC Newsletter (http://www.fhsu.edu/ctc/newsletters/news.shtml). It will save the archived notes in a folder called Archived in your Lotus Notes mail folder section, but this archived mail will actually be stored on your PC rather than on the server. This should free up a considerable amount of your allocated space on the LN server.

After you clean up your mail file, compact your mail file by doing the following:

* Click File, choose Database, and choose Properties.
* Click on the i tab.
* Click on the Compact button and wait a few seconds.
* Click the X in the upper-right corner of the Properties window. Your mail file will be compacted overnight.

If you need help with any of the LN housekeeping procedures, contact the CTC HelpDesk at 5276.

 
************************
The CTC publishes newsletters periodically throughout the year. If you would like to write a guest article or if you have questions or comments about the newsletters, contact Viv Zimmerman at 628-4031, Jane Rajewski at 628-5819, or Dr. David Schmidt at 628-4487.
 
Please note that editing may still be in progress on some newsletters.
 
If you have any problems with this web page or any of the newsletter pages, contact Viv or Randi Gilbert.
************************
 
 
This page designed by Viv Zimmerman.
Posted 12/2/2002.
 

 

 

 

