Title : COSMOS: COmputer System for Mainframe OperationS (Part Two)
Author : King Arthur
==Phrack Inc.==
Volume Three, Issue 27, File 5 of 12
COSMOS
COmputer System for Mainframe OperationS
Part Two
by King Arthur
This article will present solutions to the computer security problems
presented in my previous file. The following are simple but often neglected
items which if properly treated can immensely increase your company's computer
security. These points apply not merely in regards to COSMOS, but to all
computers in all companies.
A) Dial-Up Security:
When securing a computer system, regardless of its type, it's important to
remember this: the only way someone can remotely access your system is if there
is a dial-up line leading to that system. If your system has a dial-up, make
sure that you have taken every possible precaution to secure that line. "The
one piece of advice I would give is: Be careful with dial-up lines," says
Bellcore's Ed Pinnes.
Dave Imparato, Manager of Database Management at New York Telephone, says,
"We have devices that sit in front of our computers that you have to gain
access to. In order to even get to COSMOS, there are three or four levels of
security you have to go through, and that's before you even get to the system."
Rules for protection of Dial-Up lines:
1. Have as few dial-up lines as possible. Private lines or direct connections
are often a viable replacement for dial-up lines.
2. If you must have phone lines going to your computer, use external hardware,
if possible. For instance, the Datakit Virtual Circuit Switch (VCS) will
require a user to specify an "access password" and a system destination to
specify which system you are calling. The VCS would then connect you to
the requested system which would prompt you for a login and password.
Using hardware similar to this serves a double purpose:
A) It is harder for someone to get into your computer, due to
additional passwords;
B) Employees need only dial a single number to access a number of
systems.
Another good type of hardware is a callback modem. A callback modem will
prompt users for a login and password. If these are correct, the modem
will automatically callback to a predetermined number. At that point you
would login to the computer. The advantage of callback is that unless a
call is placed from a certain phone, there is no way to connect.
Unfortunately, this is not always efficient for systems with large numbers
of users.
Lastly, and the most effective means of access, is to have a system which
does not identify itself. A caller has to enter a secret password, which
doesn't display on the screen. If a caller doesn't type the correct
password, the system will hang up, without ever telling the caller what has
happened.
3. If you ever detect "hackers" calling a certain number, it is advisable to
change that number. Phone numbers should be unlisted. According to a
hacker, he once got the number to an AT&T computer by asking directory
assistance for the number of AT&T at 976 Main Street.
4. If dial-up lines aren't used on nights or weekends, they should be
disabled. Computer hackers usually conduct their "business" on nights or
weekends. The COSMOS system has the ability to restrict access by time of
day.
B) Password Security:
Using the analogy between a computer and a file cabinet, you can compare a
password to the lock on your file cabinet. By having accounts with no
passwords you are, in effect, leaving your file cabinet wide open. A system's
users will often want passwords that are easy to remember. This is not an
advisable idea, especially for a database system with many users. The first
passwords tried by hackers are the obvious. For instance if MF01 is known to
be the user name for the frame room, a hacker might try MF01, FRAME, MDF, or
MAINFRAME as passwords. If it's known to a hacker that the supervisor at the
MDF is Peter Pinkerton, PETE or PINKERTON would not be very good passwords.
Rules for password selection:
1. Passwords should be chosen by system administrators or the like. Users
will often choose passwords which provide no security. They should not be
within the reach of everybody in the computer room, but instead should be
sent via company mail to the proper departments.
2. Passwords should be changed frequently, but on an irregular basis -- every
four to seven weeks is advisable. Department supervisors should be
notified of password changes via mail, a week in advance. This would
ensure that all employees are aware of the change at the proper time. One
thing you don't want is mass confusion, where everybody is trying to figure
out why they can't access their computers.
3. System administrators' passwords should be changed twice as often because
they can allow access to all system resources. If possible, system
administrator accounts should be restricted from logging in on a dial-up
line.
4. A password should NEVER be the same as the account name. Make sure that
ALL system defaults are changed.
5. Your best bet is to make passwords a random series of letters and numbers.
For example 3CB06W1, Q9IF0L4, or F4W21D0. All passwords need not be the
same length or format. Imparato says, "We built a program in a PC that
generates different security passwords for different systems and makes sure
there's no duplication."
6. It's important to change passwords whenever an employee leaves the company
or even changes departments. Imparato says, "When managers leave our
organization, we make sure we change those passwords which are necessary to
operate the system."
7. The Unix operating system has a built-in "password aging" feature, which
requires a mandatory change of passwords after a period of time. If you
run any Unix-based systems, it's important to activate password aging.
8. When you feel you have experienced a problem, change ALL passwords, not
just those passwords involved with the incident.
C) Site security:
There have been a number of articles written by hackers and published in
2600 Magazine dealing with garbage picking or what hackers call "trashing".
It's important to keep track of what you throw out. In many companies,
proprietary operations manuals are thrown out. COSMOS itself is not a
user-friendly system. In other words, without previous exposure to the system
it would be very difficult to operate. Bellcore's Beverly Cruse says, "COSMOS
is used in so many places around the country, I wouldn't be surprised if they
found books... in the garbage, especially after divestiture. One interesting
thing about a COSMOS article written by hackers, is that there was a lot of
obsolete information, so it shows that wherever the information came from... it
was old."
Rules for site security:
1. Although it may seem evident, employees should be required to show proper
identification when entering terminal rooms or computer facilities. It's
doubtful that a hacker would ever attempt to infiltrate any office, but
hackers aren't the only people you have to worry about.
2. Urge employees to memorize login sequences. It's a bad idea for passwords
to be scribbled on bits of paper taped to terminals. Eventually, one of
those scraps may fall into the wrong hands.
3. Garbage should be protected as much as possible. If you use a private
pick-up, keep garbage in loading docks, basements, or fenced-off areas. If
you put your garbage out for public sanitation department pick-up, it's a
good idea to shred sensitive materials.
4. Before throwing out old manuals or books, see if another department could
make use of them. The more employees familiar with the system, the less of
a chance that there will be a security problem.
5. Printing terminals should be inspected to make sure that passwords are not
readable. If passwords are found to echo, check to see if the duplex is
correct. Some operating systems allow you to configure dial-ups for
printer use.
D) Employee Security:
When a hacker impersonates an employee, unless he is not successful there
is a great chance the incident will go unreported. Even if the hacker doesn't
sound like he knows what he's talking about, employees will often excuse the
call as an unintelligent or uninformed person. It's unpleasant to have to
worry about every call with an unfamiliar voice on the other end of the phone,
but it is necessary.
Rules for employee security:
1. When making an inter-departmental call, always identify yourself with:
1) Your name; 2) Your title; and 3) Your department and location.
2. Be suspicious of callers who sound like children, or those who ask you
questions that are out of the ordinary. Whenever someone seems suspicious,
get their supervisor's name and a callback number. Don't discuss anything
sensitive until you can verify their identity. Don't ever discuss
passwords over the phone.
3. When there is a security problem with a system, send notices to all users
instructing them not to discuss the system over the phone, especially if
they do not already know the person to whom they are talking.
4. Remind all dial-up users of systems, before hanging up.
5. If security-minded posters are put up around the workplace, employees are
bound to take more care in their work and in conversations on the phone.
6. If managers distribute this and other computer security articles to
department supervisors employee security will be increased.
E) General Security:
Bellcore recently sent a package to all system administrators of COSMOS
systems. The package detailed security procedures which applied to COSMOS and
Unix-based systems. If you are a recipient of this package, you should re-read
it thoroughly to ensure that your systems are secure. Cruse says, "Last
year... I had a call from someone within an operating company with a COSMOS
security problem. All we really did was give them documentation which reminded
them of existing security features... There is built-in security in the COSNIX
operating system... We really didn't give them anything new at the time. The
features were already there; we gave them the recommendation that they
implement all of them."
If you feel you may not be using available security features to the
fullest, contact the vendors of your computer systems and request documentation
on security. Find out if there are security features that you may not be
currently taking advantage of. There are also third party software companies
that sell security packages for various operating systems and computers.
Computer security is a very delicate subject. Many people try to pretend
that there is no such thing as computer crime. Since the problem exists, the
best thing to do is to study the problems and figure out the best possible
solutions. If more people were to write or report about computer security, it
would be easier for everyone else to protect themselves. I would like to see
Bellcore publish security guidelines, available to the entire
telecommunications industry. Keep in mind, a chain is only as strong as its
weakest link.
_______________________________________________________________________________