Memorandum on Computer and Network Security

Intended audience: All UK Particle Physics users (this note does not aim to cover detailed technical measures by system managers)

SUMMARY

The CNAP notes the dramatic increase in network attacks on computers, necessitating much effort by system managers to defend users from harm. This memorandum is addressed to all computer users, urging them to play an active part in protecting themselves and their colleagues from these threats, and working together with their system managers.

INTRODUCTION

The last year saw a major growth in threats to computer and network security on the Internet. There have been several major penetrations in the Particle Physics community alone; numerous lesser penetrations caught, and most likely others that have gone undetected. System managers report a continual level of probing and attempted penetration.

All these events have to be taken seriously, defences prepared, and anomalies investigated. Some serious cases have forced the shutdown of site network connections for several days, with real consequences for work at those sites and knock-on effects at other sites.

System managers have invested considerable effort over this period, to identify and deploy more-secure methods of working. The CNAP wishes to emphasise the importance of all users playing their part in this effort, to protect themselves, their colleagues and their experiments from harm.

BACKGROUND

The use of computers and networks in the UK Academic Community is regulated not only by the Law, but also by the regulations of each University and Institute, and by the Acceptable Use Policy of the JANET network.

Where Particle Physics is somewhat unusual is that our close international collaborations lead to users holding computer accounts at several sites: their University, RAL, CERN, DESY, SLAC etc.: it also leads to projects for farming out computations amongst remote sites. These features bring special risks and threats, and prompts the CNAP to draw special attention to the responsibilities that this places on users. Carelessness on one site could deliver to an attacker the direct ability to penetrate other sites. Most computer systems have at least one unidentified vulnerability whereby an attacker, having got access as a normal user, can achieve more-privileged status.

Due to the ever-shifting nature of the threat, it would be neither helpful nor feasible for the CNAP to spell out a detailed list of rules. Rather, this Memorandum draws attention to principles, urges every user to be vigilant, to cooperate with the measures being adopted by their system managers, and above all to consult closely with system managers when setting up systems of working that represent an especial risk, such as multiple-site facilities, unattended operations etc.

The bad news is that many users may need to make some kind of change to the way they are accustomed to working, and that even the more-secure facilities are no magic bullet - vigilance is still needed. The good news is that the replacement facilities are not hard to use; some are an almost transparent drop-in for existing facilities, and some offer additional benefits.

THE THREAT

All computer systems have points of weakness, and are capable of being penetrated by particular tricks. The Internet is infested with individuals and groups who dedicate time to locating and exploiting these tricks. Not all attacks depend initially on carelessness by a particular user; but once a computer has been penetrated, the opportunities for further mayhem depend on what users have left lying around, such as pointers to accounts on other systems and, worse, passwords for those accounts.

System managers of course try to keep abreast of the security fixes for loopholes as they are discovered, but each new discovery is a window of opportunity for the attackers, who use automated systems for scanning thousands of hosts, hunting for vulnerable systems on the network and penetrating them. These compromised systems are then used as a base of operations either for collecting passwords ("sniffing") or for attacking other systems.

Every account holder has a vital role to play both in defending themselves and their colleagues from harm, and in minimising the consequences if a penetration should be successful. No system manager, no matter how industrious, can entirely protect users from themselves and from each other; it is especially mischievous if users undermine the measures that are being adopted for their protection.

Some users are heard to remark "I have nothing worth protecting": this attitude is very dangerous. Once a accomplished attacker has access to even one user acccount, the whole system is at risk, and maybe many other systems too.

RECOMMENDATIONS

The CNAP encourages the system managers to continue their work for improving security. This Memorandum concentrates on issues that directly relate to users. It is noted that more and more users want machines that they administer themselves (Linux being of particular note): this brings additional risks.

The following items address issues that have come to particular notice.

• Every user account should have a single user responsible for it: this rule is indeed incorporated in some campus regulations. Shared resources should be managed in other ways (e.g groups) than by having one account used by several users. If it be found necessary to deviate from this general principle in a particular instance, the situation must be carefully assessed, responsibility clearly assigned, and the facility closed promptly when no longer needed. Where guest accounts are used for short-term visitors, each account should be issued clearly to one guest, and its password changed before issuing it to another. Some actual breakins have been traced to guest accounts whose password became widely known.
• The CNAP calls on users to follow the guidelines for choosing good passwords and pass-phrases, and changing them from time to time, whether or not these are formally imposed at their site. It is appreciated that it is awkward to keep track of a number of cryptically devised passwords which are different for different systems, but CNAP feels that users must now be urged to do this to guard against commonly employed hacking techniques. Encoded passwords can be picked up by remote exploits, and then subjected to all kinds of cracking attempts, using dictionaries and variations on them, at the cracker's convenience. The cracker can only test complete password guesses, but can generate guesses at high speed; users should therefore devise passwords that are unlikely to be easily generated by automatic techniques. Even if your passwords are hard to crack, you should seriously consider the consequences of them being discovered by other means, such as network snooping; it will save much inconvenience and embarrassment if discovery of one password does not give carte blanche to all your accounts. In all this it should be understood that, nowadays, the security of your password is not just a matter for yourself, but affects the security of the whole system. CERN's rules are at http://wwwinfo.cern.ch/dis/security/passwords.html
• Accounts that are no longer actively required should be shut down. Break-ins have been based on such derelict accounts. Mail for a departed user can be forwarded to them without needing to keep their logon account active. For a prolonged absence, e.g secondment to another location, ask to have your email forwarded and the account temporarily disabled.
• Where systems of cooperative working are set up, they should use the narrowest range of facilities needed for getting the job done. It is very dangerous to have the same account and password valid at many sites, or to use lists of identifiers and passwords stored on file. Any system of working that relies on a plain text password stored on computer must now be rated unacceptable, and some improved system devised without delay, in consultation with the relevant system managers.
• Having loosely-managed systems (such as user-managed linux systems) in a position of close mutual trust with managed shared-access systems is a recipe for disaster. Some sites are banning user-managed systems altogether: worth emulating if feasible. If that cannot be achieved, such systems are best quarantined from mission-critical systems, and trust should be kept to the minimum necessary to get the job done. Offering internet services (daemons) on user- managed systems is a particular risk: all unneeded services must be closed down, and users should consult with their system managers to audit any needed service daemons for known vulnerabilities. Having a firewall or at least an Etherswitch between trusted and non-trusted systems is now practically indispensible.
• "ssh" is a currently popular mechanism for increased security, and indeed when used appropriately it can be useful (where legislation permits). But it must not be regarded as a magic bullet: if configured inappropriately or used carelessly, it could give an attacker encrypted access to systems, defying the usual means of monitoring unauthorised network access.
• X Windows security is a topic for itself: poor X Windows configuration could render other security measures useless. Consult with your system manager to be sure that you have an effective scheme configured. Background information is available for example at http://consult.cern.ch/writeup/security/security_4.html
• Significant security compromises have been caused by the incautious handling of email attachments. Do not execute (nor configure your email software to execute) email attachments from untrusted senders.
• Untrusted sites such as conference venues are a special problem. Users who have logged on to their account(s) from such a site are strongly urged to change their password at the first secure opportunity afterwards; where a safer scheme such as one-time passwords (OTP) or key challenges (S/Key etc) is available, please make use of it.
• If you wish to connect a laptop to the network, be sure to follow any relevant advice offered locally, or to consult with your local system manager about appropriate precautions to be taken.
• If you as user discover a security compromise in progress, there will be valuable evidence to be analysed, so please AVOID hasty deletion of files etc. Contact the system manager without delay: according to circumstances, it may be desirable to promptly isolate the compromised system from the network, if that is feasible. The evidence may help to locate and assist other compromised accounts and sites.

This is not, and cannot be, a complete detailed list, nor does it cover extra measures adopted by system managers. It cannot be emphasised too strongly that careless or inconsiderate actions by one user can put an entire shared-user system at risk and, in our kind of environment, can very easily put at risk systems on other sites too. While it is neither feasible nor desirable to turn our systems into Fort Knox, and a certain level of risk must be accepted in order to get our work done, it's a truism that a chain is no stronger than its weakest link. The threat from these network vandals isn't going to go away; the CNAP urges every user to respect the duty of care which they owe to their colleagues and experiments, to remain vigilant, and to adopt safer systems of computing.