==Phrack Inc.==

                     Volume Three, Issue 27, File 5 of 12


                                    COSMOS

                   COmputer System for Mainframe OperationS

                                   Part Two

                                by King Arthur


     This article will present solutions to the computer security problems
presented in my previous file.  The following are simple but often neglected
items which if properly treated can immensely increase your company's computer
security.  These points apply not merely in regards to COSMOS, but to all
computers in all companies.


A) Dial-Up Security:

     When securing a computer system, regardless of its type, it's important to
remember this: the only way someone can remotely access your system is if there
is a dial-up line leading to that system.  If your system has a dial-up, make
sure that you have taken every possible precaution to secure that line.  "The
one piece of advice I would give is:  Be careful with dial-up lines," says
Bellcore's Ed Pinnes.

     Dave Imparato, Manager of Database Management at New York Telephone, says,
"We have devices that sit in front of our computers that you have to gain
access to.  In order to even get to COSMOS, there are three or four levels of
security you have to go through, and that's before you even get to the system."

Rules for protection of Dial-Up lines:

1.  Have as few dial-up lines as possible.  Private lines or direct connections
    are often a viable replacement for dial-up lines.

2.  If you must have phone lines going to your computer, use external hardware,
    if possible.  For instance, the Datakit Virtual Circuit Switch (VCS) will
    require a user to specify an "access password" and a system destination to
    specify which system you are calling.  The VCS would then connect you to
    the requested system which would prompt you for a login and password.
    Using hardware similar to this serves a double purpose:

         A) It is harder for someone to get into your computer, due to
            additional passwords;

         B) Employees need only dial a single number to access a number of
            systems.

    Another good type of hardware is a callback modem.  A callback modem will
    prompt users for a login and password.  If these are correct, the modem
    will automatically callback to a predetermined number.  At that point you
    would login to the computer.  The advantage of callback is that unless a
    call is placed from a certain phone, there is no way to connect.
    Unfortunately, this is not always efficient for systems with large numbers
    of users.

    Lastly, and the most effective means of access, is to have a system which
    does not identify itself.  A caller has to enter a secret password, which
    doesn't display on the screen.  If a caller doesn't type the correct
    password, the system will hang up, without ever telling the caller what has
    happened.

3.  If you ever detect "hackers" calling a certain number, it is advisable to
    change that number.  Phone numbers should be unlisted.  According to a
    hacker, he once got the number to an AT&T computer by asking directory
    assistance for the number of AT&T at 976 Main Street.

4.  If dial-up lines aren't used on nights or weekends, they should be
    disabled.  Computer hackers usually conduct their "business" on nights or
    weekends.  The COSMOS system has the ability to restrict access by time of
    day.


B) Password Security:

     Using the analogy between a computer and a file cabinet, you can compare a
password to the lock on your file cabinet.  By having accounts with no
passwords you are, in effect, leaving your file cabinet wide open.  A system's
users will often want passwords that are easy to remember.  This is not an
advisable idea, especially for a database system with many users.  The first
passwords tried by hackers are the obvious.  For instance if MF01 is known to
be the user name for the frame room, a hacker might try MF01, FRAME, MDF, or
MAINFRAME as passwords.  If it's known to a hacker that the supervisor at the
MDF is Peter Pinkerton,  PETE or PINKERTON would not be very good passwords.

Rules for password selection:

1.  Passwords should be chosen by system administrators or the like.  Users
    will often choose passwords which provide no security.  They should not be
    within the reach of everybody in the computer room, but instead should be
    sent via company mail to the proper departments.

2.  Passwords should be changed frequently, but on an irregular basis -- every
    four to seven weeks is advisable.  Department supervisors should be
    notified of password changes via mail, a week in advance.  This would
    ensure that all employees are aware of the change at the proper time.  One
    thing you don't want is mass confusion, where everybody is trying to figure
    out why they can't access their computers.

3.  System administrators' passwords should be changed twice as often because
    they can allow access to all system resources.  If possible, system
    administrator accounts should be restricted from logging in on a dial-up
    line.

4.  A password should NEVER be the same as the account name.  Make sure that
    ALL system defaults are changed.

5.  Your best bet is to make passwords a random series of letters and  numbers.
    For example 3CB06W1, Q9IF0L4, or F4W21D0.  All passwords need not be the
    same length or format.  Imparato says, "We built a program in a PC that
    generates different security passwords for different systems and makes sure
    there's no duplication."

6.  It's important to change passwords whenever an employee leaves the company
    or even changes departments.  Imparato says, "When managers leave our
    organization, we make sure we change those passwords which are necessary to
    operate the system."

7.  The Unix operating system has a built-in "password aging" feature, which
    requires a mandatory change of passwords after a period of time.  If you
    run any Unix-based systems, it's important to activate password aging.

8.  When you feel you have experienced a problem, change ALL passwords,  not
    just those passwords involved with the incident.


C) Site security:

     There have been a number of articles written by hackers and published in
2600 Magazine dealing with garbage picking or what hackers call "trashing".
It's important to keep track of what you throw out.  In many companies,
proprietary operations manuals are thrown out.  COSMOS itself is not a
user-friendly system.  In other words, without previous exposure to the system
it would be very difficult to operate.  Bellcore's Beverly Cruse says, "COSMOS
is used in so many places around the country, I wouldn't be surprised if they
found books... in the garbage, especially after divestiture.  One interesting
thing about a COSMOS article written by hackers, is that there was a lot of
obsolete information, so it shows that wherever the information came from... it
was old."

Rules for site security:

1.  Although it may seem evident, employees should be required to show proper
    identification when entering terminal rooms or computer facilities.  It's
    doubtful that a hacker would ever attempt to infiltrate any office, but
    hackers aren't the only people you have to worry about.

2.  Urge employees to memorize login sequences.  It's a bad idea for passwords
    to be scribbled on bits of paper taped to terminals.  Eventually, one of
    those scraps may fall into the wrong hands.

3.  Garbage should be protected as much as possible.  If you use a private
    pick-up, keep garbage in loading docks, basements, or fenced-off areas. If
    you put your garbage out for public sanitation department pick-up, it's a
    good idea to shred sensitive materials.

4.  Before throwing out old manuals or books, see if another department could
    make use of them.  The more employees familiar with the system, the less of
    a chance that there will be a security problem.

5.  Printing terminals should be inspected to make sure that passwords are not
    readable.  If passwords are found to echo, check to see if the duplex is
    correct.  Some operating systems allow you to configure dial-ups for
    printer use.


D) Employee Security:

     When a hacker impersonates an employee, unless he is not successful there
is a great chance the incident will go unreported.  Even if the hacker doesn't
sound like he knows what he's talking about, employees will often excuse the
call as an unintelligent or uninformed person.  It's unpleasant to have to
worry about every call with an unfamiliar voice on the other end of the phone,
but it is necessary.

Rules for employee security:

1.  When making an inter-departmental call, always identify yourself with:
    1) Your name; 2) Your title; and 3) Your department and location.

2.  Be suspicious of callers who sound like children, or those who ask you
    questions that are out of the ordinary.  Whenever someone seems suspicious,
    get their supervisor's name and a callback number.  Don't discuss anything
    sensitive until you can verify their identity.  Don't ever discuss
    passwords over the phone.

3.  When there is a security problem with a system, send notices to all users
    instructing them not to discuss the system over the phone, especially if
    they do not already know the person to whom they are talking.

4.  Remind all dial-up users of systems, before hanging up.

5.  If security-minded posters are put up around the workplace, employees are
    bound to take more care in their work and in conversations on the phone.

6.  If managers distribute this and other computer security articles to
    department supervisors employee security will be increased.


E) General Security:

     Bellcore recently sent a package to all system administrators of COSMOS
systems.  The package detailed security procedures  which applied to COSMOS and
Unix-based systems.  If you are a recipient of this package, you should re-read
it thoroughly to ensure that your systems are secure.  Cruse says, "Last
year... I had a call from someone within an operating company with a COSMOS
security problem.  All we really did was give them documentation which reminded
them of existing security features...  There is built-in security in the COSNIX
operating system...  We really didn't give them anything new at the time.  The
features were already there; we gave them the recommendation that they
implement all of them."

     If you feel you may not be using available security features to the
fullest, contact the vendors of your computer systems and request documentation
on security.  Find out if there are security features that you may not be
currently taking advantage of.  There are also third party software companies
that sell security packages for various operating systems and computers.

     Computer security is a very delicate subject.  Many people try to pretend
that there is no such thing as computer crime.  Since the problem exists, the
best thing to do is to study the problems and figure out the best possible
solutions.  If more people were to write or report about computer security, it
would be easier for everyone else to protect themselves.  I would like to see
Bellcore publish security guidelines, available to the entire
telecommunications industry.  Keep in mind, a chain is only as strong as its
weakest link.