                                ==Phrack Inc.==

                     Volume Three, Issue 27, File 5 of 12

                                    COSMOS

                   COmputer System for Mainframe OperationS

                                   Part Two

                                by King Arthur


This article will present solutions to the computer security problems
presented in my previous file. The following are simple but often neglected
items which if properly treated can immensely increase your company's
computer security. These points apply not merely in regards to COSMOS, but
to all computers in all companies.


A) Dial-Up Security:

When securing a computer system, regardless of its type, it's important to
remember this: the only way someone can remotely access your system is if
there is a dial-up line leading to that system. If your system has a
dial-up, make sure that you have taken every possible precaution to secure
that line.

"The one piece of advice I would give is: Be careful with dial-up lines,"
says Bellcore's Ed Pinnes.

Dave Imparato, Manager of Database Management at New York Telephone, says,
"We have devices that sit in front of our computers that you have to gain
access to. In order to even get to COSMOS, there are three or four levels of
security you have to go through, and that's before you even get to the
system."

Rules for protection of Dial-Up lines:

1. Have as few dial-up lines as possible. Private lines or direct
   connections are often a viable replacement for dial-up lines.

2. If you must have phone lines going to your computer, use external
   hardware, if possible. For instance, the Datakit Virtual Circuit Switch
   (VCS) will require a user to specify an "access password" and a system
   destination to specify which system you are calling. The VCS would then
   connect you to the requested system which would prompt you for a login
   and password. Using hardware similar to this serves a double purpose:

      A) It is harder for someone to get into your computer, due to
         additional passwords;
      B) Employees need only dial a single number to access a number of
         systems.

   Another good type of hardware is a callback modem.
   A callback modem will prompt users for a login and password. If these
   are correct, the modem will automatically call back to a predetermined
   number. At that point you would log in to the computer. The advantage of
   callback is that unless a call is placed from a certain phone, there is
   no way to connect. Unfortunately, this is not always efficient for
   systems with large numbers of users.

   Lastly, the most effective means of access is to have a system which
   does not identify itself. A caller has to enter a secret password, which
   doesn't display on the screen. If a caller doesn't type the correct
   password, the system will hang up, without ever telling the caller what
   has happened.

3. If you ever detect "hackers" calling a certain number, it is advisable
   to change that number. Phone numbers should be unlisted. According to a
   hacker, he once got the number to an AT&T computer by asking directory
   assistance for the number of AT&T at 976 Main Street.

4. If dial-up lines aren't used on nights or weekends, they should be
   disabled. Computer hackers usually conduct their "business" on nights or
   weekends. The COSMOS system has the ability to restrict access by time of
   day.


B) Password Security:

Using the analogy between a computer and a file cabinet, you can compare a
password to the lock on your file cabinet. By having accounts with no
passwords you are, in effect, leaving your file cabinet wide open. A
system's users will often want passwords that are easy to remember. This is
not an advisable idea, especially for a database system with many users. The
first passwords tried by hackers are the obvious ones. For instance, if MF01
is known to be the user name for the frame room, a hacker might try MF01,
FRAME, MDF, or MAINFRAME as passwords. If it's known to a hacker that the
supervisor at the MDF is Peter Pinkerton, PETE or PINKERTON would not be
very good passwords.

Rules for password selection:

1. Passwords should be chosen by system administrators or the like.
   Users will often choose passwords which provide no security. They should
   not be within the reach of everybody in the computer room, but instead
   should be sent via company mail to the proper departments.

2. Passwords should be changed frequently, but on an irregular basis --
   every four to seven weeks is advisable. Department supervisors should be
   notified of password changes via mail, a week in advance. This would
   ensure that all employees are aware of the change at the proper time. One
   thing you don't want is mass confusion, where everybody is trying to
   figure out why they can't access their computers.

3. System administrators' passwords should be changed twice as often
   because they can allow access to all system resources. If possible,
   system administrator accounts should be restricted from logging in on a
   dial-up line.

4. A password should NEVER be the same as the account name. Make sure that
   ALL system defaults are changed.

5. Your best bet is to make passwords a random series of letters and
   numbers. For example, 3CB06W1, Q9IF0L4, or F4W21D0. All passwords need
   not be the same length or format. Imparato says, "We built a program in a
   PC that generates different security passwords for different systems and
   makes sure there's no duplication."

6. It's important to change passwords whenever an employee leaves the
   company or even changes departments. Imparato says, "When managers leave
   our organization, we make sure we change those passwords which are
   necessary to operate the system."

7. The Unix operating system has a built-in "password aging" feature, which
   requires a mandatory change of passwords after a period of time. If you
   run any Unix-based systems, it's important to activate password aging.

8. When you feel you have experienced a problem, change ALL passwords, not
   just those passwords involved with the incident.
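
Rules 4 and 5 above, together with the duplicate check Imparato describes, as
an added example (not part of the original article and not New York
Telephone's program): a generator that draws random letters and digits, never
issues the same password twice, and rejects any candidate containing the
account name or an obvious guess. The account LAC02, its word list, and the
12 to 16 character length range are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # letters and numbers (rule 5)


def is_weak(password, account, related_words=()):
    """True if the password is, or contains, the account name or an obvious guess."""
    pw = password.upper()
    guesses = {account.upper()} | {w.upper() for w in related_words}
    # Substring match also catches trivial variants such as PINKERTON1.
    return any(g and g in pw for g in guesses)


def generate_password(min_len=12, max_len=16):
    """Random letters and digits from the OS CSPRNG; the length varies per password."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assign_passwords(accounts, already_issued=()):
    """accounts: {account: [guessable words]} -> {account: password}, no duplicates."""
    issued = set(already_issued)
    result = {}
    for account, words in accounts.items():
        while True:
            candidate = generate_password()
            # Retry on a duplicate (across all systems) or a guessable value.
            if candidate in issued or is_weak(candidate, account, words):
                continue
            issued.add(candidate)
            result[account] = candidate
            break
    return result


# Constructed sample data: MF01 and its guess words come from the article;
# LAC02 and its words are hypothetical.
SAMPLE_ACCOUNTS = {
    "MF01": ["FRAME", "MDF", "MAINFRAME", "PETE", "PINKERTON"],
    "LAC02": ["LOOP", "ASSIGN"],
}

if __name__ == "__main__":
    for account, password in assign_passwords(SAMPLE_ACCOUNTS).items():
        print(account, password)
```

Passing the passwords already in use on other systems as already_issued keeps
a new batch from repeating any of them.
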

C) Site security:

There have been a number of articles written by hackers and published in
2600 Magazine dealing with garbage picking or what hackers call "trashing".
It's important to keep track of what you throw out. In many companies,
proprietary operations manuals are thrown out. COSMOS itself is not a
user-friendly system. In other words, without previous exposure to the
system it would be very difficult to operate. Bellcore's Beverly Cruse says,
"COSMOS is used in so many places around the country, I wouldn't be
surprised if they found books... in the garbage, especially after
divestiture. One interesting thing about a COSMOS article written by
hackers, is that there was a lot of obsolete information, so it shows that
wherever the information came from... it was old."

Rules for site security:

1. Although it may seem evident, employees should be required to show
   proper identification when entering terminal rooms or computer
   facilities. It's doubtful that a hacker would ever attempt to infiltrate
   any office, but hackers aren't the only people you have to worry about.

2. Urge employees to memorize login sequences. It's a bad idea for
   passwords to be scribbled on bits of paper taped to terminals.
   Eventually, one of those scraps may fall into the wrong hands.

3. Garbage should be protected as much as possible. If you use a private
   pick-up, keep garbage in loading docks, basements, or fenced-off areas.
   If you put your garbage out for public sanitation department pick-up,
   it's a good idea to shred sensitive materials.

4. Before throwing out old manuals or books, see if another department
   could make use of them. The more employees familiar with the system, the
   less of a chance that there will be a security problem.

5. Printing terminals should be inspected to make sure that passwords are
   not readable. If passwords are found to echo, check to see if the duplex
   is correct. Some operating systems allow you to configure dial-ups for
   printer use.

D) Employee Security:

When a hacker impersonates an employee, unless he is unsuccessful there is a
great chance the incident will go unreported. Even if the hacker doesn't
sound like he knows what he's talking about, employees will often excuse the
call as an unintelligent or uninformed person. It's unpleasant to have to
worry about every call with an unfamiliar voice on the other end of the
phone, but it is necessary.

Rules for employee security:

1. When making an inter-departmental call, always identify yourself with:
   1) Your name; 2) Your title; and 3) Your department and location.

2. Be suspicious of callers who sound like children, or those who ask you
   questions that are out of the ordinary. Whenever someone seems
   suspicious, get their supervisor's name and a callback number. Don't
   discuss anything sensitive until you can verify their identity. Don't
   ever discuss passwords over the phone.

3. When there is a security problem with a system, send notices to all
   users instructing them not to discuss the system over the phone,
   especially if they do not already know the person to whom they are
   talking.

4. Remind all dial-up users of systems, before hanging up.

5. If security-minded posters are put up around the workplace, employees
   are bound to take more care in their work and in conversations on the
   phone.

6. If managers distribute this and other computer security articles to
   department supervisors, employee security will be increased.


E) General Security:

Bellcore recently sent a package to all system administrators of COSMOS
systems. The package detailed security procedures which applied to COSMOS
and Unix-based systems. If you are a recipient of this package, you should
re-read it thoroughly to ensure that your systems are secure. Cruse says,
"Last year... I had a call from someone within an operating company with a
COSMOS security problem. All we really did was give them documentation which
reminded them of existing security features...
There is built-in security in the COSNIX operating system... We really
didn't give them anything new at the time. The features were already there;
we gave them the recommendation that they implement all of them."

If you feel you may not be using available security features to the fullest,
contact the vendors of your computer systems and request documentation on
security. Find out if there are security features that you may not be
currently taking advantage of. There are also third party software companies
that sell security packages for various operating systems and computers.

Computer security is a very delicate subject. Many people try to pretend
that there is no such thing as computer crime. Since the problem exists, the
best thing to do is to study the problems and figure out the best possible
solutions. If more people were to write or report about computer security,
it would be easier for everyone else to protect themselves. I would like to
see Bellcore publish security guidelines, available to the entire
telecommunications industry. Keep in mind, a chain is only as strong as its
weakest link.