From: CSBVAX::MRGATE!AWALKER@RED.RUTGERS.EDU@SMTP 25-SEP-1987 22:28
To: EVERHART
Subj: Simson Garfinkel's article, part 1 of 3

Date: 25 Sep 87 14:02:37 EDT
From: *Hobbit*
Subject: Simson Garfinkel's article, part 1 of 3
To: Security: ;
Errors-to:
Message-ID: <12337480155.23.AWALKER@RED.RUTGERS.EDU>

From Simson L. Garfinkel
To: security@red.rutgers.edu
Subject: security article

I've gotten over 50 requests for this article. I'm not answering them any more. Instead, I'm posting the article to the list...

-simson

% (C) 1987, Simson L. Garfinkel.
% May not be transmitted or copied without permission

Introduction to Security

An Introduction to Computer Security For Lawyers

(Most of the examples in this article are based on actual events.)

A small business has its accounting records erased by a malicious high school student using a home computer and a modem. Did the business take reasonable security precautions to prevent this sort of damage?

A friend gives you a public domain program which greatly improves your computer's performance. One day, you find that the program has stopped working, along with all of your word processor, spreadsheet and database programs.

It is important for legal practitioners to understand issues of computer security, both for the protection of their own interests and the interests of their clients. Lawyers today must automatically recognize insecure computer systems and lax operating procedures in the same way as lawyers now recognize poorly written contracts. Additionally, as computers become more pervasive, more legal cases will arise which revolve around issues of computer security. Unless familiar with the basic concepts of computer security, a lawyer will not know how to approach the question.

Not being a lawyer, the author will not attempt to address the legal aspects surrounding computer security. Instead, the goal of this article is to convey to the reader a basic understanding of the technical issues in the field.
Even a simple understanding of computer security will afford the average lawyer protection from the accidental loss or theft of documents and data stored in the firm's computer systems, and allow the lawyer to begin to evaluate cases in which the bypassing of computer security is of primary interest.

This article attempts to broadly cover questions of computer security in the small business or law firm. Because of its objectives, this article is not a step-by-step guide on how to make a law firm's computer more secure. Instead, it hopes to acquaint the reader with the issues involved so that the reader may then be able to analyze systems on a case-by-case basis and recognize when outside assistance is required.

Simply defined, computer security is the process, procedures, or tools which assure that data entered into a computer today will be retrievable at a later time by, and only by, those authorized to do so. The procedures should additionally include systems by which computer system managers (simply ``management'' in future references) will be notified when attempts at penetrating security are made. Security is violated when some person or persons (the ``subverter'') succeeds in retrieving data without authorization. Security is also breached when the subverter manages to destroy or alter data belonging to others, making retrieval of the original data impossible.

Although a substantial effort has been spent in the academic and computer research communities exploring issues of computer security, little of what is understood has been put into practice on a wide scale. Computers are not inherently insecure, but there is a great temptation to build and run computers with lax security procedures, since this often results in simpler and faster operation. If security considerations are built into a product from the beginning they are relatively low cost; security added as an afterthought is often very expensive.
Additionally, many computer users are simply not aware of how their facilities are insecure and how to rectify the situation.

Who are the subverters?

It is a mistake to assume that all people bent on stealing or destroying data can be grouped together and that similar defenses are equally effective against all subverters. In practice, there are two major groups: those who want to steal data and those who wish to destroy it. The first group can be called ``spies,'' the second group can be called ``vandals'' or ``crackers.'' Different security measures are targeted at each group.

Spies are sometimes exactly that: spies, either governmental or corporate, who stand to gain from the possession of confidential or secret data. Other times, spies are employees of the organization that owns the computer -- employees who seek information in the computer for personal advancement or blackmail.

Crackers are typically adolescent boys who have a computer and a modem. They are usually very intelligent and break into computer systems for the challenge. They communicate with their friends via computer bulletin boards, often using stolen AT&T credit card or MCI numbers to pay for the calls. On these boards, crackers report phone numbers, user names, passwords and other information regarding computer systems they have ``discovered.'' Many crackers are aware that their actions are illegal and cease them on their 18th birthday to avoid criminal liability for their actions. ``Vandals'' describes a larger group which includes both crackers and other people likely to vandalize data, such as disgruntled employees.

Computer security has two sets of mutual goals, each tailored to a particular set of opponents. The first goal is to make the cost of violating the computer security vastly greater than the value of the data which might be stolen. This is designed to deter the spies, who are interested in stealing data for its value.
The second goal of security is to make it too difficult for crackers to gain access to a computer system within a workable period of time.

Three terms: operating system, accounts and passwords

The program which controls the basic operations of a computer is referred to as the computer's ``operating system.'' Often the same computer can be used to run several different operating systems (but not simultaneously). For example, the IBM PC/AT can run either the MSDOS operating system or Xenix, a Unix-based operating system. Under these two operating systems, the PC/AT has completely different behavior.

If a computer system is intended for use by many people, the operating system must distinguish between users to prevent them from interfering with each other. For example, most multi-user operating systems will not allow one user to delete files belonging to another user unless the second user has explicitly given permission. Typically, each user of the computer is assigned an ``account.'' The operating system then does not allow commands issued by the user of one account to modify data which was created by another account. Accounts are usually named with between one and eight letters or numbers; these names are also called ``usernames.'' Typical usernames that the author has had include ``simsong'', ``Garfinkel'', ``slg'', ``SIMSON'' and ``ML1744.''

Most operating systems require that a user enter both the account name and a ``password'' in order to use the account. Account names are generally public knowledge while passwords are secret, known only to the user and the operating system. (Some operating systems make passwords available to system management, an insecure practice which will be explored in a later section.) Since the account cannot be used without the password, the name of the account can be made public knowledge. If a cracker does break into an account, only the password needs to be changed.
Knowing a person's username is mandatory in order to exchange electronic mail.

How much security?

In most computer systems, security is purchased at a cost in system performance, ease of use, complexity and management time. Many government systems have a full-time ``security officer'' whose job is to supervise and monitor the security operations of the computer facility. Many universities are also extremely concerned about security, since they are well-marked targets for crackers in the surrounding community. Most businesses, however, are notoriously lax in their security practices, largely out of ignorance and a lack of direct experience.

Security exists in many forms: An operating system may be programmed to prevent users from reading data they are not authorized to access. Security may be procedures followed by computer users, such as disposing of all printouts and unusable magnetic media in shredders or incinerators. Security may be in the form of alarms and logs which tell the management when a break-in is attempted and/or successful. Security may be a function of hiring procedures which require extensive security checks of employees before allowing them to access confidential data. Lastly, security may be in the form of physical security, such as locks on doors and alarm systems intended to protect the equipment and media from theft.

In a secure environment, the many types and layers of security are used to reinforce each other, with the hope that if one layer fails another layer will prevent or minimize the damage. Established protocol and judgment are required to determine the amount and cost of security which a particular organization's data warrant.

Security through obscurity

Security through obscurity is the reliance upon little-known and often unchangeable artifacts for security. Security through obscurity is not a form of security, although it is often mistaken for such.
Usually no mechanism informs site management that the ``security'' has been circumvented. Often intrusions are not detected until significant damage has been done or the intruder gets careless. Once damage is detected, management has little choice but to choose a new security system which does not depend on obscurity for its strength.

The classic example of security through obscurity is the family that hides the key to the front door under the ``Welcome'' mat. The only thing to stop a burglar from entering the house is ignorance that there is a hidden key and of its location -- that is, the key's obscurity. If the house is burglarized and the burglar returns the key to its original place, the family will have no way of knowing how the burglar got in. If the family does change the location of the hidden key, all the burglar needs to do is to find it again. A higher level of security would be achieved by disposing of the hidden key and issuing keys to each member of the family.

For an example of security through obscurity on a computer, imagine the owner of a small business who uses her IBM PC for both day-to-day bookkeeping and management of employee records. In an attempt to keep the employee records hidden from her employees, she labels the disk ``DOS 1.0 BACKUP DISK.'' The owner's hope is that none of the employees will be interested in the disk after reading the label. Although the label may indeed disinterest inquisitive employees, there are far better ways to secure the disk (such as locking it in a file cabinet).

In a second example of security through obscurity, a secretary stores personal correspondence on her office word processor. To hide the documents' existence, she chooses filenames for them such as MEMO1, MEMO2, ..., and sets the first three pages of the documents to be the actual text of old inter-office memos. Her private letters are obscurely hidden after the old memos. Once her system is discovered, none of her correspondence is secure.
Physical Security

Physical security refers to devices and procedures used to protect computer hardware and media. Physical security is the most important aspect of computer security. Because of the similarities between computers and other physical objects, physical security is the aspect of computer security which is best understood.

Like typewriters and furniture, office computers are targets for theft. But unlike typewriters and furniture, the cost of a computer theft can be many times the dollar value of the equipment stolen. Often, the dollar value of the data stored inside a computer far exceeds the value of the computer itself. Very strict precautions must be taken to ensure that computer equipment is not stolen by casual thieves.

Hardware

A variety of devices are available to physically secure computers and computer equipment in place. Examples are security plates which mount underneath a computer and attach it to the table that it rests on. Other approaches include the use of heavy-duty cables threaded through holes in the computer's cabinet. It is important, when installing such a restraining device, to assure that it will not damage or interfere with the operation of the computer (more than one installation has had workmen drill holes through circuit boards to bolt them down to tables).

Backups

To ``back up'' information means to make a copy of it from one place to another. The copy, or ``backup,'' is saved in a safe place. In the event that the original is lost, the backup can be used. Backups should be performed regularly to protect the user from loss of data resulting from hardware malfunction. Improved reliability is a kind of security, in that it helps to assure that data stored today will be accessible tomorrow. The subverter in such an event might be a faulty chip or a power spike. Backups stored off site provide insurance against fire.

Backups are also vital in defending against human subverters.
If a computer is stolen, the only copy of the data it contained will be on the backup, which can then be restored on another computer. If a cracker breaks into a computer system and erases all of the files, the backups can be restored, assuming that the cracker does not have access to or knowledge of the backups.

But backups are a potential security problem. Backups are targets for theft by spies, since they can contain exact copies of confidential information. Indeed, backups warrant greater physical security than the computer system, since the theft of a backup will not be noticed as quickly as the theft of media containing working data. With recognition of the potential security hole of backups, some computer systems allow users to prevent specific files from being backed up at all. Such action is justified when the potential cost of having a backup tape containing the data stolen is greater than the potential cost of losing the data due to equipment malfunction, or when the data stored on the computer is itself a copy of a secure master source, such as a tape in a file cabinet.

Sanitizing

Floppy disks and tapes grow old and are often discarded. Hard disks are removed from service and returned intact to the manufacturer for repair or periodic maintenance. Disk packs costing thousands of dollars are removed from equipment and resold. If these media ever contained confidential data, special precautions must be taken to ensure that no traces of the data remain on the media after disposal. This process is called ``sanitizing.''

To understand sanitizing, first it is necessary to understand how information is recorded on magnetic media: The typical PC floppy disk can store approximately 360 thousand characters. Each of these characters consists of 8 binary digits, called ``bits,'' which can be set to ``0'' or ``1.'' Information on the disk is arranged into files. One part of the disk, called the directory, is used to list the name and location of every file.
Using the operating system's delete-file command (such as the MSDOS ``erase'' command) is not sufficient to ensure that the stored data cannot be recovered by skilled operators. Most delete-file commands do not actually erase the target file from a diskette: instead, the command merely removes the name of the file from the diskette's directory. This action frees the storage area occupied by the file for reuse but does not modify the data in any way. The file itself remains intact and can be recovered at a later time if it has not been overwritten. Many programs exist on the market to do just this.

Even if the actual file contents are overwritten or erased -- that is, even if all of the bits used to store the contents of the file are set to ``0'' -- it may still be possible to recover the original data, although not with normal operating procedures. Imagine a black and white checkerboard used for a computer memory. Assume that the value of any square on the checkerboard is proportional to the darkness of the square: the black squares are 1s and the white squares are 0s. Now consider what happens when the checkerboard is painted with one coat of white paint: the original checkerboard pattern is still discernible, but less so. The squares which formerly had a value of 1 now evaluate to 0.1 or 0.2. When the computer reads the memory, the 0.1 or 0.2 are rounded to 0. But an expert with special equipment could recover the original pattern. Just as the pattern can be recovered from a checkerboard uniformly painted, data can be recovered from a floppy disk which has been uniformly erased or reformatted.

Typical sanitization procedures involve writing a 1 to every location on the media, then writing a 0 to every location, then filling the media with random data. To use the checkerboard analogy, this would be the same as painting the board black, then white, then with a different checkered pattern. The original pattern should then be undetectable.
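The delete-then-recover behaviour and the three-pass overwrite described above, shown in a toy disk model. This is an added example, not code from the article: the directory layout is a deliberate simplification (not the real MSDOS directory format), and the payroll record and file names are constructed for the demonstration.

```python
"""Toy floppy disk: one directory sector plus a flat data area.  Added
example, not from the original article; the layout is a simplification
invented here and is not the real MSDOS/FAT on-disk format."""
import os

SECTOR = 64                      # bytes per sector in this toy model
N_SECTORS = 16                   # a 1 KB "diskette"
DIR_SECTORS = 1                  # the directory occupies the first sector
DATA_START = DIR_SECTORS * SECTOR

# Constructed payroll line standing in for confidential data.
CONSTRUCTED_RECORD = b"SMITH, J.  SALARY 42000  SSN 000-00-0000"


class ToyDisk:
    def __init__(self):
        self.media = bytearray(SECTOR * N_SECTORS)  # the magnetic surface
        self.directory = {}                          # name -> (start_sector, length)
        self.next_free = DIR_SECTORS

    def write_file(self, name: str, data: bytes) -> None:
        start = self.next_free
        off = start * SECTOR
        self.media[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)    # sectors used, rounded up

    def read_file(self, name: str) -> bytes:
        start, length = self.directory[name]
        off = start * SECTOR
        return bytes(self.media[off:off + length])

    def erase(self, name: str) -> None:
        """What a delete-file command does: drop the directory entry and free
        the sectors for reuse.  Not one byte of the data area changes."""
        start, length = self.directory.pop(name)
        if start + -(-length // SECTOR) == self.next_free:
            self.next_free = start

    def raw_dump(self) -> bytes:
        """What a recovery utility (or a thief) reads: the whole data area,
        regardless of what the directory says."""
        return bytes(self.media[DATA_START:])

    def sanitize(self, rng=os.urandom) -> None:
        """Three passes over every data location: all ones, all zeros, random."""
        size = len(self.media) - DATA_START
        for pattern in (b"\xff" * size, b"\x00" * size, rng(size)):
            self.media[DATA_START:] = pattern
        self.directory.clear()
        self.next_free = DIR_SECTORS


def erase_leaves_data(secret: bytes = CONSTRUCTED_RECORD) -> bool:
    """Delete the file, then scan the raw surface: the record is still there."""
    d = ToyDisk()
    d.write_file("PAYROLL.DAT", secret)
    d.erase("PAYROLL.DAT")
    return "PAYROLL.DAT" not in d.directory and secret in d.raw_dump()


def overwrite_is_partial(secret: bytes = CONSTRUCTED_RECORD) -> bool:
    """Reusing the freed sectors for a shorter file clobbers only the prefix;
    the tail of the old record survives in the slack space after the new one."""
    d = ToyDisk()
    d.write_file("PAYROLL.DAT", secret)
    d.erase("PAYROLL.DAT")
    memo = b"Re: parking"
    d.write_file("MEMO1", memo)
    tail = secret[len(memo):]
    return secret not in d.raw_dump() and tail in d.raw_dump()


def sanitize_removes_data(secret: bytes = CONSTRUCTED_RECORD) -> bool:
    """After the three passes neither the record nor its prefix is on the surface."""
    d = ToyDisk()
    d.write_file("PAYROLL.DAT", secret)
    d.sanitize()
    return secret not in d.raw_dump() and secret[:8] not in d.raw_dump()


def sanitize_final_surface(rng) -> bytes:
    """Expose the data area after sanitizing with a chosen final-pass generator,
    so the last pass can be inspected with a deterministic rng."""
    d = ToyDisk()
    d.write_file("PAYROLL.DAT", CONSTRUCTED_RECORD)
    d.sanitize(rng=rng)
    return d.raw_dump()
```

`erase_leaves_data()` and `overwrite_is_partial()` show why a delete command, and even a later file written into the same space, is not sanitization; `sanitize_removes_data()` shows the shape of the ones/zeros/random procedure. A software model can only demonstrate the logical content of the surface; the analog remanence the checkerboard analogy describes is a property of the physical media, which is why the article recommends several passes rather than one.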
Additional effort might be desired when dealing with very sensitive data. Sanitizing is obviously an expensive and time-consuming process. Physical destruction of the media represents an attractive alternative -- simply feeding the floppy disk (or the checkerboard) into a paper shredder does very well. Unfortunately, physical destruction is not economically possible with expensive media which must be returned for service, or for resale in order to recover the cost of purchase.

Authentication

Authentication is the process by which the computer system verifies that a user is who the user claims to be, and vice versa. Systems of authentication are usually classified as being based on:

Something the user has. (keys)
Something the user knows. (passwords)
Something the user is. (fingerprints)

Passwords

A password is a secret word or phrase which should be known only to the user and the computer. When the user attempts to use the computer, he must first enter the password. The computer compares the typed password to the stored password and, if they match, allows the user access. Some computer systems allow management access to the list of stored passwords; doing so is generally regarded as an unsound practice. If a cracker gained access to such a list, every password on the computer system would have to be changed.

Other computers store passwords only after they have been processed by a non-invertible mathematical function. The user's typed password cannot be derived from the processed password, greatly limiting the damage resulting from the theft of the master password list. The password that the user types when attempting to log on is then transformed with the same mathematical function and the two processed passwords are compared for equality.

What makes a secure password?

Insecure passwords are passwords which are easy for people to guess.
Examples of these include passwords which are the same as usernames, common first or last names, passwords of four characters or less, and English words (all English words, even long ones like ``cinnamon''). A few years ago, the typical cracker would spend many hours at his keyboard trying password after password. Today, crackers have automated this search with personal computers. The cracker can program his computer to try every word in a large file. Typically, these files consist of thirty-thousand-word dictionaries, lists of first and last names and easy-to-remember keyboard patterns.

-------
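The two preceding sections together: storing passwords through a non-invertible function and comparing at login, and the automated dictionary search a cracker runs against a stolen copy of that processed list. This is an added example, not code from the article. PBKDF2-HMAC-SHA256 with a random salt stands in for the article's unnamed ``non-invertible mathematical function'' (the salt is an addition the article does not mention); the accounts, passwords and word lists are constructed for the demonstration, and the usernames are borrowed from the author's list earlier in the text.

```python
"""Processed password storage and a dictionary attack against it.  Added
example, not code from the original article.  PBKDF2-HMAC-SHA256 with a
random salt is assumed as the one-way function; accounts and word lists
below are constructed for the demonstration."""
import hashlib
import hmac
import os

ITERATIONS = 10_000


def process(password: str, salt: bytes) -> bytes:
    """One-way transform: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str) -> tuple:
    """What the system stores instead of the password itself: (salt, processed)."""
    salt = os.urandom(8)
    return salt, process(password, salt)


def verify(password: str, record: tuple) -> bool:
    """Login check: transform the typed password the same way, compare for equality.
    compare_digest avoids leaking where the two values first differ."""
    salt, stored = record
    return hmac.compare_digest(process(password, salt), stored)


# Constructed "stolen master list".  Each weak password is one class the
# article names; the last one appears in none of the word files below.
ACCOUNTS = {
    "simsong": "simsong",        # same as the username
    "slg": "cinnamon",           # an English word, even a long one
    "garfinkel": "qwerty",       # easy-to-remember keyboard pattern
    "ml1744": "Smith",           # a common last name
    "everhart": "7Tq!x2#Lm9vP",  # not derivable from any list
}

# Constructed stand-ins for the cracker's word files.
DICTIONARY = ["apple", "cinnamon", "lawyer", "modem", "security"]
NAMES = ["John", "Mary", "Smith", "Jones"]
KEYBOARD_PATTERNS = ["qwerty", "asdfgh", "123456", "zxcvbn"]


def candidates(username: str):
    """Guess order in the spirit of the article: the username itself first,
    then dictionary words, names and keyboard patterns."""
    yield username
    yield username.upper()
    yield from DICTIONARY
    yield from NAMES
    yield from KEYBOARD_PATTERNS


def dictionary_attack(stored: dict) -> dict:
    """Run every candidate through the same one-way function and compare
    against each stolen record; return {user: recovered_password}."""
    recovered = {}
    for user, record in stored.items():
        for guess in candidates(user):
            if verify(guess, record):
                recovered[user] = guess
                break
    return recovered


def run_demo() -> dict:
    """Enroll the constructed accounts, confirm a real login still works,
    then show what a stolen processed list gives up to a word-list search."""
    stored = {user: enroll(pw) for user, pw in ACCOUNTS.items()}
    assert verify("cinnamon", stored["slg"])          # legitimate login
    assert not verify("Cinnamon", stored["slg"])      # case matters
    return dictionary_attack(stored)


if __name__ == "__main__":
    for user, pw in run_demo().items():
        print(f"{user}: {pw}")
```

The processed list alone reveals nothing, which is the property the article credits to the non-invertible function; the attack recovers exactly the four passwords that fall into the weak classes the text enumerates and never reaches the fifth, because the cost of guessing it is the cost of trying a space no word file covers. Raising `ITERATIONS` is the knob that makes each guess more expensive for the cracker as well as for the legitimate login.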