The Lost Avenger And United Phreaker's Incorporated Proudly Presents

UPi Newsletter Volume #1, Issue #3

What Corporate Users Should Know About Data Network Security

Copyright 1991 - All Rights Reserved

This article was originally published in Telecommunications - North America Edition, May 1990. This article was republished without permission.

What Corporate Users Should Know About Data Network Security
By Stephen T. Irwin

As network security becomes more critical, new approaches to preventing unauthorized use are evolving. Which kind of system is right for your needs?

----------------------------------------------------------------------------

Sometime late one night last year, hackers repeatedly broke into the network of the National Aeronautics and Space Administration (NASA) (TLA: Fucking right!) and helped themselves to free telephone service from one of the nation's most technically sophisticated agencies. Whether the purloined long-distance charges totaled over $12 million (TLA: Hmm, I think that's a little too high of an estimate), as reported in the Houston Chronicle, or "only" $10,000 (TLA: Naa!, I don't think that is accurate either), as NASA estimates, cannot be determined. In an alarming admission of its inability to monitor access to the highly sensitive network, NASA says that it does not know exactly how much was illegally charged to the agency.

The break-in at NASA is just one in a series of many such incidents that have brought into sharp relief the problem of protecting computer networks against theft and damage by unauthorized users. A recent government report, "Computers at Risk," stated that the nation's "computer and communications systems are vulnerable to potentially catastrophic security breaches..."
Experts estimate that computer crime costs American business millions of dollars a year. In response to this threat, vendors have devised a variety of network access control devices designed to limit access to host computers. Available security systems fall into five major categories. They are:

o host resident-based security software (TLA: No big deal.....easy to get through)

o encryption devices that encode the data before transmission and decode it upon arrival at its destination (TLA: Ahh, ok this isn't too hard. There are ways to get by this but they are hard to come by)

o call-back systems that call back preprogrammed phone numbers (TLA: again no problem here to get by this security feature)

o handheld password generators (TLA: It's hard to say anything about this one as I don't have much information on this type of security)

o physical tokens or magnetic cards that are actually inserted into the remote computer or terminal and "read" (TLA: This sucks, you have to be right at the terminal or PC in order to access this. But kind of stupid too, since you can lose your key or card and then you're screwed)

These systems have advantages and disadvantages that must be weighed carefully by the telecom manager in light of the security needs of his or her company's computer system and the price/performance trade-offs of each solution. What follows is an examination of the leading security methods, analyzing their advantages, disadvantages, and cost-effectiveness.

Host Computer Security Software

Resident on the host computer, this method utilizes a password system that is relatively easy to use - which is simultaneously its biggest advantage and disadvantage. The user at the remote site must first enter the password into his or her computer, which then transmits it to the security software on the host. If incorrect, the password is rejected, and the remote user is blocked from further access. In theory, a password system is relatively secure.
In practice, it is a highly vulnerable approach. Passwords are generally widely available among the staff (in some cases, employees even tape the password to the side of their computer). It is a simple matter for outsiders (or former employees) to obtain a password from friends within the company and break into the system, resulting in theft of information or damage to data. Depending on the specific package utilized, host-based computer software can be expensive and time-consuming to install, and can tie up the system administrator's time.

If a password system is selected or already in use, it is important to change the password at least once a month - preferably once a week. Keep in mind, however, that passwords are child's play for computer criminals (TLA: Hehe, like me) - particularly if the password is an actual word rather than an arbitrary string of letters and numbers. Computer thieves use simple spelling checkers to randomly generate an almost infinite number of words until they finally break in.

(TLA: I have noticed for this type of security method that some accounts on a system have no passwords at all, which means that the system is open to hackers. There is also the possibility that you can get into the system using the system default passwords (if there are any). Also, I have noticed that some accounts use personal information for the passwords or a lame number/word combination too. For example 1234 or the account name as the password or the guy's real name for the password. So seriously that really puts this type of system method down the drain as far as being reliable and secure.)

Encryption

The encryption method generates an unreadable version of the data stream and is generally used when transmitting highly sensitive data, such as financial transfers between banks and other institutions. Most commercially available devices utilize the Data Encryption Standard (DES) algorithm to encrypt data.
Most banks, however, use a MAC system of encryption in which the information is transmitted in readable form. Included with that information is an encrypted message - based on the information transmitted - which will be incorrect if the information is changed or intercepted in any way. In other words, even if someone does break into the system and transforms a $1000 credit into $1 million, the interference will be detected.

Encryption systems are available as hardware, software, or a combination of the two. The encrypted information itself is highly secure: in order to crack the code, a data thief must have a great deal of time and access to some heavy computing power. Encryption methods in and of themselves, however, do not necessarily ensure that the information is being accessed by an authorized user. Nor can users who are authorized to access some information be barred from accessing other data, unless the system has the ability to exchange "session" keys. The identification of authorized users in an encryption system requires the use of additional methods (and expense), such as software resident on the host computer.

Encryption systems can also incur additional expense and administrative time as the needs of the system change. System administrators must initially set up the data access between the designated encryptors - not to mention the synchronization headaches that occur when the devices are moved from one site to another. This can be a major problem when the system is expanded to accommodate a larger number of units and telephone lines. Also, to ensure the highest level of security, encryption devices are usually physically transported to the host site, where the "encryption key" is installed into the nonvolatile memory of the encryptor (or modem/encryptor) via the data port or a dedicated security port.
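As an added illustration of the MAC approach just described (not code from the article or from any vendor it names): the transfer is sent in readable form together with a tag computed from it and a shared key, and a receiver who recomputes the tag detects the $1000-to-$1 million rewrite. HMAC-SHA256 stands in for the DES-based MACs of the period, and the key and transfer record are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in practice both bank endpoints would receive
# this key out of band (the article describes loading keys into the
# encryptor on site), never over the line being protected.
SHARED_KEY = b"placeholder-shared-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise the transfer deterministically so both ends tag the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_mac(record: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: tag the readable record; the record itself is not encrypted."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_mac(record, key), tag)


# Constructed sample transfer; the sequence number lets the receiver also
# reject a replayed (identical, correctly tagged) message.
transfer = {"from": "ACCT-001", "to": "ACCT-002", "amount_usd": 1000, "seq": 17}
tag = make_mac(transfer)

# The article's scenario: an interceptor rewrites $1000 into $1 million.
# Without the key no matching tag can be produced, so verification fails.
tampered = dict(transfer, amount_usd=1_000_000)

if __name__ == "__main__":
    print("original verifies:", verify_mac(transfer, tag))   # True
    print("tampered verifies:", verify_mac(tampered, tag))   # False
```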
It is possible to send the key to remote devices through the mail - which, of course, can be intercepted by a determined data thief. If the system manager wants to permit access to remote users for a specific time or application, a random one-time-only session key can be exchanged. (TLA: Hmm, this is kind of hard to get by as the key can be changed at any time, which makes hacking it hard to do.) A cryptographic fragment (based on the ANSI X-17 protocol) is generated, sent to the remote user's modem or encryptor device, used for the duration of the transmission, and then becomes invalid.

(TLA: Well as for this type of security I find that it's kind of hard to get by unless you have the right decryption code. Which for the Data Encryption Standard (DES) method is virtually impossible to get as there are hundreds of possibilities for the code. But then again nothing is impossible when you are a hacker.....hehe)

Call-Back

The highly publicized, sometimes spectacular computer break-ins of the 1980s fueled the development of the call-back system. Today, the majority of the network security devices on the market are call-back systems. They work in the following way: when the remote user dials in, the call-back unit intercepts the call. These units can be configured on either the analog or digital side of the host modem. The user then inputs a code or access number, which the call-back unit checks against its library of authorized users. The host computer then calls back the user at an authorized phone number; the user signals back and is allowed access to the computer.

A variety of call-back systems can be put into place. Some systems allow users to enter a variety of phone numbers so that they can access the host computer from several sites (a type of "roaming" call-back). Some systems support a secure call-in mode whereby the caller enters an access code and is then passed directly to the host computer.
Most systems incorporate a type of automatic disconnect after several unsuccessful attempts have been made at entry. Another feature of some call-back systems is a type of host port "deception" in which would-be illegal entrants cannot determine whether or not they have reached a modem. Some devices use voice synthesis requesting a code in order to "veil" the modem tone, and disconnect if the code is invalid. (TLA: Come on, a code?? That's the worst type of security method I have heard of. All you need to hack the code out is a program like Fuckin' Hacker or Code Thief. Geeze, how lame!)

A well-designed call-back system, such as Millidyne's Auditor system, should support what is known as modem-interchanged control (MI-MIC), which actually changes the modem's way of operating. This feature is advantageous because of the ability of a determined thief to piggyback onto phone calls in the instant when the remote user has hung up and the computer is calling back - an event known as "glare". Computer criminals with their "demon dialer" programs capable of automatically redialing a number will eventually seize on the return phone calls by the computer and gain access.

To be effective, MI-MIC must be supported by both the local and remote modems. The call-back device, when calling back the designated number, actually seizes control of the remote modem by activating its MI-MIC support leads. The host modem then acts as if it had initiated rather than answered the call. This serves two functions to foil would-be illegal entrants into the system. First, the modems assume reversed transmit and receive frequencies, so that even if the illegal user gets a return call from the host modem, his/her modem will not be able to exchange handshake protocols with the host modem. Second, because the remote modem does not answer by transmitting an answer-back tone, the illegal entrant will not be aware that there was another modem on the line.
Call-back systems offer many advantages for the system administrator. They are considered among the more secure systems on the market, and they are cheaper than using leased lines, which are generally not cost-effective for smaller companies. Most call-back systems have the ability to audit network activity and produce management reports, logging line activity, point-of-access origin, failed calls, network usage per user, etc. Productivity, as well as security, can be improved with these call-back system reports. Call-back systems are also less expensive than encryption devices, and are easier to maintain. According to some estimates, encryption can cost as much as 50 percent more than call-back devices.

Call-back systems, however, have some disadvantages. Telephone costs are high because the company assumes the cost when the system returns the call (and costs accelerate when data are transmitted for long stretches of time). However, many less expensive telecom options, such as WATS, or various MCI or Sprint services (TLA: How about AT&T?), can support call-back devices. And for employees calling the computer from a remote location, utilizing the company's WATS line or other discount telecom service is cheaper than billing the call to a credit card.

Call-back functions, however, cannot be supported if the call is intercepted by a hotel operator, office receptionist, or other human voice. (Call-back, however, can be accomplished if the PBX utilizes voice synthesis, allowing the call to be passed through after the extension is entered.) While many call-back systems can be configured to allow a password and direct pass-through option to be utilized for travelers, it is a less secure option. (This of course assumes that the hotel is equipped with an RJ-11 jack.)
(TLA: Well it might not cost as much to go through a service such as MCI or Sprint or a WATS line, but it is still going to cost quite a lot anyways if you have a lot of people logging on and then the system has to call you back. As for the direct passwords and normal passwords, they aren't that hard to get through. As I mentioned earlier in this article there might be stupid people who don't even use one. - See above for more information -)

Other Options

About the size of a pocket calculator, the portable password generator can be issued to authorized personnel when a call-back is either impossible or undesirable. Each handheld password generator has a unique encryption key tied to the user's personal identification number (PIN). In response to a challenge from the network access control device (after the user enters his/her PIN), the handheld device - which shares the same encryption algorithm as the access control device - generates a unique password that the user then enters into his PC or terminal. If correct, the user is passed through to the host computer. This system has the advantage of enhanced security over a password-only system, yet requires only one phone call with no call-back in order to be effective. This is a cost-effective, relatively inexpensive and secure network access system.

Finally, token devices are physical "keys" or magnetic cards that enable users to make one call to the host system. The caller accesses the host computer via a PC or terminal, and then, in order to obtain authentication, inserts a magnetic card or key into a reader or lock on the PC or terminal when asked to do so by the host computer. If correct, the caller is passed directly to the computer. The token system's disadvantage is that if a card or token is lost or stolen, a data thief can easily access the network. To maintain security, lost tokens must be reported to the system administrator quickly so they can be immediately disabled.
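An added sketch of the challenge-response exchange the handheld password generator performs (not code from the article or from any vendor product): the access control unit issues a random challenge, the token turns it into a short one-time password using a key derived from the user's PIN and a per-device secret, and a consumed challenge cannot be replayed. The device secret, PIN and user name are constructed placeholders; HMAC-SHA256 and PBKDF2 stand in for the algorithm the article leaves unspecified.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the secret burned into one handheld at issue time.
DEVICE_SECRET = b"placeholder-token-0042-secret"


def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Key tied to the user's PIN: a wrong PIN silently yields a different key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 10_000)


def token_response(key: bytes, challenge: str) -> str:
    """Handheld side: reduce an HMAC of the challenge to 8 digits the user can type."""
    tag = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10**8:08d}"


class AccessControlUnit:
    """Host side: holds each user's derived key, never the PIN or device secret."""

    def __init__(self, keys: dict):
        self._keys = keys        # user -> key registered when the token was issued
        self._pending = {}       # user -> outstanding challenge, if any

    def challenge(self, user: str) -> str:
        """Issue a fresh random challenge; only one may be outstanding per user."""
        c = secrets.token_hex(8)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        """Consume the outstanding challenge so a captured response cannot be replayed."""
        c = self._pending.pop(user, None)
        key = self._keys.get(user)
        if c is None or key is None:
            return False
        return hmac.compare_digest(token_response(key, c), response)


if __name__ == "__main__":
    # Enrolment: the unit stores the key for user "alice" with PIN "4927".
    unit = AccessControlUnit({"alice": derive_key(DEVICE_SECRET, "4927")})
    c = unit.challenge("alice")
    otp = token_response(derive_key(DEVICE_SECRET, "4927"), c)  # what alice types
    print("correct PIN, fresh challenge:", unit.verify("alice", otp))   # True
    print("replayed response:", unit.verify("alice", otp))              # False
```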
QSD Mailbox (NUA: 208057040540)

UPi Member Listing

Founder/President: The Lost Avenger (416)
Vice President: Scarlet Spirit (416)
Couriers: The Serious One (819)
Programmers: Logic Master (514)
Writers: Dantesque (416), Master Of Gold (Argentina)

Node Listing
-------------------------------------------------------------------------------
Node     BBS Name                 Area Code  Baud Rate  Megs  BBS Program  Sysop
-------------------------------------------------------------------------------
WHQ      The Violent Underground  416        2400       85    PC Board     The Lost Avenger
Node #1  The Shining Realm        416        2400       95    Telegard     Scarlet Spirit
-------------------------------------------------------------------------------