sponsored by
OSdata.com: security 

OSdata.com

Security

Google


OSdata.com is used in more than 300 colleges and universities around the world

Find out how to get similar high web traffic and search engine placement.

general notes on security

    The fact of the matter is that you are ultimately responsible for your own security. Even if a perfectly secure operating system was created, human error (or purposeful human malice) can make it unsecure.

    More importantly, there is no such thing as a completely secure system. No matter how secure the experts might think a particular system is, there is someone out there who is clever enough to circumvent the security. If they can’t find a way to hack your system, they can always try bribing disgruntled employees.

    There are two basic kinds of attacks:

  1. direct This is any direct attack on your specific systems, whether from outside hackers or from disgruntled insiders.
  2. indirect This is general random attacks, most commonly computer viruses, computer worms, or computer Trojan horses.

    In the security game, the key question is “how important is the system or the data?”, both to you and to those who might want to break in. Your goal is to make it more expensive to break in than the value of the data. And to provide adequate back ups so that if there is a break-in, you can restore damaged data.

    It is possible to be too secure. Security always extracts a price, typically making it more difficult to use your systems for their intended purposes. Having to continually type in continually changing and complex passwords for every computer operation, or use retina and fingerprint and voice scans, along with confirmations is likely to bring any useful work to a grinding halt. If the consequences are great enough (such as the computer systems that control launch of nuclear weapons), then you might have to accept extreme security measures.

    On the other hand, if you have no security at all, you are just asking for some bored teenage kid (not to pick on teenagers) with a computer to break into your system and create all kinds of havoc. You don’t want to be an easy target.

    “Microsoft Corp., Sun Microsystems Inc., and other operating system vendors have perennially come under attack for rushing new versions of their server operating systems to market that are fraught with security holes. While it’s easy to attack the vendors, experts say users share some of the responsibility.
    “In the vendor’s defense, no piece of software can be 100 percent secure until it has been tested and used n the real world by administrators and hackers alike. So inevitably, unforeseen security holes eventually will be uncovered.” —Joe Paone, MicroTimes; Oct 8, 2001m6 See also: system patches.

need for security

    So, why do you need security? There are several reasons:

    to prevent loss of data: You don’t want someone hacking into your system and destroying the work done by your employees (and remember, the hacking doesn’t have to be direct, it can be a computer virus, worm, or Trojan horse sent out against random targets). Even if you have good back-ups, you still have to identify that the data has been damaged (which can occur at a critical moment when an employee has an immediate need for the damaged data), and then restore the data as best you can from your backup systems. Downtime to fix damage costs you money. A lesser example of this category is when the data isn’t completely lost, but just partially corrupted.

    to prevent corruption of data: A lesser example of loss of data is when the data isn’t completely lost, but just partially corrupted. This can be harder to discover, because unlike complete destruction, there is still data. If the data seems reasonable, you could go a long time before catching the problem, and cascade failure (where failure in one system taakes down an adjoining system, which in turn takes down another adjoining system) could result in serious problems spreading far and wide through your systems before discovery. Tracking down the initial problem could take substantial effort, delaying your ability to restore your systems from backups (and complicating the back-up, because some parts will be bad before other parts are).

    to prevent compromise of data: Sometimes it can be just as bad (or even worse) to have data revealed than to have data destroyed. Imagine the consequences of key trade secrets, corporate plans, financial data, etc. ending up in the hands of your competitors. Or imagine sensitive personal data (such as pay records or other employee records) becoming public.

    to prevent theft of data: Some kinds of data are subject to theft. An obvious example is the list of credit card numbers belonging to your customers. Just about anything associated with money can be stolen.

    to prevent sabotage: A disgruntled employee, an unscrupulous competitor, or even a stranger with a mean streak could use any combination of the above activities to maliciously harm your business. Because of the thought and intent, this is the most dangerous kind of attack, the kind that has the potential for the greatest harm to your business.

kinds of security

    There are three kinds of security: physical security, computer security, and data security.

    physical security: Physical (building) security is limiting access to the equipment, especially points of data entry and data retrieval.

    computer security: Computer (machine) security is the safeguarding of the physical devices themselves.

    data security: Data security is preserving the integrity of your data. Data security is the most important of the three — you can deal with breaches of the system by unauthorized personnel, you can buy new equipment, but loss or compromise of your data could put you out of business.

physical security

Checklist of physical security measures:

lack of government support

    You can’t expect the government to defend your systems. And you are unlikely to receive government assistance in tracking down those who attack your systems. If you successfully trace the attackers and put together conclusive evidence showing exactly what was done, you might be able to get the government to prosecute the attacker (after the damage has been done).

    “The grim reality is that the Justice Department is unable to investigate most hacking cases. As a result, hacking targets generally have to take matters into their own hands, and cybercriminals break into Web sites with little fear of retribution.” —Martha Mendoza, The Associated Pressn1

    “High-tech businesses know they can’t count on the Justice Department to handle their complaints. They know they must take care of their own security.” —John Palafoutas, a senior vice president if the American Electronics Associationn1

    “Hacking and even terrorist threats have become routine at Oracle Corp., the leading developer of database software based in Redwood Shores, California. But the company doesn’t go to the government for help. Oracle investigates threats itself with the help of private consultants.” —Martha Mendoza, The Associated Pressn1

    “Cybercriminals demand that we give them a certain amount of money or they will hack into our system. Last month it was from the Sudan. We’ve notified the FBI of a couple of threats, but we didn’t expect them to take any action. It seems so unlikely that they’d be able to do something.” —Bill Maimone, Oracle’s vice president of server technologiesn1

    “Federal law-enforcement agencies receive thousands of hacking complaints, ranging from computer systems that were penetrated but not damaged, to the public posting og credit card numbers stolen from CD Universe. Of the 3,700 complaints in 1998 — the most recent year for which statistics were compiled — 547 were investigated by the FBI as computer-intrusion cases, resulting in 85 prosecutions against 116 defendants. Fifty-six people were convicted for committing federal computer crimes, according to the Justice Department” —Martha Mendoza, The Associated Pressn1

    The government blames their lack of response on Congress’s refusal to pass numerous highly intrusive laws proposed by the Clinton administration. Many of these laws were defeated because of howls of complaints from both business (for being intrusive and expensive) and civil rights advocates (for being intrusive and hurting privacy).

    “We’re only able to respond to a limited number of the complaints we receive because we’re starved for resources.” —U.S. Associate Deputy Attorney General John Bentivoglion1

    “I am proud of the people at the Department of Justice who have done so much with such limited resources.” —U.S. Attorney General Janet Reno (at a “cybercrime summit” at Stanford University, April 5, 2000)n1

“under the radar”

    Many individuals and small businesses assume that they are too small a target for hackers and their entire “security” depends on the hope that they will fall “under the radar” of hackers.

    “Small businesses, in particular, should pay close attention to server security, since data and applications are more centralized than in larger organizations.
    “ ‘A lot of smaller companies have this idea that ‘I’m too small; who cares about us?; who’d want to break in to our servers?’ says Lynn Bernstein, president of ECG Consulting Inc., in Montclair, NJ. ‘But the script kiddies don’t care.’ Even bantamweight businesses are subject to data break-ins.” —Joe Paone, MicroTimes; Oct 8, 2001m6

    Unprotected home and small business computers are particularly sought after targets by hackers who want to turn the computers into “zombies” for a coordinated attack on a large system. Many of the recent Windows and Outlook virii have been designed to spread to home computers that lack professional security workers. The virii take over the computer’s internet connection and report back to the hacker for instructions. Thousands of personal computers can then be coordinated together for denial of service and other attacks on large businesses, government, or other targets.

poor administration

    The leading cause of security breaches is poor administration of the server ’ (or network of computers), laxness in security that leaves the system vulnerable to attack. You are ultimately responsible for your own security.

    “Any idiot can configure any server—UNIX or NT—so that its built-in security is compromised.”—Ed Bott of ZDNetw61

    “Elias Levy, chief technical officer of SecurityFocus.com, a provider of security information services for business based in San Mateo, CA, notes that misconfiguration of operating systems is a major reason why server systems get broken into. Because of this, a company with a low level of technical expertise should consider hiring a consultant to set up its key servers.” —Joe Paone, MicroTimes; Oct 8, 2001m6 See also: default settings.

internet security

    “For years we’ve heard about the security risks faced by businesses connected to the Internet. We’ve heard that a company should install a firewall between its internal network and the Internet; that it should run antivirus software at various points on the network; that it should use private IP addresses for the systems inside the company instead of public IP addresses. For remote access, virtual private networking (VPN) technology such as IPsec should be used.
    “In the midst of all these prominent recommendations, one aspect of network security remains more obscure and misunderstood than it probably should: server security.
    “Ultimately, the most important aspect of a network security strategy is the impenetrability of its servers to the outside world. All those firewalls, passwords, and antivirus programs are there to protect against the theft, corruption, or destruction of sensitive data and applications, most of which reside on key application, database, and Web servers.
    “For the most part, however, server security is difficult to “productize” compared with firewalls and antivirus programs, for example. Although there are software products that secure or harden specific operating systems or server applciations, there is no server-security product that applies across the board. As a result, the need for server security is not a frequently marketed message, so it often slips through the cracks in terms of user consciousness, particularly at small businesses.
    “ ‘Server security really gets lost in the shuffle, and it’s unfortunate when it does,’ says Lynn Bernstein, president of ECG Consulting Inc., in Montclair, NJ. ‘Most people don’t have a clue about it.’ ” —Joe Paone, MicroTimes; Oct 8, 2001m6

    “Protecting the site is essential too; hackers can deface or hold a site hostage, and computer viruses can ricochet through millions of machines in a matter of hours.” —Fortune Technology Guidem3

    OpenBSD’s primary focus is on correctness and security.” —“Microsoft Windows NT Server 4.0 versus UNIX”w51

    “Server security is just one aspect of an effective overall security strategy. ‘The more defenses you have up, the better,’ says Clint Kreitner, president and CEO of the Center for Internet Security (CIS), a Bethesda, MD-based nonprofit organization that assists companies with network security issues. ‘That’s the nature of security.’ Kreitner says firewalls, operating systems, and applications need to be properly secured, and organizations need to limit access points to the Internet.
    “Kreitner says, ’You want to design your network so there are as few connections to the Internet as possible. The more perimeters, and the more defenses you establish, the better. I refer to this as “defensive depth”. The whole idea is to have as many defenses as possible to protect against hackers.’
    “ ‘Security is relative, and perfection is unattainable,’ Kreitner says. Businesses of all types, however, should strive for as much perfection as they can reasonably get.” —Joe Paone, MicroTimes; Oct 8, 2001m6

    “This is the latest version of security update, the known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005.
    “Description of several well-know vulnerabilities:
    “ ‘Incorrect MIME Header Can Cause IE to Execute E-mail Attachment’ vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
    “A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
    “A new variant of the ‘Frame Domain Verification’ vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site’s domain and the other on your local file system, and to pass information from your computer to the Web site.
    “CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files — such as JPG or WAV files — that do not need to be blocked.” —Microsoft Corporation Security Center, “Internet Security Update”, March 12, 2002e130

anti-virus

    “As Windows users are being plagued by computer viruses, spam, buggy software, and Web pop-up ads, some are questioning why the Redmond, Wash.-based software behemoth has failed to integrate security and repair features that could make computers less prone to problems.
    “ ‘Microsoft has added lots of bells and whistles to Windows to protect their operating system franchise over the years, but when it comes to Windows security and reliability, they’ve done comparitively little until recently,’ said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based computer security and training organization.
    “ ‘It’s like they are selling faster cars with more powerful engines but leaving off the seat belts and air bags — all those critical things that make customers safe when using their products,’ he added.
    “Microsoft’s critics say the reason the company isn’t eager to add security features is simple: Doing so wouldn’t help it fend off competitors whose products could undermine the spread of Windows.
    “ ‘You would think there would be money to be made in Microsoft having some kind of more effective antiviral program of their own,’ said Andrew Gavil, an antitrust expert and law professor at Howard University. ‘But virus programs don’t present any threat to their operating system monopoly.’ ” —Los Angeles Times, “Microsoft Runs Into Bundling Dilemma”, March 27, 2004n4

    Microsoft falsely claimed that it would make security a company-wide priority in its much publicized 2002 “trustworthy computing initiaitve”. Since then, Microsoft Windows (all versions) has become even more vulnerable to viruses and other internet attacks. Security is a purposely false and misleading marketing slogan at Microsoft.

    “Ironically, some experts say, product bundling is partly to blame for Windows’ security woes.
    “Lee A. Hollaar, a computer science professor at University of Utah, said the widespread proliferation of the Melissa computer virus stemmed from the tight integration of Microsoft’s Outlook e-mail program with its writing application, Word.
    “ ‘The Melissa virus exists only because Microsoft expanded Word documents to contain functions that let it access the Outlook address book’, Hollaar said.
    “Similarly, he explained, when the Internet Explorer Web browser was folded into the operating system, it exposed Windows to greater security risks from the Net.’ ” —Los Angeles Times, “Microsoft Runs Into Bundling Dilemma”, March 27, 2004n4

UNIX vs. Windows security

Microsoft has 26% of the Web server software market share 60% of defaced Web sites run Microsoft Web server software
Market share as of January 2002 Defacements = about 30,000 between April 2000 and February 2002
Microsoft software runs about a quarter of Web servers, but is the target of the majority of successful Web defacement attacks. —Los Angeles Times, February 13, 2002n3

    Microsoft has been running a series of television commercials claiming that Windows 2000 is secure and immune from hacker and virus attacks. Windows 2000 is in fact still less secure than the least secure version of UNIX (even the free ones), and the Windows family of operating systems (including Windows 2000) is subject to the greatest number of viruses of any operating system family (more than 10,000 as many viruses as the UNIX family of operating systems). Windows 2000 is so filled with security holes that it is the only operating system ever to be the subject of an FBI security warning.

    “Any general purpose operating system is likely to be well-known and well-studied by the hacking community, but certain server OSes attract more attention than others.
    “Lynn Bernstein, president of ECG Consulting Inc., in Montclair, NJ, says hackers often target Microsoft operating systems because there is a degree of notoriety associated with hacking Microsoft software, and also because security holes in Microsoft operating systems are so widely known. Even a novice can attempt to hack them.
    “Bernstein recalls challenging one of her students to break into one of the Windows NT servers. ‘He knew nothing about NT,’ Bernstein says. ‘Ten minutes later he comes back and says he left a message in the server log.’
    “Older operating systems, some of which largely predated the mass exodus of businesses to the Internet, such as Windows 3.x, are highly vulnerable, she says.” —Joe Paone, MicroTimes; Oct 8, 2001m6

     UNIX is a mature, technically superior group of operating systems with a proven track record for performance, reliability, and security in a server environment. The almost thirty years of continual development, performed often by volunteers who believe in what they’re doing, has produced a group of operating systems—and extremely powerful multiprocessor server hardware tailor-made to its needs, whose performance is still unparalleled by Intel hardware—that not only meets the demands of today’s computing needs, but in many cases exceeds them.
    “Why Windows NT Server 4.0 continues to exist in the enterprise would be a topic appropriate for an investigative report in the field of psychology or marketing, not an article on information technology. Technically, Windows NT Server 4.0 is no match for any UNIX operating system, not even the non-commercial BSDs or Linux.”—John Kirschw22

     “What can you expect from Windows NT Server out of the box and from UNIX out of the box? … NT can secure sensitive data and keep unauthorized users off the network. So can UNIX. Essentially, both operating systems meet the minimum requirements for operating systems functioning in a networked environment. Put briefly, UNIX can do anything that NT can do and more.”—John Kirschw22

     John Kirch: “Since Microsoft sees NT as a viable alternative to all other network-capable operating systems on the market, UNIX and Novell included, one would assume that NT would come with all the tools necessary to accomplish the most basic tasks required: file and printer services. Any systems/network administrator knows from experience that there are two important issues to be considered when setting up a file server or adding a new network user: security, i.e. passwords and file permissions; and quotas for limiting disk usage of any new or existing users or groups. Although NT provides basic password security, it only provides file-level security if you choose to use its proprietary filesystem called NTFS. Some MIS departments are reluctant to implement this file system (at least on users’ machines), because they feel that recovering from disk problems is hindered by the use of NTFS.”w22 —See John Kirch’s article “Microsoft Windows NT Server 4.0 versus UNIX” at http://www.unix-vs-nt.org/, June 4, 1998, web page, for more information on NTFS flaws.

     “Meanwhile, Windows NT already loses on many more competitive issues. Linux, FreeBSD, and other forms of Unix can be configured as a firewall right out of the box. Windows NT cannot. Free Unix operating systems have built-in features like IP masquerading. Windows NT doesn’t even do basic IP filtering without additional software.” —Nicholas Petreley, “The new Unix alters NT’s orbit”, NC Worldw74

Microsoft Security Bugs

     Notable Microsoft security incidents.n3

  • Dec. 20, 2001: Windows XP operating system shown to have flaws that could allow hackers to take control of a user’s PC over the Internet.
  • Nov. 13, 2001: Flaws revealed in Microsoft’s Internet Explorer Web browser that could allow hackers to break into cookies—the electronic files that contain personal Web surfing data and account information for e-commerce.
  • Sept. 18, 2001: “Nimda,” a malicious software “worm,” begins its infection of more than 1.3 million PCs and Web servers using MS Products.
  • July 19 and July 31, 2001: Two strains of the “Code Red” worm infect and temporarily shut down hundreds of thousands of Web servers that use Microsoft software.
  • July 15, 2001: The “Sircam” virus spreads via a security flaw in Microsoft’s Outlook e-mail product, infecting millions of PCs.
  • May 3, 2000: “Love Bug,” the worst virus ever, spreads via Microsoft Outlook, infecting millions of PCs.
  •      “Trustworthy computing is more important than any other part of our work … the highest priority” Microsoft Corp. Chairman Bill Gates wrote in a memo to Microsoft employees Jan. 15, [2002].
        The details of Gates’ strategy have been scant, but the company took a step forward Jan 31 [2002] with the hiring of former Department of Justice computer-crime head Scott Charney as chief security strategist.
        Charney, 46, is a cybersecurity specialist at the accounting firm PricewaterhouseCoopers, where he oversees anti-hacking systems and conducts cyber-crime investigations. He starts at Microsoft on April 1 [2002].
        Security experts say that to succeed, Charney must fundamentally change the company’s design process, which is widely viewed as sloppy and error-prone. In scors of cases, the company has added features to a product, waited for users to encounter inevitable security holes, issued a software “patch” for the worst problems, and ignored the others.
        “The only way to change the culture is to put a barking dog at the head … who can instill fear,” said Fred Hickey, editor of the High-Tech Strategist, a financial newsletter.
        But as the outlines of Gates’ “trustworthy computing” initiative take shape, industry experts are skeptical about whether Microsoft is prepared for the depth of change it implies.
        Charney will split his time between Washington, D.C., and Microsoft’s Redmond, Wash., headquarters. That arrangement, combined with his lack of engineering experience, suggests to some analysts that his focus will be tracking down hackers and lobbying lawmakers, instead of dealing with software design problems inside the company.
        Charney may have been selected “because Microsoft needs good PR,” said John Pescatore, a security analyst with Gartner Inc.
        “Microsoft is in a unique position to shape the future of information technology and to help drive security as a critical component of our information infrastructure,” Charney said. [Charney did not mention that security had been a high priority at every company that makes operating systems except for Microsoft, in some cases for several decades.]
        He faces a daunting challenge. Microsoft’s products have been a prime target of hackers.
        In December, a problem in the company’s flagship Windows XP operating system—falesly marketed as the safest ever—allowed hackers to take control of a user’s PC over the Internet. The problem was so dangerous that it triggered an FBI alert.
        Bugnet, an online publication that tracks software flaws, has reported 287 security-related problems in Microsoft products since January 200, or about one every 2-1/2 days.
        “Using the Web has become an increasingly unpleasant experience because of the security and privacy problems,” said Doug Tygar, a professor of computer science at UC Berkeley. “Making the Internet a safe place is going to be absolutely key to its continued success.”
        Experts are waiting to see whether Microsoft will change what they view as a flawed product development culture.
        “Look at the stars at Microsoft,” Gartner’s Pescatore said. “They’re not the ones who said let’s ship late, with fewer features, to make sure the product is secure.”
        Tygar and other security experts say that Microsoft should look at the tight integration between the Windows operating system and applications such as word processing and e-mail. Such links increase user producivity, but often open security holes.
        Microsoft has generally tried to shield users from the hassle of endless software settings by automating security functions.
        Charney subscribes to that basic approach. “You can make a system so secure that it’s not useful,” he said.
        Ironically, experience suggests that hiding complexity with too much zeal can run contrary to secure operations. For example, Microsoft boasts that its server software, designed to manage Web sites and networks of computers, is easier than competing products to set up and operate. That may encourage complacency among users, analysts say. [Note that Mac OS X is easier to set up and maintain than Windows XP, and NetWare, AIX, Tru-64 UNIX, Solaris, and HP-UX are almost as easy, and all are significantly more secure than Windows XP.]
        “You get an awful lot of Microsoft servers set up with simple default settings or security patches not installed, because the people who run those servers, on average, are less skilled,” said Jeffrey Tarter, editor of Soft-Letter, an industry newsletter.
        Vulnerabilities involving Microsoft server software accounted for more than 85% of 129,000 hacking episodes at 300 companies in the last half of 2001, according to Riptech Inc., an Alexandria, Va., computer security firm.
        “A lot of people want security to be an event, like [responding to] a fire,” Charney said. Instead, it requires continual vigilance and reevaluation of how products are designed, he said.
        Experts view that approach as enlightened. But they say that Microsoft should also tie pay raises and promotions to strong security. Craig Mundie, one of Microsoft’s two chief technical officers, said that the company plans no fundamental shift in incentives.—Los Angeles Times, February 13, 2002n3

    Windows C2 certification

         Microsoft proudly proclaimed that Windows NT received a C2 rating from the National Security Agency (NSA), falsely implying that their operating system is as secure as the best UNIXes. What Microsoft doesn’t mention is that they received the lower security “Orange Book” C2 rating, rather than the highly secure “Red Book” C2 rating. Further Microsoft was unable to get Windows NT 4.0 modified enough to meet the lower Orange Book C2 rating, instead submitting a specially modified version of Windows NT 3.5. And, the modified version of Windows NT 3.5 (not available for sale to the public because Microsoft had to remove a great deal of functionality to make it secure) only qualified under the conditions that it not be physically connected to any network. There are also rumors that the NSA relaxed their lower “Orange Book” standards for Microsoft because of political pressure.w63

    OpenVMS security

         “You will find few operating systems comparing their security features with OpenVMS.” —John Malmberge85

         “A special SEVMS version [of OpenVMS] is available that provides even more security than the standard product.” —John Malmberge85

    denial of service attacks

         OpenVMS systems are generally immune to denial of service attacks also. These typically are the result of attackers sending network packets that are larger than what is generally used in the protocol. The LINUX documentation notes that they have made much progress in fixing the problem in LINUX.” —John Malmberge85

    password attacks

        “One obvious but often neglected aspect of server security is password security. Users throughout an organization hold the keys to many important servers and applications, usually in the form of a user ID and password that they use to log on to those servers and applications.
        “If users don’t know about the importance of protecting their passwords, or if they are lax about keeping them secure, all the firewalls in the world can’t stop a hacker who obtains them.
        “ ‘I’ve been in offices, meeting with clients, and their passwords were out in the open,’ says Lynn Bernstein, president of ECG Consulting Inc., in Montclair, NJ. ‘I’m an ethical person, but not everybody is. How long does it take for someone to find the number to dial into the company’s network and use these?
        “ ‘End users who log on to the servers cannot be irresponsible with their user IDs and passwords at their workstations. I’ve heard stories where people call an end user and say, ‘I’m an administrator, and I need to access the server. Can I have the user ID and password?’ Also, users shouldn’t leave passwords on Post-It notes, .txt files, and so on.’ ” —Joe Paone, MicroTimes; Oct 8, 2001m6

         “One must note that the only known cases of an OpenVMS system being broken into have been from users using weak passwords, and not from any of the known methods that have required patches to the UNIX compatible and WINDOWS-NT operating systems.” —John Malmberge85 See also: system patches.

         OpenVMS provides superior password protection methods to either Windows NT or UNIX compatible OSs.” —John Malmberge85

        OpenVMS does not provide a minimum password lifetime, so that a user that knows that their password could be compromised can change it with out involving the system administration group.” —John Malmberge85

        “The reason for the minimum password lifetime is to prevent the users from changing their password as required by a local system policy, and then immediately changing it back, therefore compromising system security.” —John Malmberge85

        “The minimum password lifetime is bad, because it gives a window of vulnerability that the user’s password may be compromised, and in order to fix things, the user must notify the system management of the security breach. That is something that many users do not want to do because it would involve confessing to causing the breach.” —John Malmberge85

        OpenVMS deals with that problem by maintaining a password history list. The user can change their password as many times as they want, but a password can not be re-used for the system defined policy, at least one year.” —John Malmberge85

        OpenVMS also provides for system specific security policies to be implemented.” —John Malmberge85

        OpenVMS provides for passwords to be listed as illegal for the site.” —John Malmberge85

        OpenVMS also will track and lock out system break in attempts. This means that brute force attack methods to try to break into a VMS system will fail, even if the attacker does guess the correct password.” —John Malmberge85

    security logs

         “Error reporting, operator, and security logs in OpenVMS allow easy tracking of critical system events.” —John Malmberge85

    spoofing

        OpenVMS also allows the creation of network proxies that are not easily spoofed, and do not require the passing of passwords to allow file transfers. Since this is built into the Operating System, on OpenVMS you do not need to run a different program when accessing a file from a remote system than you do from a local system.” —John Malmberge85

         OpenVMS systems can not be spoofed into giving out your login credentials to a unknown system, as can be done with any Microsoft Windows based network.” —John Malmberge85

    SMB and firewalls

         Server Message Block (SMB) is a computer protocol that allows computers to connect together locally. “Most home and computer networks with computers using Windows rely on SMB.”n2

        “If you are using the file or printer-sharing features in Windows, then you are using SMB.” —Noury Bernard-Hasan, a PC group product manager for Microsoft Corp.n2

    [NOTE:] The Scour search engine stopped using the method described, but others, including hackers, can continue to use this method.

        The Scour search engine (www.scour.com), in addition to searching for multimedia files in public places such as web servers and FTP sites, also searches for any SMB connections, and then reports the locations of any multimedia files it finds. Unlike Napster, where users specifically request to be searched and can designate which folders are public and which folders are private, Scour searches through the entire hard drives of those with SMB connections without asking permission or giving any notice.n2 [NOTE: The Scour search engine stopped using this method the day after the article about it appeared on the front page of the Los Angeles Times, but others, including hackers, can use this method.]

        “Scour officials say no one has filed a complaint with them about the searching practice. If anyone did, he or she would be directed to a page on Scour’s Web site where a person’s computer can be removed from the company’s service.”n2

        “But security and technology experts were flabergasted by Scour’s rationale. Searching via the SMB protocol crosses the line between what is truely public and what may have become public by accident, they say. Consumers aren’t complaining because they aren’t aware of the practice.”n2

        “If I’m a malicious hacker, they’ve identified machines that I can break into. What’s to stop me from looking for .doc files? They’re posting the addresses of all these houses that have their doors unlocked.” —Mike Carlton, a software architect at Nomadix Inc., a Westlake Village, Calif., company that specializes in broadband technologies.n2

        Like traditional search engines such as AltaVista, Scour’s engine uses robotic software agents, known as “bots” or “spiders,” to crawl about computer networks and scoop up information.n2

        These bots freely traverse according to the accepted principal that any Web page, or download site that does not require a password, is a public forum and that the material may be viewed by anyone.n2

        AltaVista, one of the Net’s oldest search companies, lets people look for either text or digital music files. Like Scour, AltaVista’s bots search Web pages and certain download sites, which are public electronic storage spots where people house data that can be downloaded.n2

        “We try to focus on stuff where there seems to be a clear intent to publish or share information. That’s why we focused on the Web and FTP [sites], where people [obviously] are saying they want to share their stuff and tell others.” —Nick Whyte, technical director for AltaVista’s multimedia search groupn2

        Scour’s founders looked further. They also send bots to scan for multimedia files stored on any machine that uses a computer protocol called Server Message Block, or SMB.n2

        As the Internet’s popularity grew, the number of people opening their PCs to strangers on the Net—either naively or deliberately—grew as well. That trend inadvertently allowed Scour’s bots to cross a blurry line that keeps PCs—even ones connected to the Net—firmly in the private world. Because there are dozens of ways to network machines together, it is easy for consumers to forget about their own digital security.n2

        Computer managers at businesses have long relied on software programs known as firewalls to saafeguard their corporate networks from intruders. Until recently, however, there has been little demand from consumers for similar programs, largely because few perceived their computers as vulnerable and because firewall programs can be complicated to install and maintain.n2

        “Unless you put up some sort of security — like paswords on shared files or printers, or like a firewall — you’re advertising to other people what you have [on your PC]. The file-sharing feature [for Windows], in its default position, is turned off.” —Noury Bernard-Hasan, a PC group product manager for Microsoft Corp.n2

        “To say that all people are giving their permission to Scour to do this is wrong. The average lug can’t configure a VCR, let alone a secure Internet connection.” —Bruce Forest, director of new-media projects for Viant Inc., an Internet services companyn2

        “It may may unfamiliar technology to users, but it’s certainly legal and not uncommon to search publicly available content. You are responsible for your own computer. We’re not damaging [anyone’s] computer.” —Dan Rodrigues, co-founder of Scour Inc., a Beverly Hills, Calif, company funded by Michael Ovitz, a Hollywood “super agent”.n2

        “Company officials insist they’re only looking for harmless material that they say consumers have given them tacit approval to scan. They note that the company doesn’t search for sensitive material such as finacnial documents, although they acknowledge that the software could do just that.”n2

        “I had never heard of them and never downloaded anything of theirs. I expect hackers to try something like that, but not a legitimate company.” —Daniel Huggard, a graduate student at UC Irvine who discovered that Scour’s bot failed in an attempt to break through his firewall software.n2

        “Scour’s little-known searching technique illustrates the ongoing problems with personal privacy issues in cyberspace. In an age of file-sharing and Napster, where computers and information are all connected, these issues are not going to go away.” —Stuart Biegel, a professor of Internet law at UCLAn2

        Related web page: ftp://ftp.eng.auburn.edu/pub/doug/ “bootp-DH2.x” free, patched CMU BOOTP-DD2.4.x server from Doug Hughes of auburn.edu. Supports DHCP, even for Win95 clients. Adds the patches from the Samba mailing list to support PCNFS and Win95 simultaneously. For SunOS 4.x, Solaris 2.x, Linux, and NetBSD servers.


    geek humor

        “Treat your password like your toothbrush. Don’t let anybody else use it — and get a new one every six months.” —Cliff Stoll

        “Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” —Gene Spafford

        The Code Red worm is known to operate only from the 1st to 20th of each month, after which it launches a (so far broken) attack on US government computers. What this means for most of us is that it only plays havoc with our bandwidth for 20 days a month. Or, as a sysadmin at work remarked to me, “It’s that time of month”. The Internet now has a time of month. The Internet is female. And, as her “time of month” lasts 20 days out of every 30, she’s a real bitch. —anonymous contribution


    OSdata.com is used in more than 300 colleges and universities around the world

    Read details here.


        A web site on dozens of operating systems simply can’t be maintained by one person. This is a cooperative effort. If you spot an error in fact, grammar, syntax, or spelling, or a broken link, or have additional information, commentary, or constructive criticism, please e-mail Milo. If you have any extra copies of docs, manuals, or other materials that can assist in accuracy and completeness, please send them to Milo, PO Box 1361, Tustin, CA, USA, 92781.

        Click here for our privacy policy.


    previous page next page
    previous page next page

    home page

    one level up

    holistic issues

    peer level


    Made with Macintosh

        This web site handcrafted on Macintosh computers using Tom Bender’s Tex-Edit Plus and served using FreeBSD .

    Viewable With Any Browser


        Names and logos of various OSs are trademarks of their respective owners.

        Copyright © 1998, 1999, 2000, 2001, 2002, 2004, 2005 Milo

        Last Updated: May 9, 2005

        Created: June 21, 1998

    previous page next page
    previous page next page