Network Information Access
12SEP90
Guardian Of Time
File 52

Founded By: Guardian Of Time, Judge Dredd

System Security Part 02
Security For The User

Introduction:

Welcome to NIA's System Security Series Part 02.  In this particular file I will
be attempting to describe to you security as it relates to the user, and from the
vantage point of the system operator.

$_Dialups

User security begins when you FIRST log on to a system.  You are asked for
your username and a password.  Some systems can have more than ONE password.

There are actually Seven different types of Logins:

1) LOCAL
2) DIALUP
3) REMOTE
4) NETWORK
5) BATCH
6) DETACHED
7) SUBPROCESS

Logins are either INTERACTIVE or NONINTERACTIVE.  An interactive login is a
login made in a series of steps in which the user provides information.  A
noninteractive login is a login in which the system performs all the
functions needed, without any user interaction.

The different types of interactive and noninteractive logins follow:

LOCAL         interactive
DIALUP        interactive
REMOTE        interactive
NETWORK       noninteractive
BATCH         noninteractive
DETACHED      depends
SUBPROCESS    noninteractive

Local login is performed by users from a terminal connected directly to the
central processor or to a terminal server that communicates directly with the
central processor.

Dialup logins are when you log in from a terminal that uses a modem to make
its connection to the system.

Remote logins are when you log in to a node over the network; you request
that node by entering the DCL command SET HOST.  The node you reach
immediately asks you for a user name and password.

Network Logins are performed for you when you access files stored in a
directory on another node or when you initiate some other type of network
task on a remote node.  When you wish to copy files or messages, you would
specify the desired node and an optional access control string, where the
access control string includes your user name and password for the remote
node.  An example is below:

$DIRECTORY PARIS"CRAND password"::WORK2:[PUBLIC]*.*;*

In the above example, user CRAND has an account on remote node PARIS and
enters that command to get a directory listing of all the files in the
[PUBLIC] directory on disk WORK2:.

Proxy logins are very good for security, for this reason: when using proxy
logins, you never enter a password; the system automatically does this for
you.  Your password is never echoed back to you, and passwords are never
exchanged between systems.  And finally, proxy logins keep all passwords
away from where budding young hackers might be looking, like the root or in
command files.

Batch logins are quite useful for doing things on a VMS system.  For
instance, you could have a program that would activate the payroll program
after 7:00pm (and assuming that you have modified the payroll program),
you could set the time to whatever you want, OR suppose you have set up a
time bomb:

SUBMIT/AFTER=19:00 PAYROLL.COM

When the time comes, your user account is logged and a record is
kept.  So if you are modifying programs, make sure that you erase all logs and
such.

Logging in is an important part of the system, for if you cannot log in,
then you cannot complete jobs, perform tasks, and such other things.  All
ports and terminals should be monitored frequently and any problems
noted.  Never assume that something is OK; check all problems and questions,
and refer to the manuals and DEC personnel for assistance.

$_Passwords

There are several types of passwords on a VMS system.  Most users need to
provide a USER PASSWORD when they log in.  Some users also need to provide a
system password to gain access to a particular terminal before logging in
with their user password.  Users on systems with high security requirements
need to provide PRIMARY PASSWORDS and SECONDARY PASSWORDS.

When you assign a password, the VMS operating system applies a ONE-WAY ENCRYPTION
ALGORITHM to all passwords as it stores them.  Encryption refers to a method
of encoding data in an effort to conceal it.  ONE-WAY ALGORITHMS DO NOT USE A
KEY.  Thus, if a user obtains the encryption algorithm and the encoded
password, that user COULD DEDUCE the actual password only by trying all
possible input values.

So in English: it IS possible to reproduce the password encryption format of the
VMS system.  Remember this: if you use an English dictionary word as
your password, someone will then be able to get the password.  It may take some
time, but it is possible.  The problem is this: most system managers are either
trying to get users to use NON-ENGLISH words or to use the /GENERATE password
option, which will generate your password automatically.

System passwords control access to particular terminals and are required at
the discretion of the security manager.  They are necessary to control
access to terminals that might be targets for unauthorized use, such as
dialups and public terminal lines.

Often when an account is set up your first name is used, and from there it
is up to YOU to change your password, unless your account carries
LOCKPWD, which means that you can NOT change your password.

Common passwords are as follows:

Your name
Name of a family member or loved one
Name of a pet
Favorite Automobile
Name of hometown
Name of a boat (or YOUR boat)
Any name associated with work.  Such as company, projects, or groups
And any other item that bears a strong personal association to you

The above list is the most common that people use.  The problem with a
person creating a password is that your mind works in a manner where you
think you pulled out a word that, to you, is random, but to someone else, it
suits you just perfectly.  So when creating accounts, you should use the
/GENERATE command, and that would just about eliminate any chance of a
password that reminds someone of you.

When creating passwords, you must do the following:

$SET PASSWORD
Old password:
New password:
Verification:

If you do not complete the correct sequence, it will not take; also, if you
are under the minimum length for your password, the system will
automatically tell you.

If you want the system to automatically generate passwords, just do the
following:

$SET PASSWORD/GENERATE=8
old password:

apsjawpha     aps-jaw-pha
oorsoult      oor-soult
guamixexab    gu-a-mix-ex-ab
impsapoc      imps-a-poc
ukchafgoy     uk-chaf-goy

Choose a password from this list or press RETURN to get a new list
New password:
Verification:
$

The above shows only five passwords to choose from, and the system
gives you the syllable version of the same word to the right.  Most people
will take the syllable version, 'cause it's easier (meaning if you picked
oor-soult, your password would be OORSOULT, not OOR-SOULT).
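As an added example (not the DEC/VMS generator, whose actual algorithm this file does not describe), here is a Python sketch of a /GENERATE-style pronounceable password list: random consonant-vowel syllables joined to the requested length, shown both as the word you would type and as the hyphenated reading aid. The syllable scheme and the five-candidate list size are assumptions.

```python
import secrets
import string

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)


def make_syllable() -> str:
    """One syllable: consonant + vowel, about half the time with a closing consonant."""
    syl = secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
    if secrets.randbelow(2):
        syl += secrets.choice(CONSONANTS)
    return syl


def generate(length: int) -> tuple[str, str]:
    """Return (password, hyphenated form) containing exactly `length` letters.

    Syllables are appended until the target is reached; the final syllable is
    trimmed so a /GENERATE=8 style request always yields an eight-letter word.
    """
    syllables = []
    total = 0
    while total < length:
        syl = make_syllable()[: length - total]   # trims only the last syllable
        syllables.append(syl)
        total += len(syl)
    return "".join(syllables), "-".join(syllables)


def candidate_list(length: int = 8, count: int = 5) -> list[tuple[str, str]]:
    """Offer `count` choices at once, as the VMS prompt does (five by default)."""
    return [generate(length) for _ in range(count)]


def password_from_choice(hyphenated: str) -> str:
    """The hyphens are only a reading aid: the password you type has none."""
    return hyphenated.replace("-", "").upper()


if __name__ == "__main__":
    # Mimic the prompt's two-column listing: word, then its syllable breakdown.
    for word, hyph in candidate_list():
        print(f"{word:<14}{hyph}")
    print("Choose a password from this list or press RETURN to get a new list")
```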

If your password has the flag PWDLIFETIME=30, your password would then
expire 30 days from the date it was issued.  You will be notified when
your password is due with the following message:

WARNING -- Your password expires on Thursday 30-SEP-1990 15:00

If your account is set with the /GENERATE=xx, then you will then be
automatically shown your list of five words to pick from.  If you do not
have the /GENERATE=xx then you will be prompted for your New Password only.

Make a note: if you are EVER asked to change your pw, do it.  For if you
lose access to the system, you must get the system manager to restore your
pw privileges to you.

You are encouraged to add digits to your passwords, for that will increase
the combinations of letters.  For example:

Six Character password using letters equals out to 300 Million Combinations
Six Character password using BOTH Letters/Numbers equals out to 2 Billion!

You can have Secondary passwords as well as primary passwords, so if you run
into one, it will look like this:

NIA .. VMS Version 5.0

Username: Guardian of Time
Password: xxxxxxxx
Password: xxxxxxxxxx

If you wish to add a secondary password to your account, do the following:

$SET PASSWORD/GENERATE=8/SECONDARY

That will generate a password of eight character length, and it will be the
secondary password.

It is suggested that with System Accounts, or accounts with full privileges
that you use a secondary password, and use the /GENERATE=xx Modifier, that
way, your password would be next to impossible to hack.

Also remember that with two passwords you have about fifteen to thirty
seconds to enter the password, if not, the system will automatically log you
off.

Some Password Tips:

Select reasonably long passwords that cannot be easily guessed.  Avoid using
words in your national language that would appear in a dictionary.  Consider
including digits in your passwords.  Alternatively, let the system generate
passwords for you automatically.

Never write down your password.  You should have it memorized.

Give your password to other users only under special circumstances.  Change
it immediately after the need for sharing has passed.

Do not include your password in any file, including the body of an
electronic mail message.

Before you log in to a previously turned ON terminal, invoke the secure
terminal server feature ( If it is enabled ), with the BREAK key.

Unless you share your password, change it every three to six months.
DIGITAL warns against sharing passwords ( don't we all? ).  If you share
your password, change it immediately.

Change your password immediately if you have any reason to suspect it might
have been discovered.  Report such incidents to your security manager.

Do NOT use the same password for your accounts on multiple systems.  But
some dummy always will, and they get what they deserve.

$_Account Expiration Times

When your account is created, the security manager may decide to specify a
period of time after which the account will lapse (for example, if you will
only need the account for a specific purpose for a limited time).  At
universities, student accounts are typically authorized for a single semester
at a time.  Expired accounts automatically deny logins.

Users receive NO ADVANCE WARNING message prior to the expiration date, so it
IS important to know in advance what your account duration will be.  The
account expiration resides in the UAF record, which can be accessed and
displayed only through the use of the VMS Authorize utility by users with
the SYSPRV privilege or equivalent -- normally your system or security
manager.

When your account expires, you receive an authorization failure message at
your next attempted login.  If you need an extension, follow the procedures
defined at your site.

$_Break In Detection

VMS is nifty in this regard: the system will automatically (if enabled),
after x number of hack attempts, disable that account for a period of time.
So even IF you got the password, after x number of attempts the system will
continue to log you off.

In practice the exchange could look something like this:

Username:NIA
password:files
User Authorization Failure
Username:NIA
password:text
User Authorization Failure
Username:NIA
password:magazine
User Authorization Failure
Username:NIA
password:textfile          <- Correct Pw, but since it detected 3 Hack Attempts
User Authorization Failure <- The system will NOT let you on.
Username:

The time before you could actually log back on is determined by the
security manager, and it could be one hour, one minute, two days, three
weeks, whatever the manager decides.
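The lockout behaviour described in this section, together with the one-way password storage from the Passwords section, as an added Python model (not VMS code): three failures disable the account for an hour, so the fourth attempt in the transcript above is rejected even though the password is right. The threshold, the lockout length and the PBKDF2 hash are assumptions; on VMS the security manager chooses these.

```python
import hashlib
import secrets
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3      # assumed: failures before the account is disabled
LOCKOUT_SECONDS = 3600     # assumed: how long the account stays disabled


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, keyless transform: the only way back is trying inputs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.log: list[str] = []          # what the security manager would review

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> bool:
        """Return True only for a correct password on an account not locked out."""
        acct = self.accounts.get(username)
        if acct is None:
            self.log.append(f"{now}: {username}: unknown user")
            return False
        if now < acct.locked_until:       # still disabled: reject even a correct password
            self.log.append(f"{now}: {username}: rejected, account locked")
            return False
        if acct.locked_until:             # lockout has expired: count afresh
            acct.locked_until, acct.failures = 0.0, 0
        if secrets.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.log.append(f"{now}: {username}: break-in detected, locked {LOCKOUT_SECONDS}s")
        return False
```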

$_Network Considerations For Security

When switching nodes you have to have an account (unless it's public and open
to whoever).  The following example is logging into another node:

NODE"username password"::disk:[directory]file.typ

The problem with this type of sequence is that you must type the password
on the screen, and if anyone happens to be standing by you, they will see
your password, the node, and what directory.

Also watch out for placing your string into a command file or any txt or
message, because if it can be read, it will be.

A proxy login allows users to access files across a network without
specifying a user name or password in an access control string.  This is what
a proxy login would look like:

$COPY WALNUT::BIONEWS.MEM BIONEWS.MEM

What the above did was contact node WALNUT, request BIONEWS.MEM, and copy
it back to the original system; notice that NO passwords were exchanged
visibly, so you wouldn't have to worry about password stealing.

Also note that BOTH nodes MUST have a proxy ACCOUNT; if they don't have
one, then you're out cold.

Also remember that you will need to erase the RECALL buffer (RECALL/ERASE), because
if you do not do so, another user would be able to view all of your previous
commands.  That is ONLY if you are still CONNECTED to the system.  Once you
log off, the RECALL buffer is erased automatically.  Remember that RECALL
can "recall" up to twenty previous commands.  If you want to see all of what
RECALL has in store, just type RECALL/ALL and it will list the last twenty
commands; a mischievous person could acquire your passwords that way.
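An added example (not part of the original file) for the two hazards above: a scanner that finds NODE"user password":: access control strings in a command file or in saved RECALL output and prints a redacted copy. The sample lines and the passwords in them are constructed; the regex assumes the quoted user-password form shown in the text and leaves proxy-style WALNUT:: references alone.

```python
import re

# NODE"USER PASSWORD"::  -- node name, quoted user and password, then ::
ACS_RE = re.compile(r'(?P<node>[A-Za-z0-9_]+)"(?P<user>\S+) (?P<password>[^"]+)"::')

# Constructed sample of command-file / RECALL lines; the passwords are made up.
SAMPLE = """\
$ DIRECTORY PARIS"CRAND swordfish"::WORK2:[PUBLIC]*.*;*
$ COPY WALNUT::BIONEWS.MEM BIONEWS.MEM
$ COPY LONDON"OPS op3rat0r"::SYS$SYSTEM:NOTICE.TXT []
$ SET HOST PARIS
"""


def find_embedded_passwords(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, node, user) for each line that embeds a password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACS_RE.finditer(line):
            hits.append((lineno, m.group("node").upper(), m.group("user").upper()))
    return hits


def redact(text: str) -> str:
    """Replace the password part of every access control string with ********."""
    return ACS_RE.sub(lambda m: f'{m.group("node")}"{m.group("user")} ********"::', text)


if __name__ == "__main__":
    for lineno, node, user in find_embedded_passwords(SAMPLE):
        print(f"line {lineno}: password for {user} on {node} is exposed")
    print(redact(SAMPLE))
```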

$_Logging Out Of A System

When you leave your terminal/system unlocked or online, someone else could
walk on in and pick up where you left off; also, if you have SYSPRV, then that
person could actually start creating accounts, and you wouldn't know it.  So
make sure that when you leave your office you LO/FULL, make sure that you
note the time/date that you were online, shut your system off, and lock the
door on the way out (unless you can't).

At high-security sites, it is common practice to turn off your video
terminal every time you log out because the logout message reveals a
currently active user name.  When users log off after a remote login, the
name of the node they return to after the remote logout is also revealed.
When a user has accessed multiple accounts remotely over the network, the
final sequence of logout commands reveals all the nodes and the user names
that are accessible to the user on each node, with the exception of the name
of the furthest node reached.  To those who can recognize the operating
system from the prompt or a logout message, this will also reveal the
operating system, and thus that person could deduce, if he has sufficient
programming skills, what your system is, and depending on whether you
were careless with your PW, might even be able to hack back onto the
system.

When logging out of a Hard Copy terminal, make sure that all printouts are
ripped off and shredded, burned, trashed or whatever your current site
specifies.

Printouts should NEVER be thrown away, since people go through the trash: they
can easily get them back out and have a hard copy of what you were doing, what
accounts might have been created, and passwords that were set up.  YOUR passwords
are not displayed when you enter one, but if you were modifying user
accounts it is possible to have them on the printout.

On dialups, it is possible to log out and have the phone line NOT disconnect;
there is a special flag that must be added to your account to prevent that, the
PERMANENT/HANGUP flag.  To activate it, you must do the following:

$SET TERMINAL/PERMANENT/HANGUP

You will have to specify your terminal number or name, or port name, that
way the system will know how to react.

$_Common Commands:

DIRECTORY ( or DIR )
LO/HANGUP
MODIFY username/PWDLIFETIME=29-15:00 (29 days, expires at 3:00pm)
MODIFY username/GENERATE=8
PERMANENT/HANGUP
RECALL/ERASE
SET PASSWORD
SET PASSWORD/GENERATE=8
SET PASSWORD/SECONDARY/GENERATE=10


Note that the MODIFY command must be used in the UAF file (User
Authorization File ).

                            Guardian Of Time
                              Judge Dredd
                      Ignorance, Theres No Excuse.
                  For questions or comments write to:
                         Internet: elisem@nuchat
                           Fidonet: 1:106/69.0
                                  or
                             NIA FeedBack
                             P.O. Box 299
                       Santa Fe, Tx.  77517-0299

[OTHER WORLD BBS]