Who's That Knocking at My Door?
Article Date: 12/94
According to the people who keep track of this sort of thing, most computer security threats are an inside job. The highest percentage of problems are caused by internal users of the system who cause a security incident either accidentally or intentionally. The tabloids' image of the shadowy hacker out there in cyberspace is actually the least of the security officer's problems.
But that doesn't mean that the threat of external access to your system isn't real. Anyone with an external connection is exposed. In this issue, let's look at some of the things you can do to lower your risk. The CAC Customer Newsletter #34 from last year has an article on VOS security written by "DD" [Is that you, Dan Dantz? When VOS wizards speak, the rest of us should listen.] "DD" wrote: "One of the prime rules is: Deny a hacker as much information as possible."
If I'm a hacker and I know I'm connected to a VOS machine, the first thing I will try are some of the "standard" accounts. Account names like User, Guest, and Install are prime targets, so remove them from the registration database after the module is installed and running. At least change the passwords on these accounts - I have been on security audits where I have logged in on the module on my first try! Two other accounts that may serve a purpose after installation are Stratus_CAC and Stratus_FE. If you leave these accounts on the system, make sure that you change the passwords (tell the appropriate Stratus personnel). Check your back issues of StrataSphere for tips on controlling passwords.
You can make it even harder for a hacker to login if they don't know what operating system they are looking at. When the login prompt is displayed on a terminal screen, there is a line of text that looks something like this:
System/32, Release 10.4, Module %acme#m1
This tells the knowledgeable hacker that he is connected to a Stratus (so try Stratus-specific attacks), that it is a VOS 10 machine (so you aren't using the password format controls that became available in VOS 11), and that he is on an "acme" machine (so try accounts and passwords based around the company name).
This display comes from the system error_codes.text file (m$login_banner) where VOS substitutes values for the appropriate strings (&a n &). You can change the error_codes file on your module to some string which does not give out any good information (don't include &a1&, &a2&, and &a3& which is where VOS places those three strings). Follow the instructions in the System Administration manuals to make these changes without breaking all the error messages on your system!
If you want your users to know these things, you can place the information in (master_disk)>system>notices and have them use the display_notices command in their start_up.cm. They will see the information after they pass login screening.
To go one step further, the next line:
Please login 10:13:46
is built by VOS using the error_codes.text file (m$please_login), followed by the time. When I see that prompt, I know that I should try login (as opposed to logon, signon, etc., etc.). You can change that string as well.
Finally, use the login_screen_image. This is a file in (master_disk)>system which VOS displays on the screen when a terminal is connected or turned on. You can do all sorts of creative things here. Tim Gamble ran a really fun contest at the annual meeting in Orlando and had some very interesting screens displayed in the Syllog booth. However, there is also a great security opportunity with the file: post a "No Trespassing" sign. Your legal department can help you with the wording of this message, but even something simple like "Unauthorized use of this system is prohibited" may be better than nothing. A warning message like this may help to prevent the "But your honor, nobody told me I couldn't use this system" defense if you should have a problem at a later time.
In Clifford Stoll's classic story of hacking, "The Cuckoo's Egg", he notes:
"It doesn't take brilliance or wizardry to break into computers. Just patience. What this hacker lacked in originality, he made up in patience. A few of the holes he exploited were news to me. ... But mostly he took advantage of the administrator's blunders. Leaving accounts protected by obvious passwords. ... Not monitoring audit trails."
The police tell us that burglars often look around a house to see if the owner has left a spare key near the door. Don't help a hacker onto your Stratus by leaving keys out where they can be seen.
| 
