From: CSBVAX::CSBVAX::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 24-NOV-1988 02:11
To: MRGATE::"ARISIA::EVERHART"
Subj: Re: Viruses

Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Wed, 23 NOV 88 18:45:34 PDT
Received: from ucbvax.Berkeley.EDU by KL.SRI.COM with TCP; Wed, 23 Nov 88 18:41:50 PST
Received: by ucbvax.Berkeley.EDU (5.59/1.31) id AA29772; Wed, 23 Nov 88 17:31:58 PST
Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 23 Nov 88 23:05:48 GMT
From: rti!bcw@mcnc.org (Bruce Wright)
Organization: Research Triangle Institute, RTP, NC
Subject: Re: Viruses
Message-Id: <2590@rti.UUCP>
References: <8811220459.AA08090@ucbvax.Berkeley.EDU>, <986@uwovax.uwo.ca>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

In article <986@uwovax.uwo.ca>, brent@uwovax.uwo.ca writes:
> In article <8811220459.AA08090@ucbvax.Berkeley.EDU>, KCASSIDY@STMARYS.BITNET ("Kevin Cassidy, System Operator") writes:
> >
> > The only disadvantage to this setup is some jerk going around and attempting
> > to login to everyone's account with wrong passwords, and in the process
> > disables everyone's account.
>
> This could be as bad as actually getting in! (-:
>
> Seriously though, the weakest link in any password-based
> security system is the passwords themselves. Your comment
> suggests a method of breakin which even VMS is not very good
> at detecting - select a "dumb" password (eg PASS) and try it
> on every account you can see on the system (SHO USERS). When
> you reach the end, pick another dumb password and loop. Chances
> are the cycle is long enough that VMS won't notice.

This may or may not be the case.

VMS _can_ be set up to disable the account and the terminal after a single failed attempt, but in practice this is an enormous pain and I have never seen any site actually use it (even some that one would normally think would be concerned with security - it is usually operationally easier to provide physical security than to deal with the zillions of user requests about "I made a typo in my password"). Most sites are set up as you indicated - the account / terminal is only disabled TEMPORARILY, which may or may not be enough.

Unfortunately this entire approach is not adequate for dealing with the really serious problems - it is almost entirely directed at the random cracker who dials in to a modem and tries to break into a system. Although this type of attack can (rarely) cause serious problems, the more deadly attack is likely to come from within - someone who has (or knows someone who is willing to lend him) a valid account which just doesn't have "enough" privileges to do damage. (Think about it - the random cracker really doesn't have much incentive to do anything particular except wander around and maybe cause a little bit of confusion as a lark; whilst the insider has the opportunity to use the machine to engineer or cover up serious thefts [of tangible objects, money, or information] and may have the motive of revenge). (This is in fact a general problem - many businesses think a great deal about how to prevent OUTSIDERS from stealing from the company, but in fact most losses due to theft come from INSIDERS which, statistically, most businesses spend much less time and effort trying to prevent).

You have to assume that the really dangerous attempts will come from someone who knows:

1. Who the users on the system are
2. What the interesting accounts on the system are
3. Information about the owners of those accounts (possibly even to the point of shrewd guesses about their passwords - or even having seen them type the password in!)
4. How the system is operated (what sorts of things the operators/system programmers are likely to notice, how the system security parameters are set up)

and so on.

At least a terminal over which you have physical control provides a level of protection that a modem does not - this is why I said that the only way to have a secure connection on a machine with a modem is to have about two feet of air between the modem and the phone line jack. (You can set up accounts to only allow logging in to a set of specific physical terminals).

The remarks in the note about selection of passwords were pretty good - it is strongly recommended to have a password which is not a word and which is fairly long.

						Bruce C. Wright
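The guessing pattern described in the quoted note (one "dumb" password tried once against every account, then the next password, looping) and the two lockout policies discussed in the reply can be made concrete with a small simulation. The following is an added example, not code from the original posting or from VMS: the account names, the terminal name TTA3:, the passwords, the thresholds and the login records are all constructed for illustration, and the per-account counter is only a model of a threshold-within-a-window break-in policy, not the real VMS parameters. It runs three detectors over the same spray: a strict "lock after one failure" policy (which locks every account, the nuisance the thread complains about), a temporary per-account threshold (which never trips, because each account sees only one failure per cycle), and a counter keyed on the guessing source across accounts (which trips within the first cycle).

```python
"""Password-spray simulation: per-account lockout versus per-source counting.

Added example with constructed data; not from the original post or from VMS.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    t: int          # seconds since the start of the run (constructed)
    source: str     # terminal or dial-up line the attempt arrived on (constructed)
    account: str
    password: str
    ok: bool


# Constructed account list; SHO USERS on the target would give the attacker this.
ACCOUNTS = ["SYSTEM", "FIELD", "SYSTEST", "ALICE", "BOB", "CAROL", "DAVE", "ERIN"]

# Constructed secrets: everyone but ERIN has a non-word password.
SECRETS = {
    "SYSTEM": "x9!Rt-Qm7", "FIELD": "k4#Lp2vVw", "SYSTEST": "q8%Mz1bNc",
    "ALICE": "Tr3e$9Hj", "BOB": "wP6*Gd2y", "CAROL": "m5^Kq8Zs",
    "DAVE": "fL7&Nx3a", "ERIN": "SECRET",
}


def spray(passwords, accounts, interval=30, source="TTA3:"):
    """One attempt per account per password, `interval` seconds apart,
    exactly the outer-loop-over-passwords pattern from the quoted note."""
    attempts, t = [], 0
    for pw in passwords:
        for acct in accounts:
            attempts.append(LoginAttempt(t, source, acct, pw, SECRETS[acct] == pw))
            t += interval
    return attempts


class WindowCounter:
    """Sliding-window failure counter keyed on an arbitrary string.
    record() returns True once `limit` failures fall inside `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def record(self, key, t):
        q = self.events[key]
        q.append(t)
        while q and q[0] < t - self.window:   # drop failures older than the window
            q.popleft()
        return len(q) >= self.limit


def run(attempts, limit, window):
    """Replay failed logins through a per-account and a per-source counter."""
    per_account = WindowCounter(limit, window)
    per_source = WindowCounter(limit, window)
    locked, flagged, compromised = set(), set(), []
    first_alarm = None
    for a in attempts:
        if a.ok:
            compromised.append((a.account, a.password))
            continue
        if per_account.record(a.account, a.t):
            locked.add(a.account)
        if per_source.record(a.source, a.t):
            flagged.add(a.source)
            first_alarm = a.t if first_alarm is None else first_alarm
    return {
        "accounts_locked": sorted(locked),
        "sources_flagged": sorted(flagged),
        "first_alarm_at": first_alarm,
        "compromised": compromised,
    }


if __name__ == "__main__":
    attack = spray(["PASS", "SECRET", "WELCOME"], ACCOUNTS)
    print("lock after one failure  :", run(attack, limit=1, window=300))
    print("temporary, 5 in 5 min   :", run(attack, limit=5, window=300))
```

With eight accounts and a 30-second pace, one full cycle takes 240 seconds, so a temporary per-account policy of five failures in five minutes never sees more than two failures per account inside its window and locks nobody, while ERIN's word password falls in the second cycle. The per-source counter, using the same threshold, alarms on the fifth failure from TTA3: at 120 seconds, before the first cycle is even complete. The strict policy locks all eight accounts after the first pass, which is exactly the denial of service the thread starts from.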