Michael Sinatra, College of Chemistry
I don't care much about security. I don't have any secret files on my computer and my email isn't even that interesting.
I often hear this said by both faculty and staff, and I am usually quick to respond: What if you lost all of your files? What if all of your email were erased? What if a system cracker caused your email server to go down and you were without email for days, maybe a week?
The spread of the Internet has been extraordinarily beneficial to educational institutions and businesses alike. But this growth has also created an undesirable element--crackers, thieves, corporate spies, and those who are out for personal gain by any means necessary, legal or illegal. Educational institutions have generally been slow to react to the growing threat lurking on the Internet, as exemplified by the attitude depicted by the above quotation. The result is that universities are often seen as easy targets for crackers, and we have paid the price. For example,
Losing access to our files and having our vital link to the Internet jeopardized is enough to warrant action, but there are other reasons we should be concerned about the security of our files. If you have information about students, such as grades or financial-aid information, the confidentiality of such information may be protected by federal law. Personnel information is also confidential and may only be accessed by those specifically authorized. Our important financial systems could be used to defraud the University if care were not taken to protect the information they hold.
Although campus administrators have begun to address the problem of computer security on a campuswide basis (see Report from Security Working Group, BC&C, September-October 1998), individual users also need to take action to protect themselves and their files. These actions can be broadly placed in the categories of logical and physical security.
Logical security refers to the protection of the intangible stuff that resides on the computer--files, email, passwords, etc. Examples of logical security enhancements follow.
Password-protection of PCs. Many PCs can be password-protected in their Basic Input/Output System (BIOS). This is the base level at which the computer operates, regardless of operating system, and enabling this feature greatly enhances the security of a PC. Once the PC is protected by password, only authorized users should be given the password, and it should not be written down anywhere.
Password-protection of Macintoshes. Macintosh PowerBooks running Mac OS 7.5 or better can be password-protected using the operating system control panels. Desktops, on the other hand, require the use of a commercial product such as At Ease or After Dark to restrict access.
Password-protection of shared accounts. If you cannot password-protect your desktop computer, you should store sensitive files on a server, and all accounts on the server should be password-protected. This applies to Unix, Macintosh, Windows NT, and Novell servers.
Encryption. Much of the data sent over the network is transmitted in clear text. Moreover since most of our networks are shared among hundreds of computers, anyone on the network can eavesdrop on the data being transmitted over that network. This requires only the installation of one of many freely-available software tools. Passwords are particularly vulnerable to capture over the network. You should verify that passwords and other sensitive information are encrypted to prevent eavesdropping. If you use telnet, rlogin, ftp, or Eudora (with password authentication), your information is not being encrypted. Consider using SSH (see http://www.ssh.org/ or http://www.ssh.fi/ for more information, and see Securing client-server communications with SSH, BC&C, April-May 1998). To protect sensitive email, consider using PGP (see http://www.pgpi.com/ for the freeware versions, or http://www.nai.com/default_pgp.asp for the commercial versions). PGP plug-ins for popular email programs, such as Eudora, are available.
Servers. If you operate a Unix, NT, or Novell server or workstation, you should be especially concerned about security. Make sure that the latest patches and service packs are installed on your machine, and keep up with security news by subscribing to Bugtraq (http://www.geek-girl.com/bugtraq/) or NTBugtraq (http://www.ntbugtraq.com/). Macintosh servers have suffered fewer security compromises, compared to their NT, Novell, and Unix brethren, but precautions should still be taken. Appleshare/Macintosh security information can be found at MacInTouch (http://www.macintouch.com/), MacFixIt (http://www.macfixit.com/), or by searching Apple's Tech Info Library (http://til.info.apple.com/). Administrators of all types of servers should also periodically check the CERT (http://www.cert.org/) and CIAC (http://ciac.llnl.gov/) security websites. UC Berkeley has its own security mailing list; see IST's Computer Security page (http://socrates.berkeley.edu:2001/security/).
Computers also need to be secured physically to prevent theft and unauthorized access. It is possible that a thief could steal a hard disk containing sensitive information and access that information, even if the computer from which the disk was stolen is password-protected. For this and other obvious reasons, steps should be taken to physically secure computer equipment.
Lockdowns. In general, computer equipment should be kept in locked offices with very few authorized key-holders. Where this is not possible, such as in a shared office or semipublic facility, lockdowns should be used. The UC Police Department has information on how to physically secure computers in this manner, and they are available for consultation. For more information, contact the UCPD's Crime Prevention Unit, 642-3722.
Laptops. Given their relative expense and ease of transportation, laptops are extremely vulnerable to theft. Even if you lock your office door, you should still keep your laptop in a locked desk or file cabinet, or take it with you when you leave. Leaving your laptop out on your desk, even in a locked office, invites theft.
Berkeley Computing & Communications,
Volume 8, Number 5 (November-December 1998)
Copyright 1998, The Regents of the University of California