Security on Computer Networks Joanne Costello Network Services As more computers connect to MITnet and the Internet, security on the networks has become a critical issue. Unauthorized access is part of the problem. In The CuckooÕs Egg, Clifford Stoll tells the story of computer break-ins by the Hannover Hacker. This spy gained unauthorized access to several government and military computers in this country from his home in Germany. He did this mainly by guessing passwords and exploiting software bugs. On the Home Front Should you be concerned about this kind of break-in? If you use a Macintosh and TechMail on the campus network, you donÕt need to worry, since outsiders canÕt log into your machine. This is also true for single DOS machines on the network. However, if youÕre on a Novell network, be aware that someone else on your subnet could bring up a Novell client and access your server. Multi-user systems are more vulnerable because they offer services such as remote login. Most unauthorized entries are made possible by poor passwords. Your best defense is to choose a good password (see ÒTipsÓ box below). System software also may have holes that must be closed. Vendors regularly publish security fixes; be sure to use the most current software revision. CERT Alerts One way to keep up with threats to a variety of computer systems is to read alerts put out by the Computer Emergency Response Team (CERT). CERT is a national advisory group formed after the 1988 Internet worm attack. Their alerts cover security problems such as software holes and viruses. IS Network Services forwards CERT alerts to a mailing list called net-users@mit.edu. To be put on this list, call the Network Services Help Desk at x3-4101 or send e-mail to . Passive Risks Protecting your system from unauthorized access deters active security risks. However, there are also passive risks. Passive intruders do not bother to access your system; they pry into mail and data as it travels across the network. Information is sent over the network in chunks called Òpackets.Ó Anyone with the know-how can intercept these packets and read, and possibly alter, the contents. These passive computer crimes are not innocuous. Encryption is the best defense against passive attacks. An encryption program can scramble the contents of a packet using a ÒkeyÓ before it is sent. On the receiving end, the message is unscrambled with a matching key. Other Safeguards MIT is a leader in network security. Kerberos, developed for Project Athena, has become a security standard. At present, Network Services is implementing a Privacy Enhanced Mail system. Network Services also offers a Òsecure LANÓ service to central administrative offices in certain buildings on campus. Data passed on this network is encrypted. For more information about network security, call x3-4101. ¿ ------------------------------------------------------------------------ Tips for Choosing and Using a Password * Choose an obscure password thatÕs easy to remember. Combine letters and numbers, or change a phrase like Òmany colorsÓ to Òmnyclrs.Ó * DonÕt choose your name or part of it in any form (including back- wards); your userid; the name of a relative, friend, pet, or figure from popular culture; your birthday or address; or your license plate or social security number. * DonÕt choose any word you can find in the dictionary. With an electronic dictionary and a simple computer program, it takes only a few seconds to match a dictionary word with a password on the system. * Never tell anyone your password. If you write it down, donÕt leave it where it can be easily found. And change your password often! .