Table of Contents
- General Security Tips
- Password Security
- Securing Sensitive Data
- What is Sensitive Data?
- Securing Your Laptop or Workstation
- Network Firewalls
Whether we like it or not, we need to worry about the security of our computing environment. There are people who would take advantage of our computer systems if they had any, or more complete, access to them. This could range from the use of computer resources they have no right to access to the willful destruction and/or appropriation of the information we all have online. In order to maintain the necessary level of security in our computing environment, there are some things we all have to take responsibility for. Even though you may not feel like you personally have much to lose if someone had access to your account or files, you have to realize that as soon as someone gains ANY access to our system, it’s much easier for them to gain access to ALL of it. So when you are lax with your own account, you are endangering the work and research of everyone else working here.
Below are some general security guidelines. Please see the UNC campus security site for extensive information and help with computer security including references to University Policies and guidelines on computer security.
Probably the most common danger to anyone’s account is simply leaving the workstation while still logged in, either to go grab something to eat, or because you thought you had logged out. It only takes a few minutes at an unattended terminal for someone to be able to gain access to your account whenever they want. So if you’re going to be leaving your terminal, log out, or at least lock the screen. And when you do log out, take an extra second to be sure that you really are logged out. Don’t walk away until you see the login prompt screen, because the logout may hang for some reason and leave your system accessible.
File and Directory Protection
Even without your password, it’s possible for other users to gain access to your files and directories (and even your account) if your permissions aren’t set correctly. If you mistakenly allow other users write permission on critical files, they can easily break into your account. Specifically, it is very important to keep files such as .cshrc, .profile, and .login protected. Any other files that these source or call need to be protected as well. Giving other users write permission on any files or programs that you execute invites their replacement by ‘trojan horse’ programs, which could damage your files, or even try to get your password from you and pass it along to an intruder. Periodically run ‘ls -alc’ in your home directory and make sure your initialization files have appropriate permissions and modification times that make sense. Besides write access, the other issue to think about is whether you want other users to be able to read and/or execute your files. See how to secure your directory for more information.
Setting your Path
Users also need to be careful about which directories they have in their default path, because of the possibility of executing trojan horse programs, as mentioned above. If you have in your path any directory which is publicly writeable, or even writeable by anybody other than yourself, you may fall into this trap. If one of these directories appears in your path before the system command directories, a potential intruder could place a trojan horse program with the same name as a system command in that directory. Then when you try to execute the system command, you get the trojan horse version. The program then has the same access to your files as you do: it could delete your home directory, change permissions on sensitive files, or even trick you into entering your password, which it would send on to the intruder. To guard against this, avoid putting any publicly writeable directory in your path, or if you really have to, make sure that all of the system directories and your own directories appear before any that are writeable by anyone else. You should also put the current directory (the “.” entry) at the very end of your path to avoid the possibility of executing a trojan horse from the current directory. In addition, be wary of unexpectedly being asked for your password, as very few programs require this.
Detecting Unauthorized Access of your Account
There are basically two ways to tell if someone has used your password. The individual may alter, remove, or add files and in some cases sub-directories in your directory. You should be aware of what is in your directory, and notice when files appear or disappear. In particular, be on the lookout for files and directories with names chosen to keep them obscure. For example, do an ls -la and look for entries that begin with a dot and be sure there are no unusual items. Intruders will often name a directory ‘…’ (dot-dot-dot) which to the untrained eye is easily overlooked when you do an ls. Only an ls with the -a option will show these dot files. Also do an ls -lat which will sort your files by modification date, and look to see if any files have changed at times you can’t recall modifying them. Second, you can tell if a user logs in as you. When you log in, Linux will print the time of your last login. Please check that each time you log in, and notify the facilities staff if the time reflects an unauthorized access. You can also check your last logins by means of the ‘last’ command. See the man page for details.
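The checks described in the last three sections can be scripted. The following is an added example, not code from the original page: it audits PATH for directories writable by group or others and for a misplaced “.”, checks the permissions of shell init files, and looks for dot entries with names chosen to be overlooked. The function names are mine, and the init-file list extends the page’s .cshrc, .profile and .login with common modern-shell equivalents.

```shell
#!/bin/sh
# Added example, not from the original page: a POSIX sh audit of the three
# habits described above. All function names here are my own.

# Succeeds (returns 0) when `ls -ld` shows group write (column 6) or
# other write (column 9) on the given path; -L follows symlinked entries.
_others_can_write() {
    _mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$_mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_path_dirs PATHSTRING
# Walks the colon-separated list; prints one warning per risky entry and
# returns 1 if any were found, 0 otherwise.
check_path_dirs() {
    _rest="$1:"
    _rc=0
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -z "$_d" ] || [ "$_d" = "." ]; then
            # An empty entry means the current directory, same as ".";
            # the text says it belongs at the very end, if anywhere.
            if [ -n "$_rest" ]; then
                echo "WARN: current directory ('$_d') is not the last PATH entry"
                _rc=1
            fi
            continue
        fi
        if [ ! -d "$_d" ]; then
            # A missing entry is worth noting: whoever can create it later
            # gets to supply the commands you run.
            echo "WARN: PATH entry $_d does not exist"
            _rc=1
        elif _others_can_write "$_d"; then
            echo "WARN: PATH entry $_d is writable by group or others"
            _rc=1
        fi
    done
    return $_rc
}

# check_init_files HOMEDIR
# The page names .cshrc, .profile and .login; the others are modern-shell
# equivalents I added. Returns 1 if any present file is writable by
# group or others.
check_init_files() {
    _rc=0
    for _f in .cshrc .profile .login .bashrc .bash_profile .zshrc; do
        [ -e "$1/$_f" ] || continue
        if _others_can_write "$1/$_f"; then
            echo "WARN: $1/$_f is writable by group or others"
            _rc=1
        fi
    done
    return $_rc
}

# find_odd_dotnames HOMEDIR
# Flags dot entries whose names are easy to miss in `ls -la`: three or more
# leading dots (the '...' trick above) or a trailing space. Heuristic only.
find_odd_dotnames() {
    _rc=0
    for _e in "$1"/.*; do
        _n=${_e##*/}
        case "$_n" in
            .|..|'.*') continue ;;       # skip ., .. and an unmatched glob
            ...*|*' ') echo "WARN: suspicious entry '$_n' in $1"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Run the audit against the current user's own environment.
check_path_dirs "$PATH" || :
check_init_files "$HOME" || :
find_odd_dotnames "$HOME" || :
```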
Your password is the fundamental element of security not only for your personal account, but for the whole UNIX system that we share. Without an account and password a person has NO access to our system. If someone discovers (or you tell someone) your password, not only will they have access to your personal files, but they will have a much better chance to launch attacks against the security of the entire system. Accordingly, password security should be a concern of every user. It is important that your password is *yours and yours alone*. Never tell anyone your password. If someone needs access to some of your files, you can change the permissions and/or set up a new group to control access; see the AFS file security information. To keep people from discovering your password, don’t choose one that is easily guessed. The ‘passwd’ command will not allow you to choose passwords which are too simple, but it cannot prevent you from choosing a password someone might guess from knowing you (or finding out about you), such as your birth date, spouse’s name, your street name, license plate, etc. Don’t use passwords derived from any personal information about yourself. See the password security help page for more information.
If you have data that is considered sensitive, here are some tips for keeping those data secure, with some references to relevant campus policies. See What is Sensitive Data? below for general guidance on what kinds of data are sensitive, or the ITS Security policy defining sensitive data for detailed information, but the most common forms of sensitive data we use in Computer Science are student data such as grades and personnel information such as performance reviews. You might also consider what data you have about yourself.
Also, all data, sensitive and otherwise, are covered by the CS Data Retention Policy.
Sensitive Data on Portable Devices
Campus policy strongly recommends against keeping sensitive data on portable devices such as laptops and smart phones, and portable storage devices such as flash drives or external hard drives. Instead of keeping sensitive data on your laptop, for example, consider whether or not keeping sensitive data on a workstation or server would work for you.
That being said, we know that many people use a laptop as their only computer, and storing data remotely may not be practical. If you need to store sensitive data on a laptop or other portable device, those data should be encrypted.
Full Disk Encryption
According to Campus Policy, if you process or store sensitive data on a Windows laptop, full disk encryption is required, and under Linux or Mac OS X, full disk encryption is recommended. If you wish to pursue full disk encryption, ITS provides PGP based disk encryption software. OS X users can also use FileVault. Current versions of Windows support BitLocker. The major advantage of full disk encryption is that caches and other temporary files are encrypted as you work with documents.
Another option is to use encrypted folders or home directories, or to use a USB drive that supports hardware encryption, such as those provided by IronKey. Regular USB keys can also be formatted as encrypted volumes. Users of Linux and Unix systems can take advantage of encfs and FUSE; see the Ubuntu docs. Another option is TrueCrypt. The difference between TrueCrypt and encfs is that TrueCrypt creates a monolithic encrypted container, while encfs encrypts individual files. The former is more secure and can be used to encrypt entire drives, while the latter leaks some metadata (approximate file length, for example) but is easier to back up or sync.
Laptop users should also consider installing Prey, as it can help locate or even wipe a laptop remotely.
Cellphones and PDAs are easy to steal or to lose, so if you use one to access sensitive data, please see the ITS document on securing them.
If you keep sensitive data on external hard drives, USB keys, DVDs, or any other portable medium, you should label the media with your email address (or firstname.lastname@example.org). That way it will be easier to keep up with, and we have a chance of getting it back if it is lost. If the media is not encrypted, keep it locked up when not in use. If you need a method for physical security, such as a locking file cabinet or desk drawer, send email to help. If you need to dispose of such media, please contact Computer Services–simply deleting files is not sufficient, as files can be recovered.
Sensitive Data on Desktops, Workstations, and Servers
Desktop and other machines in locations with a measure of physical security are not required to use encryption to protect sensitive data, but the requirements do include use of strong passwords, locking screen savers, and disabling autologin. Large quantities of sensitive data should be stored on a server in a secure location; if you have a need for such storage, please contact email@example.com. If you are storing sensitive data on a university owned system that is accessed by people other than yourself, please contact Computer Services so we can make a note of that system for auditing purposes.
Transferring Sensitive Data
Sensitive data should be protected in transmission, from the point of origin to the destination. Many systems, such as WEP and WPA wireless connections, can provide a measure of protection for part of a transfer, but not for the entire path. The best way to secure such connections is to use a protocol that protects the data along the entire route.
- For accessing sensitive data with a browser, make sure you are using SSL (if the URL is https:// and not http://, you are). Most servers will enforce this, but not all do.
- Email is generally not considered a secure means of transferring data. Even if you use an encrypted connection to read and send email, there’s no guarantee that the person to whom you are sending the data does, and most mail transfers between mail servers are not encrypted. You can encrypt mail messages using PGP, but that is not supported by ITS, and may require an exchange of public key data before sending the message.
- Using a server as a transfer point is a good way to move sensitive files, if you use SFTP or other encrypted connection to move the files.
Disposal of Sensitive Data
Retention of all data is subject to the department’s data retention policy. In the case of sensitive data, please take adequate precautions when disposing of data media. Send email to help if you are unsure of how to dispose of sensitive data, but here are some general guidelines.
- Paper: We have a shredder in SN107. Alternatively, sensitive paper work can be boxed up for pickup for secure recycling. Computer Services can provide boxes for this purpose. Please label the box “Confidential-Shred” and tape it closed, and we will come pick it up. Do not leave such boxes in an unlocked space.
- Hard Drives: All hard drives, internal or external, should be passed to Computer Services so that we can perform multiple writes across the entire disk.
- USB Keys, DVDs, CDROMs and SSDs: The best way to secure these for disposal is to encrypt them and then physically destroy them.
The security policies in force at UNC CH require that we take measures to secure data that is considered sensitive from unwarranted access. For more information on how ITS defines sensitive data, please see the policy document from ITS Security. Generally speaking, the data we have in Computer Science that would be considered sensitive falls into one of the following areas. Also, it is worth pointing out that your own personal data is yours and you can do with it what you will–these guidelines deal with cases in which a person or organization keeps sensitive data that belong to others. Also, this is not an exhaustive list, just an outline of types of sensitive data that are known to be used here in Computer Science.
Educational data such as grades, covered under FERPA
The most common sensitive data that fall under FERPA are grades. Any information linking grades to individual students is considered sensitive, but other data are also covered under FERPA guidelines. For example, while FERPA allows disclosure of directory information such as phone number and address or honors and awards, it also requires that schools provide a method for students to request that such information not be disclosed. At UNC this is done by giving everyone the right to request that their data be treated as private. The Registrar has more information on FERPA guidelines, but a quick rule of thumb is that if you can see the data for a particular individual in the online Telephone Directory, it’s not considered sensitive and is accessible to the general public.
Personnel Information covered under the State Personnel Act
Article Seven of the State Personnel Act sets guidelines for what personnel data are considered public or confidential. Information of a general nature such as name, age, date of hire, title, and salary are considered public. Other information such as performance reviews are considered sensitive.
Financial Account Information
Any data containing account numbers or codes such as credit card numbers or bank account numbers should be considered sensitive. These data are covered by Chapter 132 of the North Carolina Public Records Act. You can find guidelines for handling such data at the PCI Security Standards Council web site.
Research Data containing personal identifying information
Research data may be considered sensitive if the data contain information that can be linked to an individual. Generally speaking, the process of acquiring and using such data is vetted by UNC’s IRB. Data that have been anonymized are not considered sensitive. Details on the levels of security required for various IRB data are available; contact Computer Services if you need help addressing those requirements.
Raw Network Traces
We do research in networking and computer security, and some of that research requires acquisition of network traffic from multiple computers. Such data are considered sensitive if they are not anonymized.
Do I have Sensitive Data?
One thing to note: you are free to do whatever you want with your personal data. This document addresses the personal data of others that you have.
I have information about individual students
Under FERPA guidelines, any private data about students are considered sensitive. Grades are private, as is pretty much any information about a student that is not found in the Campus Directory.
I have clinical or medical data
Under HIPAA guidelines, clinical data that can be linked to an individual person is considered sensitive. Data from which personally identifying information has been purged is considered research data and is not considered sensitive.
I have other research data from experiments on human test subjects
Data from experiments using human test subjects are covered under local IRB guidelines. Sanitized data are not considered sensitive, but any data that might be linked to individuals are. See the research guidelines, and if you have any IRB data or will be collecting IRB data for storage on a computer system, send email to firstname.lastname@example.org to let us know about it, and we’ll help you meet the guidelines.
I have financial account data
Financial or other data including information such as account numbers that could be used for fraud or theft, including identity theft, are considered sensitive. Credit card numbers, driver license numbers, social security numbers, and bank account numbers fall into this category. SSNs are considered particularly sensitive, and should not be used as an ID where not required.
I have personnel data
Data such as an employee’s name, age, title, salary, and date of employment are considered public records and are thus not considered sensitive. Other information placed in an employee’s file is considered private and thus sensitive.
First, assess what degree of risk you have. If you do not have sensitive data, the basics presented here are a good start.
You are more likely to suffer data loss from other causes, but making backups is a good measure to take in order to preserve your data. You should have three copies of everything important, in two different locations–you might not know that a backup has failed until you need to restore from it.
Use antivirus and antimalware software
ITS provides Symantec’s Antivirus software from their Shareware Distribution site. If this does not suit, a free alternative is ClamAV, which is cross platform and open source. Also consider using antimalware software to detect problems.
Enable the firewall
Most operating systems come with the firewall enabled by default. If you want to test your firewall, the easiest way is to use Gibson Research’s Shields Up, a free online scanning service (do keep in mind that if you do this from behind a NAT hosted in a cable modem router or wireless access point, what you are really scanning is the NAT). But these firewalls offer minimal protection, and you may wish to go further. We have more detailed information on firewalls if you want to pursue more advanced options.
Using encrypted connections helps prevent others from being able to read the data that you are transmitting over the network. On campus, this is not much of an issue, but when you are out and about in the world, keep in mind that the networks you are using vary widely in terms of their relative security.
- For any web site that requires a password, use https:// instead of http://
- For IMAP connections to read email or SMTP connections to send mail, use the encrypted ports and enable SSL. But keep in mind that email is generally not considered a secure means of communication for sensitive data.
- Use SFTP and SSH to move files and login, and avoid use of FTP and Telnet.
Install VPN software on portable computers or PDAs
ITS provides Virtual Private Networking through a Cisco system. This enables encryption on all connections to and from unc.edu, so it is a good security measure if you travel. See the Best Practices for Using the Campus VPN for more details.
Use strong passwords and require their usage
The password rules we use in Computer Science yield relatively strong passwords, but make sure you use strong passwords for any important data. Also, disable autologin and require a password to wake from sleep and at the screen saver.
Be careful where you click
Much of the malware out there these days can infect your system when a web page or similar link is clicked. Be careful not to open attachments or click on links as they are provided to you unless you are sure of their source.
Keep your system up to date
Installing system updates in a timely fashion reduces your exposure.
A firewall controls access to the network ports on your machine at a low level so that intruders have less chance to breach a service. They also allow you to grant access to particular IP numbers or ranges. For example, if you want to use a web or file server so you can access your home machine from work, you can set the firewall to block access to the ports used by those services from all machines on the internet except the ones you use. To machines not granted access, the port apparently doesn’t exist, so there is nothing there to attack.
Is my cable modem a Firewall?
In a sense, yes. Most folks have a wireless access point that contains a switch for wired connections, and acts as a Network Address Translation router. These devices use private addresses to allow multiple computers to share a single IP number on the outbound side. The machines behind such a device are not reachable from the outside unless port forwarding is enabled.
Simple firewalls just look at the packet for IP source and destination addresses, protocol, and ports, so you have to identify what ports you need to open for your software to work. This kind is a little trickier to configure since you need to know which ports to open and which to close.
Application firewalls also look at which applications are involved in the conversation (most of the Windows software falls into this category). This type of firewall software generally has a learning mode, in which the first time a port is used, the firewall software prompts you to allow or deny that use, with an opportunity to build a rule for future reference. This kind is pretty easy to configure, although you should take care not to get in the habit of allowing everything (which defeats the purpose, really). This kind generally prompts for outgoing as well as incoming connections, so it has the additional advantage of helping detect activity by viruses or “spyware”.
In general, outgoing connections and incoming packets resulting from outgoing connections should be allowed. Windows users have a bit more to worry about in this area since they are more prone to viruses, which often install software that tries to propagate the virus further via outbound connections, but use of anti-virus and anti-spyware software should mitigate this risk.
So it’s really only new incoming connections that you need to worry much about (these are connections initiated by remote machines trying to start a conversation with your machine). If you’re running a service on your machine that you want others to be able to use, you’ll need to make sure that service is accessible. In general, you’ll need to consider the following when configuring your system:
- What ports does this service require to function?
- Which IP numbers or ranges of numbers do you want to open this service to?
- Does this service rely on UDP, TCP, or perhaps both?
As an example, if you’re running a web service that you want anyone on the internet to access, you’d open port 80 for inbound connections to the entire internet. This would mean, of course, that anyone could have a go at breaching your system through your web server. But if you only need that webservice so that you can check your online calendar (for example), you could limit access to the service to a particular network range or even individual machines that you use.
A quick note on ports
How ports are used is often confusing. Generally speaking, servers will listen on a specific well known or registered port. Clients may start a connection from a particular port, or randomly choose one of the dynamic ports. And once a network conversation is started, services may stay put on a pair of ports, or may “walk” through a range of port numbers.
There are about 65k ports, broken into three ranges:
- 1-1023 are “well-known” ports. Use of these ports should be restricted by the OS on the local machine to the root or other privileged accounts (but should is a big word). Consequently, breaches on these ports are generally considered more dangerous for most operating systems.
- 1024-49151 are registered ports. Programmers are supposed to register these ports with the IANA for use with client-server software.
- 49152-65535 are dynamically assigned ports. This range is a free for all zone used by any program.
As a general guideline, the lower the port number, the more closely it should be guarded.
Check the firewall’s logs regularly
This is especially helpful when you are setting up the firewall. Most firewalls log blocked connections, so when you make a configuration change, you can try to use the services affected by that change and then check the log if things don’t work as expected.
But you should also review the firewall’s logs regularly just to get a feel for what kind of activity your machine is experiencing.
Take advantage of scanning software and services
There are a number of software packages and online services you can use to check out your system. Some programs such as netstat can be used to look for open ports locally (although some trojan horses can hide their use of a port!), others can be used to scan a machine remotely (but you want to take care with these–on some networks, scanning ports is considered a security breach in and of itself, so check with your network admin). Do NOT use this kind of software to scan more than one machine at a time; this kind of usage not only consumes lots of bandwidth, but is also very suspicious–poking around your house is one thing, but scoping out the neighbors is questionable at best.
- Nmap: This unix program is used by both forces of light and dark, it’s an excellent CLI port scanner. See also this nmap guide.
Online services will scan your system for you. Do be aware that some of these sites are also selling services, and using the free scans as advertising. Also, some of these sites are a bit, shall we say, histrionic in their characterization of potential problems.
- Gibson Research: This is a good place to start. Steve’s Shields Up service scans for the most commonly used ports. It’s not comprehensive, but it’s fast and free.
Sniffers are another good resource, if a bit more technical. A sniffer shows lists of individual packets, not just connections, so you can step through connections, packet by packet, to see how your software is using ports.
- tcpdump: this one’s venerable, and there are front ends available such as MacSniffer.
- Wireshark: the de facto standard in sniffing software.
Gee, this is all pretty vague
Yep. There’s a lot of variation in how the individual software packages are configured, and it’s impossible to predict exactly what your needs for access and security might be. Although pretty much every operating system comes with a minimal firewall these days, it’s worth going to a little extra effort. For example, Windows XP, OS X, and Red Hat all just open a port when you enable a service, and that’s not the real power of a firewall–the real power is in opening a port to a limited range of network addresses.
Ok, so I’ve got a firewall, what now?
This is one way you might approach configuring a firewall–there are others, and what is described here might not be appropriate for your needs.
Putting it all together
- With the firewall off, or before you install it, go to http://www.grc.com/ and use Shields Up to scan your system. This will tell you what a scan of your system looks like without any security measures in place. Don’t worry too much about it if you fail the tests even with a firewall, Steve’s rules for passing are pretty strict.
- If your system has a default firewall (pretty much all of them do), try that first.
- Now repeat your scan at grc. If the firewall is working, you’ll see that all ports are now reported to be in stealth mode. Also check the firewall’s logs; there you should be able to see a list of the connections that were denied.
- Try to use your computer the way you normally do–use your favorite programs, test moving files, and so on. If your firewall is application oriented, you will likely receive numerous notices from the firewall noting that various applications are requesting access to outbound ports. Take your time, and examine each proposed rule. Generally it is ok to accept outbound connections, but you want to make sure you’re not enabling any spyware or virus software to open connections to the internet.
- Also test your ability to use file servers (assuming you use a file server). For example, if you use AFS, you may find that you need to enable inbound connections on ports 7000-7007, but you should only need to do this for the AFS servers you use (you should be able to find a list of these servers in the local CellServDB file). For other types of file services, you might consider enabling a range of ports. For example, CS affiliates might enable access to their home machine from addresses in cs-old.sites.unc.edu–this would allow any CS machine to attempt a connection.
- If something doesn’t work, check the firewall’s logs to see what was blocked (it’s helpful in this case to clear the log, then try what isn’t working again, so that most if not all log entries are from the failed connection). This should give you an idea of what rules are blocking the connection.
- If you can’t figure it out from the firewall’s logs, you might try a sniffer program. First disable the firewall, then activate the sniffer, and try the program that doesn’t work through the firewall. The sniffer should catch all packets that were involved in establishing the connection. Each packet will have information on what port was used for that packet, what protocol was used (generally UDP or TCP), and what IP numbers were used as source and destination.
Refining your filters
- The most powerful use of a firewall is to restrict traffic to a service to a particular range of network addresses. For example, there’s not much reason for a workstation at UNC to allow SSH from anywhere, so it’s probably pretty easy to restrict it to unc.edu addresses. So you can limit access to port 22 to 188.8.131.52/16, 184.108.40.206/16, and 220.127.116.11/16 (if you don’t understand this notation, 18.104.22.168/16 means all numbers from 22.214.171.124 through 126.96.36.199). For help on understanding subnet ranges and mapping them out, see this online subnet calculator.
- If you want to refine ICMP filters see http://www.iana.org/assignments/icmp-parameters for a listing of icmp types.
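As an added example (not code from the original page), the helpers below make the filtering step above concrete: cidr_range spells out the first and last address that a prefix such as A.B.C.D/16 covers, and emit_rules prints an iptables script that admits new connections to one port only from the listed ranges, lets replies to connections you started through, and logs what the default policy drops. The function names are mine, and the 192.0.2.0/24-style ranges are RFC 5737 documentation prefixes standing in for your own campus or home ranges.

```shell
#!/bin/sh
# Added example, not from the original page. The script only prints the
# iptables commands; review them, then run them as root if they fit.

# ip_to_int A.B.C.D -> the address as an integer; returns 1 on bad input.
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/LEN -> "first last"; returns 1 on bad input.
cidr_range() {
    case "$1" in */*) ;; *) return 1 ;; esac
    _len=${1#*/}
    case "$_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_len" -le 32 ] || return 1
    _n=$(ip_to_int "${1%/*}") || return 1
    # The host bits are the low (32 - LEN) bits: clear them for the
    # first address, set them for the last.
    _host=$(( (1 << (32 - _len)) - 1 ))
    _first=$(( _n & ~_host ))
    _last=$(( _n | _host ))
    echo "$(int_to_ip "$_first") $(int_to_ip "$_last")"
}

# emit_rules PORT PROTO CIDR...
# Prints an iptables INPUT policy: default drop, loopback allowed, replies
# to our own connections allowed, PORT/PROTO open only from the CIDRs,
# and other new inbound connections logged (rate-limited) before the
# default policy drops them. Returns 1 if any CIDR is malformed.
emit_rules() {
    _port=$1; _proto=$2; shift 2
    [ $# -ge 1 ] || return 1
    for _c in "$@"; do
        cidr_range "$_c" >/dev/null || { echo "bad range: $_c" >&2; return 1; }
    done
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for _c in "$@"; do
        echo "iptables -A INPUT -p $_proto --dport $_port -s $_c -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# Usage: show what 192.0.2.0/24 covers, then build an SSH policy that admits
# only two documentation ranges (substitute your own).
cidr_range 192.0.2.0/24
emit_rules 22 tcp 192.0.2.0/24 198.51.100.0/24
```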