Obviously, as described above, there is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some attacks is not the physical destruction of your computer system but the penetration and removal (or copying) of the sensitive information it contains. This section explores several different types of attacks on data and discusses approaches for protecting against these attacks.
Electronic eavesdropping is perhaps the most sinister type of data piracy. Even with modest equipment, an eavesdropper can make a complete transcript of a victim's actions - every keystroke, and every piece of information viewed on a screen or sent to a printer. The victim, meanwhile, usually knows nothing of the attacker's presence, and blithely goes about his or her work, revealing not only sensitive information, but the passwords and procedures necessary for obtaining even more.
In many cases, you cannot possibly know if you're being monitored. Sometimes you will learn of an eavesdropper's presence when the attacker attempts to make use of the information obtained: often, by then, you cannot prevent significant damage. With care and vigilance, however, you can significantly decrease the risk of being monitored.
By their very nature, electrical wires are prime candidates for eavesdropping (hence the name wiretapping). An attacker can follow an entire conversation over a pair of wires with a simple splice - sometimes he doesn't even have to touch the wires physically: a simple induction loop coiled around a terminal wire is enough to pick up most voice and RS-232 communications.
Here are some guidelines for preventing wiretapping:
Routinely inspect all wires that carry data (especially terminal wires and telephone lines used for modems) for physical damage.
Protect your wires from monitoring by using shielded cable. Armored cable provides additional protection.
If you are very security conscious, place your cables in steel conduit. In high-security applications, the conduit can be pressurized with gas; gas pressure monitors can be used to trip an alarm system in the event of tampering. However, these approaches are notoriously expensive to install and maintain.
Because Ethernet and other local area networks are susceptible to eavesdropping, unused offices should not have live Ethernet or twisted-pair ports inside them.
You may wish to scan periodically all of the Internet numbers that have been allocated to your subnet to make sure that no unauthorized Internet hosts are operating on your network. You can also run LAN monitoring software and have alarms sound each time a packet is detected with a previously unknown Ethernet address.
Some 10Base-T hubs can be set to monitor the IP numbers of incoming packets. If a packet comes in from a computer connected to the hub that doesn't match what the hub has been told is correct, it can raise an alarm or shut down the link. This capability helps prevent various forms of Ethernet spoofing.
Increasingly, large organizations are turning to switched 10Base-T hubs. These hubs do not rebroadcast all traffic to all ports, as if they were on a shared Ethernet; instead, they determine the hardware address of each machine on each line, and only send a computer the packets that it should receive. Switching 10Base-T hubs are sold as a tool for increasing the capacity of 10Base-T networks, but they also improve the security of these networks by minimizing the potential for eavesdropping.
Every piece of electrical equipment emits radiation in the form of radio waves. Using specialized equipment, one could analyze the emitted radiation generated by computer equipment and determine the calculations that caused the radiation to be emitted in the first place.
Radio eavesdropping is a special kind of tapping that security agencies (in the U.S., these agencies include the FBI, CIA, and NSA) are particularly concerned about. In the 1980s, a certification system called TEMPEST was developed in the U.S. to rate the susceptibility of computer equipment to such monitoring. Computers that are TEMPEST-certified are generally substantially less susceptible to radio monitoring than computers that are not, but they are usually more expensive and larger because of the extra shielding.
As an alternative to certifying individual computers, we can now TEMPEST-certify rooms or entire buildings. Several office buildings constructed in Maryland and northern Virginia are encased in a conductive skin that dampens radio emissions coming from within.
Although TEMPEST is not a concern for most computer users, the possibility of electronic eavesdropping by radio should not be discounted. Performing such eavesdropping is much easier than it would seem at first. For example, the original Heathkit H19 terminal transmitted a radio signal so strong that it could be picked up simply by placing an ordinary television set on the same table as the H19 terminal. All of the characters from the terminal's screen were plainly visible on the television set's screen. In another case, information from an H19 on one floor of a house could be read on a television placed on another floor.
Many terminals are equipped with a printer port for use with an auxiliary printer. These printer ports can be used for eavesdropping if an attacker manages to connect a cable to them. We recommend that if you do not have an auxiliary printer, make sure that no other cables are connected to your terminal's printer port.
A good type of physical protection is to use fiber optic media for a network. It is more difficult to tap into a fiber optic cable than it is to connect into an insulated coaxial cable (although an optical " vampire" tap exists that can tap a fiber optic network simply by clamping down on the cable). Successful taps often require cutting the fiber optic cable first, thus giving a clear indication that something is amiss. Fiber optic cabling is also less susceptible to signal interference and grounding. However, fiber is sometimes easier to break or damage, and more difficult to repair, than is standard coaxial cable.
Backups should be a prerequisite of any computer operation - secure or otherwise - but the information stored on backup tapes is extremely vulnerable. When the information is stored on a computer, the operating system's mechanisms of checks and protections prevents unauthorized people from viewing the data (and can possibly log failed attempts). After information is written onto a backup tape, anybody who has physical possession of the tape can read its contents.
For this reason, protect your backups at least as well as you normally protect your computers themselves.
Here are some guidelines for protecting your backups:
Don't leave backups hanging unattended in a computer room that is generally accessible. Somebody could take a backup and then have access to all of the files on your system.
Don't entrust backups to a messenger who is not bonded.
Sanitize backup tapes before you sell them, use them as scratch tapes, or otherwise dispose of them. (See Section 12.3.2.3, "Sanitize your media before disposal" later in this chapter.)
You should periodically verify your backups to make sure they contain valid data. (See Chapter 7, Backups, for details.)
Verify backups that are months or years old in addition to backups that were made yesterday or the week before. Sometimes, backups in archives are slowly erased by environmental conditions. Magnetic tape is also susceptible to a process called print through, in which the magnetic domains on one piece of tape wound on a spool affects the next layer.
The only way to find out if this process is harming your backups is to test them periodically. You can also minimize print through by spinning your tapes to the end and then rewinding them, because the tape will not line back up in the same way when the tape is rewound. We recommend that at least once a year, you check a sample of your backup tapes to make sure that they contain valid data.
Many of the hazards to computers mentioned in the first part of this chapter are equally hazardous to backups. To maximize the chances of your data surviving in the event of an accident or malicious incident, keep your computer system and your backups in different locations.
If you throw out your tapes, or any other piece of recording media, be sure that the data on the tapes has been completely erased. This process is called sanitizing.
Simply deleting a file that is on your hard disk doesn't delete the data associated with the file. Parts of the original data - and sometimes entire files - can usually be easily recovered. When you are disposing of old media, be sure to destroy the data itself, in addition to the directory entries.
Modern hard disks pose a unique problem for media sanitizing because of the large amount of hidden and reserved storage. A typical 1-gigabyte hard disk may have as much as 400 megabytes of additional storage; some of this storage is used for media testing and bad-block remapping, but much of it is unused during normal operations. With special software, you can access this reserved storage area; you could even install "hard disk viruses" that can reprogram a hard disk controller, take over the computer's peripheral bus and transfer data between two devices, or feed faulty data to the host computer. For these reasons, hard disks must be sanitized with special software that is specially written for each particular disk drive's model number and revision level.
If you are less security conscious, you can use a bulk eraser - a hand-held electromagnet that has a hefty field. Experiment with reading back the information stored on tapes that you have "bulk erased" until you know how much erasing is necessary to eliminate your data. But be careful: as the area of recording becomes smaller and smaller, modern hard disks are becoming remarkably resistant to external magnetic fields. Within a few years, even large, military degaussers will have no effect against high-density disk drive systems.
NOTE: Do not locate your bulk eraser near your disks or good tapes! Also beware of placing the eraser in another room, on the other side of a wall from your disks or tapes. People who have pacemakers should be warned not to approach the eraser.
As a last resort, you can physically destroy your backup tapes and disks before you throw them out. Unfortunately, physical destruction is getting harder and harder to do. While incinerators do a remarkably good job destroying tapes, stringent environmental regulations have forced many organizations to abandon this practice. Organizations have likewise had to give up acid baths. Until recently, crushing was preferred for hard disk drives and disk packs. But as disk densities get higher and higher, disk drives must be crushed into smaller and smaller pieces to frustrate laboratory analysis of the resulting material. As a result, physical destruction is losing in popularity when compared with software-based techniques for declassifying or sanitizing computer media.
If you are a system administrator, you have an additional responsibility to sanitize your backup tapes before you dispose of them. Although you may not think that any sensitive or confidential information is stored on the tapes, your users may have been storing such information without your knowledge.
One common sanitizing method involves overwriting the entire tape. If you are dealing with highly confidential or security-related materials, you may wish to overwrite the disk or tape several times, because data can be recovered from tapes that have been overwritten only once. Commonly, tapes are overwritten three times - once with blocks of 0s, then with blocks of 1s, and then with random numbers. Finally, the tape may be degaussed - or run through a bandsaw several times to reduce it to thousands of tiny pieces of plastic. We recommend that you thoroughly sanitize all media before disposal.
Backup security can be substantially enhanced by encrypting the data stored on the backup tapes. Many Macintosh and PC backup packages provide for encrypting a backup set; some of these programs even use decent encryption algorithms. (Do not trust a backup system's encryption if the program's manufacturer refuses to disclose the algorithm.) Several tape drive manufacturers sell hardware that contains chips that automatically encrypt all data as it is written. We discuss the issue of encrypting your backups, in more detail, in Chapter 7.
NOTE: If you encrypt the backup of a filesystem and you forget the encryption key, the information stored on the backup will be unusable. This is why escrowing your own keys is important. (See the sidebar "A Note About Key Escrow".)
In the last section, we discussed the importance of erasing magnetic media before disposing of it. However, that media is not the only material that should be carefully "sanitized" before disposal. Other material that may find its way into the trash may contain information that is useful to crackers or competitors. This includes printouts of software (including incomplete versions), memos, design documents, preliminary code, planning documents, internal newsletters, company phonebooks, manuals, and other material.
That some program printouts might be used against you is obvious, especially if enough are collected over time to derive a complete picture of your software development. If the code is commented well enough, it may also give away clues as to the identity of beta testers and customers, testing strategies, and marketing plans!
Other material may be used to derive information about company personnel and operations. With a company phone book, one could masquerade as an employee over the telephone and obtain sensitive information including dial-up numbers, account names, and passwords. Sound farfetched? Think again - there are numerous stories of such social engineering. The more internal information an outsider has, the more easily he can obtain sensitive information. By knowing the names, office numbers, and extensions of company officials and their staff, he can easily convince an overworked and undertrained operator that he needs to violate the written policy - or incur the wrath of the "vice president" - on the phone.
Other information that may find its way into your dumpster includes information on the types and versions of your operating systems and computers, serial numbers, patch levels, and other information. It may include hostnames, IP numbers, account names, and other information critical to an attacker. We have heard of some firms disposing of listings of their complete firewall configuration and filter rules - a gold mine for someone seeking to infiltrate the computers.
How will this information find its way into the wrong hands? Well, " dumpster diving" or " trashing" is one such way. After hours, someone intent on breaking your security could be rummaging through your dumpster, looking for useful information. In one case we heard recounted, a "diver" dressed up as a street person (letting his beard grow a bit and not bathing for a few days), splashed a little cheap booze on himself, half-filled a mesh bag with empty soda cans, and went to work. As he went from dumpster to dumpster in an industrial office park, he was effectively invisible: busy and well-paid executives seem to see through the homeless and unfortunate. If someone began to approach him, he would pluck invisible bugs from his shirt and talk loudly to himself. In the one case where he was accosted by a security guard, he was able to the convince the guard to let him continue looking for "cans" for spare change. He even panhandled the guard to give him $5 for a meal!
Perhaps you have your dumpster inside a guarded fence. But what happens after it is picked up by the trash hauler? Is it dumped where someone can go though the information off your premises?
Consider carefully the value of the information you throw away. Consider investing in shredders for each location where information of value might be thrown away. Educate your users not to dispose of sensitive material in their refuse at home, but to bring it in to be shredded. If your organization is large enough and local ordinances allow, you may also wish to incinerate some sensitive paper waste on-site.
In addition to computers and mass-storage systems, many other pieces of electrical data-processing equipment store information. For example, terminals, modems and laser printers often contain pieces of memory that may be downloaded and uploaded with appropriate control sequences.
Naturally, any piece of memory that is used to hold sensitive information presents a security problem, especially if that piece of memory is not protected with a password, encryption, or other similar mechanism. However, the local storage in many devices presents an additional security problem, because sensitive information is frequently copied into such local storage without the knowledge of the computer user.
Computers can transmit information many times faster than most printers can print it. For this reason, printers are sometimes equipped with "printer spoolers" - boxes with semiconductor memory that receive information quickly from the computer and transmit it to the printer at a slower rate.
Many printer spoolers have the ability to make multiple copies of a document. Sometimes, this function is accomplished with a COPY button on the front of the printer spooler. Whenever the COPY button is pressed, a copy of everything that has been printed is sent to the printer for a second time. The security risk is obvious: if sensitive information is still in the printer's buffer, an attacker can use the COPY button to make a copy for himself.
Today, many high-speed laser printers are programmable and contain significant amounts of local storage. (Some laser printers have internal hard disks that can be used to store hundreds of megabytes of information.) Some of these printers can be programmed to store a copy of any document printed for later use. Other printers use the local storage as a buffer; unless the buffer is appropriately sanitized after printing, an attacker with sufficient skill can retrieve some or all of the contained data.
One form of local storage you may not think of is the output of your workgroup printer. If the printer is located in a semi-public location, the output may be vulnerable to theft or copying before it is claimed. You should ensure that printers, plotters, and other output devices are located in a secured location. Fax machines face similar vulnerabilities.
Today many "smart" terminals are equipped with multiple screens of memory. By pressing a PAGE-UP key (or a key that is similarly labeled), you can view information that has scrolled off the terminal's top line.
When a user logs out, the memory used to hold information that is scrolled off the screen is not necessarily cleared - even if the main screen is. Therefore, we recommend that you be sure, when you log out of a computer, that all of your terminal's screen memory is erased. You might have to send a control sequence or even turn off the terminal to erase its memory.
Many X terminals have substantial amounts of local storage. Some X terminals even have hard disks that can be accessed from over the network.
Here are some guidelines for using X terminals securely:
If your users work with sensitive information, they should turn off their X terminals at the end of the day to clear the terminals' RAM memory.
If your X terminals have hard disks, you should be sure that the terminals are password protected so that they cannot be easily reprogrammed over the network. Do not allow service personnel to remove the X terminals for repair unless the disks are first removed and erased.
Many smart terminals are equipped with function keys that can be programmed to send an arbitrary sequence of keystrokes to the computer whenever a function key is pressed. If a function key is used to store a password, then any person who has physical access to the terminal can impersonate the terminal's primary user. If a terminal is stolen, then the passwords are compromised. Therefore, we recommend that you never use function keys to store passwords or other kinds of sensitive information (such as cryptographic keys).
Unattended terminals where users have left themselves logged in present a special attraction for vandals (as well as for computer crackers). A vandal can access the person's files with impunity. Alternatively, the vandal can use the person's account as a starting point for launching an attack against the computer system or the entire network: any tracing of the attack will usually point fingers back toward the account's owner, not to the vandal.
In particular, not only will this scenario allow someone to create a SUID shell of the user involved, and thus gain longer-term access to the account, but an untrained attacker could commit some email mayhem. Imagine someone sending email, as you, to the CEO or the Dean, making some lunatic and obscene suggestions? Or perhaps email to whitehouse.gov with a threat against the President?[7] Hence, you should never leave terminals unattended for more than short periods of time.
[7] Don't even think about doing this yourself! The Secret Service investigates each and every threat against the President, the President's family, and certain other officials. They take such threats very seriously, and they are not known for their senses of humor. They are also very skilled at tracing down the real culprit in such incidents - we know from observing their work on a number of occasions. These threats simply aren't funny - especially if you end up facing Federal criminal charges as a result.
Some versions of UNIX have the ability to log a user off automatically - or at least to blank his screen and lock his keyboard - when the user's terminal has been idle for more than a few minutes.
If you use the C shell, you can use the autologout shell variable to log you out automatically after you have been idle for a specified number of minutes.[8] Normally, this variable is set in your ~/.cshrc file.
[8] The autologout variable is not available under all versions of the C shell.
For example, if you wish to be logged out automatically after you have been idle for 10 minutes, place this line in your ~/.cshrc file:
set autologout=10
Note that the C shell will log you out only if you idle at the C shell's command prompt. If you are idle within an application, such as a word processor, you will remain logged in.
The ksh has a TMOUT variable that performs a similar function. TMOUT is specified in seconds:
TMOUT=600
If you use the X Window System, you may wish to use a screen saver that automatically locks your workstation after the keyboard and mouse have been inactive for more than a predetermined number of minutes.
There are many screen savers to chose from. XScreensaver was originally written by the Student Information Processing Board at MIT. New versions are periodically posted to the Usenet newsgroup comp.sources.x and are archived on the computer ftp.uu.net. Another screen saver is xautolock. In addition, HP VUE and the COSE Desktop comes with an automatic screen locker. AIX includes a utility called xss that automatically locks X screens.
NOTE: Many vendor-supplied screen savers respond to built-in passwords in addition to the user's passwords. The UNIX lock program, for example, previously unlocked the user's terminal if somebody typed hasta la vista - and this fact was undocumented in the manual. Unless you have the source code for a program, there is no way to determine whether it has a back door of any kind, although you can find simple-minded ones by scanning the program with the strings command. You would be better off using a vendor-supplied locking tool rather than leaving your terminal unattended, and unlocked, while you go for coffee. But be attentive, and beware.
Some kinds of computers have key switches on their front panels that can be used to prevent the system from being rebooted in single-user mode. Some computers also have ROM monitors that prevent the system from being rebooted in single-user mode without a password.
Key switches and ROM monitor passwords provide additional security and should be used when possible. However, you should also remember that any computer can be unplugged. The most important way to protect a computer is to restrict physical access to that computer.