From:	CSBVAX::CSBVAX::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 24-NOV-1988 02:11
To:	MRGATE::"ARISIA::EVERHART"
Subj:	Re: Viruses


Date: 23 Nov 88 23:05:48 GMT
From: rti!bcw@mcnc.org  (Bruce Wright)
Organization: Research Triangle Institute, RTP, NC
Subject: Re: Viruses
Message-Id: <2590@rti.UUCP>
References: <8811220459.AA08090@ucbvax.Berkeley.EDU>, <986@uwovax.uwo.ca>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

In article <986@uwovax.uwo.ca>, brent@uwovax.uwo.ca writes:
> In article <8811220459.AA08090@ucbvax.Berkeley.EDU>, KCASSIDY@STMARYS.BITNET ("Kevin Cassidy, System Operator") writes:
> > 
> > The only disadvantage to this setup is some jerk going around and attempting
> > to login to everyone's account with wrong passwords, and in the process
> > disables everyone's account.
> 	This could be as bad as actually getting in! (-:
> 	Seriously though, the weakest link in any password-based
> 	security system is the passwords themselves.  Your comment
> 	suggests a method of breakin which even VMS is not very good
> 	at detecting - select a "dumb" password (eg PASS) and try it
> 	on every account you can see on the system (SHO USERS).  When
> 	you reach the end, pick another dumb password and loop.  Chances
> 	are the cycle is long enough that VMS won't notice.

This may or may not be the case.  VMS _can_ be set up to disable the
account and the terminal after a single failed attempt, but in practice
this is an enormous pain and I have never seen any site actually use it
(even some that one would normally think would be concerned with security -
it is usually operationally easier to provide physical security than to
deal with the zillions of user requests about "I made a typo in my password").

Most sites are set up as you indicated - the account / terminal is only
disabled TEMPORARILY which may or may not be enough.

Unfortunately this entire approach is not adequate for dealing with the
really serious problems - it is almost entirely directed at the random
cracker who dials in to a modem and tries to break into a system.  Although
this type of attack can (rarely) cause serious problems, the more deadly
attack is likely to come from within - someone who has (or knows someone
who is willing to lend him) a valid account which just doesn't have "enough"
privileges to do damage. (Think about it - the random cracker really doesn't
have much incentive to do anything particular except wander around and maybe
cause a little bit of confusion as a lark;  whilst the insider has the
opportunity to use the machine to engineer or cover up serious thefts
[of tangible objects, money, or information] and may have the motive of
revenge).

(This is in fact a general problem - many businesses think a great deal
about how to prevent OUTSIDERS from stealing from the company, but in
fact most losses due to theft come from INSIDERS which, statistically,
most businesses spend much less time and effort trying to prevent).

You have to assume that the really dangerous attempts will come from
someone who knows:

    1.	Who the users on the system are
    2.	What the interesting accounts on the system are
    3.	Information about the owners of those accounts (possibly even
	to the point of shrewd guesses about their passwords - or even
	having seen them type the password in!)
    4.	How the system is operated (what sorts of things the operators/
	system programmers are likely to notice, how the system security
	parameters are set up)

and so on.  At least a terminal over which you have physical control
provides a level of protection that a modem does not - this is why I
said that the only way to have a secure connection on a machine with a
modem is to have about two feet of air between the modem and the phone
line jack.  (You can set up accounts to only allow logging in to a set
of specific physical terminals).

The remarks in the note about selection of passwords were pretty good -
it is strongly recommended to have a password which is not a word and
which is fairly long.

						Bruce C. Wright
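The thread's point is that a per-account failure counter (the kind of break-in detection discussed above) never trips when one "dumb" password is tried once against every account, because each account sees only a single failure. The following is an added example, not code from the post or from VMS: it runs a per-account counter and a per-terminal counter over constructed, simplified failure records (timestamp, terminal, account; the record format is an assumption, not VMS's real audit format) and shows that only the per-terminal view, which counts distinct accounts failed against from one source, notices the sweep.

```python
from datetime import datetime, timedelta

# Constructed login-failure records: (timestamp, terminal, account).
# The format is assumed for this example; it is not VMS's audit log layout.
CONSTRUCTED_FAILURES = [
    ("1988-11-23 18:00:00", "TTA3", "SMITH"),
    ("1988-11-23 18:00:20", "TTA3", "JONES"),
    ("1988-11-23 18:00:40", "TTA3", "BROWN"),
    ("1988-11-23 18:01:00", "TTA3", "SYSTEM"),
    ("1988-11-23 18:01:20", "TTA3", "FIELD"),
    ("1988-11-23 18:01:40", "TTA3", "OPERATOR"),
    ("1988-11-23 18:30:00", "TTA3", "SMITH"),    # second pass, much later
    ("1988-11-23 18:05:00", "TTA7", "WRIGHT"),   # a legitimate user's typo
]


def parse(records):
    """Turn the constructed string records into (datetime, terminal, account)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), term, acct)
            for ts, term, acct in records]


def _windows(records, key, window):
    """For each record, yield its key and every earlier record with the same
    key that falls inside the trailing time window (records sorted by time)."""
    records = sorted(records)
    for i, (t, term, acct) in enumerate(records):
        k = key(term, acct)
        group = [(t2, term2, acct2) for t2, term2, acct2 in records[:i + 1]
                 if key(term2, acct2) == k and t - t2 <= window]
        yield k, group


def per_account_alerts(records, threshold=3, window=timedelta(minutes=10)):
    """Per-account counter, as the post describes VMS's break-in detection:
    an account is flagged only if it alone fails `threshold` times in `window`."""
    return sorted({acct for acct, group in _windows(records, lambda t, a: a, window)
                   if len(group) >= threshold})


def per_source_alerts(records, distinct_accounts=5, window=timedelta(minutes=10)):
    """Source-centric counter: flag a terminal that fails against
    `distinct_accounts` different accounts in `window`, however few
    failures any single account has seen."""
    return sorted({term for term, group in _windows(records, lambda t, a: t, window)
                   if len({acct for _, _, acct in group}) >= distinct_accounts})
```

On the constructed data the per-account counter raises nothing, while the per-terminal counter flags TTA3 after its fifth distinct account within ten minutes.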