
“So we went to Atari and said, ‘Hey, we’ve got this amazing thing, even built with some of your parts, and what do you think about funding us? Or we’ll give it to you. We just want to do it. Pay our salary, we’ll come work for you’ And they said, ‘No.’ So then we went to Hewlett-Packard, and they said, ‘Hey, we don’t need you. You haven’t got through college yet.’” – Apple Computer Inc. founder, Steve Jobs, on attempts to get Atari and H-P interested in his and Steve Wozniak’s personal computer.

Operating Systems

Security

Goals

When you complete this section you will be able to:

Lessons

Theory - This file contains the background and theory you'll need to successfully complete the lab exercises for this lesson. You should read this first.

DOS Lab - This is the Disk Operating System (DOS) lab manual. It contains activities and exercises to help you understand the theory as it applies to DOS.

Windows 98 Lab - This is the Windows 98 lab manual. It contains activities and exercises to help you understand the theory as it applies to Windows 98.

Windows XP Lab - This is the Windows XP lab manual. It contains activities and exercises to help you understand the theory as it applies to Windows XP.

Linux Lab - This is the Linux lab manual. It contains activities and exercises to help you understand the theory as it applies to Linux.

Skill Check - This set of questions will quiz your understanding of the operating system theory and practice presented in this lesson.

Challenge - This set of advanced lab exercises is designed to help you apply your understanding to new challenges.

Introduction

This lesson will introduce you to the concept of security as it applies to operating systems. For personal computers, security has traditionally been of lesser importance (though it was always important in networked systems). However, in the future security will become essential.


Theory

If an operating system permits more than one user to access computer resources at the same time (multi-user systems), then there must be some way to separate the users so one cannot get into the wrong files, processes, and memory spaces. This separation is the very heart of security as it applies to operating systems.

An operating system should keep you from accidentally deleting a file that belongs to me (of course, you wouldn’t delete one of my files intentionally – would you?). At a much lower level, the operating system needs to isolate your running programs from any I may be running at the same time. It wouldn’t be good for me to be writing a document using Microsoft Word, and then suddenly have the screen change to Microsoft Excel with your spreadsheet “stuff” displayed. While a programmer may think that would be a funny joke, most users would be a bit upset (OK – really angry).

In this lesson we will look at security as it relates to operating systems.

Passwords

A multi-user system will require you to type in a password to access system resources.

Choosing A Strong Password

In Linux, your password is only eight characters long (I know you can type in a long password, but only the first eight characters are used). You may choose from letters, numbers, and some of the “special characters” (like !, =, and +). In Linux, case matters; so LiNuX is different from linux.

When you choose a password you should keep these thoughts in mind:

Remembering Your Password

To select a password you can remember, you may want to use one of these techniques:

Crackers

Crackers are programs designed to “crack” (or discover) your password. Crackers work using one of two popular methods.

The first (and easiest) is to simply try every word in the dictionary until one works. This method can find a password in just a few minutes. The best way to defeat this type of attack is to use words that are not found in the dictionary (like “razTab1e” or “eat1cod” above).

The other popular way to attack a password file is to use what’s called a “brute force” attack. This is where the cracker will try all one-letter passwords first, then all two-letter passwords, and so forth. The way to defeat this type of attack is to use eight-letter passwords (it takes much longer to crack an eight-letter password than a six-letter password), and to include mixed case, numbers, and symbols. As the number of potential letters increases the brute force attack takes longer to complete. A system administrator once cracked a password of mine - but it took about three and a half days of processing time to do it. He found other passwords on the same system in about five seconds.

Common Passwords

While it's impossible to list all the possible passwords people use, human nature is pretty predictable - the same passwords seem to come up repeatedly. That may be unavoidable, but is unfortunate from a security point of view.

In the list below you will find a number of default passwords often assigned by a system administrator to new accounts.

0 (zero) a account anonymous default
demo demonstration email enter field
go guest hello i id
info instr instructions intro introduction
mail manager mini name new
newuser passwd password pswrd root
start startup su superuser supruser
sys sysop system systest techsupport
temp tempy test testing train
trainer training tty use user
visit visitor x z  
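The two attacks described under Crackers can be turned into a check a system administrator runs when a password is chosen. The following Python sketch is an added example, not part of the original lesson; the function names are made up for illustration, it assumes ASCII passwords, and it takes the eight-character limit from this lesson's statement about Linux.

```python
import string

# A few of the default passwords from the list above; a real check would load
# the whole list plus a dictionary file.
COMMON = {"guest", "password", "passwd", "root", "newuser", "test", "visitor"}

USED_LENGTH = 8  # per this lesson, only the first eight characters count

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def alphabet_size(password):
    """Size of the smallest alphabet a brute-force search must cover."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_guesses(password):
    """Worst-case guesses when every 1-, 2-, ... n-character string is tried."""
    effective = password[:USED_LENGTH]
    n = alphabet_size(effective)
    return sum(n ** k for k in range(1, len(effective) + 1))


def audit(password):
    """Return a list of weaknesses; an empty list means none were found."""
    effective = password[:USED_LENGTH]
    problems = []
    if len(password) > USED_LENGTH:
        problems.append("characters after the eighth are ignored")
    if effective.lower() in COMMON:
        problems.append("first eight characters are a common default password")
    if len(effective) < USED_LENGTH:
        problems.append("shorter than eight characters")
    classes_used = sum(1 for c in CLASSES if any(ch in c for ch in effective))
    if classes_used < 2:
        problems.append("uses only one kind of character")
    return problems


if __name__ == "__main__":
    for candidate in ("guest", "kitten", "password2024!", "razTab1e"):
        print(candidate, brute_force_guesses(candidate), audit(candidate))
```

The third candidate looks long and varied, but its first eight characters are a word from the default list, so a dictionary attack still finds it.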

Along with the specific words listed in the table above, you will also find administrators using the following generic types of new-user passwords:

The following list contains generic word categories that turn up frequently when users are permitted to select their own passwords:

Viruses (And Other Critters That Go Bump In The Night)

VIRUS! The very word causes computer users to fear. They think that there is a world of malicious vandal-ware out there just waiting to destroy their computers. Goodness, maybe a virus will reach out from the Internet and catch a home computer on fire!

Scope

Just how big is the virus problem? In truth, nobody knows. There are many estimates, though, that millions of computers are infected by some sort of virus. Perhaps that's true. However, remember that it could be that the people who are saying such things are also in business to sell anti-virus software.

The other related question is how many viruses are there? Again, there is no consensus from the anti-virus manufacturers. Perhaps there are thousands of viruses - McAfee, one of the most popular anti-virus software makers, claims 53,00 viruses as of Aug 2000. However, perhaps there are only about 1500 viruses with many varieties of some of the more popular ones. It would also be important to specify whether the viruses are "in the wild" (found on users' computers) or just laboratory examples.

Symantec Corporation (makers of Norton Antivirus) states:

Computer viruses are increasing at an unprecedented rate. In 1986, there was one known computer virus; three years later, that number had increased to six and by 1990, the total had jumped to 80. By November of that year, viruses were being discovered at the rate of one per week. Today, between 10 and 15 new viruses appear every day. In fact, from December 1998 to October 1999, the total virus count jumped from 20,500 to 42,000.

Whatever the truth, it seems reasonable to assume that even if there are thousands of viruses "out there," most viral infections come from a relatively small number of those viruses. The Wildlist (http://www.virusbtn.com/WildLists/) is a regularly updated listing of all viruses found "in the wild" (that is, not just in a computer laboratory somewhere). The July 2000 list (the latest available when I wrote this page) included only 217 viruses that were reported from all over the world, and an additional 331 found in only one region of the earth. That's 548 total viruses "in the wild."

This is not meant to reduce the significance of viruses. If your computer gets infected it won't matter to you if there are 10 viruses or 10-thousand - only one was enough to attack your system.

Hoaxes (and Chain Letters)

Internet hoaxes are closely related to viruses. Hoaxes are types of "urban legends" that circulate around the Web and never seem to die. These hoaxes seem to come in waves - you may see several at one time, then not see another for many months.

There are many popular hoaxes, but they tend to follow one of only a few broad themes:

One persistent hoax involves a child who is dying from (fill in a disease) in (fill in a country) and wants to set some sort of record so "please send an e-mail to him/her today."

One involves some sort of free trip or money give-away to anyone who "sends an e-mail message to xxx today."

By far, the most frequently seen type of hoax involves a "new kind of virus" that is the "most destructive ever seen." Readers are warned that their computers can become infected if they just read an e-mail message entitled (fill in a title). Generally, these messages also contain some big name in the computer industry: "IBM announced today..." One final request is to "send this warning to everyone you know" so the virus doesn't spread.

By themselves, hoaxes are not destructive in the sense that they destroy information on your computer. However, they do tie up valuable Internet resources (particularly e-mail) with foolish warnings about non-existent viruses or gifts.

You may wonder how these hoaxes can continue to circulate. The answer is simple: the Internet community is growing by tens (or hundreds) of thousands of new users every month. These folks are concerned about viruses and are ripe for a hoax.

When I get a hoax message in my e-mail, I usually just delete it. If I get a hoax message from one of the users in my small group of close friends, I will send back a quick note asking them to not forward messages about new viruses until they check with me - I always offer to check on the status of any truly new viruses using a trusted source.

What Do Viruses Do?

Viruses are potentially destructive software that spreads from program to program or from disk to disk. Computer viruses, like biological viruses, need a host to infect; in the case of computer viruses this host is a program on your computer. Not all viruses deliver a damaging payload - but all should be considered malicious since they alter your disks in ways you do not want.

While viruses are a problem they may not be the most important thing you should worry about. There are many other threats to your programs and data that are much more likely to harm you than viruses. Problems such as hardware glitches, software conflicts, software bugs, and even typos are much more likely to cause undetected damage to your data than viruses. A well-known anti-virus researcher once said that you have more to fear from a spilled cup of coffee than from viruses.

So, does this mean that viruses are nothing to worry about? Of course not! It just means that we need to put viruses into a proper perspective.

Quick Virus Guidelines

Here are a few tips to keep in mind when considering viruses:

Types of “Viruses”

There are many forms of malicious software (sometimes called “vandalware”), but the media usually calls all malicious software “viruses.” Let's examine the different types of malicious software:

What Viruses Do

Viruses come in a great many different forms, but they all potentially have two phases to their execution: the infection phase and the attack phase.

Categories of Viruses

System Sector Infectors (AKA Boot Sector Infectors)

These are viruses which plant themselves in system sectors. System sectors are special areas on your disk containing programs that are executed when you boot your PC. Sectors are not files but simply small areas on your disk that your hardware reads in single chunks. Under DOS, sectors are most commonly 512 bytes in length. These sectors are invisible to normal programs but are vital for correct operation of your PC – and are a common target for viruses.

There are two types of system sectors found on DOS PCs: boot sectors and partition sectors (also known as Master Boot Records or MBRs). System sector viruses (also commonly referred to as “boot sector viruses”) modify the program in either the DOS boot sector or the partition sector. Since there isn't much room in the system sector (only 512 bytes), these viruses often have to hide their code somewhere else on the disk. These viruses sometimes cause problems when this spot already contains data that is then overwritten.

File Infectors

In terms of sheer number of viruses, these are the most common. The simplest file viruses work by locating a type of file that they know how to infect (usually a file name ending in ".COM" or ".EXE") and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. Eventually, the virus will deliver its payload and damage data on your disk.

Macro Viruses

Microsoft Office applications (like Word and Excel) have a macro language (a BASIC-like language) built in. That means that Word documents can contain programs (written in the macro language) that are executed when you open that document. This can provide a very useful function (adding specialized formulas to a spreadsheet, for example), but can also be used to deliver a destructive payload to your disk. You must be especially vigilant of macros contained in e-mail attachments. Do not open an attachment unless you were expecting someone to send it.

Defeating Viruses

There are basically two types of anti-virus software on the market. One scans your hard drive and looks for virus “signatures” while the other monitors your system for suspicious activity.

Scanners

Most viruses contain a specific “signature” that a special scanning program can detect. For example, a virus may print a message like “You Are Infected” on the computer screen. A scanner can check the files on your computer to look for that string of letters. In reality, scanners are much more sophisticated than that, but the concept is the same: they look for the “signature” of a virus. These programs rely on a signature file you can download from the program’s manufacturer. Usually, when you buy an anti-virus program you get six months or one year of free updates.
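The string-matching idea above, as an added Python example that is not part of the original lesson. The signature names and byte patterns are constructed for illustration (the first reuses the message from the paragraph above), and the function name is hypothetical. It reads the data in chunks, as a scanner must for large files, and shows why the end of each chunk has to be carried over: a signature that straddles two chunks is otherwise missed.

```python
import io

# Constructed signature database: name -> byte pattern. The first entry is the
# lesson's own illustration; neither is a real virus signature.
SIGNATURES = {
    "Demo.Message": b"You Are Infected",
    "Demo.Marker": b"\xde\xad\xbe\xef\x13\x37",
}


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096, keep_tail=True):
    """Return {signature name: offset of first match} for a binary stream.

    keep_tail=False scans each chunk on its own and is included only to show
    the failure it causes.
    """
    longest = max(len(pattern) for pattern in signatures.values())
    overlap = longest - 1  # enough bytes to complete any straddling match
    hits = {}
    tail = b""
    base = 0  # absolute file offset of the first byte of the current window
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in signatures.items():
            if name not in hits:
                pos = window.find(pattern)
                if pos != -1:
                    hits[name] = base + pos
        tail = window[-overlap:] if (keep_tail and overlap) else b""
        base += len(window) - len(tail)
    return hits


def make_sample(offset):
    """Constructed sample: zero bytes with the demo message placed at offset."""
    return b"\x00" * offset + SIGNATURES["Demo.Message"] + b"\x00" * 100


if __name__ == "__main__":
    infected = make_sample(4090)  # the message straddles the 4096-byte boundary
    clean = b"\x00" * 8192
    print("with overlap:   ", scan_stream(io.BytesIO(infected)))
    print("without overlap:", scan_stream(io.BytesIO(infected), keep_tail=False))
    print("clean file:     ", scan_stream(io.BytesIO(clean)))
```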

Monitors

A monitor “watches” your computer’s activity and interrupts anything that is suspicious. For example, you would not normally want to format your hard drive. A monitor would interrupt a format command to ask “Are you sure you want to do this?” Like scanners, the monitor’s work is much more sophisticated than just looking for formatting - but the concept is the same.

What To Do

You should be certain that you have a good virus detection program constantly running on your computer. There are several good ones on the market. Find one and keep the signature files updated.

When you get some program from a friend, be sure you trust that person to have sent you a “clean” program. Remember, Trojans can attack through programs that seem great - but hide a nasty surprise.

Do not permit programs you receive via e-mail to automatically run - even “innocent” programs like an animated Christmas card can carry devastating bombs.

Be smart as you work with your computer. Don’t hide in paranoia, but be aware that there are some people “out there” who take great pleasure in causing you pain.


DOS Laboratory

When DOS was created, there was no thought of multi-user systems (at least in desktop computers). In the late 1970’s, Bill Gates and crew thought DOS would be used on some scientist’s computer but no one else would ever have access to that computer - a Personal Computer was, in fact, “Personal.” However, by the late 1980’s schools, businesses, and other groups began sharing computers (in labs, for example) and the need arose to offer security for a specific user’s information. This posed a problem for folks who used DOS (nearly everyone in those days).

Because DOS was never designed for a multi-user, multi-tasking environment there is no security built into that operating system. Basically, whoever turned on the DOS computer would get full access to the entire system - and no one could prevent someone else from seeing, modifying, and even deleting files. This section of the chapter, thus, is pretty short!

Some folks in those early days discovered ways to “hide” files from other users. For example, you can set the “hidden” bit in the file’s attributes so the file name wouldn’t list with a “dir” command. However, this was not security - just a convenience feature. Anyone who had worked with DOS for more than a few days would soon learn that you can list all the files (even “hidden” ones) with dir /a. It was also possible to set or re-set any attribute (including the “hidden” one) using the DOS command attrib. I have more about this command in the DOS lab in the file systems lesson.


Windows XP Laboratory

Windows XP is a multi-user system that has a number of networking and security features built in. In this lab, we'll explore a few of these features.

User Management

Even if your computer is not connected to a network, you can set up a password system and permit multiple users to access the services on the computer. This creates a secure "zone" for every user on the computer, so Dad can have his files, Mom hers, and the kids can have their files. Each user is given access to their own files on the hard drive, but not anyone else's.

There is also a capability to add common files and areas that everyone can access. That means that the system administrator can add a new user, give that person access to the common files, and give that user access to his/her own files. However, a user would not have access to anyone else's files on the computer.

To add a new user to your Windows XP computer, select Control Panel -> User Accounts. The screen illustrated in Figure 2 appears.

Figure 1 - Managing User Accounts

In Figure 1, you can see that there is an Owner Account (the system administrator) and a Guest Account (currently inactive). To create a new user, click on the Create a New Account link. A short Wizard starts to help you create your new account.

Figure 2 - Naming a New Account

You will first have to name your account. This name will be what is displayed on the opening screen. You'll notice in Figure 2 I've named my new account Tommy.

Figure 3 - Setting Account Type

Figure 3 shows the Wizard step where I set the account type. A Computer Administrator account has full privileges to create users, delete users, and whatever else needs to be done on the computer. This would usually be restricted to only one or two people on a home network. A Limited Account, on the other hand, can manipulate files that the account owns, but has fairly limited access otherwise.

Figure 4 - The New Account Is Ready

Figure 4 shows that the new "Tommy" account is ready. Of course, I can modify that account whenever I want. If I click on the account name, I will open the screen illustrated in Figure 5, where I can set a password for the account, change the picture, or do several other maintenance actions.

Figure 5 - Modifying an Account

It seems that many people want to change the default picture linked to the account (the chess pieces for Tommy's account in Figure 5). To change the picture, click on the "Change the Picture" link and choose the picture you want to use. Figure 6, below, shows me changing Tommy's picture.

Figure 6 - Changing the Account's Picture

Networks

Windows XP can be used as a client on a large network or even as a main server for a home (or other small) network. A small, home network is usually not configured as a Server/Client model; rather, as a peer-to-peer sharing network. For example, one computer in your home can have an Internet connection and printer and then share those resources with other computers in the home. This is cost-effective for the home or small business owner and makes it possible to use all available resources.

Networking starts with the physical connection of the computers in your home or small office. It is beyond the scope of this lab to discuss physical networking, but you can find "kits" that will provide all of the hardware you need and help you connect your computers together.

However, once you have your network connected, you can begin to share resources among the various computers.

For example, in Figure 7 you can see that I've shared My Pictures folder to allow users on other computers in the network to see (and use) those pictures. I did not, though, permit other users to change (and delete) those pictures. Also note that I could have shared that folder for "local" access. That means that if I had several users on my computer (like "Tommy," that was created above), I could grant (or deny) those users access to documents on my computer.

Figure 7 - Sharing A Folder

To share a printer, folder, or other resource, right-click on that resource's icon and choose Properties. In the Properties panel, click on the "sharing" tab and select the level of sharing you want to enable for the resource.

Firewalls

A "Firewall" is a way to isolate a network from the Internet. Windows XP comes with a built-in firewall and you can use it to help protect all of your computers from abuse. To enable your firewall, open the Control Panel -> Network Connections. Click on your Internet connection and then click on the link named Change Settings of This Connection under Network Tasks in the Task Panel on the left of the screen. In the Properties Dialog box that pops up, select the Advanced tab and check the box to "Protect my computer...".

Figure 8 - Enabling the Firewall

The firewall protection is adequate for most home computer users, but if you are running a home office and have sensitive information on your computer you should consider purchasing a commercial firewall product.


Linux Laboratory

Linux is a true multi-user system and has a number of interesting security features built in.

File Access

Every user can specify who has access to files and directories on their system. In Figure 8 you can see the result of a ls -l (that's "dash-ell," not "dash-one") command in my CIS 140 directory.

[selfg@localhost cis140]$ ls -l
total 16
drwxrwxr-x    5 selfg    selfg        4096 Aug 10 16:05 biology
drwxrwxr-x    7 selfg    selfg        4096 Aug 10 16:05 chemistry
drwxrwxr-x    5 selfg    selfg        4096 Aug 10 16:05 physics
-rw-rw-r--    1 selfg    selfg        2242 Aug 10 16:05 vi.txt
[selfg@localhost cis140]$

Figure 8 - LS -L Command

This is one of the lines from that listing:

-rw-rw-r--    1 selfg    selfg        2242 Aug 10 16:05 vi.txt

Figure 9 - Access Permissions

In this line, the first ten characters are permissions for the file. Here is how they are interpreted:

The first character is the type of file. The only types you will likely see are “d” for directory and “-” for normal files, though there are others.

The next nine characters actually represent access modes for three different types of users. It may be easiest to split those characters like this:

rw-   rw-   r--
Owner Group Other

You’ll note that the owner has three possible access modes, the group has three, and others have three.

Every file and directory has an owner. Normally, the owner is the user who created the file or directory, though that is not always true. It is possible for the original owner to “give away” the file to a new owner.

Every person with permission to log onto a Linux account is also placed into a group. By default, you will be placed into your own special group (no other members) - but the system administrator can add you to any other groups desired.

“Other” describes the permissions anyone else has for that file.

For each of the three types of users (owner, group, and other), there are three different access permissions: Read, Write, and Execute. For example, you’ll notice that in Figure 9 the owner has permission to read the file and write to the file, but not execute the file. (When the permission is noted by a “-” that means the permission does not exist.) For that same file, members of the group "selfg" can also read and write the file, but not execute it. Finally, all others can read the file but not write to it or execute it.

Links: In Figure 9, the “1” following the permissions is the number of files or directories linked to this one. You’ll notice in Figure 8 that the directory named “chemistry” has 7 links.

Owner: “grself” owns all the files in Figure 8.

Group: Since I am in a group named "grself," all the files I create are automatically in that group.

Size: The file named “vi.txt” is 2242 bytes big.

Last Modified: The file “vi.txt” was last modified on Aug 10 at 16:05.

Name: Finally, the name of the file is “vi.txt”.

Changing the Access Mode

If you want to change the access permissions for a file you own, you can do so with the chmod command. The format for chmod is

chmod nnn filename

where “nnn” is replaced by three digits (each set according to the table below) and filename is the name of the file to change.

Value Meaning
0 - - -
1 - - X
2 - W -
3 - W X
4 R - -
5 R - X
6 R W -
7 R W X

For example, chmod 764 grs would set these permissions for the file “grs”: owner gets read, write, and execute; group gets read and write only; and others can only read the file.
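The permission string and the chmod digits are two spellings of the same nine bits, and converting between them is a useful way to audit a listing. The following Python sketch is an added example, not part of the original lab; its function names are hypothetical, its sample input is the ls -l listing from this lesson, and it handles only the r, w, x and - characters and the two file types described above.

```python
# Constructed input: the ls -l listing shown earlier in this lesson.
LISTING = """\
total 16
drwxrwxr-x    5 selfg    selfg        4096 Aug 10 16:05 biology
drwxrwxr-x    7 selfg    selfg        4096 Aug 10 16:05 chemistry
drwxrwxr-x    5 selfg    selfg        4096 Aug 10 16:05 physics
-rw-rw-r--    1 selfg    selfg        2242 Aug 10 16:05 vi.txt
"""

TYPES = {"-": "file", "d": "directory"}


def triplet_to_digit(triplet):
    """Turn one triplet such as 'rw-' into its chmod digit (0-7)."""
    if len(triplet) != 3:
        raise ValueError("expected three characters: %r" % triplet)
    digit = 0
    for ch, letter, value in zip(triplet, "rwx", (4, 2, 1)):
        if ch == letter:
            digit += value
        elif ch != "-":
            raise ValueError("unsupported permission character: %r" % ch)
    return digit


def mode_to_octal(perms):
    """'-rw-rw-r--' -> '664', the nnn you would pass to chmod."""
    if len(perms) != 10:
        raise ValueError("expected ten characters: %r" % perms)
    return "".join(str(triplet_to_digit(perms[i:i + 3])) for i in (1, 4, 7))


def octal_to_mode(nnn):
    """'764' -> 'rwxrw-r--' (owner, group, other)."""
    out = []
    for d in nnn:
        value = int(d)
        if not 0 <= value <= 7:
            raise ValueError("not a chmod digit: %r" % d)
        out.append("".join(l if value & b else "-"
                           for l, b in zip("rwx", (4, 2, 1))))
    return "".join(out)


def parse_ls_line(line):
    """Split one ls -l line into the fields this lesson describes."""
    perms, links, owner, group, size, month, day, clock, name = line.split(None, 8)
    return {
        "type": TYPES.get(perms[0], "other"),
        "octal": mode_to_octal(perms),
        "links": int(links),
        "owner": owner,
        "group": group,
        "size": int(size),
        "modified": " ".join((month, day, clock)),
        "name": name,
        "others_can_write": perms[8] == "w",  # worth flagging in an audit
    }


def parse_listing(text):
    """Parse every entry of an ls -l listing, skipping the 'total' line."""
    return [parse_ls_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("total")]


if __name__ == "__main__":
    for entry in parse_listing(LISTING):
        print(entry["name"], entry["type"], entry["octal"], entry["others_can_write"])
    print("chmod 764 gives", octal_to_mode("764"))
```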