Net Safety for New Users

by Wendy Russ, © 1995

It's unsettling to think that, at this very moment, someone could be rooting through your electronic belongings, looking for something juicy to read. Your love letters, your plans to overthrow small governments and the recipe for Aunt Matilda's secret sauce -- all of these could be found and spread across the Net within minutes, unless you make the effort to keep your Internet account secure.

You've heard the horror stories about hackers such as tales of bandits breaking into well-known systems and stealing credit cards numbers or legends of a "worm" that was set loose to destructively propagate on the Internet. Unfortunately, the almost noble title of "hacker" has been misused (primarily by the media), giving plenty of good guys a bad name.

Let's set the record straight. A "hacker" is someone with remarkable computer skills who likes to write or explore programs and the systems on which they run. A hacker likes to find the limitations of a system and work beyond them using skill and clever thinking. For instance, a hacker might write a program that checks his mail, sorts it, saves the messages in particular files, then generates a report that prioritizes the mail according to parameters he has set. In his leaner, hungrier, pre-Leonardo-da-Vinci years, Bill Gates might have been referred to as a hacker.

Around 1985, the term "cracker" started being used in reaction to the misuse of the word "hacker". A cracker is a hacker with malicious intent. While a hacker is happy to dig around in your computer system just for fun, a cracker looks for the weaknesses and thinks of ways he can exploit them. The motivation is not always for personal gain. Sometimes a cracker will just want to cause trouble, destroy something, or make life miserable for other people.

Those of you who use commercial online services or bulletin board systems don't have as much to worry about as users with Unix shell accounts. In menu-driven or point-and-click environments, there is very little that is within your control: most of the thinking is done by the software. Administrators set up the system to give you a limited number of choices, thereby restricting access to information belonging to other users. All you need to do to keep your account secure is to pick a password that is hard to crack and have faith that your service provider is doing a good job.

For people using Unix systems directly on the Internet, however, it gets a little more complex. (If you use an Internet service provider, chances are you are dialing into a Unix system, even if you use graphical software with SLIP or PPP. If you use an information provider -- such as America Online, Prodigy or Compuserve -- this will not be the case.)

Although Unix can take time to master, don't let that discourage you from using the system. Once you understand the concepts and commands used to make your account secure, you will have the same feeling of security as when you walk around your home, making sure that everything is closed up tight. You will be in control of your environment.

Logging In and Out

Last login: Fri Jul 14 12:18:16 on ttyq3

It's a good habit to take note of this message. If anyone ever gets access to your account, the login message is one way that you may notice. For instance, say you have been gone an entire weekend and haven't logged in to check your mail for three days. (For most of us, this will never happen, but it's a remote possibility for those with more willpower.) The next time you log in, if you see a message that you were logged in yesterday, you will know that something suspicious is afoot.

This login message also tells the place from where you last logged in. If a cracker comes in from a remote site, the place where he telnets from will show up on this message. If you ever see that you were last logged in from a remote host that is unfamiliar to you, you should change your password and notify your system administrator.

There is also a command you can issue to display a record of your login and logout times. It's called the last command. You can see this information about yourself or about any user on the system. The command syntax is:

last [username]

Here is a sample of the output from that command:

roxie  ttyp2  widget.com  Sat Jul 22 12:18   still logged in
roxie  ttyp2  widget.com  Fri Jul 21 23:43 - 23:50  (00:07)
roxie  ttyp2  widget.com  Thu Jul 20 15:06 - 15:18  (00:12)
roxie  ttyp2  user.net    Wed Jul 19 11:07 - 19:09  (08:02)
roxie  ttyp2  widget.com  Tue Jul 18 13:40 - 14:04  (00:24)
roxie  ttyp2  widget.com  Mon Jul 17 00:11 - 00:23  (00:11)
roxie  ttyp2  widget.com  Sun Jul 16 15:23 - 15:30  (00:07)

This is a record of the last few times that a user named Roxie (userid roxie) was logged in to her account. It's Roxie's pattern to log in at some time during the day and check her mail, staying on only long enough to read and reply to the messages. She always logs in from the same place.

In this example, though, you can see that on Wednesday she was logged in from another site and was connected for over eight hours. If you notice unusual behavior, such as in the example above, you should take steps to make sure your account is secure. Check your files, change your password and notify your system administrator.

When you are finished with your connection, you should always make sure that you log out: don't just hang up the phone or turn off your computer. Sometimes it is easy to forget to log out: for instance, you may have started multiple sessions, logged in through another person's telnet session, or perhaps you are just in a hurry. If you leave yourself logged in, it will be possible for someone to come along and have some fun using your identity as a cover.

If you log in from home, it's okay to leave the computer unattended, but if you are in a public place, never leave your computer while you are logged in -- not even to just run out to the candy machine to snag a bag of M&M's. You can see this happen often if you read Usenet: mischievous people will find someone logged in and quickly dash off an embarrassing note to the alt.sex.wanted newsgroup.

If you absolutely must take a bathroom break and don't want to log out and log back in again, your system may have a "lock" command that you can use to restrict access to your computer. A typical lock command asks you for a password and then locks your screen and keyboard until you type the password again.

Passwords

An Internet user named Janice logged in to check her mail only to find a dozen letters from men detailing erotic fantasies that she requested -- only she didn't make such a request. A cracker had gotten her password, logged into her account and posted a steamy invitation for erotica on an alt.sex discussion group.

Once I asked a hacker friend what was the most careless thing he has seen people do which makes them vulnerable to attack by crackers. "Passwords", he said. "People who think a good password is spelling their userid backwards. People who use 'password' as their password."

Password cracking programs utilize a wide variety of word lists to try to break the encryption on password files. By following these guidelines, you can almost be sure your password will not be cracked:

• don't use proper names
  
• don't use personal information such as your birthdate, address, or license number
  
• don't use words in dictionaries or glossaries of any language
  
• don't use words from television shows or movies such as Star Trek and Monty Python
  
• do use a mixture of upper and lower case letters, punctuation, symbols or numbers
  

Pick a password that is easy to remember, but hard to guess. One idea is to choose a meaningful phrase and turn it into an acronym or abbreviation. For example, Madonna's personal password is Igot2Bme.

If you are assigned a password by your system administrator, change it immediately. You should be the only one who knows your password. Don't give your password out to anyone and don't write it down. You are responsible for everything that originates from your account no matter who is logged in.

A final tip on passwords: While it is tempting to use the same password to log in to different places, it's unwise to do so. If a cracker manages to get one password, he can find the other places you hang out on the Net and break in with the same password.

Keep Personal Information to a Minimum

To see what people can find out about you, use the finger command:

finger [your userid]

Here is some typical output:

Login name: agent007                    In real life: James Bond
Directory: /home/u2/users/agent007      Shell: /bin/menus
Last login Fri Jul 21 14:18 on ttyta
New mail received Sat Jul 22 19:36:41 1995;
  unread since Fri Jul 21 18:46:40 1995
Plan:
        I could tell you my plan, but then I would have
        to kill you.

In the example above, there are only two things that the user can change. First, he doesn't have to show his real name. He can use any name he wants or he can leave that field blank. To do this, he should use the chfn (change finger) command. Second, he can change is his plan. That information is found in a hidden file called .plan and is created by the individual user. If you don't have a file called .plan, your finger information will simply say "No Plan." Anything in the .plan file will be seen when someone fingers your userid.

There are some systems that return only a single line of information about a user. Here is an example:

Login        Name      TTY     Idle    When     Where
agent007  James Bond  pts/11    uie.co.uk

Some systems will not allow you to get finger information about users. It depends on the system administrators and how much they are concerned about the privacy and security of their users.

On commercial systems and BBS's, there are a number of ways you can get information about users and they vary from system to system. There are often member directories that will list your real name, your mailing address and even your marital status. You should thoroughly understand the kind of information that anyone can see about you then decide if that's acceptable.

Women have an extra concern on any system. For instance, when I first got my Internet account, I used my first initial and last name as my userid. At a glance you couldn't tell if I was male or female, although if you looked at my finger information it was obvious.

I decided I wanted to change my userid to be the same as my name. A friend of mine warned me not to do it. "You'll be bombarded, you know. Random guys are going to start bugging you."

"That's ridiculous," I said. "I can't believe it's going to make much difference."

He shrugged, "Well, do it and see, but I bet I'm right."

Just between you and me, he was right. I hadn't had my new userid for two days when I started getting talk requests from men I didn't know who wanted to know where I lived and other personal information.

To some people, getting unsolicited attention is a big deal. If it bothers you, make up a userid that is gender neutral, and be sure that there is no personal information that can be seen by other users. Occasionally, you'll hear about harassment or stalking on the Net, but such occurrences are uncommon. Most of the time, a polite "I'm not interested" will discourage someone who is trying to talk to you or is sending you unwanted mail.

Keeping Your Files Private

However, if you have a Unix shell account, it's vital that you understand file permissions. They are easy to learn and allow for great flexibility once you know how everything works.

In the Unix operating system, file permissions regulate who has read, write and execute permission of all your files. These permissions can be set for you, your group, or anyone on your system. You have to make sure that you set these restrictions. Because Unix was originally designed to be a shared environment, the default settings allow anyone to read, write and execute any files that are on the system, even if they don't own the files.

An Internet user named Richard had a big meeting with the Board of Directors of a local company. For two weeks he and an assistant had been planning their strategy by electronic mail. Two days before the meeting, he was notified that a file containing his correspondence had been posted to a local newsgroup where anyone, including members of the Board could read it. Richard's files were not restricted, so they could be read and copied by anyone.

Most users will want to limit access to their files for everyone but themselves. To do so, use the chmod (change mode) command to change your file modes to 600 for the files that you want to view or modify (regular text files) and to 700 for directories or files that are executable (scripts or programs). The syntax for the command is:

chmod [filemode] [filename]

It's an annoyance to check your file permissions every time you create a new file or directory. By putting a umask (user mask) command in your .login file (.profile for Korn Shell users), you tell Unix that you are the only one who can have access to any files or directories that you create.

One last thing to watch for is what file permissions are assigned when you transfer files with FTP. The FTP program will often leave your newly uploaded or downloaded files with global read permission: that is, anyone can look at them. Therefore, after using FTP, be sure to use the chmod command to set the proper permissions for your new files.

I have shown you an overview of the essential commands, but to learn in more detail how file permissions work, I recommend getting a good Unix book such as The Unix Companion by Harley Hahn. This book explains Unix in a thorough and easy-to-understand manner.

Electronic Mail

An important idea to remember is that an email message, like a regular letter, is something tangible. While you can't hold it in your hand, it is an object that can be passed around and viewed by more than one person. At some point in your life on the Internet, it's likely that some of your mail is going to eventually be read by someone other than the original recipient.

This isn't as sinister as it sounds. It's just that email is so easy to pass around that, when anything interesting comes into your mailbox, the temptation to forward it to someone else is often hard to resist. Remember that anything you put in writing can be saved to a file, forwarded, copied, posted to Usenet, added to an archive and so on. Any message you send puts you at the mercy of the recipient, so choose your words with care.

When sending and receiving mail, here are some things to watch out for:

1) Some people make it a habit to keep copies of all the mail they send and receive. There is no way to know how long your correspondence will be "on file" with them. This can get particularly tricky if the person has not taken care to set their file permissions properly. Other people may be able to read the person's files (including your messages).

2) Always note the "Cc:" line to ascertain whether copies of mail you receive has been sent to another individual. This is also one way you lose privacy. If you are trying to keep your email address hidden, being on a group mailing list or being Cc'd blows your cover.

3) Some mail systems insert a "Reply to:" line in message headers. It's possible for someone to send you mail and put another address in the "Reply to:" line. If you don't notice and you use a general reply, your mail will go to whomever was specified in that line.

With the exception of mail that is forwarded, most of the things that I mentioned above will be easy to spot when you are using email. However, there is one line in the mail header that you won't see: the blind copy or "Bcc:" line. This is an option that works just like "Cc:" except that it is invisible. When someone sends you a piece of mail with a blind copy to someone else, there is absolutely no way for you to know that another party has gotten copies of the message.

On some systems, people can not only forward mail, they can "bounce" it. Here is how it works.

When you forward email, the mailing system puts a notation, such as (fwd), in the subject heading, as well as various other markings in the body of the letter. Thus, it is easy for the recipient to see that the message has been forwarded and who did the forwarding.

However, when you bounce a piece of mail, it doesn't look like it comes from you. It looks like it was sent by the person who originally wrote the message. For instance, say that I receive this message from Fabio:

My Darling:

How I have longed to be with you in person.
Please meet me in Paris tonight at 8:00 on
the Rue de Hunks or else I will jump to my
death from the nearest clock tower.

-- Fabio

This is likely to cause a great deal of excitement which I will want to share with my nearest and dearest. So when I bounce Fabio's letter to my best friend, she is going to think the letter has come from him.

Although there will be a line in the header that says that the message was originally addressed to me, in her frantic hopping around she might fail to notice this. Instead, she hits the reply key quickly and dashes off a note that says she's as good as there and -- the worse-case scenario happens -- her reply goes directly back to him. A fine mess all around.

The bounce command is deadly and a good thing to avoid. Even if you know how to use it, there is chance that whoever you are bouncing mail to may slip up and accidentally reply with some embarrassing comments.

Encrypting Your Data

If it happens that you are conducting business or discussing secret plans using email, you can take steps to encrypt your correspondence and any files that are sensitive. Two good ways to encode your messages and data are the Unix crypt command or a popular resource called PGP (Pretty Good Privacy).

To find out more about crypt, check the online Unix manual by using the command man crypt.

For more information about PGP, check out the Web page at MIT. This will get you to a page with a PGP FAQ (list of frequently asked questions) as well as some general information about privacy and security.

There is no magic or mystery in protecting your privacy on the Internet. The tools you need are available to everyone and, with a few simple precautions, you can keep your Internet account secure from those curious people who are blessed with too much time and an underdeveloped sense of propriety.