Network Working Group                                        E. Guttman
Request for Comments: 2504                             Sun Microsystems
FYI: 34                                                        L. Leong
Category: Informational                                   COLT Internet
                                                              G. Malkin
                                                           Bay Networks
                                                          February 1999


                        Users' Security Handbook

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The Users' Security Handbook is the companion to the Site Security
   Handbook (SSH).  It is intended to provide users with the information
   they need to help keep their networks and systems secure.

Table of Contents

   Part One: Introduction
      1.  READ.ME
      2.  The Wires have Ears
   Part Two: End-users in a centrally-administered network
      3.  Watch Out!
         3.1.  The Dangers of Downloading
         3.2.  Don't Get Caught in the Web
         3.3.  Email Pitfalls
         3.4.  Passwords
         3.5.  Viruses and Other Illnesses
         3.6.  Modems
         3.7.  Don't Leave Me...
         3.8.  File Protections
         3.9.  Encrypt Everything
         3.10. Shred Everything Else
         3.11. What Program is This, Anyway?
      4.  Paranoia is Good
   Part Three: End-users self administering a networked computer
      5.  Make Your Own Security Policy
      6.  Bad Things Happen
         6.1.  How to Prepare for the Worst in Advance
         6.2.  What To Do if You Suspect Trouble
         6.3.  Email
      7.  Home Alone
         7.1.  Beware of Daemons
         7.2.  Going Places
         7.3.  Secure It!
      8.  A Final Note
   Appendix: Glossary of Security Terms
   Acknowledgments
   References
   Security Considerations
   Authors' Addresses
   Full Copyright Statement

Guttman, et al.              Informational                      [Page 1]
RFC 2504                Users' Security Handbook           February 1999

Part One: Introduction

   This document provides guidance to the end-users of computer systems
   and networks about what they can do to keep their data and
   communication private, and their systems and networks secure.  Part
   Two of this document concerns "corporate users" in small, medium and
   large corporate and campus sites.  Part Three of the document
   addresses users who administer their own computers, such as home
   users.

   System and network administrators may wish to use this document as
   the foundation of a site-specific users' security guide; however,
   they should consult the Site Security Handbook first [RFC2196].

   A glossary of terms is included in an appendix at the end of this
   document, introducing computer network security notions to those not
   familiar with them.

1. READ.ME

   Before getting connected to the Internet or any other public network,
   you should obtain the security policy of the site that you intend to
   use as your access provider, and read it.
   A security policy is a formal statement of the rules by which users
   who are given access to a site's technology and information assets
   must abide.  As a user, you are obliged to follow the policy created
   by the decision makers and administrators at your site.  A security
   policy exists to protect a site's hardware, software and data.  It
   explains what the security goals of the site are, what users can and
   cannot do, what to do and who to contact when problems arise, and
   generally informs users what the "rules of the game" are.

2. The Wires have Ears

   It is a lot easier to eavesdrop on communications over data networks
   than to tap a telephone conversation.  Any link between computers may
   potentially be insecure, as can any of the computers through which
   data flows.  All information passing over networks may be
   eavesdropped on, even if you think "No one will care about this..."

   Information passing over a network may be read not only by the
   intended audience but by others as well.  This can happen to personal
   Email and to sensitive information that is accessed via file transfer
   or the Web.  Please refer to the "Don't Get Caught in the Web" and
   "Email Pitfalls" sections for specific information on protecting your
   privacy.

   As a user, your foremost concern should be to protect yourself
   against misuse of your computer account(s); your second concern
   should be to protect your privacy.

   Unless precautions are taken, every time you log in over a network,
   to any network service, your password or confidential information may
   be stolen.  It may then be used to gain illicit access to systems you
   have access to.  In some cases, the consequences are obvious: if
   someone gains access to your bank account, you might find yourself
   losing some cash, quickly.  What is not so obvious is that services
   which are not financial in nature may also be abused in rather costly
   ways.
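   The rest of this section explains that programs such as telnet and
   ftp send the password in the clear and that larger sites counter
   this with one-time password systems.  As an added illustration of
   that precaution (example code, not part of RFC 2504 and not any
   product it mentions), the Python below implements a counter-based
   one-time password in the HMAC-SHA1 form that RFC 4226 later
   standardised as HOTP, together with the server-side check that makes
   a captured password worthless after its first use.  The shared secret
   is the published RFC 4226 test value, and the OtpServer class and its
   look-ahead window are assumptions of this example, not a description
   of any particular product.

```python
import hashlib
import hmac
import struct

# Shared secret: the RFC 4226 test vector value, used here as a
# constructed example only (never reuse a published secret for real).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password: HMAC-SHA1 over the 8-byte
    big-endian counter, then the dynamic truncation of RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Hypothetical server-side login check (an assumption of this
    example).  It remembers the highest counter it has accepted, so a
    password an eavesdropper captured is refused if presented again,
    and it tolerates a small look-ahead in case the client's counter
    ran ahead (e.g. a generated password that never reached the server)."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                self.last_counter = counter  # every counter up to here is spent
                return True
        return False


def demo() -> dict:
    """Legitimate login, a replay of the captured password, then the
    client's next password.  Returns the three outcomes for inspection."""
    server = OtpServer(TEST_SECRET)
    captured = hotp(TEST_SECRET, 0)          # what a network snoop would see
    return {
        "first_login": server.verify(captured),
        "replay": server.verify(captured),   # same value again: refused
        "next_login": server.verify(hotp(TEST_SECRET, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

   The point of the example is the second dictionary entry: the value
   a snoop captures on the wire is exactly the one the server will
   never accept again, which is what makes such a system a defence
   against eavesdropping rather than merely against guessing.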
   You may be held responsible if your account is misused by someone
   else!

   Many network services involve remote log in.  A user is prompted for
   his or her account ID (i.e., user name) and password.  If this
   information is sent through the network without encryption, the
   message can be intercepted and read by others.  This is not really an
   issue when you are logging in to a "dial-in" service where you make a
   connection via telephone and log in, say to an online service
   provider, as telephone lines are more difficult to eavesdrop on than
   Internet communications.

   The risk is there when you are using programs to log in over a
   network.  Many popular programs used to log in to services or to
   transfer files (such as telnet and ftp, respectively) send your user
   name and password, and then your data, over the network without
   encrypting them.

   The precaution commonly taken against password eavesdropping by
   larger institutions, such as corporations, is to use one-time
   password systems.

   Until recently, it has been far too complicated and expensive for
   home systems and small businesses to employ secure log in systems.
   However, an increasing number of products enable this to be done
   without fancy hardware, using cryptographic techniques.  An example
   of such a technique is Secure Shell [SSH], which is both freely and
   commercially available for a variety of platforms.  Many products
   (including SSH-based ones) also allow data to be encrypted before it
   is passed over the network.

Part Two: End-users in a centrally-administered network

   The following rules of thumb provide a summary of the most important
   pieces of advice discussed in Part Two of this document:

   - Know who your security point-of-contact is.

   - Keep passwords secret at all times.

   - Use a password-locked screensaver or log out when you leave your
     desk.

   - Don't let just anyone have physical access to your computer or
     your network.

   - Be aware of what software you run, and be very wary of software of
     unknown origin.  Think hard before you execute downloaded
     software.

   - Do not panic.  Consult your security point-of-contact, if
     possible, before spreading alarm.

   - Report security problems as soon as possible to your security
     point-of-contact.

3. Watch Out!

3.1. The Dangers of Downloading

   An ever-expanding wealth of free software has become available on
   the Internet.  While this exciting development is one of the most
   attractive aspects of using public networks, you should also exercise
   caution.  Some files may be dangerous.  Downloading poses the single
   greatest risk.

   Be careful to store all downloaded files so that you will remember
   their (possibly dubious) origin.  Do not, for example, mistake a
   downloaded program for another program just because they have the
   same name.  This is a common tactic to fool users into activating
   programs they believe to be familiar but which could, in fact, be
   dangerous.

   Programs can use the network without making you aware of it.  One
   thing to keep in mind is that if a computer is connected, any program
   has the capability of using the network, with or without informing
   you.  Say, for example:

      You download a game program from an anonymous FTP server.  This
      appears to be a shoot-em-up game, but unbeknownst to you, it
      transfers all your files, one by one, over the Internet to a
      cracker's machine!

   Many corporate environments explicitly prohibit the downloading and
   running of software from the Internet.

3.2. Don't Get Caught in the Web

   The greatest risk when web browsing is downloading files.  Web
   browsers allow any file to be retrieved from the Internet.  See "The
   Dangers of Downloading".

   Web browsers are downloading files even when it is not entirely
   obvious.  Thus, the risk posed by downloading files may be present
   even if you do not actively go out and retrieve files overtly.
   Any file which you have loaded over the network should be considered
   possibly dangerous (even files in the web browser's cache).  Do not
   execute them by accident, as they may be malicious programs.
   (Remember, programs are files, too.  You may believe you have
   downloaded a text file, when in fact it is a Trojan Horse program,
   script, etc.)

   Web browsers may download and execute programs on your behalf, either
   automatically or after manual intervention.  You may disable these
   features.  If you leave them enabled, be sure that you understand the
   consequences.  You should read the security guide which accompanies
   your web browser as well as the security policy of your company.  You
   should be aware that downloaded programs may be risky to execute on
   your machine.  See "What Program is This, Anyway?".

   Web pages often include forms.  Be aware that, as with Email, data
   sent from a web browser to a web server is not secure.  Several
   mechanisms have been created to prevent this, most notably Secure
   Sockets Layer [SSL].  This facility has been built into many web
   browsers.  It encrypts data sent between the user's web browser and
   the web server so that no one along the way can read it.

   It is possible that a web page will appear to be genuine but is, in
   fact, a forgery.  It is easy to copy the appearance of a genuine web
   page, and it is possible to subvert the network protocols which
   contact the desired web server so as to misdirect a web browser to an
   imposter.

   That threat may be guarded against by using SSL to verify that a web
   page is genuine.  When a "secure" page has been downloaded, the web
   browser's "lock" or "key" icon will indicate so.  It is good to
   double-check this: view the "certificate" associated with the web
   page you have accessed.  Each web browser has a different way to do
   this.  The certificate will list the certificate's owner and who
   issued it.  If these look trustworthy, you are probably OK.
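   As an added example (not part of RFC 2504, and not any browser's
   code), the Python below does in code what the paragraph above asks
   the user to do by eye.  It shows the standard-library ssl context
   setting that keeps certificate verification switched on next to the
   weakened setting that would let an imposter's certificate pass, and
   it reads the owner, issuer, validity period and host names out of a
   certificate in the dictionary layout that ssl.SSLSocket.getpeercert()
   returns.  The certificate itself is a constructed sample using the
   reserved example.com name and a made-up issuer; the function names
   are this example's own.

```python
import ssl
import time

# Constructed sample certificate, in the dictionary layout that
# ssl.SSLSocket.getpeercert() returns.  example.com is the reserved
# example domain; the issuer is made up.  Not a real site's certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 15 00:00:00 2020 GMT",
    "notAfter": "Jan 15 00:00:00 2040 GMT",
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "example.com"),
                       ("DNS", "*.shop.example.com")),
}


def verifying_context() -> ssl.SSLContext:
    """The setting to keep.  Python's default context already does what
    the browser's 'lock' stands for: the chain must verify against the
    trust store (CERT_REQUIRED) and the name must match (check_hostname)."""
    return ssl.create_default_context()


def weak_context() -> ssl.SSLContext:
    """The setting to avoid.  With verification off, an imposter server
    can present any certificate and the connection still 'works'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def name_field(name, key: str) -> str:
    """Pull one attribute (e.g. commonName) out of a getpeercert() name,
    which is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return ""


def summarize(cert: dict) -> dict:
    """What the browser's certificate viewer shows: owner and issuer."""
    return {
        "owner": name_field(cert["subject"], "commonName"),
        "owner_org": name_field(cert["subject"], "organizationName"),
        "issuer": name_field(cert["issuer"], "commonName"),
        "self_signed": cert["subject"] == cert["issuer"],
    }


def hostname_matches(cert: dict, host: str) -> bool:
    """Does the certificate name the host we meant to reach?  Only DNS
    subjectAltName entries count; a leading '*' matches one label."""
    host = host.lower().rstrip(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern.startswith("*."):
            same_depth = host.count(".") == pattern.count(".")
            if same_depth and host.endswith(pattern[1:]):
                return True
        elif pattern == host:
            return True
    return False


def is_valid_at(cert: dict, when: float = None) -> bool:
    """Validity period check using the stdlib's certificate time parser."""
    when = time.time() if when is None else when
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= when <= not_after


def check_page_certificate(cert: dict, host: str) -> dict:
    """Everything the text asks the user to eyeball, in one report."""
    report = summarize(cert)
    report["hostname_ok"] = hostname_matches(cert, host)
    report["in_validity_period"] = is_valid_at(cert)
    report["looks_trustworthy"] = (report["hostname_ok"]
                                   and report["in_validity_period"]
                                   and not report["self_signed"])
    return report
```

   The name check is the piece users most often skip: a certificate can
   be perfectly valid and issued by a well-known authority and still be
   for a different site than the one in the address bar, which is
   exactly the misdirection the text describes.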
3.3. Email Pitfalls

   All the normal concerns that apply to messages you could receive any
   other way also apply to messages received via Email.  For example,
   the sender may not be who he or she claims to be.  If Email security
   software is not used, it is very difficult to determine for sure who
   sent a message.  This means that Email itself is not a suitable way
   to conduct many types of business.  It is very easy to forge an Email
   message to make it appear to have come from anyone.

   Another security issue you should consider when using Email is
   privacy.  Email passes through the Internet from computer to
   computer.  As the message moves between computers, and indeed as it
   sits in a user's mailbox waiting to be read, it is potentially
   visible to others.  For this reason, it is wise to think twice before
   sending confidential or extremely personal information via Email.
   You should never send credit card numbers and other sensitive data
   via unprotected Email.  Please refer to "The Wires Have Ears".

   To cope with this problem, there are privacy programs available, some
   of which are integrated into Email packages.

   One service many Email users like to use is Email forwarding.  This
   should be used very cautiously.  Imagine the following scenario:

      A user has an account with a private Internet Service Provider and
      wishes to receive all her Email there.  She sets it up so that her
      Email at work is forwarded to her private address.  All the Email
      she would receive at work then moves across the Internet until it
      reaches her private account.  All along the way, the Email is
      vulnerable to being read.  A sensitive Email message sent to her
      at work could be read by a network snoop at any of the many stops
      along the way the Email takes.

   Note that Email sent or received at work may not be private.  Check
   with your employer, as employers may (in some instances) legally both
   read your Email and make use of it.  The legal status of Email
   depends on the privacy of information laws in force in each country.
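   This section goes on to warn that attached files are files like any
   other, and that an attachment which is a program or an executable
   script must not be run without extreme caution.  As an added example
   (not the RFC's, and not any mail product's code), the Python below
   parses a constructed message with the standard library's email
   package and triages its attachments the way a cautious mail client or
   mail gateway would: it flags program and script file types, double
   extensions that disguise a program as a text file, and attachments
   whose declared content type contradicts their name.  The message,
   addresses, file names and the suffix list are all made up for the
   example.

```python
import os
from email import message_from_string, policy

# Constructed sample message (addresses and file names made up): a text
# body, a harmless text attachment, a program disguised with a double
# extension, and a script sent with a text content type.
SAMPLE_MESSAGE = """\
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: Your statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please find your statement attached.
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Just notes.
--BOUNDARY
Content-Type: application/octet-stream; name="statement.txt.exe"
Content-Disposition: attachment; filename="statement.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY
Content-Type: text/plain; name="update.vbs"
Content-Disposition: attachment; filename="update.vbs"

MsgBox "hello"
--BOUNDARY--
"""

# File types that run as programs or scripts when opened (illustrative
# list for this example; a real gateway would maintain a fuller one).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                       ".vbs", ".js", ".jar", ".ps1", ".sh"}


def triage_attachments(raw_message: str) -> list:
    """Return one finding per attachment: its name, declared type, the
    reasons (if any) it should not simply be run, and a run_safe flag."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        content_type = part.get_content_type()
        stem, suffix = os.path.splitext(filename.lower())
        hidden_suffix = os.path.splitext(stem)[1]   # "x.txt.exe" -> ".txt"
        reasons = []
        if suffix in EXECUTABLE_SUFFIXES:
            reasons.append("program or script file type %s" % suffix)
        if hidden_suffix:
            reasons.append("double extension: looks like a %s file" % hidden_suffix)
        if content_type.startswith("text/") and suffix in EXECUTABLE_SUFFIXES:
            reasons.append("declared as text but named as a program")
        findings.append({
            "filename": filename,
            "content_type": content_type,
            "reasons": reasons,
            "run_safe": not reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_attachments(SAMPLE_MESSAGE):
        print(finding)
```

   Note that the check never trusts the sender's own description: the
   content type and the file name are both supplied by whoever sent the
   message, so the triage treats a disagreement between them as a
   reason for caution rather than picking one to believe.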
   Many mail programs allow files to be included in Email messages.  The
   files which come by Email are files like any other.  Any way in which
   a file can find its way onto a computer is possibly dangerous.  If
   the attached file is merely a text message, fine.  But it may be more
   than a text message.  If the attached file is itself a program or an
   executable script, extreme caution should be applied before running
   it.  See the section entitled "The Dangers of Downloading".

3.4. Passwords

   Passwords may be easily guessed by an intruder unless precautions are
   taken.  Your password should contain a mixture of numbers, upper and
   lower case letters, and punctuation.  Avoid all real words in any
   language, or combinations of words, license plate numbers, names and
   so on.  The best password is a made-up sequence (e.g., an acronym
   from a phrase