Presentation - Security

Information Security

Security problems


Hackers & Crackers

Information Security

Question: What makes a system insecure?

Answer: Switching it on.

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it." - Gene Spafford of Purdue University

Security problems manifest themselves in four main ways:

  1. Physical Security Holes
  2. Software Security Holes
  3. Incompatible Usage Security Holes
  4. A weak and inconsistent security philosophy

Physical Security Holes.

These can be caused by giving unauthorized persons physical access to the machine, where this might allow them to perform things that they shouldn't be able to do.

Example 1


The SPARC workstation room is has no restrictions as to who may sit down and use one of the machines. If a person can reboot the machine into a single-user mode, they may be able to get direct access to workstation files.


Lock terminal rooms and use something such a key-lock or swipe-card physical security system on the doors. For example, the SGI lab on the Main floor of Math Sciences.

Example 2


A company makes backup tapes of confidential files. Although network permissions are secure, anyone who has access to the backup tapes can view the information they contain.


Physically lock any backup storage so that only a small number of trusted people have access.

Software Security Holes

Most often cause by bugs in security systems. Poorly written items of "privileged" software are the most common bugs.


A user gets access to a intermediate level daemon account. A bug in the system allows them to change their file access to read/write for all files on the system.

Solutions to Software Holes:

Try to structure your system so that as little software as possible runs with high-level privileges. Choose Software that you know to be well-tested and robust. These solutions are not perfect, but will decrease the possibility of software holes.

Incompatible Usage Security Holes

A combination of hardware and software exists which, when used as a system is seriously flawed from a security point of view. It is the incompatibility of trying to do two unconnected but useful things which creates the security hole.


A computer requires a physical security key in the serial port in order for the user to access confidential files. The user has a peripheral that runs at interrupt level X. By coincidence, the software for the security key also runs at interrupt level X, and nullifies the security key's requirement. Solutions for Incompatible Usage Security Holes: It is extremely difficult to find this kind of hole if it exists. The best way to avoid this type of hole is to test security regularly and try to maintain a standard for purchasing hardware and software.

A Weak and Inconsistent security philosophy


The fourth kind of security problem is one of perception and understanding. Perfect software, protected hardware, and compatible components don't work unless you have selected an appropriate security policy and turned on the parts of your system that enforce it.


Security is relative to a set of policies and the operation of a system in conformance with that policy. It is important that system administrators are well aware of policies implemented for security. They must follow them to the letter to ensure a consistent and reliable system of security.


Why are passwords so important?

Because they are the first line of defense against interactive attacks on a system. It can be stated simply: if a cracker cannot interact with your system, and he has no access to read or write the information contained in the password file, then he has almost no avenues of attack left open to break your system.

How should passwords be created?

The only way to get a reasonable amount of variety in your passwords is to make them up.


NEVER use passwords like:

alec7 - based on users name and too short) gillian - girlfriends name (in a name dictionary) nailing - girlfriends name backwards (easily derived from gillian) porche911 - in a dictionary 12345678 - People can watch you type it easily Computer - just because it's capitalized doesn't make it safe merde - in a French dictionary mr.spock - it's in a sci-fi dictionary zeolite - it's in a geological dictionary


ANY password derived from ANY dictionary word (or personal information), constitutes a potentially guessable password.

Examples of less guessable passwords:


- fairly random, no patterns, not found in any dictionary. (Unfortunately, hard to remember)
A good method of maintaining a pseudo-random look to passwords while making them a little easier to remember is to use a combination of short acronyms and/or numbers. You don't want to have to write them down, since that immediately compromises the security of your account.

Good Password example:


Password Security: A Case Study

This case study shows how few passwords are "Hard-to-guess". Remember, a Hacker only needs one valid password to gain a toe-hold on a system

Why you should never use the same password on two systems.

You can never REALLY trust your system administrator. Tomorrow they could be logging into another account of yours because you used the same password. This is doubly important when using everyday BBS's and other connections where you don't know the administrators that well.

One-Time Password Technology

One-time passwords are generated each time you need to get into a system. By using a different password each time, hackers can not make head-way by making repeated guesses on a password. Since it changes each time, the odds never improve for the Hacker as they make more guesses.

There are two ways to generate them:

Generation Method:


Challenge Number Method:

Who tries to break Security Systems?

Answer: Hackers & Crackers

Definitions of Hackers/Crackers:

From a Sys Admin Point of View:


Someone who gets their kicks from breaking into systems. Crackers often have no justification for this, except "because it's possible". Often times, crackers have vandalistic streaks and wreak havoc by deleting files or crashing machines. They are generally considered mischievous and annoying, but of no real threat to sensitive information.


Someone who is a really good Cracker. Hackers have been given grudging respect by the security community simply because they are very good at what they do. They are also considered more dangerous, and often to have motives other than "just having fun".

Definitions of Hackers/Crackers:

From a Hacker/Cracker Point of View:


A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.


An individual who attempts to gain authorized access a computer system. These individuals are often malicious and have many means at their disposal for breaking into a system. The term was coined in 1985 by hackers in defense against journalistic misuse of "hacker".

History of Hackers and Crackers


First teenage males flung off phone system by enraged authorities over fraudulent use.


First Phone Phreaks start a Hacker magazine.


First personal computer bulletin board system created.


Florida probation office crossed with phone-sex line in switching-station stunt.


Marks the start of a series of arrests, by the US Secret Service, in the Hacker/Cracker community that lasts several years. This is commonly known as the "Hacker Crackdown"

Hacker Ethic

Defined by Stephen Levy, author of "Hackers - Heroes of the Computer Revolution"

Hacker/Cracker/Sys Admin Tools

There are a variety of tools out there that can be used by either group:

Examples of Hacker/Security tools

COPS by Dan Farmer (UNIX)

Crack by Alec Muffett

Examples of Hacker/Security tools - Sniffers

Sniffers capture the information going over the network.


[ Next | Home ]


[ Information Security | Passwords | Hackers | Security Tools | Firewalls | Data Encryption | Viruses | Piracy | HOME ]


  1. Potpourri of Security Info - US Navy
  2. Network/Computer Security Technology - Frequently Asked Questions
  3. Frequently Asked Questions (FAQ)
  4. Security FAQs
  5. The New Hacker's Dictionary - Table of Contents
  6. excite NetDirectory: General/Computing/Security_And_Encryption/

Cracking Tools:

Crack v4.1f and UFC are available from: (
In the directory: /usenet/comp.sources.misc/volume28
As: crack/part01.Z to part05.Z ( 5 files )
And ufc-crypt/part01.Z & part02.Z ( 2 files )

A UNIX password cracker for the Thinking Machine CM/2 and CM/200 Connection Machines is available for FTP from

Knock yourself out!