General Security Information

Duke Security Office

The Duke security office maintains many important security documents including Duke data classifications and standards. For more information visit them at security.duke.edu.

Directory/file permissions
Account Sharing
Reporting suspicious activity

Our system is set up to share files in certain circumstances; we have several temporary spaces and project directories for this purpose. No one should use another user's directory to store files, or log in as another user.

Users should always report suspicious activity. If, when you log in, the system says that you last logged on from AOL and you do not have an AOL account, please contact the Lab Staff. Likewise, if things in your account seem different, or you find strange files in your directories, please contact us. If you have any suspicion that your account has been altered, please contact the Lab Staff.

Untrusted network

If you have a personally-managed computer on the department's untrusted network, please take the time to shut off ALL unneeded services. These include telnet, rlogin, FTP, syslog, NFS, etc. The only services you should run are ones you have a need for, such as web servers or ssh. If you are unsure of what services are running or how to shut them off, please contact the Lab Staff for more information. One thing is certain: hackers will know what you have running, and will find ways to exploit it! In the past, several untrusted machines, and at least one trusted departmental server, were broken into this way.
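One way to see what is listening on your own machine, as an added example that is not part of the original page: the script below parses `ss -tuln` output and flags the services named above by their well-known ports. It assumes a Linux host with the iproute2 `ss` command; the script name audit_listeners.py and the sample output are constructed for illustration.

```python
import sys

# Well-known ports of the services the page says to shut off (plus rsh).
RISKY = {("tcp", 21): "FTP", ("tcp", 23): "telnet", ("tcp", 513): "rlogin",
         ("tcp", 514): "rsh", ("udp", 514): "syslog",
         ("tcp", 2049): "NFS", ("udp", 2049): "NFS"}

# Constructed sample of `ss -tuln` output, so the script runs offline.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      64                 *:2049             *:*
tcp   LISTEN 0      32         127.0.0.1:21         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

def parse_ss(text):
    """Yield (proto, address, port) for each socket line of `ss -tuln` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or a line we do not understand
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr.split("%")[0], int(port)  # drop "%iface"

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")

def audit(text):
    """Return (flagged, review): risky services found, and every other listener."""
    flagged, review = [], []
    for proto, addr, port in parse_ss(text):
        scope = "loopback" if is_loopback(addr) else "network"
        name = RISKY.get((proto, port))
        if name:
            flagged.append((name, proto, port, scope))
        else:
            review.append((proto, port, scope))
    return sorted(set(flagged)), sorted(set(review))

if __name__ == "__main__":
    # Usage on a real host: ss -tuln | python3 audit_listeners.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    flagged, review = audit(text)
    for name, proto, port, scope in flagged:
        print(f"flagged  {name:7} {proto}/{port} ({scope})")
    for proto, port, scope in review:
        print(f"review   {proto}/{port} ({scope}): keep only if needed")
```

A "network" scope means the socket is bound to a non-loopback address and is reachable by other hosts; the "review" lines are everything else that is listening and should stay only if you have a need for it.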

Rhosts files
Rsh/telnet/rlogin

Even though ~/.rhosts files do provide entry without using a password, and therefore prevent malefactors from sniffing passwords, they also create unintended entry points into our system.

Telnet, while a standard and well-known utility, does not fit into today's computer environment; it is a tool whose time has passed. Telnet does not protect against hackers who use network monitoring tools to sniff passwords as users connect to various machines. Also, telnet does not provide protection against session hijacking, which is a less common occurrence, but is still possible. Instead of telnet, it is strongly recommended that you use ssh for connections to remote machines.

Passwords

Passwords may be one of the most overlooked keys to UNIX security. Most systems are compromised from within, using accounts that have been cracked. This runs contrary to the common assertion of users that "I have nothing important in my account, so it's not a big deal if someone breaks into it." This attitude compromises the security of the entire network! That is why it is very important to have secure passwords and to change those passwords often. Changing them after a trip where you logged into the CS system remotely is especially encouraged.

Easily-guessed passwords include the following:

  • Dictionary words (of any kind: foreign, movie, Latin, obscure, high-tech...)
    Many hackers use collections of foreign dictionaries, movie dictionaries and high-tech dictionaries in an attempt to guess passwords. Any word that might possibly be found in any dictionary is unsuitable.

  • Items of personal information
    It is often very easy to guess a password based on the user's personal information, since much personal information is often available on the web. Such information includes names, departments, birthdays, anniversaries, pet names, mother's maiden names, social security numbers, driver's licenses, etc. Therefore, these types of passwords are unsuitable.

More secure passwords are those that include random strings, two words joined with selective replacement of key letters by punctuation, and lyrics or verse joined in interesting ways. For example:

	   random:		b4j/C5(* 
	   two words:	  	To@)fR0(    (toad frog)
	   lyrics or verse:  	AtW*$@w*    (All the world's a stage..) 
  

Do not use any of these examples; please come up with your own.

By choosing difficult passwords, you help to ensure that in the event that our encrypted password file does get out, it is very unlikely that this will help the hacker. This helps to maintain our high level of security, resulting in protection for the department at large.

If you have any questions please contact the Lab Staff.