Glossary Security Glossary You will encounter many of the acronyms, terms, and names listed in this glossary as you study or implement Internet security. Glossary 802.2 An Ethernet frame format as well as a standard. Learn more here: http://www.optimized.com/COMPENDI/EN-FrF83.htm. 802.3 SNAP An Ethernet frame format. Learn more here: http://www.optimized.com/COMPENDI/EN-FrFSn.htm. 10BASE-2 Coaxial (thinwire) Ethernet that, by default, transports data to distances of 600 feet. 10BASE-5 Coaxial (thickwire) Ethernet that, by default, transports data to distances of 1,500 feet. 10BASE-T Twisted pair Ethernet that, by default, transports data to distances of 600 feet. 100BASE-T Twisted pair fast Ethernet that transmits data at 100Mbps. abuse of privilege A violation of computer network policy or improper network access exceeding a user's authorization. access control Any means, device, or technique that allows an administrator to selectively grant or deny users access to a given resource, whether that resource is a file, directory, subnet, network, or server. Access Control List (ACL) A list that stores information on users and what resources they are allowed to access. Active Server Pages (ASP) A Microsoft technology for server-side programming for Web sites. Not to be confused with Application Server Providers. ActiveX A Microsoft technology that allows executable code to be downloaded to Web browsers and executed on the client. ActiveX has a weak security model and is a potentially very dangerous security hole. adaptive pulse code modulation Methods of encoding voice into digital format over communication lines. Address Resolution Protocol (ARP) Maps IP addresses to physical addresses. administrator In the general sense, a human being charged with controlling a network. In the more specific sense, the all-powerful, supervisory account in Windows NT. Whoever has Administrator privileges in Windows NT controls their network, workgroup, or domain. Advanced Encryption Standard (AES) The new standard for data encryption for the U.S. government. AES was selected at the end of 2000 and should be deployed by 2003. See also Data Encryption Standard, which AE will be replacing. anlpasswd A proactive password checker similar to passwd+. You can obtain it at ftp://coast.cs.purdue.edu/pub/tools/unix/anlpasswd/. anonymous email Email that is untraceable because path headers have been removed. anonymous remailer A machine that removes path headers from email messages, thus making the email sender anonymous. To try one out, go to http://www.replay.com. ANSI C A specification of the C programming language set forth by the American National Standards Institute. applet A small program for use within a Web browser environment. Written in the Java programming language, which was developed by Sun Microsystems. Applets generally enhance your surfing experience with graphics, animation, and enhanced text. They are significant from the security viewpoint because Java can flow through a firewall unfettered, unless precautions are taken to prevent it. However, by default, applets run in a security sandbox intended to prevent dangerous access. AppleTalk Apple Computer's networking suite that supports Ethernet and Token Ring. AppleTalk Address Resolution Protocol Apple's version of ARP; this protocol maps IP addresses to physical addresses. AppleTalk Data Stream Protocol (ADSP) Peer-to-peer streamed communication protocol for use in transporting large amounts of data over a network. (This is integrated into OpenTransport.) AppleTalk Echo Protocol (AEP) Apple's version of the Echo protocol; used to test the network by having a remote server echo packets you send. AppleTalk Remote Access Protocol (ARAP) Enabling this protocol turns your Macintosh server into a remote access server, allowing others to access your network from remote locations. application gateways (firewalls) These are firewall devices that disallow direct communication between the outside world and an internal network strung to the Internet. Information flows in and out using a series of proxies that filter that information along the way. Think of these as the lawyers of Internet security. The gateway speaks for both ends, without allowing direct access between them. Application Service Providers Companies that provide services, such as payroll services, across the Internet. Using these services requires secure connections and quite a bit of trust. appz Slang term. See warez which means the same thing. Ascend Inverse Multiplexing (AIM) Proprietary protocol created by Ascend Communications (router manufacturer) for managing multiplexers. To learn more, go to http://www.lucent.com/ins. Asymmetric Digital Subscriber Line (ADSL) A high-speed, digital telephone technology that allows you to connect to the Internet at blazing speeds. ADSL is incredibly fast when you are downloading data (up to nearly 6Mbps). However, when uploading data, you are confined to as low as 64kbps. The distance from the phone company central office limits maximum speed. asynchronous PPP Run-of-the-mill PPP; the kind generally used by PPP dial-up customers. Asynchronous Transfer Mode (ATM) An ATM network is one type of network that can transfer information in standard blocks at high speed. (These are not to be confused with Automatic Teller Networks.) attribute The state of a given resource (whether file or directory), and whether that resource is readable, hidden, system, or other. (This is a term primarily used in reference to files on Microsoft-based file systems.) This can also refer to the state of objects in JavaScript and even HTML. audit Any review, independent or in-house, of existing security policies and procedures. Audits help system administrators and security personnel identify key strong and weak points in a given network's overall state of security. Audits are typically performed according to a very rigid, well-developed, predetermined plan of attack that is designed specifically for the target system. audit trail Logs, written documents, and other records that demonstrate the activity and use of a particular system. Audit trails are of chief importance when conducting an investigation. Without at least a minimal audit trail, a system administrator has almost no hope of catching crackers. An audit trail, in simple terms, is possibly evidence. AUP Acceptable Use Policy. Originally established by the National Science Foundation, AUP once forbade use of the Internet for commercial purposes. Today, AUP refers to rules a user must adhere to when using a network's services. authenticate Verifying a particular user's or host's identity. authentication The process of authenticating either a user or host. Such authentication can be simple and applied at the application level (demanding a password), or can be complex (as in challenge-response dialogs between machines, which generally rely on algorithms or encryption at a discrete level of the system). Authentication Server Protocol A TCP-based authentication service that can verify a user's identity. For more information, see RFC 931. Automated Information System (AIS) Any system (composed of hardware and software) that allows the maintenance, storage, and processing of information. back door A hidden program, left behind by an intruder a disgruntled employee, that allows him future access to a victim host. This term is synonymous with the more antiquated term trap door. back up To preserve a file system or files, usually for disaster recovery. Generally, backup is done on tape, floppy disk, or other, portable media that can be safely stored for later use. bastion host A server that is hardened against attack and can therefore be used outside the firewall as your "face to the world." These are often sacrificial. Bell-La Padula Model A system that utilizes access controls based on user need-to-know and data-sensitivity formulas. (For example, fewer users access sensitive data, and the procedures and mechanisms that protect that data are more stringent, as are the methods of access control and authentication associated with them.) biometric access controls Systems that authenticate users by physical characteristics, such as their face, fingerprints, retinal pattern, or voice. buffer overflow A type of attack which causes a program to overrun the end of a data storage area. The result is that the attacker can overwrite part of the program and get it to execute his code. This is primarily a problem with software written in C and C++. Other languages such as a Java are immune to it. bug A hole or weakness in a computer program. See also vulnerability. call back Call back systems implement security in a rather interesting way: A host connects to the server, and a brief exchange is had, after which the connection is cut. The server then calls the requesting host. This way, the server ensures that the connection was initiated from a trusted host. Cast-128 An encryption algorithm that uses extremely large keys and can be incorporated into cryptographic applications. (You can learn more by obtaining RFC 2144.) CERT The Computer Emergency Response Team. CERT is a security organization, and its purpose is to assist computer networks that have been brought under attack by malicious users of crackers. They can be reached at http://www.cert.org. certificate authority Trusted third-party clearinghouse that is known to be reliable and secure. These clearinghouses issue security certificates and ensure their authenticity. Probably the most renowned commercial certificate authority is VeriSign, which issues certificates for Microsoft-compatible ActiveX components, among other things. certification There are two common definitions for this term. First, certification can refer to the result of a successful evaluation of any security product or system (certification of any product on the National Security Agency's Evaluated Products List, for example.) In this context, a product has been certified at a particular level of assurance. Still another definition is this: certification of a human being known to have successfully completed courses (and other training) that qualifies her in a particular field (such as certification as a Novell Network Engineer). See also NSA. CGI-based attack An attack that exploits vulnerabilities in Common Gateway Interface programs, usually via a World Wide Web site. Challenge Handshake Authentication Protocol (CHAP) Protocol that challenges users to verify their identity. The user is authenticated if the challenge is met with the right response. If not, the user is denied access to the requested resource. (This protocol is commonly used when establishing PPP sessions.)See RFC 1344 for further information. checksum A cryptographic value that constitutes a file's digital fingerprint. Virus scanners and audit tools use checksums to detect changes made to files (the former to check for virus attachment and the latter to check for Trojan horses). chroot A restricted environment in which processes run with limited access to the disk; the technique (and command) used to create such an environment (UNIX). Common Gateway Interface (CGI) Refers to a programming style and standard used to provide programmatic functionality to Web sites. Search engines are generally built to CGI specifications. (CGI standards are not platform specific and provide a generalized standard for any type of Web-based programming.) Perl is today's most popular language used for CGI programming. However, CGI programs can also be written C, C++, Python, Visual Basic, BASIC, and several shell languages. COPS Computer Oracle and Password System. A system-based tool that will scan your local host for common configuration problems and security vulnerabilities. Developed by Gene Spafford and Dan Farmer. copy access User privileges to copy a particular file. crack This can be either a noun or a verb. As a noun, crack refers to software (or any technique) used to circumvent security, including the very famous password-cracking utility Crack. As a verb, it means to breach system security or break the registration scheme on commercial software. cracker Someone who, with malicious intent, unlawfully breaches the security of computer systems; someone who breaks registration schemes on commercial software. crash The sudden failure of a system, requiring a reboot. cyberwar Active information warfare conducted over the Internet. DAC Discretionary Access Control. A system by which a central authority on a computer system or network can either permit or deny access to users, and do so incisively, based on time, date, file, directory, or machine. data-driven attack An attack that relies upon hidden or encapsulated data, which can be designed to flow through a firewall undetected. (Java and JavaScript can be used for such attacks.) Data Encryption Standard (DES) Encryption standard by IBM, developed in 1974 and published in 1977. Currently, DES is the U.S. government standard tool for encrypting non-classified data. See also Advanced Encryption Standard. data integrity (file integrity) The state of files. If files are unchanged and have not been tampered with, they have integrity. If they have been tampered with, data integrity has been breached or degraded. DDoS Distributed Denial of Service. A denial of service attack, which, instead of coming from a single source, comes from a large number of hosts. digest access authentication A security extension for Hypertext Transfer Protocol that provides only basic (and not encrypted) user authentication over the Web. To learn more, see RFC 2069. digital certificate Any digital value used in an authentication procedure. Digital certificates are typically numeric values, derived from cryptographic processes. (There are many values that can used as the basis of a digital certificate, including but not limited to biometric values, such as retinal scans.) See also biometric access controls. DNS spoofing A technique through which the attacker compromises a Domain Name Service server. This can be done either by corrupting the DNS cache or by man-in-the-middle attacks (in which your machine impersonates the legitimate DNS server). DoD Department of Defense. DoS Denial of service. A condition that results when a user maliciously renders an Internet information server inoperable, thereby denying computer service to legitimate users. dual-homed gateway Configuration or machine that supports two or more disparate protocols or means of network transport, and provides packet screening between them. EFT Electronic Funds Transfer. encryption The process of scrambling data so it is unreadable by unauthorized parties. In most encryption schemes, you must have a password to reassemble the data into readable form. Encryption is primarily used to enhance privacy or to protect classified, secret, or top secret information. (For example, many military and satellite transmissions are encrypted to prevent spies or hostile nations from analyzing them.) Ethernet spoofing Any procedure that involves assuming another host's Ethernet address to gain unauthorized access to the target. firewall Loosely, any device or technique that refuses unauthorized users access to a particular host. Minimally, a device that examines each packet and determines its source address. If that address is on an approved list, the packets gain entry. If not, they are rejected. Flood, Floods, or Flooder Tool or tools that overflow the connection queue of a TCP/IP enabled system, thereby causing denial of service. Fragmentation The process of breaking up a large packet into small pieces to send it across a network that can only handle small packets. Often used in attacks against systems. Frame relay A technology that allows networks to transfer information in bursts. This is a cost-effective way of transferring data over networks because user only pay for the resources they use. (Unfortunately, users might also be sharing the frame relay connection with someone else. Standard frame relay connections run at 56kbps.) FTP security extensions Extensions to the File Transfer Protocol that provide authentication, integrity, and confidentiality checking for FTP-based sessions. See RFC 2228. gigabit 1,000,000,000 bits, or 1024 Megabits, depending on who is using the term. granularity The degree to which one can incisively apply access controls. The more incisively a system allows controls to be set, the more granularity that system has. hacker Someone interested in operating systems, software, security, and the Internet generally. Also a programmer; an individual who codes for a living. hacking Any activity performed by a hacker. hijacking Seizing control of another user's session. Such attacks are rare occurrences, and when a hijacking happens, it indicates that the target's security has been breached. HTPASSWD A system used to password-protect sites on the World Wide Web (UNIX). Also known as basic authentication. Hypertext Transfer Protocol (HTTP) The protocol used to traffic hypertext across the Internet, and the WWW's underlying protocol. Identification Protocol (IDENT) A TCP-based protocol for use in identifying users. This is a more advanced and updated version of the Authentication Protocol. You can find out more by obtaining RFC 1413. information warfare The practice of or field of attacking another's information; a term often used in military or intelligence circles to describe the destruction, degradation, or disintegration of another's information infrastructure. International Data Encryption Algorithm (IDEA) A powerful a block-cipher algorithm encryption system that operates with a 128-bit key by default. IDEA encrypts data faster than DES and is far more secure. Internet Engineering Task Force (IETF) The standardization body for the Internet. The IETF's Web site is http://www.ietf.org/. Internet Protocol Security Option IP security option used to protect IP datagrams according to U.S. classifications, whether unclassified, classified secret, or top secret. See RFC 1038 and RFC 1108. Internet Relay Chat (IRC) A popular chat facility on the Internet. Internet worm Also called the Morris Worm; a program that attacked the Internet in November 1988. To get a good overview of this attack, check out RFC 1135. intrusion detection The practice of deploying automated procedures and applications to detect intrusion attempts. Intrusion detection typically involves the use of intelligent systems or agents. IP Internet Protocol. IPSec An encrypted form of IP. It is currently not widely deployed but might be in a few years. IP spoofing Any procedure by which an attacker assumes another host's IP address to gain unauthorized access to the target. ISO International Standards Organization. jack in The act of breaching the security of an Internet information server; slang term used by crackers. Java A network programming language, created by Sun Microsystems, that marginally resembles C++. It is object oriented and exploits the networking support built in to the Internet. It can be used to generate graphics applications, multimedia applications, and even standalone, windowed programs. However, Java is most well known for its cross-platform capabilities. Java has some security issues of its own. JavaScript Programming language used in Netscape and Internet Explorer environments. JavaScript was created by Netscape Communication Corporation and has support for most programmatic functions. (It is also used to generate Web pages with increased functionality, and is the cornerstone of Dynamic HTML, a new form of creating Web pages that supports many multimedia features.) It has had many security problems. JScript Microsoft's version of JavaScript. However, it is mostly compatible with JavaScript. Kerberos Encryption and authentication system developed at the Massachusetts Institute of Technology. It is used in many network applications, and works on a system of tickets and trusted third-party servers for authentication. Kerberos Network Authentication Service Third-party, ticket-based authentication scheme that can be (and has been) easily integrated into network applications. See RFC 1510 for more information. keystroke capture The act of using a Keystroke Recorder. Keystroke Recorder A program that surreptitiously captures keystrokes typed by an unsuspecting victim. These tools are used to steal someone's username and password. logic bomb Any program or code generally malicious that causes a system to lock up or fail. Maximum Transmission Unit (MTU) A user-definable parameter that denotes the largest packet that can be transmitted. Many people adjust this value and often get better performance by either increasing or decreasing its size. MD4 A message digest algorithm used to check the integrity of files. Examine the original specification in RFC 1186. MD5 A message digest algorithm used to check the integrity of files. Examine the original specification in RFC 1321. NASIRC NASA Automated Systems Incident Response Capability. An incident-tracking and response body for the U.S. government. NASIRC is located at http://www-nasirc.nasa.gov/nasa/index.html. NCSC National Computer Security Center, which is located at http://www.radium.ncsc.mil/. NetBEUI A version of NetBIOS that runs on top of TCP/IP. NetBIOS The protocol used by Windows to share files. netstat UNIX command (also available in Windows) that shows the current TCP/IP connections and their source addresses. npasswd A proactive password checker for UNIX that screens potential passwords before they are committed to the password file. You can obtain it here: ftp://ftp.cc.utexas.edu/pub/npasswd/. NSA National Security Agency. The National Security Agency/Central Security Service is responsible for protecting classified and unclassified national security systems against exploitation through interception, unauthorized access, or related technical intelligence threats. Find them here: http://www.nsa.org. one-time password A password generated on-the-fly during a challenge/response exchange. Such passwords are generated using a predefined algorithm, but, because they are good for the current session only, they are extremely secure. owner The person (or process) with privileges to read, write, or otherwise access a given file, directory, or process. The system administrator assigns ownership. However, ownership can also be assigned automatically by the operating system in certain instances. password shadowing A technique used to prevent crackers from capturing and cracking encrypted passwords previously stored in the /etc/passwd file. In shadowing, the encrypted password is hidden elsewhere on the drive. In the /etc/passwd file, this password is abstractly represented by a token, usually a single character. penetration testing The process of attacking a host from outside to ascertain remote security vulnerabilities. Perl Practical Extraction and Report Language. A programming language commonly used in network programming and CGI programming. Perl has features that make it exceptionally suitable for system administration tasks on the UNIX platform. Its key characteristic is its capability to convert mountains of data (such as log files) into easily readable and understandable information. (Perl also has powerful networking support and is an excellent choice if you are contemplating socket programming.) phreaking The process of manipulating the telephone system, usually unlawfully. Point-to-Point Protocol (PPP) A communication protocol used between machines that support serial interfaces, such as modems. PPP is commonly use to provide and access dial-up services to Internet service providers. Point-to-Point Tunneling Protocol (PPTP) A specialized form of PPP. This protocol's unique design makes it possible to encapsulate, or wrap, non-TCP/IP protocols within PPP. PPTP allows two or more LANs to connect using the Internet as a conduit. (PPTP is a great stride ahead of PPP because expensive, leased lines were used in the past to perform this task, which was cost-prohibitive in many instances.) PPP Authentication Protocols A set of protocols used to enhance security of Point-to-Point Protocol, supported at both the router and host levels. See RFC 1334 for more information. PPP DES A protocol that applies standard Data Encryption Standard protection to Point-to- Point links. (This is one method of hardening PPP traffic against sniffing.) To learn more, see RFC 1969. Pretty Good Privacy (PGP) An encrypted email program and message format created by Phil Zimmerman. proxy A type of firewall that has clients talk to the proxy server. Then the proxy server forwards the request to the Internet. This way, the client machine and the Internet do not talk directly, reducing the possibility of security problems. read access User privileges to read a particular file. Reverse Address Protocol (RARP) A protocol that maps Ethernet addresses to IP addresses. RFC Request for Comment. Request for Comments documents (RFCs) are working notes and standards of the Internet development community. They are often used to propose new standards. RFCs are generated by the Internet Engineering Task Force. A huge depository of RFC documents can be found here: http://rs.internic.net. risk management The field of ascertaining security risks, designing solutions, and implementing those solutions, based on a formula of need versus cost. RSA A public-key encryption algorithm named after its creators, Rivest, Shamir, and Adelman. RSA is probably the most popular of such algorithms and has been incorporated into many commercial applications, including but not limited to Netscape Navigator, Communicator, and even Lotus Notes. Find out more about RSA at http://www.rsa.com. router A device that routes packets into and out of a network. Many routers are sophisticated and can serve as firewalls. SATAN Security Administrator's Tool for Analyzing Networks. A TCP/IP port scanner that checks remote hosts for common misconfiguration problems and security vulnerabilities. An updated version known as saint is available at http://www.wwdsi.com/saint. scanner Any utility that probes remote hosts, looking for weaknesses in their security. Secure Socket Layer (SSL) A security protocol (created by Netscape Communications Corporation) that allows client/server applications to communicate free of eavesdropping, tampering, or message forgery. SSL is now used for secure electronic commerce. To find out more, see http://home.netscape.com/eng/ssl3/draft302.txt. security audit An examination (often by third parties) of a server's security controls and disaster recovery mechanisms. SET Secured Electronic Transaction. A standard of secure protocols associated with online commerce and credit-card transactions. (VISA and MasterCard are the chief players in development of the SET protocol.) Its purpose is ostensibly to make electronic commerce more secure. shadowing See password shadowing sharing The process of allowing users on other machines to access files and directories on your own. File sharing is a fairly typical activity within LANs, and can sometimes be a security risk. shell In general, a command interpreter or any program that takes standard input and relays those commands to the system. More specifically, either one of the shells in UNIX (csh, bash, sh, ash, ksh, tcsh, or zsh); COMMAND.COM in DOS; or CMD.EXE in Windows NT. shell scripts Small programs written in shell languages that operate much like batch files. They are composed of various regular expression operations, pipes, redirects, system calls, and so forth. Site Security Handbook An excellent document that discusses basic security measures for maintaining a site. Every system administrator should have a copy. You can obtain it from RFC 2196. S/Key One-time password system to secure connections. In S/Key, passwords are never sent over the network and therefore cannot be sniffed. See RFC 1760 for more information. smart cards Small, plastic cards that house tiny microprocessors that can store data. They closely resemble credit cards, however, smart cards are more advanced than standard credit cards. Smart cards are very popular in Europe but haven't yet caught on here in the United States. sniffer Program that surreptitiously captures datagrams across a network. A sniffer can be used legitimately (by an engineer trying to diagnose network problems) or illegitimately (by a cracker looking to steal usernames and passwords). sniffing The practice of using a sniffer. SNMP Security Protocols Simple Network Management Protocol is used for remote management and protection of networks and hosts. There are a series of security-related protocols within the SNMP suite. You can find out about them by obtaining RFC 1352. social engineering The practice of tricking unwary system personnel into revealing passwords or other information about their network. SOCKS Protocol A protocol that provides unsecured firewall traversal for TCP-based services. SP3 Network Layer Security Protocol. SP4 Transport Layer Security Protocol. spoofing Any procedure that involves impersonating another user or host to gain unauthorized access to the target. Telnet Authentication Option Protocol options for Telnet that add basic security to Telnet-based connections based on rules at the source routing level. See RFC 1409 for details. TEMPEST Transient Electromagnetic Pulse Surveillance Technology. The practice and study of capturing or eavesdropping on electromagnetic signals that emanate from any device in this case, a computer. TEMPEST shielding is any computer security system designed to defeat such eavesdropping. time bomb Any program that waits for a specified time or event to disable a machine or otherwise cause that machine or system to fail. See also logic bomb. TCPDUMP A utility for UNIX that captures packets. (This is a packet sniffer of sorts and is often used to obtain very detailed logs of network traffic.) The software can be found at http://www.tcpdump.org/. Traceroute A TCP/IP program that traces the route between your machine and a remote host. traffic analysis The study of patterns in communication, rather than the content of the communication. For example, studying when, where, and to whom particular messages are being sent, without actually studying the content of those messages. Traffic analysis can be revealing, primarily in determining relationships between individuals and hosts. trap door See back door Trojan (Trojan horse) An application or code that, unbeknownst to the user, performs surreptitious and unauthorized tasks. Those tasks can compromise system security. trusted system An operating system or other system secure enough for use in environments where classified information is warehoused. tunneling The practice of employing encryption in data communication between two points, thus shielding that data from others who might be sniffing the wire. Tunneling procedures encrypt data within packets, making it extremely difficult for outsiders to access such data. UDP User Datagram Protocol. A connectionless protocol from the TCP/IP family. (Connectionless protocols transmit data between two hosts, even though those hosts do not currently have an active session. Such protocols are considered unreliable because there is no absolute guarantee that the data will arrive as intended.) UID See user ID user Anyone who uses a computer system or system resources. user ID In general, any value by which a user is identified, including his username. More specifically, and in relation to UNIX and other multiuser environments, any process ID usually a numeric value that identifies the owner of a particular process. See also owner and user. Virtual Private Network (VPN) VPN technology allows companies with unsecured connections to form a closed and secure circuit between themselves over the Internet. In this way, such companies ensure that data passed between them and their counterparts is secure (and usually encrypted). virus Self-replicating or propagating program (sometimes malicious) that attaches itself to other executables, drivers, or document templates, thus infecting the target host or file. vulnerability This term refers to any weakness in any system (either hardware or software) that allows intruders to gain unauthorized access or deny service. Also called a hole. WAN Wide Area Network. warez Stolen or pirated software, often traded on the Usenet network. worm A computer program (not necessarily malicious) that replicates, spreading itself from host to host over the network. Worms sometimes consume significant network resources and are therefore possible tools in denial of service attacks. write access User privileges to write to a particular file. | 