Fair Notice


U.S. case law has set the standard that a computer hacker has to have prior knowledge that his activities are not allowed. When the hacker is not breaking the law, he can contend that he would have no way of knowing that his activities were not acceptable. He will probably be able to produce other environments where the activities are acceptable as a defense. So, it has become a legal imperative that a warning message be posted so that the intruder is aware that he is committing an inappropriate act. These messages should state that the system is the property of the organization, that it is subject to monitoring, that there is no expectation of privacy, and that unauthorized use is prohibited. The exact wording should be determined by your legal department.

Posting Warning Banners

A requirement for successfully prosecuting those unauthorized users who improperly use a government computer is that the computer must have a warning banner displayed at all access points. That banner must warn both authorized and unauthorized users. The Department of Energy's Office of the General Counsel has approved the following banner for Federal Government computer systems:

NOTICE TO USERS

This is a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. [81]

[81] J-043g: Creating Login Banners, CIAC, 9 May 2000.

Any open service needs to have a warning banner. Removing services from the system improves security and eliminates the need to have a warning banner for that service. The details of implementing warning banners for UNIX machines depend on the particular vendor and service. For machines that do not use these methods for displaying banners, consult the man pages for each service to see if there is a banner mechanism available.

Terminal Access

For many recent systems (Sun, Linux), creating the file /etc/issue containing the banner text causes the banner text to be displayed before the console login and before all interactive logins such as telnet, rsh, and rlogin. Linux systems use two such files, /etc/issue for console logins and /etc/issue.net for telnet logins, so be sure to place the banner text in both.

For other systems and for services that do not respond to the /etc/issue file, put the banner text in the file /etc/motd. The contents of this file are displayed by the global /etc/.login and the /etc/profile files, depending on which shell you start (sh or csh), immediately after a successful login. Displaying the /etc/motd file immediately after login is also an option for the Secure Shell daemon, sshd, and is set in the /usr/local/etc/sshd_config file.

FTP Access

Newer versions of the FTP daemon provide for a banner message to be displayed prior to the remote user entering his username and password. This is configured in the /etc/ftpaccess file. The following entry displays the file /etc/ftpbanner to anyone who connects to the ftp daemon:

 banner /etc/ftpbanner 
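An added example (not from the book): a shell audit of the banner files named under Terminal Access and FTP Access, checking each for the four statements the opening section says a warning should make. The match patterns and element names are assumptions; align them with the wording your legal department approves.

```shell
#!/bin/sh
# Added example: audit banner files for ownership, monitoring, privacy and
# unauthorized-use statements. Patterns are assumptions about the wording.

# has_phrase TEXT REGEX -> exit 0 if the case-insensitive ERE matches TEXT.
has_phrase() {
    printf '%s' "$1" | grep -Eiq "$2"
}

# banner_missing FILE -> prints the missing elements, space separated.
# Exit status 0 (and no output) when the banner carries all four statements.
banner_missing() {
    if [ ! -s "$1" ]; then
        echo "file-missing-or-empty"
        return 1
    fi
    # Flatten line breaks so a phrase wrapped across two lines still matches.
    text=$(tr '\n\t' '  ' < "$1" | tr -s ' ')
    missing=""
    has_phrase "$text" 'property of' || missing="$missing ownership"
    has_phrase "$text" 'monitor(ed|ing)' || missing="$missing monitoring"
    has_phrase "$text" 'no ([a-z]+ )*expectation of privacy' || missing="$missing privacy"
    has_phrase "$text" 'authorized use only|unauthorized( or improper)? use' \
        || missing="$missing unauthorized-use"
    missing=${missing# }
    if [ -z "$missing" ]; then return 0; fi
    echo "$missing"
    return 1
}

# audit_banners FILE... -> one report line per file; exit status = failing files.
audit_banners() {
    bad=0
    for f in "$@"; do
        if m=$(banner_missing "$f"); then echo "OK   $f"
        else echo "FAIL $f: $m"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# With file arguments, audit them; with none, audit a constructed weak sample.
if [ "$#" -gt 0 ]; then
    audit_banners "$@"
else
    sample=$(mktemp)
    printf 'Welcome to host1.\nAuthorized use only.\n' > "$sample"   # constructed
    audit_banners "$sample" || true
    rm -f "$sample"
fi
```

Run it as `sh audit.sh /etc/issue /etc/issue.net /etc/motd /etc/ftpbanner` (the script name is arbitrary); a file that is absent or empty is reported as a failure, which catches a service whose banner was never installed.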

Web Access

Add a JavaScript program to your home page that is executed whenever the page is loaded. No matter which initial banner you use, each page should contain a button in the header or footer labeled "Notice To Users" that takes the user to a page that displays the banner or that runs the JavaScript banner.

The following JavaScript program is run whenever the page containing it is loaded and displays the banner in a dialog box with an OK button. To add it to a web page, copy everything between the two SCRIPT tags, including the tags, into the HEAD of the web page. To make it run whenever the page is loaded, add the onLoad="do_banner()" attribute to the BODY tag. Note that if the users have JavaScript turned off for their browser, this JavaScript banner will not be displayed.

    <HTML>
    <HEAD>
    <TITLE>Home Page</TITLE>
    <SCRIPT LANGUAGE="JavaScript">
    // Opens a separate window that shows the banner with an OK button to close it.
    function do_banner() {
      var msg = "<HTML><HEAD><TITLE>NOTICE TO USERS</TITLE></HEAD>\n"+
        "<BODY BGCOLOR=white><FONT FACE='Times' SIZE=2>\n"+
        "<CENTER>NOTICE TO USERS</CENTER>\n"+
        "THE HTML FOR THE TEXT OF THE BANNER GOES HERE "+
        "<CENTER>\n"+
        "<FORM>\n"+
        "<INPUT TYPE=button VALUE='OK' onClick=window.close()>\n"+
        "</FORM>\n"+
        "</CENTER>"+
        "</FONT></BODY></HTML>";
      var win1 = window.open("", "messageWindow",
        "toolbar=no,scrollbars=yes,width=600,height=500");
      // window.open returns null when the browser blocks the new window.
      if (win1) {
        win1.document.write(msg);
        win1.document.close();
      }
    }
    </SCRIPT>
    </HEAD>
    <!--The following line starts the body of the web page and runs
    the JavaScript banner program whenever the page is loaded. -->
    <BODY onLoad="do_banner()">
     .
     . <!-- body of the home page -->
     .
    </BODY>
    </HTML>


Halting the Hacker. A Practical Guide to Computer Security
Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
