Warfighter Guide to Intelligence 2000
SECURE WEB PAGES
Chapter 2
SECURE WEB PAGES
HTML
Hyper Text Mark up Language
WEB PAGE BASICS
The adventure begins
HTML Stuff You Need to Know
BACKGROUNDS AND COLORS:
HEADINGS:
TEXT:
IMAGES:
LINES:
LISTS:
LINKS:
COULD THERE BE MORE!
Out of the HTML domain
PROVIDE YOURSELF WITH DIRECTION
Well constructed Web pages
Design Sketch Reveals Directory/File Structure
Lets talk SECURITY
HTML EXAMPLES
SECTION HOME PAGE
Publication Web Page
PROTECT YOUR UNIX FILES
PERMISSION COMMAND
CHMOD SYNTAX
MODES
CHMOD/FCHMOD SYNTAX
CHMOD/FCHMOD RETURN VALUES
GETMODE/SETMODE DESCRIPTION
SECURITY ON THE INTERNET
Classic Hacking Methods:
The Password:
The Brute force Attack:
Crypt and Compare:
Data Interception:
Ethernet Sniffing:
Keystroke Logging:
X-Windows Monitoring:
Modified Utilities:
Most Commonly modified UNIX utilities:
SECURE WEB PAGES
"Although you might think that building Web pages requires years of training and advanced aesthetic capabilities, we hasten to point out that this just ain’t so." HTML FOR DUMMIES Ed Tittel & Steve James
With current reliance on web-based technology, it may be necessary for intelligence professionals to know how to build and secure web pages. In reality there is no great mystery in how to develop secure Web pages. Truthfully only three things are necessary: something to say, a way to convert it to HTML, and somewhere to put it. The first requirement is fulfilled by your need to disseminate a large variety of data in support of your unit’s mission. This chapter will directly address the second requirement, a way to convert your products to HTML. The last will depend upon your unit’s access to the wide array of intra/internet support architectures in place today. This chapter will guide you through the basics of the development and maintenance of secure Web Pages.
HTML
The language used by "Web Masters" all around the world is HyperText Markup Language, known as HTML. Hundreds of programs claim to simplify the procedure of converting text into HTML. Most attempt to make it a WYSIWYG (What You See Is What You Get) desktop-publishing affair. No matter how well these programs progress, it is important that one understand how HTML works. The good news is that understanding HTML is easy; the bad news is that development of good web pages using HTML can be extremely tedious. It all boils down to writing the page in plain text, adding formatting tags, inserting instructions on how to place images, and embedding links to other pages. The quickest way to become familiar with how HTML operates is to create a simple page from scratch using a text editor, load it into your browser as a local file (to see how it would look on the web), modify the original file, and use Refresh on your browser to see the changes.
WEB PAGE BASICS
Let’s begin the process:
Open your text editor (on a PC use a word processor that can save as ASCII)
Type the following:
Save this document as Yourname and add ".html"
Open your web browser (for this example I will use NETSCAPE)
Select "File" from the pull down menu bar
Select "Open Page" from the pull down menu
Type in the local file name "Yourname.html"
Select "Open in Navigator"
This should show you what this HTML page looks like.
Modify several of the entries and reload the page in your web browser to see the effects. Once you are comfortable with the logic of what the mark-up language can do, you can learn a lot by looking at other Web pages. With your browser, look for a page that you like. With the page in view select "View Source" from the browser pull down menu options. Now you can cut and paste the sections of the page that you like directly into one of your own. If you like a lot of the page, you can save the entire page as a file and view it in a text editor or word processor. When you view the file in this way, it will show you all of the HTML tags. A brief explanation of the term tags is necessary. Commands enclosed between less-than and greater-than symbols, like this: <TITLE>My Home Page</TITLE>, are considered tags. Most tags come in pairs. The first will look like <TAG> and the closing tag will look like </TAG>. Once you have viewed and modified the page that you have selected, save it with a new name. To see how it would look on the web, go through the above exercise using the new file name.
HTML Stuff You Need to Know
- BACKGROUNDS AND COLORS:
It’s possible to apply formatting to the entire body of a document by placing extensions within the <BODY> tag. For example, <BODY BGCOLOR="#00E4FF"> changes the background color to #00E4FF, the RGB code for aqua. Most HTML editors automate the color to RGB conversion, so you won’t have to know these numbers. Most browsers recognize words like blue, red, and purple. To use a graphic as a background use <BODY BACKGROUND="(LOCATION OF IMAGE FILE)">.
- HEADINGS:
When you want to use different size text in order to have things stand out within your text, you must employ the HTML headings tags. These tags comprise <Hn></Hn> where n=1 to 6. <H1> is the largest font and <H6> is the smallest. The browser reading of your HTML document dictates the actual size of the font.
- TEXT:
HTML will ignore multiple spaces, tabs, and carriage returns. If you want all of these considered, you must place your text within the <PRE></PRE> (preformatted text) tag pair. Most HTML publishers use the <P> tag at the end of each paragraph. This tag will create a single line break. Browsers automatically wrap text so you do not need to worry about all the rest of the multiple space conventions. If you want to have more than a single line break between paragraphs, you use the <BR> tag. One <BR> tag will start the text on the next line, two will create a line break, and three will create two line breaks and so on. To center text, use <CENTER>(text here)</CENTER>. If you wish to indent from both margins, you would use <BLOCKQUOTE>(text here)</BLOCKQUOTE>. The easiest way to emphasize text is to use bold, italic, color or enlarged text. To bold text use <B></B> or <STRONG></STRONG>. To italicize, use <I></I> or <EM></EM>. To change color or size, use <FONT COLOR="RGB" SIZE=n>(insert text here)</FONT>, where RGB is the RGB color code and n (-7 to +7) is the increment above or below your regular font size.
- IMAGES:
With web pages it is best not to overuse graphics because the fewer you use and the smaller they are, the quicker your page will load. Once you are comfortable with placing images on your page, practice using an image editor to reduce the byte size without sacrificing too much quality. The best way to display an image is to place it in the <IMG> tag like this: <IMG SRC="(image location here)">. This will display the image full size and bottom aligned with adjacent text. You can also insert extra specifications between IMG and SRC. <IMG HEIGHT=300 WIDTH=400 ALIGN=TOP VSPACE=60 HSPACE=70 BORDER=100 SRC="IMAGE.gif"> would set the dimensions of your image.gif to 300 high by 400 wide, align its top with the tallest item in the line, give it a border of 100 and separate it from the text by 60 vertically and 70 horizontally. By the way, all of the measurements are in pixels. You can specify all manner of alignments using ALIGN=n, where n is right, left, texttop, middle, absmiddle, baseline, bottom. It is usually necessary to provide an alternative text version wherever an image is placed. This allows browsers with the image capabilities turned off to view a description of what would be there. This is accomplished by inserting ALT="description of image" anywhere between IMG and SRC.
- LINES:
A horizontal rule can be created using <HR>. If you want to be specific about your line, you can use <HR WIDTH=X% ALIGN=Y SIZE=Z>, where X is the percentage proportion of page width, Y is its positioning (center, left or right) and Z is its thickness. Many Web Masters prefer to use an image of a line or bar.
- LISTS:
HTML offers three principal types of lists: ordered, unnumbered, and definition. A combination of <OL><LI> will produce a numbered list. A combination of <UL><LI> will produce an unnumbered list with bullets, and a combination of <DL></DL> with <DT><DD> will create a definition list that can be split into levels.
- LINKS:
Links are the power of HTML. The whole idea of HTML is to add another dimension to desktop publishing. The following examples illustrate how to link pages to each other. This is achieved by embedding clickable hot spots to redirect browsers to other addresses. Hot spots can be attached to text, icons, buttons, lines, or even images. To create a link to another Web page use the following: <A HREF=http://www.roughguides.com>Rough Guides</A>. Clicking on "Rough Guides" would load the Web page at http://www.roughguides.com. To create a link to a local page use <A HREF="trap.html">Step this way</A>. If trap.html is in the same directory or is mapped as a local file, clicking on "Step this way" will launch it. To embed a link in an image, use either of the following: <A HREF="fish.html"><IMG SRC="fish.gif"></A> or <A HREF="bigfish.gif"><IMG SRC="fish.gif"></A>. In both cases the locally stored image fish.gif contains the hot spot. To include mail, use <A HREF=mailto:bigflint@texas.net>GPF Browne</A>. On most browsers, clicking on "GPF Browne" would bring up the send mail dialog box, already addressed to bigflint@texas.net.
COULD THERE BE MORE!
That’s it for HTML. If you understand the above, you have about 99% of everything you’ll ever want to know about HTML. Additional areas of HTML not covered include: tags to create tables, frames, forms, blinking text, as well as multimedia options like audio, video, animation, and virtual reality. Form processing and interactive pages are considered the top level HTML capabilities. As you move up these levels of sophistication, you’ll have to explore complex scripting and programming languages like ActiveX, JavaScript, Java, PERL, CGI, and Visual Basic.
PROVIDE YOURSELF WITH DIRECTION
All web pages should contain the following four sections: Title, Heading, Body, and Footer. Although the content of your web page may seem obvious to you, if you do not consider each of these sections, the content may not be obvious to your target audience. For this purpose I provide the following basic template that can be used to develop each of your pages.
This model will produce the following on an average browser:
It is important to note that in the development of web pages, most designers err by not allowing enough white space on their pages. This template coupled with some easy to follow guidance should assist you in defining how much white space to allow and how much is not enough. Some page designers prefer to hand sketch each page they develop in order to assist in the HTML tagging. A designer’s sketch would look like this:
Many page designers consider these sketches as essential to organize your page logically. Remember to stick to the purpose of the specific page on which you are working. If you find you have a great deal of additional information, then develop another page and establish a link to it. The following are some general guidelines to follow when developing pages:
- Use a sketch to define white space
- Stick to the topic at hand
- Use a descriptive title
- Limit your use of graphics
- Keep vertical size of all pages within reasonable scrolling
- Never allow "bells and whistles" to diminish your content
Expanding your page into a Web of Pages
Once you begin to establish your unit’s home page, you will most likely find a complex network of pages. Therefore, expand the designer sketch to encompass a network of topics/pages. The following is provided to assist you with understanding how to draw the desired links from one page/topic to another.
In this example of a complex designer sketch, the green arrows indicate that links are to be established from the specified pages. The topology for this designer sketch includes the following.
- A Unit Home Page (used to describe the unit’s mission and overall use of the net)
- A Web Page to e-mail the section’s personnel (Potential Feedback form products)
- A Web Page to act as a Launch Pad or Tool Page (Section’s central launch point for a variety of tools that may be available via the network)
- A Web Page to support a variety of Publications (Product Distribution, Pull dissemination)
The Unit Home Page should describe the unit’s mission and overall use of the net. The page should also describe clearly to the audience how the unit’s Web Pages are arranged and how to access each topic supported by the set of pages. A page to support consumer feedback is always a good practice. If your element is responsible for disseminating a wide variety of products, we recommend that your consumers be able to comment on your products, both to the producer and to the manager of the section. A link between the e-mail and Publications pages is essential for this capability.
The Launch Pad or Tool Page is the page most used by members of an organization. With the growth of resources represented on open and closed Internet architectures, it is prudent to develop a "Launch Pad" type page that allows quick and immediate access to all the commonly used resources available on the net. Naturally, this page would be constructed to support the research and publication tools used in generating your element’s products. In reality, the Publication page is the central launch point for your consumers/customers to use. From this page your consumers should be able to launch into whatever products you provide. For example, the consumer should be able to launch to current intelligence products and/or to a page of historic intelligence products. Remember the link to your personnel (the producers) must be established from each of these locations.
Directory/File Structure
Now that we have discussed the development of the design sketch, we will explore the Directory and File Structure that should be used to support a Web design. In the beginning of this chapter we defined the three main requirements to producing web pages: something to say, a way to convert it to HTML, and somewhere to put it. To this point we have looked at the first two requirements. Directory and file structure allows us to put the information where it needs to go. The first step is to gain access to the necessary servers outside your organization. If your organization maintains its own servers, linked to your higher organization’s network, then you must find the network managers and system security officer responsible for maintaining your unit’s systems. Once you have established contact with these personnel, they must grant you permission on the system to read, write, and edit in the directories that have been mapped to support your unit’s Internet utility. If you are in a unit that does not support its own server, then you must acquire access to your parent unit’s server. Another possibility is to establish a page on INTELLINK. The network manager for INTELLINK can be reached at:
INTELLINK@DSCINT.COM
Once this access has been acquired, you are ready to place your pages on the net. Managing your Web Pages will be simplified if you use an appropriate naming convention for your directory and file structure. Using the example of the complex Design Sketch, if all of your unit’s Web Page access were granted from your /home directory, the following would be considered a workable structure:
/home/SectionName/HomePage/index.html
/home/SectionName/HomePage/Personnel/index.html
/home/SectionName/HomePage/Tool/index.html
/home/SectionName/HomePage/Publications/index.html
- Let’s talk SECURITY
Once your file structure is established, it is time to consider if you wish to limit access to one or all of your pages to any group or even individual with access to your unit’s Web server. This access leveling is accomplished using a ".htaccess" file. An example of how to use this file is as follows:
If you wish to limit access to only users on your server (usually this means only people at your location), place the .htaccess file in the directories you wish to protect. For example, if you wanted to protect your Publications page, place the .htaccess file in the /home/SectionName/HomePage/Publications directory. A listing of this directory would now include both index.html and .htaccess. By the way, many servers will not display the .htaccess file unless specified in the list instructions.
The "(Section Name)" is usually just the name of the page you are protecting. More importantly, the "(server extension)" is usually the same as the extension used at the end of your e-mail address (after the @). If you wanted to restrict access to only some of the products on a publications page, you would need to establish a new directory like /home/SectionName/HomePage/Publications/RestrictAccess/ and place the .htaccess file in that directory. Any product you wanted to protect would have to reside in this directory. Links would be established using this directory name to point to the location of the requested file. If the appropriate server extension were present in the requesting person’s profile, then the product would be displayed. If an appropriate server extension were not present, then an error message would be displayed. In order to avoid an error message, a page may be defined for the server to present to users who do not have access to requested files. It is also considered good design technique to add the text "Site Access Only" or "Password Protected" next to or included in the hot spot to restricted access links.
In the world of computer security it has often proven beneficial to understand some of the nuances of computer programs and programmers. This understanding has led to the exploitation of several information sources. Throughout this chapter we have used the filename "index.html" to identify our pages. We accomplished this by nesting all our pages in separate directories. This practice stems from the browser’s inability to distinguish between an actual index of our home page and the index that it creates for every web page created. Therefore, if you use a web page to disseminate intelligence products and you name your dissemination page "dissemination.html" a user, gaining access to your page, can directly access all files that are included on the page. The intrusive user can accomplish access to each individual file posted on the dissemination page by accessing the browser index of your page. Once this is accomplished, files could be altered and resubmitted to your page as the original valid file. Even without access to your server an enemy could run a great deception campaign by resubmitting intelligence reports to other sub-net subscribers. The implications of this practice warrant a reiteration of the browser system limitation. Files named "index.html" are recognized as a root directory of sorts for web pages. This recognition provides a means of securing your computer files by virtue of the naming convention. If any other name is used e.g. "name.html", then any user can list and gain access to all of the files on the "name" web page. This access is accomplished by deleting the "name.html" from the URL and reloading the page within a browser.
Another interesting trend set by web page developers is the use of the "/images" directory for storing images, icons, and graphics. If you wish to access/download graphics from a web page, for your use, add "/image" or "/images" at the end of the URL and resubmit. In many cases you will be presented with a list of images used in the construction of the web site.
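A check a page owner can run over their own tree for the condition described above, reporting every directory that has no index.html and whether a .htaccess file covers it. This is an added example, not part of the original guide; the function names and the constructed sample tree are assumptions, and the layout follows the chapter's HomePage directory structure.

```shell
#!/bin/sh
# Added example, not from the original guide. Walks a web document tree and
# reports each directory with no index.html, i.e. each directory that a server
# with automatic indexing enabled would list in full.

# True when DIR, or a parent of it up to ROOT, holds a .htaccess file
# (assumption: Apache-style access files, which apply to the directory they
# sit in and to everything below it).
covered_by_htaccess() {          # usage: covered_by_htaccess ROOT DIR
    d=$2
    while :; do
        [ -f "$d/.htaccess" ] && return 0
        case $d in "$1"|/|.) return 1 ;; esac
        d=$(dirname "$d")
    done
}

# Prints one line per directory lacking index.html:
#   listable-open        <dir>   no index page and no .htaccess applies
#   listable-restricted  <dir>   no index page, but a .htaccess applies
audit_webroot() {                # usage: audit_webroot ROOT
    root=${1%/}
    find "$root" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        [ -f "$dir/index.html" ] && continue
        rel=${dir#"$root"}
        if covered_by_htaccess "$root" "$dir"; then
            printf 'listable-restricted %s/\n' "$rel"
        else
            printf 'listable-open %s/\n' "$rel"
        fi
    done
}

# Constructed sample tree that mirrors the chapter's directory structure.
make_sample_tree() {             # prints the path of the new web root
    t=$(mktemp -d) || return 1
    mkdir -p "$t/HomePage/Personnel" "$t/HomePage/Tool" \
             "$t/HomePage/Publications/RestrictAccess" "$t/HomePage/images"
    for p in "" Personnel/ Tool/ Publications/; do
        echo '<HTML></HTML>' > "$t/HomePage/${p}index.html"
    done
    # Placeholder content: only the presence of the file is checked here.
    echo 'placeholder access rules' \
        > "$t/HomePage/Publications/RestrictAccess/.htaccess"
    echo 'report' > "$t/HomePage/Publications/RestrictAccess/highlights.txt"
    : > "$t/HomePage/images/paper.gif"
    printf '%s\n' "$t/HomePage"
}

sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "${sample%/HomePage}"
```

On an Apache server, `Options -Indexes` (in the server configuration, or in a .htaccess file where overrides are permitted) turns automatic listings off regardless of how the pages are named.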
- HTML EXAMPLES
- <HTML>
- <HEAD>
- <TITLE>YOUR SECTION NAME HOME PAGE</TITLE>
- </HEAD>
- <BODY background="/images/paper.gif">
- <CENTER>
- <IMG ALIGN=TOP SRC="/images/TSC.gif" alt="CLASSIFICATION">
- <IMG ALIGN=TOP SRC="/images/dynamic.gif" alt="dynamic">
- </CENTER>
- <PRE>
- <HR>
- <CENTER>
- <A HREF="http://FILE STRUCTURE/logo.html"><IMG
- SRC="/images/logo-25f-64c-onwhite.gif" ALIGN=CENTER></A>
- </CENTER>
- </P>
- </PRE></HR>
- <CENTER>This page has been accessed<IMG SRC="cgi-
- bin/counter/DIRECTORY/index.html">
- </CENTER>
- <CENTER><IMG SRC="/images/rainbow6.gif" ALIGN=CENTER>
- </CENTER>
- <CENTER>
- <IMG SRC="/images/animated/welcome3d.gif" ALIGN=CENTER>
- </CENTER>
- <CENTER>
- <H1>TO THE<FONT color="green">PARENT ORGANIZATION
- </FONT><FONT color="blue">SECTION</FONT>HOME PAGE
- </H1>
- </CENTER>
- <P>
- PARAGRAPH DESCRIBING YOUR MISSION AND WHAT IS THE
- PURPOSE OF THE WEB PAGES</P>
- <CENTER>
- <IMG SRC="/images/rainbow6.gif" ALIGN=CENTER>
- </CENTER>
- <CENTER>
- <TABLE>
- <TR>
- <TD><H4><A HREF="http://FILE
- STRUCTURE/Personnel/index.html"><IMG
- SRC="/images/boomerang_move-tr.gif" ALIGN=CENTER
- VALIGN=MIDDLE>PERSONNEL</A></H4></TD>
- <TD><H4><A HREF="http://FILE
- STRUCTURE/AR/Publications/index.html"><IMG
- SRC="/images/book_open.gif" ALIGN=CENTER VALIGN=MIDDLE>
- Publications</A></H4></TD>
- <TD><H4><A HREF="http://FILE
- STRUCTURE/AR/Tool/index.html"><IMG SRC="/images/tools3.gif"
- Width="32" height="32" ALIGN=CENTER>SECTION
- Tools</A></H4></TD>
- </TR>
- </TABLE>
- </CENTER>
- <CENTER>
- <IMG SRC="/images/rainbow6.gif">
- </CENTER>
- </P>
- <CENTER>
- <SCRIPT LANGUAGE="JavaScript"><!--
- function doArray(){
- var arylnth=doArray.arguments.length;
- for (var i=0;i<arylnth;i++){
- this[i]=doArray.arguments[i]}}
- function newpage(){
- var choose=
- eval(document.dropdown2.site.selectedIndex);if((choose>0)&& (choose
- <12)
- ){
- var section=new doArray('',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/',
- 'http://www.rest.of.url/');
- location=section[document.dropdown2.site.selectedIndex];
- }
- }
- // -->
- </SCRIPT>
- <form name="dropdown2">
- <div align="center"><center><p><img src="/images/chain_link-tr.gif"
- align="middle" width="28"
- height="28"><select NAME="site" onChange="newpage();"
- ALIGN="center" size="1">
- <option SELECTED>TO OTHER WEB PAGES OF INTEREST
- </option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- <option>Name of Page Option</option>
- </select><img src="/images/chain_link-tr.gif" align="middle" width="28"
- height="28">
- </p>
- </center></div>
- </form>
- <CENTER>
- <IMG SRC="/images/rainbow6.gif">
- </center>
- <CENTER>
- <TABLE>
- <TR>
- <TD><A HREF=http://www.nsa/home.html><IMG
- SRC="/images/small_seal_.gif" ALIGN=CENTER>
- HOMEPAGE
- </A></TD>
- <TD><A HREF=http://STRUCTURE><IMG
- SRC="/images/animated/back-animate-trans.gif"
- ALIGN=CENTER>Return
- To Rainfall Homepage</A></TD>
- </TR>
- </TABLE>
- </CENTER>
- <ADDRESS>
- <CENTER>
- <H5><FONT COLOR=#FFFFFF></FONT>WEB POC:<A
- HREF=http://whois.www./whois?ansmith+fm:S>Alfred Smith</A>,
- H51
- <A
- HREF="http://www.a74.a.12080/bin/feedback?ansmith@domai+A&R+H
- Ome
- +Page+Feedback"><IMG SRC="/images/box_full-tr.gif"
- ALIGN=CENTER></A></H5>
- </CENTER>
- <HR>
- <CENTER>
- <IMG ALIGN=BOTTOM SRC="/images/dynamic.gif" alt="dynamic">
- <IMG ALIGN=BOTTOM SRC="/images/TSC.gif"
- alt="CLASSIFICATION">
- </CENTER>
- </HR>
- </BODY>
- </HTML>
In this HTML code the term STRUCTURE refers to the file structure that leads to the file that you desire to have displayed. Line #7 and #141 are not used in the following graphic display of these tags in order to keep the classification of this chapter UNCLASSIFIED.
In order to define the function of the major elements of the example provided on the previous pages, the following are descriptions of which tags create which behavior in the browser output:
Lines 1-4 provide the name on the top line of the browser
Line 5 provides the background color, in this case a picture of crumpled paper, which has been used to provide some quality to the overall appearance of the page
Lines 6-9 provide the top classification marking. Line 7 was not used for the browser output so that we would not encounter classification issues.
Lines 10-17 provide an animated picture of flags revolving around a globe.
Lines 18-20 provide the counter for this page.
Lines 21-22 provide sectionalization for the page using a multicolored line.
Lines 23-24 provide an animated word "Welcome" not seen in this screen capture of the page.
Lines 25-30 provide the multi-colored large font organization name "TO THE PARENT ORGANIZATION SECTION HOME PAGE".
Lines 31 & 58 are used as overhead for all sections using lines 32-57.
Lines 32-33 provide "PARAGRAPH DESCRIBING YOUR MISSION AND WHAT IS THE PURPOSE OF THE WEB PAGES".
Lines 34-36 provide sectionalization for the page using a multicolored line.
Lines 37-39 & 52-54 provide overhead for all elements using line 40-51.
Lines 40-43 provide the link to the Personnel Page.
Lines 44-47 provide the link to the Publications Page.
Lines 48-51 provide the link to the Tools Page.
Lines 55-57 provide sectionalization for the page using a multicolored line.
Lines 59-109 provide a view of JavaScript, a pull down menu "TO OTHER WEB PAGES OF INTEREST".
Lines 110-112 provide sectionalization for the page, using a multicolored line.
Lines 113-115 & 124-126 provide overhead for all elements using line 115-123.
Lines 116-119 provide the link to My Parent Organization’s Parent.
Lines 120-123 provide the link to My Parent Organization.
Lines 127-137 provide the lookup tables for my username and e-mail capability for all that use these pages to provide feedback.
Line 138 provides a Horizontal Rule.
Lines 139-143 provide the bottom of the page classification marking.
Lines 141-142 were not used for the browser output so that we would not encounter classification issues.
Lines 144-146 provide overhead for the entire page.
- <HTML>
- <HEAD>
- <TITLE>Publications Web Page</TITLE>
- </HEAD>
- <BODY background="/images/paper.gif">
- <CENTER>
- <IMG ALIGN=TOP SRC="/images/dynamic.gif" alt="Dynamic">
- <TD>
- <H2>
- </head>
- <A HREF=http://STRUCTURE/AR/Publication/ARBRIEF/index.html><IMG SRC="images/book_open.gif" ALIGN=CENTER VALIGN=MIDDLE> Current Section Config </a></H2>
- </CENTER>
- <CENTER>
- <IMG SRC="/images/rainbow5.gif">
- </p>
- <H2>
- <a href=http://STRUCTURE/AR/Publications/restrictaccess/index.html><img src="images/book_open.gif" ALIGN=CENTER VALIGN=MIDDLE>Units Monthly Highlights<font color="GREEN"></font>1998<font color=red></font>(Site Access Only)</a>
- </TD>
- <P>
- </H2>
- </CENTER>
- <CENTER>
- <IMG SRC="/images/rainbow6.gif" ALIGN=CENTER>
- </CENTER>
- <CENTER>
- <TABLE>
- <TR>
- <TD><H4><A HREF="http://FILE STRUCTURE/Personnel/index.html"><IMG SRC="/images/boomerang_move-tr.gif" ALIGN=CENTER VALIGN=MIDDLE>personnel</A></H4></TD>
- <TD><H4><A HREF=http://STRUCTURE/AR/Tool/index.html><IMG SRC="/images/tools3.gif" width="32" height="32" ALIGN=CENTER>Tools Web Page</a></h4></TD>
- <TD><H4><A HREF="http://STRUCTURE/AR/index.html"><IMG SRC="/images/animated/doorin2.gif" ALIGN=CENTER VALIGN=MIDDLE>Section HOMEPAGE</a></h4></TD>
- </TR>
- </TABLE>
- </CENTER>
- <CENTER>
- <IMG SRC="/images/rainbow6.gif">
- </P>
- <ADDRESS>
- <CENTER>
- <h5><FONT COLOR=RED></FONT>WEB POC:<A HREF=http://whois.www/whois?USER:ansmiht+fm:S>Alfred Smith</a><a href="http://www.a74.a:12080/bin/feedback?ansmith@dpmain name+A&R+POC+feedback">
- <IMG SRC="/images/box_full-tr.gif" ALIGN=CENTER></A></h5>
- <IMG ALIGN=BOTTOM SRC="/images/dynamic.gif" alt="Dynamic">
- </CENTER>
- </HR>
- </BODY>
- </HTML>
Now, with the HTML tags on the previous pages and the sample browser output on this page, the following is a comparison of which tags create which behavior in the browser output:
Lines 1-4 provide the name on the top line of the browser.
Line 5 provides the background color, in this case a picture of crumpled paper, which has been used to provide some quality to the overall appearance of the page.
Lines 6-8 provide the top classification marking.
Lines 9-10 are used as overhead.
Lines 11-12 provide the link to a "Current Section Config". This link would most likely lead to a page describing the configuration or a graphic depicting it. Either way the document in question would most likely be in the same directory.
Lines 13-15 provide sectionalization for the page using a multicolored line.
Lines 16-21 provide a link to a secure set of "Units Monthly Highlights 1998". This link leads to a document or documents that are nested in a restricted access sub-directory protected by a .htaccess file.
Lines 22-24 provide sectionalization for the page using a multicolored line.
Lines 25-27 & 31-33 are used as overhead for all sections using lines 28-30.
Line 28 provides link to Personnel page.
Line 29 provides link to Tools Web Page.
Line 30 provides link to Section HOMEPAGE.
Lines 34-36 provide sectionalization for the page using a multicolored line.
Lines 37-38 are used as overhead for all sections using line 39-41.
Lines 39-40 provide the lookup tables for my username and e-mail capability for all who use these pages to provide feedback.
Line 41 provides the bottom of the page classification marking.
Lines 42-45 are used as overhead for the entire page.
Now that we have compared the source HTML tags to two separate web pages, it is time to go to the net and find a page of interest with which to work. Print a screen copy of the page and print a copy of its source tags. Try to evaluate which tags cause what behavior in your browser. If you find sections that you like, isolate them in the source tags and save them as separate files. Remember to use descriptive file names so you can begin to build your HTML toolbox. In addition, there are countless books on the topic of Web Page building. Also, remember that browser software keeps pace with industry upgrades. Therefore, if you are looking for a book to assist in building Web Pages for your organization’s browser, do not rely on dated material (computer software books published two years ago are only good for a basic or historic understanding of the topic). Before you know it, you will be creating great Web Pages in support of your unit’s mission.
PROTECT YOUR UNIX FILES
Unix uses the "chmod" command to change the permissions of files. Permissions are broken down into three access levels: those of the owner, the owner’s group, and the "world" (everyone else). In order for the web daemon to serve your files, they must be "world" readable. Since you might want to change the other permissions for various reasons, here is a chart which will help you do so. Remember you can only change permissions on the files that you own (in your home directory).
For more information on chmod and Unix file permissions, there are thousands of good books and web pages on the subject. A quick summary of the most popular commands is provided here:
- PERMISSION COMMAND

| OWNER | GROUP | WORLD | COMMAND | NUMBER | FILENAME |
|-------|-------|-------|---------|--------|----------|
| rwx | rwx | rwx | chmod | 777 | filename |
| rwx | rwx | r-x | chmod | 775 | filename |
| rwx | r-x | r-x | chmod | 755 | filename |
| rw- | rw- | r-- | chmod | 664 | filename |

r = readable
w = writable
x = executable
- = no permission

Here is another way of looking at it:

Permissions:

| NUMBER | DEFINITION |
|--------|------------|
| 400 | read by owner |
| 040 | read by group |
| 004 | read by anybody (other) |
| 200 | write by owner |
| 020 | write by group |
| 002 | write by anybody |
| 100 | execute by owner |
| 010 | execute by group |
| 001 | execute by anybody |

To get a combination, just add them up. For example, to get read write by owner, read by group, and read by anybody, you would add:
400 + 200 + 040 + 004 = 644
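The table arithmetic above as shell functions, together with an audit of a page directory for the two permission problems that matter to a web author: files the web daemon cannot read and files anybody can write. This is an added example, not from the original guide; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.

# Add up values from the NUMBER/DEFINITION table into one octal mode.
compose_mode() {                 # compose_mode 400 200 040 004  ->  644
    m=0
    for v in "$@"; do
        m=$(( $m | 0$v ))        # the leading 0 makes the value an octal constant
    done
    printf '%03o\n' "$m"
}

# Expand an octal mode into the OWNER/GROUP/WORLD letters used in the chart.
mode_to_rwx() {                  # mode_to_rwx 755  ->  rwxr-xr-x
    m=$(( 0$1 ))
    out=
    for pair in 0400:r 0200:w 0100:x 0040:r 0020:w 0010:x 0004:r 0002:w 0001:x; do
        if [ $(( $m & ${pair%%:*} )) -ne 0 ]; then
            out=$out${pair##*:}
        else
            out=$out-
        fi
    done
    printf '%s\n' "$out"
}

# Report files the web daemon cannot serve (world read bit 004 missing) and
# files or directories that every local user can change (world write bit 002).
audit_perms() {                  # usage: audit_perms ROOT
    root=${1%/}
    find "$root" -type f ! -perm -004 | LC_ALL=C sort | while IFS= read -r f; do
        printf 'not-world-readable %s\n' "${f#"$root"/}"
    done
    find "$root" ! -type l -perm -002 | LC_ALL=C sort | while IFS= read -r f; do
        printf 'world-writable %s\n' "${f#"$root"/}"
    done
}

# Constructed sample directory with one file per case.
make_perm_sample() {             # prints the path of the new directory
    t=$(mktemp -d) || return 1
    for f in index.html draft.html upload.html; do
        echo '<HTML></HTML>' > "$t/$f"
    done
    chmod 644 "$t/index.html"    # served; only the owner can change it
    chmod 600 "$t/draft.html"    # owner only: the daemon cannot read it
    chmod 666 "$t/upload.html"   # served, but writable by anybody
    printf '%s\n' "$t"
}

compose_mode 400 200 040 004
mode_to_rwx 775
sample=$(make_perm_sample)
audit_perms "$sample"
rm -rf "$sample"
```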
- CHMOD SYNTAX
NAME
chmod - change file modes
SYNOPSIS
chmod [-R [-H | -L | -P]] mode file ...
DESCRIPTION
The chmod utility modifies the file mode bits of the listed files as specified by the mode operand.
The options are as follows:
-H If the -R option is specified, symbolic links on the command line are followed. (Symbolic links encountered in the tree traversal are not followed.)
-L If the -R option is specified, all symbolic links are followed.
-P If the -R option is specified, no symbolic links are followed.
-R Change the modes of the file hierarchies rooted in the files instead of just the files themselves.
Symbolic links do not have modes, so unless the -H or -L option is set, chmod on a symbolic link always succeeds and has no effect. The -H, -L and -P options are ignored unless the -R option is specified. In addition, these options override each other and the last one specified determines the command’s actions.
Only the owner of a file or the super-user is permitted to change the mode of a file.
The chmod utility exits 0 on success, and >0 if an error occurs.
- MODES
Modes may be absolute or symbolic. An absolute mode is an octal number constructed by or'ing the following values:
4000 set-user-ID-on-execution
2000 set-group-ID-on-execution
1000 sticky bit, see chmod(2)
0400 read by owner
0200 write by owner
0100 execute (or search for directories) by owner
0070 read, write, execute/search by group
0007 read, write, execute/search by others
The read, write, and execute/search values for group and others are encoded as described for owner.
The symbolic mode is described by the following grammar:
mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] last_action
action ::= op [perm ...]
last_action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g | o
The who symbols ``u'', ``g'', and ``o'' specify the user, group, and other parts of the mode bits, respectively. The who symbol ``a'' is equivalent to ``ugo''.
The perm symbols represent the portions of the mode bits as follows:
r The read bits.
s The set-user-ID-on-execution and set-group-ID-on-execution bits.
t The sticky bit.
w The write bits.
x The execute/search bits.
X The execute/search bits if the file is a directory or any of the execute/search bits are set in the original (unmodified) mode. Operations with the perm symbol ``X'' are only meaningful in conjunction with the op symbol ``+'', and are ignored in all other cases.
u The user permission bits in the mode of the original file.
g The group permission bits in the mode of the original file.
o The other permission bits in the mode of the original file.
The op symbols represent the operation performed, as follows:
+ If no value is supplied for perm, the ``+'' operation has no effect. If no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is clear, is set. Otherwise, the mode bits represented by the specified who and perm values are set.
- If no value is supplied for perm, the ``-'' operation has no effect. If no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is clear, is cleared. Otherwise, the mode bits represented by the specified who and perm values are cleared.
= The mode bits specified by the who value are cleared, or, if no who value is specified, the owner, group and other mode bits are cleared. Then, if no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is clear, is set. Otherwise, the mode bits represented by the specified who and perm values are set.
Each clause specifies one or more operations to be performed on the mode bits, and each operation is applied to the mode bits in the order specified.
Operations upon the other permissions only (specified by the symbol ``o'' by itself), in combination with the perm symbols ``s'' or ``t'', are ignored.
EXAMPLES
644 make a file readable by anyone and writable by the owner only.
go-w deny write permission to group and others.
=rw,+X set the read and write permissions to the usual defaults, but retain any execute permissions that are currently set.
+X make a directory or file searchable/executable by everyone if it is already searchable/executable by anyone.
755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by the owner only.
go= clear all mode bits for group and others.
g=u-w set the group bits equal to the user bits, but clear the group write bit.
STANDARDS
The chmod utility is expected to be POSIX 1003.2 compatible with the exception of the perm symbols ``t'' and ``X'', which are not included in that standard.
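The mode bits above can be checked against the web-serving requirement stated at the start of this section (files must be "world" readable, and nothing should be writable by anybody). The script below is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web document tree using the mode bits described above.
# Every path and file name here is constructed sample data.

# Print one finding per line as "<ISSUE> <path>".
audit_webroot() {
    root=$1
    # 0002 write by anybody: any local account could alter what the web daemon serves.
    find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # 4000/2000 set-user-ID / set-group-ID: rarely justified on web content.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETID /'
    # 0004 read by anybody is what lets the web daemon serve a file;
    # a file without it is either private by intent or will fail to load.
    find "$root" -type f ! -perm -0004 | sed 's/^/NOT-WORLD-READABLE /'
    # Directories need 0001 (search by anybody) to be traversed.
    find "$root" -type d ! -perm -0001 | sed 's/^/NOT-WORLD-SEARCHABLE /'
}

# Remove only the dangerous bits (symbolic modes go-w and ug-s).
# Unreadable files are left alone: opening them up is a human decision.
harden_webroot() {
    chmod -R go-w,ug-s "$1"
}

# Build a small constructed tree with one example of each problem.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pubs"
    : > "$d/index.html";      chmod 644  "$d/index.html"       # correct
    : > "$d/pubs/draft.html"; chmod 666  "$d/pubs/draft.html"  # writable by anybody
    : > "$d/pubs/notes.txt";  chmod 640  "$d/pubs/notes.txt"   # not world readable
    : > "$d/counter.cgi";     chmod 4755 "$d/counter.cgi"      # set-user-ID
    chmod 755 "$d" "$d/pubs"
    echo "$d"
}

tree=$(make_sample_tree)
echo "before:"; audit_webroot "$tree"
harden_webroot "$tree"
echo "after:";  audit_webroot "$tree"
rm -rf "$tree"
```

After hardening, only the NOT-WORLD-READABLE finding remains, because the script never widens access on its own.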
- CHMOD/FCHMOD SYNTAX
NAME
chmod, fchmod - change mode of file
SYNOPSIS
#include <sys/types.h>
#include <sys/stat.h>
int
chmod(const char *path, mode_t mode);
int
fchmod(int fd, mode_t mode);
DESCRIPTION
The function chmod() sets the file permission bits of the file specified by the pathname path to mode. Fchmod() sets the permission bits of the specified file descriptor fd. Chmod() verifies that the process owner (user) either owns the file specified by path (or fd), or is the super-user. A mode is created from or'd permission bit masks defined in <sys/stat.h>:
#define S_IRWXU 0000700 /* RWX mask for owner */
#define S_IRUSR 0000400 /* R for owner */
#define S_IWUSR 0000200 /* W for owner */
#define S_IXUSR 0000100 /* X for owner */
#define S_IRWXG 0000070 /* RWX mask for group */
#define S_IRGRP 0000040 /* R for group */
#define S_IWGRP 0000020 /* W for group */
#define S_IXGRP 0000010 /* X for group */
#define S_IRWXO 0000007 /* RWX mask for other */
#define S_IROTH 0000004 /* R for other */
#define S_IWOTH 0000002 /* W for other */
#define S_IXOTH 0000001 /* X for other */
#define S_ISUID 0004000 /* set user id on execution */
#define S_ISGID 0002000 /* set group id on execution */
#define S_ISVTX 0001000 /* save swapped text even after use */
The ISVTX (the sticky bit) indicates to the system which executable files are shareable (the default) and the system maintains the program text of the files in the swap area. The sticky bit may only be set by the super user on shareable executable files.
If mode ISVTX (the `sticky bit') is set on a directory, an unprivileged user may not delete or rename files of other users in that directory. The sticky bit may be set by any user on a directory which the user owns or has appropriate permissions.
Writing or changing the owner of a file turns off the set-user-id and set-group-id bits unless the user is the super-user. This makes the system somewhat more secure by protecting set-user-id (set-group-id) files from remaining set-user-id (set-group-id) if they are modified, at the expense of a degree of compatibility.
- CHMOD/FCHMOD RETURN VALUES
Upon successful completion, a value of 0 is returned. Otherwise, a value of -1 is returned and errno is set to indicate the error.
Chmod() will fail and the file mode will be unchanged if:

| ERRORS | CAUSE |
|---|---|
| ENOTDIR | A component of the path prefix is not a directory |
| EINVAL | The pathname contains a character with the high-order bit set. |
| ENAMETOOLONG | A component of a pathname exceeded 255 characters, or an entire path name exceeded 1023 characters. |
| ENOENT | The named file does not exist |
| EACCES | Search permission is denied for a component of the path prefix. |
| ELOOP | Too many symbolic links were encountered in translating the pathname. |
| EPERM | The effective user ID does not match the owner of the file and the effective user ID is not the super-user. |
| EROFS | The named file resides on a read-only file system |
| EFAULT | Path points outside the process's allocated address space. |
| EIO | An I/O error occurred while reading from or writing to the file system. |

Fchmod() will fail if:

| ERRORS | CAUSE |
|---|---|
| EBADF | The descriptor is not valid |
| EINVAL | Fd refers to a socket, not to a file |
| EROFS | The file resides on a read-only file system |
| EIO | An I/O error occurred while reading from or writing to the file system. |

NAME
getmode, setmode - modify mode bits
SYNOPSIS
#include <sys/types.h>
#include <unistd.h>
mode_t
getmode(const void *set, mode_t mode);
void *
setmode(const char *mode_str);
- GETMODE/SETMODE DESCRIPTION
The getmode() function returns a copy of the file permission bits mode as altered by the values pointed to by set. While only the mode bits are altered, other parts of the file mode may be examined.
The setmode() function takes an absolute (octal) or symbolic value, as described in chmod(1), as an argument and returns a pointer to mode values to be supplied to getmode(). Because some of the symbolic values are relative to the file creation mask, setmode() may call umask(2). If this occurs, the file creation mask will be restored before setmode() returns. If the calling program changes the value of its file creation mask after calling setmode(), setmode() must be called again if getmode() is to modify future file modes correctly.
If the mode passed to setmode() is invalid, setmode() returns NULL.
SECURITY ON THE INTERNET Security on the Internet is precarious at best since you cannot assume that you will be granted any sort of immunity from attacks. The moment you connect to the Internet, or to any large network for that matter, you open yourself up to numerous risks. It is extremely important that you understand that there is nothing you can do to become 100 percent safe from a break-in attempt over the Internet except unplug your connection. Once you accept this fact, you can understand that a good defense is your best and often your only weapon against such attacks.
Classic Hacking Methods: Most classic hacking methods are fairly simplistic in nature. They consist predominantly of trial-and-error attacks, and they rely on luck vice technical prowess. Like most things, the old-fashioned "simple way" is the way that sticks around. Many of these classic techniques are still in use today. The first rule of hacking is to gain access to the target system. Even if your system is limited to a telephone line for its connection and the intruder is afforded no more than a login prompt to use as a basis to formulate his attack, the first step to intrusion will be to find a valid user name and password combination to gain initial access.
- The Password:
One of the first and most basic mechanisms for computer security is the PASSWORD. Passwords and their presence in every system used by today’s professional community represent, to some, a great annoyance and/or an inconvenience. Many users select the most simplistic of passwords in order to minimize the inconvenience posed by the dreaded username and password routine. Today, passwords remain the main point of security for most of the world’s computer systems. However, most users do not recognize the importance of their choice of passwords upon initial set up or log on. A properly chosen password contains letters (upper and lower case), numbers, punctuation marks, and symbols, and is not easily associated with any word that can be found in a dictionary. Intruders count on the prevalent ambivalence of users in regard to password selection.
- The Brute force Attack:
One way to break password security is to apply guesswork. The intruder will try an extensive list of common user names and passwords in order to find a valid combination of the two. Depending on the Operating system, the intruder will always start with the system defaults. If any default accounts are left without passwords or with their default password entries intact, then the intrusion will be successful.
| Operating System | Default Accounts |
|---|---|
| UNIX | root |
| VMS | system |
| NetWare | supervisor |

Because guessing correct user name and password combinations can take forever, hackers have written programs to automate this process. Simplistic programs use lists of common passwords with known default user names to attempt access. A more sophisticated intrusion method uses a combination of network services such as Finger to gather names and then tries different permutations of information gained about the account as passwords.
EXAMPLE:
Data Gained via Finger command:
unixhost {1} finger asmith
Login: asmith Name: Alfred Smith
Directory: /home/users/asmith Shell: /bin/csh
Last login Sun May 31 20:00 (CDT) on ttya0
No Plan.
Possible password permutations:
asmith
smitha
alfreds
alfred
smith
htimsa
ASMITH
SMITHA
ALFREDS
ALFRED
SMITH
HTIMSA
More advanced programs also append numbers to the previous permutations and substitute specific numbers for characters:
1 would replace I
1 would replace i
3 would replace e
3 would replace E
0 would replace o
0 would replace O
Unsuccessful attempts using these methods can be easily detected because they generate numerous error messages in the system log files, as well as on the system console. However, if the attack is successful, the intruder will, in most cases, remove any traces of the invalid login attempts prior to detection. Therefore, this particular technique would most likely be used during non-duty times.
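The detection described above can be automated. The script below is an added example, not part of the original guide: it counts failed logins per source and flags a success that follows a run of failures. The log format, the host names, the addresses and the function names are all constructed; adapt the field matching to the records your system actually writes.

```shell
#!/bin/sh
# Added example: find password-guessing runs in login records.
# The log format and every record below are constructed for illustration.

sample_log() {
cat <<'EOF'
1998-05-31T02:10:01 unixhost login: LOGIN_FAILED user=root from=192.0.2.7
1998-05-31T02:10:03 unixhost login: LOGIN_FAILED user=system from=192.0.2.7
1998-05-31T02:10:05 unixhost login: LOGIN_FAILED user=asmith from=192.0.2.7
1998-05-31T02:10:06 unixhost login: LOGIN_FAILED user=asmith from=192.0.2.7
1998-05-31T02:10:09 unixhost login: LOGIN_OK user=asmith from=192.0.2.7
1998-05-31T03:40:11 unixhost login: LOGIN_FAILED user=root from=192.0.2.44
1998-05-31T03:40:13 unixhost login: LOGIN_FAILED user=system from=192.0.2.44
1998-05-31T03:40:15 unixhost login: LOGIN_FAILED user=supervisor from=192.0.2.44
1998-05-31T08:01:12 unixhost login: LOGIN_FAILED user=bjones from=192.0.2.21
1998-05-31T08:01:20 unixhost login: LOGIN_OK user=bjones from=192.0.2.21
EOF
}

# usage: detect_guessing LIMIT < logfile
# LIMIT is the number of failures from one source that counts as guessing.
detect_guessing() {
    awk -v limit="$1" '
    {   # pull the key=value fields out of each record
        src = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^from=/) src  = substr($i, 6)
            if ($i ~ /^user=/) user = substr($i, 6)
        }
    }
    /LOGIN_FAILED/ {
        fails[src]++
        # count distinct account names tried, e.g. a sweep of default accounts
        if (!((src, user) in tried)) { tried[src, user] = 1; accounts[src]++ }
        next
    }
    # A success that follows a run of failures is the record to act on first.
    /LOGIN_OK/ && (src in fails) && fails[src] >= limit + 0 {
        printf "SUCCESS-AFTER-GUESSING %s user=%s failures=%d\n", src, user, fails[src]
    }
    END {
        for (s in fails)
            if (fails[s] >= limit + 0)
                printf "GUESSING %s failures=%d accounts=%d\n", s, fails[s], accounts[s]
    }'
}

sample_log | detect_guessing 3
```

Because a successful intruder may remove the failed-login records, run a check like this against a copy of the log kept off the monitored host.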
- Crypt and Compare:
On UNIX systems, passwords and other user specific information are stored in the "etc" directory in a file that is generally accessible by all users on the system. Of course, the passwords are encrypted. The algorithms used to encrypt the passwords are so complex that most intruders will not have access to the resources necessary to decrypt the passwords. In these cases the technique called Crypt and Compare is used. This method basically guesses a word, uses a number of common encryption schemes associated with the process UNIX uses to encrypt passwords and then compares the two encrypted strings. If the two strings match, the password has been broken. Of course, this process is made easier if a common word is used as the target password.
EXAMPLE:
root:Xxka92hfso239fh:0:0:System Administrator:/:/bin/csh
User Name = root
Password = Xxka92hfso239fh
The Crypt and Compare program will encrypt a variety of words and compare them all to the encrypted password until it finds a match. Usually the candidate words are taken from a dictionary file. If a password is used that can be found in a dictionary (English or otherwise), the program will find it. Usually there will be a number of users who will confine their password use to a recognized word or words. The time associated with a Crypt and Compare program is incredibly short. A computer with a 486/33 processor can perform several thousand crypts per second. UNIX workstations increase this capability by a factor of 10. A parallel super computer brings the number of crypts to millions per second. Security-conscious users should make a point of using non-alphanumeric characters in their passwords even if their host or system administrator does not require it.
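Both the account-based permutations listed under the brute force attack and the dictionary words used by Crypt and Compare can be refused at the moment a user chooses a password. The checker below is an added example, not part of the original guide; the function name, the tiny word list and the test values are constructed, and a real deployment would read a full dictionary file.

```shell
#!/bin/sh
# Added example: refuse passwords that the guessing methods above would find.
# Constructed mini word list; replace with a real dictionary file in practice.
DICT_WORDS="password secret welcome dragon summer"

# usage: check_password CANDIDATE LOGIN FIRSTNAME LASTNAME
# Prints OK or a REJECT reason; exit status 0 means acceptable.
check_password() {
    LC_ALL=C CAND=$1 LOGIN=$2 FIRST=$3 LAST=$4 WORDS=$DICT_WORDS awk '
    function rev(s,    r, i) { r = ""; for (i = length(s); i > 0; i--) r = r substr(s, i, 1); return r }
    function strip(s) { sub(/[0-9]+$/, "", s); return s }      # appended numbers
    function unsub(s) {                                        # 1 for i, 3 for e, 0 for o
        gsub(/1/, "i", s); gsub(/3/, "e", s); gsub(/0/, "o", s); return s
    }
    function reject(why) { print "REJECT: " why; exit 1 }
    BEGIN {
        pw = ENVIRON["CAND"]
        login = tolower(ENVIRON["LOGIN"])
        f = tolower(ENVIRON["FIRST"]); l = tolower(ENVIRON["LAST"])
        # Forms derived from account information, as in the finger example
        bad[login]; bad[rev(login)]; bad[f]; bad[l]
        bad[l substr(f, 1, 1)]; bad[f substr(l, 1, 1)]
        n = split(ENVIRON["WORDS"], w, " ")
        for (i = 1; i <= n; i++) dict[w[i]]
        # Reduce the candidate to the base words it may have been built from
        low = tolower(pw)
        form[1] = low;        form[2] = strip(low)
        form[3] = unsub(low); form[4] = unsub(strip(low))
        for (i = 1; i <= 4; i++) {
            if (form[i] == "") continue
            if (form[i] in bad)  reject("derived from account information")
            if (form[i] in dict) reject("dictionary word")
        }
        if (pw !~ /[a-z]/ || pw !~ /[A-Z]/ || pw !~ /[0-9]/ || pw !~ /[^A-Za-z0-9]/)
            reject("needs upper case, lower case, a number and punctuation")
        print "OK"
    }'
}

# Constructed candidates checked for the sample account from the finger output.
for p in htimsa SMITHA Alfr3d99 Passw0rd 'tR7#qLw!9z'; do
    printf '%-12s ' "$p"
    check_password "$p" asmith Alfred Smith || true
done
```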
- Data Interception:
While networks are expanding and software utilities are maturing, innovative methods of intrusion are also keeping pace. Making use of tools primarily used for troubleshooting networks, the intruder can literally intercept any data sent to or from a particular machine, almost at will. Today’s intruders can literally watch data scroll by, either by listening to data sent over the Ethernet, or by capturing every keystroke pressed. The ability to intercept data has led to more break-ins over the past few years than probably any other intruding capability.
- Ethernet Sniffing:
An intruder does not even need to have direct access to a target computer to gain access to data. All the intruder needs is access to the wires connecting the computer to the network, and he can employ a program known as a "sniffer". Computers that are part of a network are analogous to a rural telephone hooked into a party line. All computers on the network can access the data packets sent over the network. Sniffers use this access to find the desired information. The overall scope of their eavesdropping ability depends on the architecture of the network. Sniffers exist for almost every type of machine. UNIX versions usually require root access to work properly; however, even with root access, a tenacious administrator can detect this activity. PC versions require nothing apart from a working network interface. Therefore, they are unnoticeable and are more effective than UNIX versions.
- Keystroke Logging:
Several utilities exist to monitor keystrokes typed on a host. Some have been built into utilities to monitor data sent from the host via FTP or Telnet, while others buffer all keystrokes typed on various ttys associated with a host. On PCs, there are numerous programs that accomplish the same function by watching for any input on the keyboard and saving the keystrokes to a file. From the operator’s point of view, it is next to impossible to distinguish that this keystroke monitoring is taking place. However, on PCs this activity may be detected using the MEM command to review what TSRs are running on your machine.
- X-Windows Monitoring:
Many UNIX systems use a graphical interface known as X-Windows. There are a number of problems with X windows that allow attackers to block access to the server, execute unwanted commands on the server and capture input generated on the server. With a simple program that is available within the computer underground, an intruder can intercept and save to a file all keystrokes entered into an X-window session. When any Telnet or FTP session is executed from within an X-Window on a monitored system, an intruder can capture all user names and passwords.
- Modified Utilities:
Intruders continue to develop sophisticated attack techniques. In the past most modifications were limited to the login program where attackers would program in a "back-door" password to allow them unrestricted access to the system. This was accomplished by merely typing in a certain string upon initial login. However, today almost every authentication or identification utility running on the Internet has been modified at one time or another. Also, the availability of UNIX source code has made it even easier for people to alter utilities. The best modifications result in the exact same byte count as the unmodified versions, and may even return the same output as an unmodified version when compared using the strings utility. Today’s "back door" and other modified utilities ensure that system logs do not give them away. To counter this capability, UNIX environments use numerous system logs to keep track of events. Common logs include invalid login attempts, normal logins and logoffs, and executed commands. The UTMP file keeps track of all users currently logged into the system. The WTMP, or last log, keeps track of all times and dates users logged in and the times they logged out. Also, process accounting databases, usually named acct or pacct, keep track of all commands executed by individual users. However, all of these can be modified. For the intruder, proper modifications mean he is masked from commands such as who, last and lastcomm.
- Most Commonly modified UNIX utilities:
| Service | Description |
|---|---|
| login | The system login program |
| in.telnetd | The system daemon that allows incoming Telnet sessions. |
| in.ftpd | The system daemon that allows incoming FTP sessions. |
| netstat | The networking utility that shows all current net connections on a host. |
| ps | The utility that shows all currently running processes. |
| su | The switch user utility |
| finger | The general user information reporting tool |

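Since a modified utility can keep the same byte count as the original, comparing sizes is not enough; comparing a cryptographic checksum against a baseline recorded while the system was known to be clean does catch the change. The script below is an added example, not part of the original guide. The function names are constructed, and the two "utilities" in the demonstration are small constructed text files standing in for real binaries.

```shell
#!/bin/sh
# Added example: checksum baseline for utilities that are common targets.
# The demonstration files are constructed stand-ins, not real binaries.

# Use whichever SHA-256 tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print "<sha256> <bytes> <path>" for each file named on the command line.
# Keep the result off the host or on read-only media, and run the check with
# tools from trusted media, since local utilities may themselves be altered.
make_baseline() {
    for f in "$@"; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# usage: verify_baseline < baseline ; exit status 1 if anything differs
verify_baseline() {
    rc=0
    while read -r want_hash want_size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have_size=$(wc -c < "$path" | tr -d ' ')
        have_hash=$(hash_file "$path")
        if [ "$have_hash" != "$want_hash" ]; then
            if [ "$have_size" = "$want_size" ]; then
                echo "MODIFIED(same byte count) $path"   # a size check alone misses this
            else
                echo "MODIFIED $path"
            fi
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files.
demo_dir=$(mktemp -d)
printf 'login stand-in v1\n' > "$demo_dir/login"
printf 'ps stand-in v1\n'    > "$demo_dir/ps"
make_baseline "$demo_dir/login" "$demo_dir/ps" > "$demo_dir/baseline"
printf 'login stand-in vX\n' > "$demo_dir/login"    # same length, different bytes
verify_baseline < "$demo_dir/baseline" || echo "integrity check failed"
rm -rf "$demo_dir"
```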
UNIX is not the only vulnerable operating system. However, one can debate that it is the most vulnerable system based on its use of the C programming language (as opposed to other operating systems’ use of FORTRAN and COBOL). Many consider it to have the widest assortment of maliciously patched software currently running.