=============================================================================
SA-93:03A                       SERT Advisory                    31-May-1993
                            Suggested Login Banner
-----------------------------------------------------------------------------

On 7-May-1993, the Security Emergency Response Team released Advisory SA-93:03. Since then, it has been brought to our attention that the word "permission" could be considered ambiguous, as Unix file systems use "permission" bits to specify whether access is granted to a file or not.

Further advice from the Commonwealth Director of Public Prosecutions indicates:

    "'Permit' does seem to include a meaning of 'allow or let happen even by accident or carelessness'."

    "'Authority' or 'authorisation' suggest that someone has deliberately turned their mind to an action and formally approved that action."

    "In light of the fact that there does appear to be a difference in meaning between words 'permit or permission' and 'authority or authorisation' and the fact that computer scientists refer to 'permission' bits on Unix files, it does appear desirable that the words 'authority' or 'authorisation' be used instead of the word 'permission'."

Therefore, the Security Emergency Response Team has reissued SA-93:03 as SA-93:03A, taking into account the new recommendations. The new Advisory is included below.

-----------------------------------------------------------------------------
The SERT team wishes to thank Kate Lance at the University of Newcastle for bringing this problem to our attention.
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Body of SERT Advisory SA-93:03A
-----------------------------------------------------------------------------

The Security Emergency Response Team has received information that a successful prosecution of a computer cracker has taken place in New South Wales. The prosecution was aided by the use of an appropriate login banner.
The following is an extract from a letter by the Australian Federal Police:

    "A major factor, commented upon by the magistrate, was the repeated warning message displayed at logon to your system. Your agreement to implement this feature has certainly started to pay dividends and demonstrates a certain willingness to accept [that] tertiary institutions are not fair game."

A recommended login banner is:

----- Warning Message -----

***** This service is for authorised clients only *****

****************************************************************************
* WARNING: It is a criminal offence to:                                    *
*    i.  Obtain access to data without authority                           *
*        (Penalty 2 years imprisonment)                                    *
*    ii. Damage, delete, alter or insert data without authority            *
*        (Penalty 10 years imprisonment)                                   *
****************************************************************************

This example login banner was supplied to the Australian Federal Police by the office of the Commonwealth Director of Public Prosecutions.

Legal opinion from the Commonwealth Director of Public Prosecutions indicates that this warning will assist in prosecutions of computer crackers for two reasons:

    "The prosecution in a criminal case must show that the computer hacker's actions are intentional. It would be extremely difficult for a hacker to argue that his actions were by accident or inadvertent when he has to go past such a warning on the system."

    "A hacker may admit that his actions were intentional. However, upon his sentence, he may argue that he was ignorant of the law or that he was unaware that his actions were unauthorised, thereby inducing the court to mitigate the penalty that it imposes. If the above warning is used, it will be extremely difficult for a hacker to present such arguments."

SERT recommends the use of this, or similar, banners on ALL systems and access points into the network (such as a modem pool and ftp access).
This not only forewarns any crackers who may intrude into your system that certain types of activity are illegal, but also advises legitimate users of their obligations relating to acceptable use of the computer system.

The warning is deliberately general in nature, as at the time it is displayed it has not yet been established what type of crime (if any) has been committed. Subsequent prosecution may be performed under Federal or State law, or handled by local institution disciplinary procedures.

SERT recommends that any login banner or system initial message should not imply consent to use the computer services (e.g. words such as "greeting" or "welcome"), unless it is the express intention that any user is free to use the system, whether they are authorised or not.

You may wish to include some identification information (such as the hostname) so that genuine users know that they have connected to the correct system. For example, "You have connected to node FRED at The University of Wooloomooloo", followed by an appropriate warning message.

Example methods for setting login messages are:

VMS:
    Edit the file SYS$MANAGER:SYSTARTUP_V5.COM and include the line:

        $DEFINE/SYSTEM SYS$ANNOUNCE "@SYS$MANAGER:ANNOUNCE.TXT"

    then create the file SYS$MANAGER:ANNOUNCE.TXT with the text that you wish displayed when a user connects to your system.

    Note that this has implications for LAT, as the default service identification is the logical SYS$ANNOUNCE (which will translate to @SYS$MANAGER:ANNOUNCE.TXT). In this case, you should edit the LAT startup procedures to explicitly define a LAT service identification.

Unix:
    Edit the "message of the day" file (e.g. /etc/motd) and include the text that you wish displayed when a user logs in to your system.

This does not cover all ways to connect to a computer (e.g. rlogin, telnet, SET HOST, ftp), but serves as one point of warning in a number of cases.
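As an added example, not part of the SERT advisory, the following POSIX shell script installs the recommended banner (with the hostname line the advisory suggests) into a message-of-the-day file and audits the result against the advisory's two conditions: the "without authority" warning is present and no consent-implying word such as "welcome" or "greeting" appears. The function names, the optional target-path argument and the sample hostname are this example's own assumptions; /etc/motd is the path the advisory names.

```shell
#!/bin/sh
# Example code, not from the advisory. Installs the SA-93:03A banner into a
# message-of-the-day file and audits the file for the advisory's requirements.

# Compose the banner recommended in SA-93:03A, preceded by a hostname line so
# genuine users can confirm they reached the right system.
# $1 = node name to display, $2 = institution name (both caller-supplied).
make_banner() {
    cat <<EOF
You have connected to node $1 at $2

***** This service is for authorised clients only *****

****************************************************************************
* WARNING: It is a criminal offence to:                                    *
*    i.  Obtain access to data without authority                           *
*        (Penalty 2 years imprisonment)                                    *
*    ii. Damage, delete, alter or insert data without authority            *
*        (Penalty 10 years imprisonment)                                   *
****************************************************************************
EOF
}

# Audit a banner file. Returns 0 when it carries the authority warning and
# contains no consent-implying words; prints the reason and returns 1 otherwise.
audit_banner() {
    file=$1
    if ! grep -qi 'without authority' "$file"; then
        echo "$file: missing 'without authority' warning"
        return 1
    fi
    if grep -qiE 'welcome|greeting' "$file"; then
        echo "$file: contains a consent-implying word (welcome/greeting)"
        return 1
    fi
    return 0
}

# Write the banner to the message-of-the-day file.
# $1 = node name, $2 = institution, $3 = target path (assumed optional
# argument; defaults to /etc/motd, which needs root).
install_banner() {
    make_banner "$1" "$2" > "${3:-/etc/motd}"
}
```

Run `install_banner FRED "The University of Wooloomooloo"` as root to update /etc/motd, then `audit_banner /etc/motd` to confirm the file still meets both conditions after any later edits.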
Warnings such as this are a positive step towards providing adequate notice of the obligations and responsibilities relating to the use of the computer equipment. If a person is known to have seen the warning, they cannot subsequently claim ignorance of their responsibilities.

-----------------------------------------------------------------------------
The SERT team wishes to thank The University of Sydney, the University of South Australia, the Australian Federal Police, and the Commonwealth Director of Public Prosecutions for their advice and cooperation in this matter.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact SERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: sert@sert.edu.au
Facsimile:      (07) 365 4477
Telephone:      (07) 365 4417

SERT personnel answer during business hours (AEST).

Security Emergency Response Team
Prentice Centre
The University of Queensland
Qld. 4072.