Volume 16, Number 2, June 2000
By John Kodis
With computer security incidents on the rise and the high on-line profile of a site like NSSDCs, the National Space Science Data Center tends to draw its fair share of attention from computer hackers. Because of this NSSDCs systems administrators have taken several steps to help ensure the integrity of its computers and the data that they serve. While many of these activities involve "behind the scenes" changes that can be done solely by the systems administrators, others require the participation of the systems users.
One change that dramatically impacted all users was the expiration of all passwords on all of NSSDCs UNIX systems. Terri Shaffer handled the job of instructing users in the selection of robust passwords and reminding them of the NASA policy guidelines on password management that users should choose passwords that have at least eight characters and contain a combination of letters and numbers; nor should passwords be shared among users, and users should periodically change their passwords. Changing passwords also allowed systems administrators to weed out quickly accounts that had become inactive but that had not been deleted.
Most of the remaining security changes have had less impact on NSSDC's user community. Sean McKeown has upgraded several of NSSDC's Digital UNIX machines to use the latest set of security enhancements and is investigating the use of a set of C2-rated security features. Teresa Hall-Jackson has been keeping Building 28 UNIX machines up to the current patch level.
Jennifer Ash-Poole led the Web developers in performing a security audit of all the CGI scripts that were available on the NSSDC machine. As a result the center drastically reduced the number of scripts in use on this machine. While the Web developers were auditing their scripts, Jennifer also found ways to tighten the security of the Web server itself. As a result of this cooperation between Jennifer and the Web developers, NSSDC now has considerably better security in the highly visible Web services area.
One recent change that should provide greatly improved security, again with minimal impact on NSSDC's user community, was suggested by John Jacobi and quickly implemented. NSSDC's former policy for remote logins was to allow logins from anywhere with a few restrictions put in place as needed. NSSDC now restricts remote logins by default and sets up exceptions as required to allow legitimate users to continue to log in unhindered.
Finally, in the "future developments" category NSSDC is in the process of shifting users who wish access to its systems remotely from using Telnet to using ssh, the secure shell. The Telnet command, traditionally used to provide shell access to a remote system, has a fundamental problem: It passes all data including passwords and other sensitive information in "clear text." It is possible to capture this information by "snooping" on a Telnet session. To avoid this problem, a newer generation of protocol has been developed that encrypts all data transfers, rendering the communications immune to snooping.
NASA home page GSFC home page GSFC organizational page
Author: Miranda Beall