Computer Systems Security

Because of the nature of the research done at the Martinos Center, keeping security in mind is of utmost importance. All users should have a good understanding of the basic issues involved with account security, network security and data security.

Account Security

The first rule of computing systems security is:


This means others in your research group, your family and even the administrators in the IT Support Group. Occasionally in the latter case you may need an administrator to debug things with your account. In this case you should reset your password to a temporary password and share it only in person or by phone, NEVER BY EMAIL.

Every unique person using the computing systems at the Martinos Center needs to have their own account. This is very easy to get using the Account Request Form.

Other "best practices" include:

  • Setup your screensavers to lock your desktops
  • Change your password every six months or less
  • Use a different password at the Center than you do at other locations to minimize the damage if one gets compromised

It is important to note that if a malicious individual gains access to your account, it is more than your files on our systems that become exposed. Most likely they have write access to your group's files and the typical default is read access to all other accounts. Also, anyone who can get any kind of login on a computer then has many more vectors of exploitation to attempt in their hacker toolbox.

Malicious Email: Trojans and Phishing Scams

We often get questions from users wondering whether a suspicious piece of email is a scam of some sort. It nearly always is, which means your intuition about strange email from unknown addresses is usually correct. The most common scams involve asking you to open an attachment of some sort (this is a way of getting you to execute a "trojan horse" program which will try to take over your computer) or to send private information about an account you may have, either on a computer, or with an online retailer or bank. We try to block these emails before they reach you, but it is not possible for us to filter out all of them.

NMR staff will NEVER ask you for your password via an E-mail message. Anyone who does this or asks for any personal information is trying to perpetrate a crime of identity theft. DO NOT RESPOND TO SUCH E-MAIL, EVER. This form of attempted identity theft is refered to as phishing. The sender of the message is trying to steal your account or other personal information with which they can do other damage to whatever system that account and password controls or to the rest of your life. Any such E-mail asking for a password or personal information should be ignored.

Network Security

With the ever increasing tide of spam, viruses, worms, phish and other scams, it is extremely important to maintain proper defenses on all your computers whether they be workstations or laptops or running Windows, Linux or Mac OSX. On Windows machines it is especially important to be running an anti-virus and anti-spyware program as well as making sure your machine is kept up to date with security patches released by Microsoft. OSX is less of a target but running an anti-virus program is still recommened and keeping up to date with security fixes is still critical. The Linux systems at the Center are kept up to date by the IT Support Group, but if you have a Linux laptop, you should consult with the IT Support Group about how to best keep up to date.

Information on installing the McAfee anti-virus packages for Windows can be found here.

Data Access Security

Data Access Security concerns who has access to read and/or write your files. For the most part, access permissions work the same whether the files are local or mounted over a network system such as NFS. However, the mere fact data is available over a network makes it inherently less secure and this will be discussed in more detail later. Even for local only data, security is related to who can login to the computer where the data is stored, either locally or via remote methods such as ssh or even the Web.

It is important to note that NO NETWORK ACCESSIBLE DISK SPACE in the Martinos center is safe for HIPAA sensitive files.

Basic File Permissions

When dealing with file access security in UNIX, it is critical to have a good understanding of the standard permission settings. These are shown when using the -l option to the 'ls' command. For example:

$ ls -l drwxr-xr-x 2 raines raines 4096 Oct 7 13:29 hosts -rw-r--r-- 1 raines raines 129 Aug 16 08:44 NOTES -rw------- 1 raines raines 798 Jan 15 2003 private

The critical access information is in the first column of 10 characters which holds the permissions and the third and fourth columns that have a user (aka owner) and group name respectively.

The first characters of the permission settings is the file type. Mostly you will see either '-' for regular files or 'd' for directories. There are other possibilities that are beyond the scope of this intro. The next three characters are read, write and execute permissions for the owner. The next three characters after those are read, write and execute permissions for the group. Run the command groups to see what groups you are in. The final three characters are read, write and execute permissions for "other" (somtimes refered to as "world" but this just means anyone with a login to the system, not really anyone in the world).

An 'r' at the read permission position of any of the three categories means that category has read access. In the example above, all categories have read access to both the hosts directory and NOTES files while only the owner 'raines' has read access to private file. Read access to a directory means you can list (with 'ls') the files in it.

A 'w' at the write permission position of any of the three categories means that category has write access. In the example above, only the owner raines has write access to the given directory and files. Write access to a directory means you can create new files in it and also delete files it contains. IMPORTANT: This means the ability to delete a file is NOT controlled by the permissions on the file itself, but by the permissions of the directory it is in.

The execute permission position can actually have several values (besides the '-' meaning not set). Typically it is 'x' which for files means you can run that file as a program/script. For a directory, 'x' means you can change directory (i.e. 'cd') into it. You may sometimes see an 's' instead of 'x' which is an advanced feature called setuid/setgid. We will not discuss that here but it is vitally important to group file sharing for which I direct you to more information on our Group Permissions page.

Local login implications

No operating system is perfectly free of security holes. If someone can remotely login to your system and knows a security hole to exploit, they can get root access and then have complete access to the files no matter what the permissions settings. So if you have local data you have to keep extremely secure, you should ask us to put user login restrictions on your desktop so only a given set of users (maybe only you!) can login. By default, since we are an open academic environment here with lots of cross collaboration, new Linux boxes we setup have no user login restrictions.

Network mountable data implications

The primary method of network sharing of data in UNIX in NFS. This makes things much less secure as each machine in the network of trust depends on the "security" of every other machine. If someone breaks the security of just one of the machines (we have hundreds now), then they can bypass the file permissions. So to make any data extremely secure, you should not share data over the network. In certain case, we can have volumes share to a limited subset of other machines. This step is not something we want to do in general as it significantly adds to our administrative load. Also, though it makes things more secure, it is not a complete solution. If just one of the machines in the trusted subset is down, some knowledgeable hacker can bring up their laptop with that offline machine's IP address and then be inside the trusted group.

Because of this, it is important to note that NO NETWORK DISK SPACE in the Martinos center is safe for HIPAA sensitive files.

Contact the Webmaster