Network Working Group E. Guttman
Request for Comments: 2504 Sun Microsystems
FYI: 34 L. Leong
Category: Informational COLT Internet
G. Malkin
Bay Networks
February 1999
Network Working Group E. Guttman
Request for Comments: 2504 Sun Microsystems
FYI: 34 L. Leong
Category: Informational COLT Internet
G. Malkin
Bay Networks
February 1999
Users' Security Handbook
用户安全手册
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
Abstract
摘要
The Users' Security Handbook is the companion to the Site Security Handbook (SSH). It is intended to provide users with the information they need to help keep their networks and systems secure.
用户安全手册是站点安全手册(SSH)的配套手册。它旨在为用户提供他们需要的信息,以帮助他们保持网络和系统的安全。
Table of Contents
目录
Part One: Introduction . . . . . . . . . . . . . . . . . . . . 2
1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 3
Part Two: End-users in a centrally-administered network . . . 4
3. Watch Out! . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The Dangers of Downloading . . . . . . . . . . . . . . 4
3.2. Don't Get Caught in the Web . . . . . . . . . . . . . . 5
3.3. Email Pitfalls . . . . . . . . . . . . . . . . . . . . 6
3.4. Passwords . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. Viruses and Other Illnesses . . . . . . . . . . . . . . 7
3.6. Modems . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. Don't Leave Me... . . . . . . . . . . . . . . . . . . . 9
3.8. File Protections . . . . . . . . . . . . . . . . . . . 9
3.9. Encrypt Everything . . . . . . . . . . . . . . . . . . 10
3.10. Shred Everything Else . . . . . . . . . . . . . . . . . 10
3.11. What Program is This, Anyway? . . . . . . . . . . . . . 11
4. Paranoia is Good . . . . . . . . . . . . . . . . . . . . 11
Part Three: End-users self administering a networked computer 14
5. Make Your Own Security Policy . . . . . . . . . . . . . . 14
Part One: Introduction . . . . . . . . . . . . . . . . . . . . 2
1. READ.ME . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Wires have Ears . . . . . . . . . . . . . . . . . . . 3
Part Two: End-users in a centrally-administered network . . . 4
3. Watch Out! . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The Dangers of Downloading . . . . . . . . . . . . . . 4
3.2. Don't Get Caught in the Web . . . . . . . . . . . . . . 5
3.3. Email Pitfalls . . . . . . . . . . . . . . . . . . . . 6
3.4. Passwords . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. Viruses and Other Illnesses . . . . . . . . . . . . . . 7
3.6. Modems . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. Don't Leave Me... . . . . . . . . . . . . . . . . . . . 9
3.8. File Protections . . . . . . . . . . . . . . . . . . . 9
3.9. Encrypt Everything . . . . . . . . . . . . . . . . . . 10
3.10. Shred Everything Else . . . . . . . . . . . . . . . . . 10
3.11. What Program is This, Anyway? . . . . . . . . . . . . . 11
4. Paranoia is Good . . . . . . . . . . . . . . . . . . . . 11
Part Three: End-users self administering a networked computer 14
5. Make Your Own Security Policy . . . . . . . . . . . . . . 14
6. Bad Things Happen . . . . . . . . . . . . . . . . . . . . 15
6.1. How to Prepare for the Worst in Advance . . . . . . . . 15
6.2. What To Do if You Suspect Trouble . . . . . . . . . . . 16
6.3. Email . . . . . . . . . . . . . . . . . . . . . . . . . 17
7. Home Alone . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
7.2. Going Places . . . . . . . . . . . . . . . . . . . . . 19
7.3. Secure It! . . . . . . . . . . . . . . . . . . . . . . 20
8. A Final Note . . . . . . . . . . . . . . . . . . . . . . 20
Appendix: Glossary of Security Terms . . . . . . . . . . . . . 21
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security Considerations . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33
6. Bad Things Happen . . . . . . . . . . . . . . . . . . . . 15
6.1. How to Prepare for the Worst in Advance . . . . . . . . 15
6.2. What To Do if You Suspect Trouble . . . . . . . . . . . 16
6.3. Email . . . . . . . . . . . . . . . . . . . . . . . . . 17
7. Home Alone . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
7.2. Going Places . . . . . . . . . . . . . . . . . . . . . 19
7.3. Secure It! . . . . . . . . . . . . . . . . . . . . . . 20
8. A Final Note . . . . . . . . . . . . . . . . . . . . . . 20
Appendix: Glossary of Security Terms . . . . . . . . . . . . . 21
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security Considerations . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33
Part One: Introduction
第一部分:导言
This document provides guidance to the end-users of computer systems and networks about what they can do to keep their data and communication private, and their systems and networks secure. Part Two of this document concerns "corporate users" in small, medium and large corporate and campus sites. Part Three of the document addresses users who administer their own computers, such as home users.
本文件为计算机系统和网络的最终用户提供了关于如何保持其数据和通信私有以及其系统和网络安全的指导。本文件第二部分涉及小型、中型和大型企业及校园网站中的“企业用户”。本文档的第三部分介绍了管理自己计算机的用户,如家庭用户。
System and network administrators may wish to use this document as the foundation of a site-specific users' security guide; however, they should consult the Site Security Handbook first [RFC2196].
系统和网络管理员可能希望使用该文档作为站点特定用户的安全指南的基础;但是,他们应首先查阅现场安全手册[RFC2196]。
A glossary of terms is included in an appendix at the end of this document, introducing computer network security notions to those not familiar with them.
本文件末尾的附录中包含了术语表,向不熟悉计算机网络安全概念的人介绍了这些概念。
Before getting connected to the Internet or any other public network, you should obtain the security policy of the site that you intend to use as your access provider, and read it. A security policy is a formal statement of the rules by which users who are given access to a site's technology and information assets must abide. As a user, you are obliged to follow the policy created by the decision makers and administrators at your site.
在连接到Internet或任何其他公共网络之前,您应该获取您打算用作访问提供商的站点的安全策略,并阅读该策略。安全策略是一种正式的规则声明,允许访问站点技术和信息资产的用户必须遵守这些规则。作为用户,您有义务遵守您站点的决策者和管理员创建的策略。
A security policy exists to protect a site's hardware, software and data. It explains what the security goals of the site are, what users can and cannot do, what to do and who to contact when problems arise, and generally informs users what the "rules of the game" are.
安全策略用于保护站点的硬件、软件和数据。它解释了网站的安全目标是什么,用户可以做什么和不能做什么,在出现问题时做什么和联系谁,并通常告知用户“游戏规则”是什么。
It is a lot easier to eavesdrop on communications over data networks than to tap a telephone conversation. Any link between computers may potentially be insecure, as can any of the computers through which data flows. All information passing over networks may be eavesdropped on, even if you think "No one will care about this..."
窃听数据网络上的通信要比窃听电话对话容易得多。计算机之间的任何链接都可能不安全,数据流经的任何计算机也可能不安全。所有通过网络传递的信息都可能被窃听,即使你认为“没人会在意这个…”
Information passing over a network may be read not only by the intended audience but can be read by others as well. This can happen to personal Email and sensitive information that is accessed via file transfer or the Web. Please refer to the "Don't Get Caught in the Web" and "Email Pitfalls" sections for specific information on protecting your privacy.
通过网络传递的信息不仅可以被目标受众阅读,也可以被其他人阅读。这可能发生在通过文件传输或网络访问的个人电子邮件和敏感信息上。有关保护隐私的具体信息,请参阅“不要在网络中被抓到”和“电子邮件陷阱”部分。
As a user, your utmost concerns should, firstly, be to protect yourself against misuse of your computer account(s) and secondly, to protect your privacy.
作为一个用户,您最关心的应该是,首先,保护您自己不被滥用您的计算机帐户,其次,保护您的隐私。
Unless precautions are taken, every time you log in over a network, to any network service, your password or confidential information may be stolen. It may then be used to gain illicit access to systems you have access to. In some cases, the consequences are obvious: If someone gains access to your bank account, you might find yourself losing some cash, quickly. What is not so obvious is that services which are not financial in nature may also be abused in rather costly ways. You may be held responsible if your account is misused by someone else!
除非采取预防措施,否则每次通过网络登录到任何网络服务时,您的密码或机密信息都可能被盗。然后,它可能被用来非法访问您所访问的系统。在某些情况下,后果是显而易见的:如果有人进入你的银行账户,你可能会发现自己很快失去一些现金。不太明显的是,非金融性质的服务也可能以相当昂贵的方式被滥用。如果您的帐户被其他人滥用,您可能要承担责任!
Many network services involve remote log in. A user is prompted for his or her account ID (ie. user name) and password. If this information is sent through the network without encryption, the message can be intercepted and read by others. This is not really an issue when you are logging in to a "dial-in" service where you make a connection via telephone and log in, say to an online service provider, as telephone lines are more difficult to eavesdrop on than Internet communications.
许多网络服务都涉及远程登录。系统会提示用户输入其帐户ID(即用户名)和密码。如果此信息通过网络发送而未加密,则其他人可能会截获和读取此消息。当您登录到“拨号”服务时,这并不是一个真正的问题,在该服务中,您通过电话建立连接并登录,例如登录到在线服务提供商,因为电话线比互联网通信更难被窃听。
The risk is there when you are using programs to log in over a network. Many popular programs used to log in to services or to transfer files (such as telnet and ftp, respectively) send your user name and password and then your data over the network without encrypting them.
使用程序通过网络登录时存在风险。许多用于登录服务或传输文件的流行程序(分别为telnet和ftp)在不加密的情况下通过网络发送用户名和密码,然后发送数据。
The precaution commonly taken against password eavesdropping by larger institutions, such as corporations, is to use one-time password systems.
大型机构(如公司)通常采取的防范密码窃听的措施是使用一次性密码系统。
Until recently, it has been far too complicated and expensive for home systems and small businesses to employ secure log in systems. However, an increasing number of products enable this to be done without fancy hardware, using cryptographic techniques. An example of such a technique is Secure Shell [SSH], which is both freely and commercially available for a variety of platforms. Many products (including SSH-based ones) also allow data to be encrypted before it is passed over the network.
直到最近,对于家庭系统和小型企业来说,使用安全登录系统过于复杂和昂贵。然而,越来越多的产品使用密码技术,在没有花哨硬件的情况下实现了这一点。这种技术的一个例子是SecureShell[SSH],它可以在各种平台上免费和商用。许多产品(包括基于SSH的产品)还允许在数据通过网络之前对其进行加密。
Part Two: End-users in a centrally-administered network
第二部分:集中管理网络中的最终用户
The following rules of thumb provide a summary of the most important pieces of advice discussed in Part Two of this document:
以下经验法则总结了本文件第二部分中讨论的最重要的建议:
- Know who your security point-of-contact is. - Keep passwords secret at all times. - Use a password-locked screensaver or log out when you leave your desk. - Don't let simply anyone have physical access to your computer or your network. - Be aware what software you run and very wary of software of unknown origin. Think hard before you execute downloaded software. - Do not panic. Consult your security point-of-contact, if possible, before spreading alarm. - Report security problems as soon as possible to your security point-of-contact.
- 知道你的安全联系人是谁。-始终对密码保密。-使用密码锁定的屏幕保护程序,或在离开办公桌时注销。-不要让任何人直接访问您的计算机或网络。-请注意您运行的软件,并对来历不明的软件保持高度警惕。在执行下载的软件之前,请仔细考虑。-不要惊慌。如有可能,在发出警报之前,请咨询您的安全联系人。-尽快向您的安全联系人报告安全问题。
An ever expanding wealth of free software has become available on the Internet. While this exciting development is one of the most attractive aspects of using public networks, you should also exercise caution. Some files may be dangerous. Downloading poses the single greatest risk.
越来越多的自由软件可以在互联网上使用。虽然这一令人兴奋的发展是使用公共网络最吸引人的方面之一,但你也应该谨慎行事。有些文件可能很危险。下载是最大的风险。
Be careful to store all downloaded files so that you will remember their (possibly dubious) origin. Do not, for example, mistake a downloaded program for another program just because they have the same name. This is a common tactic to fool users into activating programs they believe to be familiar but could, in fact, be dangerous.
请小心存储所有下载的文件,以便记住它们(可能可疑)的来源。例如,不要仅仅因为一个下载的程序与另一个程序同名而将其误认为是另一个程序。这是一种常见的策略,可以欺骗用户激活他们认为熟悉但实际上可能很危险的程序。
Programs can use the network without making you aware of it. One thing to keep in mind is that if a computer is connected, any program has the capability of using the network, with or without informing you. Say, for example:
程序可以使用网络而不让您意识到它。需要记住的一点是,如果连接了计算机,任何程序都可以使用网络,无论是否通知您。比如说:
You download a game program from an anonymous FTP server. This appears to be a shoot-em-up game, but unbeknownst to you, it transfers all your files, one by one, over the Internet to a cracker's machine!
您可以从匿名FTP服务器下载游戏程序。这似乎是一个射击游戏,但你不知道,它传输所有的文件,一个接一个,通过互联网到一个饼干的机器!
Many corporate environments explicitly prohibit the downloading and running of software from the Internet.
许多公司环境明确禁止从Internet下载和运行软件。
The greatest risk when web browsing is downloading files. Web browsers allow any file to be retrieved from the Internet. See "The Dangers of Downloading".
网络浏览的最大风险是下载文件。Web浏览器允许从Internet检索任何文件。请参阅“下载的危险”。
Web browsers are downloading files even when it is not entirely obvious. Thus, the risk posed by downloading files may be present even if you do not actively go out and retrieve files overtly. Any file which you have loaded over the network should be considered possibly dangerous (even files in the web browser's cache). Do not execute them by accident, as they may be malicious programs. (Remember, programs are files, too. You may believe you have downloaded a text file, when in fact it is a Trojan Horse program, script, etc.)
网络浏览器正在下载文件,即使它不是很明显。因此,即使您不主动出去公开检索文件,下载文件所带来的风险也可能存在。通过网络加载的任何文件都可能被认为是危险的(即使是web浏览器缓存中的文件)。不要意外地执行它们,因为它们可能是恶意程序。(请记住,程序也是文件。您可能认为您下载了一个文本文件,而实际上它是特洛伊木马程序、脚本等。)
Web browsers may download and execute programs on your behalf, either automatically or after manual intervention. You may disable these features. If you leave them enabled, be sure that you understand the consequences. You should read the security guide which accompanies your web browser as well as the security policy of your company. You should be aware that downloaded programs may be risky to execute on your machine. See "What program is this, anyway?".
Web浏览器可以自动或在手动干预后代表您下载和执行程序。您可以禁用这些功能。如果让它们处于启用状态,请确保您了解其后果。您应该阅读web浏览器附带的安全指南以及公司的安全策略。您应该知道,在您的计算机上执行下载的程序可能有风险。看看“这到底是什么程序?”。
Web pages often include forms. Be aware that, as with Email, data sent from a web browser to a web server is not secure. Several mechanisms have been created to prevent this, most notably Secure Sockets Layer [SSL]. This facility has been built into many web browsers. It encrypts data sent between the user's web browser and the web server so no one along the way can read it.
网页通常包含表单。请注意,与电子邮件一样,从web浏览器发送到web服务器的数据不安全。已经创建了几种机制来防止这种情况,最著名的是安全套接字层[SSL]。该功能已内置于许多web浏览器中。它对在用户的web浏览器和web服务器之间发送的数据进行加密,因此沿途没有人可以读取。
It is possible that a web page will appear to be genuine, but is, in fact, a forgery. It is easy to copy the appearance of a genuine web page and possible to subvert the network protocols which contact the desired web server, to misdirect a web browser to an imposter.
网页可能看起来是真实的,但实际上是伪造的。复制真实网页的外观很容易,并且可能破坏与所需web服务器联系的网络协议,将web浏览器错误地指向冒名顶替者。
That threat may be guarded against using SSL to verify if a web page is genuine. When a 'secure' page has been downloaded, the web browser's 'lock' or 'key' will indicate so. It is good to double-check this: View the 'certificate' associated with the web page you have accessed. Each web browser has a different way to do this. The certificate will list the certificate's owner and who issued it. If these look trustworthy, you are probably OK.
使用SSL来验证网页是否真实,可以防止这种威胁。下载“安全”页面后,web浏览器的“锁定”或“密钥”将显示安全页面。最好再次检查:查看与您访问的网页相关联的“证书”。每个web浏览器都有不同的方法来实现这一点。证书将列出证书的所有者和颁发者。如果这些看起来值得信赖,你可能就没事了。
All the normal concerns apply to messages received via Email that you could receive any other way. For example, the sender may not be who he or she claims to be. If Email security software is not used, it is very difficult to determine for sure who sent a message. This means that Email itself is a not a suitable way to conduct many types of business. It is very easy to forge an Email message to make it appear to have come from anyone.
所有正常的问题都适用于通过电子邮件接收的消息,您可以通过任何其他方式接收这些消息。例如,发件人可能不是他或她自称的人。如果未使用电子邮件安全软件,则很难确定是谁发送了邮件。这意味着电子邮件本身不是开展多种业务的合适方式。伪造一封电子邮件,让它看起来像是来自任何人,这是非常容易的。
Another security issue you should consider when using Email is privacy. Email passes through the Internet from computer to computer. As the message moves between computers, and indeed as it sits in a user's mailbox waiting to be read, it is potentially visible to others. For this reason, it is wise to think twice before sending confidential or extremely personal information via Email. You should never send credit card numbers and other sensitive data via unprotected Email. Please refer to "The Wires Have Ears".
在使用电子邮件时,你应该考虑的另一个安全问题是隐私。电子邮件通过因特网从一台计算机传到另一台计算机。当消息在计算机之间移动时,实际上,当它位于用户的邮箱中等待读取时,其他人可能会看到它。因此,在通过电子邮件发送机密或极为私人的信息之前,明智的做法是三思而后行。你不应该通过不受保护的电子邮件发送信用卡号和其他敏感数据。请参阅“电线有耳”。
To cope with this problem, there are privacy programs available, some of which are integrated into Email packages.
为了解决这个问题,有一些隐私程序可用,其中一些被集成到电子邮件包中。
One service many Email users like to use is Email forwarding. This should be used very cautiously. Imagine the following scenario:
许多电子邮件用户喜欢使用的一项服务是电子邮件转发。这应该非常谨慎地使用。想象一下以下场景:
A user has an account with a private Internet Service Provider and wishes to receive all her Email there. She sets it up so that her Email at work is forwarded to her private address. All the Email she would receive at work then moves across the Internet until it reaches her private account. All along the way, the Email is vulnerable to being read. A sensitive Email message sent to her at work could be read by a network snoop at any of the many stops along the way the Email takes.
用户在私人互联网服务提供商处拥有一个帐户,并希望在那里接收她的所有电子邮件。她将其设置为将工作中的电子邮件转发到她的私人地址。她在工作中收到的所有电子邮件都会在互联网上移动,直到到达她的私人帐户。一直以来,电子邮件都很容易被阅读。她在工作时收到的一封敏感邮件,在邮件发送过程中的任何一站都可以被网络窥探者看到。
Note that Email sent or received at work may not be private. Check with your employer, as employers may (in some instances) legally both read your Email and make use of it. The legal status of Email depends on the privacy of information laws in force in each country.
请注意,在工作中发送或接收的电子邮件可能不是私人的。与你的雇主核实一下,因为雇主可能(在某些情况下)合法地阅读和使用你的电子邮件。电子邮件的法律地位取决于各国现行的信息隐私法。
Many mail programs allow files to be included in Email messages. The files which come by Email are files like any other. Any way in which a file can find its way onto a computer is possibly dangerous. If the attached file is merely a text message, fine. But it may be more than a text message. If the attached file is itself a program or an executable script, extreme caution should be applied before running it. See the section entitled "The Dangers of Downloading".
许多邮件程序允许在电子邮件中包含文件。通过电子邮件发送的文件与其他文件一样。文件以任何方式进入计算机都可能是危险的。如果附带的文件只是一条短信,可以。但它可能不仅仅是一条短信。如果所附文件本身是程序或可执行脚本,则在运行它之前应格外小心。见题为“下载的危险”一节。
Passwords may be easily guessed by an intruder unless precautions are taken. Your password should contain a mixture of numbers, upper and lower case letters, and punctuation. Avoid all real words in any language, or combinations of words, license plate numbers, names and so on. The best password is a made-up sequence (e.g., an acronym from a phrase you won't forget), such as "2B*Rnot2B" (but don't use this password!).
除非采取预防措施,否则入侵者很容易猜到密码。您的密码应该包含数字、大小写字母和标点符号。避免使用任何语言中的所有真实单词,或单词、车牌号、姓名等的组合。最好的密码是一个虚构的序列(例如,一个你不会忘记的短语的首字母缩略词),例如“2B*Rnot2B”(但不要使用此密码!)。
Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. You should change your passwords periodically.
抵制写下密码的诱惑。如果你记得的话,就把它随身带着,直到你记起来,然后把它撕碎!切勿将密码贴在终端上或写在白板上。你不会在自动取款机(ATM)卡上写你的PIN码吧?对于不同的帐户,您应该有不同的密码,但密码不要太多,以至于您无法记住它们。您应该定期更改密码。
You should also NEVER save passwords in scripts or login procedures as these could be used by anyone who has access to your machine.
您也不应该在脚本或登录过程中保存密码,因为有权访问您机器的任何人都可能使用这些密码。
Be certain that you are really logging into your system. Just because a login prompt appears and asks you for your password does not mean you should enter it. Avoid unusual login prompts and immediately report them to your security point-of-contact. If you notice anything strange upon logging in, change your password.
确保您真正登录到您的系统。登录提示出现并要求您输入密码并不意味着您应该输入密码。避免出现异常登录提示,并立即向您的安全联系人报告。如果您在登录时发现任何奇怪的情况,请更改您的密码。
Unless precautions have been taken to encrypt your password when it is sent over the network, you should, if possible, use "one-time passwords" whenever you log in to a system over a network. (Some applications take care of that for you.) See "The Wires Have Ears" for more information on the risks associated with logging in over a network.
除非已采取预防措施在通过网络发送密码时对其进行加密,否则在可能的情况下,无论何时通过网络登录到系统,都应使用“一次性密码”。(某些应用程序会为您解决这一问题。)有关通过网络登录的风险的更多信息,请参阅“电线有耳朵”。
Viruses are essentially unwanted pieces of software that find their way onto a computer. What the virus may do once it has entered its host, depends on several factors: What has the virus been programmed to do? What part of the computer system has the virus attacked?
病毒本质上是不需要的软件碎片,它们会进入计算机。病毒一旦进入宿主后会做什么取决于几个因素:病毒被编程做了什么?病毒攻击了计算机系统的哪个部分?
Some viruses are 'time bombs' which activate only when given a particular condition, such as reaching a certain date. Others remain latent in the system until a particular afflicted program is activated. There are still others which are continually active, exploiting every opportunity to do mischief. A subtle virus may simply modify a system's configuration, then hide.
有些病毒是“定时炸弹”,只有在特定条件下才会激活,例如到达特定日期。在激活某个特定的受影响程序之前,其他程序仍潜伏在系统中。还有一些人不断地活跃起来,利用每一个机会做坏事。一个微妙的病毒可能只是修改系统的配置,然后隐藏。
Be cautious about what software you install on your system. Use software from "trusted sources", if possible. Check your site policy before installing any software: Some sites only allow administrators to install software to avoid security and system maintenance problems.
对系统上安装的软件要谨慎。如有可能,使用“可靠来源”的软件。在安装任何软件之前,请检查您的站点策略:某些站点仅允许管理员安装软件,以避免安全和系统维护问题。
Centrally-administered sites have their own policy and tools for dealing with the threat of viruses. Consult your site policy or find out from your systems administrator what the correct procedures are to stay virus free.
中央管理的站点有自己的策略和工具来应对病毒威胁。请咨询您的站点策略或向系统管理员了解保持无病毒的正确步骤。
You should report it if a virus detection tool indicates that your system has a problem. You should notify your site's systems administrators as well as the person you believe passed the virus to you. It is important to remain calm. Virus scares may cause more delay and confusion than an actual virus outbreak. Before announcing the virus widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of technically-competent personnel.
如果病毒检测工具显示您的系统有问题,您应该报告。您应该通知站点的系统管理员以及您认为将病毒传染给您的人。保持冷静很重要。病毒恐慌可能比实际的病毒爆发造成更多的延迟和混乱。在广泛公布病毒之前,请确保在技术合格人员的协助下,使用病毒检测工具(如果可能)验证病毒的存在。
Trojan Horse programs and worms are often categorized with viruses. Trojan Horse programs are dealt with in the "What Program is This, Anyway?" section. For the purposes of this section, worms should be considered a type of virus.
特洛伊木马程序和蠕虫通常被归类为病毒。特洛伊木马程序在“这到底是什么程序?”一节中介绍。就本节而言,蠕虫应被视为一种病毒。
You should be careful when attaching anything to your computer, and especially any equipment which allows data to flow. You should get permission before you connect anything to your computer in a centrally-administered computing environment.
在将任何东西连接到计算机上时,尤其是连接任何允许数据流动的设备时,应小心。在集中管理的计算环境中,在将任何内容连接到计算机之前,您应该获得许可。
Modems present a special security risk. Many networks are protected by a set of precautions designed to prevent a frontal assault from public networks. If your computer is attached to such a network, you must exercise care when also using a modem. It is quite possible to use the modem to connect to a remote network while *still* being connected to the 'secure' net. Your computer can now act as a hole in your network's defenses. Unauthorized users may be able to get onto your organization's network through your computer!
调制解调器存在特殊的安全风险。许多网络受到一系列预防措施的保护,这些预防措施旨在防止来自公共网络的正面攻击。如果您的计算机连接到这样的网络,在使用调制解调器时必须小心。当*仍然*连接到“安全”网络时,很可能使用调制解调器连接到远程网络。您的计算机现在可以充当网络防御中的一个漏洞。未经授权的用户可以通过您的计算机进入您组织的网络!
Be sure you know what you are doing if you leave a modem on and set up your computer to allow remote computers to dial in. Be sure you use all available security features correctly. Many modems answer calls by default. You should turn auto-answer off unless you are prepared to have your computer respond to callers. Some 'remote access' software requires this. Be sure to turn on all the security features of your 'remote access' software before allowing your computer to be accessed by phone.
Be sure you know what you are doing if you leave a modem on and set up your computer to allow remote computers to dial in. Be sure you use all available security features correctly. Many modems answer calls by default. You should turn auto-answer off unless you are prepared to have your computer respond to callers. Some 'remote access' software requires this. Be sure to turn on all the security features of your 'remote access' software before allowing your computer to be accessed by phone.translate error, please retry
Note that having an unlisted number will not protect you from someone breaking into your computer via a phone line. It is very easy to probe many phone lines to detect modems and then launch attacks.
请注意,拥有一个未列出的号码并不能保护您免受有人通过电话线闯入您的计算机。探测许多电话线以检测调制解调器然后发起攻击是非常容易的。
3.7 Don't Leave Me...
3.7 不要离开我。。。
Do not leave a terminal or computer logged in and walk away. Use password-locked screensavers whenever possible. These can be set up so that they activate after the computer has been idle for a while.
不要让终端或计算机登录,然后走开。尽可能使用密码锁定的屏幕保护程序。这些可以设置为在计算机闲置一段时间后激活。
Sinister as it may seem, someone coming around to erase your work is not uncommon. If you remained logged in, anyone can come by and perform mischief for which you may be held accountable. For example, imagine the trouble you could be in for if nasty Email were sent to the president of your company in your name, or your account were used to transfer illegal pornography.
尽管看起来很邪恶,但有人过来抹掉你的作品并不罕见。如果您保持登录状态,任何人都可以过来进行恶作剧,您可能要为此负责。例如,想象一下,如果你以你的名义向公司总裁发送了恶意电子邮件,或者你的帐户被用来传输非法色情内容,你可能会遇到什么麻烦。
Anyone who can gain physical access to your computer can almost certainly break into it. Therefore, be cautious regarding who you allow access to your machine. If physically securing your machine is not possible, it is wise to encrypt your data files kept on your local hard disk. If possible, it is also wise to lock the door to one's office where the computer is stored.
任何人只要能物理访问你的电脑,几乎肯定能闯入你的电脑。因此,对于允许谁访问您的机器,请谨慎。如果无法对计算机进行物理保护,则明智的做法是加密保存在本地硬盘上的数据文件。如果可能的话,锁上存放电脑的办公室的门也是明智的。
Data files and directories on shared systems or networked file systems require care and maintenance. There are two categories of such systems:
共享系统或网络文件系统上的数据文件和目录需要维护。此类系统分为两类:
- Files to share
- 要共享的文件
Shared files may be visible to everyone or to a restricted group of other users. Each system has a different way of specifying this. Learn how to control sharing permissions of files and implement such control without fail.
共享文件可能对所有人或受限制的其他用户组可见。每个系统都有不同的指定方法。了解如何控制文件的共享权限,并成功实施此类控制。
- Protected files
- 受保护文件
These include files that only you should have access to, but which are also available to anyone with system administrator privileges. An example of this are files associated with the delivery of Email. You don't want other users to read your Email, so make sure such files have all the necessary file permissions set accordingly.
这些文件包括只有您有权访问的文件,但任何具有系统管理员权限的人都可以访问这些文件。这方面的一个例子是与电子邮件传递相关的文件。您不希望其他用户阅读您的电子邮件,因此请确保这些文件具有相应的所有必要文件权限。
Additionally, there are files that are private. You may have files which you do not wish anyone else to have access to. In this case, it is prudent to encrypt the file. This way, even if your network is broken into or the systems administrator turns into Mr. Hyde, your confidential information will not be available. Encryption is also very important if you share a computer. For example, a home computer may be shared by room mates who are friends but prefer to keep their Email and financial information private. Encryption allows for shared yet private usage.
此外,还有一些文件是私有的。您可能有您不希望其他人访问的文件。在这种情况下,对文件进行加密是谨慎的。这样,即使您的网络被入侵或系统管理员变成海德先生,您的机密信息也将不可用。如果您共享一台计算机,加密也非常重要。例如,一台家庭电脑可能由室友共享,他们是朋友,但更愿意将电子邮件和财务信息保密。加密允许共享但私有的使用。
Before you encrypt files, you should check your site's security policy. Some employers and countries expressly forbid or restrict the storing and/or transferring of encrypted files.
在加密文件之前,您应该检查站点的安全策略。一些雇主和国家明确禁止或限制存储和/或传输加密文件。
Be careful with the passwords or keys you use to encrypt files. Locking them away safely not only helps to keep them from prying eyes but it will help you keep them secure too; for if you lose them, you will lose your ability to decrypt your data as well! It may be wise to save more than one copy. This may even be required, if your company has a key escrow policy, for example. This protects against the possibility that the only person knowing a pass phrase may leave the company or be struck by lightning.
使用密码或密钥加密文件时要小心。把它们安全地锁起来,不仅有助于防止它们被窥探,而且也有助于确保它们的安全;因为如果你丢失了它们,你也将失去解密数据的能力!保存多个副本可能是明智的。例如,如果您的公司有密钥托管政策,甚至可能需要这样做。这可以防止唯一知道密码的人可能离开公司或被闪电击中。
Whilst encryption programs are readily available, it should be noted that the quality can vary widely. PGP (which stands for "Pretty Good Privacy") for example, offers a strong encryption capability. Many common software applications include the capability to encrypt data. The encryption facilities in these are typically very weak.
虽然加密程序随时可用,但应注意的是,质量可能会有很大差异。例如,PGP(相当好的隐私)提供了强大的加密功能。许多常见的软件应用程序都具有加密数据的功能。这些国家的加密设施通常非常薄弱。
You should not be intimidated by encryption software. Easy-to-use software is being made available.
你不应该被加密软件吓倒。易于使用的软件正在提供。
You would be surprised what gets thrown away into the waste-paper basket: notes from meetings, old schedules, internal phone lists, computer program listings, correspondence with customers and even
你会惊讶地发现那些被扔进废纸篓的东西:会议记录、旧日程安排、内部电话清单、计算机程序清单、与客户的通信,甚至
market analyses. All of these would be very valuable to competitors, recruiters and even an overzealous (hungry?) journalist looking for a scoop. The threat of dumpster diving is real - take it seriously! Shred all potentially useful documents before discarding them.
市场分析。所有这些对于竞争对手、招聘人员,甚至是一个寻找独家新闻的狂热记者来说都是非常有价值的。垃圾桶潜水的威胁是真实的-认真对待!将所有可能有用的文档切碎后再丢弃。
You should also be aware that deleting a file does not erase it in many cases. The only way to be sure that an old hard disk does not contain valuable data may be to reformat it.
您还应该知道,在许多情况下,删除文件并不会删除它。确保旧硬盘不包含有价值数据的唯一方法可能是重新格式化它。
Programs have become much more complex in recent years. They are often extensible in ways which may be dangerous. These extensions make applications more flexible, powerful and customizable. They also open the end-user up to all sorts of risks.
近年来,项目变得更加复杂。它们通常以危险的方式扩展。这些扩展使应用程序更加灵活、强大和可定制。它们还让最终用户面临各种风险。
- A program may have "plug-in" modules. You should not trust the plug-ins simply because you are used to trusting the programs they plug into. For example: Some web pages suggest that the user download a plug-in to view or use some portion of the web page's content. Consider: What is this plug-in? Who wrote it? Is it safe to include it in your web browser?
- 一个程序可能有“插件”模块。您不应该仅仅因为习惯于信任插件插入的程序就信任插件。例如:一些网页建议用户下载插件以查看或使用网页内容的某些部分。思考:这个插件是什么?谁写的?将其包含在web浏览器中是否安全?
- Some files are "compound documents". This means that instead of using one single program, it will be necessary to run several programs in order to view or edit a document. Again, be careful of downloading application components. Just because they integrate with products which are well-known does not mean that they can be trusted. Say, you receive an Email message which can only be read if you download a special component. This component could be a nasty program which wipes out your hard drive!
- 有些文件是“复合文档”。这意味着,为了查看或编辑文档,需要运行多个程序,而不是使用单个程序。同样,下载应用程序组件时要小心。仅仅因为它们与众所周知的产品相结合并不意味着它们可以被信任。比如说,您收到一封电子邮件,只有在您下载一个特殊组件时才能阅读。这个组件可能是一个肮脏的程序,它会毁掉你的硬盘!
- Some programs are downloaded automatically when accessing web pages. While there are some safeguards to make sure that these programs may be used safely, there have been security flaws discovered in the past. For this reason, some centrally-administered sites require that certain web browser capabilities be turned off.
- 有些程序在访问网页时会自动下载。虽然有一些安全措施可以确保这些程序可以安全使用,但过去也发现了一些安全缺陷。因此,一些集中管理的网站要求关闭某些web浏览器功能。
Many people do not realize it, but social engineering is a tool which many intruders use to gain access to computer systems. The general impression that people have of computer break-ins is that they are the result of technical flaws in computer systems which the intruders have exploited. People also tend to think that break-ins are purely technical. However, the truth is that social engineering plays a big
许多人没有意识到这一点,但社会工程是许多入侵者用来访问计算机系统的工具。人们对计算机入侵的总体印象是,它们是入侵者利用计算机系统中的技术缺陷造成的。人们还倾向于认为入室盗窃纯粹是技术性的。然而,事实是,社会工程起着很大的作用
part in helping an attacker slip through security barriers. This often proves to be an easy stepping-stone onto the protected system if the attacker has no authorized access to the system at all.
帮助攻击者通过安全屏障。如果攻击者根本没有经过授权的系统访问权限,这通常被证明是进入受保护系统的一块容易的垫脚石。
Social engineering may be defined, in this context, as the act of gaining the trust of legitimate computer users to the point where they reveal system secrets or help someone, unintentionally, to gain unauthorized access to their system(s). Using social engineering, an attacker may gain valuable information and/or assistance that could help break through security barriers with ease. Skillful social engineers can appear to be genuine but are really full of deceit.
在这种情况下,社会工程可以定义为获得合法计算机用户信任的行为,直到他们泄露系统机密或无意中帮助他人获得对其系统的未经授权访问。通过使用社会工程,攻击者可以获得有价值的信息和/或帮助,帮助轻松突破安全壁垒。熟练的社会工程师可能看起来是真实的,但实际上充满了欺骗。
Most of the time, attackers using social enginering work via telephone. This not only provides a shield for the attacker by protecting his or her identity, it also makes the job easier because the attacker can claim to be a particular someone with more chances of getting away with it.
大多数时候,攻击者通过电话使用社会工程工作。这不仅可以通过保护攻击者的身份为其提供保护,还可以使工作更轻松,因为攻击者可以声称自己是某个特定的人,有更多的机会逃脱惩罚。
There are several types of social engineering. Here are a few examples of the more commonly-used ones:
有几种类型的社会工程。以下是一些更常用的示例:
- An attacker may pretend to be a legitimate end-user who is new to the system or is simply not very good with computers. This attacker may approach systems administrators and other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs to access the system urgently. Attackers have also been known to identify themselves as some VIP in the company, screaming at administrators to get what they want. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands.
- 攻击者可能会假装是合法的最终用户,对系统不熟悉,或者根本不擅长使用计算机。此攻击者可能会向系统管理员和其他最终用户寻求帮助。该“用户”可能丢失了密码,或者根本无法登录系统,需要紧急访问系统。攻击者也被认为是公司中的一些重要人物,他们向管理员尖叫,要求得到他们想要的东西。在这种情况下,管理员(或者可能是最终用户)可能会感到受到呼叫者权限的威胁,并屈服于要求。
- Attackers who operate via telephone calls may never even have seen the screen display on your system before. In such cases, the trick attackers use is to make details vague, and get the user to reveal more information on the system. The attacker may sound really lost so as to make the user feel that he is helping a damsel in distress. Often, this makes people go out their way to help. The user may then reveal secrets when he is off-guard.
- 通过电话进行操作的攻击者以前可能从未见过系统上的屏幕显示。在这种情况下,攻击者使用的伎俩是使细节模糊,并让用户透露有关系统的更多信息。攻击者可能听起来真的迷失了方向,从而让用户觉得他在帮助一个陷入困境的少女。通常,这会让人们不遗余力地提供帮助。用户可能会在失去警惕时泄露秘密。
- An attacker may also take advantage of system problems that have come to his attention. Offering help to a user is an effective way to gain the user's trust. A user who is frustrated with problems he is facing will be more than happy when someone comes to offer some help. The attacker may come disguised as the systems administrator or maintenance technician. This attacker will often gain valuable information because the user thinks that it is alright to reveal secrets to technicians. Site visits may
- 攻击者还可能利用其注意到的系统问题。向用户提供帮助是获得用户信任的有效途径。当有人来提供帮助时,对自己面临的问题感到沮丧的用户会非常高兴。攻击者可能伪装成系统管理员或维护技术人员。该攻击者通常会获得有价值的信息,因为用户认为向技术人员泄露秘密是可以的。可进行实地考察
pose a greater risk to the attacker as he may not be able to make an easy and quick get-away, but the risk may bring fruitful returns if the attacker is allowed direct access to the system by the naive user.
对攻击者造成更大的风险,因为他可能无法轻松快速地逃脱,但如果天真的用户允许攻击者直接访问系统,则该风险可能带来丰厚的回报。
- Sometimes, attackers can gain access into a system without prior knowledge of any system secret nor terminal access. In the same way that one should not carry someone else's bags through Customs, no user should key in commands on someone's behalf. Beware of attackers who use users as their own remotely-controlled fingers to type commands on the user's keyboard that the user does not understand, commands which may harm the system. These attackers will exploit system software bugs and loopholes even without direct access to the system. The commands keyed in by the end-user may bring harm to the system, open his own account up for access to the attacker or create a hole to allow the attacker entry (at some later time) into the system. If you are not sure of the commands you have been asked to key in, do not simply follow instructions. You never know what and where these could lead to...
- 有时,攻击者可以在事先不知道任何系统机密或终端访问的情况下访问系统。正如不应携带他人的行李通过海关一样,任何用户都不应代表他人输入命令。谨防攻击者将用户用作自己的远程控制手指,在用户键盘上键入用户不理解的命令,这些命令可能会损害系统。即使没有直接访问系统,这些攻击者也会利用系统软件缺陷和漏洞进行攻击。最终用户键入的命令可能会对系统造成伤害,打开自己的帐户以供攻击者访问,或者创建一个漏洞以允许攻击者(稍后)进入系统。如果您不确定要求您输入的命令,请不要简单地按照说明操作。你永远不知道这些会导致什么和哪里。。。
To guard against becoming a victim of social engineering, one important thing to remember is that passwords are secret. A password for your personal account should be known ONLY to you. The systems administrators who need to do something to your account will not require your password. As administrators, the privileges they have will allow them to carry out work on your account without the need for you to reveal your password. An administrator should not have to ask you for your password.
为了防止成为社会工程的受害者,需要记住的一件重要事情是密码是秘密的。您个人帐户的密码应该只有您自己知道。需要对您的帐户执行某些操作的系统管理员不需要您的密码。作为管理员,他们拥有的特权将允许他们在您的帐户上执行工作,而无需您透露密码。管理员不必询问您的密码。
Users should guard the use of their accounts, and keep them for their own use. Accounts should not be shared, not even temporarily with systems administrators or systems maintenance techinicians. Most maintenance work will require special privileges which end-users are not given. Systems administrators will have their own accounts to work with and will not need to access computer systems via an end-user's account.
用户应保护其帐户的使用,并将其保留供自己使用。帐户不应共享,甚至不应临时与系统管理员或系统维护技术人员共享。大多数维护工作都需要最终用户没有的特权。系统管理员将拥有自己的帐户,无需通过最终用户的帐户访问计算机系统。
Systems maintenance technicians who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Yet, many people will not do this because it makes them look paranoid and it is embarrassing to show that they have no, or little trust in these visitors.
到现场的系统维护技术人员应由本地站点管理员(您应该知道该管理员)陪同。如果您对站点管理员不熟悉,或者如果技术人员单独来,最好打电话给您已知的站点管理员,检查技术人员是否应在场。然而,许多人不会这样做,因为这会让他们看起来很偏执,而表现出他们对这些来访者没有信任或很少信任是令人尴尬的。
Unless you are very sure that the person you are speaking to is who he or she claims to be, no secret information should ever be revealed to such people. Sometimes, attackers may even be good enough to make themselves sound like someone whose voice you know over the phone. It is always good to double check the identity of the person. If you are unable to do so, the wisest thing to do is not to reveal any secrets. If you are a systems administrator, there should be security procedures for assignment and reassignment of passwords to users, and you should follow such procedures. If you are an end-user, there should not be any need for you to have to reveal system secrets to anyone else. Some companies assign a common account to multiple users. If you happen to be in such a group, make sure you know everyone in that group so you can tell if someone who claims to be in the group is genuine.
除非你非常确定与你交谈的人是他或她自称的人,否则任何秘密信息都不应该透露给这些人。有时,攻击者甚至可能表现得足够好,让自己听起来像是你在电话里听到的声音。仔细检查这个人的身份总是好的。如果你不能做到这一点,最明智的做法是不要泄露任何秘密。如果您是系统管理员,则应该有向用户分配和重新分配密码的安全程序,并且您应该遵循这些程序。如果您是最终用户,则不必向任何其他人透露系统机密。一些公司将一个公共帐户分配给多个用户。如果你恰好在这样一个群体中,确保你认识该群体中的每个人,这样你就可以判断声称在该群体中的人是否是真实的。
Part Three: End-users self administering a networked computer
第三部分:最终用户自行管理联网计算机
The home user or the user who administers his own network has many of the same concerns as a centrally-administered user. The following is a summary of additional advice given in Part Three:
家庭用户或管理自己网络的用户与集中管理用户有许多相同的问题。以下是第三部分中给出的附加建议的摘要:
- Read manuals to learn how to turn on security features, then turn them on. - Consider how private your data and Email need to be. Have you invested in privacy software and learned how to use it yet? - Prepare for the worst in advance. - Keep yourself informed about what the newest threats are.
- 阅读手册,了解如何打开安全功能,然后再打开它们。-考虑一下你的数据和电子邮件需要保密的程度。您是否投资过隐私软件并学会了如何使用它提前做好最坏的打算让自己了解最新的威胁是什么。
You should decide ahead of time what risks are acceptable and then stick to this decision. It is also wise to review your decision at regular intervals and whenever the need to do so arises. It may be wise to simply avoid downloading any software from the network which comes from an unknown source to a computer storing business records, other valuable data and data which is potentially damaging if the information was lost or stolen.
你应该提前决定哪些风险是可以接受的,然后坚持这个决定。定期和在需要的时候回顾你的决定也是明智的。明智的做法可能是避免从网络下载任何来自未知来源的软件到存储业务记录、其他有价值数据和信息丢失或被盗时可能造成损害的数据的计算机。
If the system has a mixed purpose, say recreation, correspondence and some home accounting, perhaps you will hazard some downloading of software. You unavoidably take some risk of acquiring stuff which is not exactly what it seems to be.
如果这个系统有一个混合的用途,比如娱乐、通信和一些家庭会计,也许你会冒险下载一些软件。你不可避免地要冒一些风险去获取一些看起来并不完全一样的东西。
It may be worthwhile installing privacy software on a computer if it is shared by multiple users. That way, a friend of a room mate won't have access to your private data, and so on.
如果一台计算机由多个用户共享,那么在该计算机上安装隐私软件可能是值得的。这样,室友的朋友就不能访问你的私人数据,等等。
If you notice that your files have been modified or ascertain somehow that your account has been used without your consent, you should inform your security point-of-contact immediately. When you do not know who your security point-of-contact is, try calling your Internet service provider's help desk as a first step.
如果您注意到您的文件已被修改或以某种方式确定您的帐户未经您的同意已被使用,您应立即通知您的安全联系人。如果您不知道您的安全联系人是谁,请尝试首先致电您的互联网服务提供商的帮助热线。
- Read all user documentation carefully. Make sure that it is clear when services are being run on your computer. If network services are activated, make sure they are properly configured (set all permissions so as to prevent anonymous or guest logins, and so on). Increasingly, many programs have networking capabilities built in to them. Learn how to properly configure and safely use these features.
- 仔细阅读所有用户文档。确保在您的计算机上运行服务时是清楚的。如果网络服务已激活,请确保它们已正确配置(设置所有权限以防止匿名或来宾登录等)。越来越多的程序内置了联网功能。了解如何正确配置和安全使用这些功能。
- Back up user data. This is always important. Backups are normally thought of as a way of ensuring you will not lose your work if a hard disk fails or if you make a mistake and delete a file. Backing up is also critical to insure that data cannot be lost due to a computer security incident. One of the most vicious and unfortunately common threats posed by computer viruses and Trojan Horse programs is erasing a computer's hard disk.
- 备份用户数据。这总是很重要的。备份通常被认为是一种确保在硬盘出现故障或出错并删除文件时不会丢失工作的方法。备份对于确保数据不会因计算机安全事件而丢失也至关重要。计算机病毒和特洛伊木马程序构成的最邪恶、最不幸的常见威胁之一是擦除计算机硬盘。
- Obtain virus checking software or security auditing tools. Learn how to use them and install them before connecting to a public network. Many security tools require that they be run on a "clean" system, so that comparisons can be made between the present and pristine states. Thus, it is necessary for some work to be done ahead of time.
- 获取病毒检查软件或安全审计工具。在连接到公共网络之前,了解如何使用和安装它们。许多安全工具要求它们在“干净”的系统上运行,以便在当前状态和原始状态之间进行比较。因此,有必要提前做一些工作。
- Upgrade networking software regularly. As new versions of programs come out, it is prudent to upgrade. Security vulnerabilities will likely have been fixed. The longer you wait to do this, the greater the risk that security vulnerabilities of the products will be become known and be exploited by some network assailant. Keep up to date!
- 定期升级网络软件。随着新版本程序的推出,谨慎的做法是升级。安全漏洞可能已经修复。您等待的时间越长,产品的安全漏洞被某些网络攻击者发现和利用的风险就越大。跟上时代!
- Find out who to contact if you suspect trouble. Does your Internet Service Provider have a security contact or Help Desk? Investigate this before trouble happens so you won't lose time trying to figure it out should trouble occur. Keep the contact information both online and offline for easy retrieval.
- 如果您怀疑有问题,请找出要联系的人。您的互联网服务提供商是否有安全联系人或服务台?在问题发生之前调查一下,这样当问题发生时,你就不会浪费时间去想办法了。保持联系信息在线和离线,以便于检索。
There are 3 ways to avoid problems with viruses:
有3种方法可以避免病毒问题:
1. Don't be promiscuous
1. 不要乱交
If at all possible, be cautious about what software you install on your system. If you are unaware of or unsure of the origin of a program, it is wise not to run it. Obtain software from trusted sources. Do not execute programs or reboot using old diskettes unless you have reformatted them, especially if the old diskettes have been used to bring software home from a trade show and other potentially security-vulnerable places.
如果可能的话,请小心在系统上安装的软件。如果您不知道或不确定程序的来源,最好不要运行它。从可信来源获取软件。除非已重新格式化,否则不要使用旧磁盘执行程序或重新启动,尤其是在旧磁盘用于将软件从贸易展和其他可能存在安全漏洞的地方带回家的情况下。
Nearly all risk of getting infected by viruses can be eliminated if you are extremely cautious about what files are stored on your computer. See "The Dangers of Downloading" for more details.
如果您对计算机上存储的文件极其谨慎,几乎所有感染病毒的风险都可以消除。有关更多详细信息,请参阅“下载的危险”。
2. Scan regularly.
2. 定期扫描。
Give your system a regular check-up. There are excellent virus checking and security audit tools for most computer platforms available today. Use them, and if possible, set them to run automatically and regularly. Also, install updates of these tools regularly and keep yourself informed of new virus threats.
定期检查您的系统。目前,大多数计算机平台都有优秀的病毒检查和安全审计工具。使用它们,如果可能,将它们设置为自动定期运行。此外,定期安装这些工具的更新,并随时了解新的病毒威胁。
3. Notice the unusual.
3. 注意不寻常的地方。
It's not true that a difference you cannot detect is no difference at all, but it is a good rule of thumb. You should get used to the way your system works. If there is an unexplainable change (for instance, files you believe should exist are gone, or strange new files are appearing and disk space is 'vanishing'), you should check for the presense of viruses.
你无法检测到的差异并不是完全没有差异,但这是一条很好的经验法则。你应该习惯你的系统的工作方式。如果有无法解释的变化(例如,您认为应该存在的文件消失了,或者出现了奇怪的新文件,磁盘空间正在“消失”),您应该检查是否存在病毒。
You should take some time to be familiar with computer virus detection tools available for your type of computer. You should use an up-to-date tool (i.e. not older than three months). It is very important to test your computer if you have been using shared software of dubious origin, someone else's used floppy disks to transfer files, and so on.
您应该花一些时间熟悉适用于您的计算机类型的计算机病毒检测工具。您应该使用最新的工具(即不超过三个月)。如果您一直在使用来历不明的共享软件、他人使用软盘传输文件等,测试您的计算机是非常重要的。
If you suspect that your home computer has a virus, that a malicious program has been run, or that a system has been broken into, the wisest course of action is to first disconnect the system from all networks. If available, virus detection or system auditing software should be used.
如果您怀疑您的家庭计算机有病毒、运行了恶意程序或系统被入侵,最明智的做法是首先断开系统与所有网络的连接。如果可用,应使用病毒检测或系统审计软件。
Checking vital system files for corruption, tampering or malicious replacement is very tedious work to do by hand. Fortunately there are many virus detection programs available for PCs and Macintosh computers. There are security auditing programs available for UNIX-based computers. If software is downloaded from the network, it is wise to run virus detection or auditing tools regularly.
手动检查重要系统文件是否存在损坏、篡改或恶意替换是一项非常繁琐的工作。幸运的是,PC和Macintosh电脑上有很多病毒检测程序。有可用于基于UNIX的计算机的安全审核程序。如果软件是从网络下载的,明智的做法是定期运行病毒检测或审计工具。
If it becomes clear that a home system has been attacked, it is time to clean up. Ideally, a system should be rebuilt from scratch. This means erasing everything on the hard disk. Next, install the operating system and then all additional software the system needs. It is best to install the operating system and additional software from the original distribution diskettes or CD-roms, rather than from backup storage. The reason for this is that a system may have been broken into some time ago, so the backed up system or program files may already include some altered files or viruses. Restoring a system from scratch is tedious but worthwhile. Do not forget to re-install all security related fixes you had installed before the security incident. Obtain these from a verified, unsuspicious source.
如果很明显家庭系统受到了攻击,那么是时候进行清理了。理想情况下,系统应该从头开始重建。这意味着删除硬盘上的所有内容。接下来,安装操作系统,然后安装系统需要的所有附加软件。最好从原始分发磁盘或CD-ROM安装操作系统和附加软件,而不是从备份存储安装。原因是系统可能在一段时间前被入侵,因此备份的系统或程序文件可能已经包含一些修改过的文件或病毒。从零开始恢复一个系统是乏味但值得的。不要忘记重新安装安全事件发生前安装的所有安全相关修复程序。从经过验证的、不易察觉的来源获取这些信息。
Remember to be careful with saved Email. Copies of sent or received Email (or indeed any file at all) placed in storage provided by an Internet service provider may be vulnerable. The risk is that someone might break into the account and read the old Email. Keep your Email files, indeed any sensitive files, on your home machine.
记住要小心保存的电子邮件。由互联网服务提供商提供的存储中的已发送或接收电子邮件(或任何文件)的副本可能容易受到攻击。风险在于有人可能闯入该帐户并阅读旧电子邮件。将您的电子邮件文件,甚至任何敏感文件,保存在您的家庭计算机上。
A home system can be broken into over the Internet if a home user is unwary. The files on the home system can be stolen, altered or destroyed. The system itself, if compromised, could be accessed again some time in the future. This section describes issues and makes recommendations relevant to a home user of the Internet.
如果家庭用户不小心,家庭系统可以通过互联网被入侵。家庭系统上的文件可能被盗、篡改或销毁。如果系统本身遭到破坏,将来可能会再次访问。本节介绍与互联网家庭用户相关的问题并提出建议。
A home system which uses PPP to connect directly to the Internet is increasingly common. These systems are at the greatest risk if they run certain kinds of programs called "services". If you run a service, you are in effect making your computer available to others across the network. Some services include:
使用PPP直接连接到互联网的家庭系统越来越普遍。如果这些系统运行某些称为“服务”的程序,则风险最大。如果您运行一项服务,实际上就是让网络上的其他人可以使用您的计算机。一些服务包括:
- File servers (an NFS server, a PC with 'file sharing' turned on) - An FTP server - A Web server
- 文件服务器(NFS服务器、打开“文件共享”的PC)-FTP服务器-Web服务器
There are, in general, two types of programs which operate on the Internet: Clients (like web browsers and Email programs) and Servers (like web servers and mail servers).
通常,有两种类型的程序在Internet上运行:客户端(如web浏览器和电子邮件程序)和服务器(如web服务器和邮件服务器)。
Most software which runs on home systems is of the client variety; but, increasingly, server software is available on traditionally client platforms (e.g., PCs). Server software which runs in the background is referred to as a "daemon" (pronounced dee-mon). Many Internet server software programs that run as daemons have names that end in `d', like "inetd" (Internet Daemon) and "talkd" (Talk Daemon). When set to run, these programs wait for clients to request some particular service from across the network.
在家庭系统上运行的大多数软件都是客户机类型的;但是,服务器软件越来越多地出现在传统的客户端平台(如PC)上。在后台运行的服务器软件称为“守护进程”(发音为dee-mon)。许多作为守护进程运行的Internet服务器软件程序的名称以“d”结尾,如“inetd”(Internet守护进程)和“talkd”(Talk守护进程)。当设置为运行时,这些程序等待客户端通过网络请求某些特定服务。
There are four very important things to keep in mind as far as the security implications of running services on a home computer are concerned.
就在家庭计算机上运行服务的安全影响而言,有四件非常重要的事情需要牢记。
- First and most important, if a server is not properly configured, it is very vulnerable to being attacked over a network. It is vital, if you run services, to be familiar with the proper configuration. This is often not easy, and may require training or technical expertise.
- 首先也是最重要的一点,如果服务器配置不当,它很容易受到网络攻击。如果您运行服务,熟悉正确的配置是至关重要的。这通常并不容易,可能需要培训或技术专业知识。
- All software has flaws, and flaws exploited deviously can be used to breach computer security. If you run a server on your home machine, you have to stay aware. This requires work: You have to stay in touch with the supplier of the software to get security updates. It is highly recommended that you keep up with security issues through on-line security forums. See [RFC2196] for a list of references.
- 所有软件都有缺陷,恶意利用的缺陷可以用来破坏计算机安全。如果您在家庭计算机上运行服务器,您必须保持警惕。这需要工作:您必须与软件供应商保持联系以获取安全更新。强烈建议您通过在线安全论坛了解安全问题。参考文献列表见[RFC2196]。
If security flaws in your server software are discovered, you will need to either stop using the software or apply "patches" or "fixes" which eliminate the vulnerability. The supplier of the software, if it is a decent company or freeware author, will supply information and updates to correct security flaws. These "patches" or "fixes" must be installed as soon as possible.
如果发现服务器软件中存在安全缺陷,您需要停止使用该软件,或者应用“补丁”或“修复程序”来消除该漏洞。该软件的供应商,如果它是一个体面的公司或免费软件的作者,将提供信息和更新,以纠正安全缺陷。必须尽快安装这些“修补程序”或“修复程序”。
- As a rule of thumb, the older the software, the greater the chance that it has known vulnerabilities. This is not to say you should simply trust brand new software either! Often, it takes time to discover even obvious security flaws in servers.
- 根据经验,软件越老,发现漏洞的可能性就越大。这并不是说你应该简单地相信全新的软件!通常,发现服务器中甚至明显的安全缺陷都需要时间。
- Some servers start up without any warning. There are some web browsers and telnet clients which automatically start FTP servers if not explicitly configured to not do so. If these servers are not themselves properly configured, the entire file system of the home computer can become available to anyone on the Internet.
- 有些服务器在没有任何警告的情况下启动。有些web浏览器和telnet客户端在未明确配置为不启动FTP服务器的情况下会自动启动FTP服务器。如果这些服务器本身未正确配置,则家庭计算机的整个文件系统可供Internet上的任何人使用。
In general, any software MAY start up a network daemon. The way to be safe here is to know the products you are using. Read the manual, and if any questions arise, call the company or mail the author of free software to find out if you are actually running a service by using the product.
通常,任何软件都可以启动网络守护进程。安全的方法是了解你使用的产品。阅读手册,如果有任何问题,请致电公司或邮寄免费软件的作者,以了解您是否正在使用该产品运行服务。
A home user running a remote login service on his home machine faces very serious risks. This service allows the home user to log in to his home machine from other computers on the Internet and can be quite convenient. But the danger is that someone will secretly observe the logging in and then be able to masquerade as the user whenever they choose to do so in the future. See "The Wires Have Ears" which suggests precautions to take for remote log in.
在家庭计算机上运行远程登录服务的家庭用户面临着非常严重的风险。这项服务允许家庭用户从互联网上的其他计算机登录到他的家庭计算机,而且非常方便。但危险的是,有人会偷偷地观察登录,然后在将来任何时候选择伪装成用户。请参阅“电线有耳朵”,其中建议远程登录时应采取的预防措施。
If possible, activate all "logging" options in your server software which relate to security. You need to review these logs regularly in order to gain any benefit from this logging. You should also be aware that logs often grow very quickly in size, so you need to be careful they don't fill up your hard disk!
如果可能,激活服务器软件中与安全相关的所有“日志”选项。您需要定期查看这些日志,以便从此日志中获益。您还应该意识到日志的大小通常增长得非常快,所以您需要小心它们不会填满您的硬盘!
Remote logins allow a user privileged access onto physically remote systems from the comfort of his own home.
远程登录允许用户在舒适的家中以特权访问物理远程系统。
More and more companies are offering their employees the ability to work from home with access to their computer accounts through dial-up connections. As the convenience of Internet connectivity has led to lowered costs and wide-spread availability, companies may allow remote login to their systems via the Internet. Customers of companies with Internet access may also be provided with remote login accounts. These companies include Internet service providers, and even banks. Users should be very careful when making remote logins.
越来越多的公司向员工提供在家工作的能力,通过拨号连接访问他们的计算机帐户。由于互联网连接的便利性降低了成本和广泛的可用性,公司可能允许通过互联网远程登录其系统。可以访问互联网的公司的客户还可以获得远程登录帐户。这些公司包括互联网服务提供商,甚至包括银行。用户在进行远程登录时应该非常小心。
As discussed in "The Wires have Ears" section, Internet connections can be eavesdropped on. If you intend to use a remote login service, check that the connection can be done securely, and make sure that you use the secure technologies/features.
正如“电线有耳朵”一节所讨论的,互联网连接可以被窃听。如果您打算使用远程登录服务,请检查连接是否安全,并确保使用安全技术/功能。
Connections may be secured using technologies like one-time passwords, secure shell (SSH) and Secure Sockets Layer (SSL). One-time passwords make a stolen password useless to steal, while secure shell encrypts data sent over the connection. Please refer to "Don't Get Caught in the Web" for a discussion on SSL. Secure services such as these have to be made available on the systems to which you log in remotely.
可以使用一次性密码、安全外壳(SSH)和安全套接字层(SSL)等技术保护连接。一次性密码使被盗密码无法窃取,而secure shell则对通过连接发送的数据进行加密。有关SSL的讨论,请参阅“不要陷入网络”。必须在远程登录的系统上提供此类安全服务。
Administering your own home computer means you get to choose what software is run on it. Encryption software provides protection for data. If you keep business records and other sensitive data on your computer, encryption will help to keep it safe. For example, if you ran a network service from your home computer and missed setting restrictions on a private directory, a remote user (authorized or not) may gain access to files in this private directory. If the files are encrypted, the user will not be able to read them. But as with all forms of encryption running on any system, the keys and passwords should first be kept safe!
管理您自己的家庭计算机意味着您可以选择在其上运行什么软件。加密软件为数据提供保护。如果您在计算机上保存业务记录和其他敏感数据,加密将有助于确保其安全。例如,如果您从家庭计算机运行网络服务,但未设置专用目录的限制,则远程用户(授权或未授权)可能会访问此专用目录中的文件。如果文件被加密,用户将无法读取它们。但是,与任何系统上运行的所有形式的加密一样,密钥和密码应该首先保持安全!
This document has provided the reader with an introduction and as much concise detail as possible. Present security issues go out of date quickly, and although effort has been made to keep discussions general, examples given may not be relevant in the future as the Internet and computer industry continue to grow.
本文件为读者提供了一个介绍和尽可能多的简明细节。目前的安全问题很快就过时了,尽管已经做出努力使讨论保持一般性,但随着互联网和计算机行业的持续增长,给出的例子在未来可能并不相关。
Just as home-owners are now taking increased cautions at the expense of convenience, to secure their homes in the changing world we live in, computer network users should not ignore security. It may be inconvenient, but it is always better to be safe than sorry.
正如房主们现在以牺牲便利为代价越来越谨慎一样,为了在我们生活的不断变化的世界中保护他们的家,计算机网络用户不应该忽视安全。这可能不方便,但安全总比后悔好。
Appendix: Glossary of Security Terms
附录:安全术语表
Acceptable Use Policy (AUP)
可接受使用政策(AUP)
A set of rules and guidelines that specify in more or less detail the expectations in regard to appropriate use of systems or networks.
一组规则和指南,或多或少地详细说明了有关系统或网络的适当使用的期望。
Account
账户
See (Computer) Account
见(计算机)账户
Anonymous and Guest Log In
匿名和来宾登录
Services may be made available without any kind of authentication. This is commonly done, for instance, with the FTP protocol to allow anonymous access. Other systems provide a special account named "guest" to provide access, typically restricting the privileges of this account.
服务可以在没有任何身份验证的情况下提供。这通常是通过FTP协议来实现的,例如,允许匿名访问。其他系统提供一个名为“guest”的特殊帐户来提供访问权限,通常限制此帐户的权限。
Auditing Tool
审计工具
Tools to analyze computer systems or networks in regard to their security status or in relation to the set of services provided by them. COPS (Computer Oracle Password and Security analyzer) and SATAN (Security Administrator's Tool for Analyzing Networks) are famous examples of such tools.
分析计算机系统或网络的安全状态或其提供的一组服务的工具。COPS(计算机Oracle密码和安全分析器)和SATAN(用于分析网络的安全管理员工具)是此类工具的著名示例。
Authentication
认证
Authentication refers to mechanisms which are used to verify the identity of a user. The process of authentication typically requires a name and a password to be supplied by the user as proof of his identity.
身份验证是指用于验证用户身份的机制。身份验证过程通常要求用户提供名称和密码作为其身份证明。
Centrally-Administered Network
中央管理网络
A network of systems which is the responsibility of a single group of administrators who are not distributed but work centrally to take care of the network.
由一组管理员负责的系统网络,这些管理员不是分布式的,而是集中管理网络。
Certificate
证明书
Certificates are data which is used to verify digital signatures. A certificate is only as trustworthy as the agency which issued it. A certificate is used to verify a particular signed item, such as an Email message or a web page. The digital signature, the item and the certificate are all processed by a mathematical
证书是用于验证数字签名的数据。证书的可靠性取决于颁发证书的机构。证书用于验证特定的已签名项目,如电子邮件或网页。数字签名、项目和证书都由数学模型处理
program. It is possible to say, if the signature is valid, that "According to the agency which issued the certificate, the signer was (some name)".
程序如果签名有效,可以说“根据签发证书的机构,签名人是(某个姓名)”。
Clean System
清洁系统
A computer which has been freshly installed with its operating system and software obtainied from trusted software distribution media. As more software and configuration are added to a computer, it becomes increasingly difficult to determine if the computer is 'clean' or has been compromised by viruses, trojan horse or misconfiguration which reduces the security of the system.
一种新安装的计算机,其操作系统和软件是从可信的软件分发媒体获得的。随着越来越多的软件和配置添加到计算机中,越来越难以确定计算机是否“干净”,或者是否受到病毒、特洛伊木马或错误配置的危害,从而降低了系统的安全性。
Client
客户
Depending on the point of view, a client might be a computer system which an end-user uses to access services hosted on another computer system called a server. 'Client' may also refer to a program or a part of a system that is used by an end-user to access services provided by another program (for example, a web browser is a client that accesses pages provided by a Web Server).
根据不同的观点,客户端可能是最终用户用来访问托管在另一个称为服务器的计算机系统上的服务的计算机系统。”“客户端”还可指最终用户用于访问另一程序提供的服务的程序或系统的一部分(例如,web浏览器是访问web服务器提供的页面的客户端)。
Compound Documents
复合文档
A 'document' is a file containing (a set of) data. Files may consist of multiple parts: a plain document, an encrypted document, a digitally-signed documents or a compressed document. Multi-part files are known as compound documents and may require a variety of programs to be used in order to interpret and manipulate it. These programs may be used without the user's knowledge.
“文档”是包含(一组)数据的文件。文件可能由多个部分组成:普通文档、加密文档、数字签名文档或压缩文档。多部分文件称为复合文档,可能需要使用多种程序来解释和操作它。这些程序可以在用户不知情的情况下使用。
(Computer) Account
(计算机)帐户
This term describes the authorization to access a specific computer system or network. Each end-user has to use an account, which consists most probably of a combination of user name and password or another means of proving that the end-user is the person the account is assigned to.
此术语描述访问特定计算机系统或网络的授权。每个最终用户都必须使用一个帐户,该帐户很可能由用户名和密码的组合或其他方式组成,以证明最终用户就是分配给该帐户的人。
Configuring Network Services
配置网络服务
The part of an administrator's task that is related to specifying the conditions and details of network services that govern the service provision. In regard to a Web server, this includes which Web pages are available to whom and what kind of information is logged for later review purposes.
管理员任务中与指定管理服务提供的网络服务的条件和详细信息有关的部分。就Web服务器而言,这包括哪些网页可供谁使用,以及记录了哪些类型的信息以供以后查看。
Cookies
曲奇饼
Cookies register information about a visit to a web site for future use by the server. A server may receive information of cookies of other sites as well which create concern in terms of breach of privacy.
Cookie注册有关访问网站的信息,以供服务器将来使用。服务器也可能接收到其他站点的cookie信息,这些信息会引起对侵犯隐私的担忧。
Cracker
饼干
This term is used to describe attackers, intruders or other bad guys that do not play by the rules and try to circumvent security mechanisms and/or attack individuals and organisations.
该术语用于描述攻击者、入侵者或其他不遵守规则并试图绕过安全机制和/或攻击个人和组织的坏人。
Daemons (inetd, talkd, etc.)
守护进程(inetd、talkd等)
These are processes that run on computer systems to provide services to other computer systems or processes. Typically, daemons are considered "servers".
这些进程在计算机系统上运行,为其他计算机系统或进程提供服务。通常,守护进程被视为“服务器”。
Decrypting
解密
The process of reversing the encryption of a file or message to recover the original data in order to use or read it.
为使用或读取原始数据而对文件或消息进行反向加密以恢复原始数据的过程。
Default Account
默认帐户
Some systems and server software come with preconfigured accounts. These accounts may be set up with a predefined (user name and) password to allow anyone access and are often put there to make it convenient for users to login initially. Default accounts should be turned off or have their predefined passwords changed, to reduce the risk of abuse to the system.
一些系统和服务器软件带有预配置的帐户。这些帐户可以使用预定义的(用户名和)密码设置,以允许任何人访问,并且通常放在那里以方便用户最初登录。应关闭默认帐户或更改其预定义密码,以降低系统被滥用的风险。
Dial-in Service
拨号服务
A way of providing access to computer systems or networks via a telecommunications network. A computer uses a modem to make a telephone call to a another modem, which in turn provides 'network access service'. See also: PPP.
通过电信网络提供对计算机系统或网络的访问的一种方式。计算机使用调制解调器与另一个调制解调器进行电话呼叫,而另一个调制解调器又提供“网络接入服务”。另见:购买力平价。
Digital Signature
数字签名
A digital signature is created by a mathematical computer program. It is not a hand-written signature nor a computer-produced picture of one. The signature is like a wax seal that requires a special stamp to produce it, and is attached to an Email message or file. The origin of the message or file may then be verified by the digital signature (using special tools).
数字签名是由数学计算机程序创建的。这不是手写签名,也不是电脑制作的签名图片。签名就像一个蜡制印章,需要一个特殊的印章来制作,并附在电子邮件或文件上。然后可通过数字签名(使用专用工具)验证消息或文件的来源。
Downloaded Software
下载的软件
Software packages retrieved from the Internet (using, for example, the FTP protocol).
从Internet检索的软件包(例如,使用FTP协议)。
Downloading
正在下载
The act of retrieving files from a server on the network.
从网络上的服务器检索文件的行为。
Email Packages
电子邮件包
To communicate via electronic mail, an end-user usually makes use of an Email client that provides the user-interface to create, send, retrieve and read Email. Various different Email packages provide the same set of basic functions but have different user-interfaces and perhaps, special/extra functions. Some Email packages provide encryption and digital signature capabilities.
为了通过电子邮件进行通信,最终用户通常使用电子邮件客户端,该客户端提供创建、发送、检索和读取电子邮件的用户界面。各种不同的电子邮件包提供相同的基本功能集,但具有不同的用户界面,可能还有特殊/额外功能。一些电子邮件包提供加密和数字签名功能。
Email Security Software
电子邮件安全软件
Software which provides security through digital signatures and encryption (and decryption) to enable the end-user to protect messages and documents prior to sending them over a possibly insecure network. PGP is an example of such software.
通过数字签名和加密(和解密)提供安全性的软件,使最终用户能够在通过可能不安全的网络发送消息和文档之前保护它们。PGP就是这种软件的一个例子。
Encrypting / Encryption
加密/加密
This is a mathematical process of scambling data for privacy protection.
这是一个为了隐私保护而篡改数据的数学过程。
Encryption Software
加密软件
The software that actually provides the needed functionality for end users to encrypt messages and files. PGP is one example.
为最终用户提供加密消息和文件所需功能的软件。PGP就是一个例子。
End-User
最终用户
An (human) individual that makes use of computer systems and networks.
利用计算机系统和网络的人。
Files (programs, data, text and so on)
文件(程序、数据、文本等)
Files include user data, but also programs, the computer operating system and the system's configuration data.
文件包括用户数据、程序、计算机操作系统和系统配置数据。
File Server
文件服务器
A computer system that provides a way of sharing and working on files stored on the system among users with access to these files over a network.
一种计算机系统,它提供了一种在通过网络访问系统中存储的文件的用户之间共享和处理这些文件的方法。
File Transfer
文件传输
The process of transferring files between two computer systems over a network, using a protocol such as FTP or HTTP.
通过网络在两个计算机系统之间传输文件的过程,使用FTP或HTTP等协议。
Fixes, Patches and installing them
修复、补丁和安装它们
Vendors, in response to the discovery of security vulnerabilities, provide sets of files that have to be installed on computer systems. These files 'fix' or 'patch' the computer system or programs and remove the security vulnerability.
为了应对安全漏洞的发现,供应商提供了必须安装在计算机系统上的文件集。这些文件“修复”或“修补”计算机系统或程序,并删除安全漏洞。
FTP (File Transfer Protocol)
FTP(文件传输协议)
A protocol that allows for the transfer of files between an FTP client and FTP server.
允许在FTP客户端和FTP服务器之间传输文件的协议。
Group of Users
用户组
Security software often allow permissions to be set for groups (of users) as opposed to individuals.
安全软件通常允许为组(用户)而不是个人设置权限。
Help Desk
服务台
A support entity that can be called upon to get help with a computer or communication problem.
一种支持实体,可以被要求在计算机或通信问题上获得帮助。
Internet
互联网
A collection of interconnected networks that use a common set of protocols called the TCP/IP stack to enable communication between the connected computer systems.
一组相互连接的网络,使用一组称为TCP/IP协议栈的通用协议来实现连接的计算机系统之间的通信。
Key Escrow
密钥托管
Keys are used to encrypt and decrypt files. key escrow is used to store keys for use by third parties to access the data in encrypted files.
密钥用于加密和解密文件。密钥托管用于存储密钥,以便第三方访问加密文件中的数据。
Keys Used to Encrypt and Decrypt Files
用于加密和解密文件的密钥
To make use of encryption, an end-user has to provide some secret, in the form of some data, usually called a key.
为了使用加密,最终用户必须以数据的形式提供一些秘密,通常称为密钥。
Log In, Logging into a System
登录,登录到一个系统
This is an action performed by an end-user, when he authenticates himself to a computer system.
这是最终用户在向计算机系统进行身份验证时执行的操作。
Log In Prompt
登录提示
The characters that are displayed when logging into a system to ask for user name and password.
登录系统以询问用户名和密码时显示的字符。
Logged In
登录
If an end-user has successfully proven to have legitimate access to a system, he is considered to be logged in.
如果最终用户已成功证明能够合法访问系统,则认为他已登录。
Logging
登录中
Systems and server software often provide the ability to keep track of events. Events may be configured to be written out to a file known as a log. The log file can be read later and allows for system failures and security breaches to be identified.
系统和服务器软件通常提供跟踪事件的能力。可以将事件配置为写入称为日志的文件。日志文件可以稍后读取,并允许识别系统故障和安全漏洞。
Masquerade (see Remote Log In)
伪装(请参阅远程登录)
Anyone who pretends to be someone they are not in order to obtain access to a computer account is said to be in 'masquerade'. This may be accomplished by providing a false user name, or stealing someone else's password and logging in as him.
任何人假扮自己不是为了进入电脑账户的人都被称为“伪装”。这可以通过提供一个虚假的用户名,或者窃取其他人的密码并以他的身份登录来实现。
Network File System (NFS, file sharing with PCs, etc.)
网络文件系统(NFS、与PC的文件共享等)
NFS is an application and protocol suite that provides a way of sharing files between clients and servers. There are other protocols which provide file access over networks. These provide similar functionality, but do not interoperate with each other.
NFS是一个应用程序和协议套件,它提供了一种在客户端和服务器之间共享文件的方法。还有其他协议通过网络提供文件访问。它们提供类似的功能,但彼此之间不互操作。
Networking Features of Software
软件的网络特性
Some software has features which make use of the network to retrieve or share data. It may not be obvious that software has networking features.
有些软件具有利用网络检索或共享数据的功能。软件是否具有联网功能可能并不明显。
Network Services
网络服务
Services which are not provided on the local computer system the end-user is working on but on a server located in the network.
不是在最终用户正在使用的本地计算机系统上提供的服务,而是在网络中的服务器上提供的服务。
One-Time Passwords (OTP)
一次性密码(OTP)
Instead of using the same password over and over again, a different password is used on each subsequent log in.
与反复使用相同的密码不同,每次后续登录时都会使用不同的密码。
Passphrase
密码短语
A passphrase is a long password. It is often composed of several words and symbols to make it harder to guess.
密码短语是一个长密码。它通常由几个单词和符号组成,使其更难猜测。
Password-Locked Screensaver
密码锁定屏幕保护程序
A screen saver obscures the normal display of a monitor. A password-locked screensaver can only be deactivated if the end-user's password is supplied. This prevents a logged-in system from being abused and hides the work currently being done from passers-by.
屏幕保护程序使显示器的正常显示变得模糊。只有在提供最终用户密码的情况下,才能停用密码锁定的屏幕保护程序。这可以防止登录系统被滥用,并对路人隐藏当前正在进行的工作。
Patch
色斑
See "Fixes, Patches and installing them"
请参阅“修复程序、修补程序和安装”
Permissions
权限
Another word for the access controls that are used to control the access to files and other resources.
用于控制对文件和其他资源的访问的访问控制的另一个词。
PGP (Pretty Good Privacy)
PGP(相当好的隐私)
PGP is an application package that provides tools to encrypt and digitally sign files on computer systems. It is especially useful to encrypt and/or sign files and messages before sending them via Email.
PGP是一个应用程序包,它提供了对计算机系统上的文件进行加密和数字签名的工具。在通过电子邮件发送文件和消息之前,对其进行加密和/或签名尤其有用。
Plug-in Modules
插入式模块
Software components that integrate into other software (such as web browsers) to provide additional features.
集成到其他软件(如web浏览器)以提供附加功能的软件组件。
Point-of-Contact, Security
联络点、安全
In case of security breaches or problems, many organisations provide a designated point-of-contact which can alert others and take the appropriate actions.
如果出现安全漏洞或问题,许多组织都会提供一个指定的联络点,可以提醒其他人并采取适当的行动。
PPP (Point to Point Protocol)
PPP(点对点协议)
PPP is the mechanism which most end-users establish a network connection between their PC and their Internet service provider with. Once connected, the PC is able to transmit and receive data to any other system on the network.
PPP是大多数最终用户在其PC和互联网服务提供商之间建立网络连接的机制。一旦连接,PC就能够向网络上的任何其他系统发送和接收数据。
Privacy Programs
隐私程序
Another term for encryption software that highlights the use of this software to protect the confidentiality and therefore privacy of the end-users that make use of it.
加密软件的另一个术语,强调使用该软件保护使用该软件的最终用户的机密性和隐私。
Remote Access Software
远程访问软件
This software allows a computer to use a modem to connect to another system. It also allows a computer to 'listen' for calls on a modem (this computer provides 'remote access service'.) Remote access software may provide access to a single computer or to a network.
此软件允许计算机使用调制解调器连接到另一个系统。它还允许计算机“监听”调制解调器上的呼叫(此计算机提供“远程访问服务”)。远程访问软件可提供对单个计算机或网络的访问。
Remote Log In
远程登录
If an end-user uses a network to log in to a system, this act is known as remote log in.
如果最终用户使用网络登录到系统,此行为称为远程登录。
Security Features
安全特性
These are features which provide protection or enable end-users and administrators to assess the security of a system, for example, by auditing it.
这些功能提供保护,或使最终用户和管理员能够评估系统的安全性,例如,通过审核系统。
Security Policy
安全策略
A security policy is written by organisations to address security issues, in the form of "do's" and "don'ts". These guidelines and rules are for users with respect to physical security, data security, information security and content (eg. rules stating that sites with sexual content should not be visited, and that copyrights should be honoured when downloading software, etc).
安全策略由组织编写,以“应做”和“不应做”的形式解决安全问题。这些指南和规则针对用户,涉及物理安全、数据安全、信息安全和内容(例如,规定不得访问含有色情内容的网站,下载软件时应尊重版权等)。
Server
服务器
A server is a computer system, or a set of processes on a computer system providing services to clients across a network.
服务器是一个计算机系统,或计算机系统上的一组进程,通过网络向客户端提供服务。
Shared Account
共享帐户
A common account is one which is shared by a group of users as opposed to a normal account which is available to only one user. If the account is misused, it is very difficult or impossible to know which of users was responsible.
公共帐户是由一组用户共享的帐户,而不是只有一个用户可用的普通帐户。如果账户被滥用,很难或不可能知道是哪位用户造成的。
Sharing Permissions
共享权限
Many computer systems allow users to share files over a network. These systems invariably provide a mechanism for users to use to control who has permission to read or overwrite these files.
许多计算机系统允许用户通过网络共享文件。这些系统总是为用户提供一种机制,用于控制谁有权读取或覆盖这些文件。
Site
地点
Depending on the context in which this term is used, it might apply to computer systems that are grouped together by geographical location, organizational jurisdiction, or network addresses. A Site typically refers to a network under a common administration.
根据使用该术语的上下文,它可能适用于按地理位置、组织管辖权或网络地址分组在一起的计算机系统。站点通常是指在公共管理下的网络。
SSH (Secure Shell)
SSH(安全外壳)
SSH provides a protocol between a client and server, allowing for encrypted remote connectivity.
SSH提供客户端和服务器之间的协议,允许加密远程连接。
SSL (Secure Sockets Layer)
SSL(安全套接字层)
This protocol provides security services to otherwise insecure protocols which operate over a network. SSL is typically used by web browsers to encrypt data sent to and downloaded from a server.
该协议为在网络上运行的不安全协议提供安全服务。SSL通常由web浏览器用于加密发送到服务器和从服务器下载的数据。
Systems Administrator
系统管理员
The individual who maintains the system and has system administrator privileges. In order to avoid errors and mistakes done by this individual while not acting as an administrator, he/she should limit the time he/she acts as an administrator (as known to the system) to a minimum.
维护系统并具有系统管理员权限的个人。为了避免此人在不担任管理员时犯错误,他/她应将其担任管理员(系统已知)的时间限制在最低限度。
System Administrator Privileges
系统管理员权限
System administrators have more rights (greater permissions) as their work involve the maintenance of system files.
系统管理员拥有更多的权限(更大的权限),因为他们的工作涉及系统文件的维护。
System Files
系统文件
The set of files on a system that do not belong to end-users, which govern the functionality of the system. System files have a great impact on the security of the system.
系统上不属于最终用户的一组文件,控制系统的功能。系统文件对系统的安全性有很大的影响。
Telnet
电信网
A protocol that enables remote log in to other computer systems over the network.
允许通过网络远程登录到其他计算机系统的协议。
Terminal
航空站
A dumb device that is connected to a computer system in order to provide (text-based) access to it for users and administrators.
连接到计算机系统以便为用户和管理员提供(基于文本的)访问权限的哑设备。
Terms of Service (TOS)
服务条款(TOS)
See "Acceptable Use Policy (AUP)".
请参阅“可接受使用政策(AUP)”。
Threats
威胁
The potential that an existing vulnerability can be exploited to compromise the security of systems or networks. Even if a vulnerability is not known, it represents a threat by this definition.
利用现有漏洞危害系统或网络安全的可能性。即使不知道某个漏洞,根据此定义,它也代表了一种威胁。
Trojan Horse
特洛伊木马
A program which carries within itself a means to allow the creator of the program access to the system using it.
一种程序,它本身带有允许程序创建者访问使用它的系统的方法。
Virus
病毒
A program which replicates itself on computer systems by incorporating itself (secretly and maliciously) into other programs. A virus can be transferred onto a computer system in a variety of ways.
通过将自身(秘密或恶意地)合并到其他程序中,在计算机系统上复制自身的程序。病毒可以通过多种方式传播到计算机系统上。
Virus-Detection Tool
病毒检测工具
Software that detects and possibly removes computer viruses, alerting the user appropriately.
检测并可能清除计算机病毒的软件,适当地提醒用户。
Vulnerability
弱点
A vulnerability is the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.
漏洞是指存在的弱点、设计或实施错误,可能导致意外、不希望发生的事件,危及所涉及的系统、网络、应用程序或协议的安全。
Web Browser Cache
Web浏览器缓存
This is the part of the file system that is used to store web pages and related files. It can be utilized to reload recently accessed files from the cache instead of loading it every time from the network.
这是用于存储网页和相关文件的文件系统的一部分。它可以用来从缓存中重新加载最近访问的文件,而不是每次从网络中加载。
Web Browser Capabilities
Web浏览器功能
The set of functionalities on a web browser for use by the end-user. This includes the set of plug-ins available.
web浏览器上供最终用户使用的一组功能。这包括可用的插件集。
Web Server
网络服务器
A server program that provides access to web pages. Some web servers provide access to other services, such as databases, and directories.
提供对网页访问的服务器程序。一些web服务器提供对其他服务的访问,例如数据库和目录。
Worm
蠕虫
A computer program which replicates itself and is self-propogating. Worms, as opposed to viruses, are meant to spawn in network environments.
一种计算机程序,它可以自我复制并自我传播。与病毒相反,蠕虫是在网络环境中繁殖的。
Acknowledgments
致谢
The User Security Handbook was a collaborative effort of the Site
Security Handbook Working Group of the IETF. There were also others
who made significant contributions --- Simson Garfinkle and Eric
Luiijf provided very helpful feedback on this document. The Glossary
contribution by Klaus-Peter Kossakowski is much appreciated.
The User Security Handbook was a collaborative effort of the Site
Security Handbook Working Group of the IETF. There were also others
who made significant contributions --- Simson Garfinkle and Eric
Luiijf provided very helpful feedback on this document. The Glossary
contribution by Klaus-Peter Kossakowski is much appreciated.
References
工具书类
[GLOSSARY] Malkin, G., Ed., "Internet User's Glossary", FYI 18, RFC 1983 August 1996.
[词汇表]Malkin,G.,Ed.“互联网用户词汇表”,供参考18,RFC 1983年至1996年8月。
[RFC2196] Fraser, B., Ed., "Site Security Handbook", FYI 8, RFC 2196 September 1997.
[RFC2196]弗雷泽,B.,编辑,“现场安全手册”,第8期,RFC 2196,1997年9月。
Security Considerations
安全考虑
This document discusses what computer users can do to improve security on their systems.
本文档讨论计算机用户可以做些什么来提高其系统的安全性。
Authors' Addresses
作者地址
Erik Guttman Sun Microsystems Bahnstr. 2 74915 Waibstadt Germany
埃里克·古特曼太阳微系统公司。274915德国威伯斯塔特
Phone: +49 7263 911701
EMail: erik.guttman@sun.com
Phone: +49 7263 911701
EMail: erik.guttman@sun.com
Lorna Leong COLT Internet 250 City Road City Forum, London England
Lorna Leong COLT互联网250城市道路城市论坛,英国伦敦
Phone: +44 171 390 3900
EMail: lorna@colt.net
Phone: +44 171 390 3900
EMail: lorna@colt.net
Gary Malkin Bay Networks 8 Federal Street Billerca, MA 01821 USA
加里·马尔金湾网络美国马萨诸塞州比尔卡联邦街8号01821
Phone: +1 508 916 4237
EMail: gmalkin@baynetworks.com
Phone: +1 508 916 4237
EMail: gmalkin@baynetworks.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。