Desktop Security 101: A Quick Course In Safer Computing
Whether you're a student, faculty member or staff person, life at Penn
without a personal computer has become almost unthinkable. In dorm rooms, labs, offices, libraries and countless other campus locations, access to computers is a virtual necessity. With increasing reliance on personal computing has also come greater degrees of risk in the way that electronic data (personal, business, academic, etc.) is stored and handled, and the number and amount of computer exploits and malicious software ("malware") and people who attempt to use them have increased exponentially in just the last few years. Computing and information security is no longer an esoteric, theoretical field, it is a major concern in all corners of the computing world, right down to your personal, desktop computer.
Computers in use at Penn come in all shapes and sizes, and use just about
every operating system available, but whether you're running a "classic" desktop tower or a laptop, or Windows, or linux, or Mac OS X, there are a number of basic concepts and practices that you can - and should - adopt and use that will protect not only you, your computer and your data, but those of other Internet users at Penn and around the world. These fundamentals apply, regardless of your particular hardware or operating system:
1. Keep your passwords strong, and keep them in your head (as much as possible).
The single biggest computing security problem today, as it has been for
decades, is poor selection, maintenance and protection of user passwords. Most systems still rely heavily on passwords for authenticating user access, and human nature being what it is, people tend to choose passwords that are easy for themselves to remember - the dog's name, daughter's birthday, favorite singer, etc. - and in many cases, they will write the password down on a post-it note and stick it on the monitor where they (and anyone else) can see it as a reminder. Or, they will choose a word at random from the dictionary, thinking "no one could possibly guess".
Password "cracking" is a favorite activity of people who get
their kicks trying to break into computer systems, and the power of modern
computers has given them some very effective tools to do it with. "Cracking
dictionaries" can try not only every English dictionary word, but
also well-known phrases, slang words, substitutions (e.g., "time2go")
and a surprising number of other obscure things. In 2002, Penn Information
Security was asked to find out why "zzyzzx" would not
meet PennKey password criteria. On investigation, it turned out that it's
a word from a popular video game of the late 1980s, and does in fact appear
in a number of cracking dictionaries.
Penn recommends that, in choosing a strong password, you choose one that
is at least 6 characters long, but less than 16 (some systems may require
them to be longer/shorter), that it be a mixture of at least three of
the following: UPPERCASE (A-Z), lowercase (a-z), digits (0-9), special
characters (@#$%&*, etc.). It should not contain whole dictionary
words, and should avoid names or phrases that people with personal knowledge
of you might be able to guess. One technique often recommended is to think
of a phrase that has meaning only to you (it can even be nonsensical)
and take the first letter of each word to "assemble" your password.
For example, "Orange elephants invade Alaska; film at eleven"
would yield 'OeiA;fae' as the password. For even better security, replace
"at" with "@" and "eleven" with "11",
for a password of 'OeiA;f@11'. (Note: "Orange elephants..."
is a famous example - don't use this as your password). It's also
a good idea to change your password periodically, and some system administrators
will require this (and will enforce strong password selection as well).
Above all, don't share your password with anyone, and don't write it
down - the only secure place for your password is in your head.
It is slowly becoming more common for operating systems (Windows XP, for one) to permit use of "passphrases", which are essentially the same thing as passwords, but can be much longer and can include spaces and punctuation. Though they take a few more seconds to type in, passphrases tend to be exponentially more secure than passwords, especially if you mix upper/lower case, digits and special characters as recommended with passwords. Many people also find that passphrases are actually easier to remember than passwords.
Unfortunately, with more and more computing resources becoming available,
we all have more and more different account names and passwords to remember.
With the introduction of PennKey
in October, 2002, this has become somewhat less of a problem at Penn
as more and more campus computing resources provide user authentication
via PennKey. It is tempting to try and use the same password for all your
accounts, but as noted above, different systems have differing parameters
with regard to password length, etc., so it will likely not be possible
to have one, single password for everything. More to the point, it is
recommended that you not use your PennKey password, or any other
Penn passwords for outside computing resources. This helps prevent unauthorized
access to your Penn data in the event your "non-Penn" password
For most of us, however, it has become virtually impossible to remember all the passwords associated with all the various online accounts we have. To cope with this, a number of "Password Vault" applications have appeared over the last few years. These are essentially small databases that store account names/numbers, user names, passwords and other confidential information in encrypted form and protect them all with a "master password" for use in accessing the data. While this relieves the need to keep the information needed to access all your accounts i your head, it obviously does place a critical importance on remembering the "master password" - and making sure it's a strong one. These "vault" programs are available commercially at reasonable prices, and Macintosh OS X comes with one for free ("Keychain Access"), as do many Linux distributions.
2. Don't open it - you don't know where it's been...
Without a doubt, the Number One method by which viruses, trojans, worms
and "backdoor" programs are propagated is via e-mail attachments,
and this is particularly true with computers running Microsoft Windows.
More often than not, if you receive an attachment that you weren't expecting,
or is from someone you don't know (and don't know why they're sending
it), chances are that the attachment carries some variety of "malware"
just waiting for you to set it loose by opening the attachment, particularly
if the attachment has a filename extension of .exe, .pdf, .pif, .scr or .vba
(this is not a complete list, though). One of the favorite tricks of virus
writers, et al, is to hide the virus in an attachment that, when run,
produces a clever or entertaining animation on the screen that people
like to forward on to all their friends without thinking.
So, in short: if you get an email attachment, unless you feel very confident
about what it is, where it came from, and why it was sent to you - DON'T OPEN IT! At the very least, scan it with your anti-virus software to see if anything is lurking inside.
Speaking of which...
3. Get anti-virus software. Use it. Keep it up to date.
Penn makes this very easy to do for Windows and Macintosh users by providing
site-licensed copies of Symantec Anti-Virus (SAV) for both operating
systems to Penn users at no cost. To obtain a copy, visit the Computing
Resource Center and pick up the PennConnect CD, or visit the
Supported Products website at http://www.upenn.edu/computing/product/.Once
installed, be sure to update the virus signature files (a very easy process)
on a regular basis. Weekly, at the very least. Daily is even better, though
daily changes aren't always made by the vendors.
Although it is true that unix and linux users (this includes Mac OS X, which is essentially a unix-type operating system) are substantially less
likely to acquire a virus infection on their system, it is possible, and Mac- and linux-specific viruses have appeared in the last couple of years. There are anti-virus software applications available for these systems, and some of them are open-source, i.e., free.
4. If you can't trust the source you're downloading from, you can't
trust the file.
The ability to transfer files back and forth - "uploading"
and "downloading" - has been the backbone of the Internet since its inception in the early 1970s, and with the rise of peer-to-peer ("P2P") networks like KaZaa, LimeWire and BitTorrent over the last few years, "file-swapping" and downloading are as popular as ever. In most cases, such as purchasing and downloading application software from a well-known commercial website, there's a high level of confidence that you're dealing with reputable people, and the transaction is usually done using a secured connection. There are many cases, though, where you can't be entirely sure who or what is at the other end, and whether or not you can trust the files you're getting from them. As with e-mail attachments (see #2 above), it's a good idea to run downloaded files through your anti-virus software (see #3 above) before opening or installing them. Also, if you're running peer-to-peer sharing software, get in the habit of reviewing the sharing settings of not only the directory you use for file-swapping, but your entire directory structure to make sure that nothing has been changed without your knowledge. And, be on the lookout for the sudden appearance of files that you don't recognize and/or don't recall downloading. "Mystery" files may be a signal that someone has gained access to your system beyond what you intended.
5. Don't leave a computer you're logged into unattended or unprotected.
This is very important not only when using your personal computer in
your office or dorm room, but also when you are using public lab computers that are used by many other people, often in rapid succession. If you forget to log off a lab computer after finishing your session, you give the next person at the keyboard an open door into your account which they can use to read your email, personal financial information and other sensitive data. They could even change your password and lock you out of your own account!
Even in your office or dorm room (especially if you're in an "open
suite" or a "cubicle warren"), if you get up and leave
your computer unattended for no more than a few moments you provide an
opportunity for someone to physically compromise your system. It takes
less than a minute to install a backdoor program that will allow them
complete remote access and control, or "spyware" that shows
them everything you look at on your screen and everything you type on
All the major operating systems provide the ability to "lock"
and password-protect the screen and system so that an unauthorized person
with physical access cannot tamper with your computer. It's easy to say,
"I'll only be gone a minute," only to get roped into
that card game going on down the hall, or an extended chat at the water
cooler. It's a good habit to get into to either log out or lock the system
every time you get up.
6. Data on paper is the same as data on the screen.
Sometimes it's necessary to print out copies of important or sensitive
data. If you have sensitive printouts, don't leave them lying around where
unauthorized, prying eyes can see them. The data is just as sensitive
and confidential on a printed page as it is on a computer screen, and
if you don't want it read on the monitor, you probably don't want it read
anywhere else. Keep important printouts in a secure location, and when
you don't need them anymore, don't just throw them in the waste basket
- shred them. Personal shredders ("cross-cut" preferred over "strip") are inexpensive
and very useful in not only disposing of confidential printouts, but also
junk mail, credit card offers and other printed material that may contain information
about you that could be useful to identity thieves.
7. Your operating system needs to live and breathe. Don't let it get
"Hackers" are continually probing and testing for vulnerabilities
in all the major computer operating systems (this goes for mainframes as well), and are generally pretty adept at finding them. When this happens, the company that markets and distributes the operating system rushes to develop a "patch" to fix the problem and makes it available at no charge to users of the operating system. The problem is, many users rarely if ever check for availability of patches and system upgrades, let alone apply them. This is why the Code Red (I & II) and Nimda worms were able to spread so rapidly during the summer of 2001. They targeted and compomised systems that were running unpatched versions of Microsoft's Internet Information Server (IIS), even though the patch had been available for more than a year.
Along with weak passwords and virus-spreading e-mail attachements, unpatched
computer systems constitute one of the premier security threats on the Internet. A compomised system threatens not only your personal data, it can be "hijacked" for use in remote proxy attacks such as a Distributed Denial of Service (DDoS), thereby becoming a threat to someone else's computer. DON'T LET THIS HAPPEN TO YOU! All the major operating system vendors, including Microsoft, offer mechanisms that will allow you to regularly check for updates and apply them relatively easily if they are available. Keeping your system at "current patch level" is not an iron-clad guarantee that your system will never be hacked, but it's a heck of a good start
Likewise, there's often a security aspect to individual software applications
(word processing, spreadsheet, database, etc.) as well. When updates appear (though they're not usually free in these cases), it's a good practice to see if there's a security update included.
8. Don't use it? Lose it.
All the major operating systems come packaged with all sorts of application
and server software (the marketers call them "features"), and a major problem is that not only do they often turn these services on by default, they frequently give you very little explanation about what they do and little flexibility with regard to configuration settings. In general, the more services you have running on your computer, the more potential targets you have for hackers to exploit (see "IIS" in #7 above), not to mention slowing down your computer running things you don't need. These services include well-known, standard things like ftp, telnet, Samba, SQL, SMTP (e-mail server), Apache (web server) and others. If you really have use or need to run, for example, an ftp server, then go ahead and set it up, but make sure you fully understand the configuration, operation and potential vulnerabilities. Otherwise, if you don't need it, don't run it.
When considering what services should be running on your system, here
are a few easy rules of thumb:
- If you don't know what it is or what it does, don't turn it on.
In most every case, if you find out later that you need it, you can go back and turn it on.
- If it's on, and you don't need it, turn it off.
- If it's off, and you don't need it, don't turn it on.
9. Watch out for those "Social Engineers".
No, we're not talking about extroverted locomotive drivers. "Social
engineering" is a term that has come into use in the computer security
field over the last few years to describe the activities of what are,
essentially, con men (and women). Their game is to get someone to willingly
give them privileged information by exploiting some combination of:
A) The innate, good-natured desire to be of help to a fellow human
B) The belief that everyone basically honest.
C) The person's current state of being extremely busy and distracted.
D) The belief that bad things happen only to other people.
F) All of the above.
A social engineer is the kind of guy who will walk into a busy office
in a manner that suggests he belongs there, announce he's been sent to
fix the president's computer, impatiently demand to be shown where it
is, then calmly say, "I need his user name and password - what
are they?", secure in the knowledge that someone will at least
try to get the information for him. Sometimes he'll call on the phone
and say, "This is Joe from the Help Desk. There's a problem with
your account I'm trying to fix, and I need your password to test it."
In short, social engineers use trickery, subterfuge, human nature and
sheer audacity to collect nuggets of information they can put together
in a way that tells them more about the "Big Picture", thus
making it easier for them to make the "Big Score". To thwart
them, it takes little more than paying attention to who is around, what
they're doing, and being aware of whether or not it's appropriate for
them to be there and doing that. In other words, common sense.
10. Scanning is a two-way street.
At any given time, the Internet is buzzing with people using scanning
software to survey entire networks at a time, searching for vulnerable
machines to direct attacks at. You may feel like "nothing I have
on my computer is worth protecting, and they wouldn't bother with me anyway",
but the truth is that any vulnerable machine is a target that can be put
to use for all sorts of things when compomised (see "DDoS" in
#7 above). And, when you come down to it, some hackers like to take over
someone else's system for no other reason than to show that they can.
The flip side of this is that scanning can be used to alert a system
owner about what vulnerabilties are present and what can - or should -
be done to remove or lessen them. Many network scanning software applications
can be downloaded for free and used to scan your own system without getting
an OK from Penn Information Systems and Computing. However, running
scans against other systems at Penn, or from Penn's network without permission
is not allowed, and is considered a violation of the Acceptable
Penn Information Security can scan your PennNet-connected system for vulnerabilities, provided
you contact us and make arrangements in advance. Contact us at firstname.lastname@example.org
if you would like to arrange this.
Last updated: Friday, April 23, 2010