8/6/2019 Home Computer Security http://slidepdf.com/reader/full/home-computer-security 1/38 i
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 1/38
i
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 2/38
ii
This work was produ ced for FedCIRC an d th e Gen eral ServicesAdm inistration by the CERT® Coordin ation Center, Software
Engineering Institute, Carnegie Mellon University.
Copyright 2002 Carnegie Mellon University
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 3/38
ii i
Contents
Int rod uct ion ..........................................................................1
Thin king About Securin g You r Hom e Com pu ter..................3
Thin gs You Ou gh t To Kno w ..................................................4
Wh at Sh ou ld I Do To Secure My Hom e Com pu ter? .............7
Sum m ary .............................................................. ................33
En d Not es ............................................................................34
Ackn ow ledgem en ts .............................................................34
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 4/38
iv
Property h as its du ties
as well as its righ ts.Th om as Drumm on d (1797-1840)
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 5/38
1
IntroductionYour h om e comp uter is a popular target
for intruders. Why? Because intruders want
wh at you ’ve stored t h ere. Th ey look for
credit card n um bers, bank accoun t
information , and an yth ing else th ey can
fin d. By stealin g that information , intruders
can use your mon ey to buy them selves goods
an d services.
But it’s no t just m on ey-related
information th ey’re after. Intru ders
also want your computer’s resources,
m eanin g your hard disk space, your
fast p rocessor, an d you r Intern et
con n ection . Th ey use these resources
to attack oth er com puters on the
Internet. In fact, th e more comp uters
an intrud er uses, th e harder it is
for law enforcem ent to figure out
wh ere the attack is really com ing
from . If intrud ers can’t be found ,th ey can ’t be stopped, and th ey can’t
be prosecuted.
Wh y are in truders payin g attention
to hom e com puters? Home
com put ers are typically not very
secure an d are easy to break in to.
Wh en com bined with h igh-speed
Internet connections that are always
turned on , intruders can q uickly find an d th en attack hom e computers.
Wh ile intruders also attack hom e compu ters conn ected to the Internet
through dial-in connections, high-speed connections (cable modems
an d DSL m odem s) are a favorite target.
No matter how a ho me com puter is conn ected to th e Internet,
intrud ers’ attacks are often successful. Many h om e com pu ter own ers
don ’t realize that th ey need to pay atten tion t o com pu ter security. In
th e sam e way that you are respon sible for havin g in surance when you
Home Computer Security
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 6/38
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 7/38
3
Thinking About Securing Your Home ComputerBefore diving into the tasks you need to
do t o secure your h om e com pu ter, let’s first
th ink about th e problem by relating it to
someth ing you already kn ow h ow to do. In
this way, you can apply your experience to
th is n ew area.
So, thin k of your comp uter as you would your h ouse, your apartm ent,
or your condo. Wh at do you know about how that l iving space works,wh at do you rou tinely do to keep it secure, and wh at have you in stalled
to im prove its security? (We’ll use th is “comp ut er-is-like-a-ho use-and -
th e-th ings-in-it” an alogy th rough out, dep arting on ly a few times to
make a point.)
For examp le, you kn ow th at if you h ave a loud conversation, folks
outside your space can probably h ear you. You also rou tinely lock the
doors and close the wind ows when you leave, an d you do n ’t give the
keys to just anyon e. Som e of you m ay install a security system to
com plemen t you r practices. All of th ese are part of living in you r ho m e.
Let’s no w app ly similar thin king to you r h om e com pu ter. Em ail,
instan t m essagin g, and m ost web traffic go across the Intern et in th e
clear; th at is, anyon e who can captu re th at information can read it.These are th ings you o ugh t to kno w. You shou ld always select an d
use strong passwords and exercise due care when reading all email,
especially the un solicited variety. Th ese are th ings you o ugh t to do.
Finally, you can add a firewall, an an ti-virus program , patch es, and file
encryption to imp rove the level of security on you r hom e comp uter, an d
we’ll call these thin gs you ou ght to in stall.
The rest of this pamp h let describes the th ings you ough t to kn ow, do,
an d install to imp rove the security of your h om e comp uter.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 8/38
Home Computer Security
4
Things You Ought To KnowOn e starting point for solvin g hom e
computer security problems is being aware
of how th e In ternet an d some of its
techn ologies work. If you know h ow th ey
work, you can evaluate solution s to th e
problems th at com e up. You can also u se
the Internet more safely and responsibly. In
th is section , we’ll talk about two t op ics: trustan d inform ation in th e clear as it crosses the
Internet.
Trust
Hum an bein gs are trusting by nature. We trust m uch o f what we h ear
on th e radio, see on television, an d read in th e newspaper. We trust th e
labels on packages. We trust the mail we receive. We trust our parents,
our p artner or spou se, an d o ur ch ildren. We trust ou r co-workers. In fact,
those who don ’t trust much are thought to be cynical. Th eir opinions
m ay be all too q uickly ignored or d ism issed.
The In ternet was built on trust.1 Back
in th e mid 1960s, com put ers were
very expensive and slow by today’s
stan dard s, but still qu ite useful. To sh are
th e expensive and scarce comp uters
installed aroun d th e coun try, the U.S.
governm ent fun ded a research p roject
to con nect th ese comp uters together so
th at oth er researchers could use them
rem otely. This project was called th e
ARPAn et, nam ed after the govern m ent
research agency – ARPA, the Advanced
Research Projects Agency – th at fun ded
and m anaged the project .Key to th e ARPAn et was t h e level of
trust placed in its users; there was little th ough t given to m alicious
activity. Comp uters com m un icated using a straigh tforward schem e that
relied on everybody p layin g by th e rules. Th e idea was to make sharin g
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 9/38
5
ideas an d resources easy and as efficient as the tech n ology of the
day provided. This philosoph y of trust colors man y of the p ractices,
procedures, and techn ologies that are still in place today.
On ly within t h e last few years, when Internet com m erce (kno wn
as e-comm erce) began to spread, it has becom e inadeq uate to rely
prin cipally on t rust. Since th e days of th e ARPAn et, we’ve chan ged
the way we use compu ter networks while oth ers have chan ged th e
un derlying techn ologies, all in an attem pt to im prove th e security of the
Internet an d th e trust we place on i t .
Let’s dig deeper int o two ex am ples of what we t rust in o ur da ily lives.
Wh en you receive mail through th e post office, man y envelopes and th eletters in th em cont ain th e sender’s address. Have you ever wondered
if th ose addresses were valid; th at is, do t h ey match th e address of th e
person or persons wh o really sent th em? Wh ile you could ch eck to see
th at th ose addresses are valid an d refer to th e person th ey nam e, it’s
n ot an easy task.
How would you go about i t? Would you call the ph on e num ber
provided with th e letter? That n um ber could also be in valid, and
the p erson th at answers the ph one could be as misleadin g as the
original address. Perhaps you could call directory assistance or the police
departm ent th at has jurisdiction over th e town wh ere th e letter was
supposedly from . Th ey migh t be h elpful, but th at is likely to take lots of
time. Most people wouldn ’t bot h er.
An d it’s n ot just retu rn addresses eith er. How abo ut advertisemen ts,
n ews stories, or th e information printed on groceries? Supp ose you were
on a low-fat diet. You ’d wan t to b uy food s low in fat. To select the righ t
foods, you’d read th e produ ct label at th e grocery store. How do you
kno w th at th e label in formation is valid? Wh at’s to say it’s no t forged?
And ho w would you kno w?
The Internet h as man y of the same issues, and em ail is on e of the best
examp les. In an email message, an in truder can easily fabricate wh ere the
came from. But th is in formation forging – called spoofin g by intrud ers
and security professionals – is not limited to just email. In fact, the basic
un it of in formation transferred on th e Internet – called a packet – can
also be easily forged o r spoo fed.
Wh at does this m ean an d wh y sho uld you care? It m eans that an y
information you receive from some oth er computer on the Internet
should n ot be trusted autom atically and u ncon dition ally. Wh en you
trust an em ail m essage that tu rns out to h ave a harmful virus attached
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 10/38
Home Computer Security
6
to it, your comp uter can be in fected, your files destroyed, and your work
lost. An d th at’s why you sh ould care.
This is how t h e Internet works. It was built on trust. Over tim e, there
h ave been tech n ological chan ges th at are worthy of a higher level of our
trust th an before. Noneth eless, a true sense of insecurity is better than
a false sense of security. So, think about the information you trust. Be
critical and cautious.
Informat ion in the Clear
Wh en you h ave a conversation with someone in your l iving space,
everybody within earshot can hear th e words and p robably un derstand
th em. If your con versation is especially loud an d your win dows open ,
even p assersby can h ear. If you wan t p rivacy, you an d you r con versation
partner need to go to ano ther room an d close the doors and windo ws.
The Internet works much the sam e way, except th e room is much,
m uch bigger. When you send email, browse a web site, or ch at on lin e
with someone, the con versation between you and that p erson does not
go directly from your com put er to h is or h er comp uter. Instead, it goes
from your comp uter to anoth er com puter to st il l anoth er com puter and
so on , even tually reachin g his or her com put er. Th ink of all of th ese
compu ters as an Internet “room.”
An yon e, or, more accurately, any program , in th at Internet roo m
that can h ear that con versation can also probably und erstand i t . Why?Because just like the con versation at h om e, most Intern et conversations
are in the clear, meaning that the information exchanged between
com put er systems is not con cealed or
hidden in an y way.
Again , this is h ow th e Internet wo rks.
You n eed to kn ow th at th e information
sent across th e Internet m ay be at risk of
oth ers listening in, capturing wh at you
send, and u sin g it for th eir own benefit.
Later in th is pamp h let, we’ll talk abou t
encryption as a way to add ress this
problem. Encryption uses mathematicsto con ceal information . Th ere are m an y
programs you can in stall to encrypt
the information you send across the
Internet.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 11/38
7
What Should I Do To Secure My Home Computer?Securin g your ho m e comp uter is n ot a trivial
task. Th ere are m an y topics to consider and
m an y steps to follow. Th ey take time to
learn an d do . If you can , read th is entire
pam ph let before you begin to secure your
com pu ter. You ’ll h ave a better un derstan din g
of th e effort an d all its facets. Th is ou ght to
h elp you wh en you begin to tackle th e tasksdescribed h ere.
In th e followin g section s we describe two typ es of activities. Som e
you can d o using the programs that came with you r computer: workin g
with passwords and email at tachm ents, runn ing programs, and backing
up you r work. For oth er activities, you m ight n eed to obtain some
specialized programs: app lyin g patch es, and run n ing an ti-virus, firewall,
and file encryption programs. Th ough some vend ors’ produ cts provide
th ese features, we’ll assum e your com put er doesn’t h ave any of th em so
you’ll n eed to add all of them .
Here then is th e list of tasks you n eed to do to secure your h om e
comp uter. Their order is based on h ow intru ders attack comp uters,begin n ing with th e mo st-often used attack m eth ods. By starting with
th e lower nu m bered tasks, you ad dress th e biggest problems you face in
securing your ho m e compu ter. Remem ber that m ost section s end with a
reference to a web site that you can use to find an examp le of h ow to do
th e task on a Microsoft Wind ows 2000 comp uter.
Task 1 - Install and Use Ant i-Virus Programs
If someon e ran g your doorbell and wan ted to com e in to your living
space to sell you som eth ing or to use your telepho n e, you’d need to
m ake a decision wh eth er or n ot to let them in. If they were a neighbor or
someon e you knew, you’d probably let them in. If you didn ’t kno w th em
but b elieved their story and foun d th em t o be oth erwise acceptable, say
th ey were neat an d clean an d n ot th reatening, you’d probab ly also letth em in , but you’d watch t h em closely while they were in your space.
Wh at are you doin g here? You are profiling th is person an d th en
decidin g wh at to do based on th at p rofile. It’s your responsibility to
be con cerned abou t wh o en ters your livin g space. Furth er, if you h ave
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 12/38
Home Computer Security
8
children, you’ve probably also taught th em h ow to deal with strangers
who com e to your door.
An ti-virus programs work m uch th e same way. Th ese program s look
at th e conten ts of each file, search ing for specific pattern s that m atch a
profile – called a virus signatu re – of someth ing kn own to be h armful.
For each file that m atches a sign ature, th e an ti-virus program typically
provides several option s on h ow to respond , such as remo ving th e
offend ing pattern s or destroying th e file.
To un derstand h ow an ti-virus programs work, th ink abou t scam
artists – people who visit your hom e to try to get you to bu y a pho n y
produ ct or service, or to let th em in . Once inside, they m ay try to stealyour valuables or try to h arm you in som e way.
There are a variety of ways you m igh t fin d ou t abou t a specific scam
artist lurking in you r neighbo rho od. Perhaps you see a television report
or read a newspaper article about th em. They m igh t include pictures and
excerpts of th e story th e scam artist uses to scam th eir victims. Th e n ews
report gives you a p rofile of someon e you n eed to be on th e lookout for.
You watch for that p erson un til either th e story fades away or you h ear
that they’ve been caught.
An ti-virus programs work mu ch th e same way. When th e anti-virus
program ven dors learn abou t a new virus, th ey provide an u pdat ed set of
virus signatu res th at include th at n ew one. Th rough features provided by
th e updated an ti-virus program , your hom e com put er also autom atically
learn s of this new virus an d begins ch eckin g each file for it, along with
ch ecking for all the o lder viruses. However, un like scam artists, viruses
n ever com pletely fade away. Th eir signatures remain part of th e m aster
version of all virus signatu res.
Sup pose a scam artist was at your front door. What wou ld you do ?
Perhaps you’d n ot encourage them to come in nor bu y their product but,
at th e same tim e, you’d try n ot to up set them . You’d p olitely listen to
th eir story and th en send th em o n t h eir way. After you closed th e door,
you m ay call the p olice or the telephon e nu m ber given in the report th at
init ially brought them to your attention .
With viruses, you often h ave the chan ce to react to them when th ey’ve
been discovered on your h ome compu ter. Depend ing upon the specific
characteristics of the virus, you m igh t be ab le to clean th e infected file.
Or you m igh t be forced to destroy the file an d load a n ew copy from yo ur
backups or original distribution m edia. Your opt ions depen d up on your
choice of anti-virus program an d th e virus th at’s been d etected.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 13/38
9
In your living space, you look at those who com e to your door an d
you look at wh at you receive in th e mail. Th ese are two of the ways that
items can get in to your living space, so you exam ine th em, sometim es
closely, sometimes not.
Viruses can reach your com put er in m any ways, th rough flo ppy disks,
CD-ROMs, email, web sites, and dow n loaded files. All n eed to b e checked
for viruses each tim e you use th em. In ot h er words, when you in sert a
flopp y disk in to th e drive, ch eck it for viruses. Wh en you receive em ail,
check it for viruses (remem ber to u se the KRESV tests described in Task
3, Use Care W hen Reading Email with At tachm ents). When you download a
file from th e Intern et, check it for viruses before usin g it. You r an ti-virusprogram m ay let you specify all of these as places to ch eck for viruses
each tim e you op erate on th em. Your an ti-virus program m ay also do
th is autom atically. All you n eed to do is to op en o r run th e file to cause
it to be checked.
Just as you w alk aroun d you r living space to see if everythin g is OK, you
also n eed to “walk” aroun d your h om e comp uter to see if th ere are any
viruses lurkin g abou t. Most an ti-virus p rogram s let you sch edule p eriodic
exams of all files on your h om e comp uter on a regular basis, daily for
examp le. If you leave your comp uter turn ed on o ver n ight, thin k about
sch eduling a full-system review durin g th at tim e.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 14/38
Home Computer Security
10
Som e anti-virus programs have m ore advanced features th at extend
th eir recognition capabilities beyon d virus sign atures. Som etimes a file
won’t m atch an y of the known signatures, but i t may h ave som e of
the characteristics of a virus. This is comparable to getting that “there’s
someth ing n ot qu ite righ t h ere, so I’m n ot going to let them in” feelin g
as you greet som eon e at you r door. Th ese heu ristic tests, as th ey’re called,
h elp you to keep up with n ew viruses th at aren’t yet defined in your
list o f virus signa tu res.
An an ti-virus program is frequen tly an add-on t o your h om e comp uter,
th ough your n ewly purch ased com put er might include a trial version. At
some po int, say after 60 days, you m ust purch ase it to con tinu e usin g it.To decide wh eth er to m ake that purch ase or to look elsewhere, use th ese
steps for evaluating anti-virus programs:
1. The Demand test: Can you ch eck a file on d eman d, for
example, when you want to send an attachm ent as part of the
KRESV tests?
2. The Update test: Can you u pdate th e virus signatures
aut om atically? Daily is best.
3. The Respond test: Wh at are all th e ways th at you can respond
to an infected file? Can th e virus checker clean a file?
4. The Check test: Can you ch eck every file that gets to your
hom e computer, no matter how it gets there, and can th ose
checks be automated?
5. The Heuristics test: Does the virus checker do heuristics tests?
How are th ese defin ed?
These tests – th e DURCH tests – h elp you com pare an ti-virus programs.
Once you’ve made your selection, install it and use all of its capabilities
all of the tim e.
Intrud ers are th e m ost successful in attackin g all com put ers – n ot just
h om e compu ters – wh en th ey use viruses and worms. In stallin g an an ti-
virus program an d keeping it up to date is amon g the best defenses for
your h om e com put er. If your fin an cial resources are lim ited, they are
better spent purchasing a commercial anti-virus program than anything
else.
To see an exam ple th at sho ws how t o op erate a virus checker, see
http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html .
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 15/38
11
Task 2 - Keep Your System Patched
If on e of your app liances broke, you’d p robably try to h ave it repaired.
You’d call a repairperson wh om you h ope cou ld do th e job. You’d get an
estimat e an d th en yo u’d eith er get it fixed or replace it. You r goal is to
someh ow restore the function s th at th e applian ce provides.
Wh at do you d o wh en a software “applian ce” – a program – or th e
operating system itself breaks? How do you restore th e function s that
th ey provide? Do you know wh om to call or even wh ere to look to
determin e what to do n ext?
Most vendors provide patches that are supposed to fix bu gs in th eir
produ cts. Frequen tly these patches do wh at th ey’re sup posed to do.However, sometimes a patch fixes one p roblem bu t causes anoth er. For
examp le, did you ever have a repairperson fix an ap pliance but in th e
process, they scratched th e floor or damaged a coun tertop du rin g their
visit? For a com put er, th e repair cycle m ight h ave to be repeated un til a
patch comp letely fixes a problem.
Vend ors often provide free patch es on t h eir web sites. Wh en you
purch ase program s, it’s a good idea to see if and h ow th e vend or supplies
patch es, an d if an d h ow th ey provide a way to ask questions about th eir
produ cts. Just as app lian ce vend ors often sell exten ded warranties for
th eir products, some software vendors m ay also sell supp ort for th eirs.
Have you ever received a recall no tice for your car or an oth er product
you’ve purchased? Vend ors send th ese n otices to prod uct own ers whena safety-related problem has been discovered. Registering your purchase
through the warranty card gives the vend or the information th ey need to
con tact you if th ere is a recall.
Program ven do rs also p rovide a recall-like service. You can receive
patch n otices th rough email by subscribin g to m ailing lists operated
by th e programs’ vend ors. Th rough th is type of service, you can learn
about p roblems with yo ur comp uter even before you discover th em an d,
h opefully, before in truders have the ch an ce to exploit th em. Con sult the
vend or’s web site to see how t o get em ail notices about p atches as soon
as th ey’re available.
Som e vendo rs have gone beyon d m ailing lists. Th ey provide program s
bun dled with t h eir system s that autom atically cont act their web
sites looking for patches specifically for your home computer. These
autom atic upd ates tell you wh en p atches are available, down load them ,
and even install them . You can tailor th e upd ate features to do on ly
want you wan t, such as just telling you someth ing n ew is waiting but
doing noth ing more.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 16/38
Home Computer Security
12
Wh ile th e patchin g process is getting easier, even to th e point wh ere
it can be com pletely autom ated, it is n ot yet foolproof. In some cases,
installing a patch can cause an oth er seemin gly un related program to
break. The challenge is to do as mu ch h om ework as you can to learn
what a p atch is supposed to do and what p roblems it might cause once
you ’ve installed it.
This is a hard job. Often, th e vendo rs don ’t tell you abo ut p roblems
their patches can cause. Why? Because it is simply impossible to test
all possible program s with all possible patches to discover un expected
side effects. Imagine doing th at job and th en con tinu ing to do th at for
each new p rogram an d p atch th at comes along. Vendors rely on theircustomers to tell them when something un expected happ ens once a
patch is installed. So, if th is h appen s to you, let th em kno w.
Imagine th en th at you’ve eith er foun d a patch on th e vendor’s site or
you’ve received n otice that a p atch is available. What d o you d o n ext?
Follow the steps below to evaluate a patch before you install it:
1. The Affected test: Does this patch affect on e of the p rograms
on your com pu ter? If it doesn’t affect your com put er, you’re
don e. Wh ew!
2. The Break test: Can you t ell from th e vend or’s web site or
th e patch ’s description if in stallin g it breaks som ethin g else th at
you care about? If installation d oes break someth ing, then you
h ave to decide h ow to proceed. Try notifyin g the vend or of theprogram th at m igh t break to learn wh at th eir strategy is for
addressing this problem. Also, use your web browser to learn if
anyon e else has experienced th is problem and what h e or she
did about i t .
3. The Undo test: Can you un do th e patch? That is, can you
restore your com put er to th e way it was before you in stalled
th e patch ? Curren tly, vendors are building m ost patch es with
an un install feature that enables you to remo ve a patch th at
has unwanted consequences. In addition, some computers also
com e with features that h elp you restore them to a previously
kno wn an d working state shou ld th ere be a problem. You n eed
to know wh at your computer provides so th at you can un do a
pat ch if necessary.
Recall from th e Introdu ction t h at int ruders exploit vulnerabilities to
gain access to h ome compu ters. How do intruders find out abou t th ese
vulnerabilities? In m any cases, they read th e same ven dor m ailing lists
and use the same autom atic notification schem es that you use. This
mean s that you n eed to evaluate and install patches on your hom e
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 17/38
13
computer as soon as they’re available. The longer a vulnerability is
known , the greater the chan ces are that an intruder will find i t on your
hom e computer and exploit i t . With th e ABU tests, you can quickly
evaluate an d in stall patches to keep intrud ers off your h om e comp uter.
On e last th ing: patches are usually distributed as programs. Th is means
th at you n eed to use th e DCAL steps described in Task 7, Use Care
W hen Down loading and Installing Program s, before loading an d in stallin g
a patch.
Intrud ers often take advan tage of vulnerabilities wherever they m ay be.
In m an y cases, th e vulnerabilities they exploit may h ave patches, but
th ose patches were not in stalled. For your ho m e comp uter, m ake tim eto keep you r programs patch ed wh erever possible. If you can’t patch a
program, shop around for an equivalent program and use it un ti l the
original program is fixed or you’ve aband on ed it in favor of someth ing
more reliable.
You can spend m oney on m ainten ance where you get patches
for programs, but t h at’s usually not n ecessary. Since m ost ven dors
provide free patch es, m ailing lists, and autom atic updates, keepin g your
comp uter patched u sually only costs you time.
To see an exam ple that shows h ow to ch eck for, down load, and in stall
patches, see http://www.fedcirc.gov/homeusers/HomeComputerSecurity/
examples.html.
Task 3 - Use Care When Reading Email with Attachments
We’ve all heard stories about people receiving an item in th e m ail
th at in some way caused them h arm. We’ve heard of letter bomb s
and exploding packages, and in 2001, we learned abo ut Anth rax-laden
letters. Althou gh th eir frequen cy is low, th ey do m ake news.
These unsolicited items are sent to u n suspectin g recipien ts. Th ey may
cont ain a return address, a provocative en velope, or som eth ing else
that encourages its receiver to open it. This technique is called social
engineering. Because we are trusting and curious, social engineering is
often effective.
In th e case of th e An th rax letters addressed to United States sen ators,
th e envelopes con tained a schoo l’s return address as an indu cemen t
to open them . What governm ent official wouldn ’t want to serve their
constituen cy by reading and respon ding to a letter supp osedly sent by a
class at a schoo l, especially an element ary school? By op enin g th e letter
and subsequent ly spreading its lethal conten ts, th e recipien t com plied
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 18/38
Home Computer Security
14
with th e wish es of th e sender, a key foun dation of social engineering.
In th e pre-An th rax letter days, a mail han dler might h ave given little
th ough t to th e conten ts of th e letter or th e validity of the return address.
Th ose days are behind us.
You prob ably receive lots of mail each d ay, m uch of it un solicited
and cont aining u n familiar but plausible return ad dresses. Som e of this
m ail uses social engineering to tell you of a con test that you m ay have
won or th e details of a produ ct th at you m igh t like. Th e sen der is
trying to encou rage you to op en th e letter, read its con ten ts, an d interact
with th em in some way th at is fin ancially beneficial – to them . Even
today, man y of us open letters to learn wh at we’ve won o r what fan tasticdeal awaits us. Since th ere are few con sequen ces, th ere’s no h arm in
opening them.
Em ail-born e viruses and wo rms op erate mu ch t h e same way, except
th ere are con sequences, som etimes significant on es. Malicious email
often con tains a return address of someon e we know and often h as
a provo cative Sub ject lin e. Th is is social en gineerin g at its fin est –
something we want to read from som eone we know.
Em ail viruses an d wo rms are fairly comm on . If you’ve n ot received o n e,
chan ces are you will. Here are steps you can use to h elp you d ecide wh at
to do with every email message with an attachm ent th at you receive. You
shou ld on ly read a m essage that passes all of th ese tests.
1. The Know test: Is th e email from som eon e that you kno w?
2. The Received test: Have you received email from this sender
before?
3. The Expect test: Were you expecting email with an at tachm ent
from th is sender?
4. The Sense test: Does email from th e sen der with th e conten ts as
described in th e Subject line and th e nam e of th e attachm ent(s)
make sense? For example, would you expect the sender – let’s
say your Moth er – to send you an em ail m essage with th e
Subject lin e “Here you h ave, ;o)” that con tains a m essage with
attach m en t – let’s say An n aKou rn ikova.jpg.vbs? A m essage like
th at probably doesn’t m ake sense. In fact, it happ ens to be
an in stance of th e An n a Kourn ikova worm, an d reading it candam age your system .
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 19/38
15
5. The Virus test: Does th is email contain a virus? To d etermine
th is, you n eed to install and u se an an ti-virus program. That
task is described in th e section ent itled Install and Use Anti-Virus
Program s.
You sh ou ld app ly these five tests – KRESV – to every piece of ema il
with an attachm ent th at you receive. If any test fails, toss that em ail.
If th ey all pass, then you still need to exercise care and watch for
un expected results as you read it.
Now, given t h e KRESV tests, im agin e that you wan t to send em ail
with an attachm ent to som eone with wh om you’ve never correspon ded
– what sh ould you do? Here’s a set of steps to follow to begin an emaildialogue with someone.
1. Since th e recipient do esn’t already Know you, you need to
send them an introductory email. It m ust not con tain an
attachment. Basically, you’re introducing yourself and asking
their perm ission to send email with an attachm ent th at they
m ay oth erwise be suspicious of. Tell th em wh o you are, wh at
you’d like to do, an d ask for permission to con tinu e.
2. This introdu ctory email qu alifies as th e m ail Receivedfrom you.
3. Hopefully, th ey’ll respon d; an d if th ey do, h on or their wish es.
If th ey ch oose not t o receive email with an att achm ent from
you, don ’t send on e. If you n ever h ear from t h em, try yourintroductory email one m ore t im e.
4. If th ey accept your offer to receive em ail with an attach m ent,
send it off. They will Know you an d will have Received email
from yo u b efore. Th ey will also Expect th is email with an
attachm ent , so you’ve satisfied th e first th ree requiremen ts of th e
KRESV tests.
5. Wh atever you send sho uld make Sense to th em. Don ’t use a
provocative Subject line or an y oth er social engineering p ractice
to en courage th em to read your email.
6. Check the attachm ents for Viruses. Th is is again based o n
having virus-checking programs, and we’ll discuss that later.
Th e KRESV tests h elp you focus on t h e most imp ortan t issues wh ensendin g and receivin g email with attachm ents. Use it every tim e you
send em ail, but be aware that t h ere is no foolproof sch eme for workin g
with em ail, or security in gen eral. You still need to exercise care.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 20/38
Home Computer Security
16
Wh ile an an ti-virus program alerts you to m an y viruses th at m ay find
th eir way to you r ho m e comp uter, there will always be a lag between
wh en a virus is discovered and wh en an ti-virus program ven dors provide
th e n ew virus signatu re. Th is m eans th at you shou ldn’t rely en tirely
on your an ti-virus programs. You m ust con tinu e to exercise care wh en
reading em ail.
Task 4 - Install and Use a Firewall Program
This section describes a firewall, its impo rtance to your h om e com put er
strategy, and a way to th ink abou t th e job you n eed to do . We’re
going to depart from our “comp uter-is-like-a-h ouse-an d-the-thin gs-in-it”
an alogy to u se anoth er that you are probably also fam iliar with : an officebuilding.
Have you ever visited a business where you
first stopped at th e reception desk to interact
with a security guard? That guard ’s job
is to assess everybody who wishes
to en ter or leave the building to
decide if th ey sh ould con tinu e
on or be stopp ed. Th e guard
keeps the unwan ted out and
permits only appropriate
people and o bjects to ent er and
leave th e bu siness’s prem ises.
Let’s dig deeper int o th is an alogy. Wh en
someon e enters a building, the security guard
usually greets them . If they h ave an app ropriate iden tification badge,
th ey show it t o th e guard or swipe it th rough a reader. If all is OK, th ey
pass throu gh th e guard’s checkpoint . However, if som eth ing’s wrong o r
if th ey are a visitor, th ey m ust first stop at t h e guard desk.
The guard asks wh om th ey wish to see. Th e guard m ay also ask for
identification such as a driver’s license or th eir com pan y ID. Th e guard
reviews th e list of expected gu ests to see if this person is approved to
visit th e party in question. If the guard decides everything is all righ t,
th e visitor may p ass. Th e visitor usually signs a logbook with th eir nam e,
the com pan y they represent, whom they are seeing, and th e t im e of day.
On a comp uter, th e firewall acts much like a guard when it looks at
n etwork traffic destin ed for or received from an oth er comp uter. The
firewall determines if th at traffic sh ould con tinu e on to its destination
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 21/38
17
or be stopped . Th e firewall “guard” is im portan t because it keeps th e
un wanted ou t an d p ermits only appropriate traffic to enter an d leave
the com puter.
To d o th is job, th e firewall has to look at every piece of information –
every packet – th at tries to ent er or leave a com put er. Each packet is
labeled with wh ere it came from an d wh ere it wan ts to go. Som e packets
are allowed to go an ywhere (the em ployee with th e ID badge) wh ile
oth ers can on ly go to specific places (visitors for a specific person). If th e
firewall allows th e packet to proceed (bein g acceptable according to th e
rules), it mo ves the packet on its way to the d estin ation. In m ost cases,
th e firewall records wh ere the packet came from , wh ere it’s going, andwhen it was seen. For people entering a building, th is is sim ilar to th e
ID card system keeping track of who ent ers or the visitor sign ing th e
visitor’s log.
The bu ilding’s guard m ay do a few more tasks before deciding th at
th e person can pass. If th e person is a visitor and is n ot on th e visitors
list, the guard calls the em ployee being visited to an n oun ce th e visitor’s
arrival and to ask if they may pass. If the employee accepts the visitor,
th ey may p roceed. The guard m ay also give the visitor a badge th at
identifies them as a visitor. That badge m ay lim it where in th e building
th ey can go an d ind icate if th ey need to be escorted. Finally, no m atter
wheth er the person is a visitor or an em ployee, th e guard may inspect
their briefcase or computer case before they pass.
The firewall can also check wheth er a given p acket sh ould p ass,
allowing th e comp uter’s user to respon d to u n ant icipated n etwork
traffic (just as th e guard d oes with th e un expected visitor). Individual
packets can be allowed to pass, or th e firewall can be ch anged t o
allow all futu re packets of the sam e type to pass. Som e firewalls h ave
advan ced capabilities that m ake it possible to d irect packets to a different
destination an d p erhaps even have th eir contents con cealed in side oth er
packets (sim ilar to th e visitor b eing escorted ). Finally, firewalls can filter
packets based not o n ly on th eir poin t of origin or destin ation, but also
on th eir cont ent (in spectin g the briefcase or comp uter case before being
allowed to p ass).
Back to th e office building, when emp loyees leave th e building, theymay also have to swipe their ID card to show that they’ve left. A visitor
signs out an d return s their tempo rary badge. Both m ay be subject to
h aving th eir possessions in spected before bein g allowed t o leave.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 22/38
Home Computer Security
18
Firewalls can also recogn ize an d record wh en a com put er-to-compu ter
conn ection end s. If th e conn ection was temporary (like a visitor), the
firewall rules can chan ge to den y futu re similar conn ection s unt il th e
system’s user aut h orizes th em (just as visitors mu st re-iden tify them selves
and be re-approved by an emp loyee). Finally, outgoing con n ection s
can also be filtered according to con ten t (again, sim ilar to inspecting
possessions at the exit).
Wh at does this all mean ? It m eans th at with a firewall, you can con trol
which p ackets are allowed to en ter your hom e compu ter and which are
allowed to leave. Th at’s th e easy part.
The h ard part is deciding th e details about t h e packets that are allowedto en ter and exit your ho m e comp uter. If your firewall supp orts con tent
filtering, you also n eed to learn wh ich conten t to allow and which n ot
to allow. To h elp you get a h and le on t h is h arder task, let’s return to our
security guard analogy.
Imagin e th at you are th at security guard an d it’s your first day on th e job.
You h ave to decide wh o’s allowed in , who’s allowed out, an d wh at peop le
can bring into an d take out of the building. How do you do th is?
On e strategy is to be very con servative: let no on e in or ou t an d let no
possessions in or out. This is very simple, very easy to achieve, but not
particularly helpful to th e bu sin ess if non e of its emp loyees or visitors
can get in or out. Nor is it helpful if they can ’t bring an yth ing with
th em. With th is type of strategy, your ten ure as a security guard m ay
be short-lived.
If you try th is, you qu ickly learn th at you n eed to ch an ge your strategy
to allow people in and out o n ly if they h ave acceptable identification
and possession s usin g some agreed-to criteria. Add t h e requiremen t th at
if you d on ’t m eet th e precise criteria for adm ittance, you d on ’t get in.
With m ost firewalls, you can d o th e sam e thin g. You can program you r
firewall to let n oth ing in an d n oth ing out. Period. This is a deny-all
firewall strategy and it does work, though it effectively disconnects you
from th e In ternet. It is im practical for m ost ho m e comp uters.
You can d o wh at th e security guard did: review each p acket (emp loyee
or visitor) to see wh ere it’s com ing from an d wh ere it’s going. Som efirewall produ cts let you easily review each p acket so that you can decide
what to do with it. Wh en yo u are shopp ing for a firewall, look for th is
review featu re because it can be q uite h elpful. Practically speakin g, it
isn ’t easy to d ecide wh ich traffic is all right and which is not all righ t.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 23/38
19
An y feature th at m akes this job easier helps you achieve your goal of
securing your home computer.
Just like the security guard wh o learn s that an ybody with a com pan y
ph oto ID is allowed to pass, you t oo can create firewall rules th at allow
traffic to p ass witho ut reviewin g each p acket each time. For exam ple,
you m ay choo se to allow you r In ternet b rowsers to visit an y web site.
Th is rule would defin e th e source of th at traffic to be you r browsers
(Netscape Navigator and Microsoft Internet Explorer, for example) and
th e destin ation location to be any web server. Th is m eans th at an ybody
using your h om e comp uter could visit any Intern et web site, as long as
th at web server used th e well-kno wn stan dard locations.Now th at you h ave an idea of what your firewall security guard is trying
to do, you n eed a meth od for gathering information and programm ing
you r firewall. Here is a set of steps to use to d o just th at:
1. The Program test: Wh at’s the program th at want s to make
a conn ection to th e Internet? Although man y programs may
need to m ake the same type of conn ection to th e same Internet
destination , you n eed to know th e nam e of each. Avoid gen eral
rules th at allow all program s to m ake a conn ection. This often
results in un wanted an d u nch ecked beh avior.
2. The Location test: Wh at’s the Intern et location of the com put er
system to which your computer wants to connect? Locations consist
of an add ress and a port n um ber. Som etimes a program is allowed toconn ect to any Intern et location, such as a web browser con n ecting
to an y web server. Again, you wan t to limit program s so th at th ey
on ly conn ect to specific locations where possible.
3. The Allowed test: Is th is conn ection allowed o r den ied? Your
firewall rules will contain some of each.
4. The Temporary test: Is th is conn ection tem porary or
perman ent ? For examp le, if you’re goin g to conn ect to th is
specific location m ore than five tim es each tim e you use
the com puter, you probably want to m ake the conn ection
permanen t. This means that you ought to add a rule to your
firewall rules. If you aren’t going t o m ake th is con n ection often,
you sho uld defin e it as temporary.
With each conn ection, apply the PLAT tests to get the inform ation you
n eed to bu ild a firewall rule. Th e an swer to th e PLAT tests tells you if
you n eed to include a n ew firewall rule for th is n ew conn ection. For m ost
firewall programs, you can t emp orarily allow a conn ection but avoid
m aking it perm anen t by no t including it in your rules. Where possible,
allow only temporary connections.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 24/38
Home Computer Security
20
As you run each program on your h om e compu ter, you’ll learn h ow
it uses the Internet. Slowly you’ll begin to build th e set of rules that
defin e what t raffic is allowed int o an d ou t of your comp uter. By on ly
lettin g in an d ou t wh at you ap prove and den ying all else, you will strike
a practical balance between allowin g everythin g and allowing not h ing
in or out.
Along th e way, you m ay com e across exception s to you r rules. For
example, you m ight decide that an ybody who u ses your hom e computer
can visit an y web site except a ch osen few web sites. This is an alogou s
to th e security guard lettin g every emp loyee pass except a few who n eed
more attention first .To d o th is with firewall rules, th e exception rules must b e listed b efore
th e general rules. For examp le, th is m eans th at th e web sites whose
conn ection s are not allowed m ust be listed before the rules that allow all
conn ection s to any web site.
Wh y? Most firewall programs search th eir rules starting from th e first
through the last . When the firewall finds a rule that m atches the packet
being examin ed, th e firewall h on ors it, does what th e rule says, and looks
n o furth er. For exam ple, if the firewall find s th e general rule allowing an y
web site conn ection s first, it h on ors this rule and doesn’t look furth er
for rules th at m igh t den y such a con n ection . So, the o rder of firewall
rules is im portan t.
Man y firewalls can b e programm ed to require a password before
changing the rules. This extra level of protection safeguards against
un want ed chan ges n o m atter their source, th at is, you, an in truder, or
another user. Follow the guidance in Task 6, Use Strong Passwords, when
assigning a password to your firewall.
Finally, make a b ackup of you r firewall rules. You ’ve pro bably ta ken a
lot of t ime to build and tun e them to m atch ho w your hom e com puter
is used. These rules are im po rtan t to yo ur com pu ter’s security, so back
th em u p using th e guidan ce in Task 5, Make Backups of Important Files
and Folders.
Firewalls come in two general types: hardware and software (programs).
The software versions also come in two types: free versions and
comm ercial versions (ones th at you p urchase). At a m inimu m , you
shou ld use one of th e free versions on your h om e comp uter. This is
especially im portant if you h ave a laptop th at you con nect to your h om e
n etwork as well as a netwo rk at a h otel, a conferen ce, or your office.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 25/38
21
If you can afford a h ardware firewall, you sh ould in stall on e of
th ese too. We’ve recomm end ed th is as som eth ing to do later. (Firewall
programs are task 4 on our list of recomm end ed actions, and h ardware
firewalls are task 8.) The same issues apply to the hardware versions that
apply to th e software versions. Many can also be p assword p rotected
again st un want ed chan ges. Search th e In ternet with your browser to see
what’s available and what they cost. The price of hardware firewalls is
coming down as the dem and grows.
A firewall is your security guard th at stand s between your h om e
comp uter and th e In ternet. It lets you con trol which traffic your
comp uter accepts. It also con trols wh ich of your programs can con n ectto th e In ternet. With a firewall, you defin e which con n ection s between
your computer and oth er comp uters on the Internet are allowed an d
which are denied. There are free firewall produ cts that p rovide the
capabilities you n eed to secure your h om e comp uter. Com m ercial
versions h ave even m ore features that can further protect your com put er.
Firewalls are an im portan t part of your h om e com put er’s security
defenses. To see an examp le that shows h ow to operate a firewall, see
http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html .
Task 5 - Make Backups of Im port ant Files and Folders
Wh eth er you kn ow it or n ot, you’ve divided everythin g you own into
two broad categories: those items you can replace and th ose you can ’t.
For th e items you can’t replace, you’ve probably stored th em in a safe
place, either som ewhere in your livin g space or elsewhere, in a lockbox
at a ban k, for exam ple. In either case, you’ve probably also bo ugh t
insurance th at provides the fun ds you’d n eed to buy replacemen ts. Your
insurance po licy covers alm ost everyth ing you o wn.
On your ho m e com put er, have you sim ilarly divided everything into
th e sam e categories? What h ave you don e about th e item s – files in th is
case – that you can ’t replace? Exam ples are th e files th at m ake up your
checking accoun t records, th at n ovel you’ve been writing for the p ast
few years, and th ose pictures you to ok last sum m er with your digital
camera. What h appen s if your com pu ter malfun ctions or is destroyed by
a successful at tacker? Are th ose files gon e forever?
Now th ink abou t your car for a mom ent . Do you h ave a spare tire?
Is it in flated? Wh en was th e last time you used it? Can you im agin e
buying a car witho ut a spare tire? Even if you bou ght a used car withou t
a spare, how soon did you bu y a spare so that you’d have on e when
you n eeded i t?
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 26/38
Home Computer Security
22
Think back to you r hom e comp uter. Do you h ave a “spare tire,”
mean ing a way to continue compu ting when you h ave a “blowout”
caused by a malfunction or an intrud er? Said ano th er way, can you back
up your files onto some oth er media so th at you can recover them if you
n eed to? If you’d n ever buy a car with out a spare tire, why did you buy a
comp uter withou t a device to back up your files?
Wh en d eciding wh at to do about backing u p files on your computer,
ask these questions:
1. The Files qu estion : What files sh ould you back up? Th e files youselect are tho se that you can n either easily recreate n or reinstall
from somewh ere else, such as the CD-ROMs or th e flopp y disks
that came with your computer.
Be realistic. Th at ch eck register you printed does n ot con stitute
a backup from wh ich you can easily recreate the files needed
by your ch eckin g accoun t program. You’re probably n ot going
to re-ent er all th at dat a if th e files are destroyed. Just as you
protect you r irreplaceable valuables, back up th e files you cann ot
replace, easily or oth erwise.
2. The Often question : How often sh ould you back them up? In
th e best of all cases, you shou ld back up a file every time it
chan ges. If you don ’t, you’ll have to reintrodu ce all th e chan ges
th at h appen ed sin ce your last backup. Just as you store your
precious jewelry in a lockbox at th e local bank lest th e lucky
robber find it in your jewelry box, you n eed to store your files
safely (back th em up ) after every use (ch an ge in th e file) lest an
intrud er destroys the file or t h ere’s a system catastroph e.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 27/38
23
3. The Media question: Wh ere should you back them u p to; that
is, what m edia sh ould you u se to hold backed up files? The
answer is: whatever you have. It’s a question of how many of that
m edia you have to u se an d h ow con venient it is. For example,
m ost comp uters have a flop py disk drive. You could back up your
irreplaceable files to flop pies. Th at p rocess just t akes lots of time
and m ay not be as convenien t as using anoth er media. Larger
capacity rem ovable disk drives and writable CD-ROMs also work
well, take less time, and are more convenient.
If you don ’t h ave a backup device, th ere are alternatives. Th ere
are In ternet services th at let you back up you r files to anot h er
Internet comp uter. Som e of th ese services provide “tran sparentaccess” to th e backups. Th at is, th ey look like anot h er hard
drive attached to your com put er. You u se the file copy schem e
th at your comp uter provides to back up files an d recover th em
from backed up storage. To fin d t h ese services, do som e Internet
search es using you r browser.
Remem ber that th e in form ation you tran sfer across the In ternet
could be viewed an d captured by oth ers; th at is, the information
is in t h e clear. Be sensitive to th at if you use an Intern et-based
backup com put er. In ad dition, you n eed to be able to trust th e
information wh en you recover a file from th at service.
4. The Store question : Where sho uld you store that m edia once
it contains your backed up files? No matter h ow you back up
your files, you need to be con cern ed about wh ere th ose backedup copies live.
You already know th at intrud ers try to break into you r hom e
com put er to gain access to your files and you r comp uter’s
resources. An oth er way to gain access to t h e same in formation
is by stealing you r backups. It is more d ifficult, tho ugh , sin ce a
robber m ust ph ysically be wh ere your backups are, whereas an
intrud er can access your h om e comp uter from literally anywh ere
in th e world. The key is to know wh ere the m edia is that
cont ains your backed up files.
Just like impo rtant papers stored in a fireproof contain er at your
h ouse, you also n eed to be con cern ed about you r backups being
destroyed if your living space is destroyed or damaged. This
mean s that you ou ght to keep a copy of your backed up files in afireproof con tainer or somewh ere beyon d your livin g space, your
office for example. It is th e eternal com prom ise between security
an d u sability. If you n eed to recover a file and th e backed up
copies are at th e office, th at’s incon venient . However, wh ile
storing them at hom e is more convenien t and more usable, they
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 28/38
Home Computer Security
24
share th e same risks th at your com pu ter faces shou ld your living
space be destroyed. Be aware of the issues an d m ake a con scious
decision, perh aps keepin g copies in bo th places.
If you have that spare tire for your car or a lockbox for your valuables,
you’ve already plann ed for the worst th at can h appen around your
living space. Contin ue th at good practice by backing up your critical files
on to m edia that you can safely store elsewhere. Do th ose backups often
enough that you can capture the chan ges you’ve made. With the FOMSquestions, you h ave a structured app roach to u se to back up your critical
files. You ’ve no w plan n ed for th e worst.
As you com put erize the routine aspects of your daily life, makin gbackup copies of important files and folders becomes critical. Even if
you can ’t store the backup cop ies in a fireproof contain er or som ewhere
outside your h om e, make backups anyway. An y backup is better th an
none .
Task 6 - Use Strong Passwords
Your livin g space has doo rs an d wind ows, and perh aps mo st of th e time
th ey’re locked. For each lo ck th at u ses a key, chan ces are th at each key is
different. You kn ow to lock up an d n ot to share th e keys with strangers,
and probably no t with m ost of your friends. You sh ould n ot h ide keys
un der the mat or in a flowerpot on your front porch.
Passwords for com put ers are much th e same. For each com put er andservice you u se (on lin e purch asin g, for examp le), you sho uld h ave a
password. Each password sh ould be un ique an d un related to an y of your
oth er passwords. You sh ouldn ’t write th em d own n or should you sh are
them with anyon e, even you r best friend s.
Take a look at you r front do or key. It’s pretty com plicated. There are lots
of n otch es and grooves. If th ere weren’t so m any possible variations, a
th ief could easily make a key for every possible com bination an d th en
try each on your front d oor. This trial-an d-error meth od, (for com put ers,
called b rute force) is likely to be effective even if it ta kes a lon g tim e.
Non eth eless, no m atter how com plicated, if th e th ief gets h old of your
key, he or she can copy it and u se th at copy to open your door.
A password can also be com plicated. Most schem es let you use anycomb ination of letters, both u pper and lower case, an d n um bers; an d
some also let you u se pun ctuation m arks. Length s can vary. You can
create a password to be as com plicated as you wan t. Th e key (n o pu n
inten ded) is to be able to rem emb er this password when ever you n eed it
withou t h aving to write i t down to jog your mem ory.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 29/38
25
Like the thief at your door, computer intruders also use trial-and-error,
or brute-force techniques, to discover passwords. By bombarding a login
sch eme with all th e words in a diction ary, they m ay “discover” th e
password th at un locks it. If they know som eth ing about you , such as
your spouse’s name, the kind of car you drive, or your interests, clever
intrud ers can n arrow the ran ge of possible passwords an d try th ose first.They are often successful. Even slight variation s, such as addin g a digit
on to th e end of a word or replacin g the letter o (oh) with th e digit 0
(zero), don ’t pro tect pa sswords. In trud ers know we u se tricks like this to
m ake our p asswords m ore difficult to gu ess.
Just like th e fron t d oor key, even a com plicated p assword can be copied
and th e copy reused. Remem ber the earlier discussion abo ut in formation
on th e In ternet bein g in th e clear? Supp ose that really stron g password
you too k a long time to create – th e on e th at’s 14 characters lon g and
cont ains 6 letters, 4 n um bers, and 4 pun ctuation m arks, all in rand om
order – goes across the Internet in t h e clear. An intrud er may be able
to see it, save it, and use it. Th is is called sniffing an d it is a com m on
intrud er practice.
The poin t is th at you n eed to follow the practice of usin g a uniqu e
password with every accoun t you h ave. Below is a set of steps that you
can u se to h elp you create passwords for your accoun ts:
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 30/38
Home Computer Security
26
1. The Strong test: Is th e password as stron g (m eanin g length andcont ent ) as th e rules allow?
2. The Unique test: Is th e password un ique and u n related to an yof your oth er passwords?
3. The Practical test: Can you rem emb er it with out h aving towrite it down ?
4. The Recent test: Have you ch anged it recent ly?
In spite of th e SUPR tests, you need to b e aware that sn iffin g happ ens,
and even th e best of passwords can be captured an d used by an in truder.
You sho uld use passwords not on ly on your h om e computer butalso for services you use elsewhere on the Internet. All should
h ave the strongest passwords you can use and remem ber, and each
password shou ld be un ique and un related to all oth er passwords. A
strong password is a password that is longer th an it is short, th at
uses com bination s of upp ercase and lowercase letters, nu m bers, and
pun ctuation, an d th at is usually not a word found in a diction ary.
Also remem ber th at n o m atter ho w strong a password is, it can still
be captured if an in truder can see it “in th e clear” somewh ere on th e
Internet. (See the Information in the Clear section.)
Task 7 - Use Care When Downloading and InstallingPrograms
Wh en you buy an appliance, you give li t t le thou ght to i t doing you
or your h ouse an y h arm. Wh y? Because there are organ izations like
Underwriters Laboratories2 th at set stan dards and certify products. When
you see a certifier’s label, you h ave m ore con fiden ce th at a p roduct will
be safer than a comp eting produ ct that d oes not carry the same label.
You ’re willing to accept th e risk because you believe th e prod uct h as met
some stan dards and h as been certified by a respected auth ority.
Unfortun ately, the Intern et is n ot th e sam e. There are neith er stan dards
n or man y certification organization s. An yon e who writes a program can
distribute it through an y mean s available, such as throu gh th e web or by
sending you a copy. Speaking of that, have you ever received a CD-ROM
in th e mail? How do you kn ow th at it con tains what th e label says? Th e
an swer is: you d on ’t kn ow. More im po rtan tly, it’s difficult to kn ow.
No m atter how you acquire a program, i t runs on your computer at th em ercy of the program’s auth or. An yth ing, any op eration , any task that
you can do, th is program can also do . If you’re allowed to rem ove an y
file, th e program can too . If you can sen d em ail, the program can too.
If you can in stall or remove a program, th e program can to o. An yth ing
you can do , the intrud er can d o also, throu gh th e program you ’ve just
installed an d run .
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 31/38
27
Som etimes there’s no explan ation o f what a program is sup posed to d o
or wh at it actually does. Th ere may b e n o u ser’s guide. Th ere may b e
n o way to con tact th e auth or. You’re on your own , tryin g to weigh a
program’s benefits again st the risk of the h arm th at it might cause.
Wh at’s the p roblem you ’re trying to solve h ere? You are trying to
determin e if the program you’ve just foun d satisfies your n eeds (say it
provides a service that you wan t or you ’re just experimen ting) with out
causing harm to your computer and ult imately the inform ation you h ave
on th e com put er. How do yo u d ecide if a program is wh at it says it
is? How do you gauge the r isk to you and your computer by run ning
this program?You address these sam e risk issues when you p urchase an appliance;
you m ay just n ot h ave realized that th at’s what you were doing. Wh en
you m ake that pu rchase, you bu y from eith er a local store you kno w or
a n ational ch ain with an establish ed reputation . If there’s a problem with
your pu rchase, you can take it back to th e store an d exchan ge it or get
your m on ey back. If it causes you h arm, you can seek relief th rough th e
legal system. Th e reputation of the m erch an t, the refund /return policy,
and th e availability of the legal system reduce your risk to a p oint wh ere
you m ake the purchase.
Apply th ese sam e practices when you b uy a p rogram . You sh ould
• Learn as mu ch as you can about th e product and wh at it does
before you pu rch ase it.
• Understand th e refund /return p olicy before you make your
purchase.
• Buy from a local store that you already kno w or a nation al
chain with an established reputation .
Presen tly, it is no t as clear wh at t h e legal system ’s role is for a p rogram
th at causes h arm or does not work as advertised. In th e mean time, the
LUB practices are a good first step.
Today’s In ternet h as a feature th at stand ard produ cts don ’t h ave, or
at least have b ut t o a lesser exten t. This featu re is free program s. Th ere
is a mu ltitud e of free program s available for all types of system s, with
m ore available each day. Th e challenge is to decide which programsdeserve your con fiden ce and are, therefore, worth th e risk of installing
and runn ing on your home computer.
So th en, h ow do you d ecide if a program is worth it? To decide if
you should install and run a program on your hom e computer, follow
th ese steps:
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 32/38
Home Computer Security
28
1. The Do test: Wh at does th e program do ? You sh ould be able
to read a clear description of what th e program d oes. Th is
description cou ld be on th e web site where you can down load it
or on th e CD-ROM you use to in stall it. You n eed to realize th at
if th e program was written with m alicious inten t, the auth or/
intrud er isn’t going to tell you th at th e program will harm you r
system. They will probably try to mislead you. So, learn what
you can, but con sider the source an d con sider wheth er you can
trust th at information.
2. The Changes test: Wh at files are in stalled and wh at oth er
chan ges are made on your system wh en you in stall and run th e
program? Again , to do th is test, you m ay have to ask the auth or/ intrud er h ow th eir program chan ges your system . Consider th e
source.
3. The Author test: Wh o is th e auth or? (Can you u se em ail,
telephon e, letter, or some oth er means to con tact them ?) On ce
you get this in formation , use it to try to contact th em to verify
th at th e contact information works. Your interactions with th em
m ay give you m ore clues about th e program an d its poten tial
effects on your comp uter and you .
4. The Learn test: Has anybody else used th is program, an d wh at
can you learn from h im or h er? Try some Intern et searches usin g
your web b rowser. Som ebody h as probably used th is program
before you, so learn what you can before you in stall it.
If you can ’t determ ine th ese th ings – th e DCAL tests for sho rt – about
th e program you’d like to install, th en strongly consider wheth er it’s
worth th e risk. On ly you can d ecide wh at’s best. Wh atever you do, be
prepared to rebuild your comp uter from scratch in case th e program goes
awry and destroys it. The section on backups (Task 5) tells you h ow to
make a copy of your imp ortant information should you need i t .
Your an ti-virus program prevents som e of th e problems caused by
down loading and in stallin g program s. However, you n eed to rem emb er
th at th ere’s a lag between recognizing a virus and when your com put er
also kn ows about it. Even if that n ifty program yo u’ve just down loaded
doesn’t con tain a virus, it m ay beh ave in an un expected way. You sh ould
continue to exercise care and do your h om ework when downloading,
installing, and running new programs.
Task 8 - Install and Use a Hardware Firewall
Com plemen t your firewall program by in stallin g a h ardware firewall.
Together, th ese two firewalls stand between your h om e comp uter and
th e In ternet. This is ano th er place where your m on ey is well spen t.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 33/38
29
Please go to Task 4, Install and Use a Firewall Program , to learn m ore
about firewalls. That section concen trates primarily on firewall programs,
but m uch of the inform ation ap plies to h ardware firewalls as well.
To fin d ou t wh at h ardware firewall produ cts are available, search th e
Internet with your web browser.
Task 9 - Install and Use a File Encryption Program andAccess Cont rols
Let’s return to yo ur livin g space and our o riginal an alogy. Think ab out
your ch eckbook, your insuran ce policies, perhap s your birth certificate or
passport , and other important d ocumen ts you h ave at h ome. Wh ere are
th ey? Th ey’re probab ly stored in a filing cabin et or a safe, eith er of whichth at can be or is routinely locked. Why do yo u store these im portan t
items in a locked contain er?
Withou t realizing it, you are satisfying on e of the th ree com pon ent s
of in formation security – con fiden tiality. Con fiden tiality mean s keeping
secrets secret. On ly those wh o are supposed to see that in form ation
shou ld h ave access to it. You are keepin g information sensitive to you
and oth ers away from th ose who sho uld n ot be able to get to it, for
examp le a fam ily mem ber or an in truder. By th e way, the oth er two
comp on ent s of information security are integrity (Has m y information
chan ged?) an d availability (Can I get to m y information wh enever I
need it?).
You furth er protect in formation con fiden tiality when you en force it by
using an access con trol device, nam ely the lock on your filing cabinet
or safe. Th is device stands between t h e information an d th ose seekin g
access, and it gran ts access to all who h ave the com bination , the key,
or wh atever tool un locks th e con tainer. Wh en several layers of access
cont rol devices are used (called “defense in d epth ”) – you m igh t also
find th at th ese con tainers are them selves in locked room s. Would-be
intrud ers mu st pass throu gh several levels of protection before fin ally
gain ing access to th e information th ey seek.
Now, th ink back to your ho m e comp uter. Th e problem is to con trol
access to files an d folders. Th e access con trol device h ere is th e access
cont rol list or ACL. ACLs define who can perform actions on a file or
folder: readin g an d writin g, for exam ple. ACLs are equivalent to a lockedfilin g cabinet for paper docum ent s.
Different com pu ter system s provide differen t typ es of ACLs. Som e h ave
fine-grained con trols wh ile oth ers h ave virtually non e. Th e key is to use
all th e controls that are available on you r comp uter.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 34/38
Home Computer Security
30
Frequ en tly, vend ors defin e ACLs th at are overly perm issive. This
satisfies th eir n eed to en sure that access lim itation s don ’t get in th e way
of using th eir system s. You r challen ge is to tigh ten th ose ACLs so th at
th ey properly restrict access to on ly tho se who n eed access. Th is mean s
th at you n eed to m odify the ACLs from th e settings set by th e vendo r.
We’ll talk m ore about h ow to do t h is shortly.
Returning to the h ome en vironm ent, do you remember a t ime wh en
adults in your hou se wanted to say someth ing to one an other in front of
their children but in such a way that th e children couldn’t un derstand
wh at was bein g said? Perhap s th ey spelled th eir message or used Pig Latin
(ig-pay Atin-lay) to conceal the meaning. This worked for a while, untilth e children learned to spell or could oth erwise und erstan d wh at was
being said. What’s really hap pen ing h ere?
Very simply, th e adults could no t con trol who cou ld h ear their
conversation . It was in con venient or perhap s im possible for th em t o go
to an other room where they couldn’t be h eard. They h ad to talk in a
way that on ly those who knew th e concealing schem e could u nd erstand
what was bein g said.
On a comp uter, wh en access to inform ation can ’t be lim ited, such
for an e-comm erce transaction over the In ternet, th at information is
concealed th rough a m ath ematical process called encryption . En cryption
transforms in formation from on e form (readable text) to anoth er
(en crypted text). Its inten t is to h ide in formation from t h ose who h aveneither th e transformation m ethod nor the particulars (the decryption
keys) to transform th e encrypted text in to readable text. Th e encrypted
text appears to be gibberish and remains so for people wh o do n ’t h ave
the scheme an d th e keys.
Back on t h e hom e front , the children eventu ally learned h ow to spell
and perhap s also learned th e trick to u sin g Pig Latin. They can n ow
un derstand th e conversations th e adults are h aving. While th ey could
also un derstand th e conversation s held weeks, m on th s, or even years
before, th e in formation in t h ose con versations is n o longer im portan t.
Th e encryption schem e – spellin g or Pig Latin – is stron g eno ugh to
guard th e information durin g its useful lifetime.
Computer-based encryption schemes must also withstand the test of time. For examp le, if a credit card encryption schem e needs six m on th s
of com put er time to break, the resulting clear text credit card nu m ber
is probably still valid and, therefore, useful to an intruder. In this case,
the en cryption schem e isn’t strong enou gh to guard th e information for
its ent ire useful lifetime.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 35/38
31
So, to guard pap er or compu ter files, you n eed to limit who h as access
to th em b y using th e access cont rol devices, wheth er filing cabinets and
safes for pap er or access con trol lists for inform ation on a com pu ter
system. For assets whose access cannot be sufficiently limited, you need
to encrypt th em strongly enou gh so th at the t im e i t takes to decrypt
th em is longer th an th eir useful life.
Now, what can you do?
First, if m ore than on e person uses your com put er, you can adjust th e
ACLs th at con trol access to sen sitive files an d folders. You r goal is to
allow th e correct type of access to th e files an d folders that each user
needs, and no thing m ore. The steps below h elp you to decide h ow toadjust th e ACLs for files an d folders:
1. The Who test: Wh o – which users – n eed access to files besides
you?
2. The Access test: Wh at type of access do th ey n eed? Read?
Write?
3. The Files/ Folders test: Which files and folders need special
access? Just like your firewall rules, your gen eral policy sh ou ld be
to limit access to on ly you first, and th en gran t access beyond
that wh ere needed.
By applying th e WAF tests, you can limit access to sensitive files on
your computer to on ly those who need i t .Settin g prop er ACLs is not a trivial task. Be prep ared t o rep eat it a few
times un til you get it righ t for th e way your com put er is used. It’s worth
the t ime spent, but kno w that i t m ay take lon ger than you expect.
For very sensitive files an d for files that are on a lapto p, do n ’t rely solely
on file and folder ACLs. You n eed to go furth er and use encryption .
Som e vendors provide encryption with th eir system s righ t from th e
start. This means th at all you h ave to do is follow th e vend or’s
instructions on h ow to use th ose features, but be certain t o use them .
On systems wh ere encryption is n ot included, you n eed to install
addition al encryption programs. For encryption p rogram s that you
down load from th e In ternet, be sure to follow the instruction s in Task 7, Use Care W hen Downloading and Installing Programs. Also follow t h e
instructions in Task 6, Use Strong Passwords, for addition al guidan ce on
passwords required by encryption programs.
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 36/38
Home Computer Security
32
There are free an d com m ercial encryption programs, and in m ost
cases, th e free version s suffice. However, com m ercial program s may
provide more features and m ay keep up better with n ewer and , therefore,
stronger en cryption m eth ods. If you rely on a laptop com pu ter, you
shou ld consider purchasin g a com m ercial file encryption programs.
Wh eth er paper files aroun d you r living space or files and folders on
your com put er, limit access where you can . On you r comp uter, use
encryption programs either when you can ’t restrict access to th e extent
th at you’d like or when you wan t even m ore security protecting your
comp uter files and folders.
To see examp les th at show h ow to use an en cryption programand how to adjust ACLs, see
http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 37/38
33
SummaryGrowing up, you learn m any of the th ings
you need to know about h ow to operate and
care for a car by sittin g in th e back seat
wh ile adu lts drive an d care for th eir veh icles.
Similarly, you learn many of the things you
need to kn ow about h ow to care for and
maintain a h om e by watching what is don e
to t h e on e wh ere you live. It is a slow, gradu al
process, so slow in fact you are proba blyun aware that you are learn ing th e skills you
need to do these same jobs yourself.
You d on ’t h ave that sam e luxury of tim e to learn h ow to care for and
operate your h ome com puter. When you attach i t to th e Internet for
th e first tim e, it instantly becom es a target for intrud ers. You n eed to be
ready right from th e start.
As you grow up, you also learn that you n eed to spend tim e and mo ney to
repair and replace th ose things aroun d your livin g space and your car th at
need your attention . You learn th at you have to spend m ore tim e and m ore
mo ney to tailor them to m eet your n eeds and to keep you and oth ers safe
durin g th eir use. You accept th ese respon sibilities and th eir costs as part of
th e total cost of own ersh ip of that car and living space.
Your h om e comp uter is m uch th e sam e. Th ere is th e initial m on ey
th at you pay to p urchase that system. Th en th ere are addition al costs to
tailor it and t o keep you an d th e oth ers wh o use your system safe. Th ese
addition al costs are also your respon sibility, and th ey are part of th e total
cost of own ersh ip of your ho m e com put er.
Th is pam ph let h elps you thin k about th e problem s you face when you
have a h om e compu ter and gives you advice on h ow to address th ese
problem s. On th e web, th ere are checklists and worksheets th at help you
keep t rack of important inform ation abou t th e steps you take to secure your
com pu ter, and a list of additional resources if you wan t to kn ow m ore.
Checklists:http://www.fedcirc.gov/homeusers/HomeComputerSecurity/checklists/checklist1-9.pdf
Additional Resources:
htt p:/ / www.fedcirc.gov/homeusers/ HomeComput erSecurity/ index.html#resources
8/6/2019 Home Computer Security
http://slidepdf.com/reader/full/home-computer-security 38/38
Home Computer Security
34
By takin g the t ime to read th is pamp hlet , you kn ow m ore about
securing your h om e compu ter and th e extra costs required to do th is job.
Do th e tasks described here an d share th is pam ph let with your friends.
We all benefit from a m ore secure In ternet.
End Notes1 W here W izards Stay Up Late: The Origins of th e Internet by Katie
Hafner and Matthew Lyon. ISBN: 0684832674. Read a review at http://
www.mantex.co.uk/reviews/hafner.htm.
2 The Underwriters Laboratories web site is http://www.ul.com/
Acknowledgments:This pam ph let was designed and written by Lawrence R. Rogers
([email protected] u.edu ). It was ed ited b y Lind a Hu tz Pesante
(lh [email protected] u.edu ). The graph ic design an d illustration s were created
by David Biber ([email protected] u.edu ). All work in th e Netwo rked
System s Survivability Program at C arn egie Mellon Un iversity’s Software
Engineering Institute in Pittsburgh, PA.