How to avoid the wily hacker.

General Computer Security

Here's a short list of important computer security topics. Please make sure that you follow these practices with your home and laptop computers; their security is ultimately part of the security of all of our computers. There's a lot to consider, but each step is actually pretty easy. Make them a habit, like locking your car doors, and pretty soon you won't even notice that you're doing the safe thing.

  1. Use common sense!
    • Trust your instincts. If it looks suspicious, don't touch it.
    • If you don't want to get mugged, stay out of dark alleys. If you're surfing for porn, crackz, warez and other such questionable material, you will expose yourself to danger. Just say no.
    • Never, ever open an e-mail (or IM) attachment unless you are 100% certain of what it is, and you are expecting to receive it. Just because it says that it's from your mother doesn't mean that it really is, and even if it is, Mom might have an infected PC. Trust no one.
    • Similarly, never install any program if you aren't certain of its safety. P2P file sharing applications are notorious for having spyware bundled with them. The Sony-BMG rootkit affair has shown us all to trust no one.
    • When you do install software, read the instructions. Many "free" applications these days come bundled with annoying adware. They even tell you so, if you actually read the installer prompts.
  2. Keep your software up-to-date.
    • Visit Microsoft Update at least once a month to get the latest security patches. Better still, enable Automatic Updates and let your computer do the work for you.
    • Note that the old, separate "Windows Update" and "Office Update" services have become "Microsoft Update". The new version will update both Windows and Office in a single step.
    • Keep third-party apps like Java, Adobe Flash and Adobe Reader up-to-date as well. Many hacks now use vulnerabilities in popular software. Many of these apps now offer automatic updating. Use it. Better still, if you don't really need these services, don't install them in the first place. Flash, in particular, is rapidly being replaced by HTML5 and you may be able to live without it.
  3. Install, maintain and use anti-virus and anti-spyware programs.
    • Trend Micro OfficeScan antivirus is both required and available free to all K-Staters using Windows or Mac OS X via the KSU Antivirus page. Linux users are on their own, but have a variety of options, including the free ClamAV (Yes, OS X and Linux can get viruses. The Flashback Trojan proved that. Even if they don't suffer symptoms they can still spread the disease).
    • If you have an "always on" network connection (DSL or a cable modem), configure the program to download new updates every night. If you rely on intermittent or, Heaven forbid, a dialup connection, then make it a habit to update your definitions often - no less than once a month.
    • See below for a full discussion of spyware protection.
  4. Turn on your firewalls.
    • Windows has a built-in software firewall. Updated versions have this turned on by default. To check that yours is on, go to the "Control Panel" and open "Windows Firewall".
    • The paranoid or the advanced user might want to use a third-party firewall like ZoneAlarm. Don't do this unless you know what you're doing; setting up these tools requires some specialized knowledge of how Windows does networking.
    • If you have an "always on" broadband connection at home, buy and use a DSL/Cable router with a built-in hardware firewall. Nowadays most broadband packages come with these.
  5. Use strong passwords everywhere.
    • You will have already noticed that both KSU and Physics require you to use a strong password and to change it regularly. Your password is the only thing between the bad guys and your data, so make it a good one. Always remember that a password is like a toothbrush: change it often and never let anyone else use it!
    • Do it with your home PC, laptops, other devices, and web services, too. Sure, automatic login is convenient, but if you lost your phone or your laptop, would you want whoever found it to be able to read all about you? Do you want Rupert Murdoch hacking your Facebook page?
    • Windows now comes with User Account Control, which automatically prompts you when administrative access is required. Don't override it. In Windows 7, you can adjust the level of intrusiveness, but don't do this unless you kow what you're doing.
    • Don't do your regular computing with an administrative account. Modern versions of Windows, OS X and Linux don't let you do this by default. Don't circumvent this. Sure, like auto-logon, it's more convenient, but if you catch a virus through web surfing or e-mail while you're an admin, the virus will be an admin, too. Then you're sunk. A virus without privileges is usually harmless.
  6. If you're really paranoid, use encryption.
    • If your data is sensitive, the ultimate protection is encryption. Windows offers BitLocker built-in encryption keyed to your password. Apple offers FileVault on OS X.
    • If you do use Windows encryption, be sure to make a backup of the encryption certificate and keep it in a safe place. I know from bitter experience that if your machine crashes and takes that certificate with it, you're sunk.
    • For even stronger protection, or to use open encryption techniques with e-mail, consider third-party encryption products like PGP or GnuPG.

Before you can use your laptop on the Physics network, you must register it with the PCSC and show that it has been updated and virus protected. For details, see our laptop policy.

The University requires these steps as well. Please visit the KSU Security and Microsoft Security sites for more information.

If you are ever in doubt about computer security, please contact PCSC and we will happily give you our advice.

Spyware and Adware

Spyware and adware are unwanted, parasitic programs that surreptiously install themselves on your computer in order to show you ads, steal personal information, or both. Their insidiously clever designers have made them fiendeshly difficult, if not impossible, to remove. If your computer suddenly starts barraging you with pop-up ads (even if your browser is closed!), you suddenly sprout unexpected icons on the desktop, or your machine slows down to a crawl, you probably have spyware.

The best defense against spyware is not to get infected. Most infections come from surfing where you shouldn't be, or installing pirate programs (see the "common sense" item above). Don't do daily computing on an administrative account. Don't go surfing for porn, pirated programs ("crackz" or "warez"), or other shady stuff. Don't install P2P file sharing programs or pirated versions of commercial software; they're frequently sabotaged.

If you suspect that you've been exposed, or as part of your regular security routine, run a spyware detection program. Microsoft now offers Windows Defender and Security Essentials for free. Lavasoft offers a free version of Ad-Aware. Both offer easy ways to scan your computer, and will try to remove any infections (or even try to prevent infections). Removing spyware can be very hard, though, so if you suspect that the automatic process didn't work, come visit PCSC for help.

Spam

Spam is the bane of modern existence. Nicknamed "spam" after the the Hormel spiced ham that inspired a famous Monty Python sketch, unsolicited commercial e-mail now constitutes about 75% of all the e-mail received by the department. Besides clogging up your inbox with unwanted, insulting and/or obscene material, spam sometimes comes with nasty surprises like virus or "phishing" fraud schemes.

To stem the tide, the department use a Barracuda Networks anti-spam appliance. This device does a wonderful job of filtering out spam, viruses and other nasty stuff before it ever reaches our e-mail server. I have a special description of how this works in the Computer User's FAQ.

If you have other e-mail accounts, especially web-based mail like Gmail or Yahoo Mail, your provider probably offers a similar service. Advanced users might consider running their own personal filter.

For more advice on fighting unsolicited email, see:

Spam is so pervasive that it has even entered into our cultural and literary life. I'm fond of the following excerpt:

"You could get a phantascopic system planted directly on your retinas, just as Bud's sound system lived on his eardrums. You could even get telaesthetics patched into your spinal column at various key vertebrae. But this was said to have its drawbacks: some concerns about long-term nerve damage, plus it was rumored that hackers for big media companies had figured out a way to get through the defenses that were built into such systems, and run junk advertisements in your peripheral vision (or even spang in the middle) all the time - even when your eyes were closed. Bud knew a guy like that who'd somehow gotten infected with a meme that ran advertisements for roach motels, in Hindi, superimposed on the bottom right-hand corner of his visual field, twenty-four hours a day, until the guy whacked himself."
-Neil Stephenson
  The Diamond Age, or, A Young Lady's Illustrated Primer