How to avoid the wily hacker.
General Computer Security
Here's a short list of important computer security topics. Please make
sure that you follow these practices with your home and laptop computers;
their security is ultimately part of the security of all of our computers.
There's a lot to consider, but each step is actually pretty easy. Make them
a habit, like locking your car doors, and pretty soon you won't
even notice that you're doing the safe thing.
- Use common sense!
- Trust your instincts. If it looks suspicious, don't touch it.
- If you don't want to get mugged, stay out of dark alleys.
If you're surfing for porn, crackz, warez and other such questionable
material, you will expose yourself to danger. Just say no.
- Never, ever open an e-mail (or IM) attachment unless you are 100%
certain of what it is, and you are expecting to receive it. Just because it
says that it's from your mother doesn't mean that it really is, and
even if it is, Mom might have an infected PC. Trust no one.
- Similarly, never install any program if you aren't certain
of its safety. P2P file sharing applications are notorious for having spyware
bundled with them. The
Sony-BMG rootkit affair has shown us all to trust no one.
- When you do install software, read the instructions. Many "free" applications these days come bundled with annoying adware. They even tell you so, if you actually read the installer prompts.
- Keep your software up-to-date.
Microsoft Update at least once a
month to get the latest security patches. Better still, enable
and let your computer do the work for you.
- Note that the old, separate "Windows Update" and "Office Update"
services have become "Microsoft Update". The new version will update both
Windows and Office in a single step.
- Keep third-party apps like Java, Adobe Flash and Adobe Reader up-to-date as well. Many
hacks now use vulnerabilities in popular software. Many of these apps now offer automatic updating. Use it. Better still, if you don't really need these services, don't install them in the first place. Flash, in particular, is rapidly being replaced by HTML5 and you may be able to live without it.
- Install, maintain and use anti-virus and anti-spyware programs.
- Trend Micro OfficeScan antivirus is both required and available free to all
K-Staters using Windows or Mac OS X via the
KSU Antivirus page. Linux users are on their own, but have a variety
of options, including the free ClamAV
(Yes, OS X and Linux can get viruses. The Flashback
Trojan proved that. Even if they don't suffer symptoms they can still spread the disease).
- If you have an "always on" network connection (DSL or a cable modem), configure
the program to download new updates every night. If you rely on intermittent or, Heaven forbid, a dialup connection,
then make it a habit to update your definitions often - no less than once a month.
- See below for a full discussion of spyware protection.
- Turn on your firewalls.
- Windows has a built-in software firewall. Updated versions have
this turned on by default. To check that yours is on, go to the "Control Panel"
and open "Windows Firewall".
- The paranoid or the advanced user might want to use a third-party
ZoneAlarm. Don't do this unless you know what
you're doing; setting up these tools requires some specialized knowledge of
how Windows does networking.
- If you have an "always on" broadband connection at home, buy and use
a DSL/Cable router with a built-in hardware firewall. Nowadays most broadband
packages come with these.
- Use strong passwords everywhere.
- You will have already noticed that both KSU and Physics require you
to use a
strong password and to
change it regularly.
Your password is the only thing between the bad guys and your data, so make it
a good one. Always remember that a password is like a toothbrush: change it often
and never let anyone else use it!
- Do it with your home PC, laptops, other devices, and web services, too. Sure,
automatic login is convenient, but if you lost your phone or your laptop, would you want whoever found it to be
able to read all about you? Do you want
Rupert Murdoch hacking your
- Windows now comes with User Account Control, which automatically prompts you when
administrative access is required. Don't override it. In Windows 7, you can
adjust the level
of intrusiveness, but don't do this unless you kow what you're doing.
- Don't do your regular computing with an administrative account. Modern versions
of Windows, OS X and Linux don't let you do this by default. Don't circumvent this.
Sure, like auto-logon, it's more convenient, but if you catch a virus through
web surfing or e-mail while you're an admin, the virus will be an admin, too.
Then you're sunk. A virus without privileges is usually harmless.
- If you're really paranoid, use encryption.
- If your data is sensitive, the ultimate protection is encryption.
Windows offers BitLocker
built-in encryption keyed to your password. Apple offers
FileVault on OS X.
- If you do use Windows encryption, be sure to make a
backup of the encryption certificate and keep it in a safe place. I know from bitter experience
that if your machine crashes and takes that certificate with it, you're sunk.
- For even stronger protection, or to use open encryption techniques
with e-mail, consider third-party encryption products like
Before you can use your laptop on the Physics network, you must register it
with the PCSC and show that it
has been updated and virus protected. For details, see our laptop policy.
The University requires these steps as well. Please visit the
Microsoft Security sites for
If you are ever in doubt about computer security, please contact
PCSC and we will happily
give you our advice.
Spyware and Adware
Spyware and adware are unwanted, parasitic programs that surreptiously
install themselves on your computer in order to show you ads, steal
personal information, or both. Their insidiously clever designers have
made them fiendeshly difficult, if not impossible, to remove. If your
computer suddenly starts barraging you with pop-up ads (even if your
browser is closed!), you suddenly sprout unexpected icons on the
desktop, or your machine slows down to a crawl, you probably have spyware.
The best defense against spyware is not to get infected. Most infections
come from surfing where you shouldn't be, or installing pirate programs
(see the "common sense" item above). Don't do daily computing on an administrative account.
Don't go surfing for porn, pirated
programs ("crackz" or "warez"), or other shady stuff. Don't install
P2P file sharing programs or pirated versions of commercial software;
they're frequently sabotaged.
If you suspect that you've been exposed, or as part of your regular
security routine, run a spyware detection program. Microsoft now offers
and Security Essentials
for free. Lavasoft offers a free version of
Both offer easy ways to scan your computer, and will try to remove any
infections (or even try to prevent infections).
Removing spyware can be very hard, though, so if you suspect that the
automatic process didn't work, come visit
Spam is the bane of modern existence. Nicknamed "spam" after the the
Hormel spiced ham that inspired a famous
Monty Python sketch,
unsolicited commercial e-mail now constitutes about 75% of all the e-mail
received by the department. Besides clogging up your inbox with unwanted,
insulting and/or obscene material, spam sometimes comes with nasty surprises
like virus or "phishing" fraud schemes.
To stem the tide, the department use a
Barracuda Networks anti-spam
appliance. This device does a wonderful job of filtering out spam, viruses
and other nasty stuff before it ever reaches our e-mail server. I have a
special description of
how this works in the
Computer User's FAQ.
If you have other e-mail accounts, especially web-based mail like
Yahoo Mail, your provider probably offers a similar service.
Advanced users might consider running their own personal filter.
For more advice on fighting unsolicited email, see:
Spam is so pervasive that it has even entered into our cultural and
literary life. I'm fond of the following excerpt:
"You could get a phantascopic system planted directly on your
retinas, just as Bud's sound system lived on his eardrums. You could
even get telaesthetics patched into your spinal column at various key
vertebrae. But this was said to have its drawbacks: some concerns
about long-term nerve damage, plus it was rumored that hackers for
big media companies had figured out a way to get through the
defenses that were built into such systems, and run junk
advertisements in your peripheral vision (or even spang in the
middle) all the time - even when your eyes were closed.
Bud knew a guy like that who'd somehow gotten infected with a
meme that ran advertisements for roach motels, in Hindi,
superimposed on the bottom right-hand corner of his visual field,
twenty-four hours a day, until the guy whacked himself."
The Diamond Age, or, A Young Lady's Illustrated Primer