- Set up your device so it protects itself as much as possible by following StartSafe recommendations.
- Refuse unknown programs. A malicious program can undo all your security.
- Unfamiliar or unsolicited files from any source should be treated with caution, particularly unsolicited download offers from web sites.
- Verify the sender of messages and message content whenever financial, account, or computer changes are involved.
  - e-mail attachments
  - e-mail links
  - text messages
  - Peer-to-Peer sharing services (music, videos, etc.)
  - Files found on open Windows file shares
  - Files offered from Web links found in e-mail, text messages, or any other unsolicited source
- Don't believe everything you see on your computer or the Internet.
  - The FROM field in an e-mail message is absolutely worthless in determining who sent the message.
  - Anyone can put up a web site that says anything or looks like any other.
  - File names are often meaningless.
- Do not make critical decisions based on unsolicited e-mail or text messages without verifying the source:
  - Providing passwords
  - Providing sensitive information like account numbers
  - Running programs on your computer
  - Reconfiguring your computer
- Don't let someone else force their way into your computer.
- Be aware of computer-related threats and crime.
  - Immediate threats are posted to the Computing alerts page.
  - Trending threats and issues are included with the security awareness content displayed during password changes.
- Prepare for the inevitable failure. Backup critical data regularly.
  - Recovery instructions for a security failure (infected computer, compromised account or computer)
Did you know that with one wrong mouse click you could make it possible for someone to read all your email, documents, or instant messages? That they could also view your grades, online bank accounts, or change your course schedule? That they could read or change anything on your computer? Or anything accessed from it? That they could turn on your computer's microphone to listen in on conversations or web cam to view your room? Or command your computer to attack other network users or sites? Or use your computer for a computer crime for which you may be blamed?
Did you know several such incidents have occurred on computers at JMU...from three-year-old Windows laptops to Linux servers? That they've been used to attack other computers and divulge information? Did you know all our computers are scanned constantly from around the world by people hoping to take advantage of them? Did you know that legitimate university, corporate, media, and government web sites have been hacked and subsequently used to publish fraudulent or harmful content to visitors?
Did you know that your behavior impacts your neighbors' security and their behavior yours?
The Internet, paired with today's software, provides us astonishing capabilities for sharing and communication. However, these same capabilities also provide access and computer power to more than 600 million people around the world...some of whom may not share our behavioral expectations. Examples, such as random acts of vandalism, can be found in any local newspaper.
The threats associated with online folks' behavior are very different from similar threats in the physical world. Using the same freedom and functionality we treasure, they can communicate with our computers almost instantaneously, almost anonymously, and en masse from around the world. They don't even need to be a computer expert. It only takes one person to write a destructive program to enable many people without technical knowledge to cause problems, just as all of us use word processors and web browsers without knowing how they work or being able to write one ourselves.
While the risks associated with these threats can be decreased by limiting communications, limiting computer functionality, and increasing the complexity involved with our computing environment, they can't be eliminated. Moreover, the more we wish to maintain our current freedom in communications and computing, the more necessary it is that we individually take steps to take care of ourselves and reduce the need for outside controls and limitations.
The only person ultimately in control of a computer is the operator in front of the keyboard. That person presently has the freedom to run any software he or she wants and communicate with anyone around the world. Our computers can do almost anything we tell them to do. Unfortunately, this versatility makes them very complicated, perhaps the most complicated devices we are exposed to on a regular basis. This is true despite our most fervent wishes, occasional profanity, and manufacturers' efforts. Computers have more decision points and varying functionality than almost anything else we use. They are not cars, televisions, or radios, and efforts to make them appear to be so have sometimes backfired and caused security problems.
The goal of the R.U.N.S.A.F.E. program is to help you attain the knowledge and skills necessary to more safely operate an Internet connected computer. R.U.N.S.A.F.E. workshops are offered once per semester that describe the incidents we've seen at JMU, the threats we're exposed to, and that teach the defensive concepts and procedures described here. Onsite workshops are also available to groups. (contact IT Security Engineering to schedule one).
REFUSE to Run Unknown Programs
Our computing devices operate the way they do entirely because of the programs we run on them. When we run a program, we give control of our computer, its data, and our keystrokes to the author of the program. In fact, a computer break-in is typically just someone running a program on our computer to make it do what we don't want it to do.
A malicious individual may try to convince us to run their program which then takes control of our computer. Or they may force our computer to run their program by using software defects or unintentional access. The program may then tell our computer to email viruses to our friends. It may tell our computer to collect and reveal our passwords. It may tell our computer to disable its anti-virus and personal firewall protection. It may tell our computer to flood a web site with traffic in an attempt to disable it. Or it may tell our computer to break into someone else's computer to help hide the identity of the perpetrator.
Since programs control the computer and everything the computer does or has access to, it is very important that we not run programs written by people we don't know or trust. Almost every other security precaution depends upon our having control of our computers. If we run unknown programs, we don't.
A program can take many forms. It might be a Windows .exe file. It might be a Microsoft Word macro. It might be a script.
We may find programs in many places. They may be offered to us in email attachments. They may be on web sites. They may be on shared folders. As we'll see later, they even may be forced on us over the network or from a web site if we don't keep our computers up to date. For now, we'll concentrate on the programs over which we have a choice about running.
In our point and click world, knowing what to click and what not to click can be confusing. We are conditioned to click on everything. Here are some rules of thumb that may be helpful:
- We should pause a moment to consider the nature of the site, file, or message and how much we want to trust our computer to it before clicking:
  - when our browser asks us if we want to allow extra access. For example, to download or execute a file, plug-in, or ActiveX control.
  - when the file or icon is an email attachment or associated with a text message
  - when the file or icon is in a shared directory accessible to other people on the network. For example, a public share or Windows File Sharing directory.
  - when our word processor or spreadsheet asks us if we want to allow a macro to run.
  - when we don't know for certain where the file came from or through whose hands it passed
- We're generally safe to click in the following situations as long as our computer software is kept up to date:
  - When the file is on our own computer. Note that an icon may point to a file actually on a shared drive or web site.
  - When we go to a site expecting to download a file or program. Beware, however, of unexpected popups or false claims of virus infection or need for software updates.
In all cases, risk is decreased if we save a file and open it with its related application rather than double-click it or choose "Open this file from its current location".
- By design or defect, a file displayed on our screen may not always appear as it should. It may look like a relatively harmless Word document (resume.doc), picture file (mydog.jpg) or sound file but may actually be a malicious executable program (resume.doc.spy.exe). By saving it to disk and opening it with the application that should go with it, we'll protect ourselves from this scenario. The couple of additional mouse clicks it takes to do this may save a lot of aggravation or worse.
- For example, if you are offered a file displayed as "resume.doc" in an email attachment or on a web site, don't double-click it or open it from its current location. Instead, save it to disk, open Word, and use Word's File->Open menu to open the file you saved. If the file doesn't open properly, or its name changes, it's almost a sure sign something is badly wrong with the file.
There have been many instances of malicious programs spread automatically or getting passed around purposely or innocently. When such a program is discovered, vendors of anti-virus software update their products to recognize the new program. Running the anti-virus product on our computers protects us from this recognized program if we fail in our efforts at refusing unknown programs. But like flu shots, anti-virus software won't protect us from new viruses. Fast moving, email based viruses can circle the globe in hours and infect a lot of computers before antivirus software can be updated. Nevertheless, installing and maintaining anti-virus software is an important part of maintaining the security of our computers. JMU has purchased licenses for Symantec anti-virus for faculty, staff, and students home and office computers. It is fully supported by the helpdesk. Why not install it now?
Once malicious software is run on our computer, it can do anything, including disabling anti-virus software and personal firewalls. We can limit the damage malicious software can cause by operating our computers using safer accounts for day-to-day use. For Windows computers, this translates into using a 'standard' or 'limited' account for daily use. The run-as command can be used on the few occasions when Administrator privilege is necessary. Windows' UAC feature makes it even easier. Macintosh computers should also be set up to use a safer account. Likewise, Unix users should not use the root account for daily activities.
When we receive email, we can rarely be sure who sent it. The FROM: information is as easily falsified as the return address on a paper envelope. Virus programs running on an infected computer can easily send out email in anyone's name. Accordingly, email attachments, which may contain malicious programs, should all be treated with caution. One click is all it takes to lose complete control of our computer and everything it accesses.
- Be particularly careful of unexpected or unusual email or attachments regardless of the source, content, or attachment name.
- Treat any email attachment whose name ends in ".exe", ".com", ".bat", ".scr", ".pif", ".shs", ".js", ".hta", ".vbs", or any ending you're not familiar with as you would hazardous waste material. Find out what it is from the sender before opening it!
- Treat email attachments ending in .zip cautiously. They can hold harmless documents or more hazardous executable files.
- The appearance of an e-mail link does not tell you where it leads. Hover your mouse over the link and the destination should appear in the email client's or browser's status bar. Deciphering the real target and determining whether it is legitimate can be tricky, particularly in Microsoft Outlook Web Access. If you do click a link, check your browser's address bar to see if the domain is what you expect (e.g. "jmu.edu"). Most modern browsers highlight the domain in some way, making it harder to spoof.
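The "resume.doc.spy.exe" scenario above and the list of hazardous endings come down to one question: which ending will the operating system actually act on? The following checker, added here as an example and not code from the original page, answers that for a display name. The hazardous list is the one given in the text; the verdict names, the DOCUMENT list used for the "looks harmless" check, and the sample names are my own.

```python
"""Classify an attachment or download name by the extension the operating
system will actually act on.  Added example, not part of the original page;
the verdict names and the DOCUMENT list are my own choices."""
from dataclasses import dataclass

# The endings the text says to treat "as you would hazardous waste material"
HAZARDOUS = {"exe", "com", "bat", "scr", "pif", "shs", "js", "hta", "vbs"}
# Archives can hold harmless documents or executables, so they get their own verdict
ARCHIVE = {"zip"}
# Assumed list of ordinary document and media endings for the "looks harmless" check
DOCUMENT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf",
            "jpg", "jpeg", "png", "gif", "mp3", "wav"}


@dataclass
class Verdict:
    name: str
    final_ext: str    # the ending the OS uses to choose the handler
    verdict: str      # "hazardous", "archive", "document" or "unknown"
    disguised: bool   # a document-looking ending sits in front of a different real one


def classify(name: str) -> Verdict:
    """Return what the name really is, not what it appears to be."""
    # Windows ignores trailing dots and spaces in file names, so strip them first
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(name, "", "unknown", False)   # no usable extension at all
    final_ext = parts[-1]
    inner = parts[1:-1]   # endings between the base name and the real one
    # "resume.doc.spy.exe": 'doc' appears inside but the real ending is 'exe'
    disguised = any(p in DOCUMENT for p in inner) and final_ext not in DOCUMENT
    if final_ext in HAZARDOUS:
        verdict = "hazardous"
    elif final_ext in ARCHIVE:
        verdict = "archive"
    elif final_ext in DOCUMENT:
        verdict = "document"
    else:
        verdict = "unknown"   # unfamiliar ending: ask the sender what it is
    return Verdict(name, final_ext, verdict, disguised)


def advice(v: Verdict) -> str:
    """The page's rule of thumb for each verdict: save, then open from the matching program."""
    if v.verdict == "hazardous" or v.disguised:
        return "do not open; confirm with the sender what it is"
    if v.verdict == "unknown":
        return "unfamiliar ending; ask the sender before opening"
    if v.verdict == "archive":
        return "save to disk and inspect the contents before opening anything inside"
    return "save to disk, then open it from inside the matching application"


# Constructed sample names, including the doubled-extension pattern from the text
SAMPLE_NAMES = ["resume.doc", "resume.doc.spy.exe", "mydog.jpg", "mydog.jpg.scr",
                "photos.zip", "notes.xyz", "README", "Invoice.PDF.EXE "]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = classify(n)
        print(f"{n!r:24} ext={v.final_ext or '-':5} {v.verdict:9} "
              f"disguised={v.disguised}  -> {advice(v)}")
```

The check is deliberately on the last ending only, because that is all the operating system looks at; a name such as "mydog.jpg.scr" is reported as hazardous and disguised, which is exactly the case the save-then-open habit protects against.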
Portable storage devices, such as USB drives, MP3 players, and cellphones, can harbor malicious programs or become infected by them.
- Use a USB drive with a write-protect switch and set it to read-only before plugging the drive into an unknown or untrusted computer. In fact, leave it in read-only mode unless you are planning to write to it.
- If your USB drive does not have a write-protect switch, a partially effective workaround is to:
  - Mark all files on the drive read-only
  - If an autorun.inf file does not exist, create an empty one and mark it read-only.
- Use caution when plugging an unknown USB drive into your computer. On Windows computers, hold down the Shift key while inserting the drive to keep programs on the drive from automatically running on your computer. Better yet, disable the autorun feature on your computer.
-->more information on refusing unknown programs...
UPDATE Your Computers Regularly
Computer programs frequently contain defects. Some of these defects can allow third parties to run programs of their choice on our computers without any action on our part. This allows the third party to take control of our computers, and all the resources and data they have access to, for their own purposes.
- Defects in client programs like browsers, email clients, and media players may allow unwanted programs to run if we click a link to a malicious web page or receive malicious email. These types of defects can cause us to lose control of our computer simply by browsing the web or starting our email client.
- Defects in server programs like web or file servers, can allow someone to force unwanted programs to be run on our server. They exploit the defect by making malicious web or file requests. The exploitation might be carried out by an individual or by an automated program like a worm.
Running defective, vulnerable software on our networked computers is similar to leaving broken windows in our homes and offices for strangers to enter. Except with the Internet, people can enter these "windows" from anywhere in the world. Large scale scans from around the world are often seen within days of new vulnerabilities being announced. Machines with defective software or vulnerable configurations have been known to be compromised within hours of being attached to the network both here and elsewhere. Most software is out-of-date and full of vulnerable defects on the installation CDs and even sometimes when downloaded from vendor web sites. Scanners and automated worms may find a vulnerable server almost as soon as it is connected to the network. It is necessary to check for updates as soon as new software is installed and regularly thereafter.
All computer operators:
Defects in popular add-on programs are often discovered that are not covered by automatic update sites. If you run any of the following programs, you will be responsible for making sure you have the latest security updates from the vendor:
- Messaging and Communications Programs (Skype, Pidgin, etc.)
- Media players (RealPlayer, Winamp, etc.)
- Document viewing or presentation programs (Adobe Reader, Adobe Flash, Shockwave, etc.)
Keeping track of all your installed software and needed updates is tedious, time-consuming, and error-prone. If your Windows computer is managed by JMU IT (set up by IT Desktop Services and joined to the IT domain) many of these tedious tasks are taken care of for you. Currently, IT manages over 2000 campus Windows computers.
One company that makes a product that can help with the update task and that has had favorable reviews is Secunia. They offer a web based service you can visit with a browser that will check your computer for needed updates for a few dozen of the most popular programs. If you want, they will email you reminders on a periodic basis to rescan your computer. They also offer a more comprehensive program that can be downloaded and installed on home computers that can check for updates for thousands of programs. Installing this program on JMU owned computers violates the license terms. As always when using a web service that requires downloading software, the terms and conditions and privacy policies should be examined.
Microsoft Windows Systems
Windows Desktop Operators:
- Follow StartSafe procedures to set up automatic updates.
- Make plans to upgrade or replace software which Microsoft doesn't or soon won't support with security patches. Of particular importance in this respect are:
  - Internet Explorer versions prior to 8
  - Windows XP
  - Microsoft Office versions prior to 2007
  - Macintosh OSX versions prior to Snow Leopard (10.6)
- Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
Windows Server Operators:
Servers need to have more timely patches as they run software that is accessible to anyone on the Internet. Patches should be installed as they become available.
Linux and other Unix Systems
These systems often have server programs running after even a default desktop installation.
Macintosh OSX is based on Unix. Many Unix-related defects also affect Macintosh OSX.
- Keep anti-virus software up to date.
- If available, check your vendor's security site monthly for critical security updates.
-->more information on updating our computers...
NULLIFY Unneeded Risks
Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers.
JMU Highly Confidential data (e.g. SSN, banking account numbers, credit cards) about people other than yourself must not be stored on personally owned devices. Any unauthorized storage of JMU Highly Confidential or Protected Data is a violation of university policy. Such data must not be stored in a way that it is exposed to unauthorized access physically or electronically.
When ordering Dell laptops from the JMU purchasing pages, be sure to specify the encrypting hard drive option.
-->more information on nullifying unneeded risk...
SAFEGUARD Your Identity and Password
Some services and data you access are private or sensitive. Nobody should access or change your email, files, class schedules, medical history, budget, research data, or grades but you. Access to those services are authorized based on your identity. Your password is your proof of your identity. When passwords are compromised, the criminal takes on your identity and can do anything you can do (and perhaps even more!).
Passwords may be compromised by any of a number of methods. Here they are in relative order of frequency along with the things you can do to decrease risk.
You give them to criminals who fooled you with a "phishing" message or fake web site.
This is probably the most common way passwords are compromised. It is up to you to determine if an email message or web site is real. Unfortunately, in this day and age that can be difficult. Still, some basic practices and tells can be used to validate most JMU email messages and web sites.
- Learn how to avoid fake e-mail and web sites and protect both your JMU and personal accounts. View the video and take the IsItReal? game challenge.
- Look Where You're Going - hover over email links to make sure they're pointing to a domain associated with the message. For JMU, that would almost always be jmu.edu. For non-JMU messages, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, don't click.
- Look Where You're At - if you click a link and get to a web site, look at the browser address bar and make sure it displays a domain associated with the organization you think you're dealing with. For JMU, that would almost always be jmu.edu. For non-JMU organizations, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, close the browser.
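Both checks above, and the hover-over-the-link advice earlier on the page, reduce to comparing the host a link really points at with the domain you expect. The script below, an added example rather than code from the original page, does that comparison the way a browser does: it takes the real destination (what the status bar shows on hover), extracts the host the browser would connect to, and tests whether that host is the expected domain or a subdomain of it, so that a host which merely contains the string "jmu.edu" does not pass. The function names are my own, and the sample links are constructed; the reserved names example.com and .example stand in for hosts an attacker might choose.

```python
"""Check where an e-mail link really leads before clicking it.  Added example,
not from the original page; the function names and sample URLs are my own,
and example.com / .example are reserved names standing in for attacker hosts."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Host the browser will actually connect to: lowercased, with any
    'user@' prefix, port number and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url            # bare 'www.site/path' text seen in plain-text mail
    host = urlsplit(url).hostname or ""  # .hostname already drops userinfo and port
    return host.rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only when host IS expected_domain or a subdomain of it.  The test is
    on the suffix with a leading dot, so 'jmu.edu.example.com' and 'myjmu.edu'
    both fail even though they contain the string 'jmu.edu'."""
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def check_link(display_text: str, href: str, expected_domain: str) -> dict:
    """Apply the 'Look Where You're Going' rule to one link: compare the real
    destination (href, what the status bar shows on hover) against the
    organisation's domain, and note when the visible text names a different host."""
    real_host = host_of(href)
    ok = belongs_to(real_host, expected_domain)
    # Link text that looks like an address of its own ("www.jmu.edu/reset")
    # but points somewhere else is the classic mismatch to catch
    looks_like_url = "." in display_text and " " not in display_text
    text_host = host_of(display_text) if looks_like_url else ""
    text_mismatch = bool(text_host) and text_host != real_host
    return {
        "href": href,
        "host": real_host,
        "expected": expected_domain,
        "ok": ok,
        "text_mismatch": text_mismatch,
        "advice": ("destination matches the expected domain"
                   if ok and not text_mismatch
                   else "do not click; go to the organisation's official site instead"),
    }


# Constructed links as they might appear in a message about a JMU account
SAMPLE_LINKS = [
    ("Reset your password", "https://login.jmu.edu/account/reset", "jmu.edu"),
    ("www.jmu.edu/reset", "http://jmu.edu.example.com/reset", "jmu.edu"),
    ("Sign in", "https://jmu.edu@evil.example/login", "jmu.edu"),
    ("Sign in", "https://myjmu.edu/login", "jmu.edu"),
]

if __name__ == "__main__":
    for text, href, domain in SAMPLE_LINKS:
        r = check_link(text, href, domain)
        print(f"{text!r:22} -> {r['host']:22} ok={r['ok']!s:5} "
              f"text_mismatch={r['text_mismatch']!s:5} {r['advice']}")
```

The third sample shows why the host is taken from the parsed URL rather than by eye: everything before the "@" is user information, not the site, so the browser connects to "evil.example" even though "jmu.edu" is the first thing a reader sees. The "If in doubt" rule on the page still applies when the check passes, since it says nothing about whether the site itself has been compromised.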
Criminals break into one of your service providers and steal them in bulk.
There isn't a lot you can do about a failure of security at one of your service providers but you can limit losses.
Generally, the provider protects the stored secrets with cryptography, but they can still be cracked given enough time. And if the intruder isn't detected, they're free to gather unprotected passwords as they pass through the service in real time for as long as they maintain control.
If you use the same password on multiple sites, a security failure by one site may allow the criminal to access your other sites.
- Using a unique password for each service, or at least for each level of service (e.g. financial/medical vs youtube/facebook) will limit the spread of damage from one service to another.
You type them into a compromised, untrustworthy, or shared device.
The device may be your own virus infected computer or someone else's device. The device may be set up purposely to collect passwords or may inadvertently store them...sometimes at your behest (e.g. "Would you like to remember this password?").
- Follow StartSafe procedures to set up a device with the best chance of fending off compromises and follow RUNSAFE operating advice to help keep them that way.
- Refrain from typing passwords into unknown or shared devices.
Have you logged into Gmail from a lab or library computer lately? If you didn't sign out of Gmail or restart the computer when you were done, the next person who used the computer and visited the Gmail web site was automatically logged into your Gmail account. Even if you logged out of the computer. You may experience similar issues with other services you patronize. The Amazon site will remember who you are but fortunately will make you sign in again to view any information or submit any orders.
This is all brought to you by the miracle of web cookies. They are bits of information about you that web sites store on your computer...or on a shared computer if that is what you happen to be using. When you visit the site again, the web site can retrieve them to remember information about you or even automatically log you in...even if someone else happens to be at the keyboard at the time. Google decided to make automatic login the default behavior.
What to do?
For Gmail, uncheck the box labeled "Stay Signed In" before logging in. If you forget to do that, you can still protect yourself. After you are done using the service, click your account photo or email address in the top right corner and select "sign out". (Taken from Google's Gmail Security Checklist step 9 - advice for shared computers).
Dukes email (Office 365) offers the same automatic login functionality but it is disabled by default. (The Keep Me Signed In box is unchecked)
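What separates a login that ends when the browser is closed from one that greets the next person at the keyboard is whether the site's cookie was written to disk. The parser below is an added example, not code from the original page or from Google or Microsoft: it reads Set-Cookie header values and reports which cookies would survive closing the browser (those with a future Expires or a positive Max-Age), which is the difference "Stay Signed In" makes, and shows a sign-out response clearing one again. The header lines are constructed and the cookie names are invented, not the real ones either service uses.

```python
"""Tell session cookies from persistent ones in Set-Cookie headers, to show
what "Stay signed in" leaves behind on a shared computer.  Added example,
not from the page or from any mail provider; the header lines are constructed
and the cookie names are invented."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # survives closing the browser (written to disk)
    secure: bool       # only sent over HTTPS
    http_only: bool    # not readable by page scripts


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieInfo:
    """Parse one Set-Cookie header value.  A cookie is persistent when it
    carries a future Expires or a positive Max-Age; without either the browser
    keeps it only in memory and discards it when the browser is closed."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flags like Secure get an empty value
    persistent = False
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires; zero or negative means "delete it"
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = False
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            persistent = expires > now    # a date in the past also deletes the cookie
        except (TypeError, ValueError):
            persistent = False            # unparsable date: treat as a session cookie
    return CookieInfo(name, persistent, "secure" in attrs, "httponly" in attrs)


def left_behind(headers: List[str], now: Optional[datetime] = None) -> List[str]:
    """Names of cookies still on disk for the next person at the keyboard if the
    browser is closed but the computer is not restarted.  Headers are applied in
    order, so a later Set-Cookie for the same name (e.g. sign-out) replaces it."""
    jar: Dict[str, bool] = {}
    for h in headers:
        c = parse_set_cookie(h, now)
        jar[c.name] = c.persistent
    return [n for n, p in jar.items() if p]


# Constructed headers: a login without and with "Stay signed in", a preference
# cookie, and the server's sign-out response that clears the persistent login
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; Secure; HttpOnly",                                      # session only
    "STAY=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; HttpOnly",  # stay signed in
    "prefs=dark; Max-Age=2592000; Path=/",                                           # 30 days, not Secure
    "STAY=; Max-Age=0; Path=/",                                                      # sign-out clears it
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(f"{c.name:8} persistent={c.persistent!s:5} secure={c.secure!s:5} httponly={c.http_only}")
    print("left on disk without signing out:", left_behind(SAMPLE_HEADERS[:3]))
    print("left on disk after signing out:  ", left_behind(SAMPLE_HEADERS))
```

Run without the final header, the jar still holds STAY, which is the "next person is automatically logged in" case; with the sign-out response applied it holds only the preference cookie. That is why the advice above is to sign out explicitly, and why a lab computer that is reinstalled on restart removes the problem regardless of what the site set.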
When computers in most computer labs on campus are restarted, they overwrite everything that currently exists on the computer. They effectively reinstall themselves and you get a new computer. There are at least two benefits associated with this:
- If the computer is restarted before you use it, any malware, keystroke recording software, spyware, and similar undesirable material is overwritten. If you don't restart the computer, anything you type into it and accounts you access from it are vulnerable to whatever the previous person installed - intentionally or not.
- If the computer is restarted after you use it, any saved passwords, form data, cached web sites, tracking cookies, and other mechanisms that might affect your privacy or accounts will be overwritten.
Simply logging out does not provide those benefits. Only completely restarting the computer will overwrite the data. The downside is the time it takes to restart the computer.
Not all providers of public computers offer this functionality. Check with your provider. If they don't provide the feature, you can clear private data (e.g. cookies, cache) using the browser menus to accomplish similar results.
- Internet Explorer: Tools -> Internet Options -> General Tab -> Browsing History -> Delete
- Firefox: Tools -> Clear Private Data
- Chrome: Tools -> Clear Browsing Data
- Safari: Preferences -> Privacy -> Remove All Website Data
Keep in mind that if you log into a computer belonging to an acquaintance, the same scenarios apply.
If maximum security is required, a public, shared computer should not be used.
You use vulnerable communications links or protocols.
For example, a poorly configured wireless network, or a service like FTP, Telnet, or even plain HTTP (HTTP without the S of HTTPS).
- Set up your wireless network according to present day best practices (WPA2) using strong secrets.
- Refrain from typing passwords to critical accounts through unknown wireless networks unless you are using a VPN. Even then, beware of browser security warnings (e.g. certificate mismatch) and cease use if they appear.
- Use only web sites that protect passwords and sensitive data with SSL encryption. These sites can usually be identified by their address starting with https and a browser lock icon. However, some sites may secure their login with SSL in other ways and it won't be apparent. Likewise, some sites may show https and a lock icon but pass data insecurely. The technical details about the exceptions are beyond the scope of end user training.
- Do not use FTP sites that require a password. Responsible, professionally run sites use secure FTP (FTPS, SFTP), SCP, HTTPS, or similar protocols to pass passwords and other sensitive data when performing file transfers.
You choose a password that is easy to guess or use a password reset mechanism that is easy for a criminal to use.
For example, if you can reset your password with a secret question like "What color is my favorite sweater", how many times do you think it will take a criminal to guess the right color? Using public information for the answer to a secret question is similarly ineffective as a security measure.
- Choose password reset "secret questions and answers" carefully. Make up nonsensical answers. Remember - the answers to most "secret questions" violate almost all accepted security practices for passwords. And they're often shared with several service providers.
What to do if your password is compromised
Your mailbox may be full of spam, bounced messages, and angry responses and threats from those who received spam and criminal mail from your account. They may have read or deleted everything you've sent in the past month. But that may be the least of the problems.
ASSURE Sufficient Resources for Proper System Care
Do you want your organization's web server to become known as the one that makes headlines when it is used to bring down a high profile Internet site? That is used to break into your neighbors' computers? That harbors illegal or inappropriate files? That gives away any privileged information that is stored on it? That is unreliable?
A publicly accessible network resource needs special care in its initial setup. Today's development projects often encompass many architectures, products, and technologies. Depending upon the level of your involvement with each component, you or your project team may need to be aware of a wide variety of issues. For example, a safe deployment of a web based application may involve taking into account implementation and development issues in any of the following environments:
- Core operating system issues in Unix or Windows
- Web server issues in Internet Information Services or Apache
- Web development issues in server and client side scripting and components
- Issues with transaction processors or application servers like Tuxedo or MTS
- Backend database issues with Access, Oracle, or MySQL
Issues with authentication, file access controls, data authorization, encryption, and network access controls often cross OS, web server, web development, application server, and database realms.
Perhaps less well known due to vendor marketing efforts and perhaps our own wishful thinking, a service needs ongoing monitoring and maintenance regardless of platform. Without this care, the server may not remain in operation long, it may not preserve the confidentiality and integrity of resident data and accounts, or it may be used as a base of operations for criminal activity including attacks on other computers.
- Budget planning, hiring procedures, staffing levels, and job descriptions should reflect the need for developer and administrator training and ongoing monitoring and maintenance in a complex and ever changing environment.
- Allow time for regular maintenance
- Elevate security and ongoing maintenance to the same level of consideration as cost, ease of use, functionality, and performance.
-->more information on assuring system care...
It is impossible to provide absolute security for our computers just as it is impossible to provide absolute security for ourselves or our possessions in the physical world. Insecurity is a fact of life. There are no technical panaceas.
There are over 600 million people with Internet access and we cannot control their actions. They have world-wide, almost instantaneous and anonymous access to our computers' network ports. There are practical compromises in the design of our computers and networks that may leave them vulnerable to certain activities. Accordingly, we must temper our actions with awareness and take some precautions.
- Keep up to date with current threats and scams
- Regularly backup critical or hard to replace data
- Be careful about whom and what you trust. Don't believe everything you see on the web or in email messages.
- Do not ignore warning messages. In particular, those associated with:
  - Web browsers warning about site certificate mismatches
  - Web browsers warning about file downloads or potential security problems
  - SSH clients like PuTTY, F-Secure, and SecureCRT warning about host key mismatches
  - Repeated virus warnings
-->more information on facing insecurity...
EVERYBODY Needs to Do Their Part
Your particular computer may not seem to be a desirable target of a compromise attempt, but any computer is attractive as a stepping stone or attack vehicle. Simple Windows and Macintosh desktops have been involved in security incidents. Even with switched networks, a compromised computer may be used to sniff network traffic from neighboring computers. Thus, your security is dependent upon your neighbors' security and their security on yours.
In the days of standalone computers, reckless or unauthorized use of a computer affected just one computer. With a networked computer and its access to shared network resources and common communications lines, the same actions may affect many computers, accounts, services, or people.
As long as we want to continue to have relatively open computing and communications choices, and preserve our privacy, services, and data, each one of us must do his or her part to help ensure the integrity of our network.
- Do your part - RUNSAFE
- Encourage and help your peers to do their part - RUNSAFE
-->more information on doing our part...