Refuse to run unknown programs.

Our computers do what they do because of the program code that runs on them. Without programs, a computer is a useless box. Microsoft Word code turns it into a word processor. Internet Explorer code turns it into a web browser. Napster and KaZaa code turns it into a file server. The functionality of today's general purpose computers is limited mostly by the imagination of the author of the program. 

Some people imagine and create programs that do things most of us would not desire. Virus code may turn our computer self-destructive. Denial of service code may turn our computers into attack vehicles used to bring down online services. Remote control trojan code may allow others to take complete control of our computer, eavesdropping on our communications, collecting our passwords, and accessing our accounts.

Since program code controls the computer, it is very important that we not run code written by people we don't know or trust. Running code turns our computer over to the author of the code. Generally, we trust software vendors not to write hostile code because it would not be good for their business. Independent software authors provide useful programs and a large amount of such code runs today's Internet. However, it is important to realize that when we run code written by someone we don't know or trust, we are taking a risk. We must weigh that risk against what we have to lose on our computer.

Today's computers are used for a variety of different functions. We must be very careful about using a computer that is used to access sensitive business or personal information as an indiscriminant Internet exploration tool or entertainment system. While that screen saver, game, or free utility may seem useful or entertaining, the code may contain surprises and it resides on the same computer that we use for other, more critical or sensitive purposes.

It is very easy these days to attach hostile code to fully functional, seemingly harmless software. This is commonly done to pirated software, executable pictures, and screen savers which may then be made available via web sites, email attachments, ftp sites, shared drives, or instant messaging. They then get passed from person to person. Quite often, when these trojaned programs are run on our computer, they notify the world or a specific individual via email or bulletin board postings that our computer is up for grabs. After that, our computer can be controlled, without our knowledge, at the whim of whomever gets the message.

The Limitations of Anti-Virus Software

Antivirus software can help us to refuse to run code that is known to be hostile but it cannot protect us against unknown hostile code. The situation is similar to flu shots. Every year, a new vaccine must be developed that recognizes the new flu virus strains. With computers, new virus strains come out almost daily so the AV software must be upgraded almost constantly.

There are always some unlucky folks who get infected before the AV software is updated. In the days of floppies and SneakerNet, this was usually only a few people because it could take weeks or months for hostile code to spread. But with today's worldwide networking, a large number of people and computers may be affected before AV updates can be created and distributed. The ILOVEYOU virus is proof of that and it was rather simple and benign. There is also the threat of hostile code that knows how to disable AV products which is getting more common.

Anti-Virus software should be viewed as a vaccine to help prevent infection from known diseases. It will not protect against newly released and rapidly traveling viruses nor will it act as a cure once an infection occurs. By then, it may be too late. The disease may have caused irreparable damage. It is also important to realize that any protective software (antivirus, personal firewall, encryption, VPN, etc.) that resides on a desktop computer and is controlled by the operator can be subverted by hostile software. The best prevention is to refuse to run unknown programs, use a safer account for day to day use, and keep computer software up to date so someone can't force their code to run on our computers because of a defect. Anything less is a game of Russian Roulette.

Where Might We Find Hostile Programs?

• Email attachments. 
  • We can rarely be sure who the real sender of an email message is. The FROM: information can easily be spoofed or a virus may have sent the email from an infected computer. Accordingly, email attachments, which may contain malicious code, should all be treated with caution. Be particularly careful of unexpected or unusual email or attachments. 
    • Any email with executable extensions (.exe, .hta, .vbs, .js, .scr, .pif, .scr, .shs, .bat, .sh, .pl, etc.) should be treated like hazardous waste. Even if you normally deal with hazardous waste on a regular basis you would be concerned if you received some unexpectedly. If you do receive such material unexpectedly, contact the sender and ask them why. In the meantime, treat the attachment as if the sender had rolled a large glowing barrel giving off greenish fumes and bearing a skull and cross-bones into your office or home! Find out why its there before opening it.
    • Some attachments carry more risk than others. Word and Excel documents (those carrying .doc and .xls extensions respectively) are generally safe assuming the software is kept up to date. However, sometimes our computers do not display attachment names properly. An attachment named "resume.doc.exe" may be displayed as "resume.doc". What looks like a low risk Word document is actually a high risk executable capable of taking complete control of our computer. This subterfuge is often used by virus writers to fool us into clicking malicious, but harmless looking, attachments.
    • We can protect ourselves from this naming subterfuge by refusing to double-click attachments to open them. Instead, save the attachment to disk, open the application indicated by the apparent extension, and use the application's File->Open menu.
    • For example, if the attachment looks like "resume.doc", right-click on it and save it to a file. Then open Microsoft Word and use Word's File->Open menu to select the file just saved. If the file was maliciously named to look like a Word document but it really wasn't, these extra mouse clicks will keep us from running code contained within the file.  Similarly, files that appear as "budget.xls" or "myVacation.jpg" should be saved and opened with the File->Open menus of Excel or Netscape/IE respectively.
    • It is not as simple as double-clicking but it may be a lot simpler than cleaning up after someone else's code run on our computer.
    • Advanced Windows operators can prevent most files from being inaccurately displayed by taking the following two steps:
      • In Windows Explorer, use the View->Options->View menu to tell Windows to disable "Hide File Extensions for Known File Types"
      • Those aware of the dangers of editing the registry can use regedit to search the registry for instances of "NeverShowExt" and deleting them. However, this has the side effect of showing the .lnk extension on desktop items and can make Internet Explorer think its not set as the default browser.
  • Download software only from trustworthy sources. Do we trust the author? Do we trust the provider? Who did they trust? Who else had access to the files? Are we willing to risk control of our computer, its files, our accounts, and our electronic privacy to them to run this software? 
  • Do not double-click file icons obtained from questionable places to open them. These might include files accessed from world-writable or untrusted shared drives. Instead, use the procedures described above for opening email attachments. Start the associated application (Word, Excel, Windows Media Player, Netscape, etc.) and use the application's File->Open menu.
• File sharing through Instant Messenger, ICQ, IRC, and similar programs
• File sharing through Microsoft File Sharing, Appleshare, and Unix NFS
• File sharing through Kazaa, Bearshare, Gnutella, and similar programs
• Web downloads. 
• Web pages containing or scripting ActiveX controls
• HTML Email messages containing or scripting ActiveX controls
• Floppies or CD-ROMS
• Newsgroups
• "Macro" scripts in documents

Examples of programs that can take control of our computer include:

• Program files like windows .exe
• Script files such as .vbs, .js, .bat, macros, unix shell scripts, and perl. These may be standalone, included in HTML email, attached to email, or part of other application documents such as spread sheets, word processing documents, presentation files, and databases.
• Microsoft ActiveX controls (which may be .exe or .dll files but you probably won't see the extension if they're loaded in a browser or other application).
• In more limited ways by HTML scripting languages such as VBScript and JavaScript embedded in web pages or email and that call ActiveX controls.
• Platform specific files like Windows HTML Applications (.hta)
• The Java applets normally seen on web pages have restrictions that make them safe assuming there are no defects in the implementation. However, beware of downloading any Java applications or signed Java applets which have no such restrictions. At this time, these are rarely seen.

Exchanging Executable Files

Do not exchange executable email attachments as it promotes unsafe practices. If you need to distribute executables, do so on a web or read-only file server. If you need to collect executables, do so from a web server submission or write-only file server...preferably one where the user is authenticated. Be aware of the risks associated with anonymous, public storage.

Configure Applications to Refuse Unknown Programs

Sometimes our programs will trust, accept, and run code on our behalf. While this behavior provides useful functionality and ease of use, it also increases risk. We can protect ourselves from such a scenario by configuring applications so macros, scripts, and other code types are either disabled or at least prompt for permission before running.

Don't Let Others Circumvent Our Refusal to Run Unknown Programs

It may seem obvious but if someone has physical access to our computer, they can almost certainly run any code they want on it. This is particularly true of single user computers running things like Windows 95/98 and MacOS regardless of any add-on security software or configuration. It is fairly easy for someone to install software that captures our keystrokes, intercepts our communications, and makes the information available to them over the network. If we can't prevent physical access to our computer, here are some things that may help prevent someone else from running unknown programs on it. While the suggestions certainly won't provide complete security, they will make it more difficult for someone to tamper with the computer which may result in a mistake you'll notice or simply cause the person to lose interest.

• Set a power-up or BIOS password if your machine supports it and don't leave the machine running when you're not present.
• Check to see that your anti-virus software is operating each time that you sit down at your computer.
• Watch for and report unusual computer behavior.
• Install a desktop firewall and check to see that it is operating each time you sit down at your computer.
• Increase the amount of time and effort required to compromise the computer by running a more sophisticated operating system on it. For example, Windows NT or Unix.

Mimimize the Consequences of Mistakes

Once malicious software is run on our computer, it can do anything including disabling anti-virus software and personal firewalls. We can limit the damage malicious software can cause by operating our computers using safer accounts for day to day use. For Windows computers, this translates into using a 'standard' or 'limited' account for daily use. The run-as command can be used on the few occasions when Administrator privilege is necessary. Windows  UAC feature makes it even easier. Macintosh computers should also be set up to use a safer account. Likewise, unix users should not use the root account for daily activities and the su command can be used when it is needed.