Frequently Asked Questions About Computer Security

1. What do we mean by computer security anyway?

2. I only have a Windows or Macintosh PC, why should I be concerned about computer security?

3. How do I safely operate and secure my computer?

4. Can't someone do this for me?

5. What are viruses, worms, and Trojan horses? How can I prevent them? What do I do if I get one?

6. Virus Hoaxes

7. What's all this about Subseven, Back Orifice, and Netbus (or why is my CD-ROM opening and my mouse moving around by itself)?

8. Is my email secure?

9. Is my email reader/web browser safe to use?

10. Why is it so hard to secure computers?

11. How often does JMU have problems?

12. What computer security organizations exist within JMU?

13. What are the rules regarding computer security at JMU?

14. How do I report a security incident?

15. What happend to Yahoo, E-Bay, Amazon, etc. in early February 2000? Can it happen here?

16. How can I detect if my computer has been compromised?

17. How is my privacy affected when using a computer?

18. What about personal firewalls?

1. What do we mean by computer security anyway?

The goals of computer security are:

Keep privileged and private information confidential and available only to authorized people.

 

This is generally accomplished by identifying the individual requesting access with a login ID, authenticating their identity with a password, configuring computer access controls to match authorization rules (i.e. limit login IDs to particular files), and encrypting data which may travel outside the computer access controls (over the network, for example).  Note that most desktop computers do not require a login ID and password. Therefore all access control for confidentiality depends upon the operator's actions rather than computer controlled mechanisms. In particular, if a program is run on most desktops, it turns control of the desktop over the author of the program... for better or worse.

 

Keep data intact.

 

This is done primarily through the same mechanisms that keep the data confidential with additional access controls to limit who can change the data and, perhaps, mechanisms to alert that the data has been changed. Data that travels outside the computer (over the network, for example) can be protected by cryptographic methods which make it difficult or impossible for the data to be modified without detection. As with confidentiality, most desktop computers depend upon operator actions rather than computer controlled access control to ensure data integrity.

 

Keep services available.

 

A variety of things come into play here. Access controls limit the number of avenues of potential attack. Redundant power and hardware limit the effect of failures. Backups serve as a recovery mechanism when the inevitable failure occurs. Capacity planning in concert with access controls help prevent service overloads. Constant monitoring provides trend data and ongoing operational status which in turn improve response to events or changes in use.

The various mechanisms described above (passwords, encryption, access control rules, etc.) are preventive measures that can never be foolproof against any attack. Just like any other preventive measure (locks, guards, safes, etc.), a measurable amount of time, money, and motivation can circumvent them. This doesn't even take into account mistakes in the preventive measures' designs or implementations, or compromises we accept in the protective measures to enable easier access to functionality. Therefore, to help ensure our security goals are being met, we check up on them with audits, logs, and monitoring software.

Back to Contents ->

2. I only have a Windows or Macintosh PC, why should I be concerned about computer security?

In the days of standalone computers, cavalier, reckless, or unauthorized use of a computer just affected one computer. With a networked computer and its access to networked resources and shared communications lines, the same recklessness or outside access may affect many computers, accounts, services, or people. For example, those not so innocent screen savers and games we once downloaded with abandon can cause much more damage and affect many more people. Or a compromised personal web server may be used to access our PeopleSoft and email accounts or attack a company's web server making front page headlines.

With our computers interconnected and our resources shared, we are somewhat interdependent upon one another. One clicked attachment, downloaded file, or poorly maintained computer can quickly result in the compromise of that computer and associated accounts. One compromised account can lead to the compromise of other accounts, shared disk space, or an entire server. One compromised computer can lead to another compromised computer right across campus or an attack on a computer on the other side of the world.

Your particular computer may not seem to be a desirable target of a compromise attempt but any computer is attractive as a stepping stone or attack vehicle. In addition, computer vandals and their code don't need a reason to attack a specific computer...many are just out to do as much opportunistic mischief or damage as possible.

Newer technology turns compromised computers into armies of drones that do the bidding of their masters. They may be used to seed viruses, send SPAM, distribute child pornography and copyrighted materials, or extort money from web sites they threaten with traffic overload. News articles on these types of activities can be found here.

As long as we want to continue to have relatively open computing and communications choices, each one of us must do his or her part to help ensure the integrity of our network. The only person in control of each of the 13,000 or so desktop computers on this campus is the person in front of the keyboard. That person has the freedom to run any code they wish and communicate with anyone around the world. RUNSAFE

Back to Contents ->

3. How do I safely operate and secure my computer?

The STARTSAFE recommendations will help you set up a computer in a manner that reduces risk and the R.U.N.S.A.F.E. information is provided to inform you of ways you can reduce risk in day to day operation of your computer. 

Back to Contents ->

4. Can't someone do this for me?

To a degree yes. Someone could limit network access, put limits on functionality and sharing (no email attachments or dynamic documents, no file sharing, no unauthorized web servers, etc.), enforce strong identification measures (long and frequently changed passwords, in-person authentication, etc.), and strictly mandate the software and operation of your desktop (no file downloads, no floppies, no unauthorized configuration changes, etc.). This would decrease, but not eliminate, the need for security awareness on the part of individual computer operators. 

However, these steps are not generally compatible with the open environment of an academic institution. They're not even compatible with the growing desire for instant and open access, communications, innovation, and sharing in the wider computing marketplace.

To provide security in an environment encouraging freedom of choice, innovation, access, and open communication, personal involvement and responsibility is necessary. Even if we were willing to give up those things, today's technology, for the most part, was designed with those goals in mind (think Internet and personal computers) so there are limits to what even draconian external security measures can accomplish without the help of the individual computer operators.

With that said, JMU IT does take some centralized measures to decrease vulnerability. Most of these are rather transparent and consist of things like desktop management of anti-virus software, network access controls on high-risk, infrequently used services, and blocking of infrequently used email attachments.

Computers are with us to stay. Their incorporation into our personal lives, our jobs, and into society in general produces a complex environment that each of us will have to take some steps to understand in order to function safely and effectively.

Back to Contents ->

5. What are viruses, worms, spyware, and Trojan horses? How can I prevent them? What do I do if I get one?

See http://www.jmu.edu/computing/security/index.shtml#virus

6. Virus Hoaxes

See http://www.jmu.edu/computing/security/index.shtml#virus

Back to Contents ->

7. What's all this about SubSeven, Back Orifice, IRCBOTS, and Netbus (or why is my CD-ROM opening and my mouse moving around by itself)?

If one of these programs, or one of the tens of thousands like them, are installed on your computer, anyone on the Internet can control your computer and do things like:

• Read, modify, and/or delete all your local and network files and make them sharable with the rest of the world
• See your screen
• Capture your keystrokes including all your passwords and subsequently access any servers you can access
• Turn on your microphone and camera

Back to Contents ->

8. Is my email secure?

In some ways, its security is comparable to postal mail:

• You really don't know who a letter is from. A person can write anything as a return address and falsely sign it.
• When you leave email in a mail server for delivery, its similar to dropping it off at a post office. As long as its in the post office/server, its relatively safe. To pick up your mail from the post office, you need to present ID for authentication. To pick it up from the server you need to present a password for authentication.
• Mail traveling to other mail servers is susceptible to compromise at the various ISPs and organizations it goes through. Its security depends upon the security and integrity of those organizations just as postal mail depends upon the security and integrity of postal carriers.
• If you leave your mail lying on your desk, its only as secure as your desk. Similarly, if you leave your computer logged in to the email server, your email is only as secure as your computer keyboard.
• Just as someone can send you a bomb via postal mail, someone can send you a program that can take complete control of your computer.

Back to Contents ->

9. Is my email reader/web browser safe to use?

Lately, many, many critical security defects have been found in Microsoft's Internet Explorer and Outlook email clients. Almost every other month. To safely use these products, they must be regularly updated. The easiest way to do this is via the Windows Update Service. Other browsers and email clients should be similarly kept up to date as they too have regularly discovered defects though they're not as often exploited.

More and more web and email clients are getting increasingly sophisticated and complicated with a wealth of automated functionality. Some folks have taken advantage of this to devise ways of making you run a program on your computer. Once they can get you to run a program on your computer, they can do anything that you can do and maybe more. So how do they do this and what can you do to prevent it?

• The most common method is social engineering. Basically, they talk you into doing something that isn't in your (or JMU's) best interest. They may make something available to you that looks attractive or innocent so you do what they want. This may involve downloading and running a picture, sound, movie, or program file, clicking a button, or typing in passwords or other personal information that ultimately results in you compromising yourself. They may send you mail that looks like it comes from someone you trust urging you to run the attached program.
• Added to the social engineering aspect, there are increasingly devious ways to exploit architectural problems in today's technology. The complexity of today's products and the desire to provide easy to use yet powerful features results in defects and vulnerabilities. It is important to keep your computer up to date. Critical updates will usually be posted to the Hot Topics List. Windows operators should set up their computers to auto update their Windows software. Instructions are on the STARTSAFE web page.
• Today's web and email clients have numerous internal programming languages that may provide unwanted access to your computer through intentional functionality or unintentional defects. JavaScript, Visual Basic for Applications, VB Scripting, and various application macro programming languages are all potential exploit vectors. Use the minimum functionality you can fulfill your purpose and be more cautious of those functions that require the languages mentioned.
• You may want to turn off scripting, ActiveX, and Java as you're browsing the web unless you're on a known, trusted web site. Similarly, you may want to configure your other applications so as to disable scripting languages and automated executions and downloads. If you find you need the functionality, it may be worth the couple extra mouse clicks to manually re-enable it to make sure you're only getting what you want and not any additional surprise packages.

Back to Contents ->

10. Why is it so hard to secure computers?

If you're told to "secure your home" you may lock the doors, put up some security lights, install an alarm system, and consider your home secure. But how secure would it be if someone could "teleport" themselves into your home.... from their living room across the world...in milliseconds...with near anonymity? How secure would it be if someone really wanted to get in? My guess is not very. It boils down to opportunity and the degree of motivation. Unfortunately, as the opportunities increase, the amount of motivation needed to take advantage of them probably decreases...maybe to that provided by a few beers and the desire for some excitement.

What if you were told to secure your home from flies and ants? How would you go about finding and sealing the hundreds of places the insects could invade your home? How would you prevent them from accompanying you when you enter your home? What about gnats or fleas?

Consider the job of securing your car. You want to be able to travel anywhere. You want to be able to see through windows. How do you protect it from vandalism when its parked? How do you prevent it or its contents from being stolen? How do you prevent someone from following you around, recording your license number, and documenting your travels and passengers? Worse, consider the problems of public transportation.

How about a public sporting event. You want the public to attend. You don't want to alienate them with searches and long lines. You want them to be able to feel free to move around, visit refreshment vendors, use bathroom facilities, and visit with other fans. Some will be drunk and disorderly. Others have varying expectations, experience, and values regarding social interaction. Can you prevent insults, irritations, and harassment? Can you prevent theft and bodily harm? I think not. You depend upon social mores and the threat of punishment. What common social mores exist in cyberspace? What behavior actually breaks a law and what can or will enforcement agencies do about it?

Providing complete security to publicly networked computers presents similar challenges to those scenarios:

• When connected to the Internet, millions of people around the world have access to the front door of your computer. If the door is unlocked or has insufficient strength to protect against a motivated attacker, your computer can be compromised in milliseconds from anywhere in the world with near anonymity. Firewalls limit access to computers through the network just as gates do at a closed community. However, the purpose of a network is to communicate. Foiling communications breaks the network. When it is possible to finely define the types of communications that are desired, then firewall rules can be formulated that limit access to only those communications. However, this is nearly impossible to do in an organization consisting of a diverse population with diverse jobs, needs, and desires. Without a block on communications, we're dependant upon social mores and the threat of punishment to prevent this type of behavior. If we can't prevent it, we're dependant upon imperfect technology and our own reaction times to clean up any mess. Even if we have firewalls, some communications must get through or we wouldn't need a network. The fly may come in the email, off a web page, through instant messaging software, or some other desired and permitted communications mechanisms.
• Today's desktops have tens of millions of lines of code, tens of thousands of files, and many applications. The pieces are supplied by many different vendors. The operator of the computer has thousands of configuration options. An ant (or hacker) only has to find one opening. Completely ridding the computer of holes would involve testing every line of code in every possible application configuration with every possible operator action. In today's fast paced market, this just isn't going to be done. There will be holes for ants to get in and they'll have to be patched as they're found. Even if all the holes could be plugged, insects often piggyback through authorized doors. When you run a new program or allow programs to be run by your browser or email reader, it provides a way for ants to get in without having to find an obscure hole.
• Today's desktop computers had "ease of use" and functionality as prime design goals. They try to let their operators do what they want with as few steps as possible. They often come out of the box in their most lenient configuration. Sometimes, this makes them as susceptible to risk as a public sporting event, public transportation, or your local grocery store. They are subject to a wide variety of risks due to their free access.

Computer security is a compromise between safety and freedom just as are other areas of day to day life. However, there are some aspects of computer security that cause difficulties unique to the field.

There are no comparisons (except perhaps those related to radio communications or air attack) to the global, instantaneous, and anonymous access associated with networked computer security.

Laws may not exist. Our computers can be scanned and probed from around the world virtually without fear of breaking a law. Networks can be mapped and vulnerability databases created that can be used later by automated exploitation tools to compromise and/or disable systems in milliseconds. If we want to retain full network functionality and access, we're accepting the risk of being the target of such behavior.

Even if the laws exist, jurisdictional issues may render them ineffective. Political considerations or misunderstandings may result in contradicting, vague, or otherwise troublesome legislation. Law enforcement agencies and prosecutors are hesitant to pursue crimes having hard to estimate or relatively low financial losses which may involve expensive, complex, and time consuming investigations.

Finally, with 600 million or more people on the Internet, and a lot of them relatively new and inexperienced, it is difficult to educate them on acceptable behavior...assuming we could get everyone to agree on what acceptable behavior actually is.

Finally, the bad guys only have to find one hole or mistake in our network consisting of tens of thousands of computers, hundreds of thousands of network ports, and millions, if not billions, of lines of software.

So, in summary, the difficulties with computer security are:

• Global access without global social mores or education.
• Ineffective law enforcement deterrent due to lack of resources, lack of jurisdiction, and/or lack of legislation.
• Instantaneous, anonymous access negating any social mores or fear of punishment.
• Ease of use features combined with the aforementioned access traits decrease the needed motivation to the level of spurious curiosity or thrill seeking.
• Holes that constantly need to be filled in our complex technology environment.
• The constant compromise between risk, freedom, usability, and access.

For an economic viewpoint, check out the paper "Why Information Security is Hard - An Economic Viewpoint" Ross Anderson  (pdf format)

Back to Contents ->

11. How often does JMU have problems?

Our most common computer security incidents and abuse are email spam, malware (viruses, IRCBOTs, spyware, etc.) and inappropriate use of electronic messaging. The fingertip accessibility of email and instant messaging and its quick delivery conspire to create an environment where it is tempting to send things without thinking that you'd never consider sending over the phone or postal mail. Think twice before you send something. Harassment and threats are as illegal over email as they are over the phone or postal mail. A complaint may result in your having to deal with state or federal penalties and law enforcement officials...not your local RA or JMU Judicial Affairs. A few summers ago, a person was sentenced to two years in jail for emailing threatening messages. 

Our router logs show daily, and often hourly, scanning by people all over the world looking for vulnerable systems. Basically, they "touch" each and every one of our computers to "rattle the doorknob" to see if its locked. Many of these probes are blocked by the router filters and intrusion prevention devices but many are let through as blocking them would keep the associated service from working. This is why computers must be properly configured, kept up to date, and monitored.

Back to Contents ->

12. What computer security organizations exist within JMU?

Information Technology is responsible for overall IT planning. The Information Security Officer oversees policy and risk assessment. Audit and Management Review provides audit reports on the security of our technology environment to senior management.

Various Information Technology operating areas are responsible for ongoing operational and system administration issues as well as researching, developing, and implementing security related procedures and products. They also perform evidence gathering activities for internal and external complainants for delivery to internal and external enforcement and prosecution organizations.

The Computer Incident Response Team is responsible for assessing computer security incidents, assisting recovery, helping to gather information for prosecution, and helping to perform an autopsy to learn how to prevent future events. It is made up of individuals from several areas.

Public Safety, Judicial Affairs, Honor Council, and external law enforcement organizations may be involved in evidence gathering, prosecuting offenders, and/or assessing punishment and damage restitution.

Back to Contents ->

13. What are the rules regarding computer security at JMU?

Policy 1207 Appropriate Use of Information Technology Resources

Policy 1201 Information Technology Resource Management

Policy 1202 Systems Implementation & Project Management

Policy 1203 End-User Computing

Policy 1204 Information Security

Policy 1205 University Data Stewardship

Policy 1206 Contingency Management for Information-Based Applications

Policy 1208 Password Management

Policy 1209 Electronic Messaging

Also see the FBI National Infrastructure Protection Center's page on ethics and laws

Back to Contents ->

14. How do I report a security incident?

Email abuse@jmu.edu or submit a violation report on the web

Back to Contents ->

15. What happend to Yahoo, E-Bay, Amazon, etc. in early February 2000? Can it happen here?

Present reports indicate it was a distributed denial of service attack. Yes, if someone wanted to target us.

Back to Contents ->

16. How can I detect if my computer has been compromised?

It depends upon how sure you want to be.

If a computer has been compromised, all the tools and data on that computer that you may want to use to determine the integrity of the machine are suspect. Sophisticated tools, commonly referred to as root-kits, are widely available that replace all the commands a person would use to investigate a unix machine. Similar kits are being developed for Windows machines.

A careful and sophisticated system cracker will not leave any evidence for you to find. Others may leave traces that may be picked up, but you will need to be familiar with the operation and layout of your particular system. Since most computers nowadays have tens of thousands of files and multiple running processes that vary widely during operation this can be a complex and tedious process. Its like finding a needle in a haystack. The cracker only has to plant one needle to get into your system and you have to examine every straw. If you're using your system to look at the straws, there is a chance that the cracker can effectively force you to wear rose colored glasses causing you to miss the needle.

That said, many compromises are done by relatively unsophisticated individuals, by random execution of mass produced hostile code, and/or on untargeted computers. In those cases, the compromises leave readily identifiable fingerprints for us to find.

Some areas to check are:

• Anti-virus tools on Windows machines (Symantec) can detect known remote control trojans
• The chkrootkit tool will detect some rootkits.
• List of running processes (unix - ps command, windows - tasklist  )
• List of programs with open doors on the network - Netstat -anp (linux), lsof (unix),  TCPViewPro (Windows), FPort (Windows), netstat -o (Windows XP)
• Desktop firewalls can tell you what network activity they're seeing. Windows desktop firewalls may tell you what applications are accessing the network.

• Access logs to see what systems have accessed your system
• Audit logs if you have auditing turned on
• Unix shell histories
• Startup files (unix inittab/rc/inetd, windows registry/win.ini/system.ini/autoexec/startup folders - tools like StartupCop and msconfig make this easier) to see what processes are being started at boot time
• Unix crontab or NT AT entries to see what regularly scheduled processes are being run
• Additional instructions on detecting remote control trojans on Windows machines
• Unix .rlogin files, particular the one for root
• Unix NFS and Windows file shares

There are two basic ways to determine what your system is doing independently of the system itself:

• Analyze network traffic to and from your machine with an external protocol analyzer or firewall logs. This is not a practical option for most system owners and won't detect actions by locally logged on operators.
• Compare the contents and attributes of the files on your computer with the contents and attributes of the files that are supposed to be there. This requires advance preparation. Tools like tripwire will allow you to compute file information for files on your computer. These should be stored off the computer to be used for later comparisons. Scripts can compare the information nightly and alert you if something has changed. However, you must be aware of which files change during the normal course of operating your computer and adjust your monitoring and reaction accordingly. Files that should be checked include at a minimum:
  • Startup files
    • Unix RC files, inittab, shell profiles, and inetd.conf
    • Windows registry entries, win.ini, system.ini, autoexec, and startup folders
  • System binaries
    • Unix bin, etc, and lib directories. Unix operating system image and loaders. System and root path variable settings.
    • Windows \windows and system folders containing system DLLs. Command folder. Windows operating system images and loaders. System and administrator path variable settings.
  • Security and audit information
    • Unix syslog configuration, ipchains configuration, audit configuration, tcpwrappers configuration
    • Windows event log configuration, audit configuration
  • Critical services
    • Unix cron configuration, web server configuration, NFS configuration, FTP server configuration, etc.
    • Windows At configuration, web server configuration, file sharing configuration

  RedHat Linux has a utility called RPM that can be used to check the installed files against prepared packages available from the vendor's web site or from CDROM distribution media.

  There are several open source and commercial file/system integrity checkers.

  Because of the difficulty in being sure all backdoors are closed, a compromised system should be rebuilt from scratch.

  CERT has published both a Windows NT Intruder Detection Checklist and a Unix Intruder Detection Checklist. 

Back to Contents ->

17. How is my privacy affected when using a computer?

To be provided.

18. What about personal firewalls?

General information about personal firewalls can be found here.

Back to Contents ->