Computer Security for the Rest of Us

It's a bit sad, but computer security conjures up images of security experts plying their arcane trade in distant bunkers. The trade comes with its own jargon and acronyms - pseudo-random-sequence generators, MD5, one-way hash functions, SSH, trojans - all designed to make it seem that ordinary people are not clever enough to handle their own security.

Don't believe a word of it. You don't have to be a top-rated cryptographer to run a clean machine. All you have to do is to apply a bit of common sense to understand how the crooks could break into your computer. So here is Alan's ABC of protecting your computer from those who would steal your digital property.

There are a number of ways that nasties can get into your computer, so we will look at each in turn and consider how you would prevent each type of attack.


1. E-mail

This is one of the most popular ways for the maliciously-minded to get access to your computer. What they do is to send you a program disguised as an innocent e-mail (or not so innocent; experience shows that people are more likely to click on porn than any other topic). When the program is run it takes control of your computer. These programs are usually called viruses, although strictly speaking some are not actual viruses. Not being language lawyers, we will call them viruses anyway!

Depending on what its function is, the virus can turn your computer into a mailbox for sending spam, send copies of itself out to anyone in your address book, and a hundred and one other nasty things, including wiping your hard drive clean.

It used to be that you could avoid this sort of problem by not clicking on attachments. Nowadays, even previewing the e-mail in your e-mail client window is enough to cause the program to run. Obviously you could stop all this by simply not connecting your computer to the Internet, but that would be cutting off your nose to spite your face!

So, the first line of defence is going to cost you some money - fortunately not a vast amount - and it's anti-virus (AV) software. Once you have bought an AV program there is a small annual charge to keep it up to date.

AV software works by scanning your incoming mail for 'signatures' of computer viruses. Signatures are patterns that identify viruses. Since viruses are programs, they contain sequences of commands that can be scanned for and identified. If the AV software finds one of these patterns it will take whatever action you have previously specified, like deleting the offending attachment.

Each virus has a unique signature - though the really clever ones can mutate to have more than one signature, just to make life difficult - and it is that signature that the AV firms must find before their programs can identify a new virus. When you update your AV program you are being given the new patterns the researchers have found since you last updated the database in your computer.

Since new viruses are coming out every day it's important to keep your AV database up to date. Most AV programs have an option that lets the program contact its web site late at night and update its database. It's well worth considering using this option so you don't forget. If you don't update your AV software, then a new virus might well slip through, and then you are in real trouble.
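
A toy version of the signature matching and database update described above, added here as an illustration (it is not code from any AV product). The byte patterns, virus names and file names are all constructed placeholders, and a plain substring search stands in for the more elaborate matching real scanners use.

```python
# Added illustration: a toy signature scanner, not code from any AV product.
# Every pattern, virus name and attachment below is a constructed placeholder.

# The database as it stood at the last update: name -> byte patterns.
OLD_DB = {
    "Demo.Mailer": [b"\x90\x90DEMO-MAILER-A\xcc"],
    "Demo.Wiper": [b"DEMO-WIPER-A\x00\x01"],
}
# Tonight's update: a second signature for a mutated Demo.Mailer, plus a new virus.
NEW_DB = {
    "Demo.Mailer": OLD_DB["Demo.Mailer"] + [b"\x90\x90DEMO-MAILER-B\xcc"],
    "Demo.Wiper": OLD_DB["Demo.Wiper"],
    "Demo.Logger": [b"DEMO-LOGGER-A\xff"],
}

# Constructed incoming attachments.
MAIL = {
    "holiday.jpg": b"\xff\xd8\xff\xe0 constructed picture bytes",
    "invoice.exe": b"MZ" + b"\x00" * 8 + b"\x90\x90DEMO-MAILER-A\xcc" + b"rest",
    "mutated.exe": b"MZ" + b"\x90\x90DEMO-MAILER-B\xcc",
    "newgame.scr": b"MZ" + b"DEMO-LOGGER-A\xff",
}

def scan(data, db):
    """Return the names of all viruses with at least one signature in data."""
    return sorted(name for name, patterns in db.items()
                  if any(p in data for p in patterns))

def filter_mail(attachments, db, action="delete"):
    """Apply the pre-set action to every attachment that matches a signature."""
    kept, report = {}, {}
    for filename, data in attachments.items():
        hits = scan(data, db)
        if hits:
            report[filename] = hits
            if action == "delete":
                continue          # the offending attachment is dropped
        kept[filename] = data
    return kept, report

if __name__ == "__main__":
    for label, db in (("before update", OLD_DB), ("after update", NEW_DB)):
        kept, report = filter_mail(MAIL, db)
        print(label, "| delivered:", sorted(kept), "| caught:", report)
```

With the old database the mutated and the new attachment are both delivered; after the update only the picture gets through.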


2. Browsers

Browsers are the second most popular way of getting virus-type programs into your computer. The problem actually goes back to the 'browser wars' of the 1990s. All the companies involved were busy adding features that increased the number of things people could use their browsers for. Unfortunately no one was thinking about what would happen if the bad guys used these features!

The result, of course, was twofold - a bunch of features that the baddies just loved, plus insecure and largely untested code that was rushed out at the behest of the marketing weasels. In the case of Microsoft this was compounded when they decided that their browser would be built into the actual Windows operating system.

Bad decision. It meant that anyone who controlled the browser had a line straight through to the operating system.

Browsers have improved a little since then, but you still have to be careful. First you need to apply all the patches that your browser provider puts out. Frankly, that's a pain. Microsoft, for instance, is trying to put out only one batch of patches a month. Unfortunately, some of the security holes are so dangerous that they are having to issue extra patches in between the monthly bunch.

You can make your use of the browser a little more secure by turning off Java. Alternatively, if you are a Microsoft Internet Explorer user you could switch to an inherently more secure browser, like Firefox or Opera. Firefox is free, and my experience is that IE users usually like it and find it easy to make the change. Opera is available in both free (ad supported) and pay versions and is somewhat more complex to use.

I switched to Firefox a few months ago and have been very pleased with it. It seems that I'm far from the only one to make the switch - Firefox has come from nowhere to take five percent of the browser market in a very short space of time.

Other than that, all you can do is to be careful what sites you visit. Dodgy sites offering porn, cheap medication, and mortgages at rates too good to be true are just that - too good to be true!


3. Server programs

Most of the programs you use fall into one of four categories - stand alone programs, client programs, server programs and peer-to-peer (P2P) programs. Stand alone programs are those that don't, or aren't supposed to, use the network, so we don't need to deal with them here. Client programs are ones you use to access services on the Internet - the main ones you are likely to come across are your mail client and your browser. Another example would be a program used to play an on-line game.

Server programs are, so to speak, the opposite of client programs. When you use your mail client you are connected to a mail server; similarly, a browser will talk to a web server program. Server programs can be very dangerous if they are not secure, because they are, in effect, inviting people to come in to your computer and use it to provide specific services.

Servers can be dangerous in two ways. First, they can have bugs which allow access to your computer, and second, they can be set up in such a way that they are not secure and so allow the users of the server to access more than just the server.

In an ideal world you wouldn't be running any servers, and, indeed, my advice is not to run a server on your own computer unless you are very sure you know what you are doing. However, we don't live in an ideal world and a number of Microsoft's versions of Windows ship with various servers, in particular IIS (Internet Information Server - Microsoft's web server) configured to start automatically when you switch the computer on. The result is that a lot of people are running IIS without realising it, and there are a whole bunch of known security problems associated with IIS.

There are two possible solutions. The obvious one is to check carefully on what is running on your computer, and turn off anything that shouldn't be running. Unfortunately it's not as easy as that. Modern computers run an enormous number of programs as part of the operating system, and most of them have ultra-cryptic names. It's really difficult to know whether it's safe to stop a running process unless you are an expert sysadmin - and even they have been known to blunder!

The other alternative is to run a firewall program. Firewall programs, when set up for home computers, are a bit like one-way mirrors - you can see out, but no one outside can see in (or in this case get in). The way in which they work is conceptually very simple, but to understand it you need to know a little bit about how your computer communicates with the outside world.

The network access to your computer is configured as a series of ports, each with its own number - you can think of them as the doors in an apartment block. In each apartment there is a single service which, if it is running, is listening for a knock on the door. Web servers, for instance, listen on port 80, and the FTP file transfer program listens on port 21. If there isn't a program listening on a port then it's pretty safe; no one can break into your computer through that port. If there is a program listening on a port, then someone can connect to that program via the network, and if the program is buggy or set up wrongly, they can access the whole of your computer.

Ports, like doors, are two way things, you can go out through them as well as coming in. When you use a client your computer allocates your client program a port to use for that session. Now, what the firewall does is very simple, and rather clever. It stops anything from outside your computer accessing a port unless the access is in response to a request from one of your client programs. In other words no one can come in uninvited. Neat!

Actually, most firewalls are much more sophisticated than I've described. They are capable of being configured to allow connections through to specific ports even if the connection is not in response to a client request. So if you really did want to run a web server, you could tell the firewall to allow all connections to port 80, for instance. I wouldn't recommend configuring things that way though. If you really want to run your own web site use one of the hosted services, it's much safer.
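
The 'one-way mirror' rule and the optional open port described above, written out as a small simulation. This is an added illustration, not code from any real firewall; the class and method names are hypothetical, and the addresses are constructed values from the 203.0.113.0/24 documentation range.

```python
# Added illustration of the "one-way mirror" rule; not code from any real firewall.
# HomeFirewall and its methods are hypothetical names; addresses are constructed.

class HomeFirewall:
    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)  # ports deliberately opened to the outside
        self.sessions = set()              # conversations started from inside

    def outbound(self, local_port, remote_ip, remote_port):
        """A client program on this computer contacts a server: remember it."""
        self.sessions.add((local_port, remote_ip, remote_port))
        return "ALLOW"

    def inbound(self, remote_ip, remote_port, local_port):
        """Something arrives from the network for one of our ports."""
        if (local_port, remote_ip, remote_port) in self.sessions:
            return "ALLOW"   # a reply to a request one of our clients made
        if local_port in self.open_ports:
            return "ALLOW"   # explicitly configured, e.g. port 80 for a web server
        return "DROP"        # uninvited

    def close(self, local_port, remote_ip, remote_port):
        """The client has finished, so late 'replies' are no longer expected."""
        self.sessions.discard((local_port, remote_ip, remote_port))


def demo():
    fw = HomeFirewall()
    web = ("203.0.113.10", 80)
    results = {}
    fw.outbound(49152, *web)                       # the browser asks for a page
    results["reply to browser"] = fw.inbound(*web, 49152)
    # A web server left running by accident is still unreachable from outside.
    results["stranger to port 80"] = fw.inbound("203.0.113.66", 40000, 80)
    results["stranger to browser port"] = fw.inbound("203.0.113.66", 80, 49152)
    fw.close(49152, *web)
    results["reply after close"] = fw.inbound(*web, 49152)
    results["port 80 opened on purpose"] = HomeFirewall(open_ports={80}).inbound(
        "203.0.113.66", 40000, 80)
    return results

if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{verdict:5}  {event}")
```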


4. Peer To Peer

Peer to peer (P2P) programs are a combination of server and client. Typical examples are file sharing programs like Kazaa and the now defunct Napster. As with any program that brings things in from the Internet, such programs can be used to bring in viruses and other nasties.

It's difficult to protect against this sort of problem, because unlike, say, your browser, the programs and data being brought in are not designed to run 'within' the P2P program, but just on the computer itself. This means that there is not a lot of opportunity to fence off the program from everything else. If it's malicious it will take control of your computer.

The best advice I can give is to be careful, only connect to other computers that you feel you can trust, and get your anti-virus software to scan your disk regularly. Scanning the disk takes time and you can't really do anything else while it's going on, so start the scanner running when you go out - it will tell you when you get back if it finds anything untoward.


5. Malware and bugs

Malware is the name for all the different types of program that can take over and/or damage your computer. It includes viruses, worms (programs that replicate themselves across computers, but nothing else), trojans (programs pretending to be a different program - as in the Trojan Horse in Greek mythology), keystroke loggers (programs which keep a record of what you type into your computer - like passwords - and send them off to the logger's owner) and a whole host of other nasties. Your anti-virus software should pick this sort of stuff up, but it will only do so if you keep it up to date, and you run the scanner regularly.

I've mentioned bugs in network aware programs earlier in this piece. Basically bugs are mistakes made by the programmer. Bugs can be caused by the programmer getting the logic wrong, or possibly because they weren't considering the security implications when they designed the program.

It's not surprising that programmers make mistakes if you think about it. Take, for instance, my Federation game server. That has 120,000 lines of C and C++ code, and every letter of that code has to be correct in order for the program to work properly, even assuming I made no logic errors. Programmers are born optimists. You have to be an optimist to believe you can write perfect code!

The real surprise is not that programmers make mistakes, but that companies skimp so badly on the testing, and that most people who teach programming don't teach how to make programs secure. This is why it's so important to patch programs in which bugs have been found. Patches apply the corrections to the code needed to block security holes in the program. The problem comes when the patch has its own, different, bugs that also create security holes...

Yes, it really does happen, and no, I'm not going to finger any specific firms (though I could), since it has happened to most people at some time or another. Usually it's caused by the rush to get the patch out before someone writes a program to exploit the hole. Because of the rush, testing that the new code hasn't broken anything already in the program is skimped and the patch causes new problems. (Testing that the program still works when you change existing code is called regression testing, by the way.)

There's not a lot you can do to avoid this problem. You can wait to see if anyone else has problems before applying the patch, but you risk someone exploiting the bug while you are waiting. Like a lot of security issues you have to weigh the risks and make a decision one way or the other.


6. Passwords

The last security problem I want to look at in this article is passwords. Traditionally passwords come in two varieties. The first is issued by the system admin and consists of a stream of random numbers and letters, which is completely impossible to memorise. The other sort is the name of your wife, daughter, pet, or car registration number. Both types have dire security records, as does having the same password for everything.

Random jumbles are insecure because you have to write them down - usually on a post-it note stuck on the side of your computer monitor - while names are insecure because they are easy for other people to figure out. Using the same password everywhere is insecure because if your password is compromised on one web site, the hacker has the password to everything you have access to - including your computer!

So how do you create a good password? It should be something that is easy to memorise, but not obvious. Well there are various schemes for doing this but here is the one I use. Open a dictionary at random and pick a four or five letter word. Add a number to the end of it. Open the dictionary at another page and pick another four or five letter word. Add that after the number. Voila! A password that's relatively easy to remember and not too easy to crack - for instance 'rack2flow' or 'jewel83phone'. If you need to make it more difficult to crack, capitalise one or more of the letters.
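
The word-number-word scheme above, carried out by a program, with a count of how many different passwords it can produce. This is an added illustration, not the author's own code: the word list is a constructed stand-in for a real dictionary, the 0 to 99 number range is an assumption (the article just says 'a number'), and the 5,000-word figure is a hypothetical dictionary size.

```python
# Added illustration of the word-number-word scheme; not the author's own code.
import math
import re
import secrets

# Constructed stand-in for the four and five letter words of a real dictionary.
WORDS = ["rack", "flow", "jewel", "phone", "lamp", "stone",
         "river", "cloud", "mint", "horse", "bread", "plum"]

# Operating-system randomness: the software equivalent of opening the
# dictionary at a random page.
RNG = secrets.SystemRandom()

# The shape every password from this scheme has.
SCHEME = re.compile(r"[a-z]{4,5}[0-9]{1,2}[a-z]{4,5}", re.IGNORECASE)

def make_password(words=WORDS, max_number=99, capitalise=False):
    """Pick a word, a number (assumed range 0..max_number) and another word."""
    first, second = RNG.choice(words), RNG.choice(words)
    password = f"{first}{RNG.randrange(max_number + 1)}{second}"
    if capitalise:
        # Choose upper or lower case independently for every letter.
        password = "".join(c.upper() if secrets.randbits(1) else c
                           for c in password)
    return password

def possible_passwords(n_words, max_number=99, random_case_letters=0):
    """How many different passwords the scheme can produce.

    This is the number of guesses someone who knows the scheme and the
    dictionary would have to be prepared to make.
    """
    return n_words * (max_number + 1) * n_words * 2 ** random_case_letters

def bits(count):
    """The same count expressed as bits (log base 2)."""
    return math.log2(count)

if __name__ == "__main__":
    print(make_password(), make_password(capitalise=True))
    for n_words, letters in ((len(WORDS), 0), (5000, 0), (5000, 8)):
        count = possible_passwords(n_words, random_case_letters=letters)
        print(f"{n_words} words, {letters} random-case letters: "
              f"{count:,} passwords ({bits(count):.1f} bits)")
```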

Obviously, it's going to be a problem to remember dozens of these passwords. However, if you are going to use the same password for different sites then at least have a different password for your own computer - one which is not used anywhere else. It would also be wise to have a separate password that you use for any sites involving financial transactions. Alternatively, you can use one of the password management programs, which means you can have a different password for each site, but you only need to remember the password to your password management program. Of course if you forget the password to the management program you lose everything!


To conclude...

Security is about common sense. You close the windows and lock the door when you go out. You need to do the same when connecting your computer to the Internet.

A lot of the problems we face are caused by the fact that the Internet was designed as a collaborative network - the assumption was that its users wanted to keep it running, not that they wanted to attack the network and the computers connected to it. Likewise the main operating system for home computers, Windows, was designed for a stand alone machine, not one connected to a network (early versions of Windows didn't even have software to access the Internet).

These problems will be solved over time - even the marketing weasels recognise that the 'features' people want now are security features.

But you can make a difference even now by how you look after your computer. Be careful. Take elementary precautions. Keep your security software up to date.


And have fun :)

Alan Lenton
19 December 2004


Useful URLs:

Alternative Browsers:

Firefox
http://www.mozilla.org/

Opera
http://www.opera.com/


Anti-virus Software Companies:

Computer Associates
http://www.ca.com/

F-Prot
http://www.f-prot.com/

Grisoft
http://www.grisoft.com/us/us_index.php

Kaspersky
http://www.kasperskylabs.com/

McAfee
http://www.mcafee.com/us/

Panda
http://www.pandasoftware.com/home/default.asp

Sophos
http://www.sophos.com/

Symantec
http://www.symantec.com/index.htm

Trend Micro
http://www.trendmicro.com/en/home/global/enterprise.htm

