These concepts apply to home Internet users just as much
as they would to any corporate or government network. You
probably wouldn't let a stranger look through your important
documents. In the same way, you may want to keep the tasks
you perform on your computer confidential, whether it's tracking
your investments or sending e-mail messages to family and
friends. Also, you should have some assurance that the information
you enter into your computer remains intact and is available
when you need it.
Some security risks arise from the possibility of intentional
misuse of your computer by intruders via the Internet. Others
are risks that you would face even if you weren't connected
to the Internet (e.g. hard disk failures, theft, power outages).
The bad news is that you probably cannot plan for every possible
risk. The good news is that you can take some simple steps
to reduce the chance that you'll be affected by the most common
threats -- and some of those steps help with both the intentional
and accidental risks you're likely to face.
Before we get to what you can do to protect your computer
or home network, let’s take a closer look at some of these
risks.
The most common methods used by intruders to gain control
of home computers are briefly described below.
- Trojan horse programs
Trojan horse programs are a common way for intruders to
trick you (sometimes referred to as "social engineering")
into installing "back door" programs. These can allow intruders
easy access to your computer without your knowledge, change
your system configurations, or infect your computer with
a computer virus.
- Back door and remote administration programs
On Windows computers, three tools commonly used by intruders
to gain remote access to your computer are BackOrifice,
Netbus, and SubSeven. These back door or remote administration
programs, once installed, allow other people to access and
control your computer.
- Denial of Service
Another form of attack is called a Denial of Service (DoS)
attack. This type of attack causes your computer to crash
or to become so busy processing data that you are unable
to use it. In most cases, the latest patches will prevent
the attack.
It is important to note that in addition to being the target
of a DoS attack, it is possible for your computer to be
used as a participant in a Denial of Service attack on another
system.
- Being an intermediary for another attack
Intruders will frequently use compromised computers as
launching pads for attacking other systems. An example of
this is how distributed denial of service (DDoS) tools are
used. The intruders install an "agent" (frequently through
a Trojan horse program) that runs on the compromised computer
awaiting further instructions. Then, when a number of agents
are running on different computers, a single "handler" can
instruct all of them to launch a denial of service attack
on another system. Thus, the end target of the attack is
not your own computer, but someone else’s -- your computer
is just a convenient tool in a larger attack.
- Unprotected Windows shares
Unprotected Windows networking shares can be exploited
by intruders in an automated way to place tools on large
numbers of Windows-based computers attached to the Internet.
Because site security on the Internet is interdependent,
a compromised computer not only creates problems for the
computer's owner, but it is also a threat to other sites
on the Internet.
Another threat includes malicious and destructive code,
such as viruses or worms, which leverage unprotected Windows
networking shares to propagate.
There is great potential for the emergence of other intruder
tools that leverage unprotected Windows networking shares
on a widespread basis.
- Mobile code (Java/JavaScript/ActiveX)
There have been reports of problems with "mobile code"
(e.g. Java, JavaScript, and ActiveX). These are programming
languages that let web developers write code that is executed
by your web browser. Although the code is generally useful,
it can be used by intruders to gather information (such
as which web sites you visit) or to run malicious code on
your computer. It is possible to disable Java, JavaScript,
and ActiveX in your web browser. We recommend that you do
so if you are browsing web sites that you are not familiar
with or do not trust.
Also be aware of the risks involved in the use of mobile
code within e-mail programs. Many e-mail programs use the
same code as web browsers to display HTML. Thus, vulnerabilities
that affect Java, JavaScript, and ActiveX are often applicable
to e-mail as well as web pages.
- Cross-site scripting
A malicious web developer may attach a script to something
sent to a web site, such as a URL, an element in a form,
or a database inquiry. Later, when the web site responds
to you, the malicious script is transferred to your browser.
You can potentially expose your web browser to malicious
scripts by
- following links in web pages, e-mail messages, or newsgroup
postings without knowing what they link to
- using interactive forms on an untrustworthy site
- viewing online discussion groups, forums, or other
dynamically generated pages where users can post text
containing HTML tags
- E-mail spoofing
E-mail “spoofing” is when an e-mail message appears to
have originated from one source when it actually was sent
from another source. E-mail spoofing is often an attempt
to trick the user into making a damaging statement or releasing
sensitive information (such as passwords).
Spoofed e-mail can range from harmless pranks to social
engineering ploys. Examples of the latter include
- e-mail claiming to be from a system administrator requesting
users to change their passwords to a specified string
and threatening to suspend their account if they do not
comply
- e-mail claiming to be from a person in authority requesting
users to send them a copy of a password file or other
sensitive information
Note that while service providers may occasionally request
that you change your password, they usually will not
specify what you should change it to. Also, most legitimate
service providers would never ask you to send them
any password information via e-mail. If you suspect that
you may have received a spoofed e-mail from someone with
malicious intent, you should contact your service provider's
support personnel immediately.
- E-mail borne viruses
Viruses and other types of malicious code are often spread
as attachments to e-mail messages. Before opening any attachments,
be sure you know the source of the attachment. It is not
enough that the mail originated from an address you recognize.
Also, malicious code might be distributed in amusing or
enticing programs.
Never run a program unless you know it to be authored by
a person or company that you trust. Also, don't send programs
of unknown origin to your friends or coworkers simply because
they are amusing -- they might contain a Trojan horse program.
- Hidden file extensions
Windows operating systems contain an option to "Hide file
extensions for known file types". The option is enabled
by default, but a user may choose to disable this option
in order to have file extensions displayed by Windows. Multiple
e-mail-borne viruses are known to exploit hidden file extensions.
The first major attack that took advantage of a hidden file
extension was the VBS/LoveLetter worm which contained an
e-mail attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other
malicious programs have since incorporated similar naming
schemes. Examples include
- Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
- VBS/Timofonica (TIMOFONICA.TXT.vbs)
- VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
- VBS/OnTheFly (AnnaKournikova.jpg.vbs)
The files attached to the e-mail messages sent by these
viruses may appear to be harmless text (.txt), MPEG (.mpg),
AVI (.avi) or other file types when in fact the file is
a malicious script or executable (.vbs or .exe, for example).
- Chat clients
Internet chat applications, such as instant messaging applications
and Internet Relay Chat (IRC) networks, provide a mechanism
for information to be transmitted bidirectionally between
computers on the Internet. Chat clients provide groups of
individuals with the means to exchange dialog, web URLs,
and in many cases, files of any type.
Because many chat clients allow for the exchange of executable
code, they present risks similar to those of e-mail clients.
As with e-mail clients, care should be taken to limit the
chat client’s ability to execute downloaded files. As always,
you should be wary of exchanging files with unknown parties.
- Packet sniffing
A packet sniffer is a program that captures data from information
packets as they travel over the network. That data may include
user names, passwords, and proprietary information that
travels over the network in clear text. With perhaps hundreds
or thousands of passwords captured by the packet sniffer,
intruders can launch widespread attacks on systems. Installing
a packet sniffer does not necessarily require administrator-level
access.
Relative to DSL and traditional dial-up users, cable modem
users have a higher risk of exposure to packet sniffers
since entire neighborhoods of cable modem users are effectively
part of the same LAN. A packet sniffer installed on any
cable modem user computer in a neighborhood may be able
to capture data transmitted by any other cable modem in
the same neighborhood.
In addition to the risks associated with connecting your
computer to the Internet, there are a number of risks that
apply even if the computer has no network connections at all.
Most of these risks are well-known, so we won’t go into much
detail in this document, but it is important to note that
the common practices associated with reducing these risks
may also help reduce susceptibility to the network-based risks
discussed above.
Seniors
