A Basic Computer and Internet Security Primer
We're providing a simple guide to security (circa y2000). What we're
calling security is three-fold:
- safe PCs:
How can I keep nasty stuff off my PC?
- safe Web Browsing:
How can I keep hackers and malicious programs off my computer when
I use the Internet?
- running a Website:
I run a web site-- how can I make it secure?
Overview
Practical security is balancing the risk of something going wrong
against the cost (in money, in time, and in hassle) of making things
safe. Nothing is completely safe, but spending a little time to
reduce your risk will really make things easier for you in the long
run.
Who are the bad guys that put you at risk? Some are people trying to
crack your system for industrial espionage. Really. Others are
malicious evil hackers breaking things for fun. These include the
'script kiddies'-- folks who snag the easy-to-find automatic hacking
tools (usually written to target Windows) and do a paint-by-the-numbers
attack. Other foes are people who write viruses and worms, then release them
to the public.
But the biggest risk is secondary infection. This is where your friend
loans you a disk and it has a virus-- *poof*, now your computer is
infected. Or they send you a Word document that contains a Macro
virus-- as soon as your copy of Word opens the file and runs the Macro,
you're infected. Or your friend gets attacked and their email program
(typically MS Outlook), unbeknownst to them, sends out 50 copies of
a virus to everyone on their 'friends' list. *poof* you have incoming
mail from a friend, but it's a virus.
And let's not forget simple, ordinary catastrophe. A really bad lightning
strike and your computer is toast. Hard disks do fail-- and typically
when they're being used the most. Computers can burn out. Children can
stick oatmeal in the floppy drive slot. Face it, computers aren't
reliable.
Cheap Backups are Your Best Friend
But it's not all bad. The single best safe practice I'd recommend is
to plunk down $200 for a CD-Rom burner and a stack of $1 CD-Rom blanks
(not the rewritable kind, just the ordinary 'burn once and it lasts forever'
type). Then, every week (or at every big project milestone), just burn a
copy of your work onto the CD.
Why is this good? First, most viruses and hacks alter or destroy files.
By having a non-rewritable copy, you are fairly safe from programs that
will try to destroy the files.
Mind you, if you were infected long ago the files on the CD may indeed
contain the virus. But, you can use anti-virus software to minimize
their effects, and extract the data you need.
To make the copies, there are a lot of backup programs out there.
I've heard of Norton's "Ghost", and the best programs are the ones
that look only for files that changed since your last backup, and
copy those over. Really, you want to do two levels of backup-- a
massive copy of everything every quarter or so, and weekly burns of
the new, important stuff.
By the same token, this is better than backing up onto, say, a Zip disk.
Zip disks are handy, but they're small and expensive, and can have their
contents erased just as easily as your main computer disk. Backing up
onto a Zip disk each day is a darn good idea to protect against a computer
crash, though, and it's worth doing.
Recommended practice:
1. Back up your day's work onto a Zip disk before shutting down the
computer each night.
2. Burn a CD of your hard disk each week. Use backup software-- that
way, the computer can just back up the stuff that changed since your
last burn. There's commercial software, like Norton's Utilities, or you
can get software from a site like shareware.com. Make sure to
run your virus checker on your backup software before using it!
3. Every quarter or so, make a set of CDs that are an exact copy of
your entire hard disk. This lets you recover in the event of a
catastrophic failure.
Yes, it's a pain, but the hours you'll save when problems happen will
make you happy you did so.
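
The weekly "only what changed" copy and the quarterly full copy described above, as an added Python example (not code from this article or from any backup product): it stages the files into a folder that you then hand to your CD-burning software. The marker file name `.last_backup` and the function name are assumptions.

```python
import os
import shutil
import time
from pathlib import Path

STAMP_NAME = ".last_backup"  # hypothetical marker file, not from the article


def stage_backup(source, staging, full=False):
    """Copy files changed since the last run into `staging`, ready to burn.

    full=True ignores the marker and copies everything (the quarterly pass).
    Returns the relative paths that were copied, in sorted order.
    """
    source, staging = Path(source).resolve(), Path(staging).resolve()
    if staging == source or source in staging.parents:
        raise ValueError("staging directory must live outside the source tree")
    stamp = source / STAMP_NAME
    since = 0.0 if full or not stamp.exists() else stamp.stat().st_mtime
    started = time.time()  # taken before the scan so mid-run edits are not lost
    copied = []
    for path in sorted(source.rglob("*")):
        # Skip directories, symlinks, and the marker file itself.
        if path.is_symlink() or not path.is_file() or path.name == STAMP_NAME:
            continue
        if path.stat().st_mtime > since:
            dest = staging / path.relative_to(source)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # copy2 keeps the original timestamps
            copied.append(path.relative_to(source).as_posix())
    # Record when this run began; the next incremental run starts from here.
    stamp.touch()
    os.utime(stamp, (started, started))
    return copied
```

A file edited while a run is in progress may be staged again by the next run; that costs a little disc space but never loses a change.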
Other Tips
- Buy a virus checker for your computer, and update it at least monthly
(make it a regular event). There's good information on antivirus stuff at
About.com.
- Never open an executable file or attachment (i.e. a program) that
someone sends you by email
- Assume any floppy disk you borrow is out to kill you (or at least, is
infected with computer viruses)
- Don't accept unsolicited email attachments
- If you ever get an email that says "forward this to as many people
as you know", don't.
Also, a pair of rules for users of Microsoft Windows:
- If someone gives you an MS Word file, disable automatic macro execution
in MS Word (or MS Office) before reading it (and say "disable macros" while
reading, duh). Otherwise, you'll basically be allowing people to email you malicious programs.
- Patch security holes in Outlook Express (and email in Explorer), with some
details available at
About.com.
For the latest details on the specifics of computer viruses, anti-virus
software, and details on preventing infection, MIT keeps a
virus FAQ.
The NASA response team has extremely timely warnings and updates, at
the NASIRC site.
Once you leap onto the web, are you less safe? Well, being hooked up
to the internet (for web browsing, checking email, and getting files)
does have a little more risk. Mostly, it's a path for attacks to
reach you. If you had no email, never browsed, and never downloaded
a file, you'd be safe but probably a bit bored.
Most email worries, we covered in the section above
on PCs. Another concern is using JAVA and JavaScript
while browsing. A short answer is that keeping JavaScript turned on
within your browser is safe. Some implementations of JAVA aren't
terribly secure, though, and given that there aren't many JAVA-requiring
sites, I'd recommend disabling JAVA in your browser preferences. You
can always turn it on for those rare cases when it's required. If you'd
like far too many details, there's a Princeton FAQ about
JAVA Security.
Public vs Private Machine
If your machine is always on the internet (cable modem, DSL, etc), then
you really need two machines. One for public stuff (that's the one
that's on the net). The other for private stuff and business. The
two can be capable of networking-- but it's highly recommended that you
either use a firewall (more on this) or only network for specific periods
of time, i.e. as needed.
The reason is that any machine networked to an internet machine is reachable
by anyone on the internet. Firewalls help reduce this-- a firewall basically
only allows certain types of information through. For example, a firewall
may be set up to only allow email and web pages through, and block any other
attempts. That reduces the risk greatly-- instead of having a thousand
ways to attack you, hackers only have 2.
In any case, keep sensitive material, confidential records, financial
and credit card records, and business details offline. A second machine
isn't a big cost, compared with the risk if all your financial details
were to be stolen. Remember, if your machine can see the internet,
people on the internet can see anything on your machine,
if they bother to look hard enough.
Hoaxes
Another useful site is the CIAC's site about
Internet Hoaxes.
This is something you should always check before panicking and especially
before forwarding a virus warning to your friends. A lot of virus
scares are pranks, and CIAC catches the most common ones. This is
good because then you can avoid looking like Chicken Little.
Privacy, Email, and Harassment
There are a number of privacy issues while using the internet that,
while not directly security-related, are useful if you are worried
about how much of your personal information is made available behind
your back.
The Privacy Forum is
the best resource for reading about that.
In general, it's safe to assume that anything that has your email
on it (a web page mention, a post to Usenet, email sent to a OneList
or other email list, etc) is harvested by spammers and possible
competitors and hackers. A really good way to avoid stress is to
always have two email addresses.
One is for public dealings,
posting, and communication with the whole internet (that's what
"sandy@rpg.net" is for me). The other is one you only give out
to close friends and family, for private matters (and naturally,
I'm not going to write what that one is for me). Never use the
private one to register at a web site or join an email list,
and request your friends not give it out or sign you up for things.
This helps greatly in reducing the amount of email SPAM you get,
as well as providing some privacy and personal security for your
communications.
Finally, as a side point, there's an interesting site about dealing with
Online harassment, if that
should be a problem.
Now we get to the big time-- having your own web stuff. We'll cover
this at three levels: local, pages on someone else's machine, and
administering your own site.
If you run a web server off your local machine (perhaps because you
have a cable modem or always-on connection), the simple rule is:
do not put anything else on the machine (besides web pages) that
you wouldn't want made public. It's as simple as that.
A machine that is always on and is always connected to the internet
will be hacked, and any contents on it may be copied, stolen, or
altered. By assuming that, you can keep yourself safe.
The risk is much less for machines that you dial in with, since you're
not always connected and (since you're not running a web server) there
isn't as clear a single point of entry.
Pages Elsewhere
Your primary concerns, if your website is hosted somewhere else, are
twofold. First, you don't want people to be able to come in and
alter and deface your pages. Second, it'd be nice if you weren't the
person responsible for letting hackers flood into the system as a whole.
For the first case, you want to make sure that you have a good password
for your account. No 'first name of my children' here. A good password
cannot be found in a dictionary, and has a mix of cases, letters,
numbers, and special characters. To be useful to you, though, it has to
be easily remembered.
A neat trick Emma taught me is to come up with a password sentence. Then
just use the first letter of each word. For example, make your password
sentence be "I'm using Emma's neat password idea!". The password is
then "IuEnpi!" Try to find that in a dictionary! Yet because it's just
from your sentence, it's easy to remember. Quick, easy, secure.
Next, make sure your web area doesn't allow anyone to write to it.
That's rarely a problem for static pages. But if you want
to allow folks to upload files to your site, or you are collecting
votes and storing them in a file, or doing some web scripts that
need to write, well, you may have a problem.
If your script can write to something, you should assume someone else's
script can also do so. But if that place isn't web visible, there's
not a lot else they can do. At worst, they can dump some files to
your machine-- but they can't run them, or put up fake pages, or put
stolen 'warez' for their hacker buddies to download.
So the best rule is that any web script should only be able to write to
a non-web-visible directory. You can ask your sys admin to set this
up for you. So the script "voteme.cgi" in /web/mysite can tally its
votes in /offline/mysite. Since /offline/mysite is not web visible,
this means even a clever hacker is cut off at the pass.
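
One way to enforce this rule inside the script itself, as an added Python example (not the article's voteme.cgi): the vote handler refuses to run if its data directory resolves to anywhere under the web-visible tree, including through a symlink. The two paths come from the text above; the tally file name, the ballot choices and the function names are assumptions.

```python
import fcntl
import os
from pathlib import Path

WEB_ROOT = Path("/web/mysite")      # web-visible tree (path from the article)
DATA_DIR = Path("/offline/mysite")  # not web-visible (path from the article)
TALLY_NAME = "votes.txt"            # assumed name; fixed, never from user input
ALLOWED = {"yes", "no"}             # assumed ballot choices


def is_inside(child, parent):
    """True if `child` resolves (symlinks included) to a path under `parent`."""
    child, parent = Path(child).resolve(), Path(parent).resolve()
    return child == parent or parent in child.parents


def record_vote(choice, data_dir=DATA_DIR, web_root=WEB_ROOT):
    """Append one validated vote to the tally kept outside the web tree."""
    if choice not in ALLOWED:  # form input never reaches the file unchecked
        raise ValueError("unknown choice")
    if is_inside(data_dir, web_root):
        raise RuntimeError("data directory is web-visible; refusing to write")
    tally = Path(data_dir) / TALLY_NAME
    # O_NOFOLLOW: fail rather than write through a symlink planted at the tally path.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(tally, flags, 0o600)
    with os.fdopen(fd, "a") as handle:
        fcntl.flock(handle, fcntl.LOCK_EX)  # concurrent requests must not interleave
        handle.write(choice + "\n")
    return tally


def count_votes(data_dir=DATA_DIR):
    """Tally the recorded votes, ignoring any line that is not a known choice."""
    counts = {name: 0 for name in ALLOWED}
    tally = Path(data_dir) / TALLY_NAME
    if tally.exists():
        for line in tally.read_text().splitlines():
            if line in counts:
                counts[line] += 1
    return counts
```

The data directory must already exist and be writable by the web server's user, which is the part your sys admin sets up.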
This is quite a concern while scripting. And there are other security
concerns while scripting. Really, it's quite a pain, making things
secure. But you gotta do it. Read up at
CGI Resource Index.
Your Own Server
If you're running your own web server, you should be familiar with
some of the O'Reilly Publishing
books on servers and security. Also, read the official
WWW
Security FAQ.
Finally, a useful resource for the curious is the amazing
RISKS digest. This
is an archived email list that chronicles stories of risks, hacks,
break-ins, flaws, and other catastrophes in our modern technological
world. Sometimes dry but always terrifying, it's a good look into
just how fragile our technology is.
Best of luck,
Sandy
sandy@rpg.net
Background
Sandy also works at NASA, which is generally
considered the most popular target of malicious hacking, and for which
Emma is the center's chief webmaster. They also started and were the
prime sys admins for rpg.net's first four years. Sandy is also a
burst employee for a security company, which is easier because he just
has to break systems, not secure them. So we run into a lot of
security-- enough to know we're proficient, but not experts.
Sandy has, in the past, dealt with two portal sites that had a
resident illegal hacker (i.e. an unauthorized user where moving the
hacker would cause more damage than just pretending said hacker
doesn't exist.) Also 2 sites that have admin tools (for companies to
change their official pages and such) that weren't even password
protected, relying only on people not guessing the page URL. One site
had a plain text web-accessible file of customer credit cards. The
excuse is always, "I haven't gotten to securing it yet".
We apologize in advance for the indiscriminate use of the term
"hackers" when the more proper term is "malicious losers who
crack into other people's systems". As a hacker himself, Sandy
is well aware of the fine lineage of hacking, but in the case
of security, the term has its dark side.