PRUDENT COMPUTING

By Royal Van Horn

Illustration © 2003 by Mario Noche

RECENT REPORTS show that 90% of all large corporations and government agencies have experienced a computer security attack. Furthermore, in a recent survey of its readers, Consumer Reports found that 58% of respondents had discovered at least one computer virus on their computers in the last two years and 10% had incurred serious virus damage. Incidentally, the Consumer Reports survey also found that Windows users were three times more likely to encounter a virus than Mac users (62% versus 23%). Eleven percent of Windows users reported damage, while only 2% of Mac users did.1 Given such data and the early fall outbreak of Blaster and other viruses, computer users everywhere need to become more prudent.

There are two main computer security issues. How can you protect your computer from attack or damage, and how can you protect sensitive personal information, including your identity? My focus here will be on the desktop computer you use and not on networks or Internet service providers. If you do most of your computing on a school or business network, you should seek out advice from your network administrators. Specifically, do not install software on your computer without consulting a network administrator.

The most fundamental way to protect your computer from attack is to turn it off when you are not using it. Most people turn their computer on in the morning, check their e-mail, and then go about their business -- often ignoring the computer until late afternoon. If you want to work on your computer, but don't need e-mail or Web access, you can protect yourself by simply turning off the computer's Ethernet network connection. You are especially at risk if you leave Instant Messaging (IM) software on unattended. It helps if you configure your IM software to not send or receive anything except text, but few people do this. And I have been guilty of ignoring this advice myself. Several years ago, I had a computer that I did not turn off for two years.

Another fundamental way to protect yourself is to be careful about your passwords. Use different passwords for different software, pick passwords that are hard to decrypt or guess, and do not let your computer remember your password for you. Almost no one I know follows this simple advice. Here are a few password do's and don'ts from the Center for Information Technology at the National Institutes of Health:

• Don't use your log-in name in any form (as-is, reversed, capitalized, doubled, etc.).
• Don't use your first or last name in any form.
• Don't use the name of your spouse or child.
• Don't use other information about yourself that can be easily obtained: license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of your street.
• Don't use a password made up of all digits or all the same letter.
• Don't use a word contained in dictionaries (English or foreign language), spelling lists, or other lists of words.
• Don't use a password shorter than six characters.
• Do use a password with mixed-case alphabetic characters.
• Do use a password with nonalphabetic characters, e.g., digits or punctuation.
• Do use a password that is easy to remember, so you don't have to write it down.
• Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password.2

I concur with the advice above, except for using mixed-case passwords, which I believe contradicts the last item -- be able to type it quickly.

This fall's e-mail virus epidemic was caused in large part by users who failed to follow this simple rule: never open e-mail attachments -- even if they are from a friend -- unless you are certain they are legitimate. The fall viruses used "spoofing," which is a technique hackers use to make you think you are receiving mail from a friend.

You cannot be safe unless you use antivirus software from a reliable vendor and keep it updated regularly -- preferably weekly. Consumer Reports recently tested six antivirus software packages and recommended Norton Antivirus and McAfee VirusScan 6.0 ($50 and $40 respectively). Once you install antivirus software, you need to regularly scan all of your disk drives, including your individual zip disks and any other storage media. Virus protection software starts working when you install it and use it, but it does not eliminate viruses you may already have unless you scan all old drives and files.

In addition to keeping antivirus protection current, it is important to keep your operating system current. You should regularly patch your operating system software, especially if it is a version of Microsoft Windows. In early September, Microsoft found two security holes in Windows and quickly issued patches that almost every Windows user should have installed as soon as possible -- although I doubt many did. As mentioned above, it is a good idea to speak with your system administrator before installing software, and that includes patches. Some patches require that you make a series of technical decisions after you install them, so you may need a technician's help. Web browser software such as Internet Explorer should also be updated or patched regularly.

Unbeknownst to many people, computers have about a dozen ways they can share things. Learn about this sharing and try to keep sharing turned off until you need it. My Mac, for example, has personal file sharing, personal Web sharing, Internet sharing, printer sharing, remote log-in, and FTP access. All of these services are handy if you need them. For example, using printer sharing, I could let anyone on our Ethernet network share my color printer. Likewise, using Internet sharing, you could let anyone on your home network share a single Internet connection. The problem is that every time you enable a kind of sharing, you open up another entry point for hackers. I keep all sharing disabled, which is the default setting on my Mac, but I do not know if "disabled" is the default for Windows.

Don't assume that your Internet service provider, for example AOL, can protect you. In the hacker's mind, it is better to disrupt a large user base than a small one. In other words, the larger the network, the bigger the threat.

Wireless Ethernet networks, broadband cable modems, and digital subscriber line (DSL) modems all have their own particular vulnerabilities. DSL is the safest, and wireless Ethernet is the least safe. The range of a wireless Ethernet network often extends beyond the boundaries of a house or single building. That means that unless the network is well secured, your neighbor or anyone with a laptop in a passing car could hop onto your network. Broadband cable modems connect their users to a neighborhood network that is less secure than a DSL modem, which makes each user a network node. For reasons such as these, experts suggest using a cable modem or DSL modem that contains a "router" and a hardware "firewall." These devices typically cost about $100 and hide all computers connected to them from outside intrusion.

Most experts agree that individual users who connect to networks or the Internet should install a firewall. If you are on a school or business network, this may be unnecessary since you might already be behind an institutional firewall. Installing firewall software is not a task that I believe average computer users should undertake. If you do, you have to be willing to read the manual and learn about virtual "ports" and so on. Computers have ports that are software-based that function as virtual connections to the outside world. QuickTime, for example, likes to use port 80. If a firewall disables traffic on port 80, you cannot get streaming video. There are a dozen similar settings included in most firewall software, so frankly I do not take the expert advice to install a firewall, which highlights the importance of the next two points.

As the old adage goes, "There are two kinds of users: those who have lost data, and those who will." Some nastier forms of viruses destroy the information on disk drives. So the first important point is to back up your computer files often. In like fashion, you should make a "boot disk," so that if your computer does crash you can start the rebuilding process by using your boot disk and back-up disks. If you ever do experience file or data loss, you can attempt to recover the lost data using a utility such as Norton Disk Doctor, or you can find a technician who has experience doing this kind of work.

And the second important point is to turn off your drive immediately if you have a crash and you hear the drive start to make unusual noises. Unusual noises indicate that you have a physical failure and that the read/write head of the drive might be scratching the surface of the disk. If you shut down quickly, you can hire companies such as Drive Savers to salvage the data. The Drive Savers website (www.drivesavers.com) has useful information on various topics related to data loss and drive failure.

An excellent source of additional information on computer security issues can be found at the CERT Coordination Center, Software Engineering Institute, at Carnegie Mellon University (http://www.cert.org/tech_tips/home_networks.html). Check it out if you want to explore these issues further. But following the brief advice offered in this column can help you avoid having to hire someone to recover your lost data.

2. Derived from David A. Curry, "Selecting Good Passwords," available at www.alw.nih.gov/Security/Docs/passwd.html.

PDK Home | Site Map
Last modified 27 October 2003
URL: http://www.pdkintl.org/kappan/k0311van.htm
PDK International respects your privacy
© 2003 Phi Delta Kappa International