"Don't open that attachment!" and other tips from a computer security guru

by Sherry Bithell

Do you think hackers would never target your computer?

Think again, says Randy Marchany (computer science '80), director of Virginia Tech's Information Technology Security Lab.

"Everyone says, 'There's nothing on my computer that a hacker wants.' Which is true. Unless I've got a beef against you, there's nothing on your machine that interests me--except your machine.

"Say I steal your car to rob a 7-Eleven," he elaborates. "Whose license plate number gets written down? Yours, not mine. If I go on a rampage, so what? It’s not my car." The same holds for a hacker using your computer to commit cybercrime--any wrongdoing will be traced back to the machine performing the deeds, not the person orchestrating them.

Welcome to the world of computer security, where the old joke, "Just because you're paranoid doesn't mean they're not out to get you," proves to be true. Forewarned is forearmed, however, so read on to learn Marchany's top tips for defending your computer against the potential perils of negotiating the Net.

#1: Update, update, update

Even if you think you're safe because you're running an antivirus software program--which Marchany calls "absolutely critical"--unless you update it frequently, it's useless, since every new virus necessitates its own fix. Updating your antivirus software is as easy as going to the program manufacturer's website and downloading patches, which Marchany recommends doing at least once a week.

Equally important is staying current with patches for your operating system--without them, antivirus scans may not run correctly. Additionally, some viruses are written specifically to take advantage of weaknesses in the system, such as the Sasser worm that circulated in early May. Three weeks before Sasser began circulating, Microsoft had issued patches for the Windows flaw that the worm was designed to exploit. Had the hundreds of thousands of people who were infected by Sasser downloaded the Windows patches, they would have been protected.

Like antivirus updates, operating system patches can be downloaded from their manufacturer's website. However, most companies will discontinue patches for older operating systems as use of the newer systems becomes more widespread. Also, while most computers can be configured for automatic system updates, doing so may alter the setup of other programs.

The flaw with antivirus software is that it can only detect known viruses. Usually, it takes eight to 12 hours after a virus begins circulating before antivirus companies can issue a filter for it--and before most people are even aware of it. That's when most of the damage is done, making the next tip one you should consider taping to your computer monitor.

#2: Don't open that attachment!

When it comes to contracting viruses via e-mail, an ounce of caution is worth a pound of cure.

Because hackers have grown increasingly clever about the design and delivery of viruses, Marchany emphasizes that it's vital for computer users to only open attachments from known senders. He cites as an example the MyDoom virus that circulated in February. "That one was particularly effective. The message said, 'Here are the pictures you ordered' or 'here is the spreadsheet you wanted,' and people said, 'Oh, okay' and opened the file--and bang."

In addition, it's never a bad idea to err on the side of caution by confirming that the sender deliberately e-mailed the attachment to you. Many viruses today can self-replicate by sending themselves to all entries in an e-mail address book. So even if your brother has e-mailed you a photo of your niece, be careful--it may not be what it seems.

#3: Watch out for the hook, line, and sinker

Like its maritime counterpart, "phishing" is a delicate art. E-mails designed to look like they originated from legitimate businesses, phishing scams seek to garner personal information such as a user's password, credit card number, Social Security number, or bank account numbers. "We're finding a lot of people falling for this now," Marchany says. "In fairness, some of the con jobs are quite sophisticated and they look official."

Recent examples include e-mails sent by "yahoo-billing.com" and "eBay-secure.com." In late 2003 and early 2004, one highly successful phishing e-mail that appeared to have been sent by eBay claimed that the recipient's account would be suspended unless his or her credit card information was updated. The e-mail--which sent people to a website that not only looked like the real eBay site but was linked to it--went to thousands of people, a large percentage of whom happened to be eBay account holders who were tricked into "updating" their information. So don't click on a link in an e-mail unless you're confident of the sender's identity.

Most businesses won't ask you to verify account information via e-mail, but to ascertain whether a message is legitimate or part of a current phishing scam, check with the Federal Trade Commission or the Better Business Bureau (http://www.bbb.org).

Another rule of thumb: Don't give personal information unless you implicitly trust the recipient or the site. Even if you do, there are two ways of making sure a connection is secure--or encrypted, meaning that it can't be intercepted--and therefore a safe means of providing information over the Internet. One is to look for a closed lock symbol in the bottom right-hand corner of your Web browser window (on a Macintosh, the lock will be in the bottom left-hand corner). The other is to look in the address window of the site processing the information--the URL should begin with "https" instead of the standard "http."
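
As an added illustration (not part of the original article), the Python sketch below applies the two checks from this section to links found in an e-mail: whether the address begins with "https," and whether a brand name such as eBay or Yahoo appears in a host that is not that company's own domain. The official-domain table, the two-label domain approximation, and the sample links are assumptions made for the example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed table of brand name -> the company's own domain (not from the article).
OFFICIAL = {"ebay": "ebay.com", "yahoo": "yahoo.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: good enough for .com names; production code should
    consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list[str]:
    """Return warnings for one link taken from an e-mail message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    reg = registrable_domain(host)
    for brand, official in OFFICIAL.items():
        # Brand name somewhere in the host, but the site belongs to someone else.
        if brand in host and reg != official:
            warnings.append(f"lookalike:{brand}")
    return warnings


# Constructed sample links; the first two hosts are the ones named in the article.
SAMPLES = [
    "http://yahoo-billing.com/update",
    "https://eBay-secure.com/login",
    "https://signin.ebay.com/",
    "https://ebay.com.account-check.example/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "no warnings")
```

The second sample begins with "https" and is still flagged: an encrypted connection says nothing about who is on the other end.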

#4: Fight fire with a firewall

Marchany recommends that anyone who surfs the Internet, particularly those who have moved from phone modems to more direct connections such as cable modems or digital subscriber lines, should install a personal firewall. A firewall regulates which of a computer's more than 65,000 ports are activated, such as those that provide e-mail and web access. The firewall will allow you to choose which ports you want left open to external communications and then will block the rest. This protects your machine from hackers who might be scanning it for weaknesses. "You can think of a firewall as a bouncer in a bar: If you don't have the right credentials, you don't get in," Marchany says.

He cautions that ports which the average computer will want to keep open, such as those related to e-mail functions, will still be vulnerable--hence the reason e-mail viruses can be so harmful. Still, industry experts say that many computers infected with the Sasser worm could have been protected had they been using firewalls. Firewall software--which is already included in the latest version of Windows XP--can be purchased from a third-party vendor.

#5: Always read the fine print

Is someone watching you? If you access the information superhighway, it's possible.

When Net surfers download a program or a file, or even visit a website that displays a seemingly harmless banner ad or pop-up window, they may be inadvertently installing spyware on their machine. Spyware acquired its nickname for a reason--it allows the person who created it to monitor what you're doing on your computer. "When you go back to the website that put it on your machine, the first thing the website does is check whether that component is still there. If it is, the website can activate it," Marchany says.

The purpose of spyware ranges from the relatively innocuous, such as reporting to marketers which websites you make purchases from, to the more harmful, such as allowing its creators to view what's on your computer monitor--or, now that computers come with extras such as cameras and microphones, to see or hear what you're doing. Additionally, because some spyware programs are poorly written, they can contain bugs or cause your computer to malfunction.

Believe it or not, spyware is perfectly legal. "There are tons of privacy issues with spyware, but because some companies put in the fine print on their Web page that they're going to be downloading this stuff unless you say no, it's okay." One example is the music-file sharing program Kazaa. Its license agreement--which must be accepted before a file can be downloaded--gives the company access to a computer's unused disk space and network bandwidth for what it calls "distributed content management."

On April 19, the Federal Trade Commission held a workshop to address the issue of spyware, but Commissioner Mozelle Thompson concluded that it is too soon for Congress and the states to pass laws banning the software. His solution? For technology businesses to educate consumers about identity theft scams and the other potential dangers of spyware.

A more immediate fix, however, is to install and run on a regular basis a spyware detection program that will find and delete any spyware currently installed on your computer.

#6: Easier is not always better

Marchany laments what he calls "the rise of the gadgets," or the shortcuts and devices that, though designed to make computers more user friendly, can often cause problems instead. One example is the "save your password" feature offered by most e-mail programs. "Those passwords have to be stored in a file somewhere," he points out, "and what we’ve found out is that that file’s not really well protected.

"Say you've saved the password, and I've managed to infect your machine with spyware. Because I've got complete control of your machine, I find your Eudora and click on it. I can't send e-mail because I don't have your password--but wait, you've saved it for me. Now I can send e-mail that's going to look like it came from you."

This scenario can pose more problems than you might initially think, he adds. "Post-Sept. 11, if I want to make life miserable for you, I send a threatening e-mail to the White House. Now it's not just a nuisance anymore--you're a national security threat."

#7: Always back up your computer

Sometimes, there's only so much you can do to protect yourself. If, for example, you open an attachment with a brand-new virus, "The moment you click on it, it's too late," Marchany says, recalling one computer user who had 12,000 copies of the Netsky virus on his machine. "The sad thing was, he had the antivirus software and it found the virus and put the files in a quarantine area. But because he had so many copies of the virus, after 26 hours of scanning, the program had only cleaned a third of the files. In the end, we just wound up re-installing his computer."

And that's the moral of the story: In some cases, no matter how good your protection and how up-to-date your antivirus software, the only option left is to re-install all of your programs and data. That's when the tedious task of backing up your computer every day will look like the best time investment you’ve ever made.

Better safe than sorry

"People don't realize that using a computer can be a two-way street," Marchany concludes. "They tend to think, 'I'm going out onto the Internet,' rather than 'the Internet can come to me.' They're not realizing that the threat's out there."

Clearly, it's worth the potential headache that may come from the initial effort to beef up your computer’s security. If you don't know what you're doing, find an acquaintance who does or consider hiring a consultant. Once you do, Marchany says, "if you've stayed up-to-date with your patches and your antivirus stuff, and you've got a good firewall, you're going to be relatively safe. You just have to be really careful about what you do."



The lowdown on viruses

When your computer contracts a virus, it can be blamed, as with its biological namesake, on a low immune system. Because some software is what Marchany describes as "broken right out of the box," meaning the manufacturer shipped it with bugs or other problems, hackers create viruses to probe your machine and look for those vulnerabilities.

"Hackers are doing a kind of quality control for the software vendors by finding the exploits," he notes. "You can actually thank them because the vendor probably has no incentive to fix the problem until a hacker exploits it and there are a lot of complaints."

To give an idea of how many viruses can be circulating at any given time, Marchany points to the Virginia Tech e-mail system. Anything sent to one of the more than 90,000 vt.edu personal identification accounts (PIDs) is filtered for known viruses. Tech ran its first virus scan on these accounts in August 2001 and intercepted its one-millionth virus a scant three months later. As of March, the filter had flagged more than five million, including 700,000 just from the MyDoom virus that circulated in early February.

Want to learn more?

Virginia Tech offers a number of computer security resources:

• At http://www.answers.vt.edu, you can search every question ever submitted to the university's computer Help Desk. If you can't find what you’re looking for or can't access the site, call 540/231-4357.

• Alumni with Virginia Tech personal identification accounts (PIDs) can download the latest virus protection software and patches at http://www.antivirus.vt.edu. Even if you don't have a PID, the site provides information about current viruses and can direct you to other resources.

• For those more interested in the technical details, http://www.security.vt.edu provides a range of computer security information, including the latest news, access to educational resources, and risk analysis and presentations.



Phishing scams that go around, come around

Perhaps you have received an e-mail that begins something like this: "DEAR SIR. THIS LETTER MIGHT SURPRISE YOU BECAUSE WE HAVE NOT MET NEITHER IN PERSON NOR BY CORRESPONDENCE, BUT I BELIEVE IT TAKES JUST ONE DAY TO GET TO MEET OR KNOW SOMEONE EITHER PHYSICALLY OR THROUGH CORRESPONDENCE."

This is one form of phishing that has reached legendary status: the Nigerian e-mail scams. These come in the form of oddly worded pleas allegedly from members of a deposed ruler's family or military staff who have access to several million dollars that they would like to deposit into your bank account--for which, of course, they will need your account numbers and other personal information.

Believe it or not, these scams work. In one instance, a former Harvard University researcher who had bilked several acquaintances of some $600,000 with his own e-mail scam turned around and invested the money in a Nigerian e-mail scam. Not only did the scammer lose his fraudulently gained funds, he was subsequently arrested for his own phishing misdeeds.