Desktop Security 101: A Quick Course In Safer Computing

Whether you're a student, faculty member or staff person, life at Penn without a personal computer has become almost unthinkable. In dorm rooms, labs, offices, libraries and countless other campus locations, access to computers is a virtual necessity. With increasing reliance on personal computing has also come greater degrees of risk in the way that electronic data (personal, business, academic, etc.) is stored and handled, and the number and amount of computer exploits and malicious software ("malware") and people who attempt to use them have increased exponentially in just the last few years. Computing and information security is no longer an esoteric, theoretical field, it is a major concern in all corners of the computing world, right down to your personal, desktop computer.

Computers in use at Penn come in all shapes and sizes, and use just about every operating system available, but whether you're running a "classic" desktop tower or a laptop, or Windows, or linux, or Mac OS X, there are a number of basic concepts and practices that you can - and should - adopt and use that will protect not only you, your computer and your data, but those of other Internet users at Penn and around the world. These fundamentals apply, regardless of your particular hardware or operating system:

1. Keep your passwords strong, and keep them in your head (as much as possible).

The single biggest computing security problem today, as it has been for decades, is poor selection, maintenance and protection of user passwords. Most systems still rely heavily on passwords for authenticating user access, and human nature being what it is, people tend to choose passwords that are easy for themselves to remember - the dog's name, daughter's birthday, favorite singer, etc. - and in many cases, they will write the password down on a post-it note and stick it on the monitor where they (and anyone else) can see it as a reminder. Or, they will choose a word at random from the dictionary, thinking "no one could possibly guess".

Password "cracking" is a favorite activity of people who get their kicks trying to break into computer systems, and the power of modern computers has given them some very effective tools to do it with. "Cracking dictionaries" can try not only every English dictionary word, but also well-known phrases, slang words, substitutions (e.g., "time2go") and a surprising number of other obscure things. In 2002, Penn Information Security was asked to find out why "zzyzzx" would not meet PennKey password criteria. On investigation, it turned out that it's a word from a popular video game of the late 1980s, and does in fact appear in a number of cracking dictionaries.

Penn recommends that, in choosing a strong password, you choose one that is at least 8 characters long, that it be a mixture of the following: UPPERCASE (A-Z), lowercase (a-z), digits (0-9), special characters (@#$%&*, etc.). It should not contain whole dictionary words, and should avoid names or phrases that people with personal knowledge of you might be able to guess.

For more details on PennKey password rules, please visit http://www.upenn.edu/computing/pennkey/password.html

One technique often recommended is to think of a phrase that has meaning only to you (it can even be nonsensical) and take the first letter of each word to "assemble" your password. For example, "Orange elephants invade Alaska; film at eleven" would yield 'OeiA;fae' as the password. For even better security, replace "at" with "@" and "eleven" with "11", for a password of 'OeiA;f@11'. (Note: "Orange elephants..." is a famous example - don't use this as your password). It's also a good idea to change your password periodically, and some system administrators will require this (and will enforce strong password selection as well). Above all, don't share your password with anyone, and don't write it down - the only secure place for your password is in your head.

It is slowly becoming more common for operating systems (Windows XP, for one) to permit use of "passphrases", which are essentially the same thing as passwords, but can be much longer and can include spaces and punctuation. Though they take a few more seconds to type in, passphrases tend to be exponentially more secure than passwords, especially if you mix upper/lower case, digits and special characters as recommended with passwords. Many people also find that passphrases are actually easier to remember than passwords.

Unfortunately, with more and more computing resources becoming available, we all have more and more different account names and passwords to remember. With the introduction of PennKey in October, 2002, this has become somewhat less of a problem at Penn as more and more campus computing resources provide user authentication via PennKey. It is tempting to try and use the same password for all your accounts, but as noted above, different systems have differing parameters with regard to password length, etc., so it will likely not be possible to have one, single password for everything. More to the point, it is recommended that you not use your PennKey password, or any other Penn passwords for outside computing resources. This helps prevent unauthorized access to your Penn data in the event your "non-Penn" password is cracked.

For most of us, however, it has become virtually impossible to remember all the passwords associated with all the various online accounts we have. To cope with this, a number of "Password Vault" applications have appeared over the last few years. These are essentially small databases that store account names/numbers, user names, passwords and other confidential information in encrypted form and protect them all with a "master password" for use in accessing the data. While this relieves the need to keep the information needed to access all your accounts i your head, it obviously does place a critical importance on remembering the "master password" - and making sure it's a strong one. These "vault" programs are available commercially at reasonable prices, and Macintosh OS X comes with one for free ("Keychain Access"), as do many Linux distributions.

2. Don't open it - you don't know where it's been...

Without a doubt, the Number One method by which viruses, trojans, worms and "backdoor" programs are propagated is via e-mail attachments, and this is particularly true with computers running Microsoft Windows. More often than not, if you receive an attachment that you weren't expecting, or is from someone you don't know (and don't know why they're sending it), chances are that the attachment carries some variety of "malware" just waiting for you to set it loose by opening the attachment, particularly if the attachment has a filename extension of .exe, .pdf, .pif, .scr or .vba (this is not a complete list, though). One of the favorite tricks of virus writers, et al, is to hide the virus in an attachment that, when run, produces a clever or entertaining animation on the screen that people like to forward on to all their friends without thinking.

So, in short: if you get an email attachment, unless you feel very confident about what it is, where it came from, and why it was sent to you - DON'T OPEN IT! At the very least, scan it with your anti-virus software to see if anything is lurking inside.

Speaking of which...

3. Get anti-virus software. Use it. Keep it up to date.

Penn makes this very easy to do for Windows and Macintosh users by providing site-licensed copies of Symantec Anti-Virus (SAV) for both operating systems to Penn users at no cost. To obtain a copy, visit the Computing Resource Center and pick up the PennConnect CD, or visit the Supported Products website at http://www.upenn.edu/computing/product/.Once installed, be sure to update the virus signature files (a very easy process) on a regular basis. Weekly, at the very least. Daily is even better, though daily changes aren't always made by the vendors.

Although it is true that unix and linux users (this includes Mac OS X, which is essentially a unix-type operating system) are substantially less likely to acquire a virus infection on their system, it is possible, and Mac- and linux-specific viruses have appeared in the last couple of years. There are anti-virus software applications available for these systems, and some of them are open-source, i.e., free.

4. If you can't trust the source you're downloading from, you can't trust the file.

The ability to transfer files back and forth - "uploading" and "downloading" - has been the backbone of the Internet since its inception in the early 1970s, and with the rise of peer-to-peer ("P2P") networks like KaZaa, LimeWire and BitTorrent over the last few years, "file-swapping" and downloading are as popular as ever. In most cases, such as purchasing and downloading application software from a well-known commercial website, there's a high level of confidence that you're dealing with reputable people, and the transaction is usually done using a secured connection. There are many cases, though, where you can't be entirely sure who or what is at the other end, and whether or not you can trust the files you're getting from them. As with e-mail attachments (see #2 above), it's a good idea to run downloaded files through your anti-virus software (see #3 above) before opening or installing them. Also, if you're running peer-to-peer sharing software, get in the habit of reviewing the sharing settings of not only the directory you use for file-swapping, but your entire directory structure to make sure that nothing has been changed without your knowledge. And, be on the lookout for the sudden appearance of files that you don't recognize and/or don't recall downloading. "Mystery" files may be a signal that someone has gained access to your system beyond what you intended.

5. Don't leave a computer you're logged into unattended or unprotected.

This is very important not only when using your personal computer in your office or dorm room, but also when you are using public lab computers that are used by many other people, often in rapid succession. If you forget to log off a lab computer after finishing your session, you give the next person at the keyboard an open door into your account which they can use to read your email, personal financial information and other sensitive data. They could even change your password and lock you out of your own account!

Even in your office or dorm room (especially if you're in an "open suite" or a "cubicle warren"), if you get up and leave your computer unattended for no more than a few moments you provide an opportunity for someone to physically compromise your system. It takes less than a minute to install a backdoor program that will allow them complete remote access and control, or "spyware" that shows them everything you look at on your screen and everything you type on your keyboard.

All the major operating systems provide the ability to "lock" and password-protect the screen and system so that an unauthorized person with physical access cannot tamper with your computer. It's easy to say, "I'll only be gone a minute," only to get roped into that card game going on down the hall, or an extended chat at the water cooler. It's a good habit to get into to either log out or lock the system every time you get up.

6. Data on paper is the same as data on the screen.

Sometimes it's necessary to print out copies of important or sensitive data. If you have sensitive printouts, don't leave them lying around where unauthorized, prying eyes can see them. The data is just as sensitive and confidential on a printed page as it is on a computer screen, and if you don't want it read on the monitor, you probably don't want it read anywhere else. Keep important printouts in a secure location, and when you don't need them anymore, don't just throw them in the waste basket - shred them. Personal shredders ("cross-cut" preferred over "strip") are inexpensive and very useful in not only disposing of confidential printouts, but also junk mail, credit card offers and other printed material that may contain information about you that could be useful to identity thieves.

7. Your operating system needs to live and breathe. Don't let it get stale.

"Hackers" are continually probing and testing for vulnerabilities in all the major computer operating systems (this goes for mainframes as well), and are generally pretty adept at finding them. When this happens, the company that markets and distributes the operating system rushes to develop a "patch" to fix the problem and makes it available at no charge to users of the operating system. The problem is, many users rarely if ever check for availability of patches and system upgrades, let alone apply them. This is why the Code Red (I & II) and Nimda worms were able to spread so rapidly during the summer of 2001. They targeted and compomised systems that were running unpatched versions of Microsoft's Internet Information Server (IIS), even though the patch had been available for more than a year.

Along with weak passwords and virus-spreading e-mail attachements, unpatched computer systems constitute one of the premier security threats on the Internet. A compomised system threatens not only your personal data, it can be "hijacked" for use in remote proxy attacks such as a Distributed Denial of Service (DDoS), thereby becoming a threat to someone else's computer. DON'T LET THIS HAPPEN TO YOU! All the major operating system vendors, including Microsoft, offer mechanisms that will allow you to regularly check for updates and apply them relatively easily if they are available. Keeping your system at "current patch level" is not an iron-clad guarantee that your system will never be hacked, but it's a heck of a good start

Likewise, there's often a security aspect to individual software applications (word processing, spreadsheet, database, etc.) as well. When updates appear (though they're not usually free in these cases), it's a good practice to see if there's a security update included.

8. Don't use it? Lose it.

All the major operating systems come packaged with all sorts of application and server software (the marketers call them "features"), and a major problem is that not only do they often turn these services on by default, they frequently give you very little explanation about what they do and little flexibility with regard to configuration settings. In general, the more services you have running on your computer, the more potential targets you have for hackers to exploit (see "IIS" in #7 above), not to mention slowing down your computer running things you don't need. These services include well-known, standard things like ftp, telnet, Samba, SQL, SMTP (e-mail server), Apache (web server) and others. If you really have use or need to run, for example, an ftp server, then go ahead and set it up, but make sure you fully understand the configuration, operation and potential vulnerabilities. Otherwise, if you don't need it, don't run it.

When considering what services should be running on your system, here are a few easy rules of thumb:

1. If you don't know what it is or what it does, don't turn it on. In most every case, if you find out later that you need it, you can go back and turn it on.
2. If it's on, and you don't need it, turn it off.
3. If it's off, and you don't need it, don't turn it on.

9. Watch out for those "Social Engineers".

No, we're not talking about extroverted locomotive drivers. "Social engineering" is a term that has come into use in the computer security field over the last few years to describe the activities of what are, essentially, con men (and women). Their game is to get someone to willingly give them privileged information by exploiting some combination of:

A) The innate, good-natured desire to be of help to a fellow human being.
B) The belief that everyone basically honest.
C) The person's current state of being extremely busy and distracted.
D) The belief that bad things happen only to other people.
E) Stupidity.
F) All of the above.

A social engineer is the kind of guy who will walk into a busy office in a manner that suggests he belongs there, announce he's been sent to fix the president's computer, impatiently demand to be shown where it is, then calmly say, "I need his user name and password - what are they?", secure in the knowledge that someone will at least try to get the information for him. Sometimes he'll call on the phone and say, "This is Joe from the Help Desk. There's a problem with your account I'm trying to fix, and I need your password to test it."

In short, social engineers use trickery, subterfuge, human nature and sheer audacity to collect nuggets of information they can put together in a way that tells them more about the "Big Picture", thus making it easier for them to make the "Big Score". To thwart them, it takes little more than paying attention to who is around, what they're doing, and being aware of whether or not it's appropriate for them to be there and doing that. In other words, common sense.

10. Scanning is a two-way street.

At any given time, the Internet is buzzing with people using scanning software to survey entire networks at a time, searching for vulnerable machines to direct attacks at. You may feel like "nothing I have on my computer is worth protecting, and they wouldn't bother with me anyway", but the truth is that any vulnerable machine is a target that can be put to use for all sorts of things when compomised (see "DDoS" in #7 above). And, when you come down to it, some hackers like to take over someone else's system for no other reason than to show that they can.

The flip side of this is that scanning can be used to alert a system owner about what vulnerabilties are present and what can - or should - be done to remove or lessen them. Many network scanning software applications can be downloaded for free and used to scan your own system without getting an OK from Penn Information Systems and Computing. However, running scans against other systems at Penn, or from Penn's network without permission is not allowed, and is considered a violation of the Acceptable Use Policy.

Penn Information Security can scan your PennNet-connected system for vulnerabilities, provided you contact us and make arrangements in advance. Contact us at security@isc.upenn.edu if you would like to arrange this.

Last updated: Thursday, July 30, 2015