http://www.jmu.edu/computing/runsafe/
see also: http://www.jmu.edu/computing/security/ R.U.N.S.A.F.E. Did you know that with one wrong mouse click you could make it possible for someone to read all your email, documents, or instant messages? That they could also view your grades, online bank accounts, or change your course schedule? That they could read or change anything on your computer? Or anything accessed from it? That they could turn on your computer's microphone to listen in on conversations? That they could use your computer for a computer crime for which you may be blamed? Did you know a newly installed Windows XP, 2000, NT, or Linux computer is likely vulnerable to the same type of compromise just by being attached to the network? Did you know several such incidents have occurred on computers at JMU...from Windows 95 and Macintosh desktops to Windows NT and Unix servers? That they've been used to attack other computers and divulge information? Did you know all our computers are scanned constantly from around the world by people hoping to take advantage of them? Did you know that your behavior impacts your neighbors' security and their behavior yours? The Internet, paired with today's software, provides us astonishing capabilities for sharing and communication. However, these same capabilities also provide access and computer power to more than 300 million people around the world...some of whom may not share our behavioral expectations. Examples, such as random acts of vandalism, can be found in any local newspaper. The threats associated with online folks' behavior are very different from similar threats in the physical world. Using the same freedom and functionality we treasure, they can communicate with our computers almost instantaneously, almost anonymously, and en masse from around the world. They don't even need to be a computer expert. It only takes one person to write a destructive program to enable many people without technical knowledge to cause problems, just as all of us use word processors and web browsers without knowing how they work or being able to write one ourselves. While the risks associated with these threats can be decreased by limiting communications, limiting computer functionality, and increasing the complexity involved with our computing environment, they can't be eliminated because security is never absolute. Moreover, the more we wish to maintain our current freedom in communications and computing, the more necessary it is that we individually take steps to take care of ourselves and reduce the need for outside controls and limitations. The only person ultimately in control of a computer is the operator in front of the keyboard. That person presently has the freedom to run any software he or she wants and communicate with anyone around the world. Each of us must do his or her part to help ensure the integrity of our network by operating our computers safely. Our computers can do almost anything we tell them to do. Unfortunately, this versatility makes them very complicated. A certain amount of awareness and skill is necessary to operate such a complicated device safely on a world wide network. The goal of the R.U.N.S.A.F.E. program is to help you attain the knowledge and skills necessary for safely operating an Internet connected computer. The information and associated steps listed on this page are key components to everyone's online security. Everyone should understand them and be able to take the actions described. R.U.N.S.A.F.E. workshops are offered once per semester that describe the incidents we've seen at JMU, the threats we're exposed to, and that teach the defensive concepts and procedures described here. Onsite workshops are also available to groups. (contact Gary Flynn to schedule one). Click here to download the RUNSAFE workshop PowerPoint presentation. If you don't have PowerPoint, you can get a free viewer from Microsoft here. A sixteen minute RUNSAFE awareness video is available. It can be downloaded here. The material is copyrighted by Jim Blackburn but may be used for educational purposes. The file is 161 MB in size. R.U.N.S.A.F.E. Goal for All Computer Operators on the JMU network: Understand the material on this page. Run anti-virus software and update it weekly. Preferably the campus supported Norton Anti-virus. Treat email attachments and other unknown programs with caution. Use the Windows Update Site on every new installation and monthly thereafter. Choose strong passwords for your own desktop and on servers which you may use and keep them confidential. Use care if you enable Microsoft File Sharing. Visit the Hot Topics! page at least monthly. For all server operators (Windows/Unix/Mac/Whatever) and all unix desktop operators: Set up new computers with the network cable disconnected. Turn off all services running on the newly installed computer. Connect to network and download and install patches. Turn on only needed services. Subscribe to vendor security bulletins and check the Hot Topics page weekly. REFUSE to Run Unknown Programs Our computers operate the way they do entirely because of the programs we run on them. When we run a program, we give control of our computer to the author of the program. In fact, a computer break-in is just someone running a program on our computer. A perpetrator may convince us to run their program which then takes control of our computer. Or they may force our computer to run their program by using software defects or unintentional access. The program may then tell our computer to email viruses to our friends. It may tell our computer to collect and reveal our passwords. It may tell our computer to disable its anti-virus and personal firewall protection. It may tell our computer to flood a web site with traffic in an attempt to disable it. Or it may tell our computer to break into someone else's computer to help hide the identity of the perpetrator. Since programs control the computer and everything the computer does or has access to, it is very important that we not run programs written by people we don't know or trust. Almost every other security precaution depends upon our having control of our computers. If we run unknown programs, we don't. A program can take many forms. It might be a Windows .exe file. It might be a Microsoft Word macro. It might be a script. We may find programs in many places. They may be offered to us in email attachments. They may be on web sites. They may be on shared folders. As we'll see later, they even may be forced on us over the network if we don't keep our computers up to date. For now, we'll concentrate on the programs over which we have a choice about running. In our point and click world, knowing what to click and what not to click can be confusing. We are conditioned to click on everything. Here are some rules of thumb that may be helpful: We should pause a moment to consider the nature of the site, file, or message and how much we want to trust our computer to it before clicking: when the file or icon is an email attachment or associated with an instant message when the file or icon is in a shared directory accessible to other people on the network. For example, a Kazaa or Windows File Sharing directory. when our browser asks us if we want to allow extra access. For example, to download or execute a file, plug-in, or ActiveX control. when our Word processor or spreadsheet asks us if we want to allow a macro to run. when we don't know for certain where the file came from or through whose hands it passed We're generally safe to click in the following situations as long as our computer software is kept up to date. When the file is on our own computer. Note that an icon may point to a file actually on a shared drive or web site particularly with Microsoft's Active Desktop enabled. When we're browsing the web and our browser doesn't prompt us for extra access. When we're reading email and there are no attachments. It all cases, risk is decreased if we save a file and open it with its related application rather than double-click it or choose "Open this file from its current location". By design or defect, a file displayed on our screen may not always appear as it should. It may look like a relatively harmless Word document (resume.doc), picture file (mydog.jpg) or sound file but may actually be a malicious executable program (spy.exe). By saving it to disk and opening it with the application that should go with it, we'll protect ourselves from this scenario. The couple of additional mouse clicks it takes to do this may save a lot of aggravation or worse. For example, if you are offered a file displayed as "resume.doc" in an email attachment or on a web site, don't double-click it or open it from its current location. Instead, save it to disk, open Word, and use Word's File->Open menu to open the file you saved. If the file doesn't open properly, or its name changes, its almost a sure sign something is badly wrong with the file. There have been many instances of malicious programs spread automatically or getting passed around purposely or innocently. When such a program is discovered, vendors of anti-virus software update their products to recognize the new program. Running the anti-virus product on our computers protects us from this recognized program if we fail in our efforts at refusing unknown programs. But like flu shots, anti-virus software won't protect us from new viruses. Fast moving, email based viruses can circle the globe in hours and infect a lot of computers before antivirus software can be updated. Nevertheless, installing and maintaining anti-virus software is a very important part of maintaining the security of our computers. JMU has purchased licenses for Norton anti-virus for faculty, staff, and students home and office computers. It is fully supported by the helpdesk. Why not install it now? Click here to learn how to install the campus provided Norton antivirus software. Click here for instructions on checking the campus provided Norton antivirus software for proper operation. When we receive email, we can rarely be sure who sent it. The FROM: information is as easily falsified as the return address on a paper envelope. Virus programs running on an infected computer can easily send out email in anyone's name. Accordingly, email attachments, which may contain malicious programs, should all be treated with caution. One click is all it takes to lose complete control of our computer and everything it accesses. Be particularly careful of unexpected or unusual email or attachments regardless of the source, content, or attachment name. Treat any email attachment whose name ends in ".exe", ".com", ".bat", ."scr", ".pif", ".shs", ".js", ".hta", ".vbs", or any ending you're not familiar with as you would hazardous waste material. Find out what it is from the sender before opening it! -->more information on refusing unknown programs... UPDATE Our Computers Regularly Computer programs frequently contain defects. Some of these defects can allow third parties to run programs of their choice on our computers without any action on our part. This allows the third party to take control of our computers, and all the resources and data they have access to, for their own purposes. Defects in client programs like browsers, email clients, and media players may allow unwanted programs to run if we click a link to a malicious web page or receive malicious email. These types of defects can cause us to lose control of our computer simply by browsing the web or starting our email client. Defects in server programs like web or file servers, can allow someone to force unwanted programs to be run on our server. They exploit the defect by making malicious web or file requests. The exploitation might be carried out by an individual or by an automated program like a worm. Running defective, vulnerable software on our networked computers is similar to leaving broken windows in our homes and offices for strangers to enter. Except with the Internet, people can enter these "windows" from anywhere in the world. Large scale scans from around the world are often seen within days of new vulnerabilities being announced. Machines with defective software or vulnerable configurations have been known to be compromised within hours of being attached to the network both here and elsewhere. Most software is out-of-date and full of vulnerable defects on the installation CDs and even sometimes when downloaded from vendor web sites. Scanners and automated worms may find a vulnerable server almost as soon as it is connected to the network. It is necessary to check for updates as soon as new software is installed and regularly thereafter. Microsoft Windows Systems Windows Desktop Operators: Use the Windows Update Service after every new installation. Re-use the Windows Update Service once a month to keep the computer up to date. If Microsoft Office is installed and you're not using JMU's Novell services for software management, visit the Office Update Site monthly. You'll need the original distribution media to install Office patches. People using JMU's Novell services can wait until Office patches are available through the JMUAPPS menu or use the Office Update Site as desired. Double-click the Norton Anti-Virus gold shield icon in the lower left of your screen. A Norton window will come up. Check the date of the Virus Definition File. If it is more than two weeks old, the Norton Anti-Virus program is not updating itself correctly. Click here for further instructions. Upgrade or replace software which Microsoft doesn't support with security patches. Of particular importance in this respect are: Microsoft Personal Web Server and Peer Web Services Internet Explorer versions 3 and 4 Office 97 and 98 for Windows Windows 95 Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH. Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you. Windows Server Operators: Servers need to have more timely patches as they run software that is accessible to anyone on the Internet. Patches should be installed as they become available. NEVER bring up a server until all patches and configuration changes have been completed. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install the software while the machine is disconnected from the network, make sure all servers are shut down, connect to the network and download the patches, disconnect from the network, and apply patches. Use Microsoft's HfNetChk Patch Analyzer tool to check Windows NT, 2000, and XP systems for needed patches. The QChain utility may be used to chain together multiple patches so they canbe installed without individual reboots. Subscribe to Microsoft's Security Bulletin Mailing List and apply patches as soon after they are announced and can be tested as possible. Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH. Review computer security Hot Topics and Serious Defects pages weekly for announcements of software defects or other issues that may affect you. If you install non-Microsoft software, subscribe to vendor security bulletins or check their web site regularly for updates. Linux and other Unix Systems These systems often have server programs running after even a desktop default installation. NEVER bring up a server until all patches and configuration changes have been completed. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install the software while the machine is disconnected from the network, make sure all services started in the inetd.conf file, /etc/rc* files, or your vendor's equivalent have been disabled, connect to the network and download the patches, disconnect from the network, and apply patches. Subscribe to vendor security bulletins and apply patches as soon after they are available as possible. Click here for a list of various vendor security sites and notification services. Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you. Server operators should check both the Hot Topics and Serious Defects pages weekly. MacIntosh OSX MacIntosh OSX is based on unix. Many unix related defects also affect MacIntosh OSX. Current security roll-up patches can be viewed and downloaded at http://www.info.apple.com/usen/security/security_updates.html Software updates can be requested using the Software Update pane in System Preferences. Email notification of security defects in MacOSX can be obtained by subscribing to the Apple notification service at http://lists.apple.com/mailman/listinfo/security-announce Other Systems Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you. Keep anti-virus software up to date. If available, check your vendor's security site monthly for critical security updates. -->more information on updating our computers... NULLIFY Unneeded Risks Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers. Be very careful with Microsoft File Sharing. It is commonly misconfigured. Don't share more than you need to. Assign a good password to all Windows NT, 2000, and XP accounts paying particular attention to the Administrator and other privileged accounts. Windows XP creates user accounts with administrative privileges and no password by default. Use the IIS Lockdown Tool on NT, 2000, and XP computers to disable unneeded access and oft-exploited functionality on IIS Web servers that may be running. Disable unused Linux services Nullify Risks of Anonymous, Public Storage. Web Service designers, providers, and administrators should familiarize themselves with Guidelines on Securing Public Web Servers (PDF-National Institute of Standards and Technology) Follow platform specific "best practices" guidelines when configuring a public server Disable music and peer sharing services when not needed Use the NT/2000/XP Administrator and unix root accounts only when needed for system maintenance. Use a normal user account for all other activities particularly browsing the web and reading email. Disable network access to the Windows Administrator account. The Checkup! security scanning service periodically scans JMU computers looking for those with vulnerabilities that others may exploit. If your computer is found to have a vulnerability, you may receive an automated email message alerting you to the problem. More information will be available shortly. -->more information on nullifying unneeded risk... SAFEGUARD Our Identity and Password Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged on computer), compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination: It can't be obvious. That is, it can't exist in an attack dictionary. Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you...your dog's name for example. Using a dictionary word for a password is like using a locker number for a combination. It can't be a short A combination lock with a two number combination wouldn't protect very well. Anything less than an eight character password is like having a such a combination. It simply won't hold up for long on the network. It can't be made up of just a few characters A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. On systems that support them, passwords should contain at least one of each of the following characters: Uppercase letters ( A-Z ) Lowercase letters ( a-z ) Numbers ( 0-9 ) Punctuation marks ( !@#$%^&*()_+=- ) etc. Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations. How, you may ask, am I ever going to remember such a complicated password? Pick a sentence that reminds you of the password. For example: if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl) only Bill Gates could afford this $70.00 textbook (oBGcat$7t) What time is my accounting class in Showker 240? (WtimaciS2?) If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 300,000,000 people on the Internet. Accounts that are not accessible from the network, or that can be disabled if too many unsuccessful attempts are detected, are not as susceptible to high-speed guessing attacks. However, some systems have network accessible accounts you may not know about. Passwords for Windows NT, 2000, and XP Professional Administrator accounts and accounts included in the Administrator, Backup Operator, and Server Operator groups must be as strong as possible as these accounts have full, remote access to the entire file system through hidden shares. You can disable network access to these accounts by following the procedures here. Never type your password into an untrusted computer or web site. -->more information on safeguarding passwords... ASSURE Sufficient Resources for Proper System Care Do you want your organization's web server to become known as the one that makes headlines when it is used to bring down a high profile Internet site? That is used to break into your neighbors computer? That harbors illegal or inappropriate files? That gives away any privileged information that is stored on it? That is unreliable? A publicly accessible network resource needs special care in its initial setup. Perhaps less well known due to vendor marketing efforts and perhaps our own wishful thinking, it needs ongoing monitoring and maintenance. If it is important enough to implement, it should be important enough to devote sufficient resources to it to take care of it properly. Without this care, the server may not remain in operation long, it may not preserve the confidentiality and integrity of resident data and accounts, or it may be used as a base of operations for criminal activity including attacks on other computers. Budget planning, hiring procedures, staffing levels, and job descriptions should reflect the need for ongoing monitoring and maintenance. Allow time for regular maintenance Elevate security and ongoing maintenance to the same level of consideration as cost, ease of use, functionality, and performance. Use the appropriate tool for the job. For example, do not use Microsoft's PWS for production web servers. -->more information on assuring system care... FACE Insecurity It is impossible to provide absolute security for our computers just as it is impossible to provide absolute security for ourselves or our possessions in the physical world. Insecurity is a fact of life. There are no technical panaceas. There are 200 million people connected to the Internet and we cannot control their actions. They have world-wide, almost instantaneous and anonymous access to our computers' network ports. There are practical compromises in the design of our computers and networks that may leave them vulnerable to certain activities. Accordingly, we must temper our actions with awareness and take some precautions. Regularly backup critical or hard to replace data Be careful about whom and what you trust. Don't believe everything you see on the web or in email messages. Do not ignore warning messages. In particular, those associated with: Web browsers warning about site certificate mismatches Web browsers warning about file downloads or potential security problems SSH clients like Putty, F-Secure, and SecureCRT warning about host key mismatches Repeated virus warnings -->more information on facing insecurity... EVERYBODY Needs to Do Their Part Your particular computer may not seem to be a desirable target of a compromise attempt but any computer is attractive as a stepping stone or attack vehicle. Simple Windows 95 and Macintosh desktops have been involved in security incidents. Even with switched networks, a compromised computer may be used to sniff network traffic from neighboring computers. Thus, your security is dependant upon your neighbors' security and their security on yours. In the days of standalone computers, reckless or unauthorized use of a computer affected just one computer. With a networked computer and its access to shared network resources and common communications lines, the same actions may affect many computers, accounts, services, or people. As long as we want to continue to have relatively open computing and communications choices, and preserve our privacy, services, and data, each one of us must do his or her part to help ensure the integrity of our network. Do your part - RUNSAFE Encourage and help your peers to do their part - RUNSAFE -->more information on doing our part... Feel free to use or derive from R.U.N.S.A.F.E. material as long as you give credit to JMU. A note to [EMAIL PROTECTED] describing your project would be greatly appreciated! IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk