Chapter 6. Securing Services Over Networks
At a Glance
E-mail and the Web are the primary applications on the Internet. This chapter describes them in detail, investigating how they work and how careless use can result in security breaches. Other security-sensitive network-related topics covered include wireless communications, file sharing, and instant messaging.
General Issues
You should apply security patches to your software regularly. Although security problems can hurt you in many ways, you are most vulnerable when connected to the Internet. If there is a security hole in your operating system or application, you can be sure that the attackers know about it and will design ways to use it to infiltrate your computer.
Rule 4: Keep your operating system and key application software up-to-date.
By up-to-date, we do not necessarily mean the latest version of the software. Most companies and developers will issue fixes to bugs (at least security-related bugs) for older versions as well. Note that for free software, it is common for the developer to provide fixes only for the most recent version; this means that to stay security bug-free, you must regularly upgrade to the latest version of the software.
E-mail
Evolution of e-mail
If you go back into network ancient history (10-30 years ago), e-mail was used for sending text messages. Most of the systems that deployed e-mail also had some way to transfer files. Typically though, the file transfer mechanisms were somewhat arcane and difficult to use. This did not matter much when the main users of networks were technology experts. However, as the use of e-mail spread to the greater public, the application had to become easier to understand and to use.
The problem was that traditional e-mail allowed only printable text, and most files such as word processing files or executable programs contain non-printable characters. The solution was to “encode” the non-printable information so that it was now printable. (Encoding is described in more detail in Addendum 1). This printable file was inserted into the e-mail message, preceded by a signal that what followed was an encoded file. When the e-mail message was received, this encoded file would be “decoded” back into the original form. Later, the concept of attachments was generalized to allow encoding more types of file. The new methodology was called MIME (Multipurpose Internet Mail Extensions). Once attachments became common, e-mail programs were changed to open these attachments automatically, so that the recipient could see what had been sent to them readily.
At about the same time, the World Wide Web was becoming popular and it used HTML to format web pages. HTML became one of the MIME encoding techniques, allowing e-mail to be formatted (changing fonts, colors, inserting images, pointing to web pages, etc.) as needed. E-mail programs executed HTML automatically.
Impact of enhanced e-mail
These enhancements made e-mail much more useful. Users could exchange all sorts of files easily. With skillful use of fonts, color, and images, mail could be more pleasing to the eye and relatively simple formatting could be employed without a word processing program. However, these enhancements had some negative aspects as well. As mentioned previously, in the days before these enhancements were available, you could not get infected with a virus/worm directly through e-mail. As long as you did not run a program that you received in an attachment without verifying that it was safe, you were OK.
Now, programs that you receive could execute automatically. HTML also executes automatically, which means that it can send you to web sites that take malicious actions, including directly downloading malicious software into your computer. In addition, specific HTML commands could give the attacker control of your machine, due to bugs discovered in the programs that ran that HTML.
E-mail is NOT Authenticated
In most cases, the From: address of e-mail that is sent over the Internet is not authenticated. This is a capability that has been heavily exploited by spammers. When you Reply to e-mail, it normally goes back to whoever is listed in the From line. Sometimes, but not always, if you look at the full headers (all of those almost incomprehensible “Received from” lines), it may be possible to roughly identify where the mail came from.
How to protect yourself
Anyone who knows your e-mail address, or is able to guess it,29 can send you an attachment. This attachment could be relevant and useful to you or it could be a virus, a worm, or a Trojan, any of which could do a great deal of damage. Most current e-mail programs will not open attachments without your explicit request (typically by clicking on the attachment), but if your program will open attachments automatically, turn the option off.
29 In the west, there is a children’s story about a magical dwarf who promises to give a large reward if someone can guess his name. The person tries guessing many names, and eventually does guess the correct one – “Rumplestiltskin”. To guess e-mail addresses, attackers repeatedly try many, many name variations in the hope that one of them will be correct. This is known as a Rumplestiltskin attack.
Rule 5: Configure your mail program not to open attachments automatically.
Rule 6: Before opening any attachment, look at the name to verify that it is not an executable program.
Virus writers are cunning. One often finds an attachment with a name like budget.xls.vbs. To the casual observer who does not know what vbs is, this looks like a Microsoft Excel spreadsheet named budget. In fact it is an executable Visual Basic program named budget.xls. The xls is just part of the name and unrelated to the Excel extension. The program could do anything it wished, including erase your hard disk.
Rule 7: Never open an attachment from someone you do not know unless you are very sure that it is a type of file that cannot contain malicious code.
Remember that programs such as Microsoft Word (word processing) and Microsoft Excel (data spreadsheets) and all of their equivalents contain macro capabilities that can include a virus. Even PDF files can contain malicious programs, although these programs are dangerous only when viewed with the Adobe Acrobat program and not with the Adobe Reader, which most people use. You should check your user manual or help screens to see what capabilities may be turned off, especially if they are rarely used.
Rule 8: Do not open an attachment from someone you do know and trust unless you are sure that they sent it deliberately.
It is possible for a colleague’s machine to have a virus that causes this machine to send infected files to all of the people in his or her address book.
Rule 9: Consider configuring your e-mail program to not process “fancy” HTML and not to send it to other computers.
This means that you will miss some images and other decorative things, but it also means that you will be in better control of your e-mail activities. Note that in some e-mail programs, you don’t even have to open a message to execute the HTML code; having it in the preview pane is sufficient. Even though e-mail may contain HTML, many browsers and e-mail programs allow you to disable cookies, JavaScript, and plug-ins for pages that are received as part of e-mail messages.
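The following is an added example (not code from the Handbook) of the checks Rules 5 through 9 ask a mail client to make before showing a message: it parses a MIME message with Python’s standard email library, classifies each attachment by the extension the operating system will actually act on (so budget.xls.vbs is reported as an executable whose name hides a document extension), notes whether an HTML body is present, and extracts the plain-text alternative that can be displayed instead of rendering the HTML. The sample message, the extension lists and the example addresses are all constructed for this illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions that Windows and common mail clients treat as runnable when the
# attachment is opened. Constructed list for this example; it is not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".cpl", ".lnk", ".reg",
}
# Office document types whose macro capability can carry a virus (Rule 7).
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".xlsm"}


def classify_attachment_name(filename):
    """Classify an attachment by the extension the operating system will act on.

    Returns (kind, disguised): kind is 'executable', 'macro-capable' or 'other';
    disguised is True for the double-extension trick (budget.xls.vbs), where a
    document extension is buried inside the name of an executable.
    """
    # Strip any path component and trailing whitespace that could push the real
    # extension out of view in a narrow attachment pane.
    name = os.path.basename(filename.replace("\\", "/")).strip()
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        disguised = bool(inner_ext) and inner_ext not in EXECUTABLE_EXTENSIONS
        return "executable", disguised
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable", False
    return "other", False


def inspect_message(raw_bytes):
    """Walk a MIME message and report what a cautious mail client should know
    before showing it: each attachment's name and classification, whether an
    HTML body is present, and the plain-text part (if any) that can be shown
    instead of rendering the HTML."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"attachments": [], "has_html": False, "plain_text": None}
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            kind, disguised = classify_attachment_name(filename)
            report["attachments"].append(
                {"name": filename, "content_type": ctype, "kind": kind, "disguised": disguised}
            )
        elif ctype == "text/html":
            report["has_html"] = True
        elif ctype == "text/plain" and report["plain_text"] is None:
            report["plain_text"] = part.get_content()
    return report


def build_sample_message():
    """Constructed sample message for this example (not a real captured mail)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Budget"
    msg.set_content("Please see the attached budget.")
    msg.add_alternative(
        '<html><body><p>Please see the attached budget.</p>'
        '<img src="http://tracker.example/pixel.gif" width="1" height="1"></body></html>',
        subtype="html",
    )
    msg.add_attachment(b'MsgBox "hello"', maintype="application",
                       subtype="octet-stream", filename="budget.xls.vbs")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = inspect_message(build_sample_message())
    for att in result["attachments"]:
        flag = " (document extension hidden in the name)" if att["disguised"] else ""
        print(f"{att['name']}: {att['kind']}{flag}")
    print("HTML body present:", result["has_html"])
    print("Plain-text body:", result["plain_text"].strip())
```

A client built on this report would show the plain-text body, leave the HTML unrendered (so the invisible image in the sample is never fetched from the preview pane), and require an explicit click, after displaying the full file name, before anything classified as executable or macro-capable is opened.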
Rule 10: Check with your ISP to see if they are checking e-mails for viruses and similar threats before delivering e-mail.
Due to recent increases in virus/worm activity, more and more ISPs are doing this. Note that this does not alter any of these rules, as you cannot presume that your ISP’s filtering will be 100% effective, but your ISP’s preventive actions will help in your security efforts. If your ISP is not aware of security issues, you may be able to work with them to deliver better service to you and their other customers. Feel free to share this Handbook with them!
SPAM
Spam is the name we use for unwanted e-mail, and in particular, unsolicited commercial e-mail sent out in massive numbers with no specific reason to believe that the recipient will be interested in the product. In recent years, the amount of spam has grown dramatically. In 2003, it is estimated that over 50% of all e-mail transported over the Internet is spam! Many people currently receive over ten spam e-mails for every valid one.
It would be nice if all spam would contain something like “**SPAM**” in subject line, so that we could delete it easily. In fact, laws being passed in some jurisdictions mandate that any unsolicited commercial e-mail sent from within their territory contain just such a warning. However, this type of legislation is not practical at the present time, for reasons of volume, extraterritorial spam, and enforceability. One must have a reasonable way of recognizing and eliminating spam without reading each message or notifying a potentially overburdened complaint system.
Understanding Spam
To understand the problems associated with spam, one must look at three issues: a) how do the spammers get your address, b) how should spam be defined (in detail), and c) why do the spammers send these messages at all?
a) If you engage in any of the following activities, there is a good chance that a spammer will obtain your address:
• Send mail or subscribe to a semi-public mailing list
• Reply to a spam message saying that you should be removed from their mailing list
• Post messages to a Newsgroup
• Register for something on the web, giving your e-mail address (when you are not absolutely sure it is a reputable organization)
• Use a computer that has an Ident daemon running (on many Unix systems, an Ident daemon will tell anyone who asks what your username is).
• Let your web-browser know your address
• Use IRC, instant messaging, or chat
• Play games over the Internet
• Use an e-mail address that is a common given name, or an initial plus a common surname
• Put your e-mail address on a web page, or, in fact, allow your e-mail address to appear in print anywhere
• Register a domain name or be listed as the technical contact for a web site
• Use a “guessable” e-mail address
• Have your e-mail address on any system that has been maliciously penetrated previously
If any of these apply to you (and you will not necessarily have control or even knowledge about previously penetrated systems), there is a good chance that your address was harvested and sold to spammers. If you use the Internet to any extent, you are likely to be on some spammer’s list of recipients.
b) Some commercial spam is obvious and by nature of its volume and irrelevance, virtually everyone will agree that it is spam. For other mailings, the distinctions are less clear. In some cases, it depends on the recipient whether a particular e-mail is considered spam, rather than on the actual mailing. Several examples will help illustrate the point.
• Is an e-mail considered spam if it contains information on how to change the size of certain sexual body parts? Answer: Yes. Unless you are a plastic surgeon or a urologist and the e-mail was an academic paper, not a commercial advertisement.
• A Call-for-Papers requesting people to submit papers for an academic conference on some obscure topic is sent to many mailing lists. Is this spam? Answer: Perhaps. Unless by some coincidence the subject was of interest to you and you will submit a paper.
• A company that sold you a product sends you information about a follow-on product at your request, along with a million e-mails to other customers who asked to be notified. Is this spam? Answer: No, but any spam filtering programs at your ISP may have a hard time understanding this, as it looks like spam.
• An e-mail contains content that is spam by any definition. Is it spam? Answer: Yes, when it was originally sent. But if it was then forwarded to this author by a trusted colleague as an interesting example to include in this book, it is not spam and should not be filtered.
c) Why do spammers send spam? The simple answer is because it works. If you look at spam, you quickly see a pattern.
Most spam is about:
• Making or saving money
• Improving your love-life or sex life
• Improving your health
These topics have one very important thing in common. Most of us care about these issues to some extent and many of us are deeply concerned about them. So even though a very small percentage of recipients respond to spam messages related to these topics (estimated at about 1 purchase for every 100,000 e-mails sent), spammers who send out many millions of messages per day might make a lot of money.
What can you do about spam?
There are many ways that one can attempt to control and limit spam. Some governments are enacting legislation prohibiting spam mailings from within their jurisdiction. Most ISPs say that using their facilities to send spam is a violation of their usage agreement. Rules such as these can be effective, but to date, most spam-related rules have proven difficult and costly to enforce.
Some large (e.g. corporate) users of e-mail refuse to accept mail from ISPs that are known to allow spammers to operate. This can be effective, because it may force the ISP to clamp down on spamming activities. More often, however, this method simply hurts the ISP’s innocent customers, who can no longer send e-mail to some locations. There are a number of programs that try to recognize spam and either delete it or warn the recipient that the mail looks like spam. These programs can be run at an ISP’s site or in your own mail client. They look at the content of the e-mail and/or its point of origin. These criteria are difficult to evaluate, and such programs often generate false negatives or false positives.
False negatives
A false negative is produced when the scanning program decides that an e-mail is not spam, but it really is. This means that it lets some spam through and thus is not 100% effective.
False positives
A false positive means that the scanning program decides that some innocent mail is spam. This can be very dangerous, particularly if the mail is discarded instead of being delivered. False positives may mean that good mail is lost and unrecoverable through electronic means.
The target in spam scanning programs is to minimize false negatives and to have no false positives. Unfortunately, reducing false negatives usually increases false positives. People who, for whatever reason, need to receive mail that looks like spam can be hurt, in particular. A recent case involved an academic electronic newsletter that discussed spam. Since the newsletter included examples of spam, it was viewed as spam by some spam scanners, and was deleted by several ISPs.
In addition to spam scanners, there are spam-filtering techniques that involve the sender in the process. One such technique is challenge-response. When mail is received from an unknown sender, it is intercepted before the recipient can see it, and a challenge is sent to the sender requesting confirmation that the mail was sent by an individual and not a program. The form of the confirmation is such that a human must reply; it cannot be handled automatically, at least not in a manner that is effective for the would-be spammer. If no confirmation is received after a few days, the mail is discarded. There are provisions for accepting mail from known mailing lists and other desired automatic mailings. The problem with this technique is that it requires manual intervention by the sender. If you send mail and are then unable to respond quickly to the confirmation request, your mail will not be delivered. If two people both use this type of service, it is possible that they would never get any mail from each other: the first receiver will not see the mail unless it is confirmed, and the request for confirmation will not be passed on because its sender is also unknown.
Some spam filters put suspected spam into a low-priority folder rather than deleting the messages. You can then periodically review the spam folder to make sure that it doesn’t contain any false positives.
A promising new anti-spam technique is Bayesian Filtering. In this method, the filter’s rules improve by learning what you consider spam; these rules can be changed by each recipient. These rules tend to learn who your trusted colleagues are and, at your request, will allow content that would normally be spam, but is of interest to you for some reason. Bayesian filters also employ linguistic techniques to allow mail containing certain words that rarely appear in spam, but do appear in your real e-mail, based on prior experience with your e-mail habits. Bayesian filters are being made available for many e-mail programs.
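As an added worked example (not code from the Handbook or from any particular filtering product), the Python block below implements the Bayesian filtering just described: a naive Bayes classifier trained on a recipient’s own mail, a trusted-sender list that lets wanted mail through even when its content looks like spam, routing of suspected spam to a folder rather than deletion, and an evaluation function that counts the false positives and false negatives discussed above. The training corpus, test messages and addresses are all constructed for the illustration; the last test message plays the role of the newsletter that quotes spam and is therefore filed as spam unless its sender is trusted.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word set; presence rather than count keeps the model simple."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes classifier trained on the recipient's own mail, plus an
    allow-list of trusted senders whose mail is never filtered."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.trusted_senders = set()

    def train(self, text, is_spam):
        words = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(words)
        else:
            self.ham_docs += 1
            self.ham_words.update(words)

    def spam_probability(self, text):
        """P(spam | words) from Bayes' rule with Laplace smoothing, computed in
        log space so that products of many small probabilities do not underflow."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for word in tokenize(text):
            if word not in self.spam_words and word not in self.ham_words:
                continue  # never seen in training: carries no evidence either way
            log_spam += math.log((self.spam_words[word] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_words[word] + 1) / (self.ham_docs + 2))
        top = max(log_spam, log_ham)  # log-sum-exp normalisation
        p_spam = math.exp(log_spam - top)
        p_ham = math.exp(log_ham - top)
        return p_spam / (p_spam + p_ham)

    def route(self, sender, text, threshold=0.9):
        """Deliver to 'inbox' or 'spam-folder'. Suspected spam is filed, not
        deleted, so that a false positive can still be recovered by the user."""
        if sender in self.trusted_senders:
            return "inbox"
        return "spam-folder" if self.spam_probability(text) >= threshold else "inbox"


def evaluate(filt, labelled, threshold=0.9):
    """Count false positives (real mail filed as spam) and false negatives
    (spam that reached the inbox) over (sender, text, is_spam) triples."""
    fp = fn = 0
    for sender, text, is_spam in labelled:
        filed_as_spam = filt.route(sender, text, threshold) == "spam-folder"
        if filed_as_spam and not is_spam:
            fp += 1
        elif not filed_as_spam and is_spam:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}


# Constructed training corpus standing in for a recipient's own mail history.
TRAINING = [
    ("make money fast from home, click now", True),
    ("lose weight now with our miracle pills, order today", True),
    ("cheap meds online, order now and save money", True),
    ("you have won a free prize, click here now", True),
    ("meeting tomorrow at 10 about the project budget", False),
    ("can you review the draft paper before the conference deadline", False),
    ("lunch on friday? the project review went well", False),
    ("please send the budget spreadsheet for the meeting", False),
]

# Constructed test set; the last item is the newsletter case from the text:
# legitimate mail that quotes spam and therefore looks like spam.
TEST = [
    ("unknown@example.net", "order cheap pills now and save money", True),
    ("editor@example.org", "the conference paper draft is attached", False),
    ("newsletter@example.edu", "this week's spam example: make money fast, click now", False),
]


def build_filter():
    filt = BayesFilter()
    for text, is_spam in TRAINING:
        filt.train(text, is_spam)
    return filt


if __name__ == "__main__":
    filt = build_filter()
    for sender, text, _ in TEST:
        print(f"{filt.spam_probability(text):.3f}  {filt.route(sender, text):12s} {text}")
    print("without allow-list:", evaluate(filt, TEST))
    filt.trusted_senders.add("newsletter@example.edu")
    print("with allow-list:   ", evaluate(filt, TEST))
```

The threshold is the lever the text describes: lowering it catches more spam (fewer false negatives) at the cost of more legitimate mail being filed away (more false positives), which is why the suspect mail goes to a folder the user can review instead of being deleted.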
If spam is a problem for you, you should see if your ISP offers any spam identification or filtering capabilities. You should also look into software programs that can filter out spam as it arrives at your computer.30
30 See Annexes 2-4 for web sites and other resources on anti-spam software and techniques to avoid spam.
Using the World Wide Web
As this is written in 2003, the web has been available in varying degrees for about ten years. For those who use it regularly for work, school, and recreation, it has become indispensable. Since the web has become such a common and useful tool, there is a tendency to forget that it can also be a hostile place.
Safe Browsing
In general, the web is relatively safe, but there are potential dangers. Web sites usually house content, including static text and images, but they can also house dynamic programs that are intended to run on your computer.
Rule 11: Do not allow web sites to download and execute potentially malicious programs on your computer unless you know that the site is trustworthy.
Dynamically downloading programs can be very useful. This capability allows you to use online services, including those needed to check your computer for viruses and security problems. It also enables software to be installed and updated easily, without requiring the user to select technically appropriate modules or perform complicated multi-step procedures.
Unfortunately, dynamically downloaded programs can also be malicious. All browsers allow you to control whether you can download and run JavaScript, Java, ActiveX and other programming tools on your machine. If you want to be completely safe, then you will not allow these tools to run. Of course, by disabling these features, you will find that many web sites cannot function without them.
Instead of blocking your access to so many sites, you may wish to follow a reasonable intermediate path:
• Enable the relatively safe and very commonly used capabilities such as JavaScript. This will allow the vast majority of web sites to function properly.
• Either disable the less common and much less safe capabilities such as Java and ActiveX, or set the browser to ask your permission prior to using the capability. Disabling these capabilities means that the functions will not work; some sites may warn you about this, others will simply not work properly or will hang. If you request prompting, however, the browser should detect the requirements of the site and will ask for your permission to download and run a program needed to view that site’s content.
Rule 12: Display the web site address you are visiting and the address you are linking to, and pay attention to them while visiting an unfamiliar web site, especially if you are allowing the site to execute programs on your computer.
Web browsers can be configured to show what web site is being visited (often called the Navigation or Address Toolbar). When your cursor is pointing to a link, they will also display where that link will take you (Status Bar). Watching these will tell you when you are being transferred to another site, perhaps one you do not want to visit, or perhaps one that is not trustworthy. On a practical level, you are probably not going to look at the Navigation Bar and the Status Bar every time you click, but when you are at an unfamiliar site, particularly if you have enabled Java or ActiveX, you can use these tools to notice when you are being redirected to a new site without your permission.
Cookies
A cookie is information written to your hard disk by your browser at the request of a remote web site. When you visit the site later, the cookies owned by that site are sent back. Cookies are typically sent back to the originating web site only, although there have been browser bugs that allowed other sites to see them as well. A cookie reminds the web site who you are, what your preferences are, and what you have done before on this site. For instance, when you log onto a site with your username and password, the site can store this information in a cookie on your computer. When you return a week later, it can automatically log you onto the site based on the information in the cookie. Cookies may also allow a web site to track what you are doing in a single session.
Although a cookie normally can only be retrieved by the originating web site, it is important to understand that the web site that you are visiting may contain images and other objects from a second web site (called a foreign or third-party site). That foreign web site can also store and retrieve cookies. Since images can be transparent, you may not even know that this is happening. Such invisible images may be used for advertising purposes,31 tracking what web sites you visit.
31 Consider what happens if web sites A, B, C and D all include an invisible image from web site Z. When the invisible image from Z is displayed, Z is told which site pointed to them (A, B, C or D), and Z retrieves and restores a cookie remembering what web sites you have been to. Z now has a good idea of what types of things interest you, and can arrange for targeted advertising to be sent to you.
Rule 13: Consider controlling under what situation you allow cookies to be stored on your computer. If you cannot control them (such as when using a computer in a public location), consider not entering private information.
All web browsers give you a certain degree of control over whether cookies are allowed or not. In some cases, the browser may differentiate between cookies that stay on your computer, cookies that disappear when you close your browser, and those that are stored by the web site you are visiting and foreign web sites. Typically, you can allow all cookies, disallow them, or have the browser ask for your permission before storing a cookie. You are never informed when a cookie is sent back to a web site.
Cookies can be viewed, since they are in text format, but typically the information has been encoded or encrypted by the web site so it is not intelligible. Some browsers allow you to display and delete cookies, and there are third-party programs that allow you to manage cookies.
If you wish to control what web sites know about you, you should control how and when cookies are being stored on your computer. Note that some sites require that cookies be stored to allow the site to function at all. Generally these sites will tell you if they find cookies disabled.
If you use web browsers from public locations (Internet cafés, libraries, schools), note that cookies containing information about you are still being stored on that computer. In many cases, the computer owner may not allow you to control, view, or erase these cookies. So information about you may be left on these computers and used when someone else visits the same site. If you logged onto a site and your authentication information is remembered in a cookie, another user going to that site may automatically be logged on as you! That web site may then give that user stored information about you (such as your name, address, credit card information, etc.).
Even with a private computer used by several people, this can be an issue. In these cases, cookies are not only a privacy issue, but also a security issue.
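The tracking arrangement in footnote 31 (sites A, B, C and D all embedding an invisible image from site Z) is easy to misjudge without seeing the cookie traffic, so here is an added simulation of it in Python. It is not code from the Handbook or from any browser; it models a browser cookie jar that returns each cookie only to the host that set it, an ad server Z that keys a profile on its cookie and records the referring page on every hit, and the effect of the browser setting that blocks third-party cookies (Rule 13). The host names and cookie formats are constructed for the illustration.

```python
import itertools
from urllib.parse import urlparse


class ContentServer:
    """A first-party site (A, B, C or D): hands out a session cookie of its own."""

    def __init__(self):
        self._ids = itertools.count(1)

    def handle(self, cookie, referer):
        return cookie or f"session{next(self._ids)}"


class AdServer:
    """Site Z: serves the invisible image and keeps a profile per cookie value,
    recording the Referer (the page that embedded the image) on every hit."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # cookie value -> list of referring pages

    def handle(self, cookie, referer):
        uid = cookie if cookie in self.profiles else f"uid{next(self._ids)}"
        self.profiles.setdefault(uid, []).append(referer)
        return uid  # equivalent of a Set-Cookie: uid=... response header


class Browser:
    """Toy cookie jar: a cookie is stored under the host that set it and is sent
    back only to that host. With block_third_party set, cookies for any host
    other than the page's own host are neither sent nor stored."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}

    def _request(self, host, page_host, referer, servers):
        third_party = host != page_host
        blocked = third_party and self.block_third_party
        sent = None if blocked else self.jar.get(host)
        new_cookie = servers[host].handle(sent, referer)
        if new_cookie is not None and not blocked:
            self.jar[host] = new_cookie

    def visit(self, page_url, embedded_urls, servers):
        page_host = urlparse(page_url).hostname
        self._request(page_host, page_host, page_url, servers)
        for url in embedded_urls:  # images fetched while rendering the page
            self._request(urlparse(url).hostname, page_host, page_url, servers)


SITES = ["a.example", "b.example", "c.example", "d.example"]  # constructed hosts
TRACKER = "z.example"


def simulate(block_third_party):
    """Visit A..D once each, every page embedding Z's invisible image, and
    return the profiles Z was able to build."""
    tracker = AdServer()
    servers = {host: ContentServer() for host in SITES}
    servers[TRACKER] = tracker
    browser = Browser(block_third_party)
    for host in SITES:
        browser.visit(f"http://{host}/index.html", [f"http://{TRACKER}/pixel.gif"], servers)
    return tracker.profiles


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, Z ends up with a single profile listing all four sites; with them blocked, Z sees four unrelated hits and cannot link them to one visitor, which is the privacy gain the rule is after.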
Web Browser Caches
When a browser retrieves a page or an image from a web site, the browser displays the site and usually stores a copy of that page on your hard disk. This set of stored pages and images is called a cache. If you visit that site later and the page has not changed, the browser may not download the full page from scratch, but instead will use the one in the cache. In some cases, web pages that are in a cache can also be viewed offline, when you are no longer connected to the Internet. This means that anything that you display with a browser may be stored on the computer’s hard disk as well. So if you use the web for financial transactions, information about your purchases, credit cards, and bank accounts may be stored on that computer in fully readable text. Depending on how much browsing is done on the machine and the size of the cache that is configured, these pages and images can stay on the computer for a very long time.
Rule 14: If there is any sort of private information displayed on a web page, clear the cache after the session is over. If you cannot clear the cache (such as when using a computer in a public location), you may decide not to use this particular computer for the task.
All browsers allow you to clear the cache (called Temporary Internet Files by Internet Explorer), but some public machines, such as those at Internet cafés, do not allow you to access the control windows that clear the cache. Although clearing the cache after entering sensitive information is very important, no browser so far has put an icon on its main toolbar to allow this to be done with one click.32
32 For Internet Explorer on Windows, Select Internet Options on the Tools pull-down menu. On the General tab, under Temporary Internet Files, hit the Delete Files button.
For Internet Explorer on a Macintosh, Select Preferences on the Explorer or Edit menu, go to Web Browser and then Advanced, and in the box marked Cache, hit the Empty Now button.
For Netscape/Mozilla, Select Preferences on the Edit pull-down menu. Expand the Advanced entry and select Cache. Hit Clear Disk Cache. For Safari on a Macintosh, Select Empty Cache from the Safari menu, and hit Empty to confirm.
Secure Transmission
Normally when you are using the web, all the messages that you send and receive are in clear text. That is, if someone were to intercept them and print them, they would be readable and understandable. There are times when this is undesirable. Interception is of particular concern if any part of your Internet connection goes over wireless services or if the ISP at either end of the connection is untrustworthy.
To address this, browsers and web servers support encryption. Encryption changes the messages so that they are difficult or impossible for unauthorized people to read (see Addendum 1 for details). The encryption capability is called SSL, for Secure Sockets Layer. You can tell if SSL is being used for messages sent to you because most browsers show a picture of a small padlock on the screen that is open for normal transmissions and closed (locked) for SSL transmissions. Also, the URL will start with “https” instead of “http”. You should always use the strongest encryption possible – 128-bit is best if it is available in your country.
Note that this padlock does not tell you that your message going back to the server is using SSL, but it is normally assumed that if the screen you received is encrypted, the web site will ensure that your return message is also encrypted.
SSL can only work if your browser knows who it is talking to. This is accomplished by means of “security certificates” and “digital signatures”. In general, if a web server wants to be trusted, it must obtain a security certificate from some recognized authority. If the authority is doing its job properly, it verifies that whoever is requesting the certificate really is who they say they are. The authority then signs the certificate digitally, and your browser has built-in tables to recognize these authorities.
Occasionally, you will get a message that a web site has sent you a certificate that:
• has expired, or
• is someone else’s certificate
In the former case, the certificate has usually expired only recently and the site needs to get its paperwork in order. In the latter case, the site has usually been renamed recently and the certificate does not yet reflect this. In both cases, however, you may want to play it safe and terminate the connection until the problem is rectified.
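To make the two warnings concrete, here is an added example (not code from the Handbook, and not the browser’s own implementation) that performs the same checks in Python on a certificate summary in the dictionary shape returned by the standard library’s ssl.SSLSocket.getpeercert(): it compares the validity dates against the current time and matches the host you typed against the names in the certificate, honouring a wildcard only as the whole leftmost label. The certificate summary, host names and dates are constructed for the illustration.

```python
import ssl


def hostname_matches(pattern, hostname):
    """Match a certificate name against the host the user typed. A wildcard is
    honoured only as the whole leftmost label and matches exactly one label, so
    *.example.com covers www.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def certificate_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, falling
    back to the subject commonName only when no subjectAltName is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def check_certificate(cert, hostname, now):
    """Reproduce the two browser warnings described above. `cert` is a dict in
    the shape returned by ssl.SSLSocket.getpeercert(); `now` is Unix time.
    Returns the list of problems found (an empty list means the checks passed)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(hostname_matches(name, hostname) for name in certificate_names(cert)):
        problems.append("name mismatch")
    return problems


def at(cert_time):
    """Unix time for a timestamp in certificate notation, e.g. 'Jun 15 12:00:00 2003 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


# Constructed certificate summary in the getpeercert() dict shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2003 GMT",
}

if __name__ == "__main__":
    cases = [
        ("www.example.com", "Jun 15 12:00:00 2003 GMT"),   # everything in order
        ("shop.example.com", "Jun 15 12:00:00 2003 GMT"),  # site renamed, certificate not updated
        ("www.example.com", "Jan 15 12:00:00 2004 GMT"),   # certificate lapsed
    ]
    for host, when in cases:
        print(host, when, "->", check_certificate(SAMPLE_CERT, host, at(when)) or "OK")
```

A real client does not hand-roll this: ssl.create_default_context() in the Python standard library enables date and hostname verification by default, and the block above only shows which facts that verification rests on. The signature check against the browser’s built-in authority list, mentioned in the text, is a separate step that this example does not reproduce.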
Is secure transmission sufficient?
The little locked padlock is designed to tell you that the web transmission is secure, and it accurately reflects that. However, transmission is not the only issue to consider. Only a very small percentage of cases of fraud or identity theft occur due to insecure transmissions. The vast majority of cases are due to:
• unscrupulous web sites,
• web sites that have been compromised, or
• a computer at your end that has been compromised.
The one major exception to this is for wireless transmissions, which will be covered next.
Privacy Policies
Many web sites publish a Privacy Policy. A privacy policy should describe what kind of information the site collects, what they will and will not do with that data, and how they protect the data. All web sites that collect personal or financial data should have a suitable privacy policy.
Wireless Transmission
Wireless technology of various sorts is increasingly being used in developed countries and in developing countries. It is often less expensive than wired technologies, easier and faster to install, particularly in less populated areas, and subject, at least at the moment, to less regulatory oversight. However, wireless technologies have two potential problems:
• It may be possible to intercept transmissions, and
• Transmission quality may vary with location, weather, time of day, nearby radio equipment, transmission speed, quality of the installation, and malicious interference.
There is little that can be done about the second group of problems. They are characteristic of wireless technology and may be seen as the price that is paid for connectivity without wires. Interception can be addressed through various levels of encryption (see Addendum 1 for details on encryption techniques). If the server you are communicating with supports encryption, it should be used (secure SSL web sites, for example). If you use POP e-mail, you should select the “APOP” option, which protects your password instead of sending it in clear text. This will give you end-to-end security regardless of the transmission medium. If the server does not offer encryption, you should be aware of the technology’s limitations and adjust how you use the connection, if necessary.
802.11 “Wi-Fi”
802.11 is a set of developing IEEE standards for wireless local area networks (WLAN).33 802.11 (often called “Wi-Fi” – short for Wireless Fidelity) is becoming popular as an alternative to wired Ethernet for connecting computers and laptops. On the positive side, it is inexpensive and relatively fast. Unfortunately, there are several vulnerabilities in most implementations:
• Typical base stations are shipped with no security enabled.
• Unless you want to share your network connection with someone in the neighborhood, you should change the network name (SSID) from the default one and configure the base station not to broadcast it. If you do this, only those people who already know the SSID will be allowed on.
• The encryption mechanism (WEP) is weak and can easily be broken. Nevertheless, in the absence of a better mechanism, you should enable it. Remember that it is vulnerable to attack if anyone really wants to look at your transmissions, including passwords.
• A newer encryption mechanism, WPA, resolves the problems in WEP and is available in newer equipment. It is strongly recommended for all Wi-Fi installations.
Mobile Telephones
Mobile telephones (often called cellular or hand-phones) are widely used for voice transmissions. At times, they are also used for data. Many mobile telephone technologies allow eavesdropping and are not secure.
Long-haul Lines
Long links, particularly to remote areas, are often built using wireless technologies. Typically the link will serve many users simultaneously. If the transmission method is highly directional (using dish or Yagi antennas), it is relatively difficult to intercept transmissions without specialized equipment. These links may be encrypted with the addition of hardware encryption devices if necessary.
Local Loop Wireless Telephones
Wireless local loops to homes and businesses are used in many countries, as they allow telephones to be installed without the cost and trouble of building wired infrastructure, and because wireless equipment is not as easy to steal and resell as copper wire. As with a wired telephone, when a modem is connected to these lines, it becomes a data link. The wireless technology used may be interceptable. Depending on your location, your country's regulations, and local practices, you may want to check with your service provider to see if the link is encrypted, and thus protected, at least to a certain extent.
Other Internet Issues
File Sharing
File sharing is one of the most useful networking tools if you have more than one computer. In the simplest situation, it lets you access, change, create, or delete files on one system while working on another system. The two systems could be in the same room or they could be half a world apart. Among other things, file sharing allows you to copy files to and from a laptop prior to traveling or while you are away on a trip. At the other extreme, a single computer acting as a file server can take the place of the hard disk for a large number of computers. In this case, most or all of your files reside on the file server and you access them over the network.
The obvious vulnerability is that if you can access your files remotely, someone else can do so as well. A less obvious vulnerability is that if you share files with another user, you become vulnerable to security problems that may be present on their computer – if they become infected with a virus and have write-access to your files, you may now be infected. If you read an infected file from their disk, you may now be infected.
Rule 15: If you are not using file sharing, disable it. If you are using it, to the extent possible, limit the kinds of things that can be done to those functions that you need.
Rule 16: If you use file sharing, set robust usernames and passwords and limit the access permissions to the least possible that will allow you to do your work.
Rule 17: If you share files with another user, make sure that they take security seriously.
Virtually all file sharing and remote file access capabilities allow you to set up usernames and passwords to control access. Generally, they also allow you to control what a user can do (read-only, write, create, erase). Many systems allow you to control what any user can do. For example, you could restrict the entire remote access facility so that it only allows read-access; if you do not need write access, disable it if you can.
Typically, systems that support some form of file sharing also support the sharing of printers. Although giving someone remote access to your printer is typically not hazardous, it is better to restrict such services unless they are needed. It is possible that a bug will be detected that allows malicious actions through an access that should have been used for printing only.
Instant messaging
Instant messaging is a facility that allows a message typed on one computer to be displayed on one or more other computers virtually instantaneously. Unlike e-mail, both sender and recipient must be online at the time. Instant messaging goes under many names on various systems. Among them are: Chat, ICQ (an acronym-like homonym for “I Seek You”), IRC (Internet Relay Chat), Talk, AIM (AOL Instant Messenger), and Messenger. Internet communities such as AOL, MSN, Yahoo, game-playing hosts, and many others all have their own Messenger and Chat variants. Some of these interoperate with others, and some do not.
Many messaging systems allow you to select a name that will be displayed with your messages and that allows other participants to send messages to you. They often allow your real identity to be disguised, although the system administrators can identify who you are, at least by your IP address.
Rule 18: Instant messaging can be very helpful, but use it with care and knowledge.
Instant messaging plays a very useful role for several reasons:
• it is much faster and easier to use than mail and has almost no delay – this makes interactive conversations much more practical than e-mail,
• messages can usually be sent and received in a small window on your screen while you are doing other work, and
• you do not have to reveal your e-mail address (and identity) to other participants.
For certain types of uses, messaging is far preferable to e-mail. In some people’s minds, it is also more secure, as the messages are not copied to disk at various places, as is the case for regular e-mail. However, users are cautioned that messaging is still not particularly secure. The major problem with messaging systems is that some of them have been expanded to allow file transfer. This makes them vulnerable to the same problems as other types of file sharing, including e-mail attachments. Some messaging systems also allow remote execution of commands, potentially allowing attacks on your computer.
Improperly Enabled Services
Operating systems and applications have become very powerful and functional. In most cases, a typical user does not need or want all of the capabilities that their software offers. Services that are not needed should be turned off (disabled). Unfortunately, some software suppliers ship their software with all services enabled and it is up to the user to turn them off. Often the user is not even aware that the services are there. For many years, some Unix systems were designed so that every installed user machine could act as an unrestricted mail hub if they did not explicitly turn the capability off. This allowed spammers to use these machines to send spam, without the machine owner’s knowledge.
Rule 19: Disable all Internet services that are not needed and used regularly.
Increasingly, suppliers are becoming aware of the problem. So, despite their pride at developing feature-rich systems, they are shipping their programs with extraneous services disabled; the user may enable them, if they are needed. In either case, it is important for users to make sure that unused services are not enabled. Such services include file and print sharing, web servers, mail servers, file transfer protocol (FTP) servers, Remote Procedure Call (RPC) servers, and others.
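To make Rule 19 (and the "disable file sharing you are not using" part of Rule 15) concrete, here is an added example that is not part of the chapter: it parses a constructed listing in the style of `ss -ltn` output and flags any of the services named above that are listening but not on a short list of services the machine actually needs. The port-to-service mapping and the sample listing are assumptions constructed for this example.

```python
import re
# Services the chapter names as commonly left enabled, keyed by their
# standard port numbers (an assumed mapping constructed for this example).
SERVICE_PORTS = {
    21: "file transfer protocol (FTP) server",
    25: "mail server (SMTP)",
    80: "web server (HTTP)",
    111: "Remote Procedure Call (RPC) server",
    445: "file and print sharing (SMB)",
    631: "print sharing (IPP)",
}

# Constructed sample in the style of 'ss -ltn' output, not a real capture.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     [::]:111             [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(text):
    """Return (local address, port) pairs for every LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def audit_services(listeners, needed_ports):
    """Flag known services listening but not in needed_ports; loopback-only
    listeners are rated low (unreachable from the network, still unused)."""
    findings = []
    for addr, port in listeners:
        if port in needed_ports or port not in SERVICE_PORTS:
            continue
        exposed = addr not in ("127.0.0.1", "[::1]")
        findings.append({"port": port, "service": SERVICE_PORTS[port],
                         "address": addr,
                         "severity": "high" if exposed else "low"})
    return findings

if __name__ == "__main__":
    # Only SSH (port 22) is needed on this host; everything else is flagged.
    for f in audit_services(parse_listeners(SAMPLE_LISTENERS), {22}):
        print(f"{f['severity']:4} port {f['port']:<4} {f['service']} on {f['address']}")
```

Each flagged entry is a service to disable, or, where it is genuinely needed, to restrict to the users and addresses that require it.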