Computer Security

In Brief:

• Start off with a healthy computer by following StartSafe procedures.
• Keep your computer healthy by following RUNSAFE operating guidelines
• Be aware of current threats and scams by reviewing the Hot Topics listed below on a regular basis.
• Procedures to nurse a sick and quarantined Windows computer back to health when preventive measures fail.
• Report a Computer Security Violation or Incident
• Review Appropriate Use Policies

Contents:

• Current Computer Security Hot Topics ( last update 05/30/08 )
• United States Computer Emergency Readiness Team ( US- CERT ) Current Activity List
•  
• Critical Security Updates ( last entry added 07/02/08 )
• Notable reported security defects without a fix ( 07/07/08 )
•  
• Why Computer Security Affects YOU
• Reporting a Computer Security Violation or Incident
• Viruses and Worms and Trojans and Spyware, Oh My!
• Help! I'm getting e-mail messages returned from people I didn't send anything to. Some of them are telling me I have a virus.
• Internet Fraud including Phishing
• SPAM and other unwanted messages
• Common Mistakes Affecting Our Privacy, Accounts, Computers, and Data
• Common Appropriate Use Violations
• Security Measures That May Impact Your Computer Use
  • Information on Exposing a computer to the Internet for server administrators
• How Others Break Into Our Computers and Accounts
• List of Frequently Asked Questions about Computer Security
• Security Awareness ( available on-demand from on-campus locations or from anywhere during eID password changes )
• JMU Policies Associated with Computer Security
• Privacy (to be provided)

Why Computer Security Affects YOU

Computers today are an integral part of day to day campus life. E-mail and instant messages are heavily used for communications. University administrative business processes depend upon computer automation, record keeping, and dependable, confidential, and quick access to reliable information. The university's academic processes make use of computers for classroom presentations, lab demonstrations and simulations, and online research. For many of us, computers are also used frequently in our private lives.

We all have a vested interest in ensuring that our computing infrastructure continues to operate reliably and that it preserves the confidentiality and integrity of the information it handles - both our own and that of those we serve. Our JMU network is made up of over 15,000 computing devices. Each and every device contributes to our network's security. Each and every operator of those devices has a necessary and important part in preserving the integrity of our network, just as every citizen has a necessary and important part in preserving a society.

Each and every day, some of the 600 million people on the Internet are reaching out and touching our computers in attempts to violate our privacy, use our resources, dupe us into helping them perform a crime, or steal information. Every one of the 15,000 or so computers on the JMU network is an attractive target for criminals. Serious crimes have been committed on, by, and through five year old laptops.

"The people of the world have granted control of their existence to computers, networks, and databases. You own property if a computer says you do. You can buy a house if a computer says you may. You have money in the bank if a computer says so. Your blood type is what the computer says it is. You are who the computer says you are." ^{How to Own an Identity}

Do you think your computer isn't an attractive target for criminals? Think again:

• Invasion of the Computer Snatchers ( Washington Post 02/20/06 )
• Panel paints grim picture of cybercrime battle ( ZDNet 06/01/2005 )
• Attack of the BOTS ( Wired 11/02/06 )
• Feds square off with organized cyber crime ( SecurityFocus 02/17/2005  )
• Is your computer part of a criminal network? ( GlobeandMail.com 01/20/2005  )
• 1.5 Million Node IRCBOT Network ( USA Today/AP 10/21/05 )
• Experts fret over online extortion attempts - 'Bot' armies capable of toppling big sites, some say ( MSN 11/10/2004 )
• Are hackers using your PC to spew spam and steal? ( USAToday 09/08/2004 )
• Malicious Bots Threaten Network Security ( IEEE Computer Society PDF File )
• When BOTS Attack ( Technology Review 09/24/2004 )
• Alarm growing over bot software ( News.com 04/30/2004 )
• Could your computer be a criminal? - PCs hijacked to send spam, serve porn, steal credit cards ( MSN 07/15/2003 )

And while setting up a computer and operating it in a more secure manner may sometimes be confusing, frustrating, and inconvenient, some simple steps can help prevent not only crimes against the network at large, but also personal losses:

The resources found here will hopefully help provide an understanding of the threats we face and the steps we can take to protect both ourselves and the rest of the JMU computing infrastructure.

Reporting a Computer Security Violation or Incident

• If you receive a message leading you to believe your health or safety is threatened:
  • Preserve evidence. Do not delete the message. Do not take any other action on your computer. Leave it as it is.
  • Contact law enforcement.
• If you suspect your computer has been broken into:
  1. Preserve evidence. Do not alter anything on the computer.
  2. Disconnect the computer from the network.
  3. Contact IT Security Engineering at it-security@jmu.edu or via phone: Gary Flynn (x82364) or Mike Bayne (x81684).
  4. Write down everything you know about the incident while it is still fresh in your memory.
• For incidents of unsolicited e-mail (SPAM), read the SPAM page .
• If your personal firewall is reporting an "attack", please review What Does it Mean When My Firewall Reports an Attack? What Should I Do?
• For all other incidents: submit a violation report over the web or email abuse@jmu.edu . For email abuse, it is important to include the full mail headers of the offending message. Click here for instructions on how to display the mail headers.

Viruses and Worms and Trojans and Spyware, Oh My!

More than 2000 virus and worm carrying email messages arrive at the JMU email server each and every day and we're seeing increasing numbers of virus carrying instant messages. Infected computers spew out thousands of packets per minute attempting to infect neighboring computers with worms. Web visitors using Internet Explorer have spyware and trojans installed on their computers. Regardless of name, virus, worm, trojan, or spyware, any of these examples of malicious software, henceforth referred to collectively as malware, are undesirable additions to our computers.

Unless a particular piece of malware is extraordinarily virulent, unique, or common, special announcements will not be made. With tens of thousands of unique malware copies already existing, and new ones coming out daily, it is impractical to keep in mind all the possible symptoms which they may present. Posting alerts to the entire population on every new virus would just result in needless clutter, alarm, and probably eventual numbness. The same piece of malware is often referred to by different names by anti-virus companies and the press leading to further confusion. General StartSafe and  R.U.N.S.A.F.E. guidelines will protect against almost all malicious software regardless of form or name - virus, worm, trojan, spyware, adware:

• Don't infect yourself by running unknown programs especially those received as email attachments.
• Decrease risk by running anti-virus software.
• Don't let defects in your software allow others to infect you while your computer is just sitting on the network. Update your computer at least monthly.
• Minimize risk by operating the computer with a least privilege account .

An ounce of prevention is worth a pound of cure. Once malware runs on a computer, its actions are limited mostly by the whims of the author. Malware that opens the computer to control by third parties is often seen. Damage is sometimes irreversible and often causes large amounts of frustration and lost time. The relative benevolence of past malware should not be expected of future malware.

Email messages containing attachments with certain names and extensions have their attachments stripped off by the JMU email server because of their common use by malicious software. Thousands of virus carrying messages are prevented from reaching our computers each day. The types of messages that are blocked are described here.

A lot of computers have recently had problems with undesirable programs that are being called  "Spyware" or "Adware". The programs are sometimes installed along with free programs such as music sharing programs. They are also sometimes offered by web sites and even forced upon you if you haven't kept up with Windows Updates. There have been instances of it being found in software that is supposed to remove it so stick to the removal tools found on the JMU downloads page. This software may track your movements, steal your passwords, pop up targeted ads, take control of your web browser, or report your movements to online web sites.

Being no different than any other undesirable programs, it is less risky and usually easier to prevent a compromise of your computer and privacy than it is to recover from it. In particular, read all program documentation thoroughly before installing it and only load programs obtained and written from trusted sources. Oftentimes the distributors of programs that include spyware or adware tell you in the fine print of the licensing or installation documentation. Also make sure to keep up with Windows Updates. Some of these programs are being installed by web sites taking advantage of Internet Explorer defects to force installation without operator knowledge.

Two tools, Adaware and SpyBot, are available on the JMU Computing Downloads site to detect these undesirable programs on your computer.

These types of programs (Spyware) are no different than other malware programs other than that they've been labeled, been given press coverage, and are widespread. The functions they perform on your computer vary widely and any name given to them or attempt to classify them is quite generalized. Regardless of anti-virus software, anti-spyware software, anti-trojan software, firewalls, other security precautions, and even legislation, the first line of defense is to refuse to run unknown programs. Inadvertent installation of spyware can often be prevented by operating the computer using a regular user account. Windows XP instructions are here. Macintosh instructions are here.  Generic information is here.

• Malware Related Links of interest:
  • Detailed virus information from Symantec/Norton , McAfee, Sophos, and TrendMicro
  • Spy Stoppers (PC Magazine)
  • Spyware - Its Lurking on Your Machine (PC Magazine)
  • Educause Spyware/Adware Resource Page
  • What is a virus?
• Scams, Hoaxes and Fables
  • Virus Hoaxes listed by Symantec
  • http://urbanlegends.about.com/od/internet/u/current_netlore.htm
  • FBI New E-scams and Warnings
  • http://www.snopes.com/
  • Onguard Online - list of generic spam scams

You can submit suspicious files though a web browser to www.virustotal.com and virusscan.jotti.org which will run various anti-virus products against the submission. Do not assume, however, that a clean bill of health means the file is harmless.

Because there are many malicious software packages in circulation that are not detected by anti-virus software, conventional security measures such as anti-virus software, firewalls, and security updates will often not prevent an infection caused by an operator run program. Additionally, since many of the malicious programs that are circulating disable anti-virus, firewall, and automated update software and tools used to detect an infection, the chances are good that the computer will remain compromised exposing the operator's privacy, accounts, and documents.

One security measure that is presently effective at limiting or entirely preventing a compromise due to an operating mistake is to operate the computer using an account that will limit the resources available to the malicious program. Most computer operators will have little or no problems using this type of account once it is set up. And if problems are experienced, they can always use the riskier account temporarily to accomplish these infrequent activities. Macintosh instructions are here. Windows XP instructions are here. Generic information is here. This practice is effective for preventing  the majority of viruses, worms, trojans, spyware, and other malicious programs from getting a toehold in a computer and limits the ability of others to do damage or hide themselves.

Help! I'm getting e-mail messages returned from people I didn't send anything to. Some of them are telling me I have a virus.

These types of messages are almost never an indication that you, your computer, or your e-mail account have a problem.

The messages are almost always caused when criminals or infected computers forge your e-mail address in the FROM section of messages they are sending to other people. This is often done to decrease risk of detection, cause confusion, or increase the chances of fooling recipients by using names the recipient may trust. It can be done by any computer anywhere in the world.

The messages are a reflection of the trusting design of the Internet and the abuse of that trust. Internet e-mail standards allow anyone to pretend to be anyone else.

This activity ebbs and flows. During periods of high virus, scam, or SPAM activity, you may see quite a lot of such messages. If the messages are sent to a public e-mail distribution list, a lot of people may see them, respond, and cause a flood of confusing messages.

Here is an example of what is happening:

1. A computer somewhere in the world owned by "Bill" becomes compromised. It may be compromised by a virus program that randomly picks e-mail addresses or those found on the computer or it may be compromised in a way allowing criminals to use his computer to send SPAM and messages with malicious intent.
2. The computer, under the control of the virus program or remote criminal, composes an e-mail message. It has the ability to put anything it wants in the TO and FROM fields. It makes little difference to where the message actually gets sent or from what account or computer it is sent. It should be particularly noted that the FROM field is as meaningless and easily forged as the return address on the outside of an envelope. Anything or anyone can write anything they want there. For example:
3. The compromised computer sends a message. For example:

   From: DukeDog@jmu.edu ( Note that it does not say Bill though it could. It might list your address, helpdesk@jmu.edu, santaclause@northpole.net, President@bank.com,  or anything else the virus or criminal wants to put there. )

   To: HokieBird@vt.edu ( The message may be received by HokieBird or someone else entirely. Actual mail routing does not depend on this field. You may receive messages not appearing to be addressed to you.)

    

4. HokieBird's e-mail server receives the message.

   If the server delivers the message to HokieBird's mailbox, HokieBird sees a message that appears to have been sent by DukeDog@jmu.edu but that was actually sent by Bill's computer under the control of a virus or criminal. If HokieBird replies to the message, the reply will usually get sent to DukeDog@jmu.edu, the apparent sender. Other fields under control of the virus or criminal can change this behavior to send replies to a completely different third party, for example tuitionpayment@criminal.net .

   Dukedog may also receive a message if HokieBird's e-mail server refuses to deliver the message to HokieBird's mailbox. The server may do so for a number of reasons but whatever the reason, it will send any error or status messages to the apparent sender: DukeDog@jmu.edu because that is whose name is in the FROM field.

   Reasons DukeDog@jmu.edu may get a response from HokieBird's server:

   1. The VT server can't find a user named HokieBird@vt.edu ( example message subject: Returned mail: User unknown )
   2. HokieBird's mailbox is full
   3. The server detects a virus
   4. The message has an illegal attachment
   5. The message looks like SPAM

There is nothing that can be done about the problem on this end. We cannot stop a computer outside JMU from sending e-mail messages, even forged ones, to other computers. In cases of gross abuse, we can complain to their internet provider but this is rarely effective. Hundreds of thousands of computers outside JMU are infected and compromised, some say millions, and are often used by criminals to send SPAM, scams, and viruses. We have no control over them.

For those interested, the true source of an infected message can usually be determined by examining the full mail headers. Note that the headers from the original, infected message must be examined, not the headers of a complaint or bounced message. Also note that some viruses add false information to make this more difficult.

We are limited in what we can filter in our central e-mail system. However, individuals may create custom filters suited to their tolerance, desires, and abilities. These capabilities are more fully described here. Such filters won't stop the forgery or the response messages but may allow you to discard messages resulting from them if they get too numerous or bothersome.

The only generic statement that can be made about the issue is that e-mail and instant messages are not reliable communications methods on which to make any type of decision concerning sensitive information or the identity of the apparent sender. Note that the same statement applies to telephone numbers and addresses included in such messages. If sensitive information, finances, or computer programs are involved, always verify the information on a trusted source - web site, previously known or published phone number, etc. - independent of information provided in the message. While these statements are true of all such messages, messages you expect will understandably be trusted more. However, be wary of generic messages such as 'here you go' and 'it's ready now' that can be interpreted as responses to almost anything. Authors of business messages can help combat this problem by crafting complete messages and/or including original requests in the responses.

Internet Fraud:

• Phishing

  We continue to see increasing numbers of fraudulent e-mail messages trying to convince people to visit fraudulent web sites in order to steal their credit card numbers, bank account numbers, E-Bay, PayPal, banking, and AOL account passwords, and other sensitive data. Fraudulent messages pretending to be from local banks, such as SunTrust and BB&T, have also been seen.
  
  These scams, being referred to as "phishing" attacks, use e-mail messages made to appear as though they come from banks and other businesses you may trust. The messages contain links leading to malicious web sites that duplicate the business' web sites in almost every detail and that ask for passwords, credit card numbers, and other sensitive information useful to criminals. It is very difficult to tell the difference between an official web site and one set up by criminals to mimic an official one and they are getting more sophisticated. You can view real-life examples of these messages and the fake websites at: http://www.fraudwatchinternational.com/phishing/index.php.

  The face values of web links in email, web sites, instant messages, and other locations cannot be trusted to make critical decisions such as whether to supply sensitive information or download software on to your computer.  They're as useless and as easily forged or disguised as the return address on a post card or the FROM address on an email message.

  It is best to avoid typing sensitive data (account numbers, passwords, credit card numbers, etc.) into unfamiliar web sites or those led to by links in unexpected or unusual e-mail messages. It is also prudent to avoid clicking links in such e-mail and instant messages especially those that are blatant spam or phishing messages as they sometimes lead to web sites that will infect visiting computers. For the same reason, it is also best to avoid downloading software from such web sites.

  Use a known good web link and/or verify the message contents over a known good secondary channel (phone number, email address, etc.).

  General recommendations for handling unsolicited messages can be found on the JMU SPAM web page.

  If you receive such a message, you may report it to authorities by forwarding the message, preferably with full mail headers, to spam@uce.gov and/or the owner of the site being forged (e.g. abuse@suntrust.com, abuse@ebay.com, or the address supported for this purpose by the organization).

  A web site ( http://www.lookstoogoodtobetrue.com ) promoting Internet fraud awareness has been published with the cooperation of the FBI, U.S. Postal Service, and several other organizations.

  Carnegie Mellon University has designed a game meant to improve your ability to identify fraudulent web sites. It can be accessed at http://cups.cs.cmu.edu/antiphishing_phil/ . Note that it requires the installation of Adobe Flash. Many people already have this installed. If you install it, it is important to check for security updates as it can leave your computer vulnerable if not properly maintained.

  • http://www.adobe.com/support/security/bulletins/apsb07-12.html
  • http://www.adobe.com/support/security/bulletins/apsb06-11.html
  • http://www.adobe.com/devnet/security/security_zone/apsb06-03.html
  • http://www.adobe.com/devnet/security/security_zone/mpsb05-07.html

   

  Identity Theft Help

  If you typed sensitive information into one of these criminal's web sites it is likely the information you provided will be, or already has been, sold or misused. To limit loss in such a case, review the recommendations at the following web sites after contacting the organization whose site was forged.
   

  • ID Theft Home ( U.S. Federal Trade Commission )
  • Identity Theft Victim's Guide ( Privacy Rights Clearinghouse )
  • Consumer Advice: What To Do If You've Given Out Your Personal Financial Information ( AntiPhishing.org )
  • Identify Theft Resources ( Privacy Rights Clearinghouse )
  • Identity Theft and Fraud ( U.S. Department of Justice )

  In the past, it has been difficult for a person to freeze credit reporting on themselves. State laws mandating the ability of consumers to request such freezes were spotty ( notably absent in Virginia ) and the credit reporting agencies did not offer the service in states where laws mandated it. Luckily, the credit agencies seem to be responding and are beginning to offer the ability for anyone nationwide to freeze their credit reports ( see this article and this one ). This becomes a useful tool for preventing fraud and the spread of identity theft.

  
  Additional phishing information:

  • What you should know about phishing identity-theft scams ( Microsoft Video )
  • Putting an End to Account Hijacking Identity Theft ( Federal Trade Commision PDF file) Excerpt: "While precise statistics on the prevalence of account hijacking are difficult to obtain, recent studies indicate that unauthorized access to checking accounts is the fastest growing form of identity theft. The FTC has estimated that almost 2 million U.S. adult Internet users experienced this fraud during the 12 months ending April 2004."
  • Special Report on Phishing ( U.S. Department of Justice Criminal Division PDF file)
  • How Not to get hooked by a phishing scam ( U.S.  Federal Trade Commission )

Can you tell the difference?

• MailFrontier Quiz II
• Washington Post Quiz

Phishing in the news:

• Phishing is Big Business ( eWeek 03/07/2005 )
• Phishing Feeds Internet Black Market ( Washington Post 11/18/2004 )
• IT Tackles Phishing ( InfoWorld 1/24/05 )
• Consumers deluged as fake e-mails multiply - Even experts say telling real mail from phish can be difficult ( MSNBC 01/21/2004 )
• What happens to victims ( MSNBC 11/04/2003 )
• Fake FBI Site ( MSNBC )

Other Internet Fraud:

• 419 or Nigerian fraud schemes where you are offered a percentage of a large amount of money for help transferring it.
  • United States Secret Service Alert
  • Information at the University of Pennsylvania
  • Nigeria cracking down on e-scams ( CNN 08/08/2005 )
  • Nigerian Scams Keep Evolving ( MSNBC 06/10/ 20 05 )
  • You may forward such messages with full e-mail headers to 419.fcd@usss.treas.gov
• View Monster.com's safe online job search tips for avoiding identity theft, criminal recruitment, and other threats associated with online job searches
• Seduced into scams: Online lovers often duped MSNBC ( 07/29/ 20 05 )
• Officials: Beware of phantom stock regulators ( ZDNet 07/29/ 20 05 )
• Cybercrooks lure citizens into international crime ( USA TODAY 07/11/ 20 05 )
• Fake banks lure customers online ( MSNBC 03/03/ 20 05 )
• Auction sites being used to sell goods purchased with stolen credit cards ( MSNBC 06/08/ 20 04 )
• Scam: Postal Forwarding/Reshipping job aiding criminals ( MSNBC 12/17/ 20 03 )
• Beware of Fake Escrow Sites for Internet Financial Transactions ( MSNBC 12/04/ 20 03 )
• Online auction scams ( WashintonPost.com 05/03/ 20 03 )
• Fraudulent offers of money from Nigeria and other countries for assistance in transferring funds .  ( United States Secret Service. Forward received messages to the United States Secret Service at 419.fcd@usss.treas.gov . )

FBI Internet Fraud and Crime Complaint Center

Scams, Hoaxes, and Fables

• Virus Hoaxes listed by Symantec
• http://urbanlegends.about.com/od/internet/u/current_netlore.htm
• FBI New E-scams and Warnings
• http://www.snopes.com/
• Onguard Online - list of generic spam scams

Common Mistakes Affecting Our Privacy, Accounts, Computers, and Data

• Trusting unknown programs
• Failure to periodically patch defective desktop Windows software at the Windows update site
• Failure to run and update anti-virus software
• Treating a computer that accesses sensitive information as an entertainment device
• Using the same passwords on multiple systems with different levels of sensitivity and risk factor
• Failure to set passwords on Windows NT, 2000, and XP computers
• Microsoft File Sharing configuration errors 
• Installing and operating Linux, Windows NT, and Windows 2000 servers without first fixing known defects
• Failure to back up critical files
• Poor password choices
• Unsafe handling of passwords
• Forgetting to log out of shared computers like those found in labs
• Trusting unknown computers that may be running malicious software that records keystrokes
• Failure to assure sufficient resources to maintain servers

Common Appropriate Use Violations

• Copyright violations. Information:
  • www.campusdownloading.com
  • University of Texas Crash Course in Copyright information
  • University of Chicago's instructions on disabling music and peer sharing services
• Harassing or otherwise inappropriate email
• Bulk unsolicited email (SPAM)
• Password and account sharing
• Excessive bandwidth usage by music sharing programs and ftp servers.
• Network System Scanning
• Attempted system cracking
• Doing inappropriate things on a computer that we would never consider doing on the telephone, via postal mail, or in person. Doing it on a computer doesn't make it any less inappropriate...or illegal.

Security Measures That May Impact Your Computer Use

By default, computers outside the JMU network cannot connect to computers on the JMU network. Most computers do not need this exposure and not having it decreases risk significantly. If you are a faculty or staff member and run a server that needs to accept connections directly from outside computers, you will need to request exposure of the server.

Some security measures decrease risk by eliminating high risk access. Two such measures at JMU may affect things you're trying to do at JMU. First, some email messages are blocked based on various properties in an effort to reduce virus transmissions. Second, some network services are blocked because they are often used to exploit systems, are commonly misconfigured, are generally not needed, and/or commonly have defects. Details are here.

Network Restrictions

Computers found to be infected with computer viruses or otherwise threatening the network will be put in quarantine. This is necessary to protect everyone on the JMU network and JMU operations in general.  A computer in quarantine will be able to reach all JMU sites but only a few sites on the Internet. Generally those will be sites needed to download software to correct the problem. The most common problems can be corrected by following the Windows clean-up instructions here.