Washington Post, 2003-05-21
It's no accident that the Bush administration's cybersecurity plan begins with
an appeal to home users and small businesses, arguably the least
computer-security-conscious group of Internet users.
"Home users are more likely to have a level of vulnerability they aren't aware
of," said Mark Uncapher, senior vice president and counsel for the Information
Technology Association of America.
None of the recommendations for home users and small businesses are new: They
have been prescribed for years as the most effective medicine against malicious
hackers. Yet they are prominent because Internet users continue to ignore them
at a high cost to themselves and other Internet users.
"Individual consumers fail to understand that by not exercising good and safe
practices on their computers they are potentially causing themselves to be a
pawn in a larger cyberattack against other users or against one of our critical
infrastructures," said Tatiana Gau, senior vice president of Integrity
Assurance at America Online.
In a survey of more than 1,000 Internet users to be released today, AOL found
that most users are familiar with basic computer security practices but
generally fail to act on them.
Here are five basic things anyone who uses the Internet can do to guard against
online attack:
1. Install and use a firewall. Considered the first and last line of defense, a
firewall is a software program or piece of hardware that prevents unauthorized
Internet traffic from entering or leaving your computer, particularly computers
that are always left connected to the Internet (typically, Internet users who
connect over DSL or cable modem fit this category). Properly configured, a
firewall can give you greater control over your computer and prevent attackers
from successfully scanning your system to learn details about potential
weaknesses on your network or PC.
For a sobering look at the insecurity in the average operating system, consider
the research conducted by The Honeynet Project. The project takes servers and
computers "out-of-the-box" -- without any changes to improve or reduce their
security -- and connects them to the Internet for the sole purpose of seeing
how often they are probed and hacked, and what techniques attackers are using.
Based on the project's most recent tests, the average unprotected Windows or
Linux-based computer with the most common security holes will be hacked within
three to five days. Even secured computers will be probed or scanned for known
vulnerabilities an average of 30 times each day.
It's nothing personal, said Honeynet Project founder Lance Spitzner. "The vast
majority of attacks on the Net today are launched by people out to break into
as many computers as possible," he said.
Using automated software tools available online, a malicious hacker can set in
motion a scan of more than a million computers before he goes to bed at night
and have hundreds of systems under his thumb by morning, Spitzner said.
"It's not so much people not realizing they're vulnerable than it is they don't
believe they're a target," he said. "The fact is, anybody can be a target."
The reasons attackers would want to break into your machine are as varied as
the methods for doing so.
Computer criminals often use other people's PCs for storing files that would be
incriminating if found on their own machines, such as child pornography or
lists of stolen credit card numbers, said Marc D. Goodman, senior managing
director of the Digital Security and Investigations Group at Decision
Strategies in New York.
More frequently, criminals hijack computers for financial gain or as a means of
attacking others with impunity, Goodman said.
2. Use anti-virus software and update virus definitions regularly. More than 80
percent of Internet users surveyed in the AOL study have antivirus software
installed on their computers, but less than a third said they regularly update
their virus definitions, an indication that most users do not bother to pay the
renewal fee when the antivirus software subscription expires, Gau said.
"The lack of proper security hygiene at the individual level can put the rest
of the Internet at risk," Uncapher said. "It becomes similar to someone who
doesn't get properly vaccinated and ends up spreading diseases to the broader
public."
Once executed on a vulnerable computer, most viruses transmit copies of
themselves to all of the names in the victim's e-mail address book. As a result,
people who don't use antivirus software or who allow their virus definitions to
expire are putting their friends, co-workers and loved ones in the line of
fire, Uncapher said.
"With antivirus software, you're not just protecting yourself for your own
sake, but also for the sake of those you communicate with," he said.
3. Create secure, original passwords. Creating unique passwords is
one of the easiest ways for consumers to ensure their privacy and security
online. See Cybersecurity Primer for more tips.
4. Update your computer(s) with the latest vendor security patches. Fully 95
percent of all network intrusions can be avoided by keeping computer systems
updated with the latest vendor patches, according to the CERT Coordination
Center's Software Engineering Group, a government-funded computer security
watchdog group at Carnegie Mellon University.
Visit www.cert.org for a comprehensive list of security alerts and vendor
patches. Windows users can go to windowsupdate.microsoft.com to install the
latest updates. Using Microsoft's automatic update notification service, users
can get updates when they are released. Windows XP users can configure updates
to install automatically.
5. Practice basic e-mail and downloading "street smarts." Most viruses are
transmitted as e-mail attachments. Some may come from people you know; others
will enter your inbox bearing enticing subject lines. Either way, users should
be wary of opening any attachment, and scan each one with antivirus software
before opening it. Avoid opening e-mail attachments that have the ".vbs"
file extension. Short for Visual Basic Script, .vbs is commonly used in
writing computer viruses.
People who use so-called "peer-to-peer" file-sharing networks such as Morpheus,
Kazaa and Limewire place themselves at a particularly high risk, especially
when downloading "executable" programs, experts say (executable files have
names that end in ".exe").
"Kazaa and other P2P networks are filled with viruses and other bad stuff,"
Goodman said. "Oftentimes the most destructive things are programs that won't
be caught by antivirus software."
Such nasties include so-called "Trojan Horse" programs that allow attackers to
control your computer from afar, and keystroke loggers, which can record
everything you type on your keyboard, including passwords and bank account
numbers.
P2P users also should take care to limit the directories they share. It is not
uncommon for users who rush through the process for installing programs that
run those services to end up sharing the contents of their entire hard drive.
