see also: 


Did you know that with one wrong mouse click you could make it possible
for someone to read all your email, documents, or instant messages? That
they could also view your grades, online bank accounts, or change your
course schedule? That they could read or change anything on your
computer? Or anything accessed from it? That they could turn on your
computer's microphone to listen in on conversations? That they could use
your computer for a computer crime for which you may be blamed?

Did you know a newly installed Windows XP, 2000, NT, or Linux computer
is likely vulnerable to the same type of compromise just by being
attached to the network? 

Did you know several such incidents have occurred on computers at
JMU...from Windows 95 and Macintosh desktops to Windows NT and Unix
servers? That they've been used to attack other computers and divulge
information? Did you know all our computers are scanned constantly from
around the world by people hoping to take advantage of them?

Did you know that your behavior impacts your neighbors' security and
their behavior yours?

The Internet, paired with today's software, provides us astonishing
capabilities for sharing and communication. However, these same
capabilities also provide access and computer power to more than 300
million people around the world...some of whom may not share our
behavioral expectations. Examples, such as random acts of vandalism, can
be found in any local newspaper. 

The threats associated with online folks' behavior are very different
from similar threats in the physical world. Using the same freedom and
functionality we treasure, they can communicate with our computers
almost instantaneously, almost anonymously, and en masse from around the
world. They don't even need to be a computer expert. It only takes one
person to write a destructive program to enable many people without
technical knowledge to cause problems, just as all of us use word
processors and web browsers without knowing how they work or being able
to write one ourselves.

While the risks associated with these threats can be decreased by
limiting communications, limiting computer functionality, and increasing
the complexity involved with our computing environment, they can't be
eliminated because security is never absolute. Moreover, the more we
wish to maintain our current freedom in communications and computing,
the more necessary it is that we individually take steps to take care of
ourselves and reduce the need for outside controls and limitations. 

The only person ultimately in control of a computer is the operator in
front of the keyboard. That person presently has the freedom to run any
software he or she wants and communicate with anyone around the world.
Each of us must do his or her part to help ensure the integrity of our
network by operating our computers safely.

Our computers can do almost anything we tell them to do. Unfortunately,
this versatility makes them very complicated. A certain amount of
awareness and skill is necessary to operate such a complicated device
safely on a world wide network. The goal of the R.U.N.S.A.F.E. program
is to help you attain the knowledge and skills necessary for safely
operating an Internet connected computer.

The information and associated steps listed on this page are key
components to everyone's online security. Everyone should understand
them and be able to take the actions described. R.U.N.S.A.F.E. workshops
are offered once per semester that describe the incidents we've seen at
JMU, the threats we're exposed to, and that teach the defensive concepts
and procedures described here. Onsite workshops are also available to
groups. (contact Gary Flynn to schedule one).

Click here to download the RUNSAFE  workshop PowerPoint presentation. If
you don't have PowerPoint, you can get a free viewer from Microsoft

A sixteen minute RUNSAFE awareness video is available. It can be
downloaded here. The material is copyrighted by Jim Blackburn but may be
used  for educational purposes. The file is 161 MB in size.

R.U.N.S.A.F.E. Goal for All Computer Operators on the JMU network:
Understand the material on this page.  
Run anti-virus software and update it weekly. Preferably the campus
supported Norton Anti-virus. 
Treat email attachments and other unknown programs with caution. 
Use the Windows Update Site on every new installation and monthly
Choose strong passwords for your own desktop and on servers which you
may use and keep them confidential. 
Use care if you enable Microsoft File Sharing. 
Visit the Hot Topics! page at least monthly. 
For all server operators (Windows/Unix/Mac/Whatever) and all unix
desktop operators: 
Set up new computers with the network cable disconnected. 
Turn off all services running on the newly installed computer. 
Connect to network and download and install patches. 
Turn on only needed services. 
Subscribe to vendor security bulletins and check the Hot Topics page
REFUSE to Run Unknown Programs
Our computers operate the way they do entirely because of the programs
we run on them. When we run a program, we give control of our computer
to the author of the program. In fact, a computer break-in is just
someone running a program on our computer. 

A perpetrator may convince us to run their program which then takes
control of our computer. Or they may force our computer to run their
program by using software defects or unintentional access. The program
may then tell our computer to email viruses to our friends. It may tell
our computer to collect and reveal our passwords. It may tell our
computer to disable its anti-virus and personal firewall protection. It
may tell our computer to flood a web site with traffic in an attempt to
disable it. Or it may tell our computer to break into someone else's
computer to help hide the identity of the perpetrator.

Since programs control the computer and everything the computer does or
has access to, it is very important that we not run programs written by
people we don't know or trust. Almost every other security precaution
depends upon our having control of our computers. If we run unknown
programs, we don't. 

A program can take many forms. It might be a Windows .exe file. It might
be a Microsoft Word macro. It might be a script.

We may find programs in many places. They may be offered to us in email
attachments. They may be on web sites. They may be on shared folders. As
we'll see later, they even may be forced on us over the network if we
don't keep our computers up to date. For now, we'll concentrate on the
programs over which we have a choice about running.

In our point and click world, knowing what to click and what not to
click can be confusing. We are conditioned to click on everything. Here
are some rules of thumb that may be helpful:

We should pause a moment to consider the nature of the site, file, or
message and how much we want to trust our computer to it before
when the file or icon is an email attachment or associated with an
instant message 
when the file or icon is in a shared directory accessible to other
people on the network. For example, a Kazaa or Windows File Sharing
when our browser asks us if we want to allow extra access. For example,
to download or execute a file, plug-in, or ActiveX control. 
when our Word processor or spreadsheet asks us if we want to allow a
macro to run. 
when we don't know for certain where the file came from or through whose
hands it passed 
We're generally safe to click in the following situations as long as our
computer software is kept up to date. 
When the file is on our own computer. Note that an icon may point to a
file actually on a shared drive or web site particularly with
Microsoft's Active Desktop enabled. 
When we're browsing the web and our browser doesn't prompt us for extra
When we're reading email and there are no attachments. 
It all cases, risk is decreased if we save a file and open it with its
related application rather than double-click it or choose "Open this
file from its current location". 

By design or defect, a file displayed on our screen may not always
appear as it should. It may look like a relatively harmless Word
document (resume.doc), picture file (mydog.jpg) or sound file but may
actually be a malicious executable program (spy.exe). By saving it to
disk and opening it with the application that should go with it, we'll
protect ourselves from this scenario. The couple of additional mouse
clicks it takes to do this may save a lot of aggravation or worse. 

For example, if you are offered a file displayed as "resume.doc" in an
email attachment or on a web site, don't double-click it or open it from
its current location. Instead, save it to disk, open Word, and use
Word's File->Open menu to open the file you saved. If the file doesn't
open properly, or its name changes, its almost a sure sign something is
badly wrong with the file. 

There have been many instances of malicious programs spread
automatically or getting passed around purposely or innocently. When
such a program is discovered, vendors of anti-virus software update
their products to recognize the new program. Running the anti-virus
product on our computers protects us from this recognized program if we
fail in our efforts at refusing unknown programs. But like flu shots,
anti-virus software won't protect us from new viruses. Fast moving,
email based viruses can circle the globe in hours and infect a lot of
computers before antivirus software can be updated. Nevertheless,
installing and maintaining anti-virus software is a very important part
of maintaining the security of our computers. JMU has purchased licenses
for Norton anti-virus for faculty, staff, and students home and office
computers. It is fully supported by the helpdesk. Why not install it

Click here to learn how to install the campus provided Norton antivirus

Click here for instructions on checking the campus provided Norton
antivirus software for proper operation.  

When we receive email, we can rarely be sure who sent it. The FROM:
information is as easily falsified as the return address on a paper
envelope. Virus programs running on an infected computer can easily send
out email in anyone's name. Accordingly, email attachments, which may
contain malicious programs, should all be treated with caution. One
click is all it takes to lose complete control of our computer and
everything it accesses.

Be particularly careful of unexpected or unusual email or attachments
regardless of the source, content, or attachment name. 
Treat any email attachment whose name ends in ".exe", ".com", ".bat",
."scr", ".pif", ".shs", ".js", ".hta", ".vbs", or any ending you're not
familiar with as you would hazardous waste material. Find out what it is
from the sender before opening it! 
-->more information on refusing unknown programs... 

UPDATE Our Computers Regularly
Computer programs frequently contain defects. Some of these defects can
allow third parties to run programs of their choice on our computers
without any action on our part. This allows the third party to take
control of our computers, and all the resources and data they have
access to, for their own purposes. 

Defects in client programs like browsers, email clients, and media
players may allow unwanted programs to run if we click a link to a
malicious web page or receive malicious email. These types of defects
can cause us to lose control of our computer simply by browsing the web
or starting our email client. 

Defects in server programs like web or file servers, can allow someone
to force unwanted programs to be run on our server. They exploit the
defect by making malicious web or file requests. The exploitation might
be carried out by an individual or by an automated program like a worm. 

Running defective, vulnerable software on our networked computers is
similar to leaving broken windows in our homes and offices for strangers
to enter. Except with the Internet, people can enter these "windows"
from anywhere in the world. Large scale scans from around the world are
often seen within days of new vulnerabilities being announced. Machines
with defective software or vulnerable configurations have been known to
be compromised within hours of being attached to the network both here
and elsewhere. Most software is out-of-date and full of vulnerable
defects on the installation CDs and even sometimes when downloaded from
vendor web sites. Scanners and automated worms may find a vulnerable
server almost as soon as it is connected to the network. It is necessary
to check for updates as soon as new software is installed and regularly

Microsoft Windows Systems

Windows Desktop Operators: 

Use the Windows Update Service after every new installation. 
Re-use the Windows Update Service once a month to keep the computer up
to date. 
If Microsoft Office is installed and you're not using JMU's Novell
services for software management, visit the Office Update Site monthly.
You'll need the original distribution media to install Office patches.
People using JMU's Novell services can wait until Office patches are
available through the JMUAPPS menu or use the Office Update Site as

Double-click the Norton Anti-Virus gold shield icon in the lower left of
your screen. A Norton window will come up. Check the date of the Virus
Definition File. If it is more than two weeks old, the Norton Anti-Virus
program is not updating itself correctly. Click here for further

Upgrade or replace software which Microsoft doesn't support with
security patches. Of particular importance in this respect are:  
Microsoft Personal Web Server and Peer Web Services   
Internet Explorer versions 3 and 4   
Office 97 and 98 for Windows 
Windows 95 
Cygwin users must also check for defect updates in Unix programs
packaged with Cygwin or installed separately. For example, OpenSSH. 
Review computer security Hot Topics page at least monthly for
announcements of software defects or other issues that may affect you. 
Windows Server Operators:

Servers need to have more timely patches as they run software that is
accessible to anyone on the Internet. Patches should be installed as
they become available.

NEVER bring up a server until all patches and configuration changes have
been completed. Unpatched servers have been found and compromised in
minutes by automated worms and scripts. Install the software while the
machine is disconnected from the network, make sure all servers are shut
down, connect to the network and download the patches, disconnect from
the network, and apply patches. 
Use Microsoft's HfNetChk Patch Analyzer tool to check Windows NT, 2000,
and XP systems for needed patches. The QChain utility may be used to
chain together multiple patches so they canbe installed without
individual reboots. 
Subscribe to Microsoft's Security Bulletin Mailing List and apply
patches as soon after they are announced and can be tested as possible.

Cygwin users must also check for defect updates in Unix programs
packaged with Cygwin or installed separately. For example, OpenSSH. 
Review computer security Hot Topics and Serious Defects pages weekly for
announcements of software defects or other issues that may affect you. 
If you install non-Microsoft software, subscribe to vendor security
bulletins or check their web site regularly for updates. 
Linux and other Unix Systems 

These systems often have server programs running after even a desktop
default installation.

NEVER bring up a server until all patches and configuration changes have
been completed. Unpatched servers have been found and compromised in
minutes by automated worms and scripts. Install the software while the
machine is disconnected from the network, make sure all services started
in the inetd.conf file, /etc/rc* files, or your vendor's equivalent have
been disabled, connect to the network and download the patches,
disconnect from the network, and apply patches. 
Subscribe to vendor security bulletins and apply patches as soon after
they are available as possible. Click here for a list of various vendor
security sites and notification services. 
Review computer security Hot Topics page at least monthly for
announcements of software defects or other issues that may affect you.
Server operators should check both the Hot Topics and Serious Defects
pages weekly. 
MacIntosh OSX

MacIntosh OSX is based on unix. Many unix related defects also affect
MacIntosh OSX. 

Current security roll-up patches can be viewed and downloaded at 
Software updates can be requested using the Software Update pane in
System Preferences. 
Email notification of security defects in MacOSX can be obtained by
subscribing to the Apple notification service at 
Other Systems 

Review computer security Hot Topics page at least monthly for
announcements of software defects or other issues that may affect you. 
Keep anti-virus software up to date. 
If available, check your vendor's security site monthly for critical
security updates. 
  -->more information on updating our computers...

NULLIFY Unneeded Risks
Whether by operator mistakes, attempts at making computers easy to use,
or encouraging open access, our computer's software sometimes grants
more access to our computers than is needed. We can decrease risk by
eliminating unneeded access to our computers. 

Be very careful with Microsoft File Sharing. It is commonly
misconfigured. Don't share more than you need to. 
Assign a good password to all Windows NT, 2000, and XP accounts paying
particular attention to the Administrator and other privileged accounts.
Windows XP creates user accounts with administrative privileges and no
password by default. 
Use the IIS Lockdown Tool on NT, 2000, and XP computers to disable
unneeded access and oft-exploited functionality on IIS Web servers that
may be running. 
Disable unused Linux services 
Nullify Risks of Anonymous, Public Storage. 
Web Service designers, providers, and administrators should familiarize
themselves with Guidelines on Securing Public Web Servers (PDF-National
Institute of Standards and Technology) 
Follow platform specific "best practices" guidelines when configuring a
public server 
Disable music and peer sharing services when not needed 
Use the NT/2000/XP Administrator and unix root accounts only when needed
for system maintenance. Use a normal user account for all other
activities particularly browsing the web and reading email. 
Disable network access to the Windows Administrator account. 
The Checkup! security scanning service periodically scans JMU computers
looking for those with vulnerabilities that others may exploit. If your
computer is found to have a vulnerability, you may receive an automated
email message alerting you to the problem. More information will be
available shortly.

  -->more information on nullifying unneeded risk...

SAFEGUARD Our Identity and Password
Passwords are the combination locks used to protect our computer
accounts. It goes without saying that giving out our combination or
leaving the lock unlatched (i.e. walking away from a logged on
computer), compromises our security. However, technology provides ways
for people to obtain our combination even if we aren't careless. To
thwart such misuse, we must choose complex combinations. There are three
elements to a complex combination:

It can't be obvious. That is, it can't exist in an attack dictionary. 
Every word in an English language dictionary can be tried in minutes.
Attack dictionaries also include names, common misspellings, words with
numbers, and other commonly used passwords. You also don't want the
password to have any personal significance to you...your dog's name for
example. Using a dictionary word for a password is like using a locker
number for a combination. 
It can't be a short 
A combination lock with a two number combination wouldn't protect very
well. Anything less than an eight character password is like having a
such a combination. It simply won't hold up for long on the network. 
It can't be made up of just a few characters 
A combination lock with only ten numbers on the dial isn't as effective
as one with fifty. Using just lower case letters is like limiting a
combination lock to ten numbers. On systems that support them, passwords
should contain at least one of each of the following characters: 
Uppercase letters ( A-Z ) 
Lowercase letters ( a-z ) 
Numbers ( 0-9 ) 
Punctuation  marks ( !@#$%^&*()_+=- ) etc. 
Different systems have different capabilities. Some will not let you use
all the strength features mentioned here. When you get an account or
change your password on a system, you should be given instructions on
any limitations. 

How, you may ask, am I ever going to remember such a complicated

Pick a sentence that reminds you of the password. For example: 
if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl) 
only Bill Gates could afford this $70.00 textbook (oBGcat$7t) 
What time is my accounting class in Showker 240? (WtimaciS2?)  
If you absolutely have to, record it in a secure location. It's probably
safer to store a strong password in a place where someone would have to
physically break in than to expose a weak password to 300,000,000 people
on the Internet. 
Accounts that are not accessible from the network, or that can be
disabled if too many unsuccessful attempts are detected, are not as
susceptible to high-speed guessing attacks. However, some systems have
network accessible accounts you may not know about. Passwords for
Windows NT, 2000, and XP Professional Administrator accounts and
accounts included in the Administrator, Backup Operator, and Server
Operator groups must be as strong as possible as these accounts have
full, remote access to the entire file system through hidden shares. You
can disable network access to these accounts by following the procedures

Never type your password into an untrusted computer or web site. 
  -->more information on safeguarding passwords...

ASSURE Sufficient Resources for Proper System Care
Do you want your organization's web server to become known as the one
that makes headlines when it is used to bring down a high profile
Internet site? That is used to break into your neighbors computer? That
harbors illegal or inappropriate files? That gives away any privileged
information that is stored on it? That is unreliable?

A publicly accessible network resource needs special care in its initial
setup. Perhaps less well known due to vendor marketing efforts and
perhaps our own wishful thinking, it needs ongoing monitoring and
maintenance. If it is important enough to implement, it should be
important enough to devote sufficient resources to it to take care of it
properly. Without this care, the server may not remain in operation
long, it may not preserve the confidentiality and integrity of resident
data and accounts, or it may be used as a base of operations for
criminal activity including attacks on other computers.

Budget planning, hiring procedures, staffing levels, and job
descriptions should reflect the need for ongoing monitoring and
Allow time for regular maintenance 
Elevate security and ongoing maintenance to the same level of
consideration as cost, ease of use, functionality, and performance. 
Use the appropriate tool for the job. For example, do not use
Microsoft's PWS for production web servers. 
-->more information on assuring system care...

FACE Insecurity
It is impossible to provide absolute security for our computers just as
it is impossible to provide absolute security for ourselves or our
possessions in the physical world. Insecurity is a fact of life. There
are no technical panaceas. 

There are 200 million people connected to the Internet and we cannot
control their actions. They have world-wide, almost instantaneous and
anonymous access to our computers' network ports. There are practical
compromises in the design of our computers and networks that may leave
them vulnerable to certain activities. Accordingly, we must temper our
actions with awareness and take some precautions. 

Regularly backup critical or hard to replace data 
Be careful about whom and what you trust. Don't believe everything you
see on the web or in email messages. 
Do not ignore warning messages. In particular, those associated with: 
Web browsers warning about site certificate mismatches 
Web browsers warning about file downloads or potential security problems

SSH clients like Putty, F-Secure, and SecureCRT warning about host key
Repeated virus warnings 
-->more information on facing insecurity...

EVERYBODY Needs to Do Their Part
Your particular computer may not seem to be a desirable target of a
compromise attempt but any computer is attractive as a stepping stone or
attack vehicle. Simple Windows 95 and Macintosh desktops have been
involved in security incidents. Even with switched networks, a
compromised computer may be used to sniff network traffic from
neighboring computers. Thus, your security is dependant upon your
neighbors' security and their security on yours.

In the days of standalone computers, reckless or unauthorized use of a
computer affected just one computer. With a networked computer and its
access to shared network resources and common communications lines, the
same actions may affect many computers, accounts, services, or people. 

As long as we want to continue to have relatively open computing and
communications choices, and preserve our privacy, services, and data,
each one of us must do his or her part to help ensure the integrity of
our network. 

Do your part - RUNSAFE 
Encourage and help your peers to do their part - RUNSAFE 
  -->more information on doing our part...

Feel free to use or derive from R.U.N.S.A.F.E. material as long as you
give credit to JMU. A note to [EMAIL PROTECTED] describing your project
would be greatly appreciated!

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to