MCR Computing

Firewalls, malware and secure data transfer

Hacking and firewalls | Malware | Secure data transfer

Hacking and firewalls

Communication between a computer and a network is directed through "ports". Each port is described by a number, and it is generally allocated a type of network traffic or a communications protocol. Unprotected computers often accept incoming and outgoing communication through most of these without restriction, and this sometimes allows malicious users to gain some sort of unauthorised control of the computers. Firewalls prevent communication through these ports, either by simply closing the port or by restricting access to it for known software or approved purposes only.

It is generally wise to use a firewall. Windows XP includes a firewall, enhanced in Service Pack 2, which greatly improves security for incoming traffic - unless you are using another firewall product, you should generally enable this. For this and operating systems, you may find the general description in the (slightly out of date) Home User Guide to PC Security useful. The Windows Firewall does not take any action for outgoing traffic, which means that unauthorised software running on your computer could continue to perform whatever malicious actions it was programmed to perform. More comprehensive software includes ZoneAlarm, which is available free (a commercial version, ZoneAlarm Pro, offers further enhanced protection) - there is information about configuring ZoneAlarm for users on the Cambridge network. If you have a Windows PC and choose to install an alternative firewall (e.g. ZoneAlarm), you should disable the built-in Windows firewall - running more than one firewall program can slow down your computer and cause connectivity problems.

Firewalls can also be implemented in hardware. Those sharing a broadband connection with a router (wireless or otherwise) may find that it has firewall features, which you should generally enable.

University regulations do not specify whether you should use a firewall or not, but they do require certain settings to be made if you are using a firewall. Computers connected to the University network (CUDN) - all college and department connections - are subject to a programme of friendly probing to check for security problems. As specified in an IT syndicate notice, this means that you must not block ping requests, at least from certain trusted sources.

• If you are using the Windows Firewall in Windows XP Service Pack 2 or above, you should select open the Security Center from the Control Panel and choose to manage security settings for the Firewall. Click on the Advanced tab, and then click on Settings... in the ICMP section. Tick only the "Allow incoming echo request" box, and click OK.
• If your computer is connected to the university network and you are using a version of the Internet Connection Firewall (or indeed any other firewall) that does not have these advanced settings, unfortunately you will have to disable the firewall and consider using an alternative firewall
• Users of ZoneAlarm can choose to accept ping (ICMP echo) requests specifically from the trusted Cambridge source - for setting instructions, click here.

Computers on the university network are protected from external attack on certain ports which are blocked on the CUDN/JANET.

Unauthorised software and 'malware'

There is a wide variety of software which could end up on your computer without your knowledge or permission (see also viruses). The general term "malware" is used to describe any software designed to do harm - while virus scanners will detect viruses and some other forms of malware, they are not designed to look for spyware (which gathers data about you without permission) and unwanted advertising. There are programs to remove spyware, but you should also take care to reduce your chances of downloading spyware. The main methods of delivery are e-mail and internet downloads.

• E-mail attachments
  • You should never open or access an executable attachment (including, but not exclusively, those ending in .exe) unless you were expecting to receive and you know what it is. Hermes will remove all .exe attachments (and several other types) to prevent this risk, so if you really must send or receive a .exe file it should first be compressed or "wrapped" as, for example, a .zip archive.
  • You should never open or access any attachment from a sender you do not know. It is not always obvious which attachments are executable - it is not even guaranteed that images are safe.
  • Ideally you should never open or access any unexpected attachment. If a friend's computer has a virus infection, a contaminated file may be sent to you from their address. If possible, contact them to check its identity.
  • Use anti-virus software to check your attachments
• The Internet and software downloads
  • Even software that you volunteer to download may not be as innocuous as it appears. Many file-sharing programs (which you must not use on the university network anyway!) also include additional software to, for example, collect information for advertising purposes. It would be wise to check that free software you are intending to download does not have these problems - searching Google is likely to provide useful information.
  • Viewing some websites will initiate an automatic download. If you are offered a viewer, toolbar, plug-in or helper application that you are not familiar with you should not agree to download it. Find the website of the manufacturer and check what the software is for.
  • In relatively rare cases, simply navigating to a website will initiate a download with no prompting. This is generally less of a problem with newer browsers - for example the version of Internet Explorer 6 in Windows XP Service Pack 2, which blocks most of these - so you should ensure that your web browser is up to date.
  • Javascript, ActiveX objects and Java applets are used to provide dynamic or interactive features. Sometimes these can have a malicious purpose. Updating your browser to ensure that as many security holes are patched as possible will limit what these scripts can do. It is possible to disable Java and/or Javascript in your web browser, but this is generally not recommended as it will prevent the use of some websites, and limit the available features of many others.

Some more minor problems are associated with data mining and cookies. Many sites use cookies, small files stored on your computer, to identify you and remember preferences - some of these cookies are deleted immediately after use; others are persistent. In many cases these are useful. However, advertising services often also use these to assist with accumulating information about you, which at the very least is a privacy concern. You could block all cookies, but this would severely limit the use you could make of the Internet. More moderate privacy settings can be selected in most modern web browsers.

There are two very good free programs, both of which offer regular updates, which can be used to remove many unwanted plug-ins, cookies with privacy implications, etc. These work very well together and it would be a good idea to install both on your own Windows computer.

• Ad-aware will search your computer for items in its database and provide a safe way of removing them.
• Spybot - Search and Destroy does much the same thing, but will additionally "innoculate" your browser to protect against future problems.

Both of these need to be manually run and updated. Microsoft has recently launched its own free software to combat spyware, which runs in the background and automatically updates itself, making it more reliable and easier to use. This is suitable only for Windows 2000 and Windows XP, but if you have either operating system it is strongly recommended. It is technically still in testing (it is a beta version), but it has been released to the public and seems reliable:

• Microsoft Antispyware

If you want to find out more about security risks, you might want to refer to this detailed information for home users.

Security for passwords and personal data

Many online services, inside and outside the university, require you to supply a password. Unfortunately it is often possible to send these in an unencrypted form, which makes it much easier for people to intercept them. The same is true in principle for credit card details. The dangers of the latter falling into the wrong hands are perfectly clear; in the former case, there is the danger of computers or accounts being compromised, and of private information reaching an unintended audience. In some cases there is a choice between secure and insecure methods (e.g. logging in to an e-mail service); for online shopping, there should not really be an insecure option for a retailer you trust.

Here is a side-by-side comparison of insecure methods and their secure alternatives:

Whenever a secure option is available it is a very good idea to use it. The table below summarises the options for university servers.

The only reason for using the insecure option is if it is not supported by the service, or if you do not have the required software to make a secure connection. Fortunately, it is easy to acquire suitable free software for your own computers, and it is already available for your use on the MCR computer and PWF computers (although it is not quite as convenient as some insecure options). Users of Unix or Linux should already have everything they need, at least as command line tools.

• PWF Computers running Windows (Computing Service information)
  • FTP: FTP Explorer
  • SCP: WinSCP or pscp
  • SFTP: None
  • SSH: PuTTY
• PWF Macintoshes (Computing Service information)
  • FTP: Fetch or Unix ftp
  • SCP: Unix scp
  • SFTP: MacSFTP or Unix sftp
  • SSH: iTerm or JellyfiSSH
• Linux (including PWF) (Computing Service information)
  • FTP: ftp
  • SCP: scp
  • SFTP: sftp
  • SSH: openssh
• Your own Windows PC
  • FTP: An FTP client (recommended), Internet Explorer or other web browser, ftp at command prompt
  • SCP: WinSCP (recommended), PuTTY (command line only)
  • SFTP: WinSCP (recommended), PuTTY (command line only)
  • SSH: PuTTY - from the Computing Service (local users only), or the PuTTY homepage