Firewalls, malware and secure data transfer
Hacking and firewalls
Communication between a computer and a network is directed through "ports". Each port is identified by a number, and is generally allocated to a particular type of network traffic or communications protocol. Unprotected computers often accept incoming and outgoing communication through most of these ports without restriction, and this sometimes allows malicious users to gain some sort of unauthorised control of the computers. Firewalls prevent communication through these ports, either by simply closing the port or by restricting access to it for known software or approved purposes only.
It is generally wise to use a firewall. Windows XP includes a firewall, enhanced in Service Pack 2, which greatly improves security for incoming traffic - unless you are using another firewall product, you should generally enable this. For this and other operating systems, you may find the general description in the (slightly out of date) Home User Guide to PC Security useful. The Windows Firewall does not take any action for outgoing traffic, which means that unauthorised software running on your computer could continue to perform whatever malicious actions it was programmed to perform. More comprehensive software includes ZoneAlarm, which is available free (a commercial version, ZoneAlarm Pro, offers further enhanced protection) - there is information about configuring ZoneAlarm for users on the Cambridge network. If you have a Windows PC and choose to install an alternative firewall (e.g. ZoneAlarm), you should disable the built-in Windows firewall - running more than one firewall program can slow down your computer and cause connectivity problems.
Firewalls can also be implemented in hardware. Those sharing a broadband connection with a router (wireless or otherwise) may find that it has firewall features, which you should generally enable.
University regulations do not specify whether you should use a firewall or not, but they do require certain settings to be made if you are using a firewall. Computers connected to the University network (CUDN) - all college and department connections - are subject to a programme of friendly probing to check for security problems. As specified in an IT syndicate notice, this means that you must not block ping requests, at least from certain trusted sources.
Computers on the university network are protected from external attack on certain ports which are blocked on the CUDN/JANET.
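The difference described above between a firewall that filters only incoming traffic and one that also controls outgoing traffic, together with the requirement not to block ping from trusted sources, is shown here as an added example (not code from this page or from any firewall product). The trusted range, program names and sample packets are constructed placeholders, and each packet is treated as a new connection attempt.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: stand-in for the "trusted sources" that must be able to ping.
# 192.0.2.0/24 is a documentation range, not the real probing hosts.
TRUSTED_PROBES = ipaddress.ip_network("192.0.2.0/24")

@dataclass
class Packet:
    direction: str     # "in" or "out"
    proto: str         # "tcp", "udp" or "icmp-echo"
    remote: str        # address of the other end
    port: int = 0      # local port (inbound) or remote port (outbound)
    program: str = ""  # local program sending the traffic (outbound only)

def inbound_allowed(pkt, open_ports):
    """Default-deny inbound: listed ports only, plus ping from trusted probes."""
    if pkt.proto == "icmp-echo":
        return ipaddress.ip_address(pkt.remote) in TRUSTED_PROBES
    return (pkt.proto, pkt.port) in open_ports

def inbound_only_firewall(pkt, open_ports=frozenset()):
    """Filters incoming traffic; takes no action on outgoing traffic."""
    if pkt.direction == "out":
        return True
    return inbound_allowed(pkt, open_ports)

def two_way_firewall(pkt, approved_programs, open_ports=frozenset()):
    """Same inbound policy, but outgoing traffic needs an approved program."""
    if pkt.direction == "out":
        return pkt.program in approved_programs
    return inbound_allowed(pkt, open_ports)

# Constructed sample traffic (addresses are documentation ranges).
SAMPLES = [
    Packet("in", "tcp", "203.0.113.9", 5000),                  # unsolicited connection
    Packet("in", "icmp-echo", "192.0.2.10"),                   # ping from a trusted probe
    Packet("in", "icmp-echo", "203.0.113.9"),                  # ping from anywhere else
    Packet("out", "tcp", "198.51.100.7", 443, "browser.exe"),  # approved program
    Packet("out", "tcp", "198.51.100.7", 8080, "unknown.exe"), # unapproved program
]

def verdicts(samples=SAMPLES, approved=frozenset({"browser.exe"})):
    """Return (inbound-only verdict, two-way verdict) for each packet."""
    return [(inbound_only_firewall(p), two_way_firewall(p, approved)) for p in samples]

if __name__ == "__main__":
    for pkt, (one_way, two_way) in zip(SAMPLES, verdicts()):
        print(pkt.direction, pkt.proto, pkt.remote, one_way, two_way)
```

Only the last sample differs between the two models: the inbound-only firewall lets the unapproved program send traffic out, while the two-way firewall blocks it.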
Unauthorised software and 'malware'
There is a wide variety of software which could end up on your computer without your knowledge or permission (see also viruses). The general term "malware" is used to describe any software designed to do harm - while virus scanners will detect viruses and some other forms of malware, they are not designed to look for spyware (which gathers data about you without permission) and unwanted advertising. There are programs to remove spyware, but you should also take care to reduce your chances of downloading spyware. The main methods of delivery are e-mail and internet downloads.
There are two very good free programs, both of which offer regular updates, which can be used to remove many unwanted plug-ins, cookies with privacy implications, etc. These work very well together and it would be a good idea to install both on your own Windows computer.
Both of these need to be manually run and updated. Microsoft has recently launched its own free software to combat spyware, which runs in the background and automatically updates itself, making it more reliable and easier to use. This is suitable only for Windows 2000 and Windows XP, but if you have either operating system it is strongly recommended. It is technically still in testing (it is a beta version), but it has been released to the public and seems reliable:
If you want to find out more about security risks, you might want to refer to this detailed information for home users.
Security for passwords and personal data
Many online services, inside and outside the university, require you to supply a password. Unfortunately it is often possible to send these in an unencrypted form, which makes it much easier for people to intercept them. The same is true in principle for credit card details. The dangers of the latter falling into the wrong hands are perfectly clear; in the former case, there is the danger of computers or accounts being compromised, and of private information reaching an unintended audience. In some cases there is a choice between secure and insecure methods (e.g. logging in to an e-mail service); for online shopping, there should not really be an insecure option for a retailer you trust.
Here is a side-by-side comparison of insecure methods and their secure alternatives:
Whenever a secure option is available it is a very good idea to use it. The table below summarises the options for university servers.
The only reason for using the insecure option is if the secure option is not supported by the service, or if you do not have the required software to make a secure connection. Fortunately, it is easy to acquire suitable free software for your own computers, and it is already available for your use on the MCR computer and PWF computers (although it is not quite as convenient as some insecure options). Users of Unix or Linux should already have everything they need, at least as command line tools.
Computing information last modified by SP on 13 October 2009