CERT® Coordination Center

Home Network Security

This document gives home users an overview of the security risks and countermeasures associated with Internet connectivity, especially in the context of "always-on" or broadband access services (such as cable modems and DSL). However, much of the content is also relevant to traditional dial-up users (users who connect to the Internet using a modem).

Computer security
- What is computer security?
- Why should I care about computer security?
- Who would want to break into my computer at home?
- How easy is it to break into my computer?

Technology
- What does "broadband" mean?
- What is cable modem access?
- What is DSL access?
- How are broadband services different from traditional dial-up services?
- How is broadband access different from the network I use at work?
- What is a protocol?
- What is IP?
- What is an IP address?
- What are static and dynamic addressing?
- What is NAT?
- What are TCP and UDP ports?
- What is a firewall?
- What does antivirus software do?

Computer security risks to home users
- What is at risk?
- Intentional misuse of your computer
  - Trojan horse programs
  - Back door and remote administration programs
  - Denial of service
  - Being an intermediary for another attack
  - Unprotected Windows shares
  - Mobile code (Java, JavaScript, and ActiveX)
  - Cross-site scripting
  - Email spoofing
  - Email-borne viruses
  - Hidden file extensions
  - Chat clients
  - Packet sniffing
- Accidents and other risks
  - Disk failure
  - Power failure and surges
  - Physical theft

Actions home users can take to protect their computer systems
- Consult your system support personnel if you work from home
- Use virus protection software
- Use a firewall
- Don't open unknown email attachments
- Don't run programs of unknown origin
- Disable hidden filename extensions
- Keep all applications (including your operating system) patched
- Turn off your computer or disconnect from the network when not in use
- Disable Java, JavaScript, and ActiveX if possible
- Disable scripting features in email programs
- Make regular backups of critical data
- Make a boot disk in case your computer is damaged or compromised

Appendix: References and additional information

Document Revision History

Computer security

What is computer security?

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

Why should I care about computer security?

We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

Who would want to break into my computer at home?

Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.

Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.

Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

How easy is it to break into my computer?

Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.

When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.

Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

Technology

This section provides a basic introduction to the technologies that underlie the Internet. It was written with the novice end-user in mind and is not intended to be a comprehensive survey of all Internet-based technologies. Each subsection gives a short overview of one topic. This section is a basic primer on the relevant technologies; for those who desire a deeper understanding of the concepts covered here, we include links to additional information.

What does broadband mean?

"Broadband" is the general term used to refer to high-speed network connections. In this context, Internet connections via cable modem and Digital Subscriber Line (DSL) are frequently referred to as broadband Internet connections. "Bandwidth" is the term used to describe the relative speed of a network connection -- for example, most current dial-up modems can support a bandwidth of 56 kbps (thousand bits per second). There is no set bandwidth threshold required for a connection to be referred to as "broadband", but it is typical for connections in excess of 1 Megabit per second (Mbps) to be so named.

What is cable modem access?

A cable modem allows a single computer (or network of computers) to connect to the Internet via the cable TV network. The cable modem usually has an Ethernet LAN (Local Area Network) connection to the computer, and is capable of speeds in excess of 5 Mbps.

Typical speeds tend to be lower than the maximum, however, since cable providers turn entire neighborhoods into LANs which share the same bandwidth. Because of this "shared-medium" topology, cable modem users may experience somewhat slower network access during periods of peak demand, and may be more susceptible to risks such as packet sniffing and unprotected Windows shares than users with other types of connectivity. (See the "Computer security risks to home users" section of this document.)

What is DSL access?

Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth. However, the maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies. Also, the "dedicated bandwidth" is only dedicated between your home and the DSL provider's central office -- the providers offer little or no guarantee of bandwidth all the way across the Internet.

DSL access is not as susceptible to packet sniffing as cable modem access, but many of the other security risks we'll cover apply to both DSL and cable modem access. (See the "Computer security risks to home users" section of this document.)

How are broadband services different from traditional dial-up services?

Traditional dial-up Internet services are sometimes referred to as "dial-on-demand" services. That is, your computer only connects to the Internet when it has something to send, such as email or a request to load a web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, in most cases each call connects to a pool of modems at the ISP, and since the modem IP addresses are dynamically assigned, your computer is usually assigned a different IP address on each call. As a result, it is more difficult (not impossible, just difficult) for an attacker to take advantage of vulnerable network services to take control of your computer.

Broadband services are referred to as "always-on" services because there is no call setup when your computer has something to send. The computer is always on the network, ready to send or receive data through its network interface card (NIC). Since the connection is always up, your computer's IP address will change less frequently (if at all), thus making it more of a fixed target for attack.

What's more, many broadband service providers use well-known IP addresses for home users. So while an attacker may not be able to single out your specific computer as belonging to you, they may at least be able to know that your service providers' broadband customers are within a certain address range, thereby making your computer a more likely target than it might have been otherwise.

The table below shows a brief comparison of traditional dial-up and broadband services.

|                           | Dial-up                                        | Broadband                                                          |
|---------------------------|------------------------------------------------|--------------------------------------------------------------------|
| Connection type           | Dial on demand                                 | Always on                                                          |
| IP address                | Changes on each call                           | Static or infrequently changing                                    |
| Relative connection speed | Low                                            | High                                                               |
| Remote control potential  | Computer must be dialed in to control remotely | Computer is always connected, so remote control can occur anytime  |
| ISP-provided security     | Little or none                                 | Little or none                                                     |

Table 1: Comparison of Dial-up and Broadband Services

How is broadband access different from the network I use at work?

Corporate and government networks are typically protected by many layers of security, ranging from network firewalls to encryption. In addition, they usually have support staff who maintain the security and availability of these network connections.

Although your ISP is responsible for maintaining the services they provide to you, you probably won't have dedicated staff on hand to manage and operate your home network. You are ultimately responsible for your own computers. As a result, it is up to you to take reasonable precautions to secure your computers from accidental or intentional misuse.

What is a protocol?

A protocol is a well-defined specification that allows computers to communicate across a network. In a way, protocols define the "grammar" that computers can use to "talk" to each other.

What is IP?

IP stands for "Internet Protocol". It can be thought of as the common language of computers on the Internet. There are a number of detailed descriptions of IP given elsewhere, so we won't cover it in detail in this document. However, it is important to know a few things about IP in order to understand how to secure your computer. Here we'll cover IP addresses, static vs. dynamic addressing, NAT, and TCP and UDP ports.

An overview of TCP/IP can be found in the TCP/IP Frequently Asked Questions (FAQ) at http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/ and http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part2/

What is an IP address?

IP addresses are analogous to telephone numbers -- when you want to call someone on the telephone, you must first know their telephone number. Similarly, when a computer on the Internet needs to send data to another computer, it must first know its IP address. IP addresses are typically shown as four numbers separated by decimal points, or "dots". For example, 10.24.254.3 and 192.168.62.231 are IP addresses.

If you need to make a telephone call but you only know the person's name, you can look them up in the telephone directory (or call directory services) to get their telephone number. On the Internet, that directory is called the Domain Name System, or DNS for short. If you know the name of a server, say www.cert.org, and you type this into your web browser, your computer will then go ask its DNS server what the numeric IP address is that is associated with that name.

Every computer on the Internet has an IP address associated with it that uniquely identifies it. However, that address may change over time, especially if the computer is
- dialing into an Internet Service Provider (ISP)
- connected behind a network firewall
- connected to a broadband service using dynamic IP addressing

What are static and dynamic addressing?

Static IP addressing occurs when an ISP permanently assigns one or more IP addresses for each user. These addresses do not change over time. However, if a static address is assigned but not in use, it is effectively wasted. Since ISPs have a limited number of addresses allocated to them, they sometimes need to make more efficient use of their addresses.

Dynamic IP addressing allows the ISP to efficiently utilize their address space. Using dynamic IP addressing, the IP addresses of individual user computers may change over time. If a dynamic address is not in use, it can be automatically reassigned to another computer as needed.

What is NAT?

Network Address Translation (NAT) provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used by home users is called "masquerading".

Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. This allows for multiple computers in a home network to use a single cable modem or DSL connection without requiring the ISP to provide more than one IP address to the user. Using this method, the ISP-assigned IP address can be either static or dynamic. Most network firewalls support NAT masquerading.

What are TCP and UDP ports?

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both protocols that use IP. Whereas IP allows two computers to talk to each other across the Internet, TCP and UDP allow individual applications (also known as "services") on those computers to talk to each other.

In the same way that a telephone number or physical mail box might be associated with more than one person, a computer might have multiple applications (e.g. email, file services, web services) running on the same IP address. Ports allow a computer to differentiate services such as email data from web data. A port is simply a number associated with each application that uniquely identifies that service on that computer. Both TCP and UDP use ports to identify services. Some common port numbers are 80 for web (HTTP), 25 for email (SMTP), and 53 for Domain Name System (DNS).

What is a firewall?

The Firewalls FAQ (http://www.faqs.org/faqs/firewalls-faq/) defines a firewall as "a system or group of systems that enforces an access control policy between two networks."
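As an added illustration (not code from the CERT document) of the three ideas just covered, NAT masquerading, ports, and a firewall's access-control policy, the following Python model shows two home computers sharing one public address and an unsolicited inbound probe being dropped. All addresses, port numbers and the default-deny policy are constructed for the example.

```python
"""Model of a home router that does NAT masquerading and enforces a
default-deny inbound policy. Added illustration, not code from the CERT
document. All addresses and port numbers are constructed; 203.0.113.7
stands in for the single ISP-assigned public address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class HomeRouter:
    public_ip: str
    # Services the owner deliberately exposes: public port -> (LAN host, port).
    # Empty by default, so nothing on the LAN is reachable unsolicited.
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_public_port: int = 40000
    # Masquerading state, filled in as LAN hosts open connections:
    # (proto, LAN ip, LAN port) -> public port, and the reverse mapping.
    nat_out: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    nat_in: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    dropped: List[Packet] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN so that every host appears as public_ip.
        Each (proto, LAN ip, LAN port) gets its own public source port; that port is
        what later lets a reply be matched back to the right computer."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port)
        if flow not in self.nat_out:
            pub_port = self.next_public_port
            self.next_public_port += 1
            self.nat_out[flow] = pub_port
            self.nat_in[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.nat_out[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Access-control policy for packets arriving from the Internet:
        1. a reply to a connection a LAN host opened is translated back and delivered;
        2. a packet for an explicitly forwarded port goes to the designated host;
        3. anything else (for example a scan looking for an open service) is dropped."""
        inside = self.nat_in.get((pkt.proto, pkt.dst_port))
        if inside is None:
            inside = self.port_forwards.get(pkt.dst_port)
        if inside is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo() -> dict:
    """Two LAN computers share one public address; an unsolicited probe is blocked."""
    router = HomeRouter(public_ip="203.0.113.7")
    web_site = "198.51.100.20"    # constructed remote web server
    # Both computers happen to pick the same local port; masquerading must still tell them apart.
    pc1 = Packet("tcp", "192.168.62.231", 1025, web_site, 80)
    pc2 = Packet("tcp", "192.168.62.10", 1025, web_site, 80)
    out1, out2 = router.outbound(pc1), router.outbound(pc2)

    # The web site only ever sees the public address and replies to the translated ports.
    reply1 = router.inbound(Packet("tcp", web_site, 80, router.public_ip, out1.src_port))
    reply2 = router.inbound(Packet("tcp", web_site, 80, router.public_ip, out2.src_port))

    # An outsider probes the public address on TCP 139, the Windows file-sharing port.
    probe = router.inbound(Packet("tcp", "192.0.2.55", 3333, router.public_ip, 139))

    return {
        "seen_by_web_site": (out1.src_ip, out2.src_ip),
        "reply1_delivered_to": (reply1.dst_ip, reply1.dst_port),
        "reply2_delivered_to": (reply2.dst_ip, reply2.dst_port),
        "probe_delivered": probe is not None,
        "dropped": len(router.dropped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe is dropped only because no LAN host opened that flow and no port forward exists for it; a forwarded port is reachable from anywhere, which is why the model keeps `port_forwards` empty unless the owner adds an entry.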
In the context of home networks, a firewall typically takes one of two forms:
- Software firewall - specialized software running on an individual computer, or
- Network firewall - a dedicated device designed to protect one or more computers.

Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs.

More information on firewalls can be found in the Additional resources section of this document.

What does antivirus software do?

There are a variety of antivirus software packages that operate in many different ways, depending on how the vendor chose to implement their software. What they have in common, though, is that they all look for patterns in the files or memory of your computer that indicate the possible presence of a known virus. Antivirus packages know what to look for through the use of virus profiles (sometimes called "signatures") provided by the vendor.

New viruses are discovered daily. The effectiveness of antivirus software is dependent on having the latest virus profiles installed on your computer so that it can look for recently discovered viruses. It is important to keep these profiles up to date.

Computer security risks to home users

What is at risk?

Information security is concerned with three main areas:
- Confidentiality -- information should be available only to those who rightfully have access to it
- Integrity -- information should be modified only by those who are authorized to do so
- Availability -- information should be accessible to those who need it when they need it

These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.

Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats -- and some of those steps help with both the intentional and accidental risks you're likely to face. Before we get to what you can do to protect your computer or home network, let's take a closer look at some of these risks.

Intentional misuse of your computer

The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.
- Trojan horse programs
- Back door and remote administration programs
- Denial of service
- Being an intermediary for another attack
- Unprotected Windows shares
- Mobile code (Java, JavaScript, and ActiveX)
- Cross-site scripting
- Email spoofing
- Email-borne viruses
- Hidden file extensions
- Chat clients
- Packet sniffing

Trojan horse programs

Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. More information about Trojan horses can be found in the following document.

http://www.cert.org/advisories/CA-1999-02.html

Back door and remote administration programs

On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer.

Denial of service

Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. In most cases, the latest patches will prevent the attack. The following documents describe denial-of-service attacks in greater detail.

http://www.cert.org/advisories/CA-2000-01.html
http://www.cert.org/archive/pdf/DoS_trends.pdf

It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.

Being an intermediary for another attack

Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else's -- your computer is just a convenient tool in a larger attack.

Unprotected Windows shares

Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in http://www.cert.org/incident_notes/IN-2000-01.html

Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in http://www.cert.org/incident_notes/IN-2000-03.html

There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.

Mobile code (Java/JavaScript/ActiveX)

There have been reports of problems with "mobile code" (e.g. Java, JavaScript, and ActiveX). These are programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your web browser. We recommend that you do so if you are browsing web sites that you are not familiar with or do not trust.

Also be aware of the risks involved in the use of mobile code within email programs. Many email programs use the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript, and ActiveX are often applicable to email as well as web pages.

More information on ActiveX security is available in http://www.cert.org/archive/pdf/activeX_report.pdf

Cross-site scripting

A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.

You can potentially expose your web browser to malicious scripts by
- following links in web pages, email messages, or newsgroup postings without knowing what they link to
- using interactive forms on an untrustworthy site
- viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags

More information regarding the risks posed by malicious code in web links can be found in CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests.

Email spoofing

Email "spoofing" is when an email message appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Spoofed email can range from harmless pranks to social engineering ploys. Examples of the latter include
- email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply
- email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

Note that while service providers may occasionally request that you change your password, they usually will not specify what you should change it to. Also, most legitimate service providers would never ask you to send them any password information via email. If you suspect that you may have received a spoofed email from someone with malicious intent, you should contact your service provider's support personnel immediately.

Email-borne viruses

Viruses and other types of malicious code are often spread as attachments to email messages. Before opening any attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus (see References) spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs.

Many recent viruses use these social engineering techniques to spread. Examples include
- W32/Sircam -- http://www.cert.org/advisories/CA-2001-22.html
- W32/Goner -- http://www.cert.org/incident_notes/IN-2001-15.html

Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.

Hidden file extensions

Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm, which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes. Examples include
- Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
- VBS/Timofonica (TIMOFONICA.TXT.vbs)
- VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
- VBS/OnTheFly (AnnaKournikova.jpg.vbs)

The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).

Chat clients

Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted bi-directionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type.

Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. As with email clients, care should be taken to limit the chat client's ability to execute downloaded files. As always, you should be wary of exchanging files with unknown parties.

Packet sniffing

A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access.

Relative to DSL and traditional dial-up users, cable modem users have a higher risk of exposure to packet sniffers since entire neighborhoods of cable modem users are effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood.

Accidents and other risks

In addition to the risks associated with connecting your computer to the Internet, there are a number of risks that apply even if the computer has no network connections at all. Most of these risks are well-known, so we won't go into much detail in this document, but it is important to note that the common practices associated with reducing these risks may also help reduce susceptibility to the network-based risks discussed above.

Disk failure

Recall that availability is one of the three key elements of information security. Although all stored data can become unavailable -- if the media it's stored on is physically damaged, destroyed, or lost -- data stored on hard disks is at higher risk due to the mechanical nature of the device. Hard disk crashes are a common cause of data loss on personal computers. Regular system backups are the only effective remedy.

Power failure and surges

Power problems (surges, blackouts, and brown-outs) can cause physical damage to a computer, inducing a hard disk crash or otherwise harming the electronic components of the computer. Common mitigation methods include using surge suppressors and uninterruptible power supplies (UPS).

Physical theft

Physical theft of a computer, of course, results in the loss of confidentiality and availability, and (assuming the computer is ever recovered) makes the integrity of the data stored on the disk suspect. Regular system backups (with the backups stored somewhere away from the computer) allow for recovery of the data, but backups alone cannot address confidentiality. Cryptographic tools are available that can encrypt data stored on a computer's hard disk. The CERT/CC encourages the use of these tools if the computer contains sensitive data or is at high risk of theft (e.g. laptops or other portable computers).

Actions home users can take to protect their computer systems

The CERT/CC recommends the following practices to home users:
- Consult your system support personnel if you work from home
- Use virus protection software
- Use a firewall
- Don't open unknown email attachments
- Don't run programs of unknown origin
- Disable hidden filename extensions
- Keep all applications (including your operating system) patched
- Turn off your computer or disconnect from the network when not in use
- Disable Java, JavaScript, and ActiveX if possible
- Disable scripting features in email programs
- Make regular backups of critical data
- Make a boot disk in case your computer is damaged or compromised

Further discussion on each of these points is given below.

Recommendations

Consult your system support personnel if you work from home

If you use your broadband access to connect to your employer's network via a Virtual Private Network (VPN) or other means, your employer may have policies or procedures relating to the security of your home network. Be sure to consult with your employer's support personnel, as appropriate, before following any of the steps outlined in this document.

Use virus protection software

The CERT/CC recommends the use of anti-virus software on all Internet-connected computers. Be sure to keep your anti-virus software up-to-date. Many anti-virus packages support automatic updates of virus definitions. We recommend the use of these automatic updates when available.

Use a firewall

We strongly recommend the use of some type of firewall product, such as a network appliance or a personal firewall software package. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. However, no firewall can detect or stop all attacks, so it's not sufficient to install a firewall and then ignore all other security measures.

Don't open unknown email attachments

Before opening any email attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Malicious code might be distributed in amusing or enticing programs.

If you must open an attachment before you can verify the source, we suggest the following procedure:
1. be sure your virus definitions are up-to-date (see "Use virus protection software" above)
2. save the file to your hard disk
3. scan the file using your antivirus software
4. open the file

For additional protection, you can disconnect your computer's network connection before opening the file.

Following these steps will reduce, but not wholly eliminate, the chance that any malicious code contained in the attachment might spread from your computer to others.

Don't run programs of unknown origin

Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.

Disable hidden filename extensions

Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but you can disable this option in order to have file extensions displayed by Windows. After disabling this option, there are still some file extensions that, by default, will continue to remain hidden.

There is a registry value which, if set, will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the operating system. The "NeverShowExt" registry value is used to hide the extensions for basic Windows file types.
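As an added illustration (not code from the CERT document) for this recommendation and for the "Hidden file extensions" section above, the following Python model shows what Windows lists for the attachment names cited in that section under each setting of the hide-extensions option, and which names disguise a script or executable behind a decoy extension. The extension sets are assumptions chosen for the example; of the NeverShowExt types only .LNK comes from the document.

```python
"""Models what Windows Explorer lists for an attachment name under the
"Hide file extensions for known file types" option, and flags names that
disguise a script or executable behind a harmless-looking extension.
Added illustration, not code from the CERT document. The extension sets
are assumptions chosen for the example; of the NeverShowExt types only
.lnk is taken from the document."""
import os
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Extensions that run code when opened (assumed set for this example).
RUNNABLE_EXTS: FrozenSet[str] = frozenset({".exe", ".com", ".bat", ".vbs", ".js", ".pif", ".scr", ".lnk"})
# Extensions a user would take for harmless data (assumed set).
DATA_EXTS: FrozenSet[str] = frozenset({".txt", ".jpg", ".mpg", ".avi", ".doc", ".gif"})
# Types carrying the NeverShowExt registry value: hidden regardless of the user's choice.
NEVER_SHOW_EXT: FrozenSet[str] = frozenset({".lnk"})
KNOWN_EXTS: FrozenSet[str] = RUNNABLE_EXTS | DATA_EXTS

# Attachment names from the document's examples plus two ordinary files (constructed sample).
SAMPLE_NAMES: List[str] = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "MySis.avi.exe",
    "QuickFlick.mpg.exe",
    "TIMOFONICA.TXT.vbs",
    "COOL_NOTEPAD_DEMO.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "holiday.jpg",
    "notes.txt",
]


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Return the name as Explorer would list it. `hide_known` is the user's
    "Hide file extensions for known file types" setting."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in NEVER_SHOW_EXT or (hide_known and ext in KNOWN_EXTS):
        return stem
    return filename


@dataclass(frozen=True)
class Verdict:
    filename: str
    displayed: str
    true_ext: str
    suspicious: bool
    reason: str


def check_attachment(filename: str, hide_known: bool = True) -> Verdict:
    """Compare what the user sees with what the file really is. The real type is
    decided by the last extension; the visible name may end in a decoy extension."""
    shown = displayed_name(filename, hide_known)
    true_ext = os.path.splitext(filename)[1].lower()
    visible_ext = os.path.splitext(shown)[1].lower()
    if true_ext in RUNNABLE_EXTS and visible_ext in DATA_EXTS:
        return Verdict(filename, shown, true_ext, True,
                       f"looks like {visible_ext} but is a {true_ext} file")
    if true_ext in RUNNABLE_EXTS and shown != filename:
        return Verdict(filename, shown, true_ext, True,
                       f"{true_ext} file listed with its extension hidden")
    return Verdict(filename, shown, true_ext, False, "extension visible or not runnable")


def screen(names: Iterable[str], hide_known: bool = True) -> List[str]:
    """Names that should not be opened without checking their true type."""
    return [n for n in names if check_attachment(n, hide_known).suspicious]


if __name__ == "__main__":
    for setting in (True, False):
        print(f"hide known extensions = {setting}: {screen(SAMPLE_NAMES, setting)}")
```

With the option on, all six virus attachments are listed as .TXT, .avi, .mpg or .jpg files; with it off they show their real extension, but a name ending in .lnk is still shortened, which is the NeverShowExt case.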
For example, the ".LNK" extension associated with Windows shortcuts remains hidden even after a user has turned off the option to hide extensions.

Specific instructions for disabling hidden file name extensions are given in http://www.cert.org/incident_notes/IN-2000-07.html

Keep all applications, including your operating system, patched

Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor's web site. Read the manuals or browse the vendor's web site for more information.

Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered, you may need to check periodically for updates.

Turn off your computer or disconnect from the network when not in use

Turn off your computer or disconnect its Ethernet interface when you are not using it. An intruder cannot attack your computer if it is powered off or otherwise completely disconnected from the network.

Disable Java, JavaScript, and ActiveX if possible

Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.

The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Turning off these options will keep you from being vulnerable to malicious scripts. However, it will limit the interaction you can have with some web sites. Many legitimate sites use scripts running within the browser to add useful features.
Disabling scripting may degrade the functionality of these sites.

More information on ActiveX security, including recommendations for users who administer their own computers, is available in http://www.cert.org/archive/pdf/activeX_report.pdf

More information regarding the risks posed by malicious code in web links can be found in CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests.

Disable scripting features in email programs

Because many email programs use the same code as web browsers to display HTML, vulnerabilities that affect ActiveX, Java, and JavaScript are often applicable to email as well as web pages. Therefore, in addition to disabling scripting features in web browsers (see "Disable Java, JavaScript, and ActiveX if possible", above), we recommend that users also disable these features in their email programs.

Make regular backups of critical data

Keep a copy of important files on removable media such as ZIP disks or recordable CD-ROM disks (CD-R or CD-RW disks). Use software backup tools if available, and store the backup disks somewhere away from the computer.

Make a boot disk in case your computer is damaged or compromised

To aid in recovering from a security breach or hard disk failure, create a boot disk on a floppy disk which will help when recovering a computer after such an event has occurred.
Remember, however, you must create this disk before you have a security event.

Appendix: References and additional information

This section contains links to references and additional resources related to this document.

References

The following documents were used in compiling portions of this document:

CERT Advisories
CERT Incident Notes
CERT Tech Tips
Other CERT documents

CERT Advisories

CA-1999-02: Trojan Horses
http://www.cert.org/advisories/CA-1999-02.html

CA-1999-04: Melissa Macro Virus
http://www.cert.org/advisories/CA-1999-04.html

CA-2000-01: Denial-of-Service Developments
http://www.cert.org/advisories/CA-2000-01.html

CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

CA-2001-22: W32/Sircam Malicious Code
http://www.cert.org/advisories/CA-2001-22.html

CERT Incident Notes

IN-2000-01: Windows Based DDOS Agents
http://www.cert.org/incident_notes/IN-2000-01.html

IN-2000-02: Exploitation of Unprotected Windows Networking Shares
http://www.cert.org/incident_notes/IN-2000-02.html

IN-2000-03: 911 Worm
http://www.cert.org/incident_notes/IN-2000-03.html

IN-2000-07: Exploitation of Hidden File Extensions
http://www.cert.org/incident_notes/IN-2000-07.html

IN-2000-08: Chat Clients and Network Security
http://www.cert.org/incident_notes/IN-2000-08.html

IN-2001-15: W32/Goner Worm
http://www.cert.org/incident_notes/IN-2001-15.html

CERT Tech Tips

Spoofed/Forged Email
http://www.cert.org/tech_tips/email_spoofing.html

Other CERT documents

Results of the Security in ActiveX Workshop
http://www.cert.org/archive/pdf/activeX_report.pdf

Security of the Internet
http://www.cert.org/encyc_article/tocencyc.html#PackSnif

Trends in Denial of Service Attack Technology
http://www.cert.org/archive/pdf/DoS_trends.pdf

Additional resources

Additional information is available from the following sources.

TCP/IP Frequently Asked Questions
http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/
http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part2/

Computer Virus Frequently
Asked Questions for New Users
http://www.faqs.org/faqs/computer-virus/new-users/

alt.comp.virus Frequently Asked Questions
http://www.faqs.org/faqs/computer-virus/alt-faq/part1/
http://www.faqs.org/faqs/computer-virus/alt-faq/part2/
http://www.faqs.org/faqs/computer-virus/alt-faq/part3/
http://www.faqs.org/faqs/computer-virus/alt-faq/part4/

VIRUS-L/comp.virus Frequently Asked Questions
http://www.faqs.org/faqs/computer-virus/faq/

Firewalls Frequently Asked Questions
http://www.faqs.org/faqs/firewalls-faq/

This document is available from: http://www.cert.org/tech_tips/home_networks.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST (GMT-5) / EDT (GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.
Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

June 22, 2001: Initial Release
June 26, 2001: Added SubSeven to Remote Administration Programs section
August 6, 2001: Clarification of IP addressing for ISP dial-up modem pools
December 5, 2001: Fixed broken link to CA-1999-02, added links for Sircam, Goner, and DDoS Trends
February 27, 2006: Removed link to defunct directory that was on cert.org previously.