NetAction Notes

Published by NetAction Issue No. 76 October 22, 2001
Repost where appropriate. See copyright information at end of message.

IN THIS ISSUE:

Cyber-Security
About NetAction Notes

Cyber-Security

Shortly after the September 11 attacks on the World Trade Center and the Pentagon, security experts began predicting a resurgence of malicious attacks on the Internet. More recently, an international security monitoring group (CERT, the Computer Emergency Response Team Coordination Center http://www.cert.org/) warned that Internet attacks are expected to double this year. While attacks by malicious or politically-motivated hackers have typically been directed at corporate and government web sites, any computer connected to the Internet is vulnerable. Computers connected through a broadband service are especially vulnerable since the connection is always on. If you haven't already taken steps to ensure that your computer is secure, do it now.

NetAction prepared the following checklist of computer security basics for activists and nonprofit organizations:

1) Virus Protection

New computer viruses are discovered all the time. Installing and regularly updating your anti-virus software is essential to maintaining the security of your computer files. In recent months, countless files have been distributed over the Internet by computers infected with the SirCam virus. See http://www.cert.org/advisories/CA-2001-22.html for more information about this pesky virus. Some of these files were confidential, others were simply embarrassing to the originator. None of these documents would have wound up in strangers' in-boxes if the computers they were stored on had been protected by up-to-date anti-virus software.

But the unintended release of confidential or embarrassing documents isn't the only risk you take if you don't keep your virus protection software up-to-date. Some viruses actually delete files from computers, others wreak so much havoc to your operating system that the only way to recover is to reformat the drive, wiping all its contents in the process.

Most virus protection software developers regularly update their software programs to include protection against newly detected viruses. Some software programs can be set up to automatically check for updates on a user-determined schedule (for example, on the first day of every month). If your software includes a scheduler, set it up to automatically check for updates once a month. If not, note it on your calendar and update the software manually.

See http://www.cert.org/other_sources/viruses.html#VI for a complete list of anti-virus software vendors. Some virus protection software vendors you may already be familiar with are Symantic http://securityresponse.symantec.com/avcenter/ and McAffee http://www.mcafee.com/anti-virus/. Their web sites include alerts about newly discovered viruses and comprehensive information about virtually all known viruses. If your computer is infected, you may find information on these sites that will help you minimize any damage to or loss of data.

Along with being vigilant about protecting your computer from viruses, be cautious about forwarding virus warnings that are sent to you via email. Many of these warnings are hoaxes. If someone sends you email warning of a virus, confirm its validity before forwarding it to anyone else. Sites that provide information on false virus warnings and other Internet hoaxes include: http://www.nonprofit.net/hoax/default.html and http://hoaxbusters.ciac.org/HBUrbanMyths.shtml.

2) Firewalls

If your computer is part of a network, chances are your network administrator has set up a firewall to prevent "crackers" from breaking into any of the computers on your network. If you don't have a network administrator, or don't know for sure whether your network is protected by a firewall, ask.

Networks without firewalls are extremely vulnerable! The obvious risk is that someone will hack in and obtain confidential information or deface your organization's web site. Perhaps less obvious is the risk that a malicious hacker will use your computer as part of a distributed denial of service (DoS) attack directed at another server. In a DoS attack, a sever is bombarded with so much email that it will eventually crash if the attack isn't stopped. See http://www.cert.org/archive/pdf/DoS_trends.pdf for additional information on DoS attacks.

Even if your computer is not connected to a network it's a good idea to set up a firewall, especially if you connect to the Internet via an always-on broadband service (such as DSL or cable modem). Individual computers with broadband connections can easily be usurped for DoS attacks without the owner's knowledge. Several software developers sell personal firewall software programs. Once installed, these programs can be set up to prevent access to your computer or to designate the level of access. (For example, if you occasionally work from home, you may want to set up the firewall on your home computer to allow you to retrieve work files from home when you're in the office.)

See http://www.interhack.net/pubs/fwfaq/ for a FAQ on firewalls. Firewall software software is available from many of the same developers who produce anti-virus software, including Symantec and McAffee.

3) Backups

Regular backups are a crucial component of computer security. Businesses that are serious about data security may spend tens of thousands of dollars on secure off-site storage of their backed up data. Since this isn't an option for most nonprofit organizations and individual activists, some creativity is necessary to develop an affordable backup strategy.

Documents and other data should be backed up daily. Backed up data can be stored on removable media (such as floppy or zip disks, or CDs), on an external hard drive, on a tape drive, or on a secure web site. Redundancy is the best strategy, so plan on using more than one alternative. (Note: CDs are probably your best choice in removable media; they hold 600-700 MB and cost less than $1 each, while zip disks hold 100 MB and cost about $10 each. Tape drives are generally more expensive than external drives, although both types of drives vary in price depending on capacity, type of connection and other factors.)

If the computer in your office is backed up daily onto a tape drive, make a second backup of your data on a floppy or zip drive to store in another location away from the office. (For example, at your accountant's office, or your supervisor's home.) If your home computer came with a rewrite-able CD player, make two copies of your backup on CD. Leave one at home and store the other in your office, or with a trusted neighbor or friend. Or make one backup on an external hard drive, the second on a floppy or zip disk that can be stored in another location.

In addition to backing up your data, it's also a good idea to make a full backup of your hard drive, and to update the full backup whenever you update your operating system or software applications. If you have a full backup and your hard drive crashes, it will be easier to recover. Otherwise, you will have to reinstall the operating system and applications one at a time if you want access to backed up documents or other data.

When you back up your entire drive, size matters. If your computer has a 10 GB hard drive and your programs and data use up 5 of the 10 GBs, a full backup will also require 5 GBs. While it's possible to make a full backup by using multiple floppy or zip disks or CDs, you will probably find it easier to use an external hard drive or a large-capacity tape drive.

If you use a PC with a current version of the Windows operating system (ME or 2000), a backup software program is included with the operating system. Mac users will have to buy a separate backup software program for full backups of the hard drive; data files can simply be copied to removable media or an external drive.

Although not strictly a security issue, good disk maintenance is also important. Several software vendors sell utility tools (such as Norton Utilities) that can alert you to and fix minor problems, and sometimes even retrieve lost data.

4) Mailing Lists

Mailing lists have long been targeted by spammers, so mailing list security should always be a high priority.

If you are responsible for maintaining a mailing list, configure it so that only the list owner has access to the addresses of individual subscribers. When you use your email browser to create a mailing list, you can prevent subscribers' addresses from being disclosed by always putting the addresses in the "Bcc" field. If your mailing list is provided by an application service provider (such as Topica), or you use a list software application (such as Majordomo) be sure it is configured so that subscriber addresses are not disclosed. Also, back up the subscriber list regularly.

Mailing lists fall into one of two categories: discussion or announcement. You have significantly more control of announcement lists since they are intended for one-way communication from the list owner to the list subscribers. (For example, to distribute email newsletters or action alerts.) When you configure an announcement list, limit posting privileges to as few people as possible and change the password whenever there is a change in personnel who have posting privileges.

If you operate a discussion list, you can increase security by assigning a moderator. When a subscriber sends a message to a moderated list it is routed to the moderator, who screens it before posting to make sure it is an appropriate message for the list. Of course, if your list has a lot of traffic this can be very time-consuming.

In situations where your best option is an unmoderated list, you can still exercise some control over who has access by configuring it so that all subscriptions must be approved by the list owner. This may make it easier to screen out spammers, as well as to remove a subscriber who becomes disruptive or persists in posting off-topic messages.

4) File and Email Security

Nearly everyone has some data on their computer that is sensitive or confidential. There are several ways to secure this data from prying eyes. Some operating systems allow users to set passwords that limit access to the entire hard drive. If your computer is on a network, check with your network administrator to determine if a password can be set to prevent access to your files. If not, check the "Help" files or the user guide for your operating system. And remember to change your password periodically.

Individual files, and the content of email messages, can be secured with encryption software. NetAction's Guide to Using Encryption includes information on software programs that can be used to encrypt individual files and/or folders, and software that can be used to encrypt email messages.


About NetAction Notes

NetAction Notes is a free electronic newsletter, published by NetAction. NetAction is a California-based non-profit organization dedicated to promoting use of the Internet for grassroots citizen action, and to educating the public, policy makers, and the media about technology policy issues.

To subscribe to NetAction Notes, send a message to: . The body of the message should state: subscribe netaction
To unsubscribe at any time, send a message to: . The body of the message should state: unsubscribe netaction

For more information contact NetAction by phone at (415) 215-9392, by E-mail at

, visit the NetAction Web site or write to:

NetAction * P.O. Box 6739* Santa Barbara, CA 93160

Copyright 1996-2003 by NetAction. All rights reserved. Material may be reposted or reproduced for non-commercial use provided NetAction is cited as the source.