The internet is a dangerous place with identity theft, buffer overflow, cross-site scripting, request forgery and privilege escalation. Do you need to be concerned about these? Yes. Do you need to study these technical terms to be safe? Well, you have a choice.
It is always beneficial to know more, so we encourage you to stay up to date with the risks. But if the technical jargon has already given you a headache, you may choose the easier option to be safe – stick to the best practices of web surfing. It will not guarantee that you are 100% secure (no-one is), but it will reduce the risks by an order of magnitude. This article focuses on best practices using Internet Explorer and is a follow-up to the article dedicated to Mozilla Firefox in the previous issue.
The risks
The stakes are high: if your PC is compromised, the best-case scenario is that you will have to reinstall from scratch. If you are less lucky, you may lose valuable data; or if you have access to sensitive information it may be stolen and abused by the attackers. This might threaten your professional activities or your private resources – just think of someone getting access to your bank account. If your PC is infected and compromised, you are at the mercy of the attacker.
For the attacker, your computer is a valuable resource. If the attack is successful, it will turn your computer into a bot – a robot that serves the attacker's purpose and acts on their orders. It may start sending spam and infect other computers on your network, or record your key strokes to get your passwords. There is a black market behind such activities and the attacker's motivation is money.
If the attacker is particularly interested in something you have (or can access), they may launch a targeted attack, aimed specifically at you. Although it is less common, this is a growing threat and CERN users have recently been targeted by such attacks (see http://cern.ch/it-support-servicestatus/IncidentArchive/090504-Phishing.htm).
E-mail has become one of the main ways of attacking your privacy. You are more and more likely to receive scams, which are fake messages asking you to give away your passwords and details. Attackers try to make these e-mails look legitimate, but the IT Helpdesk has no reason to ask for passwords. Never send any confidential information by e-mail.
Other malicious e-mails contain links to infected files. Simply clicking on the link will put your PC at risk, so it is safest to ignore unwanted e-mails. When in doubt, try alternative ways to confirm the contents of the e-mail, for example, call the sender to ask them about the message by phone.
Internet Explorer
Due to its market share of nearly 70%, Internet Explorer is an obvious target for the attackers, who are constantly trying to find new security vulnerabilities and ways to exploit them. To fix such vulnerabilities, regular security updates are published. Security problems and the updates that fix them are a fact of life and we need to make sure that our operating system, web browser and all of the applications are up to date. It is a bit like a race – will the problem be fixed before it is exploited? This is why anti-virus software is so important – it brings an additional layer of protection because it can block malicious software trying to exploit a security issue before the problem in the application is fixed.
At work
If you have a standard NICE PC managed by the IT Department, your machine has up-to-date anti-virus software. The operating system, Internet Explorer, and all of the supported applications (such as Microsoft Office) are regularly updated. You can contribute to keeping everything secure by installing the security updates as soon as they are advertised by IT.
However, if you decide to install an application that is not supported by IT, for example Apple Quicktime, then you are responsible for keeping it up to date. We will do our best to inform you about security problems in such applications and these alerts must be taken seriously. Browsing the web is dangerous if you have outdated software on your PC.
At home
Having an infected computer at home puts your work computer at risk. The virus may spread if you use USB memory or open the same file on both computers.
The security of your home system depends on you. You should have an up-to-date anti-virus and schedule regular system scans. Note that as a CERN user you can download the anti-virus software for home use (https://cern.ch/winservices/Help/?kbid=051092). To keep your Windows updated, you should make sure that automatic updates are enabled (right-click on "My Computer" "Properties" "Automatic Updates") and configured to download and install security updates as soon as they are available. Similarly, you have to keep all of the applications up to date.
Security status bar
Internet Explorer 7 has a new security status bar, which lets you quickly assess whether you should trust the website that you are currently visiting. This is the same address bar where you see the website address, but it has a colour code. Typically, the green background means that the site is safe and can be trusted.
The white background means that there is no information about this website. If the address starts with "https://" and there is the padlock icon, then all communication within this website is encrypted.
A yellow or red background means that there is something suspicious about this site. We strongly advise you to stop visiting such websites.
Your responsibility
You are responsible for the security of your computer, because the way you use it determines whether it is secure or at risk. The following guidelines will allow you to enjoy the internet in a conscious – and much safer – way.
Security best practices
• Never send any passwords via e-mail. E-mails asking for passwords are scams. The CERN Helpdesk staff will never ask you for your password.
• Think twice before you click on links sent to you by e-mail or through instant messaging, especially if you did not ask for them. They may lead you to websites that look legitimate (like your e-banking website), but are prepared by attackers to steal your passwords. A similar risk may be related to links from social networking sites, such as Facebook.
• Always read before you click. Internet Explorer will ask for your confirmation before doing anything risky. But if you never read the contents of the pop-up windows you will not benefit from this type of warning.
• Don't install software from the internet unless you know and trust the vendor. Never run any executable (.exe) files that you did not request – in most cases it is an attempt to take control of your PC. The same is true regarding unwanted browser add-ons, like multimedia players. If you are not sure whether you need something then you probably don't, so never accept a request to run (or even download) files that you did not ask for.
• Never enter any sensitive information (passwords, credit card numbers, etc) unless the communication with the website is encrypted (small padlock icon and address starting with https://). Restart Internet Explorer before you begin; after you finish, use the site's log-off function and then close Internet Explorer.
• Never enter any sensitive information on a PC that you don't know, for example, in an internet cafe. Someone may be recording everything that you type in order to steal your passwords. The same applies to your PC if you suspect that it has been infected with a virus.
There is a new "Secure e-mail and web browsing" course designed to show you how to detect and avoid typical security pitfalls encountered when e-mailing and browsing the web. It is designed for non-technical users of Internet Explorer and Outlook. The course is free and more information is available from the training catalogue. Visit http://cta.cern.ch/cta2/f?p=110:9 or e-mail Technical.Training@cern.ch for dates of sessions.
Useful links
NICE Services – anti-virus for home use: https://cern.ch/winservices/Help/?kbid=051092
IE7 Security Status Bar: www.microsoft.com/windows/products/winfamily/ie/ev/security.mspx