In the May Q&A, we were warned about sending credit card details over the Internet. Are there any other problems we should worry about?
Yes. The Internet is bi-directional by nature. While you can talk to remote machines on the Internet, other remote machines can talk back to you. Normally, responding to a Web page request or retrieving a file by FTP would be considered desirable, but occasionally it could be a hacker probing your network or directing an attack at your workstation or servers.
What sort of vulnerabilities are there?
Any TCP/IP service you're running on your computer may well be visible over the Internet. For example, if you're running a Web server on your PC for personal development and testing, then it could easily be reachable by the whole Internet when you are online. If you're running file and print sharing on your machine over TCP/IP, then this might be visible on the Internet as well. The situation could be even worse if you're using Unix to access the Internet. Unix machines normally run a lot more TCP/IP services than an "out of the box" Windows 95 setup.
What can be done about them?
If you're on an office LAN, then serious thought should be given to installing a firewall. This firewall should be configured to block all traffic by default and then to allow only traffic that is explicitly permitted. For example, a firewall may be configured to allow an incoming connection to the corporate mail server on the SMTP port, and to allow outgoing connections from workstations to Web servers. It's common for LANs to allow any outgoing traffic, but restrict incoming traffic. This does solve some of the problems, but not all of them. A better solution would be to be RFC1597-compliant. This specifies that your office LAN uses a range of IP addresses that are considered private, and a proxy server to connect to the Internet. In this model, your PC never talks directly to the outside world. It makes a request from the proxy server, and this machine talks to the Internet. Because there is now no direct link between the PC and the Internet, a lot of problems are bypassed.
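The default-deny policy and the RFC1597 address check described above, as an added example that is not part of the original column. The addresses are constructed (documentation ranges stand in for the office LAN and an Internet host), and the names Rule, POLICY, allowed and is_rfc1597 are illustrative.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    direction: str          # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    dport: Optional[int]    # destination TCP port, None = any port

# Constructed addresses: 192.0.2.0/24 (a documentation range) stands in for the LAN.
LAN = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25/32"
ANY = "0.0.0.0/0"

# Only the two flows named in the text are permitted.
POLICY = [
    Rule("in", ANY, MAIL_SERVER, 25),   # incoming SMTP to the corporate mail server
    Rule("out", LAN, ANY, 80),          # workstations out to Web servers
]

def allowed(direction: str, src: str, dst: str, dport: int, policy=POLICY) -> bool:
    """Return True only if some rule explicitly permits the connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (r.direction == direction
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return True
    return False                        # nothing matched: block by default

# The three private address blocks reserved by RFC 1597.
RFC1597 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1597(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1597 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1597)

if __name__ == "__main__":
    print(allowed("in", "198.51.100.7", "192.0.2.25", 25))   # SMTP to the mail server
    print(allowed("in", "198.51.100.7", "192.0.2.40", 80))   # Web server on a dev PC
    print(is_rfc1597("172.20.1.5"), is_rfc1597("192.0.2.40"))
```

The second call is the personal development Web server case: no rule names it, so the default blocks it.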
We run Novell servers with a Winsock layer to connect our PCs via the Novell server to the Internet. Are we safe?
If all access is done via the Novell server, and the server itself has been secured, then you should be quite safe from the attacks described overleaf, much in the same way as the RFC1597 setup. Assuming there are no bugs in the Novell code, of course.
Some of our LAN users also dial into an ISP. Does this change things?
Yes. A firewall is only effective if all access to the Internet goes through it. By having a user dial into the Internet, you effectively have a back door into your LAN. A clever hacker might be able to take advantage of this back door and access your company servers.
Do home users dialling via an ISP need to worry?
There are similar problems here, but normally without the chance of firewalling. In this case most machines won't be configured to be running TCP/IP services, but this should be checked. Due to bugs in the Microsoft TCP module, it's possible to crash an NT server, or force a Windows 95 machine off the Net by various simple attacks. A workstation shouldn't run any services. Be warned that any services started may be reached over the Internet, and may become a point of attack.
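One way to carry out the check on running services mentioned above, as an added example that is not part of the original column. It reads text laid out like Windows `netstat -an` output; the sample lines are constructed, and the function names and the small port-to-service table are illustrative.

```python
# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.40:1031        198.51.100.7:80        ESTABLISHED
"""

# Illustrative labels for the services the column mentions.
SERVICES = {
    21: "FTP",
    25: "SMTP",
    80: "Web server",
    139: "file and print sharing (NetBIOS)",
}

def exposed_listeners(netstat_text):
    """Return sorted (address, port) pairs listening on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows in the LISTENING state; skips the header and
        # established outgoing connections.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        # A listener bound to 127.x.x.x is reachable only from this machine.
        if not addr.startswith("127."):
            found.add((addr, int(port)))
    return sorted(found)

def report(netstat_text):
    """One line per exposed listener, labelled with the likely service."""
    return [f"{addr}:{port} {SERVICES.get(port, 'unknown service')}"
            for addr, port in exposed_listeners(netstat_text)]

if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
```

Anything this reports on a dial-up workstation is a service that may be reached over the Internet while the machine is online.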
So that's it then? We stop incoming traffic to our machines and we're safe?
Unfortunately, it doesn't end there. Ignoring all of the above, and concentrating just on the Web, there are still problems. Both Netscape and Microsoft Internet Explorer (MSIE) are large applications and have bugs and security holes. These holes can be exploited simply by viewing a Web page, and can cause files on your disk to be read and sent out to the Internet, or applications to be downloaded and run automatically, or even to pass out your server password to the Internet. Once these bugs have been detected, both Netscape and Microsoft attempt to patch them, but it does mean you always have to keep downloading the latest versions, checking for patches and so on. The fixes don't always work, or only partially fix the problem. Netscape offers a reward to people who can demonstrate a new security flaw in their product, and report it to Netscape. This has encouraged people to hit the product hard, resulting in a more robust program. In recent times, more security flaws have shown up in MSIE than Netscape.
What about Java and ActiveX?
Although these two are thought of together, they are actually two different technologies. Java itself comes in two flavours - application and applet. An application is a Java program that is run from the operating system, the same as any other program. As such it has full access to the computer and can do anything a normal program can. When downloading one of these, you must treat it the same as any other application, such as scanning it for viruses. Java virus building is in its infancy, but the virus scanning companies are now writing code to check for them. Java applets are more restricted. An applet is generally what you will find on a Web page. These run in a sand box which isolates the Java code from the real machine. Thus, any attempt by the Java applet to access the file system will result in a security error and the applet being killed. In the early days of Java, a number of flaws were found in the security manager. These were fixed, and the current version seems quite robust. The restrictions placed on applets are quite severe and do limit the usefulness of Java applets. For example, you can't write a word processing applet and allow saving to your local hard disk because the applet can't write to your hard disk.
ActiveX is another kettle of fish. By design, ActiveX controls can see your whole machine and perform any operation on the machine that an application can. If this worries you, then good. It certainly worries me. Microsoft has worked to a different security model: whereas Java applets are constrained by the sand box, an ActiveX control is signed by the author. An ActiveX author can apply to Microsoft for a digital certificate, and the author can then sign their creation with this certificate. This enables the user to verify that the control hasn't been modified since it was signed, and to check who wrote it. If you trust the author, you can allow the control to run, otherwise it is refused.
Options in MSIE allow you to set the level of security on ActiveX controls (for example, trust all controls, trust controls from certain people, always ask before running). Many people change the setting to "trust all controls", and that's a bad idea. I strongly recommend setting the security to ask each time. Because ActiveX is a trust scheme, there is no guarantee that the control you have just downloaded will not do something malicious. Sure, the control was signed, but that's a bit late if your hard disk has just been reformatted. Be very careful of ActiveX.
Can I catch viruses from the Internet?
The Internet is merely a way of sending data around. A virus will not magically appear on your computer simply because you have connected to the Internet. However, if you use the Web to find and download programs, then you should always virus scan those programs before running them. I'll repeat my warning about ActiveX here as well - ActiveX controls can perform any action on your machine, so make sure you only run controls signed by a trusted author. Even a document can carry viruses. It can have an autostart macro that gets executed when the file is loaded, and can perform malicious acts. Turn off macro autoexecution in your programs. For a virus to infect a machine it must be run. Simply downloading a program will not cause a virus to infect your machine. Only by running the program can any virus act, so always scan newly downloaded programs and documents before running them.
And viruses in email?
Again, email is simply a way of transmitting data. Just reading the message will not cause a virus to infect your machine. However, things are now getting more difficult - mail reading programs are getting cleverer and will extract attachments to your hard disk and make them easy to execute. Remember all the comments above. Scan any program received by email before running it. Be careful with documents that may have autostart macros.
Should I worry about RealAudio, Pointcast, etc?
In general, these applications are media viewers. They don't have the ability to run external commands. RealAudio takes incoming data and sends it to the sound device, and Pointcast displays text and graphics sent to it from the server. They are applications, so the general rules about downloading programs from the Net apply: download them from the vendor's site or authorised mirrors and scan them before installing. This also applies to browser plug-ins. A plug-in is just an application that works closely with your browser. It can carry viruses and perform nasty actions. Treat any plug-in the same way as a program. Viruses are no longer the big scare they were a few years ago, but they are still around and cause just as much damage as ever. Don't count them out; protect against them with a good virus scanning package.