University of Minnesota - Department of Geology and Geophysics

Internet Privacy / Security

Why this is a good thing, and why you should care.

| Connecting to the U. securely (SSH and (vs.) VPN) |

There are a lot of web articles at the bottom, under What you can do.

Why security is important in General:

First, it's impossible to completely secure a computer. Someone will always be able to get in. The trick is to make it as difficult as possible, so only the most determined can get in. And usually, the most determine are busy elsewhere. All of the steps you can take simply filter out more and more of the potential problems, until it's not worth the effort to access your machine.

A friend wrote a haiku on the only way to make a computer secure:

lonely desert rock
silently gathering dust
it has not been cracked
-Rowan Littell, 1999

It's true that very few people outside of our discipline would care about your geology/geophysics etc. data. However, crackers (those who crack security, hackers is a more generic, non-threatening term used for those who try to break security or software, looking for vulnerabilities to let the vendors know) will delete data just to cause trouble.

The computer resource itself is as valuable as your data. If a person can use your machine to cause havoc elsewhere, that in itself is a valuable commodity.

Often compromised machines are used to store data which is illegal. This can be stolen software, it can be military secrets, or it can be child pornography. The latter two scenarios are especially serious, as it can result in your machine being confiscated by the FBI, and you wouldn't get it back anytime soon. This isn't a scare tactic. I personally know people to whom this has happened, and they're not my computer geek friends.

Your computer could be used in a criminal act such as trying to take down a prominent internet presence. As a result, the U. might come disconnect you, or you might be subject to someone from the other end engaging in some "revenge tactics".

Crackers can engage in identity theft. If they can get your personal information: credit card numbers, social security number, your phone number, etc. they can pretend to be you. They can ruin your credit, or make death threats to the president in your name. Both of these are not worth the hassle they create.
According to the Social Security Administration (SSA), this is the fastest growing financial crime in the country. See these website for more information:
Identity Theft
SSA software to thwart identity theft
Federal Trade Comimission website on Identity Theft

Why Security is important at the University of Minnesota

The departmental network relies on a series of trust relationships. I trust that the machines in the department are safe, so I allow them to access machines that are mission critical. If I can't trust everyone's machines, then I have to protect against them individually.
It is much easier to protect against an attacker in another country than it is to protect against someone down the hall.
If crackers compromise a U. machine, and use it to cause havoc, other sites will start to block all access (including e-mail acceptance) from the U. This would greatly compromise other's ability to do their work, even if they had nothing to to with the compromised machine.
There are many more reasons, I'll add more later.

Why Security is important at Home

Home computers using high-speed internet connections which are on all the time are subject to the same security threats as e-business companies and universities. Hackers and crackers have as much time as they like to try to break into home machines, and since most home machines aren't secured at all, it's almost childs play.

Also, home machines are becoming the newest tool for crackers for launching their attacks against high profile companies, such as the DDOS (distributed denial of service) attacks which took down many of the high-profile internet sites during the summer of 2000.

In addition, many software programs such as Quicken* keep their information, such as bank account numbers, in known locations which are fairly easy for crackers to steal. So if you have a connection live all the time, it's conceivable that your private information could be stolen, resulting in the identity theft discussed above under General.
(* this isn't a problem with Quicken itself, and is not meant to discourage people from using it. All software tends to put files in default locations. Quicken just happens to store important information in those files.)
If you share data between your home and office computers, if your home computer is compromised, you can spread that compromise to your work computer. This can be in the form of a virus, or a trojan horse program. A trojan horse is a program that looks like it's doing one thing (those elf bowl programs that circulate around at Christmas, for instance) but actually send your credit card info back to a cracker's home machine, or turn on your webcam at night and send the pictures out to people. So protecting BOTH machines is critical.
I have the personal firewall ZoneAlarm running on my home computer. In October, one night I dialed into my ISP on my 56K modem, and in 5 minutes my machine was subjected to 7 probes to see if my machine was vulnerable to being cracked. This is a very real threat.

According to SANS, one of the leading computer security groups, the Five Worst Security Mistakes End Users Make are:

Opening unsolicted e-mail attachments without verifying their source and checking their content first.
Failing to install security patches-especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
(Note: I'll put up links here for the patches webpages. Problem with patches, is they often cause problems on their own. Not a bad idea to ask me first, even for your home computer. I've usually heard about which service packs and patches work and which don't).
Installing screen savers or games without verifying that they are safe.
Not making and testing backups.
Connecting a modem to a phone line while the same computer is connected to a Local Area Network.
(This is a problem behind corporate firewalls, more than it is on campus. Don't worry about it much here at the U. for now.) What you can do (mostly at home, but at work too).
(these links sometimes change, so not all are valid all the time. I do try to update them, though.)
- Install a personal firewall(article by ZDNET) to protect your machine. And learn how to use it well. This is true both if you have a high-speed connection (cable modem or DSL) or you connect via a modem.
  This article at ZDNET doesn't review ZoneAlarm, which is free for home use, and is an excellent product.
  Tiny Personal Firewall from Tiny Software is a fine product as well, although a bit harder to use than ZoneAlarm.
- Install virus protection. The geology/geophysics department does have virus protection which is licensed to use at home. See System Administrator for more details. Hopefully, I'll post more information when I can get it ready.
- Be very careful about what you download, and the attachments that you open.
  This is especially true around the holidays when numerous apps circulate which have cute holiday games and such. Many of these are safe, many of them contain malicious software. Check with the virus protection sites like Mcafee Virus Alerts and Mcafee virus information library, and Symantic AntiVirus Research Center.
- Regardless of what protection you have installed, be it a firewall, or virus protection, if you circumvent it, you're open to being compromised. So be very careful what you download, or what websites you visit.
More information
- University of Florida's ITSA (Information Technology Security Awareness) has some excellent links on security and some fun posters. (http://www.itsa.ufl.edu)
- James Madison University's R.U.N.S.A.F.E. program has excellent tips on how to be safe. (http://www.jmu.edu/computing/runsafe/)
- The Federal Trade Commission has written a simple yet effective 4 page guide to security, aimed at the home user. It can be dowloaded as either a TXT file or a PDF.
- OIT has some security guidelines for all operating systems. Your U. account (X.500, or central e-mail) is needed to access this.
- Macworld has an article about concerns for home Mac users with high-speed internet connections.
- And the OIT newsletter has a great series of articles about DSL and high-speed access.
- Recently, CERT also released an excellent report on the importance of home security, and how to protect your home computer.
- PCworld.com - Unsafe at High Speed: Security on Your Broadband Connection
- PCworld.com - 1/2 of U.S. Broadband Users unprotected, Are you practically begging hackers and Internet thieves to attack?
- PCWorld.com - Does Your PC Harbor Zombies Waiting to Attack? Unprotected broadband connections can leave your PC open to raids by malicious hackers.
- Security Focus - Always On, Always Vulnerable: Securing Broadband Connections A good overview of the problems inherent in Broadband connections, and why hackers want to access them.
- Hacking risk for broadband internet
- Broadband could be Hackland
- Home PC users wake up to need for firewalls by CNET.
- Macs: protect yourserlf online by MacWorld.
- Technology Today: Selecting an Internet Service Provider, an excellent article from the U. of St. Thomas
- Alas, even personal firewalls have problems: Personal Firewalls not so safe from ZDNet.
This page is still incomplete.