Lab 11 - Computer Security Basics CSE/INFO 100, Winter 2006 Lab

Lab 11: Computer Security Basics

Key Words: computer security, virus, hacker, spyware, patch, spam filter, Windows Update.

Objectives

The Internet can be an unpredictable, and sometimes unsafe, place. In the real world, you wouldn't leave your house unlocked, your car door open, or your wallet lying around. The same holds true with the Internet, and even a brand new computer is not impervious to worms and viruses. This lab will walk you through the basics of setting up your computer and safeguarding it against some of the uncertainties of the Internet. While it will not make you an instant computer security expert, it will give you a few tools that will help you protect yourself and your computer from some of the things that are out there.

There are three common threats that you may run into while online: viruses, hackers, and spyware. Viruses are malicious programs that can make your computer spam other computers, delete all of your files, or even give someone else complete control over your computer. Hackers are individuals who, for reasons ranging from boredom to being paid by organized crime, write viruses and steal personal data on the Internet. Spyware is like a virus, but instead of deleting or modifying files, may report your personal information (things like your credit card number and your Social Security Number) to other people so that they may steal your identity. This lab will give you the tools to help prevent these three things from happening to you while you are online.

Note that all of the software used in this lab is either free from the provider or available as part of the UW Internet Connectivity Kit (UWICK) package. This software can be downloaded and used on your home computer or laptop to keep it safe from these threats. We highly recommend that you do so!

This is a graded lab exercise. Before you start working, open a text editor. As you encounter the questions, write down your answers in the text file. When you're done, you'll show your answers to your TA and upload the file to your account on dante.

Password Security

Good password security is the first line of defense against any sort of threat on the Internet. A bad password will make even the best security system worthless, so it is important to follow a few basics about good password creation:

  1. Don't use a common word. There are password-guessing tools out there that use common words as a basis for guessing passwords. They even have dictionaries in other languages that they use, so make sure your password is not a common word in any language!
  2. Make sure your password is at least 8 characters long. Short passwords can be easily guessed, and a longer password will reduce the chances that someone will guess your password using a hacking tool.
  3. Give your password letters, numbers, and non-alphanumeric characters (such as ! and $).
  4. Mix upper- and lower-case letters in with your password.

Many people have a "system" for creating secure passwords. One way to ake a good password is to start with some phrase that is easy for you to remember, but difficult for others to guess.For example, if you like the song "Stairway to Heaven" by Led Zeppelin, you could take the first letters from each word in the line "And she's buying a stairway to heaven" as the basis for your password, which would create a password of 'asbasth'. From here, you could mix some upper-case letters in with your password to make it 'aSbAsTh'. To make it a little more complex, you could then replace some of the letters with numbers and special characters that look like the letters they replace, making it '@SbA5Th'. Now, since it's only 7 characters long, we can lengthen it a little by adding an exclamation point, so that it is '@SbA5Th!'.

There are also services online that will help you choose a good password. You may have seen these when setting up an e-mail account. Open your browser and visit Microsoft's Password Checker. Try out a few passwords and see how secure Microsoft thinks they are. Try one of your usual passwords (this webpage does not store your password, but it's good to be thinking about this). Try the method above with a favorite song. Think of a few words in the lyrics of the song and take the letters of each of those words to create a password out of. Then, do some of the above steps to strengthen the password.

Q1. Try this for your favorite song. Think of a few words in the lyrics of the song and take the letters of each of those words to create a password out of. Then, do some of the above steps to strengthen the password. Write down the password you came up with and an explanation of how you created it.

You can also find many programs or online services that generate secure passwords for you. An example would be at this page, a secure password generator with options to add punction, caps, or numerals to our password of specified length. However, we should be wary when using these services as they might be unknowingly storing our generated password to use for malicious purposes. Even though we may have created a secure password, we must always be aware that our password could have been potentially compromised. Thus, it is also good practice to regularly change your password, perhaps once every few months.

Email Security

Here we will discuss three common e-mail concerns: viruses, "phishing" attacks, and junk mail.

Viruses and phishing

Much of the time, viruses can spread through emails that look like they come from trusted sources. The email may contain enticing messages to download its attachments or click on a link, which eventually ends up infecting your system with a virus. Other times hoaxes can be sent out through trustworthy-looking emails that try and get information about you such as your credit card number. This process of obtaining your information through deception is called "phishing". Spotting these emails is very hard for software to do, and so it's up to you and your skepticism to figure out the good from the bad. Generally, the things to look for in an email message are the same things you should look for when looking at web sites. Here are a few of the ways that you can figure out whether an email is legitimate:

One final thing to remember is to NEVER OPEN EMAIL ATTACHMENTS from people that you do not know. And even if you know the person, it is a good idea to scan the email attachment with an up-to-date virus scanner just to make sure, since a lot of viruses can disguise themselves as being from someone you know.

Q2. Now it's time to put what you just learned into practice. Here and here are two email messages. Using what you just learned, decide which one is real and which one is fake. Write down your answer, and the reasons why you chose it.

Junk mail filtering

Junk e-mail or "spam" is a problem that affects anyone who uses e-mail. It's also a problem that is unlikely to go away soon. Since e-mail is essentially free to use, it's profitable to send e-mail advertisements even if only a few people respond.

There are multiple ways of handling junk e-mail. Many e-mail clients have built in spam filtering. If you use your UW mail, you can turn on the university's server-side spam filter.

Using Windows Update

An additional way to protect your computer is to install patches for your operating system. A lot of times, there are flaws that are found in the code of operating systems like Windows or Mac OS, and so it is important to stay up-to-date on all of the latest patches so that your computer is protected against these flaws. Let's practice updating Windows now (though more than likely the lab machines do not need updating at the moment

  1. Click on Start > Control Panel.
  2. Double-click on Security Center.
  3. In the Resources box, click the underlined sentence that says "Check for the latest updates from Windows Update".
  4. This will bring you to the Windows Update web site. You can visit this web site on your home computer whenever you want to download and install critical updates. This website will also show you which updates you have already installed.
  5. In order to check for updates, click on the button marked "Express". This will scan your computer to see if any new updates are required. There should not be any updates listed, but if there were, all you would have to do is click on the button marked "Download and install updates" to get your computer up to date.

In order to keep your computer up to date automatically, you can also enable automatic updates with Windows Update.

  1. Click on Start > Control Panel.
  2. Double-click on Automatic Updates.
  3. Automatic updates should already be turned on with your lab computer. If you are doing this lab from home, click on the button that says 'Automatic (recommended)', then select the time that you want your computer to check for automatic updates. This will download and install all Windows updates automatically, though your computer has to be on in order for automatic updates to work.

    Scheduling automatic updates with Windows XP

Q3. When was the last time the machine was updated?

Q4. Does this machine have the GDI+ Detection Tool installed?

Updating McAfee VirusScan

McAfee VirusScan is the virus protection software used at the University. You can acquire it for $1 at the University Bookstore or download it as part of UWICK.

Anti-virus software performs two primary functions:

  1. It scans the hard drive and external devices such as USB flash drives, CDs, and floppy disks when they are connected to the computer for known viruses
  2. Anti-virus software can quarantine and sometimes disinfect individual files that have viral code in them. Sometimes you cannot separate a virus from a file once it has been inserted and the quarantined file has to be deleted. Either way, the virus is neutralized so you can repair any damage and get on with your digital life.

Every week new viruses, worms, and other nasty software appear on the Internet. Because of this, simply installing anti-virus software is not enough. You need to update your VirusScan definitions - the files that tell anti-virus software how to detect a specific virus - daily or weekly. McAfee VirusScan definitions can be updated automatically or manually. We will show you how to do both because sometimes a nasty virus spreads so fast that you should not wait for the auto-update feature to update your definitions.

To manually update your virus definitions in McAfee VirusScan:

  1. Right click the VirusScan icon in the Windows system tray (it looks like a shield). Choose VirusScan Console from the popup menu.


    Before you update, answer the following question:

    Q5. What was the last time that this computer had its virus definitions updated?

  2. Just to be safe, we'll update the virus definitions on this computer. Right-click the AutoUpdate item in the console and choose Start from the popup menu.

  3. The update will now run. When it's finished, click the Close button.

To verify your Windows McAfee VirusScan software is automatically being updated with the latest virus definitions, or to enable automatic updates to your anti-virus software:

  1. Open the VirusScan Console (it should still be open).
  2. Find AutoUpdate in the list of tasks.
  3. Right-click on AutoUpdate, and click on Properties.
  4. Click on the Schedule tab.
  5. Verify that the Enable box is checked: if the Enable box is not checked, click on the box to turn it on.
  6. Verify the software is set up to run daily: if the Daily button is not on, click on the button to turn it on.
  7. Verify the updates are running: click on Enable Randomization to allow updates at random times.
  8. If you have updated your VirusScan configuration, click on OK to save your changes.

Scanning and Removing Spyware

Spyware is a common problem for Windows computers. Similar to a virus, spyware is software that has been installed onto your system without your knowledge. Unlike a virus, spyware is less overtly destructive and is therefore it is much less obvious when you are infected by spyware. In truth, many problems that Windows users have with their programs and computers may be traced back to spyware. This software often uses up system resources such as memory and processor time and can corrupt files. While some antivirus software now has the ability to look for and remove spyware, the best spyware detectors and removers are not the best antivirus programs. Therefore, we will focus on scanning and removing spyware with specialized antispyware tools.

For this part of the lab we will use Windows Defender, a (currently) free spyware scanner from Microsoft. You can also download Defender to use at home from the link below.

Note that the the installer page for Defender requires you to install a browser plugin in order to validate your copy of Windows. This is more complicated in Firefox and Mozilla than for Internet Explorer. We recommend that you use IE to download Defender in this section.

  1. Visit the Windows Defender homepage (please use IE).
  2. Click "DOWNLOAD IT HERE!" and follow the instructions to download Defender. If you are asked to validate your Windows installation, choose Yes. This is designed to ensure that you are using a legal copy of Windows.
  3. Download the installer file (WindowsDefender.msi) to your Desktop.
  4. Once Defender has finished downloading, double-click the file WindowsDefender.msi to install it.
  5. Walk through the installation steps. When asked, choose to iuse the recommended update settings.



    Choose a complete install.
  6. When installation is finished, it will ask you if you want to perform a definitions update and a scan. Check the box to do so. Defender will open, but may not be able to update if you are using a lab machine.
  7. Once the update is completed, click the Scan button to scan your system for spyware. (If Defender did not open in the last step, right-click the castle icon in the system tray to open the console.)

    Q6
    . How is spyware different from viruses?

When you're done

When you've finished the exercise, show your answers to your TA. Once your TA has seen the assignment, copy your answer file to a lab11 directory in your fit100 directory on dante.

Checklist

  1. I understand the keywords and technical terms used in this exercise.
  2. I know what a strong password is and have tested my own password for strength
  3. I know how to detect fraudulent email messages and that it is a bad idea to open email attachments that are unexpected.
  4. I know how to turn on junk mail filtering for my UW e-mail.
  5. I know how to update my computer using Windows Update.
  6. I know how to update my virus definitions with McAfee VirusScan.
  7. I know how to scan for and remove spyware with Windows Defender.