Please send feedback if you like it or don't, so I can gauge
whether or not to bother this newsgroup with any future scribblings.
Again, to be quite clear, this is not really aimed at the
readership here, but might be useful for the less educated clients of
this newsgroup's readers.
Andrew
----
User Security Awareness Newsletter
#1, March 14, 1996
The goal of this newsletter is to provide information useful to the end
user, and to help that end user to better maintain the integrity of the
data on their computers. More simply, it's stuff you might need to know,
with a minimum of technobabble. In general, the goal here is to take
information well known to the 'experts' and present it in terms that
a normal human can understand.
SAFE SURFING
by A. Molitor
In this first issue, I'll talk about how to use that latest, hottest fad,
the World Wide Web, a bit more safely. It can be a tremendously useful
resource, and it's certainly seductive, but it's also a shockingly
dangerous place. If a stranger approached you on the street, handed you a
floppy disk, and asked you to take it in to work, insert it into your PC,
and run the INSTALL program, would you do it? Surely not! Yet that is almost
exactly what you are doing any time you start up one of the neatest, coolest
web browsers.
There are lots of things a malicious web-page author can do to try to fool
your browser into doing rotten things. A funny-looking link can persuade a
fancy browser to send mail, perhaps to exploit a bug in the mail program to
do something much worse. The newest craze, Java, actually downloads
programs into the browser, and runs them. Despite claims to the contrary,
Java seems to still have some security problems. A clever Java programmer
can make Java do lots of things, potentially deleting all your files, or
sending them to an outsider, and so forth.
What's at Stake
Everything is at stake. If just the right sequence of events occurs, all
the data available to you could be destroyed, subtly altered, or sent to a
competitor. Even data you do not normally have access to could be
destroyed, altered, or mailed if a sufficiently clever web page was able to
exploit some bug on your system to access the data. It takes very little
imagination to create very plausible scenarios in which employers lose
hundreds of thousands of dollars because someone innocently followed a link
on some web page. Given the size of the web, and the number of people
authoring pages on it, it is essentially guaranteed that there are web
pages out there that will hurt you. If you should find one, the very worst
could easily happen.
What to Do
Here are three little maxims to consider:
- Use Protection
- Look before you Click
- Consider the Source
Use Protection
What this means is, disable any features of your browser that you don't
normally use. Disable fancy features you do use, if you're going to be
clicking around somewhere you're not entirely comfortable with. Poke around
the menus and the help for your browser, to learn what capabilities it has,
and disable anything you don't use.
When you're disabling anything, make sure to note how it was set up
before, so you can re-enable it later if need be.
- Netscape
- Under options->security preferences, disable Java.
- Under options->mail & news preferences->servers, set the mail
server to the name of some machine that doesn't exist, like
'no-such-host', Netscape will probably complain that it can't send
mail now. This is sort of the idea, eh? You can probably just clear
this field, for the same effect.
- Under options->general preferences->applications, clear all
of these fields. Now Netscape won't be able to launch telnets
and rlogins and whatnot for you. Again, this is a good thing.
- Mosaic & Lynx seem to be a little short of things you can disable. On
the up side, there's less they can do, so there are fewer ways to get into
trouble.
Look before you Click
This means, simply, glance at the place you're going to before you go
there. With Mosaic or Netscape, this is displayed in the little
information box at the bottom of the browser's window. With Netscape, the
right mouse button pulls up a useful menu which includes most of the text
of the URL you click on (minus the http://host.name/ part). With Lynx, the
'=' key will give you information about whatever link you have
selected. If a link doesn't look something like:
http://host.name.somewhere.foo/file/name/othername
ftp://host.name.somewhere.foo/file/name/othername
gopher://host.name.somewhere.foo/file/name/othername
be a little suspicious. If it's got any funny characters in it (like a
bunch of percent signs or something) you may have something bad on your
hands. Sometimes the last part of the URL, where I have 'othername' will
be a bunch of strange-looking stuff, like 'query?pq=aq&what=web', if
you're looking around something like a search engine, or some shopping
on-line, or anything else where you're filling out forms. In such a
context, this sort of stuff is most likely perfectly fine. On the other
hand, if the URL looks like:
gopher://localhost:25/0HELO%0AMAIL%20FROM%3A%20%7C%2Fusr%2Fbin....
(much deleted, the whole thing is about 700 characters long), clicking
on it will send vaguely threatening mail to your system administrator.
The ':25' aims your browser at the mail port rather than at a gopher
server, and the percent-escaped text after it decodes to a string of
mail-server commands, which the browser obligingly sends on your behalf.
This is a real example right out there on the network! And it's a fairly
mild example of what could be done.
If the URL looks like:
mailto:f...@somewhere.com
make sure that whatever is after the 'mailto:' part is an address you
don't mind sending mail to. If it doesn't look like a decent email
address, DON'T CLICK! If you do want to send mail like that, using
your browser, you may need to re-enable mail, if you disabled it.
If there's a link you'd like to follow, that you're suspicious of, you
can:
- disable all the features on your browser that you can get at,
and hope for the best
- download the link into a file (the 'd' key in Lynx, select the
'Load To Local Disk' option in Mosaic, 'Shift-MouseButton1' in
Netscape). Then look the file over for any odd-looking stuff.
Admittedly, raw HTML all looks odd, but what you're after is anything
odder than a normal web page looks in raw form: links like the ones
above, for instance.
Consider the Source
If you're surfing around ibm.com, you probably don't have to worry all that
much about evil Java viruses. On the other hand, if you're looking at some
chap's song lyrics archive at some obscure college in the middle of
nowhere, or a well known college in a large eastern city, the chap might
just have a mischievous sense of humor. In particular, watch out for those
personal links. If the place you're just about to click to looks like:
http://some.host.somewhere/~name/file/name
(Note the ~ in front of 'name'? That's the tip-off.) it's practically
certain to be a page belonging to some individual. This isn't a sure thing,
one way or the other, but it's a useful hint. Of course, just because it's
a personal page doesn't mean it's bristling with horrid dangerous disease,
but it's useful to know when you're trying to make an informed choice.
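As an added illustration (example code written for this edition, not anything from the newsletter or from its author), here is a small Python script that applies the 'Look before you Click' and 'Consider the Source' checks above to a link before you follow it: it percent-decodes the path so you can see what escapes like '%0A' and '%7C' were hiding, flags a link aimed at port 25 or another service port, checks that a mailto: target looks like a real address, and notes the '~name' tip-off. The table of service ports, the "more than three percent-escapes" threshold and all the sample links are this example's own choices; the gopher sample is modelled on the port-25 trick described above, not copied from it.

```python
"""Link inspector for the look-before-you-click and consider-the-source
checks.  Added example, not part of the newsletter; the port table, the
percent-sign threshold and the sample links are this example's own."""
from urllib.parse import urlsplit, unquote

# Schemes the newsletter calls ordinary, with the port each normally uses.
DEFAULT_PORTS = {"http": 80, "ftp": 21, "gopher": 70}

# Service ports no web link should be aimed at.  A gopher or http link to
# port 25 is how a browser gets made to "talk" to a mail server.
SERVICE_PORTS = {25: "SMTP mail", 23: "telnet", 513: "rlogin", 119: "NNTP news"}

LEVELS = ("ok", "caution", "danger")


def inspect_link(url):
    """Return (level, notes).  level is 'ok', 'caution' or 'danger';
    notes lists the reasons in plain words."""
    notes = []
    level = "ok"

    def flag(new_level, note):
        nonlocal level
        if LEVELS.index(new_level) > LEVELS.index(level):
            level = new_level
        notes.append(note)

    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    # mailto: the only question is whether the target is an address you
    # would willingly write to, so decode it and look.
    if scheme == "mailto":
        addr = unquote(parts.path)
        if "@" in addr and not any(c in addr for c in "|;\r\n <>"):
            flag("caution", "mailto: link sends mail to %s; click only if you mean to" % addr)
        else:
            flag("danger", "mailto: target does not look like an address: %r" % addr)
        return level, notes

    if scheme not in DEFAULT_PORTS:
        flag("caution", "unfamiliar scheme '%s'" % scheme)

    # An explicit port aimed at a mail, telnet or news service is the
    # tip-off for the gopher://...:25/ trick described in the text.
    try:
        port = parts.port
    except ValueError:
        flag("danger", "malformed port in '%s'" % parts.netloc)
        port = None
    if port is not None:
        if port in SERVICE_PORTS:
            flag("danger", "link targets port %d (%s), not a web server" % (port, SERVICE_PORTS[port]))
        elif port != DEFAULT_PORTS.get(scheme):
            flag("caution", "non-standard port %d for %s" % (port, scheme))

    # Decode the path only; a query string after '?' is where forms and
    # search engines legitimately put percent-escaped text.
    raw_path = parts.path
    decoded = unquote(raw_path)
    if any(c in decoded for c in "\r\n\x00"):
        flag("danger", "path decodes to line breaks: protocol commands smuggled in a URL")
    if "|" in decoded:
        flag("danger", "path decodes to a '|' (output piped to a program)")
    if raw_path.count("%") > 3:
        flag("caution", "%d percent-escapes in the path; decoded it reads %r" % (raw_path.count("%"), decoded))

    # Consider the source: /~name/ almost always means an individual's page.
    if decoded.startswith("/~"):
        flag("caution", "personal page (~name): not necessarily bad, but an informed choice")

    return level, notes


# Constructed sample links (this example's own, not taken from the newsletter);
# the gopher one is modelled on the port-25 trick, not a copy of it.
SAMPLE_LINKS = [
    "http://host.name.somewhere.foo/file/name/othername",
    "http://search.example/query?pq=aq&what=web",
    "gopher://localhost:25/0HELO%0AMAIL%20FROM%3A%20%7C%2Fbin%2Fsh",
    "mailto:someone@example.com",
    "mailto:%7C/bin/sh",
    "http://some.host.somewhere/~name/file/name",
    "http://host:99999/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        level, notes = inspect_link(link)
        print("%-8s %s" % (level.upper(), link))
        for note in notes:
            print("         - " + note)
```

Run it and it prints a verdict and the reasons for each sample link. It only shows you what you would otherwise have to spot by eye in the status bar; turning off the features listed under 'Use Protection' is still the real defence.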
In Summary
Nothing you do is going to guarantee your safety. You can only take steps
to reduce the risks. In general, if you take a little care, and try to do
things in a responsible and informed way, you're going to be fine. The idea
here is to help you, the reader, become a little more informed. Turn off as
much cool stuff in your browser as you can, and watch what you're doing.
ADMINISTRIVIA
If you'd like to comment on what you see, or would like to contribute a
column on some topic, by all means contact me at:
This is not a publication of Network Systems Corporation.
Copyright Andrew Molitor, 1996, all rights reserved. This material may be
reproduced and distributed provided this copyright notice and the entire
text above are reproduced verbatim.