1. What is computer security?
Computer security is the process of
preventing and detecting unauthorized use of your computer. Prevention
measures help you to stop unauthorized users (also known as "intruders") from
accessing any part of your computer system. Detection helps you to
determine whether or not someone attempted to break into your system,
if they were successful, and what they may have done.
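The "detection" half of that definition is easy to state and less obvious to do. The following is an added example, not part of the original FAQ: a small pass over constructed SSH-style login log lines that answers the two questions the paragraph raises, whether someone tried to get in, and whether they succeeded. The log format, host name and IP addresses are made up for the example; the threshold is a hypothetical tuning value.

```python
"""Added example (not from the FAQ): a toy detection pass over login-log lines.

Per source address it answers: did someone repeatedly fail to log in
(an attempt), and did an accepted login follow those failures (a
possible success)? Log lines below are constructed, not real data.
"""
import re
from collections import defaultdict

# Constructed sample lines in an sshd-like format (not real log data).
SAMPLE_LOG = """\
Mar 10 09:01:12 home sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:01:14 home sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:01:15 home sshd[412]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:01:17 home sshd[412]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 09:01:19 home sshd[412]: Accepted password for root from 203.0.113.7 port 51126 ssh2
Mar 10 09:15:02 home sshd[430]: Failed password for alice from 192.168.1.20 port 40211 ssh2
Mar 10 09:15:09 home sshd[430]: Accepted password for alice from 192.168.1.20 port 40212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Return (timestamp, outcome, user, ip) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["outcome"], m["user"], m["ip"]))
    return events


def detect(text, threshold=3):
    """Classify each source IP that produced at least one failure.

    'attempt'                : `threshold` or more failures, no later success
    'success_after_failures' : `threshold` or more failures, then an Accepted login
    'normal'                 : fewer failures than the threshold
    The threshold is a hypothetical tuning value for the example.
    """
    failures = defaultdict(int)
    verdicts = {}
    for _ts, outcome, _user, ip in parse_events(text):
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold and verdicts.get(ip) != "success_after_failures":
                verdicts[ip] = "attempt"
        elif failures[ip] >= threshold:  # Accepted after a burst of failures
            verdicts[ip] = "success_after_failures"
        # a success on its own is not suspicious; the failure count is kept, not reset
    for ip in failures:
        verdicts.setdefault(ip, "normal")
    return dict(verdicts)


if __name__ == "__main__":
    for ip, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

A real deployment would key on more than the source address (the account being tried, the time window, whether the source is on your own network), but the shape is the same: parse, count, and flag the success that follows a run of failures, since that is the line between "attempted" and "may have done something".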
2. Who would want to break into my computer at home?
Intruders (also referred to
as hackers, attackers, or crackers) may not care about your identity.
Often they want to gain control of your computer so they can use it
to launch attacks on other computer systems. Intruders may be able
to watch all your actions on the computer, or cause damage to your
computer by reformatting your hard drive or changing your data.
3. Exactly what security risks are we talking about?
There are basically three overlapping types of risk:
- Bugs or misconfiguration problems in the Web server that allow unauthorized remote access
- Browser-side risks, including:
  - Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates
  - The misuse of personal information knowingly or provided by the end-user.
- Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server.
It's important to realize that "secure"
browsers and servers are only designed to protect confidential information
against network eavesdropping. Without system security on both browser
and server sides, confidential documents are vulnerable to interception.
4. What is ActiveX? Does it pose
ActiveX is a technology developed by
the Microsoft Corporation for distributing software over the Internet.
Like Java Applets, an ActiveX "control" can be embedded
in a Web page, where it typically appears as a smart interactive graphic.
ActiveX places no restrictions on what a control can do. Instead,
each ActiveX control can be digitally "signed" by its author
in such a way that the signature cannot be altered or repudiated using
a system called "Authenticode." The digital signatures are
then certified by a trusted "certifying authority", such
as VeriSign, to create the equivalent of a shrink-wrapped software
package. This security model places the responsibility for the computer
system's security squarely on the user's head. Before the browser
downloads an ActiveX control that hasn't been signed at all, or that
has been signed but certified by an unknown certifying authority,
the browser presents a dialog box warning the user that this action
may not be safe. The user can elect to abort the transfer, or may
continue the transfer and take his chances.
ActiveX can be turned off completely from the Internet Options->Security
pages of Microsoft Internet Explorer. Choose the "High Security"
setting to disable ActiveX completely, or "Medium Security"
to prompt you before downloading and executing ActiveX controls. If
you do allow a control to run, read its Authenticode certificate carefully,
and then carefully commit its name, publisher, date and the time of
download to hardcopy. Don't store this information on disk, since
that medium can easily be altered or destroyed by the control itself!
The "Low Security" option allows any ActiveX control to
run, signed or not, and is not recommended.
IE 4.0 allows you to customize the behavior of ActiveX controls depending
on whether they are coming from a site on the Internet, a site on
the local area network, or a site on specially-prepared lists of trusted
and untrusted sites.
5. What are "Cookies" and do "Cookies" pose any security risks?
A cookie is a small piece of information,
often no more than a short session identifier, that the HTTP server
sends to the browser when the browser connects for the first time.
Thereafter, the browser returns a copy of the cookie to the server
each time it connects. Typically the server uses the cookie to remember
the user and to maintain the illusion of a "session" that
HTTP specification, only some browsers support them: currently Microsoft
Internet Explorer 3.0 and higher, and Netscape Navigator 2.0 and higher.
The server and/or its CGI scripts must also know about cookies in
order to take advantage of them.
Cookies and Privacy
Cookies cannot be used to "steal"
information about you or your computer system. They can only be
used to store information that you have provided at some point.
However cookies can be used for more controversial purposes. Each
access your browser makes to a Web site leaves some information
about you behind, creating a gossamer trail across the Internet.
Cookies and System Security
In addition to the privacy issues,
to implement access control schemes of various sorts. For example,
a subscription site that requires a user name and password might
pass a cookie back to your browser the first time you log in. Thereafter,
the site will give you access to restricted pages if your browser
can produce a valid cookie, basically using the cookie as an admission
ticket. This can have several advantages for the site, not the least
of which is that it can avoid the overhead of looking up your user
name and password in a database each and every time you access a
However, unless this type of system is implemented carefully, it
may be vulnerable to exploitation by unscrupulous third parties.
For instance, an eavesdropper armed with a packet sniffer could
simply intercept the cookie as it passes from your browser to the
server, using it to obtain free access to the site.
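The "admission ticket" scheme above, and the eavesdropping risk from section 3, as an added example that is not part of the original FAQ. It shows what a careful implementation of the ticket looks like: the password is checked once, a random unguessable session id is handed out as a cookie with the Secure, HttpOnly and SameSite attributes, later requests are admitted on the ticket alone, and the ticket is only ever issued over TLS, because a ticket that crossed the wire in the clear is already compromised. The user table, passwords, session lifetime and the "captured" request are all constructed for the example; the server itself is a stand-in, not real CGI code.

```python
"""Added example (not from the FAQ): a minimal session-cookie "admission ticket".

Constructed users, secrets and request; SESSION_TTL is a made-up value.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # seconds a ticket stays valid (constructed value)


def make_user_db(plaintext_passwords):
    """Constructed user table: username -> (salt, PBKDF2 hash); a real site stores only this."""
    db = {}
    for user, pw in plaintext_passwords.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000))
    return db


def password_ok(db, user, password):
    """The slow, database-backed check the cookie lets the site skip on later requests."""
    entry = db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, stored)


def parse_cookie_header(value):
    """Parse 'a=1; b=2' into a dict (enough for this example)."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> (username, expires_at)

    def login(self, user, password, db, over_tls, now=None):
        """Issue the admission ticket; returns a Set-Cookie header value, or None."""
        if not over_tls:
            return None  # a ticket sent over plaintext HTTP is exposed to any eavesdropper
        if not password_ok(db, user, password):
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits: cannot be guessed, only captured
        self._sessions[sid] = (user, now + SESSION_TTL)
        # Secure: browser sends it only over TLS; HttpOnly: page scripts cannot read it;
        # SameSite=Strict: not attached to requests started from other sites.
        return (f"session={sid}; Max-Age={SESSION_TTL}; Path=/; "
                "Secure; HttpOnly; SameSite=Strict")

    def user_for(self, cookie_header, now=None):
        """Admission check on later requests: no password lookup, just a valid, unexpired ticket."""
        now = time.time() if now is None else now
        sid = parse_cookie_header(cookie_header).get("session")
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]
            return None
        return user


def session_id_exposed(raw_request):
    """Audit helper: the session id a plaintext HTTP request carries in the clear, or None."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return parse_cookie_header(line.split(":", 1)[1]).get("session")
    return None


CAPTURED_PLAINTEXT_REQUEST = (  # constructed, not a real capture
    "GET /members/report HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: theme=dark; session=CONSTRUCTED_SESSION_ID\r\n"
    "\r\n"
)
```

Note that `user_for` accepts any holder of a valid ticket, which is exactly the property the paragraph warns about: the server cannot tell a replayed cookie from the original. The defences are therefore keeping the ticket off plaintext connections (TLS plus the Secure attribute), keeping its lifetime short, and invalidating it on logout, not anything the check itself can do.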
6. What is a protocol?
A protocol is a well-defined specification
that allows computers to communicate across a network. In a way, protocols
define the "grammar" that computers can use to "talk"
to each other.
7. What is IP?
IP stands for "Internet Protocol".
It can be thought of as the common language of computers on the Internet.
An overview of TCP/IP can be found in the TCP/IP Frequently Asked
Questions (FAQ) at
8. What is an IP address?
IP addresses are analogous to telephone
numbers – when you want to call someone on the telephone, you
must first know their telephone number. Similarly, when a computer
on the Internet needs to send data to another computer, it must first
know its IP address. IP addresses are typically shown as four numbers
separated by decimal points, or “dots”. For example, 10.24.254.3
and 192.168.62.231 are IP addresses.
If you need to make a telephone call but you only know the person’s
name, you can look them up in the telephone directory (or call directory
services) to get their telephone number. On the Internet, that directory
is called the Domain Name System, or DNS for short. If you know the
name of a server, say www.cert.org, and you type this into your web
browser, your computer will then go ask its DNS server what the numeric
IP address is that is associated with that name.
Every computer on the Internet has an IP address associated with it
that uniquely identifies it. However, that address may change over
time, especially if the computer is
- dialing into an Internet Service Provider (ISP)
- connected behind a network firewall
- connected to a broadband service using dynamic IP addressing.
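The "four numbers separated by dots" description above is also the format a program has to check before it trusts a string as an address. The following is an added example, not part of the original FAQ: a strict parser for dotted-quad IPv4 text (exactly four decimal octets, each 0 to 255, no leading zeros, since some C libraries read a leading zero as octal) and a check for whether an address falls in the RFC 1918 private ranges, which is what the FAQ's two sample addresses both do. The address blocks are standard; the rejected inputs are constructed.

```python
"""Added example (not from the FAQ): strict dotted-quad IPv4 parsing and private-range check."""

# RFC 1918 private address blocks as (network, prefix length).
PRIVATE_BLOCKS = (
    ("10.0.0.0", 8),
    ("172.16.0.0", 12),
    ("192.168.0.0", 16),
)


def parse_ipv4(text):
    """Return the address as a 32-bit int, or raise ValueError saying why it was rejected."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    value = 0
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            raise ValueError(f"non-numeric octet {p!r} in {text!r}")
        if len(p) > 1 and p[0] == "0":
            # "010" is octal (8) to some parsers and decimal (10) to others; refuse the ambiguity
            raise ValueError(f"leading zero in octet {p!r} in {text!r}")
        n = int(p)
        if n > 255:
            raise ValueError(f"octet {n} out of range in {text!r}")
        value = (value << 8) | n
    return value


def format_ipv4(value):
    """Inverse of parse_ipv4: 32-bit int back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_private(text):
    """True if the address lies in one of the RFC 1918 blocks (a home LAN address, not a public one)."""
    addr = parse_ipv4(text)
    for net, prefix in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if addr & mask == parse_ipv4(net) & mask:
            return True
    return False


if __name__ == "__main__":
    for sample in ("10.24.254.3", "192.168.62.231", "203.0.113.7", "01.2.3.4"):
        try:
            print(sample, "private" if is_private(sample) else "public")
        except ValueError as err:
            print(sample, "rejected:", err)
```

The practical point is that a private address such as 192.168.62.231 is reachable only from inside the home network, so seeing it in a log or a firewall rule means something different from seeing a public address.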
9. Actions home users can take to protect their computer
The CERT/CC (cert.org) recommends the
following practices to home users:
- Use virus protection software
- Use a firewall
- Don’t open unknown email attachments
- Don’t run programs of unknown origin
- Disable hidden filename extensions
- Keep all applications (including your operating system)
- Turn off your computer or disconnect from the network when not in use
- Disable scripting features in email programs
- Make regular backups of critical data
- Make a boot disk in case your computer is damaged