Garboldisham: Security on the Internet

Security on the Internet

The Internet is insecure in a number of ways:

People can attack or steal the data on your computer or take over your computer to use in attacks on others.
People can eaves-drop on the messages that you send.
People can get access to Internet services that they are not supposed to use.
People can tie up computers on the Internet, preventing other people from using them.

Computers with broadband connections are more vulnerable because they tend to be connected to the Internet more, and because the fast connection makes them more attractive targets for some kinds of attack. This page explains the risks involved and steps you can take to deal with them.

Viruses and worms

Before someone can attack the data on your computer, steal your data or use your computer to attack others, they must first install a program on it. This is called a virus if it attacks you, or a worm if it uses your computer to send data (including itself) somewhere else. References to viruses below also include worms.

Viruses can be transmitted by e-mail, by visiting web pages or chat rooms, or from discs that you put in your computer's drives. They can also infect your computer by exploiting security holes in the operating system that let them in through a network connection without any action being necessary on your part.

E-mail viruses often need you to open an attachment to install themselves, so you should be wary of any unexpected e-mail with attachments, even if they claim to be documents or pictures. If you download your mail to your computer, you should check that your e-mail application is not set to open attachments automatically.

The garboldisham.net mail server scans incoming mail for viruses. This provides a first line of defence, but virus scanners always lag behind the viruses so care is still needed. You also need protection against viruses coming from other sources. We therefore strongly recommend that you install your own virus scanning software and keep the virus definitions up to date.

To protect against attacks through a network connection, you can use a firewall. This will look at the address of the computer that is trying to communicate with you and the way it is trying to get access (the port), and apply rules to block unwanted access. This can stop both viruses trying to get in and worms trying to send data out.

Eaves-dropping

Communications over the Internet should normally be assumed not to be private. You should treat your e-mails as postcards that anyone can read as they pass through (although, as with postcards, the chances are that no-one is looking).

There are times when you want your communications to be private, such as when you are giving your credit card details to a web site to make a purchase. In that case, the web site will usually connect to your browser in a way that encrypts (scrambles) the data as they are sent. This will usually be indicated by a little closed padlock at the bottom of your browser window.

It is also possible to encrypt your e-mails before you send them out, using a plug-in component to your e-mail program. The person you are sending them to will need the same program to read them. One such program, PGP, is available as a free download. You can tell everyone a key that allows them to encrypt their mail so that only you can read it. Not many people send e-mail secret enough to make this worth the effort.

Like a lock, the security of the encryption depends on the number of different encryption keys that can be used. Fast computers can try a lot of different keys very quickly. Rather than talk about the number of keys, computer encryption usually talks about the length of the keys (in bits). Adding one more bit doubles the number of keys. Standard Internet security is based on 128-bit keys.

Some companies set up connections to the Internet in such a way that authorised people can establish an encrypted connection and no-one else can, usually for the benefit of people working from home who can be given access to sensitive data. These are known as Virtual Private Network (VPN) connections.

Unauthorised access

This is more of a problem for service providers than it is for users. We use passwords and other mechanisms to control access. We ask you to help by keeping your passwords secure, and letting us know if you have any reason to believe that they might be misused.

You should try to make your password hard to guess. Using your name, or the names of your significant other, children, dog, house, or road, as a password is not a good idea. Any ordinary word is vulnerable to the dictionary-based attacks used by some hackers. On the other hand, you do have to remember your password: it is even worse to write it down and put it next to your computer. There are a number of ways to make a password that you can remember but would be hard for someone else to discover, by starting with words and transforming them to make passwords.

Think of a phrase and take the first letters of each word to make your password. Hence "a stitch in time saves nine" becomes "asitsn".
Rather than start with a phrase, start with two words and interleave them, put one inside the other or join them (perhaps with punctuation between). John Smith could use "SJmoihtnh" or "JoSmithhn" (although "John+Smith" would not be a wonderful choice).
Swap alphabetic characters for punctuation characters or numbers, in a memorable way. For instance, "asitsn" could become "@s1tsn" because "a" looks like "@" and "i" is a Roman "1" (but you should make up your own rules).
If passwords are case-sensitive, use upper case as well as lower case letters, in unexpected places. ""asitsn" could become "asITsn".

There are many variations on this theme: use them for your internet access passwords and, probably more important, for Internet banking and credit card passwords if you use these services.

Don't use the same password for everything, but don't use so many that you can't remember them. Use different passwords for unimportant things such as order tracking on websites (but be careful if they have your credit card number) and important things such as bank accounts.

Once you have chosen your password, don't tell anyone else. We will never need to ask you for your password to administer your services once they are set up. However, we do need to ask for a password to set up an e-mail mailbox because we do not currently have a way of allowing users to set their own. We shall offer this capability if and when we can do so safely. We will not retain records of the passwords you have chosen once the mailboxes are set up.

Denial of service attacks

It is possible to slow down individual web sites or ISPs, or even large sections of the Internet, by generating very large amounts of traffic that keep the server busy with trivial requests. This has been done to attack companies that have made themselves unpopular, or to extort money from commercial sites. It can also happen when a new virus starts spreading across the Internet.

You are unlikely to be a direct victim of such an attack. However, they often depend on the attacker having access to a large number of worm-infected PCs that can be instructed to send the necessary messages. This will slow down your PC and our network as well as the rest of the Internet. Again, using a virus scanner and a firewall is a sensible precaution.