RSNA.org

Mini Tutorial

Internet for You

 
Katarzyna J. Macura, M.D., Ph.D.
The Russell H. Morgan Department of Radiology and Radiological Science •  Johns Hopkins Medical Institutions

Part 7 — Internet Security


Viruses

Computer data can be damaged or altered by programs called malware, pest programs or vandalware created by computer hackers. More typically, these programs are called viruses. A computer virus is a program that attaches itself to a file, reproduces itself and spreads to other programs. A virus can corrupt and/or destroy data, display an irritating message or disrupt computer operations.

Several medical terms are used to describe virus operation. A computer is a "host" that becomes "infected" with a virus. The virus "replicates" and spreads from one computer to another. A computer can be "inoculated" against viruses, but when it becomes infected, "antiviral" software is used to "disinfect" it.

Viruses can spread when an infected floppy disk is in the disk drive as the computer boots up, or when the user runs an infected program or opens an infected file. Downloading a file from the Internet or opening an e-mail attachment might also infect the user's computer. A computer virus is a segment of program code that implants itself in a computer file and spreads systematically from one file to another, replicating itself on the hard disk. Some viruses place a virus marker inside the programs that they infect so that they can manage their own activity. If a virus detects one of these markers, it knows that the program is already infected, so it does not replicate itself in that program.

Viruses attack four parts of a computer: its executable program files, its file directory system that tracks the location of all computer files, its boot and system areas that are needed to start the computer and the data files themselves.

 

Types of Virus

There are four main types of viruses: boot sector viruses, file viruses, Trojan horse viruses and macro viruses.

A boot sector virus replaces the boot program used to start a computer with a modified infected version of the boot program that loads the virus into the computer's memory. Once the virus is in the memory, it spreads to any disk inserted into the computer.

A file virus attaches itself to or replaces program files; the virus then spreads to any file that accesses the infected program.

A modern Trojan horse is a computer program that appears to perform one function while it actually does something else. It is not a virus because it does not replicate itself, but it may carry a virus. A Trojan horse usually destroys data or steals passwords while looking like a login screen. As a user tries to log in, the Trojan horse collects the user's ID and password. This information is then e-mailed to a hacker for easy access to the data stored on the network. The typical purpose of a Trojan horse is to defeat network security measures.

A macro virus uses the macro language of an application, such as word processing or a spreadsheet, to hide the virus code. When the document with an infected macro is opened, the macro virus loads into the memory. A virus is usually activated as soon as a program or file is used, or at the specific times or dates determined by the virus creator.

A logic bomb is a computer virus that activates when it detects a certain condition, such as the appearance or disappearance of certain data. A time bomb is a type of logic bomb that activates when a predetermined time or date registers on the internal clock of the computer.

Another type of malicious program is a worm. Worms are programs designed to infect networks through security holes. Like a virus, a worm replicates itself. Unlike a virus, a worm does not need to be attached to a document or executable program to reproduce. Worms travel from a networked computer to another networked computer, replicating themselves along the way. The worm copies itself repeatedly in the memory or disk space until no memory or disk space remains. Worms are not likely to affect personal computers, because they are designed to attack network servers.

Some symptoms of virus infection:

  1. Computer displays annoying messages
  2. Computer develops unusual visual or sound effects
  3. Files mysteriously disappear or are difficult to save
  4. Computer reboots unexpectedly
  5. Computer suddenly slows down
  6. Executable files increase in size


Tips for preventing virus infection:

  1. Install and regularly run an antivirus program on all of your computers. Obtain updates to the antivirus signature files. The cost of antivirus software is much less than the cost of rebuilding damaged files.
  2. Write-protect your rescue disk by sliding the write-protect tab into the write-protect position. Beware, however, that although a virus cannot transfer onto your disk when it is write-protected, you must remove the write-protection each time you save a file on the disk. With the write protection removed, your disk is open to virus attack.
  3. Never start the computer with a floppy disk in drive A. All floppy disks contain a boot sector. During the startup process, the computer attempts to execute the boot sector on a disk in drive A. Even if the attempt is unsuccessful, any virus on the floppy disk's boot sector can infect the computer's hard disk.
  4. Do not accept files from high-risk sources. Before using any floppy disk, use the antivirus scan program to check the disk for viruses. Even commercial software has been infected and distributed to unsuspecting users.
  5. Do not download from sites that do not test and secure their files. Check all downloaded programs for viruses. Viruses are often placed in seemingly innocent programs so they will affect a large number of users.
  6. Before opening and/or executing any e-mail attachments, ensure that the e-mail is from a trusted source. If an e-mail is from an unknown source, it should be deleted without opening or executing any attachments. Avoid running attachments that are .EXE files, even if they come from your friends.
  7. Back up your files regularly. Scan the backup program prior to backing up disks and files to ensure the backup program is virus free.
 


Antiviral Applications

There are three kinds of antiviral applications that protect computers against viruses: scanners, eradication programs and inoculators.

A scanner checks if the computer has any files that have markers indicating the presence of a virus. A scanner may also check the size of a program to detect any changes in file size or file creation date. An antivirus program can identify a virus through recognition of a specific pattern of known virus code, called a virus signature.
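The two scanner checks described above, signature matching and detection of changes in file attributes, shown as an added example that is not part of the original tutorial. The signature names and byte patterns are constructed, harmless placeholders, and modification time stands in for the file date the text mentions.

```python
import hashlib
import os
import tempfile

# Constructed, harmless byte patterns standing in for virus signatures.
SIGNATURES = {
    "Demo.Marker.A": bytes.fromhex("deadbeef4d41524b"),
    "Demo.Macro.B": b"AutoOpen_DEMO_PAYLOAD",
}

def scan_bytes(data):
    """Return the sorted names of all signatures found in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)

def snapshot(path):
    """Record size, modification time and SHA-256 of a file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}

def compare(baseline, current):
    """List which recorded attributes differ from the baseline."""
    return [k for k in ("size", "mtime", "sha256") if baseline[k] != current[k]]

def scan_file(path, baseline=None):
    """Signature scan plus an optional change check against a baseline."""
    with open(path, "rb") as fh:
        hits = scan_bytes(fh.read())
    changed = compare(baseline, snapshot(path)) if baseline else []
    return {"signatures": hits, "changed": changed}

def demo():
    """Scan a clean file, then the same file after bytes were appended."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "program.bin")
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 64 + b"clean program body")
        base = snapshot(path)
        before = scan_file(path, base)
        with open(path, "ab") as fh:  # simulate code appended to the program
            fh.write(SIGNATURES["Demo.Marker.A"])
        os.utime(path, (base["mtime"] + 60, base["mtime"] + 60))
        after = scan_file(path, base)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The hash comparison catches a modification even when the file size and date are left unchanged, which size and date checks alone would miss.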

An eradication program disinfects, or removes viruses from the hard disk.

An inoculator does not allow a program to run if it contains a virus. Currently, several thousand known viruses exist, but fewer than 10 cause significant damage. The Symantec AntiVirus Research Center's Online Encyclopedia offers the most up-to-date information on recent threats at www.symantec.com/avcenter/vinfodb.html

 


Encryption

Encryption is a technique for scrambling and unscrambling information. The unscrambled information is called clear-text and the scrambled information is called cipher-text. Once data is encrypted, it can be sent via e-mail messages or stored just as any other data. To read the data, the recipient must decrypt, or decipher, it into a readable form. To encrypt the data, the originator applies an encryption key: a secret value that computers use along with complex mathematical formulas to encrypt messages. The recipient of the data then uses an encryption key to decrypt the data.

There are two basic types of encryption: private key and public key. With private key encryption, also called symmetric encryption, both the originator and recipient use the same encryption key to encrypt and decrypt the data. Public key encryption uses two encryption keys: a public key known to everyone and a private key known by only the receiver. To decode an encrypted message, a computer must use the public key provided by the originating computer and its own private key.

Many browsers include encryption software that allows the user to encrypt e-mail messages or other documents. Secure Sockets Layer (SSL) is one of the more popular Internet encryption methods; it provides two-way encryption along the entire route data travels to and from a computer. The addresses of Web pages that use SSL begin with the https protocol instead of the http protocol. To check whether the communication is carried over a secure channel that uses SSL, the user should look for a padlock icon in the browser and make sure that the URL is in the form https:// as opposed to http://. Before entering any sensitive data, such as a credit card number or Social Security number, it is important to verify that the user's computer is communicating with the right server and not an imposter that is trying to steal personal information. To verify this, the user should check the authentication certificate, which can be accessed by double-clicking on the padlock icon.

 


Firewalls

The nature of the Internet, an open public network that allows for free exchange of information and files, makes it vulnerable to attack. Every time a computer connects to the Internet it faces potential danger of being open to hackers who could theoretically break into the system and cause damage. One way of protecting the networks and individual computers from intruders is the installation of a firewall that shields the internal (corporate/educational/private) networks from the Internet.

A firewall is a combination of hardware and software used to prevent hostile programs from entering a network, usually by filtering out suspicious data packets. Firewalls can also be used to prevent unauthorized access to the information within the particular network. Recognizing the efficiency and power of the Internet, many organizations have applied Internet technologies to their own internal networks called intranets.

An intranet, sometimes called an enterprise network, is a small version of the Internet used within an organization; it uses the same file exchange protocols, supports multimedia and allows access via browsers. Intranets generally make company information accessible to authorized users and employees, and facilitate working in groups. An intranet may also allow access by authorized users outside the company, forming an extranet. With a firewall, the internal networks work as networks normally do, with servers providing internal services such as e-mail, access to corporate databases and the ability to run programs from servers.

When someone on the local network wants to access the Internet, the request and data must go through an internal screening router. This interior router examines the packets of data traveling in both directions, between the network and the Internet. Information within the packets' headers gives the router the source and destination of the packet, the protocol being used to send the packet and other identifying data. Based on the information in the headers, the screening router will allow certain packets to be sent or received, but will block other packets. System administrators set the rules to specify acceptable communications from locations, individuals, or in certain protocols and to determine which packets to allow in and which ones to block.
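A sketch of the header-based decision a screening router makes, as an added example that is not part of the original tutorial. The addresses, the rule set and the first-match, default-block policy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address from the packet header
    dst: str        # destination address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port, 0 if the protocol has none

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    src: str = "0.0.0.0/0"  # source network the rule applies to
    dst: str = "0.0.0.0/0"  # destination network
    proto: str = "any"
    dport: int = 0          # 0 matches any port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

# Constructed example networks (private and documentation address ranges).
INTERNAL = "192.168.10.0/24"
MAIL_SERVER = "192.168.10.25/32"

# Rules are evaluated top to bottom; the first match decides.
RULES = [
    Rule("block", src="203.0.113.0/24"),                     # refused location
    Rule("allow", src=INTERNAL, proto="tcp", dport=80),      # outbound web
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),     # outbound https
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25),   # inbound mail
]

def screen(packet, rules=RULES):
    """Return (action, index of the matching rule or None for the default)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "block", None  # anything not explicitly allowed is blocked

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.5", "198.51.100.20", "tcp", 443),
                Packet("203.0.113.7", "192.168.10.25", "tcp", 25),
                Packet("198.51.100.20", "192.168.10.5", "tcp", 23)):
        print(pkt, "->", screen(pkt))
```

Rule order matters: the mail rule would admit the packet from 203.0.113.7, but the earlier block rule matches first.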

A software firewall can be installed on a home computer that has an Internet connection. This computer is considered a gateway because it provides the only point of access between the home network and the Internet. With a hardware firewall, the firewall unit itself becomes the gateway; one example is the Linksys Cable/DSL router, which has a built-in Ethernet card and hub. Computers on the home network connect to the router, which in turn is connected to either a cable or DSL modem. The router can be configured via a Web-based interface that can be accessed through the browser, where the user can set any filters. Hardware firewalls are secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under $100. A free firewall test for security flaws is available at www.securitymetrics.com/portscan.adp.

 


Virtual Private Network

A firewall is an important security feature for any Internet user. However, firewalls do not protect data from threats within the Internet network itself. Once the data gets outside the firewall, the user names, passwords, account numbers, server addresses and other sensitive information are visible to hackers. A Virtual Private Network (VPN), by using encryption algorithms, gives users the ability to use the public shared Internet for secure data transmission after the data leaves the protection of the firewall.

The feature that makes a VPN "virtually private" is a tunnel. What makes a VPN transmission a tunnel is the fact that only the recipients at the other end of the transmission can look inside the protective encryption shell. Tunneling technology encrypts and encapsulates the network protocols within Internet Protocol (IP). Using special tunneling protocols and complex encryption procedures, data integrity and privacy are achieved in the VPN in what seems like a dedicated point-to-point connection. At either end of the VPN tunnel there is a VPN gateway in hardware and software form. The gateway at the sending location encrypts the information into cipher-text before sending the encrypted information through the tunnel over the Internet. The VPN gateway at the receiving location decrypts the information back into clear-text. The encryption algorithm uses a secret code, a key, to create a unique version of cipher-text. Transmission security strength depends on the length of the keys used: an 8-bit key allows 256 combinations (two to the eighth power), and a 16-bit key allows 65,536 combinations (two to the 16th power). In other words, if the key used is a 16-bit key, an intruder might have to make 65,536 attempts at cracking the combination. This would be a quick and fairly simple task for computers. That is why most VPN products use at least 168-bit keys, creating two to the 168th power possible combinations.
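The key-length arithmetic above, carried through as an added example that is not part of the original tutorial. The keyed HMAC check is a stand-in for a real VPN cipher, and the message, the secret key and the rate of one trillion guesses per second are constructed assumptions.

```python
import hashlib
import hmac

SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(bits):
    """Number of possible keys of the given length: two to the power bits."""
    return 2 ** bits

def years_to_exhaust(bits, keys_per_second):
    """Worst-case time to try every key at an assumed guessing rate."""
    return keyspace(bits) / keys_per_second / SECONDS_PER_YEAR

def tag(key_int, bits, message):
    """Keyed check value; stands in for encrypting under the key."""
    key = key_int.to_bytes((bits + 7) // 8, "big")
    return hmac.new(key, message, hashlib.sha256).digest()

def exhaustive_search(bits, message, target):
    """Try every key in order; return (key found, attempts made)."""
    for attempts, candidate in enumerate(range(keyspace(bits)), start=1):
        if hmac.compare_digest(tag(candidate, bits, message), target):
            return candidate, attempts
    return None, keyspace(bits)

if __name__ == "__main__":
    message = b"constructed sample message"
    secret = 0xBEEF  # constructed 16-bit key
    found, attempts = exhaustive_search(16, message, tag(secret, 16, message))
    print(f"16-bit key recovered after {attempts} of {keyspace(16)} attempts")
    for bits in (8, 16, 168):
        years = years_to_exhaust(bits, 1e12)
        print(f"{bits:>3}-bit: {keyspace(bits):.3e} keys, {years:.3e} years")
```

Each added bit doubles the search, so the 16-bit search finishes almost immediately while the 168-bit estimate comes out on the order of 10^31 years at the assumed rate.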

A VPN can connect remote sites or users in two ways: via a remote-access connection or a site-to-site connection. A remote-access connection, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection set up by a company that has employees who need to connect to the private network from remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP).

The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. In a site-to-site link, a company can connect multiple fixed sites over a public network through the use of dedicated equipment and large-scale encryption.

 



Copyright © 2008 Radiological Society of North America, Inc., 820 Jorie Blvd, Oak Brook, IL 60523-2251