


Computer Security: Prevent Viruses and Worms

Denise Heagerty, IT/IS


Abstract

In July this year several systems at CERN were infected by the "Code Red" worm which resulted in significant network disruption. It is essential that all networked computers remain up-to-date with security patches to reduce the risk of infection from future worms and viruses.


A computer worm is software which copies itself between networked computers, gradually infecting more and more of them. The "Code Red" worm which was launched on the Internet in July this year infected tens of thousands of computers, including 25 on the CERN site. It entered via security holes on computers which had not been regularly patched and seriously disrupted the CERN network with the massive traffic it generated.

System administrators must ensure that their computers have the latest security patches installed, for both the operating system and any application services using the network. If your system is running application services which are not necessary (e.g. some may be running by default or for historical reasons) then disable them. Systems running CERN-certified operating systems can profit from IT Division's services which apply tested patches automatically or provide them for manual installation. Those who have installed their own operating systems or applications must themselves check for and install relevant security patches.

Please refer to CERN's security recommendations at http://cern.ch/security/recommendations, which are reproduced below.


CERN Computer Security Recommendations

1. Don't open unexpected e-mail attachments.

Viruses often hide in e-mails from strangers, but can also appear to come from someone you know. Opening an attachment can activate a virus and place your computer at risk. If you are not expecting the attachment then either delete the e-mail directly or obtain further details from the sender before opening the attachment. The safest way to read an attachment is to first copy it to disk and then open it using the appropriate program (Word, Excel, ...). You can also run an anti-virus check on the file before opening it.

2. Click "cancel" (instead of "ok") or close unexpected dialogue boxes when using the web.

Visiting a web site sometimes results in dialogue boxes. If you don't expect them or don't understand them then either click "cancel" or close the dialogue box. If you click "ok", you may be agreeing to transfer and run a file containing a virus.

3. Don't answer or forward unsolicited e-mail - delete it immediately.

We all receive unexpected e-mail: advertising, requests for money or support for a cause. Sometimes it appears to come from an organisation or person that we know, maybe even from someone at CERN. The "From" address of these e-mails has usually been forged and cannot be trusted. The contents of the e-mail may contain a trick, particularly if it invites you to visit a web site or contains an attachment. If you react to such e-mails you risk introducing a virus into CERN, exposing your personal information (such as your e-mail address, which leads to even more of these e-mails), and wasting time and money. The more realistic the mail, particularly if it is related to a recent or topical event, the more dangerous it is likely to be. Hoax e-mail warning you of a virus is extremely common - delete it. If the mail asks you to forward it to other people: DO NOT. Unsolicited e-mail can usually be recognised by checking the subject and sender, so don't even read it - delete it rapidly. If you continue to receive unsolicited e-mail from the same sender then you can report this to abuse@cern.ch.

4. Run anti-virus software which is automatically updated (several new viruses appear each day).

CERN's centrally managed NICE PCs are equipped with anti-virus software and are automatically updated to limit damage from known viruses. If a virus is discovered, the anti-virus software will notify you, and prevent it from running (by placing it in quarantine). You should continue to work normally, as the anti-virus service will be automatically informed and will contact you if any further action is required. Occasionally, the anti-virus software cannot completely prevent damage, so if you do experience problems contact helpdesk@cern.ch (tel: 78888), with the name of your PC, details of the error message and problem, and request a virus check.

Anyone managing their own Windows PC is responsible for obtaining, installing and keeping their anti-virus software up-to-date. This applies to all PCs on the CERN network, including those of visitors. Regularly updated anti-virus software is particularly important for portable PCs which are used at other locations and connect to other Internet Service Providers since they bypass CERN's security protections. This not only increases their own chance of infection, but places the whole CERN site at risk, since once infected, they can spread an infection from inside our firewall.

5. Don't copy or run software from non-trusted sources, e.g. via the Internet or physical media such as diskettes or CDs.

Viruses are often hidden inside files. When you copy and run a file containing a virus, you can infect not only your own PC, but can start to spread a virus inside CERN's firewall. Only copy files from trusted sources, such as commercial companies with whom CERN has a software agreement.

6. Choose secure passwords and change them regularly.

Programs to crack passwords or read them from the network are readily available. To limit the risk of your password being cracked, it should be at least 8 characters long and include letters (both upper and lower case), digits and punctuation. You should change your password regularly and always after a trip where you could have exposed your password at a remote site. More detailed advice is at http://cern.ch/security/passwords.

7. Avoid applications with unencrypted sessions, especially when connecting to CERN from off-site.

Applications such as telnet, ftp and X windows expose all session data, including passwords, in clear on the network. Using such applications, especially to connect to CERN from other sites, carries a strong risk that your password and other personal data will be exposed and used by intruders for malicious activity. You are strongly recommended to use applications such as ssh, which encrypt session data, when accessing CERN from remote sites or for performing sensitive or privileged actions on-site. More detailed advice is at http://cern.ch/security/ssh.

Web sites prefixed by "http" expose data in clear. For sensitive data, such as passwords and credit card numbers, ensure that the data is encrypted, e.g. by using web sites prefixed by "https".

8. Use CERN's recommended and centrally managed systems - if you manage your own system or have installed your own applications, you are responsible for keeping the software secure:

  • limit application services listening on network port numbers to the absolute minimum
  • limit the number of users authorised to access the system to a minimum
  • ensure that the system and applications are securely configured
  • ensure that security patches are regularly applied - this may require upgrading to later versions
  • don't install software which you don't understand
  • respond quickly to fixes proposed by CERN's security team
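One way to check the first point of this list together with recommendation 7, shown as an added example that is not part of the original article or of any CERN tool: the script compares a system's listening TCP sockets with an allowlist and flags the cleartext services named above. The sample input is constructed in the format of `ss -H -tln` on Linux, and the allowlist (ssh only) is an assumption.

```python
"""Audit listening TCP sockets against an allowlist (added example)."""

# Cleartext protocols named in recommendation 7 (well-known port numbers).
CLEARTEXT = {21: "ftp", 23: "telnet"}
X11_PORTS = range(6000, 6064)  # X11 displays :0 to :63

# Constructed sample in the format of `ss -H -tln` on Linux; not real data.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
"""

def parse_listeners(text):
    """Yield (address, port) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr.strip("[]"), int(port)

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def audit(text, allowed_ports):
    """Return sorted (port, address, reason) findings for network-reachable listeners."""
    findings = []
    for addr, port in parse_listeners(text):
        if is_loopback(addr):
            continue  # bound to loopback only: not reachable from the network
        if port in CLEARTEXT:
            findings.append((port, addr, f"cleartext service ({CLEARTEXT[port]})"))
        elif port in X11_PORTS:
            findings.append((port, addr, "cleartext service (X11)"))
        elif port not in allowed_ports:
            findings.append((port, addr, "not in allowlist"))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE, allowed_ports={22}):
        print(f"{addr}:{port}\t{reason}")
```

Each finding is a service to disable, restrict to loopback, or justify and add to the allowlist.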

9. Protect your system by CERN's firewall.

Systems connected to CERN's network must be registered at http://network.cern.ch/register. The default OUTGOING network access allows direct connections to the Internet from CERN, while still offering some protection by CERN's firewall. If your system does not need to access the external Internet and you want extra protection in the firewall, you can register the network access called NONE. If absolutely required, INCOMING access can be registered, to allow direct access from the Internet. Such systems have significant risk of being attacked and expose the whole CERN site to security risks. It is essential that they are actively and continually secured (see point 8).

10. Keep yourself informed of CERN's security rules and advice:

Computer.Security@cern.ch, 23 October 2001



About the author(s): Denise Heagerty is the CERN Computer Security Officer.


For matters related to this article please contact the author.
Cnl.Editor@cern.ch


CERN-CNL-2001-003
Vol. XXXVI, issue no 3


Last Updated on Fri Dec 07 14:18:27 CET 2001.
Copyright © CERN 2001 -- European Organization for Nuclear Research