Protecting computers and information, at work and at home
Notes to accompany a 2-hour practical workshop for University of Brighton staff
Although the Information Services department works hard to ensure that university
computers and data remain safe and secure, we all have a part to play in the
ongoing effort. This hands-on workshop provides an enjoyable and enlightening
overview of IT security issues that affect us all, both on the internet and offline.
You are welcome to bring along to the workshop any security-related questions
that you may have, including those relating to your home PC, and we’ll do our best
to answer them or provide general advice.
If you are not attending the workshop, you will still find it useful to read through this
document in order to learn about how to protect your office and home computers
from viruses, spyware, and so on. This workbook can be downloaded from
Last updated 08 Jul 2010 Robert Schifreen
For details of Information Services workshops see: http://www.brighton.ac.uk/is/training/
Why Safe Computing is Important
How We Manage Security
All About Passwords
The Importance of Backups
Spyware and Adware
How Anonymous Is The Internet?
Processing Confidential Information
Web-Surfing in Safety
Securing your web site
Specifics of home PC security
Accidents Do Happen
Computer Crime and the Law
And Finally, Esther
Example files required for this workshop
System and software
A computer with internet access and a web browser. Although this workshop will
be taught on Windows PCs, the vast majority of the content and exercises are
Why Safe Computing is Important
The University of Brighton’s Safe Computing programme is about preventing the misuse of our
IT resources, both hardware and software. As well as protecting ourselves from criminals such
as hackers, it’s also about safeguarding our systems and data from loss or damage caused by
mistakes, mishaps, accidents and plain ignorance.
IT security is important because the risks are so high. For example:
- A stolen PC or laptop costs us money (it’s hard to get anti-theft insurance for laptops) and damages our reputation among staff and students
- Someone who hacks into our computers, perhaps by guessing a UoB username and password, can access data files that they’re not entitled to see
- If you inadvertently divulge the password required to edit or amend a university web site, someone else could change the site’s pages without your permission or your
- If you click on a link in a spam email message that you receive, without giving due consideration as to whether the link is trustworthy, you may infect your computer with a virus that spreads to hundreds of other student and staff computers across the
- Failure to adequately protect the university’s confidential information, such as student records, is a breach of the UK’s Data Protection Act and could result in both you and the university facing prosecution
- If we dispose of an old desktop PC in a local skip without wiping the data from the hard drive, and the information is subsequently recovered by a passer-by, we risk a large amount of negative publicity.
As you can see, the major risks in IT security are a combination of financial and reputational.
In the next section of this workshop, we’ll look at some of the most important aspects of IT
security as it works at the university.
University of Brighton Information Services
How We Manage Security
Although we ask everyone to help play their part in protecting the university’s computers,
Information Services does all it can to help maintain a safe and secure computing environment
for everyone. This section explains more about what we do.
The university’s data network is actually 3 separate “virtual” networks which operate on the
same set of cables but which (mostly) can’t talk to each other. There’s the staff network for all
staff computers, the student network for the libraries and pool rooms, and the open-access
network for halls of residence. This helps to ensure security as, for example, anyone plugged
into the student network can’t access any resources that are dedicated as being for staff only,
regardless of which username and password they use.
Computers on the staff network use fixed IP addresses, which are allocated by Network
Services (part of the Information Services department). Without a valid IP address, a computer
connected to the staff network won’t be able to access any university systems or the internet.
Conversely, the student and open-access networks use DHCP, a system which automatically
assigns a valid IP address to a computer as soon as it is plugged into the network (although the
student network is further restricted by MAC address filtering to prevent students from
unplugging computers in the library or poolroom and connecting their own laptops instead).
We’ll discuss IP addresses in more detail later.
Most staff computers are members of the university “domain”. This allows them to be managed
centrally in order that, for example, the university’s standard antivirus software and security
patches can be automatically installed and updated. Computers which are joined to the domain
can also take advantage of our LDAP system for managing usernames and passwords, of
which more later.
Your desktop computer will normally have been installed, configured, and joined to the
university domain, by someone from the Information Services department or your school or
department technician. You can then log into the computer using your university username and
The university has lots of computer systems that you may need to log into, such as
StudentCentral, StaffCentral, eFin, SITS, protected areas of web servers, the Online Library, the
repository, not to mention the computer on your own desk. With 2,500 staff and 17,000
students, all of whom need to log into a variety of systems, keeping track of all those passwords
would be an impossible job without some form of centralized system. The university uses such
a system, employing a technology known as LDAP. This is a central database of usernames
and passwords that can be consulted by every university computer that you ever need to log
into in order to check whether the username and password that you have entered is correct.
When you log into your desktop PC or Mac (or, strictly speaking, when you log into the
university domain from your desktop computer), the username and password that you type is
checked against the LDAP database. Similarly, when you log into StaffCentral or
StudentCentral or the Online Library, the password that you enter is checked in the same way.
Using LDAP means that you only need to change your password in one place (the LDAP
database) in order to change it on almost all university systems.
If you ever want to change your LDAP password (also known as your university password), it’s
always best to do so via LDAP itself, using the MyInfo web site. If you change it via a single
system, such as using the feature built into Windows, you will only change the password that
logs you into Windows rather than the password that gets you into all the university systems.
This will result in your passwords becoming “out of sync”, and you’ll have to use different
passwords to log into different university computers.
Exercise 1 See how to change your LDAP password
You probably don’t want to change your password now, but it’s a good idea to at least see how
to do it.
1 Launch your Web browser
2 Go to myinfo.brighton.ac.uk and note how you are redirected to the https://
version of the page. This is a secure site which uses encryption to ensure that
anyone monitoring your connection can’t intercept what you type. Whenever
you’re entering confidential data into a web page, make sure that the site uses
3 You’ll see a screen that looks like this:
4 Enter your current university (LDAP) username and password, then click the
5 You can now, if you wish, change your password. Once you do so, the LDAP
database will be updated and the new password will apply to most university
systems, including your desktop PC or Mac. If you don’t want to do so at this
time, just close your web browser.
6 Note that the LDAP database processes all its updates in batches, every 15
minutes. So it will take up to 15 minutes before your new password is active.
7 Students who wish to change their password can do so using myinfo in exactly
the same way. They can also use the same system to change their email
forwarding address, eg if they want email that is sent to their UoB mailbox
(firstname.lastname@example.org or email@example.com) to be forwarded to
somewhere like Hotmail or Gmail instead. This facility is not available to staff.
Automatic Installation of Security Patches
Microsoft issues around 100 security patches for Windows and Office every year, and other
companies such as Adobe and Apple also issue regular fixes for their products. Computers
connected to the university domain will automatically have these patches installed via our
central systems, so there’s normally no need for you to install security patches yourself on your
If you have a university laptop, any outstanding patches (and antivirus software updates too) will
be installed each time you connect the computer to our network. If you rarely connect your
university laptop to the network, it’s a very good idea to do so at least once a month in order to
ensure that you are not missing any important updates. Note that if you haven’t connected for a
while, there can be quite a large backlog of updates to get through, so you may find your
computer runs very slowly for the first ten minutes of use.
You must have antivirus software on your computer (whether PC or Mac) before you connect it
to the university network. Also, the software must be configured to update itself automatically at
least once a day. Otherwise there’s a real risk that your computer may become infected by a
virus, and that the virus might successfully spread to other computers in the university and
The university’s official antivirus software is Sophos, for both PCs and Macs. If you still have
the old McAfee software that we used until 2006, you must remove it and replace it with
Sophos. If you still run McAfee, your software won’t be updated and thus you will be at risk
from viruses. Also, you will be using the software illegally as we no longer have a McAfee
University computers (both PC and Mac) used by staff, as well as those in libraries and pool
rooms, should have the Sophos program automatically installed and updated by our central
systems. If this is the case on your computer, you can rest assured that you’re safe from
viruses. However, it’s always a good idea to check occasionally that your computer has
antivirus software installed, that it is configured to update itself regularly, and that the updates
are actually being correctly installed.
Exercise 2 Check your PC’s antivirus software
1 On the status line at the bottom of the screen, look for the blue shield that
signifies the Sophos antivirus software, and right-click on it.
2 Click on “open Sophos antivirus”
3 Check the “Last Updated” date and time and ensure that it’s no more than 2
4 Check that the “product version” is at least 6.
5 Click on “Configure”, then “Updating”
6 Click on the Primary Server tab.
7 The information on the tab should be greyed out. The server address should
be http://security.brighton.ac.uk/sophos/esxp/. The username should be
university\webupdate. If any of these items is wrong, you will need to configure
the updating again. On a PC, right-click on the blue shield and choose
Configure Updating. Fill in the information as follows:
Username: university\xxx (where xxx is your username)
Password: Your university (LDAP) password
If you’re using a Mac:
1 Click on the blue shield in the menu bar at the top right of the screen, near the
2 Select Open Preferences
3 Click on the AutoUpdate tab
4 Under the Primary Server tab, check that the URL is
As long as the Shield is blue and does NOT have a red cross on it, then Sophos is working
Antivirus Software for Home
If you have a computer at home (Mac or PC), it’s vital to use antivirus software, especially if you
connect to the internet or you ever exchange document files with other people. The university
has a site licence for our Sophos software which also allows you to install the software on a (but
only one) home computer. Just pick up a free CD from any university library or computer pool
room, or download it from http://security.brighton.ac.uk/sophos. Our licence covers students
too, so feel free to tell all your colleagues and students about this offer, for free software that
would otherwise cost them almost £100.
Restriction of admin accounts
Windows will normally be set up on your PC to give you Standard User or Power User
privileges, rather than an Administrator account. This allows you to use all the programs
installed (Word, Excel, eFin etc), and to browse the internet, but you won’t be able to install new
software or change your computer’s configuration. If you need software installed, your local
technician can do this for you.
Logging into Windows as a non-Administrator is a good idea for a couple of reasons. First, if
you inadvertently try to do something dangerous like deleting the entire hard disk, your lack of
administrator privileges means that you won’t be allowed to do it. Secondly, if a virus attempts
to install itself, the same mechanism will prevent it from doing so.
If you have a PC at home, you probably don’t have any user accounts set up at all, or there’s
just a single administrator-level account that you use all the time. That’s how Windows XP is
normally delivered. But now that you know why this isn’t a good idea, you might wish to change
it. Set up a user and an admin account for yourself, and only log in as the administrator when
you need to do admin-type things. At all other times, use your Standard User or Power User
account. To change user account settings in Windows XP, go to the Control Panel and look for
the User Accounts icon.
The Proxy Server
All access to the internet from university computers has to go via what’s known as our proxy
server, except for access to .ac.uk web sites. If you attempt to connect directly to a non-
academic web site from your computer, it won’t work. Configuring our network in this way
allows us to manage the data that travels between our internal networks and the internet.
It also allows us to maintain logs of who (staff and students) access which web sites, which we
are required to do by law. These logs are held for no more than 6 months, after which they are
deleted. Details of a user’s internet activity are only retrieved from those logs if a member of the
university’s Senior Management Team or the police (with a warrant) request it.
All computers in the university domain are automatically configured to use the proxy server.
However, it’s useful to know how to configure and de-configure it manually, such as if you want
to use a personal laptop at work or you need to help a student access the internet on their
To configure Internet Explorer to use the proxy server, go to the Tools menu on IE, select
Internet Options, click on Connections, then LAN Settings, then tick the box that says “use
automatic configuration script”. For the address of the script enter:
and the job is done. (Note that the http:// part is required).
If you’re using a different Web browser, you’ll probably need to configure that one too. Look in
the options settings for a proxy server. If there’s an option to specify a configuration file, enter
the URL shown above. If there’s only the option to specify a proxy server, enter just
proxy.brighton.ac.uk instead. If you’re asked for a port number, use 80.
If you ever come across a computer that can access academic web sites but can’t contact other
external sites such as Google or the BBC, it’s highly likely that the problem is a missing
proxy.pac configuration entry.
If a student brings their laptop on site, they will need to enter this proxy information in order to
access external Web sites, regardless of whether they’re plugged into a port in a library, pool
room or hall of residence, and whether they’re using a network cable or a wireless connection.
Conversely, when they leave the campus and want to use their computer at home, they’ll need
to untick the “use automatic configuration script” box, because attempting to access the internet
from off-campus using our proxy won’t work.
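The routing rule described in this section, written out as an added example (it is not the university's real configuration script, and is not part of the original workbook). `FindProxyForURL` is the standard entry point of a proxy auto-configuration script; `canReach`, `diagnose` and the sample URLs are hypothetical names and constructed values used to model the on-campus and off-campus symptoms the text describes.

```javascript
// Added example: a stand-in PAC (proxy auto-configuration) script plus a small
// model of the behaviour described in the text. Not the university's real file.

// Browsers supply dnsDomainIs() to PAC scripts; it is defined here so the file
// also runs under Node. Returns true when `host` ends with `domain`.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// Entry point of every PAC script: the browser calls it for each request and
// follows the returned route.
function FindProxyForURL(url, host) {
  // Match ".ac.uk" with its leading dot, against the end of the host name
  // only, so look-alikes such as "lookalike-ac.uk" are not sent direct.
  if (dnsDomainIs(host.toLowerCase(), ".ac.uk")) {
    return "DIRECT";
  }
  return "PROXY proxy.brighton.ac.uk:80";
}

// Model of the network rules stated in the text (a simplification):
//  - on campus, direct connections only reach .ac.uk sites;
//  - the proxy only serves computers that are on campus.
function canReach(url, onCampus, pacEnabled) {
  const host = new URL(url).hostname;
  const route = pacEnabled ? FindProxyForURL(url, host) : "DIRECT";
  if (route.startsWith("PROXY")) {
    return onCampus;
  }
  return onCampus ? dnsDomainIs(host, ".ac.uk") : true;
}

// Constructed sample URLs: one academic site and one external site.
const ACADEMIC_URL = "http://www.example.ac.uk/";
const EXTERNAL_URL = "http://www.bbc.co.uk/";

// Turn the observed symptom into the fix the text recommends.
function diagnose(onCampus, pacEnabled) {
  const academic = canReach(ACADEMIC_URL, onCampus, pacEnabled);
  const external = canReach(EXTERNAL_URL, onCampus, pacEnabled);
  if (academic && external) return "ok";
  // Same symptom in both fault cases; only the location tells them apart.
  if (academic && !external) return onCampus ? "enable-pac" : "disable-pac";
  return "other-fault";
}

for (const onCampus of [true, false]) {
  for (const pacEnabled of [true, false]) {
    console.log(`onCampus=${onCampus} pac=${pacEnabled} -> ${diagnose(onCampus, pacEnabled)}`);
  }
}
```

Both fault cases look identical from the browser (academic sites load, external sites do not), so the first question when troubleshooting is whether the computer is on or off campus.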
Almost all organizations, both public- and private-sector, have documents which explain the
rules about what is deemed acceptable use of the organization’s IT resources. The University
of Brighton is no exception. The Information Services department publishes a series of
documents which are agreed by the university’s Information Strategy Committee on behalf of
the Academic Board. The 3 that are most relevant to all staff and students are:
- Conditions of Use of University of Brighton Computing Facilities including Networks
- University of Brighton Information Systems Security and Information Interception Policy
- Code of practice for using information systems.
These are available on StaffCentral.
The documents define what represents unacceptable use of the university’s systems. For
example, attempting to hack into university systems by guessing a colleague’s password,
connecting a computer to our network which does not have antivirus software installed,
downloading pirated software or music files onto a university computer, or deliberately viewing
indecent material on web sites are regarded as unacceptable and can result in the offender
facing disciplinary action.
Uncensored But Monitored
Unlike some organizations, the university doesn’t routinely censor the web or email, preferring
instead to operate on a system of trust and freedom. We do, however, have monitoring
systems in place which will alert the Information Services operations staff if any suspicious
activity takes place on our network, whether that activity originates inside or outside the
We also have a central firewall which ensures that all access to university computers from off
campus is blocked, except in the case of specific computers such as web servers. All
computers on UoB premises including the sites at Moulsecoomb, Falmer, Grand Parade,
Eastbourne and Hastings are considered to be on-campus.
Although we do block some kinds of network data, this is not always for security reasons. For
example, we don’t allow staff or students to use internet telephony systems such as Skype
without the permission of the Director of Information Services, because it requires a lot of
network capacity. You may also find that videoconferencing applications such as MSN
Messenger don’t work when one of the parties is off-campus. This is because Messenger
requires our firewall to be configured in a manner which is regarded as insecure, in order to
allow data to travel freely between participants.
DRP and BCP
When you’re managing the security of a network the size of ours, you need to plan in advance
for how you’d deal with an emergency or a computer-related disaster. You also need to make
sure that you’re prepared for any eventuality.
For example, most of the university’s web servers reside in one building, and if there was a
major flood or fire in that building a web site that normally gets around 50,000 hits a day would
be off the air. To prevent such an eventuality, we do what’s known in the security field as
Disaster Recovery Planning and Business Continuity Planning. This means that there are plans
and procedures in place to ensure that we can be up and running as quickly as possible after an
IT-related disaster. We also have backup hardware in place in various other locations, all ready
to spring into action should the need arise.
Your PC and Your Privacy
You should be aware that the university’s network does record details of every web site that you
visit (but not the information that you type into that web site, such as passwords).
The university has strict rules about data privacy and confidentiality. Technicians and network
operations staff do not routinely examine the contents of staff or student PCs, the contents of
your personal storage area (your M: drive) on the network, or the network’s log of the web sites
that you have visited. If a staff member or student is suspected of misusing the university’s IT
resources, and if it is deemed necessary to monitor that person’s internet usage or the content
of their PC, this has to be authorized in writing by a member of the university’s Senior
If you’re interested in the science of investigating the computer of someone who is suspected of
illegal activity, a Google search for “computer forensics” will bring up a wealth of fascinating
information on this growing industry. The University of Derby has even launched an MSc in just
such a subject.
All About Passwords
There are various ways that a person can prove to a computer that they are who they say they
are. The main method that we use at the university is the password.
Other methods are available, such as biometrics (fingerprints, voice recognition) and
smartcards, but these are not widely used outside the commercial world. We do use cards to
control access to some buildings. Also, some of our systems are IP-authenticated which means
that you can’t log into them unless your computer has a specific IP address. Plus, our firewall
protects systems from attack from off-campus.
Guard Your Password
Your university (LDAP) username and password are the keys to almost every university system
that you are permitted to use, such as your desktop PC, StudentCentral, StaffCentral, the
wireless network, the student records system, and others. Therefore, if you ever need to
change your password, choose one that is difficult to guess (but don’t write it down!).
If you routinely use your PC to process sensitive information it’s a good idea to change your
password occasionally. Some companies force all staff to change their passwords every 3
months, or so. We currently have no such rule, but that’s not to say that you shouldn’t consider
doing so. Also, remember that passwords on our systems are case-sensitive, so pAsswoRD
isn’t the same as PassWORD.
When you’re choosing a new password, it’s best to keep it shorter than 11 characters.
Otherwise, some of our systems (notably StudentCentral) tend to get confused.
Your university username and password lets you access not just internal university systems, but
also external systems. Perhaps the best example of this is Athens, which is a central
authentication system (similar to LDAP) that allows you to use your university credentials to log
into various external online databases to which the university subscribes. The precise set of
systems that you can access will depend on who you are and what department you’re in, and
you can access them both from on-campus and from home.
Let’s try using Athens to see what systems we’re allowed to use:
Exercise 3 Using Athens to access external authenticated databases
1 Open a web browser and go to http://auth.athensams.net/my
2 If you’re asked to click on a link to go to the University of Brighton login page,
3 Enter your university username and password
4 Under Resources, you’ll see all the systems that you can now log into
Another way to access these electronic resources, assuming you know which one you want to
see, is via the Online Library. Go to library.brighton.ac.uk with your Web browser and click on
the Online Databases link.
How your Password Protects Your PC
Any information that you store on your desktop computer or your M: drive can’t be accessed by
other people. Even if someone else uses your desktop PC or Mac they can’t see your data, so
long as they log into the computer as themselves. Remember: allowing someone else to use
your LDAP password is unwise and is also a major breach of the university’s security policy.
But contrary to popular belief, passwords do not offer 100% security. It’s possible to download
programs from the internet that will crack the passwords on a Windows computer in just a few
hours (but don’t be tempted to try this unless you’re willing to face dismissal and/or
prosecution). If you want 100% security you need to think about encryption, which we’ll cover
This program is cracking a password every 126 seconds
There’s no facility within Windows or our network that allows our support staff to find out your
password. They can, though, change it to something else. So if you forget your password the
help desk can fix the problem for you. But if one of our admin staff wanted to change your
password in order to access your PC, you’d know that this had happened.
The Importance of Backups
The university provides 2 places to store the day-to-day document files, spreadsheets,
presentations, graphics etc that you create on your PC. These are:
1. The hard disk on your desktop PC (normally drive D: in Windows but sometimes C:)
2. Your personal area on the network-based University Folders server (drive M:)
In addition, your own school/department may provide some form of networked file store.
Your computer is normally set up so that files are stored on your computer’s own hard disk.
You may, though, wish to utilize your M: drive instead, or in addition to your local desktop PC.
It’s easy to do this – click the My Computer icon on your desktop and look for the drive whose
name ends with M: and which refers to a server called Titan.
The main differences between the local drive D: and the networked M: drive are:
- Data on your M: drive is held on a central server in Brighton, and is automatically backed up every day. If the server breaks, all the data on it can be recovered
- Your M: drive is accessible from every computer on-campus, so if you log into someone else’s PC, or you use a PC in a library or pool room, your files are instantly accessible.
- Your M: drive is limited to 1 GB of storage, whereas the space on your D: drive will typically be at least 40 GB.
- When you delete a file on your M: drive, or replace it with a newer version, it’s still possible to recover previous versions of the file. To read all about this incredibly useful feature, see Information Services document number 961. We’ll also try it out in the
Wherever you store your day-to-day files, but especially if you store them on your local desktop
D: drive, it’s vital that you implement some form of backup strategy so that, if your computer
breaks down, you have another copy of your important data. Remember that it is your
responsibility to do this, rather than the Help desk or the Information Services department.
Exercise 4 Recovering a deleted folder from your M: drive
1 Click My Computer on the desktop, then go to your M: drive
2 Create a folder called Test Stuff
3 Within that folder, create a document file and save it
4 Open that document file and make a change to it, then save it
5 Now let’s try recovering the old version of the folder. Right-click on the folder,
and click Properties.
6 Click the Previous Versions tab
If you discover that you need to recover a file from your M: drive, do it as soon as possible. The
longer you leave it, the greater the chance that the file’s allotted lifespan will have expired and it
has become unrecoverable.
There are various places and devices on which you can store backups of your important files.
Just pick one of the following:
- Your M: drive
- A USB stick
- A floppy disk
- A recordable CD or DVD disk
- An external USB hard drive
- Someone else’s PC (see below)
The computer store in Watts building, Moulsecoomb, sells CDs, DVDs, USB sticks and external
hard drives. You can also get CDs and DVDs from the university’s media centres. Speak to
your line manager if you need any of these to be purchased for you.
Most of the university’s PCs have CD writers, and the more modern computers also have DVD
writers. A CD can store 650 MB of information (0.65 GB) and a DVD can hold 4.7 GB, and
the blank disks cost less than 50p each. They’re a great way of backing up files, in a form that
can quickly be retrieved onto any other computer should the need arise. USB sticks typically
hold up to 8 GB but are more expensive than CD or DVD media. External USB-based hard
drives can store up to 250 GB but not all of them are pocket-sized.
Someone Else’s PC? Really??
If your office computer is on-campus and linked to the university’s network, you can create a
folder and allow other staff to access it. Equally, someone else can set up a folder on their
computer and grant you access, so that you can store your own files in it and/or read the files
that are there. You could use this facility to provide reciprocal backup facilities to, for example,
someone who works in a nearby office.
Granting someone else access to a folder on your PC requires administrator-level privileges
under Windows, which you probably don’t have. (Right-click on a folder and see if there’s a
Sharing And Security option in the menu, just to make sure). So you’ll need to call on the
services of your school or departmental technician to set it up for you, but once this is done you
can access the “share”, as it’s called, whenever you like.
This facility can also be useful if you regularly work from more than one university office. Ask a
technician to set up the documents folder on your main PC so that you can access its contents
from other locations over the network. But note that this only works on campus – you can’t
access university PCs from outside the university because, regardless of how the PC is
configured, our firewall will block any incoming connection before it reaches the PC itself.
Where Not To Back Up To
There are a few places where it’s not advisable to store backups, such as:
- A different folder on the same PC (because if the PC breaks, you’ll lose both your original files and the backups)
- DepartmentDocs. This is a separate service that allows you to share files between staff in your department. It’s not meant to be used as backup space for staff PCs.
- Email. It’s not advisable to back up files by emailing them to yourself at your university account, because you’ll simply fill up your mailbox.
If you create a backup on an external device or medium, you should give some thought as to
where you keep the backup. If the backup contains confidential or personal information,
it’s best not to take it off site. However, you shouldn’t keep it near the PC because
something like a flood or fire could damage both the PC and the backup. Perhaps ask a
colleague in another office to look after it for you, or lock it in a cupboard or drawer elsewhere in
your office. That’s why storing the backup on a PC in another office is so useful.
Every now and then, and each time you change your backup method, you should test your
backup to make sure that a) it’s still readable, and b) that you are backing up the right files. For
example, if you have shortcuts on your desktop to important files, you may have inadvertently
backed up the shortcuts rather than the files themselves. By testing your backup on a different
PC, you can verify that everything is as it should be.
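The two checks described above can also be automated. The following Python script is an added example, not part of the original workbook: it compares a backup folder with the original, reports files that are missing, unreadable or different, and lists any Windows shortcut (.lnk) files that were backed up in place of the files they point to. The folder names and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so that large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def relative_files(root):
    """Return {path relative to root: full path} for every file under root."""
    found = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            found[os.path.relpath(full, root)] = full
    return found


def verify_backup(source_root, backup_root):
    """Compare a backup with its source and return four sorted lists:
    missing    - in the source but not in the backup
    unreadable - in the backup but cannot be read back
    differs    - readable, but the content is not the same as the source
    shortcuts  - .lnk files in the backup (a pointer, not the document itself)
    """
    source = relative_files(source_root)
    backup = relative_files(backup_root)
    report = {"missing": [], "unreadable": [], "differs": [], "shortcuts": []}
    for rel, src_path in source.items():
        if rel not in backup:
            report["missing"].append(rel)
            continue
        try:
            backup_hash = sha256_of(backup[rel])
        except OSError:
            report["unreadable"].append(rel)
            continue
        if backup_hash != sha256_of(src_path):
            report["differs"].append(rel)
    for rel in backup:
        if rel.lower().endswith(".lnk"):
            report["shortcuts"].append(rel)
    for paths in report.values():
        paths.sort()
    return report


def demo():
    """Build a constructed Documents folder and a flawed backup, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "Documents")
        bak = os.path.join(tmp, "Backup")
        os.makedirs(src)
        os.makedirs(bak)

        def put(root, name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)

        # Constructed sample files (names and contents are made up).
        put(src, "report.doc", b"final draft")
        put(src, "marks.xls", b"2010 marks, complete")
        put(src, "notes.txt", b"meeting notes")
        put(src, "budget.xls.lnk", b"shortcut to a file on another drive")
        # The backup: one good copy, one truncated copy, one file never
        # copied, and a shortcut backed up instead of the real spreadsheet.
        put(bak, "report.doc", b"final draft")
        put(bak, "marks.xls", b"2010 marks")
        put(bak, "budget.xls.lnk", b"shortcut to a file on another drive")
        return verify_backup(src, bak)


if __name__ == "__main__":
    for problem, paths in demo().items():
        print(problem, paths)
```

A file listed under "differs" may simply have been edited since the backup was taken, so check its date before assuming the backup is damaged.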
A Word About Exchange
The staff email system uses Microsoft Exchange on our servers, and Microsoft Outlook on PCs.
In most cases, the information that you see in Outlook (email, tasks and calendar) is stored on
the central Exchange servers rather than on your PC unless you have created some personal
folders. This means that it’s accessible from whichever PC you happen to log into, and it’s all
automatically backed up.
Your data area on the Exchange server is limited to 0.1 GB, or 100 MB. This can fill up quite
quickly, especially if you don’t get into the habit of deleting old mail or sent messages, and
especially your Deleted Items folder. [This quota is due to be reviewed in February 2008 and
Outlook offers the facility to archive old messages and other data to a file on your PC. If you do
this, remember that the archive is no longer on the central server and thus will not be
automatically backed up. If you’re worried about losing your archive of sent mail that you have
copied from the Exchange server, you’ll need to back up the Outlook data file just as you would
any other file.
Note that, if you archive information from Outlook, and move it from the Exchange server to your
computer, it will be stored as one or more .PST files. If you attempt to start Outlook and it can’t
find a PST file that it is expecting, the program will not start. So, never store archived Outlook
data in locations that might be inaccessible. For example, don’t store PST files on someone
else’s PC, because you won’t be able to access Outlook if that person forgets to turn on their
Computer viruses represent a real threat to the university’s computer systems, and we all need
to work together to ensure that infection rates are as low as possible.
A computer virus is a computer program which attempts to copy itself to other computers.
Viruses are written by people who deliberately set out to try to cause as many problems as they
can, for as many people as possible. There are some 100,000 known computer viruses in
circulation, and the number is growing at the rate of around 30 a day.
Most virus-writers aren’t content with designing a program that can spread among computers.
They also build in a so-called “payload”, whereby the program does something nasty to every
PC that it touches. For example it might corrupt or delete document files, or pop up an obscene
message, or even install a keystroke logger that records all the passwords you type and sends
them back to the virus-writer by email. The biggest growth area in viruses right now is the
surreptitious installation of “bot” software, which allows the virus writer to gain control of your
computer remotely in order to send out spam emails or to hack into other systems. The virus
writer then sells the services of his collection of infected computers, known as a “bot-net”, to
paying customers such as spammers and hackers.
Viruses spread by various means. Most commonly, they email themselves to the contents of the
victim’s email address book. And because the resulting messages appear to originate from the
victim, who will be known to the recipient, the recipient trusts the message and clicks on the
attachment which the virus has enclosed. And while that attachment may appear to be a
harmless game or picture, it’s actually the virus program itself.
On the handful of occasions when a particularly nasty virus has infected a university computer,
it managed to spread to hundreds of our computers in a matter of minutes.
Clearly, having virus-infested computers in the university is a real problem. It can result in loss
or damage to data on staff and student computers. It can also lead to problems, not to mention
legal action, if we pass on the virus to our suppliers, contractors, and anyone else that we
correspond with via email.
The way to avoid viruses being a problem is to install antivirus software on every computer.
This applies to both workstations and servers, and both PCs and Macs. The software
automatically scans every file that you open on your computer and compares it against its
database of known viruses. If it discovers a virus in a file, the software prevents you from
opening or copying the infected file.
Antivirus software is only as good as its database of known viruses. Because there are around
200 new viruses being discovered every week, you need to configure the software to update its
database at least once a day.
The antivirus software that we use at the university is made by Sophos. Our licence covers all
university-owned computers, as well as those used off-campus by staff and students. It’s a
condition of use of the university network that every computer connecting to our network must
have antivirus software installed, and that the software is configured to update itself regularly.
This includes contractors, visiting lecturers, and everyone else too.
You can pick up a free Sophos CD from any of the university’s libraries, or download it from
How not to catch a virus
Viruses spread mostly by sending email attachments to people, in the hope that they’ll click on
the attachment. Therefore, the best way to ensure that you don’t get a virus on your PC is to
never open an email attachment unless you are confident that it is legitimate. If you’re not sure,
ignore it or delete it. Or email the sender for confirmation that they really did send it.
Just because an email attachment appears to come from someone you know, and looks
genuine, does not mean that it really is trustworthy. So it’s best not to open it. However, if you
do open it, your antivirus software should stop it taking hold. So long as the software is up to
In the following exercise, we’ll check that the antivirus software on our computer is installed and
working. To do this, we will attempt to download the industry-standard antivirus test file, which
is designed to trigger antivirus software but which is not actually dangerous.
Exercise 5 Try downloading a “virus”
1 Open your Web browser (Internet Explorer, etc)
2 Go to http://www.eicar.org/anti_virus_test_file.htm
3 Note that your antivirus software should pop up a warning box because the file
is a known virus (albeit a harmless test one).
If your antivirus software ever pops up a similar warning and you’re not sure why, it’s always
best to seek advice before continuing. Speak to your school or department technician, or send
a message to firstname.lastname@example.org. Make a note of the exact wording of the message, if you
can. You can also use this address for any help that you need with viruses, adware or spyware.
You should never install more than one antivirus program on your computer, as they will conflict
with each other and cause various problems. If you’re considering installing Sophos at home,
remove any existing antivirus program first.
Spyware and Adware
Viruses come under the general category of “malware”, which encompasses software that is
deliberately designed to cause harm. The other entry in the malware category is that of
spyware and adware.
Spyware is software which attempts to spy on your computing activity. For example, keystroke
loggers which record the passwords you type. The most common form of spyware is a program
which monitors the web sites you visit, and/or the programs that are installed on your computer.
It uses this information to feed data back to participating (ie, subscribing) web site operators in
order that they can ensure that the adverts they show you while you are viewing their sites are
relevant to you.
Adware is similar in operation to spyware, but it often results in adverts being shown to you
even if you are not connected to the internet. They could pop up on your screen at any time,
while you are working.
Spyware and adware generally spread not by email, but by being downloaded automatically
when you visit certain web sites.
Because most university computer users (ie, you!) don’t use an administrator account for day-
to-day computing, much of the spyware that attempts to install itself on your PC won’t actually
succeed in doing so because non-administrators aren’t permitted to install new software.
However, it’s a fair bet that some spyware and adware will get through, so it’s a very good idea
to run an anti-spyware program at least once a week.
The two best-known anti-spyware programs are both available free of charge. They are
“Spybot Search & Destroy” and “AdAware”. If you want to run them at home (you only need
one of them), you can download them from www.safer-networking.org and www.lavasoft.de. If
you want to install them on your office PC you’ll need to ask a technician to do it for you, unless
you have admin access.
In addition, your Sophos antivirus program can also detect and remove a large amount of
spyware and adware.
The university runs two main email systems, for staff and students. The staff server is based on
Microsoft Exchange, with Microsoft Outlook as the message reader on PCs and Microsoft
Entourage the most popular Mac-based client. For various technical reasons, BSMS students
also use this system. All other students use a different system, which is Web-based and known
as Studentmail or TWIG.
One major difference between the staff and student email systems is that students can, via
MyInfo, forward their university email to another address if they have an account on a different
While internet-based email has become an indispensable tool for all sorts of organizations,
including ours, it suffers from a couple of major weaknesses. One of these is that email
messages are easy to fake. By typing just a handful of carefully-chosen commands, a hacker
could send you an email message which appeared to come from
email@example.com, firstname.lastname@example.org or indeed anyone else. So
before you act on the contents of an email message, consider the possibility that it might not be
all it seems.
Viruses often use this technique when they send copies of themselves. When a virus sends
itself to the contents of a victim’s address book, each message is made to appear as though it
comes from a random person from that address book. By not having all the messages appear
to come from the same person, this can help the virus to defeat some rudimentary anti-spam
systems. It’s also why you might sometimes receive emails that blame you for sending a virus.
This happens because your name happens to appear in the address book of someone who’s
caught a virus.
For example, Robert is friends with Jim, and so Robert’s name appears in Jim’s address book.
Jim clicks on an unsafe email attachment and catches a virus, which promptly starts sending
itself to the contents of Jim’s address book. One of the people that it gets sent to is Jim’s friend
Sarah. The virus sends itself to Sarah but forges the message so that it appears to come from
Robert, another name from Jim’s address book. Sarah’s employer’s email system detects the
virus and automatically sends an email to Robert, warning him that he sent Sarah an infected
email. Yet Robert didn’t actually send it, and has no way of knowing who did. All that Robert
knows is that someone in whose address book his name appears has got a virus.
For email users, spam is at best a disruptive nuisance, and at worst highly offensive. But for the
spammers, it’s a very cost-effective marketing tool and so the problem is unlikely to disappear
any time soon. Because spammers can send out tens of millions of messages a day, at a cost
of almost nothing, they only need to receive a handful of orders for their fake Viagra in order to
make the exercise worthwhile and profitable.
To help alleviate the problem as best as possible, there are various techniques that can be used
to detect spam. However, none is without its drawbacks, the most common of which is the real
risk of incorrectly regarding a legitimate message as spam. For example, one detection
technique is to regard something as spam if an identical message is sent by the same sender to
a large group of people. But this plays havoc with people who run legitimate mailing lists and
electronic newsletters, a large proportion of which fail to get past the recipients’ spam detection
Spammers are constantly trying to beat the system. For example, they attach a random
paragraph of text to each message they send, in order that it doesn’t appear that they’re
sending the same message to everyone. Or they deliberately mis-spell words. Some spammers
use an automatic thesaurus to vary their messages, hence some men receiving an offer of the
chance to improve their building (look it up!).
Almost all companies and other organizations have some form of spam detection systems in
place, and the university is no exception. We use something called Sender Address
Verification, for example, which attempts to verify that email is coming from people rather than
We also run a spam detection system on all of our email servers, which is known as Spam
Assassin. In keeping with our policy of monitoring rather than censoring, Spam Assassin does
not delete any incoming emails that are considered to be spam. Instead, it automatically adds a
[SPAM?] marker at the start of the message’s subject line. It’s up to you how you choose to deal
with this notification. Many people set up a rule in Outlook which automatically deletes, or
moves to a separate folder, any message which is so labeled.
If you’ve never set up an Outlook rule, it’s easy to do. Here’s how to set up a rule that moves all
[SPAM?] messages to your Junk Mail folder:
Exercise 6 Set up an Outlook 2003 rule
1 Start Outlook
2 From the Tools menu, select Rules And Alerts
3 Click on New Rule
4 Select “start creating a rule from a template” and, from the list below, choose
“move messages with specific words in the subject to a folder”.
5 Click Next.
6 In the Step 2 box, click on Specific Words and type [SPAM?] then press the
Add button. Then press OK.
7 Click on “Specified” in the step 2 box, select Junk Mail, and press OK
8 Press Finish, then OK.
False Positives and False Negatives
No spam detection system can be 100% reliable. It’s just possible that a friend might send you
a message that contains the word “Viagra”. It’s highly likely that a spammer will occasionally
send you a message that appears genuine. Therefore, before you delete all your [SPAM?]
messages forever, it’s a good idea to skim-read the junk mail folder just in case there’s an
important message that has been incorrectly labeled as unwanted. It’s quite common for
messages from mailing lists to be incorrectly regarded as spam, for example, because a large
number of identical messages sent from a single address is very typical of a spammer’s
What Can We All Do?
In addition to marking suspicious messages with a [SPAM?] marker, the university also does
many other things to help reduce the amount of spam that everyone receives. For example, our
systems are configured so that no one outside the university can send messages to our built-in
mailing lists such as uni info.
If you’ve set up an Out Of Office message in Outlook and you receive an email from someone
outside the university, we won’t send your Out Of Office message to that person. Although this
can be inconvenient, it reduces the amount of spam we receive by ensuring that we don’t
inadvertently send replies in response to spam.
The golden rule about dealing with spam is that you MUST NEVER reply to it. Simply delete it.
If you reply to a spam message, this confirms to the sender that your email address is valid and
that it is read by a real person. This instantly adds value to your email address, and you’ll start
to receive many more messages. Not just from the original spammer, but from all the additional
spammers that your address has been sold to, because it now commands a much higher value.
So, don’t reply to spam. Ever. Not even to request that your name be removed from the
mailing list, or to click on a “please remove me from your list” link. That’s just the same as
replying, unless the message comes from a legitimate company that you’ve heard of and which
you might have dealt with before.
Spammers are good at psychology, and will often employ various tricks to persuade you to reply
to their messages. For example, you’ll receive unsolicited “confirmation” messages regarding a
purchase that you have supposedly made, including details of the amount that is to be taken
from your credit card, along with an address to reply to if you think there’s been a mistake. Or
you’ll get a “thank you for subscribing to our porn channel” mailing list, in the hope that you’ll
mail them back and say that you did no such thing. As always, just delete the message. Or if
you’re genuinely concerned, contact the Help desk or your local school or department
technician for advice.
Other Common Email Mistakes
To ensure that all 2,100 staff and 17,000 students get to make the most of our email system,
there are a few guidelines that we all need to adhere to. Lots of information can be found in a
useful and amusing document called “How to annoy your colleagues using email”, which you
can download from the web at www.brighton.ac.uk/isdocs as document number IS770. Some
of the guidelines which relate to security and to our topic of Safe Computing include:
• When you’re sending a message to a group of people and you’re specifying each email
address individually, rather than using a built-in group name, always put the addresses
in the bcc: box rather than the cc: box. Otherwise, every recipient gets to see the full
list of names, which could result in your confidential email address database being
distributed to all of its members. This can be embarrassing, and possibly a breach of
data protection legislation.
• If you receive a “please forward this to everyone you know” message from a friend or
colleague, and you’re tempted to post it to all your friends, or even to uni info, please
don’t. Almost all of these messages are hoaxes, however genuine they appear.
Remember, adding “this warning was issued today by IBM” or “Someone at Brighton
Council recently lost money through this scam” to a message doesn’t make it any more
true. Before you forward any warning message, either contact the Help Desk on
extension 4444 (or email email@example.com), or type a couple of the message’s key
phrases into Google and see if anyone else on the Web has already received it.
Chances are, they will have.
Yet another way that computer criminals misuse the global email system is to initiate attacks
known as phishing. Here, someone sends out a fake email message to you which appears to
come from your bank or some other financial institution such as Paypal. The message asks you
to click a link and log into your account in order to verify some important information or to check
your balance. But the site that the link takes you to is not all that it seems – it’s a convincing
fake version of your bank’s own site. When you type in your password, you’re really sending it
straight to the hackers. Who, within a couple of minutes, will have logged into your account and
cleared it out.
Banks never send out emails that ask you to log into your account. If you want to log into your
online bank, type in the address of the site manually rather than clicking a link on a web page or
in an email message.
To Assassinate Or Not?
How does SpamAssassin decide whether a message should be flagged as [SPAM?] or allowed
to go through unhindered? It analyses the message according to a number of rules, which are
updated regularly. You can, if you wish, view SpamAssassin’s reasoning. Right-click on a
message’s subject line (it’s best to choose something that’s been flagged as spam) and click
You’ll see something like this:
Microsoft Mail Internet Headers Version 2.0
Received: from EXCHANGE1.university.brighton.ac.uk ([188.8.131.52])
From: "Avery Tapia" <firstname.lastname@example.org>
Date: Wed, 8 Jan 2008 11:37:29 +0300
X-Spam-Report: Spam detection software, running on carpo.brighton.ac.uk, has
scanned this message.
It scored 14.5 points (5.0 and above is classified as spam).
pts  rule name              description
---- ---------------------- --------------------------------------------------
0.8  DATE_IN_PAST_24_48     Date: is 24 to 48 hours before Received: date
2.6  FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
3.4  URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
1.5  URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
2.6  URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
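The report above can be read by a program as well as by eye. The following Python script is an added example, not part of the original workbook or of SpamAssassin itself: it parses the report text, ranks the rules by how much each contributed, and compares the rule total with the stated score. For the sample above the listed rules add up to 10.9 of the 14.5 points, which shows that the extract does not list every rule that fired.

```python
import re
from decimal import Decimal

# The X-Spam-Report text, copied from the sample shown on this page.
SAMPLE_REPORT = """\
X-Spam-Report: Spam detection software, running on carpo.brighton.ac.uk, has
scanned this message.
It scored 14.5 points (5.0 and above is classified as spam).
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date
2.6 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
2.6 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
"""

# "It scored 14.5 points (5.0 and above is classified as spam)."
SCORE_RE = re.compile(
    r"scored\s+(-?\d+(?:\.\d+)?)\s+points\s+\((\d+(?:\.\d+)?)\s+and\s+above")
# A rule line: points, RULE_NAME in capitals, then a free-text description.
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+(.*\S)\s*$")


def parse_spam_report(text):
    """Parse an X-Spam-Report block into its score, threshold and rules.

    Decimal is used instead of float so that the points add up exactly.
    Raises ValueError if the text contains no score line.
    """
    match = SCORE_RE.search(text)
    if match is None:
        raise ValueError("no 'It scored N points' line found")
    score = Decimal(match.group(1))
    threshold = Decimal(match.group(2))

    rules = []
    for line in text.splitlines():
        hit = RULE_RE.match(line)
        if hit:
            rules.append({
                "points": Decimal(hit.group(1)),
                "name": hit.group(2),
                "description": hit.group(3),
            })
    listed_total = sum((rule["points"] for rule in rules), Decimal("0"))
    # Largest contribution first; rules with equal points keep report order.
    ranked = sorted(rules, key=lambda rule: rule["points"], reverse=True)
    return {
        "score": score,
        "threshold": threshold,
        "is_spam": score >= threshold,
        "margin": score - threshold,        # how far over the line it is
        "rules": ranked,
        "listed_total": listed_total,
        "unlisted": score - listed_total,   # points from rules not shown
    }


if __name__ == "__main__":
    result = parse_spam_report(SAMPLE_REPORT)
    print("score", result["score"], "threshold", result["threshold"])
    for rule in result["rules"]:
        print(rule["points"], rule["name"])
    print("points not explained by listed rules:", result["unlisted"])
```

A message with a small margin over the threshold, or one flagged mainly by a single rule, is the kind worth a second look in the junk mail folder before deleting it.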
Recovering Deleted Mail
When you delete an item of mail (ie, a sent or received message), it doesn’t actually get deleted
from the server. Instead, it goes into the Deleted Items folder. Unless you manually delete the
contents of this folder, your mailbox will continue to fill up and reach its 100 MB limit, as the
Deleted Items folder counts towards your total quota.
One useful but little-known feature of Exchange is that, even if you have deleted something
from your Deleted Items folder, it still exists on the server and will do so for 3 weeks. During
that time, you can still recover it. To do this, open the Deleted Items folder, then go to the Tools
menu and choose Recover Deleted Items. Choose the item to recover, then click the Recover
button and you’ll find the mail item back in your Deleted Items folder. It’s best to then move it
somewhere safer, especially if you have configured Exchange to delete the contents of the
Deleted Items folder every time you quit the program.
How Anonymous Is The Internet?
Every computer on the internet, from the biggest web servers to the computer that you’re using
right now, has what’s called an IP address. This is like its phone number, and allows it to send
and receive information over the internet.
An IP address consists of 4 numbers between 0 and 255, separated by full stops. Most IP
addresses also have a friendly name, known as the DNS name. DNS is the Domain Name
As an example, one well-known IP address is 184.108.40.206 but you may know it better as
In the exercise below, we’ll find out the IP address of the computer we’re using:
Exercise 7 Find out your IP address
1 From the Start menu, choose Run, then type CMD and press Return.
2 Type IPCONFIG and press Return.
3 You’ll see your IP address displayed
4 Type EXIT and press Return, to get back to Windows
Most activity on the internet can be traced back to an individual IP address. This includes every
web page you view, everyone who views your web pages, and every email sent or received. In
theory, therefore, you might think that computer-related crime and spam would be easy to
detect. Sadly, this isn’t the case, for a couple of reasons.
First, some computers have fixed IP addresses that never change, but the majority of IP
addresses are what’s known as dynamic. That is, they change frequently. For example, if you
use the internet via a dial-up modem rather than a fixed broadband connection, you will have a
different IP address each time you dial into your ISP. These get allocated automatically by
something called DHCP.
The university uses a mixture of fixed and dynamic IP addresses. All our servers use fixed
addresses, as do staff and poolroom PCs. But the open access networks in halls and libraries
use DHCP, so each time a student connects they’ll be allocated a different IP address.
Also, there are lots of intermediate computers involved when you access something over the
internet. For example, the university operates a series of cache computers, which store copies
of all the pages that you access, for as long as there’s space available. Next time someone in
the university wants to access that same page, they get sent the version from our cache, which
saves it having to be requested again from a remote server. If the cache doesn’t have a copy of
the page, it requests it from the remote server, sends it to the person who requested it, and
keeps a copy handy in case anyone else wants it. As far as the distant web site is concerned,
the computer that requested the page is our cache, not the person sitting at their PC.
There are commands available that will tell you which DNS name, if any, is associated with a
particular IP address. One method that can prove effective in helping to detect spam is to reject
mail which comes from an IP address that doesn’t have a registered DNS name.
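The check described above can be sketched in a few lines of Python. This is an added example, not part of the original workbook and not the university's mail configuration. It goes one step further than the text by also confirming that the DNS name points back to the same IP address. The addresses and names in demo() are constructed, using ranges reserved for documentation, so that the script runs without a network connection.

```python
import ipaddress
import socket


def system_reverse(ip_text):
    """Ask the system resolver which DNS name is registered for an address."""
    try:
        return socket.gethostbyaddr(ip_text)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def system_forward(name):
    """Ask the system resolver which addresses a DNS name points to."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_sender_ip(ip_text, reverse=system_reverse, forward=system_forward):
    """Return (verdict, detail) for the address a mail connection came from.

    reject  - not a valid address, or no DNS name is registered for it
    suspect - a name is registered but does not point back to the address
    accept  - the name and the address agree in both directions
    """
    try:
        ip = ipaddress.ip_address(ip_text)  # rejects e.g. numbers above 255
    except ValueError:
        return ("reject", "not a valid IP address")
    name = reverse(str(ip))
    if not name:
        return ("reject", "no DNS name registered for this address")
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == ip:
                return ("accept", name)
        except ValueError:
            continue  # ignore anything the resolver returns that is not an IP
    return ("suspect", name + " does not resolve back to this address")


def demo():
    """Run the check against constructed lookup tables instead of live DNS."""
    ptr_records = {"192.0.2.10": "mail.example.org",
                   "192.0.2.20": "host.example.net"}
    address_records = {"mail.example.org": ["192.0.2.10"],
                       "host.example.net": ["198.51.100.7"]}
    senders = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "300.1.2.3"]
    return {ip: check_sender_ip(ip, ptr_records.get,
                                lambda name: address_records.get(name, []))
            for ip in senders}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```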
Processing Confidential Information
If you routinely handle confidential university information on a university computer, you are
obliged under the Data Protection Act to take care of that information in order to prevent it being
accessed by people who aren’t entitled to see it. Confidential information includes information
about the university and, specifically, data which relates to, or could identify, any living person.
Transfer of Confidential Data
Of particular importance when handling confidential data is the way that you send it to other
people. Because of the risks of the data being lost, stolen or intercepted, you should avoid
sending such information outside the university by any means. However, if you do need to do
so, section 6 of the university’s IT security policy makes the following recommendations:
1. Only send the data to a person or organization who is authorized to receive it;
2. The person or organization which receives the data must have suitable
procedures in place to ensure that it remains confidential;
3. If you are sending sensitive or confidential data from the university, regardless
of the method used, you must ensure that the confidentiality and integrity of the
data can be guaranteed during transit;
4. You must not use a wireless network, whether the network is your own or the
university’s, to access confidential university systems (eg payroll data or
student information systems), or to send confidential unencrypted data files;
5. If you’re travelling, don’t leave laptops, PDAs and other portable equipment
unattended in a public place. If the device holds confidential university data,
suitable access control software must be installed on it;
6. Never store unencrypted passwords on a mobile or portable computing device.
Confidential Data On Paper
If you need to send confidential data to other people by post as printed sheets, it’s always best
to send it by either recorded delivery, a courier company, or some other similar service that you
can track and trace. Ideally, though, you shouldn’t send confidential data in printed form, as it is
easy for someone to recognize as such if it ends up in the wrong hands, whether accidentally or
Equally, if you do have to handle confidential information in printed form, it’s important to store it
out of sight, and to dispose of it correctly after you no longer need it. This normally means
shredding it, and/or placing it in a secure waste bag rather than the normal rubbish bins.
Tip: If you take home some confidential printouts to read on the train, disposing of them by
tearing them into quarters and stuffing them down the back of the seat is not considered secure,
as can be seen from the extract below, from a national chain of cafes, which was found on a
train at Hastings along with a printout of the culprit’s Outlook diary.
Electronically Held Data
It’s much better to send confidential material on disk or via email, rather than on paper. Not
only is it cheaper, but you can use encryption to ensure that, should the data get lost or fall into
the wrong hands, it can’t be accessed. You will be aware of some recent high-profile cases
involving confidential information that was sent by post on CD-ROMs from HM Revenue and
Customs and which was lost. The disks contained some 25 million names, addresses and bank
details of parents who were receiving child benefit. If only the HMRC had thought to encrypt the
disks, their loss would not have been a problem.
The university doesn’t have a standard recommended data encryption program, but there are
many products that are available and which are simple to use. WinZIP and PKZIP, for example,
are programs that compress (zip) one or more files into a single .zip archive, with the added
facility of encrypting the zip file with a password that would take a powerful computer many
years to crack. They both cost around £20 per copy.
Another option is to use a program which creates a virtual encrypted drive on your computer.
Among the best-known examples of these are Bestcrypt (around £30) and Truecrypt (free). To
send someone some confidential data files, simply create a new virtual drive, copy the files to
that drive, then email the virtual drive as a file. The recipient will also need a copy of the
program in order to access the encrypted files, though, and you’ll also need to find a safe way to
inform the recipient of the password. Don’t send it by email!
You may know that Microsoft Office applications (Word, Excel, PowerPoint) have a facility that
allows you to attach a password to a document file. In Word, for example, click on Tools then
Options and then click the Security tab. However, the encryption that Microsoft uses in its
Office product is very poor, and can be cracked in minutes. A Google search for “Microsoft
office password recovery” products will show you just how easy it is. The whole point of data
encryption is that, should a protected file be lost, you can be confident that no one who comes
across the file can read it. That’s not the case with the MS Office built-in encryption, so
you shouldn’t use it.
If You Receive a Request for Data
If someone requests confidential data from you, you should take reasonable steps to ensure
that the person who made the request is genuine. For example, if someone telephones or
emails you to ask for a copy of a certain student’s personal file, claiming that they are a lecturer,
it’s entirely possible that the person is not a lecturer at all. If you’re not 100% certain that the
person requesting the information is entitled to see it, politely refuse or refer the caller to your
A Word about the EFS
You may be aware that Windows 2000, XP and Vista include a built-in encryption facility which
is known as EFS, or the Encrypting File System. However, EFS suffers from a few serious
drawbacks. These include:
• Encrypted files are locked to your PC. They can’t be accessed on another computer. If
you copy an encrypted file to a different computer you almost certainly won’t be able to
read it. So it’s not a sensible way of taking files off campus to work on at home.
• You need to make alternative arrangements for backing up EFS-protected files,
because, if your computer breaks or is stolen, you won’t be able to copy the encrypted
files to your new computer. Even if your computer is only sufficiently poorly that it
requires Windows to be reinstalled, EFS regards that as being a different computer and
so the files can’t be copied back. Which means that they’re lost forever. The solution is
to create some non-encrypted backups and store them safely and securely.
• EFS only works on disks that are formatted using the NTFS system, as found in
Windows 2000 and above. Although external hard disks and USB sticks can be
formatted using NTFS, they aren’t always. So unless you reformat the drive, you’ll lose
the EFS encryption on any files that you copy to it. And Windows won’t always tell you
that this is happening.
Because of these possible pitfalls, we don’t support the use of EFS at the university and we
strongly recommend that you don’t attempt to use it.
Windows Vista also has an additional encryption feature called BitLocker, which is only
available in the Ultimate edition. It’s not available in the Business edition that we mostly use at
If you want to ensure that confidential information doesn’t leak out of the university via your PC,
or any other actions of yours, there are some other things that you need to consider in addition
to encrypting the data on your computer. The most important are:
• If you have an old unwanted computer that you need to dispose of, there are various
rules and regulations regarding the disposal of electronic goods as well as wiping of
confidential data. Your local school or department technician will be able to advise you.
Throwing an old computer away with the rest of your office rubbish is now illegal,
because of the new Waste Electrical and Electronic Equipment directive. And before
you even consider disposing of a computer, it’s important to copy any important data
from it and then to securely wipe the hard disk. In a recent experiment, one IT security
company bought 100 second-hand hard disks on eBay and found confidential data
remained on half of them. Including, in one case, databases relating to a pension
company that previously owned the drive.
• The DepartmentDocs system is not confidential. Unless you change the access
permissions, or get someone to help do it for you, everyone in your department can
read (and change) any file that you place on the system.
• If you’re typing confidential data into web sites, whether they are university systems or
external, always look for the closed padlock symbol at the bottom of the screen and the
https:// prefix at the start of the site’s address (URL). This indicates to you that the site
is using SSL, which encrypts all data that you enter before it is sent to the site.
Because of the fundamental way that the web is designed, it’s possible for hackers to
monitor internet connections and to intercept the data. Unless you are using an SSL-
encrypted site, it’s possible that someone could be watching you.
This is especially important when you’re using a computer away from the university,
such as in a hotel, at a conference venue, in an internet café, or via a wireless hotspot.
Unless you see the padlock symbol and the https prefix, you should never enter
confidential university-related information as there is a real possibility that it could be
intercepted (Staffmail uses https so it is safe to use from external locations).
• Like almost all corporate networks, the vast majority of data that travels around the
university’s network is not encrypted. We have systems in place that will alert us if
someone is attempting to tap our wires, but such systems won’t detect such activity
taking place on our wireless network. That’s why the official university policy is that you
must not use the wireless network to access confidential admin servers such as student
records and financial systems.
• Never place confidential documents or other files on a public server such as your Web
site, even if you intend to keep the file’s location a secret by not creating any links to it.
Web sites are for publicly-accessible information only, and not to be used as a
convenient way to exchange files with colleagues. Many companies make the mistake
of using the depths of their Web site as a repository for private files that are intended
only for the eyes of the staff who know of their existence. But a quick Google search for
phrases such as “internal use only” or “company confidential” or “commercial in
confidence” will show you just how dangerous such behaviour is.
A Special Word about Laptops
If you use a laptop, keeping backups of key files is even more important, as laptops are more
prone to theft. Because they’re so easy to drop, they also tend to suffer major breakdowns more
often than desktop PCs. The same goes for portable computers such as PDAs and
smartphones. If you store confidential information on a laptop or other device, ensuring that it’s
backed up and, where relevant, encrypted, is especially important.
You should always keep a close eye on your laptop, and warn students to do the same. In the
past, laptops have been stolen from the university:
• from a library while a student was searching the shelves
• from an unlocked, unattended office
• from under a student’s nose during a lecture
While losing a university laptop would be hugely inconvenient, imagine the implications for
everyone concerned if it also contained, for example, the names, addresses and bank details of
every one of our students who’d received money from the Student Loan company. Or everyone
who’d sought sexual health information from Unisex. Would you like to be the person whose
name appeared at the bottom of the apologetic “we take security very seriously” letter that went
to all the victims?
If you’re using your laptop in a public place, such as on a train or in an internet café, it’s all too
easy to be overlooked without realizing that anyone’s watching you. Take care to ensure that
this is not happening, especially if you’re typing passwords or looking at sensitive data.
A firewall is the most important aid to IT security in any organization, and ours is no exception.
Therefore it’s good to understand the basics of what they are and why they are so useful.
Rather like an old CB radio, internet data (known as traffic) is transmitted on different channels
(known as ports). Traffic to or from web sites normally goes via port 80. Traffic for ftp servers
travels on ports 20 and 21. Most email goes via port 25, and so on.
Data that travels on the internet is split into small chunks called packets. In addition to the data
itself (eg, part of a web page or part of an email message), the packet also contains details of
where the packet came from and where it’s destined for.
In a nutshell, a firewall is an electronic filter. Physically, it’s a box that looks like any other
computer. It is wired in place between a company’s internet connection and its own internal
network of PCs, servers etc.
The firewall provides the ability to filter incoming and outgoing internet traffic according to each
packet’s source and/or destination and/or port number. This is done by setting up various rules,
of which there are typically many thousand in a complex setup such as ours.
The outcome of each rule will be, for each packet that travels between our network and the
internet in either direction, for the packet to either be allowed to continue on its journey or for it
to be blocked.
For example, we have a firewall rule that blocks any packets destined for web servers (ie,
incoming packets on port 80) unless the web server in question is one of our authorized
systems. That is, servers such as www.brighton.ac.uk and staffcentral. Now you know why, if
you turn one of the PCs in your office into a web server, people outside the university won’t be
able to view its content.
The firewall only analyzes data that travels between our computers and the internet. Any data
that remains purely inside our network, such as when you copy a file from your PC to
DepartmentDocs, or when you access studentcentral from your desk, doesn’t pass through the
firewall. That’s not to say that the data doesn’t get checked by other security systems, but it
doesn’t get seen by the firewall.
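The filtering described above can be modelled in a few lines. This is an added example, not the university's firewall configuration: the addresses are constructed documentation ranges, and the first-match rule order and the final default block are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the documentation ranges, not the university's network.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
AUTHORIZED_WEB = frozenset({ipaddress.ip_address("192.0.2.10")})  # stands in for www


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "block"
    direction: str                         # "in", "out" or "any"
    dst_port: Optional[int] = None         # None matches every port
    dst_hosts: Optional[frozenset] = None  # None matches every destination
    note: str = ""


# Evaluated top to bottom; the first matching rule decides (an assumption of this model).
RULES = [
    Rule("allow", "in", 80, AUTHORIZED_WEB, "authorized web server"),
    Rule("block", "in", 80, None, "web traffic to an unauthorized machine"),
    Rule("allow", "out", None, None, "campus machine reaching the internet"),
    Rule("block", "any", None, None, "default block"),
]


def direction_of(pkt: Packet) -> str:
    """Classify a packet by which side of the perimeter each end sits on."""
    src_inside = ipaddress.ip_address(pkt.src) in CAMPUS_NET
    dst_inside = ipaddress.ip_address(pkt.dst) in CAMPUS_NET
    if src_inside and dst_inside:
        return "internal"   # never crosses the perimeter, so the firewall never sees it
    if dst_inside:
        return "in"
    if src_inside:
        return "out"
    return "transit"        # neither end is ours; only an "any" rule can match


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """A rule matches when direction, port and destination all agree."""
    if rule.direction not in ("any", direction):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dst_hosts is not None and ipaddress.ip_address(pkt.dst) not in rule.dst_hosts:
        return False
    return True


def decide(pkt: Packet, rules=RULES):
    """Return (verdict, reason) for one packet."""
    direction = direction_of(pkt)
    if direction == "internal":
        return ("not seen", "traffic stays inside the network")
    for rule in rules:
        if matches(rule, pkt, direction):
            return (rule.action, rule.note)
    return ("block", "no rule matched")


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.5", "192.0.2.10", 80),    # visitor to the official web server
        Packet("203.0.113.5", "192.0.2.77", 80),    # visitor to an office PC run as a web server
        Packet("192.0.2.77", "198.51.100.20", 80),  # office PC browsing an outside site
        Packet("192.0.2.77", "192.0.2.50", 445),    # office PC copying a file to a campus server
    ]
    for p in samples:
        print(p, "->", decide(p))
```

The second sample is the office PC turned into a web server: the packet reaches the perimeter and is blocked there, which is why outsiders cannot view its content.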
Both Windows and Mac OSX have a built-in firewall that offers additional protection, and you
should always ensure that this is enabled on your home PC. The need for such a product is
slightly reduced if you also have a centralized firewall, as we do, although we still configure all
staff and poolroom computers to enable the Windows and Mac firewall.
Computers connected to the staff and student (pool room/library) networks are automatically
configured to be allowed (almost) unfettered access through our firewall. This means that you
can access off-campus systems such as web sites without hindrance. Conversely, the open
access network used in Halls of Residence requires students to enter their username and
password every 2 hours, in order to enjoy continued access through the firewall. If they don’t
supply these details, they will be restricted to on-campus sites only. This helps ensure that
someone who plugs their laptop into an open access network socket without permission can’t
access dangerous web sites.
A firewall is not a security panacea, and companies that have mistakenly believed that it is
have occasionally encountered major problems. Remember that firewalls don’t stop viruses or
spyware. And a couple of years ago, ITV’s lunch time news bulletin inadvertently featured a link
to a child porn web site because their firewall was correctly doing its job.
Web-Surfing in Safety
Browsing web sites, or surfing as it’s often called, isn’t without its dangers. Malicious web sites
can attempt to infect your computer with spyware or viruses. Yet perhaps the greatest threat
from the Web is to your privacy.
Although viruses spread mostly via email, some virus writers choose to use the Web to
propagate their wares. For example, a hacker might break into a web site and amend it so that
visitors who click on that site’s links are actually agreeing to download and install the virus.
Therefore, always keep your virtual ear to the ground when browsing Web sites, and don’t click
on links that look suspicious. And if you find yourself at a site that you didn’t intend to look at,
close the browser window by pressing Alt-F4 rather than clicking on any Close or Cancel button
that appears to be displayed by the site. On a Mac, press the Apple key and Q.
The same applies if you see any pop-up adverts while you’re browsing the Web. Remember,
no one really gives away free iPods or laptops to the 10,000th person who visits their web site.
It’s an advert at best, and a link to a virus or spyware at worst. Clicking on that advert will cause
the site to attempt to download some malware to your computer. And the “close” or “cancel”
button that appears on screen is just part of the ad, hence the reason why you should press Alt-
F4 to close the browser rather than clicking on that button.
As always, if you’re buying goods online, don’t enter personal information such as credit card
numbers (or even your UoB account number) into any site that doesn’t look totally genuine or
that doesn’t have the https:// prefix and the closed padlock symbol. Sites that lack these
features are often fakes, appearing to be genuine but actually run by hackers who will steal your
personal information and use it for their own gain. For example, if someone telephoned you
about a problem with an order that you’d recently placed with them on behalf of the university,
and they knew your name and your UoB account number, would you doubt for a moment that
they were genuine? What about if they needed you to confirm your bank account details
because there was a problem with the payment?
Surfing And Your Privacy
Web site operators often need, or want, to know about their users’ surfing habits. They want to
know which web site you were on before you came to theirs. They want to know where you’ll
be going afterwards. They want to know exactly which pages on their site you visited, and in
You may not be surprised to know that the technology which allows them to do this is widely
available and even more widely used. It helps web site operators ensure that the layout of their
web pages is optimized to generate as much usage and sales as possible, and it helps them
ensure that the adverts they display are as relevant to you as possible.
The way that web sites invade your privacy depends very much on whether or not the site
requires you to register and log in with a username and password. If it does, then the
opportunities for the site to invade your privacy are immense. Each time you do anything on the
site, such as clicking on a link, that activity can be stored in a database alongside your
username. So the site operators can build up a detailed picture of how you use the site, when
you use it, how long you stay on the site for during each visit, what time of day you typically log
in, and so on. Not only do they use that information for their own purposes, they often sell it to
other research organizations too. Sometimes anonymized, but not always.
Information about how people use the internet is much sought after, and hugely revealing. It’s
also a contentious issue. One famous case from a couple of years ago involved AOL, which
gave away to researchers the logs of half a billion entries from its search engine. It listed what
people were searching for, along with identifying factors such as their IP address. Many people
began to analyze the information and some frightening discoveries came to light. Such as the
search for “how to murder my wife”. Followed the next day, from the same IP address, by a
search for “how to dispose of a body”. Within a couple of days the data was no longer available
for downloading, but by then it was too late. Thanks to the internet, thousands of people had
taken a copy.
In the case of those web sites that don’t ask you to register, there are still ways to record
on its users’ PCs rather than on the site itself. Cookies aren’t as sophisticated as a proper
database, but they are still an invasion of privacy.
As an example of just how sophisticated website analysis has become, here’s part of an advert
for Google Analytics, a free service that lets you track visitors to your site:
The considerable power of Google Analytics
Securing your web site
This is not a Web development workshop and this is not really the place for detailed technical
discussion. However, if you are developing a web site for the university, there are some things
that you should take into account regarding the security of the site. You may wish to search the
internet or the library for further information on any of the following points which seem to apply
to the site that you are developing:
1. Take great care to protect the confidentiality of the usernames and passwords
that you use to upload files to your site or which connect you to additional
systems such as the database servers. Someone who finds out your password
can, at best, corrupt your site or delete it. At worst, they can replace your
pages with obscene or libelous material. Many major corporations and political
parties have been embarrassed in this fashion before – please don’t allow it to
happen to us.
2. If you’re writing scripts in languages such as PHP, test them carefully on a
development server before they go live. Don’t develop programs on a
3. Take regular backups of your site. Remember to include not just the static files
such as html pages, but also any MySQL databases and other components.
4. Sometimes there will be material which you wish to protect from being viewed
by people who aren’t members of the university. One option is to use a
.htaccess file to restrict your pages to the university’s range of IP addresses.
However, this prevents your site from being seen by staff and students working
from home. A better option is to use our EZProxy system, which can allow
instant access to your site from on-campus but automatically require the entry
of a valid university (ie, LDAP) username and password from off-campus. If
this is of interest, contact Information Services.
5. If your site needs to authenticate users, don’t set up yet another system for
issuing and checking passwords. Our LDAP system is available to all web
developers, and allows you to let users access protected areas of your site with
their LDAP username and password. Contact Information Services for details
on how to do this (note that you’ll need some technical PHP coding
6. Consider removing metadata from any document files that you upload to a web
site. Companies such as Microsoft make available free tools to do this. The
standard metadata that’s built into every Word document will reveal, to
everyone who downloads the file, the name of the person who created the file,
how long they spent working on it, and so on. The data inside a PDF file even
reveals the computer username of the author.
7. Look at the web pages of the OWASP project for excellent advice on creating
secure Web-based applications.
8. If you do ask users to log into your system with a password, check that they are
correctly logged in EVERY time they need to access a protected page, not just
when they go to the login page.
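To see what point 6 means in practice, the following added example (not a university or Microsoft tool) lists and then removes the author, last-editor, editing-time and company fields from a Word file. It assumes the newer .docx format, which is a zip package whose properties live in docProps/core.xml and docProps/app.xml; the sample document and the report labels are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# Package part -> {property element: label used in this example's report}
REVEALING = {
    "docProps/core.xml": {"dc:creator": "author", "cp:lastModifiedBy": "last_modified_by"},
    "docProps/app.xml": {"ep:TotalTime": "editing_minutes", "ep:Company": "company"},
}


def build_sample_docx() -> bytes:
    """Constructed sample: only the package parts this example reads, not a full document."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:title>Meeting agenda</dc:title>"
        "<dc:creator>A. N. Author</dc:creator>"
        "<cp:lastModifiedBy>jbloggs</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        "<TotalTime>137</TotalTime><Company>Example Dept</Company>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<document>Agenda for Tuesday</document>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def read_metadata(docx: bytes) -> dict:
    """Return the revealing properties that anyone downloading the file could read."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        for part, fields in REVEALING.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for path, label in fields.items():
                el = root.find(path, NS)
                if el is not None and (el.text or "").strip():
                    found[label] = el.text.strip()
    return found


def strip_metadata(docx: bytes) -> bytes:
    """Copy the package, dropping the revealing properties and leaving the rest untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename in REVEALING:
                root = ET.fromstring(data)
                for path in REVEALING[item.filename]:
                    for el in root.findall(path, NS):
                        root.remove(el)   # these properties are optional in the format
                data = ET.tostring(root, encoding="utf-8")
            zout.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before upload:", read_metadata(original))
    print("after cleaning:", read_metadata(strip_metadata(original)))
```

Running the reader over a folder of files before they are uploaded is a quick check that nothing still carries a name or username.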
Specifics of home PC security
Until now we’ve concentrated entirely on safe computing at work, or when away on university
business. But it’s important that you also practise safe computing at home, so here are some
recommendations that you will hopefully find useful.
1. Set up separate user accounts on your computer, with one account for each member of
the family that uses it. Give each user their own password. If you want to make the
children aware that their actions on the computer can be traced, ensure that they don’t
know your password and thus can only log in with their own account.
2. Configure the accounts so that no one regularly uses an account that has administrator
privileges. Keep the admin account to yourself, and use it only when administering the
computer, such as setting up new users or installing new programs. This will help to
stop viruses and spyware from infecting your computer because they won’t have
sufficient privileges to run.
3. Ensure that you always install all important security updates issued by Microsoft, Apple,
etc. This is normally nothing more than ticking a “keep my computer updated
4. Install antivirus software, and ensure that it’s updating properly at least once a week.
5. Install some anti-spyware software and use it at least once a month.
6. Never click on a link within an email message, or download an attachment linked to an
email message, unless you are 100% confident that the source can be trusted. If in
doubt, just delete the message. Remember, banks never email you to ask you to log in
to your account. Clicking on an untrustworthy attachment is like inviting a burglar
through your front door - it bypasses any protection offered by your firewall.
7. If you use social network sites such as Facebook, MySpace, Bebo and others, don’t
give away too much personal information. While it might be fun to publish your name,
address, age, photo and life history for the world to see, such data can be of great help
to those who like to engage in identity theft.
8. If you're running Windows, download and run the free Microsoft Baseline Security
Analyzer program. You'll find it by searching for MBSA on www.microsoft.com. It will tell
you whether you are missing any important security patches, and automatically install
them for you.
9. If you haven't turned on the firewall in Windows, do so. It will help to protect you from
hackers on the internet. It will also help to prevent any rogue software which finds its
way onto your PC from making contact with outside hackers.
10. If you have a telephone-based broadband connection (ADSL) and you are using a
broadband modem that plugs into your computer via the USB port, consider replacing it
with a router. A router is much more secure than a USB modem. They normally have a
built-in firewall, which is better than the one provided with Windows because it can
block hackers before they even reach your computer.
11. If you're running any version of Windows prior to XP, update to XP or Vista. You can
get it for just a few pounds from the Computer Store on the Moulsecoomb campus. If
you're running Windows XP and you haven't installed Service Pack 2, download and
install it urgently. Versions of Windows prior to XP Service Pack 2 are much less secure
than modern releases. They are not as resilient to hackers, viruses, or malicious web
12. If you have a broadband or cable router that is providing wireless access, you must
enable encryption. Without encryption, neighbours and strangers can access your
internet connection and, possibly, the files on your PC. Cases of people using
someone else’s wireless to access child porn web sites are not uncommon, so don’t let
it be your connection that gets used. Equally, if your ISP imposes a monthly bandwidth
limit, passers-by or neighbours using your wireless connection will mean a greater
chance of you reaching that limit and having your connection temporarily turned off or
extra charges added to your account.
WEP encryption is an older standard and is not as strong as WPA, but is better than
nothing if your router doesn't support WPA.
Your router may also support other wireless security features, such as MAC address
filtering and SSID hiding. These are useful, but don’t significantly increase the overall
security of your system because they are relatively easy for hackers to circumvent.
13. If you are using your computer for online shopping, always buy from sites run by
reputable companies that you trust. If you provide your credit card details to a company
that you haven't heard of, there's a chance that the company might be fraudulent and
might misuse your information.
14. If you’re using the EFS encryption system built into Windows, read the warnings
elsewhere in this workbook to ensure that you’re not storing up trouble for later.
Specifically, you may be creating backups that you won’t be able to restore.
15. If you use online banking, or other online services where security is paramount, always
use a different password for each bank or site. If someone discovers or guesses your
password, that password is only valid for one site rather than multiple sites.
16. Before entering personal information such as a password or your credit card number
into a web site, check for a closed padlock symbol at the bottom of your screen and that
the address of the site starts with https rather than just http. The https prefix and the
closed padlock symbol mean that all the information which you type into the web site
will be encrypted before being sent to the site, thus ensuring that hackers can't intercept
it. Also, companies which use https sites are easier to trace should anything go wrong.
17. If you have confidential documents stored on your PC you should consider the
use of an encryption program, or look up details on how to use the EFS (Encrypting File
System) feature built into Windows. If someone were to steal your computer, they could
read all the files stored on it, even if you have configured Windows to ask for a
username and password for each user. Encrypting the files prevents this.
18. Make copies of all the important files that are on your computer, such as documents,
emails, photographs, music tracks, video clips, and so on. The most convenient way to
do this is to use an external USB hard drive or a "pen drive", depending on how much
data you have. Never keep your backup near your computer. If your computer breaks,
or is lost or stolen, you risk losing all of the information stored on it. If you have backup
copies of that information you can easily copy it to your new computer. By ensuring that
you don't keep the backups near the computer, disasters such as a fire or a burglary
won't result in you losing both the computer and the backup.
19. Never reply to spam emails, even to opt out from being on the sender's database. Just
delete the message. Spammers often try emailing addresses at random in the hope that
you'll reply and thus confirm that the address was valid. By confirming your address as
valid, you'll simply get much more spam.
Accidents Do Happen
Not everything to do with Safe Computing is about criminal activity such as hackers, viruses and
spyware. Many of the problems that afflict us are caused by accidents, such as deleting the
wrong file or dropping your USB pen drive down the toilet! Sometimes, data that was
considered lost can be recovered, as we’ve already seen. For example, Exchange email
messages can often be recovered even after they’ve been removed from the Deleted Items
folder, and there are similar facilities available if you store your files on your M: drive.
But by far the best way to ensure that accidents don’t affect you is to make regular backups of
important data, and keep those backups stored safely.
Very occasionally, you might come across a problem where vital data has been lost and there’s
no backup. Even if all hope seems lost, there are companies that can recover information from
computers that seem beyond hope, including those that have been subjected to flood, fire, or
falling out of your car on the motorway. Such services don’t come cheap, but they can often
achieve the impossible. Therefore, it’s always worth contacting the Help Desk for advice before
giving up hope.
The golden rule about data recovery is that, the longer you continue to use the computer after
the loss is discovered, the more difficult the recovery becomes. So if you do have a problem,
stop using the computer immediately (but don’t turn it off or shut it down), and seek assistance.
Computer Crime and the Law
Computer crime is against the law in almost all countries, including the UK. This workshop is
mostly about how to protect your computer and your information (from both criminals and
mishaps), rather than how to detect and prosecute criminals. But it’s useful to cover some of
the major pieces of relevant legislation that can be used against computer criminals (including
staff and students, in extreme cases).
The Computer Misuse Act 1990
The most important piece of legislation which affects computer crime of all hues is the Computer
Misuse Act 1990. Someone who deliberately hacks into a computer system, or infects it with a
virus, is most likely to face charges under this Act. Offences under this Act fall into one of its 3
The wording of the Act deals with unauthorised access to, or modification of, computer material.
As with most computer-related legislation, the prosecution needs to prove intent. If you
innocently click on a link on a Web page and find yourself somewhere that you shouldn’t be,
that’s not against the law.
As with all other offences in UK law, it’s illegal to incite someone to commit an offence. So if
you’re creating a web site or a written document about computer crime, for example, you
mustn’t provide information that could be used to train someone to hack. Equally, if you’re
writing about explosives, take great care when listing the required ingredients or where to buy
Incidentally, using your laptop to connect to someone else’s wireless network that you do not
have explicit permission to use is a criminal offence under the Computer Misuse Act, and some
people have been prosecuted for it already. So if you’re currently taking advantage of your
neighbours’ good nature or ignorance, especially if you’re doing it on a university-owned laptop,
it might be best to stop. If only because those neighbours may well be able to view the files on
your computer, which could lead to major problems for you and the university.
Remember: accidentally committing a “computer crime” isn’t an offence. If you think that your
computer might have a virus, even if it’s because of something you did, it’s better to tell
someone straight away.
Originally a BSI British Standard and now a publication of the International Standards
Organisation, this is a “code of practice for information security management”.
It’s not legislation, as such, but more a set of best practices for companies who want to ensure
that their computer systems are safe. If you’re interested in learning more about IT security, it’s
well worth reading. And if you connect to the BSI via the university’s Online Library, you can
download this document (and many others) free of charge rather than paying the normal £50
Data Protection Act 1998
The Data Protection Act 1998 sets out rules for storing and processing information about
people. Whether you have a simple mailing list for names and addresses of students, or a
detailed database containing highly personal data such as salary or sexuality information, you
have to register with the Information Commissioner (www.informationcommissioner.gov.uk). It
is illegal to use information for purposes other than those which have been declared. Data subjects,
ie those people on your lists, have a right to request a copy of the information that you hold
about them for a nominal fee.
The university’s Data Protection officer, who deals with relevant issues under the DPA, is Jan
Lock. If you’re creating databases that hold information about living people, you should talk to
Jan to ensure that you are adhering to the correct rules.
The university’s LDAP database, of which more later, is very useful if you’re developing
computer systems and you want to avoid holding personal information about current staff or
students that would otherwise be covered under the DPA.
Initially the DPA only covered information held on computers. Nowadays it covers paper
records too, so you must also take care to protect confidential printouts such as salary or exam
The Regulation of Investigatory Powers Act 2000
This replaces the old Interception of Communications legislation and deals with the interception
of data and voice communications by private bodies and Government agencies. It covers, for
example, the rules which apply if companies wish to monitor employees’ use of the internet. It
also provides an exemption for cases of wide-scale interception that are required in order to
keep a system running smoothly, such as programs which automatically scan the contents of
email messages in search of viruses or banned content.
The Protection of Children Act of 1978
Covers, among other things, child pornography. Under this Act it is a criminal offence to take,
permit to be taken, distribute, show, advertise or possess for distribution any indecent
photograph or pseudo-photograph of a child who is, or appears to be, under the age of 18. Note
the inclusion of pseudo-photographs, which encompasses the activities of those who use
computer programs to put young heads on adults’ naked bodies. When TV news reports talk
about someone being convicted of “making indecent images of children”, this (rather than
actually taking the pictures) is normally what is meant.
Unlike conventional pornography, child porn is also unique in that mere possession of the
material is an offence. Hence the various police operations which have targeted those whose
credit card numbers appear on the customer lists of web sites selling such material.
Although it is illegal to actively seek out images (both still and moving) of child pornography on
the Internet, it is not an offence to encounter such material unwittingly. For example, if you
innocently click a link on a Web page and, without warning, are taken to a page containing child
porn, you are committing no offence. Similarly, if you suspect that a colleague is using his
computer at the office to view or download child pornography, you are permitted to view and
store any material that you find in order to gather evidence. However, this is best left to the
Information Services department, who have a team of people trained in the legalities of
computer investigations, rather than doing it yourself.
The university is legally liable for the content of email which is sent from its systems, regardless
of whether the message was sent for private or business-related purposes. This could lead to
prosecutions if, for example, outgoing email was found to contain material that was
pornographic, racist, or likely to incite someone to commit an act of terrorism. Therefore, make
sure that such incriminating messages are not sent.
The Data Protection Act states that all confidential information must be handled and transmitted
securely. Therefore, if you send such information by email without taking steps to encrypt it you
are committing a criminal offence. For example, if a new member of staff joins your department
and you send details of their name, address and salary to another department by email over the
internet then this is possibly illegal, especially if any of the computers or email accounts
involved are shared by more than one person.
The Freedom of Information Act
The Freedom of Information Act obliges organizations to make available all of their internal
information to anyone who asks, unless there’s a valid reason not to (such as client
confidentiality or because it’s commercially sensitive). The Act only applies to public sector
organizations, of which the university is one.
If data requested under the Act isn’t readily available, or isn’t in a suitable format, we are legally
obliged to assemble it. Not having the information to hand is not a valid excuse against
Most organizations covered under the FoIA, including us, have created what’s known as a
Publication Scheme. This is a list of all data that we have available (and, in many cases, the
actual data too). This is available on our Web site, and helps to ensure that people who would
normally need to make an FoIA request can now locate what they’re looking for without having
to go through any formal channels.
The university does still receive around 50 requests under the FoIA each year, which are dealt
with by the people in each department or school who have been trained in doing so.
If you receive a request for information, either by email or letter, you should pass it to the
relevant person in your department. If you don’t know who that is, ask Jan Lock, who’s our data
protection officer. Note that any formal request for information needs to be handled under the
FoIA guidelines, even if the request doesn’t mention the FoIA explicitly. Therefore, you should
always deal with (or pass on) such enquiries as quickly as possible because it is illegal to fail to
respond to an FoIA enquiry within a certain time frame.
The Rules According to Janet
Like almost every other British university, we use Janet (the Joint Academic Network) as our
internet service provider. Janet has some extra rules that we need to adhere to, most
specifically concerning the use of our internet connectivity for commercial purposes. If you
intend to use the university’s web sites for anything commercial, such as selling products or
services, you must obtain prior authorisation from the Director of Information Services.
And Finally, Esther
The university’s network of some 2500 computers, spread across an area that encompasses
Brighton, Eastbourne and Hastings, is one of the largest in the country. The Information
Services department takes great care to ensure that it remains secure, and available for use, all
of the time. But IT security is the responsibility of all of us, not just the Information Services
department. We all need to play our part, by being vigilant and by taking sensible precautions
in the way that we use hardware and software resources. So, if you do nothing else after
attending this workshop, it pays to follow these golden rules:
1. Make sure you are familiar with the university’s information security policy
2. Never click on an email attachment unless you can be sure it’s safe
3. Back up all your important document files and store the backups thoughtfully
4. Make sure your antivirus software is updating regularly
5. Encrypt any confidential data that you send off-site
6. Run anti-spyware software on your PC every week or two