IS Doc 600




                       Safe Computing
                       Protecting computers and information, at work and at home
                       Notes to accompany a 2-hour practical workshop for University of Brighton staff




                       Although the Information Services department works hard to ensure that university
                       computers and data remain safe and secure, we all have a part to play in the
                       ongoing effort. This hands-on workshop provides an enjoyable and enlightening
                       overview of IT security issues that affect us all, both on the internet and offline.

                       You are welcome to bring along to the workshop any security-related questions
                       that you may have, including those relating to your home PC, and we’ll do our best
                       to answer them or provide general advice.

                       If you are not attending the workshop, you will still find it useful to read through this
                       document in order to learn about how to protect your office and home computers
                       from viruses, spyware, and so on. This workbook can be downloaded from
                       www.brighton.ac.uk/is/training.




Last updated 08 Jul 2010
Robert Schifreen
For details of Information Services workshops see: http://www.brighton.ac.uk/is/training/
Contents
Safe Computing
Contents
Workshop requirements
Why Safe Computing is Important
How We Manage Security
All About Passwords
The Importance of Backups
Viruses
Spyware and Adware
Email
How Anonymous Is The Internet?
Processing Confidential Information
Firewalls
Web-Surfing in Safety
Securing your web site
Specifics of home PC security
Accidents Do Happen
Computer Crime and the Law
And Finally, Esther




Workshop requirements
Example files required for this workshop

None


System and software

A computer with internet access and a web browser. Although this workshop will
be taught on Windows PCs, the vast majority of the content and exercises are
hardware-agnostic.






Why Safe Computing is Important
The University of Brighton’s Safe Computing programme is about preventing the misuse of our
IT resources, both hardware and software. As well as protecting ourselves from criminals such
as hackers, it’s also about safeguarding our systems and data from loss or damage caused by
mistakes, mishaps, accidents and plain ignorance.

IT security is important because the risks are so high. For example:

    • A stolen PC or laptop costs us money (it’s hard to get anti-theft insurance for laptops)
      and damages our reputation among staff and students

    • Someone who hacks into our computers, perhaps by guessing a UoB username and
      password, can access data files that they’re not entitled to see

    • If you inadvertently divulge the password required to edit or amend a university web
      site, someone else could change the site’s pages without your permission or your
      knowledge.

    • If you click on a link in a spam email message that you receive, without giving due
      consideration as to whether the link is trustworthy, you may infect your computer with a
      virus that spreads to hundreds of other student and staff computers across the
      university

    • Failure to adequately protect the university’s confidential information, such as student
      records, is a breach of the UK’s Data Protection Act and could result in both you and
      the university facing prosecution

    • If we dispose of an old desktop PC in a local skip without wiping the data from the hard
      drive, and the information is subsequently recovered by a passer-by, we risk a large
      amount of negative publicity.

As you can see, the major risks in IT security are a combination of financial and reputational.

In the next section of this workshop, we’ll look at some of the most important aspects of IT
security as it works at the university.




University of Brighton Information Services


         How We Manage Security
         Although we ask everyone to help play their part in protecting the university’s computers,
         Information Services does all it can to help maintain a safe and secure computing environment
         for everyone. This section explains more about what we do.

         The university’s data network is actually 3 separate “virtual” networks which operate on the
         same set of cables but which (mostly) can’t talk to each other. There’s the staff network for all
         staff computers, the student network for the libraries and pool rooms, and the open-access
         network for halls of residence. This helps to ensure security as, for example, anyone plugged
         into the student network can’t access any resources that are dedicated as being for staff only,
         regardless of which username and password they use.

         Computers on the staff network use fixed IP addresses, which are allocated by Network
         Services (part of the Information Services department). Without a valid IP address, a computer
         connected to the staff network won’t be able to access any university systems or the internet.
         Conversely, the student and open-access networks use DHCP, a system which automatically
         assigns a valid IP address to a computer as soon as it is plugged into the network (although the
         student network is further restricted by MAC address filtering to prevent students from
         unplugging computers in the library or poolroom and connecting their own laptops instead).
         We’ll discuss IP addresses in more detail later.

         Most staff computers are members of the university “domain”. This allows them to be managed
         centrally in order that, for example, the university’s standard antivirus software and security
         patches can be automatically installed and updated. Computers which are joined to the domain
         can also take advantage of our LDAP system for managing usernames and passwords, of
         which more later.


         Passwords

         Your desktop computer will normally have been installed, configured, and joined to the
         university domain, by someone from the Information Services department or your school or
         department technician. You can then log into the computer using your university username and
         password.

         The university has lots of computer systems that you may need to log into, such as
         StudentCentral, StaffCentral, eFin, SITS, protected areas of web servers, the Online Library, the
         repository, not to mention the computer on your own desk. With 2,500 staff and 17,000
         students, all of whom need to log into a variety of systems, keeping track of all those passwords
         would be an impossible job without some form of centralized system. The university uses such
         a system, employing a technology known as LDAP. This is a central database of usernames
         and passwords that can be consulted by every university computer that you ever need to log
         into in order to check whether the username and password that you have entered is correct.

         When you log into your desktop PC or Mac (or, strictly speaking, when you log into the
         university domain from your desktop computer), the username and password that you type is
         checked against the LDAP database. Similarly, when you log into StaffCentral or
         StudentCentral or the Online Library, the password that you enter is checked in the same way.
         Using LDAP means that you only need to change your password in one place (the LDAP
         database) in order to change it on almost all university systems.

         If you ever want to change your LDAP password (also known as your university password), it’s
         always best to do so via LDAP itself, using the MyInfo web site. If you change it via a single
         system, such as using the feature built into Windows, you will only change the password that
         logs you into Windows rather than the password that gets you into all the university systems.
         This will result in your passwords becoming “out of sync”, and you’ll have to use different
         passwords to log into different university computers.

Exercise 1           See how to change your LDAP password

        You probably don’t want to change your password now, but it’s a good idea to at least see how
         to do it.

                      1 Launch your Web browser
                      2 Go to myinfo.brighton.ac.uk and note how you are redirected to the https://
                          version of the page. This is a secure site which uses encryption to ensure that
                          anyone monitoring your connection can’t intercept what you type. Whenever
                          you’re entering confidential data into a web page, make sure that the site uses
                          https.
                      3 You’ll see a screen that looks like this:




                      4 Enter your current university (LDAP) username and password, then click the
                          Login button.
                      5 You can now, if you wish, change your password. Once you do so, the LDAP
                          database will be updated and the new password will apply to most university
                          systems, including your desktop PC or Mac. If you don’t want to do so at this
                          time, just close your web browser.
                      6 Note that the LDAP database processes all its updates in batches, every 15
                          minutes. So it will take up to 15 minutes before your new password is active.
                      7 Students who wish to change their password can do so using myinfo in exactly
                          the same way. They can also use the same system to change their email
                          forwarding address, eg if they want email that is sent to their UoB mailbox
                          (xx99@brighton.ac.uk or f.bloggs@brighton.ac.uk) to be forwarded to
                            somewhere like Hotmail or Gmail instead. This facility is not available to staff.


           Automatic Installation of Security Patches

           Microsoft issues around 100 security patches for Windows and Office every year, and other
           companies such as Adobe and Apple also issue regular fixes for their products. Computers
           connected to the university domain will automatically have these patches installed via our
           central systems, so there’s normally no need for you to install security patches yourself on your
           office computers.

           If you have a university laptop, any outstanding patches (and antivirus software updates too) will
           be installed each time you connect the computer to our network. If you rarely connect your
           university laptop to the network, it’s a very good idea to do so at least once a month in order to
           ensure that you are not missing any important updates. Note that if you haven’t connected for a
           while, there can be quite a large backlog of updates to get through, so you may find your
           computer runs very slowly for the first ten minutes of use.


           Antivirus Software

           You must have antivirus software on your computer (whether PC or Mac) before you connect it
           to the university network. Also, the software must be configured to update itself automatically at
           least once a day. Otherwise there’s a real risk that your computer may become infected by a
           virus, and that the virus might successfully spread to other computers in the university and
           beyond.

           The university’s official antivirus software is Sophos, for both PCs and Macs. If you still have
           the old McAfee software that we used until 2006, you must remove it and replace it with
           Sophos. If you still run McAfee, your software won’t be updated and thus you will be at risk
           from viruses. Also, you will be using the software illegally as we no longer have a McAfee
           licence.

           University computers (both PC and Mac) used by staff, as well as those in libraries and pool
           rooms, should have the Sophos program automatically installed and updated by our central
           systems. If this is the case on your computer, you can rest assured that you’re safe from
           viruses. However, it’s always a good idea to check occasionally that your computer has
           antivirus software installed, that it is configured to update itself regularly, and that the updates
           are actually being correctly installed.

Exercise 2            Check your PC’s antivirus software



                        1 On the status line at the bottom of the screen, look for the blue shield that
                            signifies the Sophos antivirus software, and right-click on it.
                        2 Click on “open Sophos antivirus”
                        3 Check the “Last Updated” date and time and ensure that it’s no more than 2
                            days old.



             4   Check that the “product version” is at least 6.
             5   Click on “Configure”, then “Updating”
             6   Click on the Primary Server tab.
             7   The information on the tab should be greyed out. The server address should
                 be http://security.brighton.ac.uk/sophos/esxp/. The username should be
                 university\webupdate. If any of these items is wrong, you will need to configure
                 the updating again. On a PC, right-click on the blue shield and choose
                 Configure Updating. Fill in the information as follows:


                 Server:           http://security.brighton.ac.uk/sophos/esxp
                 Username:         university\xxx (where xxx is your username)
                 Password:         Your university (LDAP) password


                 If you’re using a Mac:


             1 Click on the blue shield in the menu bar at the top right of the screen, near the
                 clock
             2 Select Open Preferences
             3 Click on the AutoUpdate tab
             4 Under the Primary Server tab, check that the URL is
                 http://security.brighton.ac.uk/sophos/esosx/

As long as the Shield is blue and does NOT have a red cross on it, then Sophos is working
correctly.


Antivirus Software for Home

If you have a computer at home (Mac or PC), it’s vital to use antivirus software, especially if you
connect to the internet or you ever exchange document files with other people. The university
has a site licence for our Sophos software which also allows you to install the software on one
(and only one) home computer. Just pick up a free CD from any university library or computer pool
room, or download it from http://security.brighton.ac.uk/sophos. Our licence covers students
too, so feel free to tell all your colleagues and students about this offer, for free software that
would otherwise cost them almost £100.


Restriction of admin accounts

Windows will normally be set up on your PC to give you Standard User or Power User
privileges, rather than an Administrator account. This allows you to use all the programs
installed (Word, Excel, eFin etc), and to browse the internet, but you won’t be able to install new
software or change your computer’s configuration. If you need software installed, your local
technician can do this for you.

Logging into Windows as a non-Administrator is a good idea for a couple of reasons. First, if
you inadvertently try to do something dangerous like deleting the entire hard disk, your lack of
administrator privileges means that you won’t be allowed to do it. Secondly, if a virus attempts
to install itself, the same mechanism will prevent it from doing so.



         If you have a PC at home, you probably don’t have any user accounts set up at all, or there’s
         just a single administrator-level account that you use all the time. That’s how Windows XP is
         normally delivered. But now that you know why this isn’t a good idea, you might wish to change
         it. Set up a user and an admin account for yourself, and only log in as the administrator when
         you need to do admin-type things. At all other times, use your Standard User or Power User
         account. To change user account settings in Windows XP, go to the Control Panel and look for
         the User Accounts icon.


         The Proxy Server

         All access to the internet from university computers has to go via what’s known as our proxy
         server, except for access to .ac.uk web sites. If you attempt to connect directly to a non-
         academic web site from your computer, it won’t work. Configuring our network in this way
         allows us to manage the data that travels between our internal networks and the internet.

         It also allows us to maintain logs of which staff and students access which web sites, which we
         are required to do by law. These logs are held for no more than 6 months, after which they are
         deleted. Details of a user’s internet activity are only retrieved from those logs if a member of the
         university’s Senior Management Team or the police (with a warrant) request it.

         All computers in the university domain are automatically configured to use the proxy server.
         However, it’s useful to know how to configure and de-configure it manually, such as if you want
         to use a personal laptop at work or you need to help a student access the internet on their
         laptop.

         To configure Internet Explorer to use the proxy server, go to the Tools menu on IE, select
         Internet Options, click on Connections, then LAN Settings, then tick the box that says “use
         automatic configuration script”. For the address of the script enter:

         http://www.brighton.ac.uk/proxy.pac

         and the job is done. (Note that the http:// part is required).

         If you’re using a different Web browser, you’ll probably need to configure that one too. Look in
         the options settings for a proxy server. If there’s an option to specify a configuration file, enter
         the URL shown above. If there’s only the option to specify a proxy server, enter just
         proxy.brighton.ac.uk instead. If you’re asked for a port number, use 80.

         If you ever come across a computer that can access academic web sites but can’t contact other
         external sites such as Google or the BBC, it’s highly likely that the problem is a missing
         proxy.pac configuration entry.

         If a student brings their laptop on site, they will need to enter this proxy information in order to
         access external Web sites, regardless of whether they’re plugged into a port in a library, pool
         room or hall of residence, and whether they’re using a network cable or a wireless connection.
         Conversely, when they leave the campus and want to use their computer at home, they’ll need
         to untick the “use automatic configuration script” box, because attempting to access the internet
         from off-campus using our proxy won’t work.
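
The routing rule described in this section, written out as a proxy auto-configuration (PAC) function together with a small troubleshooting model. This is an added example, not the contents of the university's real proxy.pac: the rule inside FindProxyForURL, the canReach, simulate and diagnose helpers and the sample URLs are assumptions built from the description above. Only FindProxyForURL is the PAC part; the rest runs under Node.js.

```javascript
// Stand-in for the dnsDomainIs() helper that browsers supply to PAC scripts,
// defined here so the example also runs under Node.js.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// Assumed PAC logic: .ac.uk hosts are fetched directly, everything else goes
// to the proxy named in the notes, on port 80.
function FindProxyForURL(url, host) {
  // Match the suffix of the host name only. A substring test on the whole URL
  // would wrongly treat "http://www.example.com/?ref=x.ac.uk" as academic.
  if (dnsDomainIs(host.toLowerCase(), ".ac.uk")) {
    return "DIRECT";
  }
  return "PROXY proxy.brighton.ac.uk:80";
}

// Model of the network rules in the notes (an assumption, not a measurement):
// on campus only .ac.uk sites accept direct connections, and the proxy cannot
// be used from off campus.
function canReach(url, onCampus, pacTicked) {
  const host = new URL(url).hostname;
  const route = pacTicked ? FindProxyForURL(url, host) : "DIRECT";
  if (route === "DIRECT") {
    return !onCampus || dnsDomainIs(host, ".ac.uk");
  }
  return onCampus;
}

// Constructed test pages: one academic site plus the two external examples
// mentioned in the notes.
const SAMPLE_URLS = [
  "http://www.brighton.ac.uk/",
  "http://www.google.com/",
  "http://www.bbc.co.uk/",
];

// What a browser on this computer would be able to load, according to the model.
function simulate(onCampus, pacTicked) {
  return SAMPLE_URLS.map((url) => ({
    url,
    academic: dnsDomainIs(new URL(url).hostname, ".ac.uk"),
    ok: canReach(url, onCampus, pacTicked),
  }));
}

// Turn observations (simulated here, or gathered by hand) into the advice
// given in the notes.
function diagnose(observations, onCampus) {
  const academicOk = observations.some((o) => o.academic && o.ok);
  const externalOk = observations.some((o) => !o.academic && o.ok);
  if (academicOk && externalOk) return "working";
  if (academicOk && onCampus) {
    return "tick the configuration script box and enter the proxy.pac URL";
  }
  if (academicOk) return "untick the configuration script box";
  return "no web access at all, so not a proxy setting problem";
}

// Print the advice for all four combinations of location and setting.
for (const onCampus of [true, false]) {
  for (const pacTicked of [true, false]) {
    const advice = diagnose(simulate(onCampus, pacTicked), onCampus);
    console.log(`onCampus=${onCampus} pacTicked=${pacTicked}: ${advice}`);
  }
}
```

The same symptom (academic sites load, Google and the BBC do not) leads to opposite advice on and off campus, which is why diagnose needs to know where the computer is.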




The Rules!

Almost all organizations, both public- and private-sector, have documents which explain the
rules about what is deemed acceptable use of the organization’s IT resources. The University
of Brighton is no exception. The Information Services department publishes a series of
documents which are agreed by the university’s Information Strategy Committee on behalf of
the Academic Board. The 3 that are most relevant to all staff and students are:

    • Conditions of Use of University of Brighton Computing Facilities including Networks

    • University of Brighton Information Systems Security and Information Interception Policy

    • Code of practice for using information systems.

These are available on StaffCentral.

The documents define what represents unacceptable use of the university’s systems. For
example, attempting to hack into university systems by guessing a colleague’s password,
connecting a computer to our network which does not have antivirus software installed,
downloading pirated software or music files onto a university computer, or deliberately viewing
indecent material on web sites are regarded as unacceptable and can result in the offender
facing disciplinary action.


Uncensored But Monitored

Unlike some organizations, the university doesn’t routinely censor the web or email, preferring
instead to operate on a system of trust and freedom. We do, however, have monitoring
systems in place which will alert the Information Services operations staff if any suspicious
activity takes place on our network, whether that activity originates inside or outside the
university.

We also have a central firewall which ensures that all access to university computers from off
campus is blocked, except in the case of specific computers such as web servers. All
computers on UoB premises including the sites at Moulsecoomb, Falmer, Grand Parade,
Eastbourne and Hastings are considered to be on-campus.

Although we do block some kinds of network data, this is not always for security reasons. For
example, we don’t allow staff or students to use internet telephony systems such as Skype
without the permission of the Director of Information Services, because it requires a lot of
network capacity. You may also find that videoconferencing applications such as MSN
Messenger don’t work when one of the parties is off-campus. This is because Messenger
requires our firewall to be configured in a manner which is regarded as insecure, in order to
allow data to travel freely between participants.


DRP and BCP

When you’re managing the security of a network the size of ours, you need to plan in advance
for how you’d deal with an emergency or a computer-related disaster. You also need to make
sure that you’re prepared for any eventuality.




         For example, most of the university’s web servers reside in one building, and if there was a
         major flood or fire in that building a web site that normally gets around 50,000 hits a day would
         be off the air. To prevent such an eventuality, we do what’s known in the security field as
         Disaster Recovery Planning and Business Continuity Planning. This means that there are plans
         and procedures in place to ensure that we can be up and running as quickly as possible after an
         IT-related disaster. We also have backup hardware in place in various other locations, all ready
         to spring into action should the need arise.


         Your PC and Your Privacy

         You should be aware that the university’s network does record details of every web site that you
         visit (but not the information that you type into that web site, such as passwords).

         The university has strict rules about data privacy and confidentiality. Technicians and network
         operations staff do not routinely examine the contents of staff or student PCs, the contents of
         your personal storage area (your M: drive) on the network, or the network’s log of the web sites
         that you have visited. If a staff member or student is suspected of misusing the university’s IT
         resources, and if it is deemed necessary to monitor that person’s internet usage or the content
         of their PC, this has to be authorized in writing by a member of the university’s Senior
         Management Team.

         If you’re interested in the science of investigating the computer of someone who is suspected of
         illegal activity, a Google search for “computer forensics” will bring up a wealth of fascinating
         information on this growing industry. The University of Derby has even launched an MSc in just
         such a subject.


         All About Passwords
         There are various ways that a person can prove to a computer that they are who they say they
         are. The main method that we use at the university is the password.

         Other methods are available, such as biometrics (fingerprints, voice recognition) and
         smartcards, but these are not widely used outside the commercial world. We do use cards to
         control access to some buildings. Also, some of our systems are IP-authenticated which means
         that you can’t log into them unless your computer has a specific IP address. Plus, our firewall
         protects systems from attack from off-campus.


         Guard Your Password

         Your university (LDAP) username and password are the keys to almost every university system
         that you are permitted to use, such as your desktop PC, studentcentral, StaffCentral, the
         wireless network, the student records system, and others. Therefore, if you ever need to
         change your password, choose one that is difficult to guess (but don’t write it down!).

         If you routinely use your PC to process sensitive information it’s a good idea to change your
         password occasionally. Some companies force all staff to change their passwords every 3
         months, or so. We currently have no such rule, but that’s not to say that you shouldn’t consider
         doing so. Also, remember that passwords on our systems are case-sensitive, so pAsswoRD
         isn’t the same as PassWORD.

         When you’re choosing a new password, it’s best to keep it shorter than 11 characters.
         Otherwise, some of our systems (notably StudentCentral) tend to get confused.


         Athens

         Your university username and password lets you access not just internal university systems, but
         also external systems. Perhaps the best example of this is Athens, which is a central
         authentication system (similar to LDAP) that allows you to use your university credentials to log
         into various external online databases to which the university subscribes. The precise set of
         systems that you can access will depend on who you are and what department you’re in, and
         you can access them both from on-campus and from home.

         Let’s try using Athens to see what systems we’re allowed to use:



Exercise 3         Using Athens to access external authenticated databases
                     1 Open a web browser and go to http://auth.athensams.net/my
                     2 If you’re asked to click on a link to go to the University of Brighton login page,
                         do so
                     3 Enter your university username and password
                     4 Under Resources, you’ll see all the systems that you can now log into

         Another way to access these electronic resources, assuming you know which one you want to
         see, is via the Online Library. Go to library.brighton.ac.uk with your Web browser and click on
         the Online Databases link.


         How your Password Protects Your PC

         Any information that you store on your desktop computer or your M: drive can’t be accessed by
         other people. Even if someone else uses your desktop PC or Mac they can’t see your data, so
         long as they log into the computer as themselves. Remember: allowing someone else to use
         your LDAP password is unwise and is also a major breach of the university’s security policy.

         But contrary to popular belief, passwords do not offer 100% security. It’s possible to download
         programs from the internet that will crack the passwords on a Windows computer in just a few
         hours (but don’t be tempted to try this unless you’re willing to face dismissal and/or
         prosecution). If you want 100% security you need to think about encryption, which we’ll cover
         later.








         [Screenshot] This program is cracking a password every 126 seconds

         There’s no facility within Windows or our network that allows our support staff to find out your
         password. They can, though, change it to something else. So if you forget your password the
         help desk can fix the problem for you. But if one of our admin staff wanted to change your
         password in order to access your PC, you’d know that this had happened.


         The Importance of Backups
         The university provides 2 places to store the day-to-day document files, spreadsheets,
         presentations, graphics etc that you create on your PC. These are:

             1. The hard disk on your desktop PC (normally drive D: in Windows but sometimes C:)

             2. Your personal area on the network-based University Folders server (drive M:)

         In addition, your own school/department may provide some form of networked file store.

         Your computer is normally set up so that files are stored on your computer’s own hard disk.
         You may, though, wish to utilize your M: drive instead, or in addition to your local desktop PC.
         It’s easy to do this – click the My Computer icon on your desktop and look for the drive whose
         name ends with M: and which refers to a server called Titan.

         The main differences between the local drive D: and the networked M: drive are:

                •  Data on your M: drive is held on a central server in Brighton, and is automatically
                   backed up every day. If the server breaks, all the data on it can be recovered.

                •  Your M: drive is accessible from every computer on-campus, so if you log into someone
                   else’s PC, or you use a PC in a library or pool room, your files are instantly accessible.

                •  Your M: drive is limited to 1 GB of storage, whereas the space on your D: drive will
                   typically be at least 40 GB.

                •  When you delete a file on your M: drive, or replace it with a newer version, it’s still
                   possible to recover previous versions of the file. To read all about this incredibly useful
                   feature, see Information Services document number 961. We’ll also try it out in the
                   exercise below.

         Wherever you store your day-to-day files, but especially if you store them on your local desktop
         D: drive, it’s vital that you implement some form of backup strategy so that, if your computer
         breaks down, you have another copy of your important data. Remember that it is your
         responsibility to do this, rather than the Help desk or the Information Services department.

Exercise 4         Recovering a deleted folder from your M: drive
                      1   Click My Computer on the desktop, then go to your M: drive
                      2   Create a folder called Test Stuff
                      3   Within that folder, create a document file and save it
                      4   Open that document file and make a change to it, then save it
                      5   Now let’s try recovering the old version of the folder. Right-click on the folder,
                          and click Properties.
                      6 Click the Previous Versions tab

         If you discover that you need to recover a file from your M: drive, do it as soon as possible. The
         longer you leave it, the greater the chance that the file’s allotted lifespan will have expired and it
         has become unrecoverable.


         Where To?

         There are various places and devices on which you can store backups of your important files.
         Just pick one of the following:

                •  Your M: drive

                •  A USB stick

                •  A floppy disk

                •  A recordable CD or DVD disk

                •  An external USB hard drive

                •  Someone else’s PC (see below)

         The computer store in Watts building, Moulsecoomb, sells CDs, DVDs, USB sticks and external
         hard drives. You can also get CDs and DVDs from the university’s media centres. Speak to
         your line manager if you need any of these to be purchased for you.

         Most of the university’s PCs have CD writers, and the more modern computers also have DVD
         writers too. A CD can store 650 MB of information (0.65 GB) and a DVD can hold 4.7 GB, and
         the blank disks cost less than 50p each. They’re a great way of backing up files, in a form that
         can quickly be retrieved onto any other computer should the need arise. USB sticks typically
         hold up to 8 GB but are more expensive than CD or DVD media. External USB-based hard
         drives can store up to 250 GB but not all of them are pocket-sized.



         Someone Else’s PC? Really??

         If your office computer is on-campus and linked to the university’s network, you can create a
         folder and allow other staff to access it. Equally, someone else can set up a folder on their
         computer and grant you access, so that you can store your own files in it and/or read the files
         that are there. You could use this facility to provide reciprocal backup facilities to, for example,
         someone who works in a nearby office.

         Granting someone else access to a folder on your PC requires administrator-level privileges
         under Windows, which you probably don’t have. (Right-click on a folder and see if there’s a
         Sharing And Security option in the menu, just to make sure). So you’ll need to call on the
         services of your school or departmental technician to set it up for you, but once this is done you
         can access the “share”, as it’s called, whenever you like.

         This facility can also be useful if you regularly work from more than one university office. Ask a
         technician to set up the documents folder on your main PC so that you can access its contents
         from other locations over the network. But note that this only works on campus – you can’t
         access university PCs from outside the university because, regardless of how the PC is
         configured, our firewall will block any incoming connection before it reaches the PC itself.


         Where Not To Back Up To

         There are a few places where it’s not advisable to store backups, such as:

                •  A different folder on the same PC (because if the PC breaks, you’ll lose both your
                   original files and the backups)

                •  DepartmentDocs. This is a separate service that allows you to share files between staff
                   in your department. It’s not meant to be used as backup space for staff PCs.

                •  Email. It’s not advisable to back up files by emailing them to yourself at your university
                   account, because you’ll simply fill up your mailbox.

         If you create a backup on an external device or medium, you should give some thought as to
         where you keep the backup. If the backup contains confidential or personal information,
         it’s best not to take it off site. However, you shouldn’t keep it near the PC because
         something like a flood or fire could damage both the PC and the backup. Perhaps ask a
         colleague in another office to look after it for you, or lock it in a cupboard or drawer elsewhere in
         your office. That’s why storing the backup on a PC in another office is so useful.


         Test It

         Every now and then, and each time you change your backup method, you should test your
         backup to make sure that a) it’s still readable, and b) that you are backing up the right files. For
         example, if you have shortcuts on your desktop to important files, you may have inadvertently
         backed up the shortcuts rather than the files themselves. By testing your backup on a different
         PC, you can verify that everything is as it should be.
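
         One way to carry out both checks with a script, as an added example that is not part of the
         original workbook. It compares each file in a source folder with its backup copy and lists any
         shortcut files found in the backup; the folder names and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Windows shortcut types: pointers to a file, not the file's contents
SHORTCUT_SUFFIXES = {".lnk", ".url"}


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks; reading every byte also proves it is readable."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source_dir, backup_dir):
    """Return a report of how the backup compares with the source folder."""
    source, backup = Path(source_dir), Path(backup_dir)
    report = {"ok": [], "missing": [], "different": [],
              "unreadable": [], "shortcuts": []}

    # Check a): every source file has a readable, identical copy.
    for original in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = original.relative_to(source).as_posix()
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel)
            continue
        try:
            copy_hash = sha256_of(copy)
        except OSError:
            report["unreadable"].append(rel)
            continue
        key = "ok" if copy_hash == sha256_of(original) else "different"
        report[key].append(rel)

    # Check b): a shortcut in the backup holds no data, only a pointer.
    for item in sorted(p for p in backup.rglob("*") if p.is_file()):
        if item.suffix.lower() in SHORTCUT_SUFFIXES:
            report["shortcuts"].append(item.relative_to(backup).as_posix())
    return report


def demo_report():
    """Build a constructed Desktop folder and USB backup, then verify them."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "Desktop"), Path(tmp, "usb_stick")
        (source / "reports").mkdir(parents=True)
        backup.mkdir()

        # Backed up correctly
        (source / "notes.doc").write_bytes(b"meeting notes")
        (backup / "notes.doc").write_bytes(b"meeting notes")
        # Backup is an older version of the file
        (source / "thesis.doc").write_bytes(b"chapter 1, revised")
        (backup / "thesis.doc").write_bytes(b"chapter 1")
        # Never copied to the backup
        (source / "reports" / "budget.xls").write_bytes(b"figures")
        # A desktop shortcut: the copy is identical, but the real
        # spreadsheet lives elsewhere and was not backed up at all
        (source / "marks.xls.lnk").write_bytes(b"constructed shortcut bytes")
        (backup / "marks.xls.lnk").write_bytes(b"constructed shortcut bytes")

        return verify_backup(source, backup)


if __name__ == "__main__":
    for category, names in demo_report().items():
        print(f"{category:10} {names}")
```

         Note that the shortcut appears under both "ok" and "shortcuts": the copy matches the original
         exactly, yet the file it points to is not in the backup.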





A Word About Exchange

The staff email system uses Microsoft Exchange on our servers, and Microsoft Outlook on PCs.
In most cases, the information that you see in Outlook (email, tasks and calendar) is stored on
the central Exchange servers rather than on your PC unless you have created some personal
folders. This means that it’s accessible from whichever PC you happen to log into, and it’s all
automatically backed up.

Your data area on the Exchange server is limited to 0.1 GB, or 100 MB. This can fill up quite
quickly, especially if you don’t get into the habit of deleting old mail or sent messages, and
especially your Deleted Items folder. [This quota is due to be reviewed in February 2008 and
may increase.]

Outlook offers the facility to archive old messages and other data to a file on your PC. If you do
this, remember that the archive is no longer on the central server and thus will not be
automatically backed up. If you’re worried about losing your archive of sent mail that you have
copied from the Exchange server, you’ll need to back up the Outlook data file just as you would
any other file.

Note that, if you archive information from Outlook, and move it from the Exchange server to your
computer, it will be stored as one or more .PST files. If you attempt to start Outlook and it can’t
find a PST file that it is expecting, the program will not start. So, never store archived Outlook
data in locations that might be inaccessible. For example, don’t store PST files on someone
else’s PC, because you won’t be able to access Outlook if that person forgets to turn on their
computer.


Viruses
Computer viruses represent a real threat to the university’s computer systems, and we all need
to work together to ensure that infection rates are as low as possible.

A computer virus is a computer program which attempts to copy itself to other computers.
Viruses are written by people who deliberately set out to try to cause as many problems as they
can, for as many people as possible. There are some 100,000 known computer viruses in
circulation, and the number is growing at the rate of around 30 a day.

Most virus-writers aren’t content with designing a program that can spread among computers.
They also build in a so-called “payload”, whereby the program does something nasty to every
PC that it touches. For example it might corrupt or delete document files, or pop up an obscene
message, or even install a keystroke logger that records all the passwords you type and sends
them back to the virus-writer by email. The biggest growth area in viruses right now is the
surreptitious installation of “bot” software, which allows the virus writer to gain control of your
computer remotely in order to send out spam emails or to hack into other systems. The virus
writer then sells the services of his collection of infected computers, known as a “bot-net”, to
paying customers such as spammers and hackers.

Viruses spread by various means. Most commonly, they email themselves to the contents of the
victim’s email address book. And because the resulting messages appear to originate from the
victim, who will be known to the recipient, the recipient trusts the message and clicks on the
attachment which the virus has enclosed. And while that attachment may appear to be a
harmless game or picture, it’s actually the virus program itself.

         On the handful of occasions when a particularly nasty virus has infected a university computer,
         it managed to spread to hundreds of our computers in a matter of minutes.

         Clearly, having virus-infested computers in the university is a real problem. It can result in loss
         or damage to data on staff and student computers. It can also lead to problems, not to mention
         legal action, if we pass on the virus to our suppliers, contractors, and anyone else that we
         correspond with via email.

         The way to avoid viruses being a problem is to install antivirus software on every computer.
         This applies to both workstations and servers, and both PCs and Macs. The software
         automatically scans every file that you open on your computer and compares it against its
         database of known viruses. If it discovers a virus in a file, the software prevents you from
         opening or copying the infected file.

         Antivirus software is only as good as its database of known viruses. Because there are around
         200 new viruses being discovered every week, you need to configure the software to update its
         database at least once a day.

         The antivirus software that we use at the university is made by Sophos. Our licence covers all
         university-owned computers, as well as those used off-campus by staff and students. It’s a
         condition of use of the university network that every computer connecting to our network must
         have antivirus software installed, and that the software is configured to update itself regularly.
         This includes contractors, visiting lecturers, and everyone else too.

         You can pick up a free Sophos CD from any of the university’s libraries, or download it from
         http://security.brighton.ac.uk/sophos.


         How not to catch a virus

         Viruses spread mostly by sending email attachments to people, in the hope that they’ll click on
         the attachment. Therefore, the best way to ensure that you don’t get a virus on your PC is to
         never open an email attachment unless you are confident that it is legitimate. If you’re not sure,
         ignore it or delete it. Or email the sender for confirmation that they really did send it.

         Just because an email attachment appears to come from someone you know, and looks
         genuine, does not mean that it really is trustworthy. So it’s best not to open it. However, if you
         do open it, your antivirus software should stop it taking hold. So long as the software is up to
         date.

         In the following exercise, we’ll check that the antivirus software on our computer is installed and
         working. To do this, we will attempt to download the industry-standard antivirus test file, which
         is designed to trigger antivirus software but which is not actually dangerous.





Exercise 5         Try downloading a “virus”



                     1 Open your Web browser (Internet Explorer, etc)
                     2 Go to http://www.eicar.org/anti_virus_test_file.htm
                     3 Note that your antivirus software should pop up a warning box because the file
                            is a known virus (albeit a harmless test one).


         If your antivirus software ever pops up a similar warning and you’re not sure why, it’s always
         best to seek advice before continuing. Speak to your school or department technician, or send
         a message to alert@brighton.ac.uk. Make a note of the exact wording of the message, if you
         can. You can also use this address for any help that you need with viruses, adware or spyware.

         You should never install more than one antivirus program on your computer, as they will conflict
         with each other and cause various problems. If you’re considering installing Sophos at home,
         remove any existing antivirus program first.


         Spyware and Adware
         Viruses come under the general category of “malware”, which encompasses software that is
         deliberately designed to cause harm. The other entry in the malware category is that of
         spyware and adware.

         Spyware is software which attempts to spy on your computing activity. For example, keystroke
         loggers which record the passwords you type. The most common form of spyware is a program
         which monitors the web sites you visit, and/or the programs that are installed on your computer.
         It uses this information to feed data back to participating (ie, subscribing) web site operators in
         order that they can ensure that the adverts they show you while you are viewing their sites are
         relevant to you.

         Adware is similar in operation to spyware, but it often results in adverts being shown to you
         even if you are not connected to the internet. They could pop up on your screen at any time,
         while you are working.

         Spyware and adware generally spread not by email, but by being downloaded automatically
         when you visit certain web sites.

         Because most university computer users (ie, you!) don’t use an administrator account for day-
         to-day computing, much of the spyware that attempts to install itself on your PC won’t actually
         succeed in doing so because non-administrators aren’t permitted to install new software.
         However, it’s a fair bet that some spyware and adware will get through, so it’s a very good idea
         to run an anti-spyware program at least once a week.

         The two best-known anti-spyware programs are both available free of charge. They are
         “Spybot Search & Destroy” and “AdAware”. If you want to run them at home (you only need
         one of them), you can download them from www.safer-networking.org and www.lavasoft.de. If
         you want to install them on your office PC you’ll need to ask a technician to do it for you, unless
         you have admin access.

         In addition, your Sophos antivirus program can also detect and remove a large amount of
         spyware and adware.


         Email
         The university runs two main email systems, for staff and students. The staff server is based on
         Microsoft Exchange, with Microsoft Outlook as the message reader on PCs and Microsoft
         Entourage the most popular Mac-based client. For various technical reasons, BSMS students
         also use this system. All other students use a different system, which is Web-based and known
         as Studentmail or TWIG.

         One major difference between the staff and student email systems is that students can, via
         MyInfo, forward their university email to another address if they have an account on a different
         system.

         While internet-based email has become an indispensable tool for all sorts of organizations,
         including ours, it suffers from a couple of major weaknesses. One of these is that email
         messages are easy to fake. By typing just a handful of carefully-chosen commands, a hacker
         could send you an email message which appeared to come from
         elizabeth@buckinghampalace.co.uk, david.house@brighton.ac.uk or indeed anyone else. So
         before you act on the contents of an email message, consider the possibility that it might not be
         all it seems.

         Viruses often use this technique when they send copies of themselves. When a virus sends
         itself to the contents of a victim’s address book, each message is made to appear as though it
         comes from a random person from that address book. By not having all the messages appear
         to come from the same person, this can help the virus to defeat some rudimentary anti-spam
         systems. It’s also why you might sometimes receive emails that blame you for sending a virus.
         This happens because your name happens to appear in the address book of someone who’s
         caught a virus.

         For example, Robert is friends with Jim, and so Robert’s name appears in Jim’s address book.
         Jim clicks on an unsafe email attachment and catches a virus, which promptly starts sending
         itself to the contents of Jim’s address book. One of the people that it gets sent to is Jim’s friend
         Sarah. The virus sends itself to Sarah but forges the message so that it appears to come from
         Robert, another name from Jim’s address book. Sarah’s employer’s email system detects the
         virus and automatically sends an email to Robert, warning him that he sent Sarah an infected
         email. Yet Robert didn’t actually send it, and has no way of knowing who did. All that Robert
         knows is that someone in whose address book his name appears has got a virus.


         Spam

         For email users, spam is at best a disruptive nuisance, and at worst highly offensive. But for the
         spammers, it’s a very cost-effective marketing tool and so the problem is unlikely to disappear
         any time soon. Because spammers can send out tens of millions of messages a day, at a cost
         of almost nothing, they only need to receive a handful of orders for their fake Viagra in order to
         make the exercise worthwhile and profitable.

         To help alleviate the problem as best as possible, there are various techniques that can be used
         to detect spam. However, none is without its drawbacks, the most common of which is the real
         risk of incorrectly regarding a legitimate message as spam. For example, one detection
         technique is to regard something as spam if an identical message is sent by the same sender to
         a large group of people. But this plays havoc with people who run legitimate mailing lists and
         electronic newsletters, a large proportion of which fail to get past the recipients’ spam detection
         systems.

         Spammers are constantly trying to beat the system. For example, they attach a random
         paragraph of text to each message they send, in order that it doesn’t appear that they’re
         sending the same message to everyone. Or they deliberately mis-spell words. Some spammers
         use an automatic thesaurus to vary their messages, hence some men receiving an offer of the
         chance to improve their building (look it up!).

         Almost all companies and other organizations have some form of spam detection systems in
         place, and the university is no exception. We use something called Sender Address
         Verification, for example, which attempts to verify that email is coming from people rather than
         machines.

         We also run a spam detection system on all of our email servers, which is known as Spam
         Assassin. In keeping with our policy of monitoring rather than censoring, Spam Assassin does
         not delete any incoming emails that are considered to be spam. Instead, it automatically adds a
         [SPAM?] marker at the start of the message’s subject line. It’s up to you how you choose to deal
         with this notification. Many people set up a rule in Outlook which automatically deletes, or
         moves to a separate folder, any message which is so labeled.

         If you’ve never set up an Outlook rule, it’s easy to do. Here’s how to set up a rule that moves all
         [SPAM?] messages to your Junk Mail folder:

Exercise 6          Set up an Outlook 2003 rule


                     1    Start Outlook
                     2    From the Tools menu, select Rules And Alerts
                     3    Click on New Rule
                     4    Select “start creating a rule from a template” and, from the list below, choose
                          “move messages with specific words in the subject to a folder”.
                     5 Click Next.
                     6 In the Step 2 box, click on Specific Words and type [SPAM?] then press the
                          Add button. Then press OK.
                     7 Click on “Specified” in the step 2 box, select Junk Mail, and press OK
                     8 Press Finish, then OK.





         False Positives and False Negatives

         No spam detection system can be 100% reliable. It’s just possible that a friend might send you
         a message that contains the word “Viagra”. It’s highly likely that a spammer will occasionally
         send you a message that appears genuine. Therefore, before you delete all your [SPAM?]
         messages forever, it’s a good idea to skim-read the junk mail folder just in case there’s an
         important message that has been incorrectly labeled as unwanted. It’s quite common for
         messages from mailing lists to be incorrectly regarded as spam, for example, because a large
         number of identical messages sent from a single address is very typical of a spammer’s
         behaviour.


         What Can We All Do?

         In addition to marking suspicious messages with a [SPAM?] marker, the university also does
         many other things to help reduce the amount of spam that everyone receives. For example, our
         systems are configured so that no one outside the university can send messages to our built-in
         mailing lists such as uni info.

         If you’ve set up an Out Of Office message in Outlook and you receive an email from someone
         outside the university, we won’t send your Out Of Office message to that person. Although this
         can be inconvenient, it reduces the amount of spam we receive by ensuring that we don’t
         inadvertently send replies in response to spam.

         The golden rule about dealing with spam is that you MUST NEVER reply to it. Simply delete it.
         If you reply to a spam message, this confirms to the sender that your email address is valid and
         that it is read by a real person. This instantly adds value to your email address, and you’ll start
         to receive many more messages. Not just from the original spammer, but from all the additional
         spammers that your address has been sold to, because it now commands a much higher value.

         So, don’t reply to spam. Ever. Not even to request that your name be removed from the
         mailing list, or to click on a “please remove me from your list” link. That’s just the same as
         replying, unless the message comes from a legitimate company that you’ve heard of and which
         you might have dealt with before.

         Spammers are good at psychology, and will often employ various tricks to persuade you to reply
         to their messages. For example, you’ll receive unsolicited “confirmation” messages regarding a
         purchase that you have supposedly made, including details of the amount that is to be taken
         from your credit card, along with an address to reply to if you think there’s been a mistake. Or
         you’ll get a “thank you for subscribing to our porn channel” mailing list, in the hope that you’ll
         mail them back and say that you did no such thing. As always, just delete the message. Or if
         you’re genuinely concerned, contact the Help desk or your local school or department
         technician for advice.


         Other Common Email Mistakes

         To ensure that all 2,100 staff and 17,000 students get to make the most of our email system,
         there are a few guidelines that we all need to adhere to. Lots of information can be found in a
         useful and amusing document called “How to annoy your colleagues using email”, which you
         can download from the web at www.brighton.ac.uk/isdocs as document number IS770. Some
         of the guidelines which relate to security and to our topic of Safe Computing include:

                •  When you’re sending a message to a group of people and you’re specifying each email
                   address individually, rather than using a built-in group name, always put the addresses
                   in the bcc: box rather than the cc: box. Otherwise, every recipient gets to see the full
                   list of names, which could result in your confidential email address database being
                   distributed to all of its members. This can be embarrassing, and possibly a breach of
                   data protection legislation.

                •  If you receive a “please forward this to everyone you know” message from a friend or
                   colleague, and you’re tempted to post it to all your friends, or even to uni info, please
                   don’t. Almost all of these messages are hoaxes, however genuine they appear.
                   Remember, adding “this warning was issued today by IBM” or “Someone at Brighton
                   Council recently lost money through this scam” to a message doesn’t make it any more
                   true. Before you forward any warning message, either contact the Help Desk on
                   extension 4444 (or email alert@brighton.ac.uk), or type a couple of the message’s key
                   phrases into Google and see if anyone else on the Web has already received it.
                   Chances are, they will have.


Gone Phishing

Yet another way that computer criminals misuse the global email system is to initiate attacks
known as phishing. Here, someone sends out a fake email message to you which appears to
come from your bank or some other financial institution such as Paypal. The message asks you
to click a link and log into your account in order to verify some important information or to check
your balance. But the site that the link takes you to is not all that it seems – it’s a convincing
fake version of your bank’s own site. When you type in your password, you’re really sending it
straight to the hackers. Who, within a couple of minutes, will have logged into your account and
cleared it out.

Banks never send out emails that ask you to log into your account. If you want to log into your
online bank, type in the address of the site manually rather than clicking a link on a web page or
in an email message.


To Assassinate Or Not?

How does SpamAssassin decide whether a message should be flagged as [SPAM?] or allowed
to go through unhindered? It analyses the message according to a number of rules, which are
updated regularly. You can, if you wish, view SpamAssassin’s reasoning. Right-click on a
message’s subject line (it’s best to choose something that’s been flagged as spam) and click
Properties.







         You’ll see something like this:

         Microsoft Mail Internet Headers Version 2.0
         Received: from EXCHANGE1.university.brighton.ac.uk ([194.81.203.102])
         From: "Avery Tapia" <advertised@skonberg.com>
         To: <r.n.bosworth@brighton.ac.uk>
         Date: Wed, 8 Jan 2008 11:37:29 +0300
         X-Spam-Report: Spam detection software, running on carpo.brighton.ac.uk, has
         scanned this message.
         It scored 14.5 points (5.0 and above is classified as spam).
         Analysis:
         pts  rule name              description
         ---- ---------------------- --------------------------------------------------
         0.8  DATE_IN_PAST_24_48     Date: is 24 to 48 hours before Received: date
         2.6  FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
         3.4  URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
         1.5  URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
         2.6  URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
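The scoring described above can be reproduced with a short Python script. This is an added example, not part of the original workbook or of SpamAssassin itself: it reads a report in the format shown, pulls out each rule's points and compares the score with the threshold. The report text is copied from the extract above and the function and field names are made up for the illustration.

```python
import re
from typing import NamedTuple

# Report text copied from the extract shown on this page.
SAMPLE_REPORT = """\
X-Spam-Report: Spam detection software, running on carpo.brighton.ac.uk, has
scanned this message.
It scored 14.5 points (5.0 and above is classified as spam).
Analysis:
pts  rule name              description
---- ---------------------- --------------------------------------------------
0.8  DATE_IN_PAST_24_48     Date: is 24 to 48 hours before Received: date
2.6  FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
3.4  URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
1.5  URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
2.6  URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
"""


class RuleHit(NamedTuple):
    points: float
    name: str
    description: str


NUMBER = r"-?\d+(?:\.\d+)?"  # rules that count in a message's favour score below zero
SUMMARY_RE = re.compile(rf"scored\s+({NUMBER})\s+points\s+\(({NUMBER})\s+and above")
RULE_RE = re.compile(rf"^\s*({NUMBER})\s+([A-Z][A-Z0-9_]*)\s+(.*\S)\s*$")


def parse_spam_report(text):
    """Return the score, threshold and individual rule hits from a report."""
    summary = SUMMARY_RE.search(text)
    if summary is None:
        raise ValueError("no 'It scored N points' line found")
    score, threshold = float(summary.group(1)), float(summary.group(2))

    hits = []
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if match:
            hits.append(RuleHit(float(match.group(1)), match.group(2), match.group(3)))

    # Biggest contributors first; rules with equal points keep their original order.
    hits.sort(key=lambda hit: hit.points, reverse=True)
    listed_total = sum(hit.points for hit in hits)
    return {
        "score": score,
        "threshold": threshold,
        "is_spam": score >= threshold,
        "hits": hits,
        "listed_total": listed_total,
        # Points not explained by the rules that were listed in the report text.
        "unlisted": score - listed_total,
    }


if __name__ == "__main__":
    report = parse_spam_report(SAMPLE_REPORT)
    verdict = "spam" if report["is_spam"] else "not spam"
    print(f"{report['score']} points against a threshold of {report['threshold']}: {verdict}")
    for hit in report["hits"]:
        print(f"  {hit.points:>4}  {hit.name:<22} {hit.description}")
    print(f"  rules listed account for {report['listed_total']:.1f} points, "
          f"{report['unlisted']:.1f} not shown")
```

The five rules in the extract add up to 10.9 of the 14.5 points, so the extract does not list every rule that fired.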



         Recovering Deleted Mail

         When you delete an item of mail (ie, a sent or received message), it doesn’t actually get deleted
         from the server. Instead, it goes into the Deleted Items folder. Unless you manually delete the
         contents of this folder, your mailbox will continue to fill up and reach its 100 MB limit, as the
         Deleted Items folder counts towards your total quota.

         One useful but little-known feature of Exchange is that, even if you have deleted something
         from your Deleted Items folder, it still exists on the server and will do so for 3 weeks. During
         that time, you can still recover it. To do this, open the Deleted Items folder, then go to the Tools
         menu and choose Recover Deleted Items. Choose the item to recover, then click the Recover
         button and you’ll find the mail item back in your Deleted Items folder. It’s best to then move it
         somewhere safer, especially if you have configured Exchange to delete the contents of the
         Deleted Items folder every time you quit the program.


         How Anonymous Is The Internet?
         Every computer on the internet, from the biggest web servers to the computer that you’re using
         right now, has what’s called an IP address. This is like its phone number, and allows it to send
         and receive information over the internet.





         An IP address consists of 4 numbers between 0 and 255, separated by full stops. Most IP
         addresses also have a friendly name, known as the DNS name. DNS is the Domain Name
         System.

         As an example, one well-known IP address is 72.14.207.99 but you may know it better as
         google.com.

         In the exercise below, we’ll find out the IP address of the computer we’re using:

Exercise 7         Find out your IP address


                     1    From the Start menu, choose Run, then type CMD and press Return.
                     2    Type IPCONFIG and press Return.
                     3    You’ll see your IP address displayed
                     4    Type EXIT and press Return, to get back to Windows

         Most activity on the internet can be traced back to an individual IP address. This includes every
         web page you view, everyone who views your web pages, and every email sent or received. In
         theory, therefore, you might think that computer-related crime and spam would be easy to
         detect. Sadly, this isn’t the case, for a couple of reasons.

         First, some computers have fixed IP addresses that never change, but the majority of IP
         addresses are what’s known as dynamic. That is, they change frequently. For example, if you
         use the internet via a dial-up modem rather than a fixed broadband connection, you will have a
         different IP address each time you dial into your ISP. These get allocated automatically by
         something called DHCP.

         The university uses a mixture of fixed and dynamic IP addresses. All our servers use fixed
         addresses, as do staff and poolroom PCs. But the open access networks in halls and libraries
         use DHCP, so each time a student connects they’ll be allocated a different IP address.

         Also, there are lots of intermediate computers involved when you access something over the
         internet. For example, the university operates a series of cache computers, which store copies
         of all the pages that you access, for as long as there’s space available. Next time someone in
         the university wants to access that same page, they get sent the version from our cache, which
         saves it having to be requested again from a remote server. If the cache doesn’t have a copy of
         the page, it requests it from the remote server, sends it to the person who requested it, and
         keeps a copy handy in case anyone else wants it. As far as the distant web site is concerned,
         the computer that requested the page is our cache, not the person sitting at their PC.

         There are commands available that will tell you which DNS name, if any, is associated with a
         particular IP address. One method that can prove effective in helping to detect spam is to reject
         mail which comes from an IP address that doesn’t have a registered DNS name.
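The check mentioned above, written out in Python as an added example (it is not part of the original workbook or of any mail system the university runs). It goes one step further than the text by also confirming that the name found points back to the same address, since whoever controls an address can register any name for it. The lookup tables are constructed stand-ins for live DNS, using reserved documentation addresses, so the example runs without a network connection.

```python
import ipaddress
import socket


def system_ptr_lookup(ip):
    """Ask the system resolver for the DNS name registered for an IP address."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward_lookup(name):
    """Return the set of IPv4 addresses that a DNS name resolves to."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (socket.herror, socket.gaierror):
        return set()


def check_sending_ip(ip, ptr_lookup=system_ptr_lookup,
                     forward_lookup=system_forward_lookup):
    """Classify a sending address as 'accept', 'suspect' or 'reject'."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError if this is not an IP address
    name = ptr_lookup(ip)
    if not name:
        # The case described in the text: no DNS name is registered at all.
        return "reject", "no DNS name registered for this address"
    if ip not in forward_lookup(name):
        # A name is registered, but that name does not lead back to the sender.
        return "suspect", f"{name} does not resolve back to {ip}"
    return "accept", name


# Constructed data standing in for real DNS answers (assumption for the demo).
FAKE_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.66": "trusted-bank.example.com",
}
FAKE_FORWARD = {
    "mail.example.org": {"192.0.2.10"},
    "trusted-bank.example.com": {"198.51.100.5"},
}


def fake_forward_lookup(name):
    return FAKE_FORWARD.get(name, set())


def demo():
    """Run the check over three constructed senders and return the verdicts."""
    senders = ("192.0.2.10", "192.0.2.66", "203.0.113.99")
    return {ip: check_sending_ip(ip, FAKE_PTR.get, fake_forward_lookup)
            for ip in senders}


if __name__ == "__main__":
    for ip, (verdict, detail) in demo().items():
        print(f"{ip:<14} {verdict:<8} {detail}")
```

Called without the two lookup arguments, check_sending_ip uses the computer's own DNS resolver, which handles IPv4 addresses only in this form.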








         Processing Confidential Information
         If you routinely handle confidential university information on a university computer, you are
         obliged under the Data Protection Act to take care of that information in order to prevent it being
         accessed by people who aren’t entitled to see it. Confidential information includes information
         about the university and, specifically, data which relates to, or could identify, any living person.


         Transfer of Confidential Data

         Of particular importance when handling confidential data is the way that you send it to other
         people. Because of the risks of the data being lost, stolen or intercepted, you should avoid
         sending such information outside the university by any means. However, if you do need to do
         so, section 6 of the university’s IT security policy makes the following recommendations:

                         1. Only send the data to a person or organization who is authorized to receive it;

                         2. The person or organization which receives the data must have suitable
                             procedures in place to ensure that it remains confidential;

                         3. If you are sending sensitive or confidential data from the university, regardless
                             of the method used, you must ensure that the confidentiality and integrity of the
                             data can be guaranteed during transit;

                         4. You must not use a wireless network, whether the network is your own or the
                             university’s, to access confidential university systems (eg payroll data or
                             student information systems), or to send confidential unencrypted data files;

                         5. If you’re travelling, don’t leave laptops, PDAs and other portable equipment
                             unattended in a public place. If the device holds confidential university data,
                             suitable access control software must be installed on it;

                         6. Never store unencrypted passwords on a mobile or portable computing device.


         Confidential Data On Paper

         If you need to send confidential data to other people by post as printed sheets, it’s always best
         to send it by either recorded delivery, a courier company, or some other similar service that you
         can track and trace. Ideally, though, you shouldn’t send confidential data in printed form, as it is
         easy for someone to recognize as such if it ends up in the wrong hands, whether accidentally or
         deliberately.

         Equally, if you do have to handle confidential information in printed form, it’s important to store it
         out of sight, and to dispose of it correctly after you no longer need it. This normally means
         shredding it, and/or placing it in a secure waste bag rather than the normal rubbish bins.

         Tip: If you take home some confidential printouts to read on the train, disposing of them by
         tearing into quarters and stuffing them down the back of the seat is not considered secure,
         as can be seen from the extract below, from a national chain of cafes, which was found on a
         train at Hastings along with a printout of the culprit’s Outlook diary.




Electronically Held Data

It’s much better to send confidential material on disk or via email, rather than on paper. Not
only is it cheaper, but you can use encryption to ensure that, should the data get lost or fall into
the wrong hands, it can’t be accessed. You will be aware of some recent high-profile cases
involving confidential information that was sent by post on CD-ROMs from HM Revenue and
Customs and which was lost. The disks contained some 25 million names, addresses and bank
details of parents who were receiving child benefit. If only the HMRC had thought to encrypt the
disks, their loss would not have been a problem.





         The university doesn’t have a standard recommended data encryption program, but there are
         many products that are available and which are simple to use. WinZIP and PKZIP, for example,
         are programs that compress (zip) one or more files into a single .zip archive, with the added
         facility of encrypting the zip file with a password that would take a powerful computer many
         years to crack. They both cost around £20 per copy.

         Another option is to use a program which creates a virtual encrypted drive on your computer.
         Among the best-known examples of these are Bestcrypt (around £30) and Truecrypt (free). To
         send someone some confidential data files, simply create a new virtual drive, copy the files to
         that drive, then email the virtual drive as a file. The recipient will also need a copy of the
         program in order to access the encrypted files, though, and you’ll also need to find a safe way to
         inform the recipient of the password. Don’t send it by email!

         You may know that Microsoft Office applications (Word, Excel, PowerPoint) have a facility that
         allows you to attach a password to a document file. In Word, for example, click on Tools then
         Options and then click the Security tab. However, the encryption that Microsoft uses in its
         Office product is very poor, and can be cracked in minutes. A Google search for “Microsoft
         office password recovery” products will show you just how easy it is. The whole point of data
         encryption is that, should a protected file be lost, you can be confident that no one who comes
         across the file can read it. That’s not the case with the MS Office built-in encryption, therefore
         you shouldn’t use it.


         If You Receive a Request for Data

         If someone requests confidential data from you, you should take reasonable steps to ensure
         that the person who made the request is genuine. For example, if someone telephones or
         emails you to ask for a copy of a certain student’s personal file, claiming that they are a lecturer,
         it’s entirely possible that the person is not a lecturer at all. If you’re not 100% certain that the
         person requesting the information is entitled to see it, politely refuse or refer the caller to your
         line manager.


         A Word about the EFS

         You may be aware that Windows 2000, XP and Vista include a built-in encryption facility which
         is known as EFS, or the Encrypting File System. However, EFS suffers from a few serious
         drawbacks. These include:

                Encrypted files are locked to your PC. They can’t be accessed on another computer. If
                 you copy an encrypted file to a different computer you almost certainly won’t be able to
                 read it. So it’s not a sensible way of taking files off campus to work on at home.

                You need to make alternative arrangements for backing up EFS-protected files,
                 because, if your computer breaks or is stolen, you won’t be able to copy the encrypted
                 files to your new computer. Even if your computer is only sufficiently poorly that it
                 requires Windows to be reinstalled, EFS regards that as being a different computer and
                 so the files can’t be copied back. Which means that they’re lost forever. The solution is
                 to create some non-encrypted backups and store them safely and securely.




       EFS only works on disks that are formatted using the NTFS system, as found in
        Windows 2000 and above. Although external hard disks and USB sticks can be
        formatted using NTFS, they aren’t always. So unless you reformat the drive, you’ll lose
        the EFS encryption on any files that you copy to it. And Windows won’t always tell you
        that this is happening.

Because of these possible pitfalls, we don’t support the use of EFS at the university and we
strongly recommend that you don’t attempt to use it.

Windows Vista also has an additional encryption feature called BitLocker, which is only
available in the Ultimate edition. It’s not available in the Business edition that we mostly use at
the university.


Other Considerations

If you want to ensure that confidential information doesn’t leak out of the university via your PC,
or any other actions of yours, there are some other things that you need to consider in addition
to encrypting the data on your computer. The most important are:

       If you have an old unwanted computer that you need to dispose of, there are various
        rules and regulations regarding the disposal of electronic goods as well as wiping of
        confidential data. Your local school or department technician will be able to advise you.
        Throwing an old computer away with the rest of your office rubbish is now illegal,
        because of the new Waste Electrical and Electronic Equipment directive. And before
        you even consider disposing of a computer, it’s important to copy any important data
        from it and then to securely wipe the hard disk. In a recent experiment, one IT security
        company bought 100 second-hand hard disks on Ebay and found confidential data
        remained on half of them. Including, in one case, databases relating to a pension
        company that previously owned the drive.

       The DepartmentDocs system is not confidential. Unless you change the access
        permissions, or get someone to help do it for you, everyone in your department can
        read (and change) any file that you place on the system.

       If you’re typing confidential data into web sites, whether they are university systems or
        external, always look for the closed padlock symbol at the bottom of the screen and the
        https:// prefix at the start of the site’s address (URL). This indicates to you that the site
        is using SSL, which encrypts all data that you enter before it is sent to the site.
        Because of the fundamental way that the web is designed, it’s possible for hackers to
        monitor internet connections and to intercept the data. Unless you are using an SSL-
        encrypted site, it’s possible that someone could be watching you.


        This is especially important when you’re using a computer away from the university,
        such as in a hotel, at a conference venue, in an internet café, or via a wireless hotspot.
        Unless you see the padlock symbol and the https prefix, you should never enter
        confidential university-related information as there is a real possibility that it could be
        intercepted (Staffmail uses https so it is safe to use from external locations).




                Like almost all corporate networks, the vast majority of data that travels around the
                 university’s network is not encrypted. We have systems in place that will alert us if
                 someone is attempting to tap our wires, but such systems won’t detect such activity
                 taking place on our wireless network. That’s why the official university policy is that you
                 must not use the wireless network to access confidential admin servers such as student
                 records and financial systems.

                Never place confidential documents or other files on a public server such as your Web
                 site, even if you intend to keep the file’s location a secret by not creating any links to it.
                 Web sites are for publicly-accessible information only, and not to be used as a
                 convenient way to exchange files with colleagues. Many companies make the mistake
                 of using the depths of their Web site as a repository for private files that are intended
                 only for the eyes of the staff who know of their existence. But a quick Google search for
                 phrases such as “internal use only” or “company confidential” or “commercial in
                 confidence” will show you just how dangerous such behaviour is.


         A Special Word about Laptops

         If you use a laptop, keeping backups of key files is even more important, as laptops are more
         prone to theft. Because they’re so easy to drop, they also tend to suffer major breakdowns more
         often than desktop PCs. The same goes for portable computers such as PDAs and
         smartphones. If you store confidential information on a laptop or other device, ensuring that it’s
         backed up and, where relevant, encrypted, is especially important.

         You should always keep a close eye on your laptop, and warn students to do the same. In the
         past, laptops have been stolen from the university:

                from a library while a student was searching the shelves

                from an unlocked, unattended office

                from under a student’s nose during a lecture




         While losing a university laptop would be hugely inconvenient, imagine the implications for
         everyone concerned if it also contained, for example, the names, addresses and bank details of
         every one of our students who’d received money from the Student Loan company. Or everyone
         who’d sought sexual health information from Unisex. Would you like to be the person whose
         name appeared at the bottom of the apologetic “we take security very seriously” letter that went
         to all the victims?

If you’re using your laptop in a public place, such as on a train or in an internet café, it’s all too
easy to be overlooked without realizing that anyone’s watching you. Take care to ensure that
this is not happening, especially if you’re typing passwords or looking at sensitive data.


Firewalls
A firewall is the most important aid to IT security in any organization, and ours is no exception.
Therefore it’s good to understand the basics of what they are and why they are so useful.

Rather like an old CB radio, internet data (known as traffic) is transmitted on different channels
(known as ports). Traffic to or from web sites normally goes via port 80. Traffic for ftp servers
travels on ports 20 and 21. Most email goes via port 25, and so on.

Data that travels on the internet is split into small chunks called packets. In addition to the data
itself (eg, part of a web page or part of an email message), the packet also contains details of
where the packet came from and where it’s destined for.

In a nutshell, a firewall is an electronic filter. Physically, it’s a box that looks like any other
computer. It is wired in place between a company’s internet connection and its own internal
network of PCs, servers etc.

The firewall provides the ability to filter incoming and outgoing internet traffic according to each
packet’s source and/or destination and/or port number. This is done by setting up various rules,
of which there are typically many thousand in a complex setup such as ours.

The outcome of each rule will be, for each packet that travels between our network and the
internet in either direction, for the packet to either be allowed to continue on its journey or for it
to be blocked.

For example, we have a firewall rule that blocks any packets destined for web servers (ie,
incoming packets on port 80) unless the web server in question is one of our authorized
systems. That is, servers such as www.brighton.ac.uk and staffcentral. Now you know why, if
you turn one of the PCs in your office into a web server, people outside the university won’t be
able to view its content.
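The web server rule described above can be modelled in a few lines of Python. This is an added example, not the university's firewall configuration: the addresses are made-up placeholders, and it assumes that rules are checked in order, that the first matching rule decides, and that anything unmatched is blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (not the university's real ones).
CAMPUS = "10.20.0.0/16"
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str   # where the packet came from
    dst: str   # where it is destined for
    port: int  # destination port, e.g. 80 for web traffic


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    src: str = ANYWHERE
    dst: str = ANYWHERE
    port: Optional[int] = None  # None matches any port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.port is None or self.port == pkt.port)
        )


# Order matters: the two specific "allow" rules must come before the
# general "block" rule, or the authorized servers would be cut off too.
RULES = [
    Rule("allow", dst="10.20.0.10/32", port=80, note="authorized web server"),
    Rule("allow", dst="10.20.0.11/32", port=80, note="authorized web server"),
    Rule("block", dst=CAMPUS, port=80, note="unauthorized web server"),
    Rule("allow", src=CAMPUS, note="outbound traffic from campus"),
]


def decide(pkt, rules=RULES):
    """Return (action, reason) for a packet crossing the firewall."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "block", "no rule matched"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.20.0.10", 80),    # outsider -> authorized server
        Packet("203.0.113.7", "10.20.5.44", 80),    # outsider -> web server on an office PC
        Packet("10.20.5.44", "198.51.100.20", 80),  # office PC -> external web site
        Packet("203.0.113.7", "10.20.5.44", 25),    # outsider -> mail port on an office PC
    ]
    for pkt in samples:
        action, reason = decide(pkt)
        print(f"{pkt.src:>13} -> {pkt.dst:<13} port {pkt.port:<3} {action:<5} ({reason})")
```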

The firewall only analyzes data that travels between our computers and the internet. Any data
that remains purely inside our network, such as when you copy a file from your PC to
DepartmentDocs, or when you access studentcentral from your desk, doesn’t pass through the
firewall. That’s not to say that the data doesn’t get checked by other security systems, but it
doesn’t get seen by the firewall.

Both Windows and Mac OSX have a built-in firewall that offers additional protection, and you
should always ensure that this is enabled on your home PC. The need for such a product is
slightly reduced if you also have a centralized firewall, as we do, although we still configure all
staff and poolroom computers to enable the Windows and Mac firewall.

         Computers connected to the staff and student (pool room/library) networks are automatically
         configured to be allowed (almost) unfettered access through our firewall. This means that you
         can access off-campus systems such as web sites without hindrance. Conversely, the open
         access network used in Halls of Residence requires students to enter their username and
         password every 2 hours, in order to enjoy continued access through the firewall. If they don’t
         supply these details, they will be restricted to on-campus sites only. This helps ensure that
         someone who plugs their laptop into an open access network socket without permission can’t
         access dangerous web sites.

         A firewall is not a security panacea, and companies who have mistakenly believed that it is
         have occasionally encountered major problems. Remember that firewalls don’t stop viruses or
         spyware. And a couple of years ago, ITV’s lunch time news bulletin inadvertently featured a link
         to a child porn web site because their firewall was correctly doing its job.


         Web-Surfing in Safety
         Browsing web sites, or surfing as it’s often called, isn’t without its dangers. Malicious web sites
         can attempt to infect your computer with spyware or viruses. Yet perhaps the greatest threat
         from the Web is to your privacy.

         Although viruses spread mostly via email, some virus writers choose to use the Web to
         propagate their wares. For example, a hacker might break into a web site and amend it so that
         visitors who click on that site’s links are actually agreeing to download and install the virus.
         Therefore, always keep your virtual ear to the ground when browsing Web sites, and don’t click
         on links that look suspicious. And if you find yourself at a site that you didn’t intend to look at,
         close the browser window by pressing Alt-F4 rather than clicking on any Close or Cancel button
         that appears to be displayed by the site. On a Mac, press the Apple key and Q.

         The same applies if you see any pop-up adverts while you’re browsing the Web. Remember,
         no one really gives away free iPods or laptops to the 10,000th person who visits their web site.
         It’s an advert at best, and a link to a virus or spyware at worst. Clicking on that advert will cause
         the site to attempt to download some malware to your computer. And the “close” or “cancel”
         button that appears on screen is just part of the ad, hence the reason why you should press Alt-
         F4 to close the browser rather than clicking on that button.

         As always, if you’re buying goods online, don’t enter personal information such as credit card
         numbers (or even your UoB account number) into any site that doesn’t look totally genuine or
         that doesn’t have the https:// prefix and the closed padlock symbol. Sites that lack these
         features are often fakes, appearing to be genuine but actually run by hackers who will steal your
         personal information and use it for their own gain. For example, if someone telephoned you
         about a problem with an order that you’d recently placed with them on behalf of the university,
         and they knew your name and your UoB account number, would you doubt for a moment that
         they were genuine? What about if they needed you to confirm your bank account details
         because there was a problem with the payment?



Surfing And Your Privacy

Web site operators often need, or want, to know about their users’ surfing habits. They want to
know which web site you were on before you came to theirs. They want to know where you’ll
be going afterwards. They want to know exactly which pages on their site you visited, and in
what order.

You may not be surprised to know that the technology which allows them to do this is widely
available and even more widely used. It helps web site operators ensure that the layout of their
web pages is optimized to generate as much usage and sales as possible, and it helps them
ensure that the adverts they display are as relevant to you as possible.

The way that web sites invade your privacy depends very much on whether or not the site
requires you to register and log in with a username and password. If it does, then the
opportunities for the site to invade your privacy are immense. Each time you do anything on the
site, such as clicking on a link, that activity can be stored in a database alongside your
username. So the site operators can build up a detailed picture of how you use the site, when
you use it, how long you stay on the site for during each visit, what time of day you typically log
in, and so on. Not only do they use that information for their own purposes, they often sell it to
other research organizations too. Sometimes anonymized, but not always.

Information about how people use the internet is much sought after, and hugely revealing. It’s
also a contentious issue. One famous case from a couple of years ago involved AOL, which
gave away to researchers the logs of half a billion entries from its search engine. It listed what
people were searching for, along with identifying factors such as their IP address. Many people
began to analyze the information and some frightening discoveries came to light. Such as the
search for “how to murder my wife”. Followed the next day, from the same IP address, by a
search for “how to dispose of a body”. Within a couple of days the data was no longer available
for downloading, but by then it was too late. Thanks to the internet, thousands of people had
taken a copy.

In the case of those web sites that don’t ask you to register, there are still ways to record
information about you. The trick is to use cookies, which are small text files that the site stores
on its users’ PCs rather than on the site itself. Cookies aren’t as sophisticated as a proper
database, but they are still an invasion of privacy.

As an example of just how sophisticated website analysis has become, here’s part of an advert
for Google Analytics, a free service that lets you track visitors to your site:








                                      The considerable power of Google Analytics


         Securing your web site
         This is not a Web development workshop and this is not really the place for detailed technical
         discussion. However, if you are developing a web site for the university, there are some things
         that you should take into account regarding the security of the site. You may wish to search the
         internet or the library for further information on any of the following points which seem to apply
         to the site that you are developing:

                      1. Take great care to protect the confidentiality of the usernames and passwords
                          that you use to upload files to your site or which connect you to additional
                          systems such as the database servers. Someone who finds out your password
                          can, at best, corrupt your site or delete it. At worst, they can replace your
                          pages with obscene or libelous material. Many major corporations and political
                          parties have been embarrassed in this fashion before – please don’t allow it to
                          happen to us.





            2. If you’re writing scripts in languages such as PHP, test them carefully on a
                development server before they go live. Don’t develop programs on a
                production server.

            3. Take regular backups of your site. Remember to include not just the static files
                such as html pages, but also any MySQL databases and other components.

            4. Sometimes there will be material which you wish to protect from being viewed
                by people who aren’t members of the university. One option is to use a
                .htaccess file to restrict your pages to the university’s range of IP addresses.
                However, this prevents your site from being seen by staff and students working
                from home. A better option is to use our EZProxy system, which can allow
                instant access to your site from on-campus but automatically require the entry
                of a valid university (ie, LDAP) username and password from off-campus. If
                this is of interest, contact Information Services.

            5. If your site needs to authenticate users, don’t set up yet another system for
                issuing and checking passwords. Our LDAP system is available to all web
                developers, and allows you to let users access protected areas of your site with
                their LDAP username and password. Contact Information Services for details
                on how to do this (note that you’ll need some technical PHP coding
                experience).

            6. Consider removing metadata from any document files that you upload to a web
                site. Companies such as Microsoft make available free tools to do this. The
                standard metadata that’s built into every Word document will reveal, to
                everyone who downloads the file, the name of the person who created the file,
                how long they spent working on it, and so on. The data inside a PDF file even
                reveals the computer username of the author.

            7. Look at the web pages of the OWASP project for excellent advice on creating
                secure Web-based applications.

            8. If you do ask users to log into your system with a password, check that they are
                correctly logged in EVERY time they need to access a protected page, not just
                when they go to the login page.
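
Points 5 and 8 above, as an added example that is not the university's own code: a PHP include that checks a password by binding to an LDAP directory, then re-checks the session at the top of every protected page. The host name, base DN, uid attribute and login page path are assumptions.

```php
<?php
// auth.php: added example, not University of Brighton code.
// Host name, base DN, uid attribute and login path are assumptions.
declare(strict_types=1);

const LDAP_URI     = 'ldaps://ldap.example.ac.uk';        // TLS, so the password is not sent in clear
const LDAP_BASE_DN = 'ou=people,dc=example,dc=ac,dc=uk';  // assumed directory layout
const LOGIN_PAGE   = '/login.php';                        // assumed path
const IDLE_LIMIT   = 1800;                                // seconds of inactivity allowed

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

/** Check a username and password by binding to the directory as that user. */
function ldap_credentials_ok(string $user, string $password): bool
{
    // Many LDAP servers treat a bind with an empty password as anonymous and
    // report success, so reject empty values before contacting the server.
    if ($user === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the username so it cannot change the DN it is placed into.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE_DN;
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok;
}

/** Call from the login page once the form has been posted. */
function log_in(string $user, string $password): bool
{
    start_secure_session();
    if (!ldap_credentials_ok($user, $password)) {
        return false;
    }
    session_regenerate_id(true);          // fresh session ID after login
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

/** True only for a session that logged in and has not been idle too long. */
function session_is_valid(array $session, int $now): bool
{
    return isset($session['user'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

/** Call at the top of EVERY protected page, before any output is sent. */
function require_login(): string
{
    start_secure_session();
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];
        header('Location: ' . LOGIN_PAGE);
        exit;   // without this the rest of the protected page would still be sent
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}
```

Each protected page begins by including this file and calling require_login(), so a visitor who types the page's address directly, without going through the login page, is redirected instead of being shown the content.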
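
For point 6 above, an added example (not from the workbook and not one of the Microsoft tools it mentions) that lists the identifying properties a .docx file would reveal to anyone who downloads it, so they can be cleared before upload. It covers only the .docx format, and the sample file and its values are constructed.

```php
<?php
// Added example, not from the workbook. Reports the author-identifying
// properties stored in a .docx file (a zip of XML parts) before it is uploaded.
declare(strict_types=1);

const NS_DC  = 'http://purl.org/dc/elements/1.1/';
const NS_CP  = 'http://schemas.openxmlformats.org/package/2006/metadata/core-properties';
const NS_APP = 'http://schemas.openxmlformats.org/officeDocument/2006/extended-properties';

/** Return the non-empty identifying properties found in a .docx file. */
function docx_metadata(string $path): array
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        throw new RuntimeException("Cannot open $path as a .docx file");
    }
    $core = $zip->getFromName('docProps/core.xml');   // false if the part is absent
    $app  = $zip->getFromName('docProps/app.xml');
    $zip->close();

    $found = [];
    if ($core !== false && ($xml = simplexml_load_string($core)) !== false) {
        $found['creator']        = (string) $xml->children(NS_DC)->creator;
        $found['lastModifiedBy'] = (string) $xml->children(NS_CP)->lastModifiedBy;
    }
    if ($app !== false && ($xml = simplexml_load_string($app)) !== false) {
        $found['company']          = (string) $xml->children(NS_APP)->Company;
        $found['totalEditMinutes'] = (string) $xml->children(NS_APP)->TotalTime;
    }
    return array_filter($found, fn (string $v): bool => $v !== '');
}

/** Build a constructed sample holding only the two metadata parts. */
function make_sample_docx(): string
{
    $path = sys_get_temp_dir() . '/sample-' . bin2hex(random_bytes(4)) . '.docx';
    $zip  = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addFromString(
        'docProps/core.xml',
        '<cp:coreProperties xmlns:cp="' . NS_CP . '" xmlns:dc="' . NS_DC . '">'
        . '<dc:creator>jsmith</dc:creator>'
        . '<cp:lastModifiedBy>jsmith</cp:lastModifiedBy>'
        . '</cp:coreProperties>'
    );
    $zip->addFromString(
        'docProps/app.xml',
        '<Properties xmlns="' . NS_APP . '">'
        . '<TotalTime>95</TotalTime><Company>Example Department</Company>'
        . '</Properties>'
    );
    $zip->close();
    return $path;
}

// Report what the constructed sample would disclose, then remove it.
$sample = make_sample_docx();
foreach (docx_metadata($sample) as $name => $value) {
    echo "$name: $value\n";
}
unlink($sample);
```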


Specifics of home PC security
Until now we’ve concentrated entirely on safe computing at work, or when away on university
business. But it’s important that you also practise safe computing at home, so here are some
recommendations that you will hopefully find useful.

    1. Set up separate user accounts on your computer, with one account for each member of
        the family that uses it. Give each user their own password. If you want to make the
        children aware that their actions on the computer can be traced, ensure that they don’t
        know your password and thus can only log in with their own account.




             2. Configure the accounts so that no one regularly uses an account that has administrator
                 privileges. Keep the admin account to yourself, and use it only when administering the
                 computer, such as setting up new users or installing new programs. This will help to
                 stop viruses and spyware from infecting your computer because they won’t have
                 sufficient privileges to run.

             3. Ensure that you always install all important security updates issued by Microsoft, Apple,
                 etc. This is normally nothing more than ticking a “keep my computer updated
                 automatically” box.

             4. Install antivirus software, and ensure that it’s updating properly at least once a week.

             5. Install some anti-spyware software and use it at least once a month.

             6. Never click on a link within an email message, or download an attachment linked to an
                 email message, unless you are 100% confident that the source can be trusted. If in
                 doubt, just delete the message. Remember, banks never email you to ask you to log in
                 to your account. Clicking on an untrustworthy attachment is like inviting a burglar
                 through your front door - it bypasses any protection offered by your firewall.

             7. If you use social network sites such as Facebook, MySpace, Bebo and others, don’t
                 give away too much personal information. While it might be fun to publish your name,
                 address, age, photo and life history for the world to see, such data can be of great help
                 to those who like to engage in identity theft.

             8. If you're running Windows, download and run the free Microsoft Baseline Security
                 Analyzer program. You'll find it by searching for MBSA on www.microsoft.com. It will tell
                 you whether you are missing any important security patches, and automatically install
                 them for you.

             9. If you haven't turned on the firewall in Windows, do so. It will help to protect you from
                 hackers on the internet. It will also help to prevent any rogue software which finds its
                 way onto your PC from making contact with outside hackers.

             10. If you have a telephone-based broadband connection (ADSL) and you are using a
                 broadband modem that plugs into your computer via the USB port, consider replacing it
                 with a router. A router is much more secure than a USB modem. They normally have a
                 built-in firewall, which is better than the one provided with Windows because it can
                 block hackers before they even reach your computer.

             11. If you're running any version of Windows prior to XP, update to XP or Vista. You can
                 get it for just a few pounds from the Computer Store on the Moulsecoomb campus. If
                 you're running Windows XP and you haven't installed Service Pack 2, download and
                 install it urgently. Versions of Windows prior to XP Service Pack 2 are much less secure
                 than modern releases. They are not as resilient to hackers, viruses, or malicious web
                 pages.

             12. If you have a broadband or cable router that is providing wireless access, you must
                 enable encryption. Without encryption, neighbours and strangers can access your
                 internet connection and, possibly, the files on your PC. Cases of people using
    someone else’s wireless to access child porn web sites are not uncommon, so don’t let
    it be your connection that gets used. Equally, if your ISP imposes a monthly bandwidth
    limit, passers-by or neighbours using your wireless connection will mean a greater
    chance of you reaching that limit and having your connection temporarily turned off or
    extra charges added to your account.


    WEP encryption is an older standard and is not as strong as WPA, but is better than
    nothing if your router doesn't support WPA.


    Your router may also support other wireless security features, such as MAC address
    filtering and SSID hiding. These are useful, but don’t significantly increase the overall
    security of your system because they are relatively easy for hackers to circumvent.

13. If you are using your computer for online shopping, always buy from sites run by
    reputable companies that you trust. If you provide your credit card details to a company
    that you haven't heard of, there's a chance that the company might be fraudulent and
    might misuse your information.

14. If you’re using the EFS encryption system built into Windows, read the warnings
    elsewhere in this workbook to ensure that you’re not storing up trouble for later.
    Specifically, you may be creating backups that you won’t be able to restore.

15. If you use online banking, or other online services where security is paramount, always
    use a different password for each bank or site. If someone discovers or guesses your
    password, that password is only valid for one site rather than multiple sites.

16. Before entering personal information such as a password or your credit card number
    into a web site, check for a closed padlock symbol at the bottom of your screen and that
    the address of the site starts with https rather than just http. The https prefix and the
    closed padlock symbol mean that all the information which you type into the web site
    will be encrypted before being sent to the site, thus ensuring that hackers can't intercept
    it. Also, companies which use https sites are easier to trace should anything go wrong.

17. If you have confidential documents stored on your PC you should consider the
    use of an encryption program, or look up details on how to use the EFS (Encrypting File
    System) feature built into Windows. If someone were to steal your computer, they could
    read all the files stored on it, even if you have configured Windows to ask for a
    username and password for each user. Encrypting the files prevents this.

18. Make copies of all the important files that are on your computer, such as documents,
    emails, photographs, music tracks, video clips, and so on. The most convenient way to
    do this is to use an external USB hard drive or a "pen drive", depending on how much
    data you have. Never keep your backup near your computer. If your computer breaks,
    or is lost or stolen, you risk losing all of the information stored on it. If you have backup
    copies of that information you can easily copy it to your new computer. By ensuring that
    you don't keep the backups near the computer, disasters such as a fire or a burglary
    won't result in you losing both the computer and the backup.



             19. Never reply to spam emails, even to opt out from being on the sender's database. Just
                 delete the message. Spammers often try emailing addresses at random in the hope that
                 you'll reply and thus confirm that the address was valid. By confirming your address as
                 valid, you'll simply get much more spam.


         Accidents Do Happen
         Not everything to do with Safe Computing is about criminal activity such as hackers, viruses and
         spyware. Many of the problems that afflict us are caused by accidents, such as deleting the
         wrong file or dropping your USB pen drive down the toilet! Sometimes, data that was
         considered lost can be recovered, as we’ve already seen. For example, Exchange email
         messages can often be recovered even after they’ve been removed from the Deleted Items
         folder, and there are similar facilities available if you store your files on your M: drive.

         But by far the best way to ensure that accidents don’t affect you is to make regular backups of
         important data, and keep those backups stored safely.

         Very occasionally, you might come across a problem where vital data has been lost and there’s
         no backup. Even if all hope seems lost, there are companies that can recover information from
         computers that seem beyond hope, including those that have been subjected to flood, fire, or
         falling out of your car on the motorway. Such services don’t come cheap, but they can often
         achieve the impossible. Therefore, it’s always worth contacting the Help Desk for advice before
         giving up hope.

         The golden rule about data recovery is that, the longer you continue to use the computer after
         the loss is discovered, the more difficult the recovery becomes. So if you do have a problem,
         stop using the computer immediately (but don’t turn it off or shut it down), and seek assistance.


         Computer Crime and the Law
         Computer crime is against the law in almost all countries, including the UK. This workshop is
         mostly about how to protect your computer and your information (from both criminals and
         mishaps), rather than how to detect and prosecute criminals. But it’s useful to cover some of
         the major pieces of relevant legislation that can be used against computer criminals (including
         staff and students, in extreme cases).


         The Computer Misuse Act 1990

         The most important piece of legislation which affects computer crime of all hues is the Computer
         Misuse Act 1990. Someone who deliberately hacks into a computer system, or infects it with a
         virus, is most likely to face charges under this Act. Offences under this Act fall into one of its 3
         main sections.

         The wording of the Act deals with unauthorised access to, or modification of, computer material.

         As with most computer-related legislation, the prosecution needs to prove intent. If you
         innocently click on a link on a Web page and find yourself somewhere that you shouldn’t be,
         that’s not against the law.


As with all other offences in UK law, it’s illegal to incite someone to commit an offence. So if
you’re creating a web site or a written document about computer crime, for example, you
mustn’t provide information that could be used to train someone to hack. Equally, if you’re
writing about explosives, take great care when listing the required ingredients or where to buy
them.

Incidentally, using your laptop to connect to someone else’s wireless network that you do not
have explicit permission to use is a criminal offence under the Computer Misuse Act, and some
people have been prosecuted for it already. So if you’re currently taking advantage of your
neighbours’ good nature or ignorance, especially if you’re doing it on a university-owned laptop,
it might be best to stop. If only because those neighbours may well be able to view the files on
your computer, which could lead to major problems for you and the university.

Remember: accidentally committing a “computer crime” isn’t an offence. If you think that your
computer might have a virus, even if it’s because of something you did, it’s better to tell
someone straight away.


ISO 27002

Originally a BSI British Standard and now a publication of the International Standards
Organisation, this is a “code of practice for information security management”.

It’s not legislation, as such, but more a set of best practices for companies who want to ensure
that their computer systems are safe. If you’re interested in learning more about IT security, it’s
well worth reading. And if you connect to the BSI via the university’s Online Library, you can
download this document (and many others) free of charge rather than paying the normal £50
fee!


Data Protection Act 1998

The Data Protection Act 1998 sets out rules for storing and processing information about
people. Whether you have a simple mailing list for names and addresses of students, or a
detailed database containing highly personal data such as salary or sexuality information, you
have to register with the Information Commissioner (www.informationcommissioner.gov.uk). It
is illegal to use information for purposes other than those which have been declared. Data subjects,
i.e. those people on your lists, have a right to request a copy of the information that you hold
about them for a nominal fee.

The university’s Data Protection officer, who deals with relevant issues under the DPA, is Jan
Lock. If you’re creating databases that hold information about living people, you should talk to
Jan to ensure that you are adhering to the correct rules.

The university’s LDAP database, of which more later, is very useful if you’re developing
computer systems and you want to avoid holding personal information about current staff or
students that would otherwise be covered under the DPA.

Initially the DPA only covered information held on computers. Nowadays it covers paper
records too, so you must also take care to protect confidential printouts such as salary or exam
grade spreadsheets.


         The Regulation of Investigatory Powers Act 2000

         This replaces the old Interception of Communications legislation and deals with the interception
         of data and voice communications by private bodies and Government agencies. It covers, for
         example, the rules which apply if companies wish to monitor employees’ use of the internet. It
         also provides an exemption for cases of wide-scale interception that are required in order to
         keep a system running smoothly, such as programs which automatically scan the contents of
         email messages in search of viruses or banned content.


         The Protection of Children Act of 1978

         Covers, among other things, child pornography. Under this Act it is a criminal offence to take,
         permit to be taken, distribute, show, advertise or possess for distribution any indecent
         photograph or pseudo-photograph of a child who is, or appears to be, under the age of 18. Note
         the inclusion of pseudo-photographs, which encompasses the activities of those who use
         computer programs to put young heads on adults’ naked bodies. When TV news reports talk
         about someone being convicted of “making indecent images of children”, this (rather than
         actually taking the pictures) is normally what is meant.

         Unlike conventional pornography, child porn is also unique in that mere possession of the
         material is an offence. Hence the various police operations which have targeted those whose
         credit card numbers appear on the customer lists of web sites selling such material.

         Although it is illegal to actively seek out images (both still and moving) of child pornography on
         the Internet, it is not an offence to encounter such material unwittingly. For example, if you
         innocently click a link on a Web page and, without warning, are taken to a page containing child
         porn, you are committing no offence. Similarly, if you suspect that a colleague is using his
         computer at the office to view or download child pornography, you are permitted to view and
         store any material that you find in order to gather evidence. However, this is best left to the
         Information Services department, who have a team of people trained in the legalities of
         computer investigations, rather than doing it yourself.


         Email Law

         The university is legally liable for the content of email which is sent from its systems, regardless
         of whether the message was sent for private or business-related purposes. This could lead to
         prosecutions if, for example, outgoing email was found to contain material that was
         pornographic, racist, or likely to incite someone to commit an act of terrorism. Therefore, make
         sure that such incriminating messages are not sent.

         The Data Protection Act states that all confidential information must be handled and transmitted
         securely. Therefore, if you send such information by email without taking steps to encrypt it you
         are committing a criminal offence. For example, if a new member of staff joins your department
         and you send details of their name, address and salary to another department by email over the
         internet then this is possibly illegal, especially if any of the computers or email accounts
         involved are shared by more than one person.




The Freedom of Information Act

The Freedom of Information Act obliges organizations to make available all of their internal
information to anyone who asks, unless there’s a valid reason not to (such as client
confidentiality or because it’s commercially sensitive). The Act only applies to public sector
organizations, of which the university is one.

If data requested under the Act isn’t readily available, or isn’t in a suitable format, we are legally
obliged to assemble it. Not having the information to hand is not a valid excuse against
providing it.

Most organizations covered under the FoIA, including us, have created what’s known as a
Publication Scheme. This is a list of all data that we have available (and, in many cases, the
actual data too). This is available on our Web site, and helps to ensure that people who would
normally need to make an FoIA request can now locate what they’re looking for without having
to go through any formal channels.

The university does still receive around 50 requests under the FoIA each year, which are dealt
with by the people in each department or school who have been trained in doing so.

If you receive a request for information, either by email or letter, you should pass it to the
relevant person in your department. If you don’t know who that is, ask Jan Lock, who’s our data
protection officer. Note that any formal request for information needs to be handled under the
FoIA guidelines, even if the request doesn’t mention the FoIA explicitly. Therefore, you should
always deal with (or pass on) such enquiries as quickly as possible because it is illegal to fail to
respond to an FoIA enquiry within a certain time frame.


The Rules According to Janet

Like almost every other British university, we use Janet (the Joint Academic Network) as our
internet service provider. Janet has some extra rules that we need to adhere to, most
specifically concerning the use of our internet connectivity for commercial purposes. If you
intend to use the university’s web sites for anything commercial, such as selling products or
services, you must obtain prior authorisation from the Director of Information Services.


And Finally, Esther
The university’s network of some 2500 computers, spread across an area that encompasses
Brighton, Eastbourne and Hastings, is one of the largest in the country. The Information
Services department takes great care to ensure that it remains secure, and available for use, all
of the time. But IT security is the responsibility of all of us, not just the Information Services
department. We all need to play our part, by being vigilant and by taking sensible precautions
in the way that we use hardware and software resources. So, if you do nothing else after
attending this workshop, it pays to follow these golden rules:

    1. Make sure you are familiar with the university’s information security policy

    2. Never click on an email attachment unless you can be sure it’s safe




             3. Back up all your important document files and store the backups thoughtfully

             4. Make sure your antivirus software is updating regularly

             5. Encrypt any confidential data that you send off-site

             6. Run anti-spyware software on your PC every week or two



                                                    The End



