Welcome to JAFCI: Computer Viruses and Security

Computer Security

If you are interested in computer security in general, a good starting point is the CERIAS website, Purdue's center for computer security research.

What's Happening in the Department of Chemistry?

The department's machines continue to be targets for computer break-ins and virus attacks. Unix systems are typically the targets for break-ins by virtue of their software architecture; PCs and Macs are usually the targets of viruses. These break-ins have caused significant downtime for some instrumentation. Some accounts have been used to significantly disrupt other systems, to the point where the persons owning the accounts have experienced lost time and significant emotional distress.

What is the nature of Unix break-ins?

These are break-ins through the chemistry network. Often, a break-in is not overtly destructive. A break-in is usually meant to provide the hacker with a base of operations from which to attack another, more sensitive site, e.g., a Department of Defense site or an FBI site. Another site on campus had one of its servers clandestinely used as a hacker's chat room server. Recent break-ins have typically consisted of either putting in place a back door to the system, so the hacker can easily come back to it whenever a new site is needed, or planting a program called a sniffer.

A sniffer program allows the compromised system to read any traffic sharing the same transmission cable, including transmitted account and password information. Installing one typically requires the hacker to first gain access to the system (root) account. The sniffer then provides the hacker with many more systems and accounts from which to work.

Break-ins into student accounts are another concern with respect to sniffers. Apparently, student account passwords were obtained from sniffer information. The hacker then placed a booby trap in the students' accounts. The next time the student logged in, vandal programs were automatically run that disrupted campus and commercial networks and systems.

What can be done to prevent such attacks?

- Delete unused accounts. Active users of accounts may notice changes made by a hacker, whereas no one is monitoring an unused account. Other accounts that are used by the system internally (such as the lp account under SGI's IRIX) should have interactive logins disabled. Finding compromised systems quickly prevents them from being used as an attacking platform.
- Check for unusual processes on the system. Review the output of the command "ps -ef" on your UNIX system (some systems may have a slightly different command). This lists all processes running on the system. Check for any unusual changes; in particular, check for system (root) processes that are normally listed as started at system boot time but show a different start time than the other such processes. Also check for processes, particularly root processes, running from unusual paths (./something, /tmp/something or /user-directory/something). Checking on Mondays seems to be a good idea, to counter the additional free time hackers have to hack on the weekends.
- Disable any unneeded network services on the system; there are typically several unneeded services enabled. Consult the JAFCI staff on what services you may or may not need on your system.
- Make it harder for hackers to break into the root account of Unix systems.
  - Refrain from logging into a system (root) account across the network. Sniffer programs will then not get a direct line on a privileged account. If it is necessary to log in through the network on a root account, change the password soon afterward (at the computer console, not across the network).
  - Apply the latest security patches to the system. Vendors typically supply security patches at no charge via their web sites. These correct security holes that allow either unauthorized entry to the system or unauthorized upgrading of an unprivileged account to a privileged account.
  - Use some of the tools from the CERIAS website to make the system more secure.
- Switch to the newer, more secure telecommunications network. A breach in security on one system on the new network does not have the impact it does on the old network: far fewer machines share the same transmission cable to the central network switches, defeating sniffer programs. JAFCI is in the process of switching the department from the old cabling to the new. The JAFCI staff would appreciate your cooperation in proceeding quickly with the process.
- Pay close attention to any messages during login notifying you of unsuccessful login attempts and of the time and source of the last login. If these attempts were not due to your activity, report that fact immediately to the system administrator of that system.
- If you are using a Unix account strictly for email, consider using the POP or IMAP facility on the Mail*Hub instead. The Mail*Hub system is a more controlled environment with a lower likelihood of someone being able to use the account to commit network vandalism.
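To make the "ps -ef" review above concrete, here is an added example script (not part of the original page) that applies the two rules the list describes, a root daemon whose start time differs from init's and a command running from ./, /tmp/ or a home directory, to a constructed ps listing; the listing, the PIDs and the command names in it are made up for illustration.

```shell
#!/bin/sh
# flag_suspicious_procs: read "ps -ef" style output on stdin and print
# one line per process that matches either of the page's two rules:
#   1. a root process whose parent is init (PPID 1) but whose STIME
#      differs from init's own STIME, i.e. it was not started at boot
#   2. any process whose command runs from ./, /tmp/ or a home directory
# The boot-time comparison assumes the init line (PID 1) appears before
# the daemons, which is how ps -ef orders its output.
flag_suspicious_procs() {
    awk '
    NR == 1 { next }                       # skip the column header line
    {
        uid = $1; pid = $2; ppid = $3; stime = $5; cmd = $8
        if (pid == 1) boot = stime         # init marks the boot start time
        reason = ""
        if (uid == "root" && ppid == 1 && boot != "" && stime != boot)
            reason = "root daemon not started at boot"
        if (cmd ~ /^\.\// || cmd ~ /^\/tmp\// || cmd ~ /^\/home\//)
            reason = (reason == "" ? "" : reason "; ") "unusual path"
        if (reason != "")
            printf "%s %s %s -> %s\n", pid, uid, cmd, reason
    }'
}

# Constructed sample listing (not from a real system): init and sshd were
# started at boot, a sniffer in /tmp and a ./kcore appeared later.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Sep10 ?        00:00:03 /sbin/init
root       842     1  0 Sep10 ?        00:00:00 /usr/sbin/sshd -D
root      5123     1  0 03:14 ?        00:00:00 /tmp/.x/sniff -i eth0
root      5200   842  0 03:15 ?        00:00:00 ./kcore
jsmith    6001  5999  0 09:02 pts/0    00:00:00 -bash'

# Run against the sample; on a live system use: ps -ef | flag_suspicious_procs
printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs
```

The start-time rule is a heuristic: a daemon legitimately restarted after boot will also be flagged, so treat a hit as something to investigate rather than proof of compromise.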

What should be done after a network break-in?

If you suspect that your system security has been breached, contact the JAFCI staff for help in determining whether, and to what extent, the system has been compromised. Unfortunately, once a system has been compromised, it is difficult to tell how far the compromise goes. Often, additional "backdoors" are hidden by the hacker, so even after the primary method of attack has been closed off, the hacker can gain entry once again through these backdoors. A total system reinstallation (with appropriate security patches) is often necessary to ensure that the system is again secure.

PC and Macintosh Viruses

Purdue has provided site licenses for virus scanners for Macs and PCs. Since the acquisition of Dr. Solomon's antivirus software by Network Associates, we have changed virus scanners for the PC. You may obtain Virex for the Mac or Virus Scan for the PC from our download page. There is a lot of information (and misinformation) concerning computer viruses. The web sites for the Symantec and Network Associates virus scanners contain a lot of useful information. Another good site, one that discusses what computer viruses are as well as what they are not, is the Computer Virus Myths site.

How is a virus introduced into a computer system?

Any method that transports files into a computer system can be a source of computer viruses, whether through removable media (floppies, CD-ROMs, ZIP disks) or through the network (email, FTP file transfer, file downloads from the web, etc.). However, transporting a virus into the system is not enough to infect it. Before the virus can infect the system, it must be given control of the system. This means that the virus must be part of code that is executed on your computer.

Any executable/application files should be checked for viruses before they are used. This is particularly true of executable files sent as attachments to email. NEVER open any executable email attachment before checking it for viruses, even if it is trusted communication; the sender may not know they have an infected system which is spreading the virus. The From: address of email should always be suspect; it is easily forged.

There are also boot-sector viruses. These infect the small program on the disk that is responsible for loading the operating system on power-up or reset. They can infect removable media (diskettes) and be spread to other systems.

Unfortunately, as standard office applications (particularly Microsoft applications) have gotten more sophisticated, it is not always apparent that you are running a program other than the office application itself. Small programs called macros can be embedded into a document that is transmitted to your workstation, and they are automatically run when the document is opened. These macros may contain viruses, so just opening a document may cause your system to become infected. Most programs can be configured to shut off automatic macro processing; when the application detects a macro, you can exit the program and check the document for a macro virus before using it. For the Microsoft Office '97 applications, use the Tools menu, select Options... and click on the General tab. You will find a checkbox marked "macro virus protection" to turn on the facility.

HTML (web page) documents are also a source of hidden programs. An HTML file may contain executable code, called scripts, that can be very useful in validating form data or customizing the look of a page for a given user. Scripts in general only have access to the web browser's window and the embedded pages and forms. However, Microsoft provides ActiveX controls in its operating systems which can be called from Visual Basic Active Scripting (VBScript), which in turn can be embedded in HTML files. These provide services which can be very useful, but also very dangerous. Some ActiveX controls have general access to all your computer's resources, and if used in scripting they can allow any web page designer to make any changes they desire on your computer. To prevent this, controls are marked either safe for scripting (they don't have general access to resources on your computer) or unsafe for scripting (they do have general access to your computer's resources); sometimes the controls are inappropriately marked. Such controls may then be used by a malicious web operator to gain access to all your resources (particularly disk files and registry information).

Microsoft now provides for active scripting in more than just web pages. For example, scripts embedded in email messages coded as HTML are executed when the message is opened. Exploitation of an improperly marked ActiveX control then allows the sender of the message access to your machine simply through the action of your reading that message. This is the mechanism by which the bubbleboy virus works. You can lessen the chance of damage to your machine by some of the following actions:
- Apply security patches for ActiveX controls which are improperly marked.
- Disable Active Scripting through the Internet icon in the control panel.
- Use software products which do not use ActiveX technologies.