Missed Web free your inner fez

Security 101 or “How to Protect Your Computer on the Internet”

A lesson in virus protection for the casual MMOG player.
By Misty "Beans" Matonis

With the most recent evil virus running around the Internet like a rabid dog in heat, I thought the timing would be right to unveil a little document I wrote not long ago on security and your system, especially since a lot of MMOG players are really casual Internet users.

This essay is designed to give the casual computer or Internet user (read: novice) some basic ideas about protecting their systems from such things as viruses, trojans and the usual hacker stuff. This essay is not complete, but it is a good starting point.

This document assumes that the you are using Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT. Windows 2000 and Windows ME, as well as Mac, Linux, and other OSs are not.

The absolute, 100% sure way to protect yourself from malicious attacks on your computer and your data is to not be on the Internet, however, that advice is not practical. But there are some things that you can do that can help you limit said attacks, and help to ensure your privacy and secure your data.

Passwords Are the Key

Password-protect your computer. If you are using a Windows machine, perform the following steps:

• Go to start
• Select Settings
• Select Control Panel
• Select Passwords
• In the "Change Passwords" tab, hit the "Change Windows Password" button.
• If you already had a Windows password, you may change it now. Input your old password in the password field. Then put your new password in both the "new password" and "confirm new password" fields and hit the OK button. You will get a confirmation window stating that your password has been updated.
• If you did not have a password for your computer, you may set one at this time. Put your password in the "new password" and "confirm new password" fields, leaving the "old password" field blank. Hit the OK button. You will get a confirmation window stating that your password has been updated.
• After creating or updating your password, hit OK to close the password screen.

Password protect your screen saver if you are using one.

• In the Control Pannel, double-click "Display."
• Select the "Screen Saver" tab.
• Check the "Password Protected" box and hit the "Apply Button."
• Hit the OK button to close the Display screen.

Chosing a Good Password

This is perhaps the most important thing that you can do as an end-user if you wish to protect your data from malicious attacks.

• Avoid dictionary words. For example, "secret" is a dictionary word. DO NOT use words like this
• Avoid using your first name, middle name, last name, names of members of your family, pet names, etc. as your password.
• Limit your password to either 7 OR 14 characters. Here's why. The way Windows stores passwords is as follows: Windows breaks up your password into bits of 7. So if your password is 8 characters long, your password is stored in one part as 7 characters, a second part as 1 character. It's much easier for a hacker to work with a password like this, as it's relatively quick to decipher part 2, and then work on part 1. Limiting it to either 7 or 14 characters will make the job of the cracker a bit more difficult.
• Use upper and lower case in your password.
• Use numbers in your password.
• Use non-alphabet characters in your password, e.g. @ or $
• DO NOT use characters in your password that are together on the keyboard. For example, "qwerty" is a bad choice for your password, or part of your password. As is "123." Crack applications thrive on this type of mistake. DON'T do it.
• Mix upper, lower, numbers, and non-alphabet characters in your password. For example, "1r0X0rj00pUnK!"
• Do this for EVERY password you have. Including Web sites, online games, documents, etc. Create individual passwords for each.

Password Do's and Don'ts

• DO NOT EVER WRITE YOUR PASSWORD DOWN. Never ever ever. Did I say don't. Well, just plain don't.
• DO NOT EVER share your password with ANYONE. This includes friends, co-workers, and family members. If you have to, change your password as soon as possible.
• DO change your password often. Once a month is okay, but if you are feeling adventurous, change it weekly.
• DO NOT recycle your passwords if the period of three months has not passed. Meaning, if you have to recycle your password, wait three months minimum to use that password again.
• DO NOT put your password or password hints in comments, such as in HTML code, a document, named folders or files, or system information areas.

Some Notes on Passwords and Windows and Screen Savers

The problem with Windows is that passwords aren't really that much of protector when it comes to your computer and a rogue individual. If I were to come up to your desk and see that you have a password-protected screen saver, all I would have to do to gain access to your system is reboot your machine, wait for the windows login screen to appear, and then hit "cancel." I would then have full access to whatever files you have on your system. The good thing, though, is that I won't have access to your company's network if you're on one, but, if you've not followed the steps outlined above, chances are I'd be able to guess what your password is.

This problem does not occur on NT.

Protecting Your System from Viruses and Trojans

Many unscrupulous individuals will send viruses and trojans through e-mail attachments and executable files. Knowing what to do and what not to do is important.

Invest in a Virus Scanner There are quite a number of products on the market that will scan your system and your files for viruses and trojans. Two of the best are:

• Symantec's Norton's AntiVirus (http://enterprisesecurity.symantec.com/content/productlink.cfm#0)
• McAfee's AntiVirus (http://mcafee.com/)

Personally, I think Norton's is the better of the two, but they both work well.

The most important thing that you can do is keep your antivirus application's signature files up-to-date. I recommend checking for new updates once per week. If any new viruses or variations of a virus have been discovered, this can insure that you will be protected.

Also, be sure to read any and all documentation on using the virus scanner and product updates. Know how to use it. Know how to run it in the background. Most importantly: just know how it works!

E-mail Hell: Some Tips

• If you are an Outlook or Outlook Express user, make sure you have your mail client set so that it does not auto-open attachments. Check the help me documentation that comes with these programs to see how to disable it. The vast majority of email worms are targeted to users who use either Outlook or Outlook Express. I personally prefer Eudora to limit my chances or an attack that way.
• Never open an attachment without first scanning it with your antivirus program.
• Never open and attachment that has a .vbs or a third extension (such as *.*.*).
• Never open an attachment that contains an executable file (*.exe) without first scanning it
• Never open an attachment because a friend or someone you know sent it to you without first scanning it for viruses. Remember the ILOVEYOU virus? That propagated so well because most people would receive it from someone they know well and would automatically open ILOVEYOU.vbs without thinking or scanning first. Bad move
• If you receive a word or excel attachment, scan it for macro viruses, and if the document uses macros, select the disable macro option that comes up when you open the document.

Download Hell: Some Tips

• Be wary if you download applications off the Net. This includes anything from Netscape and IE browsers to trial versions of your favorite product from your favorite vendor. Always run a scan on any executable or zip file you may download.
• Limit downloading from unknown sources. If you do have to download from an unknown third party, scan scan scan.
• If you use a service such as an online game, or any service that auto-patches an application for you, make sure you have your virus scanner running in the background. Origin Systems, Inc., a well-respected gaming company, almost accidentally sent its 150,000 users Back Orifice 9x through its auto-patching system. Thankfully, they didn't, but you can see the dangers inherent, eh?
• Scan scan scan
• Scan scan scan
• Scan scan scan

Disks and CD's

Just because you have an application or a document from a disk or CD does not mean that you won't download a virus or trojan! Scan first before using. Scan after using.

Education: Know Thy Enemy!

The most important thing that the end-user can do to protect themselves is to educate themselves. Know what viruses and trojans are out there. Know how your OS works. Know if there are any security flaws in the applications that you use.

Here are some good sites to check out:

• SecurityFocus.com
• symantec.com
• mcafee.com

Firewalls: Keep the Bad Guys Out!

If you have a static IP as many users tend to have when they have high-speed Internet access, you'd be remiss if you did not have a firewall. Different firewalls do different things. Some may simply monitor any and all port activity. Some prevent third-party access and may need to be configured so that you can play your games or use your IM programs. If you're interested in investing in a good firewall, and I suggest that you do if you're concerned about third party access to your system, make sure you read the documentation on your prospective purchase closely. Compare various firewalls and see which one would best one to fulfill your needs.

And don't forget to ask your friends what they use, and why. My friends tend to prefer ZoneAlarm, and some recommend BlackICE.

The decision is yours. Chose wisely. OMG I've Been Infected What Do I Do?!

Firstly, calm down. Knowing that you've been infected is the first step in the right direction!

Close all applications and documents. These can propagate the infection. Shutting down your computer can also help but it does not ensure your safety in the future. Your computer is still infected, after all.

If you have a virus scanner, use it.

If you don't, get one immediately. You can download great virus scanners from Symantec or McAffee for free. These are trial versions.

Now that you have a virus scanner, use it. Follow anything that these applications tell you to do. Pay attention to what files are infected and what virus was used to infect them. Let your virus scanner do the rest.

Go to a virus database and learn about the virus and how to clean your system of them. An excellent virus database can be found at http://www.symantec.com/avcenter/. Symantec will not only tell you the nuts and bolts of the virus, but will also tell you how to clean it from your system.

Download MooSoft's trojan cleaner (http://moosoft.com/download.php). This application will check to see if you've been infected with a trojan. Consider this your backup.

If it was a friend or an associate who sent you the virus, notify them immediately that they did so. Chances are it wasn't malicious. If the virus or trojan was sent to you by someone unknown to you, notify your ISP or online service provider immediately.

Delete the source of the virus.

Relax! If you've done all of the above, chances are you've cleaned your system of the virus. And now you've learned your most valuable lesson!

AOL and AOL Instant Messenger, ICQ and other IM applications

• DO NOT create a profile for yourself. If you do, do not put personal information or other clues to what your password may be. Not having a profile will also decrease your chances of getting spam to your AOL account.
• DO NOT go to chat rooms. Chat rooms on AOL are a great source for wingnuts to collect email addresses so they can spam you. You also may risk giving away personal information, or even your password, to a rogue individual.
• DO NOT accept files from ANYONE, including someone you may know, even if it is a picture.
• DO NOT accept IM's from a person you do not know.
• DO change your password often.
• DO NOT open unsolicited email (spam) if they have attachments. Delete them immediately.
• DO contact AOL's customer support team if you notice unusual activity with your account, or if you suspect someone is violating the AOL/AIM/ICQ TOS
• Set yourself up for the highest security level if you can. On ICQ, hide your IP address. Limit who can send you events. Use the invisibility feature. Ignore events that come from an unknown source.

As I said earlier, this is by no means a complete list of do's and don'ts, but it's a start. If you protect your system well, you'll not only protect your files and your sanity, but you'll lessen the frustration of losing your hard work in your game to a hacker.

Originally Published on GameSpy 7/29/01