Frequently Asked Questions
for the Tibet Support Group
and Tibetan Exile Communities
Date: May 2005
Revision: 1.0
- 1—Preface
- 2—General Security Questions
- 2.1 What should I do when I receive email with attachments and I am not sure if it contains a virus?
- 2.2 Are all attachments potentially dangerous or are some safer than others?
- 2.3 How can I protect myself from computer viruses?
- 2.4 What are the different types of threats that I may be facing?
- 2.5 How can I prevent getting viruses, trojans or spyware from email attachments?
- 2.6 How can I browse the web safely?
- 2.7 How can I prevent attackers and other infected computers from attacking my computer?
- 2.8 How can I check to see if my computer is infected?
- 3—Specific TSG-L and WTN-L Concerns
- 4—Exchanging Confidential and Sensitive Documents
- 4.1 What is the best way to exchange confidential information between TSGs or between Dharamsala and the Offices of Tibet around the globe?
- 4.2 What is public-key cryptography?
- 4.3 What is a digital signature?
- 4.4 How can I encrypt and/or digitally sign my email?
- 4.5 If I install and use an email encryption system, can I still send messages to my unsecured friends? Am I running any risk?
- 4.6 What happens if a “spoofed” message arrives…?
- 4.7 …Does using encrypted email require that I install some special program on my computer? Will my system administrator allow this?
- 5—Finding More Information
1—Preface
This document is intended to answer common questions members of the TSG-L and WTN-L lists about computer security and email risks. Please read this document before sending questions to list moderators about viruses, spyware, trojans or other computer security issues.
I want to thank Conrad Richter, Locke Berkebile, Laird Brown and Jim Schuyler for their help with this FAQ. Corrections and additional materials for this document are welcome.
Please send them to samdup_faq@tibet.ca
2—General Security Questions
2.1 What should I do when I receive email with attachments and I am not sure if it contains a virus?
Do not open the attachment.
Any message containing attachments can contain dangerous elements such as viruses, trojans and spyware. If you are expecting the attachment from someone you know, then it is probably safe. But if the attachment was not expected—even if it appears to come from someone you know—then you should take extra precautions to make sure that it is safe.
When in doubt, it is always a good practice to send email to the message sender asking if he or she really did send the attachment to you.
2.2 Are all attachments potentially dangerous or are some safer than others?
There are many types of email attachments and almost all of them have the potential of harming your computer and the information stored on it. Some of the file types that commonly carry dangerous computer code are listed below.
In Windows, you can identify the different file types from file extensions, which are the 3-5 letters following a dot at the end of the file name.
Files with the following file extensions are always dangerous to open, even when they appear to come from someone you know:
o Windows programs: .exe, .com, .pif, .dll
o Windows scripts: .bat
Files with the following file types are potentially dangerous, but are probably safe if you are expecting them from someone you know:
- Microsoft Word: .doc
- Microsoft Excel: .xls
- Winzip (see note below!): .zip
- Web pages: .htm, .html, .shtml, .asp, .cgi
- Adobe Reader’s “Portable Document Format”: .pdf
Adobe attachments may also be a risk, as are Adobe Acrobat Reader pages on the net. If not sent from a secure known trusted source they should be downloaded to a diskette and scanned with antivirus software before opening. Check http://www.mcgill.ca/ncs/products/security/antivirusinfo/alerts/2004/ (search for “Adobe” on that page).
However, these files can be dangerous if they contain malicious macros or executable programs, or if they contain links to malicious websites. Be aware that .zip files can contain files that when expanded could be dangerous.
Files with the following file extensions are generally safe:
o Image files: .jpg, .gif, .bmp, .png
o Text files: .txt
o Rich Text Format: .rtf
o Microsoft Excel “Comma Separated Value” format: .csv
These files are not known to contain malicious programs that a computer can run. But a common trick is to append their file names with a “stealth extension” preceded with blank spaces to hide Windows programs and other malicious files, like this: “abcfile.txt .exe”
On Windows computers it is a good idea to turn off the option to hide the file extensions in Explorer. This can be done by choosing “Folder Options” from the Tools menu in Windows Explorer and unchecking the box next to “Hide file extensions for known file types.”
2.3 How can I protect myself from computer viruses?
If you are using Windows, it is very important that you install and use antivirus software. Unprotected Windows machines on the Internet will soon acquire viruses without antivirus protection. In order for antivirus software to be effective, it must be frequently updated. Most current antivirus software can be configured to update automatically on a computer connected to the Internet.
There are many popular antivirus packages for windows. Many of these packages also include personal firewalls and anti-spyware software, which work together to keep your computer from being corrupted or hijacked and your data from being stolen. A few of the most popular packages are:
Norton Antivirus from Symantec
http://www.symantec.com/nav/nav_9xnt/
PC-cillin Internet Security from TrendMicro
http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
Titanium Antivirus from Panda Software
http://www.pandasoftware.com/products/titanium2005/
F-Prot Antivirus from Frisk Software International
http://www.f-prot.com/products/home_use/win/
Generally these packages can be ordered on the Internet, often from the vendors sites and installed on your computer immediately.
If you are a Macintosh user, viruses are rarely an issue. However, you should still install and use an antivirus program. Virex from McAfee is available for OS X here:
http://www.networkassociates.com/us/products/mcafee/antivirus/desktop/virex.htm
or for free from Apple if you are a .Mac member.
2.4 What are the different types of threats that I may be facing?
Your computer can be attacked through a variety of mechanisms. The most common of these faced by home computer users are:
1. Trojan horse programs—Trojan horse programs are programs that appear to be useful, but actually compromise the machine they are installed on.
2. Viruses—Viruses are small programs that can attach themselves to other files or programs. When you share these infected files with others, the virus spreads. Viruses generally self-replicate. They often accompany Trojan horses and together they serve the malicious purpose of the program author.
3. Spyware—Spyware is software that usually is installed by the user unknowingly while downloading or installing another program. The original purpose was to report the web pages that a user frequented to an advertiser while withholding the identity of the user. However, now attackers are using spyware to gather all possible information from the victim (such as email addresses, credit card numbers, and so forth).
You should run anti-spyware software such as Spybot Search and Destroy and SpywareBlaster. These are both free and available to anyone. When using Spybot Search and Destroy, you should enable the Immunize feature. These should be run in addition to antivirus software. More information is available at http://www.mcgill.ca/ncs/products/security/spyware/
4. Adware—Adware is software – installed by trojan horse programs, malicious mobile code, or a virus – that displays advertising on your computer, often through a profusion of pop-up windows in your browser, but sometimes in other locations in your operating system.
5. Mobile code—Mobile code is software that is automatically downloaded and executed on your machine when you visit a website. Mobile code is part of what makes the web work, but, due to flaws in your browser software, malicious mobile code can sometimes be created to attack your machine.
6. Phishing—Phishing (pronounced “fishing”) is the attempt of an attacker to defraud the user into visiting a malicious website or providing information about themselves for what they think is a legitimate request. Further information on phishing and how to protect yourself may be found at http://www.mcgill.ca/ncs/products/security/reality/ (then search for “phishing.”)
Threats to your computer through the above mechanisms can occur through a number of different activities. In order of danger, from most to least, the activities that are most often avenues for security attacks are:
1. Installing untrusted applications—Any application you install on your computer that is not from a trusted source such as Microsoft, Adobe, Macromedia and other respected vendors could be a trojan horse program. For instance, if you find a website through an Internet search engine (such as Google) and download a software installer from that website without knowing anything about the author of the software, you run the risk of compromising your computer. If you are unsure, search for reviews of the software on the Internet first. PC weather programs, as an example, are notorious for being trojan horses.
2. Opening dangerous attachments in email—See Section 2.2 above. Any attachment that you were not expecting should be suspected and should not be open until the source is verified. Even if an attachment appears to be from a friend, if you were not expecting it, verify that it is indeed from your friend before opening it.
3. Visiting malicious websites—If you are searching for information using an Internet search engine, there is really no way avoid visiting malicious websites. However, you can protect yourself by running a good antivirus program (see Section 2.3 above for suggestions and by using the Firefox browser instead of Internet Explorer. Firefox is a free application available here: http://www.mozilla.org/products/firefox/
4. Connecting your computer to the Internet—Anytime your computer is connected to the Internet, it is vulnerable to attack. You can minimize the risk by turning off or disconnecting your machine from the Internet when you are not using it and by installing a personal firewall application. There are many popular personal firewall applications such as:
Norton Personal Firewall from Symantec
http://www.symantec.com/sabu/nis/npf/
PC-cillin Internet Security from TrendMicro
http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
Windows XP comes with a firewall built-in.
If you use Windows XP, make sure that the firewall is activated.
2.5 How can I prevent getting viruses, trojans or spyware from email attachments?
Do not open any email attachment you are not expecting to receive from a trusted source. Never open executable files that have been forwarded to you from unknown sources. These files will have file extensions ending in .exe, .dll, .com, .bat, .pif and .cmd.
See also Sections 2.1 and 2.3 above.
2.6 How can I browse the web safely?
There are a number of things you can do to make browsing Internet websites more safe:
First, stop using Internet Explorer and start using Firefox
The majority of web browsing security problems on Windows computers have come from flaws in Microsoft’s Internet Explorer. Firefox is a fast, free, more secure web browser from Mozilla. You can download it here:
http://www.mozilla.org/products/firefox/ It also blocks popup windows and has many great features that are not available in Internet Explorer.
Second, install and use an antivirus software package
See Section 2.3 above for a list of common antivirus packages.
Third, disable mobile code execution in your browser
In your browser options, disable Java, Active X controls and Iframes. Also it is very important that you disable the setting in your browser that allows websites to automatically download and install software on your computer.
For Internet Explorer
Under Tools, then Internet Options, click on the Security tab. Select the Internet zone and then click on the Custom Level button. The most important options to review are the ones involving ActiveX controls and plug-ins, downloads, Java, Iframes, and scripting. You can choose to disable browser features or tell the browser to prompt you when a website is trying to use these features. Disabling is always the safest approach, but disabling some features can interfere with the normal functioning of legitimate sites. The prompt option may be better for you; you will be prompted to approve the use of features each time a website tries to access them.
Below are recommended security settings for the Internet zone:
- Download signed ActiveX controls — Disable
- Download unsigned ActiveX controls — Disable
- Initialize and script ActiveX controls not marked as safe — Disable
- Run ActiveX controls and plug-ins — Prompt
- Script ActiveX controls marked safe for scripting — Prompt
- File download — Disable
- Java permissions — Disable
- Launching programs and files in an IFRAME — Disable
- Active scripting — Prompt
- Allow paste operations via script — Prompt
- Scripting of Java applets — Prompt
On some legitimate websites you may get many so prompts that it becomes cumbersome. You can add these websites to the “Trusted sites” zone and change the features from “Prompt” to “Enable”. Resist the temptation of enabling everything in order to avoid getting prompts for approval. If it is necessary to activate disabled features, then set them as “Prompt” instead of “Enable.”
Under the Advanced tab (under Tools > Internet Options), the following settings are recommended:
- Java console enable (requires restart) — Unchecked
- JIT compiler for virtual machine enabled (requires restart) — Unchecked
For Firefox
Under Tools, Options, and then Privacy, click on the “+” beside Cookies to show the cookie options. For maximum security you can uncheck Allow sites to set cookies but this is not realistic as many legitimate sites require cookies for proper functioning. Instead check this option and then click on the Exceptions button to set which sites you allow cookies. Enter the website address and click on Block, Allow for Session or Allow.
Web Features (also under Tools > Options) is where you control scripting and program execution. Below are recommended settings:
- Allow web sites to install software — uncheck (or check and click on the Allowed Sites button to add trusted sites)
- Enable Java — uncheck
- Enable JavaScript — uncheck
In Downloads (also under Tools > Options) you can control which applications automatically launch when downloaded. You may have .doc files set to be opened automatically by Word or .xls worksheets set to be automatically opened by Excel; but because these files can have malicious embedded programs or macros it may be a better idea to change setting the have Firefox download these files instead. This way you can decide whether or not you trust the source of the files (and delete those you don’t trust) or you can run them through your antivirus software first before opening them.
2.7 How can I prevent attackers and other infected computers from attacking my computer?
You should have a properly configured firewall to protect your computer. Even if your computer is part of a local area network that has firewall protection, it is still a good idea have a personal firewall for your computer. Windows XP comes with a firewall: make sure that it is turned on and properly configured.
Older Windows and other operating systems do not come with a firewall and you need to install one if you don’t already have one. Firewalls must be set up properly or they won’t provide much protection. Because firewalls are not easy to set up properly many people just turn them off which is inviting big trouble.
See section 2.4 above for a list of popular firewalls.
Unless you have one of these firewall programs in place, such as Norton Internet Security, you’ll want to configure the Windows Firewall:
- In the Start menu, find and open Control Panel and then double-click Windows Firewall.
- In the General tab, click the On radio button
- A window will open in which you can create or change Windows Firewall settings. In the Exceptions tab, select the programs and services that you want the firewall to give complete freedom of communication. These programs will be allowed to access the Internet, subject only to other security policies you have set, such as within your Firefox or Internet Explorer browser. You should only include programs you feel completely confident about, such as AOL, File Sharing, email (such as Outlook or Outlook Express), and Instant Messenger programs. These programs can then make connections to Internet sites and resources without being blocked by the firewall. This is probably the easiest way to configure your firewall – program by program.
- You can also unblock Internet “ports” using the Add Port button in the Exceptions tab. (That is, you are making an “exception” for this port.) Internet ports are numbered, and numbers are assigned to each of the commonly-used Internet services. Each port is a communications “window” between your computer and some outside Internet service, used for a specific purpose. For example, ports 25 and 110 are commonly used to communicate with email servers—port 25 is the outbound (SMTP) port, and port 110 is the inbound (POP3) port. If you have a number of programs that need a particular service, and you don’t want to go thru and add each and every program to the exceptions list, you can allow the port corresponding to the service. You do this by clicking Add a port and specifying the port thru which communications is to be allowed. Another commonly-used port is port 80, which is used by web browsers to access web sites.
2.8 How can I check to see if my computer is infected?
When you install antivirus software, it should check your system and clean up any problems found. There are some online tools you can use but it is important that online tools only check and clean up infections that have already occurred; they do not protect you from future infections.
See Section 2.3 above for a list of popular antivirus packages.
3—Specific TSG-L and WTN-L Concerns
3.1 There are times when fake TSG-L postings are received from individuals and organizations with a forged email address. Is there some way to know and to prevent this from happening?
This is difficult, but McGill University list managers have set up a system whereby the sender must confirm the message before the message is released to the list. This has definitely helped minimize these messages from forged email addresses. Also, the TSG-L list no longer allows attachments to be posted to the list, thereby removing the most serious threat that the list has faced in the past.
3.2 Sometimes I get messages with attachments that look like they are from WTN. Are these legitimate?
WTN never sends attachments. If you receive a message that looks like it is from WTN but it contains an attachment, throw it away. It is not from WTN.
4—Exchanging Confidential and Sensitive Documents
4.1 What is the best way to exchange confidential information between TSGs or between Dharamsala and the Offices of Tibet around the globe?
It is important to realize that most email programs such as Outlook Express and Eudora do not protect email while messages travel from one computer to another. Anyone with the right software can read your email as easily as reading a postcard sent through the mail. If you are sending confidential documents via email it is critical to encrypt your messages in some way. The most common form of email encryption is based on public-key cryptography, which will be discussed below.
4.2 What is public-key cryptography?
Public-key cryptography enables users to communicate securely using pairs of public and private keys. In encryption, a key specifies the particular transformation of plaintext into cipher text, or vice versa during decryption. The “public key” is available for all to see, and is akin to an individual’s number in a phone book. The “private key” is kept secret and is hidden safely on each user’s computer. To encrypt an email, the sender obtains the recipient’s public key and the encryption software uses it to encrypt the message. Upon receipt, the recipient’s software uses its private key to decrypt the cipher text. This only works if both parties have compatible encryption programs installed. If not, the sender still has the option of sending a message with a “digital signature”. You can find out more about public-key cryptography here: http://www.faqs.org/faqs/cryptography-faq/part06/
4.3 What is a digital signature?
Digital signatures are generated using the sender’s private key, and take the form of a simple numerical value, normally represented as a long string of digits, or digits and letters. The recipient’s software can check whether the message is authentic by running a verification algorithm on the combination of message, signature and the sender’s public key. If it all matches, the message was genuine, because the private key was needed to create the signature and no one but the sender has it. A general digital signature scheme consists of three procedures (called “algorithms”): a key generation algorithm; a signing algorithm; and, a verification algorithm. Digital signatures are widely used in e-commerce applications. You can find our more about digital signatures here: http://www.rsasecurity.com/rsalabs/node.asp?id=2182
4.4 How can I encrypt and/or digitally sign my email?
Many people use PGP or GPG which can be installed to operate with Outlook, Outlook Express, Eudora and other email programs. The person you wish to send encrypted email to must also have a PGP- or GPG-compatible program installed so they can decrypt it. When you wish to send a PGP-encrypted message to someone, you must carry out an extra step (a few clicks) in order to encrypt it before you send it. Additionally, when sending PGP-encrypted mail to multiple recipients, it must be encrypted for each recipient’s public key. You can encrypt a single message for multiple recipients, but you must specify exactly who it’s to be encrypted for otherwise they won’t be able to read it. And if you wish to send the same message to individuals who do not have PGP installed, you must send a separate unencrypted copy to them. You can learn more about PGP at http://www.pgp.com/. And you can learn more about GPG here http://www.gnupg.org/.
A recently-released system, Ciphire Mail, automates the key generation and exchange process so that you don’t have to worry about it. All you do is install the program and pretty much forget about it. Ciphire Mail invisibly encrypts your mail whenever it detects that a recipient already has Ciphire Mail installed. By default Ciphire Mail can also digitally sign your message so that recipients who do not have Ciphire Mail installed can check the authenticity of the signature by copying the message into a Web form on Ciphire’s Web site. Unlike PGP, Ciphire Mail allows users to send the same message to a mix of Ciphire users and non-Ciphire users, all in one step. You can learn more about Ciphire Mail at http://www.ciphire.com/.
4.5 If I install and use an email encryption system, can I still send messages to my unsecured friends? Am I running any risk?
Well, if you have Ciphire Mail installed you can send to any mix of friends and those who have Ciphire Mail installed will receive encrypted copies (which are automatically decrypted upon receipt), and those without Ciphire Mail will receive plain-text copies. In both cases they will be able to read your message without any further action on their part. And if you use PGP, you can encrypt a message for any group of PGP users, as long as you already have their public keys. There is still an issue if you are sending sensitive information by insecure means! The system is only as strong as its weakest link. So any time you send a plain text message, the information is vulnerable.
Remember that in general you can’t use encryption when sending to email groups (list-servers or Yahoo or MSN groups) because in those cases you send a single message which is re-broadcast to the entire group. The only way to encrypt group transmissions is for everyone in the group to use the same encryption software, and even then special (extra) procedures must be followed. Signing is still useful in these cases, however.
4.6 What happens if a “spoofed” message arrives, claiming to be from someone who uses Ciphire Mail to encrypt or sign their messages? (Such as from an official mailing list, or directly from some official organization.)
You can configure Ciphire Mail to refuse unencrypted messages that *claim to be* from your important correspondents who use Ciphire Mail. Normally they will be sending you encrypted message, of course, so if a “spoofed” message arrives – one from a person who claims to be your correspondent, but who really is not – then Ciphire Mail can immediately warn you that a message has been received which is not properly encrypted or signed. And you can throw it away (you wouldn’t open a virus or other malicious message, would you?).
If you’re using PGP, and you receive a spoofed message, you can also check the PGP signature (if there is one) to determine whether the message is from the purported sender.
4.7 I’m worried and want to be perfectly clear that I understand… Does using encrypted email require that I install some special program on my computer? Will my system administrator allow this?
To send and receive fully-encrypted mail, BOTH you (the sender) and your correspondent (the recipient) must have the email encryption programs, or plug-ins for your email program. Otherwise your mail is sent as plain text, or (worse yet) the recipient can’t read it because it’s encrypted. So, if your organization, or your friends are already using PGP or GPG, then you should get a PGP/GPG-capable program or plug-in. If your friends are using Ciphire Mail, then you should download and install Ciphire Mail. It’s worth noting that you can have BOTH of these solutions installed on the same computer, if you wish, and they should not interfere with each other.
If you work within an organization where you do not have administrative privileges on your desktop computer, then you’ll have to contact your local system administrator to have the software installed.
5—Finding more information
5.1 Where can I find more information on computer security?
There are many good resources on the Internet. The following lists of websites are good places to start:
Security at Home Center
Microsoft
http://www.microsoft.com/athome/security/default.mspx
Home Computer Security
CERT (Carnegie Mellon University Computer Emergency Response Team)
http://www.cert.org/homeusers/HomeComputerSecurity/
Home Network Security
CERT (Carnegie Mellon University Computer Emergency Response Team)
http://www.cert.org/tech_tips/home_networks.html
Stay Safe Online
National Cyber Security Alliance
http://www.staysafeonline.info/home-tips.html
Spyware
Wikipedia Encyclopedia
http://en.wikipedia.org/wiki/Spyware
Computer Virus FAQ for New Users
http://www.faqs.org/faqs/computer-virus/new-users/
alt.comp.virus FAQ
http://www.faqs.org/faqs/computer-virus/alt-faq/part1/index.html
Firewalls FAQ
http://www.faqs.org/faqs/firewalls-faq/
[Compiled by Thubten Samdup, May 5, 2005]