GOVERNMENT TECHNOLOGY/Protecting computers from malicious code
When local government employees and officials browse the Internet, they risk encountering malicious computer code or viruses that can damage desktop systems and even entire computer networks. Those viruses use mobile code, which is code sent from another system and executed on the desktop computer.
Some of the mobile code technologies emerging for Web programming (e.g., Web applets, Java and ActiveX controls) are full of security holes that compromise system integrity. Local governments can protect their computers against mobile code threats and viruses by following six suggestions.
- Run anti-virus software on all desktops, servers and gateways (e-mail and firewall). Most anti-virus solutions detect and remove known mobile code threats in addition to viruses. It is essential to keep all anti-virus signature files and engines as current as possible.
- Install URL blocking software at the gateway or the desktop. URL blocking software can prevent users from going to virus exchange sites and downloading viruses for experimentation. In most cases, URL blocking software will not hinder users from doing their work and will prevent some infections by viruses.
- Configure Web browsers to automatically reject signed Java applets and ActiveX controls. Signed Java applets can request access to a computer system and wreak havoc. If computer users do not need Java applets to do their work, configure Web browsers or the HTTP proxy to automatically terminate/reject all signed Java applets. Additionally, if users do not need to use ActiveX or Netscape plug-ins, configure Web browsers or the HTTP proxy to reject all ActiveX controls or plug-ins.
- Configure desktop browser software to automatically deny all requests by JavaScript, VBScript, etc., to access the local machine's resources. By default, the major browsers will ask users' permission for a script to access the local computer. That decision should not be made by the users. On machines that have proprietary or mission-critical information, all programmable content (and, in fact, all Web browsing) should be prohibited.
- Obtain the latest patches for your Web browser and e-mail products. Over the last few years, researchers have discovered a number of security holes in Internet Explorer, Netscape Navigator and popular e-mail programs. Luckily, the rate at which holes are discovered is slowing, indicating that those products are reaching a level of acceptable security. In most cases when a hole is found, the discoverer works with the product vendor to remove the vulnerability.
Reduce security holes by visiting vendors’ Web sites and installing the latest patches to Internet-based software. For security advisories, consult the Computer Emergency Response Team, a non-profit organization run at Carnegie Mellon University, at www.cert.org.
- Install software to filter executable files or strip macros from incoming e-mail and HTTP traffic. Most viruses are delivered via e-mail. Consequently, filtering incoming e-mail attachments that may harbor viruses will help solve the problem of malicious code in the enterprise.
Some gateway anti-virus solutions can be configured to strip all incoming executable files and/or strip the macros from incoming documents. That drastic measure may deny users access to needed executable or macro content; however, it will virtually neutralize the Internet as a source of malicious code.
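The sketch below illustrates the attachment-stripping step of the sixth suggestion. It is an added example, not code from the article or from any anti-virus product. The extension list, the notice text and the sample message are assumptions constructed for the illustration, and the sketch covers executable attachments only, not macro removal.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative blocklist (an assumption, not a list from the article).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
NOTICE = "Attachment removed by gateway policy."

def is_executable(part):
    """Flag a leaf MIME part by file extension or by the DOS/PE 'MZ' magic."""
    ext = os.path.splitext((part.get_filename() or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return True
    # A renamed executable keeps its header, so inspect the decoded bytes too.
    if part.get_content_maintype() != "text":
        return (part.get_payload(decode=True) or b"")[:2] == b"MZ"
    return False

def strip_executables(raw):
    """Return (cleaned message bytes, names of the attachments removed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart() or not is_executable(part):
            continue
        removed.append(part.get_filename() or "(unnamed)")
        part.set_content(NOTICE)  # replaces payload and Content-* headers
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: one benign and two executable attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "clerk@example.net"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # header bytes only, not a program
    for name in ("setup.exe", "report.doc"):  # second one is a renamed .exe
        msg.add_attachment(fake_pe, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    print("removed:", removed)
```

Checking the decoded bytes as well as the file name matters because an extension-only filter passes an executable that has simply been renamed.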
While there are no known mobile code attacks that have actually targeted end-users of local government computers, some of the mobile code platforms have security holes that make attacks a serious threat. Following those six suggestions will help local governments neutralize that threat.
The author is chief technologist, Enterprise Solutions Division, for Cupertino, Calif.-based Symantec.