CERN Accelerating science

This website is no longer maintained. Its content may be obsolete. Please visit for current CERN information.

CERN home pageCERN home pageDocuments by ReferenceDocuments by ReferenceCNLsCNLsYear 2001Year 2001Help, Info about this page


Editorial Information
If you need help
Announcements Special 35th Anniversary Physics Computing Desktop Computing Internet Services and Network Scientific Applications and Software Engineering Desktop Publishing The Learning Zone User Documentation Just For Fun ...
Previous:Reduced Number of Versions of CCDB Tools (userinfo, userreg, spaceadm)
Next:Password Recommendations at CERN
 (See printing version)

Computer Security: Prevent Viruses and Worms

Denise Heagerty , IT / IS


In July this year several systems at CERN were infected by the "Code Red" worm which resulted in significant network disruption. It is essential that all networked computers remain up-to-date with security patches to reduce the risk of infection from future worms and viruses.

A computer worm is software which copies itself between networked computers, gradually infecting more and more of them. The "Code Red" worm which was launched on the Internet in July this year infected tens of thousands of computers, including 25 on the CERN site. It entered via security holes on computers which had not been regularly patched and seriously disrupted the CERN network with the massive traffic it generated.

System administrators must ensure that their computers have the latest security patches installed, for both the operating system and any application services using the network. If your system is running application services which are not necessary (e.g. some may be running by default or for historical reasons) then disable them. Systems running CERN-certified operating systems can profit from IT Division's services which apply tested patches automatically or provide them for manual installation. Those who have installed their own operating systems or applications must themselves check for and install relevant security patches.

Please refer to the CERN's security recommendations, at URL: which are reproduced below.

CERN Computer Security Recommendations

1. Don't open unexpected e-mail attachments.

Viruses often hide in e-mails from strangers, but can also appear to come from someone you know. Opening an attachment can activate a virus and place your computer at risk. If you are not expecting the attachment then either delete the e-mail directly or obtain further details from the sender before opening the attachment. The safest way to read an attachment is to first copy it to disk and then open it using the appropriate program (word, excel, ...). You can also run an anti-virus check on the file before opening it.

2. Click "cancel" (instead of "ok") or close unexpected dialogue boxes when using the web.

Visiting a web site sometimes results in dialogue boxes. If you don't expect them or don't understand them then either click "cancel" or close the dialogue box. If you click "ok", you may be agreeing to transfer and run a file containing a virus.

3. Don't answer or forward unsolicited e-mail - delete it immediately.

We all receive unexpected e-mail: advertising, requests for money or support for a cause. Sometimes it appears to come from an organisation or person that we know, maybe even from someone at CERN. The from address of these e-mails has usually been forged and cannot be trusted. The contents of the e-mail may contain a trick, particularly if it invites you to visit a web site or contains an attachment. If you react to such e-mails you risk introducing a virus into CERN, exposing your personal information (such as your e-mail address and getting even more of these e-mails), and wasting time and money. The more realistic the mail, particularly if it is related to a recent or topical event, the more dangerous it is likely to be. Hoax e-mail warning you of a virus is extremely common - delete it. If the mail asks you to forward it to other people: DO NOT. Unsolicited e-mail can usually be recognised by checking the subject and sender, so don't even read it - delete it rapidly. If you continue to receive unsolicited e-mail from the same sender then you can report this to

4. Run anti-virus software which is automatically updated (several new viruses appear each day).

CERN's centrally managed NICE PCs are equipped with anti-virus software and are automatically updated to limit damage from known viruses. If a virus is discovered, the anti-virus software will notify you, and prevent it from running (by placing it in quarantine). You should continue to work normally, as the anti-virus service will be automatically informed and will contact you if any further action is required. Occasionally, the anti-virus software cannot completely prevent damage, so if you do experience problems contact (tel: 78888), with the name of your PC, details of the error message and problem, and request a virus check.

Anyone managing their own Windows PC is responsible for obtaining, installing and keeping their anti-virus software up-to-date. This applies to all PCs on the CERN network, including those of visitors. Regularly updated anti-virus software is particularly important for portable PCs which are used at other locations and connect to other Internet Service Providers since they bypass CERN's security protections. This not only increases their own chance of infection, but places the whole CERN site at risk, since once infected, they can spread an infection from inside our firewall.

5. Don't copy or run software from non-trusted sources, e.g. via the Internet or physical media such as diskettes or CDs.

Viruses are often hidden inside files. When you copy and run a file containing a virus, you can infect not only your own PC, but can start to spread a virus inside CERN's firewall. Only copy files from trusted sources, such as commercial companies with whom CERN has a software agreement.

6. Choose secure passwords and change them regularly.

Programs to crack passwords or read them from the network are readily available. To limit the risk of your password being cracked, it should be at least 8 characters long and include letters (both upper and lower case), digits and punctuation. You should change your password regularly and always after a trip where you could have exposed your password at a remote site. More detailed advice is at

7. Avoid applications with unencrypted sessions, especially when connecting to CERN from off-site.

Applications such as telnet, ftp and X windows, expose all session data, including passwords, in clear on the network. Using such applications, especially to connect to CERN from other sites, has a strong risk that your password and other personal data will be exposed and used by intruders for malicious activity. You are strongly recommended to use applications, such as ssh, which encrypt session data, when accessing CERN from remote sites or for performing sensitive or privileged actions on-site. More detailed advice is at

Web sites prefixed by "http" expose data in clear. For sensitive data, such as passwords and credit card numbers, ensure that the data is encrypted, e.g. by using web sites prefixed by "https".

8. Use CERN's recommended and centrally managed systems - if you manage your own system or have installed your own applications, you are responsible for keeping the software secure:

  • limit application services listening on network port numbers to the absolute minimum
  • limit the number of users authorised to access the system to a minimum
  • ensure that the system and applications are securely configured
  • ensure that security patches are regularly applied - this may require upgrading to later versions
  • don't install software which you don't understand
  • respond quickly to fixes proposed by CERN's security team

9. Protect your system by CERN's firewall.

Systems connected to CERN's network must be registered at The default OUTGOING network access allows direct connections to the Internet from CERN, while still offering some protection by CERN's firewall. If your system does not need to access the external Internet and you want extra protection in the firewall, you can register the network access called NONE. If absolutely required, INCOMING access can be registered, to allow direct access from the Internet. Such systems have significant risk of being attacked and expose the whole CERN site to security risks. It is essential that they are actively and continually secured (see point 8).

10. Keep yourself informed of CERN's security rules and advice:, 23 October 2001

About the author(s): Denise Heagerty is the CERN Computer Security Officer.

For matters related to this article please contact the author.

Vol. XXXVI, issue no 3

Last Updated on Fri Dec 07 14:18:27 CET 2001.
Copyright © CERN 2001 -- European Organization for Nuclear Research