CyberCondoms
Internet Computer Security
This isn't about
guns, but if you're on the internet, you should be concerned. Once upon
a time, the only threats to our computers were viruses. Most of these
were simply obnoxious pranks which were only contracted by reading an
infected disk or downloading questionable software from the internet.
Generally, these early viruses were a form of vandalism that messed up
the computer and replicated themselves. Today, the threats faced by
users of the internet are far more sinister and complex than they were
in the simple days of yore. These include browser hijacks and security
exploits, phishing re-directs, back-door trojans, adware, spyware, key
loggers, and of course, the good old fashioned viruses are still around,
although much more virulent and sophisticated than they used to be.
The objectives of the black hat code writers are
diverse and complex. Sometimes it is simply a criminal effort to gain
access to people's bank accounts. Others are overly aggressive
advertising designed to make you look at their web sites and pop-ups
even if you don't want to. Some are spyware for advertisers who want to
know what people are doing with their computers. Others are large-scale
attacks which appear to target the internet itself in order to do
political or economic damage. No doubt many more
nefarious schemes will be hatched in the minds of these computer
criminals, and some of them are very good at what they do. What follows
is a quick survey of the different types of threats and some suggestions
of what you can do to protect yourself.
Browser Hijacks and Exploits
Browser hijacks are "browser helper objects" which are installed
surreptitiously on your computer when you surf to an evil or infected
web site. Not all BHOs are bad. A number of legitimate programs install
browser helper objects to enhance the functionality of Internet
Explorer. Some of these include Adobe Acrobat and Norton System Works.
But the black hats figured out that they could install these BHOs
surreptitiously, and some of the black hat BHOs are evil indeed. One of
the worst is called Cool Web Search. It has a number of variants and I have yet to find an
anti-virus or anti-spyware program which will remove it completely. It
resets your home page to a strange search engine hosted in Russia or "about:blank."
Some of these browser hijacks may transmit personal information such as
bank account numbers and PINs stored
in your web browser back to servers which collect the information for
criminal purposes. Believe it or not, some of the Cool Web Search
hijacks are simply "pay-per-click" schemes that pay the downloading
websites for the number of hits they direct back to the home site.
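One practical way to spot the kind of hijack described above is to export the relevant registry keys from a known-clean machine, keep that as a baseline, and periodically compare. The following is an added example written for this page, not code from the article or from any product named here: it parses a .reg export, lists every registered browser helper object, and reports any CLSID missing from a baseline allow-list together with a changed Internet Explorer start page (the "about:blank" symptom mentioned above). The registry paths are the real locations IE uses; the export text, the allow-list CLSID and the expected home page are constructed for the example.

```python
"""Look for signs of a browser hijack in a Windows registry export (.reg):
browser helper objects that were not installed on purpose, and an Internet
Explorer start page that no longer points where it should.  Added example, not
code from the article; the export text and the allow-list are constructed."""
import re

# Real registry locations: where IE looks for BHOs, and where the start page lives.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Hypothetical baseline: the CLSIDs of helpers the owner knowingly installed,
# and the home page the owner set.  Record these on a known-clean machine.
KNOWN_GOOD_BHOS = {"{11111111-1111-1111-1111-111111111111}"}
EXPECTED_START_PAGE = "http://www.example.com/"

# Constructed export in the format `reg export` writes; not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="Helper the owner installed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-0000-0000-000000000000}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://www.example.com/search"
'''

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Only string (REG_SZ) values and the default value '@' are handled,
    which is all these checks need; other value types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'(?:"([^"]*)"|@)=(.*)', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys

def lookup(keys, path):
    """Registry paths are case-insensitive, so match them that way."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}

def installed_bhos(keys):
    """Map each registered BHO CLSID to its default-value name (often empty for malware)."""
    prefix = (BHO_KEY + "\\").lower()
    return {k[len(prefix):]: v.get("@", "")
            for k, v in keys.items() if k.lower().startswith(prefix)}

def check_for_hijack(reg_text):
    """Return human-readable findings; an empty list means nothing unexpected."""
    keys = parse_reg(reg_text)
    known = {c.upper() for c in KNOWN_GOOD_BHOS}
    findings = []
    for clsid, name in sorted(installed_bhos(keys).items()):
        if clsid.upper() not in known:
            findings.append(f"unknown BHO {clsid} ({name or 'no name'})")
    start = lookup(keys, IE_MAIN_KEY).get("Start Page")
    if start is not None and start != EXPECTED_START_PAGE:
        findings.append(f"start page changed to {start!r}")
    return findings

if __name__ == "__main__":
    for finding in check_for_hijack(SAMPLE_REG) or ["no signs of a hijack"]:
        print(finding)
```

The allow-list is the important part: a BHO with no name and a CLSID you never installed is exactly the thing an anti-spyware scanner may miss when the variant is new, and a baseline diff catches it regardless of whether anyone has a signature for it yet.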
Alternate Browsers – One Response to Hijacks
After rebuilding my completely patched and virus/trojan/scumware
protected XP Pro box for the second time, from the disk partition up,
due to an infection with Cool Web Search which was supposed to be fixed
by a Microsoft security patch months ago, I decided that there had to be
a better way. I downloaded and installed the Mozilla Firefox web browser.
The Mozilla-based browsers aren't as vulnerable to the Trojans and hijacks
because the black hats target Internet Explorer, the dominant browser by
a factor of about 10 to 1. If enough people switch to the Mozilla-based
browsers, the black hats may switch to targeting them also, but it hasn’t
happened yet, and perhaps by that time
Microsoft will have plugged the holes in IE. Microsoft has made it easy
for the evil coders by building so many OLE, scripting, and macro
capabilities into IE and the Office suite of products. What's
more aggravating is that Microsoft seems reluctant and tardy to deal
with these security issues.
Firefox reminds me most closely of Netscape 3, but
with the bugs of NS 3 fixed. I’m thinking back to the Netscape we knew
before Netscape junked itself up by trying to be a complete internet
operating system. NS 3 was the best of the Netscape browser versions, in
my opinion, although some might argue that v.2 was cleaner. With version
4 and beyond, Netscape tried to do everything: web browsing, e-mail,
instant messaging, and HTML editing. In doing so, it became buggy and
unstable, at least in the Windows environment. Some of the bugginess is
no doubt the result of the browser jihad between Microsoft and Netscape.
Microsoft won that one. Netscape was gobbled up by AOL and Mozilla was
spun off into an open source freeware project.
The most recent security attack, the Scob Trojan, was extremely serious.
Scob was not a simple “mess up your computer”
sort of Trojan. It was a browser hijack that redirected your browser to
a server in Russia and transmitted personal information from your
computer to the black hat server. This personal information would
include things like passwords and credit card numbers. Scob exploits
security gaps in Internet Explorer. This is when I began to think
seriously of using another browser, and checked out Firefox.
Firefox runs well and seems to be fairly bug free.
It’s also free and doesn’t contain any ad-ware. You have to install the
Sun Java runtime environment because Firefox doesn’t use the
now-orphaned Java virtual machine from Microsoft. Firefox includes an
internal pop-up blocker which is nice and is a security feature in
itself. In the privacy section of its
tools, it has a one button “clear all” which removes all history,
cookies, form data, and cache. Most importantly, it is immune to most of
the browser scumware that’s out there. I wouldn’t remove my Norton
Antivirus, but you still know that Firefox is impervious to most of the
dangerous hijacks. I would definitely consider Firefox to be a viable
option, at least until Microsoft can plug the chinks in its armor.
Anti-Virus Software
A strong anti-virus program remains at the heart of
a solid internet security system. We have come a long way from those
cute little viruses that infected COMMAND.COM and put mocking messages
on our screens. The viruses of today are generally carried by e-mail.
The objective of these attacks may be to install a back door into your
computer which allows an attacker to install programs, access files, and
launch more attacks from your computer. The objective may be to launch
mass mailings or denial of services attacks from your computer. These
kinds of attacks can also be used to steal personal information and log
keystrokes. These viruses are nasty and they're clever. They will
often arrive filled with official sounding language designed to stampede
you into opening the attachment. The one immutable rule for dealing with
e-mail-borne viruses is to never, repeat never, open or click on an
e-mail attachment that you are not expecting. Use a virus scanner that
scans your e-mail as it comes in, and never open unexpected or
suspicious looking e-mail attachments. The infected e-mail may even come
from an address that you recognize, but if your friend has never sent
you an attachment and has no reason to today, don't open the strange
attachment. Send an e-mail back to the sender and ask if they have sent
you a message with an attachment. I use Norton antivirus for scanning
incoming e-mail, and it is very good, but I have even had infected
e-mails leak through Norton in the case of new viruses that may not be
in the virus definition files yet. Repeating, never open an attachment
you aren’t expecting to receive. While I use Norton Antivirus, McAfee AV
and F-Prot are also excellent antivirus products.
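The rule above (an attachment you weren't expecting is suspect, whoever it appears to come from) can be mechanized to some degree before a scanner's signatures catch up. The following is an added example, not code from the article or from any antivirus product: it parses a message with Python's standard email module and reports an unexpected attachment, pressure wording in the subject, and attachment names that Windows would run as programs or that hide an executable behind a second extension. The message itself and the extension and phrase lists are constructed for the example.

```python
"""Triage a message's attachments before anyone opens them, applying the rule
above: an attachment you were not expecting is suspect, and one that Windows
would execute (or that hides an executable behind a second extension) is worse.
Added example, not from the article or any antivirus product; the message and
the word lists are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as programs or scripts (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Wording chosen to stampede the reader, as the text describes (constructed list).
URGENCY_PHRASES = ("immediately", "suspended", "urgent", "final notice")

def build_sample_message():
    """Construct a phishing-style message: a disguised executable plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"          # a known address, as the article warns
    msg["To"] = "me@example.com"
    msg["Subject"] = "IMPORTANT: your account will be suspended"
    msg.set_content("Please open the attached statement immediately.")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 not a real document", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

def classify_attachment(filename):
    """Reasons this attachment looks dangerous, judged from its name alone."""
    root, ext = os.path.splitext(filename.lower())
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        inner = os.path.splitext(root)[1]
        if inner:  # statement.pdf.exe shows as 'statement.pdf' when extensions are hidden
            reasons.append(f"double extension disguises it as {inner}")
    return reasons

def triage(raw_bytes, expecting_attachment=False):
    """Return {attachment_name: [reasons]} plus a '*' entry for message-wide warnings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {"*": []}
    subject = str(msg["Subject"] or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings["*"].append("subject uses pressure language")
    attachments = list(msg.iter_attachments())
    if attachments and not expecting_attachment:
        findings["*"].append("unexpected attachment: confirm with the sender before opening")
    for part in attachments:
        name = part.get_filename() or "(unnamed)"
        findings[name] = classify_attachment(name)
    return findings

if __name__ == "__main__":
    for name, reasons in triage(build_sample_message()).items():
        print(name, "->", "; ".join(reasons) or "nothing suspicious")
```

Note that the harmless-looking PDF is still reported as unexpected: the name check only adds severity, and the sender's address proves nothing, which is why the output tells you to ask the sender rather than to open it.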
Adware and Spyware
This is absolutely the broadest category of
scumware. The majority population of this group is the tracking cookie
which only records where the web surfer has been and sends a report to a
server set up to collect the information. While I consider this
unethical spying on my activities with my computer, most tracking
cookies are harmless. These are downloaded by many large commercial
sites which are supported by banner advertising. At the other end of the
maliciousness scale in spyware are the keystroke loggers. These
programs record keystrokes when certain conditions are present, and
then send them to interested parties. Browser hijacks can also be quite
malicious, sending personal account information to malicious web
servers. If you are one who likes to download and try free software on
the internet, you probably have some adware and spyware on your computer,
unless you have scanned it recently with an anti-spyware program. In the
middle range of malicious spyware are the
"toolbar" programs which may pop up unwanted advertising or report more
detailed information about your computing activities to interested
parties. Regardless of their level of maliciousness or criminality,
software writers and web masters have no right to install programs on my
computer that report information or display advertising without my
knowledge and permission. The defenses against this sort of scumware
include never allowing a web site to install software on your computer
unless you are absolutely sure what it is and that you want it, not
randomly installing free warez from the internet, and using anti-spyware
programs such as SpyBot, Ad-Aware or Spy Sweeper. It is also a good idea
to keep your antivirus program running in "auto-protect" mode while
surfing unfamiliar sites. For tips on recognizing spyware, see
Recognizing and Avoiding Spyware.
Adware, Spyware and Scumware Blockers
I am using two anti-scumware programs. Both are
pretty good, and neither is perfect.
SpyBot is free and has a bunch of advanced
features. Spy Sweeper runs on a subscription basis and is more
automatic. Be warned that there are a few Trojans and browser hijacks
that will defeat any of these protection programs. The Cool Web Search
browser hijack will completely defeat any of these programs and the only
way to really get rid of it is to wipe your hard drive and re-install.
It is often downloaded from adult sites. You will think you are clicking
on a picture and you're actually installing a browser hijack. Having
your Norton Antivirus set to auto-protect will help block these trojans,
but even it isn't always 100%. Some of these Trojan writers are really
"good" in an evil way and if I ever find one of them, I will blow his
knee caps off.
I'm about to decide that SpyBot 1.3 is better than
Spy Sweeper. Spy Sweeper updates their definitions much more frequently,
but SpyBot has better tools for advanced users. With v. 1.3 they have
added a little TSR widget that blocks any attempts to modify your
registry. It will pop up a screen showing what the change being
attempted is, and give you the option to accept or deny. Very cool. Spy
Sweeper runs TSR and does everything automatically, which I like. It
updates itself and scans every day, and runs TSR to block scumware.
Firewalls
When we hear the word, "ports" in the context of
computers, we tend to think of USB, serial and parallel ports, because
these are the physical points of attachment that computer users deal
with most often. The fact of the matter is that your operating system
actually has thousands of "ports" which are addresses in memory, all of
which can be accessed and connected to by other computers. This is
especially important if you have an "always on" kind of internet
connection like a cable or DSL modem. Skilled hackers can access these
ports and use them to install proxy servers or SMTP servers to launch
denial of services attacks or mass mailings. I have even heard of
hackers installing whole websites, usually porno sites, on the computers
of unsuspecting home users who didn't have a clue until their ISP's cut
them off for violation of terms of use. For this reason, it is important
to have a firewall installed to block these types of intruders. The
function of a firewall is to close all of these open ports and only
allow traffic through acceptable protected ports. There are several
possibilities for getting the firewall functionality onto your system.
Windows XP has a built-in firewall that is turned off by default, but you
can turn it on if you choose to use it.
Another option is to put a router with a firmware firewall between your
modem and computer. Finally, you can install a software firewall, such
as Zone Alarm, Black Ice, or the firewalls from McAfee and Symantec, to your computer.
While I was writing this, a hacker probed a half
dozen ports on my router. Each of these ports is typically attacked by
backdoor trojans. If you use a router with a firmware firewall (highly
recommended), a program called WallWatcher is an excellent logging and
diagnostic program which will help you see and understand the probes and
attempts to access your system. The most
appalling thing you will observe is the frequency of attempts to gain
access and control over your computer by hackers. If you would like to
see how secure your ports are, go to Shields Up! and get scanned.
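The value of a logging tool like the one described above is less in any single dropped packet than in the pattern: one source walking through several ports in a few seconds is a sweep, and the same port hit by many sources tells you what the current crop of backdoors is hunting for. The following is an added example, not code from the article or from WallWatcher, that does that summary over a firewall log: it counts dropped connections per destination port and per source, and flags sources that touched several distinct ports. The log line format and every line in it are constructed (addresses are from the RFC 5737 documentation ranges); a real router's syslog needs its own regular expression.

```python
"""Summarize dropped inbound connections from a router firewall log so the
repeated probes described in the article stand out.  Added example, not from
the article or from WallWatcher; the log format and every line are constructed."""
import re
from collections import Counter, defaultdict

# Constructed line format; a real router's syslog will differ and need its own regex.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample: one source sweeping five ports, one hammering a single port,
# one accepted connection, and one line that is not a firewall record at all.
SAMPLE_LOG = """\
Jul 12 10:15:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4123 dpt=135
Jul 12 10:15:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4124 dpt=139
Jul 12 10:15:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4125 dpt=445
Jul 12 10:15:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4126 dpt=1433
Jul 12 10:15:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4127 dpt=4899
Jul 12 10:20:44 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP spt=2201 dpt=445
Jul 12 10:21:09 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP spt=2202 dpt=445
Jul 12 10:30:00 ACCEPT src=192.0.2.99 dst=192.0.2.10 proto=TCP spt=51000 dpt=80
this line is not a firewall record and is skipped
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec

def summarize(lines, scan_threshold=3):
    """Count dropped probes per destination port and per source, and flag any
    source that touched at least scan_threshold distinct ports (a sweep)."""
    hits_per_port = Counter()
    ports_by_source = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue                      # only blocked inbound attempts are probes
        hits_per_port[rec["dpt"]] += 1
        ports_by_source[rec["src"]].add(rec["dpt"])
    return {
        "hits_per_port": dict(hits_per_port),
        "probes_per_source": {src: sorted(p) for src, p in ports_by_source.items()},
        "likely_scanners": sorted(src for src, p in ports_by_source.items()
                                  if len(p) >= scan_threshold),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for port, n in sorted(report["hits_per_port"].items()):
        print(f"port {port:5d}: {n} dropped")
    for src in report["likely_scanners"]:
        print(f"{src} swept ports {report['probes_per_source'][src]}")
```

Run over a day's worth of real router output, the per-port counts are what to compare against the list of ports a Shields Up! scan reports as open: anything that is both open on your side and frequently probed from outside is the first thing to close or put behind the firewall.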
Spam Blockers
Since I have several web sites and produce e-mail
newsletters, most of my e-mail addresses go all over the place and get
harvested by the spammers. As you can imagine, I get an enormous amount
of spam. In the past two days, I received 553 e-mails. 389, or 70%, were
spam. This gets to be a chore to just scroll through the inbox and
delete all of this junk. Many of these spam e-mails arrive with strange
attachments, viruses, and other malevolent scripts or links. Not only is the spam
a nuisance, it is also a security threat.
On the recommendation of a friend, I tried McAfee SpamKiller. This $40
product works well. Yes, I resent having to spend
money, learn another program, and run another program just to protect my
system from these online vermin, but the reality of the internet these
days demands protective strategies.
SpamKiller is designed primarily to work with
Outlook Express, and the installation to Outlook Express is virtually
automatic. It also functions with other e-mail clients, but it will
require manually changing the POP3 server to a “localhost” server
address in the non-Outlook e-mail client. I use Goldmine to manage my
e-mail lists and SpamKiller works fine with it once the POP3 server
address is set.
SpamKiller works primarily by maintaining a
“friends” list of e-mail addresses to accept, and a list of filters
which scan incoming e-mail for words, phrases and characteristics of
spam e-mail. SpamKiller actually downloads the e-mail and analyzes it
and then sends the accepted e-mail to the in-box of your e-mail client.
It comes with a large set of default filters which it updates frequently
from McAfee servers. You can also create your own filters or modify the
ones already installed in the program. With SpamKiller set at the
default “High” level of protection, it will intercept every e-mail from
anyone not on the friends list. When it installs to Outlook Express, it
reads your address book and automatically adds your address book to the
friends list so you don’t have to manually enter all of these “friends.”
If you subscribe to lists like Yahoo Groups, you do have to admit each
poster on the list as their e-mails arrive, but once admitted,
subsequent messages from that poster will be accepted. You also have the
option of blocking individuals on the lists. If a spam does squeak
through the filters, you have the option to block the e-mail, report it
to McAfee so that it can be added to their filters, and/or send
complaint messages if that makes you feel better. When you block an
e-mail, a new filter is created using the characteristics of the e-mail.
Blocked e-mails which you want to accept can be “rescued” from the
blocked list and a new “friends” account is created.
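The mechanism described above (friends bypass the filters, strangers are scanned by filter rules, unknown senders are held at the "High" level, blocking derives a new rule from the message, and rescuing a held message creates a friend) is simple enough to model in a few dozen lines, and doing so shows why the review screen the article complains about is unavoidable. The following is an added example, not SpamKiller's code; every address, subject and filter rule in it is constructed, and the "characteristics" a blocked message contributes to a new rule are reduced here to the sender address.

```python
"""A small model of the friends-list-plus-filters scheme described above.
Added example; this is not SpamKiller's code, and every address, subject
and rule is constructed."""

def subject_contains(phrase):
    """Filter rule: block when the subject contains the phrase (case-insensitive)."""
    def rule(msg):
        return phrase.lower() in msg["subject"].lower()
    rule.__name__ = f"subject_contains({phrase!r})"
    return rule

def sender_is(address):
    """Filter rule: block everything from one address."""
    def rule(msg):
        return msg["from"].lower() == address.lower()
    rule.__name__ = f"sender_is({address!r})"
    return rule

class SpamGate:
    def __init__(self, friends=(), filters=(), level="High"):
        self.friends = {a.lower() for a in friends}   # accepted without scanning
        self.filters = list(filters)                  # rules applied to everyone else
        self.level = level                            # "High": unknown senders are held
        self.inbox = []                               # what gets handed to the mail client
        self.blocked = []                             # held messages the user must review

    def classify(self, msg):
        """Decide, without side effects, what would happen to this message."""
        if msg["from"].lower() in self.friends:
            return "accept"
        for rule in self.filters:
            if rule(msg):
                return "blocked: " + rule.__name__
        if self.level == "High":
            return "blocked: sender not on friends list"
        return "accept"

    def deliver(self, msg):
        verdict = self.classify(msg)
        (self.inbox if verdict == "accept" else self.blocked).append(msg)
        return verdict

    def rescue(self, index):
        """Move a held message to the inbox and make its sender a friend."""
        msg = self.blocked.pop(index)
        self.friends.add(msg["from"].lower())
        self.inbox.append(msg)
        return msg

    def block(self, msg):
        """The user blocks a message that got through: drop the sender from the
        friends list and add a rule built from the message (here: its sender)."""
        sender = msg["from"].lower()
        self.friends.discard(sender)
        self.filters.append(sender_is(sender))
        if msg in self.inbox:
            self.inbox.remove(msg)
            self.blocked.append(msg)

def run_demo():
    """Walk through the scenarios from the text; returns the verdicts and the gate."""
    gate = SpamGate(friends=["pal@example.com"], filters=[subject_contains("free money")])
    pal = {"from": "pal@example.com", "subject": "free money for lunch?"}
    spam = {"from": "spam@example.net", "subject": "FREE MONEY NOW"}
    newcomer = {"from": "newclient@example.org", "subject": "Question about your article"}
    verdicts = [gate.deliver(m) for m in (pal, spam, newcomer)]  # friend, filter hit, held
    gate.rescue(1)                                               # newcomer becomes a friend
    verdicts.append(gate.deliver({"from": "newclient@example.org", "subject": "Follow-up"}))
    gate.block(pal)                                              # block someone on a list
    verdicts.append(gate.deliver({"from": "pal@example.com", "subject": "Still me"}))
    return verdicts, gate

if __name__ == "__main__":
    for v in run_demo()[0]:
        print(v)
```

Two things the model makes visible: a friend's message skips the filters entirely (the lunch invitation with "free money" in the subject goes straight through), so the friends list is only as safe as the addresses on it, and at the "High" level every legitimate first contact lands in the blocked list, which is exactly the extra screen the article describes having to check.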
SpamKiller works well, is reasonably intuitive, and
does not seem to suffer any interaction problems with other software. I
use Norton Anti-Virus and I was concerned that the McAfee product might
conflict with the Norton since they are head-to-head competitors in the
AV market, but they play well together. If I have a complaint with the
program, it is that you have to frequently check the blocked message
list for e-mails that you want to receive. I don’t know that there’s a
better way to do this because I would not want the program to simply
whack an e-mail without allowing me to see it, but this does add another
screen and another task to deal with, especially if you are someone like
me who often receives legit e-mails from new people.
If you are having problems with spam, SpamKiller is
a stable and well-rendered solution. There are several good spam
blocking programs like MailWasher and SpamKiller, and there are also a
number of bogus ones that are little more than scams themselves.
Parting Shots and Reflections
You will notice that much of the preceding
discussion deals with Microsoft Windows and server software. There are
two reasons for this. The first is that Microsoft has become a victim of
its own success. Since it is the dominant operating system in the world,
it is the most logical target for hackers. MS products receive the
lion's share of hacker attention due to the overwhelming numerical
dominance of MS products in the computer population. If I were looking
to steal money with a computer, I wouldn't focus on learning to hack
Fortran crunching mainframes, nor would I pay much attention to
Macintosh systems. Web servers don't run on Mac OS; they run on
Microsoft or Unix/Linux operating systems. Over 90% of the visitors to
my site run Windows and Internet Explorer. For a hacker, there's your
target designator. The second reason has to do with Microsoft's design
policy, basically trying to be all things to all people and building an
endless parade of widgets, macro capabilities, Object Linked Embedding,
and scripting capabilities into every product they write. I'm not a
Microsoft basher. I have used their products since DOS 1, and I still
like them. I have worked with Mac and Unix systems and I just don't like
them as much as Windows PC's. Microsoft has created some truly excellent
products in their time and I use many of them. At the same time, we have
all watched as MS products became bloated and cluttered with widgets and
unnecessary interoperability. MS products have become so complex that
even small security patches take months for MS to work out. The design
philosophy has put primary emphasis on adding flashy multimedia
functionality and "ease of use" which will impress consumers and sell a
lot of boxes. I don't begrudge a guy trying to make a buck, but in the
rush to mesmerize consumers, out-Macintosh Apple, and be all things to
all people, security has slipped too far down on the scale of
priorities. The multitude of functions, configurability, and
interoperability of MS systems unfortunately create a multitude of
openings for hackers to exploit. The point of this is not to flail MS
for giving us what they thought we wanted – if we had been content with
Apple Writer and WordStar we would still be using them – the purpose is
to sketch out the parameters of the problem.
This stuff has gotten serious and it requires a
serious response. The threats have moved out of the playpen. The Love
Bug virus was estimated to have a worldwide economic impact of $8.75
billion in the year 2000. That was the effect of one piece of
malicious code. Today there are thousands, many of which make Love Bug
look like kids' stuff.
Even those of us who work with the internet a lot
don't have a full grasp of how much our business, media, communications,
finance, transportation and even national defense utilize and depend
upon the internet. Threats to the internet are truly threats to our
civilization.
I learned of the 9-11 attack because I "felt" it in
the internet. I start my day by drinking a cup of coffee while I read
the local newspaper and then I get on the web to read the up-to-date
national and international news on the major news websites. On the
morning of 9-11, none of the news sites would come up. I rebooted my box
but the news sites still wouldn't load. It was only then that I turned
on the TV to see what was going on. The internet has become the central
nervous system of American civilization. Paralyze it, and we are blinded
and deafened.
What is required of us is a sort of militia
attitude: we have to provide for our own electronic defense. Government
and the big software companies don't seem to be up to the task. Like any
other form of self-defense, situational awareness is at least half the
battle. It is necessary to become acquainted with the threats and how to
deal with them, and then to put in place strategies to defeat them.
Resources
INTERNET STORM CENTER
US-CERT
SHIELDS UP!
Port Security Tester
SECURITY FOCUS
"Tight integration of the browser with
the operating system provides some convenience and power for Windows
developers and users, but has also been a continuing source that allows
malicious hackers to leverage that same convenience and power for their
exploits... Most of this convenience centers on the default protection
mechanisms for downloading, installing and running executable programs
without the knowledge of the user or any intervention by the user."
Chris Hofmann, engineering director at the
Mozilla Foundation
"...Zombie PC's in
a Botnet Army...
Vast networks of home computers are being rented out without their
owners' knowledge to spammers, fraudsters and digital saboteurs,
security experts said on Wednesday. The terminals have been infected by
a computer virus, turning them into zombies -- slaves to the commands of
a malicious and unseen controller. Connect them all up and the result is
a powerful network of zombie PCs that security experts call a botnet....Small
groups of young people creating a resource out of a 10-30,000-strong
computer network are renting them out to anybody who has the money, a
source in Scotland Yard's computer crime unit told Reuters. There may be
millions of such PCs around the world doing the bidding of crime gangs,
experts say, and they can be rented for as little as $100-per-hour."
By Bernhard Warner, Reuters European Internet Correspondent