Internet Computer Security

This isn’t about guns, but if you’re on the internet, you should be concerned. Once upon a time, the only threats to our computers were viruses. Most of these were simply obnoxious pranks which were only contracted by reading an infected disk or downloading questionable software from the internet. Generally, these early viruses were a form of vandalism that messed up the computer and replicated themselves. Today, the threats faced by users of the internet are far more sinister and complex than they were in the simple days of yore. These include browser hijacks and security exploits, phishing redirects, back-door trojans, adware, spyware, key loggers, and of course the good old-fashioned viruses, which are still around, although much more virulent and sophisticated than they used to be.

The objectives of the black hat code writers are diverse and complex. Sometimes it is simply a criminal effort to gain access to people’s bank accounts. Others are overly aggressive advertising designed to make you look at their web sites and pop-ups even if you don’t want to. Some are spyware for advertisers who want to know what people are doing with their computers. Others are large-scale attacks which appear to target the internet itself in order to do political or economic damage. No doubt many more nefarious schemes will be hatched in the minds of these computer criminals, and some of them are very good at what they do. What follows is a quick survey of the different types of threats and some suggestions of what you can do to protect yourself.

Browser Hijacks and Exploits

Browser hijacks are “browser helper objects” which are installed surreptitiously on your computer when you surf to an evil or infected web site. Not all BHOs are bad. A number of legitimate programs install browser helper objects to enhance the functionality of Internet Explorer. Some of these include Adobe Acrobat and Norton SystemWorks. But the black hats figured out that they could install these BHOs surreptitiously, and some of the black hat BHOs are evil indeed. One of the worst is called Cool Web Search. It has a number of variants and I have yet to find an anti-virus or anti-spyware program which will remove it completely. It resets your home page to a strange search engine hosted in Russia or to “about:blank.” Some of these browser hijacks may transmit personal information such as bank account numbers and PINs stored in your web browser back to servers which collect the information for criminal purposes. Believe it or not, some of the Cool Web Search hijacks are simply “pay-per-click” schemes that pay the downloading websites for the number of hits they direct back to the home site.

Alternate Browsers – One Response to Hijacks

After rebuilding my completely patched and virus/trojan/scumware-protected XP Pro box for the second time, from the disk partition up, due to an infection with Cool Web Search which was supposed to be fixed by a Microsoft security patch months ago, I decided that there had to be a better way. I downloaded and installed the Mozilla Firefox web browser. The Mozilla-based browsers aren’t as vulnerable to the Trojans and hijacks, since the black hats target Internet Explorer because it’s the dominant browser by a factor of about 10 to 1. If enough people switch to the Mozilla-based browsers, the black hats may switch to targeting them also, but it hasn’t happened yet, and perhaps by that time Microsoft will have plugged the holes in IE. Microsoft has made it easy for the evil coders by building so many OLE, scripting, and macro-running capabilities into IE and the Office suite of products. What’s more aggravating is that Microsoft seems reluctant and tardy in dealing with these security issues.

Firefox reminds me most closely of Netscape 3, but with the bugs of NS 3 fixed. I’m thinking back to the Netscape we knew before Netscape junked itself up by trying to be a complete internet operating system. NS 3 was the best of the Netscape browser versions, in my opinion, although some might argue that v.2 was cleaner. With version 4 and beyond Netscape tried to do everything — web browsing, e-mail, instant messaging, and HTML editing. In doing so, it became buggy and unstable, at least in the Windows environment. Some of the bugginess is no doubt the result of the browser jihad between Microsoft and Netscape. Microsoft won that one. Netscape was gobbled up by AOL and Mozilla was spun off into an open source freeware project.

The recent Scob Trojan attack was extremely serious. Scob was not a simple “mess up your computer” sort of Trojan. It was a browser hijack that redirected your browser to a server in Russia and transmitted personal information from your computer to the black hat server. This personal information would include things like passwords and credit card numbers. Scob exploits security gaps in Internet Explorer. This is when I began to think seriously of using another browser, and checked out Firefox.

Firefox runs well and seems to be fairly bug-free. It’s also free and doesn’t contain any adware. You have to install the Sun Java runtime environment because Firefox doesn’t use the now-orphaned Java virtual machine from Microsoft. Firefox includes an internal pop-up blocker, which is nice and is a security feature in itself. In the privacy section of its tools, it has a one-button “clear all” which removes all history, cookies, form data, and cache. Most importantly, it is immune to most of the browser scumware that’s out there. I wouldn’t remove my Norton Antivirus, but it is still good to know that Firefox is impervious to most of the dangerous hijacks. I would definitely consider Firefox to be a viable option, at least until Microsoft can plug the chinks in its armor.

Anti-Virus Software

A strong anti-virus program remains at the heart of a solid internet security system. We have come a long way from those cute little viruses that infected COMMAND.COM and put mocking messages on our screens. The viruses of today are generally carried by e-mail. The objective of these attacks may be to install a back door into your computer which allows an attacker to install programs, access files, and launch more attacks from your computer. The objective may be to launch mass mailings or denial-of-service attacks from your computer. These kinds of attacks can also be used to steal personal information and log keystrokes. These viruses are nasty and they’re clever. They will often arrive filled with official-sounding language designed to stampede you into opening the attachment. The one immutable rule for dealing with e-mail-borne viruses is to never, repeat never, open or click on an e-mail attachment that you are not expecting. Use a virus scanner that scans your e-mail as it comes in, and never open unexpected or suspicious-looking e-mail attachments. The infected e-mail may even come from an address that you recognize, but if your friend has never sent you an attachment and has no reason to today, don’t open the strange attachment. Send an e-mail back to the sender and ask if they have sent you a message with an attachment. I use Norton Antivirus for scanning incoming e-mail, and it is very good, but I have even had infected e-mails leak through Norton in the case of new viruses that may not be in the virus definition files yet. Repeating: never open an attachment you aren’t expecting to receive. While I use Norton Antivirus, McAfee AV and F-Prot are also excellent antivirus products.
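The “never open an unexpected attachment” rule can be backed up with a mechanical check before a message ever reaches the inbox. The following is an added example, not software from the article or from any of the vendors it names: it parses a constructed message with Python’s standard email library, lists every attachment, and flags names that end in an extension Windows will execute, or that hide such an extension behind a document-looking one (“statement.pdf.exe”). The message text and the extension list are assumptions for the example.

```python
import email
from email import policy

# Constructed sample message (not a real capture): an "official sounding" mail
# carrying an attachment whose name hides an executable behind a document-like
# extension, plus a harmless PDF for comparison. Bodies are placeholder text.
SAMPLE_MAIL = """\
From: accounts@example.invalid
To: you@example.invalid
Subject: URGENT: your account statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached statement immediately.
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

VGhpcyBpcyBub3QgYSByZWFsIHByb2dyYW0=
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Extensions Windows runs directly on double-click (assumed list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
# Extensions commonly used as bait in front of the real one.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "jpg", "gif", "txt"}


def classify_attachment(filename):
    """Return the reasons an attachment name deserves suspicion (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # "statement.pdf.exe": a document extension placed before the executable one
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension disguised as a document")
    return reasons


def triage_message(raw_message):
    """Parse a raw RFC 822 message and report each attachment with its reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(unnamed)"
        report.append((name, classify_attachment(name)))
    return report


if __name__ == "__main__":
    for name, reasons in triage_message(SAMPLE_MAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

A check like this is no substitute for a virus scanner with current definitions, but it catches the naming tricks that depend on the reader, not the scanner, and it does so regardless of whether a new virus has made it into the definition files yet.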

Adware and Spyware

This is absolutely the broadest category of scumware. The majority population of this group is the tracking cookie, which only records where the web surfer has been and sends a report to a server set up to collect the information. While I consider this unethical spying on my activities with my computer, most tracking cookies are harmless. These are downloaded by many large commercial sites which are supported by banner advertising. At the other end of the maliciousness scale in spyware are the keystroke loggers. These programs record keystrokes when certain conditions are present, and then send them to interested parties. Browser hijacks can also be quite malicious, sending personal account information to malicious web servers. If you are one who likes to download and try free software on the internet, you probably have some adware and spyware on your computer, unless you have scanned it recently with an anti-spyware program. In the middle range of malicious spyware are the “toolbar” programs which may pop up unwanted advertising or report more detailed information about your computing activities to interested parties. Regardless of their level of maliciousness or criminality, software writers and webmasters have no right to install programs on my computer that report information or display advertising without my knowledge and permission. The defenses against this sort of scumware include never allowing a web site to install software on your computer unless you are absolutely sure what it is and that you want it, not randomly installing free warez from the internet, and using anti-spyware programs such as SpyBot, Ad-Aware or Spy Sweeper. It is also a good idea to keep your antivirus program running in “auto-protect” mode while surfing unfamiliar sites. For tips on recognizing spyware, see Recognizing and Avoiding Spyware.

Adware, Spyware and Scumware Blockers

I am using two anti-scumware programs. Both are pretty good, and neither is perfect.

SpyBot http://www.spybot.info/index.php?page=download

Spy Sweeper http://www.webroot.com

SpyBot is free and has a bunch of advanced features. Spy Sweeper runs on a subscription basis and is more automatic. Be warned that there are a few Trojans and browser hijacks that will defeat any of these protection programs. The Cool Web Search browser hijack will completely defeat any of these programs, and the only way to really get rid of it is to wipe your hard drive and re-install. It is often downloaded from adult sites. You will think you are clicking on a picture and you’re actually installing a browser hijack. Having your Norton Antivirus set to auto-protect will help block these trojans, but even it isn’t always 100%. Some of these Trojan writers are really “good” in an evil way, and if I ever find one of them, I will blow his kneecaps off.

I’m about to decide that SpyBot 1.3 is better than Spy Sweeper. Spy Sweeper updates its definitions much more frequently, but SpyBot has better tools for advanced users. With v. 1.3 they have added a little TSR widget that blocks any attempt to modify your registry. It will pop up a screen showing what change is being attempted, and give you the option to accept or deny. Very cool. Spy Sweeper runs as a TSR and does everything automatically, which I like: it updates itself, scans every day, and stays resident to block scumware.

Firewalls

When we hear the word “ports” in the context of computers, we tend to think of USB, serial and parallel ports, because these are the physical points of attachment that computer users deal with most often. The fact of the matter is that your operating system actually has thousands of “ports” which are addresses in memory, all of which can be accessed and connected to by other computers. This is especially important if you have an “always on” kind of internet connection like a cable or DSL modem. Skilled hackers can access these ports and use them to install proxy servers or SMTP servers to launch denial-of-service attacks or mass mailings. I have even heard of hackers installing whole websites, usually porno sites, on the computers of unsuspecting home users who didn’t have a clue until their ISPs cut them off for violation of terms of use. For this reason, it is important to have a firewall installed to block these types of intruders. The function of a firewall is to close all of these open ports and only allow traffic through acceptable protected ports. There are several possibilities for getting the firewall functionality onto your system. Windows XP has a built-in firewall that is turned off by default, but you can turn it on if you choose to use it. Another option is to put a router with a firmware firewall between your modem and computer. Finally, you can install a software firewall, such as Zone Alarm, BlackICE, or the firewalls from McAfee and Symantec, on your computer.

While I was writing this, a hacker probed a half dozen ports on my router. Each of these ports is typically attacked by backdoor trojans. If you use a router with a firmware firewall (highly recommended), a program called WallWatcher is an excellent logging and diagnostic program which will help you see and understand the probes and attempts to access your system. The most appalling thing you will observe is the frequency of attempts to gain access and control over your computer by hackers. If you would like to see how secure your ports are, go to Shields Up! and get scanned.
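Two things in the preceding paragraphs can be shown in a few lines of code: what a “close everything, allow only what you intend” firewall rule actually decides, and what a log-watcher like WallWatcher is summarizing when it shows you probes. The block below is an added example, not WallWatcher’s code or output format. Here a port is the 16-bit TCP or UDP port number a listening service is bound to; the log lines, their layout, the policy that exposes only TCP port 80, and the “three or more distinct ports from one address counts as a scan” threshold are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed router log lines (not WallWatcher's real format): timestamp,
# action, protocol, source address:port, then the destination port probed.
SAMPLE_LOG = """\
2004-07-01 08:12:03 DENY TCP 203.0.113.7:4412 -> 135
2004-07-01 08:12:03 DENY TCP 203.0.113.7:4413 -> 139
2004-07-01 08:12:04 DENY TCP 203.0.113.7:4414 -> 445
2004-07-01 08:15:41 DENY TCP 198.51.100.22:51002 -> 135
2004-07-01 08:20:09 DENY UDP 198.51.100.22:1029 -> 1434
2004-07-01 08:31:17 ALLOW TCP 192.0.2.10:33012 -> 80
"""

# Default-deny policy: the only inbound (protocol, port) pairs we intend to expose.
# Assumed for the example; a home user running no servers would leave this empty.
ALLOWED_INBOUND = {("TCP", 80)}


def decide(proto, dst_port, allowed=ALLOWED_INBOUND):
    """Firewall rule lookup: anything not explicitly allowed is denied."""
    return "ALLOW" if (proto.upper(), dst_port) in allowed else "DENY"


def parse_line(line):
    """Split one constructed log line into its fields."""
    date, time, action, proto, src, _arrow, dst_port = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    return {
        "when": f"{date} {time}",
        "action": action,
        "proto": proto,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_port": int(dst_port),
    }


def summarize_probes(log_text, scan_threshold=3):
    """Count denied attempts by destination port and by source address, and list
    sources that touched at least scan_threshold distinct ports (a port scan)."""
    by_port, by_source, ports_per_source = Counter(), Counter(), {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["action"] != "DENY":
            continue
        by_port[entry["dst_port"]] += 1
        by_source[entry["src_ip"]] += 1
        ports_per_source.setdefault(entry["src_ip"], set()).add(entry["dst_port"])
    scanners = sorted(ip for ip, ports in ports_per_source.items()
                      if len(ports) >= scan_threshold)
    return {"by_port": by_port, "by_source": by_source, "scanners": scanners}


def check_policy_consistency(log_text, allowed=ALLOWED_INBOUND):
    """Re-evaluate every logged decision against the intended policy; a mismatch
    means the router's rules and what you meant to allow have drifted apart."""
    mismatches = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if decide(entry["proto"], entry["dst_port"], allowed) != entry["action"]:
            mismatches.append(raw)
    return mismatches


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for port, count in summary["by_port"].most_common():
        print(f"port {port}: {count} denied probe(s)")
    print("likely scanners:", summary["scanners"])
    print("policy mismatches:", check_policy_consistency(SAMPLE_LOG))
```

The consistency check is the part worth keeping around: the day a log line shows ALLOW on a port you never meant to open is the day a rule was changed, by you or by something else on the machine, and the summary makes that one line stand out from the hundreds of routine denials.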

Spam Blockers

Since I have several web sites and produce e-mail newsletters, most of my e-mail addresses go all over the place and get harvested by the spammers. As you can imagine, I get an enormous amount of spam. In the past two days, I received 553 e-mails. Of these, 389, or 70%, were spam. It gets to be a chore just to scroll through the inbox and delete all of this junk. Many of these spam e-mails arrive with strange attachments, viruses, and other malevolent scripts or links. Not only is the spam a nuisance, it is also a security threat.

On the recommendation of a friend, I tried McAfee SpamKiller. This $40 product works well. Yes, I resent having to spend money, learn another program, and run another program just to protect my system from these online vermin, but the reality of the internet these days demands protective strategies.

SpamKiller is designed primarily to work with Outlook Express, and installation for Outlook Express is virtually automatic. It also functions with other e-mail clients, but it will require manually changing the POP3 server to a “localhost” server address in the non-Outlook e-mail client. I use Goldmine to manage my e-mail lists and SpamKiller works fine with it once the POP3 server address is set.

SpamKiller works primarily by maintaining a “friends” list of e-mail addresses to accept, and a list of filters which scan incoming e-mail for words, phrases and characteristics of spam e-mail. SpamKiller actually downloads the e-mail and analyzes it and then sends the accepted e-mail to the in-box of your e-mail client. It comes with a large set of default filters which it updates frequently from McAfee servers. You can also create your own filters or modify the ones already installed in the program. With SpamKiller set at the default “High” level of protection, it will intercept every e-mail from anyone not on the friends list. When it installs to Outlook Express, it reads your address book and automatically adds your address book to the friends list so you don’t have to manually enter all of these “friends.” If you subscribe to lists like Yahoo Groups, you do have to admit each poster on the list as their e-mails arrive, but once admitted, subsequent messages from that poster will be accepted. You also have the option of blocking individuals on the lists. If a spam does squeak through the filters, you have the option to block the e-mail, report it to McAfee so that it can be added to their filters, and/or send complaint messages if that makes you feel better. When you block an e-mail, a new filter is created using the characteristics of the e-mail. Blocked e-mails which you want to accept can be “rescued” from the blocked list and a new “friends” account is created.
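The mechanism just described (a friends list that bypasses everything, content filters for everyone else, a blocked list to review, “rescue” adding a friend and “block” minting a new filter) is simple enough to model end to end. The following is an added example written for this article, not McAfee’s code: messages are plain dictionaries, filters are regular expressions, and hold_strangers=True stands in for the “High” setting where any sender not on the friends list is held. All of the sample addresses and messages are constructed.

```python
import re


class FriendsListSpamFilter:
    """Allow-list plus pattern filters, modelled on the behaviour described above.

    Assumptions for this example: a message is a dict with 'from', 'subject' and
    'body' keys; hold_strangers=True is the page's "High" level, where mail from
    anyone not on the friends list is held even if no filter matches.
    """

    def __init__(self, friends, filter_patterns, hold_strangers=True):
        self.friends = {addr.lower() for addr in friends}
        self.filters = [re.compile(p, re.IGNORECASE) for p in filter_patterns]
        self.hold_strangers = hold_strangers
        self.blocked = []  # the "blocked list" the user has to review periodically

    def classify(self, msg):
        """Return 'accept' or 'block' without changing any state."""
        if msg["from"].lower() in self.friends:
            return "accept"  # friends bypass the content filters entirely
        text = f"{msg['subject']} {msg['body']}"
        if any(f.search(text) for f in self.filters):
            return "block"
        return "block" if self.hold_strangers else "accept"

    def deliver(self, msg):
        """Route one message: blocked mail is held, accepted mail goes to the inbox."""
        verdict = self.classify(msg)
        if verdict == "block":
            self.blocked.append(msg)
        return verdict

    def rescue(self, index):
        """Release a held message and add its sender to the friends list, so later
        mail from that sender is accepted without another trip to the blocked list."""
        msg = self.blocked.pop(index)
        self.friends.add(msg["from"].lower())
        return msg

    def block_sender(self, msg):
        """Turn a message that slipped through into a new filter built from one of
        its characteristics (here the exact subject line) and drop the sender."""
        self.filters.append(re.compile(re.escape(msg["subject"]), re.IGNORECASE))
        self.friends.discard(msg["from"].lower())


# Constructed sample traffic (not real mail).
INBOX_FEED = [
    {"from": "alice@example.invalid", "subject": "Range day Saturday?",
     "body": "Bring the .22."},
    {"from": "deals@spam.invalid", "subject": "FREE MONEY waiting",
     "body": "Claim your prize now!!!"},
    {"from": "newreader@example.invalid", "subject": "Question about your article",
     "body": "Which router do you use?"},
]


def run_feed(filt, messages):
    """Deliver a batch and return the verdict for each message in order."""
    return [filt.deliver(m) for m in messages]


if __name__ == "__main__":
    f = FriendsListSpamFilter(["alice@example.invalid"], [r"free\s+money"])
    print(run_feed(f, INBOX_FEED))
    print("held for review:", [m["from"] for m in f.blocked])
```

Running the feed shows the trade-off the text complains about: at the “High” setting the legitimate new reader lands in the blocked list alongside the spam, and only a human rescuing that message teaches the filter to trust the sender next time.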

SpamKiller works well, is reasonably intuitive, and does not seem to suffer any interaction problems with other software. I use Norton Anti-Virus and I was concerned that the McAfee product might conflict with the Norton since they are head-to-head competitors in the AV market, but they play well together. If I have a complaint with the program, it is that you have to frequently check the blocked message list for e-mails that you want to receive. I don’t know that there’s a better way to do this because I would not want the program to simply whack an e-mail without allowing me to see it, but this does add another screen and another task to deal with, especially if you are someone like me who often receives legit e-mails from new people.

If you are having problems with spam, SpamKiller is a stable and well-rendered solution. There are several good spam blocking programs like MailWasher and SpamKiller, and there are also a number of bogus ones that are little more than scams themselves.

Parting Shots and Reflections

You will notice that much of the preceding discussion deals with Microsoft Windows and server software. There are two reasons for this. The first is that Microsoft has become a victim of its own success. Since it is the dominant operating system in the world, it is the most logical target for hackers. MS products receive the lion’s share of hacker attention due to the overwhelming numerical dominance of MS products in the computer population. If I were looking to steal money with a computer, I wouldn’t focus on learning to hack Fortran-crunching mainframes, nor would I pay much attention to Macintosh systems. Web servers don’t run on Mac OS; they run on Microsoft or Unix/Linux operating systems. Over 90% of the visitors to my site run Windows and Internet Explorer. For a hacker, there’s your target designator. The second reason has to do with Microsoft’s design policy, basically trying to be all things to all people and building an endless parade of widgets, macro capabilities, Object Linking and Embedding, and scripting capabilities into every product they write. I’m not a Microsoft basher. I have used their products since DOS 1, and I still like them. I have worked with Mac and Unix systems and I just don’t like them as much as Windows PCs. Microsoft has created some truly excellent products in their time and I use many of them. At the same time, we have all watched as MS products became bloated and cluttered with widgets and unnecessary interoperability. MS products have become so complex that even small security patches take months for MS to work out. The design philosophy has put primary emphasis on adding flashy multimedia functionality and “ease of use” which will impress consumers and sell a lot of boxes. I don’t begrudge a guy trying to make a buck, but in the rush to mesmerize consumers, out-Macintosh Apple, and be all things to all people, security has slipped too far down on the scale of priorities. The multitude of functions, configurability, and interoperability of MS systems unfortunately create a multitude of openings for hackers to exploit. The point of this is not to flail MS for giving us what they thought we wanted – if we had been content with Apple Writer and WordStar we would still be using them – the purpose is to sketch out the parameters of the problem.

This stuff has gotten serious and it requires a serious response. The threats have moved out of the playpen. The Love Bug virus was estimated to have a worldwide economic impact of $8.75 billion in the year 2000. That was the effect of one piece of malicious code. Today there are thousands, many of which make Love Bug look like kids’ stuff.

Even those of us who work with the internet a lot don’t have a full grasp of how much our business, media, communications, finance, transportation and even national defense utilize and depend upon the internet. Threats to the internet are truly threats to our civilization.

I learned of the 9-11 attack because I “felt” it in the internet. I start my day by drinking a cup of coffee while I read the local newspaper and then I get on the web to read the up-to-date national and international news on the major news websites. On the morning of 9-11, none of the news sites would come up. I rebooted my box but the news sites still wouldn’t load. It was only then that I turned on the TV to see what was going on. The internet has become the central nervous system of American civilization. Paralyze it, and we are blinded and deafened.

What is required of us is a sort of militia attitude: we have to provide for our own electronic defense. Government and the big software companies don’t seem to be up to the task. Like any other form of self-defense, situational awareness is at least half the battle. It is necessary to become acquainted with the threats and how to deal with them, and then to put in place strategies to defeat them.

Additional Reading and Resources

Recognizing and Avoiding Spyware

The Internet Storm Center

An Arsenal to Combat Spyware
A good article on anti-spyware programs

Shields Up Online Port Security Scanner

PC Hell Spyware Removal Help

Symantec Security Response Page

McAfee Security Center

Microsoft Security Center

US-CERT
United States Computer Emergency Readiness Team

CERT Home Network Security

CERT Coordination Center

Computer and Network Security at UC Davis

Viruslist.com – The Virus Encyclopedia

Computer Cops

Computerworld Security Knowledge Center

SecurityFocus

Economic Impact of Network Security Threats

“Tight integration of the browser with the operating system provides some convenience and power for Windows developers and users, but has also been a continuing source that allows malicious hackers to leverage that same convenience and power for their exploits… Most of this convenience centers on the default protection mechanisms for downloading, installing and running executable programs without the knowledge of the user or any intervention by the user.”

Chris Hofmann, engineering director at the Mozilla Foundation

“…Zombie PC’s in a Botnet Army…

Vast networks of home computers are being rented out without their owners’ knowledge to spammers, fraudsters and digital saboteurs, security experts said on Wednesday. The terminals have been infected by a computer virus, turning them into zombies — slaves to the commands of a malicious and unseen controller. Connect them all up and the result is a powerful network of zombie PCs that security experts call a botnet….Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money, a source in Scotland Yard’s computer crime unit told Reuters. There may be millions of such PCs around the world doing the bidding of crime gangs, experts say, and they can be rented for as little as $100-per-hour.”

By Bernhard Warner, Reuters European Internet Correspondent