Staying Uninfected on the Internet

If you're on the internet, you should be concerned. Once upon a time, the only threats to our computers were viruses. Most of these were simply obnoxious pranks, contracted only by reading an infected disk or downloading questionable software from the internet. Generally, these early viruses were a form of vandalism that messed up the computer and replicated themselves. Today, the threats faced by internet users are far more sinister and complex than they were in the simple days of yore. They include browser hijacks and security exploits, phishing redirects, back-door trojans, adware, spyware, key loggers, and of course the good old-fashioned viruses, which are still around, although much more virulent and sophisticated than they used to be.

The objectives of the black hat code writers are diverse and complex. Sometimes it is simply a criminal effort to gain access to people's bank accounts. Others are overly aggressive advertising designed to make you look at their web sites and pop-ups even if you don't want to. Some are spyware for advertisers who want to know what people are doing with their computers. Others are large-scale attacks which appear to target the internet itself in order to do political or economic damage. No doubt many more nefarious schemes will be hatched in the minds of these computer criminals, and some of them are very good at what they do. What follows is a quick survey of the different types of threats and some suggestions of what you can do to protect yourself.
Browser Hijacks and Exploits

Browser hijacks are "browser helper objects" (BHOs) installed surreptitiously on your computer when you surf to an evil or infected web site. Not all BHOs are bad. A number of legitimate programs install browser helper objects to enhance the functionality of Internet Explorer; Adobe Acrobat and Norton SystemWorks are two examples. But the black hats figured out that they could install BHOs surreptitiously, and some of the black hat BHOs are evil indeed. One of the worst is called Cool Web Search. It has a number of variants and I have yet to find an anti-virus or anti-spyware program which will remove it completely. It resets your home page to a strange search engine hosted in Russia or to "about:blank." Some of these browser hijacks may transmit personal information such as bank account numbers and PINs stored in your web browser back to servers which collect the information for criminal purposes. Believe it or not, some of the Cool Web Search hijacks are simply "pay-per-click" schemes that pay the downloading websites for the number of hits they direct back to the home site.
Alternate Browsers – One Response to Hijacks

After rebuilding my completely patched and virus/trojan/scumware protected XP Pro box for the second time, from the disk partition up, due to an infection with Cool Web Search which was supposed to be fixed by a Microsoft security patch months ago, I decided that there had to be a better way. I downloaded and installed the Mozilla Firefox web browser. The Mozilla-based browsers aren't as vulnerable to the Trojans and hijacks because the black hats target Internet Explorer, because it's the dominant browser by a factor of about 10 to 1. If enough people switch to the Mozilla-based browsers, the black hats may switch to targeting them also, but it hasn't happened yet, and perhaps by that time Microsoft will have plugged the holes in IE. Microsoft has made it easy for the evil coders by building so many OLE, scripting, and macro-running capabilities into IE and the Office Suite of products. What's more aggravating is that Microsoft seems reluctant and tardy to deal with these security issues.
Firefox reminds me most closely of Netscape 3, but with the bugs of NS 3 fixed. I'm thinking back to the Netscape we knew before Netscape junked itself up by trying to be a complete internet operating system. NS 3 was the best of the Netscape browser versions, in my opinion, although some might argue that v.2 was cleaner. With version 4 and beyond Netscape tried to do everything -- web browsing, e-mail, instant messaging, and HTML editing. In doing so, it became buggy and unstable, at least in the Windows environment. Some of the bugginess is no doubt the result of the browser jihad between Microsoft and Netscape. Microsoft won that one. Netscape was gobbled up by AOL and Mozilla was spun off into an open source freeware project.
The most recent security attack of the Scob Trojan was extremely serious. Scob was not a simple "mess up your computer" sort of Trojan. It was a browser hijack that redirected your browser to a server in Russia and transmitted personal information from your computer to the black hat server. This personal information would include things like passwords and credit card numbers. Scob exploits security gaps in Internet Explorer. This is when I began to think seriously of using another browser, and checked out Firefox.
Firefox runs well and seems to be fairly bug free. It's also free and doesn't contain any ad-ware. You have to install the Sun Java runtime environment because Firefox doesn't use the now-orphaned Java virtual machine from Microsoft. Firefox includes an internal pop-up blocker which is nice and is a security feature in itself. In the privacy section of its tools, it has a one-button "clear all" which removes all history, cookies, form data, and cache. Most importantly, it is immune to most of the browser scumware that's out there. I wouldn't remove my Norton Antivirus, but you still know that Firefox is impervious to most of the dangerous hijacks. I would definitely consider Firefox to be a viable option, at least until Microsoft can plug the chinks in its armor.
Anti-Virus Software

A strong anti-virus program remains at the heart of a solid internet security system. We have come a long way from those cute little viruses that infected COMMAND.COM and put mocking messages on our screens. The viruses of today are generally carried by e-mail. The objective of these attacks may be to install a back door into your computer which allows an attacker to install programs, access files, and launch more attacks from your computer. The objective may be to launch mass mailings or denial of service attacks from your computer. These kinds of attacks can also be used to steal personal information and log keystrokes. These viruses are nasty and they're clever. They will often arrive filled with official-sounding language designed to stampede you into opening the attachment. The one immutable rule for dealing with e-mail-borne viruses is to never, repeat never, open or click on an e-mail attachment that you are not expecting. Use a virus scanner that scans your e-mail as it comes in, and never open unexpected or suspicious-looking e-mail attachments. The infected e-mail may even come from an address that you recognize, but if your friend has never sent you an attachment and has no reason to today, don't open the strange attachment. Send an e-mail back to the sender and ask if they have sent you a message with an attachment. I use Norton Antivirus for scanning incoming e-mail, and it is very good, but I have even had infected e-mails leak through Norton in the case of new viruses that may not be in the virus definition files yet. Repeating: never open an attachment you aren't expecting to receive. While I use Norton Antivirus, McAfee AV and F-Prot are also excellent antivirus products.
Adware and Spyware

This is absolutely the broadest category of scumware. The majority population of this group is the tracking cookie, which only records where the web surfer has been and sends a report to a server set up to collect the information. While I consider this unethical spying on my activities with my computer, most tracking cookies are harmless. These are downloaded by many large commercial sites which are supported by banner advertising. At the other end of the maliciousness scale in spyware are the keystroke loggers. These programs record keystrokes when certain conditions are present, and then send them to interested parties. Browser hijacks can also be quite malicious, sending personal account information to malicious web servers. If you are one who likes to download and try free software on the internet, you probably have some adware and spyware on your computer, unless you have scanned it recently with an anti-spyware program. In the middle range of malicious spyware are the "toolbar" programs which may pop up unwanted advertising or report more detailed information about your computing activities to interested parties. Regardless of their level of maliciousness or criminality, software writers and web masters have no right to install programs on my computer that report information or display advertising without my knowledge and permission. The defenses against this sort of scumware include never allowing a web site to install software on your computer unless you are absolutely sure what it is and that you want it, not randomly installing free warez from the internet, and using anti-spyware programs such as SpyBot, Ad-Aware or Spy Sweeper. It is also a good idea to keep your antivirus program running in "auto-protect" mode while surfing unfamiliar sites.
Adware, Spyware and Scumware Blockers

I am using two anti-scumware programs. Both are pretty good, and neither is perfect.

SpyBot is free and has a bunch of advanced features. Spy Sweeper runs on a subscription basis and is more automatic. Be warned that there are a few Trojans and browser hijacks that will defeat any of these protection programs. The Cool Web Search browser hijack will completely defeat any of these programs and the only way to really get rid of it is to wipe your hard drive and re-install. It is often downloaded from adult sites. You will think you are clicking on a picture and you're actually installing a browser hijack. Having your Norton Antivirus set to auto-protect will help block these trojans, but even it isn't always 100%. Some of these Trojan writers are really "good" in an evil way and if I ever find one of them, I will blow his knee caps off.

I'm about to decide that SpyBot 1.3 is better than Spy Sweeper. Spy Sweeper updates their definitions much more frequently, but SpyBot has better tools for advanced users. With v. 1.3 they have added a little TSR widget that blocks any attempts to modify your registry. It will pop up a screen showing what the change being attempted is, and give you the option to accept or deny. Very cool. Spy Sweeper runs TSR and does everything automatically, which I like. It updates itself and scans every day, and runs TSR to block scumware.
Firewalls

When we hear the word "ports" in the context of computers, we tend to think of USB, serial and parallel ports, because these are the physical points of attachment that computer users deal with most often. The fact of the matter is that your operating system actually has thousands of "ports" which are addresses in memory, all of which can be accessed and connected to by other computers. This is especially important if you have an "always on" kind of internet connection like a cable or DSL modem. Skilled hackers can access these ports and use them to install proxy servers or SMTP servers to launch denial of service attacks or mass mailings. I have even heard of hackers installing whole websites, usually porno sites, on the computers of unsuspecting home users who didn't have a clue until their ISPs cut them off for violation of terms of use. For this reason, it is important to have a firewall installed to block these types of intruders. The function of a firewall is to close all of these open ports and only allow traffic through acceptable protected ports. There are several possibilities for getting the firewall functionality onto your system. Windows XP has a built-in firewall that is turned off by default, but you can turn it on if you choose to use it. Another option is to put a router with a firmware firewall between your modem and computer. Finally, you can install a software firewall, such as Zone Alarm, Black Ice, or the firewalls from McAfee and Symantec, on your computer.

While I was writing this, a hacker probed a half dozen ports on my router. Each of these ports is typically attacked by backdoor trojans. If you use a router with a firmware firewall (highly recommended), a program called WallWatcher is an excellent logging and diagnostic program which will help you see and understand the probes and attempts to access your system. WallWatcher enables you to send your logs to DShield, which tracks and compiles hacking attempts. The most appalling thing you will observe is the frequency of attempts to gain access and control over your computer by hackers. If you would like to see how secure your ports are, go to Shields Up! and get scanned.
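The kind of analysis WallWatcher does over a router's log, as an added example that is not part of the original article or of WallWatcher or DShield: it parses dropped-inbound-packet lines, counts hits per destination port, and singles out sources that swept several ports at once. The log line format, the sample lines and the watch list of trojan-associated ports are all assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample of dropped-inbound-packet lines in the style a SOHO router
# with a firmware firewall might log. The line format is an assumption for this
# example; adjust LINE_RE to match your router's real syntax.
SAMPLE_LOG = """\
2004-07-12 08:02:11 DROP TCP 203.0.113.5:3921 -> 192.0.2.10:135
2004-07-12 08:02:11 DROP TCP 203.0.113.5:3922 -> 192.0.2.10:139
2004-07-12 08:02:12 DROP TCP 203.0.113.5:3923 -> 192.0.2.10:445
2004-07-12 08:02:12 DROP TCP 203.0.113.5:3924 -> 192.0.2.10:1433
2004-07-12 08:02:13 DROP TCP 203.0.113.5:3925 -> 192.0.2.10:27374
2004-07-12 08:02:13 DROP TCP 203.0.113.5:3926 -> 192.0.2.10:12345
2004-07-12 08:15:40 DROP UDP 198.51.100.7:1026 -> 192.0.2.10:1026
2004-07-12 09:01:03 DROP TCP 198.51.100.9:4411 -> 192.0.2.10:80
2004-07-12 09:01:05 ACCEPT TCP 192.0.2.10:1054 -> 198.51.100.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports historically associated with backdoor trojans or with services that
# worms hammer on. Assumed watch list for this example, not from the article.
WATCH_PORTS = {
    135: "Windows RPC", 139: "NetBIOS session", 445: "SMB",
    1433: "MS SQL Server", 12345: "NetBus backdoor", 27374: "SubSeven backdoor",
}

class Probe(NamedTuple):
    ts: str
    proto: str
    src: str
    dport: int

def parse_log(text):
    """Keep only DROP lines, i.e. inbound traffic the firewall refused."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "DROP":
            probes.append(Probe(m["ts"], m["proto"], m["src"], int(m["dport"])))
    return probes

def probes_by_port(probes):
    """How often each destination port was hit (what WallWatcher charts)."""
    return Counter(p.dport for p in probes)

def port_sweepers(probes, min_ports=5):
    """Sources that touched at least min_ports distinct ports: a port sweep,
    not a stray packet, and the sort of event worth reporting to DShield."""
    seen = defaultdict(set)
    for p in probes:
        seen[p.src].add(p.dport)
    return sorted(src for src, ports in seen.items() if len(ports) >= min_ports)

def watch_hits(probes):
    """Watch-list ports that were probed, with their labels."""
    return sorted({(p.dport, WATCH_PORTS[p.dport]) for p in probes if p.dport in WATCH_PORTS})

if __name__ == "__main__":
    probes = parse_log(SAMPLE_LOG)
    print(f"{len(probes)} dropped inbound packets")
    for port, n in probes_by_port(probes).most_common():
        print(f"  port {port}: {n}")
    print("sweepers:", port_sweepers(probes))
    print("watch-list hits:", watch_hits(probes))
```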
Spam Blockers

Since I have several web sites and produce e-mail newsletters, most of my e-mail addresses go all over the place and get harvested by the spammers. As you can imagine, I get an enormous amount of spam. In the past two days, I received 553 e-mails. 389, or 70%, were spam. This gets to be a chore: just scrolling through the inbox and deleting all of this junk. Many of these spam e-mails arrive with strange attachments, viruses, and other malevolent scripts or links. Not only is the spam a nuisance, it is also a security threat.
On the recommendation of a friend, I tried McAfee SpamKiller. This $40 product works well. Yes, I resent having to spend money, learn another program, and run another program just to protect my system from these online vermin, but the reality of the internet these days demands protective strategies.

SpamKiller is designed primarily to work with Outlook Express, and the installation to Outlook Express is virtually automatic. It also functions with other e-mail clients, but it will require manually changing the POP3 server to a "localhost" server address in the non-Outlook e-mail client. I use Goldmine to manage my e-mail lists and SpamKiller works fine with it once the POP3 server address is set.
SpamKiller works primarily by maintaining a "friends" list of e-mail addresses to accept, and a list of filters which scan incoming e-mail for words, phrases and characteristics of spam e-mail. SpamKiller actually downloads the e-mail and analyzes it and then sends the accepted e-mail to the in-box of your e-mail client. It comes with a large set of default filters which it updates frequently from McAfee servers. You can also create your own filters or modify the ones already installed in the program. With SpamKiller set at the default "High" level of protection, it will intercept every e-mail from anyone not on the friends list. When it installs to Outlook Express, it reads your address book and automatically adds your address book to the friends list so you don't have to manually enter all of these "friends." If you subscribe to lists like Yahoo Groups, you do have to admit each poster on the list as their e-mails arrive, but once admitted, subsequent messages from that poster will be accepted. You also have the option of blocking individuals on the lists. If a spam does squeak through the filters, you have the option to block the e-mail, report it to McAfee so that it can be added to their filters, and/or send complaint messages if that makes you feel better. When you block an e-mail, a new filter is created using the characteristics of the e-mail. Blocked e-mails which you want to accept can be "rescued" from the blocked list and a new "friends" account is created.
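The friends-list-plus-filters model described above, as an added example written for this page and not SpamKiller's own code: a friend is accepted outright, a stranger is run through phrase filters (and held regardless in "High" mode), blocking a message turns its subject into a new filter, and rescuing a held message adds its sender as a friend. The message class, the default filter phrases and the choice of subject line as the "characteristic" a block keys on are assumptions for this example.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    body: str

# Constructed stand-ins for the default phrase filters SpamKiller ships with.
DEFAULT_FILTERS = [
    r"\bfree\s+money\b",
    r"\bviagra\b",
    r"click\s+here\s+to\s+be\s+removed",
]

@dataclass
class FriendsListFilter:
    """Friends list first, phrase filters second, and in 'High' mode anything
    from a stranger is held for review even if no filter matches."""
    friends: set = field(default_factory=set)
    filters: list = field(default_factory=list)
    high: bool = True
    blocked: list = field(default_factory=list)

    def __post_init__(self):
        self.friends = {f.lower() for f in self.friends}
        self.filters = [re.compile(p, re.IGNORECASE) for p in self.filters]

    def classify(self, msg):
        """Return 'inbox' or 'blocked'; blocked messages are held for review."""
        if msg.sender.lower() in self.friends:
            return "inbox"
        text = f"{msg.subject}\n{msg.body}"
        if self.high or any(f.search(text) for f in self.filters):
            self.blocked.append(msg)
            return "blocked"
        return "inbox"

    def block(self, msg):
        """Blocking a message that squeaked through creates a new filter from
        its characteristics (here, assumed to be its subject line)."""
        self.filters.append(re.compile(re.escape(msg.subject.strip()), re.IGNORECASE))
        if msg not in self.blocked:
            self.blocked.append(msg)

    def rescue(self, msg):
        """Rescuing a held message creates a new friend, so later mail from
        that sender (a Yahoo Groups poster, say) is accepted without review."""
        self.blocked.remove(msg)
        self.friends.add(msg.sender.lower())
        return "inbox"
```

Note that the review burden the article complains about falls out of the model: in "High" mode every first contact from a new correspondent lands in the blocked list until it is rescued.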
SpamKiller works well, is reasonably intuitive, and does not seem to suffer any interaction problems with other software. I use Norton Anti-Virus and I was concerned that the McAfee product might conflict with the Norton since they are head-to-head competitors in the AV market, but they play well together. If I have a complaint with the program, it is that you have to frequently check the blocked message list for e-mails that you want to receive. I don't know that there's a better way to do this because I would not want the program to simply whack an e-mail without allowing me to see it, but this does add another screen and another task to deal with, especially if you are someone like me who often receives legit e-mails from new people.

If you are having problems with spam, SpamKiller is a stable and well-rendered solution. There are several good spam blocking programs like Mail Washer and Spam Assassin, and there are also a number of bogus ones that are little more than scams themselves.
Parting Shots and Reflections

You will notice that much of the preceding discussion deals with Microsoft Windows and server software. There are two reasons for this. The first is that Microsoft has become a victim of its own success. Since it is the dominant operating system in the world, it is the most logical target for hackers. MS products receive the lion's share of hacker attention due to the overwhelming numerical dominance of MS products in the computer population. If I were looking to steal money with a computer, I wouldn't focus on learning to hack Fortran-crunching mainframes, nor would I pay much attention to Macintosh systems. Web servers don't run on Mac OS; they run on Microsoft or Unix/Linux operating systems. Over 90% of the visitors to my site run Windows and Internet Explorer. For a hacker, there's your target designator. The second reason has to do with Microsoft's design policy, basically trying to be all things to all people and building an endless parade of widgets, macro capabilities, Object Linked Embedding, and scripting capabilities into every product they write. I'm not a Microsoft basher. I have used their products since DOS 1, and I still like them. I have worked with Mac and Unix systems and I just don't like them as much as Windows PCs. Microsoft has created some truly excellent products in their time and I use many of them. At the same time, we have all watched as MS products became bloated and cluttered with widgets and unnecessary interoperability. MS products have become so complex that even small security patches take months for MS to work out. The design philosophy has put primary emphasis on adding flashy multimedia functionality and "ease of use" which will impress consumers and sell a lot of boxes. I don't begrudge a guy trying to make a buck, but in the rush to mesmerize consumers, out-Macintosh Apple, and be all things to all people, security has slipped too far down on the scale of priorities. The multitude of functions, configurability, and interoperability of MS systems unfortunately create a multitude of openings for hackers to exploit. The point of this is not to flail MS for giving us what they thought we wanted – if we had been content with Apple Writer and WordStar we would still be using them – the purpose is to sketch out the parameters of the problem.
This stuff has gotten serious and it requires a serious response. The threats have moved out of the playpen. The Love Bug virus was estimated to have a worldwide economic impact of $8.75 billion in the year 2000. That was the effect of one piece of malicious code. Today there are thousands, many of which make Love Bug look like kids' stuff.

Even those of us who work with the internet a lot don't have a full grasp of how much our business, media, communications, finance, transportation and even national defense utilize and depend upon the internet. Threats to the internet are truly threats to our civilization.

I learned of the 9-11 attack because I "felt" it in the internet. I start my day by drinking a cup of coffee while I read the local newspaper and then I get on the web to read the up-to-date national and international news on the major news websites. On the morning of 9-11, none of the news sites would come up. I rebooted my box but the news sites still wouldn't load. It was only then that I turned on the TV to see what was going on. The internet has become the central nervous system of American civilization. Paralyze it, and we are blinded and deafened.

What is required of us is a sort of militia attitude: we have to provide for our own electronic defense. Government and the big software companies don't seem to be up to the task. Like any other form of self-defense, situational awareness is at least half the battle. It is necessary to become acquainted with the threats and how to deal with them, and then to put in place strategies to defeat them.
Resources

Internet Storm Center
US-CERT
Shields Up! Port Security Tester
Security Focus
Fight Spam
DShield Distributed Intrusion Detection System
"Tight integration of the browser with the operating system provides some convenience and power for Windows developers and users, but has also been a continuing source that allows malicious hackers to leverage that same convenience and power for their exploits... Most of this convenience centers on the default protection mechanisms for downloading, installing and running executable programs without the knowledge of the user or any intervention by the user."
Chris Hofmann, engineering director at the Mozilla Foundation
"...Zombie PCs in a Botnet Army... Vast networks of home computers are being rented out without their owners' knowledge to spammers, fraudsters and digital saboteurs, security experts said on Wednesday. The terminals have been infected by a computer virus, turning them into zombies -- slaves to the commands of a malicious and unseen controller. Connect them all up and the result is a powerful network of zombie PCs that security experts call a botnet.... Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money, a source in Scotland Yard's computer crime unit told Reuters. There may be millions of such PCs around the world doing the bidding of crime gangs, experts say, and they can be rented for as little as $100-per-hour."
By Bernhard Warner, Reuters European Internet Correspondent