Internet Security a Primer

In this day and age most newer computers come pre-loaded with Anti-Virus software. With that being said the vendor shift in antivirus solutions and security software providers is to promote security suites or those all inclusive "Swiss Army Knives" of computer security; Norton IS, McAfee Security Center, and even AOL just to name a few. These “Swiss Army Knives” come with everything from Anti-Virus, to real-time process monitoring, firewall, spam filters, java script and web content filters, popup blockers and Ad-ware scan removal engines.

Working for a call center that supports an online software solution I encounter at least 20 calls a day from users that after installing Norton IS or McAfee are unable to use our system. The quick response would be to fix our system but hey that’s neither always possible nor feasible given the vast number of Security Systems available so all too often users end up disabling large portions of these systems to regain access to those resources they need (though if they call us we will walk them through configuring their software correctly to play nice with our system)

Thus in the end the user may have spent upwards of 50 dollars for a software package that is in a large part disabled when they are online. This is further compounded by the fact that most users rather than disabling or configuring only those components they need end up removing or disabling large portions of the system to fix a perceived problem the result being that they are effectively naked on the internet. This means they either suffer in silence or go without virus protection. 

Alas it hardly seems that a day goes by without hearing about some new virus, worm, phishing scam on the network news. When I was a young teenager I used to scan the channels for anything of this type I could find and now that I am constantly deluged by it I am tired of it all (irony is that I find it so interesting) the end result of this of course being that most users have a general knowledge of what a virus is and worse know someone in their direct circle of friends that has been affected by mal-ware on their system but while they consider themselves protected sadly they are just as vulnerable. With virus writing and malware development becoming profit generators the developers of these systems have become much better at hiding, protecting and enabling their software, while sadly enough the heuristic library based scan engines of the anti-virus providers have remained largely unchanged. So if you are the average user you are in one of the following five categories

1. Over protected using an all-in-one antivirus suite carrying everything from a firewall to deleted files recovery system

2. Using the same service but large sections of it disabled rendering it useless

3. Using a generic scanner not configured to update running virus definitions from the original date of purchase

4. Everything is just right

5. Sliding around the internet essentially naked protected by luck or using a non standard operating system

The purpose of this article therefore is to explain what is a virus, what is a Trojan, what exactly is this mal-ware stuff, and what can you do to defend yourself from them. The internet is a big bad place and while AOL’s security center maybe the all-in-one solution to all your security needs I seriously doubt it so let’s take a minute and go over some basics.

So what is a virus, simply put a virus is a program that is able to replicate itself. Viruses spread mutate and infect much like biological vectors and can cause system damage either unintentionally or intentionally expose the user to further security issues and may cause system instability or for the lack of better terms your computer to act sick. Some other side effects of a virus include:

1. Network slowdown due to the retransmission of the virus

2. Loss of files and system data

3. Operating system instability that is recoverable

4. Operating system instability that is not recoverable

So now that we have covered viruses what exactly is a Trojan? Trojans also known as root-kits allow the creator or distributor to monitor and or manage a remote system. Most often they are used to steal data and monitor the users either for profit or because of personal gain (revenge, curiosity, or both). Trojans due their nature are usually transmitted to the user by someone they know or are acquainted with, however this is becoming a thing of the past though with the recent increase in so called zombie networks and botnets. Trojans can be very difficult to remove due to technologies designed to protect or cloak themselves from the operating system, the major difference between a Trojan and virus is that a virus is self replicating whereas a Trojan is not though this is changing. Trojans can cause the following issues:

1. System damage and file and data loss

2. Unexpected behavior due to the remote control feature

3. Personal data security is compromised

4. Unauthorized access to systems and resources

5. You becoming the node in a large spam relay network

With Trojans and viruses defined we move on to Mal-ware, mal-ware is that generic third category of software that is malicious in nature, and while it may have aspects associated with Trojans and viruses their method of infection is generally different. Mal-ware is typically associated with a larger category of malicious software known as spy-ware. Effects of mal-ware vary but for the most part they are resistant to removal self replicating, and obfuscating. Mal-ware is also quickly becoming a viable profit center for many smaller developers helping to distribute ad software that generates revenue for the program. In recent years due to surge in Mal-ware installs the browser market has shifted its scope from IE to a 3^rd party browser model. Symptoms of a mal-ware may include:

1. Change or loss of important data on your computer such as documents, music and video files, this is known as espionage

2. Unexpected behavior due to the shoddy coding of the software

3. Personal data security is compromised

4. Unauthorized access to systems and resources

5. You becoming the node in a large spam relay network

Ok so we have taken a look at the virus, Trojans, and mal-ware now why are they such a growing threat. First off it has increasingly become easier to create and distribute mal-ware using freely available systems. Using these systems almost anyone can build a piece of mal-ware and distribute it in a matter of days if not sooner. Replication modes have continued to vary and intermix with malware spreading using everything from IM (internet message clients), to email, and web pages it becomes increasing difficult to secure all infection vectors without affecting the productivity of the system. As the timeline from exploit to mal-ware continues to decrease patch management becomes a growing concern systems are becoming increasingly blended and complex this proves to be a daunting task to many end users and thus after a while they fail to keep up with patch management. Unfortunately mal-ware developers count on this fact and utilizing multiple modes of infection they can be sure their virus will continue to spread even though the exploit their software uses may be long since fixed.

Ok now that you’re scared is there light at the end of the tunnel? Yes, first off if you haven’t done so already go and get an anti-virus software and if you have the choice stay away from those all in one anti-virus security suites. If you are home user consider using a couple of free clients:

1. Avast antivirus

2. Antivir

3. AVG

If you have the money and want to pay for one go for one of these

1. F-Secure

2. Kaspersky

3. Sophos

4. Norton Antivirus (not the security suite)

If you are using an anti-virus solution already then check it to make sure it is working properly:

1. Try to run a manual update if it fails then see if your service has expired if it has then either renew or purchase a new solution

2. Download a test file and scan the test file with your anti-virus software if it fails to be detected then you may need to reinstall

3. If you have one of those Swiss Army knives open it up and make sure everything is green if not then consult your literature to see why

4. Configure your antivirus to update regularly

5. Configure your antivirus to perform a full scan at least once a week

Anti-Virus covered now if you don’t have a Swiss Army knife you probably need a firewall if you are running windows xp then update to service pack 2 the firewall with windows xp service is more than sufficient.

1. If you are on a broadband connection get a router this will act as a hardware firewall and end many of the troubles at the gate

2. If you are not running Windows XP or hate Microsoft then run a third party firewall I personally recommend kerio

3. If you are on a dial up connection consider using ICS (internet connection sharing) this way you can isolate your primary computer from infection (if interested I will write an article on doing this simply leave a commend to that effect)

Now you need anti-spy-ware (my recommendations in order of preference)

1. Sunbelt software awesome counterspy product

2. Ewido simply fantastic

3. Microsoft Anti-Spy-ware

4. Ad-aware

Once you have one of those then configure them to auto-update and auto scan your computer weekly don’t be concerned with the reoccurrence of cookies these are for the large part innocuous and misleading indications of a mal-ware infection.

Some other more generic tips

1. Use web-mail where you can if you haven’t already setup a gmail or yahoo account and use those to read and send emails

2. If your ISP offers web-mail then use it

3. Switch browsers I personally like firefox but many people may find the new Netscape more convienent

4. If you can download and use the web browser application without a doubt this is the greatest single security fix you can do

5. If you are on Windows XP setup a restricted account and use it for browsing the web

We have covered a lot but for the most part it is fairly generic and should be universally applicable if you did not get anything else from this article then please go and get an antivirus solution and configure it properly. So many things can be prevented by diligent updating and the great thing about software nowadays is that it takes the work out of this dull task and makes it a background process that should be transparent to you. All the prevention in the world means nothing if you don’t apply common sense though so if you don’t know the person and they send you an executable, picture, or anything don’t open it; if you do know the person and have even an inkling of suspicion then contact them. Ultimately learn from the experience of others and ask what it is like to be without their system for a day or lose productivity due to a file or process being lost and all this will seem well worth it. By being diligent your online experience can be fun, informative, and even profitable as with any system invest in preventative maintenance and you will extend your investment into the future.

February 3rd is Almost Here - Scan your computer now!!

If you haven't yet please take a moment and scan your machine to make sure you are clean of the nasty kama sutra worm aka the blackworm I wrote about earlier. February 3rd is the day this nasty will attempt to overwrite documents and files of pdf, xls, doc, and etc.. given that the value of most computing systems is in the data they hold this makes it paramount that we as users take this threat seriously. So if you haven't already go update your anti virus software and scan your computer for viruses and then to be doubly sure head over to:

http://houcall.trendmicro.com

Or

http://safety.live.com/site/en-US/default.htm

Run the online scan just to make sure you security software was not compromised as this software while remaining does disable and compromise certian key elements of commercial anti-virus and security products.

http://isc.sans.org/diary.php?storyid=1067

Manual Removal for the Technically Inclined

http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm

Be Careful When Loading a Play List in Winamp

While cruising on the Security Focus website I saw among the various exploits for windows and microsoft office one I didn't really expect to see from WinAmp. WinAmp a popular media platform on Windows for its ability to load and stream custom playlists is vulnerable to a malformed playlist exploit which could cause the target computer to slow to a crawl in most cases and even blue screen in others. The vulnerability occurs when winamp attempts load a playlist that is of an extreemly long filname or large byte size while processing the playlist it gradually consumes more and more resources until the target computer crashes.

This vulnerability has been confirmed in the latest version of Winamp and the author of the vulenerability surmises that it could be an issue with earlier ones as well. Best bet don't load playlists from people you don't know and trust. Ultimately this article is just another example of the list of third party application exploits available. As windows PC's become more locked down exploit authors and script kiddies are turning more and more to third party applications to wreak havoc on systems. Therefore it becomes incumbant on the consumer to make it a weekly habit to audit software on their pc and remove those applications they don't need. Most of the larger third party software adobe, macromedia, etc.. come with update clients run them on a regular basis to make sure you are protected from exploits. Finally read and stay on top of security as a computer user now days you are user, and administrator, and your own personal security expert.

SecurityFocus

Infected By the Blog Worm

Please note this not a real virus but only an embeded GIF file meant for humor.

If you want to infect your own Blog click the image to the left and cut, copy, paste the code to your blog. I think this is a really cool idea and look forward to the blogworm spreading.

I find this a funny and lighthearted look at how things spread using social networks now it does pose a possible security threat that the hoster of this image could post a malicious image say a WMF file that would run exploitable code on your system. To that end I have downloaded a copy of the GIF file and hosted it on my own server if you want to see it change click the image to view the website.

Ultimate Way to Prevent Spyware from Installing on A Windows PC

If your a regular reader of this blog either your a personal friend or someone that has been seriously screwed by spyware running rampant on their system. All the solutions and programs out there telling you that their software will clean you up and protect your system from spyware are great as remedies but for true prevention the best tool I have seen to date has come from Vmaware.

A couple weeks ago I blogged about VmWare releasing their free virtual browser application and said I would post back after using it for a bit. Well I have been using since then and I am not looking back. Running a modified version of the ubuntu linux platform the virtual browser application is a delight. Firefox version 1.0.7 and 1.5 come preinstalled and with a whole host of extension out there available you will be on-line and spyware free in no time. The best part is it is all free.

Now many people will be quick to point out this isn't keeping your system secure because it is truly a system running within a system but I would retort that is exactly why it is secure. To date there are no real widespread viral, or malware infections for linux and there are definitely no spyware packages either and it is easy to use so the inconvenience isn't really a factor. By using their virtual browser system you are protecting your computer in three ways:

1. Isolation you are isolating your operating system from potentially dangerous areas of Internet
2. Separate from personal information and the core system if you are infected (though I can't see how) your information is stored separate from the browser appliance operating system
3. Easy to clean, if you do manage to get infected all you need do is to delete the browser application system and start over.

All in all it is a great system, so do yourself a favor and try it out.

http://www.vmware.com/vmtn/vm/browserapp.html

Start-up

Desktop

Browser

Trojan Writers Taking Aim for the BIOS

    For those of you who don't know the BIOS is the Basic Input/Output system or the set of instructions that a computer runs at startup the BIOS configures the peripheral devices (hard drives, keyboard, mouse, etc..) connected to a system and then loads the operating system. The BIOS due to its fundamental function is protected from the system image by being stored on a ROM chip (persistent memory) separate from the operating system.  What the security researchers have surmised is that it may be possible using a set of procedures called the ACPI or the advanced configuration and power interface to insert code in the BIOS that could resurrect a Trojan or other piece of malware after the system has been restored to a clean image paving the way for truly persistent Trojans.

    Root kits have recently made a big name for themselves with the Sony XCP debacle but they are not a new problem. Root kits have been around since the earliest days of hacking and in fact many of the technologies that allow for remote control of computer systems over the internet are based on root kit technologies. Not to say they are root kits just that there are legitimate uses for the technology. At the same time there has been several attempts to launch a pervasive infection with some level of effectiveness but due to diversity of the chipsets and programming interfaces it is hard to target an infection to affect a large array of computers. Now with the inception of ACPI (which by the way is not a new thing) researchers feel that root kit creators may have the tools they need to make this not only feasible but eminent.

    My own read of this is that there are too many variables out there to allow for large scale infection of the sort they predict, there are so many BIOS types and versions each with its own tables and interface points that it would make it a huge investment in resources to create a large scale attack of this type. Factor in that in some not all motherboards you have to move a jumper to write to the memory area where the BIOS is stored and this becomes even more likely and the limited storage capacity of a BIOS ROM chip will make it necessary to store some files on the harddrive. So this becomes a scenario more likely associated with one individual seeking to gain on another individual or organization. To be effective though the attacker would need to gather information on the BIOS the version number and then have physical access if there was a jumper to be moved and also a method of delivery. So to protect from this threat I recommend the following:

1. Make sure your board is protected from BIOS flashing by requiring a jumper to be moved
2. Disable the verbose messages at startup that display the BIOS type and version
3. Password protect your BIOS access
4. Employ physical safeguards such as a key and lock for the case to ensure physical access is limited to a trusted few
5. If you feel you have been compromised isolate that system and re-flash the BIOS which will erase the information currently stored and replace it with a known good version you currently posses.

    While I don't honestly believe that this calls for a large scale panic it is definitely something the CIO’s and those trusted with the information security of an organization should consider. At the very least employing physical safeguards such as lock and key to the case will eliminate the threat for those systems that require a jumper move and also limit the possibility of theft of peripheral systems such as extra hard drives and video cards. I do foresee however a new business model in the way of BIOS guards and BIOS scanners and ACPI interceptors.

Researchers: Root kits headed for BIOS

 

StopBadware Live

Yesterday I reported that StopBadware a collaborative effort between technology innovators, university researchers, and consumer advocacy groups was in the works. Toady they have a live site, so when you get a chance go there check out the content I know I will be.

StopBadware.org

Google backs anti-spyware resource

Google, Sun Microsystems, a Chinese computer company, prominent universities across the

United States

and consumer advocacy groups are working to help identify the makers and providers of Spyware. Aiming to be an all in one stop for information spyware removal, detection, and prevention this ambitious site will give consumers the ability to decide if it is safe to download a program and should they get infected provide the resources to resolve the infection.

I think this is great step forward for while there are a number of sites spread out across the net with snippets of information such as startup programs, and bhos; and rouge anti-spyware applications, there are no all-in-one sites that are easily navigable.

Still in creation stages the site http://www.StopBadware.org will not be available until the end of February. If you go to the site now you will be greeted with the default ruby on rails page which is a good indicator that they are building the website in Ajax. With buy in from large internet technology corporations, universities, and consumer advocacy groups this could be an invaluable resource in the future.

 

SignOnSanDiego.com > News > Technology -- University researchers launch anti-spyware site

Taking the fight to spammers

Personally I think this is a great idea the only reason these people do this stuff is because they make money off of it. But if we flood their network with worthless yet legitimate looking information it will become more and more costly for them to do business, with the end result being that hopefully they stop doing business all together. So come one come all join the fight and seize back control of your inbox.

The 'Kick A Spammer In The Nuts Daily' idea... - theScamBaiter.com

Kama Sutra Goes WMD

Be careful when covertly checking those naughty spam mails one might really bite you.  A new worm that exploits human behavior to open emails carrying the promise of the obscene or titillating (depending on your point of view) and will if executed corrupt files of the .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, or .dmp type with the garbage data on the third day of the month.

While viruses destroying files is nothing new, what is scary is the way it does it. Rather than simply deleting the file which could allow for recovery the Kama Sutra worm writes over the files to make them unrecoverable. This could affect business and individuals dramatically should they not have backups. So what should you do?

First off be aware, the virus arrives in the form of an e-mail porn with a subject line of "Arab sex," "give me a kiss," "Hot Movie," and "F***** Kama Sutra pics." Once executed the worm attempts to delete various anti-virus and firewalls software and then spread through mass-mailing and local and network folder shares. So if you are running a computer on a network and have your firewall disabled, enable it, and should you see any free porn in the in-box delete it.