Apologies

_{This is long haired, geeky stuff.}

_{This is long and boring.}

_{This is version 1.}

_{The analogies between safe sex and safe}

computing cannot be ignored.

_{It is getting very difficult to protect older systems.}

Too slow and not enough memory for security

programs.

No new patches older than Windows 2000.

_{This is meant to scare the *#$^ out of you.}

Various services run over the

Internet

_

World Wide Web

_Email

Instant Messaging Peer to Peer sharing _{Voice over IP phones} _Gaming

_Gopher

Audio streaming _{Video streaming}

_{The Internet was}

designed for enhancement.

_{It was not designed}

for this level of complexity.

IE. The easiest way

to prevent spam is to authenticate the sender. Email has no method to do this.

IE. World Wide Web HTML

XML Java

JavaScript Flash

Perl

ColdFusion VBScript` .Net

ActiveX SHTML

IE. Instant Messaging

AOL Google ICQ

Microsoft Yahoo

And more!!!

…it was hard and relatively expensive to “get

online.”

…it was slow.

Do you remember 300Bps and 1200Bps modems?

…the web didn’t exist!

Do you remember CompuServe and Prodigy and AOL?

…it was geeky!

Users were hobbyists and it was all very 60s.

Exploits were confined to bugging your buddy and showing off!

Now..

_{Everyone is online!} _{Over 50% of users in}

the USA are on broadband.

_{Exploits are}

Dirty rotten @#*!!!

Money making

schemes and

ripping off grandma



Virus



Worms



Trojan horse



Spyware



Spam



Phishing

All of these types of attacks are man-made

and intentional.

There is no “natural” or “random” virus. All of these ride the Internet services you

invite in!

Different companies and organizations Will group attacks differently.

Software designed to infiltrate or damage a

computer system without the owner's informed consent.

Originally harmless pranks or political

messages, now have evolved into profit makers.

Include viruses, worms and Trojan horses.

a program or piece of code that is loaded

onto your computer (without your knowledge and against your wishes), that (generally)

replicates itself and (generally) delivers a payload.

Virus

_{In the days of yore…}

Who: typical author is young, smart and male

Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their

peers. There is no financial gain to writing viruses. _Now…

Who: professional coders or programmers using “kits”

Why: financial gain by email delivery payments, renting of botnets, extortion…

Often supported by mafia and black marketers.

Virus structure

_{Replication: viruses must propagate}

themselves

_{Payload: the malicious activity a virus}

performs when triggered.

_{Payload trigger: the date or counter or}

Payload examples

_{Nothing - just being annoying} _{Displaying messages}

_{Launching DDoS attack}

_{Erasing files randomly, by type or usage} _{Formatting hard drive}

_{Overwrite mainboard BIOS} _{Sending email}

_{Expose private information}

Trigger examples

_Date

Boot sector virus

_{infects the first sector of a hard drive or disk.}

The first sector contains the MBR or master boot record.

File infector virus

_{attaches itself to a file on the computer and is}

Multipartite

_{combines properties of boot sector and file}

infector viruses.

Macro virus

_{virus written using script or macro languages}

Memory resident

• _{virus that sits continuously in memory to do} its work, often making it more difficult to

clean. Most viruses now are memory resident.

Stealth virus

Polymorphic virus

• _{a virus that alters its signature or footprint,} to avoid detection.

Metamorphic virus

_{A virus that rewrites its code each time a new}

executable is created.

Malware: Worm

_{A self-replicating computer program that}

uses networks to copy itself to other computers without user intervention.

_{They often lack a payload of their own but}

drop in backdoor programs.

₁₉₇₈

Malware: Trojan

_{A destructive program that masquerades as a}

benign application, it requires a user to execute it.

• _{A variety of payloads are possible, but often} they are used to install backdoor programs. • _{Generally, trojans do not replicate.}

Spyware

_{Application installed, usually without the}

user’s knowledge, intercepting or taking

partial control for the author’s personal gain

_{Estimates as high as 90% of Internet}

connected computers are infected with spyware.

_{Unlike a virus does not self-replicate.}

Spyware: symptoms

_{Sluggish PC performance} _{An increase in pop-up ads}

_{Mysterious new toolbars you can’t delete} _{Unexplained changes to homepage settings} _{Puzzling search results}

Spyware: a loaded system

Spyware: rogue help

 _{Antivirus Gold Family}

 _{Adware Delete}  _SpyAxe

 _{Antivirus Gold}  _{SpywareStrike}

 _{PS Guard Family}

 _{Security Iguard}  _Winhound  PSGuard  _SpywareNO!  _{SpyDemmolisher}  _SpySheriff  _SpyTrooper  _SpywareNO!

 _{Raze Spyware}  _RegFreeze

Spyware: rogue help

_{This morning…}

Spyware: Adware

_{Any software package which automatically}

plays, displays or downloads advertising material to a computer

_{Not necessarily “spyware” depending on your}

definitions

_{Many “free” applications install adware,}

creating a source of income.

_{Is it spyware?}

 http://www.symantec.com/enterprise/security_respo

Spyware: Adware

Spyware: Backdoors

_{Backdoor = Remote Access}

_{A method of bypassing normal authentication}

or securing remote access while remaining hidden from casual inspection.

_{May be an installed program (IE. Back}

Orifice) or a modification to an existing

Spyware: Browser hijacker

_{Alters your home page and may redirect}

other requested pages, often away from helpful sites.

_{Generally add advertising, porn, bookmarks}

or pay-per-surf web sites.

Spyware: Dialers

_{Program that uses a computer’s modem to}

dial out to a toll number or Internet site

900 numbers

Phone system flood attack

_{Can rack up huge phone bills! Often running}

Spyware: Downloaders

_{Application designed to download and}

possibly install another application.

Sometimes, they may receive instructions from a web site or another trigger.

_{Also a typical form of Trojans.}

Spyware: Rootkits

_{A type of Trojan that gives an attacker access to}

the lowest level of the computer, the root level.

_{Removing rootkits can be very difficult to}

impossible.

Microsoft’s recommendation to remove rootkits from Windows Xp was to reformat the hard drive and start over! Sometimes this is the only option.

_{Have been used for “legitimate” purposes,}

Spyware: Scrapers

_{Extracting data from}

output to the screen or printer rather than from files or databases that may be secure.

_{Legitimate and}

illegitimate applications.

_{Temp files are often a}

great source of information!

Spyware: Tracking cookies

_{A small amount of data}

sent back to the

requesting website by your browser. They may be temporary or

persistent, first or third party.

_{Cookies are not bad and}

make browsing life better!

_{Third party cookies are}

used to track surfing

Keylogger

_{A software application or hardware device}

that captures a user’s keystrokes for legitimate or illegitimate use.

_{Bad keyloggers will store information for}

later retrieval or spit the captured

information to an email address or web page for later analysis.

Social Engineering

_{Tricking a user into giving or giving access to}

Social Engineering: pretexting

_{Creating a scenario to persuade a target to}

release information done over the phone.

_{Often use commonly available information}

like social security numbers or family names to gain access to further information.

Social engineering: phishing

_{Creating a scenario to persuade a target to}

release information done via email.

_{Often use commonly available information}

Social engineering: more

_{Road apple: using an infected floppy, CD or}

USB memory key in a location where someone is bound to find and check it through simple curiosity.

_{Quid pro quo: targeting corporate employees}

as “tech support” until some actually has a problem and “allows them to help.”

True or false?

True or false?

Spam

_{Junk email.}

_{An email message can contain any of the}

threats mentioned, not to mention the time

wasted downloading and filtering through the messages.

_{You do not have to open an attachment to}

activate a threat.

Spam

_{Threats that activate}

via merely opening the email are not

disabled by using the email preview!

Don’t use the Internet

_{Are you really that isolationist?}

_{Other user profiles on your computer?}

_{Other computers connected to the Internet} _{Other devices…}

Xbox, Playstation, Wii

Media Center Extenders

Other connections

_{Wireless local}

networks

_{Bluetooth personal}

networks

_{Removable storage}

Floppy

CDs DVDs

USB memory key

Flash memory

_{Other connected}

devices

Printers

Digital cameras

Video cameras

The first bug causing a

And the stakes get higher…

_{Imagine the home of}

the future

_{Broadband Internet}

connection shared by…

 Computers

 Television / DVR  Phone

 Security / heating /

cooling

 Kitchen appliances  Cell phone

_{Imagine hacker}

exploits

Defrost your freezer

Turn off the heat

Trip / disable

security

Record “Boy Meets

World” instead of “Desparate

Housewives” and “24”!

A software or hardware which permits or

denies data into and possibly out of a

computer network depending on levels of trust and authentication.

Emerged in 1988.

Levels of protection

Network address translation: internal devices carry

separate addresses from Internet connection, firewall translates, masking internal devices.

Packet filters: very basic inspection of individual

packets of inbound traffic for correct ports for basic services.

Stateful filters: compare packets of traffic and rules

can change criteria of what is allowed.

Application layer: deep packet inspection

Protection: hardware firewall

_{Recommend a router}

with stateful packet inspection

_{Jim’s picks}

Linksys

Sonicwall

Protection: software firewall

_{A good program will}

know configure major applications correctly, but it is easy to

answer a firewall incorrectly.

_{Software firewalls}

often disrupt internal networks

_{Jim’s “sorta” pick}

Protection: virus

_{Most mature category of protection. Detection}

rate should be near perfect!

_{How do anti-virus programs work?}

File fingerprinting Active scanning Heuristics

Unusual hard drive activities

_{Protection can be run at the}

Internet service provider Router

Server (if applicable)

Workstation – recommended

Protection: virus

_{Must be updated!}

_{Jim’s picks}

Norton Antivirus

(home)

Symantec Antivirus

Corporate Edition or Small Business

Edition (offices)

AVG for older

Protection: spyware

_{Fairly new application, running two}

anti-spyware applications is often recommended, but only one should be doing “active scanning.” _{Detection rates are not nearly as accurate as}

virus detection.

Anti-virus applications are now capable of

replacing active scanning spyware applications. _{Spyware and virus scanners can fight, causing}

system freeze ups and instability.

Protection: spyware

_{Jim’s picks}

Webroot

SpySweeper

Spyware Doctor

Spybot *

Adaware *

Protection: spam

_{Spam filtering occurs by recognizing common}

email addresses and domains for sending spam and by recognizing keywords in email and moves it automatically to a “junk” folder.

_{Can be done at email server or workstation.} _{Success rates are very individual!}

Protection: spam

_{Avoid spam – once your email address is a}

spam target, there is no eliminating it

Avoid posting address on web pages.

Use throw-away email addresses (IE. Yahoo,

Hotmail, Google) when working unknown or very public sites (IE. Ebay, MySpace…)

_{You have to look through your Junk email}

occasionally to find mis-labeled email!

_{The more “public” your email address, the}

Protection: spam

_{Jim’s thoughts}

Outlook 2007 not bad

Andrew likes new

Thunderbird

Several clients like Inboxer

Several clients like Norton

AntiSpam

Several clients like their

ISP’s filtering but user must check junk on web site

Dial up: ISP filtering

Protection: Operating System

updates

_

Most updates are security patches not functionality

enhancements!

_{I do not recommend} using driver updates through Windows

Updates!

_{Get them only}

Protection: Application updates

_{Browsers, email applications, instant}

messaging applications, etc. all need security patches!

Protection: Application updates

Application Source of updates

AOL IM www.aim.com

Internet Explorer Windows Updates Microsoft Messenger Windows Updates

Mozilla Firefox www.mozilla.com (Help) Opera www.opera.com (?)

Outlook Express Windows Updates

Thunderbird email www.mozilla.com (Help) Windows Mail (Vista) Windows Updates

Vulnerability: Internet

World Wide Web

Vulnerability: Email

Vulnerability: Gaming

Vulnerability: P2P

Layers: onions, ogres & protection

Broadband Dial up

Hardware firewall Necessary n/a Software firewall Maybe Maybe Virus protection Necessary Necessary Spyware protection Necessary Necessary

Spam filtering Recommended Recommended

Operating system patches

Necessary Necessary

Browser/email/IM/… patches

Protection purchasing

Best of breed

applications Security suite

_{Best possible protection} _{Probably less bloat}

_{Probably play together} better

_{Better pricing}

_{Common interface}

Protection purchasing: suites

_{Jim’s picks}

Norton Internet Security Norton 360

_{PC Magazine Editor’s}

Choice

Norton 360

ZoneAlarm Internet Security Suite 7

_{PC World}

Norton Internet Security McAfee Internet Security

Selecting protection

Do Don’t

_{Read reviews from}

professional, neutral sources

_{Make sure you can}

understand your

subscription’s status

_{Realize you generally get}

what you pay for

_{Realize that bundled apps}

are often 30 or 90 day trials and often not installed

_{Use advertising or blogs} as your main source of information

_{Use reviews from} non-technical sources

_{Run two software}

firewalls, two anti-virus or two active

anti-spyware apps

Protection: Educate your users

_{Do not open attachments from anyone you don’t know.} _{Suspicious attachments from any known email address}

may be threats that spoof senders.

_{Security measures are for their benefit, don’t subvert}

them.

_{Don’t run ActiveX or Java from untrusted or unknown}

websites.

_{Never click on suspicious ads or popups. Always click}

the Windows Close X when you can.

_{Any connection can bring in threats…}

Home computers logging in for remote work.

Protection: Educate your users

_{It is much easier to protect yourself than to}

get clean after an infection.

_{Internet Explorer is the only web browser}

that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem, use a different browser.

Jim’s pick: Mozilla Firefox

Procedure at C3

_{Interview client. Possibly start system as is to see}

symptoms.

_{Remove hard drive and connect to C3 testing}

systems.

Prevents threats from going active

Improves accuracy of scans for stealth, polymorphic

and rootkits

_{Virus scan (Symantec Antivirus Corporate Edition)}

_{Spyware scan (Webroot Spysweeper)}

Procedure at C3

_{Clean temp files}

Windows\Temp

Windows\Temporary Internet Files

User\Temp

User\Temporary Internet Files

Possibly other locations

_{Research infections}

_{Return hard drive to client’s system}

Procedure at C3

_{Probable: Safe mode startup and disable}

Windows System Restore

_{Manual cleaning as needed while}

“disconnected”

_{All Windows Updates}

_{Probable: installation of appropriate security}

package

All Updates

Procedure at C3

_{Total time: 2 to 8 hours}

_{Total technician time: 1 to 4 hours}

What can you do?

_{Know that Windows cannot diagnose most}

problems.

_{Know that repairing Windows requires a}

clean computer.

_{Know when to say “Uncle!” based on your}

skill level.

_{Know when to say “Uncle!” if a computer}

cannot be recovered and must be wiped.

Non-operating Windows

_{Boot from the}

appropriate

Windows CD and attempt a repair installation

Must match system

 Version

 Home vs. Professional  Upgrade vs. Retail vs.

OEM

_Danger

Infections may corrupt system further.

You may get “running” until the threat kicks in again and repeats its damage.

_Pros

Non-starting Windows

_{Safe mode}

Press F8 (or hold Ctrl)

prior to Windows splash screen

_Scan

Manual updates? Virus scanner

Spyware scanner

Document, research,

follow necessary instructions

_{Limit startups}

_{Most threats are}

inactive in safe mode.

_{You may be able to}

download scanner updates manually on another computer and install them.

_{Warning: more threats}

successfully hide themselves in safe mode.

Safe mode

_{F8 during startup} _{Most drivers and}

network not running

_{Often, you must log}

Manual virus definition update

_{Highly dependent on}

application manufacturer

_{Expired subscription}

may not allow use of manual update

Limit startups

_Start _Run

_Msconfig

_{Services and Startup}

tabs

_{Turn off anything}

that you don’t

recognize, especially “random” names.

Google names.

Operating Windows

_Backup

_Document! _{Virus scan}

Update installed app

Online scanner

Install new app

_{Spyware scan or 2}

Update installed app

Online scanner

Install new app

_{Research infections} _{Manual attack and}

tools

Follow instructions! Take your time!

_{All Windows Updates} _{Install appropriate}

security

All updates Scan

_{Scan your backup}

Update virus scanner

_{Particular to}

application

_{Many threats will}

attempt to subvert connection

_{Subscription must}

Online scanners (virus & spyware)

_Symantec www.symantec.com/home_ homeoffice/security_respon se/index.jsp 

Webroot

SpySweeper

www.webroot.com/shoppin gcart/tryme.php? bjpc=64021&vcode=DT02 A

Trend Micro

housecall.trendmicro.com/

I want a real antivirus –

now!

_{Many vendors have demo downloads. IE.}

Symantec offers a 15 day Norton Antivirus

trial that can be activated later by purchasing a license or package

_{Delete – don’t quarantine.}

When macro viruses were the rage, this was a

My antivirus isn’t playing!

_{Try updating.}

_{Attempt a repair installation.}

If you bought your security online, via

download – copy it to CD for semi-permanent archival!

Realize all security applications “get old.”

_{Uninstall and reinstall.} _{Need RAM?}

Research infections

_{Symantec Threat}

Explorer

www.symantec.com/h ome_homeoffice/secu rity_response/threate xplorer/index.jsp

_Google

www.google.com

_Scumware

Disable System Restore

_{Right+click My}

Computer

_Properties

_{System Restore tab} _{Check “Turn off}

System Restore”

_OK

Registry Editor

_Start

_Run

_Regedit

_OK

_Procedure

Backup!

Navigate

Nuking the bad

Removal tools

_{CWShredder www.cwshredder.net} _{Major Geeks}

www.majorgeeks.com/downloads16.html

System cleaning

_{Eliminate temporary}

files

Start

All Programs

Accessories

System Tools

System cleaning

_{Defragment your}

hard drive Start

All Programs

Accessories

System Tools

Disk

Defragmenter

System cleanup

_{Internet Explorer}

automatically clearing cache

Internet Explorer

Tools

Internet Options…

Advanced tab

Security section

Check “Empty

Know when…

_You’re…

Last backup was made

System and application CDs are

Over your head

Wasting your time

_Your…

Windows is toast

Worthwhile freebies

_{Virus scanners}

AVG – www.grisoft.com

Avast - www.avast.com

_{Spyware scanners}

Spybot Search and Destroy

www.safer-networking.org/en/index.html

_{Discovery tools}

Web privacy

Web privacy

_{Google is not the problem. Google is just one}

way to find this kind of data.

_{Blocking this data on Google will not block}

other search engines.

_{All of this is in the phone book and then I can}

Email Hijack

From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx Sent: Monday, June 11, 2007 10:45 AM To: James D. Crowley

Subject: SPAM  

Good Morning Jim:  

I wanted to report a SPAM issue to you. This morning xxxxx received an email to her

xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CCd who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending its herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from

xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because its from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM and can someone access confidential information that is being sent via email and send it to people in our contact list?

 

Xxxxx xxxxx

Administrative Assistant Xxxxxxxxx Coordinator

Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.

Email Hijack

_{Not hijacked – spoofed!}

_{Realize there are four primary locations that}

your email can be hijaaked or spoofed like Anita’s was.

Your computer or server

Your email server

The recipient’s email host

Email Spoofing application

_{It peruses my email and randomly grabs xyz’s}

message

_{Makes a copy}

_{Probably alters the message somewhat}

_{Attaches the virus or whatever its “payload” is}

_{Reuses all original email addresses in the To, CC}

and BCC

_{Maybe adds some more addresses}

_{Maybe randomly generates more email addresses}

_{And starts sending itself out}

_{XYZ may get a copy of her message back…}

www.av-test.org www.icsalab.com www.virusbtn.com

www.pcmag.com

http://www.pcmag.com/category2/0,1874,4829,

00.asp

www.pcworld.com

www.geeksonwheels.com

www.pcmag.com/encyclopedia/ www.snopes.com

www.sunbelt-software.com

http://www.netvalley.com/archives/mirrors/ro

bert_cailliau_speech.htm

www.webroot.com www.wikipedia.org