Apologies
This is long haired, geeky stuff.
This is long and boring.
This is version 1.
The analogies between safe sex and safe computing cannot be ignored.
It is getting very difficult to protect older systems.
Too slow and not enough memory for security programs.
No new patches for anything older than Windows 2000.
This is meant to scare the *#$^ out of you.
Various services run over the Internet
World Wide Web
Instant Messaging
Peer to Peer sharing
Voice over IP phones
Gaming
Gopher
Audio streaming
Video streaming
The Internet was designed for enhancement.
It was not designed for this level of complexity.
IE. The easiest way to prevent spam is to authenticate the sender. Email has no method to do this.
IE. World Wide Web
HTML
XML
Java
JavaScript
Flash
Perl
ColdFusion
VBScript
.Net
ActiveX
SHTML
IE. Instant Messaging
AOL
Google
ICQ
Microsoft
Yahoo
And more!!!
…it was hard and relatively expensive to “get online.”
…it was slow.
Do you remember 300Bps and 1200Bps modems?
…the web didn’t exist!
Do you remember CompuServe and Prodigy and AOL?
…it was geeky!
Users were hobbyists and it was all very 60s.
Exploits were confined to bugging your buddy and showing off!
Now..
Everyone is online! Over 50% of users in the USA are on broadband.
Exploits are
Dirty rotten @#*!!!
Money making schemes and ripping off grandma
Virus
Worms
Trojan horse
Spyware
Spam
Phishing
All of these types of attacks are man-made and intentional.
There is no “natural” or “random” virus. All of these ride the Internet services you invite in!
Different companies and organizations will group attacks differently.
Software designed to infiltrate or damage a computer system without the owner's informed consent.
Originally harmless pranks or political messages, now have evolved into profit makers.
Include viruses, worms and Trojan horses.
A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload.
Virus
In the days of yore…
Who: typical author is young, smart and male
Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There is no financial gain to writing viruses.
Now…
Who: professional coders or programmers using “kits”
Why: financial gain by email delivery payments, renting of botnets, extortion… Often supported by mafia and black marketers.
Virus structure
Replication: viruses must propagate themselves
Payload: the malicious activity a virus performs when triggered.
Payload trigger: the date or counter or
Payload examples
Nothing - just being annoying
Displaying messages
Launching DDoS attack
Erasing files randomly, by type or usage
Formatting hard drive
Overwrite mainboard BIOS
Sending email
Expose private information
Trigger examples
Date
Boot sector virus
infects the first sector of a hard drive or disk. The first sector contains the MBR or master boot record.
File infector virus
attaches itself to a file on the computer and is
Multipartite
combines properties of boot sector and file infector viruses.
Macro virus
virus written using script or macro languages
Memory resident
virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.
Stealth virus
Polymorphic virus
a virus that alters its signature or footprint, to avoid detection.
Metamorphic virus
a virus that rewrites its code each time a new executable is created.
Malware: Worm
A self-replicating computer program that uses networks to copy itself to other computers without user intervention.
They often lack a payload of their own but drop in backdoor programs.
1978
Malware: Trojan
A destructive program that masquerades as a benign application; it requires a user to execute it.
A variety of payloads are possible, but often they are used to install backdoor programs.
Generally, trojans do not replicate.
Spyware
Application installed, usually without the user’s knowledge, intercepting or taking partial control for the author’s personal gain
Estimates as high as 90% of Internet connected computers are infected with spyware.
Unlike a virus, spyware does not self-replicate.
Spyware: symptoms
Sluggish PC performance
An increase in pop-up ads
Mysterious new toolbars you can’t delete
Unexplained changes to homepage settings
Puzzling search results
Spyware: a loaded system
Spyware: rogue help
Antivirus Gold Family
Adware Delete
SpyAxe
Antivirus Gold
SpywareStrike
PS Guard Family
Security Iguard
Winhound
PSGuard
SpywareNO!
SpyDemmolisher
SpySheriff
SpyTrooper
SpywareNO!
Raze Spyware
RegFreeze
Spyware: rogue help
This morning…
Spyware: Adware
Any software package which automatically plays, displays or downloads advertising material to a computer
Not necessarily “spyware” depending on your definitions
Many “free” applications install adware, creating a source of income.
Is it spyware?
http://www.symantec.com/enterprise/security_respo
Spyware: Adware
Spyware: Backdoors
Backdoor = Remote Access
A method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection.
May be an installed program (IE. Back Orifice) or a modification to an existing
Spyware: Browser hijacker
Alters your home page and may redirect other requested pages, often away from helpful sites.
Generally add advertising, porn, bookmarks or pay-per-surf web sites.
Spyware: Dialers
Program that uses a computer’s modem to dial out to a toll number or Internet site
900 numbers
Phone system flood attack
Can rack up huge phone bills! Often running
Spyware: Downloaders
Application designed to download and possibly install another application.
Sometimes, they may receive instructions from a web site or another trigger.
Also a typical form of Trojans.
Spyware: Rootkits
A type of Trojan that gives an attacker access to the lowest level of the computer, the root level.
Removing rootkits can be very difficult to impossible.
Microsoft’s recommendation to remove rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option.
Have been used for “legitimate” purposes,
Spyware: Scrapers
Extracting data from output to the screen or printer rather than from files or databases that may be secure.
Legitimate and illegitimate applications.
Temp files are often a great source of information!
Spyware: Tracking cookies
A small amount of data sent back to the requesting website by your browser. They may be temporary or persistent, first or third party.
Cookies are not bad and make browsing life better!
Third party cookies are used to track surfing
Keylogger
A software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use.
Bad keyloggers will store information for later retrieval or spit the captured information to an email address or web page for later analysis.
Social Engineering
Tricking a user into giving or giving access to
Social Engineering: pretexting
Creating a scenario to persuade a target to release information, done over the phone.
Often use commonly available information like social security numbers or family names to gain access to further information.
Social engineering: phishing
Creating a scenario to persuade a target to release information, done via email.
Often use commonly available information
Social engineering: more
Road apple: using an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity.
Quid pro quo: targeting corporate employees as “tech support” until someone actually has a problem and “allows them to help.”
True or false?
Spam
Junk email.
An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages.
You do not have to open an attachment to activate a threat.
Spam
Threats that activate via merely opening the email are not disabled by using the email preview!
Don’t use the Internet
Are you really that isolationist?
Other user profiles on your computer?
Other computers connected to the Internet
Other devices…
Xbox, Playstation, Wii
Media Center Extenders
Other connections
Wireless local networks
Bluetooth personal networks
Removable storage
Floppy
CDs
DVDs
USB memory key
Flash memory
Other connected devices
Printers
Digital cameras
Video cameras
The first bug causing a
And the stakes get higher…
Imagine the home of the future
Broadband Internet connection shared by…
Computers
Television / DVR
Phone
Security / heating / cooling
Kitchen appliances
Cell phone
Imagine hacker exploits
Defrost your freezer
Turn off the heat
Trip / disable security
Record “Boy Meets World” instead of “Desperate Housewives” and “24”!
Software or hardware that permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication.
Emerged in 1988.
Levels of protection
Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices.
Packet filters: very basic inspection of individual packets of inbound traffic for correct ports for basic services.
Stateful filters: compare packets of traffic, and rules can change criteria of what is allowed.
Application layer: deep packet inspection
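As an added illustration (not code from the presentation) of the difference between the packet filter and stateful filter levels above, this Python runs both styles over the same constructed traffic; every host, port and packet is made up:

```python
"""Toy packet filter vs. stateful filter on the same traffic.

Added example, not code from the presentation. The addresses, ports and
packets are constructed here purely for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # source IP
    sport: int         # source port
    dst: str           # destination IP
    dport: int         # destination port
    inbound: bool      # True = arriving from the Internet side
    syn: bool = False  # TCP SYN: True on a new connection request


# Basic service the home network deliberately exposes (constructed: a web server).
ALLOWED_INBOUND_PORTS = {80}
EPHEMERAL_PORT_MIN = 1024


def packet_filter(pkt, open_high_ports=False):
    """Stateless filter: judges each packet on its own ports only.
    With open_high_ports=True it also admits anything aimed at a high port,
    the crude way a basic filter lets replies to outbound sessions back in."""
    if not pkt.inbound:
        return True
    if pkt.dport in ALLOWED_INBOUND_PORTS:
        return True
    return open_high_ports and pkt.dport >= EPHEMERAL_PORT_MIN


class StatefulFilter:
    """Remembers connections the inside opened, so only their replies
    (plus new requests to exposed services) are allowed back in."""

    def __init__(self):
        self.established = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if not pkt.inbound:
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return True  # reply to a session the inside started
        return pkt.syn and pkt.dport in ALLOWED_INBOUND_PORTS


def run_scenario():
    """Returns verdicts (True = allowed) for three filter styles on the same packets."""
    inside, server, unknown = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    traffic = [
        Packet(inside, 51000, server, 443, inbound=False, syn=True),    # PC opens HTTPS
        Packet(server, 443, inside, 51000, inbound=True),               # server's reply
        Packet(unknown, 40000, inside, 51000, inbound=True, syn=True),  # unsolicited probe
        Packet(unknown, 40001, inside, 80, inbound=True, syn=True),     # request to web server
    ]
    strict = [packet_filter(p) for p in traffic]
    loose = [packet_filter(p, open_high_ports=True) for p in traffic]
    sf = StatefulFilter()
    stateful = [sf.allow(p) for p in traffic]
    return strict, loose, stateful
```

The strict stateless filter blocks the server's legitimate reply, the loose one lets the reply in but also the unsolicited probe, and only the stateful filter admits the reply while still dropping the probe.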
Protection: hardware firewall
Recommend a router with stateful packet inspection
Jim’s picks
Linksys
Sonicwall
Protection: software firewall
A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly.
Software firewalls often disrupt internal networks
Jim’s “sorta” pick
Protection: virus
Most mature category of protection. Detection rate should be near perfect!
How do anti-virus programs work?
File fingerprinting
Active scanning
Heuristics
Unusual hard drive activities
Protection can be run at the
Internet service provider
Router
Server (if applicable)
Workstation – recommended
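An added example, not from the presentation, of the three detection methods listed above (fingerprinting as an exact file hash, a byte-pattern signature as active scanning applies it, and a heuristic score) and of why the polymorphic and metamorphic viruses described earlier slip past the first of them. The “files”, fingerprint, signature and heuristic rules are all constructed here and are not real malware or vendor data:

```python
"""Fingerprint, signature and heuristic scanning on constructed samples.

Added example, not code from the presentation. KNOWN_BAD, the fingerprint,
the signature and the heuristic rules are made up for illustration.
"""
import hashlib
import re

# A constructed "known bad" sample: fake header, padding, a made-up payload string.
KNOWN_BAD = b"MZ\x90\x00" + b"A" * 40 + b"FORMAT C: /Y" + b"\x00" * 8
# Fingerprint: exact hash of the whole file (fast, but any change breaks it).
FINGERPRINTS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Sample.A"}
# Signature: a short byte pattern from the sample (survives small changes elsewhere).
SIGNATURES = {b"FORMAT C: /Y": "Constructed.Sample.A"}
# Heuristics: behaviours that are suspicious on their own, each with a weight.
HEURISTICS = [
    (re.compile(rb"FORMAT [A-Z]:"), 3, "formats a drive"),
    (re.compile(rb"HKLM\\.*\\Run"), 2, "adds a startup entry"),
    (re.compile(rb"(?i)autorun\.inf"), 1, "writes an autorun file"),
]
HEURISTIC_THRESHOLD = 3


def fingerprint_scan(data):
    """Exact-match lookup: returns the threat name or None."""
    return FINGERPRINTS.get(hashlib.sha256(data).hexdigest())


def signature_scan(data):
    """Byte-pattern search: returns the threat name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data):
    """Returns (score, reasons); a score at or above the threshold is suspicious."""
    score, reasons = 0, []
    for regex, weight, why in HEURISTICS:
        if regex.search(data):
            score += weight
            reasons.append(why)
    return score, reasons


def scan(data):
    """Combine the three methods into one verdict the way a scanner would."""
    name = fingerprint_scan(data) or signature_scan(data)
    if name:
        return ("infected", name)
    score, reasons = heuristic_scan(data)
    if score >= HEURISTIC_THRESHOLD:
        return ("suspicious", ", ".join(reasons))
    return ("clean", None)


def demo():
    """Scan constructed variants of the same sample plus a benign file."""
    identical = bytes(KNOWN_BAD)
    one_byte_changed = KNOWN_BAD[:5] + b"B" + KNOWN_BAD[6:]      # polymorphic-style tweak
    rewritten = (b"MZ\x90\x00" + b"C" * 40 + b"FORMAT D: /Y"        # metamorphic-style rewrite
                 + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    benign = b"MZ\x90\x00Hello, world! This program only says hello."
    samples = [("identical", identical), ("one_byte_changed", one_byte_changed),
               ("rewritten", rewritten), ("benign", benign)]
    return {label: scan(data) for label, data in samples}
```

The fingerprint catches only the identical copy, the signature still catches the one-byte variant, and the fully rewritten variant is caught only because its behaviour trips the heuristics.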
Protection: virus
Must be updated!
Jim’s picks
Norton Antivirus (home)
Symantec Antivirus Corporate Edition or Small Business Edition (offices)
AVG for older
Protection: spyware
Fairly new application; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.” Detection rates are not nearly as accurate as virus detection.
Anti-virus applications are now capable of replacing active scanning spyware applications.
Spyware and virus scanners can fight, causing system freeze ups and instability.
Protection: spyware
Jim’s picks
Webroot SpySweeper
Spyware Doctor
Spybot *
Adaware *
Protection: spam
Spam filtering occurs by recognizing common email addresses and domains for sending spam and by recognizing keywords in email, and moves it automatically to a “junk” folder.
Can be done at email server or workstation. Success rates are very individual!
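An added example (not the presentation’s code) of the spam filtering just described: a sender and domain block list plus keyword scoring files each message under Inbox or Junk. All addresses, keyword weights and messages are constructed; the last message is legitimate mail that trips the keyword rule, the kind of mis-labeled email a user has to look for in the Junk folder.

```python
"""Minimal sender/domain block list plus keyword scoring, routing mail to Junk.

Added example, not code from the presentation. The block lists, keyword
weights and the four sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

BLOCKED_SENDERS = {"deals@example-spammer.test"}   # constructed
BLOCKED_DOMAINS = {"bulkmail.example"}             # constructed
SPAM_KEYWORDS = {"act now": 2, "winner": 2, "click here": 1, "free": 1}
JUNK_THRESHOLD = 3


def score_message(raw):
    """Return (score, reasons) for one message given as RFC 822 text."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    score, reasons = 0, []
    if addr in BLOCKED_SENDERS:          # known spam address: enough on its own
        score += JUNK_THRESHOLD
        reasons.append(f"blocked sender {addr}")
    elif domain in BLOCKED_DOMAINS:      # known spam domain: also enough on its own
        score += JUNK_THRESHOLD
        reasons.append(f"blocked domain {domain}")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for keyword, weight in SPAM_KEYWORDS.items():
        if keyword in text:
            score += weight
            reasons.append(f"keyword '{keyword}'")
    return score, reasons


def sort_mail(messages):
    """File each message under 'Inbox' or 'Junk'; returns {folder: [subjects]}."""
    folders = {"Inbox": [], "Junk": []}
    for raw in messages:
        score, _ = score_message(raw)
        subject = message_from_string(raw).get("Subject", "")
        folders["Junk" if score >= JUNK_THRESHOLD else "Inbox"].append(subject)
    return folders


# Constructed sample mailbox. The last message is legitimate but trips the
# keyword rule, which is why the Junk folder still has to be checked.
SAMPLE_MESSAGES = [
    "From: Pat <pat@example.com>\nSubject: Lunch Friday?\n\n"
    "Are you free Friday at noon?\n",
    "From: deals@example-spammer.test\nSubject: You are a WINNER\n\n"
    "Click here to claim your prize.\n",
    "From: news@bulkmail.example\nSubject: Newsletter\n\n"
    "This month's update.\n",
    "From: Aunt May <may@example.org>\nSubject: Free tickets, act now\n\n"
    "I have free tickets for Saturday; act now if you want them!\n",
]
```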
Protection: spam
Avoid spam – once your email address is a spam target, there is no eliminating it
Avoid posting address on web pages.
Use throw-away email addresses (IE. Yahoo, Hotmail, Google) when working unknown or very public sites (IE. Ebay, MySpace…)
You have to look through your Junk email occasionally to find mis-labeled email!
The more “public” your email address, the
Protection: spam
Jim’s thoughts
Outlook 2007 not bad
Andrew likes new Thunderbird
Several clients like Inboxer
Several clients like Norton AntiSpam
Several clients like their ISP’s filtering but user must check junk on web site
Dial up: ISP filtering
Protection: Operating System updates
Most updates are security patches not functionality enhancements!
I do not recommend using driver updates through Windows Updates!
Get them only
Protection: Application updates
Browsers, email applications, instant messaging applications, etc. all need security patches!
Protection: Application updates
Application               Source of updates
AOL IM                    www.aim.com
Internet Explorer         Windows Updates
Microsoft Messenger       Windows Updates
Mozilla Firefox           www.mozilla.com (Help)
Opera                     www.opera.com (?)
Outlook Express           Windows Updates
Thunderbird email         www.mozilla.com (Help)
Windows Mail (Vista)      Windows Updates
Vulnerability: Internet
World Wide Web
Vulnerability: Email
Vulnerability: Gaming
Vulnerability: P2P
Layers: onions, ogres & protection
                            Broadband     Dial up
Hardware firewall           Necessary     n/a
Software firewall           Maybe         Maybe
Virus protection            Necessary     Necessary
Spyware protection          Necessary     Necessary
Spam filtering              Recommended   Recommended
Operating system patches    Necessary     Necessary
Browser/email/IM/… patches
Protection purchasing
Best of breed applications
Best possible protection
Probably less bloat
Security suite
Probably play together better
Better pricing
Common interface
Protection purchasing: suites
Jim’s picks
Norton Internet Security
Norton 360
PC Magazine Editor’s Choice
Norton 360
ZoneAlarm Internet Security Suite 7
PC World
Norton Internet Security
McAfee Internet Security
Selecting protection
Do
Read reviews from professional, neutral sources
Make sure you can understand your subscription’s status
Realize you generally get what you pay for
Realize that bundled apps are often 30 or 90 day trials and often not installed
Don’t
Use advertising or blogs as your main source of information
Use reviews from non-technical sources
Run two software firewalls, two anti-virus or two active anti-spyware apps
Protection: Educate your users
Do not open attachments from anyone you don’t know. Suspicious attachments from any known email address may be threats that spoof senders.
Security measures are for their benefit, don’t subvert them.
Don’t run ActiveX or Java from untrusted or unknown websites.
Never click on suspicious ads or popups. Always click the Windows Close X when you can.
Any connection can bring in threats…
Home computers logging in for remote work.
Protection: Educate your users
It is much easier to protect yourself than to get clean after an infection.
Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem, use a different browser.
Jim’s pick: Mozilla Firefox
Procedure at C3
Interview client. Possibly start system as is to see symptoms.
Remove hard drive and connect to C3 testing systems.
Prevents threats from going active
Improves accuracy of scans for stealth, polymorphic and rootkits
Virus scan (Symantec Antivirus Corporate Edition)
Spyware scan (Webroot Spysweeper)
Procedure at C3
Clean temp files
Windows\Temp
Windows\Temporary Internet Files
User\Temp
User\Temporary Internet Files
Possibly other locations
Research infections
Return hard drive to client’s system
Procedure at C3
Probable: Safe mode startup and disable Windows System Restore
Manual cleaning as needed while “disconnected”
All Windows Updates
Probable: installation of appropriate security package
All Updates
Procedure at C3
Total time: 2 to 8 hours
Total technician time: 1 to 4 hours
What can you do?
Know that Windows cannot diagnose most problems.
Know that repairing Windows requires a clean computer.
Know when to say “Uncle!” based on your skill level.
Know when to say “Uncle!” if a computer cannot be recovered and must be wiped.
Non-operating Windows
Boot from the appropriate Windows CD and attempt a repair installation
Must match system
Version
Home vs. Professional
Upgrade vs. Retail vs. OEM
Danger
Infections may corrupt system further.
You may get “running” until the threat kicks in again and repeats its damage.
Pros
Non-starting Windows
Safe mode
Press F8 (or hold Ctrl) prior to Windows splash screen
Scan
Manual updates?
Virus scanner
Spyware scanner
Document, research, follow necessary instructions
Limit startups
Most threats are inactive in safe mode.
You may be able to download scanner updates manually on another computer and install them.
Warning: more threats successfully hide themselves in safe mode.
Safe mode
F8 during startup
Most drivers and network not running
Often, you must log
Manual virus definition update
Highly dependent on application manufacturer
Expired subscription may not allow use of manual update
Limit startups
Start
Run
Msconfig
Services and Startup tabs
Turn off anything that you don’t recognize, especially “random” names.
Google names.
Operating Windows
Backup
Document!
Virus scan
Update installed app
Online scanner
Install new app
Spyware scan or 2
Update installed app
Online scanner
Install new app
Research infections
Manual attack and tools
Follow instructions! Take your time!
All Windows Updates
Install appropriate security
All updates
Scan
Scan your backup
Update virus scanner
Particular to application
Many threats will attempt to subvert connection
Subscription must
Online scanners (virus & spyware)
Symantec
www.symantec.com/home_homeoffice/security_response/index.jsp
Webroot SpySweeper
www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
Trend Micro
housecall.trendmicro.com/
I want a real antivirus –
now!
Many vendors have demo downloads. IE. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package
Delete – don’t quarantine.
When macro viruses were the rage, this was a
My antivirus isn’t playing!
Try updating.
Attempt a repair installation.
If you bought your security online, via download – copy it to CD for semi-permanent archival!
Realize all security applications “get old.”
Uninstall and reinstall. Need RAM?
Research infections
Symantec Threat Explorer
www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp
www.google.com
Scumware
Disable System Restore
Right-click My Computer
Properties
System Restore tab
Check “Turn off System Restore”
OK
Registry Editor
Start
Run
Regedit
OK
Procedure
Backup!
Navigate
Nuking the bad
Removal tools
CWShredder www.cwshredder.net
Major Geeks www.majorgeeks.com/downloads16.html
System cleaning
Eliminate temporary files
Start
All Programs
Accessories
System Tools
System cleaning
Defragment your hard drive
Start
All Programs
Accessories
System Tools
Disk Defragmenter
System cleanup
Internet Explorer automatically clearing cache
Internet Explorer
Tools
Internet Options…
Advanced tab
Security section
Check “Empty
Know when…
You’re…
Last backup was made
System and application CDs are
Over your head
Wasting your time
Your…
Windows is toast
Worthwhile freebies
Virus scanners
AVG – www.grisoft.com
Avast - www.avast.com
Spyware scanners
Spybot Search and Destroy
www.safer-networking.org/en/index.html
Discovery tools
Web privacy
Google is not the problem. Google is just one way to find this kind of data.
Blocking this data on Google will not block other search engines.
All of this is in the phone book and then I can
Email Hijack
From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM
Good Morning Jim:
I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CC’d who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM and can someone access confidential information that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx
Administrative Assistant
Xxxxxxxxx Coordinator
Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.
Email Hijack
Not hijacked – spoofed!
Realize there are four primary locations that your email can be hijacked or spoofed like Anita’s was.
Your computer or server
Your email server
The recipient’s email host
Email Spoofing application
It peruses my email and randomly grabs xyz’s message
Makes a copy
Probably alters the message somewhat
Attaches the virus or whatever its “payload” is
Reuses all original email addresses in the To, CC and BCC
Maybe adds some more addresses
Maybe randomly generates more email addresses
And starts sending itself out
XYZ may get a copy of her message back…
www.av-test.org
www.icsalab.com
www.virusbtn.com
www.pcmag.com
http://www.pcmag.com/category2/0,1874,4829,00.asp
www.pcworld.com
www.geeksonwheels.com
www.pcmag.com/encyclopedia/
www.snopes.com
www.sunbelt-software.com
http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
www.webroot.com
www.wikipedia.org