Jim Crowley C3 – Crowley Computer Consulting

Slide 1: Apologies
• This is long haired, geeky stuff.
• This is long and boring.
• This is version 1.
• The analogies between safe sex and safe computing cannot be ignored.
• It is getting very difficult to protect older systems: too slow and not enough memory for security programs, and no new patches for anything older than Windows 2000.
• This is meant to scare the *#$^ out of you.

Slide 2: The Internet brings the world to your computer!

Slide 3: Various services run over the Internet
• World Wide Web
• Email
• Instant Messaging
• Peer to Peer sharing
• Voice over IP phones
• Gaming
• Gopher
• Audio streaming
• Video streaming
The Internet was designed for enhancement. It was not designed for this level of complexity. E.g. the easiest way to prevent spam is to authenticate the sender; email has no method to do this.

Slide 4: Services have multiple methods of encoding and delivery
E.g. World Wide Web: HTML, XML, Java, JavaScript, Flash, Perl, ColdFusion, VBScript, .Net, ActiveX, SHTML, and more!!!

Slide 5: Services have multiple methods of encoding and delivery
E.g. Instant Messaging: AOL, Google, ICQ, Microsoft, Yahoo, and more!!!

Slide 6: You invite these services in…
Email, World Wide Web, Peer to Peer Sharing, Instant Messaging, Audio streaming, Gopher, Gaming, Voice over IP phones, Video streaming

Slide 7: The good old days…
• …it was hard and relatively expensive to “get online.”
• …it was slow. Do you remember 300 bps and 1200 bps modems?
• …the web didn’t exist! Do you remember CompuServe and Prodigy and AOL?
• …it was geeky! Users were hobbyists and it was all very 60s.
• Exploits were confined to bugging your buddy and showing off!

Slide 8: Now..
• Everyone is online! Over 50% of users in the USA are on broadband.
• Exploits are dirty rotten @#*!!! Money making schemes and ripping off grandma. Organized crime.

Slide 9: Common attacks
Virus, Worms, Trojan horse, Spyware, Spam, Phishing

Slide 10: Did you know…
• All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus.
• All of these ride the Internet services you invite in!
• Different companies and organizations will group attacks differently and will name attacks differently.

Slide 11: Malware
• Software designed to infiltrate or damage a computer system without the owner's informed consent.
• Originally harmless pranks or political messages; they have now evolved into profit makers.
• Includes viruses, worms and Trojan horses.

Slide 12: Malware: Virus
A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes) that (generally) replicates itself and (generally) delivers a payload. 1972

Slide 13: Virus
In the days of yore…
• Who: the typical author is young, smart and male.
• Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There is no financial gain to writing viruses.
Now…
• Who: professional coders or programmers using “kits”.
• Why: financial gain by email delivery payments, renting of botnets, extortion… Often supported by mafia and black marketers.

Slide 14: Virus structure
• Replication: viruses must propagate themselves.
• Payload: the malicious activity a virus performs when triggered.
• Payload trigger: the date or counter or circumstances present when a virus payload goes off.

Slide 15: Payload examples
• Nothing, just being annoying
• Displaying messages
• Launching a DDoS attack
• Erasing files randomly, by type or by usage
• Formatting the hard drive
• Overwriting the mainboard BIOS
• Sending email
• Exposing private information

Slide 16: Trigger examples
• Date
• Internet access
• Number of emails sent

Slide 17: Boot sector virus
Infects the first sector of a hard drive or disk. The first sector contains the MBR or master boot record.

Slide 18: File infector virus
Attaches itself to a file on the computer and is executed when that application is opened.

Slide 19: Multipartite
Combines properties of boot sector and file infector viruses.

Slide 20: Macro virus
A virus written using script or macro languages such as Microsoft Office’s VBA; it executes when a document containing the virus is opened.
Slide 21: Memory resident
• A virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.

Slide 22: Stealth virus
• A virus that actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.

Slide 23: Polymorphic virus
• A virus that alters its signature or footprint to avoid detection.

Slide 24: Metamorphic virus
A virus that rewrites its code each time a new executable is created. Usually very large.

Slide 25: Malware: Worm
A self-replicating computer program that uses networks to copy itself to other computers without user intervention. They often lack a payload of their own but drop in backdoor programs. 1978

Slide 26: Malware: Trojan
A destructive program that masquerades as a benign application; it requires a user to execute it.
• A variety of payloads are possible, but often they are used to install backdoor programs.
• Generally, trojans do not replicate.
• 1983

Slide 27: Spyware
• An application installed, usually without the user’s knowledge, intercepting or taking partial control for the author’s personal gain.
• Estimates run as high as 90% of Internet connected computers being infected with spyware.
• Unlike a virus, spyware does not self-replicate.

Slide 28: Spyware: symptoms
• Sluggish PC performance
• An increase in pop-up ads
• Mysterious new toolbars you can’t delete
• Unexplained changes to homepage settings
• Puzzling search results
• Frequent computer crashes

Slide 29: Spyware: a loaded system

Slide 30: Spyware: rogue help
Antivirus Gold Family, Adware Delete, SpyAxe, Antivirus Gold, SpywareStrike, PS Guard Family, Security Iguard, Winhound, PSGuard, SpywareNO!, SpyDemmolisher, SpySheriff, SpyTrooper, SpywareNO!, Raze Spyware, RegFreeze, WinAntiSpyware 2005, WorldAntiSpy

Slide 31: Spyware: rogue help
This morning…

Slide 32: Spyware: Adware
• Any software package which automatically plays, displays or downloads advertising material to a computer.
• Not necessarily “spyware”, depending on your definitions.
• Many “free” applications install adware, creating a source of income.
• Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp

Slide 33: Spyware: Adware

Slide 34: Spyware: Backdoors
• Backdoor = Remote Access
• A method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection.
• May be an installed program (e.g. Back Orifice) or a modification to an existing application (e.g. Windows’ Remote Desktop).

Slide 35: Spyware: Browser hijacker
• Alters your home page and may redirect other requested pages, often away from helpful sites.
• Generally adds advertising, porn, bookmarks or pay-per-surf web sites.

Slide 36: Spyware: Dialers
• A program that uses a computer’s modem to dial out to a toll number or Internet site.
• 900 numbers
• Phone system flood attack
• Can rack up huge phone bills! Often running to international numbers in the Caribbean.

Slide 37: Spyware: Downloaders
• An application designed to download and possibly install another application.
• Sometimes they may receive instructions from a web site or another trigger.
• Also a typical form of Trojan.

Slide 38: Spyware: Rootkits
• A type of Trojan that gives an attacker access to the lowest level of the computer, the root level.
• Removing rootkits can be very difficult to impossible. Microsoft’s recommendation to remove rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option.
• Have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.
Slide 39: Spyware: Scrapers
• Extracting data from output to the screen or printer rather than from files or databases that may be secure.
• Legitimate and illegitimate applications.
• Temp files are often a great source of information!

Slide 40: Spyware: Tracking cookies
• A small amount of data sent back to the requesting website by your browser.
• They may be temporary or persistent, first or third party.
• Cookies are not bad and make browsing life better!
• Third party cookies are used to track surfing habits and you may want to disable them.
Example cookie file entry: weather.com TRUE / FALSE 1218399413 LocID 13669

Slide 41: Keylogger
• A software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use.
• Bad keyloggers will store information for later retrieval or spit the captured information to an email address or web page for later analysis.

Slide 42: Social Engineering
Tricking a user into giving up, or giving access to, sensitive information in order to bypass protection.

Slide 43: Social Engineering: pretexting
• Creating a scenario to persuade a target to release information, done over the phone.
• Often uses commonly available information like social security numbers or family names to gain access to further information.

Slide 44: Social engineering: phishing
• Creating a scenario to persuade a target to release information, done via email.
• Often uses commonly available information like social security numbers or family names to gain access to further information.

Slide 45: Social engineering: more
• Road apple: using an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity.
• Quid pro quo: targeting corporate employees as “tech support” until someone actually has a problem and “allows them to help.”

Slides 46-49: True or false?

Slide 50: Spam
• Junk email. An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages.
• You do not have to open an attachment to activate a threat.
• Webmail eliminates few threats.

Slide 51: Spam
Threats that activate via merely opening the email are not disabled by using the email preview!

Slide 52: Now your services have hitchhikers! And they bring friends!
Email, World Wide Web, Instant Messaging, Gaming, Peer to Peer Sharing

Slide 54: Don’t use the Internet
• Are you really that isolationist?
• Other user profiles on your computer?
• Other computers connected to the Internet
• Other devices… Xbox, Playstation, Wii; Media Center Extenders; DVRs

Slide 55: Other connections
• Wireless local networks
• Bluetooth personal networks
• Removable storage
• Other connected devices: Printers, Digital cameras, Video cameras
• Floppy, CDs, DVDs, USB memory key, Flash memory

Slide 56: The first bug causing a computer error was found by Grace Hopper's team in 1945 using Harvard University's Mark II computer.

Slide 57: And the stakes get higher…
Imagine the home of the future: a broadband Internet connection shared by…
• Computers
• Television / DVR
• Phone
• Security / heating / cooling
• Kitchen appliances
• Cell phone
Imagine hacker exploits:
• Defrost your freezer
• Turn off the heat
• Trip / disable security
• Record “Boy Meets World” instead of “Desperate Housewives” and “24”!

Slide 58: What’s a guy or gal to do?

Slide 59: Protection: firewall
Software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication. Emerged in 1988.

Slide 60: Protection: firewall
Levels of protection:
• Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices.
• Packet filters: very basic inspection of individual packets of inbound traffic for correct ports for basic services.
• Stateful filters: compare packets of traffic, and rules can change the criteria of what is allowed.
• Application layer: deep packet inspection determines whether traffic is appropriate for a specific port.
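As an added example for the tracking-cookie slide (slide 40) above, not code from the presentation: the cookie-file entry shown there ("weather.com TRUE / FALSE 1218399413 LocID 13669") is in the seven-field cookies.txt format, and the script below parses such entries and classifies each cookie as first- or third-party and as session or persistent for a visited host. The sample entries other than the slide's own line are constructed.

```python
"""Parse cookie-file entries (the format shown on slide 40) and classify them.
Fields: domain, include_subdomains, path, secure, expiry (Unix time, 0 = session),
name, value. Real cookies.txt files are tab-separated; the slide shows the same
fields separated by spaces, so both separators are accepted."""
from datetime import datetime, timezone

# Constructed sample file text; the first line is the slide's own example entry.
SAMPLE_COOKIES = """\
weather.com TRUE / FALSE 1218399413 LocID 13669
.adtracker.example\tTRUE\t/\tFALSE\t2000000000\tuid\tabc123
www.weather.com\tFALSE\t/login\tTRUE\t0\tsessid\txyz
"""


def parse_cookie_line(line):
    """Split one entry into a dict; reject anything that is not exactly 7 fields."""
    parts = line.split("\t") if "\t" in line else line.split()
    if len(parts) != 7:
        raise ValueError("expected 7 fields, got %d: %r" % (len(parts), line))
    domain, subdomains, path, secure, expiry, name, value = parts
    expires = int(expiry)
    return {
        "domain": domain.lstrip(".").lower(),   # leading dot is an old "any subdomain" marker
        "include_subdomains": subdomains == "TRUE",
        "path": path,
        "secure": secure == "TRUE",
        "expires": expires,
        "expires_utc": (datetime.fromtimestamp(expires, tz=timezone.utc).isoformat()
                        if expires else None),
        "name": name,
        "value": value,
    }


def is_first_party(cookie, visited_host):
    """First-party when the cookie's domain is the visited host, or a parent of it
    and the entry allows subdomains; anything else is a third-party cookie."""
    host = visited_host.lower()
    if host == cookie["domain"]:
        return True
    return cookie["include_subdomains"] and host.endswith("." + cookie["domain"])


def is_persistent(cookie):
    """An expiry of 0 means the browser discards the cookie when it is closed."""
    return cookie["expires"] > 0


def classify(text, visited_host):
    """Return (name, party, lifetime) for every non-comment entry in the file text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_cookie_line(line)
        party = "first-party" if is_first_party(c, visited_host) else "third-party"
        lifetime = "persistent" if is_persistent(c) else "session"
        results.append((c["name"], party, lifetime))
    return results


if __name__ == "__main__":
    for name, party, lifetime in classify(SAMPLE_COOKIES, "www.weather.com"):
        print("%-8s %-12s %s" % (name, party, lifetime))
```

The slide's LocID cookie comes out as a first-party persistent cookie (it expires in August 2008), while the constructed adtracker entry is the third-party kind the slide suggests disabling.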
Slide 61: Protection: hardware firewall
• Recommend a router with stateful packet inspection.
• Jim’s picks: Linksys, Sonicwall

Slide 62: Protection: software firewall
• A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly.
• Software firewalls often disrupt internal networks.
• Jim’s “sorta” pick: ZoneAlarm

Slide 63: Protection: virus
• Most mature category of protection. Detection rate should be near perfect!
• How do anti-virus programs work? File fingerprinting; Active scanning; Heuristics; Unusual hard drive activities
• Protection can be run at: the Internet service provider; Router; Server (if applicable); Workstation (recommended)

Slide 64: Protection: virus
• Must be updated!
• Jim’s picks: Norton Antivirus (home); Symantec Antivirus Corporate Edition or Small Business Edition (offices); AVG for older systems

Slide 65: Protection: spyware
• A fairly new category of application; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.”
• Detection rates are not nearly as accurate as virus detection.
• Anti-virus applications are now capable of replacing active scanning spyware applications.
• Spyware and virus scanners can fight, causing system freeze ups and instability.

Slide 66: Protection: spyware
Jim’s picks: Webroot SpySweeper; Spyware Doctor; Spybot *; Adaware *
* Not an active scanner

Slide 67: Protection: spam
• Spam filtering works by recognizing email addresses and domains commonly used for sending spam, and by recognizing keywords in the email; matching messages are moved automatically to a “junk” folder.
• Can be done at the email server or the workstation.
• Success rates are very individual!

Slide 68: Protection: spam
• Avoid spam: once your email address is a spam target, there is no eliminating it.
• Avoid posting your address on web pages.
• Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when working unknown or very public sites (e.g. Ebay, MySpace…).
• You have to look through your Junk email occasionally to find mis-labeled email!
• The more “public” your email address, the less you can filter without false positives.

Slide 69: Protection: spam
Jim’s thoughts:
• Outlook 2007: not bad
• Andrew likes the new Thunderbird
• Several clients like Inboxer
• Several clients like Norton AntiSpam
• Several clients like their ISP’s filtering, but the user must check junk on the web site
• Dial up: ISP filtering

Slide 70: Protection: Operating System updates
• Most updates are security patches, not functionality enhancements!
• I do not recommend using driver updates through Windows Updates!
• Get your operating system updates only through Windows Updates!

Slide 71: Protection: Application updates
Browsers, email applications, instant messaging applications, etc. all need security patches!

Slide 72: Protection: Application updates
Application: Source of updates
• AOL IM: www.aim.com
• Internet Explorer: Windows Updates
• Microsoft Messenger: Windows Updates
• Mozilla Firefox: www.mozilla.com (Help)
• Opera: www.opera.com (?)
• Outlook Express: Windows Updates
• Thunderbird email: www.mozilla.com (Help)
• Windows Mail (Vista): Windows Updates
• Yahoo IM: www.yahoo.com

Slide 73: Vulnerability: Internet (diagram labels: Firewall, World Wide Web, Windows updates, Application updates)
Slide 74: Vulnerability: WWW (diagram labels: Virus protection, World Wide Web, Spyware protection)
Slide 75: Vulnerability: Email (diagram labels: Virus protection, Email, Spam protection)
Slide 76: Vulnerability: Instant messaging (diagram labels: Virus protection, IM, Turn off file sharing, Close buddy list to known)
Slide 77: Vulnerability: Gaming (diagram labels: Virus protection, Gaming, Turn off file sharing, Close buddy list to known)
Slide 78: Vulnerability: Streaming (diagram labels: Virus protection, Audio and Video Streaming)
Slide 79: Vulnerability: P2P (diagram label: Peer to Peer)

Slide 80: Layers: onions, ogres & protection
Protection                    Broadband     Dial up
Hardware firewall             Necessary     n/a
Software firewall             Maybe         Maybe
Virus protection              Necessary     Necessary
Spyware protection            Necessary     Necessary
Spam filtering                Recommended   Recommended
Operating system patches      Necessary     Necessary
Browser/email/IM/… patches    Necessary     Necessary

Slide 81: Protection purchasing
• Best of breed applications: best possible protection; probably less bloat.
• Security suite: probably play together better; better pricing; common interface.

Slide 82: Protection purchasing: suites
• Jim’s picks: Norton Internet Security; Norton 360
• PC Magazine Editor’s Choice: Norton 360; ZoneAlarm Internet Security Suite 7
• PC World: Norton Internet Security; McAfee Internet Security Suite

Slide 83: Selecting protection
Do:
• Read reviews from professional, neutral sources.
• Make sure you can understand your subscription’s status.
• Realize you generally get what you pay for.
• Realize that bundled apps are often 30 or 90 day trials and often not installed.
Don’t:
• Use advertising or blogs as your main source of information.
• Use reviews from nontechnical sources.
• Run two software firewalls, two anti-virus or two active anti-spyware apps.

Slide 84: Protection: Educate your users
• Do not open attachments from anyone you don’t know. Suspicious attachments from any known email address may be threats that spoof senders.
• Security measures are for their benefit; don’t subvert them.
• Don’t run ActiveX or Java from untrusted or unknown websites.
• Never click on suspicious ads or popups. Always click the Windows Close X when you can.
• Any connection can bring in threats… Home computers logging in for remote work. Office laptops connected in public Wi-Fi hotspots. Removable storage.

Slide 85: Protection: Educate your users
• It is much easier to protect yourself than to get clean after an infection.
• Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem, use a different browser.
• Jim’s pick: Mozilla Firefox

Slide 86: Protection: Educate your users
Fake Windows Updates

Slide 88: Procedure at C3
• Interview client.
• Possibly start system as is to see symptoms.
• Remove hard drive and connect to C3 testing systems. Prevents threats from going active; improves accuracy of scans for stealth, polymorphic and rootkits.
• Virus scan (Symantec Antivirus Corporate Edition)
• Spyware scan (Webroot Spysweeper)
• Hard drive test (Scandisk or Norton Disk Doctor)

Slide 89: Procedure at C3
• Clean temp files: Windows\Temp; Windows\Temporary Internet Files; User\Temp; User\Temporary Internet Files; possibly other locations
• Research infections
• Return hard drive to client’s system

Slide 90: Procedure at C3
• Probable: Safe mode startup and disable Windows System Restore
• Manual cleaning as needed while “disconnected”
• All Windows Updates
• Probable: installation of appropriate security package
• All Updates
• Full system scan

Slide 91: Procedure at C3
• Total time: 2 to 8 hours
• Total technician time: 1 to 4 hours

Slide 92: What can you do?
• Know that Windows cannot diagnose most problems.
• Know that repairing Windows requires a clean computer.
• Know when to say “Uncle!” based on your skill level.
• Know when to say “Uncle!” if a computer cannot be recovered and must be wiped.
• Backup, Backup, Backup.

Slide 94: Non-operating Windows
• Boot from the appropriate Windows CD and attempt a repair installation.
• Must match system: Version; Home vs. Professional; Upgrade vs. Retail vs. OEM
• Danger: Infections may corrupt the system further. You may get “running” until the threat kicks in again and repeats its damage.
• Pros: Desperation; you’re doing something.

Slide 95: Non-starting Windows
• Safe mode: Press F8 (or hold Ctrl) prior to the Windows splash screen.
• Scan: Manual updates? Virus scanner; Spyware scanner
• Document, research, follow necessary instructions.
• Limit startups.
• Most threats are inactive in safe mode. You may be able to download scanner updates manually on another computer and install them.
• Warning: more threats successfully hide themselves in safe mode.
Slide 96: Safe mode
• F8 during startup
• Most drivers and network not running
• Often, you must log on as administrator

Slide 97: Manual virus definition update
• Highly dependent on application manufacturer
• Expired subscription may not allow use of manual update

Slide 98: Limit startups
• Start > Run > Msconfig
• Services and Startup tabs
• Turn off anything that you don’t recognize, especially “random” names. Google names.
• Restart

Slide 99: Operating Windows
• Backup
• Document!
• Virus scan: update installed app, or online scanner, or install new app
• Spyware scan (or 2): update installed app, or online scanner, or install new app
• Research infections
• Manual attack and tools: Follow instructions! Take your time!
• All Windows Updates
• Install appropriate security
• All updates
• Scan
• Scan your backup

Slide 100: Update virus scanner
• Particular to application
• Many threats will attempt to subvert the connection
• Subscription must be active.

Slide 101: Online scanners (virus & spyware)
• Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp
• Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
• Trend Micro: housecall.trendmicro.com/

Slide 102: I want a real antivirus – now!
• Many vendors have demo downloads. E.g. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package.
• Delete, don’t quarantine. When macro viruses were the rage, quarantine was a method to recover infected documents.

Slide 103: My antivirus isn’t playing!
• Try updating.
• Attempt a repair installation.
• If you bought your security online, via download, copy it to CD for semi-permanent archival!
• Realize all security applications “get old.”
• Uninstall and reinstall.
• Need RAM?

Slide 104: Research infections
• Symantec Threat Explorer: www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp
• Google: www.google.com
• Scumware: http://scumware.com/

Slide 105: Disable System Restore
Right-click My Computer > Properties > System Restore tab > Check “Turn off System Restore” > OK

Slide 106: Registry Editor
• Start > Run > Regedit > OK
• Procedure: Backup! Navigate. Nuking the bad guys.

Slide 107: Removal tools
• CWShredder: www.cwshredder.net
• Major Geeks: www.majorgeeks.com/downloads16.html

Slide 108: System cleaning
Eliminate temporary files: Start > All Programs > Accessories > System Tools > Disk Cleanup

Slide 109: System cleaning
Defragment your hard drive: Start > All Programs > Accessories > System Tools > Disk Defragmenter

Slide 110: System cleanup
Internet Explorer automatically clearing cache: Internet Explorer > Tools > Internet Options… > Advanced tab > Security section > Check “Empty Temporary Internet Files when browser is closed”

Slide 111: Know when…
• your last backup was made
• where your system and application CDs are
• you’re over your head
• you’re wasting your time
• your Windows is toast

Slide 112: Worthwhile freebies
• Virus scanners: AVG (www.grisoft.com); Avast (www.avast.com)
• Spyware scanners: Spybot Search and Destroy (www.safernetworking.org/en/index.html)
• Discovery tools: Hijack This (www.merijn.org)

Slide 113: Web privacy

Slide 114: Web privacy
• Google is not the problem. Google is just one way to find this kind of data.
• Blocking this data on Google will not block other search engines.
• All of this is in the phone book, and then I can go to any mapping application.

Slide 115: Email Hijack
From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM

Good Morning Jim:
I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CCd who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM, and can someone access confidential information that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx
Administrative Assistant
Xxxxxxxxx Coordinator
Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.

Slide 116: Email Hijack
• Not hijacked – spoofed!
• Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was:
• Your computer or server
• Your email server
• The recipient’s email host
• The recipient’s computer or server

Slide 117: Email Spoofing application
• It peruses my email and randomly grabs xyz’s message
• Makes a copy
• Probably alters the message somewhat
• Attaches the virus or whatever its “payload” is
• Reuses all original email addresses in the To, CC and BCC
• Maybe adds some more addresses
• Maybe randomly generates more email addresses
• And starts sending itself out
• XYZ may get a copy of her message back…

Slide 118: Urban myths

Slide 119: Resources: Independent antivirus testing
• www.av-test.org
• www.icsalab.com
• www.virusbtn.com

Slide 120: Resources: Reviews
• www.pcmag.com
• http://www.pcmag.com/category2/0,1874,4829,00.asp
• www.pcworld.com
• http://www.pcworld.com/tc/spyware/

Slide 121: Resources: Other sources
• www.geeksonwheels.com
• www.pcmag.com/encyclopedia/
• www.snopes.com
• www.sunbelt-software.com
• http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
• www.webroot.com
• www.wikipedia.org
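An added example for the "Email Hijack" slides (116 and 117), not code from the presentation: the From: header of a message is whatever the sending program writes, so the spoofing worm described on slide 117 can mail Anita a message "from" Anita, and a "block sender" rule keyed on From: cannot stop it. The check below instead compares the From: domain with the host that handed the message to the recipient's own mail server, read from the Received: header that server wrote. The domain, server names, relay list and both messages are constructed placeholders.

```python
"""Tell a message spoofed with our own domain from one our mail server really
relayed, using the Received: header written by our own server (assumed names)."""
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example.org"          # assumed: domain of the user's mailbox
OUR_MX = "mx.example.org"           # assumed: the server whose Received: header we trust
OUR_RELAYS = {"mail.example.org"}   # assumed: hosts allowed to hand us mail claiming OUR_DOMAIN

# Constructed: claims to be from Anita to Anita (plus an old CC recipient), but
# our server received it from an outside dial-up/DSL host, as a worm would send it.
SPOOFED_MESSAGE = """\
Received: from dsl-203-0-113-7.isp.example ([203.0.113.7]) by mx.example.org with SMTP; Mon, 11 Jun 2007 10:40:00 -0400
From: Anita <anita@example.org>
To: Anita <anita@example.org>
Cc: friend@example.net
Subject: Re: budget figures

Copy of a six month old message, re-sent with an attachment added by the worm.
"""

# Constructed: the same sender, but handed to our server by our own internal mail server.
LEGITIMATE_MESSAGE = """\
Received: from mail.example.org ([192.0.2.25]) by mx.example.org with ESMTP; Mon, 11 Jun 2007 09:00:00 -0400
From: Anita <anita@example.org>
To: friend@example.net
Subject: budget figures

Here are the figures.
"""

# "from <host> ... by <host>" as written in a Received: header
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)\s.*?\bby\s+(\S+)", re.S)


def handoff_host(msg):
    """Host named in the Received: header written by OUR_MX, or None if absent."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m and m.group(2).lower() == OUR_MX:
            return m.group(1).lower()
    return None


def from_domain(msg):
    """Domain part of the (unauthenticated) From: address."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_message(raw):
    """Mail claiming our own domain must have arrived through a known relay;
    anything else claiming our domain is treated as spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    host = handoff_host(msg)
    spoofed = domain == OUR_DOMAIN and host not in OUR_RELAYS
    return {"from_domain": domain, "handoff_host": host, "spoofed": spoofed}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, classify_message(raw))
```

Both messages carry an identical From: line, which is exactly why the address alone cannot be blocked; only the Received: chain written by a server you control tells them apart.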