Computer Security
Jim Crowley, C3 – Crowley Computer Consulting


Apologies
• This is long haired, geeky stuff.
• This is long and boring.
• This is version 1.
• The analogies between safe sex and safe computing cannot be ignored.
• It is getting very difficult to protect older systems: too slow and not enough memory for security programs, and no new patches for anything older than Windows 2000.
• This is meant to scare the *#$^ out of you.

Various services run over the Internet
• World Wide Web
• Email
• Instant Messaging
• Peer to Peer sharing
• Voice over IP phones
• Gaming
• Gopher
• Audio streaming
• Video streaming

The Internet was designed for enhancement. It was not designed for this level of complexity. E.g. the easiest way to prevent spam is to authenticate the sender; email has no method to do this.

E.g. World Wide Web: HTML, XML, Java, JavaScript, Flash, Perl, ColdFusion, VBScript, .Net, ActiveX, SHTML and more!!!

E.g. Instant Messaging: AOL, Google, ICQ, Microsoft, Yahoo and more!!!

[Diagram: Internet services – World Wide Web, Email, Instant Messaging, Peer to Peer Sharing, Video streaming, Gaming, Voice over IP phones, Gopher, Audio streaming]

• …it was hard and relatively expensive to “get online.”
• …it was slow. Do you remember 300Bps and 1200Bps modems?
• …the web didn’t exist! Do you remember CompuServe and Prodigy and AOL?
• …it was geeky! Users were hobbyists and it was all very 60s.
• Exploits were confined to bugging your buddy and showing off!

Now…
• Everyone is online! Over 50% of users in the USA are on broadband.
• Exploits are dirty rotten @#*!!! Money making schemes and ripping off grandma.
• Organized crime.

• Virus
• Worms
• Trojan horse
• Spyware
• Spam
• Phishing

• All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus.
• All of these ride the Internet services you invite in!
• Different companies and organizations will group attacks differently and will name attacks differently.

Malware
• Software designed to infiltrate or damage a computer system without the owner's informed consent.
• Originally harmless pranks or political messages; now evolved into profit makers.
• Includes viruses, worms and Trojan horses.

Virus
• A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload.
• 1972

Virus
In the days of yore…
• Who: typical author is young, smart and male.
• Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There is no financial gain to writing viruses.
Now…
• Who: professional coders or programmers using “kits”.
• Why: financial gain by email delivery payments, renting of botnets, extortion… Often supported by mafia and black marketers.

Virus structure
• Replication: viruses must propagate themselves.
• Payload: the malicious activity a virus performs when triggered.
• Payload trigger: the date or counter or circumstances present when a virus payload goes off.

Payload examples
• Nothing - just being annoying
• Displaying messages
• Launching DDoS attack
• Erasing files randomly, by type or usage
• Formatting hard drive
• Overwrite mainboard BIOS
• Sending email
• Expose private information

Trigger examples
• Date
• Internet access
• # emails sent

Boot sector virus
• Infects the first sector of a hard drive or disk. The first sector contains the MBR or master boot record.

File infector virus
• Attaches itself to a file on the computer and is executed when that application is opened.

Multipartite
• Combines properties of boot sector and file infector viruses.

Macro virus
• Virus written using script or macro languages such as Microsoft Office’s VBA; executes when a document containing the virus is opened.

Memory resident
• Virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.

Stealth virus
• A virus that actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.

Polymorphic virus
• A virus that alters its signature or footprint to avoid detection.

Metamorphic virus
• A virus that rewrites its code each time a new executable is created. Usually very large.

Malware: Worm
• A self-replicating computer program that uses networks to copy itself to other computers without user intervention.
• They often lack a payload of their own but drop in backdoor programs.
• 1978

Malware: Trojan
• A destructive program that masquerades as a benign application; it requires a user to execute it.
• A variety of payloads are possible, but often they are used to install backdoor programs.
• Generally, trojans do not replicate.
• 1983

Spyware
• Application installed, usually without the user’s knowledge, intercepting or taking partial control for the author’s personal gain.
• Estimates as high as 90% of Internet connected computers are infected with spyware.
• Unlike a virus, does not self-replicate.

Spyware: symptoms
• Sluggish PC performance
• An increase in pop-up ads
• Mysterious new toolbars you can’t delete
• Unexplained changes to homepage settings
• Puzzling search results
• Frequent computer crashes

Spyware: a loaded system

Spyware: rogue help
Antivirus Gold Family
Adware Delete, SpyAxe, Antivirus Gold, SpywareStrike
PS Guard Family, Security Iguard, Winhound, PSGuard
SpywareNO!, SpyDemmolisher, SpySheriff, SpyTrooper, SpywareNO!
Raze Spyware, RegFreeze, WinAntiSpyware 2005, WorldAntiSpy

Spyware: rogue help
• This morning…

Spyware: Adware
• Any software package which automatically plays, displays or downloads advertising material to a computer.
• Not necessarily “spyware” depending on your definitions.
• Many “free” applications install adware, creating a source of income.
• Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp

Spyware: Backdoors
• Backdoor = Remote Access
• A method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection.
• May be an installed program (e.g. Back Orifice) or a modification to an existing application (e.g. Windows’ Remote Desktop).

Spyware: Browser hijacker
• Alters your home page and may redirect other requested pages, often away from helpful sites.
• Generally adds advertising, porn, bookmarks or pay-per-surf web sites.

Spyware: Dialers
• Program that uses a computer’s modem to dial out to a toll number or Internet site: 900 numbers, phone system flood attack.
• Can rack up huge phone bills! Often running to international numbers in the Caribbean.

Spyware: Downloaders
• Application designed to download and possibly install another application. Sometimes they may receive instructions from a web site or another trigger.
• Also a typical form of Trojans.

Spyware: Rootkits
• A type of Trojan that gives an attacker access to the lowest level of the computer, the root level.
• Removing rootkits can be very difficult to impossible. Microsoft’s recommendation to remove rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option.
• Have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.

Spyware: Scrapers
• Extracting data from output to the screen or printer rather than from files or databases that may be secure.
• Legitimate and illegitimate applications.
• Temp files are often a great source of information!

Spyware: Tracking cookies
• A small amount of data sent back to the requesting website by your browser. They may be temporary or persistent, first or third party.
• Cookies are not bad and make browsing life better!
• Third party cookies are used to track surfing habits and you may want to disable them.
• Example cookie record: weather.com TRUE / FALSE 1218399413 LocID 13669
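The weather.com record on the slide is laid out in the seven-field Netscape cookies.txt format (domain, subdomain flag, path, secure flag, expiry, name, value). The following added example, which is not part of the presentation, parses records in that format and labels each cookie first- or third-party relative to the site being visited and session or persistent, which is the distinction the slide draws. The weather.com line is the slide's; the other two records are constructed.

```python
"""Classify browser cookies from a Netscape cookies.txt export (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    domain: str               # host the cookie is sent to (leading dot stripped)
    include_subdomains: bool  # TRUE/FALSE field: also sent to subdomains
    path: str
    secure: bool              # only sent over HTTPS
    expires: int              # Unix time; 0 means a session cookie
    name: str
    value: str


def parse_cookie_line(line: str) -> Optional[Cookie]:
    """Parse one cookies.txt line; returns None for blank or comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}: {line!r}")
    domain, subdomains, path, secure, expires, name, value = fields
    return Cookie(
        domain=domain.lstrip(".").lower(),
        include_subdomains=(subdomains.upper() == "TRUE"),
        path=path,
        secure=(secure.upper() == "TRUE"),
        expires=int(expires),
        name=name,
        value=value,
    )


def is_third_party(cookie: Cookie, visited_host: str) -> bool:
    """Third-party: the cookie's domain is neither the visited host nor a parent of it."""
    host = visited_host.lower()
    return not (host == cookie.domain or host.endswith("." + cookie.domain))


def is_persistent(cookie: Cookie) -> bool:
    return cookie.expires != 0


def expiry_utc(cookie: Cookie) -> Optional[datetime]:
    """Expiry as a UTC datetime, or None for a session cookie."""
    if not is_persistent(cookie):
        return None
    return datetime.fromtimestamp(cookie.expires, tz=timezone.utc)


# Constructed sample file. The first record is the slide's weather.com cookie;
# the tracker and the session cookie are made up for the demo.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "weather.com\tTRUE\t/\tFALSE\t1218399413\tLocID\t13669",
    ".adtracker.example\tTRUE\t/\tFALSE\t1893456000\tuid\tabc123",
    "www.weather.com\tFALSE\t/\tTRUE\t0\tsessid\txyz789",
])


def classify_cookies(cookies_txt: str, visited_host: str) -> List[Tuple[str, str, str]]:
    """Return (name, first-/third-party, session/persistent) for every cookie."""
    report = []
    for line in cookies_txt.splitlines():
        cookie = parse_cookie_line(line)
        if cookie is None:
            continue
        party = "third-party" if is_third_party(cookie, visited_host) else "first-party"
        lifetime = "persistent" if is_persistent(cookie) else "session"
        report.append((cookie.name, party, lifetime))
    return report


if __name__ == "__main__":
    for row in classify_cookies(SAMPLE_COOKIES_TXT, "www.weather.com"):
        print(row)
```

Run as-is it reports the slide's LocID cookie as a first-party persistent cookie (its expiry, 1218399413, is 10 August 2008 UTC), the constructed adtracker cookie as third-party, and the session cookie as one that disappears when the browser closes.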

Keylogger
• A software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use.
• Bad keyloggers will store information for later retrieval or spit the captured information to an email address or web page for later analysis.

Social Engineering
• Tricking a user into giving, or giving access to, sensitive information in order to bypass protection.

Social Engineering: pretexting
• Creating a scenario to persuade a target to release information, done over the phone.
• Often uses commonly available information like social security numbers or family names to gain access to further information.

Social engineering: phishing
• Creating a scenario to persuade a target to release information, done via email.
• Often uses commonly available information like social security numbers or family names to gain access to further information.

Social engineering: more
• Road apple: using an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity.
• Quid pro quo: targeting corporate employees as “tech support” until someone actually has a problem and “allows them to help.”

True or false? (four quiz slides)

Spam
• Junk email. An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages.
• You do not have to open an attachment to activate a threat.
• Webmail eliminates few threats.
• Threats that activate via merely opening the email are not disabled by using the email preview!

[Diagram: Internet services – World Wide Web, Email, Instant Messaging, Peer to Peer Sharing, Gaming]

Don’t use the Internet
• Are you really that isolationist?
• Other user profiles on your computer?
• Other computers connected to the Internet
• Other devices… Xbox, Playstation, Wii, Media Center Extenders, DVRs

Other connections
• Wireless local networks
• Bluetooth personal networks
• Removable storage: floppy, CDs, DVDs, USB memory key, flash memory
• Other connected devices: printers, digital cameras, video cameras

The first bug causing a computer error was found by Grace Hopper's team in 1945 using Harvard University's Mark II computer.

And the stakes get higher…
• Imagine the home of the future: a broadband Internet connection shared by computers, television / DVR, phone, security / heating / cooling, kitchen appliances, cell phone.
• Imagine hacker exploits: defrost your freezer, turn off the heat, trip / disable security, record “Boy Meets World” instead of “Desperate Housewives” and “24”!

What’s a guy or gal to do?

Firewall
• Software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication.
• Emerged in 1988.

Levels of protection
• Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices.
• Packet filters: very basic inspection of individual packets of inbound traffic for correct ports for basic services.
• Stateful filters: compare packets of traffic, and rules can change criteria of what is allowed.
• Application layer: deep packet inspection determines whether traffic is appropriate for a specific port.
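To make the difference between a packet filter and a stateful filter concrete, here is an added example (not part of the presentation, and not any product's code) that runs a short constructed packet trace through both: a stateless filter that judges each packet by static port rules, and a stateful one that only lets inbound packets through when they answer a connection the LAN opened. The IP addresses come from documentation ranges and the policy is made up for the demo.

```python
"""Stateless packet filter versus stateful filter on a constructed trace (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = from the LAN to the Internet, "in" = the reverse
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed policy for the stateless filter: the static holes it must leave
# open so basic services keep working (DNS replies, web traffic).
STATELESS_ALLOWED_INBOUND = {("udp", "sport", 53), ("tcp", "dport", 80)}


def stateless_filter(pkt: Packet) -> bool:
    """Each packet judged on its own: allowed if a static port rule matches."""
    if pkt.direction == "out":
        return True
    for proto, which, port in STATELESS_ALLOWED_INBOUND:
        port_seen = pkt.sport if which == "sport" else pkt.dport
        if pkt.proto == proto and port_seen == port:
            return True
    return False


class StatefulFilter:
    """Inbound packets pass only if they answer an outbound flow the filter
    has seen, or go to a service deliberately exposed."""

    def __init__(self, exposed_tcp_ports: Set[int]):
        self.flows: Set[Tuple[str, str, int, str, int]] = set()
        self.exposed = set(exposed_tcp_ports)

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A reply matches a recorded flow with source and destination swapped.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        return pkt.proto == "tcp" and pkt.dport in self.exposed


# Constructed trace: a LAN host sends a DNS query and gets the reply; then two
# unsolicited inbound packets arrive that merely use "service" port numbers.
TRACE = [
    Packet("out", "udp", "192.168.1.20", 50123, "198.51.100.53", 53),   # DNS query
    Packet("in",  "udp", "198.51.100.53", 53, "192.168.1.20", 50123),   # genuine reply
    Packet("in",  "udp", "203.0.113.9", 53, "192.168.1.20", 1434),       # unsolicited, source port 53
    Packet("in",  "tcp", "203.0.113.9", 40000, "192.168.1.20", 80),      # unsolicited, destination port 80
]


def run_trace(trace: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless decision, stateful decision) for every packet."""
    stateful = StatefulFilter(exposed_tcp_ports=set())  # home LAN: nothing exposed
    return [(stateless_filter(p), stateful.decide(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (stateless_ok, stateful_ok) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:>3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={'allow' if stateless_ok else 'drop'}"
              f"  stateful={'allow' if stateful_ok else 'drop'}")
```

Both filters pass the query and its reply, but the stateless filter also passes the two unsolicited packets because its static rules cannot tell a reply from anything else using the same port; the stateful filter drops them because no outbound flow matches. That is the property behind the slide's "recommend a router with stateful packet inspection".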

Protection: hardware firewall
• Recommend a router with stateful packet inspection.
• Jim’s picks: Linksys, Sonicwall

Protection: software firewall
• A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly.
• Software firewalls often disrupt internal networks.
• Jim’s “sorta” pick: ZoneAlarm

Protection: virus
• Most mature category of protection. Detection rate should be near perfect!
• How do anti-virus programs work? File fingerprinting, active scanning, heuristics, unusual hard drive activities.
• Protection can be run at the Internet service provider, the router, the server (if applicable) or the workstation – recommended.
• Must be updated!
• Jim’s picks: Norton Antivirus (home); Symantec Antivirus Corporate Edition or Small Business Edition (offices); AVG for older systems.
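Two of the techniques the slide lists, file fingerprinting and heuristics, are simple enough to demonstrate offline. The following added example is not the presentation's code and not any vendor's engine: it hashes every file in a directory and compares the hash against a signature list (the "fingerprint" approach, which is why definitions must be updated), and applies two toy heuristics to executables (no MZ header, double extension). The signature, the heuristics and all sample files are constructed for the demo.

```python
"""Signature (fingerprint) scanning plus simple heuristics (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed "malware" body and the one-entry signature database built from
# its hash. A real product ships millions of entries and updates them daily.
BAD_SAMPLE = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
SIGNATURES: Dict[str, str] = {hashlib.sha256(BAD_SAMPLE).hexdigest(): "Demo.Sample.A"}


def fingerprint(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def heuristic_flags(path: str) -> List[str]:
    """Toy heuristics for executables: a .exe that lacks the 'MZ' header every
    Windows executable starts with, and a double extension such as photo.jpg.exe."""
    name = os.path.basename(path).lower()
    flags = []
    if name.endswith(".exe"):
        with open(path, "rb") as f:
            head = f.read(2)
        if head != b"MZ":
            flags.append("executable extension but no MZ header")
        if name.count(".") > 1:
            flags.append("double extension")
    return flags


def scan_dir(root: str) -> Dict[str, List[str]]:
    """Return {file name: [detections]} for every file that triggers something."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            hits = []
            signature_name = SIGNATURES.get(fingerprint(path))
            if signature_name:
                hits.append("signature: " + signature_name)
            hits += ["heuristic: " + flag for flag in heuristic_flags(path)]
            if hits:
                results[fn] = hits
    return results


def make_sample_dir() -> str:
    """Write constructed files into a temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="avdemo_")
    files = {
        "notes.txt": b"quarterly numbers",                # harmless document
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 64,         # looks like a normal executable
        "sample.exe": BAD_SAMPLE,                          # matches the signature database
        "photo.jpg.exe": b"MZ" + b"\x00" * 16,             # disguised as an image
    }
    for fn, data in files.items():
        with open(os.path.join(d, fn), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, detections in scan_dir(make_sample_dir()).items():
        print(name, "->", "; ".join(detections))
```

Note what each technique misses: the fingerprint catches only the exact bytes it has seen before (change one byte and the hash differs, which is what polymorphic viruses exploit), while the heuristics catch the disguised file without ever having seen it but would also flag an odd but legitimate program. Real engines combine both and add the active, on-access scanning the slide mentions.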

Protection: spyware
• Fairly new application; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.”
• Detection rates are not nearly as accurate as virus detection.
• Anti-virus applications are now capable of replacing active scanning spyware applications.
• Spyware and virus scanners can fight, causing system freeze ups and instability.
• Jim’s picks: Webroot SpySweeper, Spyware Doctor, Spybot *, Adaware *
• * Not an active scanner

Protection: spam
• Spam filtering works by recognizing email addresses and domains commonly used for sending spam and by recognizing keywords in email, and moves such mail automatically to a “junk” folder.
• Can be done at the email server or the workstation. Success rates are very individual!
• Avoid spam – once your email address is a spam target, there is no eliminating it.
• Avoid posting your address on web pages.
• Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when working unknown or very public sites (e.g. Ebay, MySpace…).
• You have to look through your Junk email occasionally to find mis-labeled email!
• The more “public” your email address, the less you can filter without false positives.
• Jim’s thoughts: Outlook 2007 not bad; Andrew likes the new Thunderbird; several clients like Inboxer; several clients like Norton AntiSpam; several clients like their ISP’s filtering, but the user must check junk on the web site; dial up: ISP filtering.
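The filtering described on the spam slides (known spam addresses and domains, plus keywords, with matches moved to a junk folder) and the false-positive warning that follows can both be seen in one small filter. This added example is not the presentation's or any product's code; the rule lists and all six messages are constructed. The last message is a friend's reply that happens to contain a keyword, the mis-labeled mail the slide says you have to go looking for.

```python
"""Rule-based spam filter with a sender allowlist (added example)."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed rule lists (a real filter learns these or downloads them).
SPAM_ADDRESSES = {"offers@promo.example"}
SPAM_DOMAINS = {"bulkmailer.example"}
SPAM_KEYWORDS = ("free money", "act now", "you have won")
SAFE_SENDERS = {"statements@bank.example"}  # allowlist: never sent to junk


def message_text(msg: Message) -> str:
    """Subject plus every text/plain part, lower-cased for keyword matching."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts).lower()


def classify(raw_message: str) -> Tuple[str, str]:
    """Return ("inbox" or "junk", reason) for one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender in SAFE_SENDERS:
        return "inbox", "allowlisted sender"
    if sender in SPAM_ADDRESSES:
        return "junk", f"blocked address {sender}"
    if domain in SPAM_DOMAINS:
        return "junk", f"blocked domain {domain}"
    hits = [k for k in SPAM_KEYWORDS if k in message_text(msg)]
    if hits:
        return "junk", "keywords: " + ", ".join(hits)
    return "inbox", "no rule matched"


def sort_mailbox(raw_messages: List[str]) -> Dict[str, List[str]]:
    """Group message subjects by folder, the way a client moves mail to Junk."""
    folders: Dict[str, List[str]] = {"inbox": [], "junk": []}
    for raw in raw_messages:
        folder, _ = classify(raw)
        folders[folder].append(message_from_string(raw).get("Subject", ""))
    return folders


# Constructed messages.
SAMPLE_MESSAGES = [
    "From: Pat <pat@friend.example>\nSubject: Lunch Friday?\n\nStill on for noon?\n",
    "From: Offers <offers@promo.example>\nSubject: Special deal\n\nBuy today.\n",
    "From: News <news@bulkmailer.example>\nSubject: Newsletter\n\nThis month...\n",
    "From: Unknown <x@random.example>\nSubject: You have won!\n\nClaim your prize.\n",
    "From: Bank <statements@bank.example>\nSubject: Act now: statement ready\n\nLog in to view.\n",
    "From: Pat <pat@friend.example>\nSubject: Re: investing\n\nThere is no such thing as free money.\n",
]


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        folder, reason = classify(raw)
        print(f"{folder:5}  {message_from_string(raw)['Subject']!r:30}  {reason}")
```

The allowlist is checked first so the bank's "Act now" subject stays in the inbox, while Pat's "free money" remark lands in junk: a keyword rule cannot tell a sales pitch from a joke about one, which is why the more public an address is, the more aggressive filtering costs in false positives.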

Protection: Operating System updates
• Most updates are security patches, not functionality enhancements!
• I do not recommend using driver updates through Windows Updates!
• Get them only through Windows Updates!

Protection: Application updates
• Browsers, email applications, instant messaging applications, etc. all need security patches!

Application               Source of updates
AOL IM                    www.aim.com
Internet Explorer         Windows Updates
Microsoft Messenger       Windows Updates
Mozilla Firefox           www.mozilla.com (Help)
Opera                     www.opera.com (?)
Outlook Express           Windows Updates
Thunderbird email         www.mozilla.com (Help)
Windows Mail (Vista)      Windows Updates
Yahoo IM                  www.yahoo.com

Vulnerability: Internet
Vulnerability: World Wide Web
Vulnerability: Email
Vulnerability: Instant messaging
Vulnerability: Gaming
Vulnerability: Streaming
Vulnerability: P2P

Layers: onions, ogres & protection
                             Broadband      Dial up
Hardware firewall            Necessary      n/a
Software firewall            Maybe          Maybe
Virus protection             Necessary      Necessary
Spyware protection           Necessary      Necessary
Spam filtering               Recommended    Recommended
Operating system patches     Necessary      Necessary
Browser/email/IM/… patches   Necessary      Necessary

Protection purchasing
• Best of breed applications: best possible protection; probably less bloat.
• Security suite: probably play together better; better pricing; common interface.

Protection purchasing: suites
• Jim’s picks: Norton Internet Security, Norton 360
• PC Magazine Editor’s Choice: Norton 360, ZoneAlarm Internet Security Suite 7
• PC World: Norton Internet Security, McAfee Internet Security Suite

Selecting protection
Do:
• Read reviews from professional, neutral sources
• Make sure you can understand your subscription’s status
• Realize you generally get what you pay for
• Realize that bundled apps are often 30 or 90 day trials and often not installed
Don’t:
• Use advertising or blogs as your main source of information
• Use reviews from non-technical sources
• Run two software firewalls, two anti-virus or two active anti-spyware apps

Protection: Educate your users
• Do not open attachments from anyone you don’t know.
• Suspicious attachments from any known email address may be threats that spoof senders.
• Security measures are for their benefit; don’t subvert them.
• Don’t run ActiveX or Java from untrusted or unknown websites.
• Never click on suspicious ads or popups. Always click the Windows Close X when you can.
• Any connection can bring in threats… home computers logging in for remote work; office laptops connected in public Wi-Fi hotspots; removable storage.
• It is much easier to protect yourself than to get clean after an infection.
• Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem, use a different browser. Jim’s pick: Mozilla Firefox
• Fake Windows Updates

Procedure at C3
• Interview client. Possibly start system as is to see symptoms.
• Remove hard drive and connect to C3 testing systems. Prevents threats from going active; improves accuracy of scans for stealth, polymorphic and rootkits.
• Virus scan (Symantec Antivirus Corporate Edition)
• Spyware scan (Webroot Spysweeper)
• Hard drive test (Scandisk or Norton Disk Doctor)
• Clean temp files: Windows\Temp, Windows\Temporary Internet Files, User\Temp, User\Temporary Internet Files, possibly other locations
• Research infections
• Return hard drive to client’s system
• Probable: Safe mode startup and disable Windows System Restore
• Manual cleaning as needed while “disconnected”
• All Windows Updates
• Probable: installation of appropriate security package; all updates; full system scan
• Total time: 2 to 8 hours. Total technician time: 1 to 4 hours.

What can you do?
• Know that Windows cannot diagnose most problems.
• Know that repairing Windows requires a clean computer.
• Know when to say “Uncle!” based on your skill level.
• Know when to say “Uncle!” if a computer cannot be recovered and must be wiped.
• Backup, Backup, Backup.

Non-operating Windows
• Boot from the appropriate Windows CD and attempt a repair installation. Must match system: version, Home vs. Professional, Upgrade vs. Retail vs. OEM.
• Danger: infections may corrupt the system further. You may get “running” until the threat kicks in again and repeats its damage.
• Pros: desperation – you’re doing something.

Non-starting Windows
• Safe mode: press F8 (or hold Ctrl) prior to the Windows splash screen. Most threats are inactive in safe mode.
• Scan: manual updates? Virus scanner, spyware scanner. You may be able to download scanner updates manually on another computer and install them.
• Document, research, follow necessary instructions.
• Limit startups.
• Warning: more threats successfully hide themselves in safe mode.

Safe mode
• F8 during startup
• Most drivers and network not running
• Often, you must log on as administrator

Manual virus definition update
• Highly dependent on application manufacturer
• Expired subscription may not allow use of manual update

Limit startups
• Start > Run > Msconfig > Services and Startup tabs
• Turn off anything that you don’t recognize, especially “random” names. Google names.
• Restart

Operating Windows
• Backup
• Document!
• Virus scan: update installed app, online scanner, install new app
• Spyware scan (or 2): update installed app, online scanner, install new app
• Research infections
• Manual attack and tools: follow instructions! Take your time!
• All Windows Updates
• Install appropriate security; all updates; scan
• Scan your backup

Update virus scanner
• Particular to application
• Many threats will attempt to subvert the connection
• Subscription must be active.

Online scanners (virus & spyware)
• Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp
• Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
• Trend Micro: housecall.trendmicro.com/

I want a real antivirus – now!
• Many vendors have demo downloads. E.g. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package.
• Delete – don’t quarantine. When macro viruses were the rage, quarantine was a method to recover infected documents.

My antivirus isn’t playing!
• Try updating.
• Attempt a repair installation.
• If you bought your security online, via download – copy it to CD for semi-permanent archival!
• Realize all security applications “get old.” Uninstall and reinstall. Need RAM?

Research infections
• Symantec Threat Explorer: www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp
• Google: www.google.com
• Scumware: http://scumware.com/

Disable System Restore
• Right-click My Computer > Properties > System Restore tab > check “Turn off System Restore” > OK

Registry Editor
• Start > Run > Regedit > OK
• Procedure: Backup! Navigate. Nuking the bad guys.

Removal tools
• CWShredder: www.cwshredder.net
• Major Geeks: www.majorgeeks.com/downloads16.html

System cleaning
• Eliminate temporary files: Start > All Programs > Accessories > System Tools > Disk Cleanup
• Defragment your hard drive: Start > All Programs > Accessories > System Tools > Disk Defragmenter

System cleanup
• Internet Explorer automatically clearing cache: Internet Explorer > Tools > Internet Options… > Advanced tab > Security section > check “Empty Temporary Internet Files when browser is closed”

Know when…
• You’re… over your head; wasting your time
• Your… last backup was made; system and application CDs are; Windows is toast

Worthwhile freebies
• Virus scanners: AVG – www.grisoft.com; Avast – www.avast.com
• Spyware scanners: Spybot Search and Destroy – www.safer-networking.org/en/index.html
• Discovery tools: Hijack This – www.merijn.org

Web privacy
• Google is not the problem. Google is just one way to find this kind of data.
• Blocking this data on Google will not block other search engines.
• All of this is in the phone book, and then I can go to any mapping application.

Email Hijack
From: xxxxx xxxxxxxxx [email protected]
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM

Good Morning Jim: I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CC’d who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending to herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM, and can someone access confidential information that is being sent via email and send it to people in our contact list?

Xxxxx xxxxx, Administrative Assistant, Xxxxxxxxx Coordinator, Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.

Email Hijack
• Not hijacked – spoofed!
• Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was: your computer or server; your email server; the recipient’s email host; the recipient’s computer or server.

Email Spoofing application
• It peruses my email and randomly grabs xyz’s message
• Makes a copy
• Probably alters the message somewhat
• Attaches the virus or whatever its “payload” is
• Reuses all original email addresses in the To, CC and BCC
• Maybe adds some more addresses
• Maybe randomly generates more email addresses
• And starts sending itself out
• XYZ may get a copy of her message back…
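The slide's point is that the message "from" Anita was spoofed rather than sent from her account, and a mail administrator can usually tell the two apart from the headers of the copy that arrived. This added example is not part of the presentation: it applies two checks to constructed messages. First, it trusts only the Received header written by our own mail server and asks whether that server accepted the message from an internal address or from an outside one, since a spoofer cannot forge what our server records about the connection it received. Second, it compares the bounce address (Return-Path) with the From domain. The company domain, host names, networks and both messages are assumptions made up for the demo.

```python
"""Header checks that separate a spoofed message from a hijacked account (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "company.example"                                   # constructed
OUR_MAIL_HOSTS = {"mail.company.example"}                        # constructed: our receiving server(s)
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]            # constructed: where our users connect from

# "from <helo name> (<reverse name> [<ip>]) ... by <server>" as servers write it.
HOP = re.compile(
    r"from\s+(?P<helo>[^\s(]+)(?:[^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\])?.*?\bby\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE | re.DOTALL,
)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OUR_NETWORKS)


def entry_point(received_headers: List[str]) -> str:
    """IP address our own server accepted the message from, or "" if unknown.
    Servers prepend Received headers, so the last header is the earliest hop;
    only the hop recorded by one of our servers is trusted, anything earlier
    could have been forged by the sender."""
    for header in reversed(received_headers):
        m = HOP.search(header)
        if m and m.group("by").lower() in OUR_MAIL_HOSTS:
            return m.group("ip") or ""
    return ""


def spoof_indicators(raw_message: str) -> List[str]:
    """Return human-readable reasons the message looks spoofed (empty = none found)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    if domain_of(from_addr) == OUR_DOMAIN:
        ip = entry_point(msg.get_all("Received", []))
        if ip and not is_internal(ip):
            findings.append(f"From claims {OUR_DOMAIN} but our server accepted the message from external address {ip}")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(from_addr)}")
    return findings


# Constructed copy of a spoofed message: an old message of a user's, re-sent by
# an outside host, as the "Email Spoofing application" slide describes.
SPOOFED_MESSAGE = "\n".join([
    "Return-Path: <bounce-17@bulkmailer.example>",
    "Received: from relay.bulkmailer.example (relay.bulkmailer.example [203.0.113.25])",
    "\tby mail.company.example with ESMTP; Mon, 11 Jun 2007 10:44:02 -0400",
    "Received: from dsl-77.isp.example ([203.0.113.77])",
    "\tby relay.bulkmailer.example; Mon, 11 Jun 2007 10:43:50 -0400",
    "From: A. User <user@company.example>",
    "To: jim@company.example",
    "Subject: Re: meeting notes",
    "",
    "(copy of a six-month-old message, with an attachment added)",
    "",
])

# Constructed genuine message sent from an internal workstation.
GENUINE_MESSAGE = "\n".join([
    "Return-Path: <user@company.example>",
    "Received: from workstation-12.company.example (workstation-12.company.example [192.0.2.45])",
    "\tby mail.company.example with ESMTP; Mon, 11 Jun 2007 09:00:00 -0400",
    "From: A. User <user@company.example>",
    "To: jim@company.example",
    "Subject: meeting notes",
    "",
    "See attached.",
    "",
])


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, "->", spoof_indicators(raw) or ["no indicators"])
```

When the checks fire, the account was not necessarily broken into: the sender's name and address were copied, which matches the slide's "not hijacked – spoofed!" diagnosis. The converse does not hold: a message that enters through our own server from an internal address could still come from an infected internal machine, so a clean result only rules out the outside-relay case.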

Urban myths

www.av-test.org
www.icsalab.com
www.virusbtn.com
www.pcmag.com
http://www.pcmag.com/category2/0,1874,4829,00.asp
www.pcworld.com
http://www.pcworld.com/tc/spyware/
www.geeksonwheels.com
www.pcmag.com/encyclopedia/
www.snopes.com
www.sunbelt-software.com
http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
www.webroot.com
www.wikipedia.org