Security. Frank H. Vianzon, Community College of Aurora

9.0 security (2)


These are the slides for my CompTIA A+ class


Page 1: 9.0 security (2)

Security

Frank H. Vianzon

Community College of Aurora

Page 2: 9.0 security (2)

Virus

• A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics:
– A virus requires a replication mechanism, which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities, such as those with .doc, .exe, and .bat extensions. Many viruses are distributed via e-mail and are sent to everyone in your address book.

• The virus only replicates when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated.

• The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.

• Originally some viruses were created for nuisance

Page 3: 9.0 security (2)

*Windows Virus

• Win32/Conficker
– This virus is a network worm and exploits the RPC sub-system vulnerability present in the Microsoft Windows operating system, allowing an attacker to remotely attack a computer without valid user credentials. Win32/Conficker infects the computer using unsecured folders, removable media, or by making use of the Autorun facility enabled by default in Windows. This threat contacts other domain names to download additional malicious code.

• Win32/PSW.OnlineGames
• Win32/Agent
• Win32/FlyStudio
• INF/Conficker
• INF/Autorun
• Win32/Pacex.Gen
• WMA/TrojanDownloader.GetCodec
• Win32/Qhost

http://www.techonzo.com/2010/03/9-computer-viruses-you-should-be-aware-about/

Page 4: 9.0 security (2)

*How to detect

• Virus scans
– Trend Micro
– Norton
– McAfee

• Keep them updated? – Daily? – Every 4 hours?

• Look for processes – Task Manager

• Look for connections – netstat

Common symptoms of malware on your system include:
• The browser home page or default search page has changed.
• Excessive pop-ups or strange messages being displayed.
• Firewall alerts about programs trying to access the Internet.
• System errors about corrupt or missing files.
• File extension associations have changed to open files with a different program.
• Files that disappear, are renamed, or are corrupt.
• New icons appear on the desktop or taskbar, or new toolbars show in the browser.
• The firewall or antivirus software is turned off, or you can't run antivirus scans.
• The system won't boot.
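The "look for connections" step above, worked as an added example that is not part of the original slides: a small Python parser for `netstat -ano` style output that joins each row to its process name (as `tasklist` would report it) and flags ESTABLISHED connections to non-local addresses from processes that are not expected to talk to the Internet. The sample output, the PID-to-process map and the allowlist are all constructed; the private ranges are RFC 1918 plus loopback, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.45:443       ESTABLISHED     3316
  TCP    192.168.1.20:49822     198.51.100.7:6667      ESTABLISHED     5120
  UDP    0.0.0.0:5355           *:*                                    1304
"""
# Constructed PID -> image name map, as `tasklist` would report it.
PROCESSES = {912: "svchost.exe", 4: "System", 3316: "chrome.exe",
             5120: "svchost.exe", 1304: "svchost.exe"}
# Processes this workstation is expected to let out to the Internet (local policy).
INTERNET_ALLOWED = {"chrome.exe", "outlook.exe"}

# Address space we treat as "inside": RFC 1918, loopback and the unspecified block.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        if parts[0] == "TCP":
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        else:
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows

def is_external(addr_port: str) -> bool:
    """True if the remote side is an IPv4 address outside LOCAL_NETS ('*' is never external)."""
    host = addr_port.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)

def suspicious_connections(text, processes, allowed):
    """Established external connections owned by processes not on the allowlist."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(text):
        name = processes.get(pid, "?")
        if state == "ESTABLISHED" and is_external(remote) and name not in allowed:
            findings.append((pid, name, remote))
    return findings
```

A hit such as svchost.exe holding a connection to port 6667 (IRC) is the kind of row worth chasing with Task Manager or a process explorer, which is the point of the slide's "look for connections" step.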

Page 5: 9.0 security (2)

Some malicious software can hide itself such that there might not be any obvious signs of its presence. Other symptoms of an infection include:
• Slow Internet access.
• Excessive network traffic, or traffic during times when no activity should be occurring.
• Excessive CPU or disk activity.
• Low system memory.
• An unusually high volume of outgoing e-mail, or e-mail sent during off hours.

Page 6: 9.0 security (2)

Additional Countermeasures

• Install anti-virus scanning software on e-mail servers. Attachments are scanned before e-mail is delivered. You can also block all attachments to prevent any unwanted software, but this can also block needed attachments as well.

• Implement spam filters and real-time blacklists. When implementing filters, be sure not to make the filters too broad, otherwise legitimate e-mails will be rejected.

• Train users to use caution when downloading software or responding to e-mail.

• Train users to update the virus definition files frequently and to scan removable storage devices before copying files.

• Disable scripts when previewing or viewing e-mail.

• Implement software policies that prevent downloading software from the Internet.

Page 7: 9.0 security (2)

Additional Countermeasures

• Keep your operating system files up to date; apply security-related hotfixes as they are released.

• In highly-secured areas, remove removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system.

• Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to change the qualities of files that are normally deemed harmless. For example, adding the extension .TXT.EXE to a file will make the file appear as a text file in an attachment, when in reality it is an executable.

• Train users about the dangers of downloading software and the importance of anti-malware protections. Teach users to scan files before running them, and make sure they keep the virus protection definition files up to date.
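The double-extension trick described above (a .TXT.EXE attachment that displays as a text file when Windows hides known extensions), turned into a mail-gateway check as an added example that is not part of the original slides. Only the final extension decides how the shell opens a file, so the function compares what the user would see against what would actually run; the extension sets and the attachment names are constructed, and the `rstrip()` also catches names padded with spaces to push the real extension out of view.

```python
import os

# Illustrative subsets: what Windows runs on double-click vs. what users read as harmless.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".xls", ".zip"}

def real_extension(filename: str) -> str:
    """The final extension: the only one the shell uses to decide how to open the file."""
    return os.path.splitext(filename)[1].lower()

def visible_extension(filename: str) -> str:
    """What a user sees with 'Hide extensions for known file types' on: the real extension
    is hidden, so whatever precedes it ('.txt' in 'notes.txt.exe') is what gets displayed.
    Trailing spaces are stripped so 'photo.jpg     .scr' is treated the same way."""
    stem = os.path.splitext(filename)[0]
    return os.path.splitext(stem.rstrip())[1].lower()

def is_deceptive(filename: str) -> bool:
    """True when the visible extension is a document type but the real one is executable."""
    return (real_extension(filename) in EXECUTABLE_EXTS
            and visible_extension(filename) in DOCUMENT_EXTS)

def triage(names):
    """Return (blocked, allowed, disguised): block every executable attachment outright,
    and additionally report which blocked names used the double-extension disguise."""
    blocked = [n for n in names if real_extension(n) in EXECUTABLE_EXTS]
    allowed = [n for n in names if n not in blocked]
    disguised = [n for n in blocked if is_deceptive(n)]
    return blocked, allowed, disguised

# Constructed attachment names for the demonstration (not taken from the slides).
SAMPLE = ["report.txt.exe", "invoice.pdf", "photo.jpg   .scr", "setup.exe", "notes.txt"]

if __name__ == "__main__":
    blocked, allowed, disguised = triage(SAMPLE)
    print("blocked  :", blocked)
    print("allowed  :", allowed)
    print("disguised:", disguised)
```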

Page 8: 9.0 security (2)

Additional Countermeasures

• Network Access Control (NAC) is a network-based solution that prevents unprotected computers from connecting to the network. With NAC:
– Computers must meet certain health requirements before they are allowed to connect to the network. These requirements might include having the latest security patches installed, having antivirus software, or having completed a recent antivirus scan.
– Computers that meet the health requirements are given access to the network; computers that do not pass the health checks are denied full access.
– Remediation for unhealthy computers provides resources to fix the problem. For example, the computer might be given limited network access in order to download and install the required antivirus software.

• Network Access Protection (NAP) is Microsoft's implementation of NAC.

Page 9: 9.0 security (2)

Spyware

Spyware is software that is installed without the user's consent or knowledge, designed to intercept or take partial control over the user's interaction with the computer. Spyware:
• Is installed on your machine by visiting a particular Web page or running a particular application.
• Can interfere with user control of the computer, such as installing additional software, changing computer settings, and redirecting Web browser activity.
– Ever run a Google search and found you cannot go back?

Page 10: 9.0 security (2)

Spyware

• Collects various types of personal information, such as Internet surfing habits and passwords, and sends the information back to its originating source.

• Cookies are text files that are stored on a computer to save information about your preferences, browser settings, and Web page preferences.

• Cookies are often used for legitimate purposes on e-commerce sites, but can be read or used for malicious purposes by spyware and other software.

• Uses tracking cookies to collect and report a user's activities.

Page 11: 9.0 security (2)

Grayware

• Grayware is software that might offer a legitimate service, but which also includes features that you aren't aware of or features that could be used for malicious purposes. Grayware is often installed with the user's permission, but without the user fully understanding what they are adding.

• Features included with grayware might be identified in the end user license agreement (EULA), or the features could be hidden or undocumented. The main objection to grayware is that the end user cannot easily tell what the application does or what was added with the application.

Page 12: 9.0 security (2)

Remediation

• Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take). Possible actions in response to problems are:

• Repair the infection. Repair is possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible).

• Quarantine the file. Quarantine moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time.

• Delete the file. You should delete files that are malicious files such as worms, Trojan horse programs, or spyware or adware programs. In addition, you should periodically review the quarantine folder and delete any files you do not want to recover.

• *System Restore?
• *Format and Recover!

Page 13: 9.0 security (2)

Spam

• Spam is unwanted and unsolicited e-mail sent to many recipients. Spam:
• Can be benign, such as e-mails trying to sell products.
• Can be malicious, containing phishing scams or malware as attachments.
• Wastes bandwidth and could fill the inbox, resulting in a denial of service condition where users can no longer receive e-mails.

Page 14: 9.0 security (2)

• Dumpster Diving
• Shoulder Surfing
• Piggybacking
• Eavesdropping
• Masquerading

• Phishing – where do you see phishing now?

Page 15: 9.0 security (2)

Countermeasures
• Train employees to demand proof of identity over the phone and in person.
• Define values for types of information, such as dial-in numbers, user names, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained.
• If someone requests privileged information, have employees find out why they want it and whether they are authorized to obtain it.
• Verify information contained in e-mails and use bookmarked links instead of links in e-mails to go to company Web sites.
• Dispose of sensitive documents securely, such as shredding or incinerating.
• Dispose of disks and devices securely by shredding floppy disks or overwriting disks with all 1's, all 0's, then all random characters.
• Verify information from suspicious e-mails by visiting two or more well-known malicious code threat management Web sites. These sites can be your antivirus vendor or a well-known and well-regarded Internet security watch group.

Page 16: 9.0 security (2)

Phishing

• Phishing uses an e-mail and a spoofed Web site to gain sensitive information. In a phishing attack:
• A fraudulent message that appears to be legitimate is sent to a target.

• The message requests the target to visit a Web site which also appears to be legitimate.

• The fraudulent Web site requests the victim to provide sensitive information such as the account number and password.

Page 17: 9.0 security (2)
Page 18: 9.0 security (2)

Phishing with Hoax Virus

• Hoax virus information e-mails are a form of phishing attack. This type of attack preys on e-mail recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.

Page 19: 9.0 security (2)

*Phishing with Text

• New scam involving text messages

• Call the bank because your card has been cancelled

Page 20: 9.0 security (2)

*Spear Phishing

• Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.

• Facebook
• LinkedIn
• eBay/PayPal
• Click here to see your grade
• Other social media

So why have a Facebook at all?

Page 21: 9.0 security (2)

*Spear Phishing

Depends on three things:
1. The apparent source must appear to be a known and trusted individual,
2. there is information within the message that supports its validity, and
3. the request the individual makes seems to have a logical basis.

Combine with Social Engineering

Page 22: 9.0 security (2)

Countermeasures

The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. Specific countermeasures include:
• Train employees to demand proof of identity over the phone and in person.
• Define values for types of information, such as dial-in numbers, user names, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained.

• If someone requests privileged information, have employees find out why they want it and whether they are authorized to obtain it.

• Verify information contained in e-mails and use bookmarked links instead of links in e-mails to go to company Web sites.

Page 23: 9.0 security (2)

Countermeasures

• Dispose of sensitive documents securely, such as shredding or incinerating.

• Dispose of disks and devices securely by shredding floppy disks or overwriting disks with all 1's, all 0's, then all random characters.

• Verify information from suspicious e-mails by visiting two or more well-known malicious code threat management Web sites. These sites can be your antivirus vendor or a well-known and well-regarded Internet security watch group.

Page 24: 9.0 security (2)

BIOS Security

BIOS Passwords

Chassis Intrusion Detection

Hard Disk Password

TPM

Page 25: 9.0 security (2)

Hard Disk Password

• Some portable computers allow you to set a password on a hard disk. When set, the password must be given at system startup or the disk cannot be used.

• Hard disk passwords are part of the ATA specifications so they are not dependent upon a specific disk manufacturer.

• There are two different passwords: user and master.
• Set the password(s) by using the CMOS program. Some programs do not allow you to set a password, only let you set the user password, or let you set both a user and a master password.
• Passwords are saved on the hard disk.
• You cannot read the passwords from the disk.
• You cannot move the drive to another system to access the disk without the password (the password moves with the disk).

• You cannot format the disk to remove the passwords.

Page 26: 9.0 security (2)

Hard Disk Password

• If you forget the user password, use the master password to access the drive. If you do not know either password, you cannot access any data on the drive.

• Most drives allow a limited number of incorrect password attempts. After that, you must restart the system to try entering additional passwords. You can try as long as you want, but constantly restarting the system makes guessing the password a tedious job.

• Drives might ship with a default master password. However, these passwords (if they exist) are not publicly available and cannot be obtained from disk manufacturers.

• Setting a hard disk password is sometimes referred to as locking the hard disk.

Page 27: 9.0 security (2)

Trusted Platform Module (TPM)

• A TPM is a special chip on the motherboard that generates and stores cryptographic keys. Use the CMOS program to initialize the TPM.

• During initialization, you set a TPM owner password. The TPM password is required to manage TPM settings.

• The TPM includes a unique key on the chip that can be used for hardware system identification.

• The TPM can generate a cryptographic key or hash based on the hardware in the system, and use this key value to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed.

• The TPM can be used by applications to generate and save keys that are used with encryption.

Page 28: 9.0 security (2)

Trusted Platform Module (TPM)

• *Protects encrypted keys

• *Together with the BIOS, the TPM forms a Root of Trust: the TPM contains several PCRs (Platform Configuration Registers) that allow secure storage and reporting of security-relevant metrics. These metrics can be used to detect changes from previous configurations and to derive decisions on how to proceed. A good example can be found in Microsoft's BitLocker Drive Encryption (see below).

• *Therefore the BIOS and the operating system have the primary responsibility to utilize the TPM to assure platform integrity. Only then can applications and users running on that platform rely on its security characteristics, such as secure I/O ("what you see is what you get"), uncompromised keyboard entries, and memory and storage operations.
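The PCR mechanism the two TPM slides describe, and the "prevent the system from booting if the hardware has changed" decision that BitLocker builds on it, simulated in Python as an added example that is not part of the original slides. A PCR cannot be written, only extended (new value = hash of old value concatenated with the new measurement), so the final register value commits to every boot stage and to their order; a secret sealed to that value is released only when an identical sequence is measured again. The boot-stage strings, the volume key and the `seal`/`try_boot` helpers are constructed for illustration; SHA-256 is used as in a TPM 2.0 SHA-256 bank (TPM 1.2 used SHA-1 with 20-byte PCRs).

```python
import hashlib

def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measured)). Extend-only semantics mean
    no later stage can overwrite what an earlier one recorded."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()

def boot_pcr(stages) -> bytes:
    """A PCR starts at all zeros at reset and is extended once per measured boot stage."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr

def seal(expected_pcr: bytes, secret: bytes):
    """Simulated sealing, as BitLocker does with its volume key: the secret is handed
    back only when the PCR presented at unseal time equals the value it was sealed to."""
    def unseal(current_pcr: bytes):
        return secret if current_pcr == expected_pcr else None
    return unseal

# Constructed stand-ins for firmware measurements (a real TPM hashes the actual code bytes).
GOOD_BOOT = [b"BIOS build 1.2.3", b"NIC option ROM", b"bootloader v5",
             b"boot config: secure boot on"]
TAMPERED_BOOT = [b"BIOS build 1.2.3", b"NIC option ROM", b"bootloader v5 (patched)",
                 b"boot config: secure boot on"]
VOLUME_KEY = b"constructed-volume-master-key"

# Seal the key against the PCR value produced by the known-good boot sequence.
_unseal = seal(boot_pcr(GOOD_BOOT), VOLUME_KEY)

def try_boot(stages):
    """Return the volume key if this boot measures identically to the sealed one, else None."""
    return _unseal(boot_pcr(stages))

if __name__ == "__main__":
    print("good boot unlocks   :", try_boot(GOOD_BOOT) is not None)      # True
    print("tampered boot unlocks:", try_boot(TAMPERED_BOOT) is not None)  # False
```

The same machinery is why reordering the stages, not just altering one, also produces a different PCR value and therefore no key.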