Jim CrowleyC3 – Crowley Computer Consulting
Apologies
This is long haired, geeky stuff. This is long and boring. This is version 1.
The analogies between safe sex and safe computing cannot be ignored.
It is getting very difficult to protect older systems: they are too slow and have too little memory for security programs, and there are no new patches for anything older than Windows 2000.
This is meant to scare the *#$^ out of you.
Various services run over the Internet: World Wide Web, email, instant messaging, peer to peer sharing, Voice over IP phones, gaming, Gopher, audio streaming, video streaming.
The Internet was designed for enhancement. It was not designed for this level of complexity. E.g. the easiest way to prevent spam is to authenticate the sender; email has no method to do this.
E.g. World Wide Web: HTML, XML, Java, JavaScript, Flash, Perl, ColdFusion, VBScript, .Net, ActiveX, SHTML, and more!!!
E.g. instant messaging: AOL, Google, ICQ, Microsoft, Yahoo, and more!!!
[Diagram: World Wide Web, email, instant messaging, peer to peer sharing, video streaming, gaming, Voice over IP phones, Gopher, audio streaming]
…it was hard and relatively expensive to “get online.”
…it was slow. Do you remember 300 bps and 1200 bps modems?
…the web didn’t exist! Do you remember CompuServe and Prodigy and AOL?
…it was geeky! Users were hobbyists and it was all very 60s.
Exploits were confined to bugging your buddy and showing off!
Now…
Everyone is online! Over 50% of users in the USA are on broadband.
Exploits are dirty rotten @#*!!! Money making schemes and ripping off grandma. Organized crime.
Viruses, worms, Trojan horses, spyware, spam, phishing.
All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus. All of these ride the Internet services you invite in!
Different companies and organizations will group attacks differently and will name attacks differently.
Malware: software designed to infiltrate or damage a computer system without the owner’s informed consent.
Originally harmless pranks or political messages, malware has now evolved into a profit maker.
Includes viruses, worms and Trojan horses.
Virus: a program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload.
First appeared: 1972.
Virus: in the days of yore…
Who: the typical author was young, smart and male.
Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There was no financial gain in writing viruses.
Now…
Who: professional coders or programmers using “kits”.
Why: financial gain by email delivery payments, renting of botnets, extortion… Often supported by mafia and black marketers.
Virus structure
Replication: viruses must propagate themselves.
Payload: the malicious activity a virus performs when triggered.
Payload trigger: the date, counter or circumstances present when a virus payload goes off.
Payload examples: nothing (just being annoying), displaying messages, launching a DDoS attack, erasing files randomly, by type or by usage, formatting the hard drive, overwriting the mainboard BIOS, sending email, exposing private information.
Trigger examples: a date, Internet access, the number of emails sent.
Boot sector virus: infects the first sector of a hard drive or disk. On a hard drive the first sector contains the MBR, or master boot record.
File infector virus: attaches itself to a file on the computer and is executed when that application is opened.
Multipartite virus: combines properties of boot sector and file infector viruses.
Macro virus: a virus written in a script or macro language such as Microsoft Office’s VBA; it executes when a document containing the virus is opened.
Memory resident virus: a virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.
Stealth virus: a virus that actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.
Polymorphic virus: a virus that alters its signature or footprint (typically by re-encrypting its body with a new key on each infection) to avoid detection.
Metamorphic virus: a virus that rewrites its code each time a new executable is created. Usually very large.
Malware: Worm. A self-replicating computer program that uses networks to copy itself to other computers without user intervention. Worms often lack a payload of their own but drop in backdoor programs. First appeared: 1978.
Malware: Trojan. A destructive program that masquerades as a benign application; it requires a user to execute it.
• A variety of payloads are possible, but often they are used to install backdoor programs.
• Generally, Trojans do not replicate.
• First appeared: 1983.
Spyware: an application installed, usually without the user’s knowledge, that intercepts or takes partial control of the computer for the author’s personal gain.
Estimates run as high as 90% of Internet connected computers being infected with spyware.
Unlike a virus, spyware does not self-replicate.
Spyware: symptoms. Sluggish PC performance; an increase in pop-up ads; mysterious new toolbars you can’t delete; unexplained changes to homepage settings; puzzling search results; frequent computer crashes.
Spyware: a loaded system
Spyware: rogue help
Antivirus Gold family: Adware Delete, SpyAxe, Antivirus Gold, SpywareStrike.
PS Guard family: Security Iguard, Winhound, PSGuard.
SpywareNO! family: SpyDemmolisher, SpySheriff, SpyTrooper, SpywareNO!.
Also: Raze Spyware, RegFreeze, WinAntiSpyware 2005, WorldAntiSpy.
Spyware: rogue help. This morning…
Spyware: Adware. Any software package which automatically plays, displays or downloads advertising material to a computer.
Not necessarily “spyware”, depending on your definitions.
Many “free” applications install adware, creating a source of income.
Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp
Spyware: Backdoors. Backdoor = remote access: a method of bypassing normal authentication, or of securing remote access, while remaining hidden from casual inspection.
May be an installed program (e.g. Back Orifice) or a modification of an existing application (e.g. an attacker quietly enabling Windows’ Remote Desktop).
Spyware: Browser hijacker. Alters your home page and may redirect other requested pages, often away from helpful sites. Generally adds advertising, porn, bookmarks or pay-per-surf web sites.
Spyware: Dialers. A program that uses a computer’s modem to dial out to a toll number or Internet site: 900 numbers, phone system flood attacks. Can rack up huge phone bills! Often dialing international numbers in the Caribbean.
Spyware: Downloaders. An application designed to download and possibly install another application. Sometimes they receive instructions from a web site or another trigger. Also a typical form of Trojan.
Spyware: Rootkits. A type of Trojan that hides an attacker’s presence at the lowest level of the computer, the root (kernel) level, while preserving their access. Removing rootkits can be very difficult to impossible. Microsoft’s recommendation for removing rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option.
Rootkits have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.
Spyware: Scrapers. Extract data from output to the screen or printer rather than from files or databases that may be secured. Legitimate and illegitimate applications. Temp files are often a great source of information!
Spyware: Tracking cookies. A small amount of data sent back to the requesting website by your browser. Cookies may be temporary or persistent, first or third party.
Cookies are not bad and make browsing life better!
Third party cookies are used to track surfing habits and you may want to disable them.
Example line from a browser’s cookies.txt: weather.com TRUE / FALSE 1218399413 LocID 13669
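The sample line above is in the Netscape cookies.txt format that browsers of this era kept on disk. The following parser is an added example, not part of the original presentation: it reads such lines and marks each cookie as session or persistent and as first or third party relative to the site being visited. The entries other than the slide’s own weather.com line are constructed sample data.

```python
# Added example (not from the original slides): parse the Netscape
# cookies.txt format and classify cookies. Sample entries other than the
# slide's weather.com line are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool   # the TRUE/FALSE flag after the domain
    path: str
    secure: bool               # only sent over HTTPS
    expires: int               # Unix time; 0 = session cookie (gone when the browser closes)
    name: str
    value: str

    @property
    def persistent(self) -> bool:
        return self.expires > 0

    def expires_at(self) -> Optional[datetime]:
        return datetime.fromtimestamp(self.expires, tz=timezone.utc) if self.persistent else None


def parse_cookies_txt(text: str) -> List[Cookie]:
    cookies: List[Cookie] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Seven fields; real files are tab separated, the slide's copy uses spaces.
        fields = line.split("\t") if "\t" in line else line.split(None, 6)
        if len(fields) != 7:
            raise ValueError(f"malformed cookie line: {raw!r}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag.upper() == "TRUE", path,
                              secure.upper() == "TRUE", int(expires), name, value))
    return cookies


def is_first_party(cookie: Cookie, visited_host: str) -> bool:
    """A cookie is first party if its domain is the visited host or a parent of it."""
    dom = cookie.domain.lstrip(".").lower()
    host = visited_host.lower()
    return host == dom or host.endswith("." + dom)


def third_party_cookies(cookies: List[Cookie], visited_host: str) -> List[Cookie]:
    return [c for c in cookies if not is_first_party(c, visited_host)]


SAMPLE_COOKIES_TXT = (
    "# constructed sample; the first entry is the slide's own line\n"
    "weather.com\tTRUE\t/\tFALSE\t1218399413\tLocID\t13669\n"
    ".doubleclick.example\tTRUE\t/\tFALSE\t1250000000\tid\tabc123\n"
    "www.weather.com\tFALSE\t/\tTRUE\t0\tsession\tdeadbeef\n"
)

if __name__ == "__main__":
    cookies = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for c in cookies:
        kind = "persistent until " + str(c.expires_at()) if c.persistent else "session"
        party = "1st" if is_first_party(c, "www.weather.com") else "3rd"
        print(f"{c.domain:24s} {c.name:8s} {party} party, {kind}")
```

Run against a real cookies.txt, the third-party list is the set a privacy-conscious user would block; the slide’s weather.com cookie is a harmless persistent first-party preference that expires in August 2008.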
Keylogger: a software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use. Bad keyloggers will store the information for later retrieval or send the captured information to an email address or web page for later analysis.
Social engineering: tricking a user into giving out sensitive information, or giving access to it, in order to bypass protection.
Social engineering: pretexting. Creating a scenario to persuade a target to release information, done over the phone. Often uses commonly available information like Social Security numbers or family names to gain access to further information.
Social engineering: phishing. Creating a scenario to persuade a target to release information, done via email. Often uses commonly available information like Social Security numbers or family names to gain access to further information.
Social engineering: more. Road apple: leaving an infected floppy, CD or USB memory key in a location where someone is bound to find it and check it through simple curiosity. Quid pro quo: calling corporate employees as “tech support” until someone actually has a problem and “allows them to help.”
True or false? [four quiz slides; their examples are not reproduced in the transcript]
Spam: junk email. An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages.
You do not have to open an attachment to activate a threat.
Webmail eliminates few threats.
Spam: threats that activate on merely opening the email are not disabled by using the email preview pane!
[Diagram: World Wide Web, email, instant messaging, peer to peer sharing, gaming]
Don’t use the Internet? Are you really that isolationist? Other user profiles on your computer? Other computers connected to the Internet? Other devices: Xbox, PlayStation, Wii, Media Center Extenders, DVRs.
Other connections: wireless local networks, Bluetooth personal networks. Removable storage: floppy, CDs, DVDs, USB memory key, flash memory. Other connected devices: printers, digital cameras, video cameras.
The first actual computer “bug”, a moth causing an error in Harvard University’s Mark II computer, was found by Grace Hopper’s team in 1947.
And the stakes get higher… Imagine the home of the future: a broadband Internet connection shared by computers, television / DVR, phone, security / heating / cooling, kitchen appliances, cell phone.
Imagine hacker exploits: defrost your freezer, turn off the heat, trip / disable security, record “Boy Meets World” instead of “Desperate Housewives” and “24”!
What’s a guy or gal to do?
Firewall: software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication. Emerged in 1988.
Levels of protection
Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices. (NAT hides hosts as a side effect; it is not a filter by itself.)
Packet filters: very basic inspection of individual packets of inbound traffic for the correct ports for basic services.
Stateful filters: track the connections your network opens, so the rules can admit replies to traffic the inside started while rejecting unsolicited inbound packets.
Application layer: deep packet inspection determines whether the traffic is appropriate for a specific port.
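To make the packet filter versus stateful filter distinction concrete, here is an added simulation (example code, not from the original slides): a stateless filter has to trust the source port to let web replies back in, and an attacker exploits exactly that field, while the stateful filter only admits replies to connections the LAN itself opened. The LAN prefix, hosts, ports and traffic trace are assumptions made up for the demo.

```python
# Added example (not from the original slides): stateless packet filter
# versus stateful filter, run over a constructed traffic trace.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

LAN_PREFIX = "192.168.1."          # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_outbound(p: Packet) -> bool:
    return p.src.startswith(LAN_PREFIX) and not p.dst.startswith(LAN_PREFIX)


class PacketFilter:
    """Stateless filter: judges each packet alone. To let replies to the LAN's
    own web browsing back in it must trust the *source* port, and the attacker
    chooses that field."""

    def __init__(self, service_ports: Iterable[int], reply_ports: Iterable[int]):
        self.service_ports = set(service_ports)   # services we publish (e.g. 25)
        self.reply_ports = set(reply_ports)       # remote ports we expect replies from

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            return True
        return p.dport in self.service_ports or p.sport in self.reply_ports


class StatefulFilter:
    """Stateful filter: remembers connections the LAN opened and only lets an
    inbound packet through when it answers one of those (or hits a published
    service)."""

    def __init__(self, service_ports: Iterable[int]):
        self.service_ports = set(service_ports)
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dport in self.service_ports:
            return True
        # an inbound packet is a reply only if it mirrors a recorded outbound flow
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run(filt, packets: Iterable[Packet]) -> List[bool]:
    return [filt.allow(p) for p in packets]


TRAFFIC = [  # constructed trace
    Packet("192.168.1.10", 49152, "203.0.113.5", 80),   # LAN browser opens a web connection
    Packet("203.0.113.5", 80, "192.168.1.10", 49152),   # the web server's reply
    Packet("198.51.100.7", 80, "192.168.1.10", 3389),   # attacker: source port 80, aimed at Remote Desktop
    Packet("198.51.100.7", 4444, "192.168.1.10", 25),   # unsolicited connection to the published mail server
]

if __name__ == "__main__":
    print("stateless:", run(PacketFilter({25}, {80, 443}), TRAFFIC))
    print("stateful: ", run(StatefulFilter({25}), TRAFFIC))
```

The third packet is the point of the slide’s recommendation: the stateless filter waves it through because it looks like a web reply, the stateful one drops it because nobody on the LAN asked 198.51.100.7 for anything.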
Protection: hardware firewall. Recommend a router with stateful packet inspection. Jim’s picks: Linksys, Sonicwall.
Protection: software firewall. A good program will know how to configure rules for major applications correctly, but it is easy to answer a firewall prompt incorrectly. Software firewalls often disrupt internal networks. Jim’s “sorta” pick: ZoneAlarm.
Protection: virus. The most mature category of protection; detection rates for known threats should be near perfect!
How do anti-virus programs work? File fingerprinting (matching known samples), active (on-access) scanning, heuristics, watching for unusual hard drive activity.
Protection can be run at the Internet service provider, the router, the server (if applicable) and the workstation (recommended).
Protection: virus. Must be updated! Jim’s picks: Norton Antivirus (home); Symantec Antivirus Corporate Edition or Small Business Edition (offices); AVG for older systems.
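An added example, not from the original slides, of three of the techniques just listed: file fingerprinting (exact hash lookup), byte-pattern signatures, and a heuristic that emulates a self-decrypting stub before scanning. It is run against a constructed “virus” and a polymorphic variant of it, so it also illustrates the polymorphic virus entry earlier in the talk. The sample bytes, stub layout and signature list are invented for the demo.

```python
# Added example (not from the original slides): toy file fingerprinting,
# byte signatures and generic-decryption heuristics against a constructed
# sample and a polymorphic variant of it.
import hashlib
import os
from typing import Optional

# Constructed malicious sample: a batch-style script with a destructive payload line.
MALWARE_SAMPLE = b"@echo off\r\nrem greetings from the lab\r\nFORMAT C: /Y\r\nexit\r\n"

# "Definitions": exact-file hashes and byte patterns a vendor would ship.
KNOWN_HASHES = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
SIGNATURES = [b"FORMAT C: /Y"]

STUB_MAGIC = b"XORSTUB\x00"      # invariant marker of our toy decoder stub


def fingerprint_match(data: bytes) -> bool:
    """File fingerprinting: exact hash lookup. Any change to the file defeats it."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def signature_match(data: bytes) -> bool:
    """Byte-pattern signature: survives small edits, not encryption of the body."""
    return any(sig in data for sig in SIGNATURES)


def polymorphic_variant(body: bytes, key: Optional[int] = None) -> bytes:
    """What a polymorphic virus does on each infection: re-encrypt its body with a
    fresh key and prepend a decoder (here: magic + key byte + XORed body)."""
    if key is None:
        key = os.urandom(1)[0] % 255 + 1
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def emulate_decoder(data: bytes) -> Optional[bytes]:
    """Heuristic 'generic decryption': recognise the stub, run it in a sandbox
    (here: just apply the XOR) and hand the plaintext back to the scanner."""
    if not data.startswith(STUB_MAGIC) or len(data) <= len(STUB_MAGIC):
        return None
    key = data[len(STUB_MAGIC)]
    return bytes(b ^ key for b in data[len(STUB_MAGIC) + 1:])


def scan(data: bytes) -> str:
    if fingerprint_match(data):
        return "known-bad (fingerprint)"
    if signature_match(data):
        return "known-bad (signature)"
    decoded = emulate_decoder(data)
    if decoded is not None and signature_match(decoded):
        return "known-bad (signature after generic decryption)"
    if decoded is not None:
        return "suspicious (self-decrypting stub)"
    return "clean"


if __name__ == "__main__":
    for label, sample in [("original", MALWARE_SAMPLE),
                          ("edited", MALWARE_SAMPLE + b"rem tweak\r\n"),
                          ("polymorphic", polymorphic_variant(MALWARE_SAMPLE)),
                          ("benign", b"@echo off\r\necho hello\r\n")]:
        print(f"{label:12s} {scan(sample)}")
```

The progression matches the slide: a hash catches the exact file, a signature survives a one-line edit, and only the heuristic (which has to partly execute the sample) catches the re-encrypted variant, which is also why heuristics produce the “suspicious” verdicts that need a human to research.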
Protection: spyware. A fairly new application category. Running two anti-spyware applications is often recommended, but only one should be doing “active scanning.” Detection rates are not nearly as accurate as virus detection. Anti-virus applications are now capable of replacing active scanning spyware applications. Spyware and virus scanners can fight, causing system freeze-ups and instability.
Protection: spyware. Jim’s picks: Webroot SpySweeper, Spyware Doctor, Spybot*, Ad-Aware*. (* not an active scanner)
Protection: spam. Spam filtering works by recognizing email addresses and domains commonly used for sending spam, and by recognizing keywords in the email, and moves the message automatically to a “junk” folder. Can be done at the email server or the workstation. Success rates are very individual!
Protection: spam. Avoid spam: once your email address is a spam target, there is no eliminating it. Avoid posting your address on web pages. Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when working unknown or very public sites (e.g. eBay, MySpace…). You have to look through your Junk email occasionally to find mislabeled email! The more “public” your email address, the less you can filter without false positives.
Protection: spam. Jim’s thoughts: Outlook 2007 is not bad; Andrew likes the new Thunderbird; several clients like Inboxer; several clients like Norton AntiSpam; several clients like their ISP’s filtering, but the user must check junk on the web site; dial up: use ISP filtering.
Protection: operating system updates. Most updates are security patches, not functionality enhancements! I do not recommend installing driver updates through Windows Update. Get operating system patches only through Windows Update itself, never from an emailed link or a web page claiming to be a Windows update.
Protection: application updates. Browsers, email applications, instant messaging applications, etc. all need security patches!
Protection: application updates (application: source of updates)
AOL IM: www.aim.com
Internet Explorer: Windows Update
Microsoft Messenger: Windows Update
Mozilla Firefox: www.mozilla.com (Help menu)
Opera: www.opera.com (?)
Outlook Express: Windows Update
Thunderbird email: www.mozilla.com (Help menu)
Windows Mail (Vista): Windows Update
Yahoo IM: www.yahoo.com
Vulnerability slides (images only): Internet / World Wide Web, WWW, email, instant messaging, gaming, streaming, P2P.
Layers: onions, ogres & protection (broadband / dial up)
Hardware firewall: necessary / n/a
Software firewall: maybe / maybe
Virus protection: necessary / necessary
Spyware protection: necessary / necessary
Spam filtering: recommended / recommended
Operating system patches: necessary / necessary
Browser/email/IM/… patches: necessary / necessary
Protection purchasing
Best of breed applications: best possible protection; probably less bloat.
Security suite: probably play together better; better pricing; common interface.
Protection purchasing: suites. Jim’s picks: Norton Internet Security, Norton 360. PC Magazine Editor’s Choice: Norton 360, ZoneAlarm Internet Security Suite 7. PC World: Norton Internet Security, McAfee Internet Security Suite.
Selecting protection
Do: read reviews from professional, neutral sources; make sure you can understand your subscription’s status; realize you generally get what you pay for; realize that bundled apps are often 30 or 90 day trials and often not installed.
Don’t: use advertising or blogs as your main source of information; use reviews from non-technical sources; run two software firewalls, two anti-virus or two active anti-spyware apps.
Protection: educate your users. Do not open attachments from anyone you don’t know. Suspicious attachments from any known email address may be threats that spoof the sender. Security measures are for their benefit; don’t subvert them. Don’t run ActiveX or Java from untrusted or unknown websites. Never click on suspicious ads or popups; always close them with the window’s own Close X (never a button inside the ad) when you can. Any connection can bring in threats: home computers logging in for remote work, office laptops connected in public Wi-Fi hotspots, removable storage.
Protection: educate your users. It is much easier to protect yourself than to get clean after an infection. Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem, use a different browser. Jim’s pick: Mozilla Firefox.
Protection: educate your users. Fake Windows Updates.
Procedure at C3
• Interview the client. Possibly start the system as is to see symptoms.
• Remove the hard drive and connect it to C3 testing systems. This prevents threats from going active and improves the accuracy of scans for stealth, polymorphic and rootkit threats.
• Virus scan (Symantec Antivirus Corporate Edition). Spyware scan (Webroot Spysweeper). Hard drive test (Scandisk or Norton Disk Doctor).
• Clean temp files: Windows\Temp, Windows\Temporary Internet Files, User\Temp, User\Temporary Internet Files, possibly other locations.
• Research infections. Return the hard drive to the client’s system.
• Probable: safe mode startup and disable Windows System Restore. Manual cleaning as needed while “disconnected”. All Windows Updates.
• Probable: installation of an appropriate security package. All updates. Full system scan.
Total time: 2 to 8 hours. Total technician time: 1 to 4 hours.
What can you do? Know that Windows cannot diagnose most problems. Know that repairing Windows requires a clean computer. Know when to say “Uncle!” based on your skill level. Know when to say “Uncle!” if a computer cannot be recovered and must be wiped. Backup, backup, backup.
Non-operating Windows: boot from the appropriate Windows CD and attempt a repair installation. The CD must match the system: version, Home vs. Professional, Upgrade vs. Retail vs. OEM.
Danger: infections may corrupt the system further. You may get “running” until the threat kicks in again and repeats its damage.
Pros: desperation; you’re doing something.
Non-starting Windows: safe mode. Press F8 (or hold Ctrl) prior to the Windows splash screen. Scan: manual updates?, virus scanner, spyware scanner. Document, research, follow the necessary instructions. Limit startups.
Most threats are inactive in safe mode. You may be able to download scanner updates manually on another computer and install them. Warning: more and more threats manage to hide themselves even in safe mode.
Safe mode: F8 during startup. Most drivers and networking are not running. Often, you must log on as Administrator.
Manual virus definition update: highly dependent on the application manufacturer. An expired subscription may not allow use of a manual update.
Limit startups: Start > Run > msconfig, Services and Startup tabs. Turn off anything that you don’t recognize, especially “random” names. Google the names. Restart.
Operating Windows
• Backup. Document!
• Virus scan: update the installed app, run an online scanner, or install a new app.
• Spyware scan (or two): update the installed app, run an online scanner, or install a new app.
• Research infections. Manual attack and tools. Follow instructions! Take your time!
• All Windows Updates. Install appropriate security. All updates. Scan.
• Scan your backup.
Update virus scanner: particular to the application. Many threats will attempt to subvert the connection. Subscription must be active.
Online scanners (virus & spyware)
Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp
Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
Trend Micro: housecall.trendmicro.com/
I want a real antivirus – now! Many vendors have demo downloads, e.g. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package.
Delete – don’t quarantine. When macro viruses were the rage, quarantining was a method to recover infected documents; that reason no longer applies.
My antivirus isn’t playing! Try updating. Attempt a repair installation. If you bought your security online, via download, copy it to CD for semi-permanent archival! Realize all security applications “get old.” Uninstall and reinstall. Need RAM?
Research infections: Symantec Threat Explorer www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp; Google www.google.com; Scumware http://scumware.com/
Disable System Restore: right-click My Computer > Properties > System Restore tab > check “Turn off System Restore” > OK.
Registry Editor: Start > Run > regedit > OK. Procedure: backup!, navigate, nuke the bad guys.
Removal tools: CWShredder www.cwshredder.net; Major Geeks www.majorgeeks.com/downloads16.html
System cleaning: eliminate temporary files. Start > All Programs > Accessories > System Tools > Disk Cleanup.
System cleaning: defragment your hard drive. Start > All Programs > Accessories > System Tools > Disk Defragmenter.
System cleanup: have Internet Explorer clear its cache automatically. Internet Explorer > Tools > Internet Options… > Advanced tab > Security section > check “Empty Temporary Internet Files folder when browser is closed”.
Know when… your last backup was made; where your system and application CDs are; you’re over your head; you’re wasting your time; your Windows is toast.
Worthwhile freebies. Virus scanners: AVG – www.grisoft.com; Avast – www.avast.com. Spyware scanners: Spybot Search and Destroy www.safer-networking.org/en/index.html. Discovery tools: HijackThis www.merijn.org.
Web privacy
Web privacy: Google is not the problem. Google is just one way to find this kind of data. Blocking this data on Google will not block other search engines. All of this is in the phone book, and then I can go to any mapping application.
Email Hijack
From: xxxxx xxxxxxxxx [email protected]
Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM

Good Morning Jim: I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CC’d who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending to herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM and can someone access confidential information that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx, Administrative Assistant, Xxxxxxxxx Coordinator, Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.
Email Hijack: not hijacked – spoofed! Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was: your computer or server; your email server; the recipient’s email host; the recipient’s computer or server.
Email spoofing application: it peruses my email and randomly grabs XYZ’s message; makes a copy; probably alters the message somewhat; attaches the virus or whatever its “payload” is; reuses all the original email addresses in the To, CC and BCC; maybe adds some more addresses; maybe randomly generates more email addresses; and starts sending itself out. XYZ may get a copy of her message back…
Urban myths
www.av-test.org
www.icsalab.com
www.virusbtn.com
www.pcmag.com (http://www.pcmag.com/category2/0,1874,4829,00.asp)
www.pcworld.com (http://www.pcworld.com/tc/spyware/)
www.geeksonwheels.com
www.pcmag.com/encyclopedia/
www.snopes.com
www.sunbelt-software.com
http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
www.webroot.com
www.wikipedia.org