Category Archives: Security

Leeds – Security Event with a former FBI agent

I am pleased to confirm that Microsoft’s Chief Security Advisor and former FBI agent, Ed Gibson, will definitely be making a stop in Leeds.

If you are a developer looking to learn more about what Oracle and Microsoft are doing in the security space, then this event is for you!

Venue:
Leeds, Courtyard By Marriott Leeds/Bradford

Date/Time:
12th Oct 2006 (4pm-7.30pm)

Further information can be found here, and if you want to register please click here.


PC security is not the first thing on the mind of a home user

The MD of Roundtrip Solutions Limited posted an interesting link to a piece about security in this posting: 81% of Home Users Lack Critical Security Elements (which links to this CNET article).

Security is something most folks generally ignore. I took delivery of my next door neighbour’s Dell PC this week (late December 2005), and I know security won’t be on his mind once it’s all set up and working. And since virtually all Dells are supplied with a Symantec anti-virus/firewall product that’s free to use for the first three months, any Internet nasties that were thinking of taking up residence on his machine will be kept away…for the first three months. After that, and after the Symantec product has asked for a credit card number and been told “no” (politely of course), the machine gradually opens up and the nasties come in. That’s the start of spyware, malware, viruses, rootkits and trojans, each inviting the other, each breeding and infecting the machine, applications, e-mails and ultimately, machines belonging to others…the zombie network takes over.

[April 2006 update: Dell are now shipping with McAfee as their anti-virus vendor of choice, and they are offering 15 months instead of 3, but do check as I believe that this is an offer not a permanent thing]

A further three months might pass before the “fastest machine money could buy” starts taking a long time to boot up…simple operations take forever…perhaps the odd “memory could not be read” error or even the odd blue screen of death. If they’re lazy, they might put up with it for another few months, but invariably “Friendly Bloke/Relative (FB/R) who works in IT” gets a call.

The majority of spyware “items” infect your PC largely because you clicked on something that essentially gave them permission. It’s rather like a burglar knocking at your door: you invite him or her in, they take some stuff, including a copy of the keys, and go. OK, so the spyware doesn’t actually go, it lurks about on your PC making it slower and slower. And whilst spyware will not take a copy of your keys, it might take a copy of your passwords, credit card numbers, etc. You may have read a lot in the press about identity theft – well, spyware is responsible for some of the pain and turmoil caused by identity theft. Spyware, malware, etc. that sits on your PC logging your keystrokes and watching what sites you visit can be the first step to your identity being stolen…or worse, your bank account being accessed without your knowledge or consent.

Now, until the major banks implement better security mechanisms, on-line banking is threatened by these key loggers. However, if your PC is protected using the tools mentioned in this posting, you can relax a little. You can relax even more when you learn that the banks are working on methods that will make your usage of their services a little bit more secure. In addition to the plethora of passwords and bits of passwords that banks expect us to remember (never write down of course!), new techniques such as two-factor authentication are in the pipeline. It is the PassMark system that offers this two-factor authentication; more can be found here and here.

However, whilst your bank balance is somewhat hardened, imagine how your children might react if the computer that they had been using for their homework suddenly presented them with a rather less than salubrious list of previously visited sites? That’s what I’ve found on a lot of PCs that I “look after” under the auspices of FB/R. Here’s a carefully edited screenshot that demonstrates the kind of thing to expect.

[screenshot: spyware]

This is an extreme example. The machine in question had been used to view rather a lot of pornographic material and as such had been subject to a variety of popups, many of which expected the user to click OK, Yes or Accept. It is this affirmation that lets the burglar into your house, free to do as they please. As soon as you confirm that you are happy to have something downloaded and installed on your PC, there’s often little that can be done to prevent any damage being done.

What’s worse, this particular machine had lost its Start bar, hence the appearance of the Windows Task Manager at the bottom of the screenshot. The user of this particular machine had to use the Task Manager to run applications (some of which were in fact corrupt). By visiting pornographic sites and downloading whatever they had to offer and claimed to be needed in order to run, this computer became very slow and unstable and required a complete re-format to bring it back to life.

Incidentally, the metastop toolbar that you see in the screenshot above is a “search hijacker”. It might not sound dangerous, largely because many search hijackers will return similar results to those returned by your preferred Internet search tool, e.g. MSN Search or Google. The subtle difference is that you might be directed to a site that gives the search hijacker some benefit based on the number of clicks and click-thrus that are made. If you are offered the chance to install a toolbar, particularly if you are just browsing, my advice to you is to ignore it. There are very few toolbars that you need – the big names have the market sewn up: Microsoft, Google, Yahoo, etc. More about this particular search hijacker can be found here.

You can, however, protect yourself in a number of ways:

  1. User education – don’t visit dodgy sites. This is harder than it sounds – convincing folks not to visit dodgy sites is a mind game, good luck!
  2. Avoid clicking on popups. Use the default operating system close icon instead: in Windows this is a red cross in the top right of the popup – some popups will try and fool you by including their own red cross, watch out for this and don’t be tempted to click on it. If in any doubt, ignore the popup, reboot and don’t visit that site again!
  3. Purchase and install a reputable firewall product. Many popular broadband routers, such as the NetGear DG834 and the DLink DI-624+, have a firewall built in. Generally, this is a good thing and it does give you out-of-the-box protection. However, if you really want to know how and when your PC is sending messages from your machine to the Internet, an operating-system-level firewall is useful. There are many good ones, such as ZoneAlarm. Many antivirus products now have an integrated firewall, so it is worth considering software products that do both – there are a few listed in the Recommended Software section at the end of this posting.
  4. Purchase and install a reputable anti-virus product. Whilst you can rely on your ADSL/Broadband router to protect you with its firewall, there’s nothing it can do to help you protect your machine from viruses, Trojan horses and other nasties that might come in via other means.
  5. Install an anti-spyware product. There are some good free tools, such as Ad-Aware, however like firewalls, many anti-virus vendors are integrating them into their products. John notes that he is enjoying success with Windows Defender.
  6. Use a file cleaner such as CCleaner. Over time, your computer builds up a lot of temporary files. Whilst Windows is reasonably good at maintaining these files, inevitably many remain. Amongst many others, CCleaner is capable of removing a whole plethora of temporary and unneeded files. After you have used CCleaner, I recommend that you defragment your drives too.

What if I don’t want to buy any software?
In that case, I recommend that you download and install a firewall such as ZoneAlarm. I would also suggest installing a free anti-virus product, such as AVG or avast!. Further, you should also install Ad-Aware.

Of course, it’s not much use downloading and installing these products, whether free or not. You have to keep them up to date. Most of the products I’ve mentioned in this post offer some form of automated update, so once you’ve installed them, they’ll happily update themselves in the background – it’s worth watching to see that this does actually happen. The first sign of a virus infection usually manifests itself when the virus tries to disable or alter the anti-virus protection that you have installed. Viruses are not known for their delicacy and often step on lots of toes whilst attempting to thwart the anti-virus protection!

On-line alternatives
Many anti-virus vendors offer their “scans” on-line, often for free. Microsoft’s Windows Live Safety Center and Symantec do just that.

Lastly…
This post homes in on the need for security on your [home] PCs; the author makes reference to a number of products that can help achieve a level of security that is sufficient. However, security is an on-going thing: it’s important to keep any security products up to date. It’s also about vigilance: don’t do anything “out of the ordinary”, don’t click “yes” or provide some sort of confirmation to popups that you weren’t expecting. Don’t open e-mails or attachments if there is anything “odd” about them, particularly if they look as if they are “executable”, e.g. a .exe or .com extension…or unsolicited Word/Excel documents. The author welcomes comments and pointers to other competent software.

Further Reading
Identity theft, phishing, key loggers…
http://www.rootkit.com/
Sony, Rootkits and Digital Rights Management Gone Too Far
EMPLOYEE FRAUD – THE ENEMY WITHIN
Banks introduce transfer delays in drive to stamp out phishing
Victims of internet bank fraud will have to pay up

Recommended Software
  • Windows Live OneCare
  • Norton Internet Security
  • ZoneAlarm Internet Security Suite 6
  • Kaspersky Antivirus
  • McAfee VirusScan Professional 6.0
  • Panda Antivirus Platinum
  • AVG 7.0 Anti Virus PRO

[Originally written 31st December 2005, not posted. Revised April 2006, posted]

Identity theft, phishing, key loggers…

Despite what you hear, major banks have a more serious problem to contend with than on-line fraud – there is a lot more fraud happening inside the banks themselves, i.e. internal fraud. In a recent case, somewhat close to home, the bank in question acted rather naively and demonstrated that they are not geared up to deal with on-line security issues. I can say this because earlier this year I had to verify that my friend’s business PCs were not infected with any viruses or key loggers – they had just witnessed a large sum of money vanish from their business account via a transaction that apparently used their own credentials.

However, instead of the transaction being carried out from a PC located in Scotland, the transaction was carried out using a computer located in Sheffield (insofar as we could tell; the actual machine could easily have been elsewhere in the world – this is the concept of a zombie PC coming to the public eye). The computer in Sheffield appeared to be using a cable modem and Blueyonder as its Internet Service Provider (ISP). Now this, in my opinion, is the first warning sign and one that the bank should have picked up on before committing the transaction and allowing it to complete. The business in question uses a fixed IP address, therefore it is always the same address each and every time they use the bank’s on-line service.

Suddenly, out of the blue, this customer wants to transfer over 95% of their business account to an account that they have never used in the past. Clue number two: what sort of business transfers 95% or more of their account in one go? Clue number three: the destination account is unknown. Clue four: over 95% of all this business’ transactions are conducted via Scottish branches of the destination bank.

Worse than that, a few days later, the same bank and the same software were used to conduct another withdrawal, this time from a ‘deposit’ account that should never have allowed withdrawals of this size anyway. This time the PC was located outside of Scotland and was using AOL as its ISP. At this point, the business in question lost faith in the bank’s ability – the business owners had been accused of performing the initial fraudulent transaction themselves, so for it to then happen a second time on an account that was meant for deposits only cracked an egg on the bank’s face.

Luckily, the business in question had all their money returned rather quickly, which provided a clue that the problem was more internal than external. It is not uncommon for disgruntled employees to leave a bank, “walk off” with a handful of user login information, go to ground, then use it a few months after their departure. Indeed there are a few links at the end of this posting that confirm this happens; they make worrying reading.

Of course, had the bank been using a two-factor authentication mechanism, this kind of fraud would be virtually impossible to commit.

Why am I so hard on the bank in question? Well, in 2004, my bank were wise enough to notice that I had used my credit card in Plymouth, Aberdeen and Edinburgh within a few days of each other – this didn’t worry them too much, it was reasonable to expect me to have been in those three locations in the space of three days. However, on the fourth day, I happened to use the same card in Tenerife, a fact that, when put in context with the other three days’ travel, caused the bank to give me a call. They did authorise the transaction in Tenerife, and gave me an option for them to call me back. Once they had confirmed that all was well with my credit card, business continued as usual.
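The warning signs listed above (unfamiliar source address and ISP, a transfer that empties the account, an unknown destination, a withdrawal the account type should not permit) are exactly what a bank could check before committing a transfer. The following is an added example, not code from this post or from any bank: the customer profile, the IP addresses and the transfers are constructed sample data.

```python
# Added example (not the post's own code): a pre-commit risk check for an
# on-line banking transfer, built from the warning signs the post describes.
from dataclasses import dataclass

@dataclass
class CustomerProfile:
    fixed_ips: set            # addresses the business always logs in from
    usual_isp: str            # ISP those addresses belong to
    known_payees: set         # destination accounts paid before
    withdrawal_limits: dict   # account type -> largest permitted single withdrawal

@dataclass
class Transfer:
    source_ip: str
    isp: str
    account_type: str         # e.g. "current" or "deposit"
    balance: float
    amount: float
    payee: str

LARGE_SHARE = 0.95            # the post's "over 95% of the account in one go"

def risk_signals(profile, t):
    """Return the warning signs present in a transfer; empty means routine."""
    signals = []
    if t.source_ip not in profile.fixed_ips:
        signals.append("login from an address the customer has never used")
    if t.isp != profile.usual_isp:
        signals.append(f"unexpected ISP {t.isp}")
    if t.balance > 0 and t.amount / t.balance >= LARGE_SHARE:
        signals.append("transfer moves 95% or more of the account")
    if t.payee not in profile.known_payees:
        signals.append("destination account never paid before")
    limit = profile.withdrawal_limits.get(t.account_type)
    if limit is not None and t.amount > limit:
        signals.append(f"exceeds {t.account_type} account withdrawal limit")
    return signals

def should_hold(profile, t, threshold=2):
    """Hold the transfer and phone the customer once several signs coincide."""
    return len(risk_signals(profile, t)) >= threshold

# Constructed sample data (documentation IP ranges): a business with a fixed
# address, the two fraudulent transfers from the post, and a routine payment.
BUSINESS = CustomerProfile(
    fixed_ips={"203.0.113.10"}, usual_isp="BusinessISP",
    known_payees={"GB-SCOT-001", "GB-SCOT-002"},
    withdrawal_limits={"deposit": 5000.0},
)
FIRST = Transfer("198.51.100.7", "Blueyonder", "current", 100000.0, 96000.0, "GB-UNKNOWN-9")
SECOND = Transfer("198.51.100.8", "AOL", "deposit", 80000.0, 60000.0, "GB-UNKNOWN-9")
ROUTINE = Transfer("203.0.113.10", "BusinessISP", "current", 100000.0, 2500.0, "GB-SCOT-001")
```

Each of the two fraudulent transfers trips four signals, while the routine payment trips none, so a threshold of two holds the fraud without bothering the customer about everyday payments.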

I’ve not really touched on phishing in this post, perhaps because I don’t believe that this was a phishing case. All signs are that it was an internal security issue, not the work of a rogue e-mail asking the business owners to log in to the bank via a link in the said e-mail. Of course, if you do receive such an e-mail, remember that the major UK banks will never ask you for your login details to be “repeated” in their entirety, and remember that it’s always best to manually type in your bank’s URL.

Further Reading
PC security is not the first thing on the mind of a home user
EMPLOYEE FRAUD – THE ENEMY WITHIN
Banks introduce transfer delays in drive to stamp out phishing
Victims of internet bank fraud will have to pay up

Windows OneCare Live

Following on from my earlier posting…Windows OneCare Live offers a similar service:

This PC health service is always on, running quietly in the background. It helps give you round-the-clock protection and maintenance—virus scanning, firewalls, tune ups, file backups, the whole nine yards. Delivered to you in a smooth, hassle-free package.

Another e-mail scam…

If you receive an e-mail with content similar to this, just delete it:

Hello,

We are planning to include you in the new campus magazine in an article titled “[TOPIC]”. Can you approve the photo and article for us before we go to printing please?

If any details are wrong then we can amend before printing on Wednesday the 1st of February so please get back to us as soon as possible. We have attached the photo and article.

Many Thanks & Best Regards,

It may well have an attachment “photo+article.zip” that contains an executable application – do not, under any circumstances, try to run this application. It is a trojan horse.
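A mail gateway can catch this pattern before the attachment reaches anyone: open the zip in memory and flag any member that Windows would run as a program. This is an added example, not code from this post; the archive contents, including the member name photo.jpg.exe, are constructed for the demonstration.

```python
# Added example (not from the post): flag executable members inside a zip
# attachment, the shape of the "photo+article.zip" trojan described above.
import io
import posixpath
import zipfile

# A common subset of extensions Windows executes when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

def suspicious_members(zip_bytes):
    """Return the archive member names that look like executable programs.

    Only the final extension matters, so a double-extension trick such as
    'photo.jpg.exe' is still caught; the comparison is case-insensitive.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, ext = posixpath.splitext(info.filename.lower())
            if ext in EXECUTABLE_EXTENSIONS:
                flagged.append(info.filename)
    return flagged

def build_sample(members):
    """Build a constructed test archive from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: "MZ" is the Windows executable header, the rest is filler.
SCAM_ATTACHMENT = build_sample({
    "photo.jpg.exe": b"MZ" + b"\x00" * 32,
    "article.doc": b"dummy article text",
})
CLEAN_ATTACHMENT = build_sample({
    "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 8,
    "article.txt": b"dummy article text",
})

if __name__ == "__main__":
    print(suspicious_members(SCAM_ATTACHMENT))   # ['photo.jpg.exe']
    print(suspicious_members(CLEAN_ATTACHMENT))  # []
```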

More details can be found here.

Windows Live Safety Center

With more and more users relying on their PCs for day-to-day activities, what happens when things start to go wrong? Finding reliable experts can be a tricky and expensive process. Luckily, there is some help at hand in the form of the Windows Live Safety Center.

The [Microsoft] Windows Live Safety Center promises to:

  • Check for and remove viruses
  • Learn about threats
  • Improve your PC’s performance
  • Get rid of junk on your hard disk

You’ll need to “allow pop-ups” for this tool to work.

There’s an excellent Community section, where you can expect to find answers to such questions as:

  1. My PC is slow
  2. I’ve lost an important file. How can I find it?
  3. My PC crashes a lot
  4. I need to get rid of a virus
  5. I’m having problems installing or using hardware
  6. My PC takes a long time to start up or reboot
  7. I’m having problems installing or using software
  8. I’m having problems with Microsoft Update
  9. I need to be an Administrator to install or use a program

The site itself looks to be taking the form of a portal, offering the collation of a number of other services including Windows AntiSpyware (beta).