Archive for the ‘Computer Security’ Category

Computer Overnight – leave it on? shut it down?

Do you leave your system running all night, or do you shut it down? Which is better?

Shutting down has the following advantages:

  • Saves electricity = greener = cheaper. Shutting down every night means that, at least for 8 – 10 hours (almost half a day), the system is drawing minimal power. Unplug it to get 100% savings.
  • System is protected during that time from software threats. If it ain’t running, it can’t get infected with spyware/malware/viruses.
  • Might extend the life of the electronic components. Since it’s only running half the time, it should put only half the mileage on the various parts that make up the system – and, after all, accumulated mileage is what tends to cause systems to fail. However, more stress can be incurred during power-up sequences of the system, and now you’ve doubled the number of reboots (per year, let’s say) that you’re subjecting your system to.

In cleaning out some trojans from systems lately, I’ve noticed that there are traces of activity at specific 12-hour intervals (like at 5:30 AM and 5:30 PM), the times of which appear to coincide with times when the owner is least attentive to his/her system (like sleeping or leaving work). This argues for shutting down, to help cripple any crapware on your system, thereby slowing down the corruption process. If the system’s down, the crapware can’t download more stuff in the background.

On the other hand, I can’t use remote access (VNC or remote desktop) to a system that’s powered off, so if I’m on the road, I need to leave the system on or carry a lot of data with me. This is the only exception I can think of to shutting down, and it need only affect the system when I plan for it.

So, at this point, I’m pretty convinced that leaving the system off overnight is the best choice. Unless, of course, access requirements dictate otherwise.

http://forums.whirlpool.net.au/forum-replies-archive.cfm/1071288.html coincidentally ran a poll in October 2008, and the various comments there represent a fair assessment of the pros and cons of leaving systems on vs. shutting them down, if you want more information.

[edit]

http://itknowledgeexchange.techtarget.com/itanswers/will-we-really-save-money-having-users-shut-down-computers-at-end-of-day/ dating back to 2005 generated a significant volume of discussion, including a bit of history of the debate.

[/edit]

Mimicry – crapware’s new (old) gig

A new trend in crapware (malware – spyware, adware, trojans, whatever you want to call them) is the use of mimicry: programs that appear to be one thing and turn out to be something different. The key difference in this new generation is that the appearances are now quite deceiving.

Recent reports include:

1) A Facebook trick in which the user is sent a message suggesting that (s)he should go look at a video (of him/herself, or something else). When the user attempts to view the video, a pop-up appears that looks exactly like the RealPlayer update notice, indicating that RP needs to be updated. Clicking on the update button results in download of undesirable software, and does NOT update RP at all. ( http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm )

2) Notices (in infected systems) indicating that your system is running slowly as a result of infection, and suggesting clicking on the notice or downloading a product to resolve the issue. ( http://www.enigmasoftware.com/support/antivirus-2008-antivirus-2009-xp-antivirus-2008-infect-winlogon/ )

While 1) occurs to a user online, and can be the trigger for an initial infection, 2) usually results from an existing infection.

So, what’s different in these scenarios from past experience? It’s in the appearance. The various notices appear identical to legitimate, expected system notices. The bad guys are copying icons, artwork, and presentation to make their crap look like something normal. This is rather insidious, as it becomes more difficult to ascertain whether your system is truly infected with something, or whether your system is attempting to inform you of a real problem.

So, what’s the bottom line, here? How can we defend ourselves?

Standard recommendations include:

- caution when browsing or checking email

- routine scanning with both antivirus and antispyware software

- keeping everything (virus definitions, spyware definitions, Windows) updated

(For more commonsense internet safety, see, for example, http://www.onguardonline.gov/ , or http://security.rit.edu/dsd.html ; there’s lots of information about internet safety out there. Google is your friend! )

These things help. But they’re not enough. Systems will still get mysteriously infected, whether by inadvertent clicking on a pop-up, drive-by download, or some other means. One of those means is when you are trying to clean your system up. There is no small number of crap products that claim to fix your system but actually do nothing, or, worse, actually put more crap onto your machine. Before you download and/or purchase protective measures, definitely check here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

One defensive measure I’ve experimented with in Windows is a freeware program called Sandboxie ( http://www.sandboxie.com/ ). This program runs your browser (and/or whatever other programs you identify) in a protected environment. It creates a private registry, private file system, etc., all of which can be trashed completely at the end of a session. It fools software into “thinking” that it is installing in the real system, while, in reality, it’s installing only in Sandboxie’s protected area. Sandboxie’s license appears to grant free use of the product indefinitely for individual users. It explicitly forbids use in a commercial environment, except for evaluation purposes. If you decide to purchase a registration key, apparently more sophisticated features of the product are unlocked for you. Read the information on the website, including the license, so that you know what you’re getting yourself into – I’m no lawyer!

This is just one suggestion – one approach. I’m not endorsing the product; I’m using it as an example. It starts you down the road toward Virtual Machines (VM), for which I’ll provide more info in a future post. When you start thinking about protection of your system in this way, you’re thinking about a different kind of body armor from antivirus and antispyware – something that can provide more comprehensive protection, perhaps. On the other hand, maybe this one does the trick for you.

[Note - I intentionally avoided going into alternative systems such as Linux, FreeBSD, Mac, etc. This particular post is targeted toward Windows]

This article has just scratched the surface of these issues. The problem remains a serious one, and it’s not going to go away anytime soon. We have to stay on the defensive with our systems; either that, or disconnect them from the Internet, making them expensive paperweights. More and better products are in development, as the arms race between the good guys and the bad guys continues.

Any other suggestions? How do you protect your system?

Please Update Your Info with Our Bank

Nope, I’m not a victim; but I have been receiving phishing emails asking me to update my account information “from” a bank with whom I have no relationship. I sent the emails on to the bank and they’ve confirmed that it’s a phishing scheme. Here, I offer a few tidbits from the email to give you an idea of how this stuff works.

In the past week I’ve received two emails directed toward the same bank. (I have obscured the bank identification in this post, as it’s irrelevant to the discussion). One has subject line “IMPORTANT Upgrade to New Security System” and the other says simply “Account Update.” Both emails appear to come from the bank, and both have “Reply-To” addresses that appear legitimate (that is, both reference <bank>.com). Both explain that the bank has instituted new security measures, and request that I update my information through their new, secure server. Then they provide a convenient link to do just that. The link looks like this:

http://www.bank.com/secure/update/ssl.cfm

Sounds good, right? It even looks secure, what with that “ssl” and the word “secure” in the URL. But, looking “under the hood” (by way of examining the “page source”), the link really goes here:

http://xylus.ca/labradale/images/.www/onlineservices.bank.com/auth/

Now, I’m not sure who xylus.ca and the various subdirectories are, but I’m pretty sure they’re NOT my bank.com. It could be somebody’s website that is being victimized by the redirect, so I can’t even assert that xylus.ca is a bad guy. But the redirect is certainly cause for concern.
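As an added illustration (not part of the original post), here is a small Python script that automates the “under the hood” check described above: it parses an HTML mail body, compares the host shown in each link’s visible text with the host its href actually points to, and also flags hrefs that bury a trusted bank hostname inside their path. The mail body, the bank.com domain and the intermediary.example host are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank.com"}  # constructed: the domain the mail claims to come from

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # bare "www.x.com" text gets a scheme so urlparse sees a host
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def registered_domain(host):  # last two labels; enough for the .com case in the post
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html):
    """Return (href, visible text, reason) for each link that merits a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = registered_domain(host_of(href))
        reasons = []
        # 1. The visible text is itself a URL, but names a different domain than href.
        if text.startswith(("http://", "https://", "www.")):
            if registered_domain(host_of(text)) != real:
                reasons.append("visible URL host differs from href host")
        # 2. A trusted name appears in the path (…/onlineservices.bank.com/auth/) only.
        parsed = urlparse(href)
        for trusted in TRUSTED_DOMAINS:
            if trusted in (parsed.path + parsed.query).lower() and real != trusted:
                reasons.append(f"{trusted} appears only in the path of a link to {real}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings

# Constructed sample body modelled on the message described in the post.
SAMPLE_EMAIL = """
<a href="http://intermediary.example/images/.www/onlineservices.bank.com/auth/">
http://www.bank.com/secure/update/ssl.cfm</a>
"""
```

Calling `suspicious_links(SAMPLE_EMAIL)` reports the disguised link with both reasons; a link whose visible text and href agree (and whose path does not name the bank) comes back clean.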

The rest of the email even grabs images and page reference from the bank.com site, to make things look more legit. And they offer you the phone number and email address for verification.

What purpose does this serve the bad guys? By using their site as an intermediary, they can either request information from you that you wouldn’t want others to know (like account numbers, usernames, passwords), or, more disturbing, they can simply “watch” your interaction with your bank to obtain the same information without you knowing your information has leaked. Then THEY have your username, account information, passwords, etc., to use as they wish. I doubt they’re planning on making deposits to your account.

This explains the experts’ advice that you NEVER click a link contained in an email. That is, assume any link in emails is suspect – especially if it concerns your finances, your accounts with anyone/anywhere, etc. CALL the bank or company ON THE PHONE. Use their published phone number, NOT the one provided in the email. Ask questions, and never assume an email is what it claims to be.

Caveat emailer.

Home network security – one perspective

Daily Cup of Tech (one of my favorite blogs) recently posted an article about home network security, and making your home (wireless) network less attractive to casual snoopers, responding to criticism received in a comment to a previous posting. The suggestions he provides aren’t designed to make your network hacker-proof – as even he discusses.

They do, however, help lower your network’s profile in a potential sea of available access points. Good advice he offers: disable SSID broadcast, use encryption, employ standard security measures (like changing the administrator password) available on your router, etc.

Experts will argue about whether one kind of encryption is superior to another (yes, WPA is better than WEP, etc., etc.), whether disabling SSID broadcast represents any measure of security at all (only nominal), etc., but the bottom line is that any measures you employ to improve your security are better than what you had before. It is, as they say, a step in the right direction. And it might just be enough to discourage a snoop… you never know.

Router vulnerability (potential)

A new attack approach was documented in February by researchers at Indiana University and Symantec in which an Internet user need only visit a bad guy’s web site to become a potential victim for a variety of crimes, including possibly identity theft. At the very least, it exposes any and all information that you send over the Internet to snooping by unknown parties. The attack uses JavaScript to change settings in your router so that all of your Internet traffic is sent through the bad guys’ computer system. Once your router has been compromised, it is very difficult to detect the problem, since everything will appear to act normally. The various antivirus, antispyware, etc. measures cannot detect this attack at present, and will be unlikely to detect a compromised router in the future.

The fix: MAKE SURE YOU HAVE CHANGED YOUR ROUTER’S ADMINISTRATOR PASSWORD FROM ITS FACTORY DEFAULT SETTING!! While you’re at it, be sure you’ve enabled encryption on your wireless.

Of course, you should also check the DNS settings in your router to be certain they belong to your ISP. If this doesn’t make sense to you, get a professional involved.

Technical reference: http://www.cs.indiana.edu/pub/techreports/TR641.pdf (checked 2/27/07)

Routers and ISPs

A certain DSL ISP (who shall remain nameless) recently was “helping” one of my customers. The customer had trouble getting a connection, so the customer called the ISP’s tech support for help.

It seems the ISP’s tech support decided that the best course of action would be to reset the router to its factory settings, so they could set up auto-login to their system. This means any and all security settings I had in place for my customer went out the window. (I co-posted a note on router security and default admin passwords here.)

There was no attempt to reinstitute ANY security settings once the ISP had reestablished the customer’s connection.

This is very bad news, for several reasons:

1) wireless security measures were completely disabled;

2) any other measures I may have had in place were now gone; and,

3) the router’s admin password was set to factory default.

Another of my customers called their cable ISP provider with a problem, and that company’s tech support had the customer bypass the router to get things working again… and never had the customer reconnect the router. A day later I got the call that the wireless was down… only to discover that the router wasn’t even in the loop!

For the ISP to throw away all security settings and place the router in a vulnerable configuration simply to reestablish their service is certainly unacceptable – perhaps negligent. To disconnect the router and never reconnect is downright incompetent.

Unfortunately, first-level tech support at many ISPs is a relatively untrained person who is stepping through a checklist – and has no idea as to the ramifications of the changes (s)he is making to the customer’s equipment. Once the ISP’s problem is solved (i.e., the customer’s original complaint is fixed), the ISP hangs up with a “see ya’ later” with an unspoken “good luck!”

Moral of the story: have your customers contact you when they’ve dealt with their ISP, so you can clean up the mess that gets left behind.

Is this commonplace? Your comments are welcome!

A truly astounding view of a system getting infected

Daily Cup of Tech (blog) is a place I visit routinely. It’s a very informative blog. Today, DCoT posted a YouTube link to a truly astounding piece of video: you get to watch a system get overwhelmed by spyware, adware, trojans, and whatever else (including some 78 Internet Explorer popup windows) in a matter of seconds. I think the video runs for about 1 minute.

http://www.dailycupoftech.com/2007/05/08/dont-go-to-this-website/trackback/

Like the video says, don’t try this at home.

No information was provided as to whether any security measures were in place. Even if they were, I doubt they would have stopped ALL of the crap being loaded onto this poor sap’s machine.

Nice Demo. Thank you, DCoT!

Protection for your system = learn

Our computer systems remain targets for various forms of attack. These range from phishing (using misrepresentation or fraud to obtain sensitive personal or financial information), trojans (programs that install, then download other programs), bots (where your computer becomes a zombie to do things at the whim of the bot “owner”)… there are more. Lots more.

So, the pros recommend we protect our machines with technological fixes: antivirus, firewalls, spam filters, URL or IP blocking, etc. etc. All good ideas. But they don’t fix everything, and they cannot stop everything. The various vendors and ISPs that offer “free antivirus” and/or “free antispyware” are giving us a false sense of security. Literally. (Not that we shouldn’t take advantage of the freebies… I’m a firm believer in freeware and, especially, in open-source software.)

And the fixes ignore the primary causative agent in the majority of system infestations: the user. We casually visit unfamiliar websites, accept and read emails from unknown sources, sometimes follow a link in an email or, worse yet, take a look at that attachment.

The solution: we users have to educate ourselves. Yeah, it takes some effort, time, mental energy. But the alternative is equivalent to walking down a city street with our credit cards in one hand, our cash in the other, holding them up for all to see and grab if they want them. Unless you have a computer specifically reserved for Internet browsing, and you don’t do any online personal stuff (banking, purchasing, private emails) on that machine [in the city analogy, you left all your valuables locked at home], you are exposed.

From our education, we’ll start to establish habits that allow us to surf and email (and blog, and IM, and whatever) with some confidence that we’re not exposing ourselves. [heh heh]. And we’ll still be able to at least access our valuables when we need them.

First point to learn: you never get 100% protection from anything (unless you pull the plug to your network and/or ISP). There is an ongoing battle, driven by economic forces, between people who want to steal your stuff and people who want to help you keep your stuff. Some of those that want to help you offer their help for free; others charge; some charge a lot – for not much greater benefit.

Second: the more “protection” you install, the less convenient it becomes to do things. Like the difference between coming home to a locked or unlocked house: the more security you’ve got going, the longer it takes to get in [pull out your keys, unlock the door, etc.]; and be sure to give the door a tug to be sure it’s locked when you leave!

In my next post on this subject, I’ll start throwing in some links to decent (IMO) learning sites.

In the meantime, don’t believe everything your ISP or antivirus/antispyware vendor tells you. There’s safe, and there’s only safer [as in '...than nothing'].

Needed: Computer Body Armor

Symantec has come out with their semi-annual Internet Security Threat Report. Disturbing findings.

Seems attacks on our computers are more targeted toward information theft. Also seems the attackers are getting more sophisticated – using multiple layers of downloading, multiple attack vectors, and hiding themselves both with encryption* and rootkits**.

There are also indications of more organized efforts, more money involved, and sale of kits and tools to take advantage of security holes. By the way, if I read it right, the majority of attacks come in through email.

This lame little summary doesn’t do it justice. At least read the Executive Summary.

Keep your antivirus up to date, use a properly configured firewall, and be sensitive to unusual behavior of your system(s). Business as usual.

* the wikipedia entry for encryption seems to give an accurate idea of what this information coding approach is.

** the wikipedia entry for rootkit seems to provide a fair definition and context in the first three sections of the entry.

Gotta’ be careful about citing wikipedia these days, especially in light of “recent” events. GrumpyTechGuy gives a good summary in his blog.

- I have no association with either Symantec or Wikipedia at all. But I found Symantec’s report interesting. -