
Updated and revised November 1, 2009 - OS Updates; Jan. 7, 2006 - Sygate references updated, new/revised info in Fight Back.

PC Security

So you spent hundreds, perhaps thousands of dollars on your computer and software. How well is it protected from viruses, trojans, worms and internet hacking? Do you assume your operating system, software and personal information are secure? Do you think the threat from hackers isn't that great?

Well, it is. My firewall's logs will attest to that, as will the logs of many others. Since August 2003, the amount of internet traffic at the average home PC has increased dramatically. Many of those port probes are from computers infected with malware (malicious software) looking for others to infect, or computers looking for other infected machines to do ill with. In 2008, infecting web sites is on the rise as the favoured way for the bad guys to spread their malware. More on that is detailed further on. In the "old days" most malware was written by "hobbyists" - today, it's organized crime. InformIT has a brief history on their site.

A report from silicon.com notes that more than 43,000 new variants of malicious remote control software were found in the first half of 2006. It said in the report: "Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware." The situation is not improving. F-Secure notes that as of February 12, 2008, they are adding over 1,300 detections a day. At that rate, they expect one million or more by the end of 2008.

Thousands of computers all over the world have been compromised, and their owners don't even know. According to this article from USA Today, "...as many as 47 million of the 681 million PCs connected to the Internet worldwide may be under the control of a bot network." Are you one of them? Botnets are big business now, and they are up to no good. For a chilling look at their power, read Attack of the Bots from wired.com.

The average "survival time" of an unpatched Windows PC is in the 16 to 25 minute range. This is the length of time before that computer will be infected with one of the many worms that still flourish on the internet. These worms and trojans persist because there are still computers on the internet that aren't protected. Protected means having a firewall, an operating system updated with the latest patches, and a good anti-virus program using the latest virus definitions available. See also this background article from the CBC news website: www.cbc.ca/news/background/computer-security/.

In a three hour period in November 2003, my firewall logged 280 inbound attempts to connect to my computer. On August 31, 2004, there were over 1000 in 90 minutes. The average from September 2004 to November 2004 is 991 per day*. A few years ago, I averaged less than 20 in a 24 hour period.

On November 29, 2004, USATODAY.com ran an article that fully illustrates this point (2004-11-29-honeypot_x.htm). It's definitely worth a read. Read it and cringe...

In early 2005 something called "DNS Cache Poisoning" began making the rounds. (A good overview of what DNS is can be found here.) A few internet DNS servers were affected by this. The result was that some people were directed to a website that dumped malware on their computers, instead of the intended website. Read the article from SecurityFocus here. A detailed report can be found at isc.sans.org/presentations/dnspoisoning.php. Some of the article is rather technical, but you can skim over that stuff...

Hackers are getting more sophisticated, just as fast as the operating systems and anti-virus software are. Software companies scramble to patch security vulnerabilities as they are discovered, hoping that they are a step ahead of the malicious hackers. Sometimes they aren't, and don't find out about the vulnerability until a hacker has exploited it.

You can protect yourself. Self-education is a very good start, and some excellent software is available to help you - some of it is even free.

Protect Yourself Against Viruses And Trojans

It is very important to have a good anti-virus (AV) program. Don't be cheap - you spent good money on your computer, you should be willing to spend a few bucks to keep it safe. It is also essential to keep your AV software up-to-date with the latest virus definitions. This should be done no less than weekly, if not daily.

AV software depends on a database of virus definitions to keep your computer safe. Most AV programs have the ability to download the latest virus definitions and update themselves. You can usually set the scheduling of this feature. Good AV software will recognize and stop virus-like activity, but only once the virus is running. But by then some damage has possibly occurred. If you have the latest virus definitions, then the chance of this is reduced.

As new types of threats evolve, so does AV software. The use of rootkits is on the rise, and older versions of AV software may not be able to detect them. Seriously consider upgrading to the newest AV software, preferably one that can detect rootkits. Symantec's Norton AntiVirus 2008 and F-Secure Anti-Virus 2008 are two of several that now have that capability.

There are free online virus scans available, which some people I know use instead of an AV program on their computer. This is like locking the barn door after the horse has left the building. Online scans will not prevent a virus, trojan or worm from infecting your computer. All they can do is try to clean up the mess it left behind. Be proactive, not reactive: acquire and install anti-virus software on your computer.

Symantec, Kaspersky and McAfee are among the most popular AV programs. Grisoft offers a free version of their AVG Anti-Virus software, but there are a few catches, like no technical support. As of this writing, the link to the free version of AVG is at http://free.grisoft.com/freeweb.php/doc/2/. Trend Micro is another - see the Virus Alert Feeds page, under Symantec's and Kaspersky's feeds. A free online virus scan is also available there.

Most of all, be very cautious. Don't be the first person to be infected with a brand-new, undiscovered virus! The fact your AV software found no virus in that email doesn't mean it's guaranteed safe. Do not open email messages or attachments that are even remotely suspicious. Even if it's from someone you know. To be on the safe side, email or call them and find out if they sent you that email on purpose.

Many viruses spread by using the address book on the victim's computer to email themselves to others. The latest generation of viruses also scans other files on your computer, including your email inbox and your browser's cache; any email address it finds, it will use. If the email is from an unknown person, be safe, not sorry - just delete it without opening it.

You can help prevent the spread of viruses and spam by doing two simple things. Whenever you forward that funny joke email to all your friends and family, delete all the email addresses that show in the email. When you send it, don't use the "To" field to address it - use the "BCC" (blind carbon copy) field instead. Then delete that email from the "Sent" folder.

Most virus writers play on the fact that people are curious, using an enticing subject line, attachment name, or some other curiosity grabber. Some try to exploit the trusting. A recent version of the Netsky worm adds a line at the end of the email saying the attachment has been certified virus-free by the New Norton Online Scan, and includes the URL to Symantec's web site. Like Fox Mulder said, TRUST NO ONE.

Be suspicious of even legitimate-looking emails. Now and then emails go around claiming to warn of a vulnerability in the operating system (usually Windows, but also including Mac OS and Linux), and provide either a link to download a patch to fix it, or an attachment. The vulnerability is always a hoax. The patch is 99.99% likely malware...

Click on one or more of the links on the Virus Alert Feeds and see the descriptions of these viruses at Symantec's, Kaspersky's, Trend Micro's, or McAfee's web site. You will get a good look at the methods virus writers use.

If you are a Microsoft Outlook or Outlook Express user, disable the Preview Pane. An infected email will potentially start running the virus when the preview pane is open, especially the ones that try to exploit certain Windows vulnerabilities. Also, set the Security setting to Restricted Sites (look under Tools, Options, Security tab). You may also want to consider using different email software, like that available from Netscape, Opera, or Eudora. Disable JavaScript in any alternate email software you use, too.

To be really safe, disable the ability to read HTML email and use plain text instead. Plain text is rather boring to look at, but a lot safer.

Not all viruses are spread by email, however. Many come from the internet, knocking directly on your computer's internet ports. There are 65,535 ports on your computer. You need to know if your computer is answering any of those knocks, especially if Windows file-sharing is turned on. If a scanner gets an answer from even one port at your IP address, then it knows there is a computer there. You may then be the target of an attack that attempts to exploit vulnerabilities in your operating system, possibly enabling infection, and even opening a "back door" on your PC.

Another source of infection can be a web page. This is becoming a favoured method for the bad guys to infect computers. November 2004 saw several websites hacked; malicious code was inserted to exploit a known vulnerability in Internet Explorer, and in turn it allowed malicious code to be downloaded and run on the infected machines. (Microsoft released a patch for that around December 1, 2004. It's available at the Windows Update site.) Attacks on web sites occur with alarming frequency - MySpace has had its share of issues, as have php-based bulletin boards, and many others. 2008 has seen an alarming number of otherwise "trusted" websites compromised. The Register has an article on a recent outbreak. SophosLabs notes their scanners identify a new infected web page every 14 seconds. Minimize your risk, and keep all your software up-to-date with all the patches. US-CERT has detailed information on how to help secure your web browsers.

Many of these malicious web sites attempt to exploit vulnerabilities on your computer, which can be aimed at the browser itself, or plugins it uses. These include such items as Flash players, Java, Adobe's Acrobat Reader, Winamp, QuickTime or RealPlayer media players. One can disable plugins, but making sure you have the latest, patched versions is wise. Other types of software, such as Skype and instant messaging programs, can also be targeted. Secunia has a free program, the Secunia Personal Software Inspector (PSI), that will scan your computer and identify vulnerable and "end-of-life" applications. It will even provide a direct link to download the latest patched version of the program, in most cases.

A hacked website isn't the only source of malware. Some websites purposely plant bugs on their pages. So be careful where you surf! That cute screensaver you just found on a website may be giving you more than you bargained for. You can help minimize your risk with free add-ons, such as WOT (Web of Trust) or McAfee's SiteAdvisor. Another is Finjan Secure Browsing. All are available free for Internet Explorer and Firefox.

Peer-to-peer file-sharing software like Kazaa and all the others are another source for trojans and other malware. A good number of today's bugs are designed to spread using your file-sharing software. When run on your machine, the malware will put a copy in the share folder, giving it an enticing name to get others to download it. A description of one such worm can be seen here at Symantec's site. If you were thinking of getting some free, cracked security software from a file-sharing network, you may want to reconsider and get it legitimately...

If you are a broadband user (cable, DSL) then consider "pulling the plug" and disconnecting when you're not actively using the internet. Better yet, turn off the computer, too. If it's not hooked up and on, they can't get you.

Important Note: More than a few trojans and other bugs rely on Microsoft software and its vulnerabilities to infect a computer. Consider using an alternative web browser and email client, such as Opera, or Firefox.

Test Your Defenses

As mentioned previously, malware can be delivered to your computer without using email. Some infect computers directly from the internet. There are several sites that offer free port scans to test your computer's vulnerability. Two are mentioned here:

Defenses Need Help?

If your port probe results didn't all come back as "Stealth" then you need a firewall.
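To make the three possible probe results concrete, here is an added example (not code from this page or from any of the scanning services it mentions) that attempts one TCP connection per port and labels the outcome "open", "closed" or "stealth" the way the online scanners do. It is meant for checking a machine you own; the self-test at the bottom creates its own loopback listener rather than touching any outside host, so it runs offline. The timeout value and the "error" label for unrelated network failures are my choices, not part of the page.

```python
import socket


def probe_port(host, port, timeout=2.0):
    """Attempt one TCP connection to host:port and classify what came back.

    open    - something accepted the connection, so a program is answering
    closed  - the host replied "refused": a computer is there, nothing listens
    stealth - no reply at all before the timeout, which is what a firewall
              that silently drops probes looks like from the outside
    error   - some other network failure (no verdict on the port itself)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "error"
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: verdict}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def all_stealth(results):
    """The goal the page describes: every probed port gave no reply at all."""
    return all(verdict == "stealth" for verdict in results.values())


def start_loopback_listener():
    """Self-test helper: listen on a kernel-chosen port on 127.0.0.1 so the
    example has a known 'open' port without contacting any other machine."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_loopback_listener()
    print(port, probe_port("127.0.0.1", port))   # open: our own listener
    srv.close()
    print(port, probe_port("127.0.0.1", port))   # closed: nothing listens now
    # Ports that commonly show up in firewall logs; on a well-firewalled
    # machine probed from outside, all of these should come back "stealth".
    print(probe_ports("127.0.0.1", [135, 139, 445]))
```

The distinction between "closed" and "stealth" is the whole point: a "closed" reply still tells a scanner that a computer is present at that address, which is why the page asks for every result to come back "Stealth".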

ZoneAlarm has a free version of their ZoneAlarm firewall software. ZoneAlarm is one of the best rated firewall programs available. It not only protects you from incoming threats, but it protects from unwanted outgoing internet traffic. If you picked up a trojan that tries to call home to its master, ZoneAlarm will alert you before the connection is allowed. There are a few downsides to the free price. The annoying splash screen that comes up when you start your computer is one. (The splash screen disappears if you purchase ZoneAlarm Pro.) The other is a lack of extra features that some people may find useful.

There are other firewall programs available, such as those from Symantec/Norton, McAfee, Kaspersky, and F-Secure to name a few, if you don't mind spending some money.

Hardware firewalls are also quite effective. A good cable/DSL router will provide protection from unwanted intruders. Linksys, Netgear, Asante, and D-Link are a few of the manufacturers to check out. If you have a local area network (LAN) set up at home, then a router will definitely be of interest, as you can simultaneously share one internet connection among two to four (or more) computers.

The downside to these hardware firewalls is that they generally don't prevent outbound traffic based on the program that wants access. You can completely enable or disable an entire computer's access, but you can't set software permissions.

If you use a router, change the router's default password to one of your own. An article from Symantec's Weblog explains why: Drive-By Pharming: How Clicking on a Link Can Cost You Dearly

Bear in mind that wireless routers have their own security problem... so to be safe, get the old-fashioned kind that uses wires. It is possible for people to drive by your house with a mobile scanner and tap into your wireless connection unless you take steps to secure it. Check with the manufacturer for details. See the news item here for details: Going wireless

Windows 95, 98 and ME users should realize that most software companies no longer design software with these Windows versions in mind. Get a hardware firewall for the best protection. If you have trouble getting into your router's settings (Linksys' routers don't like Windows 95 and Internet Explorer) you can use the Opera web browser, available free at www.opera.com. It will work with Windows 95. Of course, upgrading to a newer version of Windows is also a good idea, as Microsoft no longer supports Windows 95, 98 or ME and provides no patches for vulnerabilities. Even support for Windows 2000 is winding down...

Keep Your Operating System Up-to-date

This is critically important to your computer's operation. That fact cannot be stressed enough. If you don't have the latest security patches installed, you are vulnerable to publicly known exploits. A large number of the malware programs out there still target these known vulnerabilities that patches are available for, as there are still computers out there that have not been updated. Your anti-virus software may not catch them all.

The infamous Windows Metafile (WMF) vulnerability is a prime example. (For more information on this vulnerability please see http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx and http://isc.sans.org/diary.php?storyid=994.) The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Windows Explorer with 'Icon size' images will cause the exploit to be triggered as well. If you don't have the patch installed, you are vulnerable.

Using Windows? Make sure you visit the Windows Update site regularly (once a week) to download and install any critical updates. If you use any Microsoft Office products, check for updates for those, too. Better yet, make sure Windows Automatic Update is turned on.

Those of you with Windows 2000 and newer can use Microsoft Update, which will check for both Windows and Office updates at once. This service is available at http://update.microsoft.com/.

Other operating systems, such as Mac and Linux, also need to be kept updated. Vulnerabilities exist in those operating systems, too.

Spyware? Adware?

That's another problem many people have, and most are unaware of it. Some computers get so infested with it that they run noticeably slower. A news item a while back told of one person's computer having over one thousand various spyware goodies on it. Nice...

Spyware ranges from tracking cookies to web dialers to trojans and keyloggers, and their purpose is to track where you go on the internet. Some do worse, including noting user names and passwords. If you didn't ask for it, what's it doing on your machine? Get rid of it!

There are good, free programs available to help. Like AV software, you need to check for updates regularly. Not all will do it automatically, so you may have to do it manually when you run the programs. But before you download the first free program you see, visit Spyware Warrior. They have a listing of what's good and what's questionable.

These should take care of most of it, and they are free:

Windows users who are running Windows XP or newer should check out Microsoft's free anti-spyware offering, Windows Defender. Note that Windows Defender is no longer offered for Windows 2000. Defender was formerly available as GIANT AntiSpyware. Microsoft bought GIANT on December 16, 2004.

There are many others available. Check out my Links page for others not mentioned here.

Phishing

Phishing is one of the more worrying things to crop up as of late. Phishing is an attempt to obtain personal financial information. This is generally done by email. The email appears to be from a legitimate company, such as a bank, eBay, PayPal or other company - even using graphics from the company's web site.

The email will make some claim that your account is in need of some action on your part. They hope that you will fall for it by giving them your account information, password, and whatever else they may want. Most will direct you to a website to do this. And it's always a fake site that looks like the real thing. The URL to the site may be very close to the real one, too.

Once the hapless victim inputs their user name and password, the phishers have access to the victim's account. Not a good thing.

To make matters worse, a vulnerability in Internet Explorer has been discovered that allows the URL in your address bar to be spoofed to look like the legitimate one. And the cute little padlock icon on the status bar indicating a secure site can be spoofed, too. Another new technique has been seen in use, and it does not require you to click on a link to visit the phishing site. You can read about it here: http://software.silicon.com/security/0,39024655,39125549,00.htm

You may want to try this easy way to see if the site you are visiting is a real site or a scam site: http://www.millersmiles.co.uk/identitytheft/spoof-link-checker.php

You can take a phishing quiz at http://survey.mailfrontier.com/survey/quiztest.html and see if you can tell the difference between legitimate and fraudulent email. Even some security experts had trouble...

Netcraft offers the Netcraft Anti-Phishing Toolbar. It is for use with Internet Explorer on Windows 2000/XP or Firefox 1.0 or later. Give it a look.

Use these tips to keep yourself from being scammed:

  1. Be suspicious of any email with urgent requests for personal information.
  2. Don't be fooled by emails with upsetting or exciting (but false) statements that try to get you to react immediately.
  3. If you suspect the message might not be authentic, don't use the links within the email to get to a webpage.
  4. Don't fill out forms in email messages that ask for personal financial information.
  5. Communicate information such as credit card numbers only via a secure website or the telephone.
  6. To make sure you're on a secure Web server, check the beginning of the URL in your browser address bar. It should be "https" rather than "http". The "s" stands for secure.
  7. Consider installing a Web browser toolbar such as EarthLink's Scamblocker or Netcraft's Anti-Phishing Toolbar to alert you before you visit known phishing fraud websites (eBay also has a similar tool).
  8. If an email message is not personalized, assume it's not a valid message.
  9. Log in to your online accounts regularly, and check bank, credit and debit card statements to ensure that all transactions are legitimate.
  10. Ensure that your operating system and browser are up-to-date and security patches have been applied.
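Tips 3 and 6 above, and the earlier warning that a phishing URL "may be very close to the real one", come down to a few checks you can make on a link before trusting it. The following is an added example, not code from this page or from any of the toolbars it names: it takes a link and the domain you expected (say, paypal.com) and reports what looks wrong. The sample URLs are constructed for illustration (example.net and the 198.51.100.x address are documentation ranges); it uses only Python's standard library and does not handle look-alike characters in internationalised domain names.

```python
from urllib.parse import urlsplit
import ipaddress


def hostname_belongs_to(host, domain):
    """True when host is the expected domain itself or a subdomain of it.
    Note that 'paypal.com.example.net' does NOT belong to 'paypal.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(url, expected_domain):
    """Return a list of warnings about the link; an empty list means that
    none of the checks below fired (which is not proof the link is safe)."""
    warnings = []
    parts = urlsplit(url)

    # Tip 6: a site asking for credentials should be reached over https.
    if parts.scheme != "https":
        warnings.append("not https")

    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname")
        return warnings

    # "https://www.paypal.com@evil.example/" really goes to evil.example;
    # everything before the @ is treated as a user name, not the site.
    if parts.username is not None:
        warnings.append("user@ before hostname hides the real site")

    # Real banks and shops send you to a name, not a bare IP address.
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass

    # Tip 3: does the link actually land on the company's own domain?
    if not hostname_belongs_to(host, expected_domain):
        brand = expected_domain.split(".")[0]
        if brand in host:
            warnings.append(
                f"lookalike: contains '{brand}' but is not {expected_domain}")
        else:
            warnings.append(f"different site: {host}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, from harmless to clearly fraudulent.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://paypal.com.example.net/login",
        "https://www.paypal.com@198.51.100.7/login",
    ]
    for link in samples:
        print(link, "->", check_link(link, "paypal.com") or "no warnings")
```

The check deliberately compares against the domain you already know, rather than trying to guess what the email meant; tip 3's advice stands regardless, which is to type the company's address yourself instead of following the link.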

For more information on phishing and other scams visit:

Educate Yourself

For an eye-opening experience, here are a few web pages to see:

SANS and the Internet Storm Center also have many links to other good resources. Check them out.

There are many more resources out there, including some interesting stories on grc.com about the attacks on their web site. One of those attacks used home computers which had been infected and taken over by a 13-year-old hacker.

Some more good links can be found at http://zonelog.co.uk/links.html. If you are a ZoneAlarm user, you may want to try out ZoneLog Analyser, also available at this site.

Fight Back

How can I fight back, you ask? Get yourself a firewall, be it a router, or software or both. Set the firewall up to record a log file of the blocked intrusions. Then submit them to a reporting service. There are three you can join for free.

To use any of these services, you should install software to synchronize your computer's clock to an atomic clock server. There are several free ones available, including AboutTime, which is freeware. It is what I use, and it works quite well. Also make sure that your time zone is set correctly on your computer. That is rather important...

Some time servers you can use include:

Many more can be found at support.microsoft.com/default.aspx?scid=kb;EN-US;q262680.

DShield.org

If you use ZoneAlarm, there are two programs you can choose from to submit reports to DShield.

Both of these will also let you analyze your logs and dig a bit deeper...

If you have a router, you can most likely configure it to log the traffic. See your router's documentation on how to enable logging. To collect and submit these logs you will need some software.
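Before submitting logs anywhere, it helps to see what "analyzing your logs" actually yields. This added example (not from the page, and not DShield's, ZoneAlarm's or any router's software) reads a small firewall log, keeps only blocked inbound entries, and totals them by destination port, source address and hour. The log format and the log lines are constructed for this example; real firewalls each use their own layout, so the regular expression would need adjusting, and the source addresses come from documentation ranges.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log layout for this example only (not any real product's):
#   <date> <time> <action> <direction> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<dir>IN|OUT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: a few blocked probes, one of our own outbound
# connections, and a corrupt line that must be skipped rather than crash.
SAMPLE_LOG = """\
2004-11-29 14:02:11 BLOCK IN TCP 203.0.113.45:4567 -> 192.0.2.10:135
2004-11-29 14:02:13 BLOCK IN TCP 203.0.113.45:4568 -> 192.0.2.10:445
2004-11-29 14:05:40 BLOCK IN TCP 198.51.100.9:1031 -> 192.0.2.10:135
2004-11-29 14:07:02 BLOCK IN UDP 198.51.100.9:1032 -> 192.0.2.10:1434
2004-11-29 14:09:55 ALLOW OUT TCP 192.0.2.10:3201 -> 198.51.100.200:80
2004-11-29 15:30:18 BLOCK IN TCP 203.0.113.45:4590 -> 192.0.2.10:135
this line is garbage and must be skipped
"""


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def blocked_inbound(text):
    """Only the entries a reporting service cares about: blocked, inbound."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e and e["action"] == "BLOCK" and e["dir"] == "IN"]


def summarize(text):
    """Totals by destination port, by source address and by hour (the
    'per day' figures quoted earlier on the page are the same idea)."""
    events = blocked_inbound(text)
    return {
        "total": len(events),
        "by_port": Counter((e["proto"], e["dport"]) for e in events),
        "by_source": Counter(e["src"] for e in events),
        "by_hour": Counter(e["ts"].strftime("%Y-%m-%d %H:00") for e in events),
    }


def repeat_sources(text, min_hits=2):
    """Sources that probed us at least min_hits times, busiest first; these
    are the ones worth a closer look when the report goes in."""
    counts = summarize(text)["by_source"]
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= min_hits]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("blocked inbound:", report["total"])
    print("top ports:", report["by_port"].most_common(3))
    print("top sources:", report["by_source"].most_common(3))
    print("per hour:", dict(report["by_hour"]))
    print("repeat sources:", repeat_sources(SAMPLE_LOG))
```

Two details matter for a log you intend to submit: the timestamps must be correct (hence the page's insistence on clock synchronisation and the right time zone), and outbound connections you made yourself must be left out, as the filter in blocked_inbound does.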

DShield submissions are used by the Internet Storm Center. As they say on their "About" page, "the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe." DShield will also submit abuse reports to an attacker's ISP if it's deemed appropriate.

MyNetWatchman

MyNetWatchman will work with several firewall products and logging programs: ZoneAlarm, BlackICE Defender, WallWatcher, and several more. See www.mynetwatchman.com/setup.asp for a complete list. MyNetWatchman also has versions for Linux/Unix users.

MyNetWatchman's vision statement is, "myNetWatchman is a service that automatically aggregates the firewall logs from a very large number of computers, analyzes these logs for evidence of hacker or worm attacks, and notifies the ISPs where attacks are coming from. As such, it provides a vital level of inter-network security."

Symantec DeepSight

Symantec's DeepSight Analyzer is quite similar in scope. It is primarily intended for users of Norton Internet Security or Norton Personal Firewall. Visit the DeepSight Analyzer home page for a look at what it's all about.


Why am I here telling you all this? Because you need to know, and you need to educate yourself to stay safe.

A computer is not an appliance. It is a tool. Tools require some skill and training to use safely. To steal a brilliant quote from Tom Liston at the Internet Storm Center, "Computers are not appliances. If something goes wrong with your refrigerator, it doesn't attack your neighbour's microwave. If you don't patch your toaster oven, the chance that it will join up with other toaster ovens in a denial of service attack against the White House is negligible. Yet we persist in marketing computers in a way that presents their operation as requiring the same degree of knowledge and skill as is required to operate a toaster oven."

Not all computer salesmen will tell you about computer security - their job is to sell computers. They are not likely trained in IT Security. They are not paid to be computer security experts. They may have little or no knowledge about the subject. They may encourage you to buy the security software they are selling, of course, but that may not cover all the bases.

Internet Service Providers (ISPs) are reacting painfully slowly on implementing any sort of port blocking to protect their customers. Even those ISPs that have anti-virus email protection won't protect you from new and undiscovered threats. At least some ISPs now provide free firewall and/or anti-virus software to their subscribers. In my neck of the woods, the two big ISPs have been doing this for the last few months. One offers ZoneAlarm Security Suite, the other F-Secure Internet Security.

Microsoft has been slow at implementing firewall technology in their operating system. Windows XP now comes with one, but any Windows operating system older than XP does not.

There is also the problem that will not go away: Microsoft is a huge target for hackers, and they continually look for vulnerabilities in Windows software. It's the biggest target, since the majority of computers in the world use a Microsoft operating system. Another line of defense is wise.

If you're not worried because you have nothing important on your computer, that's a poor reason. Not all hackers are there to steal your financial data, or your user name and passwords for your online banking. Some want to use your computer remotely as an HTTP proxy to mask other illegal activity, such as hacking into more interesting sites, surfing for illegal porn, or using your computer as a spam relay. Your computer could be turned into a "bot" and used in an attack on some web site.

If your ISP is cooperating with law enforcement, it's your computer's IP address that will come up, not the hacker's. Why put yourself in the predicament of dealing with the police for something you didn't do?

Spend some time, maybe some money. Be part of the solution, not the problem. Protect yourself.


* 67,402 port probes in 68 days.

