Computer Vulnerabilities (presentation transcript)

Contents:
1. Overview
2. Threats to Computer Systems
3. How Hackers Work
4. Using the Internet Securely
5. How We Make It Easy for the Hackers
6. “Cookies”
7. Weak Passwords
8. E-Mail Pitfalls
9. “Social Engineering”
10. Viruses & Other “Infections”
11. P2P
12. Insecure Modems
13. Security of Hard Drives
14. Security of Laptops
Overview

Computers concentrate tremendous amounts of data in one location where it is vulnerable to unauthorized disclosure, modification, or destruction. The greater the concentration, the greater the consequences of any security breach. The dramatic increase in interconnections between computer networks, and the popularity of the Internet, have made it easier for countries, groups, or individuals with malicious intentions to intrude into inadequately protected systems. They can use that access to steal or make unauthorized changes in sensitive information, commit fraud, or disrupt operations.

Threats to Computer Systems describes the changing face of computer crime. The ego-oriented and attention-seeking adolescents who steal information as trophies to demonstrate their prowess are still common. However, the field is becoming dominated by professionals who steal information for sale and disgruntled employees who damage systems or steal information for revenge or profit.

The common saying that "security is everyone's responsibility" is especially true with computer security. It is essential that you understand the vulnerabilities of this new medium that is changing the world, because YOU -- unknowingly -- can endanger your entire computer network. Your network is only as secure as its weakest link. The people who use the computers can be just as damaging as weaknesses in the software or hardware.
Threats to Computer Systems

The nature of computer crime has changed over the years as the technology has changed and the opportunities for crime have changed. Although thrill-seeking adolescent hackers are still common, the field is increasingly dominated by professionals who steal information for sale and disgruntled employees who damage systems or steal information for revenge or profit. When Willie Sutton was asked why he robbed banks, he replied, "because that's where the money is." People attack computers because that's where the information is, and in our hyper-competitive, hi-tech business and international environment, information increasingly has great value. Some alienated individuals also gain a sense of power, control, and self-importance through successful penetration of computer systems to steal or destroy information or disrupt an organization's activities.

A common view of computer security is that the threat comes from a vast group of malicious hackers "out there." The focus of many computer security efforts is on keeping the outsiders out -- through physical and technical measures such as gates, guards, locks, firewalls, passwords, etc. Yet, while the threat from outsiders is indeed as great as generally believed, the malicious insider with approved access to the system is an even greater threat! This discussion treats the insider threat and the outsider threat separately.
Insider Threat to Computer Security

Survey after survey has shown that most damage is done by insiders -- people with authorized access to a computer network. Many insiders have the access and knowledge to compromise or shut down entire systems and networks. The Computer Security Institute and FBI cooperate to conduct an annual CSI/FBI Computer Crime and Security Survey of U.S. corporations, government agencies, financial institutions, and universities.[1] Of the information security professionals who responded to this survey, 80% cited disgruntled and dishonest employees as the most likely source of attack on their computer system. Fifty-five percent of respondents reported unauthorized access by insiders, as compared with 30% reporting system penetration by outsiders. Many companies reported multiple instances of unauthorized access or system penetration.

As discussed in Reporting Improper, Unreliable, and Suspicious Behavior, you are expected to report potentially significant, factual information that comes to your attention and that raises potential concerns about computer security. Reportable behaviors include the following:
–Unauthorized entry into any compartmented computer system.
–Unauthorized searching/browsing through classified computer libraries.
–Unauthorized modification, destruction, manipulation, or denial of access to information residing on a computer system.
–Storing or processing classified information on any system not explicitly approved for classified processing.
–Attempting to circumvent or defeat security or auditing systems, without prior authorization from the system administrator, other than as part of a legitimate system testing or security research.
–Any other willful violation of rules for the secure operation of your computer network.
Outsider Threat to Computer Security

The Internet has become a boon to intelligence collectors worldwide. Your computer network is at risk from many types of outsiders.
–Freelance information brokers.
–Foreign or domestic competitors.
–Military services from adversary nations who are developing the capability to use the Internet as a military weapon.
–Terrorist organizations for which organized hacking offers the potential for low cost, low risk, but high gain actions.
–Crime syndicates and drug cartels.
–Hobbyist hackers who penetrate your system for sport or to do malicious damage.
–Common thieves who specialize in stealing and reselling laptop computers.

Break-ins occur at an alarming rate because the Internet provides an especially comfortable and interesting place for hackers. The Internet was not designed with security in mind. It is a large, intricate network with many software flaws. It is easy to remain anonymous on the net. Because everything is interconnected, everything is vulnerable, and an expert intruder can cover his or her tracks by weaving a trail through a dozen systems in several different countries. Many hacker tools that required in-depth knowledge a few years ago have been automated and have become easier to use.
How Hackers Work

When linked to the Internet, you are linked to computers throughout the world – and, more important, they are linked to you. It’s not apparent to the computer user, but any link to a site on the Internet is a potential two-way street! Expert hackers create and pass on to others sophisticated software tools to exploit both human and technical weaknesses in the security of computer systems -- password crackers, war dialers, vulnerability scanners, sniffers, IP spoofers, and others. Because many of these tools are available on the Internet, relative newcomers can download and use them, raising the level of sophistication of hackers of all types. The hacker’s first goal is to get access to your network in order to read your files. Ineffective passwords, insecure modems, and what the hackers call “Social Engineering” often provide the first opening to a system.
How Hackers Work Cont.

Once inside the system, the hacker’s second goal is to get what is called "root" access. That usually requires finding a technical weakness. Root access means the hacker has unrestricted access to the inner workings of the system. With root access the hacker can:
–Copy, change or delete any files.
–Authorize new users.
–Change the system to conceal the hacker’s presence.
–Install a "back door" to allow regular future access without going through log-in procedures.
–Add a "sniffer" to capture the User IDs and passwords of everyone who accesses the system.
–Use the captured User IDs and passwords to attack the networks of other organizations to which the captured User IDs and passwords provide approved access.

The initial foothold into the system is the toughest part. Often, the hacker will be working via the Internet, which is open to everyone, and will be trying to penetrate a network that is protected by a "firewall." A firewall is a series of programs and devices intended to protect a network from outside intruders. A strong firewall will identify and authenticate users trying to access the network from outside, thus limiting access to authorized persons. Sometimes the hacker is an insider, an employee already behind the firewall who has authorized access to one part of the system and then hacks his or her way into other protected files within the system.

The hacker’s success in breaching the firewall often comes from some form of human failure -- especially weaknesses caused inadvertently by lack of computer security education, carelessness, or gullibility of computer users. Technical weaknesses in the system obviously play a role, but even those may be traceable to some form of human error, such as employee susceptibility to “Social Engineering” or a systems administrator’s failure to update the firewall software promptly each time the hackers expose a weakness and the manufacturer makes a patch available to plug the hole.
How We Make It Easy for the Hackers

Too many computer users assume their system administrator and the software developers do everything necessary to keep their network safe. They don’t think they need to worry about security. THEY ARE WRONG. A network, and every computer on it, is only as secure as its weakest link. You need to make certain that your network's weakest link is not YOU. A review of how hackers work shows that uninformed or careless actions by well-intentioned computer users can undermine the security of your entire network. Here are some of the mistakes that computer users make too often, and which the hackers and other computer criminals exploit. Each of these is discussed in a separate topic.
–Using a weak or ineffective password. You need to understand how to select a strong password and why PASSWORDS ARE IMPORTANT.
–Using an unauthorized or insecure modem. A password and a modem phone number are often all it takes for a hacker to penetrate your company's firewall. Hackers use a tool called a "war-dialer" to identify modems.
–Responding to people who ask apparently innocent questions about you or your computer. Hackers often use a plausible pretext to elicit key information from well-meaning but naive employees – a technique that hackers call “Social Engineering”.
–Exposing your system to viruses.

The goal is that you understand your role in protecting the security of the network as a whole. Protecting the network is not just the job of the technical people. Security is everyone's responsibility.
Using the Internet Securely

You can do many interesting and useful things on the Internet, both in the office and at home, and you can do them securely -- if you understand and avoid certain risks. The two main security risks are drawing attention to yourself as a potential target for intelligence exploitation and unintentional compromise of sensitive information.

The greatest risk is probably downloading files, as discussed in Viruses and Other "Infections". The wealth of free software available for downloading from the Internet is exciting but does pose risks. Many organizations explicitly prohibit downloading and running software from the Internet. If you want to download a program, check with your system administrator.

When logging in to an Internet site that requires a password and user ID, do not use the same password that you use to log on to your office network. The password for your office network requires the utmost protection, while the password used to log in to an external web site is vulnerable to interception unless it is encrypted. Compromise of the one should not compromise the other.

The rapid growth of Internet commerce is driving the development of additional security measures. Protection mechanisms such as Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are growing rapidly. SSL sits "between" your web browser and the web server you are communicating with. It can exchange verification of both parties to the communication. It then encrypts sensitive information such as credit card data when making a purchase or personal information filled in on a form to register with a site. SET uses digital signatures to ensure that Internet credit card users and merchants are who they say they are. With SET, your credit card number is never stored on the merchant's computer. Most browsers have a padlock or key symbol in the lower left corner of the screen to show the security status of the connection. When the padlock is open or the key is broken, no special security precautions are in effect. When the padlock is closed or the key is unbroken, information is being encrypted. The number of teeth in the key signifies the level of encryption. One tooth signifies a 40-bit key; two teeth means a 128-bit key.
Using the Internet Securely Cont.

Chat Rooms, News Groups, Bulletin Boards

Chatting on the Internet or posting messages to news groups or bulletin boards might seem like a private pastime, but it is in fact a very public activity. Messages sent to "Usenet" discussion groups are broadcast to anyone, anywhere in the world, who wants to receive them. These messages are archived so that they are readily searchable by the public. The Deja.com archive contains messages going back to March 1995. Foreign intelligence collectors and investigators collecting competitive intelligence regularly troll bulletin board, chat room and newsgroup postings to identify individuals or information of potential interest. If someone on the Internet finds that, because of the information you offer, you could be a good "source," he or she will have no problem finding out more about you. A knowledgeable information collector can identify a great deal of information about you with little more than your e-mail address and a newsgroup or chat room posting. One can probably obtain from online sources your address, phone number, vehicle license plate number, social security number, date of birth, name of employer, eye color, weight, credit report, real estate ownership records, and the names, addresses, and phone numbers of nine to fourteen of your neighbors who may then be called for additional information about you. Once you are identified as a potential target, a knowledgeable information collector may search for and read your newsgroup, bulletin board, and chat room postings.
–Do not post any information on the Internet that calls attention to yourself as a person with access to proprietary or classified information. This could cause you to become a target.
Using the Internet Securely Cont.

Chat Rooms, News Groups, Bulletin Boards
–Do not try to impress others with how much you know. Specifically: Do not express any opinion in a way that implies you have insider information, and therefore that your opinion merits greater credence than the opinions of others. Do not imply or state outright that you have access to proprietary or classified information. A statement such as "I can't say any more, because I have a clearance" is an example of security consciousness gone awry. It targets you as a holder of classified information. Do not provide information about your work, your employer, or job location.
–The greatest risk on the Internet is when you "chat" in real time with other users, using typed input that is relayed back and forth. There are several reasons why this can be dangerous: Live chat does not allow you time to think carefully before you respond. Once the message is sent, it's gone forever. What starts out as a casual information exchange can quickly lead to much more. Your message on the Internet may be read by tens of thousands of people worldwide.

When chatting online or exchanging e-mail, remember that the people you are communicating with are not always who they seem to be. You don't even know what country they are in. Although there are country codes for Internet addresses, they are not always used. For example, America Online is international, and you don't know the home country of a person with an aol.com e-mail address. Some messages are sent anonymously. Unfortunately, it is not always possible to know which are and which are not. Reputable "remailers" who forward mail anonymously make it clear that their messages are anonymous. Less responsible remailers, however, substitute phony names and addresses, but do not so indicate. Because messages can be forwarded from anywhere to anywhere, you cannot assume anything about message origins. Be wary of responding to messages from anyone whom you do not know personally.
“Cookies”

Cookie is the deceptively sweet name for a small file that may be placed on your computer’s hard drive, often without your knowledge, when you visit a web site. The cookie is a unique identifier that enables the site to which you are linked to recognize that you have been there before. It enables the site to which you are linked to keep track of you as you go to different pages on that site, or to other sites, and to retrieve from its database any record of your previous visit or visits to the site. Cookies are a reminder that surfing the web is not an anonymous activity. Your movements in cyberspace can be and often are tracked.

Privacy Issues
–Cookies are controversial because they raise privacy issues. They are put on your computer without your explicit approval and are used to track where you go on the Internet. Most sites track your movements only within their site, but online advertising agencies with multiple clients track your movements among all their clients’ sites. When you register to use many sites and services you are required to provide demographic information about yourself, often including your name, or an e-mail address that can lead to identification of your name.
–There is concern that dossiers of personal information on individuals and their behavior in cyberspace could be compiled, sold to advertisers or insurance companies, and used in ways that violate one’s right to privacy. Privacy advocates argue that online marketers should be kept out of the "cookie jar," and they urge Internet surfers to "toss their cookies" to protect themselves from the "Cookie Monster."
–There is no question that cookies, and the information they enable others to collect, could be misused. The open questions are: How often is this information actually being misused? And how much of a threat does this represent? Most advertisers comply with the Direct Marketing Association’s Marketing Online Privacy Principles. At least one major advertising agency specializing in Internet advertising has voluntarily opened its practices and systems for third-party auditing.
Weak Passwords

Your password is the key to your computer -- a key much sought after by hackers as a means of getting a foothold into your system. A weak password may give a hacker access not only to your computer, but to the entire network to which your computer is connected. Treat your password like the key to your home. Would you leave your home or office unlocked in a high-crime area?

Too many passwords are easily guessed, especially if the intruder knows something about their target’s background. It's not unusual, for example, for office workers to use the word "password" to enter their office networks. Other commonly used passwords are the computer user's first, last or child's name, "Secret", names of sports teams or sports terms, and repeated characters such as AAAAAA or bbbbbb.

Your computer password is the foundation of your computer security, and it needs to stand up against the tools that hackers have for cracking it. There are 308 million possible letter combinations for a six-letter password using all upper case or all lower case letters. A readily available password cracker can check all of them in only 2 minutes 40 seconds. With some combination of both upper and lower case letters, a six-letter password has 19 billion possible combinations. If you increase the password to eight letters and use both upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the letters, and there are 218 trillion possible combinations.

Here are some simple guidelines for strong passwords.
–It should contain at least eight characters.
–It should contain a mix of four different types of characters -- upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one number or special character, it should not be either the first or last character in the password.
–It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.
–You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
–It should be changed at least every 90 days to keep undetected intruders from continuing to use it.
–Almost all computer operating system software programs on the market today that store passwords in encrypted format store the last character in the clear. All password cracking programs know this, so that means one less character for them to crack. This is one of several reasons why numbers and special characters should be toward the middle of your password, not at the beginning or end.
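The keyspace arithmetic above and the guidelines that follow it, as an added example that is not code from the original presentation: the guess rate is derived from the text's own figure of 308 million six-letter combinations in 2 minutes 40 seconds, while the word list and the three-character name-fragment rule are assumptions made for this demo.

```python
# Added example: checks a candidate password against the guidelines in the
# text and reproduces its keyspace arithmetic. The word list and the
# three-character name-fragment rule are assumptions made for this demo.

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY_WORDS = {"password", "secret", "dragon", "football", "welcome", "letmein"}


def character_classes(pw: str) -> dict:
    """Count characters in each of the four classes the guideline requires."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum((not c.isalnum()) for c in pw),
    }


def fragments(text: str, size: int):
    """Yield every substring of `size` characters (for the name / e-mail rule)."""
    for i in range(len(text) - size + 1):
        yield text[i:i + size]


def check_password(pw: str, user_name: str = "", email: str = "") -> list:
    """Return the guideline violations for `pw`; an empty list means it passes.

    Rules implemented from the text: at least eight characters; all four
    character classes present; a lone number or special character must not be
    the first or last character; no dictionary word; no part of the user's
    name or e-mail address (assumed here to mean any run of three characters).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")

    missing = [name for name, count in character_classes(pw).items() if count == 0]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # A single digit or special character at either end is one less character
    # for a cracker to work on, as the text explains.
    non_letters = [i for i, c in enumerate(pw) if not c.isalpha()]
    if len(non_letters) == 1 and non_letters[0] in (0, len(pw) - 1):
        problems.append("only non-letter character is at the start or end")

    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")

    # Check the user's name and the local part of the e-mail address.
    for source in (user_name.lower(), email.split("@")[0].lower()):
        hit = next((f for f in fragments(source, 3) if f in lowered), None)
        if hit:
            problems.append(f"contains '{hit}' from your name or e-mail address")
            break
    return problems


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


# The text says a cracker exhausts the 26^6 single-case space in 2 min 40 s;
# that implies roughly 1.9 million guesses per second for that tool.
GUESSES_PER_SECOND = keyspace(26, 6) / 160


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force search at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def crack_time_table() -> list:
    """The four cases from the text, as (label, keyspace, days to exhaust)."""
    cases = [
        ("6 letters, one case", 26, 6),
        ("6 letters, mixed case", 52, 6),
        ("8 letters, mixed case", 52, 8),
        ("8 chars, mixed case + digits", 62, 8),
    ]
    return [(label, keyspace(a, n), seconds_to_exhaust(a, n) / 86400)
            for label, a, n in cases]


if __name__ == "__main__":
    for label, size, days in crack_time_table():
        print(f"{label:30s} {size:>18,d} combinations  ~{days:,.1f} days")
    print(check_password("Password1", "Pat", "pat.smith@example.com"))
```

The table shows why the text stresses length and character mix: at the same guess rate, the jump from 26^6 to 62^8 turns minutes into centuries.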
Weak Passwords Cont.

The password used for logging on to your office computer should be different from the password you use to log in to a web site on the Internet. The password used to log in to a web site is far more exposed to potential compromise. Any time you log in over an external network, your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on your automated teller machine (ATM) card, would you? You should have different passwords for different accounts, but not so many passwords that you can't remember them. Do not allow anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or maintenance technician. They have no need to know it. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious (for reasons discussed under “Social Engineering”).

Use a password-locked screensaver to make certain no one can perform any activity under your User ID while you are away from your desk. These can be set up so that they activate after the computer has been idle for a while. Strange as it may seem, someone coming around to erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty e-mail messages were sent to your boss or anyone else from your computer, or your account were used to transfer illegal pornography.
E-Mail Pitfalls

E-mail has several vulnerabilities, each of which is discussed in greater detail below:

Lack of Privacy
–Sending e-mail is like sending a postcard through the mail. Just as the mailman and others have an opportunity to read a postcard, network eavesdroppers can read your e-mail as it passes through the Internet from computer to computer. E-mail is transmitted over a public network where you have no right to expect privacy. It is not like a telephone call, where privacy rights are protected by law.
–The courts have repeatedly sided with employers who monitor their employees' e-mail or Internet use. In an American Management Association poll, 47% of major companies reported that they store and review their employees' e-mail. Organizations do this to protect themselves against lawsuits, because the organization can be held liable for abusive, harassing, or otherwise inappropriate messages sent over its computer network. In the same poll, 25% of companies reported that they have fired employees for misuse of the Internet or office e-mail.[5] In the past couple of years, The New York Times fired 23 employees for exchanging off-color e-mail. Xerox fired 40 people for inappropriate Internet use. Dow Chemical fired 24 employees and disciplined another 230 for sending or storing pornographic or violent material by e-mail.[1] Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought a suit of sexual harassment, in part because an employee sent an e-mail to coworkers listing the reasons why beer is better than women.[2]
E-Mail Pitfalls Cont.

Inability to Fully Erase
–The seemingly informal and temporary aspect of e-mail encourages people to use it to say things they would never commit to paper. But e-mail is like a cat with nine lives. It keeps coming back. It is almost impossible to eliminate all traces of an e-mail message.
–Most e-mail messages remain retrievable on your hard drive and the recipient’s hard drive long after you think they have been "deleted," as discussed under Security of Hard Drives.
–The recipient may have archived the message or transmitted it to others.
–Computer servers routinely make back-ups of user accounts. One of the top priorities for any computer-system manager is to make sure he or she never loses any important information on the computer network. They archive backup tapes that record everything.
–In short, e-mail messages sent years ago may live on in taped storage or on a hard drive beyond the reach of your delete key. You never know when an impulsive or ill-advised e-mail message will come back to haunt you. Three- and four-year-old e-mail messages have played key roles as evidence in several high profile court cases.

Remote Access
–If you can gain access to your e-mail from afar via the Internet, while traveling, others may be able to do the same thing without your knowledge. An eavesdropper would only have to know the modem phone number and then also know, guess, or be able to crack your password. The vulnerability is similar to that discussed under Voice Mail. See Weak Passwords to learn how easy it is to guess or crack weak passwords.

Uncertain Origin
–It is easy to forge an e-mail message so that it appears to come from someone else or from some other location. Incoming e-mail from someone you do not know is always questionable, as the sender may not be who he or she claims to be. For example, a marketing survey that purports to come from a U.S. company may actually originate overseas and be part of a foreign intelligence collection operation. See Obtaining Information under False Pretenses.
E-Mail Pitfalls Cont.

Ease of Accidental Compromise

When you exchange e-mail with a colleague, it may seem like a cozy, private conversation. "Legally and technologically, however, you are as exposed as dummies in a department store window."[3] Classified information must never be sent via e-mail. Sensitive but unclassified information should be encrypted prior to sending by e-mail whenever practical. Any inappropriate language of any type must be avoided. E-mail is so easy to use that it is also easy to thoughtlessly or accidentally send others information they shouldn’t have. E-mail is a frequent source of security compromise. Here are two examples. In the first case, the e-mail writer put classified information into what he mistakenly thought was a private message to a few colleagues with security clearances. The second is a situation that often arises in offices that have both classified and unclassified networks.

A few hours after participating in the successful rescue of an F-16 fighter pilot downed in Bosnia, an excited U.S. Air Force pilot sat down at his computer and banged out a first-hand account of the mission. He hooked up to the Internet and sent the account by e-mail to Air Force friends at other bases, scooping the media coverage of the rescue. Friends passed it on to their friends until it was seen by thousands of people and posted on an America Online bulletin board accessible to millions. The account contained classified radio frequencies, pilot code names, exact times and weapons loads for the mission, etc. The pilot explained that he had intended the account to be a personal communication to other cleared officers and not for public review. But he was badly wrong on two counts. First, you don't put classified information in an unclassified e-mail message under any circumstances. Second, nothing that goes on the Internet is personal or private.[4]
E-Mail Pitfalls Cont.

Transmission of Viruses

Mail programs generally allow files to be included as attachments to mail messages. The files that come by mail are files like any other. Any way in which a file can find its way onto a computer is potentially dangerous. If the attached file is only a text message, the risk is limited. If the attached file is a program, an executable script, or a data file which contains a macro, extreme caution should be applied before running it, as this is the means by which many viruses and other types of malicious logic are spread.

One of the more dangerous types of malicious logic spread in this manner is a "Trojan Horse" that allows a remote user to access and control your computer via the Internet without your knowledge. One of these Trojan Horses was originally developed as a means of playing pranks on friends. When installed on another person's computer, you can control that computer via the Internet. For example, you can make the CD-ROM tray on that person's computer pop out repeatedly for no discoverable reason, or reverse the functions of the left and right buttons on the person's mouse. However, you can also read, change, or copy all the person's files without his or her knowledge. This Trojan Horse can be snuck onto someone's computer by burying it in a game program or other executable script sent by e-mail. Happily, all known versions of this Trojan Horse are caught by any good virus checker. However, about 200 to 300 new viruses are being created each month, so your virus checker is rarely capable of detecting all malicious logic.
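A defensive illustration of the distinction this passage draws between a plain text attachment and a program, script, or macro-capable document, added here and not part of the original presentation: it parses a constructed multipart message with Python's standard email module and reports each attachment's category. The extension lists are an assumption made for the demo, and the "MZ" content check catches a program that has been renamed to look like an image.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Added example, not from the original presentation. The extension lists are
# an assumption chosen to match the three risky categories the text names:
# programs, executable scripts, and data files that can carry a macro.
PROGRAM_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
SCRIPT_EXT = {".vbs", ".js", ".wsf", ".hta", ".ps1"}
MACRO_DOC_EXT = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm"}
TEXT_EXT = {".txt", ".csv"}

RISK = {
    "text": "limited",
    "unknown": "inspect before opening",
}


def classify_attachment(filename: str, payload: bytes) -> str:
    """Return 'program', 'script', 'macro-document', 'text' or 'unknown'.

    Content is checked before the name: a Windows executable begins with the
    bytes 'MZ' whatever it is called, so a program renamed to look like an
    image is still reported as a program.
    """
    if payload[:2] == b"MZ":
        return "program"
    ext = os.path.splitext(filename)[1].lower()
    if ext in PROGRAM_EXT:
        return "program"
    if ext in SCRIPT_EXT:
        return "script"
    if ext in MACRO_DOC_EXT:
        return "macro-document"
    if ext in TEXT_EXT:
        return "text"
    return "unknown"


def triage_message(raw: bytes) -> list:
    """Parse a raw message and return (filename, category, risk) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        category = classify_attachment(name, payload)
        risk = RISK.get(category, "do not run without verifying the sender")
        findings.append((name, category, risk))
    return findings


def build_sample_message() -> bytes:
    """Construct a demo message: one harmless text attachment and three risky ones."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed sample addresses
    msg["To"] = "you@example.com"
    msg["Subject"] = "Files from today"
    msg.set_content("See attached.")
    msg.add_attachment("Meeting notes.\n", filename="notes.txt")
    # 'MZ' header: an executable disguised with an image file name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="holiday.jpg")
    msg.add_attachment(b'MsgBox "surprise"\r\n', maintype="application",
                       subtype="octet-stream", filename="prank.vbs")
    # OLE2 signature of a legacy Word file, which can carry a macro.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
                       maintype="application", subtype="msword", filename="budget.doc")
    return bytes(msg)


if __name__ == "__main__":
    for name, category, risk in triage_message(build_sample_message()):
        print(f"{name:14s} {category:15s} {risk}")
```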
“Social Engineering” "Social engineering" is hacker-speak for conning legitimate computer users into providing useful information that helps the hacker gain unauthorized access to their computer system. The attacker using social engineering usually poses as a legitimate person in the organization and tricks computer users into giving useful information. This is usually done by telephone, but it may also be done by forged e-mail messages or even an in-person visit. Most people think computer break-ins are purely technical, the result of technical flaws in computer systems that the intruders are able to exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through the initial security barriers. Lack of security awareness or gullibility of computer users often provides an easy stepping stone into the protected system in cases when the attacker has no authorized access to the system at all. In testimony before Congress after he was released from jail, our country's most notorious computer hacker, Kevin Mitnick, told the lawmakers that the weakest element in computer security is the human element. "I was so successful in [social engineering] that I rarely had to resort to a technical attack," Mitnick explained. He added that "employee training to recognize sophisticated social engineering attacks is of paramount importance."1
“Social Engineering” Cont. As an example of how it is done, here is a quick summary of Case 2, a successful hacking operation based almost entirely on social engineering: Posing as someone from the public relations department, the hackers called an executive's secretary and succeeded in obtaining the executive's employee number. A second call exploited the knowledge of the executive's employee number in order to obtain the executive's cost center number, which was then used to receive overnight courier service delivery of the company’s internal phone directory. The hackers called the office in charge of new employees and were able to obtain a list of new employees. Posing as information systems employees, the hackers told the new employees that they wanted to give them a computer security awareness briefing over the phone. During this process, the hackers obtained "basic" information including the types of computer systems used, the software applications used, the employee number, the employee's computer ID, and their password. Using a "war dialer" together with a call to the company's computer help desk, the hackers obtained the phone numbers of the company modems. They then called the modems and used the compromised computer IDs and passwords to gain access to the system.
“Social Engineering” Cont. Common “Social Engineering” scenarios The attacker pretends to be a legitimate end-user who is new to the system or is simply not very good with computers. The attacker may call systems administrators or other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs to access the system urgently. The attacker may sound really lost so as to make the systems administrator feel that he is, for example, helping a damsel in distress. This often makes people go way out of their way to help. The attacker pretends to be a VIP in the company, screaming at administrators to get what he wants. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands. The attacker takes advantage of a system problem that has come to his attention, such as a recently publicized security vulnerability in new software. The attacker gains the user's trust by posing as a system administrator or maintenance technician offering help. Most computer users are under the mistaken impression that it is okay to reveal their password to computer technicians. The attacker posing as a system administrator or maintenance technician can sometimes persuade a computer user to type in computer commands that the user does not understand. Such commands may damage the system or create a hole in the security system that allows the attacker to enter the system at a later time.
“Social Engineering” Cont. Recommendations Computer security experts recommend the following measures to outsmart a hacker: –If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in your organization’s telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses. –Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious. –Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor. –If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately.
Viruses & Other "Infections" A virus is a small, self-contained piece of computer code hidden within another computer program. Like a real virus, it can reproduce, infect other computers, and then lie dormant for months or years before it strikes. A virus is only one of several types of "malicious logic" that can harm your computer or your entire network. Worms, logic bombs, and Trojan Horses are similar "infections" commonly grouped with computer viruses. A computer worm spreads like a virus but is an independent program rather than hidden inside another program. A logic bomb is a program normally hidden deep in the main computer and set to activate at some point in the future, destroying data. A Trojan Horse masquerades as a legitimate software program. It waits until triggered by some pre-set event or date and then delivers a payload that may include destroying files or disks. Some viruses are high-tech pranks not intended to cause damage. For example, a virus may be designed to conceal itself until a predetermined date, then flash a message on all network computers. Even pranks, however, are not benign. They steal computer memory, storage, and processing time. Of greatest concern, of course, are viruses and other devices that are deliberately malicious. They are intended to cause serious damage such as deleting files, providing access for an outsider to copy your files, or disrupting the operation of an entire computer network or organization. From an information security point of view, one of the more dangerous types of malicious logic is a Trojan Horse that allows a remote user to access and control your computer without your knowledge whenever you are on the Internet. One of these Trojan Horses was originally developed as a means of playing pranks on friends. When installed on another person's computer, you can control that computer via the Internet.
For example, you can make the CD-ROM tray on that person's computer pop out repeatedly for no discoverable reason, or reverse the functions of the left and right buttons on the person's mouse. However, you can also read, change, or copy all the person's files without his or her knowledge. This Trojan Horse can be snuck onto someone's computer by burying it in a game program or other executable script sent by e-mail. Happily, known versions of the program will be caught by a good virus checker.
Viruses & Other "Infections" Cont. The virus threat is increasing for several reasons: –Creation of viruses is getting easier. The same technology that makes it easier to create legitimate software is also making it easier to create viruses, and virus construction kits are now available on the Internet. About 200 to 300 new viruses are being created each month, while the old ones continue to spread.1 –The increased use of portable computers, e-mail, remote link-ups to servers, and growing links within networks and between networks mean that any computer that has a virus is far more likely to communicate with -- and infect -- other computers and servers than it would have been a few years ago. –You can catch a virus by launching an infected application or starting up your computer from a disk that has infected system files. Once a virus is in memory, it usually infects any application you run, including network applications (if you have write access to network folders or disks). A properly configured network is less susceptible to viruses than a stand-alone computer. –When you interact with another computer, the virus may automatically reproduce itself in the other computer. Once a virus infects a single networked computer, the average time required to infect another workstation in the same network is from 10 to 20 minutes -- meaning a virus can paralyze an entire organization in a few hours. 3 –Not all viruses, worms, logic bombs, and Trojan Horses are transmitted through infected software brought in from outside the organization. Some of the most damaging are implanted by disaffected insiders. For example: A computer programmer at a Fort Worth, Texas, insurance firm was convicted of computer sabotage for planting malicious software code that wiped out 168,000 payroll records two days after he was fired.
Viruses & Other "Infections" Cont. Countermeasures Your organization has policies and tools for countering the threat of viruses. In order to avoid security or system maintenance problems, many organizations require that all software be installed by a system administrator. Some organizations require that any diskette you bring into the building be tested for viruses before being used. Others do not. Consult your system administrator to learn the correct procedures in your organization. Be sure you know how your virus detection software works. If it indicates your system has a virus problem, report it immediately to your system administrator and then to the person you believe may have passed the virus to you. It is important to remain calm. There are many virus hoaxes as well as real viruses, and a virus scare can cause as much delay and confusion as an actual virus outbreak. Before announcing the virus widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of technically competent personnel. The following procedures will help lower the risk of infection or amount of damage if the worst does happen. –Don't be promiscuous. Most risk of infection by viruses can be eliminated if you are cautious about what programs are installed on your computer. If you are unaware of or unsure of the origin of a program, it is wise not to run it. Do not execute programs or reboot using old diskettes unless you have reformatted them, especially if the old diskettes have been used to bring software home from a trade show or another security-vulnerable place. –Excellent virus-checking and security audit tools are available. Use them and, if possible, set them to run automatically and regularly. Update your virus checker regularly, as many new viruses are created each month. –Notice the unusual. Be familiar with the way your system works.
If there is an unexplainable change (for instance, files you believe should exist are gone, or strange new files are appearing and disk space is "vanishing"), you should check for the presence of viruses. –Back up your files. If worst comes to worst, you can restore your system to its state before it was infected.
Viruses & Other "Infections" Cont. Spyware Is a program monitoring your computer activity while you are online without your permission? Is your name being stripped from these findings and compiled with the statistics of many other users? Is a summary of your Net activity being sold to Net advertisers so they may more effectively profile users in order to better target their advertising? The answers to these questions and the questions themselves are the subject of a current moral and ethical debate. Some users find it intrusive or just plain sneaky to discover that they have unwittingly installed a program/applet/cookie that feeds information about their usage back to a third party. While it cannot be said that spyware or adware is currently illegal, there has been legislation proposed in the United States about this ethical dilemma. If your computer starts to behave strangely or displays any of the symptoms listed below, you may have spyware or other unwanted software installed on your computer. –I see pop-up advertisements all the time. Some unwanted software will bombard you with pop-up ads that aren't related to a particular Web site you're visiting. These ads are often for adult or other Web sites you may find objectionable. If you see pop-up ads as soon as you turn on your computer or when you're not even browsing the Web, you may have spyware or other unwanted software on your computer. –My settings have changed. Some unwanted software has the ability to change your home page or search page settings. This means that the page that opens first when you start your Internet browser or the page that appears when you select "search" may be pages that you do not recognize. Even if you know how to adjust these settings, you may find that they revert back every time you restart your computer. –My Web browser contains additional components that I didn’t download.
Spyware and other unwanted software can add additional toolbars to your Web browser that you don't want or need. Even if you know how to remove these toolbars, they may return each time you restart your computer. –My computer seems sluggish. The resources spyware and other unwanted software use to track your activities and deliver advertisements can slow down your computer, and errors in the software can make your computer crash. If you notice a sudden increase in the number of times a certain program crashes, or if your computer is slower than normal at performing routine tasks, you may have spyware or other unwanted software on your machine.
P2P Peer-to-Peer (P2P) file-sharing is now an unavoidable part of Internet life. Because of its large user base, P2P networks can offer any ordinary user literally billions of files that are available for download with a simple click of the mouse. Anyone connected to one of these networks can share and download virtually any file in existence, from the latest hot music track and Hollywood blockbuster, to obscure textbooks and rare foreign texts. Best of all, most P2P networks as well as much of their contents are accessible at no cost! Yet the downside to P2P file sharing is that it is inherently insecure and lives on the fringes of legality. Badly-coded clients, viruses and Trojans and potential lawsuits are just some of the many threats that users must face when they venture into the untamed wilderness of the P2P world. Some serious issues facing P2P users include: 1 - Worms, Trojans, Backdoors and Viruses –The biggest viral threat comes from the sharing, unintended or not, of infected files. Some users do not know that they have been infected and they put up their file collection for the world to download, thus putting other users at risk. Others intentionally distribute malware, ranging from the casual script kiddie who wants to feel empowered, to a hacker who shares a Trojan to gain full control over another computer. Harmful files often carry filenames of popular files, masquerading as a benign object to increase their chance at being downloaded, and waiting for an unsuspecting user to trigger their nefarious charge. –Recently, some viruses were specifically made for P2P distribution. Their effects include installing backdoors on victims' machines for easy access by remote attackers, putting up entire drives for sharing, and mass-mailing. These worms make copies of themselves in the P2P client's shared folder, posing as popular files that will entice others to download and run them.
–Even more worrisome is the fact that some P2P clients might be harbouring backdoors for questionable purposes. In the past, a backdoor from Brilliant Digital Entertainment was bundled with KaZaA. This backdoor can be turned on remotely to create an entirely new network unbeknownst to the user. The company intended to use this backdoor to commandeer and resell unused computing resources like disk space, bandwidth and CPU time, across the whole network, all without compensating the users. Another example is EarthStation 5 (ES5 or ESV), in which users discovered a hidden feature that enabled the remote deletion of their files on their computers. Though the developers of ES5 claimed that this was the remnant of an abandoned automatic update feature, many from the P2P community are still suspicious of the makers' true intentions.
P2P Cont. 2 - Fake files –Because anyone can share anything, it is very hard sometimes to tell whether the files one is downloading are indeed the authentic files. Media giants offer apparently popular music or films to sniff out copyright violators in an effort to try to protect their products from being distributed illegally online. Anyone who has recently downloaded popular music tracks from KaZaA and the like can tell you just how many bogus files are out there. More of an annoyance than harm, this practice is mostly perpetrated by large record labels trying to curb the sharing of copyrighted material and to track which users attempted to copy them. As well, by flooding the network with useless material they hope to decrease the popularity of P2P. –On a darker note, this trend might encourage some companies with questionable business practices, in the name of protecting their products from piracy, to go beyond simply releasing decoys and distribute programs posing as working versions of their products but that secretly sabotage a user's machine. –Most P2P clients boast to be able to tell whether a file is authentic or not by generating a unique hash for each file and using this fingerprint to identify files, but some clients like KaZaA only implement this scheme halfway. The hashes these clients generate are based on only certain parts of the files, thus many corrupt downloads would have the same fingerprint as their real counterparts. 3 - Spyware/Adware –Many P2P clients claim to be free of charge - but are they? To subsidize the development cost, some developers partnered up with advertising companies to include spyware and adware in the P2P program. In exchange for a share of the marketing revenue, the marketers can have access to a large pool of potential consumers that they can track, analyze, and target with customized advertising. 
Beside the annoyance of targeted ads, the ability to track a user's online activity and send reports back to an online monitor virtually removes the anonymity of the Internet. While some argue that tracking is harmless since the common user has no covert activity to hide from anyone, it still is a serious violation of privacy rights. –One of the more notorious examples is KaZaA. Bundled with the P2P client is Cydoor, a hidden application that tracks a user's Internet-related activities. Like many other programs with spyware/adware, KaZaA would no longer run if Cydoor is removed, forcing users to trade away their privacy in exchange for access to the FastTrack network.
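The "Fake files" point above (a fingerprint computed over only part of a file lets a decoy or a corrupt download pass as genuine) demonstrated in code. This is an added example, not from the presentation; the 64 KiB prefix scheme is a constructed stand-in for "hashing only certain parts of the file" and does not reproduce any real client's algorithm.

```python
"""Why a fingerprint computed over only part of a file cannot prove the file
is genuine.  Added example, not from the presentation.  The 'partial
fingerprint' below is a constructed stand-in for the scheme the slide
describes (hashing selected regions only); it does not reproduce any real
client's algorithm."""
import hashlib

CHUNK = 64 * 1024  # constructed: the 'partial' scheme hashes only this prefix


def partial_fingerprint(data: bytes, chunk: int = CHUNK) -> str:
    """Fingerprint over the first `chunk` bytes only (the weak scheme)."""
    return hashlib.sha1(data[:chunk]).hexdigest()


def full_fingerprint(data: bytes) -> str:
    """Fingerprint over every byte (what a client should compare)."""
    return hashlib.sha256(data).hexdigest()


def make_genuine(size: int = 3 * CHUNK) -> bytes:
    """Deterministic stand-in for a real media file (constructed content)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:size])


def make_decoy(genuine: bytes) -> bytes:
    """A decoy that keeps the hashed prefix intact and replaces everything
    after it with filler: it passes the partial check but is junk."""
    return genuine[:CHUNK] + b"\x00" * (len(genuine) - CHUNK)


def make_truncated(genuine: bytes) -> bytes:
    """A download that lost its last bytes (an interrupted transfer)."""
    return genuine[:-17]


def verify(candidate: bytes, trusted: bytes) -> dict[str, bool]:
    """Compare a candidate against the trusted file under both schemes."""
    return {
        "partial_match": partial_fingerprint(candidate) == partial_fingerprint(trusted),
        "full_match": full_fingerprint(candidate) == full_fingerprint(trusted),
    }


if __name__ == "__main__":
    genuine = make_genuine()
    for label, sample in (("genuine", genuine),
                          ("decoy", make_decoy(genuine)),
                          ("truncated", make_truncated(genuine))):
        print(f"{label:10} {verify(sample, genuine)}")
```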
P2P Cont. 4 - Buggy or improperly configured software –Not all P2P clients are made the same. Some are developed by ragtag teams following ad-hoc plans, resulting in barely functional, extremely buggy clients that are prone to security breaches. Even popular software is not immune; in the past, various FastTrack network clients like KaZaA had vulnerabilities that enabled someone to remotely crash the client. Recently, a security leak was found in eMule, an eDonkey client, which permitted a remote attacker to execute arbitrary code on the victim's machine. –In the hands of an inexperienced user, even a well-written P2P client could be doomed to disaster. A P2P novice can accidentally mark a whole hard drive as shared, enabling any fellow file sharers to gaze at the user's private, perhaps highly confidential, documents, whether personal information or business data. A user may also enable features that could potentially compromise system security. For example, a KaZaA user could set his/her computer as a Supernode, a feature known to be vulnerable to buffer overflows. 5 - Copyright issues –With all the media hype surrounding reports of P2P users being sued by big record companies, one cannot ignore the issue of copyright violations. Once again, due to the decentralized nature of the network and the fact that no one single entity has de-facto control of what gets shared, there is an enormous amount of copyrighted works that are being illegally distributed without the consent of their creators or rightful owners. Coupled with the fact that true online anonymity does not exist yet, users who inadvertently share copyrighted work can expose themselves to expensive litigation. –In the USA, one of the fiercest battles pitting P2P users against copyright holders is music sharing.
The Recording Industry Association of America and its associates are actively prosecuting American file sharers for copyright infringement because the trade group alleges that music sharing is the principal cause of flagging sales. Though Canada's RIAA counterpart, SOCAN, was dealt a series of setbacks by various court rulings that prevent it from using U.S. tactics, some of these decisions are currently being appealed. It should be noted that as of January 2004 it has been deemed legal for users to download music in Canada provided it is for their own use and not for redistribution or sale. –Music is not the only problematic issue when it comes to filesharing. Peer-to-peer networks are teeming with pirated software and bootlegged movies. Some observers predict that other industry trade groups might follow suit by launching their own lawsuits against online copyright infringers.
Insecure Modems A computer presents very little risk if it's by itself. The problem arises when it's hooked up to a modem. A modem is a communications device that allows your computer to talk with another computer. Modem is short for modulator/demodulator. It is, basically, a telephone for your computer. It converts the computer's output to a format that can be sent over telephone lines. If your computer has a modem connected to the Internet, it is like you are living in a high-crime neighborhood. You must take appropriate precautions. The modem connection can be a significant vulnerability. Any unauthorized modem is a serious security concern. Hackers commonly use a tool known as a "war-dialer" to identify the modems at a target organization. A war-dialer is a computer program that automatically dials phone numbers within a specified range of numbers. Most organizations have a block of sequential phone numbers. If you have one number for the organization, it is usually correct to assume that most other numbers are within a limited range of numbers either higher or lower than that number. By dialing all numbers within the targeted range, the war-dialer identifies which numbers are for computer modems and determines certain characteristics of those modems. The hacker then uses other tools to attack the modem to gain access to the computer network. Effective war-dialers can be downloaded from the Internet at no cost. In one test of corporate security, a computer dialed a block of 1,500 numbers in the space of 16 hours and identified 55 modems.1 As a countermeasure to war-dialers, many organizations have equipment that detects rapid sequential dialing and shuts it down. On the other hand, some war-dialers are designed to avoid this type of detection. The problem is that a modem is a means of bypassing the "firewall" that protects your network from outside intruders. 
A hacker using a "war-dialer" to identify the modem telephone number and a password cracker to break one weak password can gain access to the system. Due to the nature of computer networking, once a hacker connects to that one computer, the hacker can often connect to just about any other computer in the network.2 It is possible to have a secure connection to the Internet, but it must meet certain requirements. The connection must be configured properly with the latest security equipment, and all employees who are authorized to access their office computers via the Internet from home or while traveling must use strong passwords. Too often, however, these conditions are not met.
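The countermeasure the slides mention, equipment that "detects rapid sequential dialing", as detection logic run over a call log. This is an added example, not from the presentation; the call-detail records, their format (time, calling number, called number) and the thresholds are constructed assumptions, and the code also records the slide's caveat that a dialer which randomises its order or slows down evades this rule.

```python
"""Flag rapid sequential dialing, the pattern the slide says PBX equipment
detects and shuts down.  Added example, not from the presentation.  The
call-detail records and their format (time, calling number, called number)
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records: one caller sweeps 555-1200..1205 in under
# three minutes; two other callers place ordinary, unrelated calls.
SAMPLE_CDR = """\
2004-03-01T02:00:01 555-0100 555-1200
2004-03-01T02:00:31 555-0100 555-1201
2004-03-01T02:01:02 555-0100 555-1202
2004-03-01T02:01:33 555-0100 555-1203
2004-03-01T02:02:05 555-0100 555-1204
2004-03-01T02:02:36 555-0100 555-1205
2004-03-01T09:15:00 555-0199 555-1230
2004-03-01T09:40:00 555-0199 555-1231
2004-03-01T10:05:00 555-0177 555-1250
"""


def parse_cdr(text: str) -> list[tuple[datetime, str, str]]:
    """Parse 'ISO-time caller callee' lines, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, caller, callee = line.split()
        records.append((datetime.fromisoformat(when), caller, callee))
    return sorted(records)


def _as_int(number: str) -> int:
    return int(number.replace("-", ""))


def detect_sweeps(records, min_calls: int = 5, window_s: int = 600) -> list[dict]:
    """Return one alert per caller 'run' of >= min_calls calls in which each
    call dials the previous number +-1 and the whole run fits in window_s.

    A run breaks when the dialed number jumps or the window is exceeded.
    Caveat from the slide: a dialer that randomises its order or paces its
    calls evades this rule, so pair it with a per-caller count of distinct
    numbers dialed per day."""
    by_caller = defaultdict(list)
    for when, caller, callee in records:
        by_caller[caller].append((when, callee))

    alerts = []

    def flush(caller, run):
        if len(run) >= min_calls:
            alerts.append({
                "caller": caller,
                "first_number": run[0][1],
                "last_number": run[-1][1],
                "calls": len(run),
                "seconds": int((run[-1][0] - run[0][0]).total_seconds()),
            })

    for caller, calls in by_caller.items():
        run = []
        for when, callee in calls:
            if run:
                adjacent = abs(_as_int(callee) - _as_int(run[-1][1])) == 1
                inside = (when - run[0][0]).total_seconds() <= window_s
                if adjacent and inside:
                    run.append((when, callee))
                    continue
                flush(caller, run)   # run broken: report it if long enough
                run = []
            run.append((when, callee))
        flush(caller, run)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_cdr(SAMPLE_CDR)):
        print(f"sweep from {alert['caller']}: {alert['calls']} calls, "
              f"{alert['first_number']}..{alert['last_number']} "
              f"in {alert['seconds']} s")
```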
Security of Hard Drives and Laptops Secrets in the computer require the same protection as secrets on paper. Information can usually be recovered from a computer hard drive even after the file has been deleted or erased by the computer user. It has been estimated that about a third of the average hard drive contains information that has been "deleted" but is still recoverable.1 Computers on which classified information is prepared must be kept in facilities that meet specified physical security requirements for processing classified information. If necessary to prepare classified information in a non-secure environment, use a typewriter or a removable hard drive or laptop that is secured in a safe when not in use. Laptop computers are a particular concern owing to their vulnerability to theft. –Laptop computers are a prime target for theft from your office, your home, or at airports, hotels, railroad terminals and on trains while you are traveling. They are an extremely attractive target for all types of thieves, as they are small, can be carried away without attracting attention, and are easily sold for a good price. They are also a favorite target for intelligence collectors, as they concentrate so much valuable information in one accessible place. –Safeware, the largest insurer of personal computers in the United States, paid claims for the theft of 319,000 laptop computers during 1999.1 Of course, most laptops are not insured, so this is only a small fraction of the total number of laptop computers that were stolen during that year. –When a laptop is stolen, you don't know whether it was taken for the value of the information on the computer or for the value of the computer itself. This makes it difficult to assess the damage caused by the loss.
–This topic offers guidelines for keeping your laptop from being stolen, discusses technical measures for protecting information on the laptop if it is stolen or entered surreptitiously, and notes special problems relating to traveling overseas with your laptop.
Security of Laptops Cont. Protection of Laptops The basic rule for protecting your laptop is to treat it like your wallet or purse. Your laptop is a more attractive target for thieves than your wallet or purse, and if you lose your laptop, the cost to you in money and inconvenience is probably greater than if you lose your wallet or purse. If your laptop has sensitive government, commercial, or scientific data on it, the loss may be valued in the millions. Even in your office, unless it is a controlled secure area, it is advisable to keep your laptop out of sight when not in use, preferably in a locked drawer or cabinet. The Washington, DC police recently formed a task force to fight a surge in thefts from downtown offices; laptops were the thieves' preferred target.2 Your laptop is especially vulnerable while you are traveling. Here is a summary of basic precautions during travel. Disguise your laptop. The distinctive size and shape of a laptop computer make it an easily spotted target for thieves. Carry it in a briefcase or other, preferably grungy-looking, case. Never let a laptop out of your sight in an airport or other public area. If you set it down while checking in at the airport counter or hotel registration desk, lean it against your leg so that you can feel its presence, or hold it between your feet. When going through the airport security check, don't place your laptop on the conveyor belt until you are sure no one in front of you is being delayed. If you are delayed while passing through the checkpoint, keep your eye on your laptop. See Theft While Traveling for discussion of techniques used to steal laptops at airports. When traveling by plane or rail, do not ever place the computer (or other valuables) in checked baggage. If your aircraft departure is delayed and you are directed or invited to deplane and wait in the terminal, take your computer and other valuables with you. Don't leave them unattended at your seat or in the overhead.
Security of Laptops Cont. Protection of Laptops Never store a computer in an airport or train station locker. If you must leave it in a car, lock it in the trunk out of sight. Avoid leaving your computer in a hotel room, but if you must do so, at least lower the risk of theft by keeping it out of sight. Lock it securely in another piece of luggage. Placing the computer in a hotel vault or room safe should make it secure from theft, but in some foreign countries it may not be secure from access by local intelligence or security personnel. Never keep passwords or access phone numbers on the machine or in the case. Do not program your computer's function keys with sign-on sequences, passwords, access phone numbers, or phone credit card numbers. If the machine is stolen or lost, these would be valuable prizes. Back up all files before traveling. While in any public place, such as an airplane or hotel lobby, don't have up on your laptop screen anything you don't want the public to know about. A survey of 600 American travelers found that over one-third admitted looking at someone else's laptop while flying. Younger travelers were the worst offenders, with 49 percent of the men and 40 percent of the women under 40 admitting they look at what their seatmate is working on. Most are checking to see what their fellow passenger is doing, while others are more interested in who they are working for.3 Be prepared for the airport security check. You may be directed by airport security personnel to open and turn on your laptop to demonstrate that it is actually a functioning computer. Be sure the battery is charged or have the power cord handy. If you can't turn your laptop on, you may not be permitted to take it on board the aircraft. The airport security X-ray machines will usually not affect hard drives. Floppy diskettes, having less shielding, may be affected. If possible, pass these to the attendant for hand examination. 
It is even more difficult to protect your laptop, and the information on it, when traveling in foreign countries where your laptop may be targeted as a treasure trove of information.
Security of Laptops Cont. Technology for Protecting Information on Your Laptop Due to the very high risk and high cost of laptop theft, many products are being developed to protect the security of information in your laptop if it is stolen, prevent the surreptitious entry into files on your laptop, make it more difficult to steal a laptop, or make it easier to find a stolen laptop. Specific products are not discussed here, as the technology is changing so rapidly. The following general types of products are now available. Encryption software. Storing all data files in encrypted form will prevent disclosure of the data even if your computer is stolen. Software that hides information on your hard drive, so that it is not found by the average thief who steals your laptop or, for example, by an intelligence collector who gains surreptitious access to your laptop in your hotel room. Various types of locks, keys, and biometric identification devices designed to prevent anyone but you from using the computer, and perhaps to alert you to any unauthorized attempt to use your computer. Software utilities that wipe the hard disk clean when deleting sensitive data files. These overwrite the deleted data making it totally unrecoverable, as opposed to the normal Delete command that only deletes the "pointer" that allows the computer to find the file on your hard drive. The file itself is not deleted until it is overwritten by another file. See Security of Hard Drives. Tracers that identify the location of a stolen laptop. When the stolen laptop is linked to the Internet, it transmits a signal to a monitoring station that identifies the user's telephone number or Internet account. Proximity alarms that go off if the laptop gets too far away from its owner or user. Ask your system administrator or computer security specialist to evaluate which of the available alternatives best meet your needs.
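The "wipe" utilities described above, and the Security of Hard Drives point that a normal Delete only removes the pointer, shown as working code: a plain unlink beside an overwrite-then-unlink. This is an added example, not from the presentation; it runs on a throw-away file it creates itself, and the caveat about SSDs and journaling filesystems is my addition, not the slide's.

```python
"""Overwrite-then-delete versus a plain delete, as the slide describes:
a normal delete only drops the directory entry, so the bytes stay on disk
until something else happens to overwrite them.  Added example, not from
the presentation; it works on a throw-away file it creates itself."""
import os
import tempfile

SAMPLE = b"SECRET payroll record: J. Doe, 54000\n" * 50  # constructed content


def plain_delete(path: str) -> None:
    """What the ordinary Delete command does: unlink the name, leave the data."""
    os.remove(path)


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file `passes` times with random data, then
    once with zeros, forcing each pass to disk.  Returns the file size.

    Caveat (my addition, not from the slide): SSD wear-levelling, journaling
    and copy-on-write filesystems, snapshots and backups can all keep the old
    blocks alive, so full-disk encryption is the control to rely on and
    overwriting is a best-effort extra."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            left = size
            while left:
                chunk = os.urandom(min(left, 1 << 16))
                fh.write(chunk)
                left -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        left = size
        while left:
            n = min(left, 1 << 16)
            fh.write(b"\0" * n)
            left -= n
        fh.flush()
        os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink.  Returns the number of bytes that were wiped."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def make_sample_file(content: bytes = SAMPLE) -> str:
    """Create a constructed 'sensitive' file in the temp dir; return its path."""
    fd, path = tempfile.mkstemp(prefix="payroll-", suffix=".dat")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def demo(content: bytes = SAMPLE) -> dict:
    """Run both deletes on constructed files and report what happened."""
    path = make_sample_file(content)
    size = overwrite_in_place(path, passes=2)
    with open(path, "rb") as fh:
        zeroed = fh.read() == b"\0" * len(content)   # data really replaced
    plain_delete(path)
    path2 = make_sample_file(content)
    wiped = secure_delete(path2)
    return {"size": size, "zeroed": zeroed, "wiped": wiped,
            "gone": not os.path.exists(path2)}


if __name__ == "__main__":
    print(demo())
```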