
1 Jim Crowley, C3 – Crowley Computer Consulting

2 Apologies. This is long-haired, geeky stuff. This is long and boring. This is version 1. The analogies between safe sex and safe computing cannot be ignored. It is getting very difficult to protect older systems: too slow and not enough memory for security programs, and no new patches for anything older than Windows 2000. This is meant to scare the *#$^ out of you.

3 The Internet brings the world to your computer!

4 Various services run over the Internet: World Wide Web, Email, Instant Messaging, Peer to Peer sharing, Voice over IP phones, Gaming, Gopher, Audio streaming, Video streaming. The Internet was designed for enhancement. It was not designed for this level of complexity. E.g. the easiest way to prevent spam is to authenticate the sender; email has no method to do this.

5 Services have multiple methods of encoding and delivery, e.g. the World Wide Web: HTML, XML, Java, JavaScript, Flash, Perl, ColdFusion, VBScript, .Net, ActiveX, SHTML, and more!!!

6 Services have multiple methods of encoding and delivery, e.g. Instant Messaging: AOL, Google, ICQ, Microsoft, Yahoo, and more!!!

7 World Wide Web, Email, Instant Messaging, Peer to Peer Sharing, Video streaming, Gaming, Voice over IP phones, Gopher, Audio streaming: you invite these services in…

8 The good old days… it was hard and relatively expensive to “get online.” It was slow: do you remember 300Bps and 1200Bps modems? The web didn’t exist! Do you remember CompuServe and Prodigy and AOL? It was geeky! Users were hobbyists and it was all very 60s. Exploits were confined to bugging your buddy and showing off!

9 Now… everyone is online! Over 50% of users in the USA are on broadband. Exploits are dirty rotten @#*!!!: money-making schemes, ripping off grandma, organized crime.

10 Common attacks: Virus, Worms, Trojan horse, Spyware, Spam, Phishing.

11 Did you know… All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus. All of these ride the Internet services you invite in! Different companies and organizations will group attacks differently and will name attacks differently.

12 Malware: software designed to infiltrate or damage a computer system without the owner's informed consent. Originally harmless pranks or political messages, they have now evolved into profit makers. Includes viruses, worms and Trojan horses.

13 Malware: Virus. A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload. (1972)

14 Virus. In the days of yore… Who: the typical author was young, smart and male. Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There was no financial gain in writing viruses. Now… Who: professional coders or programmers using “kits.” Why: financial gain by email delivery payments, renting of botnets, extortion… Often supported by the mafia and black marketers.

15 Virus structure. Replication: viruses must propagate themselves. Payload: the malicious activity a virus performs when triggered. Payload trigger: the date, counter or circumstances present when a virus payload goes off.

16 Payload examples: nothing, just being annoying; displaying messages; launching a DDoS attack; erasing files randomly, by type or by usage; formatting the hard drive; overwriting the mainboard BIOS; sending email; exposing private information.

17 Trigger examples: date; Internet access; number of emails sent.

18 Boot sector virus: infects the first sector of a hard drive or disk. The first sector contains the MBR or master boot record.

19 File infector virus: attaches itself to a file on the computer and is executed when that application is opened.

20 Multipartite: combines properties of boot sector and file infector viruses.

21 Macro virus: a virus written using script or macro languages such as Microsoft Office’s VBA; executes when a document containing the virus is opened.

22 Memory resident: a virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.

23 Stealth virus: a virus that actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.

24 Polymorphic virus: a virus that alters its signature or footprint to avoid detection.

25 Metamorphic virus: a virus that rewrites its code each time a new executable is created. Usually very large.

26 Malware: Worm. A self-replicating computer program that uses networks to copy itself to other computers without user intervention. Worms often lack a payload of their own but drop in backdoor programs. (1978)

27 Malware: Trojan. A destructive program that masquerades as a benign application; it requires a user to execute it. A variety of payloads are possible, but often they are used to install backdoor programs. Generally, Trojans do not replicate. (1983)

28 Spyware: an application installed, usually without the user’s knowledge, intercepting or taking partial control for the author’s personal gain. Estimates run as high as 90% of Internet-connected computers being infected with spyware. Unlike a virus, spyware does not self-replicate.

29 Spyware: symptoms. Sluggish PC performance; an increase in pop-up ads; mysterious new toolbars you can’t delete; unexplained changes to homepage settings; puzzling search results; frequent computer crashes.

30 Spyware: a loaded system

31 Spyware: rogue help. Antivirus Gold Family: Adware Delete, SpyAxe, Antivirus Gold, SpywareStrike. PS Guard Family: Security Iguard, Winhound, PSGuard, SpywareNO!, SpyDemmolisher, SpySheriff, SpyTrooper, SpywareNO!, Raze Spyware, RegFreeze, WinAntiSpyware 2005, WorldAntiSpy.

32 Spyware: rogue help. This morning…

33 Spyware: Adware. Any software package which automatically plays, displays or downloads advertising material to a computer. Not necessarily “spyware,” depending on your definitions. Many “free” applications install adware, creating a source of income. Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp

34 Spyware: Adware

35 Spyware: Backdoors. Backdoor = remote access: a method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection. May be an installed program (e.g. Back Orifice) or a modification to an existing application (e.g. Windows’ Remote Desktop).

36 Spyware: Browser hijacker. Alters your home page and may redirect other requested pages, often away from helpful sites. Generally adds advertising, porn, bookmarks or pay-per-surf web sites.

37 Spyware: Dialers. A program that uses a computer’s modem to dial out to a toll number or Internet site: 900 numbers, phone system flood attacks. Can rack up huge phone bills! Often running to international numbers in the Caribbean.

38 Spyware: Downloaders. An application designed to download and possibly install another application. Sometimes they receive instructions from a web site or another trigger. Also a typical form of Trojan.

39 Spyware: Rootkits. A type of Trojan that gives an attacker access to the lowest level of the computer, the root level. Removing rootkits can be very difficult to impossible. Microsoft’s recommendation to remove rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option. Rootkits have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.

40 Spyware: Scrapers. Extracting data from output to the screen or printer rather than from files or databases that may be secure. Legitimate and illegitimate applications exist. Temp files are often a great source of information!

41 Spyware: Tracking cookies. A small amount of data sent back to the requesting website by your browser. They may be temporary or persistent, first or third party. Cookies are not bad and make browsing life better! Third-party cookies are used to track surfing habits and you may want to disable them. Example cookie file entry: weather.com TRUE / FALSE 1218399413 LocID 13669
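The cookie file entry on the slide is one line of a Netscape-format cookies.txt. The following added example (not from the presentation) parses that format and sorts entries the way the slide does, temporary or persistent and first or third party; the sample file is constructed, with the slide's weather.com line as its first entry.

```python
"""Parse a Netscape-format cookies.txt and classify its entries.

Added example, not from the presentation. The sample file is constructed; its first
line is the weather.com entry shown on the slide, the other two are made up."""
from dataclasses import dataclass

# Netscape cookie file: tab-separated domain, include-subdomains flag, path, secure,
# expiry as a Unix timestamp (0 = session cookie), name, value.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
weather.com\tTRUE\t/\tFALSE\t1218399413\tLocID\t13669
.ad-tracker.example\tTRUE\t/\tFALSE\t1893456000\tuid\tabc123
www.weather.com\tFALSE\t/\tTRUE\t0\tsession\tdeadbeef
"""


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str

    @property
    def persistent(self) -> bool:
        # A zero expiry marks a session cookie; the browser drops it on exit.
        return self.expires != 0

    def is_third_party(self, visited_host: str) -> bool:
        """True if the cookie belongs to a site other than the one being visited."""
        d = self.domain.lstrip(".").lower()
        h = visited_host.lower()
        return not (h == d or h.endswith("." + d))


def parse_cookies_txt(text: str) -> list[Cookie]:
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # comments and blank lines
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def audit(text: str, visited_host: str) -> dict[str, list[str]]:
    """Bucket cookies as the slide categorises them, for a visit to visited_host."""
    buckets = {"first-party session": [], "first-party persistent": [],
               "third-party session": [], "third-party persistent": []}
    for c in parse_cookies_txt(text):
        party = "third-party" if c.is_third_party(visited_host) else "first-party"
        life = "persistent" if c.persistent else "session"
        buckets[f"{party} {life}"].append(f"{c.name}@{c.domain}")
    return buckets


def cookies_to_block(text: str, visited_host: str) -> list[str]:
    """Third-party persistent cookies are the tracking ones the slide suggests disabling."""
    return audit(text, visited_host)["third-party persistent"]
```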

42 Keylogger. A software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use. Bad keyloggers will store information for later retrieval or send the captured information to an email address or web page for later analysis.

43 Social Engineering. Tricking a user into giving, or giving access to, sensitive information in order to bypass protection.

44 Social Engineering: pretexting. Creating a scenario to persuade a target to release information, done over the phone. Often uses commonly available information like social security numbers or family names to gain access to further information.

45 Social engineering: phishing. Creating a scenario to persuade a target to release information, done via email. Often uses commonly available information like social security numbers or family names to gain access to further information.

46 Social engineering: more. Road apple: leaving an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity. Quid pro quo: targeting corporate employees as “tech support” until someone actually has a problem and “allows them to help.”

47 True or false?

48 True or false?

49 True or false?

50 True or false?

51 Spam. Junk email. An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages. You do not have to open an attachment to activate a threat. Webmail eliminates few threats.

52 Spam. Threats that activate via merely opening the email are not disabled by using the email preview!

53 World Wide Web, Email, Instant Messaging, Peer to Peer Sharing, Gaming: now your services have hitchhikers! And they bring friends!


55 Don’t use the Internet? Are you really that isolationist? Other user profiles on your computer? Other computers connected to the Internet? Other devices… Xbox, Playstation, Wii; Media Center Extenders; DVRs.

56 Other connections: wireless local networks; Bluetooth personal networks; removable storage (floppy, CDs, DVDs, USB memory key, flash memory); other connected devices (printers, digital cameras, video cameras).

57 The first bug causing a computer error was found by Grace Hopper's team in 1945 using Harvard University's Mark II computer.

58 And the stakes get higher… Imagine the home of the future: a broadband Internet connection shared by computers, television / DVR, phone, security / heating / cooling, kitchen appliances, cell phone. Imagine hacker exploits: defrost your freezer, turn off the heat, trip / disable security, record “Boy Meets World” instead of “Desperate Housewives” and “24”!

59 What’s a guy or gal to do?

60 Protection: firewall. Software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication. Emerged in 1988.

61 Protection: firewall. Levels of protection. Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices. Packet filters: very basic inspection of individual packets of inbound traffic for correct ports for basic services. Stateful filters: compare packets of traffic, and rules can change the criteria of what is allowed. Application layer: deep packet inspection determines whether traffic is appropriate for a specific port.
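To make the difference between the slide's "packet filters" and "stateful filters" concrete, here is an added example (not from the presentation) that runs the same constructed traffic through both: a port-only filter that admits anything arriving from a web server's port, and a stateful filter that admits inbound packets only when they answer a connection the inside host opened. The addresses and port numbers are made up.

```python
"""Basic packet filter versus stateful filter, as contrasted on the slide.

Added example, not from the presentation. Packets are constructed; 192.168.1.10
stands for the inside host, the other addresses for hosts on the Internet."""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def inbound(self) -> bool:
        # Inbound means the packet comes from the Internet toward the inside network.
        return self.dst.startswith(INSIDE_NET) and not self.src.startswith(INSIDE_NET)


class PacketFilter:
    """Basic packet filter: judges each inbound packet on its own, by port number.
    Replies from web servers come from port 80, so source port 80 is let in."""

    def __init__(self, allowed_source_ports):
        self.allowed = set(allowed_source_ports)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        return pkt.sport in self.allowed


class StatefulFilter:
    """Stateful filter: remembers outbound connections and admits only their replies."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Outbound traffic creates state; the matching reply will be allowed in.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound is admitted only if it answers a connection the inside host opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Returns {description: (basic filter verdict, stateful filter verdict)}."""
    basic = PacketFilter(allowed_source_ports={80})
    stateful = StatefulFilter()
    # Constructed traffic: the inside host browses a web site, then two strangers knock.
    traffic = [
        ("outbound web request", Packet("192.168.1.10", 51000, "203.0.113.5", 80)),
        ("reply to that request", Packet("203.0.113.5", 80, "192.168.1.10", 51000)),
        ("unsolicited inbound from source port 80", Packet("198.51.100.7", 80, "192.168.1.10", 135)),
        ("unsolicited inbound from port 4444", Packet("198.51.100.7", 4444, "192.168.1.10", 135)),
    ]
    verdicts = {}
    for label, pkt in traffic:  # order matters: the stateful filter learns as it goes
        verdicts[label] = (basic.allow(pkt), stateful.allow(pkt))
    return verdicts
```

The third packet is the weak spot of port-only filtering: it looks like a web reply because of its source port, so the basic filter lets it reach port 135 while the stateful filter rejects it for having no matching outbound connection.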

62 Protection: hardware firewall. Recommend a router with stateful packet inspection. Jim’s picks: Linksys, Sonicwall.

63 Protection: software firewall. A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly. Software firewalls often disrupt internal networks. Jim’s “sorta” pick: ZoneAlarm.

64 Protection: virus. The most mature category of protection. Detection rate should be near perfect! How do anti-virus programs work? File fingerprinting, active scanning, heuristics, unusual hard drive activities. Protection can be run at the Internet service provider, router, server (if applicable), or workstation (recommended).
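An added example (not from the presentation) of the file fingerprinting and heuristics the slide lists, and of why fingerprints alone are not enough once a virus alters its footprint as slide 24 describes: a whole-file hash matches only the exact known file, a byte-pattern signature still catches a one-byte variant, and an entropy heuristic flags a packed-looking executable with no signature at all. The "files" are constructed byte strings; no real malware is involved.

```python
"""Fingerprint, pattern and heuristic checks of a toy anti-virus scanner.

Added example, not from the presentation. The samples are constructed byte strings
that stand in for files; the marker string is invented for this example."""
import hashlib
import math

# Constructed stand-ins for files: a known bad file, a one-byte variant of it, and a
# clean file. "MZ" is the executable header the heuristic looks for.
KNOWN_BAD = b"MZ\x90\x00" + b"CONSTRUCTED-TEST-FAMILY-A" + b"\x00" * 32
VARIANT = KNOWN_BAD[:-1] + b"\x01"  # same code, one trailing byte changed
CLEAN = b"MZ\x90\x00" + b"hello world notepad" + b"\x00" * 32


def fingerprint(data: bytes) -> str:
    """Whole-file SHA-256: the 'file fingerprint' an AV compares against its database."""
    return hashlib.sha256(data).hexdigest()


# Signature database (constructed): exact fingerprints, and byte patterns that keep
# matching when a few bytes around the code change.
HASH_SIGNATURES = {fingerprint(KNOWN_BAD): "TestFamily.A"}
PATTERN_SIGNATURES = {b"CONSTRUCTED-TEST-FAMILY-A": "TestFamily.gen"}


def scan_by_fingerprint(data: bytes):
    return HASH_SIGNATURES.get(fingerprint(data))


def scan_by_pattern(data: bytes):
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_suspicious(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic needing no signature: an executable header plus near-random contents."""
    return data.startswith(b"MZ") and entropy(data) >= threshold


def scan(data: bytes) -> dict:
    """Run all three checks and summarise the verdict."""
    by_hash = scan_by_fingerprint(data)
    by_pattern = scan_by_pattern(data)
    suspicious = heuristic_suspicious(data)
    if by_hash or by_pattern:
        verdict = "infected"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"fingerprint": by_hash, "pattern": by_pattern,
            "heuristic": suspicious, "verdict": verdict}
```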

65 Protection: virus. Must be updated! Jim’s picks: Norton Antivirus (home); Symantec Antivirus Corporate Edition or Small Business Edition (offices); AVG for older systems.

66 Protection: spyware. A fairly new application category; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.” Detection rates are not nearly as accurate as virus detection. Anti-virus applications are now capable of replacing active-scanning spyware applications. Spyware and virus scanners can fight, causing system freeze-ups and instability.

67 Protection: spyware. Jim’s picks: Webroot SpySweeper, Spyware Doctor, Spybot*, Adaware* (* not an active scanner).

68 Protection: spam. Spam filtering works by recognizing common email addresses and domains used for sending spam and by recognizing keywords in email, and moves such messages automatically to a “junk” folder. Can be done at the email server or workstation. Success rates are very individual!
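An added example (not from the presentation) of the kind of filter the slide describes: a sender/domain block list plus weighted keywords, with everything over a threshold moved to Junk. The block list, weights and the three messages are constructed; the third message is legitimate but still lands in Junk, the mis-labeled mail the next slide says you have to look for.

```python
"""Keyword-and-sender spam filter of the kind the slide describes.

Added example, not from the presentation; the block list, keyword weights and the
messages below are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Constructed block lists: senders and domains known for spam, and weighted phrases.
BLOCKED_DOMAINS = {"spam-example.test"}
BLOCKED_SENDERS = {"known-spammer@example.net"}
KEYWORDS = {"free money": 3, "act now": 2, "click here": 2, "you have won": 4}
JUNK_THRESHOLD = 4  # scores at or above this go to the Junk folder

# Constructed sample messages (headers plus body, RFC 822 style).
MSG_SPAM = ("From: \"Deals\" <promo@spam-example.test>\n"
            "Subject: You have won! Act now\n\n"
            "Click here for free money.\n")
MSG_LEGIT = ("From: Alice <alice@example.org>\n"
             "Subject: Lunch?\n\n"
             "Are you free for lunch tomorrow?\n")
MSG_FALSE_POSITIVE = ("From: Newsletter <news@example.org>\n"
                      "Subject: Money management webinar\n\n"
                      "Act now: register for our free money management class.\n")


def spam_score(raw_message: str) -> tuple[int, list[str]]:
    """Return (score, reasons); the reasons show which rules fired, for tuning."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]
    if addr in BLOCKED_SENDERS:
        score += 5
        reasons.append(f"blocked sender {addr}")
    elif domain in BLOCKED_DOMAINS:
        score += 5
        reasons.append(f"blocked domain {domain}")
    # Keywords are matched case-insensitively in the subject and the body.
    text = (str(msg.get("Subject", "")) + "\n" + msg.get_payload()).lower()
    for phrase, weight in KEYWORDS.items():
        if phrase in text:
            score += weight
            reasons.append(f"keyword '{phrase}'")
    return score, reasons


def classify(raw_message: str) -> str:
    return "Junk" if spam_score(raw_message)[0] >= JUNK_THRESHOLD else "Inbox"


def sort_mailbox(raw_messages) -> dict[str, list[str]]:
    """Move each message to Inbox or Junk, returning the subjects in each folder."""
    folders = {"Inbox": [], "Junk": []}
    for raw in raw_messages:
        subject = str(email.message_from_string(raw, policy=policy.default).get("Subject", ""))
        folders[classify(raw)].append(subject)
    return folders
```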

69 Protection: spam. Avoid spam: once your email address is a spam target, there is no eliminating it. Avoid posting your address on web pages. Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when working with unknown or very public sites (e.g. Ebay, MySpace…). You have to look through your Junk email occasionally to find mis-labeled email! The more “public” your email address, the less you can filter without false positives.

70 Protection: spam. Jim’s thoughts: Outlook 2007 is not bad; Andrew likes the new Thunderbird; several clients like Inboxer; several clients like Norton AntiSpam; several clients like their ISP’s filtering, but the user must check junk on the web site; dial-up: ISP filtering.

71 Protection: Operating System updates. Most updates are security patches, not functionality enhancements! Get them only through Windows Updates! I do not recommend using driver updates through Windows Updates!

72 Protection: Application updates. Browsers, email applications, instant messaging applications, etc. all need security patches!

73 Protection: Application updates. Application: source of updates.
AOL IM: www.aim.com
Internet Explorer: Windows Updates
Microsoft Messenger: Windows Updates
Mozilla Firefox: www.mozilla.com (Help)
Opera: www.opera.com (?)
Outlook Express: Windows Updates
Thunderbird email: www.mozilla.com (Help)
Windows Mail (Vista): Windows Updates
Yahoo IM: www.yahoo.com

74 Vulnerability: Internet (World Wide Web): Firewall; Windows updates; Application updates.

75 Vulnerability: WWW (World Wide Web): Virus protection; Spyware protection.

76 Vulnerability: Email: Virus protection; Spam protection.

77 Vulnerability: Instant messaging (IM): Virus protection; turn off file sharing; close buddy list to known contacts.

78 Vulnerability: Gaming: Virus protection; turn off file sharing; close buddy list to known contacts.

79 Vulnerability: Streaming (Audio and Video Streaming): Virus protection.

80 Vulnerability: P2P (Peer to Peer).

81 Layers: onions, ogres & protection.
Protection: Broadband / Dial-up
Hardware firewall: Necessary / n/a
Software firewall: Maybe
Virus protection: Necessary
Spyware protection: Necessary
Spam filtering: Recommended
Operating system patches: Necessary
Browser/email/IM/… patches: Necessary

82 Protection purchasing. Best of breed applications: best possible protection; probably less bloat. Security suite: probably play together better; better pricing; common interface.

83 Protection purchasing: suites. Jim’s picks: Norton Internet Security, Norton 360. PC Magazine Editor’s Choice: Norton 360, ZoneAlarm Internet Security Suite 7. PC World: Norton Internet Security, McAfee Internet Security Suite.

84 Selecting protection.
Do: read reviews from professional, neutral sources; make sure you can understand your subscription’s status; realize you generally get what you pay for; realize that bundled apps are often 30 or 90 day trials and often not installed.
Don’t: use advertising or blogs as your main source of information; use reviews from non-technical sources; run two software firewalls, two anti-virus or two active anti-spyware apps.

85 Protection: Educate your users. Do not open attachments from anyone you don’t know. Suspicious attachments from any known email address may be threats that spoof senders. Security measures are for their benefit; don’t subvert them. Don’t run ActiveX or Java from untrusted or unknown websites. Never click on suspicious ads or popups; always click the Windows Close X when you can. Any connection can bring in threats… home computers logging in for remote work; office laptops connected in public Wi-Fi hotspots; removable storage.

86 Protection: Educate your users. It is much easier to protect yourself than to get clean after an infection. Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem: use a different browser. Jim’s pick: Mozilla Firefox.

87 Protection: Educate your users. Fake Windows Updates.


89 Procedure at C3. Interview client. Possibly start system as is to see symptoms. Remove hard drive and connect to C3 testing systems: prevents threats from going active; improves accuracy of scans for stealth, polymorphic and rootkits. Virus scan (Symantec Antivirus Corporate Edition). Spyware scan (Webroot Spysweeper). Hard drive test (Scandisk or Norton Disk Doctor).

90 Procedure at C3. Clean temp files: Windows\Temp; Windows\Temporary Internet Files; User\Temp; User\Temporary Internet Files; possibly other locations. Research infections. Return hard drive to client’s system.

91 Procedure at C3. Probable: safe mode startup and disable Windows System Restore. Manual cleaning as needed while “disconnected.” All Windows Updates. Probable: installation of appropriate security package. All updates. Full system scan.

92 Procedure at C3. Total time: 2 to 8 hours. Total technician time: 1 to 4 hours.

93 What can you do? Know that Windows cannot diagnose most problems. Know that repairing Windows requires a clean computer. Know when to say “Uncle!” based on your skill level. Know when to say “Uncle!” if a computer cannot be recovered and must be wiped. Backup, Backup, Backup.


95 Non-operating Windows. Boot from the appropriate Windows CD and attempt a repair installation. Must match system: version; Home vs. Professional; Upgrade vs. Retail vs. OEM. Danger: infections may corrupt the system further. You may get “running” until the threat kicks in again and repeats its damage. Pros: desperation – you’re doing something.

96 Non-starting Windows. Safe mode: press F8 (or hold Ctrl) prior to the Windows splash screen. Scan: manual updates? Virus scanner, spyware scanner. Document, research, follow necessary instructions. Limit startups. Most threats are inactive in safe mode. You may be able to download scanner updates manually on another computer and install them. Warning: more threats successfully hide themselves in safe mode.

97 Safe mode. F8 during startup. Most drivers and the network are not running. Often, you must log on as administrator.

98 Manual virus definition update. Highly dependent on the application manufacturer. An expired subscription may not allow use of manual update.

99 Limit startups. Start, Run, Msconfig; Services and Startup tabs. Turn off anything that you don’t recognize, especially “random” names. Google the names. Restart.

100 Operating Windows. Backup. Document! Virus scan: update installed app, or online scanner, or install new app. Spyware scan (or 2): update installed app, or online scanner, or install new app. Research infections. Manual attack and tools: follow instructions! Take your time! All Windows Updates. Install appropriate security. All updates. Scan. Scan your backup.

101 Update virus scanner. Particular to the application. Many threats will attempt to subvert the connection. Subscription must be active.

102 Online scanners (virus & spyware). Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp. Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A. Trend Micro: housecall.trendmicro.com/

103 I want a real antivirus – now! Many vendors have demo downloads, e.g. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package. Delete – don’t quarantine. When macro viruses were the rage, quarantine was a method to recover infected documents.

104 My antivirus isn’t playing! Try updating. Attempt a repair installation. If you bought your security online, via download, copy it to CD for semi-permanent archival! Realize all security applications “get old.” Uninstall and reinstall. Need RAM?

105 Research infections. Symantec Threat Explorer: www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp. Google: www.google.com. Scumware: http://scumware.com/

106 Disable System Restore. Right-click My Computer, Properties, System Restore tab, check “Turn off System Restore,” OK.

107 Registry Editor. Start, Run, Regedit, OK. Procedure: Backup! Navigate. Nuking the bad guys.

108 Removal tools. CWShredder: www.cwshredder.net. Major Geeks: www.majorgeeks.com/downloads16.html

109 System cleaning. Eliminate temporary files: Start, All Programs, Accessories, System Tools, Disk Cleanup.

110 System cleaning. Defragment your hard drive: Start, All Programs, Accessories, System Tools, Disk Defragmenter.

111 System cleanup. Internet Explorer automatically clearing cache: Internet Explorer, Tools, Internet Options…, Advanced tab, Security section, check “Empty Temporary Internet Files when browser is closed.”

112 Know when… your last backup was made; where your system and application CDs are; you’re over your head; you’re wasting your time; your Windows is toast.

113 Worthwhile freebies. Virus scanners: AVG – www.grisoft.com; Avast – www.avast.com. Spyware scanners: Spybot Search and Destroy – www.safer-networking.org/en/index.html. Discovery tools: Hijack This – www.merijn.org

114 Web privacy

115 Web privacy. Google is not the problem. Google is just one way to find this kind of data. Blocking this data on Google will not block other search engines. All of this is in the phone book, and then I can go to any mapping application.

116 Email Hijack.
From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM
Good Morning Jim: I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CCd who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM, and can someone access confidential information that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx, Administrative Assistant, Xxxxxxxxx Coordinator, Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.

117 Email Hijack. Not hijacked – spoofed! Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was: your computer or server; your email server; the recipient’s email host; the recipient’s computer or server.

118 Email Spoofing application. It peruses my email and randomly grabs xyz’s message, makes a copy, probably alters the message somewhat, attaches the virus or whatever its “payload” is, reuses all original email addresses in the To, CC and BCC, maybe adds some more addresses, maybe randomly generates more email addresses, and starts sending itself out. XYZ may get a copy of her message back…

119 Urban myths

120 Resources: Independent antivirus testing. www.av-test.org; www.icsalab.com; www.virusbtn.com

121 Resources: Reviews. www.pcmag.com, http://www.pcmag.com/category2/0,1874,4829,00.asp; www.pcworld.com, http://www.pcworld.com/tc/spyware/

122 Resources: Other sources. www.geeksonwheels.com; www.pcmag.com/encyclopedia/; www.snopes.com; www.sunbelt-software.com; http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm; www.webroot.com; www.wikipedia.org

