------------------------------------------------

Security and systems design

Most current real-world computer security effort focuses on external threats, and generally treats the computer system itself as a trusted system. Some knowledgeable observers consider this a disastrous mistake, and point out that this distinction is the cause of much of the insecurity of current computer systems - once an attacker has subverted one part of a system without fine-grained security, he or she usually has access to most or all of the features of that system. Because computer systems are very complex, and cannot be guaranteed to be free of defects, this security stance tends to produce insecure systems.

The trusted systems approach has been predominant in the design of many Microsoft software products, due to the long-standing Microsoft policy of emphasizing functionality and 'ease of use' over security. Microsoft claims that this is the result of consumer choice. Since Microsoft products currently dominate the desktop and home computing markets, this has led to unfortunate effects. However, the problems described here derive from the security stance taken by software and hardware vendors generally, rather than the failing of a single vendor. Microsoft is not out of line in this respect; it is just far more prominent because of its consumer market share, so its mistakes are more pervasive.

------------------------------------------------

Financial cost

Severe financial damage has been caused by computer security breaches, but estimating reliable costs is quite difficult. Figures in the billions of dollars have been quoted in relation to the damage caused by malware such as computer worms like the Code Red worm, but such estimates are likely exaggerated. However, other losses, such as those caused by the compromise of credit card information, can be more easily determined, and they have been substantial.

------------------------------------------------

Reasons

There are many similarities (yet many fundamental differences) between computer and physical security. Just like real-world security, the motivations for breaches of computer security vary between attackers, sometimes called hackers or crackers. Some are teenage thrill-seekers or vandals (the kind often responsible for defacing web sites); similarly, some web site defacements are done to make political statements.

However, some attackers are highly skilled and motivated, with the goal of compromising computers for financial gain or espionage. An example of the latter is Markus Hess, who spied for the KGB and was ultimately caught because of the efforts of Clifford Stoll, who wrote an amusing and accurate book, The Cuckoo's Egg, about his experiences.

For those seeking to prevent security breaches, the first step is usually to attempt to identify what might motivate an attack on the system, how much the continued operation and information security of the system are worth, and who might be motivated to breach it. The precautions required for a home PC are very different from those of a bank's Internet banking system, and different again for a classified military network.

Other computer security writers suggest that, since an attacker using a network need know nothing about you or what you have on your computer, attacker motivation is inherently impossible to determine beyond guessing. If true, blocking all possible attacks is the only plausible action to take.

------------------------------------------------

Vulnerabilities

To understand something about techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it.

These threats can typically be classified into a number of categories:

  • Code exploits: Software flaws are often exploited to gain control of a computer, or to cause it to operate in an unexpected manner. Many development methodologies rely on testing to ensure the quality of any code released; this process often fails to discover extremely unusual potential exploits. Code exploits often come in the form of Trojan horses, for example non-executable media files crafted so that the application which opens them behaves unexpectedly.

  • Eavesdropping: Any data that is transmitted over a network is at some risk of being intercepted, or even modified, by a malicious person. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware, as studied under TEMPEST. The FBI's proposed Carnivore program was intended to act as a system of eavesdropping protocols built into the systems of internet service providers.

  • Social engineering and human error: A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them.

  • Denial of service attacks: Denial of service attacks differ slightly from those listed above, in that they are not primarily a means to gain unauthorized access or control of a system. They are instead designed to overload the capabilities of a machine or network, and thereby render it unusable. This type of attack is, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only of small pieces of code.

  • Indirect attacks: Attacks in which one or more of the attack types above are launched from a third party computer which has been taken over remotely. The term usually used is 'zombified'. By using someone else's computer to launch an attack, it becomes far more difficult to track down the actual attacker.

  • Backdoors: Methods of bypassing normal authentication or giving remote access to a computer to somebody who knows about the backdoor, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be in the form of an existing "legitimate" program, or executable file.

Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of computer programs (within very limited circumstances) though the likelihood of actually achieving this in large-scale practical systems is regarded as unlikely in the extreme by most with practical experience in the industry -- see Bruce Schneier et al.

It's also possible to protect messages in transit (i.e., communications) by means of cryptography. One method of encryption, the one-time pad, has been proven to be unbreakable when correctly used. This method was used effectively by the Soviet Union during the Cold War (see Venona Project), and uses a matching pair of key-codes, securely distributed, which are used once and only once to encode and decode a single message. For transmitted computer encryption this method is difficult to use properly (securely), and highly inconvenient as well. Other methods of encryption, while breakable in theory, are often virtually impossible to break directly by any means publicly known today. Breaking them requires some non-cryptographic input, such as a stolen key, stolen plaintext (at either end of the transmission), or some other extra cryptanalytic information.

Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Even in a highly disciplined environment, such as in military organizations, social engineering attacks can still be difficult to foresee, and thereby prevent.

In practice, only a small fraction of computer program code is mathematically proven, or even goes through extensive security audits, so it's usually possible for a determined cracker to read, copy, alter or destroy data in well secured computers. You can reduce a cracker's chances by keeping your systems up to date, using a security scanner and/or hiring competent people responsible for security. The effects of data loss/damage can be reduced by careful backing up and insurance.

------------------------------------------------

Security measures

A state of computer "security" is the conceptual ideal, attained by the use of three processes:

  • Prevention
  • Detection
  • Response

User account access controls and cryptography can protect systems files and data, respectively.

Firewalls are by far the most common prevention systems from a network security perspective as they can (if properly configured) block the normal packet types, preventing some kinds of attacks.

Intrusion Detection Systems (IDSs) are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.

"Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, a complete destruction of the system is favored.

Today, computer security comprises mainly "preventive" measures, like firewalls or an Exit Procedure. We could liken a firewall to the building of a good fence around your warehouse. Firewalls are common amongst machines that are permanently connected to the internet (though not universal, as demonstrated by the large numbers of machines "cracked" by worms like the Code Red worm which would have been protected by a properly-configured firewall). However, relatively few organisations maintain computer systems with effective detection systems, and fewer still have organised response mechanisms in place.

  • Difficulty with response

Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is often very difficult for a variety of reasons:

Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they attempt to breach, and operate through proxies, temporary anonymous dial-up accounts, and other anonymising procedures which make backtracing difficult and are often located in yet another jurisdiction. If they successfully breach security, they are often able to delete logs to cover their tracks.

The sheer number of attempted attacks is so large that organisations cannot spend time pursuing each attacker (a typical home user with a permanent (e.g., cable modem) connection will be attacked at least several times per day, so more attractive targets could be presumed to see many more).

Law enforcement officers are often unfamiliar with information technology, and so lack the skills and interest in pursuing attackers, although with new laws and legislative bills being passed this is rapidly changing.

  • Further reading

Computer security is a highly complex field, and is relatively immature. The ever-greater amounts of money dependent on electronic information make protecting it a growing industry and an active research topic.

There is an extensive culture associated with electronic security; see electronic underground community.

------------------------------------------------

Stopping e-mail abuse

E-mail has become the subject of much abuse, in the form of both spamming and E-mail worm programs. Both of these flood the in-boxes of E-mail users with junk E-mails, wasting their time and money, and often carrying offensive, fraudulent, or damaging content. This article describes the efforts being made to stop E-mail abuse and ensure that E-mail continues to be usable in the face of these threats.

  • Defense against spam

There are a number of services and software systems that mail sites and users can use to reduce the load of spam on their systems and mailboxes. Some of these depend upon rejecting email from Internet sites known or likely to send spam. Others rely on automatically analyzing the content of email messages and weeding out those which resemble spam. These two approaches are sometimes termed blocking and filtering.

Blocking and filtering each have their advocates and advantages. While both reduce the amount of spam delivered to users' mailboxes, blocking does much more to alleviate the bandwidth cost of spam, since spam can be rejected before the message is transmitted to the recipient's mail server. Filtering tends to be more thorough, since it can examine all the details of a message. Many modern spam filtering systems take advantage of machine learning techniques, which vastly improve their accuracy over manual methods. However, some people find filtering intrusive to privacy, and many mail administrators prefer blocking to deny access to their systems from sites tolerant of spammers.

  • Spam blocking and filtering techniques

DNSBLs

DNS-based Blackhole Lists, or DNSBLs, are a blocking technique, whereby a site publishes lists of IP addresses via the DNS, in such a way that mail servers can easily be set to reject mail from those addresses. There are literally scores of DNSBLs, each of which reflects different policies: some list sites known to emit spam; others list open mail relays or proxies; others, such as SPEWS, list ISPs known to support spam.

For history and details on DNSBLs, see DNSBL.
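The lookup described above, as an added example that is not code from the page or from any real DNSBL: the client's IPv4 octets are reversed and prefixed to the list's zone, the A records returned are the list's own 127.0.0.x return codes (their meaning is defined per list), and the list is self-checked the way RFC 5782 prescribes before it is trusted. The zone name dnsbl.example, its data and the two resolver functions are constructed; in production a DNS library would perform the query.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets of the client IP reversed, then the zone.
    '192.0.2.25' in zone 'dnsbl.example' -> '25.2.0.192.dnsbl.example'."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone, resolve):
    """Return the 127.0.0.x return codes the list publishes for ip, or [] if not listed.
    resolve(name) is any function returning the A records for a name ([] for NXDOMAIN)."""
    return [a for a in resolve(dnsbl_query_name(ip, zone)) if a.startswith("127.0.0.")]


def list_is_sane(zone, resolve):
    """RFC 5782 self-check: 127.0.0.2 must be listed and 127.0.0.1 must never be.
    A list that fails this has shut down or been wildcarded and must not be trusted."""
    return (bool(dnsbl_lookup("127.0.0.2", zone, resolve))
            and not dnsbl_lookup("127.0.0.1", zone, resolve))


def connection_policy(client_ip, zone, resolve):
    """Decision for an incoming SMTP connection: ('reject', reason) or ('accept', None)."""
    if not list_is_sane(zone, resolve):
        return ("accept", None)                # broken list: fail open rather than reject all mail
    codes = dnsbl_lookup(client_ip, zone, resolve)
    if codes:
        return ("reject", f"{client_ip} listed in {zone} ({', '.join(codes)})")
    return ("accept", None)


# Constructed zone data for an imaginary list 'dnsbl.example' (not a real DNSBL).
ZONE = "dnsbl.example"
ZONE_DATA = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],                 # mandatory test entry
    "25.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.4"],   # a listed host, two return codes
}


def good_resolver(name):
    """Stand-in for a DNS query against a healthy list."""
    return ZONE_DATA.get(name, [])


def wildcarded_resolver(name):
    """Models a dead list whose zone now answers 'listed' for every query."""
    return ["127.0.0.2"]


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.1"):
        print(ip, connection_policy(ip, ZONE, good_resolver))
    print("dead list:", connection_policy("192.0.2.25", ZONE, wildcarded_resolver))
```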

  • Content-based filtering

Until recently, content filtering techniques relied on mail administrators specifying lists of words or regular expressions disallowed in mail messages. Thus, if a site receives spam advertising "herbal Viagra", the administrator might place these words in the filter configuration. The mail server would thence reject any message containing the phrase.

Content-based filtering can also filter based on content other than the words and phrases that make up the text of the message. Primarily, this means looking at the headers of the email, the part of the message that contains information about the message, and not the text of the message. Spammers will often spoof headers in order to hide their identities, or to try to make the email look more legitimate than it is; many of these spoofing methods can be detected. Also, spam sending software often produces headers that violate the RFC 2822 standard on how email headers are supposed to be formed.

Disadvantages of this static filtering are threefold: First, it is time-consuming to maintain. Second, it is prone to false positives. Third, these false positives are not equally distributed: manual content filtering is prone to reject legitimate messages on topics related to products advertised in spam. A system administrator who attempts to reject spam messages which advertise mortgage refinancing may easily inadvertently block legitimate mail on the same subject.

Finally, spammers can change the phrases and spellings they use, or employ methods to try to trip up phrase detectors. This means more work for the administrator. However, it also has some advantages for the spam fighter. If the spammer starts spelling "Viagra" as "V1agra" (see leet) or "Via_gra", it makes it harder for the spammer's intended audience to read their messages. If they try to trip up the phrase detector, by, for example, inserting an invisible-to-the-user HTML comment in the middle of a word ("Via<---->gra"), this sleight of hand is itself easily detectable, and is a good indication that the message is spam. And if they send spam that consists entirely of images, so that anti-spam software can't analyze the words and phrases in the message, the fact that it is image only can be detected.

  • Statistical filtering

Statistical filtering was first proposed in 1998 by Mehran Sahami, et al., at the AAAI-98 Workshop on Learning for Text Categorization. A statistical filter is a kind of text classification system, and a number of machine learning researchers have turned their attention to the problem. Statistical filtering was popularized by Paul Graham's influential 2002 article, which used Naive Bayesian classification to predict whether messages are spam or not -- based on collections of spam and nonspam ("ham") email submitted by users.

Statistical filtering, once set up, requires no maintenance per se: instead, users mark messages as spam or nonspam and the filtering software learns from these judgements. Thus, a statistical filter does not reflect its author's or administrator's biases as to content, but it does reflect the user's biases as to content; a biochemist who is researching Viagra won't have messages containing the word "Viagra" flagged as spam, because "Viagra" will show up often in his or her legitimate messages. It can also respond quickly to changes in spam content, without administrative intervention.

Spammers have attempted to fight statistical filtering by invisibly inserting many random but valid words into their messages, making it more likely that the filter will classify the message as neutral; they make the words invisible by giving them a very tiny font, by making the words the same color as the background, or both. However, these countermeasures seem to have been largely ineffective.
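As an added example (not code from the page, from Graham's article or from any of the programs named below), the classifier below implements the Naive Bayesian scheme described here in Python: per-token spam probabilities are learned from user-labelled messages (ham counts doubled, as in Graham's 2002 article, to bias against false positives), and the fifteen most decisive tokens of a new message are combined. The corpus and messages are constructed, and the last part plays out the padding countermeasure: the padded spam slips through until the user marks one copy as spam, after which the next padded copy is caught.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lower-case the message and return the set of distinct tokens in it."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayesian spam filter in the style of Graham's 2002 article."""

    def __init__(self, top_n=15, threshold=0.9):
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0
        self.top_n = top_n
        self.threshold = threshold

    def train(self, text, is_spam):
        """Learn from one message the user has marked as spam or ham."""
        tokens = tokenize(text)
        if is_spam:
            self.spam_tokens.update(tokens)
            self.n_spam += 1
        else:
            self.ham_tokens.update(tokens)
            self.n_ham += 1

    def token_probability(self, token):
        """P(spam | token), clamped to [0.01, 0.99]; None for a token never seen."""
        b = self.spam_tokens[token]
        g = 2 * self.ham_tokens[token]   # ham counted twice to bias against false positives
        if b + g == 0 or self.n_spam == 0 or self.n_ham == 0:
            return None
        bad = min(1.0, b / self.n_spam)
        good = min(1.0, g / self.n_ham)
        return max(0.01, min(0.99, bad / (good + bad)))

    def score(self, text):
        """Combined spam probability of a message, in [0, 1]."""
        probs = []
        for token in tokenize(text):
            p = self.token_probability(token)
            if p is not None:
                probs.append(p)
        # keep only the tokens whose probability is furthest from 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[: self.top_n]
        if not probs:
            return 0.5
        spam_prod = math.prod(probs)
        ham_prod = math.prod(1.0 - p for p in probs)
        return spam_prod / (spam_prod + ham_prod)

    def is_spam(self, text):
        return self.score(text) > self.threshold


# Constructed training corpus (not real mail): four spams, four hams.
# The hams include a biochemist's legitimate "viagra" message, as in the text.
SPAM_CORPUS = [
    "buy cheap viagra online now, lowest price guaranteed",
    "cheap mortgage refinancing, lowest rates, apply now",
    "make money fast, guaranteed income, click here now",
    "viagra and cialis at lowest price, order online today",
]
HAM_CORPUS = [
    "meeting moved to thursday, please bring the quarterly report",
    "the viagra study protocol is attached, review before thursday",
    "can you review my patch for the parser before the release",
    "lunch on friday? the usual place at noon",
]

SPAM_MSG = "cheap viagra at lowest price, order now"
HAM_MSG = "the viagra study results are attached for review"
# The spammer countermeasure from the text: valid-looking ham words padded in invisibly.
PADDING = " thursday report parser lunch friday meeting"
PADDED_SPAM_1 = SPAM_MSG + PADDING
PADDED_SPAM_2 = "lowest price viagra, order online now" + PADDING


def build_filter():
    f = BayesFilter()
    for msg in SPAM_CORPUS:
        f.train(msg, is_spam=True)
    for msg in HAM_CORPUS:
        f.train(msg, is_spam=False)
    return f


def demo():
    """Scores before and after the user marks one padded spam as spam."""
    f = build_filter()
    out = {"spam": f.score(SPAM_MSG), "ham": f.score(HAM_MSG),
           "padded_before": f.score(PADDED_SPAM_1)}
    f.train(PADDED_SPAM_1, is_spam=True)   # one "this is spam" click by the user
    out["padded_after"] = f.score(PADDED_SPAM_2)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value:.4f}")
```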

Software programs that implement statistical filtering include Bogofilter, the e-mail programs Mozilla and Mozilla Thunderbird, and later revisions of SpamAssassin. Another interesting project is CRM114, which hashes phrases and does Bayesian classification on the phrases.

Popfile is another option; it sorts mail into as many categories as you want (family, friends, co-workers, spam, whatever) using Bayesian filtering.

  • Checksum-based filtering

Checksum-based filtering takes advantage of the fact that, for any individual spammer, all of the messages he or she sends out will be mostly identical, the only differences being web bugs, and the places where the text of the message contains the recipient's name or email address. Checksum-based filters strip out everything that might vary between messages, reduce the remainder to a checksum, and compare it to a database which collects the checksums of messages that email recipients consider to be spam (some people have a button on their email client which they can click to nominate a message as being spam); if the checksum is in the database, the message is likely to be spam.

The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish -- known as hashbusters -- into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software.
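The scheme just described, as an added example in Python that is not code from the page, from DCC or from Razor: per-recipient parts (greeting, address, tracking query strings, the web bug) are stripped before hashing, so every copy of one spam run collapses to one checksum that users' "this is spam" reports accumulate against; the final message shows the hashbuster problem, where a few bytes of gibberish give the copy a checksum nobody has reported. The spam template, recipients and clearinghouse are all constructed.

```python
import hashlib
import re

WEB_BUG_RE = re.compile(r"<img\b[^>]*>", re.I)                   # tracking pixels carry per-recipient ids
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
URL_QUERY_RE = re.compile(r"(https?://[^\s\"'?]+)\?[^\s\"']*")   # drop per-recipient query strings
WS_RE = re.compile(r"\s+")


def normalize(body, recipient_name, recipient_addr):
    """Strip everything that legitimately varies between copies of one spam run."""
    text = WEB_BUG_RE.sub("", body)
    text = text.replace(recipient_addr, "").replace(recipient_name, "")
    text = EMAIL_RE.sub("", text)
    text = URL_QUERY_RE.sub(r"\1", text)
    return WS_RE.sub(" ", text).strip().lower()


def checksum(body, recipient_name, recipient_addr):
    normalized = normalize(body, recipient_name, recipient_addr)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class Clearinghouse:
    """Shared database of checksums that recipients have nominated as spam."""

    def __init__(self, min_reports=2):
        self.reports = {}            # checksum -> number of independent reports
        self.min_reports = min_reports

    def report(self, body, recipient_name, recipient_addr):
        key = checksum(body, recipient_name, recipient_addr)
        self.reports[key] = self.reports.get(key, 0) + 1

    def is_known_spam(self, body, recipient_name, recipient_addr):
        key = checksum(body, recipient_name, recipient_addr)
        return self.reports.get(key, 0) >= self.min_reports


# Constructed spam template (not a real message): personalised greeting, tracked link, web bug.
TEMPLATE = """Dear {name},
Lowest price mortgage refinancing! Apply at http://example.invalid/apply?u={uid}
<img src="http://example.invalid/bug.gif?id={uid}" width="1" height="1">
This offer was sent to {addr}."""


def spam_copy(name, addr, uid, hashbuster=""):
    """One recipient's copy; hashbuster is the unique gibberish spammers add to defeat checksums."""
    return TEMPLATE.format(name=name, addr=addr, uid=uid) + hashbuster


def demo():
    db = Clearinghouse()
    alice = spam_copy("Alice", "alice@example.net", "a1")
    bob = spam_copy("Bob", "bob@example.org", "b2")
    db.report(alice, "Alice", "alice@example.net")   # two users click "this is spam"
    db.report(bob, "Bob", "bob@example.org")
    carol = spam_copy("Carol", "carol@example.com", "c3")
    dave = spam_copy("Dave", "dave@example.com", "d4", hashbuster="\nxq7zv kp3ld")
    return {
        "same_checksum": checksum(alice, "Alice", "alice@example.net")
                         == checksum(bob, "Bob", "bob@example.org"),
        "carol_caught": db.is_known_spam(carol, "Carol", "carol@example.com"),
        "dave_caught": db.is_known_spam(dave, "Dave", "dave@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```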

Checksum based filtering methods include:

  • Distributed Checksum Clearinghouse

  • Vipul's Razor


  • Protocol extensions

A number of proposals and specifications have been written to extend the SMTP protocol to avoid spam, including:

  • Sender Permitted From (SPF)

  • Trusted Email Open Standard (TEOS)

  • Tripoli protocol

Messages certified as not being spam:

There are several third-party organizations which guarantee that certain messages aren't spam, and have the means to prevent spammers from fraudulently using their system, by fining or suing them, for example. Administrators can use this to let through messages that would otherwise be filtered or blocked as spam, thus reducing the false positive rate.

Organizations that implement such systems include:

  • Habeas Sender Warranted Email

  • Bonded Sender


  • Heuristic filtering

Heuristic filtering, such as is implemented in the program SpamAssassin, uses some or all of the various tests for spam mentioned above, and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above a fixed value, the message is rejected or flagged as spam. By ensuring that no single spam test by itself can flag a message as spam, the false positive rate can be greatly reduced.
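An added example in Python, not code from the page or from SpamAssassin, combining the content-based tests described earlier (missing RFC 2822 headers, a word split by an invisible HTML comment, tiny-font padding, an image-only body, a static blocked phrase) into the scoring scheme described here: each test carries illustrative points of my own choosing, the points are tallied, and only a total at or above the threshold flags the message, so no single test can do so alone. The three messages are constructed; note that the legitimate mortgage mail and the image-only mail each trip one test yet stay below the threshold.

```python
import re
from email import message_from_string

THRESHOLD = 5.0

# Phrases an administrator would have put in a static word filter.
BLOCKED_PHRASES = ["herbal viagra", "mortgage refinancing"]

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")
COMMENT_SPLIT_RE = re.compile(r"[A-Za-z]<!--.*?-->[A-Za-z]", re.S)   # e.g. "Via<!---->gra"
TINY_FONT_RE = re.compile(r"font-size\s*:\s*[01](px|pt)|<font[^>]+size=[\"']?[01][\"']?", re.I)


def body_text(msg):
    """Decoded text of the message body (first text part of a multipart message)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_maintype() == "text":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def visible_text(html):
    """What the recipient would see: comments and tags removed, so split words rejoin."""
    return TAG_RE.sub("", COMMENT_RE.sub("", html))


# (name, points, check); the weights are illustrative, not SpamAssassin's.
TESTS = [
    ("missing_date", 2.0, lambda msg, body: "Date" not in msg),          # RFC 2822 requires Date:
    ("missing_message_id", 1.0, lambda msg, body: "Message-ID" not in msg),
    ("blocked_phrase", 3.0,
     lambda msg, body: any(p in visible_text(body).lower() for p in BLOCKED_PHRASES)),
    ("comment_split_word", 3.0, lambda msg, body: COMMENT_SPLIT_RE.search(body) is not None),
    ("tiny_font_text", 2.0, lambda msg, body: TINY_FONT_RE.search(body) is not None),
    ("image_only", 3.0,
     lambda msg, body: "<img" in body.lower() and not visible_text(body).strip()),
]


def score_message(raw):
    """Run every test; return (total score, list of (test name, points) that fired)."""
    msg = message_from_string(raw)
    body = body_text(msg)
    fired = [(name, pts) for name, pts, check in TESTS if check(msg, body)]
    return sum(pts for _, pts in fired), fired


def is_spam(raw):
    return score_message(raw)[0] >= THRESHOLD


# Constructed messages (not real mail). Spam: no Date/Message-ID, split words, tiny font.
SPAM_RAW = """From: "Best Offers" <offers@example.invalid>
To: victim@example.net
Subject: Hot deal
Content-Type: text/html

<html><body>Her<!-- x -->bal Vi<!---->agra at lowest price!
<font size="1">meeting report thursday</font>
</body></html>
"""

IMAGE_SPAM_RAW = """From: x@example.invalid
To: victim@example.net
Subject: look
Date: Mon, 1 Mar 2004 10:00:00 +0000
Message-ID: <1@example.invalid>
Content-Type: text/html

<html><body><img src="http://example.invalid/ad.gif"></body></html>
"""

HAM_RAW = """From: alice@example.org
To: bob@example.net
Subject: Re: mortgage refinancing paperwork
Date: Tue, 2 Mar 2004 09:30:00 +0000
Message-ID: <abc@example.org>
Content-Type: text/plain

Bob, the mortgage refinancing forms are signed; see you thursday.
"""
```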

Tarpits and Honeypots:

A tarpit is any server software which intentionally responds pathologically slowly to client commands. A honeypot is a server which attempts to attract attacks. Some mail administrators operate tarpits to impede spammers' attempts at sending messages, and honeypots to detect the activity of spammers. By running a tarpit which appears to be an open mail relay, or which treats acceptable mail normally and known spam slowly, a site can slow down the rate at which spammers can inject messages into the mail facility.

One tarpit design is the teergrube, whose name is simply German for "tarpit." This is an ordinary SMTP server which intentionally responds very slowly to commands. Such a system will bog down SMTP client software, as further commands cannot be sent until the server acknowledges the earlier ones. Several SMTP MTAs, including Postfix, have a teergrube capacity built in: when confronted with a client session which causes errors such as spam rejections, they will slow down their responding.

Another design for tarpits directly controls the TCP/IP protocol stack, holding the spammer's network socket open without allowing any traffic over it. By reducing the TCP window size to zero, but continuing to acknowledge packets, the spammer's process may be tied up indefinitely. This design is more difficult to implement than the former. Aside from anti-spam purposes, it has also been used to absorb attacks from network worms.

A third design is simply an imitation MTA which gives the appearance of being an open mail relay. Spammers who probe systems for open relay will find such a host and attempt to send mail through it, wasting their time. Such a system may simply discard the spam attempts, submit them to DNSBLs, or store them for analysis. It may also selectively deliver relay test messages to give a stronger appearance of open relay. SMTP honeypots of this sort have been suggested as a way that end-users can interfere with spammers' activities.

Spammers also abuse open proxies, and open proxy honeypots (proxypots) are also used. Ron Guilmette reported in 2003 that he succeeded in getting over 100 spammer accounts terminated in under 3 months, using his network (of unspecified size) of proxypots.

Unlike most other anti-spam techniques, tarpits and honeypots work at the relay (or proxy) level. They work by targeting spammer behavior rather than targeting spam content.

Note also that there is some terminological confusion. Some people refer to spamtraps as honeypots. In this context a spamtrap is an email address created specifically to attract spam. These run at the destination level rather than at the relay or proxy level.

Challenge-response systems:

Another method which may be used by internet service providers (or by specialized services) to combat spam is to require unknown senders to pass various tests before their messages are delivered. These strategies are termed challenge-response systems or C/R, and are currently controversial among email programmers and system administrators.

One example of a challenge-response system is a "captcha" test, in which a mail sender is required to view an image containing a word or phrase, and respond with that word or phrase in text. The purpose of this is to ensure that automated systems (incapable of reading the image) cannot transmit email.

Critics of C/R systems have raised several issues regarding their usefulness as an email defense:

Some kinds of C/R system, such as captchas, discriminate against the disabled. A blind person can send and receive textual email (using a braille terminal, for instance), but cannot see an image and read text from it. A blurry image intended to defeat optical character recognition software may be impossible to read for sighted but visually impaired persons.

C/R systems interact badly with mailing list software. If a person subscribed to a mailing list begins to use C/R software, posters to the mailing list may be confronted by large numbers of challenge messages. Many regard these as junk mail equal in annoyance to actual spam. In response, some C/R advocates have suggested that a C/R user must simply "whitelist" mailing lists to which they subscribe -- instructing the C/R software not to challenge their messages.

Some C/R systems interact badly with other C/R systems. If two persons both use C/R and one emails the other, the two C/R systems may become trapped in a loop, each challenging the other, neither one willing to deliver the challenge messages -- or the original message.

A person who disseminates his email address in order that others may easily contact him should not (critics say) subsequently challenge those persons' messages. For instance, if a person gives a new acquaintance his email address, that acquaintance should expect to be able to send email to that address without "jumping through hoops" laid by a C/R system. Many C/R critics consider it rude to give someone your email address, then require them to play along with C/R software before they can send you mail.

Spammers and viruses send forged messages -- email with other people's addresses in the From headers. A C/R system challenging a forged message will send its challenge to the uninvolved person whose address the spammer put in the spam. This effectively doubles the amount of unwanted email being distributed. Indeed, some argue that using a C/R system means sending unsolicited, bulk email (challenges to forged spam) to all those people whose addresses are forged in spam.

Nevertheless, users report C/R systems are extremely effective at eliminating spam, even for addresses that receive hundreds of spam messages per day. With C/R systems, the only spam that gets delivered is spam that has been personally authorized by the spammer.

------------------------------------------------

Spam Tips for Users

Aside from installing client-side filtering software, end users can protect themselves from the brunt of spam's impact in numerous other ways.

  • Address munging

One way that spammers obtain email addresses to target is to trawl the Web and Usenet for strings which look like addresses. Thus, if one's address is never listed on these fora, they cannot find it. Posting anonymously, or with an entirely faked name and address, is one way to avoid this "address harvesting". Users who want to receive legitimate email regarding their posts or Web sites can alter their addresses in some way that humans can figure out but spammers haven't (yet). For instance, joe@example.net might post as joeNOS@PAM.example.net, or display his email address as an image instead of text. This is called address munging, from the jargon word "mung" meaning to break.

Address munging does not, however, evade so-called "dictionary attacks" in which the spammer generates a number of likely-to-exist addresses out of names and common words. For instance, if there is someone with the address adam@example.com, where 'example.com' is a popular ISP or mail provider, it is likely that he frequently receives spam.

  • Disposable e-mail addresses

Many email users sometimes need to give an address to a site without complete assurance that the site will not spam, or leak the address to spammers. One way to mitigate the risk of spam from such sites is to provide a disposable email address -- a temporary address which forwards email to your real account, but which you can disable or abandon whenever you see fit.

A number of services, such as Spamgourmet, provide disposable address forwarding. Addresses can be manually disabled, can expire after a given time interval, or can expire after a certain number of messages have been forwarded.

  • Defeating Web bugs and JavaScript

Many modern mail programs incorporate Web browser functionality, such as the display of HTML and images. This can easily expose the user to pornographic or otherwise offensive images in spam. In addition, spam written in HTML can contain JavaScript programs to direct the user's Web browser to an advertised page, or to make the spam message difficult or impossible to close or delete. In some cases, spam messages have contained attacks upon security vulnerabilities in the HTML renderer, using these holes to install spyware. (Some computer viruses are borne by the same mechanisms.)

Users can defend against these methods by using mail clients which do not display HTML or attachments, or by configuring their clients not to display these by default.

  • Avoiding responding to spam

It is well established that some spammers regard responses to their messages -- even responses which say "Don't spam me" -- as confirmation that an email address refers validly to a reader. Likewise, many spam messages contain Web links or addresses which the user is directed to follow to be removed from the spammer's mailing list. In several cases, spam-fighters have tested these links and addresses and confirmed that they do not lead to the recipient address's removal -- if anything, they lead to more spam.

In Usenet, it is widely considered even more important to avoid responding to spam. Many ISPs have software that seeks out and destroys duplicate messages. Often someone sees a spam and responds to it before it's cancelled by their server. This can have the effect of reposting the spammer's spam for them... and since it's not just a duplicate, this reposted copy will actually last longer.

In late 2003, the FCC launched a public relations campaign to encourage email users to simply never respond to a spam email -- ever. This campaign stemmed from the tendency of casual email users to reply to spam, in order to complain about the spam and ask the spammer to stop sending spam. This has the effect of alerting spammers to the existence of a person who actually reads spam email, and it has the effect of increasing spam rather than stopping it.

  • Reporting spam

The majority of ISPs explicitly forbid their users from spamming, and eject from their service users who are found to have spammed. Tracking down a spammer's ISP and reporting the offense often leads to the spammer's service being terminated. Unfortunately, it can be difficult to track down the spammer -- and while there are some online tools to assist, they are not always accurate.

Two such online tools are SpamCop and Network Abuse Clearinghouse. Both provide automated or semi-automated means to report spam to ISPs. Some spam-fighters regard them as inaccurate compared to what an expert in the email system can do; however, most email users are not experts.

  • Defense against email worms

In the past several years, scores of worm programs have used email systems as a conduit for infection. The worm program transmits itself in an email message, usually as a MIME attachment. In order to infect a computer, the executable worm attachment must be opened. In almost all cases, this means the user must click on the attachment. The worm also requires a software environment compatible with its programming.

  • Email users can defend against worms in a number of ways, including:

Avoiding email client software which supports executable attachments. The most frequently-targeted client software for email worms is Microsoft Outlook and Outlook Express, both of which can easily be made to open executable attachments. However, other Windows-based email software is not immune to worms.

Using an operating system which does not provide an environment compatible with present worms. Essentially all current email worms affect only the Microsoft Windows operating system. They cannot execute on Macintosh, Unix, Linux, or other operating systems. In some cases, it is conceivable that a worm could be written for one of these systems; however, various security features militate against it.

Using up-to-date anti-virus software to detect incoming worms and quarantine or delete them before they can take effect.

Being skeptical of unsolicited email attachments. Since worms and other email-borne malware arrive in this form, some email users simply refuse to open attachments that the sender has not given them advance notice of.
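The check a mail client or gateway can make before a user ever gets to click an attachment, as an added example that is not part of the original page: it parses a MIME message and reports attachments whose final extension Windows would execute, including double extensions such as "holiday.jpg.scr". The extension list and the sample message are constructed for this example.

```python
import email
from email import policy

# Extensions Windows treats as directly executable when "opened"; this list is
# an assumption made for the example, not something the original page gives.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

# Constructed sample message (not a real worm): a harmless text part plus an
# attachment whose double extension makes it look like a picture.
SAMPLE_MESSAGE = b"""From: friend@example.com
To: you@example.com
Subject: Holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here are the photos you asked for.
--XYZ
Content-Type: application/octet-stream; name="holiday.jpg.scr"
Content-Disposition: attachment; filename="holiday.jpg.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""


def executable_attachments(raw: bytes) -> list:
    """Return filenames of attachments that would run as a program if clicked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last extension matters: "holiday.jpg.scr" is a screensaver
        # executable, however much the ".jpg" in the middle suggests otherwise.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in executable_attachments(SAMPLE_MESSAGE):
        print("executable attachment:", name)
```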


------------------------------------------------

Tools to reduce the impact of spam

Mozilla and the soon-to-be-released Thunderbird: e-mail programs ("clients") with a Bayesian filter, i.e. a filter that keeps learning and is therefore able to adapt to the constantly changing forms of spam.

  • Disposable e-mail accounts

Various types, for registering on web sites etc.

E4ward.com - you can use your own domain name or e4ward.com for your aliases

Sneakemail - the original disposable email address service

spamgourmet - addresses expire after a number of emails, but can be reset or ignored for some senders

jetable - addresses expiring in 1-8 days

  • Making it harder to harvest e-mail addresses

Hide email addresses on web sites from harvesting tools.

  • Tools to filter out spam

SpamPal - free (really) Windows filter with lots of filtering methods; client- or server-side filtering

Bogofilter - Bayesian filter

Spambayes - Bayesian filter especially designed for use with Microsoft Outlook

SpamAssassin - heuristic filter

TMDA - a challenge/response system
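The learning that the Bayesian filters above (in Mozilla, Bogofilter and Spambayes) rely on, as an added example that is not code from any of those projects: a word-frequency naive Bayes classifier whose train() can be called again whenever a new form of spam appears. The training corpus and messages are constructed for this example.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z]+")

def tokens(text: str) -> set:
    """Lowercase words, as a set: each word counts once per message."""
    return set(WORD.findall(text.lower()))

class BayesFilter:
    """Naive Bayes spam filter that can be retrained as new spam arrives."""

    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.spam_msgs = self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        """Learn from one classified message (the 'keeps learning' part)."""
        if is_spam:
            self.spam_words.update(tokens(text))
            self.spam_msgs += 1
        else:
            self.ham_words.update(tokens(text))
            self.ham_msgs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words) from per-word frequencies with +1/+2 smoothing,
        so a word never seen before cannot zero out the whole score."""
        total = self.spam_msgs + self.ham_msgs
        if self.spam_msgs == 0 or self.ham_msgs == 0:
            return 0.5 if total == 0 else float(self.spam_msgs > 0)
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for w in tokens(text):
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_msgs + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        return self.spam_probability(text) >= threshold

# Constructed training corpus (made up for this example, not real mail).
SPAM = ["buy cheap pills online now", "free money click here now",
        "cheap mortgage rates click now", "win free prize click here"]
HAM = ["meeting moved to tuesday afternoon", "can you review the patch",
       "lunch tomorrow with the team", "notes from the security review"]

def build_filter() -> BayesFilter:
    f = BayesFilter()
    for text, is_spam in [(m, True) for m in SPAM] + [(m, False) for m in HAM]:
        f.train(text, is_spam)
    return f
```

With build_filter(), a new form such as "hot stock tip act now" scores about 0.8 (below the 0.9 threshold) until two stock-tip spams are passed to train(), after which it scores above 0.9 while ordinary mail stays well below.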

  • Checksum-based filter

Distributed Checksum Clearinghouse

Vipul's razor

  • Other tools

SpamCop - a place to report spam

Sam Spade - program with tools

  • Services which guarantee messages as not being spam

Habeas Sender Warranted Email

Bonded Sender

  • Protocols for reducing spam

Spam-proofing the mail system; Linux Weekly News; December 17, 2003.


------------------------------------------------

Hoaxes

Virus Hoaxes: Not Just Harmless Pranks

There are a lot of viruses out there. And then there are some viruses that aren't really out there at all. Hoax virus warning messages are more than mere annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real, and truly destructive, virus.

  • Don't let your guard down!

Remember: Never open an email attachment unless you know what it is--even if it comes from someone you know and trust.

Be aware that the people who create viruses can use known hoaxes to their advantage. A good example is the AOL4FREE hoax. This began as a hoax warning about a nonexistent virus. Once it was known that this was a hoax, somebody began to distribute a destructive trojan horse (a trojan horse differs from a virus in that it does not reproduce itself) in a file named AOL4FREE, attached to the original hoax virus warning! The lessons are clear:

  • Always remain vigilant

  • Never open a suspicious attachment


------------------------------------------------

Spyware

Strictly defined, spyware is computer software that gathers information about a computer user without the user's knowledge or informed consent, and then transmits this information to an organisation that expects to be able to profit from it in some way. Data collecting programs installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared.

More broadly, the term spyware is applied to a wide range of related malware products which are not spyware in the strict sense. These products perform many different functions, including the delivery of unrequested advertising (pop-ups in particular), harvesting private information, re-routing page requests to illegally claim commercial site referral fees, and installing stealth phone dialers.

  • Spyware and viruses


Spyware is very similar to a virus, but clearly distinct. In both cases, the program is installed without the user's knowledge or consent. In both cases, system instability is a common result.

A virus, however, is self-replicating: it spreads copies of itself to other computers if it can. Spyware generally is not self-replicating. Where a virus relies on users with poor security habits in order to spread, and spreads so far as possible in an unobtrusive way (in order not to be detected and removed), spyware usually relies on persuading ignorant or credulous users to download and install it by offering some kind of bait. One typical spyware program targeted at children, for example, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!

In reality, it installs itself in such a way that it starts up every time the computer starts (using CPU cycles and RAM, and reducing stability) and runs at all times, monitoring Internet usage and delivering targeted advertising to the child.

A virus generally aims to carry a payload of some kind: in other words, to do some damage to the user's system (such as, for example, deleting certain files). The damage caused by spyware, in contrast, is usually incidental to the primary function of the program. Spyware generally does not damage the user's data files; indeed (apart from the intentional privacy invasion and bandwidth theft) the overwhelming majority of the harm inflicted by spyware is simply an unintended by-product of the data-gathering or other primary purpose.

One of the easiest ways to conceptualise the difference between viruses and spyware is to think of a virus as a kind of "software murder". In this framework, spyware is "software manslaughter". A virus does deliberate damage (to system software, or data, or both); spyware does accidental damage (usually only to the system software). In general, neither one can damage the computer hardware itself. Certain special circumstances aside, the worst-case outcome is a need to reformat the hard drive, reinstall the operating software, and restore from backups. The cost to have this done professionally is typically in the order of US$50. The cost of lost time and productivity can be much higher than this. It is not uncommon for the owner of a badly spyware-infected system to purchase an entire new computer in the belief that the existing system "has become too slow".

  • Consequences

Unprotected Windows-based computers, particularly those used by children or credulous adults, can rapidly accumulate a great many spyware components—several hundred individual instances is common. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% in severe cases), and major stability issues (crashes and hangs). Difficulty connecting to the Internet is another common symptom.

Spyware infection is now (as of 2004) responsible for more visits to professional computer repairers than any other single cause. In more than half of these cases, the user is unaware of the spyware problem and initially assumes that the system performance, stability, and/or connectivity issues are related to hardware, Windows installation problems, or a virus.

Some spyware products have additional consequences. Dialers attempt to connect directly to a particular telephone number rather than to the user's own ISP: where the number in question is interstate or overseas, this can result in massive telephone bills which the user has no choice but to pay.

  • Installation

Spyware is normally installed through one of two common methods. The first is to hide a spyware component within an otherwise apparently useful program. Often, the containing program is made available for download free of charge, so as to encourage wide uptake of the spyware component. The second common method is to take advantage of security flaws in Internet Explorer. Spyware can also be installed on a computer by a virus or an e-mail trojan program, but this is not common.

The HTTP cookie is a well-known mechanism for storing information about an Internet user on their own computer, often used to assign website visitors an individual identification number for subsequent recognition. However, the existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site uses a cookie identifier to build a profile about the user, who does not know what information is added to this profile, the cookie mechanism could be considered a form of spyware. For example, a search engine website could assign a user an individual ID the first time he visits and store all search terms in a database with this ID as a key on all subsequent visits (until the cookie expires or is deleted). This data could be used to select advertisements to display to that user, or could—legally or illegally—be transmitted to third parties.

Another cause is granting permission for web-based applications to integrate into your system. These browser helper objects embed themselves as part of your web browser.

Spyware is usually installed by some stealthy means. If you read the user agreements for the software you download and install, references (sometimes vague) are cited for allowing the issuing company of the software to record your internet usage and website surfing. Some software vendors allow you to buy the same product without this overhead.

Neglect is an additional cause. Applying automatic updates, antivirus updates, and other software upgrades will protect your system. Known bugs and exploits remain in older software, and the techniques for using them to invade your system become more widely known over time.

  • Software Considered Spyware

Some software commonly found on computers which is considered spyware by some includes:

  • Bonzi Buddy

  • Gator, made by the Claria Corporation

A number of software applications are available to help computer users search for and remove spyware programs. Some programs promise to purge your system of spyware, only to install their own.


------------------------------------------------

Trojans - myths & facts

Not so long ago, the more knowledgeable PC users were well aware of the risks that computer viruses posed. Only a few years later, almost every PC user is aware of the very-real dangers that a virus can pose. Many of us use some form of anti-virus software, and a reasonable number of us diligently keep the anti-virus definitions up to date.

Only a complete novice would question the need for good anti-virus software today. However many users do not realize that these programs may actually provide their users with a false sense of security. One common mistake is to assume that anti-virus software automatically means that your system is secure. It isn't. Most anti-virus applications deal specifically with one thing - viruses. They don't protect your system from intruders, and they don't ensure that other software that you may use is secure and legitimate.

Another very dangerous assumption that many users of anti-virus software make, is that their anti-virus application will also keep their systems clear of trojans. Not so. In order to understand this, let's take a step back.

Despite the fact that they are often confused, viruses and trojans are two very different things. A virus by definition makes copies of itself and spreads, in much the same way that its biological namesake does among hosts. A trojan, on the other hand, also known as a trojan horse, is simply a program that pretends to be something else.

So why are trojans or trojan horses so dangerous? The basic idea is that you download a program, for example one that you think is some sort of game demo. When you run the demo, to your surprise, nothing happens. Or so you thought.

What may have happened is that you've just unwittingly run some form of program that has planted itself on your hard drive. Perhaps it's going to be a very basic application, and simply delete some files on your system. Perhaps it's an even more sinister tool that will actually give other people full access to your hard drive and system. Sounds ridiculous? It happens literally every single day, to computer users all around the world.

Whether the trojan you just unwittingly downloaded and installed will delete files from your system, open your web connection to snoopers, share your emails or simply watch everything that you do, one thing's for sure. You don't want it there.

And the terrifying fact? You may want to be sure that you're sitting down here. Most anti-virus applications will not protect your system from trojan horses. Why? Well the real question is why should they? As explained, a virus and a trojan are two very different things. Getting a shot from a Doctor against the flu won't protect you from being hit by a bus after you leave the surgery. Other preventative measures are required.

So in the above scenario of the user downloading what they think is a game demo, they may even scan the file with their anti-virus software, and receive the all clear. Why? Because the file isn't infected with a virus. The anti-virus software isn't saying that the software is safe to install, it isn't saying that it won't make a mess of your system files, and most importantly, it isn't saying that it doesn't contain a trojan or trojan horse.

In short, if you want to keep your PC safe, follow the three golden hints.

1. Use a good anti-trojan application that offers regular trojan definition updates. Use the software regularly, and keep it up to date.

2. Use a good anti-virus application that offers regular virus definition updates. Use the software, and keep it up to date.

3. Keep your operating system up to date with security fixes. Details of Microsoft's security updates may be found at their website.

Why trojans are often called viruses...

  • Definition "VIRUS"

A virus is a program that adds itself to a file, producing a modified .exe file - that's why you can't recognize it as a virus file at first sight, or simply remove it from the file system. The most common characteristic of a virus is that it is able to spread on its own once it has been activated; further distribution occurs by copying infected files over networks, for example by email. Viruses can delete or change files/data; to remove them cleanly, the virus's start-up code has to be stripped out of the infected executable file.

  • Definition "TROJAN"

The primary difference between a virus and a trojan is that trojans don't spread on their own. A trojan is a standalone program that makes certain areas of interest available to other users/computers on the internet. Therefore it has to be run at every system reboot, which is done via autorun keys in the system registry. A trojan is an .exe file that hides somewhere in the system, but unlike a virus it is removable manually - if you know how to do it.
