The Internet has become a war zone. You should take immediate steps to
actively protect your computer and your property. Installing anti-virus
software on your computer is a necessary first step but is by no means
sufficient. To be safe, you must implement a multi-layer defense strategy.
The table and discussion that follow list the main current threats to
your computer and what you can do to protect yourself against them.
Summary of the major current threats

Threat: direct attack
  Objective: take over your computer, steal passwords and credit card numbers, use your computer to attack others.
  Method of attack: scan for open ports.
  Your defense: use a firewall; use a router (if broadband connection).

Threat: "phishing" scam
  Objective: steal your financial account information, steal your money.
  Method of attack: "important" e-mail message that looks like it came from your financial institution, asking you to verify your account.
  Your defense: never reply; use an e-mail filter; block e-mail images.

Threat: hijacked web sites
  Objective: take over your computer, steal passwords and credit card numbers, use your computer to attack others.
  Method of attack: altered web image advertisements.
  Your defense: install Service Pack 2 for Windows XP; use a browser other than Internet Explorer.

Threat: "web bots"
  Objective: verify that your e-mail address is valid and active.
  Method of attack: invisible image embedded in an otherwise "normal" e-mail.
  Your defense: block e-mail images.

Threat: "spy ware"
  Objective: log the web sites you visit and the video and music files you download, and report back demographics and/or personal information; log credit card numbers and passwords and report them back to steal your money.
  Method of attack: software stealthily installed when you download music or photos, visit some web sites, play multimedia or install software downloaded from the web.
  Your defense: use anti-spy software and periodically scan your computer.

Threat: e-mail "spam"
  Objective: get you to reply or to visit a web site; get you to buy something or follow up with requests for your credit card number or other financial or personal information; verify that your e-mail address is valid; steal your money.
  Method of attack: "attractive" e-mail offer, usually pornography, sexual enhancement drugs, low-price software, low-interest mortgage loans, etc.
  Your defense: never reply; use an e-mail filter; block e-mail images.

Threat: viruses and "trojan horses"
  Objective: infect your computer, erase your software and data, take over your computer and use it to attack others, steal passwords and credit card numbers, steal addresses from your e-mail address book, replicate and infect others by sending messages that appear to come from you.
  Method of attack: infected e-mail attachment.
  Your defense: never click on e-mail attachments; use anti-virus software and periodically scan your computer.
What are IP addresses?
This introduction, we hope, will help you better understand the threats
and defense discussions that follow.
Every computer on the Internet is assigned what is called an IP ("Internet
Protocol") address. This number is the unique "address" of your computer
in the global Internet. Almost all server computers, including those that
host web sites, are assigned "permanent" (static) IP addresses. When you
surf to a particular URL, such as www.amazon.com, special computers called
"name servers" (the Domain Name System, DNS) translate the alphabetic host
name in the URL to the "real" numeric IP address of the amazon.com main
server (when this page was written, the corresponding IP address was
207.171.163.30; such addresses do change over time).
Most client computers, such as your home computer, are assigned "temporary"
(dynamic) IP addresses, usually by your Internet Service Provider (ISP).
The ISP is normally pre-assigned one or more "blocks" of these addresses,
from which it assigns a temporary IP address to each customer at log-in, to
use until log-off. With a broadband connection, the IP address may be
assigned for a limited period of time or until activity stops at night.
Some ISPs, usually for an extra charge, offer a "fixed" (static) IP address
to some of their broadband and business customers.
Direct attack
Every networked computer has, as part of its networking software (not its
microprocessor), 65,535 numbered TCP "ports" and as many UDP ports, which
are used by various services such as web serving, e-mail, file sharing,
etc. and also for communication between software components on the same
machine. The danger arises when a service is listening on one of these
ports and that port is inadvertently left "open" to the Internet. Think of
this as leaving the rear door to your house unlocked in a high-crime area.
Intruders ("crackers") run software on computers which sequentially
interrogates all IP addresses in a block to see if a computer is using a
given address. One way they do this is by "pinging": sending a special
probe message called a "ping" to the address and seeing whether it
responds, which is the normal behavior. (Many scanners skip the ping and
simply try to connect to a few common ports at every address, so not
answering pings is only partial cover.) Once they find such a computer,
they run another piece of software, a "port scanner", to identify which
ports, if any, are open to the Internet on the target computer. Note that
this "cracking" process is entirely automated and can interrogate many
thousands of IP addresses per hour.
An open port by itself is not enough. What the cracker is really looking
for is a service behind that port with a known flaw, or a weak or default
password; through such a flaw the cracker introduces a small program
(sometimes called a "trojan horse") and runs it on the target computer.
This malicious software installs itself, running in the background under
a false name so the owner is not aware of its existence.
Depending on the cracker's objective, this software may, for example,
log all the keystrokes on your keyboard and periodically report back to
the cracker any credit card numbers and passwords that you may have typed,
or may just keep the cracker aware of your current IP address so that
he can make your computer, unbeknownst to you, take part in concentrated
attacks on a target site (such as was recently done to the Microsoft.com and Whitehouse.gov computer sites).
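The port-probing step described above, as an added example (not code from this page or from any scanner it mentions): a TCP connect scan that reports each port as open, closed or filtered. To run offline it starts its own throw-away listener on 127.0.0.1 (a constructed target) so there is one known-open port, and uses port 1 (tcpmux, assumed idle on any workstation) as a known-closed port. The third outcome, "filtered", is what a firewall or a router with "Block WAN Request" produces: the probe is dropped and nothing comes back.

```python
"""TCP connect scan that classifies each port as open, closed or filtered.

Added example for the direct-attack section, not code from the page.
  open      the TCP handshake completes: a service is listening
  closed    the host answers with a TCP reset: up, but nothing there
  filtered  no answer before the timeout: a firewall is dropping probes
"""
import socket
import threading

CLOSED_PORT = 1   # tcpmux; assumed to have no listener on this machine


def probe_port(host, port, timeout=1.0):
    """Try a full TCP connection to host:port and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"      # probe silently dropped, nothing came back
    except ConnectionRefusedError:
        return "closed"        # reset came back: host is up, port idle
    except OSError:
        return "error"         # no route, network down, etc.
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe each port in turn; return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Start a listener on an ephemeral port and return (socket, port).

    This is the constructed target; its only job is to accept and close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass               # listener closed: exit the thread

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan the constructed target; return (open_port, closed_port, result)."""
    srv, open_p = start_listener()
    try:
        result = scan("127.0.0.1", [open_p, CLOSED_PORT])
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wake the accept() thread
        except OSError:
            pass
        srv.close()
    return open_p, CLOSED_PORT, result


if __name__ == "__main__":
    open_p, closed_p, result = demo()
    for p, state in sorted(result.items()):
        print(f"127.0.0.1:{p:<5d}  {state}")
```

Run it and the listener's port shows as open and port 1 as closed. Point the same scan at a host behind a firewall that drops unsolicited packets and every port comes back "filtered" after the timeout, which is the behaviour the defense below aims for.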
DEFENSE
Check your vulnerability by making use of Steve Gibson's "Shields
Up" free test utility. Go to www.grc.com and follow the links for "Shields Up".
If you are on a broadband connection, connected to the Internet at all
times, you are particularly exposed. We highly recommend the use of a
hardware router between you and the Internet. A router performs Network
Address Translation (NAT): the single IP address assigned by your ISP is
shared, and each computer on your local network gets a private address
which is only valid within your local network and is not visible from the
Internet. Connections you start from the inside are let through; a
connection attempt arriving from the Internet has no computer to go to and
is dropped, unless you have deliberately "forwarded" that port to one of
your machines. Look in your router manual and make sure you enable "Block
WAN Request" (on Linksys routers) or whatever it is called in your unit.
This will prevent your router from responding to "ping" requests and make
the router and all the computers in your home network invisible to ping
sweeps from the Internet (any port you have forwarded remains reachable,
so forward as few as possible).
If you get a wireless router or access point, be aware that you can also
be attacked through the wireless side, by anyone within radio range. Be
sure to enable encryption on your wireless links (it must be done at both
ends of each wireless link), choosing the strongest type your equipment
offers: WPA2 rather than the older WEP, which is broken and easily cracked.
The MAC filter function, which only lets your own computers connect to
the router or access point, is worth enabling but is a minor obstacle at
best, since an attacker can observe the MAC address of one of your
computers and copy it. Refer to your router or access point manual for
more details.
If you are on a dialup connection you are still vulnerable. A recent
survey done by PC Magazine reveals that the average time between
connecting to the Internet and getting a port probe scanning for
vulnerabilities is now only about 20 seconds.
In either case, broadband or dial-up, you should install a software
firewall. Windows XP Service Pack 2 now has a firewall enabled by default,
but we have read reports that this built-in firewall still leaves open
certain ports for "enhanced functionality"; check its Exceptions tab and
uncheck anything you do not use, such as File and Printer Sharing. We
recommend Zone Alarm Pro, which is the only firewall we are aware of that
blocks unauthorized packets in both directions, from your computer to the
Internet as well as the reverse.
"Phishing" scam
Read the FTC Consumer Alert.
Read how to recognize a "phishing" e-mail message, and where to report
it, at the Anti-Phishing Working Group.
This is an example of what is now called "social engineering": using
what looks like an important "official" communication from your bank or
financial institution to deceive you into revealing private information
such as account numbers, passwords, social security numbers, etc.
In its most current form you receive an official-looking e-mail from
your bank, financial institution or other organization in which you have
an account, such as PayPal, eBay, department stores or manufacturers,
telling you that there is a serious problem with your account and you
must immediately verify your account information in order to re-establish
access to your account. The message often tries to scare you by
threatening that if you don't respond immediately your account will be
cut off.
NEVER NEVER NEVER click anywhere on this message (the entire message is a trap)!
The way the scam works, when you click on this message, it takes you to
a fake web site (usually outside the US) which is a replica of the real
web site of the financial institution. The scam e-mail typically disguises
the true destination by using a numeric IP address, or a host name made to
look legitimate by including the institution's name in the first part of
the address; what actually determines who owns a site is the registered
domain at the end of the host name, not the familiar name at the front.
When you log onto this fake page, using your real account number and
password, you have just given the thieves what they need to access your
real account and steal all your money.
DEFENSE
NEVER NEVER NEVER click anywhere in the e-mail!
If you were deceived by this scam, contact your financial institution
IMMEDIATELY and have them block access to your account.
If you are in doubt about the status of your account, call the Customer
Service telephone number of your financial institution (the one printed
on your statement or card, not one given in the e-mail), or go DIRECTLY
to their real web site (use your bookmarks, NEVER use any links in the
scam e-mail!)
Fight back by forwarding the received e-mail, including all the routing
headers, to the FTC phishing scam line at spam@uce.gov and also to the
"scam" or "abuse" e-mail address of your financial institution (the larger
ones now have an address such as "scam@citibank.com" or
"abuse@citibank.com"). At the top of the forwarded e-mail you can ask
"is this real or a scam?" You will probably get an interesting reply.
Some sophisticated e-mail filters used by ISPs are now catching the
phishing scam e-mails.
My favorite e-mail filter software, ChoiceMail
One, will intercept e-mails where the body of the e-mail uses numeric
IP addresses and it thus catches most phishing scam and other fake e-mails.
Hijacked Web Sites
A recent development is the hijacking of the web sites of companies that
provide advertisement images to many popular web sites. These
advertisements are modified to include malicious code which can infect
your computer just by visiting a site carrying the advertisement; no click
is needed. The infection relies on a flaw in some versions of the Internet
Explorer web browser and does not affect computers that have the Service
Pack 2 upgrade to the Windows XP® operating system.
DEFENSE
If you are running the Windows XP® operating system, be sure to install
the Service Pack 2 upgrade, available free of charge from Microsoft,
for increased security.
Since many of the recent attacks target the popular Internet Explorer
browser, we recommend that you simply switch to another browser. We
highly recommend the open source Mozilla Firefox, which is available for
download free of charge.
Web-Bots
Web-Bots (more commonly called "web bugs" or tracking pixels) are tiny
invisible images embedded in commercial spam e-mails. These images are
usually only 1x1 pixels (the minimum size) and may be transparent. The
image is not attached to the message; it is fetched from the sender's
server when the message is displayed, and the address of the image
typically contains a code unique to you. When you view an e-mail
containing a web-bot, the server that serves the image records that code,
together with the IP address of your computer and the time. It thus serves
to validate your e-mail address as a) active and b) perhaps interested in
the subject of the e-mail, since you viewed the message.
These Web-Bots would seem to serve a legitimate purpose for the
advertiser, except that they contribute to the general spam problem by
serving to generate lists of valid e-mail addresses. Particularly
insidious is that you need not read the actual message; all you have to
do is "preview" it with your e-mail software's preview function (the
feature that shows you the first few lines of received messages), which
renders the message and fetches the image just the same.
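How a web-bot is found in a message, and how the "block e-mail images" defense neutralises it, as an added example (not code from this page or from any mail filter it names). The HTML message, the host tracker.example and the uid token are all constructed for the demo. The audit lists every image, flags remote ones sized to be invisible, and pulls out the per-recipient token; the blocking step rewrites the message so no remote image is requested at all, since any remote fetch, 1x1 or not, tells the sender the address is live.

```python
"""Spot and neutralise remote images (tracking pixels) in an HTML e-mail.

Added example for the Web-Bots section, not code from the page.  The
message, host and token below are invented for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one embedded logo (cid:), one 1x1 remote beacon.
SAMPLE_EMAIL = """\
<html><body>
<p>Congratulations! You have been selected for a special offer.</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="http://tracker.example/open.gif?uid=7f3a9c1e" width="1" height="1" style="display:none">
<p><a href="http://tracker.example/buy?uid=7f3a9c1e">Click here</a></p>
</body></html>
"""

REMOTE_SCHEMES = ("http", "https")


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


class ImageAudit(HTMLParser):
    """Record every <img>: where it loads from, its size, any recipient token."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        remote = parsed.scheme.lower() in REMOTE_SCHEMES
        w, h = _as_int(a.get("width")), _as_int(a.get("height"))
        self.images.append({
            "src": src,
            "remote": remote,
            # remote and 1x1 (or smaller): it exists only to be fetched
            "pixel": remote and w is not None and h is not None and w <= 1 and h <= 1,
            # the query string is the usual place for the recipient id
            "token": parse_qs(parsed.query) if remote else {},
        })


def audit_images(html):
    p = ImageAudit()
    p.feed(html)
    p.close()
    return p.images


def tracking_pixels(html):
    """Remote images sized to be invisible: beacons by construction."""
    return [i for i in audit_images(html) if i["pixel"]]


IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def block_remote_images(html):
    """Rewrite the message so no remote image is ever requested.

    Each <img> whose src is http(s) becomes a visible placeholder; embedded
    (cid:) and data: images stay.  Text stays readable, the beacon never fires."""
    def replace(m):
        tag = m.group(0)
        sm = SRC_ATTR.search(tag)
        src = next((g for g in sm.groups() if g is not None), "") if sm else ""
        if urlparse(src).scheme.lower() in REMOTE_SCHEMES:
            return "[remote image blocked]"
        return tag
    return IMG_TAG.sub(replace, html)


if __name__ == "__main__":
    for img in audit_images(SAMPLE_EMAIL):
        print(img)
    print(block_remote_images(SAMPLE_EMAIL))
```

The uid in the image address is what links the fetch to one recipient; the same token reappears in the "Click here" link, so clicking confirms the address a second time. Blocking is done on the message text before display, which is why a preview pane that shows the blocked version is safe.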
DEFENSE
My favorite e-mail filter software, ChoiceMail
One, will let you preview messages while blocking ALL images in the
message from being served. Thus you can look at the text while retaining
your privacy. This is particularly important for messages that look "legitimate".
Spy-Ware
Read the FTC Consumer Alert.
Some popular software, unbeknownst to you, will install "spy-ware"
(sometimes called "ad-ware") on your computer. This software tracks the
web sites you visit, the video and music files you download, or other
personal information and periodically reports this data back to its
maker, who sells it to advertisers. An early instance of a major
commercial multi-media player doing this was exposed by Steve Gibson of
Gibson Research Corp. You can read about it on his web site. Steve
developed an early package, "Opt Out" (now obsolete), to scan for and
eliminate this type of software.
Some "spy-ware" has been developed for malicious uses and logs your
typing on the keyboard to capture personal and financial information
such as credit card numbers. It then periodically reports this
information back to the thieves.
Since such "spy-ware" and "ad-ware" uses your computing resources,
extreme cases have been reported where the performance of a computer is
significantly degraded when several of these programs are active at once.
DEFENSE
Two major free software packages are available to scan for and eliminate
such spy-ware from your computer:
SpyBot Search and Destroy, from Germany (available as "donorware":
free software, but they ask for voluntary donations)
Lavasoft's Ad-Aware, from Sweden (available in both a free version and
a commercial version with enhanced features)
Ad-Aware SE (the commercial version) also includes a memory-resident
component which intercepts in real time any attempt to install "ad-ware"
or "spy-ware" and also alerts you to any Windows Registry changes.
e-mail "spam"
"spam" (in lower case) refers to any unsolicited commercial offer or
propaganda sent by e-mail to a large number of users.
Aside from being a nuisance, many "spam" e-mail messages are completely
fraudulent offers. Usually these e-mail messages make attractive offers
for getting rich quick, meeting attractive girls (or boys), or offering
pornography, sexual enhancement drugs, discount drugs, gambling, discount
software, low mortgage rates, low cost loans, etc., etc., etc. Others are
disguised as "Important" notices from banks, stores and even government
agencies (see the "Phishing" scam section above for one such example).
One of the most notorious offers of recent years is the "Nigerian Scam"
(also known as advance-fee fraud), where someone offers you a part of a
large amount of money deposited in a bank, usually in Nigeria or other
parts of Africa, but more recently extending to Europe, the Pacific and
other parts of the world.
The objective of this kind of spam is to get you to respond via e-mail
or to visit a web site where they will offer you a participation in this
"treasure". First you have to demonstrate your "good faith and character"
by providing your financial account information, an amount of money or a
credit card number as security. This rapidly leads to your account being
drained, your money disappearing, or your credit card being charged,
without much hope of recovery.
"Genuine" spam is merely advertising e-mail offering you goods or
services. Unfortunately there is a very thin line between a "genuine"
offer and a fraudulent offer. IT IS BEST TO IGNORE ALL THESE OFFERS
COMPLETELY.
Almost all e-mail "spam" will have a forged "From:" address (usually
they do not want you to answer the e-mail; instead they want you to visit
some web site). They also try to disguise the address of the web site
they want you to visit, so it will not be obvious to you that it is
probably an overseas web site. Sometimes they will only provide a numeric
IP address for the web site; sometimes they will disguise the IP address
by writing it in a form that a browser accepts but a human does not
recognize, such as a single large decimal number, hexadecimal or octal
components, or a user name placed in front of an "@" sign so that the
real host is the part after the "@".
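The two disguises described here and in the "Phishing" scam section above (a numeric or obfuscated IP address as the host, and a host name that carries the institution's name in front of someone else's registered domain), checked the way a mail filter would, as an added example that is not code from this page or from any filter it names. The trusted-domain list and every URL below are constructed for the demo. The decoder goes beyond the text's plain dotted-quad case and accepts the full set of numeric forms browsers accept: a single 32-bit integer, hexadecimal and octal components, and a short form whose last component absorbs the remaining bytes.

```python
"""Classify where a link in an e-mail really goes.

Added example for the spam and phishing sections, not code from the page.
TRUSTED_DOMAINS is an assumed list of registered domains the user does
business with; the URLs in the tests are invented.
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}   # assumed


def _part_to_int(part):
    """One dotted component as browsers read it: 0x.. hex, leading 0 octal,
    otherwise decimal.  A bad octal digit ('08') is rejected here."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p.startswith("0") and p.isdigit():
        return int(p, 8)
    if p.isdigit():
        return int(p, 10)
    raise ValueError(part)


def decode_numeric_host(host):
    """Return the dotted-quad form of a numeric host in any browser-accepted
    notation ('3232235777', '0xC0A80101', '0300.0250.1.1', '192.168.257'),
    or None if the host is not purely numeric."""
    parts = host.split(".")
    if not parts or not all(parts) or len(parts) > 4:
        return None
    try:
        nums = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    # every component but the last is one byte; the last supplies the rest
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(head)))) | last
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def registered_domain(host):
    """Last two labels of the host.  Simplification: a real filter consults
    the Public Suffix List so that names under e.g. co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Return (verdict, reason) for a link target: trusted / suspicious / unknown."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.username is not None:
        # http://www.citibank.com@evil.example/ : the real host follows the @
        return "suspicious", f"credentials in URL hide the real host {host!r}"
    if not host:
        return "suspicious", "no host in link"
    dotted = decode_numeric_host(host)
    if dotted is not None:
        return "suspicious", f"numeric host, decodes to {dotted}"
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", f"registered domain {reg}"
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if name in host:
            # the familiar name is in a leading label; the owner is `reg`
            return "suspicious", f"host mentions {name!r} but belongs to {reg}"
    return "unknown", f"registered domain {reg}"


if __name__ == "__main__":
    for u in ("http://www.citibank.com/login",
              "http://www.citibank.com.example.net/login",
              "http://3232235777/login",
              "http://0xC0A80101/login",
              "http://www.citibank.com@3232235777/"):
        print(u, "->", classify_link(u))
```

Two lookalike links in that list decode to the same private address 192.168.1.1; a real scam uses the same trick with a public one. The Public Suffix List caveat matters in practice: with only "last two labels", a host under a country-code suffix like co.uk would be attributed to the suffix rather than to its owner.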
DEFENSE
My favorite e-mail filter software, ChoiceMail
One, allows you to intercept all spam by using multiple mechanisms.
ChoiceMail is provided with a number of filter rules to intercept suspect
spam and hold it in a "junk mailbox" for inspection and disposition.
The e-mail filter rules provided by the manufacturer inspect the subject
line and body of the message for the occurrence of typical spam words (you
can add to the list); it also looks in the body for disguised IP addresses,
for numeric IP addresses and also for IP addresses on a list of known
spammers. The software looks for e-mails with malformed or disguised structure
which attempt to bypass less sophisticated filters. It even detects when
the sender adds random words to get around probabilistic "Bayesian"
spam filters.
ChoiceMail treats as spam all e-mails that come from someone who is
not in your list of approved senders (initially generated from your address
book) and forces any new correspondents to go to a web site and visually
copy a random number or word to prove that they are human and not a spam
robot. The software has other essential features such as the ability to
preview messages without requesting any images from servers. You can also
set up a "black" list to block individual addresses or entire
domains. All the filtering rules are customizable to your own preferences
and you can create new rules as desired. Because of its complexity the
software takes a bit of effort to set up all the features, but it is well
worth the results.
Viruses and Trojan horses
Please visit our page on Viruses and Trojan Horses.