ATC Colloquia 23 January 2003 Public Version

1.            General

We have all heard about the insecurity of the Internet, how millions of attacks and probes happen every day around the world. In this talk we will explore the critical information that you, as a computer user, need to know about:

Greg Edwards, CISSP, GCIH, LM Antivirus, LM Vulnerability Alerts, UC Santa Cruz Extension Instructor on Viruses and Wireless Security. Editing assistance by George Meyers (LM-M&DS).

If you are behind the LM firewall, you can also download the LM specific Security Talk - Word document (Zipped).

2.            Vulnerabilities

How many attacks are there? No one knows, and it depends on what you mean by attack. For example, the www.incidents.org web page logs over 3 million attack probes per day.

On 10 December 2002 the most commonly attacked ports were:

Port/Service        OS Vendor         Attack/Virus/Trojan
137/Netbios         Microsoft         Chode, Qaz, Msinit Trojans
80/http             All computers     IE, Nimda, 711, AckCmd, BO, Hooker, etc.
1433/MS-SQL-S       Microsoft         Easy remote root
21/ftp              All computers     Ramen, Lion, 666, Senna Spy, Traitor21
25/smtp             All computers     Hybris, Antigen, IloveYou, etc.
4662/eDonkey        All computers     music/video exchange
139/netbios-ssn     Microsoft         Chode, GodMessage, Msinit, Qaz, Sadmind
445/Microsoft-ds    Microsoft         Open Share
53/DNS              All computers     BIND
27374/asp           All computers?    SubSeven, Lion, Ramen, BadBlood

Key:  Microsoft in bold BLUE; Linux in bold Green

The Top 10 viruses of 2002 are all Microsoft viruses, as can be seen at http://www.sophos.com/pressoffice/pressrel/uk/20021204yeartopten.html; however, as seen above, many of the top-10 attacks are Linux worms.

All computers, operating systems and applications have vulnerabilities, but some have fewer than others. If you use Windows, Microsoft Office or Microsoft Internet Explorer, your computer is at high risk. Linux viruses are a growth area, but most of the Linux problems are Trojans and worms; Linux AV can provide protection from them and from rootkits. Macintoshes have fewer problems than most, but they do have some.

Microsoft's security page is at www.microsoft.com/security/

Red Hat is at http://www.redhat.com/solutions/security/ (other Linux/BSD are at similar pages)

Apple's Security Web page is at http://www.info.apple.com/usen/security/security_updates.html

Didn't see very many Macintosh OS9 problems? Right, there are not very many.

There are some Microsoft vulnerabilities that involve Macs, mostly with Word, Office, IE, etc. You can find them here: http://www.microsoft.com/security/

3.            Home Firewalls

If you have a fast Internet connection at home and no firewall, you are at risk. The Honeynet Project (http://www.honeynet.org/) has found that the average computer on a fast network has about a 100% chance of being hijacked within the first 24 hours of connection. The fastest they have seen a computer be discovered, broken into, and rootkited (stealth takeover) is 15 minutes.

There are a number of good software firewalls, some free, some at reasonable cost (BlackIce, ZoneAlarm, Sygate, CyberArmour, etc.). I prefer a hardware firewall (less likely to have a problem, less likely to interfere with computer operations, easier to add additional computers) such as the Linksys BEFSR11, Hawking PN9230, D-Link DI-704, SMC 7003ABR, Netgear RP114, etc., but the software firewalls are more likely to be able to give you a list of probes and attempted attacks. It is sometimes interesting to see that you have been probed 20-30 times an hour or more.

I would NOT suggest a software firewall for most users... (I use a hardware firewall at home).

You can test your home firewall via several sources. One is Steve Gibson's Shields UP!! firewall tester at www.grc.com: https://grc.com/x/ne.dll?bh0bkyd2

4.            WiFi Wireless Network Security

Microsoft XP strongly wants WiFi, and Macintosh iBooks and TiBooks are almost unthinkable without WiFi; however...

WiFi does, however, have a >lot< of security vulnerabilities (for a full look, take Wireless Security: 802.11b and Other Protocols, which will be offered in April 2003 at UC Santa Cruz Extension (Sunnyvale): http://www.ucsc-extension.edu/main/qd/citlist.taf?function=detail&start=0&X_Number=X459.5%20Computer%20Science ).

The problems in short are:

WiFi goes much further than 30 or 300 or even 3000 feet; see http://www.baylisa.org/library/slides/2001/10/openlans.pdf for a short 150,000 foot connection.

WiFi's WEP crypto has major defects.

All attempts to fix WiFi crypto up to November 2002 have had major defects.

Users, in general, won't use the little security that they could have.

The MAC can be spoofed, easily.

There is no protection against fake Access Points.

Wardriving, Warchalking and Warflying may be legal, but they do add problems:

            http://www.wardrive.org/live/

            http://www.warchalking.org/

            http://www.techtv.com/news/internet/story/0,24195,3398350,00.html  (btw, TechTV is fun)

4.1   Legal Issues and WiFi

IANAL, nor do I play one on TV or the Internet.

Misuse of this material can get you in serious legal trouble.

The law is very unclear; be careful and get advice from your corporate attorney.

There have been court cases stating that ping sweeps, Nmap sweeps, etc. are legal, being similar to walking down a street and looking to see if a window is open.

However, consider http://www.theregister.co.uk/content/55/26397.html on 29 July 2002:

4.2   Ethical hacker faces war driving charges

By John Leyden

Posted: 26/07/2002 at 13:05 GMT

A Houston computer security analyst has been charged with hacking after demonstrating the insecurity of a county court's wireless LAN.

Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of fraud for allegedly breaking into Harris County district clerk's wireless computer system. It's believed to be the first case of its kind in the US.

Puffer, who was employed briefly by the county's technology department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.

He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.

District Clerk Charles Bacarisse told the paper that no confidential information was disclosed but the alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated.

But is the prosecution a case of shooting the messenger?

On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.

Puffer first noticed the problem while scanning for insecure 802.11 networks throughout Houston earlier that month, around the time that the alleged offence took place.

 

And then again (from http://www.commonme.org/ and elsewhere on July 23, 2002):

            Steve Ballmer - the Wifi pirate: "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer. "Well, I don't know what that is.  But I VPN into Microsoft.  It worked! I don't know whose broadband I used," he chuckles.  "I didn't see it in Bill's room.  I called him up and said, 'Hey, come over to my room.'  So soon everyone is there and connecting to the Internet through my room."

There are a lot more problems with WiFi security, and then you have all the normal security problems.

4.3   But what can the bad guys do if they break into your home systems?

            Send spam from your home computer, costing you your Internet access, possible lawsuits

            Plant a RAT on your home system and have control of your system (easy with Windows)

            Store illegal material on your home system

            Use your home system as a zombie for attacks across the Internet

            Etc.

 

5.            Viruses, Worms, Trojans, RATs and other Malware

You should use an up-to-date antivirus tool on all computers all the time. If you use Microsoft Windows or Office or Internet Explorer it is critical.

Hoax viruses are another problem; more data on them can be found at Sophos http://www.sophos.com/virusinfo/hoaxes/ or NAI http://vil.nai.com/VIL/hoaxes.asp or Symantec http://www.symantec.com/sarc/avcenter/hoax.html or use Google www.google.com.

5.1   Windows Antivirus

If you use any form of Microsoft Windows, or Microsoft Office, or Microsoft Internet Explorer your system is at grave risk even with a good firewall unless it also has a current antivirus system.

5.2   Linux/Unix Antivirus

There are not that many Linux/Unix viruses, but there are a number and they are growing. The real problem for Linux/Unix is not viruses but Trojans, worms, and rootkits. Firewalls are just one part of your critical defense; an integrity checker (Tripwire or antivirus) is the other. AV has an advantage over Tripwire in that it can not only detect but also correct. Tripwire has an advantage in that it does not have to be updated as often.
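As an added example (not from the talk, and not Tripwire's own code), a minimal integrity checker in Python that does what the paragraph describes: record a baseline of file digests, then report files that were modified, added or removed since the baseline. The demo() function builds a constructed temporary tree and tampers with it so all three cases show up.

```python
"""Tripwire-style integrity checker (added example; not from the talk or Tripwire)."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(root, baseline_file):
    """Write the baseline; in real use keep it on read-only media."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=1))


def check(root, baseline_file):
    """Return (modified, added, removed) relative paths versus the baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(root)
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def demo():
    """Baseline a constructed tree, change it the way a Trojaned binary or
    a dropped file would, and return what check() reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "bin"
        (root / "sub").mkdir(parents=True)
        (root / "ls").write_bytes(b"original ls binary")     # constructed
        (root / "ps").write_bytes(b"original ps binary")     # constructed
        (root / "sub" / "cfg").write_bytes(b"cfg")           # constructed
        baseline = Path(d) / "baseline.json"
        save_baseline(root, baseline)
        (root / "ps").write_bytes(b"replaced ps binary")      # binary swapped
        (root / ".hidden").write_bytes(b"dropped file")       # new file
        (root / "sub" / "cfg").unlink()                       # file removed
        return check(root, baseline)
```

Because the baseline only stores digests, it needs no signature updates, which is the trade-off the talk makes against antivirus: it can tell you that /bin/ps changed, but not repair it.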

5.3   Macintosh Antivirus

If you use Microsoft Excel, PowerPoint, etc. you need antivirus.

If you use IE or Word you really need antivirus.

If you want to connect from home to the company network you need antivirus.

Otherwise, probably not.

 

 

6.            SPAM/Scams

6.1   Spam

Spam is a current and expanding problem. Most spam tries to obtain $$ from you. Many are virus/Trojan infected, on purpose or by accident. Some you do not want your children to see.

Below are two common current scams, an Ebay forgery and the Nigerian scam:

6.2   Ebay

>
> **** Message Header *****
> Microsoft Mail Internet Headers Version 2.0
> Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
> Microsoft SMTPSVC(5.0.2195.5329);
>      Fri, 6 Dec 2002 19:03:46 -0500
> Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
> ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
> Received: from sparc.isl.net ([45.55.85.241]) by
> anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
> Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
> 06 2002 1:46:01 PM +1100
> From: Ebay Billing <Billing@ebay.com>
> To: <deleted to protect victim>
> Cc:
> Subject: Ebay Billing Error
> Sender: Ebay Billing <Billing@ebay.com>
> Mime-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Date: Fri, 6 Dec 2002 16:02:56 -0800
> X-Mailer: eGroups Message Poster
> Return-Path: Billing@ebay.com
> Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>
> X-OriginalArrivalTime: 07 Dec 2002 00:03:49.0430 (UTC)
> FILETIME=[1E97BD60:01C29D84]
> **** End Message Header *****
>
> **** Message Contents *****
> Dear Ebay Member,
> We at Ebay are sorry to inform you that we are having problems with the
> billing information of your account. We would appreciate it if you would
> visit our website [Ebay Billing Center] <http://www.ebayupdates.com> and
> fill out the proper information that we are needing to keep you as an
> Ebay member.
> If you think you have received this email as an error, please visit our
> website and fill out the neccesary information. That way we can make
> sure that everything is up to date! Again here is the link to
> our website. Ebay Billing Center <http://www.ebayupdates.com>
> Joe Watson
> Ebay Billing Center
> Rep ID. 32A
> Thank you for your business.
> The Ebay Staff.
> ************************************************************************
> ******** *********************************
> Do not reply to this e-mail, for assistance contact the customer service team.
> ************************************************************************
> ******** *********************************
> ***** Message Contents ******
>
>
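As an added example (not part of the talk), the consistency checks a mail filter can run over the specimen above: the From domain against the Message-ID domain, whether any Received hop belongs to the claimed sender, and whether the links in the body stay under the sender's domain. The headers are the talk's own, refolded so they parse; the body is trimmed to the two link sentences.

```python
"""Header/link consistency check for the Ebay phish above (added example)."""
import re
from email import message_from_string

# The talk's own specimen, refolded so the Received headers parse; body trimmed.
RAW = """Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
 Microsoft SMTPSVC(5.0.2195.5329); Fri, 6 Dec 2002 19:03:46 -0500
Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
 ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
 06 2002 1:46:01 PM +1100
From: Ebay Billing <Billing@ebay.com>
To: <deleted to protect victim>
Subject: Ebay Billing Error
Content-Type: text/html; charset="iso-8859-1"
Return-Path: Billing@ebay.com
Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>

Dear Ebay Member, ... visit our website [Ebay Billing Center]
<http://www.ebayupdates.com> and fill out the proper information ...
Again here is the link to our website. Ebay Billing Center <http://www.ebayupdates.com>
"""


def domain_of(addr):
    """Domain part of an address or Message-ID, angle brackets stripped."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def registrable(host):
    """Crude registrable domain: last two labels (enough for .com here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def analyse(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    sender = registrable(domain_of(msg["From"]))
    findings = []
    # 1. A mailer at ebay.com would stamp its own domain into the Message-ID.
    mid = domain_of(msg["Message-ID"])
    if registrable(mid) != sender:
        findings.append(f"Message-ID domain {mid} != From domain {sender}")
    # 2. Mail really from the sender should have left one of its own hosts.
    hops = msg.get_all("Received", [])
    if not any(sender in hop.lower() for hop in hops):
        findings.append(f"none of {len(hops)} Received hops mention {sender}")
    # 3. Links in the body should stay under the sender's domain.
    hosts = set(re.findall(r"https?://([^\s/>]+)", msg.get_payload()))
    for host in sorted(hosts):
        if registrable(host) != sender:
            findings.append(f"link host {host} is not under {sender}")
    return findings
```

On this specimen all three checks fire: the Message-ID was minted at ciretose.net, no hop touched ebay.com, and the lookalike ebayupdates.com is not ebay.com.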

 

6.3   419 or Nigerian Scam

---------- Forwarded message ----------

Date: Tue, 10 Dec 2002 08:48:26 +0000

From: "MR. NELSON BROWN (JNR)" <nelsonbrown_1@yahoo.com>

Reply-To: nelsonbrown_2@mail.com

To: edwards@rahul.net

Subject: VERY URGENT! I NEED YOUR RESPONSE.

 

From: NELSON BROWN (JNR)

ATTN: President /CEO

Subject: Urgent Assistance

PERSONAL MEMO

Date: 10th December 2002

Sir,

Permit me to inform you of my desire of going into business relationship with you .I am NELSON MEE BROWN (JNR), The first son of late Mr. and Mrs. MORGAN MEE BROWN. My father was a very wealthy GOLD AND COCOA merchant in Congo republic. His business associate on one of their business outing poisoned him to death. When my mother died on the 21ST October 1994, my father took my brother and me so special because we were motherless, Before the death of my father on the 29th November 2000 in a private hospital here in Nigeria, He sincerely called me on his bed side and told me that he had a sum of 35.600,000 US DOLLARS (THIRTY FIVE MILLION SIX HUNDRED UNITED STATES DOLLARS) kept in a security company in SOUTH AFRICA. He also used my Mother's name and my name to deposit the money as his first son as next of kin. He also explained to me that it was because of this wealth that he was poisoned by his business associates, that I should seek for a foreign partner in a country of my choice where I will transfer this money and use it for investment purposes, I want you to assist me in clearing this fund into your account overseas as a beneficiary of the fund, and also see it for investment purpose, such as real estate management. My interested areas of investment are: REAL ESTATE, HOTELS, and PETROLUM INDUSTRY. I am honorably seeking for your assistance in the following ways.

 

(1)   To assist me to clear this fund from the security company and transfer to your account successfully.

 

(2)   To serve as the guardian of this fund since I am a young man of (26) yrs.

 

(3)   To make arrangement for me to come over to your country to further my education and to secure a residential permit in your country.

 

Moreover, I am willing to offer you some part of the total sum as compensation for your effort input after the successful transfer of this fund to your nominated account. Furthermore, this transaction can be concluded within 14 days, from the day you signify interest to assist me. Waiting to hear from you soonest. Please reach me through my email address at: nelsonbrown_2@mail.com

Meanwhile in the meantime I must implore you to keep this matter highly reticent pending the actualization of the fund transfer.

Thanks and God bless you for your anticipated cooperation.

 

Best Regards

 

NELSON BROWN (Jnr)

 

7.            Children, Computers  and Internet Security

 

It used to be simpler. Homes with children in school had most of the viruses because the children would trade games on floppy disks. Now games are on CDs, and Hollywood and the RIAA are attacking children who download/rip/burn music and movies (Harry Potter 2 was swiped last week, before release, and is now on the Internet, for example).

 

Much, if not most, Peer-2-Peer file-sharing software is Trojan-loaded, and in some cases it has a very interesting EULA that users and kids click to approve without reading or understanding.

 

But this is only part of the problem.

 

There is SPAM for products.

 

There is SPAM for porn.

 

There is IRC and email and who are your kids talking to?

 

7.1  What can you do?

Talk to your kids about the problems and dangers

 

Know who they are talking to, check their email, IRC, IM, Chat, Usenet, etc.

 

Consider having only one place in the house where kids can use the Internet (in our kitchen/dining room), then you only have to check one or two systems

 

Consider the pros and cons of content filters

 

Run up-to-date antivirus

 

Use a hardware firewall

 

 

7.2  Problems Your Children May Cause Your Company

 

Can your children hurt the company where you work?

 

Yes. If your kids have access to your computer and play on it, they may introduce viruses.

 

Yes. If you leave your computers on and connected to your place of work or study, your family members and visitors have the access to your company that you have, which is not safe.

 

In one case a 13 year old girl spent a day with her mother at her mother's office. Her mom was an MD. The daughter, in a bit of playfulness, wrote a letter telling patients that they were infected with AIDS and had the computer send it to all of her mother's patients.

 

8.            There are some tools to help

Dewie the Turtle http://www.ftc.gov/opa/2002/09/dewie.htm

FBI Publications - A Parent's Guide to Internet Safety http://www.fbi.gov/publications/pguide/pguidee.htm    

American Library Association Librarian's Guide to CyberSpace for Parents and Kids http://www.ala.org/parentspage/greatsites/safety.html

The Parents' Guide to the Information Superhighway, Rules and Tools for Families Online: http://www.childrenspartnership.org/bbar/pbpg.html

Kids Safety at Onondaga County Public Library http://www.ocpl.lib.ny.us/website/kids/safety.htm

The Parent's Guide to Protecting Your Children in Cyberspace by Parry Aftab http://www.amazon.com/exec/obidos/tg/detail/-/0071357521/qid=1037219031/sr=1-1/ref=sr_1_1/002-0901107-9940867?v=glance&s=books

Internet & Computer Ethics for Kids: (and Parents & Teachers Who Haven't Got a Clue.) by Winn Schwartau, D. L. Busch (Illustrator) http://www.amazon.com/exec/obidos/tg/detail/-/0962870056/ref=pd_sim_books_1/002-0901107-9940867?v=glance&s=books

Czek and Associates http://www.czekandassoc.com/ look under Community Education

A last thought: make Google your home page, www.google.com, and use the modifier "tutorial" when you need an introduction to a topic.