ATC Colloquia 23 January 2003 Public Version
We have all heard about the insecurity of the Internet, how millions of attacks and probes happen every day around the world. In this talk we will explore the critical information that you, as a computer user, need to know about:
Greg Edwards, CISSP, GCIH, LM Antivirus, LM Vulnerability Alerts, UC Santa Cruz Extension Instructor on Viruses and Wireless Security. Editing assistance by George Meyers (LM-M&DS).
If you are behind the LM firewall, you can also download the LM specific Security Talk - Word document (Zipped).
How many attacks are there? No one knows, and it depends on what you mean by an attack. For example, the www.incidents.org web page logs over 3 million attack probes per day.
On 10 December 2002 the most commonly attacked ports were:

Port/Service        OS Vendor        Attack/Virus/Trojan
137/Netbios         Microsoft        Chode, Qaz, Msinit Trojans
80/http             All computers    IE, Nimda, 711, AckCmd, BO, Hooker, etc.
1433/MS-SQL-S       Microsoft        Easy remote root
21/ftp              All computers    Ramen, Lion, 666, Senna Spy, Traitor21
25/smtp             All computers    Hybris, Antigen, IloveYou, etc.
4662/eDonkey        All computers    music/video exchange
139/netbios-ssn     Microsoft        Chode, GodMessage, Msinit, Qaz, Sadmind
445/Microsoft-ds    Microsoft        Open Share
53/DNS              All computers    BIND
27374/asp           All computers?   SubSeven, Lion, Ramen, BadBlood

Key (colour coding in the original): Microsoft entries in bold blue; Linux entries in bold green.
The top 10 viruses of 2002 are all Microsoft viruses, as can be seen at http://www.sophos.com/pressoffice/pressrel/uk/20021204yeartopten.html; however, as seen above, many of the top-10 attacks are Linux worms.
All computers, operating systems and applications have vulnerabilities, but some have fewer than others. If you use Windows or Microsoft Office or Microsoft Internet Explorer, your computer is at high risk. Linux viruses are a growth area, but most of the Linux problems are Trojans and worms. Linux AV can provide protection from them and from rootkits. Macintoshes have fewer problems than most, but they do have some.
Microsoft's security page is at www.microsoft.com/security/
Red Hat is at http://www.redhat.com/solutions/security/ (other Linux/BSD are at similar pages)
Apple's Security Web page is at http://www.info.apple.com/usen/security/security_updates.html
Didn't see very many Macintosh OS9 problems? Right, there are not very many.
There are some Microsoft vulnerabilities that involve Macs, mostly with Word, Office, IE, etc. You can find them here: http://www.microsoft.com/security/
If you have a fast Internet connection at home and have no firewall, you are at risk. The Honeynet project http://www.honeynet.org/ has found that the average computer on a fast network has about a 100% chance of being hijacked within the first 24 hours of connection. The fastest that they have seen a computer be discovered, broken into, and rootkited (stealth takeover) is 15 minutes.
There are a number of good software firewalls, some free, some at reasonable cost (BlackIce, ZoneAlarm, Sygate, CyberArmour, etc.). I prefer a hardware firewall (less likely to have a problem, less likely to cause problems with computer operations, easier to add additional computers) such as the Linksys BEFSR11, Hawking PN9230, D-Link DI-704, SMC 7003ABR, Netgear RP114, etc., but the software firewalls are more likely to be able to give you a list of probes and attempted attacks. It is sometimes interesting to see that you have been probed 20-30 times an hour or more.
I would NOT suggest a software firewall for most users... (I use a hardware firewall at home).
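The probe list a software firewall gives you is only useful if you can summarise it: which ports are being hit, by whom, and how often per hour. The following is an added example (not code from the talk or any firewall vendor) that parses a constructed, simplified block log format, assumed here purely for illustration, and counts blocked inbound probes per destination port, per hour and per source. The port-to-service names come from the table above; the sample log lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x source addresses are constructed (documentation ranges), not real probes.

```python
import re
from collections import Counter

# Assumed log line shape for this example (not any product's real format):
#   YYYY-MM-DD HH:MM:SS ACTION PROTO src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Port/service names taken from the "most commonly attacked ports" table above.
PORT_SERVICE = {
    137: "Netbios", 80: "http", 1433: "MS-SQL-S", 21: "ftp", 25: "smtp",
    4662: "eDonkey", 139: "netbios-ssn", 445: "Microsoft-ds", 53: "DNS",
    27374: "asp",
}

# Constructed sample log: an hour's worth of blocked inbound probes, one
# allowed outbound connection (must be ignored) and one malformed line.
SAMPLE_LOG = """\
2002-12-10 08:01:12 BLOCK TCP 192.0.2.10:3456 -> 192.168.1.5:137
2002-12-10 08:03:44 BLOCK TCP 198.51.100.7:4012 -> 192.168.1.5:80
2002-12-10 08:15:09 BLOCK TCP 203.0.113.99:1025 -> 192.168.1.5:1433
2002-12-10 08:40:51 BLOCK UDP 192.0.2.10:1026 -> 192.168.1.5:137
2002-12-10 08:55:00 ALLOW TCP 192.168.1.5:1100 -> 198.51.100.7:80
2002-12-10 09:02:30 BLOCK TCP 198.51.100.7:4013 -> 192.168.1.5:27374
2002-12-10 09:10:07 BLOCK TCP 203.0.113.99:1030 -> 192.168.1.5:445
2002-12-10 09:11:58 BLOCK TCP 192.0.2.10:3470 -> 192.168.1.5:139
firewall restarted
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["hour"] = rec["date"] + " " + rec["time"][:2]   # bucket key, e.g. "2002-12-10 08"
    return rec


def summarize(log_text):
    """Count blocked probes by destination port, by hour and by source address."""
    by_port, by_hour, by_source = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK":   # skip junk and allowed traffic
            continue
        by_port[rec["dport"]] += 1
        by_hour[rec["hour"]] += 1
        by_source[rec["src"]] += 1
    return by_port, by_hour, by_source


def report(log_text):
    """Human-readable summary: ports with their service name, plus the busiest hour."""
    by_port, by_hour, by_source = summarize(log_text)
    lines = [f"port {port:>5} ({PORT_SERVICE.get(port, 'other')}): {n}"
             for port, n in by_port.most_common()]
    if by_hour:
        hour, n = by_hour.most_common(1)[0]
        lines.append(f"busiest hour: {hour}:00 with {n} probes")
    for src, n in by_source.most_common():
        lines.append(f"source {src}: {n} probes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log you would swap `LINE_RE` for your product's format; the counting logic does not change. Seeing the same source hit 137, 139 and 445 in one hour is exactly the kind of pattern the table above describes.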
You can test your home firewall via several sources. One is Steve Gibson's www.grc.com Shields UP!! firewall tester: https://grc.com/x/ne.dll?bh0bkyd2
Microsoft XP strongly wants WiFi, and Macintosh iBooks and TiBooks are almost unthinkable without WiFi; however...
WiFi does, however, have a >lot< of security vulnerabilities. For a full look, take Wireless Security: 802.11b and Other Protocols, which will be offered in April 2003 at UC Santa Cruz Extension (Sunnyvale): http://www.ucsc-extension.edu/main/qd/citlist.taf?function=detail&start=0&X_Number=X459.5%20Computer%20Science
The problems, in short, are:
WiFi goes much further than 30 or 300 or even 3000 feet; see http://www.baylisa.org/library/slides/2001/10/openlans.pdf for a short 150,000 foot connection.
WiFi's WEP crypto has major defects.
All attempts to fix WiFi crypto up to November 2002 have had major defects.
Users, in general, won't use the little security that they could have.
The MAC can be spoofed, easily.
There is no protection against fake Access Points.
Wardriving, Warchalking, Warflying may be legal, but do add problems: http://www.techtv.com/news/internet/story/0,24195,3398350,00.html (btw, TechTV is fun)
IANAL. Nor do I play one on TV or the Internet.
Misuse of this material can get you in serious legal trouble.
The law is very unclear; be careful, and get advice from your corporate attorney.
There have been court cases stating that ping sweeps/Nmap sweeps, etc. are legal, similar to walking down a street and looking to see if a window is open.
However, consider http://www.theregister.co.uk/content/55/26397.html on 29 July 2002:
By John Leyden
Posted: 26/07/2002 at 13:05 GMT
A Houston computer security analyst has been charged with hacking after demonstrating the insecurity of a county courts wireless LAN.
Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of fraud for allegedly breaking into Harris County district clerk's wireless computer system. It's believed to be the first case of its kind in the US.
Puffer, who was employed briefly by the county's technology department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.
He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
District Clerk Charles Bacarisse told the paper that no confidential information was disclosed but the alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated.
But is the prosecution a case of shooting the messenger?
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.
Puffer first noticed the problem while scanning for insecure 802.11 networks throughout Houston earlier that month, around the time that the alleged offence took place.
And then again (from http://www.commonme.org/ and elsewhere on July 23, 2002):
Steve Ballmer - the WiFi pirate: "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer. Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
There are a lot more problems with WiFi security, and then you have all the normal security problems. An intruder on your network can:
Send spam from your home computer, costing you your Internet access and possibly lawsuits
Plant a RAT on your home system and have control of your system (easy with Windows)
Store illegal material on your home system
Use your home system as a zombie for attacks across the Internet
Etc.
You should use an up-to-date antivirus tool on all computers all the time. If you use Microsoft Windows or Office or Internet Explorer it is critical.
Hoax viruses are another problem; more data on them can be found at Sophos http://www.sophos.com/virusinfo/hoaxes/ or NAI http://vil.nai.com/VIL/hoaxes.asp or Symantec http://www.symantec.com/sarc/avcenter/hoax.html, or use Google www.google.com.
If you use any form of Microsoft Windows, or Microsoft Office, or Microsoft Internet Explorer, your system is at grave risk even with a good firewall unless it also has a current antivirus system.
There are not that many Linux/Unix viruses, but there are a number and they are growing. The real problem for Linux/Unix is not viruses but Trojans, Worms, and Rootkits. Firewalls are just one part of your critical defense; an Integrity Checker (Tripwire or AntiVirus) is the other. AV has an advantage over Tripwire in that it can not only detect but also correct. Tripwire has an advantage in that it does not have to be upgraded as often.
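The integrity-checker idea is simple enough to show in full: record a baseline of cryptographic hashes (plus size and permission bits) for every file under a directory, store it somewhere the intruder cannot reach, and later compare a fresh snapshot against it to list added, removed and changed files. The following is an added example written for this talk, not Tripwire's code or format; it uses SHA-256 from Python's standard library, and the `demo()` scenario tampers with a constructed temporary directory (a modified file, a deleted file, a new file) so the comparison can be seen working.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map POSIX-style relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped so a link pointed elsewhere cannot hide a change in the target."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return result


def save_baseline(snap, baseline_path):
    """Write the baseline as JSON. Keep this file off the monitored host (or read-only media)."""
    Path(baseline_path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def compare(baseline, current):
    """Report what differs: new files, missing files, and files whose hash/size/mode changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def verify(root, baseline_path):
    """One-call check: compare the directory now against a saved baseline."""
    return compare(load_baseline(baseline_path), snapshot(root))


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "sub").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "sub" / "conf").write_text("key=value\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Tampering: one file modified, one deleted, one new file dropped in.
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "hosts").unlink()
        (root / "sub" / "new.so").write_bytes(b"\x7fELF constructed sample")
        return verify(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline must be protected at least as well as the files it describes, which is why the saved JSON belongs on read-only media or another machine; a checker whose baseline the intruder can rewrite detects nothing. This is also why the talk notes that AV can correct and Tripwire cannot: the snapshot only records that `passwd` changed, not what the correct content was.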
If you use Microsoft Excel, PowerPoint, etc. you need antivirus.
If you use IE or Word you really need antivirus.
If you want to connect from home to the company network you need antivirus.
Otherwise, probably not.
Spam is a current and expanding problem. Most spam tries to obtain $$ from you. Many are virus/Trojan infected, on purpose or by accident. Some you do not want your children to see.
Below are two common current scams, the eBay forgery and the Nigerian scam:
>
> **** Message Header *****
> Microsoft Mail Internet Headers Version 2.0
> Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
> Microsoft SMTPSVC(5.0.2195.5329);
> Fri, 6 Dec 2002 19:03:46 -0500
> Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
> ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
> Received: from sparc.isl.net ([45.55.85.241]) by
> anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
> Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
> 06 2002 1:46:01 PM +1100
> From: Ebay Billing <Billing@ebay.com>
> To: <deleted to protect victim>
> Cc:
> Subject: Ebay Billing Error
> Sender: Ebay Billing <Billing@ebay.com>
> Mime-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Date: Fri, 6 Dec 2002 16:02:56 -0800
> X-Mailer: eGroups Message Poster
> Return-Path: Billing@ebay.com
> Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>
> X-OriginalArrivalTime: 07 Dec 2002 00:03:49.0430 (UTC)
> FILETIME=[1E97BD60:01C29D84]
> **** End Message Header *****
>
> **** Message Contents *****
> Dear Ebay Member,
> We at Ebay are sorry to inform you that we are having problems with the billing information
> of your account. We would appreciate it if you would
> visit our website [Ebay Billing Center] <http://www.ebayupdates.com> and
> fill out the proper information that we are needing to keep you as an
> Ebay member.
> If you think you have received this email as an error, please visit our
> website and fill out the neccesary information. That way we can make
> sure that everything is up to date! Again here is the link to
> our website. Ebay Billing Center <http://www.ebayupdates.com>
> Joe Watson
> Ebay Billing Center
> Rep ID. 32A
> Thank you for your business.
> The Ebay Staff.
> ************************************************************************
> ******** *********************************
> Do not reply to this e-mail, for assistance contact the customer service team.
> ************************************************************************
> ******** *********************************
> ***** Message Contents ******
>
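Two things in the eBay forgery give it away and both can be checked mechanically: the From address claims ebay.com while every link points at ebayupdates.com, and the Received chain (read bottom-up, oldest hop first) shows the message wandering through a hotmail host, a Korean mail server and a web-hosting forum host rather than anything at eBay. The following is an added example, not part of the talk, that parses the message headers shown above with Python's standard `email` module, extracts the hop chain, and flags links whose domain does not match the sender's. The raw message is rebuilt from the headers above; the victim's address is replaced by a placeholder and the HTML body is a constructed stand-in containing the same link.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Rebuilt from the header block above. "victim@example.com" is a placeholder for the
# deleted recipient; the body is a constructed stand-in carrying the original link.
RAW_PHISH = """\
Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
 Microsoft SMTPSVC(5.0.2195.5329); Fri, 6 Dec 2002 19:03:46 -0500
Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
 ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
Received: from sparc.isl.net ([45.55.85.241]) by
 anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
 06 2002 1:46:01 PM +1100
From: Ebay Billing <Billing@ebay.com>
To: victim@example.com
Subject: Ebay Billing Error
Sender: Ebay Billing <Billing@ebay.com>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Fri, 6 Dec 2002 16:02:56 -0800
X-Mailer: eGroups Message Poster
Return-Path: Billing@ebay.com
Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>

<html><body>Dear Ebay Member, please visit our website
<a href="http://www.ebayupdates.com">Ebay Billing Center</a> and
fill out the proper information.</body></html>
"""

# "from X by Y" is the part of a Received header that names a claimed hop.
RECEIVED_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable(host):
    """Crude last-two-labels reduction (assumption: adequate for .com/.net names,
    wrong for suffixes like co.uk, where a public-suffix list would be needed)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sender_domain(msg):
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """List of (from, by) hops, oldest claimed hop first.
    Each relay prepends its Received line, so the header order is newest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # undo header folding
        m = RECEIVED_RE.search(text)
        hops.append((m.group("from"), m.group("by")) if m else (text, "?"))
    return hops


def link_hosts(body):
    return sorted({h.lower() for h in URL_RE.findall(body)})


def assess(raw):
    """Parse one raw message and return the evidence a reader would want to see."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    from_dom = sender_domain(msg)
    hosts = link_hosts(body)
    mismatched = [h for h in hosts if registrable(h) != registrable(from_dom)]
    return {
        "from_domain": from_dom,
        "link_hosts": hosts,
        "mismatched_links": mismatched,
        "hops": received_chain(msg),
        "suspicious": bool(mismatched),
    }


if __name__ == "__main__":
    verdict = assess(RAW_PHISH)
    for hop in verdict["hops"]:
        print("hop: from %s by %s" % hop)
    print("sender domain:", verdict["from_domain"])
    print("links:", verdict["link_hosts"], "mismatched:", verdict["mismatched_links"])
    print("suspicious:", verdict["suspicious"])
```

Only the topmost Received line (the one your own server added) is trustworthy; everything below it was written by whoever handed the message on, so the chain is evidence of inconsistency, not proof of origin. The link-domain check is the one most worth teaching users to do by eye: the text says "Ebay Billing Center", the destination does not.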
419 or Nigerian Scam
---------- Forwarded message ----------
Date: Tue, 10 Dec 2002 08:48:26 +0000
From: "MR. NELSON BROWN (JNR)" <nelsonbrown_1@yahoo.com>
Reply-To: nelsonbrown_2@mail.com
To: edwards@rahul.net
Subject: VERY URGENT! I NEED YOUR RESPONSE.
From: NELSON BROWN (JNR)
ATTN: President /CEO
Subject: Urgent Assistance
PERSONAL MEMO
Date: 10th December 2002
Sir,
Permit me to inform you of my desire of going into business relationship with you .I am NELSON MEE BROWN (JNR), The first son of late Mr. and Mrs. MORGAN MEE BROWN. My father was a very wealthy GOLD AND COCOA merchant in Congo republic. His business associate on one of their business outing poisoned him to death. When my mother died on the 21ST October 1994, my father took my brother and me so special because we were motherless, Before the death of my father on the 29th November 2000 in a private hospital here in Nigeria, He sincerely called me on his bed side and told me that he had a sum of 35.600,000 US DOLLARS (THIRTY FIVE MILLION SIX HUNDRED UNITED STATES DOLLARS) kept in a security company in SOUTH AFRICA. He also used my Mother's name and my name to deposit the money as his first son as next of kin. He also explained to me that it was because of this wealth that he was poisoned by his business associates, that I should seek for a foreign partner in a country of my choice where I will transfer this money and use it for investment purposes, I want you to assist me in clearing this fund into your account overseas as a beneficiary of the fund, and also see it for investment purpose, such as real estate management. My interested areas of investment are: REAL ESTATE, HOTELS, and PETROLUM INDUSTRY. I am honorably seeking for your assistance in the following ways.
(1) To assist me to clear this fund from the security company and transfer to your account successfully.
(2) To serve as the guardian of this fund since I am a young man of (26) yrs.
(3) To make arrangement for me to come over to your country to further my education and to secure a residential permit in your country.
Moreover, I am willing to offer you some part of the total sum as compensation for your effort input after the successful transfer of this fund to your nominated account. Furthermore, this transaction can be concluded within 14 days, from the day you signify interest to assist me. Waiting to hear from you soonest. Please reach me through my email address at: nelsonbrown_2@mail.com
Meanwhile in the meantime I must implore you to keep this matter highly reticent pending the actualization of the fund transfer.
Thanks and God bless you for your anticipated cooperation.
Best Regards
NELSON BROWN (Jnr)
It used to be simpler. Homes with children in school had most of the viruses because they would trade games on floppy disks. Now games are on CDs, and Hollywood and the RIAA are attacking children who download/rip/burn music and movies (Harry Potter 2 was swiped last week, before release, and is now on the Internet, for example).
Many, if not most, of the peer-to-peer file sharing programs are Trojan loaded, and in some cases have very interesting EULAs that users and kids click to approve without reading or understanding.
But this is only part of the problem.
There is SPAM for products.
There is SPAM for porn.
There is IRC and email, and who are your kids talking to?
Talk to your kids about the problems and dangers.
Know who they are talking to; check their email, IRC, IM, Chat, Usenet, etc.
Consider having only one place in the house where kids can use the Internet (in our kitchen/dining room); then you only have to check one or two systems.
Consider the pros and cons of content filters.
Run up-to-date antivirus.
Use a hardware firewall.
Can your children hurt the company where you work?
Yes. If your kids have access to your computer and play on it they may introduce viruses.
Yes. If you leave your computers on and connected to your place of work or study, your family members/visitors have the same access to your company that you have, which is not safe.
In one case a 13-year-old girl spent a day with her mother at her mother's office. Her mom was an MD. The daughter, in a bit of playfulness, wrote a letter telling patients that they were infected with AIDS and had the computer send it to all of her mother's patients.
Dewie the Turtle http://www.ftc.gov/opa/2002/09/dewie.htm
FBI Publications - A Parent's Guide to Internet Safety http://www.fbi.gov/publications/pguide/pguidee.htm
American Library Association Librarian's Guide to CyberSpace for Parents and Kids http://www.ala.org/parentspage/greatsites/safety.html
The Parents' Guide to the Information Superhighway, Rules and Tools for Families Online: http://www.childrenspartnership.org/bbar/pbpg.html
Kids Safety at Onondaga County Public Library http://www.ocpl.lib.ny.us/website/kids/safety.htm
The Parent's Guide to Protecting Your Children in Cyberspace by Parry Aftab http://www.amazon.com/exec/obidos/tg/detail/-/0071357521/qid=1037219031/sr=1-1/ref=sr_1_1/002-0901107-9940867?v=glance&s=books
Internet & Computer Ethics for Kids: (and Parents & Teachers Who Haven't Got a Clue.) by Winn Schwartau, D. L. Busch (Illustrator) http://www.amazon.com/exec/obidos/tg/detail/-/0962870056/ref=pd_sim_books_1/002-0901107-9940867?v=glance&s=books
Czek and Associates http://www.czekandassoc.com/ (look under Community Education)
A last thought: make Google your home page, www.google.com, and use the modifier "tutorial" when you need an introduction to a topic.