ATC Colloquia 23 January 2003 Public Version
We have all heard about the insecurity of the Internet, how millions of attacks and probes happen every day around the world. In this talk we will explore the critical information that you, as a computer user, need to know about:
Edwards, CISSP, GCIH, LM Antivirus, LM Vulnerability Alerts, UC Santa Cruz Extension
Instructor on Viruses and Wireless Security. Editing assistance by George Meyers
If you are behind the LM firewall, you can also download the LM specific Security Talk - Word document (Zipped).
How many attacks are there? No one knows, and it depends on what you mean by an attack. For example, the www.incidents.org web page logs over 3 million attack probes per day.
On 10 December 2002 the most commonly attacked ports are:
Chode, Qaz, Msinit Trojans
IE, Nimda, 711, AckCmd, BO, Hooker, etc
Easy remote root
Ramen, Lion, 666, Senna Spy, Traitor21
Hybris, Antigen, IloveYou,etc
Chode, GodMessage, Msinit, Qaz, Sadmind
SubSeven, Lion, Ramen, BadBlood
Key: Microsoft in bold BLUE; Linux in bold Green
The top 10 viruses of 2002 were all Microsoft viruses, as can be seen at http://www.sophos.com/pressoffice/pressrel/uk/20021204yeartopten.html; however, as seen above, many of the top-10 attacks are Linux worms.
All computers, operating systems and applications have vulnerabilities, but some have fewer than others. If you use Windows, Microsoft Office or Microsoft Internet Explorer, your computer is at high risk. Linux viruses are a growth area, but most of the Linux problems are Trojans and worms. Linux AV can provide protection from them and from rootkits. Macintoshes have fewer problems than most, but they do have some.
Microsoft's security page is at www.microsoft.com/security/
Red Hat is at http://www.redhat.com/solutions/security/ (other Linux/BSD are at similar pages)
Apple's Security Web page is at http://www.info.apple.com/usen/security/security_updates.html
Didn't see very many Macintosh OS9 problems? Right, there are not very many.
There are some Microsoft vulnerabilities that involve Macs, mostly with Word, Office, IE, etc. You can find them here: http://www.microsoft.com/security/
If you have a fast Internet connection at home and have no firewall, you are at risk. The Honeynet project http://www.honeynet.org/ has found that the average computer on a fast network has about a 100% chance of being hijacked within the first 24 hours of connection. The fastest that they have seen a computer be discovered, broken into, and rootkited (stealth takeover) is 15 minutes.
There are a number of good software firewalls, some free, some at reasonable cost (BlackIce, ZoneAlarm, Sygate, CyberArmour, etc.). I prefer a hardware firewall (less likely to have a problem, less likely to cause problems with computer operations, easier to add additional computers) such as the Linksys BEFSR11, Hawking PN9230, D-Link DI-704, SMC 7003ABR, Netgear RP114, etc., but the software firewalls are more likely to be able to give you a list of probes and attempted attacks. It is sometimes interesting to see that you have been probed 20-30 times an hour or more.
I would NOT suggest a software firewall for most users... (I use a hardware firewall at home).
You can test your home firewall via several sources. One is using Steve Gibson's www.grc.com Shields UP!! firewall tester https://grc.com/x/ne.dll?bh0bkyd2 .
Microsoft XP strongly wants WiFi, and Macintosh iBooks and TiBooks are almost unthinkable without WiFi, however...
WiFi does, however, have a >lot< of security vulnerabilities (for a full look, take Wireless Security: 802.11b and Other Protocols, which will be offered in April 2003 at UC Santa Cruz Extension (Sunnyvale): http://www.ucsc-extension.edu/main/qd/citlist.taf?function=detail&start=0&X_Number=X459.5%20Computer%20Science ).
The problems in short are:
WiFi goes much further than 30 or 300 or even 3000 feet, see http://www.baylisa.org/library/slides/2001/10/openlans.pdf for a short 150,000 foot connection.
WiFi's WEP crypto has major defects
All attempts to fix WiFi crypto up to November 2002 have had major defects
Users, in general, won't use the little security that they could have
The MAC address can be spoofed, easily
There is no protection against fake Access Points
Wardriving, Warchalking, Warflying may be legal, but do add problems
http://www.techtv.com/news/internet/story/0,24195,3398350,00.html (btw, TechTV is fun)
IANAL Nor do I play one on TV or the Internet.
Misuse of this material can get you in serious legal trouble.
The law is very unclear; be careful, and get advice from your corporate attorney.
There have been court cases stating that ping sweeps, Nmap sweeps, etc. are legal, being similar to walking down a street and looking to see whether a window is open.
However consider http://www.theregister.co.uk/content/55/26397.html on 29 July 2002:
By John Leyden
Posted: 26/07/2002 at 13:05 GMT
A Houston computer security analyst has been charged with hacking after demonstrating the insecurity of a county courts wireless LAN.
Stefan Puffer, 33, was indicted by a Grand Jury on Wednesday with two counts of fraud for allegedly breaking into Harris County district clerk's wireless computer system. It's believed to be the first case of its kind in the US.
Puffer, who was employed briefly by the county's technology department in 1999, could get five years in jail and faces a $250,000 fine on each count if convicted, the Houston Chronicle reports.
He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up.
District Clerk Charles Bacarisse told the paper that no confidential information was disclosed but the alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated.
But is the prosecution a case of shooting the messenger?
On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.
Puffer first noticed the problem while scanning for insecure 802.11 networks throughout Houston earlier that month, around the time that the alleged offence took place.
And then again (from http://www.commonme.org/ and elsewhere on July 23, 2002):
Steve Ballmer - the Wifi pirate: "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer. "Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
There are a lot more problems with WiFi security, and then you have all the normal security problems. An intruder can:
Send spam from your home computer, costing you your Internet access and possibly bringing lawsuits
Plant a RAT (remote access Trojan) on your home system and take control of it (easy with Windows)
Store illegal material on your home system
Use your home system as a zombie for attacks across the Internet
You should use an up-to-date antivirus tool on all computers all the time. If you use Microsoft Windows or Office or Internet Explorer it is critical.
Hoax viruses are another problem; more data on them can be found at Sophos http://www.sophos.com/virusinfo/hoaxes/ or NAI http://vil.nai.com/VIL/hoaxes.asp or Symantec http://www.symantec.com/sarc/avcenter/hoax.html, or use Google www.google.com.
If you use any form of Microsoft Windows, or Microsoft Office, or Microsoft Internet Explorer your system is at grave risk even with a good firewall unless it also has a current antivirus system.
There are not that many Linux/Unix viruses, but there are a number and they are growing. The real problem for Linux/Unix is not viruses but Trojans, worms, and rootkits. Firewalls are just one part of your critical defense; an integrity checker (Tripwire or antivirus) is the other. AV has an advantage over Tripwire in that it can not only detect but also correct. Tripwire has an advantage in that it does not have to be upgraded as often.
If you use Microsoft Excel, PowerPoint, etc. you need antivirus.
If you use IE or Word you really need antivirus.
If you want to connect from home to the company network you need antivirus.
Otherwise, probably not.
Spam is a current and expanding problem. Most spam tries to obtain $$ from you. Many messages are virus/Trojan infected, on purpose or by accident. Some you do not want your children to see.
music/video exchange
Below are two common current scams, an eBay forgery and the Nigerian scam:
> **** Message Header *****
> Microsoft Mail Internet Headers Version 2.0
> Received: from 184.108.40.206 ([220.127.116.11]) by ciretose.net with
> Microsoft SMTPSVC(5.0.2195.5329);
> Fri, 6 Dec 2002 19:03:46 -0500
> Received: from unknown (HELO f64.law4.hotmail.com) (18.104.22.168) by
> ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
> Received: from sparc.isl.net ([22.214.171.124]) by
> anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
> Received: from [126.96.36.199] by f64.law4.hotmail.com with NNFMP; Dec,
> 06 2002 1:46:01 PM +1100
> From: Ebay Billing <Billing@ebay.com>
> To: <deleted to protect victim>
> Subject: Ebay Billing Error
> Sender: Ebay Billing <Billing@ebay.com>
> Mime-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Date: Fri, 6 Dec 2002 16:02:56 -0800
> X-Mailer: eGroups Message Poster
> Return-Path: Billing@ebay.com
> Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>
> X-OriginalArrivalTime: 07 Dec 2002 00:03:49.0430 (UTC)
> **** End Message Header *****
> **** Message Contents *****
> Dear Ebay Member,
> We at Ebay are sorry to inform you that we are having problems with the billing information of your account. We would appreciate it if you would
> visit our website [Ebay Billing Center] <http://www.ebayupdates.com> and
> fill out the proper information that we are needing to keep you as an
> Ebay member.
> If you think you have received this email as an error, please visit our
> website and fill out the neccesary information. That way we can make
> sure that everything is up to date! Again here is the link to
> our website. Ebay Billing Center <http://www.ebayupdates.com>
> Joe Watson
> Ebay Billing Center
> Rep ID. 32A
> Thank you for your business.
> The Ebay Staff.
> ******** *********************************
> Do not reply to this e-mail, for assistance contact the customer service team.
> ******** *********************************
> ***** Message Contents ******
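The eBay forgery above carries its own tell-tales: the From and Return-Path claim ebay.com, but the Message-ID and the relay chain name other domains, and the link points at ebayupdates.com. The following script, an added example that is not part of the original talk, screens a message for exactly those mismatches. The sample is constructed from the headers above, with the relay IPs replaced by RFC 5737 documentation addresses and the victim address removed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the eBay forgery above (IPs and victim address replaced).
SAMPLE = """\
Received: from unknown (HELO f64.law4.hotmail.com) (192.0.2.1) by ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
Received: from [192.0.2.2] by f64.law4.hotmail.com with NNFMP; Dec, 06 2002 1:46:01 PM +1100
From: Ebay Billing <Billing@ebay.com>
To: victim@example.org
Subject: Ebay Billing Error
Return-Path: Billing@ebay.com
Message-ID: <DCxgX3kT8fP682w9hWb00000009@ciretose.net>
Content-Type: text/html; charset="iso-8859-1"

<html><body>Visit <a href="http://www.ebayupdates.com">Ebay Billing Center</a></body></html>
"""

def base_domain(host):
    """Crude registered domain: the last two labels (fine for .com/.net/.org)."""
    labels = host.lower().strip("[]").split(".")
    return ".".join(labels[-2:])

def relay_hosts(received_headers):
    """Host named after 'by' in each Received header; the last entry is the oldest hop."""
    hosts = []
    for hdr in received_headers:
        m = re.search(r"\bby\s+([\w.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def phishing_indicators(raw):
    """Return human-readable mismatches between the claimed sender and the evidence."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = base_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    findings = []
    msgid_dom = base_domain(str(msg["Message-ID"]).strip("<>").split("@")[-1])
    if msgid_dom != claimed:
        findings.append(f"Message-ID domain {msgid_dom} differs from From domain {claimed}")
    hops = relay_hosts(msg.get_all("Received", []))
    if hops and base_domain(hops[-1]) != claimed:
        findings.append(f"earliest relay {hops[-1]} is not a {claimed} server")
    for url in re.findall(r'href="(https?://[^"]+)"', msg.get_content()):
        host = urlparse(url).hostname or ""
        if base_domain(host) != claimed:
            findings.append(f"link to {host} while claiming to be {claimed}")
    return findings  # an empty list is not proof of legitimacy, only absence of these three tells
```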
419 or Nigerian Scam
---------- Forwarded message ----------
Date: Tue, 10 Dec 2002 08:48:26 +0000
From: "MR. NELSON BROWN (JNR)" <firstname.lastname@example.org>
Subject: VERY URGENT! I NEED YOUR RESPONSE.
From: NELSON BROWN (JNR)
ATTN: President /CEO
Subject: Urgent Assistance
Date: 10th December 2002
Permit me to inform you of my desire of going into business relationship with you .I am NELSON MEE BROWN (JNR), The first son of late Mr. and Mrs. MORGAN MEE BROWN. My father was a very wealthy GOLD AND COCOA merchant in Congo republic. His business associate on one of their business outing poisoned him to death. When my mother died on the 21ST October 1994, my father took my brother and me so special because we were motherless, Before the death of my father on the 29th November 2000 in a private hospital here in Nigeria, He sincerely called me on his bed side and told me that he had a sum of 35.600,000 US DOLLARS (THIRTY FIVE MILLION SIX HUNDRED UNITED STATES DOLLARS) kept in a security company in SOUTH AFRICA. He also used my Mother's name and my name to deposit the money as his first son as next of kin. He also explained to me that it was because of this wealth that he was poisoned by his business associates, that I should seek for a foreign partner in a country of my choice where I will transfer this money and use it for investment purposes, I want you to assist me in clearing this fund into your account overseas as a beneficiary of the fund, and also see it for investment purpose, such as real estate management. My interested areas of investment are: REAL ESTATE, HOTELS, and PETROLUM INDUSTRY. I am honorably seeking for your assistance in the following ways.
(1) To assist me to clear this fund from the security company and transfer to your account successfully.
(2) To serve as the guardian of this fund since I am a young man of (26) yrs.
(3) To make arrangement for me to come over to your country to further my education and to secure a residential permit in your country.
Moreover, I am willing to offer you some part of the total sum as compensation for your effort input after the successful transfer of this fund to your nominated account. Furthermore, this transaction can be concluded within 14 days, from the day you signify interest to assist me. Waiting to hear from you soonest. Please reach me through my email address at: email@example.com
Meanwhile in the meantime I must implore you to keep this matter highly reticent pending the actualization of the fund transfer.
Thanks and God bless you for your anticipated cooperation.
It used to be simpler. Homes with children in school had most of the viruses because the children would trade games on floppy disks. Now games are on CDs, and Hollywood and the RIAA are attacking children who download/rip/burn music and movies (Harry Potter 2 was swiped last week, before release, and is now on the Internet, for example).
Much, if not most, Peer-2-Peer file sharing software is Trojan-loaded, and in some cases it has very interesting EULAs that users and kids click to approve without reading or understanding.
But this is only part of the problem.
There is SPAM for products.
There is SPAM for porn.
There is IRC and email and who are your kids talking to?
Talk to your kids about the problems and dangers
Know who they are talking to, check their email, IRC, IM, Chat, Usenet, etc.
Consider having only one place in the house where kids can use the Internet (in our kitchen/dining room), then you only have to check one or two systems
Consider the pros and cons of content filters
Run up-to-date antivirus
Use a hardware firewall
Can your children hurt the company where you work?
Yes. If your kids have access to your computer and play on it they may introduce viruses.
Yes. If you leave your computers on and connected to your place of work or study, your family members/visitors have the same access to your company that you have, which is not safe.
In one case a 13 year old girl spent a day with her mother at her mother's office. Her mom was an MD. The daughter, in a bit of playfulness, wrote a letter telling patients that they were infected with AIDS and had the computer send it to all of her mother's patients.
Dewie the Turtle http://www.ftc.gov/opa/2002/09/dewie.htm
FBI Publications - A Parent's Guide to Internet Safety http://www.fbi.gov/publications/pguide/pguidee.htm
American Library Association Librarian's Guide to CyberSpace for Parents and Kids http://www.ala.org/parentspage/greatsites/safety.html
The Parents' Guide to the Information Superhighway, Rules and Tools for Families Online: http://www.childrenspartnership.org/bbar/pbpg.html
Kids Safety at Onondaga County Public Library http://www.ocpl.lib.ny.us/website/kids/safety.htm
The Parent's Guide to Protecting Your Children in Cyberspace by Parry Aftab http://www.amazon.com/exec/obidos/tg/detail/-/0071357521/qid=1037219031/sr=1-1/ref=sr_1_1/002-0901107-9940867?v=glance&s=books
Internet & Computer Ethics for Kids: (and Parents & Teachers Who Haven't Got a Clue.) by
Winn Schwartau, D. L. Busch (Illustrator) http://www.amazon.com/exec/obidos/tg/detail/-/0962870056/ref=pd_sim_books_1/002-0901107-9940867?v=glance&s=books
Czek and Associates http://www.czekandassoc.com/ look under Community Education
A last thought: make Google your home page, www.google.com, and use the modifier "tutorial" when you need an introduction to a topic.