IT Security Blog

Malware Removal

By

If you look on any major forum which discusses computer security, you will probably find people, or teams of people, who dedicate a large proportion of their time to helping users remove malware from their computers.

These teams typically dedicate several hours a day to going through posts on the forum and helping users locate and remove malware. This process is aided by one or more tools which scan a system for malware and optionally remove some of it. My concern is that people rely far too much on other people to fix their mistakes, than trying not to make them in the first place.

These malware-removal types have started to make documents on generic ways to detect and remove malware, which is a start, but really they need to emphasise the methods of keeping your system clean to begin with. In fact, not only that, but ISPs and IT sellers should emphasise the importance of antivirus software which is regularly updated, to their customers.

Considering that there are several free antivirus programs around, there really is no excuse for not running one! Note, here, that “I’m running Linux” still is not a valid excuse for not having virus scanners; even if Linux is itself immune to most viruses, worms, etc, it can still be used as a node along the path to infecting more users.

Especially since mail attachments sent to a Linux system without a virus scanner would not be scanned, and the Linux user may then go on to send that attachment to a Windows user, who would open it thinking it comes from a reliable source. Using a virus scanner, and educating users in prevention rather than cure, is the direction I’d like to see being taken more often.

Unfortunately, there is no accountability for ISPs or vendors, so this won’t happen.

AOL Spam Policies

By

AOL are planning to charge for emails. Mass mailers will be able to pay for a higher priority delivery, bypassing the AOL spam filters and ensuring that mail is received directly in the end users inbox.

This is, obviously, a bad thing since spammers will be able to pay a small offset to ensure that their messages are delivered direct to the end users inbox, whilst legitimate messages will face the AOL spam filter gauntlet. Programmes such as this will only see a rise in spam, and a fall in the success rate of legitimate mail being successfully delivered.

Switched Network Security

By

Many people I speak to think that simply because they are on a switched network, they are immune to packet sniffing, a process whereby a computer listens for packets not intended for that address, and logs them, potentially gathering usernames, passwords, and other useful information within network traffic. For example, every time you log into a website which does not use SSL (Secure Sockets Layer), your username and password are transmitted in plain text as part of the HTTP (HyperText Transfer Protocol) request. If another user is running packet sniffing software, this request will get logged for later analysis, which could lead to that user gaining access to the website you visited, under your account.

Packet sniffing was easy on networks connected using hubs, as a hub is a device which sends every packet it receives to every computer connected. This is bad for a number of reasons, including reducing transfer rates due to collisions and unnecessary transmission; if data is not destined for a computer, it would still be sent there. It does, however, also allow for easy packet sniffing; simply set a network card to pass every packet up to the application layer, instead of only those addressed to the specific computer. These can be logged for later analysis.

On a switched network, packets usually go only to the computer to which they are addressed, based on MAC address resolution of the IP. The switch then sends packets to the port hosting that MAC address, and only that port.

So, how is it that switched networks are still vulnerable to packet sniffing, if packets only get transmitted to their destination?

This is where ARP Poisoning comes in. ARP is the Address Resolution Protocol, and maps IP addresses to MAC addresses. In an ARP Poisoning attack, a system sends out faked ARP responses claiming to be the MAC associated with an IP. As such, packets destined for that IP will be sent to the computer doing the ARP poisoning, as they traverse the switch, instead of the real destination.

Using this mechanism, it is possible to redirect packets between a computer on the network to the border router, forcing them to be delivered to a system running a packet sniffer, instead. From here, they can be logged and then sent on to the real MAC address of the router. This is known as a man-in-the-middle ARP Poisoning based network sniffing attack, and is effective against switched networks.

Because this attack is based on ARP requests and responses, which are a local network mechanism, this attack cannot traverse routers or any other level 3 or higher device.

Tips to keep your identity safe

By

http://commons.wikimedia.org/wiki/User:Juntung

Identity theft sounds like it’s mostly done online by hackers who try to scam your information off you, but some of the easiest techniques can be done without even logging in front of a computer.

Frank Abagnale is probably the best example of a successful identity thief. In the late sixties he created different personas to get jobs, free airplane trips, and draw money from various banks before being caught and sent to jail for six years. Since then he’s given his expertise to combatting the same crimes he was charged with, becoming one of the foremost document security experts out there. Here’s several tips from him on how to avoid getting your identity stolen:

  • Shred, shred, shred. Dumpster diving can turn up documents with revealing personal information printed on them. Try to use a cross cut shredder to get Some of the documents you should shred are pre-printed checks and pre-approved credit card mailings. They may have your credit card or account numbers written on them, and it only takes a phone call to order and put that to your account.
  • Check if you’re missing any mail, especially credit card records and bank statements. And while we’re on the topic of mail – go through your statements and make sure all of your purchases are accounted for.
  • Don’t carry anything you don’t need. This applies to Social Security cards, extra credit cards, and any other papers. Leave them in a safe place at home. If you lose them or they get stolen they’ll be more than enough to take your identity.
  • In the eventuality that your credit card or papers are stolen, know what government agencies and bank hotlines you can call to report it immediately. The smaller that window between the theft and the report, the shorter the time they can use your data.

[tags]identity theft, tips, Frank Abagnale[/tags]

End users’ behavior can cause security breaches

By

Crystal_Clear_filesystem_folder_locked.png

Most security specialists say that though hackers and phishers are their primary enemies, the ones doing the most damage to their system are the end users. End users may inadvertently let malware on their computers by clicking an attachment or entering an untrustworthy site, but no matter how many times they’re warned and educated about these threats they go on doing the same things.

An article in Dark Reading compiled by their staff lists down ten of the most dangerous behaviors end user do that could compromise the security. Though this isn’t the first list ever made about this issue (nor will it be the last) the themes it had in common with a few other lists I found were:

  • Visiting, downloading and installing freeware from sources you’re not sure of. No one would admit it, but chances are users will find a way to visit gambling and porn sites even if they’re banned. They just look for one that’s currently not in the banned list. Music and game downloads sites can also house unseen code that can exploit the computer.
  • Disabling the very same security precautions intended to keep you safe. This is especially true for firewalls, anti-virus software, and WiFi connections. Some might find their connection speed lowered by constant reminders of security precautions like password changes, patch updates, and automated virus updates.
  • Password precautions. End users may be sharing their passwords with friends and family, increasing the risks of security breaches. Some, for the sake of remembering them easily, use dictionary words and jot them down or save them in their mobiles.
  • Clicking on links and attachments from friends and even perfect strangers. It’s only too true that most people click before checking if a link’s legitimate or not, especially for phishing e-mails. And even links from friends on an instant messenger service can be a scam to deliver trojans to your computer.

[tags]dangerous things to do online, list, security, password[/tags]

How Botnets Work

By

computer.JPG

A botnet to a group of computers that’s been hacked and put under the control of one controller called a bot herder, and all this without the computer owner’s knowledge. They do it by planting a bot into the system and then activating it when it suits their ends.

How they work
Bot herders try to target the machines with broadband internet like those of home users, small universities and enterprises, which are typically with limited resources and knowledge of protecting their systems. These computers often run on Windows without up-to-date patches. The computer are infected by using an e-mail attachment, or more recently, using Internet Relay Chat (IRC). Once infected, the bot logs onto an IRC server to receive commands from the bot herder. Though firewalls, anti-spyware and antivirus programs can stem the flow of attacks, even more programs are being developed to evade detection.

Once a computer is commandeered, the bot herder can use it in a variety of ways. It can be used to download a variety of adware that pays per download, send spam to people listed on the owner’s addressbook, gain confidential information through keylogging, and even cause a directed denial of service attack (DoS) to a selected website by sending huge amounts of traffic and page requests, shutting it down until the attack is over. Because of the flexibility of IRC networks, computers from different countries can be easily connected and controlled through a botnet. Botnets proliferate because the potential of profit is great.

There are signs to tell if a computer has become a zombie in a botnet. Monitor to see if it’s receiving data from a server the user isn’t accessing. Organizations intent on finding and shutting down botnets establish networks specifically made to lure these bot herders out in the open. They allow these to control a computer in their system and tracing the source down. They reverse engineer bots and listen into botnet conversations to find them. If the track a zombie, it will be reported and the data of the infection logged for possible criminal investigations.

[tags]botnet[/tags]