Posts Tagged ‘malware’

Internet doomsday scenarios

Tuesday, May 25th, 2010

For something we have become so reliant on the internet is worryingly open to attack. From attacks on the physical infrastructure, to the computers connected to it, to the data which is stored in it, I’m going to go through some potential internet doomsday scenarios.

Mass deliberate cutting of internet cables

The number of computers on the internet is large. The number of cables which connect the continents is small. This image of the internet’s undersea cables is a few years old but it is still relevant. It shows how fragile the internet’s infrastructure really is.

lan cables

There have already been numerous incidents where areas such as India and the Middle East, West Africa and Dubai have had their internet access severely disrupted. The cause can be ship’s anchors cutting the cables, earthquakes, or component failure.

Even these small incidents can have big knock on impacts, as the failure of one major cable puts extra pressure on other cables to take the extra data – making them more likely to fail as a knock on consequence. Some countries are almost totally reliant on a single cable.

Accidental cable damage has already caused major internet failures. Imagine if a deliberate attack was carried out on numerous cables at the same time, either by a standard terrorist, or some Bond-esque villain intent on removing our ability to watch videos of skateboarding dogs.

If a large enough number of cables were cut the internet could grind to a complete halt.

Yes the damage is fixable, but when you are dealing with cables that are far under the sea it takes time to repair them.

Much of the world could be left without usable internet for days or even weeks. The problem would be compounded by people’s panic reactions. Whenever a major terrorist attack is carried out, people flock to the internet to try to find out more. This creates additional load on the network which compounds the problem.

Search engine data theft

Chances are you use regularly use a search engine. Think back of all the search terms you typed in. I bet you’ve typed searched for things that you wouldn’t want anyone else to know about.

lan cables connecting to router

It could be the things you have searched for would cause major embarrassment to you if your friends or family found out. Maybe if this data were ever made public maybe you would lose your job. Possibly you would be severely shamed. In the worst case if you searched for illegal content you could be prosecuted and imprisoned if found out.

All search engines store your search queries for various purposes, the most obvious being to target relevant adverts at you. They store the raw data for a certain time, and then carry out some form of anonymisation on the data.

A major search engine for example has reduced the time until they anonymise IP addresses from 18 months to 9 months, but is the anonymisation really sufficient?

It seems not, they only change ‘some’ bits of the IP address after 9 months, and you have to wait 18 months to have the last 8 bits and the cookie information changed. This is hardly anonymisation as the associations between can potentially be reconstructed with using the other information in the logs such as the search terms.

If you have ever done searches where you look for you own name, post or zip code, or other personally identifiable information then you are leaving markers in the logs that would allow the information to be reconstructed and attributed to you, even after their anonymisation process is carried out.

Look at what happened when AOL deliberately released search data that they had ‘anonymised’. Researchers and journalists were soon able to track down some of the people who had been typing in those search terms.

So what is the doomsday scenario?

All that data is sitting there in the search engine’s huge data centres all around the world. All it takes is one person to hack in, or one disgruntled employee to send some of the data out.

The search data that AOL released only took up 439mb compressed. Imagine the damage a disgruntled search engine employee with a 1TB hard drive could cause.

Data theft isn’t some far out scenario. It happens all the time. Look at the OSF data loss database if you want to see how often it is happening.

Other data theft

As you can imagine the damage a major search engine data leak or theft could occur, I’m sure you can imagine the damage that could be caused if a major collector of personal data such as Facebook or Hotmail had their data stolen.

router control panel

What would you do if all your email from the last one, two, five, or ten years was made public, for all to see?

Data destruction

More and more of our data is moving from being stored on local computers to centralised data centres which might be in another country (media companies like to refer to the network of data centres as ‘the cloud’). In theory the companies that store our data should be backing it up so if something goes wrong, no data is lost.

Problems occur because when something goes wrong with the original data, the companies often find that their backups don’t work as expected. How often do you test your backups? People just assume that backups will work, and by the time they realise that something is wrong with the backup it is too late.

One example is the social bookmarking site Ma.gnolia who lost all their user data in 2009. The quantity of data lost was only half a terabyte. An amount that you can fit in a pocket hard drive.

If things can go wrong when you have a mere half a terabyte of data, imagine what can go wrong when companies have petabyes, or even exabytes of data.

A better known data destruction close call was the 2009 Sidekick data loss when 800,000 user’s data was lost from Microsoft data centres. Most of the data was subsequently recovered, it is not clear if anyone permanently lost data, but it was certainly a close call for many.

Many of these data destruction events have been down to software errors, but it can only be a matter of time before a well know company suffers a big data centre fire, or until a data centre is deliberately targeted by terrorists.

DNS hacking

The current IPV4 internet was never designed to be secure. Much of it relies on trust. This worked alright when it was just used by scientists, and academics. But now that the internet is open to all, this trust is leading to problems.

One of the cornerstones of the web is the DNS system. We trust it everyday to tell our computer where to find the web address that we type in, or click on.

A URL such as bbc.co.uk is not an address that allows a computer to directly access the website. There is an additional step where a trusted server, known as a DNS server, has to translate the URL into something the computer can find such as 212.58.224.138. This block of four numbers is an IP address. It is the address of a computer on the internet.

We trust the DNS server to give our computer the correct IP address. Problems happen when it doesn’t.

Imagine that we type in the URL for our bank. And instead of giving us the IP address for our bank it gives us the IP address for the computer of a criminal gang (this is known as a DNS hack). Instead of going to our bank’s website we will go to the criminal’s website.

It is not difficult for them to make their website look just like our bank’s website. The address you see in the browser would even be identical so you might never know that you were at the wrong website. They can even produce a fake certificate so you get the padlock icon in your browser that makes you think the website is safe.

Once they have convinced you that their website is the real bank’s website it is trivial for them to get your bank login details off you. In some cases they can forward requests from their fake bank website to the genuine bank website to get your real account information so that they can present you with the correct account balance, and online statement values.

If this attack is done on a high profile bank or other high profile organisation it will get found out. But how long would it take. Maybe a few hours? Maybe half an hour? Maybe it would even be found out sooner.

Even if the DNS hack was quickly closed down the criminals could still steal a large amount of user account details in a very short time. In this time they could initiate purchases, money transfers, or other data thefts.

They could make off with a serious amount of money before anyone realises what has happened.

This kind of DNS hack can be done. China’s largest search engine Baidu recently had their DNS details changed to point somewhere else.

I’ve mainly spoken about using a DNS back to steal bank account details, but it could be used for other purposes. The fake website could install viruses or spyware, promote some political cause, corrupt your data, or steal other data that you would normally type into the trusted website.

Global webcam or microphone hack

Most new laptops and netbooks have cameras and microphones built in these days. Unless you cover up the camera (with bluetak for example) you will be sitting in front of the computer with a camera watching everything you do, and a microphone listening to what you say.

camera phone lens

What if someone managed to hack into your camera, or the cameras of thousands, hundreds of thousands, or even millions of computers? Webcam hacking is something that has already been done on a small scale. There are even websites out there that claim to identify webcams that can easily be hacked into.

The malicious hacker could take covert photos or video of you. And they could use a virus to access your microphone. Many people leave their laptop on in their living room. If a virus was able to access your laptop microphone it would just be like having a spy’s listening bug in your living room.

The malicious virus spreader could record your most personal conversations in full, and could potentially record photos and video as well.

Most laptops do have a basic safety device to prevent the webcam being used without your knowledge. They have a light which will turn on when the camera is activated. If you noticed the light (and I bet a lot of people wouldn’t) then you might spot something isn’t right.

But there is no way to tell if your microphone is being used.

Before you know it the photos, videos, and private conversations of thousands or even millions of people could have been made available for public viewing on the internet.

As shown with the AOL search data scandal, any other unwanted publication of data on the internet is very difficult, or often impossible to get removed.

Think you are safe from prying ears and eyes when away from your computer? Think again, modern mobile phones have cameras, a microphone and an internet connection. There have not been very many instances of mobile phones viruses – yet, but this is an areas that criminals are likely to target more in the future.

Internet censorship

Censorship on the internet is increasing. As well as countries that openly practice internet censorship, you might be surprised to hear of internet censorship being introduced in countries such as Australia and New Zealand.

One of the internet’s big strengths has been to allow information to move freely from country to country. For how much longer will this be the case?

Reporters without Borders have a good PDF of internet enemies on their site, and Wikipedia have a comprehensive starting page on internet censorship.

Made to pay for illegal music and film downloading

Have you ever illegally downloaded a song or a film? Or have you shared a song or film with other via websites such as BitTorrent?

If you have, then music and film industry bodies such as the RIAA or MPAA may one day be getting in contact with you.

They are very keen to stamp down on all pirating activities and have launched many prosecutions against individual users. There has even been a case of someone being jailed for sharing a video.

You may wonder how they would ever find out. Unfortunately for you there are companies such as BayTSP who are employed by the copyright holders to track illegal downloads on their behalf. They can build up huge databases of what IP addresses are downloading what. All the copyright holder then has to do is to make the relevant ISP hand over the details of who was using that IP address at that time and they can soon make a prosecution.

Many people have already received demands that require them to pay compensation or face prosecution.

Don’t go round thinking the internet is anonymous. Everywhere you go information about what you do is being recorded. It only takes one company with sufficient motivation (such as an expected monetary payoff) to be able to piece the bits together and identify you.

Windows Update hacked

Windows Update is Microsoft’s solution for pushing updates and patches to millions of Windows PCs all around the world.

adsl microfilter

Most people have their PCs configured to automatically download and install all critical updates that Microsoft issue.

What if the ‘bad guy hackers’ managed to hack into the Windows Update mechanism and insert their virus into the Windows Update system so that all Windows PCs around the world automatically downloaded and installed it before Microsoft notice?

Once installed the virus could create havoc on a scale not seen by any other virus. A denial of service attack launched from the entire world’s Windows PCs could bring the internet to a complete standstill for a significant time. The damage would take a lot of effort to fix.

Ultimate doomesday

What if using the Windows Update hack the bad guys were really evil. What if instead of just installing spyware, or using the PCs as a botnet the bad guys decided to nuke them. The Chernobyl virus wrote over the computer’s BIOS, and over vital parts of the hard drive.

If it managed to infect the computer and corrupt the BIOS and hard drive in this way then the computer would need to be taken in for repair, and there might be a significant loss of data even after the repair.

Millions or hundreds of millions people could be left without access to their computers. This kind of virus would be more likely to affect home or small business users, as medium or large businesses don’t usually have automatic updates turned on. They’ll roll out the patches only after they have tested them.

This kind of virus could have enormous global impact, but it could still be worse.

If the bad guys managed to find a significant zero day exploit on several different versions of Windows, and managed to find a way to covertly spread it, then they could go for a total global infection. If the bad guys were patient and waited for the infection to reach a critical mass before activating it then they could simultaneously nuke the majority of internet connected Windows PCs at the same time.

What then? It is hard to imagine what would happen to the world if most of their desktop computers were wiped out in this way.

Of course some lucky people would have UNIX/Linux/Mac machines, and they’d be alright – unless the hackers were really good and used a simultaneous exploit on those as well! Users of non-Windows machines shouldn’t be too smug about the security of their computers. There are many examples that have shown that non-Windows machines are riddled with security holes. They only stay virus free because the hackers attention is focussed on the Windows boxes.

Links for the paranoid

The best way to avoid viruses and spyware is to apply common sense. Nowadays most malware is getting on computers through social engineering, or people being careless. I did write a post about anti-malware software but it is now a bit out of date. These days I use Avast, Windows Security Essentials, Spyware Blaster and Trusteer Rapport.

Scroggle will allow you to search Google without them being able to link your search queries to you. Google have an SSL encrypted version of the search tool, which will prevent your searches being intercepted by your ISP, or by people sniffing your unencrypted WiFi connection if you aren’t using an encrypted connection.

For more comprehensive anonymous browsing Anonymizer.com will help.

If you are worried about your web cam being used to spy on you then covering the lens with blu tack or a piece of paper will work. Be careful if you use something sticky like blu tack. When you close the screen it might stick to the main surface of your laptop. And when you then open it again you could end up ripping the screen off!

Preventing the microphone from being used is harder – if there is a physical microphone plug on the laptop then plugging in a 3.5mm adaptor should physically disconnect it.

To solve your worries about losing data which is stored in the world’s data centres all you have to do is make sure it is backed up – which you should be doing anyway.

For people who are worried about being sued for pirating music and DVDs; I’d suggest a simple solution. Buy your music and DVDs instead of pirating them! They aren’t that expensive if you get them from somewhere like Amazon. And you’ll get a warm and fuzzy feeling that you are supporting the people employed in the music and film industries!

Have fun on your computers, and stay safe!

Setup Trusteer Rapport to protect other websites

Monday, February 22nd, 2010

Trusteer Rapport helps to stop key loggers from stealing your passwords, and stops viruses or spyware from seeing what you are doing in your web browser.

Many banks are now offering it for free download. You can for example download it from NatWest’s website here – even if you aren’t a NatWest customer.

It is preconfigured to protect a small number of partner websites, but you can configure it to protect other sites you use as well.

You can enable it for each website that you enter username / password / credit card details into. When on the website you want to protect click on the grey Rapport arrow, and then press the ‘Protect this Website’ button.

trusteer rapport unprotected website

Then:

trusteer rapport protect this website

When you are on a website it is protected if the arrow is green, and it is not protected if the arrow is grey.

As well as protecting each individual website I’d recommend you increase the level of protection Trusteer Rapport offers.

Increase the security from the default settings

Click on the ‘Rapport’ arrow in the address bar of the web browser and press ‘Open Console’.

trusteer rapport open console

Click on the green circle with the right facing arrow on the bottom right of the screen.

trusteer rapport green button

Click on ‘Edit Policy’.

trusteer rapport edit policy

On this screen go through all the pull down options and make sure the bottom option of each is selected.

trusteer rapport advanced configuration

Click ‘Save’. You will be told that it is a good idea to restart the computer. There’s no need to do this now. The setting will be applied when you next turn the computer on.

After saving you can close the Trusteer window by clicking on the green ‘x’ on the top right hand corner of the screen.

In my case I was able to turn all the settings up to the maximum level apart from the ‘Block Kernel Keylogging’. I found that this setting prevented my wireless keyboard from working. If you have a problem with a wireless keyboard after installing Trusteer Rapport then you should try turning this setting off too.

Using Trusteer Rapport

Trusteer is only configured by default to protect a few websites. You need to manually enable it for the sites that you enter username / password or other sensitive details into. You can enable it to work for up to 50 sites. Do this for each sensitive website when you visit it next.

When you visit a website that needs username password details, and which is not already protected (i.e. it has a grey Rapport arrow), click on the grey arrow and choose ‘Protect this website’ as detailed above.

When you submit your login details you will probably see this box. Select ‘Yes’.

trusteer rapport password monitoring

Trusteer Rapport will then warn you if this password is being sent to a new website – for example to a phishing website.

Trusteer Rapport password leakage problem

Wednesday, February 17th, 2010

If you bank online then there is a good chance you will have been prompted to install a software product called Trusteer Rapport. It is recommended by NatWest, HSBC, First Direct and a whole list of others.

Trusteer Rapport helps increase the security of your Windows operating system by attempting to block keystroke logging attempts, screen capturing, validating the IP address of sites you visit (to protect against phishing/pharming), and more.

On the whole it looks like a good piece of software to have on your computer when combined with an up to date virus scanner, firewall, spyware blocker, and Windows automatic updates turned on. I use it on my computer and intend to continue to use it for now.

However there are a number of worries about the software. RLR UK Secure IT Services has written about some of the worries here and here.

I have a new worry to add to the list.

Password leakage

One of Trusteer Rapports security measures is to warn you if you enter a known password onto a new site. This is a security measure to protect against the password for one site being stolen by another sites phishing attempt.

This is all good stuff. However they have created a new potential problem in the way they have implemented the warning message. If you use the same password on multiple sites (as most people do), and someone discovers your password, then they can use Trusteer Rapport to get a list of other sites that you have asked Rapport which use the same password.

The malicious user will need access to your computer to do this, but if they have this access then all they need to do is enter the password on a new website and they will trigger this Trusteer Rapport warning dialog.

Trusteer Rapport password information leak

You will see that in this example dialog Trusteer Rapport has now leaked that this particular password is also the same password used on 6 other websites.

This means that instead of gaining access to one account, the malicious user could gain access to many of your password protected accounts.

Now you can argue that users should use a different password for each site, but in reality that is never going to happen. People have two choices (unless they have some kind of super brain), they either use a small number of passwords they can remember on all their sites, or they write the passwords down somewhere. Most people will reuse the passwords.

I think Trusteer would be better off changing this message so that it doesn’t print out the names of the websites. Perhaps Rapport could just print out a message saying that this password is in use on other websites, and that this is a new website that has not been given this password before.

Overall

Despite this I’d still recommend using Trusteer Rapport at the moment as it does many things which will increase the security on your computer. You must make sure you use it in combination with up to date anti-virus and anti-spyware.

How I stay safe from viruses and spyware for free

Monday, August 11th, 2008

Being connected to the internet has – according to various news sources – got more and more dangerous over the years.

A metric that is commonly quoted is the average time it takes for an unprotected PC to become infected by viruses / spyware after it has been connected to the internet.

In 2004 the time was apparently 20 minutes. By 2005 the time had reduced to 12 minutes. Now in 2008 there are articles saying it is 4 minutes.

Whether these stories are true, or just a scare tactics by the anti-virus industry to sell more products is another matter. Whatever the real situation viruses and spyware are real threats and you should make sure you are protected. Becoming infected could lead to personal details being stolen for identity theft purposes, or your bandwidth being stolen for use in botnets.

I use both Windows XP and Internet Explorer and I’ve never had a virus or any spyware on my computer (or at least none that I know of!). Maybe I’m just lucky or maybe it is because I use a variety of tools to stay safe. You can get everything you need to stay safe for free so there is little excuse not to be protected. Here are the tools and techniques I use.

Keep Windows up to date with the latest patches

New patches for Windows are usually released on a monthly basis. Many of these patches stop ‘bad guys’ from taking advantages of newly discovered vulnerabilities in the operating system. Windows can download and install these for you automatically. You should make sure that you computer is configured to do this.

Go to Control Panel -> Security Center.

Make sure that Automatic Updates is turned on. For the easiest updating go into the Automatic Updates settings page and make sure that it is set to download and install them automatically.

Windows Automatic Updates

Use a firewall

A firewall stops unauthorised connections from coming into your computer. At the very least you should ensure that the default Windows firewall is enabled. As with the Automatic Updates you can check the firewall status from the Windows Security Center (in the Control Panel).

However the Windows firewall only stops unauthorised incoming connections. It won’t stop unauthorised outgoing connections. If you want to do this you should use a more sophisticated firewall such as the free version of the ZoneAlarm firewall. There are several different versions available from their website but the free one will do the job.

ZoneAlarm firewall

You should be warned however that it may well complicate your PC usage as every time a new program tries to access the internet it will ask you if you want to authorise that program. There have also been problems in the past where ZoneAlarm users have lost their internet connections. You will however be more secure if you use ZoneAlarm and if you have problems you can always uninstall it and go back to the default Windows firewall.

You can test how effective you firewall is at stopping incoming connections by using the ShieldsUP! online port scanner. Use their ‘All Service Ports’ scan to see if any of your ports are accessible from outside your computer.

Install a spyware blocker

Some programs will actively search and remove spyware and viruses. Spyware Blaster does something more simple. It sets kill bits for all the spyware programs it knows about so they can’t run.

There is a free version of Spyware Blaster available. You should install it and then run it on a regular basis to download and enable the new spyware updates.

SpywareBlaster

Get an anti-virus application

You should make sure you have an up-to-date anti-virus tool on your computer. Many require you to pay a yearly subscription. avast! antivirus is a commercial tool for business use, but it is free for home use. You can find and download the Home Edition from their official website.

avast! will automatically keep itself up to date if your computer connects to the internet. It will protect you from viruses, spyware and rootkits.

Use a variety of other tools

As well as using a good regular suite of protective tools (firewall, anti-virus, automatic updates) I also on an occasional basis scan my computer using other tools. Not all anti-malware tools find all problems so it is good to use different tools once in a while.

Here are a few that I’d recommend you try:

Ad-Aware – get the free version of this tool to scan for spyware.
Spybot – Search & Destroy – another anti-spyware tool which is worth running once in a while.
Windows Defender – free anti-malware program from Microsoft.

As well as using these application there are a number of online scanners that you can use too:

ZoneAlarm Online Spyware Scanner
Symantec Security Check – virus and security scanner
F-Secure online scanner

Stay safe!