


Computer Security Update

Toronto Star Fast Forward column for June 21 and 28, 2001
Note: the original columns were filed back-to-back and ran in two separate weeks. I've combined them here for your convenience.

Copyright © Myles White, 2001. All rights reserved.

Computer Security Update – Part 1

"It doesn't matter where you live or work. If you leave your connected computer without any form of intrusion or anti-virus protection, you've just moved into a high-crime neighbourhood," said Vincent Weafer, senior director of Symantec's Anti-Virus Research Center (SARC), during a recent interview.

Gus Malezis agrees. Malezis, general manager and vice president of sales for Network Associates Canada (NAC), publishers of McAfee Anti-Virus and PGP (Pretty Good Privacy) products added, "We don't worry too much about slow dialup connections, but the 'always on' high-speed connections just provide a huge pipe for hackers to enter a system – and anyone should worry about that."

Making a home or small office computer secure today means more than simply practicing safe computing by scanning for viruses. However, in this, the first of our two-part look at computer security issues, we're going to focus on viruses. Next week, we'll delve more heavily into intrusion prevention.

The Anti-Virus Wars

Computer viruses are small and usually malicious software programs that attempt to replicate and "infect" other computers. They come in a variety of forms including file infectors, boot sector infectors, macro viruses, script viruses, and trojan horses. They may be relatively simple constructs or more pernicious and difficult to detect polymorphic or metamorphic varieties (more on these below). Collectively, SARC's Weafer calls them "malware."

Weafer says that the current virus collection amounts to nearly 50,000 examples collected or recognized over the past 12 to 14 years. In his line of work, viruses are either contained in the "zoo" and kept for analysis and study or they're "in the wild" – still active and plaguing computer users world-wide.

"We see anywhere from five to seven new viruses in the wild each week," he added. "And at any given moment there may be between 150 and 200 of them still circulating."

To be classed as an "in the wild" virus (at least by SARC) requires at least two independent reports of its existence. If there have been no reports for 13 to 14 months, the listing is deactivated. "The majority of new viruses are modifications of older ones," said Weafer, "but we're still seeing new variations."

Viruses have been a plague for computer users for years. However, changes in the types of applications we use, the advent of more wide-spread use of the Internet, and new devices have altered not only the type of viruses we can get, but also how they're spread.

For example, said NAC's Malezis, in addition to somewhere between 300 and 500 million PCs on the planet, there is a growing profusion of Internet-enabled cell phones (WAP phones) and connected personal digital assistants (PDAs). "That gives us nearly two billion devices that incredibly expand the areas where the hackers and virus writers can 'market' their wares," he added.

"Sneaker-net" is the oldest form of infection, Weafer adds, where viruses are transmitted by diskettes passed from one computer user to another. That was a somewhat more relaxed era where it was most likely you got the infection from a friend giving you a copied program or file, or from a careless technician with well-traveled diagnostic disks. "It took months for the viruses to spread and, for an organization such as SARC, resolving the problem and getting out a fix could easily take a couple of weeks without it causing severe damage."

"However," Weafer continued, "in today's environment we've become not just a research organization; we've also taken on the role of emergency response, both for globally spread viruses, such as Melissa and the 'I Love You' bug, and for local infections for large corporations that you don't often hear about."

Weafer reports that he and his team may get an average of one 2:00 am emergency call a month that gets everyone out of bed.

From where...?

Weafer says viruses still get into unprotected systems through disk sharing (the older sneaker-net route), but it's much more likely today that they'll come as attachments to an e-mail message, from programs downloaded from careless or shadowy Internet sites, from another computer on a network, through various Internet Chat routes, or from newsgroups.

By the way, did you know that even if you're connected to the Internet by dial-up modem, not to mention either cable or DSL broadband connection, you've just added your computer to the biggest network there is?

Polywhat...?

Typically, a virus has several stages of activity. Once it gets into your computer, it needs to infect it. This can be done by re-writing part of the Windows Registry to ensure that it will become active each time you start the system. It may also overwrite certain files, such as the Winsock application that is integral to getting on the Internet. It will also try to examine and capture information from any address books you may have so that it can replicate itself to other systems. While doing this, it may also be attempting to either disable your anti-virus software or simply block its attempts to get updates (all hard to do, says Weafer). All of this may be occurring without your knowledge, because most of today's viruses want to propagate before they drop their payload to perform the malicious acts outlined above.

Some viruses don't activate until they've sent themselves to a certain number of places. Others wait for a certain date, or until you've visited a certain Web site (like the Symantec or McAfee sites, for example).
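The first stage described above, rewriting part of the Windows Registry so the program starts with the system, is the one a home user can check for. The following is an added Python example (not code from the column or from either vendor) that audits a regedit export of the two "Run" keys Windows consults at logon and flags entries that start from a temp or profile directory, sit outside the Windows or Program Files trees, or hand a script to wscript.exe/cscript.exe. The key names are the real Windows ones; the entries in SAMPLE_REG, the user name, the assumed default install locations in ENV and the audit_run_keys helper are all this example's own.

```python
import ntpath
import re

# Constructed regedit export of the two "Run" keys Windows consults at logon.
# The key paths are real Windows key names; every entry below is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="%windir%\\system32\\vendor_tray.exe"
"VendorUpdate"="\"C:\\Program Files\\Vendor\\update.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinsockHelper"="C:\\Users\\myles\\AppData\\Local\\Temp\\wsock32.exe"
"Mailer"="wscript.exe //B \"C:\\Users\\myles\\AppData\\Roaming\\mail.vbs\""
'''

# Assumed default locations for the environment variables regedit leaves unexpanded.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SUSPECT_PARTS = ("\\temp\\", "\\appdata\\", "\\downloads\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def _unescape(value: str) -> str:
    """Undo regedit's escaping: \\ becomes \ and \" becomes " (left to right)."""
    return re.sub(r"\\(.)", r"\1", value)


def _image_path(command: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _expand(path: str) -> str:
    """Lower-case the path and substitute the assumed default directories."""
    low = path.lower()
    for var, real in ENV.items():
        low = low.replace(var, real)
    return low


def audit_run_keys(reg_text: str) -> list:
    """Return one finding per suspicious autostart entry in a .reg export."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        if not current_key.lower().endswith(("\\run", "\\runonce")):
            continue  # only autostart keys are of interest here
        command = _unescape(value_match.group("val"))
        image = _expand(_image_path(command))
        reasons = []
        if ntpath.basename(image) in SCRIPT_HOSTS:
            reasons.append("script host runs at logon")
        if any(part in command.lower() for part in SUSPECT_PARTS):
            reasons.append("command references a temp/profile directory")
        elif "\\" in image and not image.startswith(TRUSTED_PREFIXES):
            reasons.append("image outside Windows/Program Files")
        if reasons:
            findings.append({"key": current_key, "name": value_match.group("name"),
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE_REG):
        print(f'{finding["key"]}\\{finding["name"]}: {finding["image"]} '
              f'({"; ".join(finding["reasons"])})')
```

The two vendor entries pass because they start from the Windows and Program Files trees; the entry named after Winsock is flagged for living in a Temp directory, and the script-host entry for both reasons. A real export can be produced with regedit's File > Export on each Run key and fed to audit_run_keys unchanged.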

A simple virus, however, has a footprint – descriptive, unique code that anti-virus programs can hunt and recognize. These are the easiest to detect and to expunge. However, virus writers have tried three broadly-defined techniques over the years to make their detection more difficult.

Oligomorphic viruses use one level of encryption and a decryptor, which is changed with each new regeneration. Anti-virus software doesn't need to decrypt the virus, however, because a pattern based on the decryptor is unique enough to identify it.

Polymorphic viruses often hide beneath two or more layers of encryption, and their trick is to change the decryptor and encryption method each time they propagate. Here again, the anti-virus software can defeat these threats because the actual virus body still stays the same under the encryption and can be detected.

Both oligomorphic and polymorphic virus-writing techniques have been around for several years, but metamorphic viruses are relatively new, with the first crude examples showing up in late 1998, followed by several more advanced examples in 2000.

Metamorphic viruses also make use of polymorphic techniques, but each time they activate, they discard what virus fighters call "junk" code, add different junk code, then recompile themselves, so that the virus body, and with it the pattern that anti-virus software can recognize, changes each time it replicates.

Metamorphic viruses are much harder to detect and, says SARC researcher Péter Ször, "It is only a matter of time until we see in-the-wild Win32 worms using metamorphic engines. Since their code structure is much more obfuscated, they are more difficult to analyze than polymorphic viruses. Their random infection and spreading mechanism will make the job of automated analyzers and advanced behaviour-blocking systems more challenging."
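To make the three tiers concrete, here is a small added Python illustration (not code from the column, from SARC or from either vendor). Nothing in it is executable malware: the "virus body" is a constructed text string, and the "decryptor" is a three-byte header that the scanner interprets instead of machine code it would have to emulate. The names BODY, STUB, JUNK and the scan_* functions are this example's own, as is the choice of XOR and byte-wise ADD as the two "encryption methods" the polymorphic sample swaps between.

```python
# Constructed stand-in for a virus body. A real signature is a byte pattern cut
# from the body, so this scanner's signature is simply the body's first 16 bytes.
BODY = b"CONSTRUCTED-BODY: copy to address-book targets, then drop payload"
SIGNATURE = BODY[:16]

STUB = b"\xde\xc0\xde"   # constant "decryptor" prefix of the oligomorphic sample
JUNK = 0x90              # byte this toy treats as junk code; never occurs in BODY
OP_XOR, OP_ADD = 0, 1    # the two ciphers the polymorphic sample alternates between


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _add(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)


def _sub(data: bytes, key: int) -> bytes:
    return bytes((b - key) & 0xFF for b in data)


# --- the three generations the column describes (key must be non-zero) ----------

def oligomorphic_sample(key: int) -> bytes:
    """One layer of encryption behind a decryptor that stays byte-for-byte constant."""
    return STUB + bytes([key]) + _xor(BODY, key)


def polymorphic_sample(op: int, key: int, junk_len: int) -> bytes:
    """Decryptor and cipher both change: header [op, key, junk_len], junk, body."""
    junk = bytes((JUNK + i * 7) & 0xFF for i in range(junk_len))
    encoded = _xor(BODY, key) if op == OP_XOR else _add(BODY, key)
    return bytes([op, key, junk_len]) + junk + encoded


def metamorphic_sample(generation: int) -> bytes:
    """No encryption: the body itself is rewritten, with junk inserted at a spacing
    that changes per generation, so no fixed 16-byte pattern survives."""
    spacing = 2 + generation % 4   # 2..5, so junk always lands inside the signature
    out = bytearray()
    for i, b in enumerate(BODY):
        if i % spacing == 0:
            out.append(JUNK)
        out.append(b)
    return bytes(out)


# --- what a scanner has to do at each tier --------------------------------------

def scan_plain(sample: bytes) -> bool:
    """Cheapest check: the raw signature bytes are present."""
    return SIGNATURE in sample


def scan_stub(sample: bytes) -> bool:
    """Oligomorphic tier: a pattern on the constant decryptor suffices; the body
    is never decrypted."""
    return sample.startswith(STUB)


def scan_emulated(sample: bytes) -> bool:
    """Polymorphic tier: run the decryptor (here: interpret the header), then
    match the signature against the recovered body."""
    if len(sample) < 3:
        return False
    op, key, junk_len = sample[0], sample[1], sample[2]
    encoded = sample[3 + junk_len:]
    if op == OP_XOR:
        decoded = _xor(encoded, key)
    elif op == OP_ADD:
        decoded = _sub(encoded, key)
    else:
        return False
    return SIGNATURE in decoded


def scan_normalized(sample: bytes) -> bool:
    """Metamorphic tier: strip what the scanner knows to be junk, then match.
    Real engines also reorder and recompile code, which this toy does not model."""
    return SIGNATURE in bytes(b for b in sample if b != JUNK)


def detect(sample: bytes) -> str:
    """Name the cheapest tier that catches the sample, or 'missed'."""
    for name, check in (("plain", scan_plain), ("stub", scan_stub),
                        ("emulated", scan_emulated), ("normalized", scan_normalized)):
        if check(sample):
            return name
    return "missed"


if __name__ == "__main__":
    for label, sample in (("plain", BODY),
                          ("oligomorphic", oligomorphic_sample(0x5A)),
                          ("polymorphic", polymorphic_sample(OP_ADD, 0x11, 9)),
                          ("metamorphic", metamorphic_sample(3))):
        print(f"{label:12s} raw signature hit={scan_plain(sample)!s:5s} caught by={detect(sample)}")
```

Each tier is caught only by the scanner that does the corresponding extra work, which is the point of the column's ordering: a raw byte signature sees none of the three, the constant stub gives away the oligomorphic sample, the polymorphic one has to be decrypted first, and the metamorphic one has to be normalized, and the normalization only works because this toy's junk is a single known byte value.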

"It's a tough battle to stay ahead of them," said NAC's Malezis, "especially because we don't know what's coming next."

Who...?

Once, it was widely believed that the people who wrote viruses were males with stunted social habits, aged 14 to 23, who did it largely "because they could," to impress their limited circle of friends with similar interests. They may or may not have had a beef with a particular type of computer or software company. When I last looked into the virus writer profile a couple of years ago, there were no official records of women being involved.

Both Weafer and Malezis suggest that the profile of the virus writer has changed while I wasn't paying attention. "The writers are both younger and older," said Weafer, "and the list includes both males and females. We once considered that hackers and virus writers were two entirely different groups; now they are often the same.

"We still have experimenters who write viruses to see if they can and because they're curious about what they do. But we also get what we call 'script kiddies' who have heard of port scanners and that it's possible to write malicious code using script languages (such as the automation languages in Word, Excel and others, or Visual Basic and similar languages) and want to try it out. They largely modify existing viruses and aren't often the source of original viruses.

"We're also seeing more political motives with viruses originating in Indonesia, the Philippines, or Israelis and Palestinians."

One example of this particular form of war came from Malezis. "For example," he said, "earlier this spring, during the recent incident between the US and China over the captured spy plane, we have several examples where there was a highly organized campaign on both sides to enter and either interrogate or deface Web sites, and the FBI issued a warning to US companies that China was going to launch a cyberwar. Countries are engaging in a more structured high-tech response instead of the normal political or military responses to tensions."

The last relatively new group is more likely to create havoc in larger corporations. "There are also more people doing it for profit," Weafer said, "creating insider attacks with trojan 'back doors' and worms, but these people usually know exactly what they're after and their efforts aren't as likely to become widespread."

You can get more information on the types of viruses, a good sense of what the current crop of "in the wild" threats look like (and what they do), as well as keep up to date on my favourite variant on this theme – the virus hoaxes – by starting at Symantec's Anti-Virus Research Center ( www.sarc.com ) and at the McAfee site ( www.mcafee.com/anti-virus ). However, the trail doesn't end there. By entering "Anti-virus information" into the Google ( www.google.com ) search engine, I came up with nearly 100 additional sources.


Computer Security Update – part 2

Last week, we began a two-part look at making your computer secure from the world of harm it can suffer from viruses and intrusion by hacker meanies while you're on the Internet. In the first part, we focused on what's new in the murky world of virus creation and hunting. Today, we continue with the second shoe...

Vincent Weafer, senior director of Symantec's Anti-Virus Research Center (SARC), and Gus Malezis, general manager and vice president of sales for Network Associates Canada (NAC – publishers of McAfee Anti-Virus and PGP – Pretty Good Privacy – encryption products), offer a charming comparison between two types of people.

First, there are the computer users who have a personal firewall (either software- or hardware-based) to prevent intrusion over their "always on" broadband Internet connection, who apply anti-virus software to check all incoming programs and e-mails (and update it regularly), become aware of security patches for operating systems and programs (particularly e-mail programs), and make regular backups of their critical data.

Then there's the trusting soul who takes none of these steps, or who applied them once and never went back. "The biggest mistake," said Malezis, "is to set these things, then to forget them."

"On one hand," said Weafer, "you have the neighbour with floodlights, motion sensors, well-placed locks, and an alarm system with armed response in seconds. Next door, you have the people with no protection who leave their windows open, the keys in their unlocked car, and who post a sign on the door that reads, 'Victim!' The criminals are going to go after the easiest target and leave the protected house alone."

Malezis agrees with that picture (unprompted, he raised the same analogy, leading me to suspect that it's common currency in this branch of the computer industry). But he also added another chilling thought. "It's unlikely that an electronic intruder is going to care very much about a random consumer's data. It is far more likely the intruder will simply want to borrow some processing cycles when you're not paying attention to be part of a distributed denial of service attack (DDOS)."

You may not care if someone enters your computer, modifies some files, installs software that sends itself to your closest friends and relatives, then either wipes your hard drive, attacks your system BIOS, or exports your private files, passwords, or IP (Internet Protocol) address to other interested parties. But how will you feel if the perpetrator simply opens a route through which s/he can enter your computer without your knowledge to do things you'd rather they didn't?

Weafer's take on it: "That's like leaving your gun out, unlocked, in plain view."

When I explained that the gun analogy might be lost on some Canadian readers, Weafer modified it. "So, they steal the unlocked car with its keys thoughtfully left in the ignition, then use it to commit another crime or to knock someone down."

You may still not be too concerned, but perhaps you might think again. According to Michael Power, of the Ottawa-based law firm, Gowlings Technology Law Practice, you could be sued for negligence by the target of a DDOS attack.

Power admits that a victim is less likely to go after individuals whose systems were used than after larger companies with deeper pockets, but it's still possible. "The test of negligence is the reasonable man test. If the victim's insurance company decided to get really nasty they could point out that you knew this sort of attack could take place, that an Internet connection was vulnerable, and that you failed to take reasonable precautions against allowing your equipment to be used in this illegal fashion."

Urk.

Buttoning Up...

Distilled from my conversations with Vincent Weafer, Gus Malezis, and Michael Power, here are the steps any computer user with or without a constantly on Internet connection should take to make his or her system secure.

  • Install and regularly update personal firewall software. Examples include Norton Personal Firewall or Norton Internet Security (Symantec, about $79 to $99 on the street); McAfee Firewall (personal) or PGP Firewall (enterprise), both from Network Associates, about $40 and $60 respectively (McAfee Firewall is currently bundled with McAfee Anti-Virus at many stores in the GTA for about $40 for both, instead of about $40 for each); or shareware products such as Zone Alarm (www.zonelabs.com) or Black Ice Defender (www.networkice.com).
    • It's admittedly self-serving, and Malezis admits it doesn't apply to Zone Alarm or Black Ice, but he warns that other shareware firewall, and especially anti-virus, software is only as good as the service behind it – meaning regular updates.
    • Don't think you have a problem? Visit www.grc.com (Steve Gibson's site), and run "Shields Up!" to find out how vulnerable your system may be to someone running a random port sniffer.
  • Install and regularly update anti-virus software that will scan not only regular applications and Internet software downloads but also e-mail attachments. Malezis suggests that if you can, setting your A-V software to get an update daily wouldn't be out of line.
    • As a side-point here, you could also adopt my personal policy about e-mail attachments. I don't open them, run them, or even accept them – they get deleted from my system as soon as they arrive.
    • Consider using Go!Zilla, ( www.gozilla.com ), an Internet download manager that will integrate with your anti-virus software to validate downloads before you can get your hands on them (but keep in mind that it also reports your uploads to its home base, too).
  • Install and use a product that allows you to encrypt e-mail and sensitive data (such as credit-card and banking information, or stock portfolio and broker information). Examples include NAC's PGP line of products, but there are others.
    • While you're at it, have a look – no, I mean a good look – at your data backup policy.
  • Regularly search out and apply service releases and security patches for common office productivity applications, particularly your e-mail program – and your computer's operating system.
  • If you're running a small business (or even a large one), make this security monitoring someone's job. If you haven't done so already, you're going to have to do so by 2004 when new legislation comes into effect that will require you to provide safe and secure storage (among other things) for any client profile data you've accumulated.
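The "Shields Up!" check in the firewall item above looks at your machine from the outside. The same question can be asked from the inside: which services are listening on an address other than loopback, and would therefore answer a port scan from the Internet? The following is an added Python example (not code from the column, from Steve Gibson's site or from either vendor) that reads the output of `netstat -an` in its Windows layout and lists those listeners. The SAMPLE_NETSTAT text, the addresses in it and the exposed_listeners helper are this example's own; the service names in WELL_KNOWN are the standard port assignments, included for the reader's reference rather than taken from the column.

```python
# Constructed `netstat -an` output in the Windows layout. Addresses and ports are
# invented for this example; nothing here was captured from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:52110     203.0.113.7:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Standard service assignments for the ports in the sample (reference only).
WELL_KNOWN = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session (file and print sharing)",
    445: "SMB (file and print sharing)",
    3389: "Remote Desktop",
}


def _split_endpoint(endpoint: str) -> tuple:
    """Split 'host:port'; IPv6 hosts arrive bracketed, e.g. '[::]:3389'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def _is_loopback(host: str) -> bool:
    """Loopback listeners are reachable only from the machine itself."""
    return host.startswith("127.") or host == "::1"


def exposed_listeners(netstat_text: str) -> list:
    """Return (proto, port, bound address, service) for every socket that is
    listening (TCP) or bound (UDP) on a non-loopback address."""
    exposed = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # headings, blank lines and anything that is not a socket row
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection is not a listener
        host, port = _split_endpoint(local)
        if _is_loopback(host):
            continue
        exposed.append((proto, port, host, WELL_KNOWN.get(port, "unknown service")))
    return sorted(exposed, key=lambda row: (row[0], row[1]))


if __name__ == "__main__":
    for proto, port, host, service in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port:5d} on {host:12s} {service}")
```

In the sample, the loopback-only sockets and the outgoing connection are ignored, and five listeners remain that a scanner on the far side of the connection could see; the file-sharing ports are exactly the kind of thing a personal firewall is meant to hide. On a real machine, pipe `netstat -an` into a file and pass its contents to exposed_listeners.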

Bottom Line...

When we're discussing intrusion by hackers, we often point to those with broadband cable or DSL connections that are more than likely "always on" as those who are more vulnerable. And, when you listen to the security experts, it may sound as though miscreants are hiding behind every bush, just waiting for your system to be exposed for a second or two so that they can have their nasty way with it.

The reality is that I've only been hacked once. Fortunately it was by a benign hacker who merely left a message announcing he'd done it. But the kicker here is that it occurred long before I went to a cable connection. It took place one evening after I'd gone to bed, when I forgot to disconnect from a dial-up session.

Did I learn my lesson? You betcha, Bob. Today, my systems are behind both a hardware, and a software firewall, with active anti-virus scanning of everything. Fool me once, that's your fault. Fool me twice....


Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 Myles White. All rights reserved.
Revised: December 20, 2002.