TOP STORY — info you need to make Windows work
SPECIAL REPORT: Lock attackers out of your PC
By Brian Livingston
The recent wave of "phishing" attacks was the primary subject of Brian's Buzz
on Windows in both my May 6 and May 20 issues.
In a phishing exploit, you receive an official-looking e-mail that appears
to be from an online banking or financial site — perhaps one that you
have an account with. The e-mail says you must "re-confirm" your account details.
If you click the link in the e-mail, you're sent to an official-looking
Web page that's actually controlled by thieves. When you type in
your password or credit-card number, the hackers behind the site capture
the information and use it to steal from your account.
In my previous issues, I emphasized that updating your antivirus program
is the best way to keep these exploits from taking advantage of your PC.
I also listed several other steps to protect yourself from phishers.
In today's issue, I provide you with more detailed recommendations on "locking"
your PC against intruders. There's no foolproof configuration of Windows that
can be guaranteed to protect you against new hacker exploits that may be
invented in the future. But there are steps you can take to
prevent your PC from being open for the taking.
This discussion begins with my view of the "baseline security" that every PC
connected to the Internet needs today. We'll consider some myths that have been
widely disseminated by the media, and some approaches that don't work
to stop phishing. We'll look at the latest reviews of security software.
And finally, we'll consider an idea that many advocate for better Windows
security — running as a plain old User instead of an Administrator
to prevent malware from being able to install itself.
The baseline security you need
It should be considered the scandal of the decade that the Microsoft Corp.
— without vocal objections from most of the rest of the computer industry
— allowed hundreds of millions of copies of Windows to be installed and
connected to the Internet without firewalls, antivirus protection, or
antispyware scanning. But that's what happened. Now we need to go back and make
sure that adequate protection is in place for our PCs and those of everyone
else we come into contact with.
Why do we need all these layers of protection? Because the number of people
who are now connected to the Internet has reached a critical mass that's
attracted organized crime. New exploits are discovered every day. The
amount of money that can now be made by identity theft is making every PC
user into a target.
How bad is the problem? One large Internet service provider
(ISP), Comcast, normally sends out 100 million legitimate e-mail messages a day
from its users. But so many users' PCs have been silently infected
by "zombie" programs that the legitimate flow is a tiny fraction of the total.
Comcast sends another 700 million messages a day that are pure spam
generated by the hackers who control the zombies, according to a May 27
article by Declan McCullagh in News.com.
Beware these widespread security myths
Before we delve into what I consider baseline security, I'd first like to
review some security myths that have been widely circulated in various
media.
- MYTH: The "lock" icon indicates an encrypted connection. This is false. As I
explained in the May 6 issue of Brian's Buzz, the "lock" icon that appears in
the status bar of Web browsers can be faked. The widely used Internet encryption
standard, SSL, supports a so-called plain-text mode, which isn't encrypted. But
the lock shows up anyway.
- MYTH: "https://" indicates that you're at a legitimate site. This is
unreliable. Hacker Web sites can, in some cases, replace your browser's address
bar with a fake one, which can show that you're on any site they wish you to
believe you're on.
- MYTH: You can securely visit any financial site by manually typing in its
address. This can't be guaranteed. As I described in the May 20 issue of
Brian's Buzz, a Trojan horse program can change the meaning of Web addresses by
writing a simple re-direction into your Hosts file. This file, which exists in
both Windows and Linux as well as other operating systems, can make your browser
go to a hacker site — perhaps obscured with numbers such as 1.2.3.4 — when you
type in a legitimate address such as Citibank.com.
- MYTH: You can make Hosts and other critical files "read-only" to protect
them. This is not helpful. Hackers can easily write programs to change the
read-only status of a file without your knowledge or consent.
- MYTH: You can visually examine the Hosts file in Notepad before using a
browser. This is wishful thinking. It's possible for a rogue program to make an
entry in the Windows Registry so that a file named something other than Hosts
is used to re-direct you to a different Web site than the one you think you're
visiting.
- MYTH: You can use pull-down menus instead of passwords. Some online banking
services, facing the phishing threat, have equipped their logon pages with
pull-down menus that represent each character of a customer's password. The
idea was that the user would never actually type the password, so hackers
couldn't capture the string. This strategy has been defeated by phishers whose
Trojan software now makes screen captures and sends them back to the hackers.
This last point is worth a bit of extra description. Barclays Bank, a
popular financial institution in the U.K., had implemented a two-step
Web login procedure specifically intended to defeat key-logging attacks
by hackers. After an online banking user typed his or her username on one
screen, a second screen appeared. The second screen asked the user to
select, using pull-down menus, two characters from a previously agreed-upon
password — for example, the 4th and 6th characters.
Hacker software now detects that a PC user is logging in to a Barclays
account and screen-captures the portion of the window on which the drop-down
menus are located. This reveals, over time, all the letters of the
password. A sufficient number of letters may be sent back to the hackers
after only one or two logins for them to access a particular account and
send money wherever they like.
This exploit is explained in great detail in an
article by Code Fish, an antispam site based in
Australia that first analyzed the technique. (Note: The article shows in
plain text a fragment of HTML that some antivirus programs incorrectly
detect as a virus. The text cannot execute and therefore is harmless.)
According to Code Fish, the Trojan that captured all this information was
programmed to send it back to hackers operating in Russia. The Wall Street
Journal reported in its May 27 issue that a Russian phisher who calls
himself "Robotector" — who may or may not be related to the technique
described by Code Fish — has distributed Trojans that record passwords
typed into more than 30 different online banks and payment Web sites. (This
article doesn't appear on the Journal's free Web site, but a machine
translation from a Spanish version of the article is available via the
Google Translator.)
Do these successful attacks mean that things are hopeless and you can no
longer use your PC for anything? Of course not. My previous advice to allow
your antivirus program to continually update itself still stands. For example,
Symantec's antivirus technology has guarded against this attack since April 6.
The company calls the little bugger "Backdoor.Nibu.D" and has posted a complete
analysis.
SpoofStick is an example of what doesn't work
Several of my readers have sent me tips about a new piece of freeware called
SpoofStick,
which was first released on May 10. This program installs an additional toolbar
(picture, left) in the Internet Explorer and Firefox browsers.
This well-intentioned program displays in its toolbar the top-level domain name
of the site the browser is currently visiting, even if the name is obscured
using numerals or other browser tricks. In the picture, for example, the
user is visiting virage.com.
Unfortunately, SpoofStick will do nothing to detect the typical Trojan horse
that captures your passwords or credit-card number while you're visiting a
legitimate site. Customers of Barclays Bank, as described above, actually are
visiting the genuine Web site of the bank when they log on. Hackers who've
planted Trojan horses on users' computers are able to capture their keystrokes
(or collect pictures of the logon screens) despite that fact. SpoofStick
will blithely assure you that nothing is wrong.
In other words, your browser's address bar can say you're at
https://www.paypal.com, and SpoofStick will dutifully report to
you that you are, in fact, on PayPal.com. At the same time, a rogue program can
be recording your passwords and sending them back to Russia or wherever.
It's astounding to me to see the
list of ordinarily sensible computer journalists who've
endorsed this simplistic and misleading program. The add-in may at first glance
seem to be effective, but it's more likely to give you a false sense of
security.
The important question isn't, "What site am I on?" The important question is,
"Is my computer running spyware that's capturing my passwords?" This question
can only be answered using up-to-date antivirus and software firewall programs,
as discussed below.
The development of SpoofStick was undoubtedly sparked by a bone-headed flaw that
was recently found in unpatched versions of Internet Explorer. This coding
error caused the browser to display specially-crafted site names wrongly in its
address bar. A phisher could embed the ASCII characters 00 and 01 and an "at"
sign (@) in the middle of a Web address. When such a link was clicked, Internet
Explorer displayed whatever characters appeared before the ASCII string (such as
www.citibank.com) and did not show the characters after the string (usually a
hacker site's numerical address, such as 1.2.3.4).
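As an added illustration (my own code, not from the column or from Microsoft), this Python check pulls the real host out of a link of the kind described above the way a URL parser does, and reports why the visible text is misleading; the sample links are constructed.

```python
import re

# Constructed sample links: a genuine address, the obscured form described
# above (display name, then ASCII 00 and 01, then "@" and the real host),
# a plain "@" trick without control characters, and a bare numeric address.
SAMPLE_LINKS = [
    "https://www.citibank.com/",
    "http://www.citibank.com\x00\x01@1.2.3.4/login",
    "http://www.paypal.com@203.0.113.7/",
    "http://1.2.3.4/secure",
]

_AUTHORITY = re.compile(r"^(https?)://([^/?#]*)", re.IGNORECASE)


def analyze_link(url):
    """Return a dict describing what a link shows versus where it goes.

    apparent:  the text a reader sees first (the part before any '@').
    real_host: the host a browser actually connects to, i.e. the text after
               the LAST '@' in the authority part, with any port removed.
    reasons:   why the link deserves suspicion (empty for a plain address).
    """
    reasons = []
    m = _AUTHORITY.match(url)
    if not m:
        return {"apparent": None, "real_host": None, "reasons": ["not an http(s) link"]}
    authority = m.group(2)
    # Bytes below 0x20 never belong in a host name; this is exactly what the
    # unpatched IE bug used to cut the displayed address short.
    if any(ord(c) < 0x20 for c in authority):
        reasons.append("control characters embedded in the address")
    if "@" in authority:
        # Everything before the last '@' is userinfo, not the site.
        shown, _, hostport = authority.rpartition("@")
        reasons.append("'@' turns the leading text into a username")
    else:
        shown = hostport = authority
    # Drop any ":password" or ":port" suffix and the control characters.
    apparent = "".join(c for c in shown.split(":", 1)[0] if ord(c) >= 0x20).lower()
    real_host = hostport.split(":", 1)[0].lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
        reasons.append("real host is a bare IP address")
    return {"apparent": apparent, "real_host": real_host, "reasons": reasons}


def is_deceptive(url):
    """True when what the link appears to say is not where it really goes."""
    info = analyze_link(url)
    return info["real_host"] is not None and info["apparent"] != info["real_host"]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = analyze_link(link)
        print(repr(link), "->", info["real_host"], "|",
              "; ".join(info["reasons"]) or "looks plain")
```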
Microsoft released a "critical update" on Feb. 2 that corrects this behavior in
Internet Explorer 5.01, 5.5, and 6. The patch is described in security bulletin
MS04-004. (Note: The patch has negative side-effects that
you should correct using the information in Microsoft Knowledge Base articles
832414 and
831167.)
Educating users about MS04-004 is a better way to eliminate phishing
attacks that obscure the true address of sites visited in a Web browser —
not promoting a free utility that's superficially attractive but ultimately
unreliable.
Set your defenses up to lock attackers out
The basic, minimum defenses that every Internet-connected PC needs are
a hardware firewall (especially for broadband connections), a software
firewall (for all connections, especially wireless), an antivirus program,
a spyware scanner, and an antispam filter.
Whew! That's some list. Let's leave aside for a moment how the computer
industry so badly mismanaged its business that its primary product —
the PC — is actually dangerous to its users unless professional-level
customization is performed. For now, let's just check out the components of
this protective constellation of add-on products we need.
PC World in its June 2004 issue published a remarkably comprehensive
series of reviews of each of these categories. I list their
Best Buy awards below, and provide a link to each article on the Web that
explains the magazine's evaluation:
Software Firewalls
• Zone Labs ZoneAlarm Pro 4.5 ($50) or
• Trend Micro PC-cillin Internet Security 2004 ($50)
Antivirus Program
• Trend Micro PC-cillin Internet Security 2004 ($50)
Antispyware Scanners
• Lavasoft Ad-aware 6 Plus ($27) and
• Spybot Search & Destroy (free)
Antispam Filter
• Cloudmark SpamNet ($48/yr.)
Hardware Firewalls
PC World's June 2004 issue didn't give a Best Buy to any hardware
firewall, but a review in its December 2003 issue recommended the following:
• Linksys's BEFSR41 or
• D-Link's DI-704P (each under $50)
In addition, the April 2004 issue of PC World carried an excellent,
step-by-step guide on how to securely
lock down your PC. I recommend that you read this
and follow the steps that are appropriate for your PC.
Two new types of antivirus software that you may have heard about include
heuristic programs and sandbox programs. Both offerings attempt
to prevent virus attacks that have never been detected before, unlike
signature-based antivirus approaches.
PC Magazine in its June 8 issue reviewed two products in each category.
At this time, they aren't strong contenders for your security baseline.
"Today's heuristics cannot be an effective tool on a single-user PC," the
magazine wrote, although one product, GFI Mail Security for Exchange/SMTP 8.0,
received good remarks for its performance on high-end servers. Furthermore,
"We can't recommend even supplementing your protection with either of
the sandbox products," the review said.
Administrator versus User
Once the security baseline products described above are working for you, you
can stop and ponder what your ideal defensive posture would be.
Couldn't you set up a User account, in Windows 2000 and XP Pro, that has
little or no ability to install software? (In XP Home, this is called a
Limited account.) If you used this account most of the time, any virus
you accidentally ran would be deprived of the ability to install itself. You
could reserve the use of your Administrator account for rare events —
only to install applications and perform other tasks that require a high degree
of privilege.
Microsoft has a
document that describes just such a strategy.
Released in January 2002, not long after Windows XP shipped, the article
proposes a series of "software restriction policies" that would run on
XP and Windows Server 2003. These policies would allow trusted programs
to run but prevent malware from running or affecting a PC at all.
Unfortunately, there are very few commercial programs that can operate today
in Windows if a plain old User account is used most of the time rather than
an Administrator account.
In an April 2004
article written for the Microsoft Developer Network,
security consultant Keith Brown points out, "you can't install 90 percent
of today's software unless you're an administrator," adding, "70 percent
of software won't run properly unless the user is an administrator,
and that's an optimistic number."
The User/Administrator switcheroo isn't yet supported well enough for it
to be completely reliable for most individuals and companies. It may be
possible if you run nothing but Windows and Microsoft Office applications.
But many people run independent applications that make a pure, User-only
approach unrealistic.
Protecting your Hosts file
If the User/Administrator method worked 100% of the time, you could use
this technique to protect your Hosts file from alteration by malware.
As we saw above, a Trojan horse can change the Hosts file found in Windows
and Linux to make your browser go to an official-looking hacker site
while your browser's address bar displays the name of the legitimate site
you typed in. Wouldn't running a User account all the time prevent the
re-writing of the Hosts file?
Fortunately, the tools in the security baseline described above are sufficient
to protect critical files without having to wait for Microsoft to get
most applications to work correctly with User/Administrator configurations.
ZoneAlarm, one of the products recommended by PC World, above,
added a "Hosts file lock" to its software firewall protection in version
4.5.530.0 last November.
SpyBot, another widely recommended product, also has a feature that locks
the Hosts file against malicious changes. You set the program to Advanced mode,
then navigate to "IE Tweaks" and turn on "Lock Hosts File." SpyBot also
can create its own, protected Hosts file, which eliminates browser access
to known hacker Web sites.
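An added example, not the column's own code nor SpyBot's or ZoneAlarm's: a Python audit of Hosts-file entries that ignores blocking entries (loopback or 0.0.0.0, the style SpyBot's protected file uses) and flags every redirect, with the live file located through the Registry value on Windows so a repointed file is still the one examined; the sample content and the sensitive-name list are constructed assumptions.

```python
import ipaddress
import os
import sys

# Constructed sample Hosts file: the usual localhost line, a SpyBot-style
# blocking entry, and two redirections of the kind the column describes.
SAMPLE_HOSTS = """\
# constructed sample, not a real file
127.0.0.1       localhost
127.0.0.1       known-hacker-site.example      # blocking entry: harmless
1.2.3.4         www.citibank.com               # hostile redirect
1.2.3.4         citibank.com
"""

# Assumed list of names whose redirection matters most; adjust to the
# sites you actually bank or pay with.
SENSITIVE_NAMES = {"citibank.com", "www.citibank.com", "paypal.com", "www.paypal.com"}


def parse_hosts(text):
    """Yield (ip, name) pairs from Hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text, sensitive=SENSITIVE_NAMES):
    """Return a list of (severity, ip, name, note) for entries worth a look.

    Mappings to loopback or 0.0.0.0 only block a name and are not reported.
    Any other address is a redirect: 'high' when it hijacks a sensitive name,
    'review' otherwise (or when the address does not parse at all).
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("review", ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if name in sensitive:
            findings.append(("high", ip, name, "sensitive name redirected"))
        else:
            findings.append(("review", ip, name, "name mapped to a non-local address"))
    return findings


def hosts_path():
    """Path of the Hosts file the resolver really uses.

    On Windows the directory is taken from the DataBasePath value under
    Tcpip\\Parameters, the Registry entry a rogue program can repoint, rather
    than assumed; elsewhere the conventional /etc/hosts is used.
    """
    if os.name == "nt":
        import winreg
        key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            base = winreg.QueryValueEx(key, "DataBasePath")[0]
        return os.path.join(os.path.expandvars(base), "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Audits the constructed sample by default; pass --live to read the real file.
    text = open(hosts_path(), errors="replace").read() if "--live" in sys.argv else SAMPLE_HOSTS
    for severity, ip, name, note in audit_hosts(text):
        print(f"{severity:6} {ip:16} {name:30} {note}")
```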
Articles about Windows' default Hosts file can be found in the
Computing.net forum. The way SpyBot uses the Hosts
file is described in a
NetworkClue.com article.
What's the perfect answer?
The perfect answer to all of Windows' security needs isn't yet available,
but with a collection of tools from a variety of vendors, the operating system
can be locked down fairly tightly against hacker intrusions. In
future issues of Brian's Buzz, I'll review the security improvements offered by
Service Pack 2 for Windows XP, which reportedly may be
released as early as June 15, and Longhorn, Microsoft's next-generation Windows,
which isn't expected until 2006.
I'd like to thank all my readers who sent in comments on the latest phishing
exploits, and especially James Zall, Ferrell Hurst, Burton Strauss III, and
Marc Erickson for their help with this topic. They'll receive gift
certificates good for a book, CD, or DVD of their choice.
To send me more information about this, or to send me a tip on any other
subject, visit
WindowsSecrets.com/contact. You'll receive a gift certificate, too,
if you're the first to send me a tip that I print.
RECOMMENDED READING — my book reviews of tech topics
The Anarchist in the Library
This little book (256 pages) is a guide to the possible futures we may soon
inhabit — depending on how today's battles over music and digital rights
work out. Subtitled "How the Clash Between Freedom and Control is
Hacking the Real World and Crashing the System," media scholar Siva
Vaidhyanathan (author of Copyrights and Copywrongs) argues that
technology is treading a fine line between "oligarchy and anarchy."
Network Security First-Step
This is a baby-level security tutorial for novices, but that's exactly
what many people are looking for these days. Thomas M. Thomas has put the
book together with a Cisco flavor, which is understandable, but other than that
makes no assumptions that the reader already knows any network jargon. A
complete beginner could actually understand most of what's in here, if
they made an effort.
Network Security Assessment
Unlike the book reviewed above, Network Security Assessment is an advanced
work that will appeal to big-time systems administrators. Everyone is talking
about improving security, but Chris McNab — a script kiddie himself
only a couple of years ago — lays out a series of tests you can
actually use to evaluate your own defenses. Another great O'Reilly book.
FORWARDING INSTRUCTIONS — news gains value when it's shared
Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free
newsletter. Because most e-mail programs don't correctly display a formatted
message that's been forwarded, simply call people's attention to
the permanent Web address of this issue:
BriansBuzz.com/w/040603.
HERE'S A TIP — you'll get a better newsletter if you choose the paid version
You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version receive additional information in each issue.
Some of the extras this week are:
- Free program controls all running tasks.
This little gem not only kills off spyware critters that try to get into
your StartUp group and Registry — it explains what all those cryptic
filenames that you see in the Task Manager mean!
- Make your windows fit your way.
If you're tired of dragging two or more applications into the same positions on
your monitor to work on them, there's a new utility that automatically "pops"
them into place for you, with a single command.
In addition, paid subscribers are eligible for a free download of valuable,
licensed content at least once every calendar quarter. You also gain
immediate access to search and view all past paid newsletters.
To upgrade, simply make a contribution of any amount that you choose.
If you do this by June 16, 2004, you'll be sent the full, paid version of
this week's newsletter.
To upgrade to the paid version, please visit
WindowsSecrets.com/upgrade.
Thanks in advance.
BRIAN'S BOOKSHELF — new e-books from the author
Spam-Proof Your E-Mail Address
This 27-page e-book in PDF format gives you step-by-step instructions
that can eliminate 97% of the spam that would otherwise clog your e-mail
account. You could call it "Brian Livingston's Spam Secrets." The book
is the result of months of experiments and tests I conducted, and I now
receive little or no spam to the addresses I used as guinea pigs. These tests
show that you can actually reduce your volume of spam to practically nothing,
not just battle an unstoppable and ever-growing flood. The methods I describe
work with Windows, Apple, and Linux and don't require any filters or block
lists — but you can use those in addition to the book's techniques, if you wish.
WACKY WEB WEEK — playing for you the Internet's greatest bits
Save $500 by changing one byte of code
Digital camera enthusiasts were pleasantly surprised last fall when Canon
released its 6-megapixel EOS 300D unit (at left in photo) for a list price
of only $899 (currently about $775 street at Shopping.com). This was hundreds
of dollars below Canon's very similar EOS 10D (at right), which had
shipped earlier for $1,499 (about $1,275 street).
Although the newer camera lacked many of the customizable features of its
older sibling, the sub-$1,000 price of the "prosumer" 300D led the authoritative
Digital Photography Review to say at the time, "This camera
is probably the most fundamentally important step for digital SLR's since
the introduction of the Nikon D1."
Now the reviewers have found that the 300D contains the same basic firmware as
the 10D — and changing a single byte in the code enables all those
"customizable" features! They say this and other tips instantly add $500 to
the value of the model.
Click the "more info" link below, then scroll down to "What Is the Russian
Firmware Hack?" for details. The change voids the camera's warranty, of course,
but you might find that worthwhile.
More info
USEFUL LINKS — more stuff that's good to know
In this section, I provide links to stories I've reported in other media that
you might find interesting.
Whitelists battle for market share
Everyone always talks about whether their e-mail will get through, but no one
ever does anything about it — until recently. At least two companies are
selling access to "whitelists" that promise to get corporate e-mail delivered,
bypassing the spam filters that are now used by Internet service providers.
Suddenly, this idea is making a breakthrough.
Protect your company from "cache bashing"
It's not enough that you have to install firewalls, antivirus programs, spam
filters, and adware cleaners on all your PCs — now you have to guard
against something called "cache bashing," too. If it's important that your
company be findable when potential customers look for your topic in search
engines, you'll want to know how this works and how to protect yourself.