- Introduction to Clean Systems Information Center
- E-mail Security and Privacy
- Internet Security
- Malicious Software
Introduction to Clean Systems Information Center
Clean Systems Information Center is devoted to educating our clients on common security measures. As a computer user, you need to know how to recognize these potential information technology (IT) security concerns and what to do about them. Clean Systems provides more than just a service; we will educate and inform you of the basic concepts of IT security and help you to become part of the vital effort to ensure the protection of your systems, resources, and information from unintended and unauthorized access or misuse.
Don’t be an online victim!
What follows is a discussion of basic items and terms you may have encountered in your online experience. Click the following links to find out more about a given topic. Finally, at the end of each section you will find real-world examples and steps you can take to protect yourself and maximize the utility of your online experience.
E-mail Security and Privacy
Is my e-mail private?
As a general rule, e-mail is not private unless it's encrypted. Copies of e-mail sent over the Internet can be found in the backups of many servers along the path the message traveled. Once sent, e-mail cannot be recalled (the "recall" functions offered by some e-mail systems merely send a second e-mail instructing the recipient to disregard the previous message). There is no way to prevent a message from being forwarded. Also, e-mail can be misdirected (e.g., accidentally sent to a similar name in the directory).
Before you send an e-mail, ask:
- Would this message be more appropriately conveyed over the phone or in person?
- Does it contain any sensitive issues or information about your employees, customers, or contractors?
- Does it contain any private information that would embarrass you if it was read by anyone other than the intended recipient?
- Did you include anything other than the facts?
If you can answer "No" to these questions, it's probably all right for you to click send.
What is spoofing?
Spoofing is sending a “forged” e-mail that looks as though it comes from a reputable business. Spammers and virus writers often spoof the "From" address on e-mail to make it look official (e.g., support@bankofamerica.com) or as if the message was actually sent from someone else (e.g., john.doe@hotmail.com).
What is an e-mail hoax?
A hoax typically arrives in an e-mail note that has been forwarded using a distribution list and urges the recipients to pass the message on (using a distribution list or to everyone the recipient knows, or to "as many people as possible"). Individuals should also be especially alert if the warning urges them to pass it on to their friends. This should raise a red flag that the warning may be a hoax.
A hoax can result in damage to computers. A hoax may contain incorrect information intended to fool the user into performing unwanted actions on his or her system. For example, one hoax e-mail announces, "You may already be infected." It then instructs the recipients to find and delete an obscure-sounding file such as "Jdbgmgr.exe" or "SULFNBK.exe" - but the computer isn't really infected, the file is a legitimate part of the operating system. A hoax that causes users to delete files that are part of their PC's operating system can cost organizations many hours in downtime.
Well-known hoaxes include the following: Good Times virus, Join the Crew virus, PKZip Trojan Horse virus, It takes Guts to Say Jesus virus, and Win a Holiday! virus. None of these are viruses.
How are Internet chain letters harmful?
Internet chain letters often contain threats, warnings, or promises of rewards that will be the recipient's as long as he or she doesn't break the chain. Just consider that if each recipient sends the letter on to 10 others, the ninth resending results in a billion e-mail messages, clogging networks and interfering with legitimate e-mail traffic.
If you receive a chain letter in your e-mail, do not forward it. Delete the message or notify your system administrator or IT Security Officer. They may wish to investigate and warn their users not to pass on the letter. Do not send it to your colleagues, friends, or family members because it will slow the network and will lend your reputation to the message, making it appear to be authentic.
What is spam?
Spam (or UCE: Unsolicited Commercial E-Mail) is the Internet version of "junk e-mail." It is an attempt to deliver a message, over the Internet, to someone who would not otherwise choose to receive it. Almost all spam is commercial advertising.
If you receive unwanted e-mail, you can deal with it in several ways. The easiest is to simply delete it. However, it is impossible to stop all spam.
Spammers usually send out messages until they get caught. Once that happens, they move on to another Internet Service Provider (ISP) and find another server to distribute their messages.
It's been estimated that at any time, as much as two thirds of all e-mail messages traveling over the Internet contain unsolicited junk mail or malicious content.
The consultants at Clean Systems can also help you set up junk mail filters that can help prevent many kinds of spam.
What is phishing?
Phishing is a common type of identity theft that occurs through e-mail and Internet scams.
"Phishers" impersonate legitimate companies in e-mails sent to entice people to reveal personal data. The term "phishing" applies because these Internet scammers use sophisticated lures to "fish" for users' financial information and password data.
Phishing attacks use fake e-mails and fraudulent Web sites to lure people into sharing credit card numbers, account usernames and passwords, social security numbers, and other personal data. Phishers convince up to 5 percent of recipients to respond to them by using well-known brands of trusted banks, online retailers, and credit card companies.
Identity thieves (phishers) send thousands of e-mails claiming to be from services such as eBay, PayPal, or banks. To make the e-mails look legitimate, they "spoof" or forge the return address on the e-mail so that it says something like "billing@paypal.com."
Identity thieves often register a Web site with an address similar to that of a legitimate site. For example, www.billing-paypal.com, rather than paypal.com. Most people don't notice that the Web site address is slightly off.
The fake Web site contains a copy of the Web page code from the original site. The fake site appears to be part of the real company's site.
The phisher sends an e-mail to many addresses with a link to the replica page. The e-mail or the page will ask for the user's information, such as credit card data or a password. If the user provides this information, it is sent to the phisher. After the user enters the data, the fake Web page usually returns the user to the legitimate Web site, so that the user does not suspect anything.
Users who input personal data have just given away their identities. Often they don't notice for months, until they are denied credit or turned down for a loan. In the meantime, the thieves may have used the victim's identity to open a bank account with a line of credit, open credit accounts with stores, obtain cell phones, or buy a car.
What is pharming?
Pharming has been called a successor to e-mail phishing attacks. Pharming is a new name for a relatively old concept: domain spoofing. Rather than spamming you with e-mail requests, pharmers redirect your Web request somewhere else. Your browser does not know that you're connected to an alternative site. This means that you no longer have to click an e-mail link to hand over your personal information to identity thieves.
In publicized attacks, Amazon.com and Google.com have been targets; there were no immediate reports of identity theft resulting from those events.
The best solution to the pharming threat is to add another layer of authentication. Web servers (sites) would need to prove to you that they are who they say they are and establish a trusted link between you and them. Trusted sites would obtain a certificate from a certificate authority, such as VeriSign.
Many sites already offer certificates. When you visit these sites, you see a dialog box asking if you want to trust the certificate. If the certificate name matches the Web site name, you would log in to the site. If the name on the certificate doesn't match the site you're attempting to reach, you know that something is not right and you leave that site. The target site's Web address (URL) may have been hijacked.
Real-world examples of e-mail and Internet fraud
Customer data leaks are receiving prime-time coverage from the media. Major leaks can destroy an organization's reputation. Here are just a few of the data leaks reported in the first six months of 2005 by the major media: Information from 40 million credit- and debit-card accounts was exposed after an intruder gained access to CardSystems' computer network. HSBC Bank notified 180,000 customers of General Motors-branded MasterCards that they should obtain new card numbers due to a compromise at clothing retailer Ralph Lauren. There were massive breaches of customer data at LexisNexis. ChoicePoint sold personal data to thieves posing as businessmen. PayMaxx leaked employee W-2 tax data. Bank of America lost backup tapes of customer data.
In fall of 2005, The Fédération Internationale de Football Association (FIFA) warned that phishers were targeting World Cup football fans. Phishers were sending e-mail messages that claimed that the recipient had won a lottery. Recipients were then asked to supply personal data, including bank-account information, to claim the prize money. The e-mail messages falsely claimed that the lotteries were operating on behalf of or in association with FIFA.
A recently convicted spammer operated from his house with 16 high-speed phone lines. News articles indicated that he earned $700,000 per month from $40 payments received for sending each group of 30,000 spam e-mails.
The FBI's Internet Crime Complaint Center estimates that $125.6 million was lost in 2004 to online swindles, with a Nigerian e-mail scam ranking among the top 10 scams reported.
Spammers also stole aid from Katrina victims: while people were waiting to be rescued, spammers were stealing aid meant for the victims by sending out “urgent appeals” for contributions. The Internet sites created by spammers stole the contributions meant for victims. Also, the donors’ credit card information was sold to identity thieves. Real charities don’t spam asking for aid. To help the hurricane victims, donate directly to disaster-relief organizations. Do not use an intermediary who might take a cut (or all) of your donation for "expenses." For details on the variety of scams being tried in the wake of hurricane Katrina, see: http://www.scambusters.org/hurricanekatrinascams.html
How can you protect yourself?
- Phishing e-mails are usually not personalized, while valid messages from your bank or e-commerce company often are personalized.
- To make sure you're on a secure Web server, check the beginning of the Web address. It should start with https: (note the "s") rather than "http:" as non-secure sites do.
- Before submitting financial information through a Web site, look for the "lock" icon on the lower right of your browser's status bar. It means your information is secure during transmission.
- Unless the e-mail is digitally signed, you can't be sure it wasn't forged or "spoofed." A digital signature helps you to be sure of the sender's identity and that the message arrived intact. If the digital signature is valid, the e-mail will have a visual cue, such as a red ribbon or a change in background color. Check the documentation for the e-mail program you use to learn more.
- Communicate information such as credit card numbers or account information only via a secure Web site or by telephone.
- If you are uncertain about the information, contact the company through an address or telephone number you know.
- If you suspect the message might not be authentic, don't use the links in an e-mail to get to any Web page. Instead, log onto the Web site directly by typing in the Web address in your browser.
- If you unknowingly supplied personal or financial information, contact your bank and credit-card company immediately.
- If you have been a victim of identity theft, call the FTC's Identity Theft Hotline. The toll-free phone number is 1-877-IDTHEFT (1 877 438-4338). Counselors will take your complaint and advise you on how to deal with the credit-related problems that could result.
- When it comes to phishing: Think! Don't link. Don't click on links in phishing e-mails.
- Do not circulate "virus warning" messages.
- Do not forward chain letters.
- Use the Blind Carbon Copy (BCC) option to address e-mail messages to multiple recipients. Ask your Clean Systems Consultant for more details.
- Learn to recognize e-mail that may contain malicious software.
Be careful of any e-mail that meets one or more of these criteria:
- Is from an unknown party or has a strange variation of the address of a known individual
- Includes bad grammar, either in the subject or body of the message
- Is humorous or overly familiar in nature, but is from what appears to be a professional contact
- You receive multiple copies of the same e-mail from the same or different people
- The subject and/or body of the e-mail is blank, but there is an attachment
- The message urges you to view the attachment
- The attachment has a double or triple extension, such as ".gif.exe" or ".jpg.jpg.vbs" (see more below)
- The message says it has sent a file or information that you requested, but you don't remember requesting it
- The message claims the attached file is about earning money, losing weight, working from home, pornography, a greeting card, a music file, a screen saver, etc.
- Use e-mail responsibly: e-mail must not be used for offensive communications or to make threats.
- Be careful of attachments received unexpectedly, even if from a known source. Any files or attachments you did not request or were not expecting should be deleted without opening.
- If you receive a suspicious e-mail from someone you know, do as Ronald Reagan recommended: Trust, but verify. Call them and ask if they intended to send the message. Often, viruses are spread by e-mail without the sender knowing that his or her machine has been infected and is sending infected e-mail.
- Don't open files that have more than one extension, such as ".jpg.vbs" or ".gif.jpg.exe"; the extra extensions are dangerous because unless the full file name is viewed, a computer user might think that a file called "pictureofme.jpg.vbs" was a .jpg, or photographic image, when the file is actually a Visual Basic script, as identified by the last letters in the file name.
- Keep your anti-virus software up to date.
- Use a text-only or "plain text" format for e-mail rather than the HTML message format. HTML formats are widely used in today's e-mail environment, and can be a source of virus infection. Ask your Clean Systems Consultant for more details.
- Ensure that your PC has the most current software updates and fixes.
- Do not send e-mail for work purposes through your personal e-mail account.
- Back up critical files.
- Use the longest password that you can. Longer is stronger.
- Whenever possible, include at least one special character (!@#$%) in passwords.
- Do not use words found in any dictionary, spelled forward or backward.
- Do not display passwords on screens or any other media at any time, and do not store passwords in clear-text (unencrypted) form.
- Employ appropriate actions to prevent observers from viewing passwords.
  - Practice entering your password quickly (use several fingers).
  - Use your body to prevent the observer from seeing the keys being pressed as you enter your password.
  - Request that guests do not watch the password entry process.
  - Perform the password entry prior to demonstrating system use.
- Change your password when it has been compromised, or when you suspect that it has been compromised, and inform your IT Security Officer.
- Memorize your passwords for critical systems. Do not write down or store these passwords in batch files, automatic log-in scripts, software macros, terminal function keys, or any place where others might discover them.
- Do not write down your passwords in any form that can be recognized by another person.
- Never use the built-in feature of any system to save your password or remember your password for you. If you do, your password may be saved/remembered in a clear and readable form that hackers can easily find.
- Use different passwords for each critical account. Using the same password on more than one account could allow a compromise of one to lead to unauthorized access to all the others.
- Do not disclose or share your password with anyone.
- Make new passwords that are not similar to ones you have previously used.
- Avoid passwords based on common single words (e.g., "Pa$$w0rd"). Instead, favor phrase passwords (e.g., "I like to sing in the shower at 6AM " might be "IL2sis@6Am").
- Don't reply to the spammers or follow instructions in the spam for getting yourself "removed" from their list.
- Don't spam, mail bomb, or hack spammers. They will only target you more aggressively.
- Don't go to Web sites on which the spammers may be advertising. A lot of information can be gathered at Web sites. Also, these sites may contain malicious code that could damage your computer.
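The checks in this list for the https: prefix, for lookalike addresses such as www.billing-paypal.com, and for links carried in e-mail can be applied to a link before it is followed. The following Python function is an added example, not Clean Systems' own code; the TRUSTED_DOMAINS set is an assumption, and the domain extraction simply takes the last two labels, so it does not handle suffixes such as .co.uk.

```python
from urllib.parse import urlparse

# Sites the user actually does business with (assumed for this example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}


def registrable_domain(host):
    """Return the last two labels of a host name:
    'www.billing-paypal.com' -> 'billing-paypal.com'.
    Simplification (assumption): multi-label public suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_of(domain):
    """'paypal.com' -> 'paypal'; the word a lookalike address tries to reuse."""
    return domain.split(".")[0]


def assess_link(href, trusted=TRUSTED_DOMAINS):
    """Evaluate a link from an e-mail against the three checks above:
    - the address should start with https:
    - the host should be a trusted site (or a subdomain of it), not a lookalike
    - a trusted brand name inside an unrelated host is a lookalike sign
    Returns (verdict, findings); verdict is 'trusted', 'lookalike' or 'untrusted'."""
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append("not https: information would not be encrypted in transit")
    if not host:
        findings.append("no host name in link")
        return "untrusted", findings

    domain = registrable_domain(host)
    if domain in trusted:
        # www.paypal.com is a subdomain of paypal.com, so it passes this check.
        return "trusted", findings

    # Lookalike test: 'billing-paypal.com' contains 'paypal' but is not paypal.com,
    # and 'paypal.com.example.net' is really a host under example.net.
    for site in sorted(trusted):
        brand = brand_of(site)
        if brand in host:
            findings.append("'%s' appears in %s, which is not %s" % (brand, host, site))
            return "lookalike", findings

    findings.append("%s is not a site you do business with" % domain)
    return "untrusted", findings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in ("https://www.paypal.com/signin",
                 "http://www.billing-paypal.com/login",
                 "https://paypal.com.example.net/",
                 "https://www.example.org/"):
        print(link, assess_link(link))
```

A "lookalike" or "untrusted" verdict is the cue to ignore the link and type the company's address into the browser yourself, as the list recommends.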
Internet Security
The Internet allows any connected computer to exchange information with any other connected computer, regardless of location. The most common methods are the Web and e-mail.
What is a (Web) Browser?
Browsers (e.g., Internet Explorer, Netscape Navigator, Opera, Safari, Firefox, and Lynx) are used to access Web sites. Browsers also may be used for downloading software, filling out forms, participating in chat rooms, and sending and receiving e-mail. Browsers have a basic set of capabilities that may be extended through the use of "plug-ins" and applets. Typical plug-ins are Quick Time, Real Player, Adobe Acrobat, and Flash. Applets may be written in Java or ActiveX and can perform any programmable function, including Windows operating-system functions.
The most common threats associated with Web browsing include the following: malicious code downloaded in files; aberrant ActiveX controls or Java applets, plug-ins, cookies, viruses, Trojan horses; and exposure to offensive material.
Is instant messaging (chatting) safe?
Instant messaging (IM) and chat channels allow groups of individuals to exchange dialog, Web site address links, and, in many cases, files of any type. Consequently, instant messages can transfer worms and other Malware.
IM programs such as AIM (America On Line Instant Messenger), ICQ (I seek you), MSN Messenger, Yahoo! Messenger and chat applications can expose computers and your network to viruses, hackers/exploits, and privacy violations.
What are the dangers of peer-to-peer networks and file sharing?
Peer-to-peer (P2P) networks enable computer users to directly access files from other computer users' hard drives. To do this, such users download software that connects their computers to a network made up of other computers running the same software.
Users of P2P software often don't realize that in addition to sharing files they intend to share, they may be allowing others to copy their private files, such as their e-mail messages, photos, or financial or medical records. Web "cookie" files that sometimes include passwords for credit card and e-commerce accounts have been unintentionally shared through P2P networks.
Some P2P or file-sharing programs install spyware that monitors a user's browsing habits and sends that data to third parties. Spyware can result in unwanted advertisements. Worse, it can be hard to detect and remove.
Downloaded software from P2P networks can open systems to viruses.
Sometimes, closing the file-sharing program window does not close the connection to the P2P network. Some P2P programs automatically open any time the PC is turned on.
Organizations, including record companies, have sued some P2P users for what they consider illegal sharing of copyrighted content.
Problems with P2P include the following:
- It can involve an otherwise innocent user in illegal activities: many P2P systems are used for sharing copyrighted files illegally.
- File sharing is a security incident waiting to happen: more than 70 viruses are transmitted specifically to P2P systems, and if file-sharing systems are misconfigured, all of the computer's documents may be shared rather than just the music files.
- Many of the files shared are large and transferring them consumes excessive network resources.
- You do not know if the person sharing the files is infected already, or if the files you are downloading contain an infection.
How do I “securely” enter sensitive data on Web pages?
When entering passwords or other sensitive data in Web forms, be sure the Web page is secured using Secure Sockets Layer (SSL).
SSL establishes an encrypted "tunnel" between your browser and the Web site. If a Web page is secured, your browser should display a "closed lock" or other symbol(s) to indicate that SSL has been enabled. The Web site address should also now start with "https://" while unsecured sites start with "http://" (without the added "s").
SSL creates a secure connection between your Web browser and a Web server.
Real-world examples of faulty security
In 2005, 75 pages of highly classified Dutch military documents about human traffickers were found on a P2P site (KaZaa). The most likely cause of these unencrypted documents being available is that a staff member worked on the documents from home and unintentionally shared his entire hard drive with the rest of the world.
In October 2004, a leading Dutch prosecutor resigned after he threw out an old PC. The PC's hard drive contained hundreds of pages about high profile crime cases, his credit card number, and tax files.
US military secrets have also been found on P2P networks, such as Gnutella. In July 2004, documents and photographs with security markings ranging from "For Official Use Only" to "Secret/NO FORN" (NOFORN means "not for release to foreign nationals") containing real-time information about operations in Iraq were downloadable from the P2P network, Gnutella.
How can I protect my personal data?
- Be careful what sites you visit.
- Block malicious code by using anti-virus software.
- Limit plug-ins and verify the source of all plug-ins.
- Do not install any software that is not authorized by your system owner or IT security personnel.
- At the office, know the software installation policies at your organization. In many organizations, software may be installed only by your local system/network administrator or help desk.
- If your computer's performance changes after you visit a Web site, call your Clean Systems Consultant for assistance.
- If you leave your PC on at night, log off your account.
Malicious Software
What is malware?
Malware is the broad term for any software or program that can damage your files, computer, or professional reputation. It can cause a denial-of-service attack by using up available network resources as the code spreads. This prevents legitimate users from using the network. Malware can cause loss of productivity. Some malicious programs allow an attacker to remotely control any computer on which the program is installed.
Malware can be spread in several ways. It can spread via e-mail (usually in attachments) and through network connections (on the Internet or through your network). It can also spread through: sharing files online or on diskettes, CDs/DVDs, or other media; malicious Web sites (be wary of sites that offer free items or make unrealistic promises); and files downloaded from the Internet.
Malware is widespread. Even highly classified military networks that are supposed to be secure have been attacked by malware. Many e-mails, Web sites, and new commercial software have been tainted with malware.
Types of Malware
- Virus - a program that infects a host file (such as a document, spreadsheet, or executable) and usually requires human interaction to spread (e.g., a person must open a file or run an infected program).
- Worm - a program that spreads across networks, usually without human interaction. A worm, once present on a computer, is already active. A worm can replicate and spread itself. Usually a worm uses the infected computer's network. No human action is required.
- Adware - a program that displays advertisements to the user.
- Spyware - software that collects information from a computer and then reports back to the author. Spyware runs without the user's knowledge or permission. Spyware is so common now that unprotected computers can get bogged down with hundreds of these parasites and become unusable.
- Hijacker - a browser hijacker interferes with the operation of your browser. It alters options such as your home page and may direct you to some Web sites, while preventing you from browsing others. For example, if you type www.google.com and www.xyz.com comes up, you have been hijacked.
- Malicious mobile code (active content) - small programs or browser scripts, such as Java applets, JavaScript scripts, Visual Basic Scripts, and ActiveX controls that make your system do something that you do not want it to do. These programs automatically download from a Web site or remote system. They run with little or no human interaction. HTML documents (e-mail and Web pages) are the most common vehicle for mobile code.
How do I detect a virus?
Viruses are often difficult to detect and usually do not modify the operation of the infected program in any way prior to activation. Watch for changes in the pattern of your system's activities: any of the following signs can be an indication of a viral infection:
- Program loads take longer than normal, computer response time is much slower.
- Disk accesses seem excessive for simple tasks.
- Unusual error messages occur with regularity.
- File-modification dates are changed inexplicably.
- System devices indicate activity when there should be none.
- You have less system memory available than usual.
- Programs or files disappear mysteriously.
- You suddenly notice a reduction in available disk space.
- Files mysteriously increase in size.
- PCs and servers experience total failure.
- E-mail programs send mail to every address in your address book.
What is spyware?
Spyware is software that is placed on your computer to collect information and send it back to someone who uses it for some purpose. Firms such as Mattel and Real Audio were caught clandestinely placing such software on machines of people who bought their products. They were using the information collected to build marketing profiles of their customer base. Other firms use this technique to "call home" if the machine has been stolen, much like Lojack for PCs.
The software used for these "good goals," however, could just as easily collect and send back any information that is stored on or is transmitted by your machine. Spyware can scan files and send confidential information to hackers.
Spyware is increasing throughout business and government organizations. It gets into computers and networks through downloaded applications, peer-to-peer file sharing, instant messaging, or a software virus.
For those with home PCs, spyware is one reason for using a personal firewall that manages both incoming and outgoing communications. That way you can catch and stop software that tries to "call home" without your permission. You can also use software programs that look for and eradicate spyware on your machine, such as Spybot Search and Destroy, Ad-Aware, and NoAdware. Be careful if you have a home PC and decide to download this or any other software from the Internet. Make sure you are at the correct Web site for the software, make sure your anti-virus software is up to date, and scan the downloads for viruses.
What is a backdoor?
A backdoor is a program that bypasses normal security controls to give an attacker access.
Analogy: Barbarians disguise themselves as construction workers and enter the village for a job. They take down a part of the village wall. Other barbarians sneak in at night. Hackers can build vast collections of compromised computers. These "zombie" machines can be used to make massive second-hand attacks.
What is a Trojan horse?
A Trojan horse is a program that disguises itself inside, or as a part of, a desirable or useful program while hiding its malicious purpose.
Analogy: Barbarians disguise themselves as gentle villagers. They open the village gate at night so other barbarians can invade the village.
Real-world example of malicious software
Malware cost global businesses between $169 and $204 billion in 2004. The worst year on record according to digital risk management company, mi2g. Malware is getting more costly: the cost of malware damage in 2004 was more than twice what it was in 2003. Its costs include: help desk support costs, overtime payments, and loss of business. Other costs are related to bandwidth clogging, productivity loss, management time, and software upgrades.
"In the history of the Internet, worms have caused the most widespread damage of any computer attack techniques, and could become even more devastating in the near future." - Ed Skoudis, author of "Malware, Fighting Malicious Code" (2004)
In June of 2003, Zone Labs reported that "in a typical enterprise, unwanted spyware can account for over 37 percent of network bandwidth."
How can I protect myself against malware?
- Do not run Windows from an “Administrator” account. Running your computer as a member of the Administrators group makes your system vulnerable to Trojan horses and other security risks. If you need to perform administrative tasks, such as upgrading the operating system or configuring system parameters, then log off and log back on as an Administrator, perform the task, and then log off and log back on as a regular user.
- Choose a strong password to log on to Windows.
- Set Windows Update to automatically download and install updates from Microsoft, or run Windows Update manually on a regular basis.
- If you use Microsoft Office, check both Windows Update and Office Update for updates.
- Have anti-virus software installed and running, and set to update itself automatically or manually update every several days.
- Have your anti-virus software automatically scan your computer and your instant messaging software for viruses.
- Run your anti-spyware software at least once a week.
- Use e-mail attachments securely.
- Configure Windows to show all file extensions.
- Never open attachments unless you are expecting them.
- Never open attachments that are programs (for example, files that end with: .bat, .chm, .cmd, .com, .exe, .hta, .ocx, .pif, .scr, .shs, .vbe, .vbs, or .wsf).
- Never respond to spam, even to "unsubscribe."
- When you buy online, make sure that sensitive information is entered only on secure pages (https), and look for the lock icon in the lower right of your screen.
- Have a personal firewall installed and running.
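The double-extension rule in the e-mail section ("pictureofme.jpg.vbs" is a script, not a picture) and the program-extension list in this section can be applied mechanically to an attachment name. The following Python function is an added example, not Clean Systems' own code; the program extensions are the ones listed on this page, while the BENIGN_LOOKING set is an assumption.

```python
import os

# Extensions this page lists as program files that should never be opened
# when they arrive as attachments.
PROGRAM_EXTENSIONS = {
    ".bat", ".chm", ".cmd", ".com", ".exe", ".hta", ".ocx",
    ".pif", ".scr", ".shs", ".vbe", ".vbs", ".wsf",
}

# Extensions a user would expect to be harmless data, used to spot disguises
# such as "pictureofme.jpg.vbs" (assumed set, not from the page).
BENIGN_LOOKING = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc", ".zip"}


def split_extensions(filename):
    """Return every extension in the file name, in order, lower-cased.
    'pictureofme.jpg.vbs' -> ['.jpg', '.vbs']"""
    parts = os.path.basename(filename).split(".")
    # parts[0] is the name stem; everything after a dot is an extension.
    return ["." + p.lower() for p in parts[1:] if p]


def assess_attachment(filename, show_extensions=True):
    """Classify an attachment name against the page's rules.

    Returns a dict with:
      effective_type - the extension the operating system acts on (the last one)
      displayed_name - what the user sees; with 'hide extensions for known
                       file types' on, Windows drops the final extension
      findings       - list of human-readable warnings
      risk           - 'block', 'suspicious' or 'ok'
    """
    base = os.path.basename(filename)
    exts = split_extensions(base)
    effective = exts[-1] if exts else ""
    findings = []

    if effective in PROGRAM_EXTENSIONS:
        findings.append("last extension %s is a program type" % effective)

    if len(exts) > 1:
        findings.append("multiple extensions: " + "".join(exts))
        if exts[-2] in BENIGN_LOOKING:
            findings.append("disguised as %s but actually %s" % (exts[-2], effective))

    # This is why the page says to configure Windows to show all extensions:
    # with them hidden, 'pictureofme.jpg.vbs' is displayed as 'pictureofme.jpg'.
    if show_extensions or not exts:
        displayed = base
    else:
        displayed = base[: -len(effective)]

    if effective in PROGRAM_EXTENSIONS:
        risk = "block"
    elif len(exts) > 1:
        # Legitimate names such as 'archive.tar.gz' land here too; the rule
        # on the page is to treat any multi-extension attachment with care.
        risk = "suspicious"
    else:
        risk = "ok"

    return {"effective_type": effective, "displayed_name": displayed,
            "findings": findings, "risk": risk}


if __name__ == "__main__":
    # Constructed attachment names, not taken from any real message.
    for name in ("pictureofme.jpg.vbs", "holiday.gif.jpg.exe",
                 "report.pdf", "archive.tar.gz", "Setup.EXE"):
        print(name, assess_attachment(name, show_extensions=False))
```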
If you experience any of the above or think you may have been exposed to malware call or e-mail Clean Systems for a diagnostic. We can detect malicious programs running on your computer and remove them before they cause further damage.