The Internet may not be crawling with dangerous hackers as the news media like to pretend, but it is inundated with billions of bytes of incredibly lousy and often malicious code, while most PCs are loaded with gigabytes of wretched software that either offers no protection or is itself malicious. Hackers are not your primary security concern; bad software is. This may not be terribly sexy news, but it’s true. Your computer is insecure because your software is insecure and because you’ve probably got several malware applications installed on it to boot.
Before we dig into the details, let’s take a brief survey of the most common malware vectors and other common routes to exploitation.

E-mail
In addition to executing code, e-mail also transports a great number of malicious file attachments. People are repeatedly warned never to open attachments without first scanning them for malware, but still they do so every day. Some mass-mailing viruses are capable of sending themselves automatically to each correspondent in a victim’s e-mail address book. The next recipient recognizes the sender as a known contact and is therefore more likely to open the attachment and infect himself, propagating the virus to his own contacts, and so on. The Melissa, ILOVEYOU, and Slammer e-mail worms used this technique and managed to clog up portions of the Internet for brief periods, though they contained no destructive payloads. However, many in-line scripts and e-mail attachments do contain malicious payloads, so it is very important to disable code execution (i.e., switch off HTML and all scripting and plugin support) and never to open any attachment, regardless of who sent it, without first scanning it for the presence of malware. E-mail attachments are probably the single largest vector of malware. Switching off HTML is also an important step because spam is often loaded with malicious scripting and remote images that can track recipients. Admittedly, it can be irritating to read HTML-formatted mail rendered in plain text. If your friends and regular correspondents have the habit of sending HTML e-mail, take a moment to explain the security risks of in-line scripting, and suggest that they consider sending mail in plain text.

Browsers
It’s easy for an attacker to force a victim’s browser to run malicious code and scripts, and this is especially true of Internet Explorer. Sometimes an attack involves redirecting a browser session to a malicious Web site without the user’s knowledge; sometimes it involves enticing a user to visit a malicious site with a link in an e-mail message; sometimes it involves spoofing or obscuring URLs and filenames; sometimes it involves sending malformed packets to the browser, and sometimes it involves tricks that cause code from untrusted sites to execute in the “trusted” Internet Explorer security zone. Cookies can be misused to compromise privacy and even to hijack browser sessions and gain access to private online accounts. Local files can be read by remote attackers; downloaded files can be forced to execute automatically; and buffer overflows can be caused, allowing arbitrary code to run on a victim’s machine without any user interaction. There are literally hundreds of ways for an attacker to turn a victim’s browser against him. Some have been patched; others have not.
Here again, Windows users are at a disadvantage. The Internet Explorer browser is designed primarily as a code-execution environment and is deeply embedded in Windows. This makes it particularly dangerous because there are a vast number of exploits against it and because attacks against the browser can more readily become attacks against the system. For one ironic example, in July of 2003 an online “security scan” offered by security services giant Symantec was found to be loading a dangerous, and exploitable, ActiveX control on Windows users’ machines, which in turn allowed external code to run with the victim’s level of privilege. An ActiveX control is an executable program that can operate at a very low level within the Windows operating system, often delivered as Web content.
Internet Explorer also makes it difficult for users to clear their computers of data traces from their browsing sessions. A great deal of data is stored in the Windows Registry; and the default directories where the URL history, page cache, and cookies are stored can be difficult to clear.
Internet Explorer also does not permit fine-grained control of images to be loaded and so offers little protection against Web bugs, a commercial tracking and profiling gimmick that uses tracer images embedded in Web pages by third-party marketers. The scheme is similar to the tracer images in HTML e-mail, by which a spam victim’s e-mail account is verified. In this case, the bugs track a person’s surfing habits by logging their IP address, and possibly cross-referencing this behavior with login information and data stored in cookies.
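As an added example (not from the book) of the in-line scripting and tracer-image problem raised in the e-mail section and in the Web-bug paragraph above, this Python script parses a constructed HTML message and reports what a client that renders HTML would silently fetch or run: remote images, script tags, and attachments. The sample message, addresses, and hostnames are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not from the book): HTML mail carrying a 1x1 remote
# tracer image, an inline script and a double-extension attachment.
SAMPLE_EML = b"""\
From: friend@example.com
Subject: photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi!</p>
<img src="http://tracker.example.net/open.gif?id=12345" width="1" height="1">
<script>document.location="http://bad.example.org/";</script>
</body></html>
--b1
Content-Type: application/octet-stream; name="photos.jpg.exe"
Content-Disposition: attachment; filename="photos.jpg.exe"

not-a-real-executable
--b1--
"""

class RemoteContentFinder(HTMLParser):
    """Collect remote image URLs and count <script> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.remote_images, self.scripts = [], 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts += 1
        elif tag == "img" and urlparse(attrs.get("src", "")).scheme in ("http", "https"):
            self.remote_images.append(attrs["src"])

def triage_message(raw):
    # Report what a client would fetch or run if HTML rendering were left on.
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"remote_images": [], "scripts": 0, "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteContentFinder()
            finder.feed(part.get_content())
            report["remote_images"] += finder.remote_images
            report["scripts"] += finder.scripts
        elif part.is_attachment():
            report["attachments"].append(part.get_filename())
    return report
```

A single remote image with a per-recipient query string is the "tracer image" the text describes: fetching it confirms to the sender that the address is live.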
This is a generic term for quite a few similar things. Essentially, a script is a series of commands to be executed without user interaction. They are not programs per se but, rather, commands that programs will respond to or instructions they will execute. The simplest ones are called batch files in Windows parlance and shell scripts in UNIX parlance. Most users have entered commands at a shell prompt or a command prompt. A batch file or shell script would simplify this by entering the commands in sequence automatically until the desired task is completed.
Scripts are everywhere and come in many forms. They often appear in Web pages and e-mail memos, where they provide interactive features and dynamic content. What they all share is the ability to perform tasks without user interaction. They are wonderful tools for automating repetitive chores and therefore of great value to sysadmins, Webmasters, and users alike. They are also of tremendous value to attackers. Scripts in Web pages and e-mail are frequently used as weapons because scripting languages are easy to learn: an attacker does not need any experience in programming to hack out a malicious script. A trick called cross-site scripting (XSS) allows an untrusted Web site to execute code in the security context of a trusted Web site without the user’s knowledge. Therefore, scripting support in any type of Internet client, including instant messaging, and in programs that invoke Internet clients (such as a word processor might do when one activates a hyperlink in a document file) is inherently risky. Scripting support is a significant and ever-present vector of compromise, and it must be controlled by the user with prejudice against allowing it except where necessary.

Instant Messaging
Instant messaging, or IM, is one of the more enjoyable services available over the Internet, one that can bring people together from anywhere in the world in real time for the price of an ISP account. However, graphical IM clients like MSN Messenger, AIM, and ICQ, as well as the text-based IRC (Internet relay chat) clients, are major vectors of infection. One reason is that the clients offer scripting support. There are many useful and innocent capabilities associated with IM and IRC scripts, though it should be said that the vast majority of packaged ones available for download have at least some malicious function, such as mass messaging (spamming), channel and network flooding, grabbing user IP addresses and other data, hijacking accounts and screen names, and the like. Another problem is that IM attracts children and teenagers and makes exchanging files very convenient. Young people tend to trust their peers and so typically end up accepting a great number of malicious files that can compromise not only their own privacy, but the overall security of a home network. Finally, it is important to know that many of the graphical IM and IRC clients contain adware and may reveal more about a user than he is willing to share with the IM service provider.
Businesses are also using IM as an inexpensive way for telecommuters to touch base with workmates on site in real time, and even for virtual conferences. This is an extremely insecure method of communication. IM clients can reveal a user’s true IP address; they can leave one open to man-in-the-middle attacks where one’s chat session is intercepted by a third party; they can be hijacked by scripts; and users can easily be impersonated. IM is fine for casual communication, but it is not an appropriate substitute for teleconferencing via a secure VPN (virtual private network). Simply permitting IM clients on a company network is a moderate security risk; using them for sensitive communication is positively reckless.
The MSN Messenger IM client is tied to a user’s Passport and Hotmail accounts and is deeply integrated with Windows as well. Browser action, such as logging into Hotmail, can invoke the IM client and vice versa. There is also a very dubious feature in Messenger called “shared browsing,” which enables two people on different computers to synchronize their browsers. “Even if you’re in Hollywood, CA, and your friend is in Hollywood, FL, you can both be on the same page—literally. You’ll see each other’s cursors on screen and you can chat in real time via MSN Messenger,” an MS marketing copywriter gushes. This level of integration and “synergy” is an open invitation to system compromise and privacy violation from many fronts. Exploits against Passport, Hotmail, and MSN Messenger are common, and a weakness in one increasingly implies a weakness in the others, since Microsoft’s trend is toward more, not less, application and Internet service integration. It is not a bad idea to replace MSN Messenger with a third-party clone like Trillian, which does not burrow so deep in the bowels of Windows and allows connections to numerous other IM networks. Even better from a security point of view is Gaim for Windows or Linux, which is both open source and adware-free, and, like Trillian, features cross-network compatibility. Gaim lacks the handsome user interface of many IM clients, but it is a fine choice for security reasons. However, all IM clients have been found susceptible to numerous exploits in the past and need to be patched regularly.

P2P Software
Much loved by young people for trading music files, illegally cracked editions of expensive software, and pornography, P2P applications like Morpheus, KaZaA, Grokster, and the like are major malware vectors even worse than IM clients. For one thing, most are infected with adware or spyware to help fund the developers. A great deal of user behavior is tracked across the Internet in this way, though the companies producing the applications soft-pedal this fact with the same dissimulating PR-speak that any flack from the music lobby would use. For example, KaZaA “contains no spyware,” developer Sharman Networks claims. The company “does not condone the use of spyware nor support the distribution of spyware to others,” we’re told. However, the KaZaA application feeds advertisements to users through third-party ad servers. Sharman assures us that this is all benign, that no one is tracked. But since you cannot possibly verify this claim, you would be foolish to believe it. “No spyware” is pure marketing spin. The company can call it what they please, but to any security-conscious user, adware is spyware.
P2P applications also function as servers so that users can upload files to each other’s machines, which means that their potential to spread malware is tremendous. Most of them are also capable of acting as super nodes, meaning that they can relay search requests from potentially millions of users. Enabling (or, rather, not disabling) the super-node function may cause users to violate their ISP’s use policy by inadvertently exceeding bandwidth limits, and the server function can expose users to every manner of malware known. These dangerous functions are often enabled by default, so users should take care to ensure that their P2P application is not behaving more promiscuously than they wish.
Permitting strangers to load files on your machine is essentially foolhardy. So is taking files from machines to which anyone can perform uploads. All such files must be scanned with antivirus software before activation, and users who permit uploads should scan their share directory periodically. However, AV software is only effective against known malicious files; it is hardly foolproof, so some risk will always remain no matter how careful or conscientious one is. Files downloaded via P2P applications or stored in an open share directory should be treated as malicious until proven otherwise. Careful scrutiny of file extensions is not an adequate defense: even seemingly normal MP3 files have potential to cause buffer overflow conditions against media players and use them as springboards to further system exploitation. While it may seem antisocial to use P2P software only to find and download files for yourself, this is, if not quite safe, the least risky way to go about it.
Assuming that the embedded adware and real potential for attracting root-kits hasn’t daunted you, there is yet another hazard. A powerful and quite ruthless lobbying organization for the music labels, the Recording Industry Association of America (RIAA), initiated a vendetta against file sharing in the summer of 2003. Armed with federal legislation called the Digital Millennium Copyright Act (DMCA) of 1998, written by the music and film lobbies and pushed through Congress on the wings of lavish campaign donations, the labels have begun identifying and suing file sharers with a streamlined subpoena process made possible by the DMCA. According to the Act, any copyright owner is permitted to file a simple subpoena obtained from a court clerk against anyone suspected of copyright violation, without a judge’s approval. There is no standard of evidence or probable cause.
The RIAA has been serving these inexpensive, do-it-yourself court orders against ISPs and obtaining the identities of P2P users, who are then sued. Usually, the accuser will be a simple software robot automatically trawling P2P networks, identifying likely candidates for legal persecution by their online nicknames or screen names. The subpoenas, essentially fishing licenses enabling the RIAA to accuse first and gather evidence later, are then used to obtain the suspected infringer’s true identity from their ISP. The RIAA is conducting an intimidation campaign in the form of a vendetta, lashing out at random members of a virtual “family” in order to chasten everyone else.
Meanwhile, telecommunication outfit Verizon objected to revealing its customers’ names on the basis of these flimsy subpoenas and fought the RIAA in court. The U.S. Court of Appeals for the District of Columbia ruled against the quick-and-dirty subpoena process, though no doubt a long, bitter legal battle over the music industry’s tactics will ensue. The practice may be reprehensible, but it may yet be upheld by the U.S. Supreme Court, thanks to the eternal inflooding of entertainment industry money into the U.S. political system. While there are valid political reasons for defying the RIAA and its sister organization, the Motion Picture Association of America (MPAA), and the custom-designed legislation they purchased on Capitol Hill, from a security point of view, P2P sharing is moderately risky at best, and positively self-destructive if all the features are enabled.
Users of P2P applications would do well to run a packet sniffer on their Internet connections from time to time and observe directly what sort of data is being exchanged, and with whom (we will learn to do this in Chapter 4). One should be especially suspicious of encrypted data shuttling back and forth between their computers and some Internet marketing outfit. It’s also wise to seek an open-source P2P application so that no secret functions can be hidden in the code. When choosing any open-source product, always look for the availability of source-code packages. Many P2P developers like to call their products “open,” a marketing label with no more meaning than any other PR copywriter’s phrase, such as “all natural.” Unless the source-code files are available so that you can build the application yourself, it is not open source.