<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Internet security tips and advice &#187; Security Insight</title>
	<atom:link href="http://www.securityteacher.com/category/security-insight/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityteacher.com</link>
	<description>Internet Security Tips and Advice</description>
	<lastBuildDate>Sun, 22 Nov 2009 00:43:05 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Data backup essentials</title>
		<link>http://www.securityteacher.com/2009/01/19/data-backup-essentials/</link>
		<comments>http://www.securityteacher.com/2009/01/19/data-backup-essentials/#comments</comments>
		<pubDate>Mon, 19 Jan 2009 14:22:56 +0000</pubDate>
		<dc:creator>emelyanova</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/?p=207</guid>
		<description><![CDATA[Computer security is so multifaceted that it cannot be tailored to fit any one specific definition or approach. Comprehensive computer security comprises numerous subcategories that together add up to form a single, coherent structure. One of these subcategories that we haven’t yet touched on is data backup and the part [...]]]></description>
			<content:encoded><![CDATA[<p>Computer security is too multifaceted to fit any one definition or approach. Comprehensive computer security is built from numerous subcategories that together form a single, coherent structure. One of these subcategories that we haven’t yet touched on is data backup and the part it plays in keeping valuable data safe. Here we make up for that omission by reviewing the different approaches to data backup and how they work.</p>
<h2>Backup = Insurance</h2>
<p>Data backup lets you save your information to a safe place and restore it later if something happens to the device on which it normally resides. It is indispensable if you want your original work, your files, or whatever data you value to survive whatever may threaten it: you can always roll back to a previous state and recover what has been lost or compromised. When critical information is at risk, a backup is your first resort for knowing that your digital valuables are not in jeopardy. Backup is especially helpful in the following situations:</p>
<ul>
<li><em>When you’re about to install a new application or a major update</em> and you’re unsure whether it will cause system disruptions or compatibility or interoperability problems. Ironically, this application could be a security program or a Windows Service Pack that makes significant modifications to your existing OS configuration, which may in turn cause other problems. Backing up is also a sensible precaution for users who like to experiment with advanced system settings, such as manually tweaking registry entries and testing different system drivers or services.</li>
<li><em>When you experience, foresee, or want to preempt hardware malfunctions</em>. A number of indicators can suggest that your hardware is failing, such as system instability, overheating, or a degrading hard drive. Hard drive problems really need an article of their own, but for now here are a few warning signs to be aware of. When a hard drive is nearing the end of its life, Windows starts to report read or write errors, or the drive’s SMART self-diagnostics warn of impending failure and recommend that you promptly copy your data somewhere safe. Backing up is also advisable if you don’t use a UPS (uninterruptible power supply), as a power surge can damage your hard disk or motherboard beyond repair. A future malfunction is hard to predict, but not impossible. Experienced users know the warning signs; for everyone else, here’s some advice: the older your system is, the more likely it is to fail for lack of proper servicing or care, and if it is kept in a dusty, humid or hot environment the likelihood of failure is higher still. It’s a good idea to run a free-to-try diagnostics utility such as SiSoftware’s <a href="http://www.sisoftware.net/index.html?dir=dload&amp;location=sware_dl_3264&amp;langx=en&amp;a=">Sandra</a> or Lavalys’ <a href="http://www.lavalys.com/products/download.php?ps=UE&amp;lang=en">Everest</a> from time to time, as these tools can help predict hardware failures.</li>
<li><em>When you want to mitigate the impact of viruses and other malware</em> that may get past your defenses. Beyond their primary mission of stealing information, malware can be more directly destructive: damaging system configuration settings, corrupting files, and blocking or diverting network connections. As we’ve said many times in Security Insight, security software is only one layer in the effort to safeguard your data, and no security solution can keep you safe from every threat. Restoring from a backup is often a more reliable way to recover a system after a malware infection than relying on antivirus cleanup, provided the backup predates the infection; a backup taken after the machine was compromised will simply restore the malware along with your data, so keep several generations rather than one constantly overwritten copy.</li>
<li><em>When you use your computer on the go</em> and are concerned about the integrity or safety of your data. If you lose your laptop or it ends up in the water, a backup of your important data will save the day.</li>
<li><em>When you are the unofficial tech support person for your friends and relatives.</em> If anything goes wrong with one of their machines, you can simply roll it back to the last backup.</li>
<li><em>When you plan to move to a new PC.</em> Save all your files and restore them on the new machine. Remember, however, that if the hardware of the new PC differs significantly from the old one, restoring the operating system and all installed programs from an image will generally not work, because the different hardware requires different drivers and settings.</li>
</ul>
<h2>What can be backed up</h2>
<p>When you  select items to back up, consider what is important to you. Essentially, the  following can be backed up:</p>
<ul>
<li>Individual files and folders (documents, photos, music, etc.). With your backup software, simply designate the items you want backed up and it will save them automatically. Don’t forget to update your backups regularly to take care of new files and changed originals.</li>
<li>Local and remote storage, including logical disks (partitions) and physical disks. In addition to individual files, your backup system can save the entire contents of selected hard drives and later restore them to a new or the old destination.</li>
<li>Removable storage, such as USB flash drives, DVDs and other external devices.</li>
<li>Your operating system and its settings, including all installed software. You can save the state of your operating system and then revert to the last image point when needed.</li>
</ul>
<h2>How it works</h2>
<p>Modern backup software is relatively easy and straightforward to use. Generally, after you’ve installed it, you select the locations you intend to back up, specify where the copies will be stored, and press OK. Once the backups exist, you can restore from them when needed. Your first backup should always be a full copy of the original location; subsequent backups are usually incremental, saving only content that is new or changed since the last backup, which saves both time and storage space. The trade-off is that a restore must replay the full backup plus every incremental taken since, so a lost or corrupted intermediate set breaks the chain.</p>
<p>Later backups can be run on demand (you ask the program to perform a backup when you want one) or on a schedule, at regular intervals configured in the backup program. Some programs also offer event-triggered backups, which run when a certain condition, such as prolonged idle time or a power problem, is detected.</p>
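<p>As an added illustration of the full-then-incremental scheme just described (example code written for this page, not taken from the article or from any backup product), the following Python script detects changes by content hash rather than by timestamp, records deletions so a restore does not resurrect removed files, replays the sets in order, and verifies the restored tree against the last manifest. The directory layout, the set naming and the JSON manifest format are assumptions made for the example, and the sample files are constructed in a temporary directory.</p>

```python
"""Full plus incremental backup with a hash manifest (added example; not the
page's or any product's code). The first run copies everything; later runs
copy only files whose contents changed and record deletions; restore replays
the sets in order and verifies the result. All paths here are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(src):
    """Map relative path -> sha256 for every file under src."""
    manifest = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src)] = sha256_of(full)
    return manifest


def backup(src, dest_root, previous_manifest=None):
    """Write one backup set under dest_root; return (set_dir, manifest).

    No previous manifest means a full backup. Otherwise only files whose
    hash differs are copied, and vanished files are listed as deleted.
    """
    current = scan(src)
    previous = previous_manifest or {}
    changed = sorted(rel for rel, h in current.items() if previous.get(rel) != h)
    deleted = sorted(set(previous) - set(current))
    set_dir = os.path.join(dest_root, "set-%03d" % len(os.listdir(dest_root)))
    os.makedirs(set_dir)
    for rel in changed:
        target = os.path.join(set_dir, "data", rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    with open(os.path.join(set_dir, "manifest.json"), "w") as f:
        json.dump({"files": current, "copied": changed, "deleted": deleted}, f)
    return set_dir, current


def restore(dest_root, target):
    """Replay every backup set in order, then verify against the last manifest."""
    expected = {}
    for name in sorted(os.listdir(dest_root)):
        set_dir = os.path.join(dest_root, name)
        with open(os.path.join(set_dir, "manifest.json")) as f:
            meta = json.load(f)
        for rel in meta["copied"]:
            out = os.path.join(target, rel)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            shutil.copy2(os.path.join(set_dir, "data", rel), out)
        for rel in meta["deleted"]:
            path = os.path.join(target, rel)
            if os.path.exists(path):
                os.remove(path)
        expected = meta["files"]
    # A restore that does not match its manifest is not a usable backup.
    restored = scan(target)
    if restored != expected:
        raise RuntimeError("restored tree does not match the backup manifest")
    return restored


def demo():
    """Constructed scenario: full backup, edit/add/delete, incremental, restore.

    Returns (files the incremental copied, files it marked deleted, restore ok).
    """
    work = tempfile.mkdtemp()
    try:
        src, dest, out = (os.path.join(work, d) for d in ("src", "backups", "restored"))
        os.makedirs(os.path.join(src, "docs"))
        os.makedirs(dest)
        with open(os.path.join(src, "docs", "a.txt"), "w") as f:
            f.write("first draft")
        with open(os.path.join(src, "b.bin"), "wb") as f:
            f.write(b"\x00" * 1024)
        _, first = backup(src, dest)                # full set: both files copied
        with open(os.path.join(src, "docs", "a.txt"), "w") as f:
            f.write("second draft")                 # changed
        with open(os.path.join(src, "c.txt"), "w") as f:
            f.write("new file")                     # added
        os.remove(os.path.join(src, "b.bin"))       # deleted
        set_dir, final = backup(src, dest, first)   # incremental set
        with open(os.path.join(set_dir, "manifest.json")) as f:
            meta = json.load(f)
        return meta["copied"], meta["deleted"], restore(dest, out) == final
    finally:
        shutil.rmtree(work)
```

<p>The verification step at the end of <code>restore()</code> is the part most people skip: a backup that has never been restored and checked against its manifest has not been shown to work. Hashing by content also means that merely touching a file’s timestamp does not trigger a fresh copy.</p>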
<h2>Backup storage</h2>
<p>When you back up your data, you save it to a specific destination. Usually this is a large compressed file on a local device, either a removable hard drive or a high-capacity memory card. The backup location can be customized, and it is very important that the place where you store your backup copy is itself secure: if your primary data source fails, you need to be sure you can still access and use the backup. Keeping the backup media in a safe, dry place, disconnected from the computer and from the mains, will keep it in good shape and available in an emergency. It’s not a good idea to keep your backup copy on your primary hard drive or on an old CD-ROM, because these are exposed to the same disasters as your main storage.<br />You can also back up to remote storage or use one of the free or commercial online backup services. Bear in mind that storing your data at somebody else’s facilities has advantages and drawbacks. The advantages are:</p>
<ul>
<li>Your backup is not affected by local events, such as power surges, lightning, fire, flooding, earthquakes and other natural disasters.</li>
<li>Storing your data with a credible organization that has expertise in data storage and continuity operations is generally reliable. Such organizations usually run fault-tolerant systems with multiple backups that should ensure your data stays safe.</li>
</ul>
<p>Disadvantages are:</p>
<ul type="disc">
<li>You have to trust the organization where you store your data to maintain its confidentiality.</li>
<li>Uploading your saved data, and later downloading it to restore from, requires a lot of bandwidth, so your ISP account should allow for unlimited data and high throughput.</li>
<li>Your data is also at risk while in transit. The risk is small, but it could be intercepted by third parties, so check what precautions your provider takes. Ideally the data is encrypted on your own machine before upload, with a key that only you hold, so that neither an eavesdropper nor the provider can read it.</li>
<li>Managing remote backups may not be as simple as local ones, and they don’t always give you the full benefits of a local backup. As an extreme case, you cannot restore a remote backup if your computer is so damaged that it cannot boot the OS: you would have to use another computer to connect to the internet, download the required image and initiate the restoration. In contrast, local backup software usually offers to create a bootable CD that starts the restore when your computer cannot be started normally. You simply insert the CD, connect the device on which you keep your backup, and your hard disk is restored in an hour or so.</li>
</ul>
<h2>Forms of backup</h2>
<p>The following forms of backup exist:</p>
<ul>
<li>Disk cloning, where your entire physical drive is copied onto another hard drive. If anything happens to the original drive, you simply connect the clone to your PC and boot from it. The clone is an exact copy of the original, with all the files and documents that existed on it at the moment of cloning. If the two disks differ in size, your partitions (logical disks such as C:, D:, etc.) can be shrunk or expanded proportionally. Remember that a clone is only guaranteed to boot in the same computer configuration it was taken from.</li>
<li>Image or archive files, where all backup data is compressed and stored in a single file. Compression saves space, and the file can be password-protected so that other people can’t view its contents. Check that the tool actually encrypts the archive rather than merely gating access behind a password prompt; only encryption protects the data if the file itself is copied.</li>
<li>Restore points selected within your backup software. Restore points are listed by the date a backup was made, and if anything happens to your PC you can revert to the most recent one from within the program interface.</li>
</ul>
<h2>Different flavors of  backup solutions</h2>
<p>Computer backup solutions exist in both software and hardware forms. Hardware systems are usually automated, always-connected devices that copy the contents of the primary hard drive to built-in magnetic tape or a hard drive. A mirrored RAID array (RAID 1) is two internal hard drives running in parallel, where the second drive automatically receives everything written to the first, on the fly. If the primary drive fails, the contents can be recovered from the second drive. Effective against HDD hardware failure, RAID arrays are of no use when a virus damages your main system, because the same changes are instantly duplicated to the second drive; the same goes for an accidental deletion or a corrupted file. RAID is redundancy, not backup. RAID systems are relatively easy and inexpensive to deploy, but require a degree of expertise during initial configuration.</p>
<p>Backup functionality is present in many of today’s software applications, from security suites such as Norton 360 to OS-bundled software such as Apple’s Time Machine and Windows’ Backup or Restore Wizard. These programs usually offer less functionality than dedicated, specialized backup tools such as Acronis True Image, but they perform basic backup tasks and are quite sufficient for many people.</p>
<h2>Conclusion</h2>
<p>Backing up  your system is a very good habit to develop. It will save you a lot of hassle  and stress in case a system malfunction or virus infection occurs. There you  have it, folks – I hope you found this article informative and useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2009/01/19/data-backup-essentials/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>All you need to know about security leak tests</title>
		<link>http://www.securityteacher.com/2008/10/29/all-you-need-to-know-about-security-leak-tests/</link>
		<comments>http://www.securityteacher.com/2008/10/29/all-you-need-to-know-about-security-leak-tests/#comments</comments>
		<pubDate>Wed, 29 Oct 2008 12:09:07 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/?p=204</guid>
		<description><![CDATA[Foreword
The term leak test, or leaktest, has become a popular buzzword among the security cognoscenti in the last couple of years. It’s in the news, it’s in the comparison charts, but what does it really mean? Why should regular PC users be concerned with leaktests and their implications in their day-to-day computer activity? How do [...]]]></description>
			<content:encoded><![CDATA[<h2>Foreword</h2>
<p>The term leak test, or leaktest, has become a popular buzzword among the security cognoscenti in the last couple of years. It’s in the news, it’s in the comparison charts, but what does it really mean? Why should regular PC users be concerned with leaktests and their implications in their day-to-day computer activity? How do leaktest results help you when it comes to choosing a robust security product?</p>
<p>These are just a few of the questions this article aims to answer. After reading this material, you’ll have all the information you need to understand leak tests and interpret their results.</p>
<h2>What is a leaktest?</h2>
<p>A leaktest is a tool, or a set of procedures, that attempts to determine whether a security product can prevent unauthorized outbound transmission of data, the kind of transmission used to steal or compromise your personal information. As the name implies, leaktests find out whether a product reliably protects your data against accidental or deliberate leakage through its security barriers, a function often called data leak prevention.</p>
<p>Leaktests have been in existence since the appearance of the first personal firewall products more than five years ago, and their main objective has been to test the firewall’s ability to prevent unwanted applications from “phoning home” or otherwise communicating data across the Internet without the user’s consent. Leaktests have recently evolved into a broader category that includes tests using the simulated termination of a security product’s operation, controlling advanced program interactions, and other complex technologies that hackers might use to target personal information stored on users’ PCs.</p>
<p>If a product passes a certain leaktest, it means that the product has successfully blocked a would-be attack that’s based on a specific intrusion technique. There are many techniques known to be in use by hackers, and a robust security program should be ready to detect and rebuff all of them. New techniques are constantly being created by miscreants to get hold of personal data, so vendors of security products are constantly developing countermeasures to ensure their customers are properly protected. </p>
<p>When Windows XP came out in 2001, a number of malicious programs, like Trojans and spyware, already existed that could easily steal valuable user data such as login credentials or credit card information and transfer them to unauthorized third parties. In an effort to stop these breaches, security firms came up with firewall solutions that would block network activity initiated by malevolent applications by denying them outbound network access. To test firewalls’ performance, security professionals developed special tools that emulated attacks; these tools checked if the firewall was able to block such attacks from connecting by asking users to decide whether the activity should be permitted. These first leaktests were quite primitive, but they managed to expose significant deficiencies in certain firewall products. </p>
<p>The first leaktests used simple methods such as file name spoofing, or running a trusted application with extra parameters that instructed it to send a text string to a target location, the goal being to make the firewall see the transfer as a trusted application acting on its own behalf and allow it. The earliest well-known leaktest was Steve Gibson’s LeakTest from GRC, which simulated an attack in which a malicious application renames itself to Internet Explorer (a legitimate Internet-enabled application) and checks whether the firewall detects the substitution.</p>
<p>Much has changed since those days, and today’s leaktests are way more sophisticated, using advanced interaction mechanisms and network properties to simulate the data mining capabilities typical of today’s malware.</p>
<p>Leaktests examine the proactive protection capabilities of security solutions, checking how they respond to a particular intrusion technique, or attack vector. This is very different from the process used to examine antivirus solutions, where tests are used to determine whether a solution is resistant to a specific malware sample.</p>
<h2>Techniques employed by leaktests</h2>
<p>Leaktests are too varied to fall into convenient classifications, and most are based on different techniques for testing security products. These techniques are constantly evolving and improving, and the more leaktests exist, the more rigorously security solutions are tested.</p>
<p>To generalize, leaktests will try to emulate one of the following techniques:</p>
<ul>
<li>Impersonating a legitimate application installed on the computer, or leveraging its access credentials, to send information to the Internet (e.g. spoofing, launching a trusted application with special parameters)</li>
<li>Interacting with a legitimate application using built-in Windows mechanisms such as OLE Automation or DDE requests</li>
<li>Modifying running applications in memory or attaching malicious components to benign applications: for example, component injection, direct memory patching, creation of malicious threads</li>
<li>Using trusted network services and protocols to send unauthorized data in the hope that the firewall will miss the unconventional activity; examples include bogus DNS requests, abuse of the BITS service, or lax ICMP filtering</li>
<li>Installing a new network adapter driver through which to route data</li>
<li>Disrupting or disabling the protective functions of an installed security application</li>
<li>Initiating system shutdown to check whether the firewall keeps monitoring untrusted processes through to completion</li>
<li>Intercepting keystrokes</li>
</ul>
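<p>The filename-spoofing leaktest described earlier, and the first technique in the list above, can be illustrated with a small model (added example, not code from the article, from GRC’s LeakTest or from any firewall product). It contrasts two outbound-policy implementations: one keyed on the executable’s path, as early personal firewalls were, and one that also pins a SHA-256 hash of the file’s contents when the user first allows it. The file names, the rule store and the verdict values are assumptions made for the example; the “binaries” are constructed byte strings in a temporary directory.</p>

```python
"""Trust-by-name versus trust-by-content for outbound firewall rules
(added example; not code from the article, from GRC's LeakTest or from
any firewall product). A rule keyed on the executable's path lets an
impostor through once it takes the trusted file's name; a rule that also
pins a hash of the file's bytes does not. All files here are constructed.
"""
import hashlib
import os
import shutil
import tempfile

ALLOW, PROMPT = "allow", "prompt"     # verdict values (assumed for the example)


def file_hash(path):
    """SHA-256 of the executable's bytes: the identity the content policy pins."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def rule_key(path):
    """Normalised absolute path, the identity the name policy relies on."""
    return os.path.normcase(os.path.abspath(path))


class NameKeyedPolicy:
    """Rule keyed on the executable's path only, as early personal firewalls did."""

    def __init__(self):
        self.rules = {}

    def trust(self, path):
        self.rules[rule_key(path)] = ALLOW

    def decide(self, path):
        return self.rules.get(rule_key(path), PROMPT)


class HashKeyedPolicy:
    """Rule keyed on the path plus the file's hash at the time the rule was made."""

    def __init__(self):
        self.rules = {}

    def trust(self, path):
        self.rules[rule_key(path)] = (file_hash(path), ALLOW)

    def decide(self, path):
        entry = self.rules.get(rule_key(path))
        if entry is None:
            return PROMPT                      # unknown program: ask the user
        expected_hash, verdict = entry
        if file_hash(path) != expected_hash:
            return PROMPT                      # same name, different program: ask again
        return verdict


def run_leaktest(policy_cls):
    """Constructed scenario: trust the 'browser', then let an impostor take its name.

    Returns (verdict before spoofing, verdict after spoofing).
    """
    work = tempfile.mkdtemp()
    try:
        browser = os.path.join(work, "iexplore.exe")   # assumed trusted app name
        impostor = os.path.join(work, "leaktest.exe")  # assumed impostor name
        with open(browser, "wb") as f:
            f.write(b"MZ legitimate browser bytes")     # constructed stand-in
        with open(impostor, "wb") as f:
            f.write(b"MZ data-exfiltration payload")    # constructed stand-in
        policy = policy_cls()
        policy.trust(browser)                  # user clicked "allow" for the browser once
        before = policy.decide(browser)
        # File name spoofing: the impostor renames itself to the trusted name.
        os.replace(impostor, browser)
        after = policy.decide(browser)
        return before, after
    finally:
        shutil.rmtree(work)


def passes_leaktest(policy_cls):
    """A policy passes if the impostor does not inherit the browser's ALLOW."""
    before, after = run_leaktest(policy_cls)
    return before == ALLOW and after != ALLOW
```

<p>The hash-keyed policy answers with a prompt rather than a flat deny when the contents change, because legitimate applications are updated too and the product cannot tell an update from a substitution on its own; that is the re-prompting burden discussed below under the alerts trade-off, and the reason vendors turned to online databases of known applications.</p>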
<h2>Synopsis: program interactivity</h2>
<p>The majority of leaktests were designed for Windows XP, which, unlike Vista, does not restrict a program running with Administrator privileges from interacting with other installed programs or performing any other activity in the list above. This creates the potential for exploitation, as a malicious program can piggy-back on a trusted, legitimate program to carry out its attack. Gone are the days when malware attempted to send out stolen data itself; now it uses a legitimate application’s network permissions with the firewall to transmit the data. Security solutions therefore need not only to detect malicious programs, but to monitor the integrity of legitimate applications and their use of network resources, to catch the advanced leak techniques malware uses.</p>
<h2>Tradeoff: wordy alerts versus looser control</h2>
<p>Thousands of internal interactions occur on a PC every hour. Of course, only a fraction of these are malicious. So if the firewall monitors and prompts the user about each operation, the user will be bombarded with alerts, making it impossible to do anything productive on the computer. To address this, security vendors have implemented a mechanism that “memorizes” a user’s response to a particular event so that, the next time the event occurs, the previous answer is used to handle it and no alert is displayed. Additionally, vendors of leading security solutions such as Outpost Security Suite Pro, Kaspersky Internet Security and Comodo Firewall use online databases to assign permissions to the majority of Windows applications automatically, so the decisions are made in the background without interrupting the user’s normal PC use. Windows Vista, with its new User Account Control (UAC), has made significant progress in stemming unauthorized activity. It does this by running with reduced privileges until the user approves a particular operation in the UAC’s foreground prompt. Unfortunately those answers cannot be remembered, so the alert windows keep appearing, frustrating the user once more.</p>
<p>Other vendors, such as Symantec and ESET, have chosen to control fewer events on the user’s computer, reducing the number of prompts displayed to the user. The downside of this approach is that the level of monitoring is reduced, resulting in less control over activities and the potential that some techniques actively used in malware could bypass the protection. It’s no wonder, then, that these solutions fare quite poorly in group tests. Time will show who has the better approach, but considering that malware is becoming more sophisticated, an effective security solution really needs to control the maximum number of events on a computer while requiring less user interaction.</p>
<h2>Leaktest usage</h2>
<p>Leaktests are benign applications designed to verify whether a firewall can prevent an attack that uses a given technique to steal data. They can be downloaded from the Internet and executed on a user’s machine; treat them like any other executable, obtain them from the testing organization’s own site, and preferably run them on a test machine or virtual machine, since they deliberately exercise the same mechanisms real malware uses. If the security solution displays an alert when the test is run, it has detected the leaktest’s activity and would most likely be able to deter real-world attacks based on the same technique.</p>
<p>Although successfully passing a leaktest doesn’t always mean the security solution is bullet-proof, it essentially means that it will do its best to protect a user in case a real attack strikes.</p>
<h2>Interpretation of results</h2>
<p>There are specialist organizations that carry out leak testing, the most active of which are <a href="http://www.matousec.com/" target="_blank">Matousec Transparent Security</a> and <a href="http://www.firewallleaktester.com/">Firewall Leak Tester</a>. They have vast information resources and update their leaktesting results whenever new security products come out or updated leaktests are released. As a rule of thumb, the closer a security program comes to an absolute pass score of 100 percent, the more resistant it is to malware that uses these techniques.</p>
<h2>Leaktests versus other testing mechanisms</h2>
<p>As noted earlier, leaktests test how well a security solution is equipped to combat malware that uses different intrusion techniques to bypass outbound protection. Leaktests are technique-centric, as opposed to virus testing, which is largely signature-oriented. Leaktests verify the potential of a solution to deter unknown attacks without the use of a particular threat signature.</p>
<h2>The benefits of leaktests</h2>
<p>It is hard to overestimate the contribution leaktests make to the security community. Leaktests are the primary technique for testing whether a security product can keep unknown malware at bay by restricting its activity within the software environment of a PC. Leaktests also have practical value to the end user: many product reviews are complemented by leaktest results, which give you a good indication of how well a security product can keep you safe from today’s widespread, as-yet-unknown threats.</p>
<h2>Conclusion</h2>
<p>We hope this article has shed some light on the concept of leaktests and their relevance in testing the ability of a security product to prevent unauthorized outbound data leakage. Leaktests serve as a practical and effective tool in measuring the quality and scope of protection against the kinds of advanced breaches that are used to carry out actual attacks. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/10/29/all-you-need-to-know-about-security-leak-tests/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Debunking common security myths</title>
		<link>http://www.securityteacher.com/2008/09/15/debunking-common-security-myths/</link>
		<comments>http://www.securityteacher.com/2008/09/15/debunking-common-security-myths/#comments</comments>
		<pubDate>Mon, 15 Sep 2008 14:44:25 +0000</pubDate>
		<dc:creator>emelyanova</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/?p=201</guid>
		<description><![CDATA[Introduction
Over the summer, I started thinking about why people think about security the way they do, and what might be causing people to make elementary mistakes when securing their computers. I&#8217;m not talking about the choice of products or the measures they take to keep their computers secure, but rather  what is fundamentally flawed [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>Over the summer, I started thinking about why people think about security the way they do, and what might be causing people to make elementary mistakes when securing their computers. I&#8217;m not talking about the choice of products or the measures they take to keep their computers secure, but rather what is fundamentally flawed in the way they think about security. As I found out during conversations with people as I travelled around Europe, most users&#8217; security knowledge is far from what I, as a so-called &#8216;security expert&#8217;, might consider adequate. As I delved deeper into the subject, I discovered that quite a large number of users have completely wrong ideas and misconceptions about how to tackle security issues. These conversations prompted me to write this article in an attempt to correct the most common myths and misconceptions.</p>
<h2>Myth #1: <br />I will be perfectly safe if I get the best security software and keep it up-to-date &#8211; that&#8217;s all I need to do</h2>
<p>It&#8217;s true that using reliable software to shore up your computer&#8217;s defenses is vital, but before that comes careful and intelligent use of your computer to prevent security incidents in the first place. It is a truism that the weakest element in the security chain is the computer user. In my view, relying on security software alone is like relying on a car&#8217;s crash test results to ensure you&#8217;ll be unscathed after a major wreck. We would all agree that it&#8217;s better to drive safely, wear a seatbelt, and obey the speed limit. The same applies to security: you need all the safety systems, but if you don&#8217;t adhere to basic standards of safe conduct, you put your computer at unnecessary risk. So think before you open unknown files or email attachments, or react to spam and phishing attempts &#8211; these are most likely designed to undermine your security. Also, don&#8217;t forget to install the latest Windows and program updates to protect yourself from known vulnerabilities in vendors&#8217; products. Remember, no matter how strong your preferred security program is, it will have at least one of the following weaknesses:</p>
<ol>
<li>Your anti-virus can&#8217;t recognize every virus in existence and is consequently not equipped to provide complete protection. Several factors contribute to this, including reliance on virus signatures and on heuristics-based detection, which struggles with ever-changing virus behaviors.</li>
<li>Your firewall or HIPS may have one or more of the following weaknesses. Both may react to a security incident with a delay. Both can sometimes miss an unwanted or illegitimate operation, simply because no solution can detect every possible type of system or network operation. Leak tests, however theoretical their scenarios might be, serve as a good (but not perfect) indicator of a solution&#8217;s protective thoroughness. These systems may also fail to activate when they are most needed: when a new attack strikes.<br />Rootkits and system interceptors that remain invisible to the operating system and to most security programs can hide the presence of a malware payload. Rootkits are increasingly used by attackers to mask malware operations such as spam, botnets and Denial of Service (DoS) attacks.</li>
<li>Security software sometimes interferes with the normal operation of a PC, hurts its performance, or displays alerts and action prompts that a normal person finds confusing to respond to. It can also block WiFi connectivity or report false positives that lead to a legitimate file being deleted.</li>
<li>Some security programs require that, once a machine is infected, the changes made by malware be undone manually &#8211; a task beyond the ability of most normal computer users.</li>
<li>Your security program turns out not to be the trusted software you thought it was, but a rogue program that only advertises a promise to protect.</li>
<li>Antispam and antiphishing solutions produce a high number of false positives, and phishing sites are so short-lived that, by the time a security company issues an update to block the domain, the site has already harvested its share of stolen IDs and financial data and moved on.</li>
</ol>
<h2>Myth #2:<br />Why would I be hacked? I&#8217;m small fry, I&#8217;m not interesting to hackers</h2>
<p>People do a lot of different things on the Internet, and sometimes they expose personal data. An average internet user is vulnerable to these kinds of threats:</p>
<ul>
<li>Theft of personal or financial data. We shop, we enter our credit card numbers and other personal details. This creates risk, and the data can be abused if you&#8217;re using an unprotected PC. A keylogger could be silently monitoring your keystrokes and capturing everything that you type on your PC; later, it will send this information to the hacker who planted it. If you shop and the connection (i.e. the web browser traffic) is not encrypted, everything that you send over the Internet can be copied and used without your knowledge. Your log-in passwords, email and social network accounts can be hijacked in the same way. Using both known and new techniques, a sophisticated hacker can eavesdrop on your Internet sessions using a &quot;man-in-the-middle&quot; attack to intercept and later exploit the captured data. To protect yourself from such threats, it&#8217;s vital that you use a robust firewall and ensure traffic is sent over an encrypted connection (HTTPS), checking the browser&#8217;s padlock indicator before entering card details.</li>
</ul>
<p>And that&#8217;s not all.</p>
<ul>
<li>Botnet infections, where the victim&#8217;s computer and Internet bandwidth are hijacked and used to harm other Internet users. Botnets are responsible for spewing out spam or phishing attacks that appear to come from the victim&#8217;s computer, and may also be used to conduct distributed Denial of Service attacks that knock a legitimate organization&#8217;s website offline.</li>
<li>Hackers are always on the lookout for a vulnerable PC on the network. Once found, these PCs are earmarked for later use for nefarious purposes. By using special tools to probe for exploitable machines, a hacker doesn&#8217;t target a specific host, but rather, thousands of poorly protected computers that can be amassed in a matter of minutes.</li>
</ul>
<h2>Myth #3:<br />My company uses a gateway firewall, so I have nothing to worry about</h2>
<p>Gateway firewalls, if properly configured, provide solid perimeter protection for your company. Malicious inbound traffic will be blocked and hackers probably will not be able to break into your PC from outside. But most gateway firewalls permit outbound connections, so malware that is already on your computer can still send passwords, financial data stored on the hard drive and other critical resources out to an attacker. Plus, being protected from outside doesn&#8217;t necessarily mean you&#8217;re safe from hackers inside your company&#8217;s borders. You could be inadvertently attacked by a colleague who&#8217;s become a victim of, say, an Internet worm that spreads by sending itself to all contacts listed in someone&#8217;s address book.</p>
<h2>Myth #4:<br />I only visit &quot;good&quot; places on the web, I never visit objectionable or adult sites. So I am safe from threats that spread over the Internet</h2>
<p>If you&#8217;re being truthful, I&#8217;d say you&#8217;re in a low-risk group. However, there are some things to keep in mind as you surf around legitimate websites:</p>
<ul>
<li>Sections of legitimate sites can be hijacked as easily as adult sites, and malicious content placed on them temporarily until the problem is detected by the site&#8217;s operators. This happened to the Bank of India&#8217;s website not too long ago. Additionally, legitimate sites often embed Flash content and JavaScript, and a compromised or malicious script of this kind can exploit vulnerabilities in your browser or its plugins to install a backdoor on your computer. And last but not least, cross-site scripting (XSS) vulnerabilities may be employed by attackers to capture your logon session. You can read about XSS in greater detail <a href="http://www.securityteacher.com/2008/07/23/cross-site-scripting-%E2%80%93-the-web%E2%80%99s-lurking-danger/">here</a>.</li>
</ul>
<h2>Myth #5:<br />If I connect to a credible WiFi provider like British Telecom at the airport, my Internet connection is protected</h2>
<p>We&#8217;ve covered the secure use of WiFi extensively in other <a href="http://www.securityteacher.com/2007/06/15/wifi-security-basics/">articles</a>, but it seems the message still has not fully got through to people. If you use an unencrypted wireless signal, regardless of the network provider, even a novice intruder can easily read what you send or receive over the network, so never send anything confidential over a public WiFi connection unless the application itself encrypts it (HTTPS or a VPN).</p>
<h2>Conclusion</h2>
<p>Well, I hope this &quot;back to school&quot; article has served to remind you that, whatever protection you have on your machine, security still begins and ends with not taking unnecessary risks while you&#8217;re online. It&#8217;s a lesson every Internet user needs to learn.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/09/15/debunking-common-security-myths/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Cross Site Scripting – the Web’s lurking danger</title>
		<link>http://www.securityteacher.com/2008/07/23/cross-site-scripting-%e2%80%93-the-web%e2%80%99s-lurking-danger/</link>
		<comments>http://www.securityteacher.com/2008/07/23/cross-site-scripting-%e2%80%93-the-web%e2%80%99s-lurking-danger/#comments</comments>
		<pubDate>Wed, 23 Jul 2008 12:31:55 +0000</pubDate>
		<dc:creator>emelyanova</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/?p=102</guid>
		<description><![CDATA[Introduction
There are some areas of computer security over which a user has almost no control; from involuntary exposure to software vulnerability exploits to hijacked DNS servers that divert visitors to infective locations, there is little that a user alone can do to avoid becoming a victim.
These challenges &#8211; as well as a multitude of others [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>There are some areas of computer security over which a user has almost no control; from involuntary exposure to software vulnerability <a href="http://www.securityteacher.com/2008/05/30/exploits/">exploits</a> to hijacked DNS servers that divert visitors to infective locations, there is little that a user alone can do to avoid becoming a victim.</p>
<p>These challenges &#8211; as well as a multitude of others &#8211; require action by software vendors to design less vulnerable products and by responsible authorities to deploy an Internet infrastructure that’s less vulnerable to abuse &#8211; or at least enable fast mitigation when flaws are found. </p>
<p>The same principle can be applied to cross site scripting attacks. This type of web compromise cannot be solved by individual Web users alone but should be the responsibility of web application and <a href="http://www.securityteacher.com/2008/04/15/browser/">browser</a> developers. However, it appears this level of prevention won’t be available for some time, so it’s important to recognize the impact of cross site scripting vulnerabilities and minimize inadvertent exposure wherever possible. That’s the topic of this article.</p>
<h2>What is cross-site scripting?</h2>
<p>A script is a set of commands, usually JavaScript, that the browser interprets and runs on the user’s computer (server-side scripts run on the web server instead). Cross-site scripting (XSS) vulnerabilities occur when script supplied by an attacker is delivered to a victim’s browser as part of another website’s page, so that it runs with that site’s privileges; the browser cannot tell the injected script from the site’s own, hence the term “cross-site”. Unlike many other types of attack, the perpetrators of cross-site scripting attacks use vulnerable servers as an intermediary to stage attacks on visitors to those sites; they do this by getting the user’s browser to run script that the vulnerable site has reflected or stored.</p>
<p>XSS vulnerabilities first appeared at the turn of the century, when a number of security experts reported concerns over the potential use of JavaScript code with malicious intent in a cross-boundary attack.</p>
<p>In an XSS attack, once the script is executing in the user’s browser, it can issue requests and control the behavior of the target page in such a way that it appears the user is performing these actions himself. The script may be delivered once, via a crafted link, or lie dormant on the web server, attacking other users as they access the page.</p>
<p>The problem with XSS is so significant because the script acts inside the victim’s authenticated web session while the attack is carried out in the background, leaving little trace and thus making it hard to detect.</p>
<p>For an XSS attack to succeed, the target site must include user-supplied data in a page without proper validation and output encoding, whether in server-side code or in client-side script. Browser flaws that fail to enforce the separation between sites can make matters worse but are not required. Social engineering is also widely used to lure victims into clicking the link containing the malicious script.</p>
<p>To give an idea of the scale of the problem, it is estimated that more than half of all websites today have XSS holes, and XSS flaws account for more than 80 percent of all documented web vulnerabilities. Almost every well-known web portal has been compromised by XSS attacks at some time &#8211; the likes of Google, MSN, Facebook and other prominent sites have experienced XSS exploits first-hand.</p>
<h2>Different types of XSS</h2>
<p>There are currently three types of cross-site scripting vulnerabilities:</p>
<ul>
<li><strong>Local (DOM-based), or Type 0, XSS</strong>, where the problem exists in the client-side script of a web page, which writes data taken from the URL or another untrusted source into the page without checking it. To exploit the vulnerability, an attacker constructs a link to such a page with malicious JavaScript code in it and sends it to potential victims (via email, IM, etc.). Once the link has been clicked, the page’s own script inserts the attacker’s code and the browser runs it. In the original “local” variant, the vulnerable page is an HTML file stored on the user’s computer, so the injected script runs in the browser’s local zone with the current user’s privileges (most users log on as Administrators), and an attacker can gain access to the victim’s local computer, including viewing files and other sensitive data.</li>
<li><strong>Non-persistent (reflected), or Type 1, XSS</strong> is the most common, and involves server-side scripts that do not sufficiently validate user input. The attacker sends the victim a link to the vulnerable site with the malicious script embedded in a parameter; the server echoes that parameter back in its response, and the victim’s browser runs it. If the user is logged on to the site at the time, the script hijacks the user’s session and controls the page the user is currently on. This type of compromise affects only the users who follow the crafted link, in the current browser session.</li>
<li><strong>Persistent (stored), or Type 2, XSS</strong> is the most blatant and dangerous vulnerability because it can affect many users without much social engineering. It arises when a legitimate server stores the attacker’s script (for example in a forum post, comment or profile field) and later serves that code to every visitor’s browser. The flaw is again in the server-side code, but the payload can remain in place for a long time, so it reaches a much greater number of users.</li>
</ul>
<h2>What the perpetrators are after</h2>
<p>Most attacks target session <a href="http://www.securityteacher.com/2008/02/28/cookies-appetizing-or-not/">cookies</a> – small pieces of data that web sites store in the browser. Cookies are the usual mechanism by which a site recognizes a logged-in user, so once the perpetrators get hold of your session cookie, they can impersonate you and act on your behalf. The cookie is sent to the attacker by commands in the script (typically by reading document.cookie and requesting an attacker-controlled URL with its value). Sites can blunt this particular theft by marking the session cookie HttpOnly, which keeps it out of reach of script, although that does not stop the script from making requests in the user’s name.</p>
<h2>What victims can lose</h2>
<p>As a result of successful exploitation of an XSS hole, victims may lose important data and be exposed to ID theft. Once your session has been hijacked, the “script masters” can perform any activity that a legitimate owner of the compromised account can do &#8211; read and delete emails, perform financial transactions and credit payments, create postings on social networking sites &#8211; just about anything the legitimate user is authorized to do.</p>
<h2>What makes XSS attacks possible?</h2>
<p>XSS attacks happen for two reasons: sloppy programming and haphazardly-built website engines that do not filter user input or encode their output. Either can let a malicious user place a piece of JavaScript code in, for instance, a search field; the server returns a results page that repeats the original search query verbatim, and the browser interprets the embedded code as part of the page. So it’s important that web developers validate user input and, above all, encode it on output, turning the characters that are special in HTML (such as &lt;, &gt;, &amp; and quotes) into their entity equivalents so that the browser shows them as plain text rather than executing them as markup or script.</p>
<p>Another contributing factor to XSS vulnerability is the use of outdated web browsers that don’t apply the necessary security policies when processing (parsing) code coming from different sources.</p>
<h2>How can users protect themselves?</h2>
<p>While developers carry much of the blame for the majority of XSS attacks, there is still something a web user can do to minimize vulnerability. The key element is preventing script from untrusted websites from running in the browser. Internet Explorer users can do this by raising the security slider to “High” in the Security tab, which restricts the ability of code on any website to run, and then listing the sites that are still allowed to run code. Firefox users can use the <a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript addon</a> to block JavaScript and only allow it on sites in an exclusion list, as is the case for IE. Another option is to raise the Privacy setting in IE so that no permanent cookies are stored by the browser, again with a set of exclusions.</p>
<p>Another useful habit to get into is to always log off from a web session when it’s completed, and to open unknown links only after you have logged out of the site, so that the session cookie has been invalidated and a script that steals it gains nothing.</p>
<p>It’s also important to keep your browser and Windows up to date so that already-fixed vulnerabilities cannot be used against you.</p>
<h2>Summary</h2>
<p>XSS attacks arise because of errors in web code that does not sufficiently check user input for executable content. The vulnerability is avoided if potentially malicious data that a user submits to a server is encoded and returned as plain text (non-executable) data. While we wait for a solution from web application developers, there are actions users can take to minimize their exposure to XSS: logging off from a session before clicking and following any links, disabling JavaScript for unknown sites, and using the latest versions of web browsers. And lastly, continue to follow the ‘rules of the web’ &#8211; don’t open links from strangers and don’t trust contacts you don’t know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/07/23/cross-site-scripting-%e2%80%93-the-web%e2%80%99s-lurking-danger/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Perils of Social Networking</title>
		<link>http://www.securityteacher.com/2008/06/16/the-perils-of-social-networking/</link>
		<comments>http://www.securityteacher.com/2008/06/16/the-perils-of-social-networking/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 12:27:29 +0000</pubDate>
		<dc:creator>emelyanova</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/?p=97</guid>
		<description><![CDATA[Preface
According to some estimates, more than thirty percent of US web traffic is taken up by users interacting on social networks like Facebook, Myspace and LinkedIn. Social networks (SN) can be fun and useful places to be when you want to hang out with your friends online, meet new colleagues, discuss a news event or [...]]]></description>
			<content:encoded><![CDATA[<h2>Preface</h2>
<p>According to some estimates, more than thirty percent of US web traffic is taken up by users interacting on social networks like <a href="http://www.facebook.com/" target="_blank">Facebook</a>, <a href="http://www.myspace.com/" target="_blank">Myspace</a> and <a href="http://www.linkedin.com/" target="_blank">LinkedIn</a>. Social networks (SN) can be fun and useful places to be when you want to hang out with your friends online, meet new colleagues, discuss a news event or engage in hot-button debate. The primary benefit of social networking is that it connects people with common interests or occupations and provides an easy way to share information, opinions, photos, videos, and just about everything else.</p>
<p>But there are also drawbacks to the open environments that constitute social networking. As you may have guessed from the title, the dark side of social networking is the focus of today’s article.</p>
<h2>Basic guidelines</h2>
<h3>Registering with a social network</h3>
<p>When you first sign up, you’re required to provide your real name and a valid email address that your future account will be associated with (your email address is usually used as your username for the SN). Make it a rule to choose a strong password for your account; six characters is the bare minimum most sites enforce, and longer is better. Also remember that the passwords for your registration email address and your SN login should be different, so that in the unfortunate event your SN account is compromised, you can always reset the password through your email; this presumes that the perpetrator cannot access your email inbox and read incoming messages.</p>
<h3>Minimizing vulnerability exposure</h3>
<p>Whereas Windows is your offline desktop platform that you can manage and secure to the best of your knowledge or expertise, your online social networking platform resides on remote servers over which you have no control; your SN identity and activities are only as well-protected as the underlying SN engine. </p>
<p>So, it is up to you to protect yourself – we suggest following these ‘safe practices’:</p>
<ul>
<li>Use the latest <a href="http://www.securityteacher.com/2008/04/15/browser/">browser</a> software and install Windows Updates as soon as they become available.</li>
<li>Use a <a href="http://www.securityteacher.com/2008/04/18/firewall/">firewall</a> to protect your system against unknown threats; use up-to-date antivirus to block known threats and intrusion prevention software to alert you to potentially dangerous activities on your computer.</li>
<li>Do not download, open or respond to content published or sent by unknown people. There was recently a virus outbreak on the Russian part of an SN that resulted from unwary users clicking on a link to a fake image file; this activated a virus that then wiped user data from the affected computers.</li>
<li>Remember that SN is still in its infancy: the engines are still immature and the platforms are vulnerable to determined attackers. Reports of faulty SN code appear regularly in the media, and you cannot rely on the integrity and non-disclosure of your personal details because of multiple weaknesses in SN systems. Cross-site scripting (XSS) flaws enabling attackers to view restricted sections of user data have affected almost every SN site, much like the way spyware targeted Windows systems before Windows XP Service Pack 2 closed many of the holes in 2004.</li>
<li>The 3rd party applications (widgets) that Facebook and Myspace offer as additional downloads are even more problematic. These programs are not tested for compatibility or security defects, so be sure you understand exactly what you are installing when you choose to use one of these applications.</li>
<li>Don’t access your online profile from public computers – such actions carry additional risk because of the potential for theft or malware compromise. Your log-in details might be stored in a local cache and later extracted and used to illegally access your profile, or the computer may be infected with a keylogger that silently captures any piece of information, including log-ins and chat sessions, and relays this data to unauthorized third parties.</li>
</ul>
<h2>Privacy precautions</h2>
<h3>Do not disclose sensitive information – ever!</h3>
<p>A recent British survey revealed that more than half of the SN users interviewed publish contact details and other private information in their online profiles, making them easy targets for ID thieves and other miscreants.</p>
<p>Due to the open nature of the Internet and the fact that your account can be hijacked, coupled with the vulnerabilities of SN platforms, you should NEVER publish any sensitive information about yourself, like your home address, Social Security or cell phone numbers. And don’t post anything that could backfire against you, like videos of your student parties, or anything else that you wouldn’t want a prospective employer to see.</p>
<h3>Prevent anonymous users from viewing your profile</h3>
<p>By making your profile private, you limit access to your online profile only to friends and people you know.</p>
<h3>Authorize and add as friends only people you know</h3>
<p>The smaller your inner circle of friends, the more private your online profile is.</p>
<h3>Never trust online-only acquaintances</h3>
<p>It’s important to keep in mind that people and their identities are not always what they claim to be, and you should not blindly trust people that you meet online. If you do decide to meet such a person in real life, do so only in a very public, safe place, and avoid any further physical contact with them until you are sure who they are.</p>
<p>You may have heard the tragic story of a girl who committed suicide after her online boyfriend supposedly let her down, when in fact the “boyfriend” was the mother of a teenager who didn’t want her son to date the girl. Had she been a little less trusting of what she read online, she would probably be alive today.</p>
<h3>Favor sites that use encryption</h3>
<p>Facebook, for example, encrypts your interactive sessions, whereas Myspace hasn’t yet followed suit. Encryption garbles data in transit so that no-one can read intercepted information, protecting your passwords and other information from outsiders. </p>
<h3>Report abuse</h3>
<p>Should you encounter cases of spam, harassment, stalking or other intrusions into your private life, you should report such incidents to the people responsible for proper conduct on the social networking site. Consult the FAQ or Contact Us section to find specific contact information.</p>
<h3>Don’t access SNs from your workplace </h3>
<p>Research indicates that half of the workforce access SNs during the workday, reducing productivity and distracting from work-related issues. Such activities may also be in violation of your employer’s “appropriate Internet use” policies.</p>
<h2>Summary</h2>
<p>Social networks are growing in scope and number of subscribers. People use them for business, personal and leisure contacts. It’s important to remember that the information you provide about yourself can become available even if you designate your online profile as “private”, so never publish any information about yourself that can be used to hurt you. Remember, employing safe internet usage practices, common sense and knowledge is the best protection online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/06/16/the-perils-of-social-networking/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Using IM with Confidence</title>
		<link>http://www.securityteacher.com/2008/05/13/using-im-with-confidence/</link>
		<comments>http://www.securityteacher.com/2008/05/13/using-im-with-confidence/#comments</comments>
		<pubDate>Tue, 13 May 2008 10:12:39 +0000</pubDate>
		<dc:creator>Igor Pankov</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/05/13/using-im-with-confidence/</guid>
		<description><![CDATA[Preface
Most people are familiar with Instant Messaging (IM) – applications that let users communicate in real-time with online friends and acquaintances over the Internet and monitor their availability. Instant messaging brings tangible benefits by making it easy to exchange information and take advantage of other extra services such as video conferencing and voice chat. However, [...]]]></description>
			<content:encoded><![CDATA[<h2>Preface</h2>
<p>Most people are familiar with Instant Messaging (IM) – applications that let users communicate in real-time with online friends and acquaintances over the Internet and monitor their availability. Instant messaging brings tangible benefits by making it easy to exchange information and take advantage of other extra services such as video conferencing and voice chat. However, with these benefits comes responsibility, and a person who uses IM must understand and address its security and privacy implications in order to stay safe online and keep personal information hidden from prying eyes. The safe use of IM is our main topic today.</p>
<h2>Introduction to IM</h2>
<h3>Overview</h3>
<p>Instant messaging has been in mainstream use for the past ten years, and continues to grow in both user base and sophistication as use of the Internet grows.  IM’s popularity is due in large part to the fact that, unlike traditional email, IM can be delivered and replied to in a few seconds, dramatically speeding up communications. Plus, you can check if your friends or colleagues are online and indicate to them your availability or willingness to chat. In addition to conversation, you can send a file or a link over IM, as well as initiate a VoIP chat or video session, which is available with some advanced services. You can even play a game or share a desktop application remotely with someone you know.</p>
<h3>Pre-requisites</h3>
<p>To get started with IM, you really just need to choose a network and install the software. The most widely used IM networks today are <a href="http://www.aim.com" target="_blank">AIM</a> (AOL Instant Messenger), <a href="http://www.icq.com" target="_blank">ICQ</a>, <a href="http://messenger.live.com" target="_blank">Windows Live Messenger</a>, <a href="http://messenger.yahoo.com" target="_blank">Yahoo! Messenger</a>, <a href="http://www.jabber.ru" target="_blank">Jabber</a>, and <a href="http://www.skype.com" target="_blank">Skype</a>. You access these networks using proprietary client software which is available as a free download. There are also independent third-party clients such as Miranda or Trillian that can support multiple protocols under one hood so that anyone who’s a member of, say, both the ICQ and AIM networks doesn’t have to install two separate client applications – he/she can configure these services within one IM client and switch between their profiles as needed.</p>
<h3>How IM works</h3>
<p>You can log into your IM account using the software you’ve downloaded from the network you’ve chosen, or initiate a session within your <a href="http://www.securityteacher.com/2008/04/15/browser/">browser</a> without downloading any software. This latter approach is becoming more common as more applications transition to web-based services instead of using desktop software. <a href="http://www.google.com/talk/" target="_blank">Google Talk</a>, for example, provides such an option.</p>
<p>There are two ways in which messages can be sent over an IM network: using the IM server as an intermediary to deliver data, or using direct peer-to-peer data exchange.</p>
<p>In the first case, the information that two clients exchange passes through the central IM server, which then routes each message to its designated recipient. In the second case, the server facilitates the initial hookup by telling both clients how they should “talk” to each other (by supplying the corresponding IP addresses and communication port numbers). From then on, the messages are exchanged directly between the two clients, without server participation. The latter case is more efficient in terms of resource allocation because it doesn’t require the server’s processing and bandwidth resources to manage data. It is also more private in the sense that the IM server operator never sees the message content, and if the clients are nearby the traffic traverses fewer networks. Using this approach, if two people connected to the same office or home LAN want to chat on the ICQ network, their messages won’t leave that network, making it very hard for outside parties to capture their dialogs. Note, though, that peer-to-peer messages between distant clients still cross the Internet in the clear unless the clients themselves encrypt them.</p>
<p>The most common way, though, is to connect through the client-server-client configuration which is used by the majority of Internet protocols. However, transfers of large files or remote desktop sharing sessions over IM occur exclusively on a peer-to-peer basis to minimize the server load.</p>
<h3>Log-in procedure</h3>
<p>The majority of IM services log members in using the standard ID/password combination, supplied by the IM client to the authorization server when the user attempts to connect. In the simplest case this information is sent unencrypted, meaning that anyone who can observe the authorization session can intercept the login data and steal the user’s identity. A more secure way to authenticate users is the “secure login” option available in some IM services such as ICQ. Essentially, the server issues a random challenge value on connection and the IM client sends back a hash of that challenge combined with the password, so the password itself never crosses the wire. This prevents a captured packet from yielding the password directly, although a captured challenge and response can still be used for offline password guessing, so a strong password still matters.</p>
<p>On successful validation, the system logs the user in, and the user’s “friends” list is populated, along with other relevant information such as the current status of people on that list.</p>
<h2>IM security essentials</h2>
<h3>Your IM profile</h3>
<p>When you’re choosing a screen name (or nickname), try using names that can’t easily be linked to your real identity, such as “ja_cool26” instead of “johnandrews26”. Also, never divulge personal data such as your home address, telephone number or other sensitive information in your online profile. When choosing a password, make sure it is at least 6 characters long (longer is better) and differs from the passwords for your other accounts (such as the email address to which a confirmation email would be sent if you lose the password).</p>
<p>Most IM clients save your password in a local cache to automate future logins. We recommend that you enter your password manually each time you log in (in other words, do not save your passwords), but if you choose otherwise, make sure the password is not visible on the logon screen or recoverable from the local cache, which is usually stored in the Windows Registry. Consult your IM vendor concerning how cached passwords are protected locally.</p>
<p>Avoid using IM in public places such as a library or internet café. If you absolutely have to, never opt to save passwords on log-in.</p>
<p>Make sure your system is clean of viruses, keyloggers and other malware, as these can completely negate your password preservation efforts by directly recording your keyboard activity and relaying it to scammers. If your IM account has been hijacked, notify your contacts and try to restore your account by providing as much information as possible in the special accounts restoration section on the IM service’s website.</p>
<h3>Usage</h3>
<p>One key thing to remember when using IM is that all information you send or receive is communicated in plain, easily readable text, so don’t ever communicate confidential or private information over IM. Many people underestimate this risk until it’s too late, and their account has been hijacked, credit card data stolen, or confidential information exposed or misappropriated.</p>
<p>A hacker or unethical ISP can easily eavesdrop on IM sessions, capturing conversations and selling them for financial gain or posting them in public forums just for fun. This kind of intrusion is possible because, by using sophisticated “sniffing” software that intercepts network traffic or through a deficiency in the TCP/IP protocol, hackers can stage man-in-the-middle attacks and impersonate either the sender of information or its recipient, without the knowledge of the other party.</p>
<p>You can overcome this limitation in part by installing additional plug-ins that can encrypt IM traffic with PGP keys. Miranda, a free cross-protocol IM program, can optionally enable data <a href="http://www.securityteacher.com/2008/06/20/encryption/">encryption</a> for confidential communication. It is believed that plotters of the Sept. 11 terrorist attack used encryption in instant messaging to exchange details of the upcoming attack so that the CIA couldn’t decipher their messages.</p>
<p>As with every Internet-enabled program, bugs and vulnerabilities can lead to system compromises. Make sure you keep Windows and your IM client software updated and patched. IM worms exploit vulnerabilities in IM software and send copies of themselves to the people listed in victims’ contact lists, spreading rapidly. Another rule of thumb is to never download or open executable files received over IM, and if possible, check all other files with an up-to-date antivirus. Never click on a link in an instant message, especially if it comes from an unknown source; it’s also wise to treat messages from your friends as potentially hazardous, since these can also be sent from hacked or compromised accounts. Internet links can point to infected locations, and you can unwittingly infect your computer by clicking on them. As file downloads usually take place on a peer-to-peer basis, your IP address is revealed to the other party, creating an opportunity for remote intrusion if your network is not protected by a <a href="http://www.securityteacher.com/2008/04/18/firewall/">firewall</a>. Older clients, such as ICQ 2003, may reveal your external IP address by default, so remember to update your IM client software to the latest version.</p>
<p>Many IM clients record your conversations locally so that you can view them later. You can turn this off through the IM client’s configuration options.</p>
<p>SpIM (spam over IM) is another nuisance. These messages can do anything from enticing you to purchase a certain item to attempting to infect your PC with drive-by downloads. Many IM clients have spam protection functionality that you may find very useful. However, the most appropriate response to spam is not to react or reply: the mere act of replying tells the sender (human or bot) that there is a live account at that address. Some clients offer challenge-response systems, which pass a message from an unknown sender to you only if the sender answers a simple question, ensuring the sender is not a spam bot.</p>
<p>Requests to authorize a new user should be treated with suspicion and you should investigate the soliciting user before granting authorization. Cases of stalking need to be reported to the responsible authorities. Do not respond to chain letters and other solicitations from unknown people.</p>
<h2>Conclusion</h2>
<p>IM is a very efficient and convenient way to communicate because messages can reach the recipient very quickly. There are a few rules that should be followed when using IM – never send sensitive information if no encryption is available (by default, your messages are sent in unencrypted form), never run executable files obtained from unfamiliar or dubious sources, use your antivirus and firewall to protect from propagating threats and network intrusions, and treat the links that your contacts send you as potentially malicious.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/05/13/using-im-with-confidence/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Choices, Part 4: Complementary Security Software</title>
		<link>http://www.securityteacher.com/2008/04/14/security-choices-part-4-complementary-security-software/</link>
		<comments>http://www.securityteacher.com/2008/04/14/security-choices-part-4-complementary-security-software/#comments</comments>
		<pubDate>Mon, 14 Apr 2008 10:49:59 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/04/14/security-choices-part-4-complementary-security-software/</guid>
		<description><![CDATA[Introduction
Now that we’ve reviewed the key essentials in security software (firewall, antivirus, proactive tools), it’s time to take a look at some applications that will enhance those basic security measures with additional security and privacy capabilities.
Anti-spam
It’s estimated that more than 80 percent of all e-mail messages are spam. Spam is a major irritant and time-waster; [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>Now that we’ve reviewed the key essentials in security software (<a href="http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/">firewall</a>, <a href="http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/">antivirus</a>, <a href="http://www.securityteacher.com/2008/03/12/security-choices-part-3-proactive-security-solutions/">proactive tools</a>), it’s time to take a look at some applications that will enhance those basic security measures with additional security and privacy capabilities.</p>
<h2>Anti-spam</h2>
<p>It’s estimated that more than 80 percent of all e-mail messages are spam. Spam is a major irritant and time-waster; it’s also one of the major vehicles for the distribution of malware, phishing attacks, and other sources of identity theft and financial loss.</p>
<p>Spam peddlers send their bulk, unsolicited messages in the hope that enough people buy what they’re offering to cover their costs. Sadly, that hope is more often than not fulfilled, or they wouldn’t continue to do it. Spammers also seek to steal money by conning recipients into participating in financial scams based on stock appreciation schemes, fake letters of intent, lottery winnings promises, and other fraudulent activity.</p>
<p>Phishing, now a well-documented offense, operates by impersonating bona-fide organizations and demanding log-in or other privileged information to purportedly “update your account”. In reality, any information you supply to such solicitations winds up in the hands of fraudsters who’ve set up fake websites imitating legitimate locations to “fish” (phish) for your money or passwords.</p>
<p>Because many of these attempts to separate you from your money or other valuable information are quite sophisticated, it’s strongly recommended that you use an antispam solution to protect against such scams. Even if you recognize spam and have learned not to react to it, it’s still a major time-saver to have your in-box cleaned of junk automatically. And some spam can even infect your PC without your interaction by automatically executing malicious scripts in the background if your email client or Web <a href="http://www.securityteacher.com/2008/04/15/browser/">browser</a> is not properly patched.</p>
<p>Anti-spam programs use a variety of techniques to protect the integrity of your inbox.</p>
<p>Antispam companies process millions of spam messages per day, adding new spam definitions to their databases as a result of their analysis. So the next time you are about to receive a spam message that’s already included in those databases, it will be automatically deleted or blocked from landing in your inbox by an antispam program that uses those databases. The databases include information such as a spammer’s domain name, message header, body text, attachment names, links, and other data. Users of some anti-spam applications can participate in a collaborative spam identification effort. To do that, they mark messages in their inboxes that they believe are spam, and after enough users have voted on a particular message and unequivocally flagged it as spam, the details of the message are added to the database so that new users receiving this message will have it filtered out automatically.</p>
<p>Another method to catch spam is identifying it according to Bayesian-based algorithms. These algorithms assess the probability of a new message being spam if it exhibits characteristics similar to those of known spam messages. For instance, if the term “Viagra” or “Replica” is found in a message along with other valid entries, and the presence of those terms strongly suggests the message is spam, the Bayesian algorithm attempts to verify the probability of the entire message being spam and assigns the message a spam score (e.g., this message has a 60% probability of being spam). Then, depending on the user’s sensitivity threshold, this message is classified as definite spam, suspected spam, or valid mail. This technique helps to block new spam that resembles past spam and also lets a user “train” the filter to his/her personal definition of spam. Software products such as <a href="http://www.inboxer.com/store_try1.shtml" target="_blank">Inboxer</a> (commercial) or <a href="http://www.agnitum.com/products/spam-terrier/index.php">SpamTerrier</a> (freeware) use this approach.</p>
<p>Spam can also be classified according to user-defined rules, for example:</p>
<ul>
<li><strong>Whitelisting:</strong> Consider all messages coming from people listed in the recipient’s address book as trusted. Also trust contacts to whom the user has sent messages in the past</li>
<li><strong>Filtering based on message encoding:</strong> Setting acceptable languages for messages, while blocking the rest</li>
<li><strong>Keyword lists:</strong> Block emails if they contain specific words or phrases, block emails sent from particular domains, or specify whether a mail can contain attachments and how many</li>
</ul>
<p>The majority of email clients (Microsoft Outlook, Mozilla Thunderbird, The Bat!) have built-in spam filters. Webmail services such as Google’s gmail have spam filters that process mail at the <a href="http://www.securityteacher.com/2008/02/11/gateway/">gateway</a> level. There, too, you can define a variety of spam filtering criteria.</p>
<p>One of the key performance indicators of an antispam program is how many valid emails it erroneously categorises as spam, also known as false positives. The lower the number, the fewer genuine email messages are sent to the junk mail folder. The leading programs manage 2% or fewer false positives, meaning that the chances of losing important messages are slim. And although leading antispam programs can let as much as 15 percent or more of spam through to your inbox, that is still a lot fewer messages to process manually.</p>
<p>Detecting graphical spam (spam contained in embedded graphics), document spam (spam coming as a PDF or Word attachment) or voice spam (spam coming as a webcast or MP3 file) remains a major challenge for anti-spam vendors to resolve.</p>
<h2>Anti-phishing tools</h2>
<p>Phishing can be very dangerous, especially if you are one of those people who are “click happy” (over-trusting of links and sites requesting personal data). If you receive a letter that purports to come from a bank demanding that you “verify” your credit card data, you might be tempted to simply do as you’re told. Unfortunately, that’s the most effective way to become a victim of a fraudulent phisher. While the answer to the phishing problem is quite simple and straightforward (ignore messages requesting personal data, as almost all such requests are illegitimate), in reality antiphishing tools are needed to protect people from their own actions.</p>
<p>Both Internet Explorer and Firefox have built-in antiphishing tools that will alert you if you are about to access a suspected fraudulent site, and they’re both reasonably accurate. They will protect you against more than 60% of real-world phishing attacks, which is a step in the right direction. The rest of it is up to you, so be vigilant and think before you click.</p>
<h2>Web browsing security</h2>
<p>As you surf the web, you run the risk of becoming a victim of drive-by downloads that exploit weaknesses in browser software or unwittingly execute malicious Java or ActiveX scripts that silently install malware on your computer. The danger lies in that it requires little or no interaction on your part for this to happen.</p>
<p>There are security programs out there that analyze the locations your browser is pointed to and check whether they are safe before letting you proceed to them. Finjan SecureBrowsing is one of them. Google, too, offers advice on the safety of web search results based on the sites’ track record. Outpost will automatically block access to sites that are known to have participated in malware distribution or botnet activity.</p>
<h2>Conclusion</h2>
<p>As you can see, there are benefits to be gained from adding complementary protection to your key essentials. What you select is a factor of your personal choice and the level of risk you feel you are exposed to. But don’t forget that the biggest contributor to online safety is your own knowledge, vigilance, and – dare we say it – common sense. Remember – if it sounds too good to be true, it almost certainly is.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/04/14/security-choices-part-4-complementary-security-software/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Security Choices, Part 3:  Proactive Security Solutions</title>
		<link>http://www.securityteacher.com/2008/03/12/security-choices-part-3-proactive-security-solutions/</link>
		<comments>http://www.securityteacher.com/2008/03/12/security-choices-part-3-proactive-security-solutions/#comments</comments>
		<pubDate>Wed, 12 Mar 2008 14:22:50 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/03/12/security-choices-part-3-proactive-security-solutions/</guid>
		<description><![CDATA[Introduction
We’ve already covered two corners of the golden triangle of security – firewall and antivirus, and this article addresses the third – proactive protection. By proactive protection, we mean software that attempts to block illegal or unwanted application activity without the need to compare that activity to a set of known “fingerprints” that specifically match [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>We’ve already covered two corners of the golden triangle of security – <a href="http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/">firewall</a> and <a href="http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/">antivirus</a>, and this article addresses the third – <a href="http://www.securityteacher.com/2008/06/07/proactive-protection/">proactive protection</a>. By proactive protection, we mean software that attempts to block illegal or unwanted application activity without the need to compare that activity to a set of known “fingerprints” that specifically match a particular threat.</p>
<h2>Overview</h2>
<p>There is no universal definition of what proactive security really is but the general consensus is that it represents any solution that blocks or otherwise prevents illegal or suspicious activity by applications at a local level. These solutions don’t need signatures to identify a potential attack – what they do is look at the application’s behavior in order to attempt to identify a potentially malicious process and stop an attack before it can infect or otherwise compromise the system.</p>
<p>Let’s take a look at the currently-available categories of proactive security solutions.</p>
<h2>HIPS</h2>
<p>HIPS stands for Host-based Intrusion Prevention System. The name itself is not very intuitive, but the way HIPS works is this: imagine a solution that monitors every application’s activities and interactions with the Operating System and alerts you whenever a new or unknown event occurs. As soon as such an event occurs, the solution asks you whether the activity should be permitted or blocked, and the resulting rule is added to the database of choices already learned by the program.</p>
<p>Although this approach might seem overly intrusive and distracting, it can provide the best protection against unknown attacks because it’s hard to go wrong when every activity is under your control, or, rather, is dependent on how you treat it. HIPS acts as a whistleblower – informing you of non-compliant activity and letting you decide whether it is OK to proceed.</p>
<p>Here is a list of activities typically monitored and controlled by HIPS solutions:</p>
<ul>
<li>Application memory integrity and sharing of common components (DLLs)</li>
<li>Loading of system drivers</li>
<li>Creating or registering new services</li>
<li>Changes in the Windows Registry</li>
<li>Keyboard and screen interactions, including copy/paste commands</li>
<li>Controlling the use of typical Windows applications and services with uncommon parameters</li>
<li>Controlling interactions between applications; controlling interface windows</li>
<li>Changing Windows and application settings (browser homepage, HOSTS file, etc.)</li>
<li>Low-level disk access</li>
<li>Other special functions and operations</li>
</ul>
<p>Although these activities may appear rather ambiguous to most users, keeping a close eye on them does safeguard the computer against the majority of attack techniques used by real-world malware.</p>
<p>To be able to control these activities, HIPS programs use special monitoring and intercepting functions that enable the activity of target processes to be suspended and then resumed or stopped later based on user input.</p>
<p>Examples of classic HIPS solutions are Outpost Firewall Pro and ZoneAlarm firewalls.</p>
<p>The downside of such close monitoring of system operations is the large number of requests for user input. To mitigate this issue, developers of HIPS solutions create and update configuration policies that can be applied automatically in the background without the need for the user to respond to security alerts. The list of predefined policies is, of course, continuously expanding and is regularly distributed to users over the Internet.</p>
<p>When we talk about HIPS, one of the things that come to mind is the <a href="http://www.securityteacher.com/2008/04/30/leaktest/">leaktest</a>. Leaktests are closely related to HIPS because they test HIPS’ performance and evaluate how good these tools are against real attacks using sophisticated intrusion techniques. While they are somewhat biased towards measurement of outbound network resistance strength, leaktests do serve as a useful tool to record the types of interactions a particular security system can resist. You can read more about leaktests and their use <a href="http://www.agnitum.com/download/docs/security-suite/outpost_vs_leaktests_2008_whitepaper_en.pdf">here</a> (“Leaktests as a Measure of Outbound Protection”).</p>
<h2>Behavior blockers</h2>
<p>Behavior blocking software is a natural evolution from HIPS because it uses analytical processes to assess the legitimacy of operations. Instead of alerting to every single event, behavior blockers evaluate the sequence of events and determine the chances of a particular activity being malicious based on analysis of the observed behavior.</p>
<p>For example, instead of asking whether a new program should be permitted to auto-start with Windows, behavior blockers investigate whether the new program also attempts to infiltrate critical system areas, register new system services, interact with other Windows programs, or otherwise exhibit typical malicious patterns.  After sufficient suspicious activities have been observed to conclude that the suspect is “up to something” and the critical threshold is reached, the program is classified as malicious and is either shut down automatically or the user is asked what should be done with it.</p>
<p>Examples of such programs include PrevX and CyberHawk Pro.  Although they dramatically reduce the number of user prompts as compared with classic HIPS solutions, these programs are more prone to being bypassed by hackers because the analytical logic may not be as precise as it needs to be. However, for some, that may be a worthwhile trade-off (everything in security is a compromise between efficacy and ease of use).</p>
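<p>The two approaches described above, the classic HIPS that asks about every new activity and remembers the answer, and the behavior blocker that accumulates evidence until a threshold is reached, can be put side by side in a few lines. This is an added example, not the logic of Outpost, ZoneAlarm, PrevX or CyberHawk; the event sequences, the risk weights and the threshold of 6 are constructed for the demonstration.</p>

```python
"""HIPS rule learning and behavior-blocker scoring side by side (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str   # which program is acting
    action: str    # one of the monitored activities listed above
    target: str    # what it touches (registry key, file, service name, ...)


class ClassicHips:
    """Ask the user about every new (process, action) pair; remember the answer."""

    def __init__(self, ask_user):
        self.ask_user = ask_user     # callback Event -> "allow" | "block"
        self.learned = {}            # (process, action) -> decision, the rule database
        self.prompts = 0

    def handle(self, event):
        key = (event.process, event.action)
        if key not in self.learned:
            self.prompts += 1
            self.learned[key] = self.ask_user(event)
        return self.learned[key]


# Constructed risk weights: how suspicious each activity is on its own.
RISK = {
    "autostart": 1,
    "registry_write": 1,
    "hosts_modify": 3,
    "create_service": 3,
    "load_driver": 4,
    "inject_process": 4,
    "low_level_disk": 4,
}


class BehaviorBlocker:
    """Accumulate risk per process; act only once the critical threshold is reached."""

    def __init__(self, threshold=6):
        self.threshold = threshold
        self.scores = {}

    def observe(self, event):
        score = self.scores.get(event.process, 0) + RISK.get(event.action, 0)
        self.scores[event.process] = score
        return "terminate" if score >= self.threshold else "allow"


def simulate(events, ask_user):
    """Run both engines over the same event sequence and report what each did."""
    hips = ClassicHips(ask_user)
    blocker = BehaviorBlocker()
    hips_decisions = [hips.handle(e) for e in events]
    blocker_decisions = [blocker.observe(e) for e in events]
    return {
        "hips_prompts": hips.prompts,
        "hips_decisions": hips_decisions,
        "blocker_decisions": blocker_decisions,
        "blocker_scores": dict(blocker.scores),
    }


# Constructed event sequences: a benign updater and a program that behaves like malware.
UPDATER_EVENTS = [
    Event("updater.exe", "autostart", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("updater.exe", "registry_write", r"HKCU\Software\Updater\LastCheck"),
]
DROPPER_EVENTS = [
    Event("dropper.exe", "autostart", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    Event("dropper.exe", "registry_write", r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    Event("dropper.exe", "create_service", "netsvc2"),
    Event("dropper.exe", "hosts_modify", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("dropper.exe", "load_driver", "hidedrv.sys"),
]


def always_allow(event):
    """A user who clicks 'allow' on every prompt: HIPS is only as good as the answers it gets."""
    return "allow"


if __name__ == "__main__":
    print("updater:", simulate(UPDATER_EVENTS, always_allow))
    print("dropper:", simulate(DROPPER_EVENTS, always_allow))
```

<p>The trade-off the text describes falls straight out of the run: the HIPS raises five prompts for the dropper and lets everything through if the user keeps answering "allow", while the behavior blocker never asks but only reacts at the fourth event, after the service creation and HOSTS file change have pushed the score past the threshold. Choosing the weights and threshold is the hard part, and a poor choice is what lets a careful attacker stay under the line.</p>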
<h2>Sandboxing and whitelisting</h2>
<p>Sandboxing is a way to define a list of permitted activities or trusted programs, after which all other activity will automatically be blocked. Products such as DefenseWall use this principle: you specify which applications on a computer you consider safe and allow to perform critical operations, while all other applications have considerable restrictions placed on their activities.</p>
<h2>Prevention of unauthorized shutdowns</h2>
<p>One key element of proactive security is maintaining active protection even if malware attempts to shut it down. In the past, it was relatively easy to switch off or disable many security products, enabling a security breach to take place. Realizing the need to make their products more resistant to such attacks, many security vendors have added self-protection functionality to prevent this type of unauthorized termination.</p>
<h2>Conclusion</h2>
<p>Proactive security is valuable for its push to combat threats based on behavior patterns rather than by relying entirely on identifying them according to known samples. This approach can stop new or obscure threats that cannot be identified by an anti-virus or other signature-based product. Proactive protection is a perfect match for the firewall and antivirus, adding another layer of protection against the risks that are always close by in our interconnected world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/03/12/security-choices-part-3-proactive-security-solutions/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Choices, Part 2: Anti-Virus Software</title>
		<link>http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/</link>
		<comments>http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/#comments</comments>
		<pubDate>Wed, 13 Feb 2008 12:16:16 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/</guid>
		<description><![CDATA[Introduction
This is the second in our series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the [...]]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>This is the second in our series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.</p>
<p>This second article focuses on anti-virus functionality which, along with <a href="http://www.securityteacher.com/2008/04/18/firewall/">firewall</a> software, is considered an essential part of computer security. The firewall article is available on our website <a href="http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/">here</a>.</p>
<h2>Essentials</h2>
<p>It’s rare to find a pure antivirus product today &#8211; <a href="http://www.securityteacher.com/2008/01/21/your-oldest-enemy-virus/">viruses</a> are losing ground to more commercially-motivated malware such as spyware, keyloggers, and information-stealing Trojans. Today, when we talk about anti-virus, we usually mean a security scanner capable of detecting and removing a whole range of malicious programs: viruses, spyware, botnets, Trojans, and more. Some of these ‘combination products’ are more successful than others, so it’s as well to understand the specific capabilities of each element as you consider the type of solution that’s right for you.</p>
<p>So what exactly is anti-virus and how does it work?</p>
<p>Anti-virus is essentially a type of security software that scans your computer for self-propagating malware (usually viruses and worms) and neutralizes them. To achieve this, it uses a number of detection techniques:</p>
<ul>
<li><strong>Signature detection</strong>
<p>Signature detection is the dominant technique used by anti-virus programs today; it involves analyzing the malware code for known “fingerprints”. To accomplish this, the anti-virus program inspects the files’ content for fragments that match a known pattern identified in their databases as malicious. If such a pattern is found, the infected file or file fragment is flagged as infected and is then quarantined, disinfected, or deleted according to the functionality of the individual anti-virus product. The method is based on pure comparison and is a quick, accurate way to identify infections from existing viruses. The downside of this method is that the user must always have an up-to-date virus database to benefit from accurate detection. Additionally, signature detection is not effective in dealing with new or polymorph (mutating) viruses that obscure their presence by modifying parts of the payload (the damage the virus delivers).</p>
</li>
<li><strong>Heuristics and approximation</strong>
<p>As noted above, as threats mutate, traditional detection is less effective because it cannot detect that the original code has been altered. One way to address this deficiency is heuristics detection, which assesses the likelihood of slightly modified code being a copycat version of an original sample. This is a complex and demanding process, but is incorporated by most of the more technologically advanced anti-virus products. Due to its immaturity, heuristics still needs to be complemented by other types of detection; it is also somewhat error-prone, in that it can yield a high number of false positives (legitimate objects incorrectly identified as malicious).</p>
</li>
<li><strong>Virtualized simulation</strong>
<p>This is a promising new approach that has potential to aid detection of new and unknown viruses. Instead of running a traditional signature scanner on a suspect file, virtualization creates a safe temporary environment in which to execute the file and examine it more closely. Because the environment is isolated from the rest of the PC, a possibly infected file can be run without endangering the security of the host PC &#8211; the virtualized operation cannot affect real user data. After the file has been started in this virtualized state and its payload activated, the techniques it uses to hide itself (we’ll briefly describe these later in the document) will no longer apply, because the code runs “in the clear” in memory. This means that the file’s internal workings are visible to the anti-virus software and can be scanned using traditional signature analysis. Due to its relative newness and complexity, virtualization is still in its infancy as a virus scanning technique, and is not widely available yet in anti-virus software designed for personal use. Virtualization works hand-in-hand with complementary technologies such as behavior blocking and sandboxing technologies, which we’ll discuss in detail in Part 3 of this series.</p>
</li>
</ul>
<h2>What happens once a virus has been detected?</h2>
<p>After a malicious sample has been identified, it needs to be treated accordingly. If a normal, legitimate file has been infected by a virus that modified its contents, the malicious section of that file needs to be mapped and wiped out and the original content reinstated so that the file can be safely used again. Examples of this process might include an executable (*.exe) file or a software driver component (*.sys) file that has been damaged as a result of an attack being restored to its original state. This restoration process is quite complex, and is only handled effectively by a few commercial anti-virus products. Besides, each type of virus infection requires a different treatment approach: a file infected by virus A can only be repaired by an anti-virus product that knows exactly what virus A does and how it operates, in order to undo the damage it causes. Providing this level of protection requires a skilled team of virus analysts to reverse-engineer each virus, understand what it does, and then carefully construct the repair process. Even if you have a proactive security solution that blocks unknown files from entering your PC, it’s still a good idea to ensure that you back up all your valuable programs and data on a regular basis in case you encounter a new virus for which no repair process yet exists.</p>
<p>Fortunately, viruses that insert infections into existing files happen very infrequently these days. Most often, infective malware comes in the form of a standalone program; in these cases, the program can simply be removed from the system in its entirety. These standalone malware programs serve no other purpose than to infect, steal, destroy or hijack &#8211; quite different from the infected legitimate files described earlier.</p>
<p>As soon as a malicious program is found, it is either automatically deleted or moved to a special quarantine folder to ensure it can no longer activate as originally intended. Users can view a list of quarantined objects at any time and choose whether to delete them permanently or restore any of the files to their original location if there is a certainty that the file is in fact not malicious. False positives do occur, and sometimes it’s advisable to temporarily store suspect files in a special secure location (quarantine) while more detailed analysis can be undertaken. A recent example of this was when an antivirus vendor mistakenly deleted a valid Windows file from users’ hard drives and then had to restore the file when the mistake was discovered.</p>
<p>Dealing with the consequences of a virus infection is another challenge for anti-virus programs. After a malicious program has been successfully removed from a computer, it might have left traces behind. These “scars” may cause system-wide inconsistencies or filesystem errors (modified registry entries, networking stack changes, or altered browser settings) which can affect performance or render some Windows functions inoperable. In this case, it is really essential to have a ‘Plan B’ approach to protecting sensitive data, using proactive security and/or frequent backups.</p>
<h2>Complicating factors</h2>
<p>There are a number of techniques that viruses employ to make the task of anti-virus software much harder; most use a variety of approaches to hide their presence and thus evade detection:</p>
<ol>
<li><em>Packers</em> – a way to compress executable code using a special algorithm not known to the anti-virus, so that the anti-virus software cannot uncompress the file and analyze the malware code in its raw form.</li>
<li><em>Polymorphic cryptors</em> – similar to the above, the original executable is encrypted with variable keys so that the signature of the resulting file is new every time. This technique defeats any pure signature-based approach.</li>
<li><em>Rootkits</em> – a seemingly innocent masking device used to hide the presence of malware on a system.</li>
</ol>
<h2>Where anti-virus looks</h2>
<p>To be optimally reliable, an anti-virus solution must examine all of the following locations/processes on a PC:</p>
<ul>
<li><strong>Email.</strong> Almost all anti-virus solutions can scan incoming and outgoing email for malicious content and automatically remove it.</li>
<li><strong>Web traffic.</strong> Every item of data that you send and receive over the Internet should be scanned and verified for legitimacy. Web <a href="http://www.securityteacher.com/2008/05/30/exploits/">exploits</a> &#8211; malicious code automatically loaded onto the system if you access an infected site using an unpatched browser &#8211; may also be analyzed and blocked by the more advanced anti-virus products.</li>
<li><strong>System configuration.</strong> This includes registry, start-up entries, drivers and services, network infrastructure data, browser add-ons, and other internal locations.</li>
<li><strong>Active processes.</strong> This includes all currently-active programs and other executable modules &#8211; everything that resides in the computer’s memory.</li>
<li><strong>Local file system.</strong> This refers to your PC’s files, folders and hard drives, including data that may be stored in alternate streams of the NTFS file system.</li>
<li><strong>Removable storage.</strong> This covers optical drives, flash thumb drives, and other digital gadgets with memory modules that can be plugged into a USB port, such as smart phones and iPods.</li>
<li><strong>Remote storage.</strong> This includes shared LAN folders, backup facilities, and web-based backup locations.</li>
</ul>
<h2>When anti-virus activates</h2>
<p>The primary task of any anti-virus solution is to detect malware and prevent it from spreading infection by removing it before it can attack legitimate files. Anti-virus solutions generally offer three approaches to virus detection and removal:</p>
<ol>
<li>Real-time monitoring. This means that the anti-virus software watches the PC’s current activity and automatically blocks known malicious operations.</li>
<li>On-demand scanning. This means that the anti-virus software scans the PC’s contents for malicious files when you tell it to do so.</li>
<li>On-schedule scanning. You can set up a schedule for future scans to occur at a specified time and date, or in the event of some particular situation, such as the computer being left idle for a prolonged period of time.</li>
</ol>
<h2>Summary</h2>
<p>What anti-virus can do:</p>
<ul>
<li>Check your PC’s contents for known or identifiable threats and remove or disable them</li>
<li>Check individual files, such as those recently downloaded from the Internet, to see if they are clean</li>
<li>Repair an already-infected legitimate file</li>
<li>Prevent identifiable viruses from spreading</li>
</ul>
<p>What anti-virus cannot do:</p>
<ul>
<li>Detect or remove threats that cannot be identified either by signature or heuristics</li>
<li>Block network intrusions and the theft of personal data as a result of an attack by unknown malware</li>
</ul>
<p>Potential drawbacks of anti-virus:</p>
<ul>
<li>Unknown threats cannot be stopped</li>
<li>Reactive approach means delayed response to countering a virus</li>
<li>Interoperability or stability issues can arise if more than one anti-virus program is running on a single machine.</li>
</ul>
<h2>Conclusion</h2>
<p>While this has been a brief overview/refresher on what anti-virus software can and cannot do, it’s clear that anti-virus is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of complementary technologies like sandboxing and behavior blocking, but if you have any questions in the meantime, please don’t hesitate to ask them now in the Security Teacher comments space.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/02/13/security-choices-part-2-anti-virus-software/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Security Choices, Part 1: The Software Firewall</title>
		<link>http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/</link>
		<comments>http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/#comments</comments>
		<pubDate>Wed, 16 Jan 2008 13:14:54 +0000</pubDate>
		<dc:creator>kozhemyak</dc:creator>
				<category><![CDATA[Security Insight]]></category>

		<guid isPermaLink="false">http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/</guid>
		<description><![CDATA[Abstract
This is the first in a series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the [...]]]></description>
			<content:encoded><![CDATA[<h2>Abstract</h2>
<p>This is the first in a series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.</p>
<p>This first article focuses on software firewalls which, along with anti-virus software, is considered an essential part of computer security. We’ll be looking at anti-virus in the next article.</p>
<h2>The Software Firewall</h2>
<p>The firewall’s main task is to prevent malicious or unwanted connections between your computer and the network (usually the internet). Firewalls act like entrance guards – allowing authorized people (network traffic) in and out, and blocking less well-intentioned individuals (malicious or unauthorized connections) from entering or leaving, as determined by the boss (the PC user), and awaiting further instructions whenever it detects unknown activity (visitors with unknown IDs).</p>
<p>The <a href="http://www.securityteacher.com/2008/04/18/firewall/">firewall</a> is considered a primary security element because it helps block unknown threats by denying them network access. Firewalls are proactive in their approach – they stop unknown connections, ask the user how these connection requests should be treated, and grant access only to those connections defined by the user as trusted. By blocking network access, firewalls block malware’s main propagation route – the Internet. Most of today’s threats &#8211; Trojans, botnets, worms and other malware &#8211; use the Internet to spread themselves and transmit stolen personal data to unauthorized individuals or entities.</p>
<p>Firewalls can hide a computer’s presence on the Internet so hackers can’t locate and exploit vulnerable machines. Some advanced firewalls also incorporate a list of known attacks and intrusions, automatically preventing those from reaching the PC. Firewalls can also be used to control the exchange of data in internal networks (such as a home network or office LAN), making sure data is sent to the designated recipient and preventing internal hacks and man-in-the-middle attacks.</p>
<p>Firewalls monitor and control traffic in both directions. Data received from the network is referred to as inbound, while data that is sent out is called outbound. Although the majority of today’s threats constitute breaches of outbound security, it’s imperative that both directions are monitored. Some of the more basic firewalls, including those supplied with Windows Vista and XP, don’t monitor outbound connections by default; they must be specifically configured to provide this protection.</p>
<p>Unlike typical anti-malware applications, firewalls are not signature-based, meaning they don’t need to identify a threat according to a known sample of that threat in order to block it. Instead, they ask the user whether a particular program should be allowed to connect to the network or not. This is the most difficult part of firewall operation for users because, understandably, most people are not equipped with the specialist knowledge needed to make this determination. They are not familiar with the specifics of networking or operating systems’ internal functions and cannot provide an informed answer to the firewall’s question.</p>
<p>So, to a certain extent, the firewall is only as secure as the user’s ability to answer these questions; if it turns out that the user responded incorrectly and inadvertently allowed access to a Trojan, the firewall was simply doing what it was told by granting access to this particular malicious program. In an attempt to alleviate this situation, the majority of firewalls now include a “white list” of known good applications and system services that are automatically granted network access without asking the user. To enhance the user’s understanding of individual activities and help in making the right decision when configuring new access permissions, some firewalls now incorporate a system of context-sensitive advice and live hints in this process.</p>
<p>In order to correctly handle network activity for the majority of internet-enabled applications not covered by the firewall’s existing white list, some sophisticated firewalls (including Outpost Firewall Pro and ZoneAlarm Pro) are supported by a continuously-updated online database of known-good and known-malicious programs that is regularly downloaded to users to minimize the number of questions users need to answer to keep their protection up to strength. But of course, no system is perfect, and not every software application will be included in any vendor’s list, so there will always be a few questions users need to answer for themselves.</p>
<p>As we can see, today’s firewalls are rarely just plain traffic filters. Many now include additional functionality such as Host Intrusion Prevention Systems (HIPS) to control local interactions and application activity, parental control features, safe surfing controls, advanced connection monitoring and logging systems, and other approaches that will be discussed in future articles.</p>
<h2>Summary</h2>
<p>What firewalls can do:</p>
<ul>
<li>Guard network and internet connections against malicious or unwanted content.</li>
<li>Block known internal or external attacks and protect the integrity and privacy of intra-network data.</li>
<li>Prevent malicious code from accessing the network and transmitting personal data to cyber criminals.</li>
<li>Filter network data according to user-defined criteria.</li>
<li>Hide the presence of a PC on the internet, protecting it against network probes and botnets looking for vulnerabilities.</li>
</ul>
<p>What firewalls cannot do:</p>
<ul>
<li>Remove malware from a system that has already become infected.</li>
<li>Provide automatic protection against unknown connection attempts; user input is required for these decisions.</li>
</ul>
<p>Potential drawbacks of firewalls:</p>
<ul>
<li>Because the firewall is a mutually exclusive tool, two firewalls cannot peacefully coexist on one system. Firewalls operate at a low level, communicating directly with networking hardware, and only one such set of communications can take place at one time.</li>
<li>Firewalls may slow data transfer speeds and use additional processor resources when monitoring large volumes of data being sent over high-speed connections.</li>
<li>Most firewalls also include some additional, secondary functionality such as parental controls or website content filtering which may cause interoperability issues with other security software offering similar functionality.</li>
</ul>
<h2>Conclusion</h2>
<p>While this has been a brief overview/refresher on what firewalls can and cannot do, it’s clear that the firewall is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of anti-virus, but if you have any questions in the meantime, please don’t hesitate to contact us through the Security Teacher comments space and we’ll do our best to help.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityteacher.com/2008/01/16/security-choices-part-1-the-software-firewall/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
	</channel>
</rss>
