Wednesday, June 27, 2007

Internet Worms

People use e-mail more than any other application on the internet, but it can be a frustrating experience, with spam and especially e-mail worms filling our inboxes.
Worms can spread rapidly over computer networks, the traffic they create bringing those networks to a crawl. And worms can cause other damage, such as allowing unauthorized access to a computer network, or deleting or copying files.

The first incarnations of internet worms weren't the malevolent threat they are today. These early worms (developed in 1982 at Xerox's Palo Alto Research Center by John Shoch and Jon Hupp) were, in fact, designed to perform useful tasks within a network.
Despite the evident usefulness of these programs, it was also clear that in the wrong hands they could quite easily be turned to malevolent uses.
The first true Internet worm (and probably the most famous) was released on 2nd November 1988 by Robert T. Morris. It attacked Sun and DEC UNIX systems attached to the Internet and within 24 hours had invaded 4,000-6,000 machines.
The Melissa worm was first recognized on 26th March 1999. It was the first major mail worm, a form of worm which was to become hugely prevalent. Melissa was written by David L. Smith and named after a lap dancer he met in Florida.
Melissa contained a Word macro virus, but unlike previous viruses of this type it could spread in a semi-active manner. It attacked Microsoft's Outlook and Word programs: any time an infected user attached a Word document to an email, this email was sent to the first 50 addresses in the recipients' address book if they used Outlook as the mail client.
In 2001 active worms made a return to prominence. The first of these worms to be noticed was called Code Red. Code Red was a relatively simple worm which affected computers running Microsoft's Internet Information Server (IIS) web server. It infected over 350,000 servers in just over 12 hours. Once it infected a system, Code Red waited for 20-27 days to launch denial of service attacks on several fixed IP addresses, including the IP address of the White House.

How do they spread?
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. When you receive a worm over e-mail, it will be in the form of an attachment, represented in most e-mail programs as a paper clip.
If you click on the attachment to open it, you'll activate the worm, but in some versions of Microsoft Outlook, you don't even have to click on the attachment to activate it if you have the program preview pane activated.
The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding.
Other worms can use multiple methods of spreading. The MyDoom worm, which started spreading in January 2004, attempted to copy infected files into the folder used by Kazaa, a file-sharing program. The Nimda worm, from September 2001, was a hybrid that had four different ways of spreading. According to Computer Economics, the associated damage from Code Red and Nimda came to $3.72 billion.

How to protect your computer?
  • Make sure you visit the Windows Update site frequently.
  • Most antivirus programs also provide a feature that allows you to update their definitions automatically – make sure you enable that as well.
  • Remove Spyware and Adware.
  • Prevent Spam.
  • Basically there is no one absolute defense from anything – use a combination of software and hardware protection.
  • Don’t run files from unknown sources, and confirm with the sender the authenticity of any unexpected attachment, especially an executable file (*.exe, *.scr, *.bat, *.com, *.vbs, *.cmd, etc).
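The last tip can be applied mechanically at the mailbox or gateway. The sketch below is an added example, not part of the original post: it parses a message with Python's standard `email` package and lists attachments whose final extension is one of those named above. The sample message, addresses and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the post names as risky executable attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".vbs", ".cmd"}


def has_blocked_extension(filename: str) -> bool:
    """True when the final extension of the filename is on the block list."""
    # Windows ignores trailing dots and spaces, so "a.exe. " is treated as a.exe.
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    # Only the last extension decides how the file opens: "invoice.pdf.exe" is an .exe.
    return dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS


def risky_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments that should be held for confirmation."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and has_blocked_extension(part.get_filename())
    ]


def build_sample_message() -> bytes:
    """Constructed sample message with four attachments (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for name in ("report.pdf", "Invoice.PDF.exe", "photo.jpg.SCR", "notes.txt"):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample_message()):
        print("hold for sender confirmation:", name)
```

The check looks only at the filename, so an executable inside an archive or a renamed file still needs the antivirus scanning mentioned earlier in the list.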

Thursday, June 21, 2007

Strong Passwords: Tips

One of the problems with passwords is that users forget them. Different networks, sites and applications have their own password requirements and more classified or personal information merits stronger, more unique authentication.
It is difficult when your employer requires a password of at least 8 characters that must include at least one number and one special character, but your bank requires a password of at least 6 characters that must include at least one uppercase, one lowercase and one numerical character. Then, one web site you visit only allows a 4-character password, all numbers, and an application you use requires an 8-character password, but doesn't allow numbers or special characters.
In an effort not to forget them, users choose simple things like their dog’s name, their son’s first name and birthdate, the name of the current month - anything that will give them a clue to remember what their password is.
For the curious hacker who has somehow gained access to your computer system, this is the equivalent of locking your door and leaving the key under the doormat. Without even resorting to any specialized tools, a hacker can discover your basic personal information (name, children’s names, birthdates, pets’ names, etc.) and try all of those out as potential passwords.
To create a secure password that is easy for you to remember, follow these simple steps:

1. Do not use personal information.
You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet's name, child's birth date and other similar details.

2. Do not use real words. There are tools available to help attackers guess your password. With today's computing power, it doesn't take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.

3. Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'.

4. Use a passphrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word.
For example, rather than just having a password like 'yr$1Hes', you could take a sentence such as "I like to read the Internet / Network Security web site" and convert it to a password like 'il2rtA!nsws'. By substituting the number '2' for the word 'to' and using an exclamation point in place of the 'i' for 'Internet', you can use a variety of character types and create a secure password that is hard to crack, but much easier for you to remember.

5. Use a password management tool. Another way to store and remember passwords securely is to use some sort of password management tool. These tools maintain a list of usernames and passwords in encrypted form. Some will automatically fill in the username and password information on sites and applications.
Arovax TraySafe password manager was created specially to relieve computer users of headaches about lost passwords, typing usernames and passwords, and securely storing valuable information.

Using the tips above will help you create passwords that are more secure, but you should also follow these tips:
  • Use different passwords. You should use a different username and password for each login or application you are trying to protect. That way, if one gets compromised, the others are still safe. Another approach which is less secure, but provides a fair tradeoff between security and convenience, is to use one username and password for sites and applications that don't need the extra security, but use unique usernames and more secure passwords on sites such as your bank or credit card companies.
  • Change your passwords. You should change your password at least every 30 to 60 days. You should also not re-use a password for at least a year.
  • Enforce stronger passwords. Rather than relying on every user of the computer to understand and follow the instructions above, you can configure Microsoft Windows password policies so that Windows will not accept passwords that don't meet the minimum requirements.
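Tips 1 to 3 above can be enforced by a program instead of being left to memory. The following checker is an added example, not part of the original post or of any Windows policy: the tiny word list, the look-alike character table, the owner details and the thresholds (8 characters, 3 character types) are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for a real dictionary file; a deployment would load a full word list.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "summer", "january", "welcome"}

# Assumption: undo common look-alike substitutions so "P@ssw0rd" still matches "password".
LOOKALIKES = str.maketrans("@4301!$5", "aaeoiiss")


def character_types(password: str) -> int:
    """Count how many of lowercase, uppercase, digit and special are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in patterns if re.search(pattern, password))


def password_problems(password, personal_info, dictionary=SAMPLE_DICTIONARY,
                      min_length=8, min_types=3):
    """Return the list of tips the password violates (empty list means accepted)."""
    lowered = password.lower()
    forms = (lowered, lowered.translate(LOOKALIKES))
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Tip 1: names and the digit groups of dates (3+ characters) must not appear.
    tokens = {t for item in personal_info
              for t in re.findall(r"[a-z]+|\d+", item.lower()) if len(t) >= 3}
    if any(t in form for t in tokens for form in forms):
        problems.append("contains personal information")
    # Tip 2: no real words, even with look-alike characters swapped in.
    if any(word in form for word in dictionary for form in forms):
        problems.append("contains a dictionary word")
    # Tip 3: mix character types.
    if character_types(password) < min_types:
        problems.append(f"uses fewer than {min_types} character types")
    return problems


if __name__ == "__main__":
    owner = ["Rex", "2015-03-09"]  # constructed pet name and birth date
    for candidate in ("Rex2015!", "P@ssw0rd1", "summer07", "il2rtA!nsws"):
        print(candidate, "->", password_problems(candidate, owner) or "accepted")
```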

Wednesday, June 06, 2007

Secure your Credit Card information

Internet fraudsters keep finding new methods of using the Internet to scam innocent consumers and online users, who are said to be the common targets. This fraud is very popular because of its anonymity and the low risk involved. Added to this is the fact that not many countries are ready to face this disaster or have strong policies and laws to pursue cases against suspected fraudsters.
Fraud on the Internet includes, but is not limited to: fraudulent or fake web sites, untrustworthy websites, phishing (fishing) for personal information with fraudulent emails, Online auction frauds - buyers and sellers, increased Nigerian 419 Advance Fee Fraud, Lottery Advance Fee Scams, Business Opportunities & Work from Home Scams, International Modem Dialing and Cramming, and credit card fraud.

Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app.

Protect from what?
The most common and most successful frauds are done through the use of stolen credit card information, which is obtained in many ways:
  • Worms that contain malicious code to extract information from the infected computers. In the past, worms were designed primarily to propagate. Now, many of the significant worms are designed to steal sensitive information such as credit card numbers, social security numbers, PIN codes, and passwords and send the information to the attacker for nefarious purposes including identity theft. Unfortunately, attackers have become very adept at circumventing traditional defenses such as anti-virus software and firewalls. Arovax Shield detects and notifies you about all major online threats trying to penetrate your system, isolates & blocks them.
  • Fraudsters can get access to information about your online credit card payments through your PC if you have ever used online services to purchase something from sites that are not secured.
  • Installation of keyloggers and monitoring software on users’ computers. Keyloggers are a form of spyware that tracks a person's keystrokes and then sends the information to someone who can translate and exploit it. This can copy the keystrokes on e-mail, instant messenger, and any other Internet activity. The person collecting the information can get information such as credit card numbers, user names and passwords, and more. These handy little devices have been around for some time, but the increase of spyware has brought them out to the front and center. It is easy to infect a computer with this type of software, and very common. A user can easily go to the wrong web site and get infected, or someone can manually place this on the computer as well.
  • Using privacy leaks in your system, fraudsters get such information about you as your name, your street address or your email, masquerade as a trustworthy person and send you an apparently official email trying to find out your credit card PIN and number. Your IP address or "Internet Address" can be used to trace your location and personal information. With Arovax SmartHide, whenever you visit websites, your real IP address is not provided to the other people involved in the transaction. Most hacking is based on using your real IP address, which the hacker won’t be able to get; without it they have no idea where to hack into.
Electronic mail (email) is also vulnerable. This is because, like the real post, it spends a lot of time being stored and awaiting delivery: for instance, if a telecommunications link fails, then email that would have used that link will stay, waiting, until the link is restored. It is in principle possible for someone to bribe a computer operator at one of the mail servers and thus somehow gain access to all undelivered mail. A sophisticated program might then be able to extract anything that looked like a credit card number.
Remember, the amount of risk in giving out a credit card number is limited by two important factors:
  1. Anyone taking card numbers from that Web site and trying to use them before they were cancelled would have put him/herself in a very difficult position. To use a card number and expiration date, without a physical card, to purchase tangible goods by phone or over the Web, you need to give an address to which the merchandise will be delivered, which makes the transaction very traceable. Cash advances require PIN numbers, which you never give to online retailers. So the thief would be limited to paying for on-line memberships or buying "soft goods," such as software, content, and music, that can be downloaded directly from a Web site; and companies in that business tend to take extra precautions to prevent credit card fraud because of their unique vulnerability.
  2. The credit card company limits your liability. Federal law limits your liability to $50 if someone makes unauthorized charges to your account, and most credit card issuers will remove them completely if you report the problem promptly. There are new technologies, such as “substitute” credit card numbers and password programs, that can offer extra measures of protection from someone else using your credit card.
Your level of comfort in using your credit card on the World Wide Web is a personal matter.

How to decrease risks?
  • Know who you’re dealing with. If the seller or charity is unfamiliar, check with your state or local consumer protection agency and the Better Business Bureau. Some Web sites have feedback forums, which can provide useful information about other people’s experiences with particular sellers. Get the physical address and phone number in case there is a problem later.
  • Be aware that no complaints is no guarantee. Fraudulent operators open and close quickly, so the fact that no one has made a complaint yet doesn’t mean that the seller or charity is legitimate. You still need to look for other danger signs of fraud.
  • Don’t believe promises of easy money. If someone claims that you can earn money with little or no work, get a loan or credit card even if you have bad credit, or make money on an investment with little or no risk, it’s probably a scam.
  • Understand the offer. A legitimate seller will give you all the details about the products or services, the total price, the delivery time, the refund and cancellation policies, and the terms of any warranty.
  • Resist pressure. Legitimate companies and charities will be happy to give you time to make a decision. It’s probably a scam if they demand that you act immediately or won’t take “No” for an answer.
  • Be cautious about unsolicited emails. They are often fraudulent. If you are familiar with the company or charity that sent you the email and you don’t want to receive further messages, send a reply asking to be removed from the email list. However, responding to unknown senders may simply verify that yours is a working email address and result in even more unwanted messages from strangers. The best approach may simply be to delete the email.
  • Beware of imposters. Someone might send you an email pretending to be connected with a business or charity, or create a Web site that looks just like that of a well-known company or charitable organization. If you’re not sure that you’re dealing with the real thing, find another way to contact the legitimate business or charity and ask.
  • Guard your personal information. Don’t provide your credit card or bank account number unless you are actually paying for something. Your social security number should not be necessary unless you are applying for credit. Be especially suspicious if someone claiming to be from a company with whom you have an account asks for information that the business already has.
  • Beware of “dangerous downloads.” In downloading programs to see pictures, hear music, play games, etc., you could download a virus that wipes out your computer files or connects your modem to a foreign telephone number, resulting in expensive phone charges. Only download programs from Web sites you know and trust. Read all user agreements carefully.