One of the most wildly successful attacks on the Internet ever was the Sapphire worm. When this nasty little piece of code was released onto the Net, it spread from computer to computer with extraordinary speed. During its first minute on the Net, its rate of spread doubled every 8.5 seconds. Within three minutes it had reached its virulent peak and was scanning over 55 million IP (Internet Protocol) addresses a second, searching for more machines to infect. By the end of 10 minutes it had spread worldwide and infected around 90 percent of vulnerable hosts—over 75,000 machines. In the process it caused network outages, canceled airline flights, caused ATMs to fail and interfered with elections.
One worm. Ten minutes.
While Sapphire did not contain a malicious payload, merely by replicating itself it caused considerable harm, overloading networks and knocking database servers out of commission. In the words of the Cooperative Association for Internet Data Analysis (CAIDA) and four other organisations that jointly issued an analysis of Sapphire, “There is no conceivable way for system administrators to respond to threats of this speed.”
What, me worry?
Now perhaps you’re sitting there snug at your home computer or at a PC in your three-person office thinking “Well, that’s not my worry. I’m hardly a target for such things.” In a limited sense, you’re right. After all, Sapphire targeted machines running Microsoft SQL Server and the SQL Server Desktop Engine, software that runs primarily on business servers and workstations.
But, of course, it is your worry. The Sapphire worm and its ilk have a deleterious, if passing, effect on the Internet’s functioning and thus on all of us who are online. And the success of such attacks bears lessons for us all.
Lesson one: Software is full of vulnerabilities, ripe for exploitation. Sapphire’s target may have been business server software, but plenty of worms have targeted security holes in home and small office software, including Windows, Linux, Internet Explorer, Firefox, Adobe Reader, QuickTime, AOL Instant Messenger and so on.
Lesson two: Patches and firewalls make systems less vulnerable. In 10 minutes Sapphire infected 90 percent of vulnerable hosts. What made the others invulnerable? Two things: patches and firewalls. Microsoft had released patches one whole year before Sapphire hit and those who had installed these software Band-Aids were protected from the worm’s actions. In addition, the worm made use of the Microsoft SQL Monitor port to gain access to SQL Server on a target machine. If that port was blocked by a firewall, Sapphire stood no chance.
Lesson three: Antivirus software is not sufficient. Online threats take a variety of forms. Antivirus software is useful for stopping a particular group of threats, but other tools and actions are required to counter different types of dangers.
Lesson four: There are no innocent bystanders. Worms such as Sapphire exploit unprotected machines in order to launch attacks on others or on the fabric of the Internet itself. There’s no point in thinking “No-one would be interested in attacking my computer”; your computer may not be the target, but it is as attractive as any other as a launch pad for further attacks.
The home front
Let’s bring all this down to a more personal level, to the level of the simple broadband or dial-up connection linking your computer to the Internet.
That connection to the online world brings with it such a richness of information and resources it makes an unconnected computer seem pointless. At the same time it lays you open to risks that go far beyond Sapphire and its ilk. Spam, spyware, data theft, viruses, Trojans, privacy invasions, identity theft, system hijacking, credit card fraud. Your Internet connection makes you vulnerable to all these things and the sorry truth is it’s almost impossible to protect yourself completely from them all. But it’s certainly possible to minimize your exposure, making the online risks well worth the benefits and reducing the dangers to mere frustrations.
There are four steps you can take to ensure your Internet connection is not leaving you vulnerable to attack:
- Understand the nature of the threats you face;
- Use tools to combat those threats;
- Protect your data so you can recover if something slips past your guard;
- Keep up to date with news of evolving dangers.
Before the days of the World Wide Web, you could go for years without encountering a virus. In fact, you had to work pretty hard to fall prey to one. Nowadays, viruses are far more common. That’s because the Internet provides the ideal medium for disseminating viruses, Trojans, worms and other undesirables.
The important thing with viruses is not to let familiarity breed contempt. Anyone who’s seen what a really malicious virus can do to a system knows it’s nothing to trifle with. That’s why using antivirus software is so important.
Having said that, you should realize your antivirus software is only as good as its last update. Most of the current crop of antivirus programs take upon themselves the responsibility of downloading and installing updates, recognizing this is the sort of thing humans have a tendency to let slip. But don’t assume this is the case. If you’ve been letting the presence of an antivirus icon in your taskbar lull you into a sense of security, take the time to check whether this feeling is justified. It’s easy enough to do: simply open your antivirus scanner, look for an update option and run it manually. If the manual update doesn’t turn up anything new, chances are the software is doing a good job of auto-updating and you can leave it to its own devices.
Practical steps: virus prevention
- Install and use good antivirus software. If you can find free software that works well, fine. But tests consistently show that most free antivirus software is less effective than its commercial counterparts. Also, ensure your antivirus software works with your email program and web browser—those are two of the key entry points for viruses.
- Keep your antivirus software active at all times and make sure you’ve set it up to do a full system scan at regular intervals.
- Keep your antivirus software up to date using automatic updates. Every now and then, do a manual update to ensure the software is being updated.
- Use Windows Update to keep your operating system and other Microsoft products patched.
- Check regularly on vendors’ sites for patches for other software, especially browsers, email, instant messaging, chat and any other Net-based programs.
- Pay regular visits to your antivirus maker’s site to check on possible hoaxes as well as new virus alerts.
- Establish clear, easy-to-understand security policies and ensure everyone follows them. This goes for home use as well as in businesses and other organisations.
- Don’t open email attachments from unknown sources; they are one of the most common sources of infection.
- Don’t open unexpected email attachments from known sources without first checking with the sender. Some viruses replicate by using the contact lists of unsuspecting victims, emailing themselves to everyone on the list. Thus the message appears to come from someone you know, when the sender is really the virus itself.
Never forget your Internet connection is a two-way affair. It lets you browse the web, receive email and download files. It lets you chat, tweet and instant message with others. It also lets remote computers discover information about you including your IP address, which uniquely identifies your computer on the Net, and your computer name. And it lays open to the world any unprotected shared folders on your local area network.
In fact, without specific defenses installed, your computer is an open box to any determined cracker. The crackers don’t even need to raise a sweat to discover your vulnerabilities. All they need is a freely available, automated program called a port scanner that scans the Net for unprotected machines, noting those that are vulnerable. If you’re on the list, you become a prime target for a direct attack or as a way-station for an attack on other, juicier targets.
That’s where firewalls come in. Firewalls block unauthorised access to your computer. If a firewall does its job really well, it should render your computer completely invisible to attackers.
Firewalls come in two flavours, hardware and software. Hardware firewalls excel at blocking outside access and hiding your system from snoopers, but they’re not as effective at blocking unauthorized outgoing activity. Software firewalls are not quite as secure as hardware firewalls, but they are more effective at blocking outgoing traffic and are often highly configurable, so you can adjust them to your needs.
Your need for a firewall increases if you have a high-speed connection to the Internet, such as DSL or cable. Not only do such connections leave you permanently connected to the Internet and thus vulnerable at all times, they also tend to use static IP addresses, making it easier for crackers to locate your computer. Dial-up connections, being temporary and usually having dynamically assigned IP addresses, are not such easy targets, but don’t assume your dial-up connection makes you safe from attack.
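The port scanning described above leaves a trace when a firewall is doing its job: a run of dropped inbound packets from one address aimed at many different ports. The following script is an added example, not code from the original article, showing how a defender can spot that pattern in the text log the Windows Firewall writes (the `#Fields:` header names the columns: date, time, action, protocol, source and destination address and port, and so on). The log lines are constructed for illustration, using documentation address ranges rather than real hosts; the UDP 1434 line stands in for a probe of the SQL Server resolution port that the Sapphire worm used, a port number the article does not give but which is well documented. The threshold of five distinct ports is an assumption you would tune to your own traffic.

```python
"""Spot port-scan activity in Windows Firewall (pfirewall.log) lines.

Added example, not from the original article. Reports any source address
whose dropped inbound packets touched many distinct destination ports,
which is the signature of a scanner rather than of a single failed
connection. Log lines below are constructed; addresses are from the
documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
"""
from collections import defaultdict

# Constructed sample log: one host (203.0.113.9) probing a spread of ports,
# one host retrying a single port, and two unrelated allowed packets.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-05-01 10:00:01 DROP TCP 203.0.113.9 192.0.2.10 41000 21 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:01 DROP TCP 203.0.113.9 192.0.2.10 41001 22 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:01 DROP TCP 203.0.113.9 192.0.2.10 41002 23 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:02 DROP TCP 203.0.113.9 192.0.2.10 41003 80 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:02 DROP TCP 203.0.113.9 192.0.2.10 41004 135 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:02 DROP TCP 203.0.113.9 192.0.2.10 41005 139 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:03 DROP TCP 203.0.113.9 192.0.2.10 41006 445 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:03 DROP UDP 203.0.113.9 192.0.2.10 41007 1434 404 - - - - - - - RECEIVE
2010-05-01 10:00:05 DROP TCP 198.51.100.7 192.0.2.10 50000 445 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:06 DROP TCP 198.51.100.7 192.0.2.10 50001 445 48 S 1 0 65535 - - - RECEIVE
2010-05-01 10:00:07 ALLOW TCP 192.0.2.10 198.51.100.50 49152 443 52 S 1 0 65535 - - - SEND
2010-05-01 10:00:08 ALLOW TCP 198.51.100.50 192.0.2.10 443 49152 52 SA 1 1 65535 - - - RECEIVE
"""

# Assumed threshold: distinct destination ports from one source before we
# call it a scan. Tune to your own traffic.
SCAN_THRESHOLD = 5


def parse_log(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def find_scanners(text, threshold=SCAN_THRESHOLD):
    """Return {src-ip: sorted probed ports} for sources whose dropped
    inbound packets hit at least `threshold` distinct destination ports."""
    ports_by_source = defaultdict(set)
    for entry in parse_log(text):
        if entry["action"] == "DROP" and entry["path"] == "RECEIVE":
            ports_by_source[entry["src-ip"]].add(int(entry["dst-port"]))
    return {
        src: sorted(ports)
        for src, ports in ports_by_source.items()
        if len(ports) >= threshold
    }


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```

Only dropped packets on the RECEIVE path are counted, so your own outbound connections and their replies never inflate a source's port count; the host that retried port 445 twice is ignored, while the host that walked eight ports is reported.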
Practical steps: cracker deterrence
- Install a firewall on your computer. If you have an always-on connection, consider using both a hardware and a software firewall. Many DSL/cable routers have hardware firewalls built in. Note that Windows 7 comes with a firewall built in. Make sure it’s active.
- Consider using a firewall from a third-party developer in addition to the Windows firewall, especially if you’re using a pre-Windows 7 version. Note that the Windows 7 firewall can co-exist quite happily with compatible firewalls: it winds down its own operation and cedes control in most areas to the add-on firewall.
- Learn how to use your firewall. The default configuration is not always adequate. If you take the time to learn the ins and outs of your firewall you can significantly beef up your security.
- Test your firewall using Gibson Research’s Shields UP (it’s free). If you have both hardware and software firewalls installed, test each independently: to test the software firewall, connect your cable/DSL modem directly to your network interface card; to test the hardware firewall, connect your modem via the hardware device (router/hub) and disable or uninstall your software firewall.
- If you use your home network purely to share your Internet connection and don’t use it for sharing files or printers, disable File and Printer Sharing. File and Printer Sharing opens your files to outsiders. If you do use File and Printer Sharing, use it wisely: create strong passwords and don’t share the root folder of your drive (for example, C:\). Sharing the root folder means you’re sharing every single folder on the drive; it’s far safer to nominate specific folders for sharing.
Using a firewall not only protects you from outside attacks but also from some spyware activity. Spyware is software that is either installed by stealth on your system or which is installed openly but then takes covert actions once installed.
Spyware has grown to become more of a threat than viruses. That’s because, in its worst manifestations, it is a tool of thieves. Criminals, including organised Internet gangs, create spyware that surreptitiously watches what you do and grabs important information such as your passwords and user IDs in order to steal from your bank accounts or to make purchases using your credit card.
Less dangerous spyware comes in the form of adware—software that is free to download but which contains advertising delivered from the Internet. Sometimes you may decide it’s worth accepting the adware in order to get a desirable program. More often, though, you’ll find such software is highly invasive. Advertising and marketing companies use adware to monitor your online activities and preferences so they can create a profile of your interests. While most adware and spyware does not collect personally identifying information, some does. And, of course, it’s almost impossible to tell what sort of data is being sent home to the mother ship once the software is installed on your system.
Practical steps: stopping spyware
- Do not use early versions of Internet Explorer. Windows 7 comes with Internet Explorer 8 and if you’re going to use IE, that’s the version you want to use. Earlier versions, in particular IE 6, are unsafe.
- Whichever browser you use, make sure you check for updates regularly to ensure you’re using the most secure version.
- Install a firewall. To help prevent spyware activity, configure your firewall’s outgoing settings. This way you can prevent monitoring software from reporting home.
- Read the licence carefully before you install any software on your system, particularly freeware or shareware. The more interminably the license drones on and on, the more worthwhile it is to read it thoroughly. Very often a long license is one which is trying to bore you into submission.
- Pay for software. If an author offers both freeware and paid versions of a program, opt for the latter. Paid software rarely contains adware or spyware. In addition, paying for software encourages authors to junk the adware approach.
- Use anti-spyware software. You should install and run a combination of anti-spyware programs, as no single program catches all spyware. I recommend Windows Defender (it’s part of Windows 7) and the free SpyBot Search & Destroy in conjunction with SuperAntiSpyware. Also, many of the security suites, such as Eset and Avast, combine both antivirus and anti-spyware software, so you may want to use such a combination product. Keep in mind that disabling adware may also disable the freeware program on which it piggybacked.
- Read before you click online. Some websites try to trick you into installing software on your computer. It’s especially important not to click OK on dialog boxes which pop up unexpectedly.
One of the nastier perils of using email is a scam known as phishing.
Phishing is the attempt to inveigle you into parting with important information by sending you email which purports to come from a legitimate source. In most cases, the email appears to come from a financial institution or an online service where you have a financial account—a bank, an online escrow or payment service, a credit card company, an auction site. In most cases, the phishers try to lure you to a bogus website where you’re asked to enter your name, user ID, password or account number.
It sounds like the sort of thing that should be easy to spot and avoid, but it’s not. Some phishing scams are remarkably polished, with phony email and accompanying websites difficult to distinguish from the real thing. The scams also make use of some critical flaws in earlier versions of Internet Explorer which make it easy for scammers to hide themselves.
And phishers move fast. Within minutes of hooking a credulous phlathead, a phisher will run up charges against an account.
How does phishing work? Cleverly crafted phish-mail uses mimicry and the loopholes in HTML code to mask wicked intent with a benign face.
Here’s how a phishing email works:
- It comes from a seemingly trusted source, such as your bank or PayPal. PayPal is a prime phishing target because millions of people use it to pay for their online auction purchases or other international payments. Phishers almost never know whether you have an account with PayPal or any other financial institution, but by spamming millions of users they are sure to hit many people who do have such an account. Those who don’t have an account, of course, will immediately recognize the phishing lure for what it is.
- The From address in the email is ‘spoofed’, so it appears to come from a legitimate source. This is a common technique used by spammers as well as phishers.
- The email is in HTML (hypertext markup language) format, complete with graphics, logos and text formatting borrowed from the actual site. So, for example, if you receive a phishing email purportedly from Citibank, the email will contain logos and graphics from Citibank’s own site. These “genuine” elements help mask the central link you’re invited to click.
- The hook is well baited. The content of the email will provide a seemingly legitimate reason for the email. For example, one PayPal phishing scam claimed that a computer crash had deleted some PayPal member data. It requested the recipient to sign in and verify their data. As an inducement and to ‘apologize’ for the inconvenience, the email offered the “next two incoming transfers for free” to those who updated their data. Recipients’ fears were soothed further by the statement “Account balances have not been affected.”
- Many of the links in the email go directly to the legitimate site. The critical link, designed to get you to log on and divulge your details, goes elsewhere but its destination is disguised. So if you hover your mouse pointer over that link you’ll see an innocuous address, such as https://paypal.com when, in fact, the link leads somewhere else.
As you’ll note, every single element in a phishing email may well be entirely innocuous, with the sole exception of the critical login link.
Practical steps: avoiding the phishing bait
Despite the sophistication of some phishing scams, most are easy to detect and, with a little work, it’s not too hard to steer clear of the sophisticated versions. Here’s how to avoid taking the bait and becoming a phlathead yourself:
- Watch out for spelling errors, poor grammar, and bad formatting. While legitimate companies may send out such shoddy emails, usually it’s a good sign the email is fraudulent.
- If you get an email requesting you update your account details, do not use the links within the email to connect to the site. Instead, open your browser and type in the company’s regular website address, or contact them by phone.
- Beware of generic emails from financial institutions. Most banks and other financial institutions will use your name and/or the final digits of your account number, so you know the email has been sent directly to you. Remember, phishers succeed by sending out millions of generic emails on the assumption that some of the recipients will have accounts at the bank they use as “cover”.
- Never send personal financial information via email.
- Keep your browser updated to the latest version.
- When entering financial or confidential information online, check that you’re on a secure site (you’ll see a padlock in the status bar and the site’s address should begin with ‘https’ instead of the usual ‘http’).
- Check the website address displayed in your browser’s address bar, as well as checking the status bar and text displayed when you hover over a link.
- Keep an eye out for unauthorized activity on your accounts. If your bank or credit card companies provide online access to your account, check these regularly. If a phisher hooks you, you’ll spot unauthorized charges quickly.
- Consider using a browser other than Internet Explorer. Firefox, Opera and several other browsers are not subject to the same address-spoofing flaws.
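The anatomy of a phishing email laid out above, and the checks in the practical steps (does the address you see match where the link really goes, is the site https, does the sender really belong to the institution it names), can be turned into simple automated tests. The script below is an added example, not code from the original article, using only Python's standard library. It parses a constructed sample message, collects every link from the HTML body, flags any link whose visible text looks like a web address but whose real destination is a different site, flags links that are not https, and flags a From header whose display name mentions a brand while the address sits at an unrelated domain. The sample message and the hostnames ending in `.invalid` are constructed placeholders; the brand-to-domain table passed to `analyze` is an assumption you would fill from the institutions you actually deal with.

```python
"""Heuristic checks for the tell-tale signs of a phishing email.

Added example, not from the original article. Everything here is
standard-library Python; the sample message and its hostnames are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that borrows a real brand name but whose
# sender and login link live elsewhere. ".invalid" hosts are placeholders.
SAMPLE_EMAIL = """\
From: "PayPal Customer Service" <service@example-mail.invalid>
To: victim@example.org
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>A server crash deleted some member data. Please sign in to verify.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="http://example-login.invalid/verify">https://paypal.com</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html):
    """Return findings about the anchors in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"not https: {href}")
        # Visible text that looks like a URL but names a different site than
        # the href is the disguised login link the article describes.
        if text.startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text)
            if registered_domain(shown.hostname or "") != registered_domain(target.hostname or ""):
                findings.append(f"link text {text!r} but href goes to {target.hostname}")
    return findings


def check_from_header(from_value, claimed_domains):
    """Flag a display name that mentions a brand whose domain does not
    match the domain of the actual sender address."""
    name, addr = parseaddr(from_value)
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    findings = []
    for brand, domain in claimed_domains.items():
        if brand.lower() in name.lower() and sender_domain != domain:
            findings.append(f"From display name mentions {brand} but address is at {sender_domain}")
    return findings


def analyze(raw_email, claimed_domains):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw_email)
    findings = check_from_header(msg.get("From", ""), claimed_domains)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings.extend(check_links(body))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, {"PayPal": "paypal.com"}):
        print("WARNING:", finding)
```

Run against the sample, the script raises three warnings: the sender address is not at the brand's domain, the verification link is plain http, and its visible text names one site while its href points to another. The genuine "Help Center" link passes, which matches the article's point that everything in a phishing email may be innocuous except the one link that matters. A display-name check like this is deliberately crude (a brand could be mentioned legitimately), so treat the output as a prompt to type the institution's address into the browser yourself rather than as a verdict.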
What I use
There are plenty of very good security products available. The ones I like:
- provide good, reliable protection;
- provide updates automatically and frequently;
- don’t affect my computer’s performance adversely;
- operate quietly and unobtrusively;
- are easy to use. (I don’t mind getting my hands dirty, but I like to use software I can recommend to those with less computer experience.)
Given those criteria, these are the programs I use:
- Antivirus: Avast (free version at home, Avast Pro at work)
- Anti-spyware: Superantispyware and Spybot Search & Destroy. Remember, with anti-spyware software, it’s better to double up your defences. Spybot is free, while Superantispyware comes in two versions, a free Home version and the Professional version. I use the Professional version because it provides real-time monitoring and blocking of threats plus automatic updates. You can see a comparison of the two versions here.
- Firewall: Windows 7 firewall and ZoneAlarm Free (plus the hardware firewall in my Linksys router).