<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Information Security Blog</title>
	<atom:link href="http://dannyranjeev.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://dannyranjeev.wordpress.com</link>
	<description>Know all about InfoSec.....</description>
	<lastBuildDate>Wed, 18 May 2011 01:15:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='dannyranjeev.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/5b03754ef04beeac69564b7c38790da7?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Information Security Blog</title>
		<link>http://dannyranjeev.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://dannyranjeev.wordpress.com/osd.xml" title="Information Security Blog" />
	<atom:link rel='hub' href='http://dannyranjeev.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Traps on the internet</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/28/traps-on-the-internet/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/28/traps-on-the-internet/#comments</comments>
		<pubDate>Mon, 28 Sep 2009 17:47:54 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phoneyware]]></category>
		<category><![CDATA[scareware]]></category>
		<category><![CDATA[traps]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=40</guid>
		<description><![CDATA[Introduction We all learn at a very young age to analyse – either consciously or unconsciously – other people&#8217;s body language and intonation. Research shows that about 60% of the time, we pay more attention to a person&#8217;s body language than what they are actually saying, and we use this information to draw conclusions about [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=dannyranjeev.wordpress.com&amp;blog=9479530&amp;post=40&amp;subd=dannyranjeev&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h2><strong>Introduction</strong></h2>
<p>We all learn at a very young age to analyse – either consciously or unconsciously – other people&#8217;s body language and intonation. Research shows that about 60% of the time, we pay more attention to a person&#8217;s body language than what they are actually saying, and we use this information to draw conclusions about how truthful a speaker is being. These conclusions are vital in helping us avoid falling victim to scammers, fraudsters or anyone else trying to manipulate us. But fraud and deception aren&#8217;t just a threat in real life – a range of virtual scams have been increasing significantly on the Internet for some time now. This means we have to take a new approach to evaluating possible threats; there&#8217;s no body language or intonation involved in email or social networks, and generally we only have text and graphics to guide us. So does this mean that we can no longer rely on gut instinct?</p>
<p>This would appear to be the case, at least on the face of things. However, the Internet does offer other cues which can be read in place of the gut instinct we feel is lacking; for this to work, we need to learn what to watch out for. Cybercriminals and scammers are unlikely to reinvent the wheel, so once you&#8217;ve encountered a scam or threat and recognised it as such, you can apply that knowledge the next time. This article therefore focuses on some typical examples and explains how you can protect yourself. It is primarily aimed at those who are new to the Internet, but the examples may also teach Internet veterans a thing or two.</p>
<h2><strong>Classic E-mail Threats</strong></h2>
<p>If you&#8217;re new to the Internet, probably one of the first things you&#8217;re going to do is set up an email account. Not only do you want friends and family to be able to contact you, you&#8217;ll need a valid email address if you want to buy things online or sign up for forums or social networks.</p>
<p>Unfortunately, just as your mailbox at home can get crammed with advertising fliers which you never requested, your email address can also get filled with unwanted messages. Up to 89% of all emails sent are what is known as spam: messages you never asked for which offer you cheap credit, discount Viagra and a wide range of other products and services. These offers are not legitimate, and the messages often contain links to websites that serve viruses, Trojans or other malicious programs, or carry such programs as attachments. Delete these messages without opening them; then they cannot damage your computer – the only thing you lose is the time spent deleting them.</p>
<p>It&#8217;s easy to say you should delete these emails, but sometimes they just look too tempting to throw out. Cybercriminals are smart: they&#8217;re particularly active around major holidays such as Christmas, Easter, and of course Valentine&#8217;s Day. The latter in particular is a golden opportunity for the bad guys – it&#8217;s traditionally the day where you can admit your feelings for someone without embarrassment, even if that person is just a distant acquaintance. So if you got an email on Valentine&#8217;s Day with the subject &#8216;I love you&#8217;, would you open it?</p>
<p>It&#8217;s not only holidays and hot topics that the cybercriminals make use of. The Internet is often described as the ultimate entertainment medium, and there are lots of sites dedicated exclusively to amusing articles, images and videos. We all love a bit of distraction, and cybercriminals play on this, sending messages with intriguing subjects like &#8216;Check out this funny video!&#8217; or &#8216;Funny photo!&#8217; But you should resist the temptation to open the file attached to the message: it&#8217;s 99.99% likely to contain a program which can damage the data stored on your computer, spy on your online activity and/or defraud you in some way. In her article &#8220;Spam evolution: June 2009&#8221;, my colleague Tatyana Kulikova stated that 0.31% of all emails sent on the Russian Internet have malicious attachments. This might not appear to be a particularly high percentage, but given that 500,000 types of spam message are sent every day, the total number of malicious messages is going to be fairly large, especially when you consider that any one spam message will be sent to millions of email addresses.</p>
<h2><strong>Phishing</strong></h2>
<p>Probably one of the best-known scams is phishing. You receive an email which asks you to go to a site (the link is given in the email) and enter some personal information – this might be a password, a bank account number etc. The email might look as though it&#8217;s come from your bank, from eBay, from a payment system like PayPal etc. However, no matter how convincing the message might look, it&#8217;s a fake; if you click on the link and enter the information requested, cybercriminals can get hold of your data and use it for their own ends.</p>
<p>A lot of banks have now put additional security measures in place to combat phishing attempts, and this means that phishing emails which target the most widely-used banks are on the decline. However, this doesn&#8217;t mean that this type of scam isn&#8217;t being used anymore – it&#8217;s simply been modified to keep up with the changing times.</p>
<p>Phishing emails are an international phenomenon: a basic text gets translated into a range of languages, and an email is then designed to imitate the look and feel of a well-known bank or financial institution. Most of the effort goes into the design of the email, and the logos and colours used are often difficult to distinguish from a genuine communication. The text, on the other hand, is likely to be riddled with spelling and/or grammar errors: an instant red flag. Additionally, emails that start &#8220;Dear customer&#8221; rather than using your actual name are a strong indication of a phishing attempt; these days, when even newsletters are personalized, a legitimate communication will almost always use your name. And finally, legitimate banks never request PINs, TANs or other sensitive information, and certainly not via email.</p>
<p>As mentioned above, it&#8217;s not just banks which suffer from phishing attacks. Recently, a large number of phishing emails have been designed to harvest account data for online payment systems such as PayPal or auction sites such as eBay. Phishing mails make up 0.94% of all spam, and an incredible 60% of these messages target PayPal. Phishing emails of this type often threaten closure of your account, allegedly because it has not been used for some time. To retain your account, the message says, you should log in; and of course, there&#8217;s a handy link provided in the email. If you click on it, you&#8217;ll see a page which looks like the site in question, and it asks you to enter your user name and password. Although it might look like the real thing, this website is a fake. You should never use links in emails which lead to a page where you&#8217;re requested to enter sensitive information. Use the bookmarks in your browser or type the address yourself into the address bar. Even if the link appears to be legitimate, the text you see is not necessarily the address you will be sent to: the visible text of a link can name one site while the underlying address points to another, and JavaScript running in the background can redirect you to a completely different address from the one displayed.<img class="alignright size-full wp-image-41" title="eBay" src="http://dannyranjeev.files.wordpress.com/2009/09/picture12.png?w=460" alt="eBay"   /></p>
<p>If you&#8217;re unsure whether an email is genuine, call the company in question directly or send them an email asking whether the message is genuine. If you choose to contact a company via email, however, don&#8217;t just reply to the dubious message: find a contact address on the company&#8217;s website and use that instead. This ensures that your query goes to the company itself and not to a reply address controlled by the scammers or spammers.</p>
<h2><strong>Who wants to be a money launderer ?</strong></h2>
<p>In the current economic climate, lots of us are looking for jobs, so news of vacancies is always welcome. Suppose you get a job offer via email, which promises a good salary for a job that allows you to work from home and requires minimum time and effort. Even if you&#8217;ve already got a good job, the idea of making an extra €1,500 to €2,000 each month is obviously appealing. So what do you need to do? Simply receive sums of money from account A and transfer them to account B via Western Union, minus a certain percentage which you keep as commission.</p>
<p>Sadly, if something appears to be too good to be true, it usually is. The sums you&#8217;re being asked to transfer come from phishing or other scams; your role is to ensure that the money reaches the scammers&#8217; accounts by a convoluted route. This makes the criminals far harder to trace, while the transaction you made is very easy to trace. By completing such transactions you become what&#8217;s known as a money mule, and are guilty of money laundering or of aiding and abetting criminal activity. If you get caught, you could face a hefty fine and potentially a criminal record. So once again, the best way of dealing with these emails is simply to hit delete, no matter how tempting the offer might sound.</p>
<h2><strong>Scareware</strong></h2>
<p>Imagine this: you&#8217;re browsing websites looking for new wallpaper for your desktop. Suddenly a message pops up telling you that your computer is infected with 527 Trojans, viruses and worms. This might seem strange; you&#8217;ve got security software on your computer, and it&#8217;s not said anything about infections or threats. Maybe it&#8217;s not working properly? Or it&#8217;s overlooked something?</p>
<p>Once the initial shock passes, you take a closer look at the message. It says you can download new antivirus software that will solve your problem. And best of all, the software is free! Relieved, you take advantage of the offer, download the program and install it. You run the virus scan again manually, only to find that the software has now found even more infections, and this time you&#8217;re shown a different message: the malware can only be removed by the full version of the product, which you have to purchase. A quick look at the website reveals prices between €30 and €80. As the security software you installed originally seems to have let you down, you pin your hopes on the newly discovered &#8220;miracle solution&#8221;, buy it, and click on &#8220;Disinfect&#8221;. All the threats seem to be quickly eliminated&#8230; or are they?</p>
<p>This is a well-established scam; it plays on your fear that your computer is seriously infected. Scareware programs of this kind use differing approaches. The most common is that while you&#8217;re surfing the Internet, you are shown a popup window which appears to be scanning your hard drive; it then reports a randomly generated number of malware infections. A slightly less common approach is the drive-by download: you visit a compromised website, and a piece of unwanted software gets onto your computer without any action on your part. In the case of scareware, the software then repeatedly displays messages informing you that your machine is infected. Even your wallpaper may be changed to remind you of the infections (which, it should be remembered, don&#8217;t actually exist). Changing the wallpaper back to the original image is made deliberately difficult: the option to do so is removed from the settings menu, and although there are other ways to do it, they require more technical knowledge than many people have. So what initially appears to be a &#8220;miracle solution&#8221; turns out to be software with no benefit whatsoever for the user.<img class="alignleft size-full wp-image-42" title="Scareware" src="http://dannyranjeev.files.wordpress.com/2009/09/picture21.png?w=460" alt="Scareware"   /></p>
<p>However, scareware does have benefits for the cybercriminals: they make money from selling licences for this fake security software. Additionally, such fake software often carries clearly malicious components which can be used to gain access to your machine, steal your personal data (which can then be resold) or turn your computer into a zombie machine used to send enormous amounts of spam. Although this last use might not seem obviously profitable, spammers will pay good money to buy or rent such machines to ensure that their messages are widely distributed – it&#8217;s just one more way to make money in the world of cybercrime.</p>
<p>The name scareware is entirely justified: a lot of effort goes into making sure, firstly, that the messages are convincing and, secondly, that the scareware programs themselves look genuine. In addition, such programs often have names which sound similar to the names of legitimate security applications. This all lends the scam an initial air of respectability which can fool even more experienced Internet users. So what should you do? Make sure you&#8217;ve got a reputable antivirus solution installed. If you start seeing messages like this, don&#8217;t be frightened, and certainly don&#8217;t buy the software on offer; an ordinary web page has no access to your hard drive, so a browser popup claiming to have scanned it is lying. Use your current security solution to run a full system scan.</p>
<h2><strong>Buyer beware: the danger of hidden subscriptions</strong></h2>
<p>These days, freeware – software which you don&#8217;t have to pay for &#8211; is available for almost every purpose imaginable. There&#8217;s something for everyone – games, media players, instant messenger clients etc &#8211; and a number of places where you can get these programs. Let&#8217;s say you&#8217;re looking for new software for office purposes – word processing, spreadsheets, etc. You run a search, and your search engine gives you a large number of options. The first sounds promising: a website that&#8217;s got the files you need, and it appears to be legitimate, so you click without giving it any further thought. However, before you can download what you want, the site requires you to register by entering your name, address and a valid email address. Although you think this is a bit unusual, you&#8217;ve heard of download portals where you have to register in order to get the full download speed. So, a little irritated, but well versed thanks to having registered with various online shops, social networks and forums in the past, you enter the requested data in the fields provided. You quickly tick the checkbox indicating that you agree with the terms and conditions; you don&#8217;t bother actually reading them, because after all, they&#8217;re always the same. A moment later, you&#8217;re happily downloading the program you need.</p>
<p>But a little while later you get a nasty shock in the form of an email demanding that you transfer €96. By agreeing to the terms and conditions, you have supposedly taken out a two-year support subscription, and if you don&#8217;t pay up, the email says, legal action will follow.<img class="aligncenter size-full wp-image-44" title="Phoneyware." src="http://dannyranjeev.files.wordpress.com/2009/09/picture14.png?w=460" alt="Phoneyware."   /></p>
<p>It&#8217;s estimated that 10 to 20% of victims pay up. However, you shouldn&#8217;t let yourself be intimidated by threats of this kind. This type of scam attempts to extract money by playing on people&#8217;s fear of the law – after all, you know that you didn&#8217;t read the terms and conditions (perhaps because you realized you had little chance of understanding them, or perhaps because you&#8217;d never heard of any negative consequences). If you get an email like this, do some research: look for similar cases on the Internet, or consult a lawyer. It&#8217;s likely that the demand either has no legal force or will remain just that – a threat – because the cybercriminals are content with the money they get from the 10 to 20% of victims who do pay up.</p>
<h2>Scams on social networking sites</h2>
<p>Young people in particular are attracted by social networks such as Facebook or MySpace. These sites mean you can keep in touch with existing friends, exchange information and search for new friends. However, there are also social networking sites for older users, which you can use to make and maintain business contacts or search for old school friends.</p>
<p>Whatever site you use, there are dangers here as well. Suppose a close friend asks you for help – you&#8217;ll probably say yes immediately. Now transfer this situation to a social networking site. A friend sends you a message on the site telling you he&#8217;s stuck at Heathrow, has been robbed and threatened with a weapon. Now he&#8217;s got no money, credit card or plane ticket, and he asks you to transfer $400 via Western Union so he can get home. You might hesitate a bit; why does the money have to go by Western Union? Your friend insists this is the only way that he can access the money. You ask if you can call him, but apparently the thieves have stolen his mobile phone as well. You gradually become more and more suspicious &#8211; your friend seems to be behaving in a peculiar way, and he&#8217;s using words and phrases you&#8217;ve never heard him use before. Maybe that&#8217;s just because he&#8217;s in such a stressful situation. Since you&#8217;re worried about your friend, and you don&#8217;t want to have a bad conscience, you eventually transfer the money. And then you don&#8217;t hear from him again.</p>
<p>So what&#8217;s actually happened? This type of scam is currently very popular and very effective because it&#8217;s relatively unknown. The explanation is quite simple: cybercriminals have gained access to your friend&#8217;s account and are trying to get money from all his contacts. If you use social networks a lot, you could have hundreds of friends, and you won&#8217;t always know where each person is, which makes the story more believable.</p>
<p>However, there are also clear signs that fraud is being attempted in the case described above. A European stuck in London would hardly ask another European for US dollars. The same applies to the language and phrases used. If you get a message like this, make sure you contact your friend directly. Even if he says in his message that his mobile has been stolen, try calling it: you&#8217;ll be pleasantly surprised when he picks up the phone, and not only will you get to chat to him, you&#8217;ll also make sure that the message you received was not genuine.</p>
<p>If you want to protect your own social network account(s) from being abused in this way, you just need to follow a few simple rules. One possible way of securing your account relates to the method for resetting your password. When you register on a social network, you often have the option of answering a &#8220;secret question&#8221;. If you forget your password, you can generate a new one by entering the answer to the question. Usually, you can only choose from three &#8220;secret questions&#8221;, which are very general – for instance, the name of your pet, or the first school you attended. If you&#8217;ve included any of this information in your profile or on your page, accessing your account will be child&#8217;s play.</p>
<p>In order to make your account more secure, remember that you can modify the question and answer at any time. Make sure you keep your login and password to yourself. Additionally, make sure you don&#8217;t fall victim to phishing attacks (described above) and use an up-to-date antivirus solution: this will keep your computer clean of Trojans which might steal your password and send it on to cybercriminals.</p>
<h2><strong>Twitter – the dangers of short URLs</strong></h2>
<p>Since its launch in 2006, Twitter has grown enormously: more than 25 million users now answer the site&#8217;s prompt &#8220;What are you doing?&#8221;. Twitter is a social network with a difference – the micro-blogging format limits messages to 140 characters, which makes it awkward to include URLs that could take up a good 50% of the available space. This is where less well-known Internet services come in: ones which convert long, convoluted addresses into a significantly shorter form. These URL shortening services have a drawback: it&#8217;s difficult to tell where a short, cryptic URL actually leads, so transparency suffers.<img class="aligncenter size-full wp-image-46" title="BLL" src="http://dannyranjeev.files.wordpress.com/2009/09/picture23.png?w=460" alt="BLL"   /></p>
<p>Cybercriminals have seized this opportunity, and use these services to convert addresses leading to infected websites into short form. Such messages can be spread automatically, and promise the truth about some sensational news, such as the death of a celebrity (e.g. Michael Jackson). When there&#8217;s no sensational news, the cybercriminals just invent something – for instance, the supposed death of Britney Spears was widely broadcast on Twitter, even though the singer was alive and well.</p>
<p>Such messages containing links to infected sites are simply a more evolved version of email scams – they play on your curiosity. Unfortunately, this type of cybercrime shows that a short URL on its own cannot be trusted: it tells you nothing about the destination. You can protect yourself with add-on tools: for instance, a popular plug-in for Firefox will expand a short URL back to its original form when you hold your mouse cursor over the link. Many shortening services also offer a preview page for each link, and the same result can be obtained by requesting the short URL without following the redirect and reading the Location header it returns. This gives you a good idea of whether the link leads to a reputable site or not, although a redirect chain can pass through several intermediate hosts, so it is the final destination that matters.</p>
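<p>The expansion that such a plug-in performs can be done by hand. The following Python script is an added example, not code from the original article: it issues one HEAD request per hop and returns the whole redirect chain rather than just the final page, stopping on a loop or on a chain longer than a limit. The network call is injectable, so the script is shown running against a constructed redirect table; the short.example and tracker.example hosts in it are hypothetical.</p>

```python
"""Expand a shortened URL by following HTTP redirects one hop at a time (added example)."""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def head_once(url, timeout=5):
    """Issue a single HEAD request and return (status, Location header or None).
    The redirect is deliberately NOT followed here, so every hop stays visible."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander-example/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=head_once, max_hops=10):
    """Follow redirects starting at `url` and return (final_url, chain).

    `fetch(url)` must return (status, location); it is a parameter so the
    logic can be exercised offline. Raises ValueError on a redirect loop or
    when more than `max_hops` redirects are seen.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return url, chain
        nxt = urljoin(url, location)  # Location may be a relative reference
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    raise ValueError(f"more than {max_hops} redirects starting from {chain[0]}")


# Constructed redirect table standing in for the network; hosts are hypothetical.
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://tracker.example/r?id=42"),
    "http://tracker.example/r?id=42": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}


def fake_fetch(url):
    """Offline stand-in for head_once using the table above."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    final, hops = expand_url("http://short.example/abc", fetch=fake_fetch)
    print("final destination:", final)
    for hop in hops:
        print("  ->", hop)
```

<p>Against a live link, call <code>expand_url(url)</code> with the default fetcher. Two caveats a practitioner should keep in mind: some servers answer HEAD with 405 rather than the redirect they would send for GET, and some shorteners redirect from inside a JavaScript page rather than with an HTTP Location header; in both cases the chain ends early and the last page has to be inspected by other means.</p>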
<h2><strong>Films, games, music&#8230;and malware</strong></h2>
<p>If you&#8217;re new to the Internet, the first things you might look for are films, music, TV programs or computer games. Apart from the legal aspects of downloading such content – which have been extensively detailed by others – there are other issues to consider. If you&#8217;re looking around for content like this, you might think that so-called peer-to-peer networks offer the quickest route. So you download a program which will help you access the network and start helping yourself to what you want. Although you might have read somewhere that these files might come with malware attached, you just ignore this. However, you do this at your own risk.</p>
<p>For instance, games available for download often come with crack tools which circumvent copy protection. These tools are provided by hackers, either because they believe that all content should be free or because they want to make an impression on the hacker scene. Download files may also come with malware attached: cybercriminals know there&#8217;s a big market for free content, and by disguising their malware as popular files, or adding their malware to popular files, they increase the number of potential victims. For instance, a banking Trojan might come with a game download – although young people rarely use online banking, the computer they download the file to might belong to their parents, who regularly check their account online. This approach therefore kills two – or more – birds with one stone.<img class="aligncenter size-full wp-image-47" title="El Torrent" src="http://dannyranjeev.files.wordpress.com/2009/09/picture15.png?w=460" alt="El Torrent"   /></p>
<p>The chance of downloading malware via a peer-to-peer network is relatively high. So while illegally downloading a game or film may save you the purchase price, downloading a Trojan designed to steal your banking details could cost you hundreds of Euros, which quickly puts any anticipated financial gain into perspective. There&#8217;s no doubt here that honesty is the best policy.</p>
<h2><strong>Conclusion</strong></h2>
<p>Cybercriminals are very creative and are constantly adapting their scams as new Internet technologies and applications evolve. Mostly, this is a case of old scams being recycled to target new media. The best example of this is the classic spam message which contains a link to a malicious website. By now, lots of people know that you should never click on a link in an email from an unknown sender. However, when their approach was adapted to messages sent via social networking sites, the number of people who clicked increased enormously.</p>
<p>A few years ago, the design of a website could make it clear that the site was a fake: spelling mistakes, poor layout, etc. Now, however, cybercriminals have become far more sophisticated. If you suspect a scam, use a search engine to try and uncover further information; if there is a scam involved, other victims will probably have written about it. Search suspicious sites for contact information, and then verify this against other sources.</p>
<p>Finally, use your common sense. As stated above, anything that looks too good to be true probably is. If something sets alarm bells ringing, pay attention to your Internet instincts. A healthy dose of scepticism will go a long way in helping to protect you against fraud and scams; a reputable security solution and up-to-date software will cover much of the rest.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/28/traps-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture12.png" medium="image">
			<media:title type="html">eBay</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture21.png" medium="image">
			<media:title type="html">Scareware</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture14.png" medium="image">
			<media:title type="html">Phoneyware.</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture23.png" medium="image">
			<media:title type="html">BLL</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture15.png" medium="image">
			<media:title type="html">El Torrent</media:title>
		</media:content>
	</item>
		<item>
		<title>Preventing Proxy Abuse in Schools and Colleges</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/27/preventing-proxy-abuse-in-schools-and-colleges/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/27/preventing-proxy-abuse-in-schools-and-colleges/#comments</comments>
		<pubDate>Sun, 27 Sep 2009 07:43:02 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[abuse]]></category>
		<category><![CDATA[college]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[proxies]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[proxy abuse]]></category>
		<category><![CDATA[school]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=33</guid>
		<description><![CDATA[What are Anonymous Proxies? Circumventors, shadow surfing, anonymizers, proxy avoidance – call them what you will, anonymous proxies have been with us for about as long as we’ve been filtering the web. What they provide is simple – online anonymity. This may be a lifeline for political dissidents in countries where censorship is a problem [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=dannyranjeev.wordpress.com&amp;blog=9479530&amp;post=33&amp;subd=dannyranjeev&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h2><strong>What are Anonymous Proxies?</strong></h2>
<p>Circumventors, shadow surfing, anonymizers, proxy avoidance – call them what you will, anonymous proxies have been with us for about as long as we have been filtering the web. What they provide is simple: online anonymity. That may be a lifeline for political dissidents in countries where censorship is a problem, but it is also a major headache for schools and other organizations that need to control and monitor their users’ web access. In basic terms, anonymous proxies are simply proxy servers: they accept a user’s web request and fetch the page from the real site on the user’s behalf. From the filter’s point of view the student is only ever talking to the proxy, so the URLs actually visited are never disclosed to URL-based filtering products, and banned content can be viewed inside the proxy’s own pages.</p>
<h2><strong>Why is Proxy Abuse a Problem?</strong></h2>
<p>There are now millions of proxies in existence, with their operators changing URLs and launching new ones far faster than security vendors can hope to block them. The proliferation of proxies is already well beyond the control of URL-based filtering products, and although keyword-based filters will catch sites with ‘proxy’ in the title, most have legitimate-sounding names like examstudies.com. It only takes one working proxy to put a gaping hole in your web filtering. Using a web filtering solution that doesn’t block proxies is the equivalent of putting a big bolt on your front door but leaving the back door wide open.</p>
<h2><strong>How do students know/find out about proxies?</strong></h2>
<p>As with most things, the first port of call is the web. Try entering “unblock myspace” into Google: the results run to hundreds of thousands of sites, all offering the same thing, anonymous browsing. ‘Backdoor’ URLs are passed quickly from student to student, and some proxy sites even offer to send daily updates on the newest proxy sites by email or text message. There are also plenty of step-by-step videos on YouTube showing students how to use proxy tools to bypass school filters. These are the very skills we don’t want our children to learn in school: digital lockpicking, and breaking and entering on the worldwide web.</p>
<h2><strong>Different types of proxy and how to defend against them:</strong></h2>
<h3><strong><span style="text-decoration:underline;">Web-based Proxies</span></strong></h3>
<p>Web-based proxies work entirely through a web browser and use server-side software such as CGIProxy, Glype, PHProxy and other custom scripts. All a student needs to do to surf anonymously is enter the web address they wish to visit in the box provided (usually on the proxy’s home page); the proxy script then fetches the page and rewrites its links so that every subsequent click also goes through the proxy. URL or keyword-based filters may block some of these sites, but the only way to reliably prevent access is to employ a filter that recognises the characteristic signatures of proxy scripts (for example the URL shapes and page structure the common packages produce) and blocks on those rather than on the hostname, as SmoothWall’s School Guardian web filter does (see the diagrams below).</p>
<p><img class="aligncenter size-full wp-image-36" title="." src="http://dannyranjeev.files.wordpress.com/2009/09/picture11.png?w=460&#038;h=103" alt="." width="460" height="103" /></p>
<p><img class="aligncenter size-full wp-image-37" title="." src="http://dannyranjeev.files.wordpress.com/2009/09/picture2.png?w=460&#038;h=98" alt="." width="460" height="98" /></p>
<h3><span style="text-decoration:underline;"><strong>Open Proxies</strong></span></h3>
<p>These are HTTP or SOCKS proxy servers that are open and accessible to anyone on the Internet. Most require users to reconfigure their browser settings to point at them, so they can be blocked with simple firewall rules: allow outbound web traffic only from the school’s own filtering proxy and drop direct connections from client machines to arbitrary Internet hosts and ports. The same rules neutralise portable copies of Firefox or other browsers run from USB sticks and other removable media, since a browser that tries to reach an external proxy directly will simply be unable to connect.</p>
<h3><strong><span style="text-decoration:underline;">Secure/SSL Proxies</span></strong></h3>
<p>SSL proxies are reached over HTTPS, so everything the user views through them (including media files) travels inside an encrypted tunnel. The filter logs only the proxy’s hostname or IP address and the fact that a tunnel was opened; the URLs visited through the proxy never appear, so IT staff are often unaware of the extent of their problem with the secure variety of these proxy pests. URL and keyword-based filters are an utterly futile defence against SSL proxies, and even some so-called ‘third-generation’ filters aren’t intelligent enough to provide proper protection. Some offer the option of a blanket block on all HTTPS traffic, but this is far from practical since secure transactions are part of the daily business of running a school. A whitelist of authorised HTTPS sites is a better option but will still result in over-blocking complaints, due to the sheer number of sites now using SSL encryption. To accurately defend against SSL proxies, filters need to be capable of inspecting and validating SSL certificates (few proxies have valid ones) and ideally of decrypting and inspecting HTTPS traffic so that signature and content-based filtering is possible again. Note that decryption of this kind is a deliberate man-in-the-middle: it only works on managed devices that have been configured to trust the filter’s own certificate authority, and the filter then sees every user’s banking and webmail sessions in the clear, so it needs to be covered by the AUP and protected accordingly.</p>
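<p>As an added illustration (not part of the original article or of any vendor’s product), the following Python script shows what “detecting the characteristic signatures of proxies” looks like in practice when run over a web filter’s access log. It covers both the web-based proxies described above and the SSL variety: for plain HTTP it looks for the URL shapes produced by the Glype (<code>browse.php?u=</code>), PHProxy (<code>index.php?q=</code>) and CGIProxy (<code>nph-proxy.cgi/.../http/...</code>) script families and decodes the real destination hidden inside them; for HTTPS, where only the tunnel endpoint is visible, it reports CONNECT requests to hosts outside an allowlist. The log lines, hostnames and the allowlist are constructed for the example; the exact URL format of each proxy package varies between versions, so treat the patterns as a starting point rather than a definitive signature.</p>

```python
"""Flag likely anonymous-proxy use in a web filter's access log (added example)."""
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, one request per line: client, method, URL, HTTP status.
# Hostnames are illustrative. The URL shapes mirror the three script families named
# in the text: Glype (browse.php?u=<base64>), PHProxy (index.php?q=<base64>) and
# CGIProxy (nph-proxy.cgi/<flags>/http/<host>/...). Real deployments vary.
SAMPLE_LOG = """\
10.1.2.3 GET http://www.bbc.co.uk/news/ 200
10.1.2.7 GET http://examstudies.example/browse.php?u=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D&b=12 200
10.1.2.7 GET http://examstudies.example/index.php?q=aHR0cDovL3d3dy5mYWNlYm9vay5jb20v&hl=3ed 200
10.1.2.9 GET http://proxy.example/nph-proxy.cgi/000100A/http/www.youtube.com/ 200
10.1.2.9 CONNECT mail.google.com:443 200
10.1.2.11 CONNECT 203.0.113.45:443 200
10.1.2.11 CONNECT examstudies.example:443 200
"""

# HTTPS destinations the school expects; any other CONNECT tunnel is reported.
# (Assumed list for the example; a real allowlist comes from the filter's policy.)
HTTPS_ALLOWLIST = {"mail.google.com"}

# Query parameters used by Glype ("u") and PHProxy ("q") to carry the real URL.
PROXY_URL_PARAMS = ("u", "q")
# CGIProxy embeds the target in the path: /nph-proxy.cgi/<hex flags>/<scheme>/<host>/<path>
CGIPROXY_RE = re.compile(r"/nph-proxy\.cgi/[0-9A-Fa-f]+/(https?)/([^/]+)(/.*)?$")


def decode_embedded_url(value):
    """Return the URL hidden in a base64 parameter value, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if decoded.startswith((b"http://", b"https://")):
        return decoded.decode("ascii", errors="replace")
    return None


def classify_request(method, target):
    """Return (kind, detail) for a suspicious request, or None for an ordinary one."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        # The filter sees only the tunnel endpoint, not the URLs inside it, so
        # an HTTPS host outside the allowlist is the most it can report.
        return None if host in HTTPS_ALLOWLIST else ("https-tunnel-unknown-host", host)

    parts = urlsplit(target)
    match = CGIPROXY_RE.search(parts.path)
    if match:
        scheme, host, path = match.groups()
        return ("web-proxy-cgiproxy", f"{scheme}://{host}{path or '/'}")

    if parts.path.endswith(".php"):
        query = parse_qs(parts.query)
        for name in PROXY_URL_PARAMS:
            for value in query.get(name, []):
                hidden = decode_embedded_url(value)
                if hidden:
                    return ("web-proxy-encoded-url", hidden)
    return None


def analyse(log_text):
    """Parse the log and return a list of (client, kind, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore blank or malformed lines
        client, method, target, _status = fields
        hit = classify_request(method, target)
        if hit:
            findings.append((client, hit[0], hit[1]))
    return findings


def clients_by_hit_count(findings):
    """Rank clients by number of suspicious requests (most first)."""
    return Counter(client for client, _kind, _detail in findings).most_common()


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for client, kind, detail in results:
        print(f"{client:<12} {kind:<28} {detail}")
    print(clients_by_hit_count(results))
```

<p>Run it as a script to print the findings and a per-client count, or import it and call <code>analyse()</code> on a real log after adapting the four-field line format to your filter’s log layout. The per-client ranking is what turns “proxy abuse can be tracked to individuals” from an AUP sentence into something the IT department can actually act on.</p>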
<h3><strong><span style="text-decoration:underline;">Proxy Networks (e.g. TOR)</span></strong></h3>
<p>Various proxy networks exist (Tor is the best-known example) that use layered encryption (‘onion routing’) across a chain of volunteer-run relays, so that no single relay knows both who the user is and what they are requesting. Most rely on end users to donate bandwidth and other resources to the network. Because anyone can run a relay, some are operated by malicious individuals, and the last relay in the chain (the exit) sees whatever the user sends unencrypted and can intercept or tamper with it, including by injecting malware. Defending against proxy networks requires a combination of firewall rules, web filtering rules and local policy settings, because the client software will try alternative relays and ports when one route is blocked.</p>
<h3><strong><span style="text-decoration:underline;">Proxy Software Applications</span></strong></h3>
<p>Some subscription-based services offer client-side applications that automatically configure the browser’s proxy settings. Most are simply open proxies dressed up with a fancy interface, but some tunnel their traffic over HTTPS to outwit less intelligent filters and are hence becoming popular with students. One of the most popular (Ultrasurf) is a free 100 KB download. Blocking executable downloads and denying installation rights to anyone but administrators helps to prevent their use, although a tool small enough to run from a USB stick without installing also needs the firewall rules described above. Several of the prevention methods listed for the other types of proxy work on application-based proxy tools as well.</p>
<h2><strong>Who makes proxies and why?</strong></h2>
<p>Proxies require a lot of bandwidth to host, and bandwidth costs money, sometimes quite a lot. So who is hosting these proxies, and who is footing the bill? A few proxies are hosted by technically adept students who want to bypass their own school’s filter and limit the use to a select group of their peers. Frequently these are hosted on a home broadband connection, which is no problem with only a handful of users. These are the only truly ‘free’ form of proxy and they can also be pretty tricky to block: URL-list-based filters will almost never catch them, because nobody has seen the address before. Public web proxies, on the other hand (the most common type), can eat their way through many gigabytes of transfer. The cost is usually offset by placing pay-per-click adverts on the proxy page; revenue per hit is minuscule, but with many hits it all adds up. Of course, the proxy owners have to advertise too. Top-proxy lists are one way of doing this, but sometimes legitimate ads are placed as well. Some software-based proxies charge a fee, but the majority are free and don’t carry any ads. Since it is highly unlikely that their creators are magnanimously footing the hosting bills, these services are very likely to be selling on browsing habits, injecting ads or unwanted text, or even pushing malware.</p>
<h2><strong>Proxy abuse &#8211; what are the risks?</strong></h2>
<h3><strong><span style="text-decoration:underline;">Legal risks</span></strong></h3>
<p>Internet security standards at a school in Kent were recently exposed on BBC News after the mother of one young boy complained that her son had returned home with a printout of a pornographic image obtained via school computers. The head was forced to send letters home to all parents regarding the matter and suspend Internet use until the security standards were improved. Although schools are not yet facing lawsuits for security failures of this type, it is only a matter of time before a protective parent decides to sue.</p>
<p>In the US, schools must comply with the Children’s Internet Protection Act (CIPA), a federal law enacted by Congress in 2000 to protect children using school and library computers from offensive Internet content. Obscene, pornographic and otherwise harmful-to-minors content must be blocked and students’ web use monitored. Institutions that fail to comply risk losing E-Rate funding (federal discounts designed to make telecommunications and Internet access more affordable for schools and libraries).</p>
<h3><span style="text-decoration:underline;"><strong>Cyberbullying</strong></span></h3>
<p>Anonymous proxies are also popular with cyberbullies, who use them to cover their tracks so they can taunt teachers and students with impunity. Proxy tools keep their online activities off the radar, so they hope to remain unidentifiable and escape punishment.</p>
<h3><strong><span style="text-decoration:underline;">Malware</span></strong></h3>
<p>Not only do proxy sites give students unfettered access to the content you are attempting to block, they also help malware and other web-borne threats to sneak into the network undetected, since the filter’s anti-malware scanning never sees the real destination. SSL proxies are a particular problem: the encrypted tunnel hides the downloaded content from the web filter and from any gateway antivirus, so a trojan or worm fetched through one arrives unscanned.</p>
<h3><strong><span style="text-decoration:underline;">Phishing and password theft</span></strong></h3>
<p>Many students who use proxies are unaware of the risk to their own personal security and identity. Malicious proxy servers do exist and can record everything sent through them, including logins and passwords. With a web-based proxy this includes credentials for HTTPS sites: the proxy script fetches the secure site on the student’s behalf, so the padlock the student sees belongs to the proxy, and the operator sees the form data in the clear. Although some proxy networks claim to use only ‘safe’ servers, the anonymous nature of these tools makes proxy server safety impossible to police. Students should be taught that whenever they use a proxy, they are trusting an unknown party “in the middle” with everything they type.</p>
<h2><strong>Other tips to prevent proxy abuse</strong></h2>
<ul>
<li>Educate teachers to recognise illicit surfing or proxy abuse and report it to the IT department</li>
<li>Educate students about the danger of using proxies.</li>
<li>Allow slightly more lenient filtering outside of core hours</li>
<li>Make sure your AUP covers anonymous proxying and that both students and teachers are familiar with its content. Make it clear that proxy abuse can be tracked to individuals.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/27/preventing-proxy-abuse-in-schools-and-colleges/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture11.png" medium="image">
			<media:title type="html">.</media:title>
		</media:content>

		<media:content url="http://dannyranjeev.files.wordpress.com/2009/09/picture2.png" medium="image">
			<media:title type="html">.</media:title>
		</media:content>
	</item>
		<item>
		<title>Serious security bug found in Windows Vista</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/26/serious-security-bug-found-in-windows-vista/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/26/serious-security-bug-found-in-windows-vista/#comments</comments>
		<pubDate>Sat, 26 Sep 2009 05:08:47 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[bug]]></category>
		<category><![CDATA[security issue]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 7]]></category>
		<category><![CDATA[windows server]]></category>
		<category><![CDATA[Windows Vista]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=27</guid>
		<description><![CDATA[An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft&#8217;s Windows Vista, Windows Server 2008, and the release candidate for Windows 7. The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=dannyranjeev.wordpress.com&amp;blog=9479530&amp;post=27&amp;subd=dannyranjeev&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft&#8217;s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.</p>
<div class="wp-caption alignright" style="width: 265px"><img title="Something Bugging You ??" src="http://www.hacksomnia.com/wp-content/uploads/2009/03/computer-bug.jpg" alt=":-p" width="255" height="169" /><p class="wp-caption-text">:-p</p></div>
<p>The researcher, Laurent Gaffié, stated in his advisory that the vulnerability causes a Blue Screen of Death, a kernel crash that takes the whole Windows system down, but other researchers have since concluded that the flaw is remotely exploitable for code execution, a considerably more serious issue than a denial of service.</p>
<p>Microsoft acknowledged the flaw on Tuesday in a security advisory. The flaw does not affect the final release of Windows 7, Windows Server 2008 R2, or Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it had fixed the issue.</p>
<p>Gaffié argued that the disclosure was fair. The software company should have done more software quality assurance (SQA) on its networking components, he said in an e-mail interview with <cite>SecurityFocus</cite>. Had it done so, it would have found the issue easily: his fuzzer needed only 15 packets to crash the component.</p>
<p>&#8220;So I personally think the one who has been irresponsible is Microsoft for shipping this driver on any Server 2008, Vista, and Windows 7 (system) without doing any SQA and security review,&#8221; he responded.</p>
<p>Gaffié said he had tried to notify the company, but had a typo in the e-mail address.</p>
<p>The flaw was disclosed on Monday, the day before Microsoft&#8217;s regularly scheduled patch day. The software giant issued five patches for eight vulnerabilities, including three flaws in the company&#8217;s TCP/IP networking stack. Other flaws affected Windows&#8217; JScript engine and its Windows Media components.</p>
<p>While Microsoft has not released a fix for the issue, it recommended that administrators disable SMB version 2 (which forces clients back to SMB version 1) or block at the firewall the TCP ports (139 and 445) used by the file-sharing feature. Blocking those ports at the perimeter stops exploitation from the Internet but does nothing against an attacker who is already on the local network, where file sharing normally has to stay open.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/26/serious-security-bug-found-in-windows-vista/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>

		<media:content url="http://www.hacksomnia.com/wp-content/uploads/2009/03/computer-bug.jpg" medium="image">
			<media:title type="html">Something Bugging You ??</media:title>
		</media:content>
	</item>
		<item>
		<title>How to detect a hacker attack.</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/25/how-to-detect-a-hacker-attack/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/25/how-to-detect-a-hacker-attack/#comments</comments>
		<pubDate>Fri, 25 Sep 2009 13:35:44 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[online protection]]></category>
		<category><![CDATA[protection]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=24</guid>
		<description><![CDATA[Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack. Due to this, detecting hacker attacks is not an easy task, especially for an [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=dannyranjeev.wordpress.com&amp;blog=9479530&amp;post=24&amp;subd=dannyranjeev&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
<content:encoded><![CDATA[
<p>Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components, or even a backdoor left by an earlier attack.</p>
<p>Because of this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out whether your machine is under attack or whether the security of your system has already been compromised. Keep in mind that, just as with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there&#8217;s a good chance that if your system has been hacked, it will display one or more of the following behaviours.</p>
<h3>Windows machines:</h3>
<ul>
<li>Suspiciously high outgoing network traffic. If you are on a dial-up or ADSL connection and notice an unusually high volume of outgoing traffic, especially when your computer is idle or not knowingly uploading anything, it is possible that your computer has been compromised. It may be being used to send spam, or by a network worm that is replicating and sending copies of itself. For cable connections this is less telling: it is quite common to see as much outgoing as incoming traffic even when you are doing nothing more than browsing or downloading.</li>
<li>Increased disk activity or suspicious-looking files in the root directories of any drives. After breaking into a system, many attackers run a massive scan for interesting documents or files containing passwords or logins for bank or e-payment accounts such as PayPal. Similarly, some worms search the disk for files containing e-mail addresses to use for propagation. Heavy disk activity while the system is idle, combined with suspiciously named files in common folders, may indicate a system hack or malware infection.</li>
<li>A large number of packets from a single address being stopped by a personal firewall. After locating a target (e.g. a company&#8217;s IP range or a pool of home cable users), attackers usually run automated probing tools that try various exploits against the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address, your machine is probably being attacked. The good news is that if your firewall is reporting these attempts, you are probably safe. However, depending on how many services you expose to the Internet, the firewall cannot protect you against an attack directed at a service, such as an FTP server, that you have deliberately made reachable from everywhere. In that case the solution is to block the offending IP temporarily until the connection attempts stop; many personal firewalls and IDSs have such a feature built in.</li>
<li>Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even though you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may indicate that your system is already accessible from outside.</li>
</ul>
<h3>Unix machines:</h3>
<ul>
<li>Suspiciously named files in /tmp. Many exploits in the Unix world rely on creating temporary files in the standard /tmp directory, and these are not always deleted after the system has been compromised. The same is true of some worms known to infect Unix systems: they recompile themselves in /tmp and use it as &#8216;home&#8217;.</li>
<li>Modified system binaries such as &#8216;login&#8217;, &#8216;telnet&#8217;, &#8216;ftp&#8217; and &#8216;finger&#8217;, or more complex daemons such as &#8216;sshd&#8217; and &#8216;ftpd&#8217;. After breaking into a system, an attacker usually tries to secure continued access by planting a backdoor in one of the daemons directly reachable from the Internet, or by modifying the standard utilities used to connect to other systems (to harvest the passwords typed into them). The modified binaries are usually part of a rootkit and are generally &#8216;stealthed&#8217; against simple inspection on the running system. In all cases it is a good idea to maintain a database of checksums for every system utility, stored off the machine, and to periodically verify them with the system offline in single-user mode, so that a rootkit cannot lie to the checker about the file contents.</li>
<li>Modified /etc/passwd, /etc/shadow or other files in /etc. Attackers sometimes add a new user to /etc/passwd that can be used to log in remotely at a later date. Look for suspicious usernames in the password file, particularly any second account with UID 0, and monitor all additions, especially on a multi-user system.</li>
<li>Suspicious services added to /etc/services. Opening a backdoor on a Unix system is sometimes a matter of adding two lines of text: one to /etc/services naming the port, and one to /etc/inetd.conf telling inetd to run a shell when a connection arrives on it. Closely monitor these two files for any additions that may indicate a backdoor bound to an unused or suspicious port.</li>
</ul>
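<p>The last three Unix indicators above all come down to comparing the current state of the system with a trusted baseline. The following Python script is an added example (not from the Kaspersky text) of that idea: it records SHA-256 checksums of a set of binaries and later reports which have been modified, have disappeared or have newly appeared (the /tmp case), and it diffs /etc/passwd-style and /etc/services-style files to list new accounts (calling out any with UID 0) and new service lines. The binaries and the passwd and services contents are constructed stand-ins created in a temporary directory so that the script runs anywhere; on a real system you would point it at /bin, /usr/sbin and /etc, keep the baseline on read-only media off the host, and run the verification from a clean boot, as the text recommends, because a rootkit on the running system can feed the checker the original file contents.</p>

```python
"""Baseline-and-verify checks for the Unix indicators above (added example)."""
import hashlib
import os
import tempfile

# Constructed /etc/passwd and /etc/services contents: 'before' is the trusted
# baseline, 'after' is what an attacker might leave behind.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + """\
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0::/root:/bin/sh
"""
SERVICES_BEFORE = """\
# Network services, Internet style
ssh             22/tcp
http            80/tcp
"""
SERVICES_AFTER = SERVICES_BEFORE + "backdoor        31337/tcp   # looks harmless\n"


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each path to its digest; a path that does not exist yet is recorded as None."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def verify_baseline(baseline):
    """Return {path: 'modified' | 'missing' | 'appeared'} for every path that changed."""
    changes = {}
    for path, old in baseline.items():
        new = sha256_file(path) if os.path.isfile(path) else None
        if new == old:
            continue
        if new is None:
            changes[path] = "missing"
        elif old is None:
            changes[path] = "appeared"   # e.g. a dropped file in /tmp
        else:
            changes[path] = "modified"   # e.g. a trojaned 'login'
    return changes


def parse_passwd(text):
    """Return {username: uid} from /etc/passwd-style text, skipping comments and junk."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def passwd_changes(before, after):
    """List (name, uid, is_root_equivalent) for accounts present now but not in the baseline."""
    old, new = parse_passwd(before), parse_passwd(after)
    return [(name, new[name], new[name] == 0) for name in sorted(set(new) - set(old))]


def services_changes(before, after):
    """Return service definitions present now that were absent from the baseline."""
    def entries(text):
        # Strip comments and whitespace so a cosmetic edit does not mask a real addition.
        return {" ".join(line.split("#", 1)[0].split()) for line in text.splitlines()} - {""}
    return sorted(entries(after) - entries(before))


def demo():
    """Self-contained run: baseline two fake binaries, trojan one, drop a file in tmp."""
    with tempfile.TemporaryDirectory() as root:
        login, sshd = os.path.join(root, "login"), os.path.join(root, "sshd")
        dropped = os.path.join(root, "tmp", "x")
        for path in (login, sshd):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF original " + os.path.basename(path).encode())
        baseline = build_baseline([login, sshd, dropped])
        # Simulate the attack: replace 'login' with a backdoored copy, create tmp/x.
        with open(login, "wb") as fh:
            fh.write(b"\x7fELF trojaned login")
        os.makedirs(os.path.dirname(dropped))
        with open(dropped, "wb") as fh:
            fh.write(b"payload")
        return {os.path.relpath(p, root).replace(os.sep, "/"): status
                for p, status in verify_baseline(baseline).items()}


if __name__ == "__main__":
    print("binaries:", demo())
    print("new accounts:", passwd_changes(PASSWD_BEFORE, PASSWD_AFTER))
    print("new services:", services_changes(SERVICES_BEFORE, SERVICES_AFTER))
```

<p>The checksum database is only as trustworthy as the place it is kept and the system that reads it: a baseline stored on the compromised host can be edited by the same attacker who replaced the binaries, which is why the text insists on an offline, single-user-mode comparison.</p>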
<p>SOURCE &#8211; KASPERSKY LABS.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/25/how-to-detect-a-hacker-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
		<item>
		<title>China mounts cyber attacks on Indian sites !!!</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/18/china-mounts-cyber-attacks-on-indian-sites/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/18/china-mounts-cyber-attacks-on-indian-sites/#comments</comments>
		<pubDate>Thu, 17 Sep 2009 19:31:14 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[BOTS]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Warfare]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Indo-China Conflict]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Keyloggers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Sino-Indian War]]></category>
		<category><![CDATA[SPYING]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=20</guid>
		<description><![CDATA[China’s cyber warfare army is marching on, and India is suffering silently. Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability. The sustained assault almost coincides with the history of the present political disquiet between [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=dannyranjeev.wordpress.com&amp;blog=9479530&amp;post=20&amp;subd=dannyranjeev&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
<content:encoded><![CDATA[<p>China’s cyber warfare army is marching on, and India is suffering silently. Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability.</p>
<p>The sustained assault almost coincides with the history of the present political disquiet between the two countries.</p>
<p>According to senior government officials, these attacks are not isolated incidents of something as generic or basic as &#8220;hacking&#8221;; they are far more sophisticated and complete, and there is a method behind the madness.</p>
<p>Publicly, senior government officials, when questioned, take refuge under the argument that &#8220;hacking&#8221; is a routine activity and happens from many areas around the world. But privately, they acknowledge that the cyber warfare threat from China is more real than from other countries.</p>
<p>The core of the assault is that the Chinese are constantly scanning and mapping India’s official networks. This gives them a very good idea of not only the content but also of how to disable the networks or distract them during a conflict.</p>
<p>This, officials say, is China’s way of gaining &#8220;an asymmetrical advantage&#8221; over a potential adversary.</p>
<p>The big attacks that were sourced to China over the last few months included an attack on NIC (National Informatics Centre), which was aimed at the National Security Council, and on the MEA.</p>
<p>Other government networks, said sources, are routinely targeted though they haven’t been disabled. A quiet effort is under way to set up defence mechanisms, but cyber warfare is yet to become a big component of India’s security doctrine. Dedicated teams of officials — all underpaid, of course — are involved in a daily deflection of attacks. But the real gap is that a retaliatory offensive system is yet to be created.</p>
<p>And it’s not difficult, said sources. Chinese networks are very porous — and India is an acknowledged IT giant!</p>
<p>There are three main weapons in use against Indian networks — BOTS, key loggers and mapping of networks. According to sources in the government, Chinese hackers are acknowledged experts in setting up BOTS. A BOT is a parasite program embedded in a network, which hijacks the network and makes other computers act according to its wishes, which, in turn, are controlled by &#8220;external&#8221; forces.</p>
<p>The controlled computers are known as &#8220;zombies&#8221; in the colourful language of cyber security, and are a key aspect in cyber warfare. According to official sources, there are close to 50,000 BOTS in India at present — and these are &#8220;operational&#8221; figures.</p>
<p>What is the danger? Simply put, the danger is that at the appointed time, these &#8220;external&#8221; controllers of BOTNETS will command the networks, through the zombies, to move them at will.</p>
<p>Exactly a year ago, Indian computer security experts got a glimpse of what could happen when a targeted attack against Estonia shut that country down — it was done by one million computers from different parts of the world — and many of them were from India! That, officials said, was executed by cyber terrorists from Russia, who are deemed to be deadlier.</p>
<p>The point that officials are making is that there are internal networks in India that are controlled from outside — a sort of cyberspace fifth column. Hence, the need for a more aggressive strategy.</p>
<p>Key loggers are software that scans computers and their processes and data the moment you hit a key on the keyboard.</p>
<p>This information is immediately carried over to an external controller — so they know even when you change your password. Mapping or scanning networks is done as a prerequisite to modern cyber warfare tactics. MEA has a three-layered system of computer and network usage — only the most open communication is sent on something called &#8220;e-grams&#8221;.</p>
<p>The more classified stuff uses old-economy methods — ironically, probably the most secure though a lot more time-consuming. The same is true of other critical areas of the government. But the real gap inside the national security establishment is one of understanding the true nature of the threat.</p>
<p>National security adviser M K Narayanan set up the National Technology Research Organization, which is also involved in assessing cyber security threats. But the cyber security forum of the National Security Council has become defunct after the US spy incident. This has scarred the Indian establishment so badly that it’s now frozen in its indecision. This has seriously hampered India’s decision-making process in cyber warfare.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/18/china-mounts-cyber-attacks-on-indian-sites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
		<item>
		<title>Botnet commands spread by Google Groups</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/16/botnet-commands-spread-by-google-groups/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/16/botnet-commands-spread-by-google-groups/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 14:33:56 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google Groups]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=18</guid>
		<description><![CDATA[A trojan targeting Google Groups turns newsgroups into a means for distributing command-and-control information for botnets. “The trojan [dubbed Trojan.Grups] in this case is fairly simple,” wrote Gavin Gorman, security researcher for Symantec, in a post Friday on a Symantec blog. “But when executed, it logs onto a specific Google account and requests a page from [...]]]></description>
			<content:encoded><![CDATA[<p>A trojan targeting Google Groups turns newsgroups into a means for distributing command-and-control information for botnets.<img class="alignright" title="Google" src="http://www.ecofriendlyinternship.com/wp-content/uploads/2009/07/evil-google-logo.jpg" alt="" width="276" height="276" /></p>
<p>“The trojan [dubbed Trojan.Grups] in this case is fairly simple,” wrote Gavin Gorman, security researcher for Symantec, in a post Friday on a Symantec blog. “But when executed, it logs onto a specific Google account and requests a page from a private newsgroup, which contains encrypted commands for the malware to carry out.”</p>
<p>In the past, Twitter has been used to deliver commands, by which an account was being used as a command-and-control hub to issue instructions to infected computers. Tweets coming from the malicious accounts were encoded and looked like a random combination of letters and numbers. But the tweets were actually being used to issue new instructions to bots.</p>
<p>“This is the first time a newsgroup being used as a command-and-control conduit,” Gerry Egan, director of Symantec Security Response, told SCMagazineUS.com Friday. “It establishes a two-way communications pipe, using a legitimate infrastructure.”</p>
<p>Experts believe this is just a test &#8212; research-and-development for malware writers to see if the idea is feasible.</p>
<p>“Based on analysis of the source code, Symantec believes this may be a prototype implementation, testing the feasibility of web-based newsgroups as command-and-control structures,” Gorman wrote. “Analysis also indicates that this trojan is seeking to remain discreet and undetected, being used to subtly gather information and potentially determine future attack targets.”</p>
<p>The reason that this sort of attack is attractive to cybercriminals could be the difficulty in identifying and shutting down such sources, Egan said.</p>
<p>“In a sense, it makes it harder to detect,” he said.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/16/botnet-commands-spread-by-google-groups/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>

		<media:content url="http://www.ecofriendlyinternship.com/wp-content/uploads/2009/07/evil-google-logo.jpg" medium="image">
			<media:title type="html">Google</media:title>
		</media:content>
	</item>
		<item>
		<title>Rogue pharma cos use Microsoft Bing to sell drugs illegally</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/16/rouge-pharma-cos-use-microsoft-bing-to-sell-drugs-illegally-2/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/16/rouge-pharma-cos-use-microsoft-bing-to-sell-drugs-illegally-2/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 13:53:19 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[Misc..]]></category>
		<category><![CDATA[Bing]]></category>
		<category><![CDATA[Illegal Drugs Sale]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft Bing]]></category>
		<category><![CDATA[Pharmacy]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=16</guid>
		<description><![CDATA[Rogue pharmacies are using Microsoft’s Bing search engine to illegally sell drugs, including addictive substances without prescriptions, according to a report released on Monday. Nine out of 10 of the pharmacies are operating illegally, according to the report “No Prescription Required: Bing.com Prescription Drug ads” by Internet compliance company Knujon and LegitScript, an Internet pharmacy [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Rogue pharmacies are using Microsoft’s Bing search engine to illegally sell drugs, including addictive substances without prescriptions, according to a report released on Monday.</p>
<p>Nine out of 10 of the pharmacies are operating illegally, according to the report “No Prescription Required: Bing.com Prescription Drug ads” by Internet compliance company Knujon and LegitScript, an Internet pharmacy verification organization. Illicit activities include:</p>
<p>–Selling prescription drugs, including controlled substances, without prescriptions.</p>
<p>–Not being licensed as a pharmacy in any U.S. jurisdiction, despite Microsoft’s policy of only sponsoring Internet pharmacies that supply drugs from the United States or Canada.</p>
<p>–Providing unregulated, unapproved prescription drugs.</p>
<p>The investigators also found that in some cases the ads displayed for legitimate pharmacies, but actually directed users to illegal sites. Some of the rogue pharmacies were identified as members of affiliate pharmacy networks linked to Russian organized crime.</p>
<p>The authors said that this is just the first in a series about U.S.-based corporations “that facilitate, and/or profit from rogue Internet pharmacies.”</p>
<p>“We’re not ‘picking on’ Microsoft,” said Garth Bruen, Knujon owner, in a posting on the MIT Spam Conference LinkedIn page. “Microsoft has been made aware of some of these specific cases previously and has been sent a copy of this report.”</p>
<p>Commonly promoted drugs include controlled drugs that are often abused, such as Soma (carisoprodol, a muscle relaxant), Ultram (tramadol, a pain reliever) and Ambien (a sleep aid); erectile dysfunction drugs (Viagra, Cialis, Levitra); and Valtrex, used to treat herpes.</p>
<p>The report said that Microsoft has received letters from the National Association of Boards of Pharmacy, the National Center for Addiction and Substance Abuse and the American Pharmacists Association expressing concern over the rogue pharmacies.</p>
<p>Microsoft issued a statement that it is taking the claims “very seriously” and will investigate.</p>
<p>Reports of such cases were also present in the past but were overlooked, as only a small fraction of the Internet-using population purchased drugs online. But with the growth of medical e-commerce, rogue pharmas are finding it easier to sell illegal drugs to people who are not able to get a prescription for them.</p>
<p>Seriously, these kinds of illicit hoardings are bound to have an impact on websites that legally sell these drugs on prescription.</p>
<p>So, keep an eye out for such sites and report them to the authorities immediately.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/16/rouge-pharma-cos-use-microsoft-bing-to-sell-drugs-illegally-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
		<item>
		<title>Russia-Georgia Conflict brings down social networks</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/15/russia-georgia-conflict-brings-down-social-networks/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/15/russia-georgia-conflict-brings-down-social-networks/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 12:35:21 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Cyxymu]]></category>
		<category><![CDATA[Denial of Service Attack]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/?p=6</guid>
		<description><![CDATA[Some of the world&#8217;s most popular social networks were knocked offline for hours in mid-August, following a distributed denial-of-service attack against a single user. The accounts in question, all belonging to a Georgian who posted regularly about establishing an independent nation (and all named Cyxymu after a small Georgian town), were apparently attacked by patriotic [...]]]></description>
			<content:encoded><![CDATA[<p>Some of the world&#8217;s most popular social networks were knocked offline for hours in mid-August, following a distributed denial-of-service attack against a single user. The accounts in question, all belonging to a Georgian who posted regularly about establishing an independent nation (and all named Cyxymu after a small Georgian town), were apparently attacked by patriotic Russian anti-separatists.</p>
<p>The affected websites, including Facebook, Twitter, YouTube, LiveJournal and Blogger, experienced downtime or were extremely slow for several hours simultaneously. The attacks seem to have originated from millions of compromised PCs in several global botnets. This was the first coordinated attack on social media websites on such a scale.</p>
<p>The attacks, however, only served to draw global attention to Cyxymu&#8217;s cause. He himself later posted to Twitter claiming Russia&#8217;s KGB had been behind the attack. Facebook, Twitter and Google have responded more cautiously, saying their investigations are still underway.</p>
<p>Cyxymu also recently had his identity spoofed as the source of a massive spate of spam attacks. These events signal the opening of a new front in cyber warfare in which any dissent can be swiftly silenced.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/15/russia-georgia-conflict-brings-down-social-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
		<item>
		<title>Choosing a secure password</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/15/choosing-a-secure-password/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/15/choosing-a-secure-password/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 11:59:04 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Password Safe]]></category>
		<category><![CDATA[Secure Password]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/2009/09/15/choosing-a-secure-password/</guid>
		<description><![CDATA[Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to. Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name has access [...]]]></description>
			<content:encoded><![CDATA[<p>Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to.</p>
<p>Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name has access not only to your computer files, but may also have access to your personal information (e.g. benefits, bank information) and may impersonate you to send malicious e-mail.</p>
<p>Many times you are requested to choose and maintain a password for various purposes (e.g. sign on to a file server, access your e-mail, use a password protected screensaver).</p>
<p>It&#8217;s important to choose a strong password and protect it since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. A strong password makes it reasonably difficult to guess the password in a short period of time either through human guessing or the use of automated password cracking programs.</p>
<p>Choosing a Strong Password</p>
<p>The following are general recommendations for creating a Strong Password:</p>
<p>A Strong Password should -</p>
<p>    * Be at least 8 characters in length<br />
    * Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)<br />
    * Have at least one numerical character (e.g. 0-9)<br />
    * Have at least one special character (e.g. ~ ! @ # $ % ^ &amp; * ( ) &#8211; _ + =)</p>
<p>A Strong Password should not -</p>
<p>    * Spell a word or series of words that can be found in a standard dictionary<br />
    * Spell a word with a number added to the beginning and/or the end<br />
    * Be based on any personal information such as user id, family name, pet, birthday, etc.<br />
    * Be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)</p>
<p>Use a passphrase or a nonsensical word</p>
<p>    A passphrase could be a lyric from a song or a favorite quote.  An example of a strong passphrase is “Superman is $uper str0ng!”.  A nonsensical word can be built using the first letter from each word in a phrase (e.g. C$200wpG., which represents &#8220;Collect $200 when passing Go.&#8221;).  These typically have additional benefits such as being longer and easier to remember.</p>
<p>Each system or application may have different password restrictions or requirements.</p>
<p>Using Passwords</p>
<p>The following are several recommendations for using Passwords:</p>
<p>    Do not share your password with anyone for any reason<br />
    Passwords should not be shared with anyone.  In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. </p>
<p>    Change your passwords periodically<br />
    The frequency of password changes is generally based on the privilege or access level of the account.  Accounts with greater privilege or access should have their password changed more frequently.<br />
    Do not write your password down or store in an insecure manner<br />
    As a general rule, you should avoid writing down your password.  In cases where it is necessary to write down a password, that password should be stored in a secure location (e.g. in your wallet or in a locked file) and properly destroyed when no longer needed.  Consider writing down hints, not the password.  Never store a password in an unencrypted electronic file or use the &#8220;save my password&#8221; feature for important passwords.</p>
<p>    Use a password manager with strong encryption<br />
    Using a password manager to store your password is not recommended unless the password manager leverages strong encryption and requires authentication prior to use.  Be sure to use a strong password for your password manager.  Password Safe is an example of a password manager that uses strong encryption.</p>
<p>    Avoid reusing a password<br />
    When changing an account password, you should avoid reusing a previous password.  If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised.  Similarly, if a password was shared, reusing that password could allow someone unauthorized access to your account.</p>
<p>    Avoid using the same password for multiple accounts<br />
    While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an unauthorized person to gain unauthorized access to multiple systems.  This is particularly important when dealing with more sensitive accounts such as your email account, Enterprise account or your online banking account.  These passwords should differ from the password you use for online newspapers and other web-based accounts.  Avoid using the same password for test and production systems.</p>
<p>    Do not use automatic logon functionality<br />
    Using automatic logon functionality negates much of the value of using a password.  If a malicious user is able to gain physical access to a system that has automatic logon configured, they will be able to take control of the system and access all your information.</p>
<p>    Log out and quit applications<br />
    When vacating your workstation, completely log off the computer or otherwise secure your workstation from unauthorized use (e.g. locked screensaver).  When vacating a public computer (kiosk or public lab), completely log out and quit the application before you leave.</p>
<p>    Be aware of Phishing tricks<br />
    Never provide your password over e-mail or based on an e-mail request.  Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank.  See Phishing Topic on Safe Computing for additional information.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/15/choosing-a-secure-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
		<item>
		<title>Welcome to the InfoSec Blog</title>
		<link>http://dannyranjeev.wordpress.com/2009/09/14/welcome-to-the-infosec-blog/</link>
		<comments>http://dannyranjeev.wordpress.com/2009/09/14/welcome-to-the-infosec-blog/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 15:02:06 +0000</pubDate>
		<dc:creator>dannyranjeev</dc:creator>
				<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Trojans]]></category>
		<category><![CDATA[Viruses]]></category>
		<category><![CDATA[Worms]]></category>

		<guid isPermaLink="false">http://dannyranjeev.wordpress.com/2009/09/14/welcome-to-the-infosec-blog/</guid>
		<description><![CDATA[Hello everyone&#8230;&#8230;.. Today computers are a very essential part of our lives. They are machines without which life for some people is useless !!! We do a lot of things on computers from surfing the web to listening t our ever increasing music collection&#8230;.. from creating the next revolutionary software to debugging your faulty applications, [...]]]></description>
			<content:encoded><![CDATA[<p>Hello everyone&#8230;&#8230;..</p>
<p>Today computers are an essential part of our lives. For some people they are machines without which life seems impossible. We do a great deal on computers, from surfing the web to listening to our ever-growing music collections, from creating the next revolutionary software to debugging faulty applications. All of this is at risk: your system can be compromised at any time, and your priceless data lost forever, if you are careless about or ignorant of security threats that are every bit as real as terrorism.</p>
<p>This blog aims to help people understand the dynamics of InfoSec and to secure their systems more effectively.</p>
]]></content:encoded>
			<wfw:commentRss>http://dannyranjeev.wordpress.com/2009/09/14/welcome-to-the-infosec-blog/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/3b9fee0a7040a3a2d38ee7750c7a38eb?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dannyranjeev</media:title>
		</media:content>
	</item>
	</channel>
</rss>
