Computer Software
Can Always Cause Trouble,
Especially if it is Designed to Do So.
~ Practice Safe Computing. ~
Virus Definitions:
A Virus
is a program designed to copy itself and spread on its own, typically
on a single computer system.
A Worm is an advanced form of Virus,
designed to copy itself and spread on a collection of computers.
Most "viruses" today are technically "Worms".
A Trojan Horse is a program that contains
a surprise "payload" of software that was not expected
by a user. It is a program for one function that disguises itself
as another. Viruses and Worms often transmit themselves as "Trojan
Horses".
None of these programs are necessarily dedicated
to causing damage. However, many of them do.
The problems
created by the Worm programs "Melissa", "Love
Bug", "SirCam", "Klez", and "Bugbear"
have pointed out flaws in the defensive systems of Microsoft
Windows based computers. Until these flaws are better defended
against, we must take personal responsibility for the safety
of our computer environment. There are several steps that can
be taken to properly protect against destructive software.
The term "Safe Computing" is more
than a catch phrase: it describes an unfortunate fact of life.
Users who do not practice "Safe Computing" will probably
have significant problems with destructive software. Even users
who rely strongly on their anti-virus software packages can be
devastated by the sudden appearance of a new threat, such as
the "Love Bug". How can you defend yourself when anti-virus
products fail?
NOTE: Users of InoculateIT may appreciate reading our Addendum to our basic InoculateIT install instructions. Requires
Adobe Acrobat.
Windows XP Professional:
Microsoft's
new Windows XP Professional introduces significant new security
technologies that can greatly limit the ability of viruses to
cause harm. Microsoft HAS begun to take security seriously with
the release of Windows XP Professional, and (to a certain extent)
Windows XP Home.
Users who are logged into XP Professional in
"Power User" mode do not have the ability to install
software. This can block the action of virus software, and may
be an ideal scenario for most office networks. Windows 2000 Professional
also has the "Power User" user type, with similar features.
This should not be viewed as a substitute to anti-virus software,
but simply an additional layer of protection for users.
1)
Get to know your computer.
Each computer has a basic pattern of "normal activity"-
Processes that take place when it starts up, runs certain software,
and shuts down. If your computer starts to react in unusual ways,
be suspicious.
One common clue that there is a problem is
your computer constantly connecting to the Internet without any
obvious reason. (This can also occur when opening a folder if
this is set: View menu, under Folder Options, in the "General"
tab. Press the "Custom Settings" button. Do not set
under "View Web Content in folders" to "for all
folders with HTML content", unless you like your computer
connecting all the time.) On a computer that is permanently connected
(such as on a LAN or a DSL connection), this connection is not going
to be obvious. However, a dial-up connection can be set to only
connect with a confirmation dialog. Go to My Computer, and open
it. Go to Dial Up Networking, and open the folder. Find the file
that contains your Internet access settings. Click twice on the
file. Remove the check for "Remember Password" (You
do know your Internet Connection password?). The next time you
start your browser to connect to the Internet, a dialog will
ask you for the Password. In this dialog are two check boxes:
"Remember Password" and "Connect Automatically
to Internet." You can check again the Remember Password
option, but remove the check from "Connect Automatically
to Internet". Your system will now present a confirmation
dialog before each Internet connection is made.
Probably the easiest way to examine the software
that is currently active on a Windows computer is to use the
key combination of Ctrl-Alt-Delete. Press all three keys at the
same time. Do it once, only. (Ctrl-Alt-Delete done twice should
restart the computer.) Windows XP will give a dialog box which
includes a Task Manager option. Open the Task Manager and examine
the "Processes" tab. With Windows 9x, a "Close
Program" dialog box similar to the one shown below should
appear:
Either the
Task Manager's "Processes" tab or Windows 9x "Close
Program" dialog will list all the currently active software
on your computer- including a possible destructive "virus"
program. You can use this display to examine each of the active
programs. A program that you are unsure about can be researched,
either on your computer (you can search for each item in the
Windows Key-F "Find" routine, and see if it appears
to be a reasonable item), or with an Internet search engine such
as Google,
Yahoo, Altavista,
or Lycos.
You can make this exam simpler by saving a "clean"
copy of the standard programs running on your computer. This
should cut down on the number of options that you may wish to
research. To save a copy of your Ctrl-Alt-Delete program list,
you can take screen shots from the dialog and save them in a
word processing document.
Taking Screen Shots to document
running programs:
To
take screen images, start by closing all open programs and folder
windows. Run your word processor of choice, such as Microsoft
Word, Word Perfect, or Works. Open a blank document. Now bring
up the Ctrl-Alt-Delete Close Program dialog by pressing those
keys together, once. Once the dialog box appears, take a picture
of the Active Window on the screen and place it on the Clipboard
(an area of memory for temporary storage of objects) by holding
the ALT key and pressing the Print Screen key once. (Alt-PrtScr).
Hit CANCEL to put away the Close Program dialog. Now click on
the blank document, and Paste (Ctrl-V) the screen image onto
the document. (NOTE: Word 97 users should use the Paste Special
function from the Edit menu, and remove the check box for the
"Float over text" option before each paste of a picture.)
Again, do Ctrl-Alt-Delete to bring up the Close Program dialog
box again. Scroll down to get the rest of the screen, and use
Alt-PrtScr again to capture the next screen. Again, use Cancel
to put the dialog box away, and paste this next screen into your
document. Continue until you have screen shots of all running
processes. Save the document with a descriptive name. You can
refer to this document when you need to examine any new programs
that may be running on your computer.
Please be aware that destructive Word "Macro
Virus" software such as "Melissa" uses Microsoft
Word as the tool for its destructive task. Therefore, there will
be no indication of new or destructive software in the Close
Program dialog for macro viruses that use other programs to do
their damage.
Also (thinking like a virus author) the program
that you unleash on a machine may have the same name as a standard
program that can appear in any user's Close Program dialog. Or
the virus may take over an existing program for its own dirty
work. Virus programs often take the place of legitimate programs
on your machine, making them very difficult to find and eliminate.
Still, if you are suspicious and watch a new or unusual program
appear in the Close Program list, you can have a good chance
of stopping a hacker's work before it can cause too much damage.
SubSeven: an example of a clever
disguise:
As of 4/26/00, anti-virus software was not
detecting the effects of backdoor, also known as subseven. This
is a Trojan Horse, and released a payload that is very complex
and can be easily modified to avoid detection. Anti-virus software
was detecting the virus in the Trojan file before the software
was run, but was not detecting the problem AFTER the payload
was installed and delivered. (This has since been corrected for
most anti-virus software.) Files that were infected included
msrexe.exe, and ipack.exe or clspack.exe running on startup.
Clspack.exe was a legitimate Windows program, but the program
replaced it with its own copy. The SubSeven program suite was
easily modified by an inexperienced person, so the individual
programs' names may change. SubSeven variants still exist, and
have been modified to become part of newer viruses. SubSeven remains
a very serious security problem.
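The baseline idea from step 1 (save a "clean" list of running programs, then compare against it later), written as a small Python script instead of screen shots. This is an added example, not code from the original page or from SoftProse Technology; the names Clspack.exe and msrexe.exe come from the SubSeven discussion above, while the paths and file contents behind the hashes are constructed. Recording each program's path and file hash as well as its name is what catches the case described above, where a legitimate program is replaced by a same-named copy.

```python
"""Baseline-and-compare for the Close Program / Task Manager list.

Record each running program's name, on-disk path and a file hash once
the machine is known to be clean, then compare later snapshots against
that baseline.  Comparing path and hash, not just the name, is what
catches a legitimate program replaced by a same-named copy.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    name: str    # image name, as shown in the Close Program dialog
    path: str    # where the executable lives on disk
    sha256: str  # hex digest of the executable's bytes


def fingerprint(data: bytes) -> str:
    """SHA-256 of an executable's bytes (here: constructed stand-ins)."""
    return hashlib.sha256(data).hexdigest()


def compare_snapshots(baseline, current):
    """Classify the current process list against the clean baseline.

    new      - names not present in the baseline (worth researching)
    replaced - same name as a baseline entry, but a different path or hash
    missing  - baseline entries no longer running (useful context)
    """
    base = {p.name.lower(): p for p in baseline}
    cur = {p.name.lower(): p for p in current}
    new = sorted(n for n in cur if n not in base)
    replaced = sorted(
        n for n in cur if n in base and (
            cur[n].path.lower() != base[n].path.lower()
            or cur[n].sha256 != base[n].sha256)
    )
    missing = sorted(n for n in base if n not in cur)
    return {"new": new, "replaced": replaced, "missing": missing}


# Constructed sample data: a "clean" snapshot and a later one.
_SYS = r"C:\WINDOWS\SYSTEM"
BASELINE = [
    ProcessRecord("Explorer.exe", r"C:\WINDOWS\Explorer.exe", fingerprint(b"explorer-clean")),
    ProcessRecord("Systray.exe", _SYS + r"\Systray.exe", fingerprint(b"systray-clean")),
    ProcessRecord("Clspack.exe", _SYS + r"\Clspack.exe", fingerprint(b"clspack-clean")),
]
CURRENT = [
    ProcessRecord("Explorer.exe", r"C:\WINDOWS\Explorer.exe", fingerprint(b"explorer-clean")),
    ProcessRecord("Systray.exe", _SYS + r"\Systray.exe", fingerprint(b"systray-clean")),
    # Same name and path as the legitimate program, but different bytes.
    ProcessRecord("Clspack.exe", _SYS + r"\Clspack.exe", fingerprint(b"clspack-swapped")),
    # A name that was not in the clean list at all.
    ProcessRecord("msrexe.exe", _SYS + r"\msrexe.exe", fingerprint(b"unknown-program")),
]


def demo():
    """Compare the constructed snapshots; names are reported lower-cased."""
    return compare_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

On a real machine the two lists would be filled from the running processes and the hashes computed from the files on disk; the comparison logic is unchanged.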
2)
Run Anti Virus Software, and Update It Often.
Anti-virus software can defend an enterprise on three different
levels: On each desktop PC, on a central Server computer, and
on a Communication system such as firewall, proxy server, or
SMTP device. Anti-Virus software can be run on each of these
three levels to fully protect an enterprise from a known threat.
The most common software in use is the classic Anti-Virus software
run on desktop computers or network servers.
To protect an entire office, software should
be configured to automatically load and update itself on each
network computer. Without this type of central distribution,
individual machines may lack updated protection and can expose
the entire network to a virus infestation.
Each of the products listed below is available
in network-wide packages, with automatic update options. Three
popular Anti-Virus packages include:
Norton Anti-Virus,
or NAV. This is perhaps the slowest program that you are
likely to run on your computer. Slow, because it appears to slow
all other software down. NAV has also been known to cause Shut
Down failures, and interferes with some programs. Due to severe
performance problems, the Norton Anti-Virus package is not recommended.
Many computers now come with an evaluation copy of NAV installed.
This evaluation copy normally "expires" the update
function in about two months. See "Why Update Anti-Virus
Software?" below.
McAfee
does not seem to interfere much with the computer's operation.
It also has a very complete function list. We have been pleased
with McAfee's performance. An evaluation copy of McAfee's Virus
Shield (Vshield) product is distributed with many computers sold,
and gives good basic protection. Their full Virus Scan product
is much more comprehensive. Updates are on a subscription basis.
McAfee products are not inexpensive. McAfee also offers "whole
office" protection systems, with automatic updates.
InoculateIT,
part of Computer Associates eTrust initiative and now known as
eTrust Antivirus v7, is available in both
Corporate ("workgroup") and personal versions. SoftProse
Technology, Inc. believes that eTrust with InoculateIT is the
best value and performance for anti-virus software available
to the industry. InoculateIT has reasonably priced solutions
for the entire enterprise, and does not appear to include significant
performance problems. See our
proposal for solutions for entire office networks.
Why Update Anti-Virus Software?
Whatever software is employed, it must include
a system to update it often. Anti-virus software that is not
updated may be WORSE than no protection at all- It would provide
just the illusion of protection. Most viruses do the most damage
in the first 72 hours, as they can fool virus protection software
until an update is available. Don't get caught without current
protection! For machines with a permanent connection to the Internet,
we suggest checking for new virus "definitions" every
four hours.
3)
Set Reasonable Defaults in the Anti-Virus Software. The software cannot find problems if
it does not examine the right type of file. Most Anti-Virus programs
are set to only examine programs. We suggest changing this default
to include documents as well. Both "Melissa" and the
"Love Bug" are contained by documents, not programs.
If you have an automatic scanning option, set it to run on a
weekly basis. Check the software periodically to ensure that
it is running properly. If the program includes an "automatic
update" feature, and you have made provisions (buying a
service plan, for example) to use this feature, confirm that
the update process is completing successfully.
4)
Say NO to Strange Email Attachments. This sounds simple, but is more difficult than
it seems. It happens; we have had bad experiences with Email
attachments ourselves. If you accidentally run one, and your
computer starts to act in a strange fashion, SHUT DOWN the computer
right away. (Pull the plug if it comes to that.) At this point
you may consider seeking professional help.
Email-delivered Trojans, Viruses and Worms can delete
your hard drive, send destructive copies to everyone you ever
sent Email to, take over your software to make more copies of
itself, erase or damage every document in your machine, install
software that sends every keystroke you type to unusual places
on the Internet, or permits others to control or observe your
machine without your knowledge. Some programs do ALL of these
things.
In our experience, America On-Line (AOL) is the single biggest
source of viruses, worms, and Trojan Horses. AOL has apparently
not taken significant steps to stop their messaging systems from
transmitting these programs.
A cutesy little "South Park" animation
which really is a disguised "Trojan" program can destroy
weeks of work, and may shut down your company server or message
system. Think about it.
"You are not paranoid if they really are out to get you."
5)
Protect Your Security.
If your computer's security is compromised by a hacker's program
(installed from a Virus, Trojan Horse, or Worm), change all your
passwords and take steps to protect personal information that
may be stored on that machine. For example, have you entered
credit card numbers on the computer? Inform your credit company
that there may have been a breach of your security, and change
your credit card numbers.
Common ways that hacker programs can affect
the machine include copying your bookmarks, cookies, and important
Windows system files to the hacker's own computer system. These
programs also specialize in Key Capture, where every keystroke
typed on the keyboard is copied to a file which is regularly
transmitted to the hacker. Take no chances- If the computer's
security is breached by hacker software, assume the contents
of the entire machine may have been compromised. Update your
anti-virus software, run scans, and work to protect yourself.
6)
IT Professionals Should 'Know Thine Enemy'. Persons responsible for security on office systems
should investigate hacker sites, such as cultofthedeadcow.com.
(Be aware that by visiting hacker sites, you may be setting yourself
up for some unusual "real life" hacking attempts...
Be prepared to flush your cache, browser software, or whatever
else is required if you must tour these web sites...) Constant
vigilance is the price of computer freedom. Don't take anything
for granted- Some of these hackers are extremely clever, and
the anti-virus software is absolutely not catching these problems
quickly enough. SubSeven (mentioned above) is from the Cult of
the Dead Cow.
7)
Keep "Macro Virus Protection" Active in Microsoft Word.
This is set under the Tools menu, Options, and the General tab.
Macro Virus Protection is a checkbox setting that will tell the
user whenever a document is opened in Word that contains a Macro
program. Most Word users do not use this macro feature, and should
avoid running Word macros. There is a software patch from Microsoft
for Word 97 and 95 that will stop software from turning off or
bypassing this check box automatically. One of the features of
macro programs such as "Melissa" is that it will turn
off this protection. Check periodically to see that the Macro
Virus Protection is still checked, as evidence of possible infection.
Note that with Office 2000, Word macro viruses are much less
likely to be a problem. Still, Word and Excel's macro system
(actually VBA, or Visual Basic for Applications, a subset of
the full Visual Basic programming language) can certainly support
all sorts of virus programs, and remains a source of concern.
A new "Signed Macro" option is available from Microsoft
for developers who would like to deliver macros with a certification
certificate.
8)
Keep a Sense of Perspective.
Practicing "safe computing" has been an important part
of the professional computer environment for many years. This
is nothing new, just on a greater scale. Microsoft has not responded
properly to the security threats presented by these malicious
programs, and is therefore also part of the problem. As long
as reasonable precautions are taken by users, you should be able
to eliminate or avoid most problems with viruses, worms, and Trojan
Horse programs. Your best defense remains awareness (not
running strange attachments, or being aware of problems if you do),
and having recently updated, good quality, anti-virus software.
10)
Apply Security Patches for Your Major Software. Outlook is most often attacked by these
new Worm programs. Microsoft releases frequent security updates
for Windows, Office, and their other software. Internet Explorer,
for whatever version, always has some security problem that must
be addressed. Microsoft.com
has several areas to download security patches for both their
software and those of selected vendors.
The "Windows Update" program, found
either in the Start Menu or accessible at http://windowsupdate.microsoft.com (you must
download a plugin to get the most recent version) is the easiest
way to discover important security updates for your computer.
Network administrators should also keep an awareness of these updates,
and make them available on the network. (Often this includes
an automated installation process.)
Operating system and Microsoft software patches
are often combined into large update collections known as Service
Packs. This is the simplest way to apply a large number of updates
at one time.
Note: Some "security patches" make
settings adjustments in the currently installed software. Some
of these adjustments may be unpleasant. Read the documentation
that accompanies these patches to better understand what effect
they may have on your system.
Microsoft's Responsibility For System Security:
SoftProse Technology,
Inc. strongly believes that attacks by worms such as the "Love
Bug", "Melissa", "SirCam", and "Klez"
indicate that there are areas of security in Microsoft products
that must be addressed by the company with software modifications.
Many concerns are resolved by the most recent versions of Microsoft's
software, including Windows XP Professional. (For example, running
the software logged into "Power User" mode gives reasonable
protection from most viruses.) However, Microsoft has had difficulty
in the past in responding to the security problems demonstrated
by the hacker community. They continue to have problems due to a
lack of a comprehensive defensive strategy for their operating
system software to prevent the most common avenues of successful
virus attacks.
Recent News- Microsoft may be
responding to these security issues in their "successor"
to Windows XP, code named "Longhorn".
Network World Fusion had an article on this.
Our suggested changes to Windows
software include:
Email Confirmation: The Windows operating system should
have a setting to require a confirmation before sending any Email
messages. This confirmation should be able to be turned off and
on at will for selected programs. The computer should not be
able to send out hundreds of Email messages without any notification
to the user.
Although Microsoft Outlook 2000 has the ability
to be protected in this manner with the installation of the SR-1a
(or higher) security update from Microsoft, this is NOT sufficient.
Defense against sending rogue Email messages should be a function
of the operating system (Windows) itself. New viruses don't need
Outlook anymore to send Email; they come with their own Email
system! Until the computer's Windows system software blocks this
means of virus transmission (such as requiring a warning message
before permitting any program to send Email), Microsoft software
will remain the preferred choice of 99.9% of all virus authors.
Software Access Confirmation: There should be a setting to require
a confirmation before major functions of programs such as Outlook
are accessed outside of the "user interface", as by
a program running in the background. Again, software (such as
a worm) should not be able to read the Outlook address books
without the ability to warn the owner of that material that this
action is taking place. This warning dialog should, again, be
able to be turned on and off by the user as needed. There should
also be a setting to permit authorized software to take a requested
action.
Although similar functionality to this is now
available for Outlook 2000 users with the SR-1a update or higher,
this function is implemented in a crude and confusing manner.
If Microsoft was serious about security, there would be an entire
interface system available to manage interactions between software.
Currently, there is only something close to chaos, with any protection
implemented in awkward and undesirable ways.
Software Interaction Log: There should be a log of all interactions
between Microsoft software, which could be read by anti-virus
software and used to detect or defend against possible attacks.
Again, this could be part of an overall Software Access Confirmation
system, described above.
With the release
of Windows XP, Microsoft has shown that it is able to respond
to users' concerns. However, their response has not been comprehensive
or complete, requiring third-party software to defend a computer
system that is unable, by its nature, to properly defend itself.
Until such time as defensive options such as
those described above are made available to the user base, all
Microsoft software including all versions of the Windows operating
systems can and will be subject to repeated attacks. These attacks
may be by relatively unskilled criminals and vandals working
with crude but effective tools. These tools are provided by Microsoft
itself, and by a growing hacker community.