Friday, 20 March 2015

Attacks & Vulnerabilities: Understanding Computer Security

Spam

James Hunt imparts some essential information about malware

There are many ways that your computer can be attacked, and part of stopping yourself from becoming a victim of malicious or fraudulent activity is knowing how your computer might be targeted, what might be targeting you and why they might be doing it. Although it's common to hear terms like malware, spoofing, phishing and more, it's not always clear what they mean or why they're a problem. Hopefully with this article we can change that for you.


Malware


Perhaps the most frustrating security issue affecting modern computer users is malware. Short for 'malicious software', the term covers any program deliberately designed to interrupt normal computer operation. Viruses, trojans, worms, keyloggers, spyware, ransomware, adware: they can all be placed under the umbrella term of malware, because they're programs that have purely negative effects for the system they're installed on.

The strategies and techniques malware employs are hugely varied. At the least problematic end of the spectrum are programs simply designed to vex or irritate a user. At the opposite end you might find software that tries to directly steal your credit card details for fraudulent purposes. And between those you get programs that try less direct attacks: adware that redirects your searches or displays pop-up ads to earn referral fees, or keyloggers that attempt to steal your personal data it can be sold in bulk to spammers. Some programs don't target you at all and instead co-opt your system resources into a botnet so it's part of a wider attack against another system. The programs may hide in the background so you don't notice them at all or appear up front so you have no choice but to engage with them.

The sheer amount of malware in the wild makes it the single biggest threat to computer users. Anti-virus programs, anti-malware suites and firewalls are all needed to prevent the installation of malware on a system and help remove malware when it gets installed. Most malware uses a combination of exploits and social engineering to get installed without the user realising, whether that means employing a malicious website script to run software without user permission or ambiguous phrasing on a dialogue box so the user inadvertently agrees to install it.

The quantity and complexity of malware means that the only way to prevent a computer from ever getting any is to not connect it to the internet and never use any removable media, which is obviously impractical. Installing the relevant countermeasures is essential, and learning to spot the signs of a malware infection -unusually slow operation, strange browser behaviour and unexplained processes - is essential. Alternative operating systems such as Linux are far less vulnerable to malware and may also be worth considering if you want more protection than an anti-virus program alone can provide.

Spoofing


The word 'spoof' means to forge or imitate, and that's exactly what this sort of attack does. Whether by stealing credentials or broadcasting fake information, a spoof attack tries to trick a system into thinking the attacker is something it isn't.

Perhaps the most popular form of spoofing is phishing (pronounced 'fishing'), in which an attack website gives the impression of being an official outlet - perhaps for an email provider or bank. By copying a site's design and/or imitating the site's URL, phishing websites steal your personal data by trying to make it seem as though you're entering it into an official site. The most sophisticated of these websites may even redirect you to the actual site after you're done, so you won't even notice they've stolen your details!

Common phishing targets include eBay, PayPal and online banking systems - anything that involves access to money. You're usually sent an email or message that claims your account has been disabled or breached, and that entering your login details is the way to unlock it.

An even more sophisticated version of phishing is called 'pharming' (pronounced 'farming'), which involves editing your system's hosts file (or otherwise intercepting DNS requests) so even valid attempts to visit a website redirect you to a fake server.

Other types of spoof attack may involve an attacker cloning your MAC address so a network thinks you're connected to it or stealing an active session ID by monitoring your traffic so a server believes you're still accessing the site even after you've left it.

In all cases, the best way to avoid spoofing attacks is to be vigilant. Log out of websites manually so session IDs expire instantly and become useless, ensure that networks are protected by more than just MAC filtering, and don't trust emails and websites that try to get you to reveal personal information so they can 'help' you recover an account. Resetting a password will never require you to input more than one or two pieces of information for verification purposes, and if you're told that your account has been locked for security reasons, then try to speak to a human at the company in question to make sure it's true before you attempt any unlock process.

Social Engineering


An interesting quality of security breaches over the last decade and a half is that the delivery vectors haven't really become any more sophisticated. Attacks still rely on the same combination of minor rights exploits, filetype obfuscation attempts and drive-by tactics that were spreading viruses as far back as the late 90s. The difference between modern security threats and those of the past is that today, they don't attempt to trick the system; they attempt to trick the person using it.

The rise in prominence of ransomware is a good example of how social engineering has been a success for hackers. Rather than relying on a mechanical search for credit card details, like early viruses might have, or employing a discreet keylogger to hide on your system and wait for the information it needs, ransomware throws itself in the user's face, saying 'pay now or your data will be gone forever', playing on fears and anxieties to extract your money.

Any attack that targets the human element of a system instead of the computer itself is said to use 'social engineering'. This can mean anything from a malicious website pop-up trying to trick you into revealing your passwords 'for security reasons' to sending you a letter in the post asking you to complete a survey with personal details. Social engineering abuses people's trust to get the information attackers need.

It's popular, because while systems can be instantly reconfigured to blacklist websites, block filetypes and filter out emails, it can take years to educate people once a threat becomes common. The sheer scale and apparent success of the Microsoft Tech Support Phonecall scam is a good example of that: rather than exploiting a security hole that could be closed in seconds once a fix was found, the scam works by tricking people into manually installing malware for the attackers, and years after it was first revealed it continues to succeed often enough that the scam hasn't yet died out.

On one level, the increasing reliance on social engineering might actually be cause for celebration. If computer security has become so effective that it's now less effort to manipulate people than software, then that means we're only one step away from some huge victories. To stop social engineering from working, all we have to do is educate people about it and make it as difficult to exploit users as it is to exploit their machines.

Easier said than done, perhaps, but at least it's a goal that feels achievable. It's unlikely malware will ever completely go away, but between more secure systems and better-educated users, progress is definitely being made.

Exploits


Although it's not the only way to install malware, a considerable amount of malicious programs attempt to enter a user's system without them realising. And while there are several techniques that allow this to happen, the most common way is through an 'exploit'.

As the name suggests, exploits use opportunistic techniques to install software on the target system. Normally, this is a security hole such as a memory overrun or a credentials leak, which allows a script or program to execute code that would otherwise be prohibited. This code can then install the software as if it had received permission from the user to do so. It may not be as direct as this, but once the initial incursion into a system has been made, it becomes simpler for programs to elevate their permissions to the point where malware can be installed.

Due to their unintentional nature, when an exploit is discovered in a piece of software, it tends to be repaired quickly. This is why updating software is crucial to maintaining security. Exploits are occasionally brought to developer's attention by 'white hat' hackers, who find them before they're employed by malware creators, but it's more common for an exploit to only be noticed once a piece of malware that uses it is released into the wild. Exploits that have just been discovered and not yet patched are known as 'O-day' exploits and are highly prized by hackers, because they're difficult to protect against.

Although the process of locating and repairing exploits is well out of most users' hands, it's possible to reduce the effectiveness of exploits by keeping software up to date. You may wish to enable automatic updates to programs that support the feature or employ a program like SuMo, Secunia PSI or FileHippo Update Manager to find instances where your software is out of date. The only way to prevent exploits being used is to ensure that they're unavailable when hackers try to employ them, and keeping your software current is the best way to do that.

Denial Of Service Attacks


As the name suggests, a denial-of-service attack is an attempt to make a site or service unavailable to its users through malicious means. The most common way this is achieved is by 'flooding' the target with huge amounts of requests and traffic so it becomes unable to respond normally. In the worst cases, the overload may even force the server to go down completely.

It's possible to launch a denial-of-service attack against a single computer, but they're more frequently aimed at large organisations and employ zombie computers and botnets to launch the attack. A zombie computer is a system - normally an ordinary home PC - which has been infected with malware that allows remote control of its functions, normally without any other negative effects. During a DOS attack, the system can be instructed to send requests and traffic to the target site automatically.

Although one zombie PC isn't necessarily much of a problem for even a small server, when hundreds or even thousands are linked together, the traffic can quickly become overwhelming. When this many zombie PCs are instructed to act in unison, the result is called a 'botnet'. Botnets are hard to block because the traffic comes from hundreds of sources, which have the appearance of completely normal systems. You may sometimes see DOS attacked referred to as 'DDOS attacks', where the extra D at the start means 'distributed', as in 'distributed across many systems' - although other forms are now so uncommon that it can usually be taken as read than any attack is a distributed one.

Even though individuals are rarely the target of denial-of-service attacks, the way they co-opt regular systems means it's important to maintain your system's integrity to ensure you don't become part of a botnet. If nothing else, it could open your system to further breaches and result in you being banned by your ISP and/or the target website due to a failure to control your system properly.

Spam


Many of the threats in this article are mercifully uncommon on a day-to-day basis, but spam is something we deal with on something like an hour-to-hour basis. If you use a good mail client, most of it will be filtered away - but no mail client has a 100% success rate.

Although spam itself is usually more of an irritant than a danger, it isn't universally so. While the days of spam being used to deliver malicious code are more or less behind us thanks to improved mail servers and detection techniques, the majority of adverts delivered by spam are still connected to legally dubious activity and should be entirely ignored.

Even opening a spam email remains a bad idea, because it may use the same tracking techniques as legitimate marketers to see whether you read the emails. If you do, your address is marked as active, and the mailer is more likely to resell it to other spammers. This is why it's a good idea to delete any spam emails unread: the more you look at, the more you get and the greater chance you have of being fooled in some way.

Like DOS attacks, one of the bigger problems with spam isn't necessarily being on the receiving end: it's that your PC might end up sending it instead. Spammers use botnets to avoid having their communications blocked by mail servers looking for high quantities of spam from individual servers, so if your PC has been co-opted by a botnet, you might find that you're one of the people sending the spam you hate to receive, which can again result in negative sanctions from your ISP or email provider.

Dealing with spam is simple: ignore it, delete it, and trust the judgement of any filter that marks mail as malicious. Reducing the amount of spam you get is difficult, but you can keep a tighter rein on it by making sure your email address is kept private. If you post it in forums or leave it public in blog posts, web-crawlers will find it and sell it to spammers. You'll always get some amount of spam, if only through spammers who simply guess at addresses, but the less free your are with your contact details, the lower your chances of becoming a target for spammers.