The recent wave of “phishing” attacks was the primary subject of Brian’s Buzz on Windows in both my May 6 and May 20 issues.
In a phishing exploit, you receive an official-looking e-mail that appears to be from an online banking or financial site — perhaps one that you have an account with. The e-mail says you must “re-confirm” your account details. If you click the link in the e-mail, you’re sent to an official-looking Web page that’s actually controlled by thieves. When you type in your password or credit-card number, the hackers behind the site capture the information and use it to steal from your account.
In my previous issues, I emphasized that updating your antivirus program is the best way to keep these exploits from taking advantage of your PC. I also listed several other steps to protect yourself from phishers.
In today’s issue, I provide you with more detailed recommendations on “locking” your PC against intruders. There’s no foolproof configuration of Windows that can be guaranteed to protect you against new hacker exploits that may be invented in the future. But there are steps you can take to prevent your PC from being open for the taking.
The baseline security you need
It should be considered the scandal of the decade that the Microsoft Corp. — without vocal objections from most of the rest of the computer industry — allowed hundreds of millions of copies of Windows to be installed and connected to the Internet without firewalls, antivirus protection, or antispyware scanning. But that’s what happened. Now we need to go back and make sure that adequate protection is in place for our PCs and those of everyone else we come into contact with.
Why do we need all these layers of protection? Because the number of people who are now connected to the Internet has reached a critical mass that’s attracted organized crime. New exploits are discovered every day. The amount of money that can now be made by identity theft is making every PC user into a target.
How bad is the problem? One large Internet service provider (ISP), Comcast, normally sends out 100 million legitimate e-mail messages a day from its users. But so many users’ PCs have been silently infected by “zombie” programs that the legitimate flow is a tiny fraction of the total. Comcast sends another 700 million messages a day that are pure spam generated by the hackers who control the zombies, according to a May 27 article by Declan McCullagh in News.com.
Beware these widespread security myths
Before we delve into what I consider baseline security, I’d first like to review some security myths that have been widely circulated in various media.
- MYTH: The “lock” icon indicates an encrypted connection. This is false. As I explained in the May 6 issue of Brian’s Buzz, the “lock” icon that appears in the status bar of Web browsers can be faked. The widely used Internet encryption standard, SSL, supports a so-called plain-text mode, which isn’t encrypted. But the lock shows up anyway.
- MYTH: “https://” indicates that you’re at a legitimate site. This is unreliable. Hacker Web sites can, in some cases, replace your browser’s address bar with a fake one, which can show that you’re on any site they wish you to believe you’re on.
- MYTH: You can securely visit any financial site by manually typing in its address. This can’t be guaranteed. As I described in the May 20 issue of Brian’s Buzz, a Trojan horse program can change the meaning of Web addresses by writing a simple re-direction into your Hosts file. This file, which exists in both Windows and Linux as well as other operating systems, can make your browser go to a hacker site — perhaps obscured with numbers such as 1.2.3.4 — when you type in a legitimate address such as Citibank.com.
- MYTH: You can make Hosts and other critical files “read-only” to protect them. This is not helpful. Hackers can easily write programs to change the read-only status of a file without your knowledge or consent.
- MYTH: You can visually examine the Hosts file in Notepad before using a browser. This is wishful thinking. It’s possible for a rogue program to make an entry in the Windows Registry so that a file named something other than Hosts is used to re-direct you to a different Web site than the one you think you’re visiting.
- MYTH: You can use pull-down menus instead of passwords. Some online banking services, facing the phishing threat, have equipped their logon pages with pull-down menus that represent each character of a customer’s password. The idea was that the user would never actually type the password, so hackers couldn’t capture the string. This strategy has been defeated by phishers whose Trojan software now makes screen captures and sends them back to the hackers.
Hacker software now detects that a PC user is logging in to a Barclays account and screen-captures the portion of the window on which the drop-down menus are located. This reveals, over time, all the letters of the password. A sufficient number of letters may be sent back to the hackers after only one or two logins for them to access a particular account and send money wherever they like.
This exploit is explained in great detail in an article by Code Fish, an antispam site based in Australia that first analyzed the technique. (Note: The article shows in plain text a fragment of HTML that some antivirus programs incorrectly detect as a virus. The text cannot execute and therefore is harmless.)
According to Code Fish, the Trojan that captured all this information was programmed to send it back to hackers operating in Russia. The Wall Street Journal reported in its May 27 issue that a Russian phisher who calls himself “Robotector” — who may or may not be related to the technique described by Code Fish — has distributed Trojans that record passwords typed into more than 30 different online banks and payment Web sites. (This article doesn’t appear on the Journal’s free Web site, but a machine translation from a Spanish version of the article is available via the Google Translator.)
Do these successful attacks mean that things are hopeless and you can no longer use your PC for anything? Of course not. My previous advice to allow your antivirus program to continually update itself still stands. For example, Symantec’s antivirus technology has guarded against this attack since April 6. The company calls the little bugger “Backdoor.Nibu.D” and has posted a complete analysis.
SpoofStick is an example of what doesn’t work
This well-intentioned program displays in its toolbar the top-level domain name of the site the browser is currently visiting, even if the name is obscured using numerals or other browser tricks. In the picture, for example, the user is visiting virage.com.
Unfortunately, SpoofStick will do nothing to detect the typical Trojan horse that captures your passwords or credit-card number while you’re visiting a legitimate site. Customers of Barclays Bank, as described above, actually are visiting the genuine Web site of the bank when they log on. Hackers who’ve planted Trojan horses on users’ computers are able to capture their keystrokes (or collect pictures of the logon screens) despite that fact. SpoofStick will blithely assure you that nothing is wrong.
In other words, your browser’s address bar can say you’re at https://www.paypal.com, and SpoofStick will dutifully report to you that you are, in fact, on PayPal.com. At the same time, a rogue program can be recording your passwords and sending them back to Russia or wherever.
It’s astounding to me to see the list of ordinarily sensible computer journalists who’ve endorsed this simplistic and misleading program. The add-in may at first glance seem to be effective, but it’s more likely to give you a false sense of security.
The important question isn’t, “What site am I on?” The important question is, “Is my computer running spyware that’s capturing my passwords?” This question can only be answered using up-to-date antivirus and software firewall programs, as discussed below.
The development of SpoofStick was undoubtedly sparked by a bone-headed flaw that was recently found in unpatched versions of Internet Explorer. This coding error caused the browser to display specially crafted site names wrongly in its address bar. A phisher could embed the ASCII characters 00 and 01 and an “at” sign (@) in the middle of a Web address. When such a link was clicked, Internet Explorer displayed whatever characters appeared before the ASCII string (such as www.citibank.com). The characters after the string (usually a hacker site’s numerical address, such as 1.2.3.4) were not shown.
Microsoft released a “critical update” on Feb. 2 that corrects this behavior in Internet Explorer 5.01, 5.5, and 6. The patch is described in security bulletin MS04-004. (Note: The patch has negative side-effects that you should correct using the information in Microsoft Knowledge Base articles 832414 and 831167.)
Educating users about MS04-004 is a better way to eliminate phishing attacks that obscure the true address of sites visited in a Web browser — not promoting a free utility that’s superficially attractive but ultimately unreliable.
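To make the address-bar trick concrete from the defender’s side, here is an added example (not code from the original newsletter) that parses a link the way a browser must and reports where it really connects; the sample links and the brand names in them are constructed.

```python
"""Expose the real destination of links built with the pattern behind
MS04-004: decoy text, a control character, then '@' before the actual host.
Added example, not from the original newsletter; sample links are constructed."""
import re
from urllib.parse import urlsplit, unquote

HOSTLIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")
CTRL = "control character hides the real host"
DECOY = "decoy text looks like a host name"
BARE_IP = "real host is a bare IP address"

def analyze_link(url):
    """Return (decoy, real_host, reasons).

    decoy is the decoded text before '@' in the authority, which unpatched
    IE 5.01/5.5/6 displayed as if it were the site name; real_host is the
    host the browser actually contacts. reasons is empty for a plain link."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    if parts.username is None:            # no '@' in the authority part
        return None, real_host, []
    decoy = unquote(parts.username)       # turn %01 back into the raw byte
    reasons = []
    if any(ord(ch) < 0x20 for ch in decoy):
        reasons.append(CTRL)
    if HOSTLIKE.search(decoy.lower()):
        reasons.append(DECOY)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", real_host):
        reasons.append(BARE_IP)
    return decoy, real_host, reasons

def is_spoofed(url):
    """True when the text before '@' imitates a site name or carries control bytes;
    ordinary user:password@host links (e.g. FTP) are left alone."""
    return not set(analyze_link(url)[2]).issubset({BARE_IP})

# Constructed samples: the MS04-004 pattern twice, a plain link, and a
# legitimate FTP link with credentials that must not be flagged.
SAMPLES = [
    "http://www.citibank.com%01@1.2.3.4/login",
    "http://www.citibank.com\x00@1.2.3.4/",
    "https://www.paypal.com/cgi-bin/webscr",
    "ftp://anonymous:guest@ftp.example.com/pub/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        decoy, host, reasons = analyze_link(link)
        print(f"{host:18} spoofed={is_spoofed(link)!s:5} {'; '.join(reasons)}")
```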
Set your defenses up to lock attackers out
The basic, minimum defenses that every Internet-connected PC needs are a hardware firewall (especially for broadband connections), a software firewall (for all connections, especially wireless), an antivirus program, a spyware scanner, and an antispam filter.
Whew! That’s some list. Let’s leave aside for a moment how the computer industry so badly mismanaged its business that its primary product — the PC — is actually dangerous to its users unless professional-level customization is performed. For now, let’s just check out the components of this protective constellation of add-on products we need.
PC World in its June 2004 issue published a remarkably comprehensive series of reviews of each of these categories. I list their Best Buy awards below, and provide a link to each article on the Web that explains the magazine’s evaluation:
Software Firewalls
• Zone Labs ZoneAlarm Pro 4.5 ($50) or
• Trend Micro PC-cillin Internet Security 2004 ($50)
Antivirus Program
• Trend Micro PC-cillin Internet Security 2004 ($50)
Antispyware Scanners
• Lavasoft Ad-aware 6 Plus ($27) and
• Spybot Search & Destroy (free)
Antispam Filter
• Cloudmark SpamNet ($48/yr.)
Hardware Firewalls
PC World’s June 2004 issue didn’t give a Best Buy to any hardware firewall, but a review in its December 2003 issue recommended the following:
• Linksys’s BEFSR41 or
• D-Link’s DI-704P (each under $50)
In addition, the April 2004 issue of PC World carried an excellent, step-by-step guide on how to securely lock down your PC. I recommend that you read this and follow the steps that are appropriate for your PC.
Two new types of antivirus software that you may have heard about include heuristic programs and sandbox programs. Both offerings attempt to prevent virus attacks that have never been detected before, unlike signature-based antivirus approaches.
PC Magazine in its June 8 issue reviewed two products in each category. At this time, they aren’t strong contenders for your security baseline. “Today’s heuristics cannot be an effective tool on a single-user PC,” the magazine wrote, although one product, GFI Mail Security for Exchange/SMTP 8.0, received good remarks for its performance on high-end servers. Furthermore, “We can’t recommend even supplementing your protection with either of the sandbox products,” the review said.
Administrator versus User
Once the security baseline products described above are working for you, you can stop and ponder what your ideal defensive posture would be.
Couldn’t you set up a User account, in Windows 2000 and XP Pro, that has little or no ability to install software? (In XP Home, this is called a Limited account.) If you used this account most of the time, any virus you accidentally ran would be deprived of the ability to install itself. You could reserve the use of your Administrator account for rare events — only to install applications and perform other tasks that require a high degree of privilege.
Microsoft has a document that describes just such a strategy. Released in January 2002, not long after Windows XP shipped, the article proposes a series of “software restriction policies” that would run on XP and Windows Server 2003. These policies would allow trusted programs to run but prevent malware from running or affecting a PC at all.
Unfortunately, there are very few commercial programs that can operate today in Windows if a plain old User account is used most of the time rather than an Administrator account.
In an April 2004 article written for the Microsoft Developer Network, security consultant Keith Brown points out, “you can’t install 90 percent of today’s software unless you’re an administrator,” adding, “70 percent of software won’t run properly unless the user is an administrator, and that’s an optimistic number.”
The User/Administrator switcheroo isn’t yet supported well enough for it to be completely reliable for most individuals and companies. It may be possible if you run nothing but Windows and Microsoft Office applications. But many people run independent applications that make a pure, User-only approach unrealistic.
Protecting your Hosts file
If the User/Administrator method worked 100% of the time, you could use this technique to protect your Hosts file from alteration by malware. As we saw above, a Trojan horse can change the Hosts file found in Windows and Linux to make your browser go to an official-looking hacker site while your browser’s address bar displays the name of the legitimate site you typed in. Wouldn’t running a User account all the time prevent the re-writing of the Hosts file?
Fortunately, the tools in the security baseline described above are sufficient to protect critical files without having to wait for Microsoft to get most applications to work correctly with User/Administrator configurations.
ZoneAlarm, one of the products recommended by PC World, above, added a “Hosts file lock” to its software firewall protection in version 4.5.530.0 last November.
Spybot, another widely recommended product, also has a feature that locks the Hosts file against malicious changes. You set the program to Advanced mode, then navigate to “IE Tweaks” and turn on “Lock Hosts File.” Spybot also can create its own, protected Hosts file, which eliminates browser access to known hacker Web sites.
Articles about Windows’ default Hosts file can be found in the Computing.net forum. The way Spybot uses the Hosts file is described in a NetworkClue.com article.
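Locking the file is the prevention step; the check below is the matching audit for the Hosts-file redirection described in the myths section and in this one. It is an added example, not code from the original newsletter or from Spybot or ZoneAlarm; the sample file contents and the list of sensitive names are constructed. Because a rogue program can point Windows at a differently named file through the Registry, audit the file named by the TCP/IP DataBasePath value rather than assuming the default location hard-coded here.

```python
"""Audit a Windows Hosts file for entries that redirect or block bank and
payment sites. Added example, not from the original newsletter; the sample
contents and SENSITIVE_NAMES are constructed."""
import ipaddress

# Names the user actually types for banking and payment sites (constructed).
SENSITIVE_NAMES = {"citibank.com", "www.citibank.com",
                   "paypal.com", "www.paypal.com"}

# Constructed sample: one Spybot-style block entry and one planted redirection.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.known-hacker-site.example   # block entry (loopback)
1.2.3.4         citibank.com www.citibank.com   # redirection planted by a Trojan
"""

def parse_hosts(text):
    """Yield (address, name) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def audit_hosts(text, sensitive=SENSITIVE_NAMES):
    """Return [(address, name, reason)] for entries the user should question.
    A bank should never appear in Hosts: a non-loopback address sends the
    browser to an impostor while the address bar shows the real name, a
    loopback address silently blocks the site, and an unparseable address
    field suggests tampering. A localhost entry must stay on loopback."""
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if name in sensitive:
            what = "blocked" if addr.is_loopback else f"redirected to {address}"
            findings.append((address, name, what))
        elif name == "localhost" and not addr.is_loopback:
            findings.append((address, name, "localhost no longer loopback"))
    return findings

def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit an on-disk Hosts file (default: the usual Windows location)."""
    with open(path, encoding="latin-1") as fh:
        return audit_hosts(fh.read())

if __name__ == "__main__":
    for address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:20} {address:15} {reason}")
```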
What’s the perfect answer?
The perfect answer to all of Windows’ security needs isn’t yet available, but with a collection of tools from a variety of vendors, the operating system can be locked down fairly tightly against hacker intrusions. In future issues of Brian’s Buzz, I’ll review the security improvements offered by Service Pack 2 for Windows XP, which reportedly may be released as early as June 15, and Longhorn, Microsoft’s next-generation Windows, which isn’t expected until 2006.
I’d like to thank all my readers who sent in comments on the latest phishing exploits, and especially James Zall, Ferrell Hurst, Burton Strauss III, and Marc Erickson for their help with this topic. They’ll receive gift certificates good for a book, CD, or DVD of their choice.
To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate, too, if you’re the first to send me a tip that I print.