Internet Security Zone Blog

Security and Medieval Times

We like using analogies here to explain security principles. For example, to explain why your firewall must truly protect every port and pass every leak test, we point to a car with only 3 of its 4 doors locked. How safe is that? The same analogy works for explaining why you need a complete security suite, not just antivirus.


Sky King, our fearless leader for ZoneAlarm development, likes to use a different analogy to point out the value of multiple layers of security. Let's say you want to build a castle in medieval times. First, you build on top of a hill. That way, as attacking forces approach, you stop a lot of them as they climb, perhaps with trained archers and elves (sorry, I sometimes get Lord of the Rings and "real" history confused). Next, the forces of Saruman have to cross a moat (water, spikes, more arrows), scale a wall (hot oil from above) or break through a gate (heavily fortified), defeat the forces in the towers and on top of the walls (hand to hand), and only then enter the center of the castle. By then, you will have defeated all of the dark forces (mixing metaphors with Star Wars) and can live in peace. It's probably a good idea to add intelligence services to catch spies who slip in unnoticed (James Bond movies are cool, too) or to use your spider-sense (couldn't resist).


The moral of the story? No single layer of defense is perfect or sufficient by itself; each layer only has to deal with what the previous ones let through. Some fun sites on medieval castles include http://en.wikipedia.org/wiki/Castle, http://www.castles-of-britain.com/castleso.htm, http://tolkiengateway.net/wiki/Battle_of_the_Hornburg.

Posted by gableman on September 21, 2007 at 11:35 AM in PC Security

"Fake" Security

I'm sure you've seen them -- those pop-up ads that make scary claims:

YOU MAY BE INFECTED!
CLICK HERE TO CLEAN YOUR SYSTEM NOW!

I just ran across one: a friend hit this site, was convinced he was infected, and asked how to remove the infection.

My friend wasn't infected. It was a fraudulent anti-virus scan with fake results. This is often called "scareware", and it amounts to using fear to sell products. In fact, many of these products cause more serious problems when you actually install their "fix" for the fake infections.

There are a couple of types of these cons:

  • The user is dropped on a fake anti-virus/anti-spyware scan that "detects" infections that do not exist
  • The user is told their computer is not running properly and should download software X to fix it
  • The user is told their activities are being monitored and recorded, and should click here to prevent it

Here is a screenshot that shows one of these scanners apparently finding "errors":

[Screenshot: the fake scanner listing "errors" it claims to have found]
In truth, this computer has none of these errors; the display is a simple ploy to get you to install their software. This type of fraud is so common that this particular scanner has its own Wikipedia entry: WinFixer

Here are some of the more interesting quotes:

They display false information with regards to a user's computer, thereby confusing said user into believing their PC is infected with viruses, spyware and/or other forms of malware.

Due to these problems, WinFixer and its sister applications are generally considered scareware spyware.

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court.[9] KTVU (Channel 2 in Oakland, CA) carried a special report you can view at http://www.youtube.com/watch?v=zBUZHiKhsog.

The best way to protect yourself from these types of scareware attacks is simple: only install or buy software from companies that are well respected and that you trust. If you aren't sure, use Google to do a quick background check on the company and see what it turns up.

ZoneAlarm products with OSFW (OSFirewall) also help here. To survive a reboot, this scareware often registers itself to start with Windows by writing to this autostart key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Any process that attempts to write to or change this key and is not on our SmartDefense Advisor approved list triggers a security alert. The alert below shows me changing the Run key by hand using the Registry Editor:

[Screenshot: OSFirewall alert on the Run key change]
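The same check can be done by hand on a machine that has no OSFirewall, by exporting the Run key and comparing each entry against a list of programs you recognise. The script below is an added example (not ZoneAlarm's code and not the SmartDefense Advisor list): it parses a constructed `reg export` of the Run key, treats anything not on an assumed approved list as a finding, and adds two practitioner heuristics, autostart entries that run from temp or per-user profile directories and names that imitate Windows system binaries with digit-for-letter swaps. The WinFixer and "Update" lines in the sample are invented for the example, not real indicators.

```python
"""Audit the HKLM Run key from an exported .reg file and flag entries that
are not on an approved list (an offline stand-in for the OSFirewall check)."""
import re
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Approved autostart programs, by full lower-cased path (assumed list, not ZoneAlarm's).
APPROVED = {
    r"c:\program files\zone labs\zonealarm\zlclient.exe",
    r"c:\program files\analog devices\soundmax\smax4pnp.exe",
}
# Autostart entries living in scratch or per-user directories deserve a look.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")
# Names that malware likes to imitate with digit-for-letter swaps (svch0st.exe).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed sample of `reg export` output (the WinFixer and Update lines are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"WinFixer2005"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\wfx.exe\" /autorun"
"Update"="C:\\WINDOWS\\svch0st.exe"
'''


@dataclass
class Finding:
    name: str            # registry value name
    exe: str             # program the entry launches, lower-cased
    reasons: list = field(default_factory=list)


def _unescape(value: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_key(reg_text: str) -> dict:
    """Return {value name: command line} for the Run key only, ignoring other keys."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key:
            m = re.match(r'^"(.+?)"="(.*)"$', line)
            if m:
                entries[m.group(1)] = _unescape(m.group(2))
    return entries


def executable_of(cmdline: str) -> str:
    """Program path from a command line: the quoted part, else up to the first .exe."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)].lower()
    m = re.match(r"(.+?\.exe)", cmdline, re.IGNORECASE)
    return (m.group(1) if m else cmdline.split(" ")[0]).lower()


def audit(reg_text: str) -> list:
    """Return a Finding for every Run entry that fails at least one check."""
    findings = []
    for name, cmdline in parse_run_key(reg_text).items():
        exe = executable_of(cmdline)
        f = Finding(name, exe)
        if exe not in APPROVED:
            f.reasons.append("not on approved list")
        if any(d in exe for d in SUSPECT_DIRS):
            f.reasons.append("runs from a temp/profile directory")
        base = exe.rsplit("\\", 1)[-1]
        if base not in SYSTEM_NAMES and base.replace("0", "o").replace("1", "l") in SYSTEM_NAMES:
            f.reasons.append("name mimics a Windows system binary")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f.name}: {f.exe} -> {', '.join(f.reasons)}")
```

Run it against `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on the machine you are checking; the same key also exists under HKEY_CURRENT_USER, so export and audit that one too.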

Posted by jono2u on March 21, 2007 at 12:27 PM in PC Security

Using the Z100G Remote Desktop

The Z100G has a built-in function that allows you to connect to a PC behind (and protected by) the Z100G through its management interface.

Here's how it works:

  • First, you enable Remote Desktop on the target PC (under Control Panel | System)

[Screenshot: enabling Remote Desktop on the target PC]
  • Next, you connect to the target PC through the Z100G. The Z100G uses a dynamic DNS service so you can find it when you are away from home.

[Screenshot: the Z100G remote access page]
  • Last, you select the "Remote Desktop" link and it launches a new window showing your remote PC's desktop

The login to the Z100G and all communication with the remote PC are encrypted inside an SSL tunnel. Note what that means: the management login is the only thing between the Internet and that desktop, so its password deserves the same care as the PC's own.

Here are more technical details from the Z100G PDF:

The Remote Desktop Protocol (Microsoft RDP) uses TCP Port 3389. You do not need to create specific firewall rules to open this port on the gateway: the port is opened dynamically between the remote desktop client and the server host as needed. This means that the port is not exposed to the Internet, and you can use the remote desktop feature without compromising your security.

Posted by jono2u on January 15, 2007 at 02:55 PM in PC Security

How Hackers Puddle-Jump through Networks

We know that home PCs are often hijacked to send spam. We know they are often pilfered for personal data. Did you also know that home PCs are sometimes used as "middlemen", or proxies, to hide the source of an attack?

It works like this: an attacker picks a target network or PC to hack and, at the same time, wants to cover their tracks. To do that, they connect through multiple systems before attacking the target, a technique often called "puddle-jumping". This makes tracking them down very difficult: even if the targeted company or person identifies the computer that attacked them, that system is quite often just one link in a chain of systems leading back to the attacker.

This posting explains how the scheme works and provides a great diagram showing how an attacker might bounce through different systems and networks before reaching the target. To actually find and apprehend the attacker, an investigator has to obtain logs from each of the machines involved and match the sessions up hop by hop, something very difficult even for law enforcement using subpoenas and other legal tools, since a single hop whose owner keeps no logs, or whose ISP never answers, ends the trail.
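What that hop-by-hop matching looks like, as an added example that is not part of the original post: each host's inbound-connection log is a constructed list of sessions (start, end, who connected in), and the trace walks upstream by asking, at each hop, which inbound session was already open when the outbound attack session started and still open when it ended, since only such a session could have carried it. The addresses are from documentation ranges and the times are invented; the last hop has no log, which is the point the post makes about how the trail usually ends.

```python
"""Walk a chain of hijacked hosts back toward the attacker using each host's
inbound-connection log. All logs below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: int   # seconds since midnight (constructed)
    end: int
    src: str     # who connected in
    dst: str     # the host whose log this is


# One list per host whose log the investigator managed to obtain. Public IPs are
# RFC 5737 documentation addresses; every address and time here is made up.
LOGS = {
    "target.example.com": [
        Session(38400, 39300, "203.0.113.8", "target.example.com"),   # the attack session
    ],
    "203.0.113.8": [   # first hop: a hijacked home PC
        Session(36000, 42000, "198.51.100.5", "203.0.113.8"),
        Session(39000, 39600, "192.0.2.77", "203.0.113.8"),           # unrelated: began too late
    ],
    "198.51.100.5": [  # second hop
        Session(35400, 42600, "192.0.2.140", "198.51.100.5"),
    ],
    # 192.0.2.140: no log obtained (the ISP never answered), so the trail ends there
}


def inbound_during(sessions, start, end):
    """Inbound sessions open for the whole [start, end] window: only those could
    have carried an outbound session spanning that window."""
    return [s for s in sessions if s.start <= start and s.end >= end]


def trace_back(logs, victim, attack_start, attack_end, max_hops=10):
    """Follow the chain upstream from the victim.
    Returns (hosts found, in order away from the victim; why the trace stopped)."""
    chain, host, start, end = [], victim, attack_start, attack_end
    for _ in range(max_hops):
        if host not in logs:
            return chain, f"no log obtained for {host}"
        candidates = inbound_during(logs[host], start, end)
        if len(candidates) != 1:
            # zero: the hop's log is incomplete; several: ambiguous without more data
            return chain, f"{len(candidates)} candidate upstream sessions at {host}"
        s = candidates[0]
        if s.src == victim or s.src in chain:
            return chain, f"loop through {s.src}"
        chain.append(s.src)
        # the next hop must have been carrying this whole session, so widen the window to it
        host, start, end = s.src, s.start, s.end
    return chain, "hop limit reached"


if __name__ == "__main__":
    chain, reason = trace_back(LOGS, "target.example.com", 38400, 39300)
    print(" <- ".join(["target.example.com"] + chain), "| stopped:", reason)
```

The window widens at every hop (the upstream session must enclose the downstream one), which is why long chains quickly become ambiguous: the more hosts between you and the attacker, the more unrelated sessions overlap the window you are asking about.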

What's the best plan? Obviously, securing your own system so it can't be turned into one of these "attack proxies" is the best idea.

Posted by jono2u on October 26, 2006 at 01:04 PM in PC Security

Anonymous Searching

The recent AOL search record disclosure caused quite an uproar, much of it directed at AOL for releasing what many people consider "sensitive" search information. The New York Times even put a face to a number, figuring out who searcher No. 4417749 was and interviewing her about her search data.

But many of the articles overlooked the core problem. While AOL releasing search data is concerning, the fact that search companies maintain, retain, and mine this data is the real issue. The AOL disclosure did let many people see what the search data looks like (what have you typed into Google lately?) and how it provides a very focused view of the person searching.

I'd even suggest search data gives a better view into the interests, and even the mind, of a person than their web browsing behavior. Web browsing mostly consists of following links from one page to another, while search data is direct input typed by the person. Instead of a trail of pages, search data can almost show what a person is thinking.

If you would like to prevent any search company from having this kind of insight into your search information, this might be a way to do it:

How to anonymize your search:

  1. Install the Greasemonkey extension for Firefox and restart Firefox.
  2. Review the information on this page and install the script (with Greasemonkey enabled). Firefox will show a pop-up warning that you are about to install a script; select "Install".

Once you have this working, your search queries will be routed through blackboxsearch.com. Black Box Search claims:

"no IP, no tracking cookies, no logging - EVER!"

However, there isn't much corresponding information to support this claim, and you are taking the site's word for it rather than Google's. So this is obviously not a product endorsement, just another option, one that doesn't use the omniscient Google cookie.

Posted by jono2u on August 24, 2006 at 02:02 PM in PC Security

Someone on your WIFI? Turn them Upside-down

Some people leave their WIFI open to let neighbors and others use it; other people consider that stealing. Instead of securing their WIFI to prevent unauthorized access, some see it as an opportunity to get some laughs by placing the offenders on an untrusted network and serving them an Apple turnover:

[Screenshot: the Apple site served upside-down]
Or maybe an eBay upside-down cake:

[Screenshot: eBay served upside-down]
Either way, be sure to look at things from another point-of-view before making a decision.

[Screenshot: the Windows Vista page flipped]

Posted by jono2u on August 07, 2006 at 09:25 AM in PC Security

Friday Desk Clearing

  • Attackers load drive-by download on Circuit City Message board
  • New virus infects OpenOffice/StarOffice (OpenSource alternative to MS Office)
  • Consumers overconfident about ID'ing phishing scams?
  • Plugin to Encrypt your Gmail
  • Drop in virus activity signals change in tactics
  • Why steal SSN numbers when you can get them for free?
  • Tracking large data loss incidents

Posted by jono2u on June 02, 2006 at 02:57 PM in PC Security

MetaSpamZombieBotEngines

We all hate spam. Many of us use filters to find and block it, web-based email services use sophisticated pattern analysis to detect it, and that leaves you and me to delete what's left. But where does all this spam actually come from? Believe it or not, it often comes from home PCs. That's right: we are the engine of our own frustration.

As mentioned before, the stats show that approximately 50-80% of all spam sent comes from hijacked home PCs. If you are using a personal firewall, you've taken a good step toward preventing your own PC from sending spam: a personal firewall that controls outbound connections is one of the best ways to ensure your system doesn't become a spam zombie.

Some people suggest personal firewalls are not needed if you have a home router with a built-in firewall. I wish it were that easy. Consider this:

1. The user browses a malicious website with an unpatched machine (or the site has a 0day).
2. The home PC gets hacked, and the payload of the hack is a spam engine.
3. The user's PC begins sending large amounts of spam to the rest of the Internet.

How is a router/gateway firewall on your home network going to stop this? It only sees packets leaving your network, not which program sent them, and most home routers don't provide outbound filtering at all (such as blocking outbound port 25); if they do, most people wouldn't know to block that port specifically. That's one of the reasons a personal firewall on *the actual computer* is always a good idea: it can ask which process is opening the connection. ZoneAlarm even provides Outbound MailSafe Protection to prevent your system from becoming a MetaZombieSpamBot.
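To make the difference concrete, here is an added example (not ZoneAlarm's code, and the log layout is assumed rather than ZoneAlarm's own): a constructed outbound-connection log from a host firewall, one function that spots the spam-engine pattern (one process opening SMTP connections to many distinct servers in a short window, which a mail client never does), and one that applies the host-level egress rule a home router typically lacks, allowing port 25 only to an assumed ISP relay. The process names and addresses are invented.

```python
"""Detect spam-zombie behaviour in a host firewall's outbound log and apply the
egress rule a home router usually lacks. Log format and data are constructed."""
import csv
import io
from collections import defaultdict

# Constructed outbound-connection log (column layout assumed, not ZoneAlarm's format).
LOG = """time,process,proto,dst_ip,dst_port
12:00:01,outlook.exe,tcp,203.0.113.25,25
12:00:09,outlook.exe,tcp,203.0.113.25,25
12:05:00,firefox.exe,tcp,198.51.100.80,80
12:07:10,wupdmgr32.exe,tcp,192.0.2.11,25
12:07:11,wupdmgr32.exe,tcp,192.0.2.34,25
12:07:11,wupdmgr32.exe,tcp,192.0.2.58,25
12:07:12,wupdmgr32.exe,tcp,192.0.2.99,25
12:07:13,wupdmgr32.exe,tcp,192.0.2.140,25
12:07:13,wupdmgr32.exe,tcp,192.0.2.201,25
"""

ISP_RELAYS = {"203.0.113.25"}   # the only host a home PC should talk SMTP to (assumed)
WINDOW = 60                     # seconds
THRESHOLD = 5                   # distinct port-25 peers within WINDOW => spam engine


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def max_distinct_in_window(events, window):
    """events: sorted list of (t, peer). Largest number of distinct peers seen in
    any span of at most `window` seconds (sliding window over the sorted list)."""
    best, lo, counts = 0, 0, defaultdict(int)
    for t, peer in events:
        counts[peer] += 1
        while t - events[lo][0] > window:       # drop events that fell out of the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def find_spam_zombies(text):
    """{process: peak distinct SMTP peers} for every process over THRESHOLD.
    A mail client talks to one or two servers; a spam engine talks to hundreds."""
    smtp = defaultdict(list)
    for r in parse_log(text):
        if r["proto"] == "tcp" and r["dst_port"] == "25":
            smtp[r["process"]].append((_seconds(r["time"]), r["dst_ip"]))
    return {proc: peak for proc, events in smtp.items()
            if (peak := max_distinct_in_window(sorted(events), WINDOW)) >= THRESHOLD}


def egress_decision(record):
    """Host-level egress rule: SMTP only to the ISP relay; other traffic is not this
    rule's business. A router that cannot see the process can still apply this one."""
    if record["proto"] == "tcp" and record["dst_port"] == "25":
        return "allow" if record["dst_ip"] in ISP_RELAYS else "deny"
    return "allow"


def count_denied(text):
    return sum(1 for r in parse_log(text) if egress_decision(r) == "deny")


if __name__ == "__main__":
    print("spam engines:", find_spam_zombies(LOG))
    print("connections the egress rule would have blocked:", count_denied(LOG))
```

The egress rule alone stops the sample zombie's direct-to-MX delivery, which is why blocking port 25 except to your ISP's relay is worth doing on the router too; the per-process view is what lets a personal firewall name the culprit and block it rather than just the port.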

Here are some stats and graphs showing which home users (and their ISPs) are sending the most spam:

[Image: spam-sending statistics by home-user ISP]

As you can see, this list is slowly growing as spammers hack more home PCs, whose owners in turn end up sending more spam. Hopefully, as people become more aware of this problem, we'll see those numbers start to drop.

Posted by jono2u on May 24, 2006 at 10:02 PM in PC Security

Home User's Security Checklist

SecurityFocus has a nice checkbox system that lets you score your own PC security level. Each checkbox item has a link to more information. Using this system, you can check the boxes you know are "ok" and follow up by reading more about the items you are unsure of.

Example section: 

Personal Firewalls

I have a personal firewall installed and running.
(What's a personal firewall?)

Anti-Virus

My anti-virus software updates itself every _____ days.

Great quiz. Take it with your kids and see how many boxes you can check off together (I've noticed it's sometimes the kids who know quite a bit about security). Besides, learning about security together will help the family stay secure.

Posted by jono2u on May 12, 2006 at 08:44 AM in PC Security

On-site backups with a Data Safe?

So you want your data to survive 1,550 degrees F? Better get one of these (this is not a product endorsement, it's just cool):

[Product photo: fireproof data safe]

Posted by jono2u on May 04, 2006 at 05:43 PM in PC Security
