Now that our own in-house router is recording a virus, worm
or Trojan attack every few seconds we feel motivated to increase our
own security measures, and to pass along a few security suggestions. If you are
not maintaining your system you potentially affect everyone on the Internet -
as you could easily pass along the latest infection.
We have links to the Royal Canadian Mounted Police
(RCMP) and other law enforcement agencies for SCAM information, and addresses
for software utilities and browsers. Read on and enjoy!
For a general look at good computer security and data
maintenance practices, have a look at our
Security Brochure in PDF
format. If you need the Adobe Acrobat Reader, download it at
Computer Security Tips
If you have arrived here on this page, and are reasonably
up-to-date (Running Windows, with Windows Update on auto-update, plus antivirus
software from the current year (2004) with auto-update); here are additional
security considerations for you to think about when you tighten your computer's
defenses - or your network perimeter defenses.
E-Mail security is an growing concern. Many of the recent scams
have taken a new twist - their goal is to perform a Compromise of Resources
Attack in order to gain control of your system and turn it into a SPAM mailer.
Other attacks attempt to steal passwords and account information. Other attacks
attempt to get you to provide the information - the "Phishing" expedition.
Other email promotes outright frauds and scams. Visit our
email security page for further
10 laws of security. Better late than never. From here you can link to
other security offerings and information -- mostly by Microsoft. It is nice to
see them getting serious. To take advantage of the Microsoft Security offerings
you will need to be running the latest version of Windows XP.
- 419 Scam - Worlds Funniest Take: The lady at
Busted up Cowgirl
has the Nigerian Scam worked out pretty good. I do not reccomend that you try
her methods - unless you have a strong stomach, know how to hide behind a PO
box and all that stuff. But it sure is an interesting thought..
- Virus Scanner: If you have one, keep it up to date by
enabling auto-update or by going to its downloads and updates page on-line
regularly! Also - check the date of the scan engine. If you have a version that
pre-dates the current year -- you have a problem. The scan engine is updated
constantly to track virus behaviour- this is quite different from the signature
files which are also constantly updated. In our experience it is usually
cheaper to buy a whole new package than pay for the updates - but check for
yourself. Sign up for the email alerts provided by the manufacturer and follow
their directions for updates.
Panda are three of the
companies with reasonable virus checkers. Their packages are sometimes bundled
with SPAM reduction software and firewall packages.
- Education: In some ways I hate to give Microsoft
credit, since their initial unwillingness to address the issues exacerbated the
problem, but here some credit is due. For free - no less - you can get
education from Microsoft. There are many webcasts on Security, secure
programming and server setup.The
Webcasts are available on their learning website. You must use Internet
Explorer, and you must download and install a software tool so that you can
listen to the audio. Do not expect in depth coverage of the issues, but you
will get a reasonable start, learn the jargon and begin the process. Microsoft
has acknowledged the problem and is throwing significant results into all
aspects of solving the problem of weak security in their OS products and
- Encryption and Security Keys: If you are a
sophisticated user, investigate the use of encryption for your sensitive data
and email. However, note that if you have spyware running on your system your
email will be read before you encode and after you decode. You can choose to
encrypt your hard drives or certain directories with the built in Operating
System utilities or you can purchase third party tools. Just make sure that you
maintain backup copies of the passwords in a physically safe place -
- BIO Identification Systems: Bio-identification
systems ensure only that an individuals thumb, eyeball or other body part was
presented to a security device - not that it was attached to the individual.
Maybe these systems should be redesigned to look for blood flow and heart
beats. They do not detect coercion either.. yet!. Voice identification and
Facial Identification might be better - and better suited to stress
- Physical Security - Biometrics and
The Nexus Group
offers a range of solutions for corporations. They produce Facial Recognition
Systems, incident tracking systems and other security related products. When
used as part of an overall security strategy these types of systems can be very
effective. These systems are of particular use in Casino security, but they can
be used to control access to facilities for large organzations.
- Stolen Hard Drives: If your hard drive or
computer is stolen - the data can be read. All the thief need do is install it
in a system that can read it - unless the data is encrypted. All those
passwords are to prevent you from installing it as the "root" drive and easily
using the OS software. Surprised? Check it out. Think seriously about using
encryption if you store sensitive information. Indeed the law may now require
encryption if you store customer data -- financial or otherwise. This would
include your accounting data -- which should be stored on an encrypted
- Globe and Mail article: on SPAM, Security and
summer 2004 attacks in which they note that small business is receiving more
- Government Systems - Theft of: Recent
compilations of government data are pointing to a significant security problem.
and Mail Article highlighted the problem. Government computers are being
stolen - possibly with sensitive personal and corporate data. The question is -
"What's the target?" -- Is it the computers - or the information? This is just
one more reason to guard personal and company data very carefully - and to
release only the minimum information required.
- Software Developer issues: In many organizations
software is developed with security as an afterthought. If you want proof,
attend a Microsoft Developer webcast and see how poorly attended they are. If
you think about it, even 100 attendees is a very low number when you consider
the number of developers (in the millions) that use MS products. If you include
the developers that use stolen products there are probably 10's of millions of
developers using MS tools. The single largest complaint they hear - or so they
have said on the webcasts - is that companies will not send developers on
security training courses due to budget restrictions. However budget money will
be allocated to send developers to learn about new features. Go figure!
- Backup: No discussion of
viruses and security is complete without mentioning backup routines. See our
security brochure mentioned above for more information on backup. Those of you
using MS Windows must remember to backup the registry on a regular basis.
Windows users should also be aware of a couple of other issues 1. If you use MS
Outlook (a bad idea) the mail files are hidden files - it takes a little work
to find them and back them up; and, 2. If you are logged in as yourself - and
not as Administrator when you do your back up - many of your files will be
locked - and won't back up properly - perhaps not at all. Configure your
programs to store their data in a 'central' location ( e.g. c:\data\docs;
c:\data\accounting etc.) and backup that data on a regular basis. Keep a copy
of your data offsite -- if you are a small business. If you own a business you
should realize that "backup" is a philosophy - it is not a copy of your data.
Note that you may be required to encrypt customer data and any backup of that
data. If you are a business owner that suffered due to the Great Power Blackout
of 2003 in Ontario and the Eastern USA, you should now understand. If you don't
understand the issues, hire a consultant who can help. We are available ....
That's one of the things we do.
- Passwords: The object of
much of the network hacking is to obtain your passwords, bank card numbers,
credit card numbers SIN numbers etc. The easiest way to do this is to "crack"
your passwords and access your accounts. A word to the wise: "secret", "kitty",
"doggy", "topdog" etc. are not passwords - they are minor annoyances to a good
password thief. Most thieves are aware that they can download a dictionary (in
the language of their choice - or yours) and try all the known words as well. A
secure password is something like "m1a3r5y7" or "johnny!6321" or better
yet "g3tur08pkkl". If the program you are protecting allows use of
special characters and the number isn't your birth year - or something easily
guessable - then set your passwords accordingly.
- Safe Browsing and Emailing: Are you using Microsoft
Internet Explorer or Microsoft Outlook? Consider changing your email and
browsing software. Your computer is at extreme risk for virus infection! Check
below for links to Mozilla and Mozilla Thunderbird.
- Firewalls: A firewall can (usually) block
malicious worms and Trojans that load spy ware. A firewall can assist in
preventing Spy ware from being loaded - it cannot prevent it. A firewall might
also prevent any Malware from communicating with outside systems - for the
purpose of transmitting your data - maybe.
- Software-based Firewall or physical router. It is safer
to install a router/gateway than to use Firewall software. Although both the
hardware and software act as a firewall, filtering traffic before it reaches
the internals of your computer, the router appliance is physically separated
and tends to isolate the problems more effectively! Any malicious code should
"crash" your firewall - not your computer. The routers are cheap ($130 up) and
very effective. Consider them very seriously unless you have budget
constraints. Buying a router is cheaper than paying one of us (a computer
consultant) to recover damaged and deleted files or screwed up operating
- Software Updates: Obtain and install the latest
operating systems and utility program patches. This advice applies to both
Windows. Don't just run the auto updater, use your most
up-to-date version of Internet Explorer and go to the "Tools -> Windows
Update" menu and run (install if need be) the update scanner. There are many
"non-critical" updates that in my opinion are critical. Many
Windows utilities - such as Media player, have significant security flaws
requiring software updates. (Surprise!)
- Anti Spyware Software: This is not virus checking
software, but rather is a utility that can check to see whether you have picked
up "tracking" baggage during your WEB browsing. Some of the packages can block
access to known malicious sites. All of them typically remove tracking cookies
installed by "banner advertising" and web pages that track and sell your
browsing habits. Almost all can remove the code and Registry entries that have
"stuck you" on a new home page that you don't want. We like
SpyBot - and it
also gets rid of Demon Dialers keystroke loggers, and other "crudware".
- Anti-SPAM software: Most mail packages now have SPAM
filters; such as those from Netscape, Mozilla etc. In Mozilla and Netscape,
look in the Tools menu for Junk Mail controls. If you have a small company with
an email server, you should have your vendor do a security audit, and you
should be willing to spend money on email control systems.
- Anti Spam Research: IBM is doing some interesting
anti-SPAM research. If you want to read about their spoof detection, plagiarism
and pattern matching algorithms for detecting spam visit their
- Email Scripting: It is our opinion that EMAIL
SCRIPTING is a dumb idea whose time never came. Allowing
an email package to execute script code is the reason that we have so many
malicious viruses. MS Outlook permits attachments to run scripts. Script
kiddies and other malicious types just love this capability. Choose something
else - it would be difficult to find a more dangerous package - so make another
choice. Eudora, Netscape, Mozilla and Thunderbird can't be worse than MS
Outlook. Just say no to MS Outlook - in all its variations.
- Physical Security: Think of all the ways a thief
could use your computer if it was stolen. Also think of securing your important
documents. Don't underrate good physical security if you own a small business.
It is far too easy to slip unnoticed into many businesses and remove
confidential documents and materials.
Newsgroups and mail packages. Save the scripts for web pages. In Netscape and
Mozilla - from the Mail package choose "edit -> Preferences -> Advanced "
You can turn off Java and Scripting for email, and turn off pop-ups and other
- Encryption and Security Keys: If you are a
sophisticated user, investigate the use of encryption for your sensitive data
and emails. Also consider generating a public/private key pair and using it to
sign your email. Thawte is
one company that offers some of these services. If you are in the habit of
backing up customer data you are probably required (or soon will be) to encrypt
- Complain: Make it a habit to complain to web site
operators who write their web pages specifically for Microsoft Internet
Explorer. After all - they will likely be the first ones hacked when a new
virus variant makes the rounds.
- Throw away (most) email with attachments - If you can't
recognize the person it came from Then throw it away - unread -
or quarantine it if you have a sophisticated mail reader. If you don't know why
you are getting an attachment from anyone - be leery of the email. If you don't
know the sender and can't get verification of the contents - then you don't
need the hassle of inadvertently spreading a virus. Just don't blame us because
you tossed a Million dollar Purchase Order...! All we are suggesting is that
you verify the email before you open an attachment. If you have the resources
set up 'secret' email addresses to deal only with your trusted clients who
regularly send you attachments. Do not publish it, and do not give the
addresses to any other parties - that's all it takes to keep it secret.
- Network Address Translation: That is what routers and
gateways like the Cisco,
D- Link and
Linksys systems do... They
allow you to hide behind your Router and let it deal with the wild, wild
Internet. Just think of it as a moat and a castle wall... Via the router DHCP
software, you automatically assign network addresses which do not translate
onto the Internet and cannot be read by machines "on the other side" of your
hardware box. Most routers come equipped with DHCP (automatic addressing) plus
Packet Filtering (to keep out the ding-a-lings and script kiddies) and other
features which improve your security.
- Microsoft Office: Microsoft Office has many security
holes. Get the patches from the Windows Update site as mentioned previously.
Because scripting is built into MS Office, many of the previously noted
security concerns apply.
- Open Office and Star Office: Consider switching packages
if you have security issues with MS products. The
Open Office (Star Office)
Suite has much of the functionality of the MS office suite - plus a few extra
goodies. Open Office can read your MSOffice suite files. There are points of
incompatibility throughout both packages since both have some advanced features
not duplicated in the others software - but for many users either package will
work - and Open Office probably has far fewer security holes. Besides - it
doesn't cost $400 a user to get Open Office. You can get it free or preferably
you can make a donation to the company that produces it.
- Linux: If your needs can be satisfied by Linux and Open
Office, consider switching both your operating system and application software.
If you need a quick assessment - that's what us computer consultants are for -
call us. Consider Slackware or
Mandrake Linux -
if you want solid performers with rich feature sets. We can supply either
version of Linux - or you can download it yourself and try it.
- Demon Dialer Phone Scams: If you have some phone
calls to "The Outer Rum Soaked Islands" on your phone bill you are probably a
victim of a "Demon Dialer" scam. Many of these scams install a phone dialer
routine and dial 1-900 numbers in the Caribbean or African countries. Install a
Spyware busting program and consider getting cable or ADSL High Speed Internet
Service - then unhook your phone from your computer. If you think a cable modem
or high speed service is expensive - wait till you get a fraudulent phone bill!
The new service is cheaper than the fraud - trust me on this one!
- Port Scanners: can be handy tools. You can look
at the Firewall
Guide Site for further information.
AuditMyPC has a few tests you can run for free. Some sites
charge you for a scan. If you have a hardware router/firewall none of your
network should be visible. If you have a PC that hooks to the Internet
directly, you will probably be unpleasantly surprised.
- Phishing Scams: Royal
Bank, BOM or US Bank or Paypal want you to verify your account because some
dastardly person has been Phishing though your account? Yeah Right!!! Aside
from the fact that you probably don't have an account at the named institution
you should consider that the banks don't send these emails - ever. If you
respond you can kiss your money goodbye. Some of them actually take you to the
official site - to waylay your fears - then pop up a convenient form for you to
verify your account. Just say no to "Phishing Schemes"! You fell for one of
these? Get on the phone to your bank or your credit card company - NOW! No I am
not giving you the phone numbers. The only thing you should trust right now is
your friendly phone book or the information operator if you don't have the
proper phone numbers in your home filing system. Now visit a couple of sites
for more information. There is the
organization. You can also visit the friendly Royal Canadian Mounted Police
at the RCMP
web site - to lodge a complaint.
- A Little Test: Are you vulnerable to being scammed? Could you
be defrauded through an email scam? Try the test from the
Mailfrontier people. Your
reaction to the test results is also important. If you did not do very well -
then what will you do about reducing the risk? I got 80%. I rejected two emails
that were legitimate. I did not want to take the time to determine if the sites
were legitimate, and I believed that the emails did not require immediate
action. The two emails that I rejected looked genuine - but I wasn't certain.
That's how good the spammers and fishers are getting. It takes considerable
time and thought to validate "official" email traffic. Follow my tip of setting
up a "secret/private" email to deal with trusted trading partners. Use a
"public" email address for casual and newsgroup traffic. Most ISP's allow you
five to 10 addresses - use them. Every now and then start a new "public" email
address and after a while of intercepting useful email discard your "old"
public email address.
- Anti Phishing tool: Corestreet publishes a tool called
Spoofstick usable with the MS IE and Firefox browsers. It is quite simple - all
it does is intercept the URL and publish a tool bar showing the site that your
browser is really displaying. It is simple to use and install. It helps you
guard against sites that overwrite the code which displays the current URL
window. I believe that tip came through
- 419 Scam: You have an email in your inbox that
promises untold riches - if only you will help smuggle money from Nigeria,
lower Slobovia or some other unlikely place. Oh! You already fell for it? Well
this news won't help -- will it? Yes - it is a SCAM. The Nigerian
SCAM has been well documented. Canadian Readers go
and US readers -just go
- and you can read all about it. Make sure you follow the directions to file
the information with the SCAM busting unit. If all the letters, emails and
faxes I have personally received had any basis in reality - then Nigeria would
have hundreds of billions of dollars in loose cash hanging about and even the
poorest street child should be able to have a chauffeur driven Rolls Royce.
Come to think of it there would be no street children - would there? If we
include your emails and faxes make that several hundred trillion dollars ($US
- General SCAM information: For general SCAM
information visit the RCMP -
You can learn about phony Internet Domain Name Registration scams, bank scams,
work at Home scams, Identity Theft and more.
- Greed Is Bad!- See the above points. Don't
believe everything you see on the Internet -- except for our pages of
- Weblogs: Are you a Webmaster? Then check your
weblogs regularly. Learn to read then and interpret them for FormMail attacks,
virus like activity and general hacking attempts. Learn to use the
whois servers and how to
complain effectively. There are lots of sites for webmasters - join a few and
learn from them. If you have a Linux or UNIX system you can use the "whois"
command to submit an IP address for checking. You can also specify the "whois"
host through the -h option to get very specific information if a block of
addresses has been reassigned to another server allocation than the initial one
- Backup: Did we mention backup? We did? Just
- World's Greatest Virus and Worm Attractor Award:
Goes to - (oh the suspense! - drum roll please...) Folks we have co-winners
this year, MS Internet Explorer and MS Outlook - in all their forms. If you
want a virus, Trojan or worm - just use them. Especially in their unpatched
- Stupidest Worm Detector Utility Award Goes to...
(the suspense builds doesn't it...) None other than
available here- for their utility that helps you scan your system for the
LoveSan and other RPC worms. It requires you to have - you guessed it MS
Internet Explorer to download and run it. What will they think of next! Well,
what the heck if you are already "infected" with IE you might as well use it.
If I understand this correctly you need the Worlds Greatest Virus Attractor to
help you find a worm.
- Security For Developers and IT professionals: If
you create web pages, design systems or write programs it will be worth your
while to check out the US National Institute of Standards and Technology (NIST)
Publications Page - the 800 series of Publications. They have publications
on everything from securing your Windows 2000 server to the implementation of
secure E-Commerce. Some publications are of general interest - many are only of
interest to WEB Administrators and programmers. You can also get a copy of
their 290 page (800-12 publication)
Security Handbook in Adobe PDF format (near the bottom of the
- Canadian Security Web Resources: The
Approach seems to be non existent - except for these private efforts.
Perhaps a copy of the criminal code can be thrown at your Security Abusers, or
you can threaten them with the RCMP web page (see above) etc. So you will
probably have to sponge off the American sites that are available. Another
example of your Tax dollars at work I guess - the absence of help that is. The
Web Page I did find is run by the
Canadian Society for
Industrial Security Inc. who are to be congratulated on providing at least
some resources in the absence of any significant government effort. If you do
find any good Canadian Government links - do forward them.
Standards Council of Canada may have some useful security
information - but if so it's darned hard to find. Anything original must be
paid for by all appearances - other material which quotes NIST papers seems to
be free. Maybe you should just visit NIST. I wasn't going to pay just to find
out if they too (like me) sponge off NIST.
- CSEC: Seems to another tax payer funded body that will
sell you security services for communication. It's interesting to note that the
Americans accuse us of being socialist - yet provide many of these services for
free. In Canada we pay... Unlike the rabidly commercial Americans.
- Security Fallacies - and why people are
getting it all wrong... If you follow security or read papers in
any scientific or technical rag - or read the latest hysterical press report
you read a comment like this one... Although you can incorporate multiple
layers of protection, no system or product is ever 100% secure. Most experts
agree that a system is secure when the amount of time and money necessary to
compromise the product exceeds the value of the information the hacker
extracts. We must assume that, with enough resources, a hacker can break into
any system. With no respect whatsoever I say "horse Pucky". The proof
is all around you. I might agree with the pontificator if it read something
like... Although you can incorporate multiple layers of protection, no
system or product is ever secure. Although few experts agree, a system is
secure only when an intruder is unable to steal, beg, compromise or borrow the
resources necessary to compromise the product. Since it is not the intruders
money or resources, there need be no relationship between the value of the
product, the resources used and the value of the information the hacker
extracts. We must assume that, with enough resources, stolen, threatened,
compromised or owned, a hacker can break into any system. A modest
example is the US bank SCAM that has spread through email and some of the
recent worms spreading via port attacks, and the Google attack which spreads by
compromising email and port resources. A cursory review of GRID
COMPUTING philosophy and techniques should provide a wake up call to
many security experts. After all - if you want to crack a very difficult
password - what better way than with a grid of millions of computers - supplied
free - by the victims. The vector? A simple unobtrusive virus - spread by
email, port attacks or whatever means, and using a commonly used port to share
information. If you think about it, a hacker need only be able to raise
the initial investment required to write a virus/Trojan/compromise attack that
would cause world wide devastation. What's required? Script kiddies do
it for free. A professional cryptologist would be a very small investment to a
crime cartel. For those who are interested, Sun Tse (an innovative Chinese
General) wrote of this style of attack over 2000 years ago - in The Art of Strategy. Sun Tse knew nothing of
Electronic Warfare, but he understood people - and he understood warfare. In
summary: As usual the defending Generals are re-fighting the last wars - the
ones they studied, and the attackers are launching attacks on new and untested
fronts. Protecting your resources is cheaper than it seems and denies resources
to the attackers. Start now! dwr
- JPEG Graphical Image Vulnerability - There is
a vulnerability in the JPEG format and the JPEG viewing libraries. It is known
in the Microsoft workd as Exploit MS04-028 (GDIPlus JPEG Vulnerability). For a
repair utility created by Diamond CS
- look here.