PMC Consulting
For your Computer Security Needs


Now that our own in-house router is recording a virus, worm or Trojan attack every few seconds we feel motivated to increase our own security measures, and to pass along a few security suggestions. If you are not maintaining your system you potentially affect everyone on the Internet - as you could easily pass along the latest infection.

We have links to the Royal Canadian Mounted Police (RCMP) and other law enforcement agencies for SCAM information, and addresses for software utilities and browsers. Read on and enjoy!

For a general look at good computer security and data maintenance practices, have a look at our Security Brochure in PDF format. If you need the Adobe Acrobat Reader, download it at Adobe's Downloads Page.

Computer Security Tips

If you have arrived on this page and are reasonably up-to-date (running Windows, with Windows Update on auto-update, plus antivirus software from the current year (2004) with auto-update), here are additional security considerations to think about when you tighten your computer's defenses - or your network perimeter defenses.

EMail Security

E-Mail security is a growing concern. Many of the recent scams have taken a new twist - their goal is to perform a Compromise of Resources Attack in order to gain control of your system and turn it into a SPAM mailer. Other attacks attempt to steal passwords and account information. Still others attempt to get you to provide the information yourself - the "Phishing" expedition. Other email promotes outright frauds and scams. Visit our email security page for further information.

Security Tips

  • Microsoft 10 laws of security. Better late than never. From here you can link to other security offerings and information -- mostly by Microsoft. It is nice to see them getting serious. To take advantage of the Microsoft Security offerings you will need to be running the latest version of Windows XP.
  • 419 Scam - World's Funniest Take: The lady at Busted up Cowgirl has the Nigerian Scam worked out pretty good. I do not recommend that you try her methods - unless you have a strong stomach, know how to hide behind a PO box and all that stuff. But it sure is an interesting thought...
  • Virus Scanner: If you have one, keep it up to date by enabling auto-update or by going to its downloads and updates page on-line regularly! Also - check the date of the scan engine. If you have a version that pre-dates the current year -- you have a problem. The scan engine is updated constantly to track virus behaviour- this is quite different from the signature files which are also constantly updated. In our experience it is usually cheaper to buy a whole new package than pay for the updates - but check for yourself. Sign up for the email alerts provided by the manufacturer and follow their directions for updates. Symantec, Extendia and Panda are three of the companies with reasonable virus checkers. Their packages are sometimes bundled with SPAM reduction software and firewall packages.
  • Education: In some ways I hate to give Microsoft credit, since their initial unwillingness to address the issues exacerbated the problem, but here some credit is due. For free - no less - you can get education from Microsoft. There are many webcasts on Security, secure programming and server setup. The Webcasts are available on their learning website. You must use Internet Explorer, and you must download and install a software tool so that you can listen to the audio. Do not expect in-depth coverage of the issues, but you will get a reasonable start, learn the jargon and begin the process. Microsoft has acknowledged the problem and is throwing significant resources into all aspects of solving the problem of weak security in their OS products and development tools.
  • Encryption and Security Keys: If you are a sophisticated user, investigate the use of encryption for your sensitive data and email. However, note that if you have spyware running on your system your email will be read before you encode and after you decode. You can choose to encrypt your hard drives or certain directories with the built in Operating System utilities or you can purchase third party tools. Just make sure that you maintain backup copies of the passwords in a physically safe place - offsite!
  • BIO Identification Systems: Bio-identification systems ensure only that an individual's thumb, eyeball or other body part was presented to a security device - not that it was attached to the individual. Maybe these systems should be redesigned to look for blood flow and heart beats. They do not detect coercion either... yet! Voice identification and Facial Identification might be better - and better suited to stress analysis.
  • Physical Security - Biometrics and access systems. The Nexus Group offers a range of solutions for corporations. They produce Facial Recognition Systems, incident tracking systems and other security related products. When used as part of an overall security strategy these types of systems can be very effective. These systems are of particular use in Casino security, but they can be used to control access to facilities for large organizations.
  • Stolen Hard Drives: If your hard drive or computer is stolen - the data can be read. All the thief need do is install it in a system that can read it - unless the data is encrypted. All those passwords are to prevent you from installing it as the "root" drive and easily using the OS software. Surprised? Check it out. Think seriously about using encryption if you store sensitive information. Indeed the law may now require encryption if you store customer data -- financial or otherwise. This would include your accounting data -- which should be stored on an encrypted drive.
  • Globe and Mail article: on SPAM, Security and summer 2004 attacks in which they note that small business is receiving more attacks. Go here.
  • Government Systems - Theft of: Recent compilations of government data are pointing to a significant security problem. A Globe and Mail Article highlighted the problem. Government computers are being stolen - possibly with sensitive personal and corporate data. The question is - "What's the target?" -- Is it the computers - or the information? This is just one more reason to guard personal and company data very carefully - and to release only the minimum information required.
  • Software Developer issues: In many organizations software is developed with security as an afterthought. If you want proof, attend a Microsoft Developer webcast and see how poorly attended they are. If you think about it, even 100 attendees is a very low number when you consider the number of developers (in the millions) that use MS products. If you include the developers that use stolen products there are probably tens of millions of developers using MS tools. The single largest complaint they hear - or so they have said on the webcasts - is that companies will not send developers on security training courses due to budget restrictions. However budget money will be allocated to send developers to learn about new features. Go figure!
  • Backup: No discussion of viruses and security is complete without mentioning backup routines. See our security brochure mentioned above for more information on backup. Those of you using MS Windows must remember to back up the registry on a regular basis. Windows users should also be aware of a couple of other issues: 1. If you use MS Outlook (a bad idea) the mail files are hidden files - it takes a little work to find them and back them up; and, 2. If you are logged in as yourself - and not as Administrator - when you do your backup, many of your files will be locked and won't back up properly - perhaps not at all. Configure your programs to store their data in a 'central' location (e.g. c:\data\docs; c:\data\accounting etc.) and back up that data on a regular basis. Keep a copy of your data offsite -- if you are a small business. If you own a business you should realize that "backup" is a philosophy - it is not a copy of your data. Note that you may be required to encrypt customer data and any backup of that data. If you are a business owner that suffered due to the Great Power Blackout of 2003 in Ontario and the Eastern USA, you should now understand. If you don't understand the issues, hire a consultant who can help. We are available .... That's one of the things we do.
  • Passwords: The object of much of the network hacking is to obtain your passwords, bank card numbers, credit card numbers, SIN numbers etc. The easiest way to do this is to "crack" your passwords and access your accounts. A word to the wise: "secret", "kitty", "doggy", "topdog" etc. are not passwords - they are minor annoyances to a good password thief. Most thieves are aware that they can download a dictionary (in the language of their choice - or yours) and try all the known words as well. A secure password is something like "m1a3r5y7" or "johnny!6321" or better yet "g3tur08pkkl". If the program you are protecting allows use of special characters and the number isn't your birth year - or something easily guessable - then set your passwords accordingly.
  • Safe Browsing and Emailing: Are you using Microsoft Internet Explorer or Microsoft Outlook? Consider changing your email and browsing software. Your computer is at extreme risk for virus infection! Check below for links to Mozilla and Mozilla Thunderbird.
  • Firewalls: A firewall can (usually) block malicious worms and Trojans that load spy ware. A firewall can assist in preventing Spy ware from being loaded - it cannot prevent it. A firewall might also prevent any Malware from communicating with outside systems - for the purpose of transmitting your data - maybe.
  • Software-based Firewall or physical router. It is safer to install a router/gateway than to use Firewall software. Although both the hardware and software act as a firewall, filtering traffic before it reaches the internals of your computer, the router appliance is physically separated and tends to isolate the problems more effectively! Any malicious code should "crash" your firewall - not your computer. The routers are cheap ($130 up) and very effective. Consider them very seriously unless you have budget constraints. Buying a router is cheaper than paying one of us (a computer consultant) to recover damaged and deleted files or screwed up operating systems.
  • Software Updates: Obtain and install the latest operating systems and utility program patches. This advice applies to both Linux and Windows. Don't just run the auto updater, use your most up-to-date version of Internet Explorer and go to the "Tools -> Windows Update" menu and run (install if need be) the update scanner. There are many "non-critical" updates that in my opinion are critical. Many Windows utilities - such as Media player, have significant security flaws requiring software updates. (Surprise!)
  • Anti Spyware Software: This is not virus checking software, but rather is a utility that can check to see whether you have picked up "tracking" baggage during your WEB browsing. Some of the packages can block access to known malicious sites. All of them typically remove tracking cookies installed by "banner advertising" and web pages that track and sell your browsing habits. Almost all can remove the code and Registry entries that have "stuck you" on a new home page that you don't want. We like SpyBot - and it also gets rid of Demon Dialers, keystroke loggers, and other "crudware".
  • Anti-SPAM software: Most mail packages now have SPAM filters; such as those from Netscape, Mozilla etc. In Mozilla and Netscape, look in the Tools menu for Junk Mail controls. If you have a small company with an email server, you should have your vendor do a security audit, and you should be willing to spend money on email control systems.
  • Anti Spam Research: IBM is doing some interesting anti-SPAM research. If you want to read about their spoof detection, plagiarism and pattern matching algorithms for detecting spam visit their Anti-SPAM Research page.
  • Email Scripting: It is our opinion that EMAIL SCRIPTING is a dumb idea whose time never came. Allowing an email package to execute script code is the reason that we have so many malicious viruses. MS Outlook permits attachments to run scripts. Script kiddies and other malicious types just love this capability. Choose something else - it would be difficult to find a more dangerous package - so make another choice. Eudora, Netscape, Mozilla and Thunderbird can't be worse than MS Outlook. Just say no to MS Outlook - in all its variations.
  • Physical Security: Think of all the ways a thief could use your computer if it was stolen. Also think of securing your important documents. Don't underrate good physical security if you own a small business. It is far too easy to slip unnoticed into many businesses and remove confidential documents and materials.
  • JavaScript and Java: Turn off JavaScript and Java for Newsgroups and mail packages. Save the scripts for web pages. In Netscape and Mozilla - from the Mail package choose "edit -> Preferences -> Advanced". You can turn off Java and Scripting for email, and turn off pop-ups and other malicious behaviour.
  • Encryption and Security Keys: If you are a sophisticated user, investigate the use of encryption for your sensitive data and emails. Also consider generating a public/private key pair and using it to sign your email. Thawte is one company that offers some of these services. If you are in the habit of backing up customer data you are probably required (or soon will be) to encrypt the backup.
  • Complain: Make it a habit to complain to web site operators who write their web pages specifically for Microsoft Internet Explorer. After all - they will likely be the first ones hacked when a new virus variant makes the rounds.
  • Throw away (most) email with attachments - If you can't recognize the person it came from then throw it away - unread - or quarantine it if you have a sophisticated mail reader. If you don't know why you are getting an attachment from anyone - be leery of the email. If you don't know the sender and can't get verification of the contents - then you don't need the hassle of inadvertently spreading a virus. Just don't blame us because you tossed a Million dollar Purchase Order...! All we are suggesting is that you verify the email before you open an attachment. If you have the resources, set up 'secret' email addresses to deal only with your trusted clients who regularly send you attachments. Do not publish them, and do not give the addresses to any other parties - that's all it takes to keep them secret.
  • Network Address Translation: That is what routers and gateways like the Cisco, D-Link and Linksys systems do... They allow you to hide behind your Router and let it deal with the wild, wild Internet. Just think of it as a moat and a castle wall... Via the router DHCP software, you automatically assign network addresses which do not translate onto the Internet and cannot be read by machines "on the other side" of your hardware box. Most routers come equipped with DHCP (automatic addressing) plus Packet Filtering (to keep out the ding-a-lings and script kiddies) and other features which improve your security.
  • Microsoft Office: Microsoft Office has many security holes. Get the patches from the Windows Update site as mentioned previously. Because scripting is built into MS Office, many of the previously noted security concerns apply.
  • Open Office and Star Office: Consider switching packages if you have security issues with MS products. The Open Office (Star Office) Suite has much of the functionality of the MS office suite - plus a few extra goodies. Open Office can read your MS Office suite files. There are points of incompatibility throughout both packages since both have some advanced features not duplicated in the other's software - but for many users either package will work - and Open Office probably has far fewer security holes. Besides - it doesn't cost $400 a user to get Open Office. You can get it free or preferably you can make a donation to the company that produces it.
  • Linux: If your needs can be satisfied by Linux and Open Office, consider switching both your operating system and application software. If you need a quick assessment - that's what us computer consultants are for - call us. Consider Slackware or Mandrake Linux - if you want solid performers with rich feature sets. We can supply either version of Linux - or you can download it yourself and try it.
  • Demon Dialer Phone Scams: If you have some phone calls to "The Outer Rum Soaked Islands" on your phone bill you are probably a victim of a "Demon Dialer" scam. Many of these scams install a phone dialer routine and dial 1-900 numbers in the Caribbean or African countries. Install a Spyware busting program and consider getting cable or ADSL High Speed Internet Service - then unhook your phone from your computer. If you think a cable modem or high speed service is expensive - wait till you get a fraudulent phone bill! The new service is cheaper than the fraud - trust me on this one!
  • Port Scanners: can be handy tools. You can look at the Firewall Guide Site for further information. AuditMyPC has a few tests you can run for free. Some sites charge you for a scan. If you have a hardware router/firewall none of your network should be visible. If you have a PC that hooks to the Internet directly, you will probably be unpleasantly surprised.
  • Phishing Scams: Royal Bank, BOM or US Bank or Paypal want you to verify your account because some dastardly person has been Phishing through your account? Yeah Right!!! Aside from the fact that you probably don't have an account at the named institution you should consider that the banks don't send these emails - ever. If you respond you can kiss your money goodbye. Some of them actually take you to the official site - to allay your fears - then pop up a convenient form for you to verify your account. Just say no to "Phishing Schemes"! You fell for one of these? Get on the phone to your bank or your credit card company - NOW! No I am not giving you the phone numbers. The only thing you should trust right now is your friendly phone book or the information operator if you don't have the proper phone numbers in your home filing system. Now visit a couple of sites for more information. There is the Anti-Phishing organization. You can also visit the friendly Royal Canadian Mounted Police at the RCMP web site - to lodge a complaint.
  • A Little Test: Are you vulnerable to being scammed? Could you be defrauded through an email scam? Try the test from the Mailfrontier people. Your reaction to the test results is also important. If you did not do very well - then what will you do about reducing the risk? I got 80%. I rejected two emails that were legitimate. I did not want to take the time to determine if the sites were legitimate, and I believed that the emails did not require immediate action. The two emails that I rejected looked genuine - but I wasn't certain. That's how good the spammers and phishers are getting. It takes considerable time and thought to validate "official" email traffic. Follow my tip of setting up a "secret/private" email to deal with trusted trading partners. Use a "public" email address for casual and newsgroup traffic. Most ISPs allow you five to 10 addresses - use them. Every now and then start a new "public" email address and after a while of intercepting useful email discard your "old" public email address.
  • Anti Phishing tool: Corestreet publishes a tool called Spoofstick usable with the MS IE and Firefox browsers. It is quite simple - all it does is intercept the URL and publish a tool bar showing the site that your browser is really displaying. It is simple to use and install. It helps you guard against sites that overwrite the code which displays the current URL window. I believe that tip came through E-Week Magazine.
  • 419 Scam: You have an email in your inbox that promises untold riches - if only you will help smuggle money from Nigeria, lower Slobovia or some other unlikely place. Oh! You already fell for it? Well this news won't help -- will it? Yes - it is a SCAM. The Nigerian SCAM has been well documented. Canadian Readers go here, and US readers -just go here - and you can read all about it. Make sure you follow the directions to file the information with the SCAM busting unit. If all the letters, emails and faxes I have personally received had any basis in reality - then Nigeria would have hundreds of billions of dollars in loose cash hanging about and even the poorest street child should be able to have a chauffeur driven Rolls Royce. Come to think of it there would be no street children - would there? If we include your emails and faxes make that several hundred trillion dollars ($US no less).
  • General SCAM information: For general SCAM information visit the RCMP - here. You can learn about phony Internet Domain Name Registration scams, bank scams, work at Home scams, Identity Theft and more.
  • Greed Is Bad!- See the above points. Don't believe everything you see on the Internet -- except for our pages of course!
  • Weblogs: Are you a Webmaster? Then check your weblogs regularly. Learn to read them and interpret them for FormMail attacks, virus-like activity and general hacking attempts. Learn to use the whois servers and how to complain effectively. There are lots of sites for webmasters - join a few and learn from them. If you have a Linux or UNIX system you can use the "whois" command to submit an IP address for checking. You can also specify the "whois" host through the -h option to get more specific information when a block of addresses has been reassigned to a different allocation than the one you first retrieved.
  • Backup: Did we mention backup? We did? Just checking!
  • World's Greatest Virus and Worm Attractor Award: Goes to - (oh the suspense! - drum roll please...) Folks we have co-winners this year, MS Internet Explorer and MS Outlook - in all their forms. If you want a virus, Trojan or worm - just use them. Especially in their unpatched versions!
  • Stupidest Worm Detector Utility Award Goes to... (the suspense builds doesn't it...) None other than McAfee Freescan - available here - for their utility that helps you scan your system for the LoveSan and other RPC worms. It requires you to have - you guessed it - MS Internet Explorer to download and run it. What will they think of next! Well, what the heck, if you are already "infected" with IE you might as well use it. If I understand this correctly you need the World's Greatest Virus Attractor to help you find a worm.
  • Security For Developers and IT professionals: If you create web pages, design systems or write programs it will be worth your while to check out the US National Institute of Standards and Technology (NIST) Special Publications Page - the 800 series of Publications. They have publications on everything from securing your Windows 2000 server to the implementation of secure E-Commerce. Some publications are of general interest - many are only of interest to WEB Administrators and programmers. You can also get a copy of their 290 page (800-12 publication) Security Handbook in Adobe PDF format (near the bottom of the page.).
  • Canadian Security Web Resources: The Canadian Approach seems to be non existent - except for these private efforts. Perhaps a copy of the criminal code can be thrown at your Security Abusers, or you can threaten them with the RCMP web page (see above) etc. So you will probably have to sponge off the American sites that are available. Another example of your Tax dollars at work I guess - the absence of help that is. The Web Page I did find is run by the Canadian Society for Industrial Security Inc. who are to be congratulated on providing at least some resources in the absence of any significant government effort. If you do find any good Canadian Government links - do forward them.
  • The Standards Council of Canada may have some useful security information - but if so it's darned hard to find. Anything original must be paid for by all appearances - other material which quotes NIST papers seems to be free. Maybe you should just visit NIST. I wasn't going to pay just to find out if they too (like me) sponge off NIST.
  • CSEC: Seems to be another taxpayer-funded body that will sell you security services for communication. It's interesting to note that the Americans accuse us of being socialist - yet provide many of these services for free. In Canada we pay... Unlike the rabidly commercial Americans.
  • Security Fallacies - and why people are getting it all wrong... If you follow security or read papers in any scientific or technical rag - or read the latest hysterical press report - you will read a comment like this one: "Although you can incorporate multiple layers of protection, no system or product is ever 100% secure. Most experts agree that a system is secure when the amount of time and money necessary to compromise the product exceeds the value of the information the hacker extracts. We must assume that, with enough resources, a hacker can break into any system." With no respect whatsoever I say "horse Pucky". The proof is all around you. I might agree with the pontificator if it read something like: "Although you can incorporate multiple layers of protection, no system or product is ever secure. Although few experts agree, a system is secure only when an intruder is unable to steal, beg, compromise or borrow the resources necessary to compromise the product. Since it is not the intruder's money or resources, there need be no relationship between the value of the product, the resources used and the value of the information the hacker extracts. We must assume that, with enough resources, stolen, threatened, compromised or owned, a hacker can break into any system." A modest example is the US bank SCAM that has spread through email and some of the recent worms spreading via port attacks, and the Google attack which spreads by compromising email and port resources. A cursory review of GRID COMPUTING philosophy and techniques should provide a wake up call to many security experts. After all - if you want to crack a very difficult password - what better way than with a grid of millions of computers - supplied free - by the victims. The vector? A simple unobtrusive virus - spread by email, port attacks or whatever means, and using a commonly used port to share information.
If you think about it, a hacker need only be able to raise the initial investment required to write a virus/Trojan/compromise attack that would cause world wide devastation. What's required? Script kiddies do it for free. A professional cryptologist would be a very small investment to a crime cartel. For those who are interested, Sun Tse (an innovative Chinese General) wrote of this style of attack over 2000 years ago - in The Art of Strategy. Sun Tse knew nothing of Electronic Warfare, but he understood people - and he understood warfare. In summary: As usual the defending Generals are re-fighting the last wars - the ones they studied, and the attackers are launching attacks on new and untested fronts. Protecting your resources is cheaper than it seems and denies resources to the attackers. Start now! dwr
  • JPEG Graphical Image Vulnerability - There is a vulnerability in the JPEG format and the JPEG viewing libraries. It is known in the Microsoft world as Exploit MS04-028 (GDIPlus JPEG Vulnerability). For a repair utility created by Diamond CS - look here.
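
The log review described in the Weblogs tip above, sketched as an added example (not part of the original page): it reads Apache-style access log lines, tags FormMail requests, worm-like requests and bursts of 404s, and groups them by source address so each address can be handed to "whois". The signature patterns, the 404 threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Common/Combined Log Format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Assumed signatures for the categories the tip names; tune them to your site.
SIGNATURES = [
    ("formmail-probe", re.compile(r"formmail(\.pl|\.cgi)?\b", re.I)),
    ("worm-like", re.compile(r"default\.ida|cmd\.exe|root\.exe", re.I)),
]
SCAN_404_THRESHOLD = 3  # assumption: this many other 404s from one IP is a scan


def parse_line(line):
    """Return (ip, path, status), or None when the line is not a log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    # A malformed request has no "METHOD path PROTOCOL" shape; keep it whole.
    path = parts[1] if len(parts) >= 2 else m.group("request")
    return m.group("ip"), path, int(m.group("status"))


def review(lines):
    """Group suspicious requests by source IP: {ip: Counter({category: hits})}."""
    findings = defaultdict(Counter)
    not_found = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                findings[ip][name] += 1
                break
        else:
            # No signature matched: count plain 404s to spot general probing.
            if status == 404:
                not_found[ip] += 1
    for ip, count in not_found.items():
        if count >= SCAN_404_THRESHOLD:
            findings[ip]["404-scan"] = count
    return dict(findings)


def report(findings):
    """One line per IP, busiest first, ready to look up with whois."""
    rows = sorted(findings.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [
        f"{ip}: " + ", ".join(f"{cat} x{n}" for cat, n in sorted(cats.items()))
        for ip, cats in rows
    ]


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2004:06:25:01 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [12/Oct/2004:06:25:14 -0400] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 278
198.51.100.7 - - [12/Oct/2004:06:25:15 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 279
198.51.100.7 - - [12/Oct/2004:06:25:16 -0400] "GET /cgi-sys/formmail HTTP/1.0" 404 276
203.0.113.44 - - [12/Oct/2004:07:02:40 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
203.0.113.44 - - [12/Oct/2004:07:02:41 -0400] "GET /scripts/root.exe HTTP/1.0" 404 281
203.0.113.99 - - [12/Oct/2004:08:11:02 -0400] "GET /admin/ HTTP/1.1" 404 266
203.0.113.99 - - [12/Oct/2004:08:11:03 -0400] "GET /backup.zip HTTP/1.1" 404 271
203.0.113.99 - - [12/Oct/2004:08:11:04 -0400] "GET /test.php HTTP/1.1" 404 269
192.0.2.10 - - [12/Oct/2004:09:00:00 -0400] "GET /missing.gif HTTP/1.1" 404 265
this line is not a log entry
"""

if __name__ == "__main__":
    for row in report(review(SAMPLE_LOG.splitlines())):
        print(row)
```

Each reported address can then be checked with the "whois" command, using the -h option when the first answer points to a reassigned block.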
   
 

Security News: The latest information on threats, virus attacks, new products, and tips.

Internet Storm Center: Internet Storm Centre Status

 

Secure Browsing:

Concerned about weaknesses in MS Internet Explorer and Outlook? Try Mozilla's browsers and email program - they're secure, easily customized to fit your preferences, and they're reliable!

 

Security and Webmaster Communities worth spending some time monitoring:

  • Hacker Watch.Org - Find out where the latest hacker attacks are occurring here.
  • Spamcop- Send your spam-mail to these people, who will have the spammers checked out, and another step closer to being OFF-line!
  • Anti-Phishing.Org- Read about the latest, and the oldest, phishing/email scams here!
  • Security Radar - Visit here for information on the latest threats, and links to other security info sites!
 

January 26, 2005

Material Copyright © 2004 PMC

Updated February 26, 2005