Issue dated - 13th September 2004


Security on the edge

F Matthew Young III on the increasing sophistication of viruses

THE recent spate of viruses has re-focused attention on network and host security with an urgency not seen for some time. The Scob Trojan—also known as Download.ject—and the various Sasser worm variants are different from the viruses that have come before because of their sophistication and, in the case of Scob, the danger posed by its payload.

The two reported outbreaks of the Scob Trojan have serious implications for both businesses and individuals. The Scob Trojan is a keystroke logger, i.e. it records whatever the user types into his computer and sends it over the Internet to a hacker. This means that information such as your online banking login user name and password, your Personal Identification Number, and even your network login name and password are no longer secure and confidential.

Although media reports tend to focus on the impact on individuals, these keystroke loggers have disturbing implications for businesses. For example, what happens when banking data gets compromised, and bank customers lose money through these malicious attacks? Should the liability be borne by the bank or the customer? If the infected PC or laptop was operating behind a company firewall, should the company bear part of the blame—and liability too?

The implications for government bodies and the military are even more serious, because it is not just other people’s money at stake, but potentially their lives as well. For this reason, the US-CERT (Computer Emergency Response Team) has issued an advisory calling for people to stop using Microsoft’s Internet Explorer, and switch to another Web browser.

You are not alone

Security problems can sometimes be acute. Businesses in the Asia Pacific, especially SOHOs and smaller offices, tend to be less strict in enforcing virus scanning and updating their virus signature files. With their smaller IT budgets and teams, they are more vulnerable to such attacks because they have neither the time, money nor human resources to keep such sophisticated attacks out.

There are no easily available statistics for the region at this point, but the latest figures from the Internet Storm Centre Web site (http://isc.sans.org/port_report.php) show 294,810 reports of attacks worldwide on port 80 (Web browsing) for July 8, 2004 alone. The most virulent strains are the Netsky variants, which propagate through e-mail, according to MessageLabs and some other organisations’ Web sites.

Modes of transmission

The omnipresence of viruses and worms propagated by e-mail may have contributed to the browser blind-spot. The Scob Trojan exploits a weakness (some would say “feature”) in Internet Explorer that allows a script to be executed on the user’s machine simply by viewing a Web site. Because the threat comes not from obviously fake Web sites or sites with dubious content (pornography and bootleg software sites) but from reputable sites that have been compromised (the Kelley Blue Book automobile pricing guide and Minerva Health), the virus circumvents typical Web site filtering mechanisms in firewalls. This mode of attack also caught Microsoft by surprise, prompting the company to issue an interim configuration change, with a proper fix to be released later.

Although the Scob Trojan is essentially a ‘binary agent’ method of attack—that is, it requires two conditions, a compromised Web site and browser vulnerability, in order to work—that level of sophistication, especially in a virus, is quite frightening. Previous viruses required action on the user’s part such as clicking an attachment or permitting a download, but this attack requires neither. Because the payload is not in the e-mail, virus and spam filtering on e-mail servers simply would not work.

The Web site that received the keystroke information from infected machines was quickly shut down, but the precedent had been set. Typically, when new virus methods are “developed,” they herald more attacks, not fewer, even though anti-virus companies may have already developed detection and removal strategies and software.

A little history and modern medicine

Security problems have always been with us, even from the early days of computing. For those of us old enough to remember, there was the Michelangelo virus on DOS—predating the Internet—that spread through shared floppy disks. Transmission was slow because there were few companies and organisations that had networks. With the Internet, transmission is a lot easier, and the infection can spread to more computers in a far shorter time.

Anti-virus software is therefore understood by a vast majority of system administrators as a “host-only” solution. That is, anti-virus software is installed on PCs, laptops and servers by system administrators, scans are executed on the machine itself, and virus updates have to be manually downloaded onto the system.

This is a difficult strategy to implement and maintain, as any system administrator will tell you. Users, especially non-technical users, are difficult to train to do periodic virus scans and signature updates, and prone to clicking attachments and infecting their own systems. The problem escalates dramatically for larger companies; for technology professionals already stretched by the demands of the company’s information infrastructure, maintaining security on individual PCs can become low priority—and the single weakest link in the company’s network.

A better strategy would involve stopping viruses and spam at the gateway, and there are companies and products already providing such solutions in the market. The rationale is that if you stop most of the malicious content from entering your network, the security situation on individual PCs and laptops becomes more manageable. System administrators can concentrate on just one, or a few servers or network appliances, instead of tens or hundreds of user workstations.

Performance anxiety

Although a few companies already offer this gateway solution, a lot of people think that it consists of several servers running different security products such as a content-filtering server, a firewall, and an Intrusion Detection System server. This approach is expensive, but is sometimes necessary because commodity servers cannot handle the performance requirements of high-bandwidth networks.

Seven tips for protecting your organisation
  • If you receive an e-mail, or visit a Web site, that asks for your credit card information, online banking password or any personal information, and it looks suspicious (i.e. a so-called “phishing scam”), you can check it against the anti-phishing Web site at http://www.antiphishing.org/. If you click on the phishing archive link, you can see a list of all recorded phishing e-mails. Each item in turn is linked to more information about the scam, including a screenshot that you can compare with your e-mail or the Web site you were redirected to.
  • Some Web sites are not what they claim to be. If you look at the URL (the address bar in your browser), you can sometimes spot a discrepancy. For example, if you expect to be on the Citibank Web site, you should see a URL that has “citibank.com” in the URL, not “citi.com” or “web-citi.com”. Also, if the URL displays just numbers, it probably does not belong to the company.
  • If the Web site requires you to download a file in order to view the page, be careful. A lot of Web sites run Flash and Java applets, and if your Web browser does not have them installed, you may get a dialog box asking you to install them. But if you know that Flash and Java are already installed and the Web site asks to install something else, do not click “Yes” unless you really know what you are doing.
  • One thing that gives “phishing” and fake Web sites away, especially if they try to imitate an actual reputable company’s Web site, is that the English used is sometimes ungrammatical, has spelling errors, or sounds clumsy. Most reputable companies employ professional copywriters who would not make such elementary errors.
  • Install an anti-virus firewall with deep packet inspection. This takes most of the burden off employees, because your first line of defence (the firewall) will also scan data for malicious content. This includes e-mail as well as downloadable content. You should also get a product that does automated push updates so that you don’t have to worry when your network administrator is on leave or at In-Camp Training.
  • You can try to get people to use other browsers (such as Mozilla) for normal browsing, and use Internet Explorer only for certain sites that really require it. Make a list of allowable sites for Internet Explorer, and use Mozilla for everything else.
  • Install or activate anti-spam software on the mail server. A lot of mail servers now have support for Realtime Blackhole Lists, which list known IP addresses and host names from which spam originates.
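The second tip above (look at the address bar and check that the expected company name really is the host) can be turned into a mechanical check. The following is an added example, not code from the column or from Fortinet; the domain names and addresses in it are constructed for illustration. It extracts the host from a link, rejects look-alike hosts such as “citi.com” or “web-citi.com”, and flags hosts that are “just numbers”.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, ignoring userinfo and port.

    urlsplit() parses "citibank.com@192.0.2.10" as userinfo@host, so a
    decoy name placed before the '@' never reaches the host we inspect.
    """
    if "://" not in url:
        url = "http://" + url          # bare "www.example.com/x" links
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_ip_literal(host: str) -> bool:
    """True when the host is 'just numbers' (an IPv4 or IPv6 address)."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host equals expected_domain or is a subdomain of it.

    A substring test would accept "web-citibank.com" and
    "citibank.com.example.net"; checking the label boundary rejects both.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def classify(url: str, expected_domain: str) -> str:
    """Classify a link as ok, ip-literal, mismatch or no-host."""
    host = host_of(url)
    if not host:
        return "no-host"
    if is_ip_literal(host):
        return "ip-literal"
    if belongs_to(host, expected_domain):
        return "ok"
    return "mismatch"

if __name__ == "__main__":
    # Constructed sample links of the kinds the tip describes.
    for link in ("https://online.citibank.com/login", "http://www.citi.com/",
                 "http://web-citi.com/verify", "http://192.0.2.10/citibank/"):
        print(f"{classify(link, 'citibank.com'):10} {link}")
```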

F Matthew Young III is vice-president, Asia Pacific, Fortinet Inc.


© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.