In a previous blog post, I pointed out that every user has a responsibility to keep their computer malware-free. Alas, it takes time and effort to do this!
For any type of computer, patching is the most important protective action you can take. Windows, Macs, and Linux systems all have reasonably user-friendly patching procedures, and most can be set to check for updates automatically. I usually check my computers at least weekly. However, these update programs only update the operating system (OS) and the programs that shipped with it. According to Secunia, third-party programs are responsible for 78% of the vulnerabilities. Therefore, if you install other programs (e.g., Winamp, AIM, Messenger, Flash, Acrobat, Evernote, Dropbox, ...), YOU are responsible for checking their patch status and obtaining and installing any patches that are needed. Many programs can be set to check for updates automatically or when the program is launched; enable this wherever it is offered.
I have friends who hate to update any programs on their computers. They like the way the old programs worked, hate changes, are too cheap to upgrade, and so forth. But it is unsafe to run programs that are no longer maintained by their manufacturer. For example, many security holes in IM programs have been patched, and if you use an old version, you can get hacked. Liking the old smileys is not a good reason to resist updates! My friends go on to say things such as "there is nothing important on my computer, so I don't care." But their hacked computer can attack other innocent users, as described in my previous blog post. Malware will also slow down your computer and use your bandwidth. Most ISPs try to detect infected computers on their networks and block them until they are disinfected.
BACKUP! Yes, I am yelling at you. Hard disks can fail at any time, or you can be required to rebuild your system (due to malware or a screw-up). I can't tell you how many times my bacon has been saved by having proper backups. For example, I have over 450 GB of ripped music files that took me years to create. I have five, yes five, copies of them, and I have lost two of them at a time. Many backup programs by default only back up your user data. This is nice, but it takes several days to rebuild a computer from scratch, to patch it, and to reinstall all programs. Therefore I am a big fan of full-disk backups of your boot drive. Windows Professional and Ultimate do this nicely in Control Panel/Backup and Restore/Create a system image. OS X has Time Machine. This is not sufficient—I once had my Time Machine backups erased by accident. I also make full-disk backups (which are bootable) by using SuperDuper!. Disk drives are cheap. Buy several extra disks for backups, and perform the backup regularly.
If you have patched your computer's OS and every application you installed, attacks on it become much harder to pull off. There are two primary infection vectors: 1) opening mail attachments, and 2) browsing to an unsafe or infected Web site. And yes, reputable Web sites can get infected too, so you always have to be careful.
Almost every week I get emails sent by a friend that were in fact not sent by them. Their mail account got hacked, and their address book was stolen. This is especially prevalent if your friends use Hotmail, AOL, or Yahoo for mail because people often choose easily guessable passwords. So, even if an email comes from a friend, be suspicious of any links it contains or any attachments to it. If necessary, call or email your friend to see if the message was legitimate; they will want to know that their account has been hacked.
It is trivially easy to set the From field of an email you send to whomever you wish, such as email@example.com. It is much harder to fake the path that the email takes through the Internet. How do you tell if an email is legitimate? Examine the full headers of the email. Every mail server that handles a message adds a Received: header on top of the ones already there, so the chain reads newest-first, and the route the message took is recorded in those lines. In Thunderbird, for example, you can choose View/Headers/Full from the menu to display them at the top of your message. One caveat: a spammer can put bogus Received: lines into the message before sending it, so the lines at the very bottom of the chain cannot be trusted. The line to look at is the one your own provider's server wrote when it accepted the message from the outside world; its "from" clause names the host and IP address the message really came from. For example, an e-mail selling Viagra came from
from 91afzlctrn.ciejzwibscsg.axcqj8tvrug.net (unknown [184.108.40.206]) by psk04-shd.lnhosting.com (Postfix) with ESMTP; Thu, 12 Apr 2012 12:46:44 +0000 (UTC)
Clearly 91afzlctrn.ciejzwibscsg.axcqj8tvrug.net is not a legitimate enterprise. Note also the "unknown" in parentheses: the receiving server could not find a reverse DNS name for the address, which is typical of a compromised home machine.
The corresponding Received: line for a legitimate email looks like
from mail2.1105newsletters.com (unknown [220.127.116.11]) by psk04-shd.lnhosting.com (Postfix) with ESMTP for <firstname.lastname@example.org>; Thu, 12 Apr 2012 12:33:06 +0000 (UTC)
Furthermore, to cut down on spam, some emails are now digitally signed by the sending domain using DKIM (and its predecessor DomainKeys). The signature covers the headers listed in h= and the body, and anyone can verify it against the public key the d= domain publishes in DNS:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=1105newsletters.com; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:list-unsubscribe; i=WT@1105Newsletters.com; bh=ND+O3bYTEVzrtfALw17o1/XFVSw=; b=ri0RGeLtJ/E6wsBRT5IrK+fBS7RvOt70l6GX6WTWVsNqoe2W4UWgMxvVd9P3L0cPrDYpQxdb3JEp
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=1105newsletters.com; b=Gc/+fFB2MfiCUtxTQ7ghgQyN5Y+gP0cWAqr4YY49OHRPcHjPVX+ovvjQw9Dc7GQeDXmUADCHZFD6 bs+0Kw+t2h6r7Ri5+IdJHprVgJw8dyKKeHHaHic4T2TLURFY7m9u;
So, you can learn a lot by examining the header of an email. Keep in mind what a DKIM signature does and does not prove: a valid signature shows that the d= domain sent the message and that it was not altered in transit, nothing more. A spammer can sign mail with a throwaway domain of his own, so check that the d= domain actually matches the domain in the From field.
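Here is a small Python script that does the same reading of headers mechanically: it walks the Received: chain from the top, stops at the first hop where my provider's server took the message in from outside, reports that host and address, and checks whether the DKIM d= domain lines up with the From domain. It is an added example, not part of the original post and not tied to any mail product. The message it parses is constructed (the spammer's host name from above is reused, the addresses are RFC 5737 documentation addresses, and the bottom Received: line is one the sender forged before sending), and the provider domain example-isp.net is an assumption. It checks DKIM alignment only; actually verifying the signature needs the key from DNS and a DKIM library.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a real message. The bottom-most Received: line was
# "written" by the spammer's own host and is exactly the kind of line that
# cannot be trusted.
CONSTRUCTED_MESSAGE = """\
Received: from mx-in.example-isp.net (mx-in.example-isp.net [192.0.2.10])
\tby mailbox.example-isp.net (Postfix) with ESMTP id 4F8A1C
\tfor <alice@example-isp.net>; Thu, 12 Apr 2012 12:46:45 +0000 (UTC)
Received: from 91afzlctrn.ciejzwibscsg.axcqj8tvrug.net (unknown [198.51.100.77])
\tby mx-in.example-isp.net (Postfix) with ESMTP; Thu, 12 Apr 2012 12:46:44 +0000 (UTC)
Received: from mail.bank-of-somewhere.example (mail.bank-of-somewhere.example [203.0.113.5])
\tby 91afzlctrn.ciejzwibscsg.axcqj8tvrug.net with SMTP; Thu, 12 Apr 2012 12:46:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axcqj8tvrug.net; s=default;
\th=From:To:Subject; bh=placeholder=; b=placeholder=
From: "Bank of Somewhere" <security@bank-of-somewhere.example>
To: alice@example-isp.net
Subject: Please confirm your account

Your account will be closed unless you click the link below.
"""

# "from HELO-name (reverse-dns [ip]) by server ..." as Postfix and Sendmail write it
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]]*?)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)", re.IGNORECASE)


def load(raw):
    """Parse a raw RFC 5322 message."""
    return message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """Return the Received: lines, newest first, as dicts of the pieces we care about."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = RECEIVED_RE.match(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def external_origin(msg, my_provider):
    """Walk the chain from the newest hop down and return the first hop where a
    server of my_provider accepted the message from a host outside it. Hops
    below that were written by machines we do not control and may be forged."""
    for hop in received_hops(msg):
        if not in_domain(hop["by"], my_provider):
            break  # we have left the trusted part of the chain
        if not in_domain(hop["helo"], my_provider):
            return hop
    return None


def dkim_domain(msg):
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = DKIM_D_RE.search(" ".join(str(sig).split()))
    return m.group(1).lower() if m else None


def from_domain(msg):
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def dkim_aligned(msg):
    """True when the signing domain is the From domain or a parent of it.
    Alignment only: the signature itself is not verified here."""
    d = dkim_domain(msg)
    return d is not None and in_domain(from_domain(msg), d)


if __name__ == "__main__":
    msg = load(CONSTRUCTED_MESSAGE)
    origin = external_origin(msg, "example-isp.net")
    print("claims to be from:", from_domain(msg))
    if origin:
        print("really came from:", origin["helo"], origin["ip"], "(reverse DNS: %s)" % origin["rdns"])
    print("DKIM d=:", dkim_domain(msg), "aligned with From:", dkim_aligned(msg))
```

The only thing you need to tell the script is your own provider's domain, which you can read off the "by" clause of the topmost Received: line in any message you receive.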
People are afraid to open a possibly malicious email. But if you have a good email client, it blocks any content that has to be fetched from some Web site. Plain text in a message cannot infect you; the risk is in remote content, scripts, and attachments. Thunderbird displays the following message at the top of an email:
Unless you click the "Show remote content" button or open an attachment, simply reading the message is safe.
Targeted phishing (called spear phishing) is becoming more prevalent. For example, a recent attack was a supposed letter from an airline containing an attached itinerary change; a friend was in fact flying on that airline, opened the email, and got hacked. Train yourself to detect phishing attacks. If you hover your mouse over a link in an e-mail, the actual address will be displayed, usually on the bottom bar of your Web browser or mail client. The text of a link can say anything; only the address underneath it matters. If your message is from a legitimate site, all links should go to that site, and read the domain carefully: it is the name just before the first single slash, and attackers register look-alike names that put the real name in front of extra words or a different ending.
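As an added example (not from the original post), here is Python that does the hover check over a whole HTML message at once: it pulls every link out of the body, flags links that leave the domain the mail claims to be from, and flags links whose visible text names one site while the address underneath points to another. The message body is constructed in the style of the itinerary lure above, and airline.example stands in for the airline's real domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body, not a real message. Link 2 is the classic trick: the
# visible text is the airline's address, the href is a look-alike domain.
CONSTRUCTED_EMAIL_HTML = """
<p>Your itinerary has changed. Please review it within 24 hours.</p>
<p><a href="https://www.airline.example/itinerary/12345">View your itinerary</a></p>
<p><a href="http://airline.example.itinerary-update.example/login">https://www.airline.example/login</a></p>
<p><a href="https://airline.example/help">https://airline.example/help</a></p>
<p><a href="https://airline-example.example/unsubscribe">Unsubscribe</a></p>
"""

# Link text that itself looks like a URL or bare host name
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def same_site(host, domain):
    """True for the domain itself and its subdomains, false for look-alikes."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def check_links(html, claimed_domain):
    """Return (text, href, problems) for each link; an empty problems list
    means the link is consistent with mail really sent by claimed_domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        problems = []
        if not same_site(target, claimed_domain):
            problems.append("points outside %s (to %s)" % (claimed_domain, target))
        if URL_LIKE.fullmatch(text) and not same_site(target, host_of(text)):
            problems.append("text shows %s but link goes to %s" % (host_of(text), target))
        findings.append((text, href, problems))
    return findings


def suspicious_links(html, claimed_domain):
    return [f for f in check_links(html, claimed_domain) if f[2]]


if __name__ == "__main__":
    for text, href, problems in suspicious_links(CONSTRUCTED_EMAIL_HTML, "airline.example"):
        print("%r -> %s\n    %s" % (text, href, "; ".join(problems)))
```

The subdomain test is the part to get right: www.airline.example belongs to the airline, but airline.example.itinerary-update.example and airline-example.example do not, even though both contain the real name.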
Browsing is one vector to infect your computer with spyware and/or malware. A good video on the subject is at http://outsidelens.scmagazine.com/video/Dealing-with-Spyware-2-How-Spyw;Malware.
I am very much against using Internet Explorer or Safari for Browsing. They are both built into the OS, so a successful attack on them could more easily give the attacker elevated privileges. Instead, I prefer to use Mozilla's Firefox or Google's Chrome. If Firefox or Chrome get hacked, they are "just programs" and not part of the OS. Firefox and Chrome run on ALL operating systems, and even sync themselves across multiple machines.
Firefox has an important advantage: the plugin NoScript. NoScript blocks all sorts of malware, for example the recent Mac Flashback Trojan. It stops scripts (and plugins such as Java and Flash) from running without your permission, and it stops content embedded from other sites from loading. For example, malware can be hidden behind an unnoticeable 1-pixel image or frame that pulls in code from another site. Unfortunately, many pages require some scripts and content from other sites to work properly, so you have to train NoScript by individually allowing sources for each page you visit. It takes a while to do this, and can be a pain (especially in e-commerce), but once you examine all the sources and allow them individually, your browsing will be much safer. As an example, the Wall Street Journal's home page pulls in content from many other sites:
Many of these sites link to ads, so by trial and error, I determined which ones to display in order to see the content I want, and to block the ads I do not want.
The Wall Street Journal ran an article about malicious cookies (up to 90 on some sites!) that track your movements across the Web and report home, thus invading your privacy. The plugin Ghostery (available for both Firefox and Chrome) stops them in their tracks.
Many interactive (e-commerce, social media, subscription) Web sites require that you have a user ID and a password. Many people use the same bad password at every site. This is an awful idea, and is unnecessary. You want a unique good password (to be discussed below) at every site. There is an easy way to do this: LastPass. LastPass is free and is available for every browser on every platform. It is also available on smartphones for a small fee. LastPass generates secure passwords for each site and remembers them for you. You merely have to remember one good password to unlock the LastPass vault. I am a worrywart, so I also store my passwords in an encrypted spreadsheet. (Be sure that you actually encrypt the spreadsheet rather than just requiring a password to open it.) I keep this encrypted spreadsheet in my private Dropbox, so I have it on all my computers, and am protected against all-too-frequent disk crashes.
Another useful plugin is called Web of Trust (WOT). WOT rates each site by placing a little colored circle next to each link. If you actually go to a site they feel might be bad, the site gets intercepted with a warning screen. This might make your teen think twice about visiting an iffy Web page. For example, almost all of the pages you get referred to by Publisher's Clearing House entries are deemed to be unsavory by WOT. WOT is available on both Firefox and Chrome.
I emphasized that you are responsible for patching programs that were not installed by the OS. Fortunately on Windows, there is a wonderful free (for personal use) program that searches through ALL of your programs to find out what requires security patches. Secunia Personal Software Inspector (PSI) does this and more. PSI often automatically patches your programs, or tells you where to get the patch and how to install it. The first time I installed PSI I was stunned to find that I had about a dozen insecure programs, some of which I had not installed. For example, some programs install a Java run-time environment (JRE) which never gets updated if the program that installed it is not patched. Again, it can be a nuisance to keep your computer 100% secure (the PSI icon is green) but it is absolutely vital.
Of course you need good antivirus and antimalware programs. Comcast, for example, supplies a version of Norton 360 for free. You can usually get it free (after rebates) if you keep an eye on fryes.com. The security suites (not the bare antivirus programs, which are quite inadequate) usually contain a two-way firewall. The Windows firewall, as configured out of the box, only filters inbound connections. But if malware infects your computer, it will usually "call home" to deliver its captured goodies. An outbound firewall will detect a strange connection to Bulgaria and alert you that something strange is occurring.
Yes, Macs do need good antimalware programs. The initial ones sucked, but they are now reasonably unintrusive and speedy. Comcast offers a free copy of Norton Internet Security for Mac users. I turned off its outbound firewall, however, because it does not allow you to set things for Linux programs and daemons. You can only control things for normal Mac apps. Instead, I use Little Snitch, which is an excellent outgoing firewall. Little Snitch (like NoScript) must also be trained about which programs it should allow to access the Internet. You can also specify things such as allowed sites, communication protocols (TCP, UDP, ICMP), ports, and http vs. https. This generates popup boxes for a few days, but Little Snitch only bothers you when something changes—a good thing. I recently gave up on Norton for my Mac and switched to Bitdefender (even though I must pay) for both Macs and PCs. It is more effective, and uses fewer system resources.
Secunia does not offer a Mac version of PSI. CNET.com has the CNET TechTracker, which serves a similar purpose, but it is not as nice as PSI, and I thought it a pain to use, so I uninstalled it. For example, they list all programs that have new versions that would require you to pay for an upgrade. Also, I could not get their smart install to do anything. CNET does issue a weekly newsletter that lists all the updates for the week, and I subscribe to that.
Use Disk Utility (in the Utilities folder) to check the permissions on your disks occasionally.
The Linux distributions usually have user-friendly update programs. I personally like OpenSUSE on desktops and laptops. If you have an old PC, I strongly urge you to install one of these distributions and try a proper multiuser OS. Linux rarely needs a reboot except for a kernel update. You must still maintain the patch status of any programs you installed that are not part of the distribution.
Although your OS and programs may be all patched, your system can still be very insecure. This is because you must also properly configure your system. Proper configuration applies to OS X as well, because the BSD-derived Unix layer underneath OS X must also be properly configured. In general, the owner, group, and permissions of all the files on a Linux system must be correct, especially for the system files, and the same goes for the account each service runs under. Out of the box, my external music server Subsonic is configured upon install to run as root. This is a bad idea because any hole in the Subsonic server could allow an attacker to gain root privileges, and he would own my system. It took some fiddling and interaction with the Subsonic forum users to figure out how to run the program as user subsonic. It is now a lot safer.
Attacks can occur via services that allow incoming traffic from the internet. On my server, there are just three open ports: Subsonic, https, and ssh (secure shell which allows an external user to get a command shell). By "open port" I mean that the firewall on my server allows the traffic and the firewall on my router allows the traffic. Many more services are allowed internally on my LAN to do printing, file sharing, etc. But these ports are blocked at the router.
It takes less than an hour (often just a few minutes) for attackers to discover my open ssh port and to start to attack it. They run automated scripts that work through lists of likely user IDs and passwords. Incidentally, precomputed tables of the hashes of all 8-character or fewer passwords (rainbow tables) fit on a handful of DVDs, so a short password is no protection once an attacker has stolen the hashed password file (properly salted hashes, as Linux and OS X use, blunt this, since the attacker would need a separate table per salt). Against an open ssh port, however, the attacker does not have your hashes; he is guessing online, one login attempt at a time, and if left unchecked he would eventually guess a weak password. Here is an example of a non-distributed attack on my computer:
Apr 13 13:39:52 jarfx sshd: Invalid user sandbox from 18.104.22.168
Apr 13 13:40:04 jarfx sshd: Invalid user hub from 22.214.171.124
Apr 13 13:40:06 jarfx sshd: Invalid user mooon from 126.96.36.199
Apr 13 13:40:08 jarfx sshd: Invalid user bluecore from 188.8.131.52
Apr 13 13:40:10 jarfx sshd: Invalid user cjh from 184.108.40.206
Apr 13 13:40:17 jarfx sshd: Invalid user info from 220.127.116.11
Apr 13 13:40:19 jarfx sshd: Invalid user demuji from 18.104.22.168
Apr 13 13:40:26 jarfx sshd: Invalid user diskbook from 22.214.171.124
Apr 13 13:40:28 jarfx sshd: Invalid user diskbook from 126.96.36.199
Apr 13 13:40:31 jarfx sshd: Invalid user diskbook from 188.8.131.52
Apr 13 13:40:35 jarfx sshd: Invalid user firefox from 184.108.40.206
Apr 13 13:40:38 jarfx sshd: Invalid user user0 from 220.127.116.11
Apr 13 13:40:42 jarfx sshd: Invalid user mysql0 from 18.104.22.168
Apr 13 13:40:44 jarfx sshd: Invalid user user0 from 22.214.171.124
Apr 13 13:40:47 jarfx sshd: Invalid user backup from 126.96.36.199
Apr 13 13:40:49 jarfx sshd: Invalid user backup from 188.8.131.52
Apr 13 13:40:51 jarfx sshd: Invalid user firefox from 184.108.40.206
Apr 13 13:40:56 jarfx sshd: Invalid user user0 from 220.127.116.11
Apr 13 13:41:00 jarfx sshd: Invalid user swsgest from 18.104.22.168
Apr 13 13:41:02 jarfx sshd: Invalid user megafile from 22.214.171.124
Apr 13 13:41:05 jarfx sshd: Invalid user i-heart from 126.96.36.199
Apr 13 13:41:07 jarfx sshd: Invalid user i-heart from 188.8.131.52
Apr 13 13:41:11 jarfx sshd: Invalid user bash from 184.108.40.206
Apr 13 13:41:16 jarfx sshd: Invalid user taz from 220.127.116.11
Apr 13 13:41:20 jarfx sshd: Invalid user PruncuTz from 18.104.22.168
Apr 13 13:41:27 jarfx sshd: Invalid user paulb from 22.214.171.124
Apr 13 13:41:30 jarfx sshd: Invalid user michael from 126.96.36.199
Apr 13 13:41:36 jarfx sshd: Invalid user lday from 188.8.131.52
Apr 13 13:41:45 jarfx sshd: Invalid user svn from 184.108.40.206
Apr 13 13:41:57 jarfx sshd: Invalid user joyko from 220.127.116.11
Apr 13 13:41:59 jarfx sshd: Invalid user user0 from 18.104.22.168
Apr 13 13:42:06 jarfx sshd: Invalid user sshserver from 22.214.171.124
Apr 13 13:42:13 jarfx sshd: Invalid user server from 126.96.36.199
Apr 13 13:42:19 jarfx sshd: Invalid user vivian from 188.8.131.52
Apr 13 13:42:22 jarfx sshd: Invalid user prince from 184.108.40.206
Apr 13 13:42:33 jarfx sshd: Invalid user lovetravel-ftp from 220.127.116.11
Apr 13 13:42:46 jarfx sshd: Invalid user ftpuser from 18.104.22.168
Apr 13 13:42:55 jarfx sshd: Invalid user idclicksucai from 22.214.171.124
Apr 13 13:42:58 jarfx sshd: Invalid user gamme from 126.96.36.199
Apr 13 13:43:04 jarfx sshd: Invalid user xmap from 188.8.131.52
Apr 13 13:43:13 jarfx sshd: Invalid user mysqll from 184.108.40.206
Apr 13 13:43:16 jarfx sshd: Invalid user test from 220.127.116.11
Apr 13 13:43:25 jarfx sshd: Invalid user mysqll from 18.104.22.168
Apr 13 13:43:32 jarfx sshd: Invalid user eddy from 22.214.171.124
Apr 13 13:43:41 jarfx sshd: Invalid user eddy from 126.96.36.199
Apr 13 13:43:45 jarfx sshd: Invalid user moon from 188.8.131.52
Apr 13 13:43:52 jarfx sshd: Invalid user vizz from 184.108.40.206
Apr 13 13:43:54 jarfx sshd: Invalid user herosys from 220.127.116.11
Apr 13 13:44:01 jarfx sshd: Invalid user http from 18.104.22.168
Apr 13 13:44:03 jarfx sshd: Invalid user http from 22.214.171.124
So what can you do?
- First of all, look at your system logs in /var/log/messages (on some distributions ssh logins go to /var/log/auth.log or /var/log/secure instead). These will list attempted logins. When I look at them, I get systematic attacks from multiple IP addresses (from a botnet) trying to do coordinated guessing. These occur many times a second. These distributed attacks are very hard to stop. Reviewing the log files is difficult (they can be large), so there are programs such as logwatch that summarize the logs and mail you the summary.
- Do not use easy-to-guess user names. Every guess the attacker makes is a user name and password pair, and no password will ever work for a user name that does not exist. The scripts mostly try common names such as admin, test, backup, and mysql (see the attack above), so an unusual user name takes you out of their lists entirely.
- Use a program such as fail2ban to block an IP address after repeated failed login attempts from it. However, this is ineffective for distributed attacks where only a few attempts come from each IP address. This is one reason that it is important that your computer NOT be part of a botnet.
- Use a program such as Tripwire to detect that you have been hacked. Tripwire makes a hash of every important system file and stores the hashes in a signed, encrypted database. If something such as your ssh daemon gets replaced with a malevolent version (a very common attack), you will get an email. Two caveats: the baseline must be taken while the system is known to be clean (ideally right after installation and patching), and it only catches what has changed since that baseline.
- Don't use passwords except at the console. Instead, use ssh keys. Ssh keys are long random strings that are impossible to guess. The public key goes on the server in the user's ~/.ssh/authorized_keys file, and the private key, which should be encrypted with a passphrase, stays on the machine you log in from, in its ~/.ssh directory. As a security manager on a large network of supercomputers, I can state that we never had a successful attack using encrypted ssh keys. Sometimes, the keys did not have passphrase protection, and they were used. But using ssh keys is not the whole story. You also have to ban the use of passwords for ssh logins, except at the console. This means setting PasswordAuthentication no (and, on older releases, ChallengeResponseAuthentication no) in /etc/ssh/sshd_config and restarting sshd, and perhaps adjusting the files in /etc/pam.d. Doing this requires some skill, but Google is your friend.
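The log review and fail2ban items above can be tried out on sample data. The following Python is an added example, not code from the post or from fail2ban: it parses sshd log lines in the format shown above, applies fail2ban's basic rule (ban a source after N failures inside a time window), and then looks for the pattern that rule misses, a single user name being guessed from many different addresses. The log lines are constructed (with the sshd process id that real syslog entries carry, and RFC 5737 documentation addresses), and the year is assumed because syslog timestamps do not include one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the format shown above, not a real log. The first
# source hammers away on its own; "admin" is also tried from three other
# addresses, one attempt each, which is what a botnet looks like.
CONSTRUCTED_AUTH_LOG = """\
Apr 13 13:39:52 jarfx sshd[2140]: Invalid user sandbox from 198.51.100.20
Apr 13 13:39:55 jarfx sshd[2142]: Invalid user hub from 198.51.100.20
Apr 13 13:39:58 jarfx sshd[2144]: Invalid user admin from 198.51.100.20
Apr 13 13:40:01 jarfx sshd[2144]: Failed password for invalid user admin from 198.51.100.20 port 51022 ssh2
Apr 13 13:40:04 jarfx sshd[2146]: Invalid user backup from 198.51.100.20
Apr 13 13:40:06 jarfx sshd[2150]: Invalid user admin from 203.0.113.9
Apr 13 13:40:09 jarfx sshd[2152]: Invalid user admin from 203.0.113.44
Apr 13 13:40:12 jarfx sshd[2154]: Invalid user admin from 192.0.2.77
Apr 13 13:40:15 jarfx sshd[2156]: Failed password for root from 192.0.2.77 port 40110 ssh2
Apr 13 13:40:20 jarfx sshd[2158]: Accepted publickey for alice from 192.0.2.200 port 50000 ssh2
"""

# Matches both "Invalid user X from IP" and "Failed password for [invalid user] X from IP"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)

LOG_YEAR = 2012  # assumption: syslog lines carry no year


def parse_failures(text):
    """Return a list of (timestamp, user, ip) for each failed or invalid-user login."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("u1") or m.group("u2"), m.group("ip1") or m.group("ip2")))
    return events


def ban_candidates(events, max_tries=5, window_seconds=600):
    """fail2ban-style rule: sources with at least max_tries failures inside any
    window_seconds span (these are fail2ban's default maxretry and findtime)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= max_tries:
                banned.add(ip)
                break
    return banned


def distributed_usernames(events, min_sources=3):
    """User names tried from at least min_sources distinct addresses: the signature
    of a botnet spreading its guesses thinly enough that per-IP banning never fires."""
    sources = defaultdict(set)
    for _ts, user, ip in events:
        sources[user].add(ip)
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) >= min_sources}


def per_ip_counts(events):
    counts = defaultdict(int)
    for _ts, _user, ip in events:
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_failures(CONSTRUCTED_AUTH_LOG)
    print("failures per source:", per_ip_counts(events))
    print("would ban:", ban_candidates(events))
    print("names guessed from many sources:", distributed_usernames(events))
```

Run against a real log, the first two functions tell you what fail2ban would have done; the third is the one worth scheduling, because a name that is being tried from dozens of addresses is either a name on every attacker's list or, worse, a real account of yours that has leaked.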
I hate passwords and think they have outlived their usefulness. Nonetheless, they are required everywhere. I have already discussed generating and remembering them using LastPass and an encrypted spreadsheet.
One good solution is to use a one-time password. PayPal, for example, offers two methods of logging in using one-time passwords. One way is to use a text message to your mobile phone (costs just a text message); the other is to use a security token, which is about $30. I have been using a PayPal token for years. If you carry your phone all the time, and do not lose it, the phone method is great also. To use my security token, you press a key on the token, a 6-digit passcode is displayed, and you append it to your normal password. It is probably the most secure remote login method available. However, if your computer is hacked, the hacker can still take over your session after you enter the passcode!
Nowadays, you should choose a password with at least 10 characters to thwart those rainbow tables I mentioned earlier. It is also a good idea to use upper and lower case, numerals, and, when allowed by the site, special characters (#$%^&...). The LastPass password generator does this nicely.
But you also need to pick some passwords that are strong, and that you can remember, to unlock LastPass and your encrypted spreadsheet. Some suggestions:
- The street address of the place you were born
- A line from a poem you wrote in third grade (I use this—I dare you to guess it)
- The first letters of the words and punctuation from a not very familiar song or poem.
- A long phrase you make up. For example "My favorite place in the house is my computer room."
- By far the best method is to let LastPass generate and remember a random password for you.
"I got hacked, what do I do?"
First of all, it is not easy to tell whether you have been hacked. Remember that the goal of most hackers is to control your computer in order to a) steal and exploit your personal information, and b) rent out your computer's time to others. Therefore, unlike in the old days when a hack did funny things to your computer display, today most hacks are silent and deadly.
"How do I tell if I am hacked?"
Because both hacking motivations require that the hacker "call home", either to receive new commands, to deliver a payload, or to mount an attack on someone else, your first line of detection is to spot strange outgoing traffic streams. This is done via an outgoing firewall (e.g., Little Snitch on a Mac or Norton 360 on a PC). Training these can be a pain because they ask you to approve new outgoing traffic streams (although Norton is pretty automatic). Note that the built-in Mac and Windows firewalls, as configured by default, only monitor incoming traffic.
Your second line of detection is your system or malware-preventer logs. On a Mac, open the Console app (in the Utilities folder) to see all the log files.
|The console window on a Mac.|
This list of events can be pretty daunting but it also points out system issues. You can see that Symantec is blocking ARP cache poisoning attempts for me. So you need to view this to see what is "normal" so that you can tell what is not normal.
On a PC, Norton 360 keeps a good log of its protection activities, but it is a bit hard to find under Tasks, Check security history:
|The Norton security log.|
Norton intelligently tries to manage the firewall rules for you. However, on my Mac, I had to disable the Norton firewall (and rely upon LittleSnitch) because it has trouble making rules for Unix services that are not Mac applications.
A friend thought he got hacked because his Eudora address book got all jumbled. It is very hard to tell if that happened or not. Files occasionally get munged. If he did get hacked, just fixing the address book will not clear his machine of an infection! Determining if there really is an infection is very difficult because the newer forms of malware block most malware-detection systems, or may load at boot time and hide thereafter. The worst malware can reflash your system ROM and essentially ruin your computer.
One very handy tool to have is malware detection that boots and runs from a CD. Even better is something that runs a different operating system, so that malware hiding inside the installed OS never gets a chance to run. PC Tools has a free downloadable CD called Alternative Operating System Scanner (AOSS) that performs this trick. I urge everyone to download and burn this ISO before you really need it! Note that this file is the image of a CD, so you have to burn it as a disc image rather than copy the file onto a disc.
How to remove malware
If you have followed my advice about backups and malware prevention, you may be able to save things. It is best to disconnect your computer from the Internet by turning off wireless and/or removing the Ethernet cable. This will prevent the hacker from calling home.
- You are lucky and your malware program identifies the infection. It may fix it for you. If not, you should Google for information about the infection. Usually there is an online procedure to remove infections--it may involve editing the Windows registry. Try to get the instructions using a different computer because it is best if your infected computer is offline.
- Try using the above-mentioned AOSS CD if you are running Windows.
- It is an unknown ("zero-day") piece of malware. The best recourse is to rebuild your system. This is easy, albeit time-consuming. If you have been religious about your backups, you will lose just a little data. You need to decide whether to restore a (hopefully known to be uninfected) system image, or to reinstall the OS from scratch, and to then restore your personal data from a backup made before the infection occurred.
There is some advantage to rebuilding the system ("rebuilding, like catharsis, is good for the soul"). You get a "clean" system with nothing extra in the registry. If you choose this path, be sure that you choose to reformat the hard disk and that you keep checking for and applying security patches until there are no more. Then you will have to reinstall all your programs--a good time to consider which ones you actually use. This can be problematic if you have bought program upgrades that require that the old version be installed. You will also need to have all those pesky serial numbers. Finally, restore your user directory from a backup.
If you have an image format of your boot drive, you can restore that using the Windows restore disk (you did remember to make one?...), or Time Machine on a Mac. Be sure you choose to reformat the disk and that you use a backup taken before the infection occurred.
After doing any of the above, be sure to recheck that the malware is gone.
According to Ars Technica, a new GPU-powered computer can crack any 8-character Windows password in less than 6 hours. Of course it would need to have stolen the hashed password file to do this, and it helps the attacker that Windows stores NTLM hashes, which are unsalted and very cheap to compute. Nonetheless, it is time to increase password length. Since the difficulty of cracking a password goes up exponentially with length (each extra character multiplies the work by the size of the character set), a 10-character password is probably long enough for now.
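To see why each extra character matters so much, here is an added Python example (not from the Ars article or from this post) that works the arithmetic through: it derives a guessing rate from the 8-characters-in-6-hours figure above, assuming passwords drawn from the 95 printable ASCII characters, projects that rate onto longer passwords, and shows how a password manager's generator draws a random password from the operating system's cryptographic random source.

```python
import math
import secrets
import string

# Assumption: the 8-character figure refers to passwords drawn from the 95
# printable ASCII characters. That is the best case for the defender; a
# lowercase-only password of the same length falls far faster.
ASSUMED_ALPHABET_SIZE = 95
CLAIMED_LENGTH = 8
CLAIMED_SECONDS = 6 * 3600

# The generator leaves out the space character, as most password managers do.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def implied_guess_rate(alphabet_size=ASSUMED_ALPHABET_SIZE, length=CLAIMED_LENGTH, seconds=CLAIMED_SECONDS):
    """Guesses per second needed to exhaust the whole keyspace in the claimed time."""
    return keyspace(alphabet_size, length) / seconds


def expected_crack_seconds(alphabet_size, length, guesses_per_second):
    """On average the attacker hits the right password halfway through the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def crack_time_table(guesses_per_second, lengths=(8, 10, 12, 14), alphabet_size=ASSUMED_ALPHABET_SIZE):
    """Expected cracking time in years per length; each added character multiplies it by alphabet_size."""
    year = 365.25 * 86400
    return {n: expected_crack_seconds(alphabet_size, n, guesses_per_second) / year for n in lengths}


def generate_password(length=12, alphabet=GENERATOR_ALPHABET):
    """Random password from the OS CSPRNG (secrets), the way a password manager makes one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = implied_guess_rate()
    print("implied rate: %.2e guesses/second" % rate)
    for length, years in crack_time_table(rate).items():
        bits = entropy_bits(ASSUMED_ALPHABET_SIZE, length)
        print("%2d chars: %5.1f bits, about %.3g years on average" % (length, bits, years))
    print("example generated password:", generate_password(12))
```

At the implied rate, going from 8 to 10 characters turns 3 hours into about 3 years, and 12 characters into tens of thousands of years; the arithmetic only holds for genuinely random passwords, which is the real argument for letting the manager generate them.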