September 16th, 2004
"Online Security: Let's Be Careful Out There"

Minutes of the 09-16-04 meeting of the Rocky Mountain Internet Users Group (RMIUG):
"Online Security: Let's Be Careful Out There"

Josh Zapin was the only committee member in attendance and ran the meeting, which was fairly well attended. He thanked the RMIUG sponsors for their support:


MicroStaff (http://www.microstaff.com) generously provides food and beverages at the meetings. The company provides Creative and Technical Talent for Web, Interactive Media, Marketing Communications, and Software Development projects.

ONEWARE (http://www.ONEWARE.com) is a Colorado-based software company that provides semicustom web-based applications, and is the sponsor of the RMIUG meeting minutes.

NCAR -- for the use of their wonderful facility.

Copy Diva (http://www.copydiva.com) provides the audio visual equipment.


Josh did a quick survey of the audience:
Most have purchased security software and have contracted a virus.
A few have had to refresh their whole systems due to an attack.
A few lose some time every day to security issues.
Some are "just plain scared" about the future.
About one-third think online security will be manageable someday and just part of doing business.

Josh said ignorance is bliss regarding security due to some alarming statistics:
Verisign, which enables secure transactions on the Internet, reports security events doubled from January to March this year (from 2 million to 4 million events per monitored device), and it now takes an average of 20 minutes to compromise a computer once you connect it to the internet--down from 40 minutes a year ago.



Microstaff has technical and creative positions opening. Visit microstaff.com for details. They would be happy to discuss general info about the job market as well.




Tonight's speakers are all employees of Webroot Software, Inc., a private Boulder company that makes privacy protection software and related products.

Richard D. Stiennon (rstiennon@webroot.com)
Richard is Vice President of Threat Research for Webroot Software where he applies his 20 years of security industry experience to identify emerging spyware and other security threats. Richard comes to Webroot from Gartner, Inc., where he served as vice president of research and a top security analyst. At Gartner he led much of the coverage on security topics including firewalls, intrusion detection and prevention, security counseling, and services.

Richard will discuss the anatomy of an attack, detail some of the latest threats, and provide a perspective on future types of attacks.

Michael Greene (mgreene@webroot.com)
Michael is Director of Product Management for Webroot Software. He brings with him more than 10 years of product development and management experience including his work at Raindance Communications and Thompson and Baxter International.

Brian Kellner (bkellner@webroot.com)
Brian is Director of Enterprise Product Management. He brings with him more than 10 years of experience managing software products. Brian uses his expert understanding of business environments to direct Webroot's enterprise division.

Michael and Brian will talk about how Spyware works and what you need to know to protect you or your enterprise against attacks.



When evaluating risk, remember it's your personal risk that's important. Think about the specific information stored on your computer that could compromise you. Generally, if you have a PC today running Microsoft products you have to have antivirus software and firewalls.

Attacks are either targeted or random--it's the targeted ones you hear about in the media. These are denial of service attacks, information theft, and attacks by disgruntled employees. Security companies are especially targeted--hackers look for security companies and hit them often. Some attacks actually kill servers and even routers.

But what we spend most of our money on are random attacks, which include viruses, port scans, and hacks of the month. These hacks of the month will do port scans on the entire internet, simply scanning for vulnerabilities. So it doesn't matter how obscure your internet presence may be, you can still get hit with these random attacks.

Some companies will hire a hacker to assess their security by giving the hacker the simple goal of breaking in. This is unwise. It's much more useful to do complete scans of all your servers and ports, find modems, etc, because that's what the hackers do. You want a tester to go through the same process that hackers go through.

- - - - - - - - - - - -
Anatomy of a Hack

Footprint Analysis:
The first step is to look for publicly available information that could be useful to a hacker. They do WhoIs lookups, then maybe search for site administrators' names for postings to message boards (for example) to see if they revealed anything useful (and they often do). NSLookup can provide useful information too. War dialing can locate modems. Example: shortly after Dell announced they were impervious to attack, you could do a search on "premier member password" and find login instructions and purchase order information on Dell's customer websites. Often a company might then claim that it's just a business issue. The business process side of a company often doesn't talk to security people--as a result, security holes are left open because no one thinks of them in security terms.

Hackers scan machines, ports, and applications to locate vulnerabilities, and then they just look up the appropriate hacking recipes on Google.

Hackers attack targets using a library of tools and techniques including buffer overflows, spoofing, password guessing, and denial-of-service.

A successful attack can end with identity theft, blackmail, website graffiti, espionage, and destruction.

- - - - - - - - - - - -

A tool for random attacks is the Worm. Worms are very dramatic and tend to affect everybody. The first major worm, Code Red, appeared three years ago. It was one of the first server-to-server worms. Code Red scanned the entire internet from every infected workstation, making it a multiheaded worm. Months later Nimda attacked the same vulnerability for people who didn't patch their systems against Code Red. It spread through email, file shares, and web browsing. Code Red also left behind a back door vulnerability that other viruses could use. The lesson is: always patch your systems right away.

Then came SQL Slammer: another multiheaded worm that spread to every vulnerable machine on the internet--80,000 machines--in six minutes. The Internet was brought to its knees by this worm. Carriers eventually blocked the appropriate high-level ports to stop the worm. This got people to install firewalls that blocked high-level ports. After that came MSBlaster which exploited another port vulnerability. Part of the problem was that Microsoft tended to make up their own nonstandard and mysterious protocols which led to vulnerabilities. All of these worms still exist on the internet, so if you're vulnerable you'll still get infected today.

Latest threats include new versions of viruses (MyDoom is up to version 28) and back door trojans which deploy remote tools--they leave something on your PC that another virus can exploit.

- - - - - - - - - - - -

The other new threat is spyware. These include keystroke loggers, voice loggers, and even cleverly timed screen captures. Spyware has grown faster than spam. The problem with spyware is that you invite it in, allowing it to bypass most security software.

Why spyware? You can make a lot of money with it. The information it records is valuable.

Remember that all spammers are criminals simply because they have to illegally take over other machines in order to send multiple emails--because ISP's won't let you send bulk email.

A particularly tenacious piece of spyware is CWS (Cool Web Search): it installs under multiple file names, redirects you to multiple websites, and can be very difficult to remove.

"Phishing" attacks can make people lots of money by collecting personal information, leading to identity theft. That's where the money is. You get an email with a link to a short-lived website that requests account info, etc. Then the phishing sites move around on their own by installing themselves on your server.

Spyware vectors (carriers) include email, web browsing, instant messaging (getting to be a big problem), cell phones, and file shares.

There are some interesting Denial of Service attacks coming from "Russian Bad Guys." They install trojans in servers all over the internet using a virus. The trojan contains instructions to request something from a particular website, and so you have a distributed denial of service attack ready to go-- no way to block it. Hackers sell their trojans, or bots, to the Russian Bad Guys. Online gaming is a huge business in other countries, and that's who the RBGs attack. They send them an email saying we're going to attack you--by activating all these trojans--if you don't send us money. The blackmail is very effective because the payout is less than the loss due to an attack. I predict this will grow to targeting things like banks--they don't want to end up in the news, so they'll just pay.

Four ways to protect yourself:
  1. use the new FireFox browser,
  2. switch to Mac OS X,
  3. update all windows/microsoft products,
  4. get something like SpySweeper.



Spyware and how to protect yourself

Where does it come from? Surfing the web, downloading shareware, music, games, reading emails, remote network logons, instant messaging, sharing your PC with another person. Spyware can also be deployed through the same security vulnerabilities that viruses and worms exploit.

Much of it is related to advertising. They create popup ads on your desktop. They collect information about your habits to create valuable marketing profiles that can be used to sell advertising.

Spyware includes a lot of surveillance: key loggers, screen captures, and trojans. These collect information from your PC and sell it.

The scary truth is that a typical PC has 26 pieces of spyware living on it. And this seems to be doubling each quarter.

What problems does it cause? Spyware can lead to significant performance loss, up to 50%. Causes crashes too.

How to protect yourself:
  • Be careful what you download.
  • Don't use one of those free "optimization services" on the web, they just load spyware.
  • You can adjust security settings upward to block some of it.
  • Install all available security updates from Microsoft.
  • Get a firewall.
  • Get antivirus software.
  • Get antispyware software.

No one thing blocks everything. Spyware gets through firewalls. Antivirus software doesn't stop spyware, especially spyware that's installed with free software. So you need a dedicated antispyware program.

Free solutions exist but they're not updated often enough, require manual maintenance, and may not stay on the market. These include Lavasoft Ad-Aware and Spybot Search and Destroy.

Paid solutions are more effective than freeware, they're less likely to remove beneficial software from your PC, and there's more quality testing behind them. Paid solutions tend to be more accurate and up to date and provide solutions to new threats. Paid solutions can be more usable, with good interfaces, help files, and live tech support (which can help with new threats). Some software can deploy active shields such as real-time protection heuristics, prevention of browser hijacking, Windows system shields, startup shields, etc.



IT departments in enterprises now have to deal with system crashes due to spyware. One solution is rebuilding the machines, but that's not acceptable. It can cause loss of bandwidth too: spyware is the number one user of port-80 traffic. Spyware causes loss of personal productivity and data privacy issues. Enterprises are different in four areas: scale, complexity, impact, and data.

Best to install firewalls, antivirus software, intrusion detection software, and a spyware solution. Many ask if you can stop spyware on its way in without having to protect every desktop on the network. Unfortunately, that technology is still in its infancy, so you do have to manage it at the level of the desktop. You could just prevent everyone from installing anything, but that's not a viable solution. So you need an endpoint on every desktop, and a system to ensure universal compliance.

Pest Patrol and Spysweeper Enterprise are two products designed for enterprise today.



Q: The CIA, FBI, and others are using spyware to track sex offenders, etc. Does Webroot make exceptions for legitimate government use of spyware? Do you advocate for government or just end users?
A: That just hasn't come up. We do work with government agencies, but we're not making any special exceptions. We focus on putting control in the hands of customers.

Q: How do you shut off some of these vulnerable "services" running behind windows?
A: Spysweeper can shut down some stuff via shields, but there are lists available on the web that will show you the rest: www.theregister.co.uk/2004/09/02/winxpsp2_security_review

Q: A Windows firewall isn't very kid-friendly. Do you have a nontechnical solution?
A: It's just the nature of the firewall to be that way. Try a good modern hub/router, which can provide some automatic, behind the scenes protection.

Q: How do I stealth or hide my WhoIs information?
A: You can pay netsol to stealth it for you, or just modify it with bogus info for free.

Q: Can you find spyware on your own?
A: Very difficult, I'm afraid. It knows how to hide. You really need antispyware software to find it.

Q: Does the firewall alert you to spyware?
A: Not usually. Spyware can trick firewalls when it connects to the internet.

Q: What about when Spysweeper asks about something it found?
A: Spyware is clever enough to use legitimate processes, so it asks to help ensure you're not removing something you need.

Q: Isn't FireFox really buggy?
A: A new version is available now, so check it out.

Q: How do you discover spyware to write your definitions?
A: We get calls and emails, and we have researchers out there grabbing whatever they can.

Q: How does webroot protect itself?
A: We don't want to be protected because we want to find stuff! (joke). Actually we deal with the same stuff as everyone else, and use the same methods of protection.

Q: Does spysweeper remove both spyware and adware?
A: Yes, because we include adware in our definition of spyware.

Q: Is it a good strategy to mix your network up with different OS's and different network protocols?
A: Absolutely. Diversity does help. Moving away from common denominator is a great strategy, but unfortunately it's more expensive.

Q: What about spyware that names itself identically to legitimate products?
A: A good antispyware product may be able to distinguish it, but that is the tricky part of this business.

Q: Since you're a security company, do you have employees who are hackers?
A: We look for people who are passionate about security and privacy. We screen the best we can, and haven't had any issues.

Q: How do you deal with employee hacking at webroot?
A: We screen the best we can and haven't had any problems.

Q: What happened with a linux attack that took down NCAR?
A: I don't know the specifics, but it does show that alternative systems are vulnerable, albeit they do suffer fewer attacks.

Q: Are linux attacks growing?
A: It's getting lots of targeted attacks, but no one's going to make money by attacking linux machines because there aren't enough of them out there.

Q: Is spyware research more proactive or reactive?
A: Shields are proactive. But we're still a ways away from blocking stuff before the vulnerability has been identified.

Q: Is there a scanner to remove spyware?
A: Not that we know of. Interestingly, some viruses can attack trojans and replace them. Gives you an idea of what we have to deal with nowadays.


RMIUG (http://www.rmiug.org/) appreciates the sponsorship of
MicroStaff (www.microstaff.com), ONEWARE (http://www.ONEWARE.com), and Copy Diva (http://www.copydiva.com).

Copyright 2004 RMIUG.org, All Rights Reserved