

  • Number of slides: 122

Computer Security. Jim Crowley, C3 – Crowley Computer Consulting

Apologies. This is long-haired, geeky stuff. This is long and boring. This is version 1. The analogies between safe sex and safe computing cannot be ignored. It is getting very difficult to protect older systems: too slow and not enough memory for security programs, and no new patches for anything older than Windows 2000. This is meant to scare the *#$^ out of you.

The Internet brings the world to your computer!

Various services run over the Internet: World Wide Web, email, instant messaging, peer-to-peer sharing, Voice over IP phones, gaming, Gopher, audio streaming, video streaming. The Internet was designed to be extended; it was not designed for this level of complexity. For example, the easiest way to prevent spam is to authenticate the sender, and SMTP email has no built-in method to do this.

Services have multiple methods of encoding and delivery. For example, the World Wide Web: HTML, XML, JavaScript, Flash, Perl, ColdFusion, VBScript, .NET, ActiveX, SHTML and more!!!

Services have multiple methods of encoding and delivery. For example, instant messaging: AOL, Google, ICQ, Microsoft, Yahoo and more!!!

You invite these services in… email, World Wide Web, peer-to-peer sharing, instant messaging, audio streaming, Gopher, gaming, Voice over IP phones, video streaming.

The good old days… it was hard and relatively expensive to “get online.” It was slow: do you remember 300 bps and 1200 bps modems? The web didn’t exist! Do you remember CompuServe and Prodigy and AOL? It was geeky! Users were hobbyists and it was all very ’60s. Exploits were confined to bugging your buddy and showing off!

Now… everyone is online! Over 50% of users in the USA are on broadband. Exploits are dirty rotten @#*!!!: money-making schemes, ripping off grandma, organized crime.

Common attacks: virus, worms, Trojan horse, spyware, spam, phishing.

Did you know… All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus. All of these ride the Internet services you invite in! Different companies and organizations will group attacks differently and will name attacks differently.

Malware: software designed to infiltrate or damage a computer system without the owner's informed consent. Originally harmless pranks or political messages, malware has now evolved into a profit maker. Includes viruses, worms and Trojan horses.

Malware: Virus. A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload. (1972)

Virus. In the days of yore… Who: the typical author was young, smart and male. Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There was no financial gain in writing viruses. Now… Who: professional coders, or programmers using “kits”. Why: financial gain through payment for email delivery, renting of botnets, extortion… Often supported by the mafia and black marketers.

Virus structure. Replication: viruses must propagate themselves. Payload: the malicious activity a virus performs when triggered. Payload trigger: the date, counter or circumstances present when a virus payload goes off.

Payload examples: nothing (just being annoying), displaying messages, launching a DDoS attack, erasing files (randomly, by type or by usage), formatting the hard drive, overwriting the mainboard BIOS, sending email, exposing private information.

Trigger examples: a date, Internet access, the number of emails sent.

Boot sector virus: infects the first sector of a hard drive or disk. The first sector contains the MBR, or master boot record.

File infector virus: attaches itself to a program file on the computer and is executed when that program is run.

Multipartite virus: combines properties of boot sector and file infector viruses.

Macro virus: written using script or macro languages such as Microsoft Office’s VBA; executes when a document containing the virus is opened.

Memory resident virus: sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.

Stealth virus: actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.

Polymorphic virus: alters its signature or footprint (typically by re-encoding its body with a different key for each copy) to avoid detection by fixed-pattern scanners.

Metamorphic virus: rewrites its own code each time a new executable is created, so no two copies share the same instruction sequence. Usually very large.

Malware: Worm. A self-replicating computer program that uses networks to copy itself to other computers without user intervention. Worms often lack a payload of their own but drop in backdoor programs. (1978)

Malware: Trojan. A destructive program that masquerades as a benign application; it requires a user to execute it. A variety of payloads are possible, but often Trojans are used to install backdoor programs. Generally, Trojans do not replicate. (1983)

Spyware: an application installed, usually without the user’s knowledge, that intercepts or takes partial control of the computer for the author’s personal gain. Estimates run as high as 90% of Internet-connected computers infected with spyware. Unlike a virus, spyware does not self-replicate.

Spyware symptoms: sluggish PC performance, an increase in pop-up ads, mysterious new toolbars you can’t delete, unexplained changes to home page settings, puzzling search results, frequent computer crashes.

Spyware: a loaded system

Spyware: rogue help. Antivirus Gold family: Adware Delete, SpyAxe, Antivirus Gold, SpywareStrike. PS Guard family: Security Iguard, Winhound, PSGuard, SpywareNO!, SpyDemolisher, SpySheriff, SpyTrooper, Raze Spyware, RegFreeze, WinAntiSpyware 2005, WorldAntiSpy.

Spyware: rogue help, this morning…

Spyware: Adware. Any software package which automatically plays, displays or downloads advertising material to a computer. Not necessarily “spyware”, depending on your definitions. Many “free” applications install adware, creating a source of income. Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp

Spyware: Adware

Spyware: Backdoors. Backdoor = remote access: a method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection. May be an installed program (e.g. Back Orifice) or a modification to an existing application (e.g. Windows’ Remote Desktop).

Spyware: Browser hijacker. Alters your home page and may redirect other requested pages, often away from helpful sites. Generally adds advertising, porn, bookmarks or pay-per-surf web sites.

Spyware: Dialers. A program that uses a computer’s modem to dial out to a toll number or Internet site: 900 numbers, phone system flood attacks. Can rack up huge phone bills! Often dialing international numbers in the Caribbean.

Spyware: Downloaders. An application designed to download and possibly install another application. Sometimes they receive instructions from a web site or another trigger. Also a typical form of Trojan.

Spyware: Rootkits. A type of Trojan that gives an attacker access to the lowest level of the computer, the root level, while hiding its presence from the operating system’s own tools. Removing rootkits can be very difficult to impossible; Microsoft’s recommendation for removing rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option. Rootkits have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.

Spyware: Scrapers. Extract data from output sent to the screen or printer rather than from files or databases that may be secured. Both legitimate and illegitimate applications exist. Temp files are often a great source of information!

Spyware: Tracking cookies. A small amount of data sent back to the requesting web site by your browser on later visits. They may be temporary (session) or persistent, first or third party. Cookies are not bad and make browsing life better! Third-party cookies are used to track surfing habits across sites, and you may want to disable them. Example entry in the browser’s cookie file (Netscape cookies.txt format: domain, subdomain flag, path, secure flag, expiry as Unix time, name, value): weather.com TRUE / FALSE 1218399413 LocID 13669
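Added example, not part of the original presentation: a small Python parser for the Netscape cookies.txt format the entry above comes from, which reports which cookies are persistent and which are third-party relative to the site you actually visited. The sample file is constructed here; the weather.com line is the one from the slide, while the doubleclick.test and SESSID entries are made up for illustration, and expiry 0 is taken to mark a session cookie, as cookies.txt exports conventionally do.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed cookies.txt. Fields are tab-separated: domain, subdomain flag,
# path, secure flag, expiry (Unix time, 0 = session cookie), name, value.
# Only the weather.com line comes from the slide; the other two are made up.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "weather.com\tTRUE\t/\tFALSE\t1218399413\tLocID\t13669",
    ".doubleclick.test\tTRUE\t/\tFALSE\t1893456000\tid\tabc123",
    "www.weather.com\tFALSE\t/\tFALSE\t0\tSESSID\tq9z",
])


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int          # Unix time; 0 marks a session cookie
    name: str
    value: str


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse Netscape cookies.txt text; comment and blank lines are skipped."""
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), flag == "TRUE", path,
                              secure == "TRUE", int(expires), name, value))
    return cookies


def is_third_party(cookie: Cookie, site: str) -> bool:
    """Third party = set for a domain other than the visited site or one of
    its parent domains (weather.com is first party for www.weather.com)."""
    site = site.lower()
    return not (site == cookie.domain or site.endswith("." + cookie.domain))


def is_persistent(cookie: Cookie, now: int) -> bool:
    """Persistent = stored on disk with an expiry still in the future.
    Expiry 0 is a session cookie that disappears when the browser closes."""
    return cookie.expires > now


def audit(text: str, site: str, now: int) -> Dict[str, Dict[str, object]]:
    """Classify every cookie in a cookies.txt dump relative to one visited site."""
    report = {}
    for c in parse_cookies_txt(text):
        report[c.name] = {
            "domain": c.domain,
            "third_party": is_third_party(c, site),
            "persistent": is_persistent(c, now),
        }
    return report


if __name__ == "__main__":
    # 1200000000 is a constructed "now" (January 2008), before the LocID expiry.
    for name, info in audit(SAMPLE_COOKIES_TXT, "www.weather.com", 1200000000).items():
        print(name, info)
```

The cookies flagged both third-party and persistent are the tracking cookies the slide warns about; first-party persistent cookies such as LocID are the convenient kind (here, a remembered location).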

Keylogger: a software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use. Bad keyloggers store the information for later retrieval or send the captured keystrokes to an email address or web page for later analysis.

Social engineering: tricking a user into giving up sensitive information, or access to it, in order to bypass protection.

Social engineering: pretexting. Creating a scenario to persuade a target to release information, done over the phone. Often uses information already available, like social security numbers or family names, to gain access to further information.

Social engineering: phishing. Creating a scenario to persuade a target to release information, done via email. Often uses information already available, like social security numbers or family names, to gain access to further information.

Social engineering: more. Road apple: leaving an infected floppy, CD or USB memory key in a location where someone is bound to find it and check it out of simple curiosity. Quid pro quo: calling corporate employees as “tech support” until someone actually has a problem and “allows them to help.”

True or false? (four example slides)

Spam: junk email. An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages. You do not have to open an attachment to activate a threat. Webmail eliminates few threats.

Spam: threats that activate by merely opening the email are not disabled by using the email preview pane!

Now your services have hitchhikers! And they bring friends! Email, World Wide Web, instant messaging, gaming, peer-to-peer sharing.

Ultimate protection!

Don’t use the Internet? Are you really that isolationist? And what about other user profiles on your computer, other computers connected to the Internet, and other devices: Xbox, PlayStation, Wii, Media Center Extenders, DVRs?

Other connections: wireless local networks; Bluetooth personal networks; removable storage (floppy, CDs, DVDs, USB memory key, flash memory); other connected devices (printers, digital cameras, video cameras).

1st computer bug: the first bug causing a computer error was found by Grace Hopper's team in 1947, a moth in Harvard University's Mark II computer.

And the stakes get higher… Imagine the home of the future: a broadband Internet connection shared by computers, television / DVR, phone, security / heating / cooling, kitchen appliances, cell phone. Imagine hacker exploits: defrost your freezer, turn off the heat, trip / disable security, record “Boy Meets World” instead of “Desperate Housewives” and “24”!

Protection. What’s a guy or gal to do?

Protection: firewall. Software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication. Emerged in 1988.

Protection: firewall levels of protection. Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking the internal devices. Packet filters: very basic inspection of each inbound packet on its own, checking for the correct ports for basic services. Stateful filters: track connections across packets, so the rules can change what is allowed (for example, admitting an inbound reply only to a connection that was opened from inside). Application layer: deep packet inspection determines whether the traffic is appropriate for a specific port.
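To make the packet-filter vs. stateful distinction concrete, here is an added Python simulation; it is not from the presentation. The addresses, ports and the “port 80 is published” policy are constructed, and the forged-ACK trick it demonstrates is the well-known weakness of stateless “established” rules, which accept any inbound packet with the ACK bit set because they have no other way to let replies back in.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed policy: the site publishes one service (a web server on port 80).
PUBLISHED_PORTS = {80}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> LAN, "out" = LAN -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags exactly as they appear in the header
    ack: bool = False


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: every packet is judged on its own header.
    Inbound is allowed to published ports, or whenever the ACK bit is set
    (the classic 'established' rule; without it, no reply to a connection
    opened from inside could ever get back in)."""
    if pkt.direction == "out":
        return True
    return pkt.dport in PUBLISHED_PORTS or pkt.ack


class StatefulFilter:
    """Stateful inspection: remember connections the LAN opened, and admit
    inbound traffic only to published ports or to a remembered connection."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn:  # a new outbound connection: record its 4-tuple
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in PUBLISHED_PORTS:
            return True
        # A genuine reply carries the recorded 4-tuple reversed. The ACK flag
        # by itself proves nothing, because the attacker chooses the flags.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Return {packet name: (stateless decision, stateful decision)} for a
    constructed sequence: a LAN host browses a web site, then an attacker
    tries a forged 'established' packet and an unsolicited SYN."""
    lan, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    stateful = StatefulFilter()
    packets = [
        ("outbound_syn", Packet("out", lan, 50000, web, 80, syn=True)),
        ("reply", Packet("in", web, 80, lan, 50000, syn=True, ack=True)),
        ("forged_ack", Packet("in", attacker, 31337, lan, 50000, ack=True)),
        ("probe", Packet("in", attacker, 31337, lan, 445, syn=True)),
    ]
    return {name: (stateless_filter(p), stateful.allow(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:13s} stateless={'allow' if stateless else 'deny':5s} "
              f"stateful={'allow' if stateful else 'deny'}")
```

The stateless filter lets the forged ACK through to the browser’s ephemeral port, since it cannot tell a reply from a packet that merely claims to be one; the stateful filter denies it because no connection to 198.51.100.7 was ever opened from inside. That is the property behind the recommendation to buy a router with stateful packet inspection.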

Protection: hardware firewall. Recommend a router with stateful packet inspection. Jim’s picks: Linksys, SonicWALL.

Protection: software firewall. A good program will know how to configure the major applications correctly, but it is easy to answer a firewall prompt incorrectly. Software firewalls often disrupt internal networks. Jim’s “sorta” pick: ZoneAlarm.

Protection: virus. The most mature category of protection; detection rates for known viruses should be near perfect! How do anti-virus programs work? File fingerprinting, active scanning, heuristics, watching for unusual hard drive activity. Protection can be run at the Internet service provider, the router, the server (if applicable) and the workstation (recommended).
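Added example (not from the presentation) tying this slide to the polymorphic and metamorphic virus slides above: a toy Python illustration of why file fingerprinting (hash matching) and fixed-signature scanning miss a polymorphic copy, and how a generic-decryption heuristic still catches it. The “payload” bytes, the signature string and the one-byte XOR “decoder stub” are all constructed stand-ins, not real malware and not any vendor’s detection logic.

```python
import hashlib
import os
from typing import Dict, Optional

# Constructed stand-in for a virus body; not real malware.
PAYLOAD = b"\x90\x90\xeb\x1f" + b"MALICIOUS-ROUTINE" + b"\xcd\x80"
SIGNATURE = b"MALICIOUS-ROUTINE"          # the byte pattern a scanner keys on
KNOWN_BAD_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}


def make_variant(body: bytes, key: Optional[int] = None) -> bytes:
    """Toy polymorphic engine: XOR-encode the body with a fresh one-byte key
    and prepend a one-byte "decoder stub" carrying the key. Every copy has
    different bytes even though the decoded behaviour is identical."""
    if key is None:
        key = os.urandom(1)[0] or 1   # key 0 would leave the body unchanged
    return bytes([key]) + bytes(b ^ key for b in body)


def fingerprint_scan(sample: bytes) -> bool:
    """File fingerprinting: exact hash match against a list of known bad files."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def signature_scan(sample: bytes) -> bool:
    """Pattern scan: look for a fixed byte string anywhere in the file."""
    return SIGNATURE in sample


def heuristic_scan(sample: bytes) -> bool:
    """Generic-decryption heuristic: assume the first byte may be an XOR
    decoder key, "emulate" that decoder, and signature-scan the result."""
    if signature_scan(sample):
        return True
    if len(sample) < 2:
        return False
    key = sample[0]
    decoded = bytes(b ^ key for b in sample[1:])
    return SIGNATURE in decoded


def compare_scanners(sample: bytes) -> Dict[str, bool]:
    """Run all three detection methods over one file image."""
    return {
        "fingerprint": fingerprint_scan(sample),
        "signature": signature_scan(sample),
        "heuristic": heuristic_scan(sample),
    }


if __name__ == "__main__":
    for label, sample in [("original", PAYLOAD),
                          ("variant A", make_variant(PAYLOAD, 0x5A)),
                          ("variant B", make_variant(PAYLOAD, 0xA7))]:
        print(label, compare_scanners(sample))
```

The original is caught by all three methods; both variants defeat the hash list and the byte signature and are caught only by the heuristic that undoes the decoder first. A metamorphic virus rewrites the decoded code itself, which is why it is harder again and why scanners also watch behaviour (unusual disk activity) rather than bytes alone.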

Protection: virus. Must be updated! Jim’s picks: Norton Antivirus (home); Symantec Antivirus Corporate Edition or Small Business Edition (offices); AVG for older systems.

Protection: spyware. A fairly new category of application. Running two anti-spyware applications is often recommended, but only one should be doing “active scanning.” Detection rates are not nearly as accurate as virus detection. Anti-virus applications are now capable of replacing active-scanning spyware applications. Spyware and virus scanners can fight, causing system freeze-ups and instability.

Protection: spyware. Jim’s picks: Webroot SpySweeper, Spyware Doctor, Spybot*, Ad-Aware* (* not an active scanner).

Protection: spam. Spam filtering works by recognizing email addresses and domains commonly used to send spam, and by recognizing keywords in the email, and it moves matching mail automatically to a “junk” folder. Can be done at the email server or at the workstation. Success rates are very individual!

Protection: spam. Avoid spam: once your email address is a spam target, there is no eliminating it. Avoid posting the address on web pages. Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when using unknown or very public sites (e.g. eBay, MySpace…). You have to look through your junk email occasionally to find mislabeled email! The more “public” your email address, the less you can filter without false positives.
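Added example (not from the presentation): a minimal sender-domain-plus-keyword spam scorer in Python of the kind the two slides above describe, run over four constructed messages, one of which is a legitimate note that trips the filter, to show why the junk folder needs checking. The domains, keyword weights and threshold are made up, and the From: check is deliberately only a hint because that header is written by the sender.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy: sender domains seen sending spam, and weighted keywords.
BLOCKED_DOMAINS = {"cheap-meds.test", "lotto-winners.test"}
KEYWORD_WEIGHTS = {"viagra": 3.0, "lottery": 2.0, "winner": 1.5, "free": 1.0, "unsubscribe": 0.5}
JUNK_THRESHOLD = 3.0


def sender_domain(from_header: str) -> str:
    """Domain part of the From: header. This header is set by whoever sends
    the mail and is trivially spoofed, so a domain match is only a hint."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def score_message(from_header: str, subject: str, body: str) -> Tuple[float, List[str]]:
    """Score one message; higher means more spam-like. Returns the score and
    the reasons, so a user can see why something landed in junk."""
    if sender_domain(from_header) in BLOCKED_DOMAINS:
        return JUNK_THRESHOLD, ["sender domain on block list"]
    text = f"{subject} {body}".lower()
    score, reasons = 0.0, []
    for word, weight in KEYWORD_WEIGHTS.items():
        hits = len(re.findall(r"\b" + re.escape(word) + r"\b", text))
        if hits:
            score += weight * hits
            reasons.append(f"{word} x{hits}")
    return score, reasons


def classify(from_header: str, subject: str, body: str) -> str:
    """'junk' moves the message to the junk folder; 'inbox' leaves it alone."""
    score, _ = score_message(from_header, subject, body)
    return "junk" if score >= JUNK_THRESHOLD else "inbox"


# Constructed messages: name -> (From, Subject, Body)
SAMPLES = {
    "blocked_domain": ("Sales <deals@cheap-meds.test>", "Cheap pills", "Order now"),
    "keyword_spam": ("promo@someisp.test", "You are a WINNER",
                     "Free lottery prize, claim free money"),
    "normal_mail": ("Bob <bob@office.test>", "Meeting moved", "Moved to 3pm, room 4."),
    # Legitimate, but uses three scored words: a false positive.
    "false_positive": ("Alice <alice@office.test>", "Lunch?",
                       "Are you free at noon? The winner of the office lottery buys."),
}


def classify_all() -> Dict[str, str]:
    """Classify every sample message."""
    return {name: classify(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:15s} -> {classify(*msg):5s} {score_message(*msg)}")
```

Alice’s lunch invitation scores 4.5 and goes to junk on keywords alone, which is the false positive the slide tells you to go looking for; raising the threshold would let more real spam through, and that trade-off is why filter success rates are so individual.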

Protection: spam. Jim’s thoughts: Outlook 2007 is not bad. Andrew likes the new Thunderbird. Several clients like Inboxer. Several clients like Norton AntiSpam. Several clients like their ISP’s filtering, but the user must check the junk folder on the ISP’s web site. Dial-up: use the ISP’s filtering.

Protection: operating system updates. Most updates are security patches, not functionality enhancements! I do not recommend installing driver updates through Windows Update. Get operating system patches only through Windows Update itself, never from emailed links or pop-ups claiming to be updates.

Protection: application updates. Browsers, email applications, instant messaging applications, etc. all need security patches!

Protection: application updates. Application and source of updates:
• AOL IM: www.aim.com
• Internet Explorer: Windows Update
• Microsoft Messenger: Windows Update
• Mozilla Firefox: www.mozilla.com (Help menu)
• Opera: www.opera.com (?)
• Outlook Express: Windows Update
• Thunderbird email: www.mozilla.com (Help menu)
• Windows Mail (Vista): Windows Update
• Yahoo IM: www.yahoo.com

Vulnerability: Internet. Protection: firewall, Windows updates, application updates.

Vulnerability: World Wide Web. Protection: virus protection, spyware protection.

Vulnerability: email. Protection: virus protection, spam protection.

Vulnerability: instant messaging. Protection: virus protection, turn off file sharing, close the buddy list to known contacts.

Vulnerability: gaming. Protection: virus protection, turn off file sharing, close the buddy list to known contacts.

Vulnerability: audio and video streaming. Protection: virus protection.

Vulnerability: peer to peer (P2P). (No protection listed on the slide.)

Layers: onions, ogres & protection (broadband / dial-up):
• Hardware firewall: necessary / n/a
• Software firewall: maybe
• Virus protection: necessary
• Spyware protection: necessary
• Spam filtering: recommended
• Operating system patches: necessary
• Browser/email/IM/… patches: necessary

Protection purchasing. Best-of-breed applications: best possible protection, probably less bloat. Security suite: probably play together better, better pricing, common interface.

Protection purchasing: suites. Jim’s picks: Norton Internet Security, Norton 360. PC Magazine Editor’s Choice: Norton 360, ZoneAlarm Internet Security Suite 7. PC World: Norton Internet Security, McAfee Internet Security Suite.

Selecting protection. Do: read reviews from professional, neutral sources; make sure you can understand your subscription’s status; realize you generally get what you pay for; realize that bundled apps are often 30 or 90 day trials and often not installed. Don’t: use advertising or blogs as your main source of information; use reviews from non-technical sources; run two software firewalls, two anti-virus or two active anti-spyware apps.

Protection: educate your users. Do not open attachments from anyone you don’t know. Suspicious attachments from any known email address may be threats that spoof the sender. Security measures are for their benefit; don’t subvert them. Don’t run ActiveX or Java from untrusted or unknown web sites. Never click on suspicious ads or pop-ups; always close them with the Windows Close X when you can. Any connection can bring in threats: home computers logging in for remote work, office laptops connected to public Wi-Fi hotspots, removable storage.

Protection: educate your users. It is much easier to protect yourself than to get clean after an infection. Internet Explorer is the only web browser that uses Microsoft’s ActiveX controls, and ActiveX is a security nightmare. Avoid the problem: use a different browser. Jim’s pick: Mozilla Firefox.

Protection: educate your users. Fake Windows Updates.

Getting cleaned up

Procedure at C3. Interview the client. Possibly start the system as-is to see the symptoms. Remove the hard drive and connect it to C3 testing systems: this prevents threats from going active and improves the accuracy of scans for stealth, polymorphic and rootkit infections. Virus scan (Symantec Antivirus Corporate Edition). Spyware scan (Webroot SpySweeper). Hard drive test (Scandisk or Norton Disk Doctor).

Procedure at C3. Clean temp files: Windows\Temporary Internet Files, the user profile’s Temporary Internet Files, possibly other locations. Research the infections. Return the hard drive to the client’s system.

Procedure at C3. Probable: safe mode startup and disable Windows System Restore. Manual cleaning as needed while “disconnected.” All Windows Updates. Probable: installation of an appropriate security package, all of its updates, and a full system scan.

Procedure at C3. Total time: 2 to 8 hours. Total technician time: 1 to 4 hours.

What can you do? Know that Windows cannot diagnose most problems. Know that repairing Windows requires a clean computer. Know when to say “Uncle!” based on your skill level. Know when to say “Uncle!” if a computer cannot be recovered and must be wiped. Backup, backup.

Backup, Backup, Backup, Backup, Backup, Backup, Backup!

Non-operating Windows. Boot from the appropriate Windows CD and attempt a repair installation. The CD must match the system: version, Home vs. Professional, Upgrade vs. Retail vs. OEM. Danger: infections may corrupt the system further, and you may get “running” only until the threat kicks in again and repeats its damage. Pros: desperation – you’re doing something.

Non-starting Windows. Safe mode: press F8 (or hold Ctrl) before the Windows splash screen. Most threats are inactive in safe mode. Warning: more threats successfully hide themselves in safe mode. Scan: virus scanner, spyware scanner. Manual updates? You may be able to download scanner updates manually on another computer and install them. Document, research, follow the necessary instructions. Limit startups.

Safe mode: F8 during startup. Most drivers and the network are not running. Often, you must log on as Administrator.

Manual virus definition update: highly dependent on the application manufacturer. An expired subscription may not allow use of manual updates.

Limit startups: Start, Run, msconfig; Services and Startup tabs. Turn off anything that you don’t recognize, especially “random” names. Google the names. Restart.

Operating Windows. Backup. Document! Virus scan: update the installed app, or use an online scanner, or install a new app. Spyware scan (or two): update the installed app, or use an online scanner, or install a new app. Research the infections. Manual attack and tools: follow the instructions! Take your time! All Windows Updates. Install appropriate security, with all its updates. Scan your backup.

Update virus scanner: particular to the application. Many threats will attempt to subvert the connection. The subscription must be active.

Online scanners (virus & spyware): Symantec www.symantec.com/home_homeoffice/security_response/index.jsp; Webroot SpySweeper www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A; Trend Micro housecall.trendmicro.com/

I want a real antivirus – now! Many vendors have demo downloads. For example, Symantec offers a 15-day Norton Antivirus trial that can be activated later by purchasing a license or package. Delete – don’t quarantine. When macro viruses were the rage, quarantining was a method to recover infected documents.

My antivirus isn’t playing! Try updating. Attempt a repair installation. If you bought your security online, via download, copy it to CD for semi-permanent archival! Realize all security applications “get old.” Uninstall and reinstall. Need RAM?

Research infections: Symantec Threat Explorer www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp; Google www.google.com; Scumware http://scumware.com/

Disable System Restore: right-click My Computer, Properties, System Restore tab, check “Turn off System Restore”, OK.

Registry Editor: Start, Run, regedit, OK. Procedure: backup!, navigate, nuke the bad guys.

Removal tools: CWShredder www.cwshredder.net; Major Geeks www.majorgeeks.com/downloads16.html

System cleaning. Eliminate temporary files: Start, All Programs, Accessories, System Tools, Disk Cleanup.

System cleaning. Defragment your hard drive: Start, All Programs, Accessories, System Tools, Disk Defragmenter.

System cleanup. Internet Explorer, automatically clearing the cache: Tools, Internet Options…, Advanced tab, Security section, check “Empty Temporary Internet Files folder when browser is closed.”

Know when… your last backup was made; where your system and application CDs are; you’re over your head; you’re wasting your time; your Windows is toast.

Worthwhile freebies. Virus scanners: AVG – www.grisoft.com; Avast – www.avast.com. Spyware scanners: Spybot Search and Destroy – www.safernetworking.org/en/index.html. Discovery tools: HijackThis – www.merijn.org

Web privacy

Web privacy. Google is not the problem; Google is just one way to find this kind of data. Blocking this data on Google will not block other search engines. All of it is in the phone book, and from there I can go to any mapping application.

Email Hijack. From: xxxxxxxxx@xxxxxxx.xxx Sent: Monday, June 11, 2007 10:45 AM To: James D. Crowley Subject: SPAM. Good Morning Jim: I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CCd who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending to herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’s account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM, and can someone access confidential information that is being sent via email and send it to people in our contact list? Xxxxxx, Administrative Assistant, Xxxxx Coordinator, Xxxxxxxx xxxx, Inc.

Email Hijack. Not hijacked – spoofed! Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was: your computer or server, your email server, the recipient’s email host, the recipient’s computer or server.

Email spoofing application. It peruses my email and randomly grabs XYZ’s message, makes a copy, probably alters the message somewhat, attaches the virus or whatever its “payload” is, reuses all the original email addresses in the To, CC and BCC, maybe adds some more addresses, maybe randomly generates more email addresses, and starts sending itself out. XYZ may get a copy of her own message back…

Urban myths

Resources: independent antivirus testing. www.av-test.org, www.icsalab.com, www.virusbtn.com

Resources: reviews. www.pcmag.com, http://www.pcmag.com/category2/0,1874,4829,00.asp; www.pcworld.com, http://www.pcworld.com/tc/spyware/

Resources: other sources. www.pcmag.com/encyclopedia/, www.snopes.com, http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm, www.webroot.com, www.wikipedia.org