Computer Security

Half of small and midsize enterprises will suffer an Internet attack by 2003, says Gartner Group. Elsewhere, IDG News reports the same warning: small and midsize enterprises need to watch their backs, as they are likely targets for Internet attacks, and many will fall victim between now and 2003.

Indeed, the Oct. 16, 2000 issue of sunbelt-software.com's W2Knews reports that more than half of those that manage their own network security and use the Internet for more than e-mail will be hit, and that more than 60% of the companies targeted won't even know what hit them. Gartner recommends four steps for protection: a security checkup, firewall configuration, boundary services and consolidated remote access with strong authentication. Here is the full article: http://www.networkworld.com/news/2000/1011attack50.html

There are many issues related to computer security that potentially affect computer users. In this section, we'll discuss solutions to some of the major risks and concerns.


08/16/01 - With all the recent hype about Code Red and Microsoft-targeted exploits, it's easy to forget that the same thing could happen to Linux or other platforms. Security Focus explains. This year alone, we've had the sadmind worm, which attacked Solaris systems and used them to deface Web sites running on IIS on Windows systems; the li0n worm, which exploited a BIND vulnerability on Linux systems and installed a rootkit on those boxes; and the Ramen worm, which followed the great Morris tradition and attempted to exploit three different holes on some Linux systems: a wu-ftpd buffer overflow, and format string exploits in rpc.statd and LPRng.
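To make the format string item concrete, here is an added example (not code from this page or from the rpc.statd or LPRng projects) showing the bug's shape in C: an untrusted string passed as the format argument of a printf-family function, next to the fixed form. The real daemons did this with syslog(); snprintf() stands in here so the example runs stand-alone, and the attacker input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128

/* Count the '%' conversion directives in a string.  If such a string ever
 * reaches a printf-family function as the FORMAT argument, every directive
 * is interpreted: "%x" reads words off the stack, "%n" writes to memory,
 * which is what the rpc.statd and LPRng bugs handed to the Ramen worm.
 * "%%" is a literal percent sign and is not counted. */
int format_directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* VULNERABLE shape (kept for contrast; do not copy): the untrusted text is
 * used as the format string.  With benign input it "works", which is why
 * this bug survives code review. */
void log_line_vulnerable(char *out, size_t outsz, const char *untrusted)
{
    snprintf(out, outsz, untrusted);    /* BUG: attacker controls the format */
}

/* SAFE shape: constant format, untrusted text passed as a %s argument.
 * Returns the length of the formatted line. */
size_t log_line_safe(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "statd: %s", untrusted);
    return n < 0 ? 0 : (size_t)n;
}

/* Wrapper returning a static buffer so the result can be inspected. */
const char *safe_log_demo(const char *untrusted)
{
    static char buf[LOG_LINE_MAX];
    log_line_safe(buf, sizeof buf, untrusted);
    return buf;
}

/* The vulnerable path, called only with input that contains no '%' at all:
 * the output is then identical to the input and the bug is invisible.
 * Input with a '%' is refused rather than run, because interpreting
 * attacker-chosen directives is undefined behaviour. */
const char *vulnerable_log_demo_benign(const char *untrusted)
{
    static char buf[LOG_LINE_MAX];
    if (strchr(untrusted, '%') != NULL)
        return "(refused: input contains format directives)";
    log_line_vulnerable(buf, sizeof buf, untrusted);
    return buf;
}

int main(void)
{
    const char *attack = "%x%x%x%n";   /* constructed attacker input */
    printf("directives in attacker input: %d\n", format_directive_count(attack));
    printf("safe log line: %s\n", safe_log_demo(attack));
    printf("vulnerable path, benign input: %s\n",
           vulnerable_log_demo_benign("client 10.0.0.7 up"));
    return 0;
}
```

Compile with warnings on (gcc -Wall -Wformat-security) and the vulnerable call is flagged at build time; that warning is the cheapest audit for this bug class.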

08/07/01 - For a skeptical view of many of the issues hyped in the media these days, take a stroll through the content at grcsucks.com, which aims to let the air out of some of the inflated claims made by self-styled security expert Steve Gibson. In our view, Gibson's biggest mistake has been his extended rant on why Microsoft should not support raw sockets in Windows XP: his argument is that they let malware forge packet source addresses for flood attacks, but Unix systems have offered raw sockets to root for years, and an attacker who already runs code on a machine can send whatever packets he likes with or without them. Of course, if Robert Cringely's latest conspiracy theory (detailed in a column at PBS, entitled "The Death of TCP/IP") is correct, Gibson may be fighting the right battle, but for the wrong reason.

07/30/01 - Microsoft has released a Post-Windows NT 4.0 Service Pack 6a Security Rollup Package incorporating all security fixes released since SP6a. Among them is the fix for the IIS Index Server ISAPI buffer overflow (MS01-033) that the Code Red worm exploits.

05/22/01 - Microsoft Security Bulletin MS01-028: an RTF document linked to a template can run macros without warning. Word normally prompts before running macros in a document it opens; in this case the macros live in the linked template and the prompt is skipped, so opening an attacker's RTF file is enough.

Affected versions:

  • Microsoft Word 97
  • Microsoft Word 2000
  • Microsoft Word 98 (J)
  • Microsoft Word 98 for the Mac
  • Microsoft Word 2001 for the Mac

Patches are (or will soon be) available at www.microsoft.com

Note: Microsoft Word 2002 is not affected by this vulnerability.

05/01/01 - Microsoft plugs Windows 2000 Web security hole - Calling a recently discovered flaw in the IIS 5.0 web server a "serious vulnerability," Microsoft says it is going to some extraordinary steps to plug a vulnerability that affects Windows 2000. The flaw is an unchecked buffer in the Internet Printing ISAPI extension (the handler for .printer URLs) that Windows 2000 installs with IIS 5.0; by sending it an overlong request, an attacker can run code with SYSTEM privileges, the highest on the machine. Web servers using Microsoft's IIS 4.0 software are not affected by the flaw, and servers on which the .printer application mapping has been removed (printing turned off) are also safe. Security experts believe this exploit will rapidly become the entry point of choice for hackers, as it affects an estimated 1 million servers running Windows 2000. Microsoft security bulletin MS01-023 has details and a patch.
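As an added example (not part of the original page and not Microsoft's code), the following C routine flags the request shape of the .printer exploit, for use in a log replay or a simple request filter in front of IIS. It assumes the attack signature described in Microsoft's bulletin, a request for a .printer URL carrying an overlong Host header; the 256-byte threshold and the sample requests are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Legitimate Host headers are a hostname plus an optional port; anything
 * this long is not a real host.  The threshold is an assumption for the
 * example, not a figure from Microsoft's bulletin. */
#define HOST_SUSPICIOUS_LEN 256

static int ends_with_nocase(const char *s, size_t slen, const char *suffix)
{
    size_t n = strlen(suffix);
    if (slen < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[slen - n + i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Return 1 if the raw HTTP request targets a .printer resource and carries
 * an overlong Host header (the shape of the MS01-023 exploit), else 0.
 * Only the request line and the Host header are examined. */
int is_printer_overflow_attempt(const char *req)
{
    const char *sp1 = strchr(req, ' ');
    if (!sp1)
        return 0;
    const char *target = sp1 + 1;
    const char *sp2 = strchr(target, ' ');
    const char *eol = strstr(target, "\r\n");
    if (!sp2 || !eol || sp2 > eol)
        return 0;

    size_t tlen = (size_t)(sp2 - target);
    const char *q = memchr(target, '?', tlen);  /* ignore any query string */
    if (q)
        tlen = (size_t)(q - target);
    if (!ends_with_nocase(target, tlen, ".printer"))
        return 0;

    /* walk the header lines until the blank line that ends them */
    for (const char *line = eol + 2; *line && strncmp(line, "\r\n", 2) != 0; ) {
        const char *next = strstr(line, "\r\n");
        size_t llen = next ? (size_t)(next - line) : strlen(line);
        if (llen > 5 && strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5;
            size_t vlen = llen - 5;
            while (vlen && (*v == ' ' || *v == '\t')) {
                v++;
                vlen--;
            }
            return vlen > HOST_SUSPICIOUS_LEN;
        }
        if (!next)
            break;
        line = next + 2;
    }
    return 0;
}

/* Build a constructed sample request for the given path with a Host header
 * of hostlen 'A' characters (capped to fit the static buffer). */
const char *sample_request(const char *path, size_t hostlen)
{
    static char buf[2048];
    char host[1024];
    if (hostlen > sizeof host - 1)
        hostlen = sizeof host - 1;
    memset(host, 'A', hostlen);
    host[hostlen] = '\0';
    snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return buf;
}

int main(void)
{
    printf("benign page, short host:    %d\n",
           is_printer_overflow_attempt(sample_request("/default.htm", 20)));
    printf("printer URL, short host:    %d\n",
           is_printer_overflow_attempt(sample_request("/NULL.printer", 20)));
    printf("printer URL, 420-byte host: %d\n",
           is_printer_overflow_attempt(sample_request("/NULL.printer", 420)));
    return 0;
}
```

Detection is a stopgap: the fix that actually closes the hole is the patch, or removing the .printer mapping from the IIS application mappings on servers that don't need Internet printing.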

03/22/01 - Consumers warned of hijacked code - Someone posing as a Microsoft employee tricked certificate authority VeriSign into issuing two code-signing certificates in Microsoft's name. Security experts fear they could be used to sign a virus or other unauthorized software so that it appears to come from Microsoft, and unsuspecting users would install it. A code-signing certificate vouches for the identity of whoever signed the code, which is exactly what makes these two dangerous: the signature will check out. The certificates can be recognized by their dates: if the "Valid from" field shows Jan. 29, 2001 or Jan. 30, 2001, the certificate is fraudulent and the software should not be installed. Microsoft security bulletin MS01-017, issued on Mar. 22, states that the vulnerability could affect "all customers using Microsoft products" and describes an update for the problem.

03/10/01 - Hawking Cyberinsurance is a report at CNET that discusses the recent increases in "serious" hack attacks and discusses how some companies are hoping to capitalize on the problem.  A couple of statistics quoted in the article paint a disturbing picture: One survey, released in March 2000, found that 90 percent of respondents, mostly large corporations and government agencies, had detected "computer security breaches" of all sorts -- not just hacker attacks -- during the previous 12 months. Of these, a full 70 percent reported financial fraud, system penetration, theft of proprietary information and denial-of-service attacks. 74 percent of organizations surveyed admitted financial losses.

03/03/01 - News.com notes that a backdoor in the Palm OS allows virtually anyone with the widely available Palm developer tools to bypass the password protection and break into any Palm OS device from Palm, Handspring or Sony. In short, the password does no good at all if your Palm is stolen. The vulnerability affects all current versions of the Palm OS.

03/03/01 - neowin.net reports that a little-known registry key in the popular ICQ program from Mirabilis seems to be secretly instructing PCs to send various components of their system registry to the ICQ servers periodically. This, it is alleged, is being used by Mirabilis to see what software you have installed on your computer, serial numbers used, your name, your company and in some instances even your home address! Setting the registry value HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs\Auto Update to "NO" stops the uploads.

03/02/01 - Microsoft Security Bulletin MS01-013 details a serious flaw in all versions of Windows 2000 that could allow an attacker to run code of his choice. The Windows 2000 Event Viewer contains an unchecked buffer in the code that displays the details of an event record; an attacker who can get a specially crafted record written into an event log could run code with the privileges of the administrator who later views it. A security patch is available and is highly recommended.

10/06/00 - Microsoft has released a patch that eliminates a "Word Mail Merge" Vulnerability in Word 2000. Because of the issue, an Access database specified as a data source via DDE in a Word mail merge document can cause macro code to run without the user's approval when the user opens that document. The company says a patch for a similar issue in Word 97 will be available shortly. Microsoft Security Bulletin (MS00-071) has details.

09/18/00 - Microsoft has released a patch that eliminates a security vulnerability in the telnet client that ships with Microsoft Windows 2000. The client automatically attempts NTLM authentication against any telnet server it connects to, so a malicious server (or a web page whose link launches the telnet client) can collect the connecting user's NTLM challenge and response. Those are cryptographically protected logon credentials, but they can be attacked offline to recover the password. For details, see Microsoft Security Bulletin (MS00-067)
Is there an update to Microsoft's Outlook email client that can reduce its vulnerability to e-mail worms like "ILOVEYOU" and macro viruses like Melissa? Yes. The Outlook E-mail Security Update, which blocks executable attachment types and asks before letting another program send mail through Outlook, is available for immediate download. See our Virus Alert Bulletins for additional details.
Can websites obtain your email address without your knowledge? Not from cookies alone: a cookie holds only what the site itself stored in it. A site learns your address only if you (or a form or script on its pages) send it, after which a cookie can tie your later visits to that address, so be careful what you type into "free" sign-up forms.
How weak is the logon password security built into Windows 95 or 98? Just try pressing the ESC key when asked for a password to find out: the logon selects a user profile, it does not control access to the machine. There are partial solutions for this shortcoming, of course -- it is, for example, possible to define system policies for specific users or groups that restrict what they can do and allow customized features. Still, there are risks in everything from sharing your hard drive over a network to sending passwords or credit card info to a remote site. In this article, we'll take a look at these and some of the other issues related to improving the security on your Windows PC, as well as risks you might encounter while giving out credit card numbers or simply surfing the web. With that said, you might be surprised to know that, during 1999, Windows 3.x, 95 and 98 suffered from about half the number of vulnerabilities reported on Linux systems, according to stats collected by SecurityFocus.com. And, in the year 2000, Windows 98 has seen fewer than one third the number of OS vulnerabilities found in Windows NT.
Is Windows NT C2 compliant? (yes, but not out of the box!)

  • l0pht.com on May 7th reported a security issue in Windows NT's Internet Information Server (IIS) version 4.0 that "puts transaction logs, credit card numbers, and customer information potentially at risk. There is even e-commerce shopping cart software that stores administrative passwords in the clear in text files." Microsoft subsequently released a Security Bulletin discussing the issue. Another popular web application server, Allaire's ColdFusion, also suffered from a highly publicized security hole -- one, in fact, that left a www.army.mil (US Army!) website vulnerable. A CNet story describes the security holes. L0pht provides more information and a link to a patch.
  • Many users of cable modems have heard it said that their computers are visible to third parties. That's true: an always-on connection with File and Printer Sharing bound to it puts your shares on the Internet, not just on your home network. The first defense is not to share on the Internet side at all (in Network properties, unbind File and Printer Sharing from the adapter that faces the cable modem). If you must share a drive or folder, at least password-protect it: right-click the drive or folder, choose Sharing and assign a password. Anyone attempting to access it will then be prompted for the password before access is granted. Don't mistake this for strong protection, though: Windows 95/98 share-level passwords are short, and a flaw in how they were checked (patched by Microsoft in late 2000, bulletin MS00-072) let an attacker guess them one character at a time.
  • Windows 98 also provides some new features that improve upon the security options available for network users. One such feature is known as Virtual Private Networking (PPTP) and allows you to make an encrypted "tunnel" to your private data, even when using a non-secure connection to the Internet. (Its original password-based protection was shown to be weak by outside researchers, so use the strongest authentication your VPN server offers.) Recent versions of Windows also include a Personal Web Server that allows you to make web pages and files available either publicly or privately -- a much handier and more efficient way of making files available to your co-workers than emailing them all a copy, provided you don't leave it listening on the Internet side of your connection.
  • Speaking of email, it is no secret that sending sensitive data in the body of an email message is not a very wise plan: a message travels as plain text and can be read at any mail server or network along the way, passwords, VISA numbers and all. Fortunately, it is easy to protect yourself. Look up the word "security" in your email program's Help file for instructions on adding a contact's digital ID (an S/MIME certificate) to your address book; with it you can encrypt messages so that only that contact can read them, and sign your own so the recipient can verify they came from you. If your email program doesn't support this, consider changing to one that does, such as the freely available Outlook Express or Netscape Communicator.
  • Many users are rightfully concerned about so-called "cookies" that are surreptitiously collected while they browse the web. Most cookies are used for legitimate reasons, such as when Microsoft takes you to a "run once only" welcome page after upgrading to a new version of its Internet Explorer web browser. However, some sites can -- and do -- collect other information without your knowledge when you visit them. To turn off cookies, look in the Security preferences of your web browser. In Internet Explorer 5, for example, you can disable cookies entirely, or set the browser to prompt you when they are encountered. By the way, a cookie by itself cannot reveal your email address to the site that set it; a site has it only if it was submitted.
  • AnchorDesk Technical Director Jon DeKeles, in May 1999, discovered a security flaw in Internet Explorer 5.0 that has since been confirmed by Microsoft. According to a May 4th article at www.hardware-one.com, your Web surfing is easily exposed if you browse with IE 5 on a Windows 98 platform. Here's how it works: You legitimately go to a password-protected Web site, giving your login and password. You cruise the site. The pages you visit are stored in your cache. You log off and leave your computer thinking you're safe. But you're not. The next person who sits at your machine can easily return to those sites: when prompted for your password, the snoop merely presses "cancel," then "back," then "forward," and presto, the cached copies appear and he can go wherever you've been online. DeKeles says the site must be using HTTP basic authentication (Unix "htaccess" protection). He first noticed the problem over the weekend and consulted with other ZDNet technical experts on Monday to confirm the security breach. Mike Nichols, Microsoft's Product Manager for Windows, confirms the problem. Microsoft does not yet have a fix, and is investigating whether it affects IE 5 on Windows NT. A quick fix: clear your cache whenever you leave your machine. Site operators can help from their side by marking protected pages with a Cache-Control: no-store header so browsers don't keep copies.
  • Intel has taken some heat over the fact that its Pentium III family of processors (including certain recent Pentium II models) contain an identification number embedded into the microprocessor, ostensibly intended to enable higher data security over the Internet for e-commerce. But, even before the chip's release, some were skeptical. Dr. Tom Pabst, of tomshardware.com, a well-known computer hardware review website based in Germany, says he thinks Intel came up with this new idea for no other reason than marketing. Says Pabst, "Doesn't it sound nice that you can make your system a 'trusted, connected PC' by simply dropping a Pentium III CPU into it? Wouldn't AMD's, IDT's or TransMeta's CPUs without this beautiful identification gimmick look as if they are 'insecure CPUs'?" He maintains that effective data security takes a lot more than a half-baked solution like an identification number in future Intel CPUs. Still others urged a boycott of the new chips, citing privacy concerns because of the new chips' potential to track users' activities on the internet. (It is also widely expected that the ID system will be used in copy-protection schemes in future software products. Intel inside, indeed.) In response to such early criticism, Intel subsequently decided to ship its Pentium III processors with the controversial "on-chip ID" turned off by default, attempting to deflect concern over the potential invasion of privacy and critics' charges that the numbers could be used to track individual users. Unfortunately, it was shown in April that, even when turned off, the number can still be obtained from a PIII user's PC. A Montreal-based company called Zero-Knowledge in May, 1999, discovered a way to access the serial number embedded into Intel Pentium III processors even if it is disabled in the BIOS of the PC.
According to InfoWorld, Intel had previously mollified PC manufacturers worried about privacy issues by saying that disabling the number in the BIOS would eliminate potential security problems.   To demonstrate its claim that Intel has not done enough to protect users, Zero-Knowledge posted an example of how a P-III serial number can be snagged over the web. This, of course, has some decidedly Big Brother-like implications. Intel reacted by persuading Symantec Corp., maker of the popular Norton Antivirus software, to include the Zero-Knowledge demonstration program on its list of malicious programs. Consequently, users who visit the Zero-Knowledge website get a warning that they have encountered a virus.
  • And then, in March, a software programmer discovered that Microsoft's Windows 98 registration process was secretly building a database of Ethernet addresses that could allow the company to track where documents came from. Privacy advocates, predictably, raised the alarm after a report in the New York Times noted that the automatic transmission of Ethernet addresses in the Windows 98 registration process could be part of an effort by the company to detect software piracy. Microsoft then admitted that its Windows 98 software was indeed transmitting a unique hardware identification number during the registration process -- even when users specifically elected not to send data about their hardware -- and the company now says it plans a fix. John Lettice of The Register, a UK-based IT publication, says, "it would also seem that Microsoft has been doing a pretty thorough job of 'integrating' the number into a user's entire installation. Aside from being linked to the user's name, it also appears in files the user has created, so Microsoft's database could be used to track both users and the documents they produce across the Internet." For further reading, see Windows ID Numbers -- How They Work, at www.theregister.co.uk.
  • In March, a widely publicized virus known as W97M_Melissa became big news (and still remains a problem), primarily because of its advanced replication mechanism -- it is smarter than your usual computer virus. The code, which is technically known as a macro virus, takes advantage of Windows users' Outlook email address books and the macro capabilities of Microsoft Word 97 or Word 2000 to replicate itself. Surreptitiously, it sends the first 50 people in your address book a list of 80 porno websites, along with a message that says "Here is that document you asked for ... don't show anyone else ;-)." Because of its self-replicating code, some virus experts term this type of intrusion a "worm." The virus arrives in a Word document called "list.doc" contained in an email message entitled "Important message from..." followed by the sender's name. Ironically, the controversial "Global Unique Identifier" number that Windows 98 secretly encodes into files created with Microsoft's Office tools, as noted earlier, allowed researchers to trace the Melissa virus to its site of probable origin: the New Jersey Web site of David L. Smith, a notorious hacker and writer of virus tools. According to Michael Vatis, director of the National Infrastructure Protection Center, the FBI was not amused -- it arrested the 30-year-old Smith and is currently looking to prosecute the virus creator with a fine of $480,000 and up to 40 years in the big stone house.
  • The most serious PC virus threat at the moment is undoubtedly the Chernobyl (CIH) virus, whose payload fires on the 26th of the month. On April 26th, there were 240,000 PC victims in Korea alone. The payload overwrites the flash BIOS on some motherboards, leaving infected computers completely -- and more or less permanently -- inaccessible until the BIOS chip is reflashed or replaced, and it can also overwrite the beginning of the hard drive. The virus, and many others, can be easily detected and removed using tools such as Norton AntiVirus or HouseCall, a free online scanner from housecall.antivirus.com. If you aren't running a virus checker on your system... don't say we didn't warn you. And, by the way, the author of CIH was caught, too.
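The cable-modem bullet above recommends a share password as a first line of defense. The following added simulation in C (not Windows code, and not from the original page) shows why that was weak: a check that compares only the bytes the client sent, the shape of the Windows 9x share-level password flaw Microsoft patched in late 2000, can be guessed one character at a time, next to a fixed check that cannot. The stored password is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The stored share password (constructed for the example). */
static const char STORED[] = "Pa55w0rd";

/* FLAWED check, in the shape of the Windows 9x share-level password bug
 * (MS00-072): only as many bytes as the client sent are compared, so a
 * one-byte guess is accepted whenever that byte matches the first byte of
 * the password. */
int check_password_flawed(const char *guess, size_t guess_len)
{
    if (guess_len == 0 || guess_len > strlen(STORED))
        return 0;
    return memcmp(STORED, guess, guess_len) == 0;
}

/* FIXED check: the length must match and every byte is compared, with no
 * early exit that would leak the position of the first mismatch. */
int check_password_fixed(const char *guess, size_t guess_len)
{
    size_t n = strlen(STORED);
    unsigned char diff = (unsigned char)(guess_len != n);
    for (size_t i = 0; i < n && i < guess_len; i++)
        diff |= (unsigned char)(STORED[i] ^ guess[i]);
    return diff == 0;
}

/* Attack: extend an accepted prefix one printable byte at a time.  Returns
 * the number of bytes recovered into out and the total guesses in *guesses.
 * Against the flawed check the cost is at most 95 guesses per character;
 * against the fixed check no partial guess is ever accepted, so it stops
 * at position 0 (a full 8-character password would need 95^8 guesses). */
size_t recover_byte_at_a_time(int (*check)(const char *, size_t),
                              char *out, size_t outsz, long *guesses)
{
    size_t pos = 0;
    *guesses = 0;
    out[0] = '\0';
    while (pos + 1 < outsz) {
        int found = 0;
        for (int c = 0x20; c <= 0x7e; c++) {   /* printable ASCII */
            out[pos] = (char)c;
            out[pos + 1] = '\0';
            (*guesses)++;
            if (check(out, pos + 1)) {
                found = 1;
                break;
            }
        }
        if (!found) {
            out[pos] = '\0';
            break;
        }
        pos++;
    }
    return pos;
}

/* 1 if the flawed check leaks the whole password within 95 guesses/byte. */
int flawed_check_leaks_password(void)
{
    char buf[32];
    long guesses;
    recover_byte_at_a_time(check_password_flawed, buf, sizeof buf, &guesses);
    return strcmp(buf, STORED) == 0 && guesses <= 95L * (long)(strlen(STORED) + 1);
}

/* 1 if the fixed check gives the attack nothing. */
int fixed_check_resists(void)
{
    char buf[32];
    long guesses;
    return recover_byte_at_a_time(check_password_fixed, buf, sizeof buf, &guesses) == 0;
}

int main(void)
{
    char buf[32];
    long guesses;
    size_t n = recover_byte_at_a_time(check_password_flawed, buf, sizeof buf, &guesses);
    printf("flawed check: recovered %zu bytes (\"%s\") in %ld guesses\n", n, buf, guesses);
    n = recover_byte_at_a_time(check_password_fixed, buf, sizeof buf, &guesses);
    printf("fixed check:  recovered %zu bytes in %ld guesses\n", n, guesses);
    return 0;
}
```

The general lesson outlives Windows 98: any comparison whose result depends on a prefix of the secret, whether through the bytes it compares or the time it takes, turns an exponential search into a linear one.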

Computerworld recently reported a potentially malevolent MS Office virus that could infect your system without your opening an email attachment. An April 17 alert issued by Finjan Software Ltd., an Israel-based maker of mobile code security software (www.finjan.com), provides more details.

Of course, Windows isn't the only code affected by security issues. Sun and Netscape Java implementations are vulnerable to a Java 2 security flaw found by a German researcher, who showed in April '99 that it is possible to create a booby-trapped Web page so that, when a victim views it, an attacker could seize control of the victim's machine and do whatever he or she wants, including reading and deleting files and snooping on any data and activities on that machine. Reportedly, Microsoft's latest Java Virtual Machine is not susceptible to the glitch. This error, like most other glitches discovered in web browsers and applications, was subsequently addressed by a program update. It therefore remains a potential problem only for users who don't keep their systems reasonably up to date.

Red Hat Linux 6.2 has a serious security hole in the form of an undocumented password acting as a "backdoor." The release includes a new cluster-management utility called Piranha, whose web-based configuration interface ships with a default account: user "piranha", password "q". Anyone who can reach that interface can log in and, according to an article on CNET.com, "run whatever command an attacker wants." Change or remove the default account, or don't install Piranha if you don't need it. Red Hat, by the way, suffered from half the number of security vulnerabilities reported on Windows NT during the first half of 2000; given the NT-to-Windows 98 ratio noted above, that is about 50% more OS vulnerabilities than Windows 98.

A communications satellite spun out of control early on March 12th, 1999, in what some worried could be another attack by the hackers responsible for an incident that occurred about two weeks earlier. The GE-3 satellite, operated by a division of General Electric, tilted away from Earth for unknown reasons shortly after 4 a.m. Eastern Time, cutting service to a number of broadcasting and media companies, including the Associated Press. Although GE said the cause of the problem was not immediately known, some sources questioned whether this was another hacker attack, similar to an incident that allegedly occurred the week of Feb. 28th, in which hackers claimed to have taken control of one of the satellites in Britain's Skynet system, which delivers communications services to the nation's Royal Air Force and other military forces around the world. The Sunday Business newspaper, quoting security sources, said the British government was then the subject of an alleged blackmail threat following the attack. Predictably, the British government subsequently denied the James Bond-like incident ever took place.

Finally, there are always "con artist" scams to be wary of, too. For example, in April 1999, a series of scams began showing up in the e-mailboxes of some America Online users. The ploy was designed to steal AOL user passwords and credit card info: one bogus solicitation purported to "store" your password for "faster surfing," while another reportedly said the user's VISA password was invalid and asked for private account information to be forwarded to correct it. No legitimate provider asks for your password by e-mail. Surfers beware.

Other net scams abound. For example, you may receive "SPAM" (junk email) that says "To immediately be removed from future mailings please call 1-473-408-xxxx (This is a remove line only!)" That number is on the Caribbean island of Grenada, and you'll be liable for a hefty charge. Other ploys involve numbers in Russia, Moldavia and other areas that have "kickback exchanges."

So, Big Brother really is watching. Libertarians and anarchists alike, in Oct. 1999, made use of spamming techniques by sending hundreds of thousands of messages containing "red-flag" words such as "bomb" and "assassinate" in protest of what they say is an effort by the top-secret U.S. National Security Agency (NSA) to spy on all Internet traffic, watching for subversive activity. Such activities have long been rumored (according to information on ForumsAmerica.com, the project began in the 1980s and is controlled largely by the NSA in coordination with at least four other countries: Canada, the United Kingdom, Australia and New Zealand), but now, the free-speech activists say, the threat is real: the NSA system, code-named Project Echelon, is online, scanning international transmissions for subversive messages, terrorist threats and other possible terrorist activity. Naturally, the NSA refused to comment on either the incident or its impact, and an NSA spokeswoman said that the agency will not "confirm or deny any Echelon-type activity." However, Congressman R. Barr (GA), who has called for Congressional hearings about the project, asserts that the system allows the government to intercept virtually any internationally transmitted phone conversation, fax, e-mail or data transfer; the system reportedly monitors two million transmissions per hour, without any court order, oversight or probable cause to believe the transmission is connected to any criminal activity. Indeed, according to discussion in the ForumsAmerica News and Politics newsgroup, the project has come to light because of information leaked from the Government of Australia.

And then, in July 2000, news emerged of a system known as "Carnivore," in use by the FBI, that can read the email and other correspondence of suspected crooks. Basically, the FBI installs a computer in a tamper-proof case at the suspect's Internet Service Provider, and the machine sifts through all the email passing that point looking for evidence of criminal activity. Of course, the FBI says it only looks at the messages pertaining to the suspect. Uh huh. ZDNet and the NY Times have additional details, and U.S. Attorney General Janet Reno says she is looking into the possible need for additional regulations.

Latest Updates:

  • Mar. 2, 2001: A Windows 2000 Event Viewer bug (MS01-013, above) could allow an attacker to run code of his choice.
  • Oct. 14, 2000: If you run into a bug or suspected security vulnerability, try the Microsoft Security Response Center at http://www.microsoft.com/security/msrc/default.mspx to check and/or report on it.
  • Oct. 6, 2000: Microsoft Security Bulletin (MS00-071) - Patch Available for "Word Mail Merge" Vulnerability
  • Sept. 18, 2000: Microsoft Security Bulletin (MS00-067)
  • July 13, 2000: Security hole leaves Microsoft's Excel vulnerable (CNet). Famed Bulgarian bug hunter Georgi Guninski has demonstrated yet another bug in Microsoft programs that can potentially give hackers remote control of your machine. This time, the bug affects Excel. Microsoft says it is working on a fix.
  • June 8, 2000: New hacker program targets cable modems, DSL (CNet)
  • June 8: According to Sendmail, Inc., Linux kernel versions 2.2.15 and below have a setuid security flaw: under some conditions the setuid() call can fail and leave the process running as root. Sendmail, which did not check the call's return value, could therefore keep root privileges it meant to give up; Sendmail 8.10.2 adds the check, and the 2.2.16 kernel update fixes the kernel side.
  • June 8: The Ten Most Critical Internet Security Threats: The site at http://www.sans.org/top20/2000/ contains links to patches for some of the threats it enumerates.
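The Sendmail item in the list above is about a daemon that assumed a privilege drop had worked. As an added example (not Sendmail's or the kernel's code, and not from the original page), here is a C privilege-drop routine that checks every call and then verifies the resulting identity, which is the defense a daemon needs against a setuid() that fails quietly. The uid and gid are whatever the caller passes; run unprivileged, the program simply drops to the current user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid, checking every call.  Returns 0 on
 * success, -1 (with errno set) if any step fails or if the process does not
 * end up with the requested identity.  Order matters: supplementary groups
 * and the gid must go before the uid, because once the uid is unprivileged
 * the group changes would be refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)   /* clear extra groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)       /* the check the 2.2.15-era daemon skipped */
        return -1;
    /* Verify rather than trust: the kernel bug made setuid() fail, and a
     * daemon that ignored the return value kept running as root. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* After a real drop, trying to become root again must fail.  Returns 1 if
 * root is unrecoverable, 0 if the process can still obtain uid 0 (it was
 * never really dropped, or it was root and "dropped" to root). */
int root_is_unrecoverable(void)
{
    return seteuid(0) != 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop [uid gid]; defaults to the current ids so the program
     * can be run without privileges. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;               /* never carry on as root after a failed drop */
    }
    printf("now uid=%u gid=%u, root recoverable: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           root_is_unrecoverable() ? "no" : "yes");
    return 0;
}
```

Started as root with a real target (for example the ids of a dedicated mail user), a failed or partial drop aborts the program instead of leaving it silently running as root, which is the failure mode the kernel bug exposed.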