COMP 2121 Internet Technology
Richard Henson, University of Worcester, March 2011
Week 6 - Client-End Security and the Internet

Objectives of Session
- Identify potential security threats to data displayed/stored on a client machine
- Explain how a computer virus works and how it can be removed
- Explain how adware and spyware can get onto a client computer
- Implement a client security system to protect against viruses, adware, and spyware

"Remote Link" Client and LAN-based Client
- Two ways for a client to be on-line:
  - Direct link to an ISP
  - Indirect Internet link, through a LAN
- Part of this session will deal with computers with direct ISP connections
- LAN-based computers should have their own LAN-based security...

Remote Access to Internet clients
- In theory, any person (or software, which can be automatic) already on the Internet can access a client machine
  - they just need the IP address...
- Whenever a client computer communicates via the Internet, it reveals its IP address!
  - very useful for remote client-server applications to work, e.g. streaming audio
  - also provides an opportunity for a remote user to gain access to your local hard disk!

Programmes ARE executed remotely on any client machine via the Internet!
- Does this sound frightening?
  - it happens all the time...
- Example:
  - a client machine makes a request for a streaming audio service to a web server via the Internet
  - in doing so, it reveals its IP address
- The web server is just one of over 700 million Internet servers offering web services from all parts of the world...

[Diagram: Local computer <-> Remote Computer (e.g. Real Audio Server), one of 700 million computers]

A Brief Preview of Real Audio (more detail in a later lecture...)
- Real Audio is a client-server application:
  - the Server process runs on the remote web server
  - the Client process runs on the local machine
- Stages:
  - Client makes a request to the Server for the Real Audio service
  - Server sends a Java or Visual BASIC applet (a small program) down the Internet, using the client's IP address to locate it
  - the downloaded applet runs on the local machine:
    - causes Real Audio to start up on the local machine
    - sends a message back to the server IP address
  - Streaming audio data is then sent by the server to the client IP address:
    - converted into digital sound on the client machine
    - played through the client machine's speakers

Cookies and Internet clients
- Most web sites have software that detects incoming IP addresses...
- They respond by:
  - sending an applet to the local computer
  - the applet writes data to a file on the local hard disk, known as a "cookie"
  - the cookie actually stores information about website navigation behaviour
  - next time the client logs onto that website, the cookie configures the displayed web page
- If cookies can do this SO EASILY, so could other programs from ANY remote server...
  - indeed, downloaded applets could do anything!

Possible Implications for Client Machines
Possible dangers for client machines:
- destructive data could be written to the hard disk, e.g. a virus, worm, or trojan
- annoying applications such as adware or spyware could be installed
- the system could crash or be rendered non-operational by faulty downloaded software
- data could be deleted remotely
- data could be copied to a remote site

What can be done - 1?
- Client machines should NOT have a "static" IP address
  - they should receive a randomly chosen IP address every time they log on to the Internet
  - easily achieved by a server running:
    - PPP (point-to-point protocol)
    - DHCP (dynamic host configuration protocol)
- Hackers get an IP address, but will not easily be able to use it to track that machine
  - DHCP automatic choice of IP address from an IANA-authorised range ("dynamic addressing") means no clash of IP addresses can occur

[Diagram: Dynamic IP addresses or Static IP addresses? Local computer among 700 million computers]

Dynamic v Static IP addresses
- At one time, client IP addresses were all static!
- Thankfully, most Internet Service Providers now allocate client IP addresses dynamically
  - a hacker can't guess and tap into a client IP address because it regularly changes...
- However, within a logon session, the IP address WILL be the same
  - one further safeguard for dynamic addresses would be to log off and back on at regular intervals
- NOTE: for a client computer to provide services, it needs a static IP address

Corruption of Unprotected Data on Fixed IP address machines
- Once the IP address has been obtained, software can be used to detect the security "holes" (usually open TCP ports) on that machine
- Depending on the operating system, once a TCP port has been breached, the file system is at the mercy of the hacker:
  - Windows XP without logins or NTFS has very little security
    - files could therefore easily be copied, deleted, or tampered with using an open TCP port

Protection of clients with fixed IP addresses
- Use an operating system that allows file- and directory-level security:
  - NTFS on Windows 2000, XP, Vista, or Windows 7
  - one or other breed of UNIX
- Configure that operating system to allow folder viewing, let alone file access, only to authorised users
- Configure it also to provide alerts when external users try to gain file access
  - this could mean they are trying to hack your username/password

Protection of Clients within a Logon Session
- An Internet session could last for hours...
  - plenty of time for remote programs to:
    - find the IP address
    - locate "open" TCP ports
    - use such ports to gain access to the hard disk
- Unix is a mature operating system (circa 1973!), and all major leaks have long since been plugged
- However, the Windows NT series (started 1993) is more recent... and probably still has unknown weaknesses...

Solutions for Windows Clients
- Make sure "leaky" Microsoft TCP ports are secured using "Windows Updates" as soon as the leak has been officially detected
  - software "patches" are also regularly made available for Internet Explorer as security holes become apparent
- Secure all TCP ports using commercially available programs
  - e.g. ZoneAlarm

Cyber Beasties! Mutants, Malware
- Programs that invade a computer system and affect the running of that system in some way
- Examples:
  - Viruses: make copies of themselves on any available storage medium
  - Trojans: like viruses, but disguised as "innocent" code
  - Worms: once in, can attack files on disk as they are accessed

Entry of Malware
- At one time, usually passed on via floppy disk...
  - DOS "boot sector" viruses were especially lethal
- Modern operating systems are less susceptible to boot sector infection
- BUT... ANY copied files from any source (ESPECIALLY executables) could be suspect:
- Any downloaded files, including email attachments, may contain programs that (accidentally or by design!) cause damage to data on PCs, or even to the machine itself

Detection of Malware
- All have a digital footprint
  - Once the mutant has been identified and catalogued, it can be easily identified using free software
  - however, it may not always be possible to detect harmful programs held in compressed form
    - e.g. in zip files; detection software needs to have the capability to open the zip folder
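A minimal footprint scanner, added here as an illustration and not part of the lecture: it checks a file for a catalogued byte pattern and, only when told to open archives, unpacks zip members (recursively) and scans those too, which shows why a scanner that cannot open zip folders misses a hidden sample. The signature catalogue, the size guard and the sample attachment are all constructed for this example.

```python
import io
import zipfile

# Constructed signature catalogue (name -> byte pattern). The pattern is a
# made-up placeholder for this example, not a real virus footprint.
SIGNATURES = {
    "Demo.NotARealVirus": b"DEMO-SIGNATURE-NOT-A-REAL-VIRUS",
}

# Constructed guard against "zip bombs": never expand a member larger than this.
MAX_MEMBER_BYTES = 16 * 1024 * 1024


def match_signatures(data: bytes) -> list:
    """Return the names of every catalogued footprint found in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_bytes(data: bytes, label: str, open_archives: bool) -> list:
    """Scan one blob; if open_archives is set and it is a zip, scan its members too.

    Returns (label, signature_name) pairs, one per hit.
    """
    hits = [(label, name) for name in match_signatures(data)]
    if open_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                member_label = f"{label}/{member.filename}"
                if member.file_size > MAX_MEMBER_BYTES:
                    hits.append((member_label, "SKIPPED:member-too-large"))
                    continue
                # Recurse so a zip inside a zip is opened as well.
                hits.extend(scan_bytes(archive.read(member), member_label, True))
    return hits


def wrap_in_zip(name: str, content: bytes) -> bytes:
    """Constructed helper: put one file into a deflated zip and return the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: a deflated zip whose setup.exe carries the footprint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.txt", "Holiday photos, run setup.exe to view!")
        archive.writestr("setup.exe", b"MZ" + bytes(60) + SIGNATURES["Demo.NotARealVirus"])
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    # Deflate hides the plain pattern, so the naive scan reports nothing.
    print("naive scan  :", scan_bytes(sample, "photos.zip", open_archives=False))
    print("archive scan:", scan_bytes(sample, "photos.zip", open_archives=True))
    print("nested scan :", scan_bytes(wrap_in_zip("inner.zip", sample), "outer.zip", True))
```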

What is a Virus?
- A program that can:
  - Bind itself to software not belonging to itself
    - The virus can snuggle up in memory with other loaded software, and be executed automatically when that software runs...
    - the software will then perform the function(s) of the virus
  - Exist on a storage medium in a form which, if loaded, will:
    - perform all the functions of the virus, including binding itself to software...
    - The virus can just "lurk" dormant on a hard or floppy disk and be started automatically when a trigger occurs, e.g. a particular date (Chernobyl, 26.4)

Type of Virus
- Viruses can be classified in a number of ways. One of the most common ways is by the method of infection:
  - Boot Sector Viruses (BSVs)
  - Partition Sector Viruses (PSVs)
  - File Viruses (FVs)
  - Macro Viruses (MVs)

Boot Sector Viruses
- Spread by infecting the boot sector of hard disks and floppy disks
- Once the boot sector of a disk is infected, the virus is loaded into memory every time the computer is booted from that disk
  - this could be used to prevent the disk from booting up the operating system...
  - the virus can then also infect any non-write-protected disk which is inserted into the computer!
- Thankfully, due to operating system improvements, BSVs (and PSVs) are rare nowadays

File Viruses
- Affect a particular executable file that could be held on any rewritable media
- If an infected file is run, the virus places itself in memory
- Then any non-infected program which is run is infected by the virus
  - this includes programs on portable media
  - thus, unknown to the owner, the virus can easily spread to other machines

Macro Viruses
- Similar to file viruses, but attach themselves to normally non-executable files as macros
  - A macro is a set of instructions telling the computer to do something
  - Most are written in a "macro" language such as VBA (Visual BASIC for Applications)
  - Can easily attach to e.g. Word and Excel files
- These viruses can only infect other files that are able to attach the same macro code
- Once an infected file is loaded, the macro executes

Malware: Important Terms
- A Trojan
  - A computer program
  - enters your system on false pretences
  - then does something other than what it claims to do (like the Trojan Horse in mythology)
- Example: the 'AIDS Information Program'
  - claims to tell you about AIDS, but also contains code which prevents you from getting access to your files on the hard disk unless a payment is made to a specific company!

Malware: Important Terms
- A Worm
  - can also enter under false pretences
  - then "wriggles" round the hard drive, corrupting files or changing their indexing information
  - Example: the "I love you" worm:
    - destroys graphical image files and replaces them with its own code and a tell-tale .vbs suffix
    - initially transferred by email
    - then changed so it could be easily spread using floppy disks: especially devastating for floppy disks containing graphics files

Stealth Viruses
- Use "stealth" techniques to conceal their presence
- Example: sector masking:
  - when an infected disk sector is read, a different sector appears instead
  - so the infected sector appears clean!
- Many viruses also use memory-resident techniques. This allows them to stay in memory and infect programs as they are loaded

Polymorphic Viruses
- Encrypt the virus code in an unpredictable way, making it harder to trace through its footprint
  - the loader which does the decryption changes with each infection!
  - makes it very hard for virus scanners to detect the virus, as the code is apparently constantly changing!

Downloading Malware from the Internet
- Infect client machines easily, as described previously...
  - Downloading software:
    - zipped FTP
    - zipped HTTP
    - Unprotected TCP ports
  - E-mail attachments
    - (don't click on .EXE files from strange email addresses!)
  - Even e-mail headers are now vulnerable
- Web pages...???
  - If static, probably OK, but beware the pop-ups!

Protecting Dynamic Web Pages
- Client-side scripts contain code which could be infected...
  - could in turn infect the client machine
- Server-side scripts and data are downloaded to the client machine from the server
  - if the client is contaminated, it could infect the server...
  - could then crash the server!

Protecting Dynamic Web Data
- A good idea for one particular reason...
  - customer data is private!
  - protected in EU countries by the local Data Protection Act
    - could be picked up by malware at the client end...
    - could also be intercepted en route:
      - Downloading: server --- client
      - Uploading: client --- server

Businesses, the web, and Protection of Data
- Many businesses now trading online
  - lots of sensitive data...
    - on the move, through the Internet
    - held on their servers
  - loss or illicit copying of that data could have a devastating effect...
    - fines from the ICO
    - loss of business because the server can't run properly and has to be rebuilt

Employees and Protection of Data
- Special (DPA) responsibility if dealing with data accessible from outside via the Internet
- Ensure that:
  - sensitive data is stored encrypted
  - data that needs to go to/from clients cannot be hacked on the Internet
    - should use the secure Internet (Public Key Infrastructure)
    - designed by Netscape and Internet gurus especially for this purpose:
      - look up https, SSL, public key encryption...

E-commerce and Securing Data
- E-commerce involves:
  - personal data (policed by the ICO)
    - fines up to £100,000 (very recent...)
  - financial data (policed by the FSA)
    - fines of several million (happens regularly)
- ANY business even thinking about buying/selling online must consider this carefully
  - evidence suggests that many still don't...
  - especially in matters regarding personal data

Removing Malware
- Many added/discovered every day. A number of companies specialise in virus detection and removal. Most popular:
  - McAfee (www.mcafee.com)
  - Dr Solomon's (www.drsolomon.com)
  - Norton (www.symantec.com)
  - Sophos (www.sophos.com)
  - PC-cillin (www.pccillin.com)
- 30-day trial versions are available on the Internet
  - best to buy the actual product after the 30 days have elapsed; free updates can then be downloaded on a regular basis

Prevention is better than cure!
- CMOS Protection:
  - Some viruses (e.g. Exebug) can write data to the CMOS part of the BIOS chip on the motherboard
  - It is possible to protect the BIOS from being attacked in this way, although PC performance is slightly affected
- Memory and File Scanners
  - can be programmed to run each time the computer boots up
  - can continue to be active even after boot-up, but will slow the machine down

Email Viruses
- Outlook/Outlook Express particularly vulnerable:
  - "Melissa": sends an embarrassing message to everyone in the address book!
  - "Bad Trans":
    1. when a contaminated email message is opened, installs itself on the computer
    2. becomes resident in memory the next time the computer boots up
    3. when Outlook (Express) is opened, it sends a copy of itself back to the sender of each unread message in the mailbox
  - Bad Trans 2 is even worse: it will do the above as soon as the message header is highlighted!

Email Viruses
- Because of the nature of email messages, and the presence of an address book, the potential for embarrassment is ENORMOUS!
- Outlook Express has regular updates to help prevent infection by email viruses
- BUT...
  - new email viruses become available all the time
  - not always detected by conventional scanners
  - could in theory send a copy of any email from any folder to any address, and add a copy of itself for good measure!

Removing and Preventing E-mail Viruses
- E-mail viruses spread very quickly...
  - often before Microsoft or the manufacturers of antivirus software can make a fix available!
- Therefore it is worth getting anti-virus software from an email virus specialist
  - often freely available on the Internet (e.g. VCatch)
    - www.vcatch.com
  - provides protection (phew!) for the address book

Spyware and Adware
- Software "of questionable legality" that allows:
  - snooping on browsing activity
  - adding browser toolbars and searchbars
  - flooding the browser screen with pop-ups
- Also malicious in other ways:
  - invade your PC in such a way as to make themselves difficult to remove
  - take up your hard drive space and slow down the CPU
- As with cookies:
  - happens "behind the scenes"
  - an infringement of UNCHR personal privacy

Removal of Spyware and Adware
- Very many products available on the Internet
- Well worth the investment, in terms of:
  - safeguarding the performance of your PC
  - protecting your personal data
- Freeware options detect them all, and then just delete one...
  - the rest are only deleted on payment...

Thanks for Listening
