
UNDERSTANDING INFORMATION SECURITY

VIRUSES, WORMS, HOAXES, AND TROJAN HORSES

Lee Ratzan, MCP, Ph.D. School of Communication, Information & Library Studies at Rutgers University Lratzan@scils.rutgers.edu

IT'S A JUNGLE OUT THERE


Computer Viruses
Trojan Horses
Address Book theft
DNS Poisoning
Network Worms
Logic Bombs
Hijacked Home Pages
Denial of Service Attacks
Buffer Overruns
Password Crackers
Zombies
IP Spoofing
Password Grabbers

AND THE EVER POPULAR:


Hoaxes
Ploys
Pop-Ups
Scams
Spam

DID YOU KNOW?


In 1980 a computer cracked a 3-character password within one minute.

In 1999 a team of computers cracked a 56-character password within one day.

In 2004 a computer virus infected 1 million computers within one hour.

DEFINITIONS
A computer program:
   Tells a computer what to do and how to do it.

Computer viruses, network worms, Trojan Horses:
   These are computer programs.

SALIENT DIFFERENCES
1) Computer Virus:
   Needs a host file
   Copies itself
   Executable

2) Network Worm:
   No host (self-contained)
   Copies itself
   Executable

3) Trojan Horse:
   No host (self-contained)
   Does not copy itself
   Imposter Program

TYPICAL SYMPTOMS
File deletion
File corruption
Visual effects
Pop-Ups
Erratic (and unwanted) behavior
Computer crashes

BIOLOGICAL METAPHORS
1. Bacterial Infection Model:
   Single bacterium
   Replication
   Dispersal

2. Virus Infected Model:
   Viral DNA Fragment
   Replication
   Infected Cells
   Dispersal

A computer virus spreads similarly, hence the name

WHY DO WE HAVE THIS PROBLEM?


Software companies rush products to the consumer market (No program should go online before its time)

Recycling old code reduces development time, but perpetuates old flaws.

AND A FEW MORE REASONS


Market share is more important than security

Interface design is more important than security

New feature designs are more important than security

Ease of use is more important than security

HACKER MOTIVATIONS
Attack the Evil Empire (Microsoft)
Display of dominance
Showing off, revenge
Misdirected creativity
Embezzlement, greed

Who knows what evil lurks in the hearts of men?

NETWORKED SYSTEMS VS SECURED SYSTEMS


Some platforms are more secure than others

NETWORKS: Open Communication, Full Access
SECURITY: Closed Communication, Full Lockdown

Managers must strike a balance

POPULAR FALLACIES
If I never log off then my computer can never get a virus

If I lock my office door then my computer can never get a virus

Companies create viruses so they can sell anti-virus software

Microsoft will protect me

AND A FEW MORE.


I got this disc from my (mother, boss, friend) so it must be okay

You cannot get a virus by opening an attachment from someone you know

But I only downloaded one file

I am too smart to fall for a scam

You can catch a cold from a computer virus

My friend who knows a lot about computers showed me this really cool site

THINGS THE LIBRARY CAN DO


ACTION PLAN:

Designate security support staff (and fund them)
Make security awareness a corporate priority (and educate your staff)
Enable real-time protection
Update all vendor security patches
Subscribe to several security alert bulletins
Periodically reboot or re-load all computers
Control, limit or block all downloads and installs
Install anti-virus software on computers (keep it current)

It takes a carpenter to build a house but one jackass can knock it down
(Variously attributed to Mark Twain, Harry Truman, Senator Sam Rayburn)

WHAT CAN THE LIBRARIAN DO?


Set bookmarks to authoritative:
   anti-virus Web pages
   virus hoax Web pages
   public free anti-virus removal tools

Provide patrons with:
   up-to-date information about viruses, etc.

Confirm:
   that desktops have the latest anti-virus updates

BACK IT UP
Offline copies: Grandfather/father/son (monthly/weekly/daily)

Online copies: Shared network drive

Changes only: Incremental/differential

Do not back up a file on the same disc as the original!

Assume every disc, CD, etc. is suspect, no matter who gave it to you


Doveryay, No Proveryay (Trust but Verify)

MACHINE INFECTED?
ACTION PLAN:

1) Write down the error or alert message verbatim
   inform your tech support team
   quarantine the machine

2) Look up the message in an authoritative anti-virus site (demo)
   diagnose the problem
   take recommended remedial action
   If appropriate:
      Download, install, run the anti-virus removal tool (demo)
      Apply all missing critical security patches (demo)

3) Reboot the machine
   Run a full system scan before placing the machine back in service

THE HOAX STOPS HERE


IF THE MESSAGE:
   tells you to do something
   tells you to take immediate action
   cites a recognizable source to give itself credibility (Microsoft has warned that)
   does not originate from a valid computer vendor

AND:
   lacks specific verifiable contact information

IF IN DOUBT, CHECK IT OUT
   Confirm the hoax by checking it against authoritative hoax sites
   Inform other staff so the hoax does not propagate

POPULAR HOAXES INCLUDE:

JDBGMGR (teddy-bear icon): Tricks users into deleting a file

NIGERIA: Money scam

$800 FROM MICROSOFT: Pyramid scheme

STOPPING THE TROJAN HORSE


The Horse must be invited in.

How does it get in? By:
   Downloading a file
   Installing a program
   Opening an attachment
   Opening bogus Web pages
   Copying a file from someone else

MORE ON THE HORSE.


A Trojan Horse exploits computer ports, letting its friends enter, the way a thief who gets into your house opens a rear window for his partners

Security patches often close computer ports and vulnerabilities

NOTE #1

Search engines are NOT reliable sources of virus information
   Information may be inaccurate, incomplete or out of date
   Search engines generate huge numbers of indiscriminate hits
   Some anti-virus Web sites are scams (or contain Trojan Horses)

Go directly to authoritative anti-virus sites

NOTE #2

Computer companies are NOT reliable sources of virus information


Computer companies:
   Usually refer you to an anti-virus vendor
   are not in the anti-virus business themselves
   are victims!

ONLINE RESOURCES
Authoritative Hoax Information

securityresponse.symantec.com/avcenter/hoax.html
vil.mcafeesecurity.com/vil/hoaxes.asp

Authoritative Anti-Virus Vendor Information

securityresponse.symantec.com/avcenter/vinfodb.html
www.mcafeesecurity.com/us/security/vil.htm

REFERENCES
Authoritative Security Alert Information

securityresponse.symantec.com/ (Symantec)
www.microsoft.com/security (Microsoft)
www.apple.com/support/security/ (Apple)

Authoritative Anti-Virus Organizations

www.cert.org (Computer Emergency Response Team-CMU)
www.ciac.org/ciac (CIAC-Department of Energy)
www.sans.org/aboutsans.php (Server and Network Security)
www.first.org (Forum of Incident Response and Security Teams)
www.cirt.rutgers.edu (Computing Incident Response Team-Rutgers)

Authoritative Free Public Anti-Virus Removal Tool Information

securityresponse.symantec.com/avcenter/tools.list.html
vil.nai.com/vil/averttools.asp
mssg.rutgers.edu/documentation/viruses (Rutgers)

Some professional library sites have pointers to reliable anti-virus information

PRINT RESOURCES
Allen, Julia, (2001) The CERT Guide to System and Network Security Practices, Addison-Wesley, New York

Crume, Jeff, (2000) Inside Internet Security, Addison-Wesley, New York

Ratzan, Lee, (January 2005) A new role for libraries, SC Magazine (Secure Computing Magazine), page 26

Ratzan, Lee, (2004) Understanding Information Systems, American Library Association, Chicago

A NEW ROLE FOR LIBRARIES?

THE AUTHOR ACKNOWLEDGES

The cooperation of InfoLink (www.infolink.org) for promoting library professional development programs
The Monroe Public Library for the use of its facilities
SC Magazine for publishing an essay on libraries being at the forefront of information security
Lisa DeBilio for her production of the PowerPoint slides.

THANK YOU ALL
