Archive for the ‘Definitions’ Category

A firewall looks for and attempts to stop forbidden communications between two computers. Firewalls work by examining each piece of traffic entering or leaving the network and blocking those which do not meet specified criteria. If the communication is an allowed type (for example, Windows passing your user name and password to the company network during login), the message is allowed through. If the communication is unrecognized (for example, a virus attempting to impersonate Lotus Notes but really sending your password out to a hacker), the traffic can be stopped.

There are two kinds of firewalls: "personal" or software firewalls and "network" or hardware firewalls.

  • Software firewalls are relatively easy to install and provide good protection. They filter traffic entering or leaving a single computer. Software firewall programs (such as ZoneAlarm, Norton or Comodo) can be downloaded from the Internet and may be available in a free version for home users. (Note: If your home computer’s operating system is Windows XP or Vista, it has a built-in software firewall but Windows has not traditionally performed well in bench comparisons. Most security experts recommend replacing or at least supplementing the Windows firewall.) For more on personal firewalls and how they work, see the first page of this article.
  • Hardware firewalls require you to buy and connect a separate piece of equipment, but they provide stronger protection. They plug in between your internet connection (such as the cable-modem or DSL line) and the computer. Hardware firewalls are often built into routers, allowing multiple computers to share a single, protected connection to the internet. Hardware firewalls often also have the ability to perform network address translation (NAT) which hides the specific IP address of your computer and makes it much harder for a hacker to launch an attack against you. Hardware firewalls are available at many electronics retail stores, usually starting at $50-$75.

CERT (the Computer Emergency Readiness Team) strongly recommends the use of hardware firewalls, especially if you have a broadband or "always on" connection. See "Before You Connect a New Computer to the Internet" for more information.

Some firewalls will display a pop-up box asking if you want to allow the message. If you see one of these pop-ups, never allow the traffic unless you are sure that you know exactly what it is doing. Remember, the firewall won’t do any good if you give permission for the virus to send out your password.
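To make the "allow what matches a rule, stop everything unrecognised" behaviour concrete, here is an added example of a minimal stateless packet filter written for this page; it is not code from the original article or from any firewall product. The Packet and Rule types, the rule set and the sample traffic are all constructed for the illustration (the IP addresses come from documentation ranges), and a real firewall inspects raw packets rather than tidy records like these.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed record type for the illustration.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving this computer)
    proto: str       # "tcp" or "udp"
    remote_ip: str   # the other end of the conversation
    port: int        # service port: the remote port for "out", the local port for "in"


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "block"
    direction: Optional[str] = None       # None means "any"
    proto: Optional[str] = None
    port: Optional[int] = None
    remote_prefix: Optional[str] = None   # crude textual prefix match, e.g. "10."

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in (None, pkt.direction)
            and self.proto in (None, pkt.proto)
            and self.port in (None, pkt.port)
            and (self.remote_prefix is None or pkt.remote_ip.startswith(self.remote_prefix))
        )


# Traffic that no rule recognises is stopped: the "default deny" stance
# the article describes, and the reason an unrecognised pop-up should get "no".
DEFAULT_ACTION = "block"

# Hypothetical rule set for a home PC; the first matching rule wins.
RULESET: List[Rule] = [
    Rule("allow", "out", "udp", 53),            # DNS lookups
    Rule("allow", "out", "tcp", 80),            # plain web
    Rule("allow", "out", "tcp", 443),           # web over TLS
    Rule("allow", "in", "tcp", 3389, "10."),    # remote desktop, but only from the home LAN
    Rule("block", "out", "tcp", 25),            # explicit: this PC never sends mail directly
]


def evaluate(pkt: Packet, rules: List[Rule] = RULESET) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None means the default applied."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return DEFAULT_ACTION, None


# Constructed sample traffic (documentation address ranges).
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "203.0.113.10", 443),    # browsing a website
    Packet("out", "udp", "10.0.0.1", 53),         # DNS query to the home router
    Packet("in", "tcp", "198.51.100.7", 3389),    # remote desktop attempt from the Internet
    Packet("in", "tcp", "10.0.0.5", 3389),        # remote desktop from a LAN machine
    Packet("out", "tcp", "198.51.100.7", 25),     # something on the PC trying to send mail
    Packet("out", "tcp", "198.51.100.7", 6667),   # unrecognised outbound connection
]


def decisions(traffic=SAMPLE_TRAFFIC) -> List[Tuple[str, str, int, str]]:
    """Summarise the verdict for each sample packet as (direction, proto, port, action)."""
    return [(pkt.direction, pkt.proto, pkt.port, evaluate(pkt)[0]) for pkt in traffic]


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        action, idx = evaluate(pkt)
        why = f"rule {idx}" if idx is not None else "default policy"
        print(f"{pkt.direction:3} {pkt.proto} {pkt.remote_ip}:{pkt.port} -> {action} ({why})")
```

The point to notice is the last sample packet: nothing in the rule set names port 6667, so it is blocked without any rule having to anticipate it. An "allow by default" policy would need a rule for every bad thing in advance, which is exactly what the article warns cannot be done.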

Security geeks often talk about keeping your computer "patched". Here’s what we mean and why it’s so important.

In a perfect world, all the code on your computer would do exactly what it’s supposed to do and nothing more. In the real world, new code was added on top of existing code to fix a problem or to add some new feature until, over time, the code became too complicated to test for every possible scenario. Hackers found ways to exploit the holes in the code. By sending just the right command in just the right circumstances, they could make the computer do something it shouldn’t – like give the hacker permission to install software and take control of the computer.

When such a vulnerability is discovered, the developers who made the software have to figure out how to plug the hole – how to change the code just enough to stop the hacker without shutting down the new feature they added or interfering with some other application. “Patches” are the bits of code to be added to your computer to fix that hole. (Patches can also be used to add a new feature or fix something else in the program but for now we’ll stick to security patches.)

At work, your IT team should be responsible for keeping your core applications up-to-date and fully patched. For your home computer, you should set your computer to automatically update the software whenever new patches are available. That’s the safest way to be sure that you have the latest code protecting your computer. While most vulnerabilities are found in the operating system (those core instructions that the computer needs just to turn itself on), more and more vulnerabilities are being found in applications – Word, Adobe, QuickTime, RealPlayer, etc. No modern application is completely safe. In Windows, you can set the updates through the Control Panel. (Look for something like Automatic Updates or Windows Updater.) In other programs such as Quicken, you usually set the updates via Tools/Options or Preferences.

Of course, there’s no such thing as a free lunch or perfect software. Sometimes, the patch will fix the program but will also break some function that some other program needed to run. When that happens, you must either decide to wait (and hope that the developers at one of the two companies will send out yet another patch to fix the breakage) or take the risk and reverse out the last patch. Unless the patch broke something that’s absolutely mission-critical, you are almost always better off leaving it in place.

Incidentally, Microsoft has been releasing a packet of security updates on the second Tuesday of each month (so-called Patch Tuesday) for several years now. Some hackers are now exploiting that pattern and holding their latest virus until the second Wednesday so they have the most possible time before they are shut down. Even if you stay fully patched, there are no guarantees in life.

Have you ever received an error message about an email that you didn’t send? Or wondered why someone from your own company’s email address is sending you ads for Viagra or financial alerts for penny-stocks? Have you gotten a spam message from yourself? If so, you’ve just seen email spoofing in action.

Anything about an email can be edited or overwritten including the From, Return-Path, and Reply-To fields. Commands inserted into the header of the email can make the message appear to come from anyone, anywhere saying whatever the sender wants it to say. Spammers and other hackers know that their response rate is 10% higher if they can match the recipient’s name – they rely on curiosity and trust to trick you into opening a malicious message. The trick is built right into the hacker tools that are used to generate mass-mailing worms and other malware.
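Because the From, Reply-To and Return-Path fields are all just text the sender controls, the useful defensive question is whether they agree with each other and with the path the message actually took. Here is an added example of that kind of header consistency check, written for this page and not taken from the original article or from any mail product. The two raw messages are constructed samples (the domains and addresses are documentation names), and the Received-hop test is a labelled heuristic rather than a real authentication mechanism.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: claims to come from a colleague, arrived through an
# outside relay, and asks for replies to go to a third domain.
RAW_SPOOFED = """\
Return-Path: <bounce-4711@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.9])
From: "Accounts Team" <accounts@corp.example.com>
Reply-To: <win-big@promo.example.org>
To: <alice@corp.example.com>
Subject: Your statement is ready

Open the attachment to view your statement.
"""

# Constructed sample: an ordinary internal message for comparison.
RAW_LEGIT = """\
Return-Path: <bob@corp.example.com>
Received: from mail.corp.example.com (mail.corp.example.com [10.1.2.3])
From: Bob <bob@corp.example.com>
To: <alice@corp.example.com>
Subject: Lunch?

Noon at the usual place?
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw: str, own_domain: str) -> List[str]:
    """Return the names of header inconsistencies found; an empty list means none."""
    msg = message_from_string(raw)
    own_domain = own_domain.lower()
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    return_dom = domain_of(msg["Return-Path"])
    findings: List[str] = []

    # Replies would go somewhere other than the visible sender's domain.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")

    # Bounces would go to a domain that is not the visible sender's.
    if return_dom and return_dom != from_dom:
        findings.append("return-path-domain-mismatch")

    # Mail that claims to be from one of our own users but never passed through
    # one of our own mail servers. Heuristic only: it inspects the Received hops.
    if from_dom == own_domain:
        hops = msg.get_all("Received") or []
        if not any(own_domain in hop.lower() for hop in hops):
            findings.append("internal-sender-via-external-relay")

    return findings


if __name__ == "__main__":
    print("spoofed:", spoof_indicators(RAW_SPOOFED, "corp.example.com"))
    print("legit:  ", spoof_indicators(RAW_LEGIT, "corp.example.com"))
```

Treat the findings as indicators, not proof: mailing lists and ticketing systems legitimately set a Reply-To elsewhere, and a Received line can itself be forged by whoever injected the message. Production mail systems settle the question with SPF, DKIM and DMARC rather than with string comparisons like these.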

If you think you received a spoofed message, simply delete it. Most email programs allow you to block future messages from that address but that approach is no longer effective at actually stopping spam. The problem is that blocking User1@spoofvictim.com still lets junk through from User2@spoofvictim.com, User3, etc. The odds that the spammer will pick the same victim next time are negligible. But if you ever do get a legitimate message from User1, you’ll never see it. If there really is enough spam from one location to justify a black-listing, our spam-filter vendor will find it and include it in their master list. That fixes the problem not just for your email but for everyone else at the same time.

Do not send a complaint to the person that you think sent you the spam. If it was a spoof, they can’t do anything about it anyway. If it was not a spoof, all you’ve done is confirm that you’re the kind of person who opens spam messages. You’ll get more spam, not less. You can, however, forward a copy to spam@uce.com, a department of the Federal Trade Commission which collects and reports on spam trends.

If you think that your address has been spoofed, delete that message too. Some virus writers are deliberately mimicking the email error messages in the hopes that you’ll open the attachment “explaining the problem” and infect your computer with their program. If you don’t remember sending the message, trust your memory. It’s very likely a scam.

At some point, you’ve probably seen an error message pop up that "Active Content on this webpage has been blocked. Click here for options." Microsoft and the other browser makers give us these warnings so we can try to make choices about what to trust on the web and what to avoid. Unfortunately, most average computer users don’t know what "active content" is or how to decide what to trust. There are no easy answers for deciding who to trust, but after reading this overview you should have a little more idea of the risks you are taking.

Active content today comes in two basic flavors – web scripts like JavaScript or VBScript and programs such as Java or ActiveX. Both use code embedded in the webpage to help the webpage do something extra (like drop-down menus) or to make the page’s formatting look better. While these scripts make the webpage more user-friendly, they can offer a way for hackers to get into your computer.

Web scripts are used on almost every web site now. These scripts let the web designer customize the look and feel of the site and are very easy to use. The script is written into the webpage and is executed by your browser. There are limits to what the script can do, making them mostly safe. Unfortunately, one of the ways they can be exploited is to redirect you from a legitimate web site to a look-alike malicious one that may download viruses or collect personal information.

Java and ActiveX controls are actual programs that are already on your computer or can be automatically downloaded into your browser. ActiveX can do anything on your computer that you can do. That’s helpful if the web page is supposed to find and run a program for you but very dangerous if exploited by a hacker. Untrustworthy ActiveX controls can be used to load spyware, collect personal information, connect to other computers or do other damage. (If you’re trying to load or update well-known software like Flash Player or Adobe Reader, it’s probably okay. On the other hand, if the browser is trying to launch something like WeatherBug or MemoryMeter, SAY NO!) Java applets usually run in a more restricted environment and have fewer rights on your computer (and therefore can do less damage if exploited), but if that environment isn’t secure, malicious Java applets may be used for attack as well.

In general, you should set your Internet Options to block ActiveX. For computers containing highly sensitive information, you should also consider disallowing Java and JavaScript. Only allow the content through if you are sure that you are at a trusted website. Recognize, however, that the added security may cause some features of the website to not function or to function improperly. Once you’ve verified the security of a site, you can designate it a “Trusted Site” and allow future active content from that site. And always keep your anti-virus, anti-spyware and firewalls running and your software fully patched.

based in part on CERT Cyber Security Tip ST04-012
From westfieldinsurance.com

A cookie is a tasty treat.

It’s also a small string of text that’s used to keep track of your computer when you browse the Internet. An HTTP cookie might track general information about your computer (such as IP address you used to connect or the type of browser you use) or more specific information about your browsing habits (such as the last time you visited a particular web site or your personal preferences for viewing that site).

The bit of text that makes the cookie is sent to your computer by a server when you first visit a website (or sometimes when you sign in to the site). After that, whenever your computer accesses that server, it sends the text string back to the server unchanged. The cookie identifies your computer to the server, which lets the server send back the content that’s relevant to your request and keeps it from mixing up your reply with the next person’s request.

Cookies serve several different purposes depending on how long your computer stores them.

  • Session cookies store information only as long as you’re using the browser. Once you close the browser, the cookie is erased. Session cookies are a way to keep you logged in so you don’t have to reinput your password on every page. Session cookies can also hold onto your preferences or keep track of whether you’ve already visited a particular page. Session cookies are used on many websites to keep track of the contents of your electronic shopping cart.
  • Persistent cookies are stored on your computer’s hard-drive so that your personal preferences can be retained over time. Persistent cookies are how your computer knows to fill in your username by default when you open your Yahoo! or Hotmail email account, or to display your personalized page when you visit Amazon.com. Persistent cookies can also be used by advertisers and others to keep track of your browsing patterns. If an attacker gains access to your computer, he/she may be able to gather personal information about you through these files. Persistent cookies may be set to "expire" after a certain period of time (usually a few days or weeks) but can be set to never expire.

Because of the privacy concerns, cookies can be controversial. Many people recommend blocking or limiting the use of cookies in your web browser. While this can make sense in many situations, it will cause some sites to stop working. To control cookies, go to the options or preferences section in your web browser. In Internet Explorer, the path is Tools/Internet Options/Privacy. In general, you should set higher restrictions on third-party cookies – those used by advertisers on a site to track your behavior across multiple webpages – than on first-party cookies – those used by the site that you are actually visiting.
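The session/persistent and first-party/third-party distinctions above are both visible in the Set-Cookie header the server sends, so they can be checked mechanically. Here is an added example, written for this page and not part of the original article or of any browser, that parses Set-Cookie headers and classifies each cookie the way the text does: no Expires or Max-Age means a session cookie; a cookie whose domain is not the site you are visiting is third-party. The three headers, the hostnames and the fixed "now" are constructed samples, and the site_of() helper is a deliberate simplification (browsers use the Public Suffix List for this).

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def site_of(host: str) -> str:
    """Crude notion of 'site': the last two labels of the host (assumption, not browser logic)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(header: str, response_host: str, page_host: str, now: datetime) -> dict:
    """Classify one cookie as session/persistent and first-/third-party."""
    name, _, attrs = parse_set_cookie(header)
    expires: Optional[datetime]
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    else:
        expires = None                          # no lifetime given: dies with the browser
    kind = "session" if expires is None else "persistent"
    cookie_host = attrs.get("domain", response_host).lstrip(".")
    party = "first-party" if site_of(cookie_host) == site_of(page_host) else "third-party"
    return {"name": name, "kind": kind, "party": party, "expires": expires}


# Constructed sample: three Set-Cookie headers received while viewing a page on
# shop.example.com, the third one from an advertising host embedded in the page.
PAGE_HOST = "shop.example.com"
SAMPLE_RESPONSES = [
    ("shop.example.com", "sessionid=abc123; Path=/; HttpOnly"),
    ("shop.example.com", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.example.net", "trk=9f8e; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.ads.example.net"),
]
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible


def audit(responses=SAMPLE_RESPONSES, page_host: str = PAGE_HOST, now: Optional[datetime] = None) -> List[dict]:
    now = now or datetime.now(timezone.utc)
    return [classify(header, host, page_host, now) for host, header in responses]


if __name__ == "__main__":
    for c in audit(now=DEMO_NOW):
        print(f"{c['name']:10} {c['kind']:10} {c['party']:12} expires={c['expires']}")
```

Run against the samples, the login cookie is a first-party session cookie, the preferences cookie is a first-party persistent cookie that lives thirty days, and the advertiser's cookie is a persistent third-party cookie that outlives the visit by well over a year. That last category is the one the text recommends restricting most tightly.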

If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information.