As the name suggests, a firewall acts as a barrier between networks or between parts of a network. It lets through only the traffic that its rules permit and blocks the rest, which stops many hacking attempts and much malicious traffic before they reach a computer.
A network firewall is installed on the boundary between two networks, usually between the internet and a company network. It can be a dedicated piece of hardware, or software running on a computer that acts as the gateway to the company network.
A client firewall is software that runs on an end user's computer and protects only that computer.
In either case, the firewall inspects all traffic, both inbound and outbound, to see whether it meets certain criteria. If it does, it is allowed; if not, the firewall blocks it. Firewalls can filter traffic on the basis of
• the source and destination addresses and port numbers (address filtering)
• the type of network traffic, e.g. HTTP or FTP (protocol filtering)
• the attributes or state of the packets sent, e.g. whether a packet belongs to a connection that a machine on the inside opened (stateful filtering).
A firewall can only act on what a rule can express: it cannot tell a legitimate web request from a malicious one arriving on the web port, so it complements anti-virus software and patching rather than replacing them.
A client firewall can also warn the user each time a program attempts to make a connection, and ask whether the connection should be allowed or blocked. It can gradually learn from the user's responses, so that it knows which programs and types of traffic the user allows.
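The address and protocol filtering described above, as an added example that is not part of the original page: a minimal stateless packet filter. Rules are tried top to bottom, the first match wins, and anything no rule matches is denied, which is the "default deny" that makes a firewall a barrier rather than a sieve. The network layout (10.0.0.0/8 as the company LAN, 10.0.0.80 as the web server, 10.0.0.25 as the mail hub) and the sample packets are assumptions made for the example.

```python
# Added example, not part of the original page: a minimal stateless packet
# filter showing address filtering, protocol filtering and rule ordering.
# The network layout (10.0.0.0/8 is the company LAN, 10.0.0.80 the web
# server, 10.0.0.25 the mail hub) is an assumption made for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port (None for icmp)
    direction: str           # "in" = arriving from the internet, "out" = leaving the LAN


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"   # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Rules are tried top to bottom; the first match decides.
RULES = [
    Rule("allow", "in",  dst="10.0.0.80/32", proto="tcp", dport=80),   # public web server
    Rule("allow", "in",  dst="10.0.0.80/32", proto="tcp", dport=443),
    Rule("allow", "in",  dst="10.0.0.25/32", proto="tcp", dport=25),   # inbound mail only to the hub
    Rule("allow", "out", src="10.0.0.25/32", proto="tcp", dport=25),   # only the hub may send mail out...
    Rule("deny",  "out", proto="tcp", dport=25),                       # ...so a zombie on the LAN cannot spam directly
    Rule("allow", "out", src="10.0.0.0/8"),                            # everything else from the LAN may go out
]


def decide(packet: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a packet. Anything no rule matches is
    denied: the final implicit deny is what makes the firewall a barrier."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


if __name__ == "__main__":
    probe = Packet("203.0.113.9", "10.0.0.77", "tcp", 135, "in")   # RPC probe from outside
    print(decide(probe))   # deny: no rule allows it, so the default applies
```

Note how the two outbound port 25 rules depend on their order: swapping them would block the mail hub as well. Stateful inspection, the third filtering criterion on the page, is what a real firewall adds on top of this so that replies to connections opened from the inside are admitted without a separate inbound rule.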
Labels: Security software
These programs use a combination of methods to decide whether an email is likely to be spam. They can:
• Block email that comes from computers on a blocklist. This can be a commercially available list or a local list of the addresses of computers that have sent spam to your company before.
• Block email that includes certain web addresses.
• Check whether the email really comes from the domain name or web address it claims to. Spammers often use forged addresses to try to get past anti-spam programs.
• Look for keywords or phrases that occur in spam (e.g. "credit card", "lose weight").
• Look for patterns that suggest the sender is trying to disguise words (e.g. "hardc*re p0rn").
• Look for unnecessary HTML code (the code used for writing web pages) in email, as spammers often use it to conceal their message and confuse anti-spam programs.
The program combines everything it finds into a score, or probability, that the email is spam. If that score is high enough, it can block or delete the email, depending on the settings you choose.
Anti-spam software needs frequent updating with new "rules" that enable it to recognize the latest techniques used by spammers.
Many users worry that anti-spam software will delete personal or useful email. Well-tuned anti-spam programs can be very accurate: typically they block fewer than one genuine email in ten thousand, or even a hundred thousand, although the actual rate depends on how the software is configured and on the kind of mail you receive. Even if the program does misidentify an email as spam, it can be configured to place it in a "quarantine" area rather than deleting it. An administrator can then decide whether to release the mail or delete it, and some programs let each user reclaim any quarantined mail that they want.
How software adapts to your needs
Some anti-spam software is "adaptive": it learns which subjects you find acceptable and which ones you don't, and it learns this per user rather than for the whole company.
Suppose that a pharmaceutical company installs anti-spam software. At first, the software tries to spot spam by looking for words like the following: credit, free, consolidate, debt, mortgage, drugs, prescription, medication, doctor. It blocks email containing too many of these keywords, but allows individual users to retrieve mail that they want to read.
Someone in the research department finds that genuine mail about new drugs has been blocked, and asks for it to be released. The software learns that this user frequently receives email about drugs, and so gives less weight to drug-related words when checking that user's mail.
In the finance department, users reclaim email containing financial terms, so the software learns to give less weight to those words for them, while it still blocks drug-related email sent to those users.
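The adaptation just described, as an added example that is not the page's own code or any vendor's: a keyword-weighted scorer in which reclaiming a quarantined mail halves the weight of the words that caused the block, for that user only. The keyword weights, the quarantine threshold, the blocklisted address and the two sample messages are all constructed for the example.

```python
# Added example, not part of the original page: a keyword-weighted spam
# scorer that adapts per user when a quarantined mail is reclaimed. The
# keyword weights, threshold, blocklisted address and sample messages are
# all constructed for illustration.
import re
from collections import defaultdict

BLOCKLIST = {"198.51.100.23"}            # constructed: a host that sent us spam before
KEYWORDS = {                             # base weight per keyword
    "credit": 2.0, "free": 1.5, "consolidate": 2.0, "debt": 2.0, "mortgage": 2.0,
    "drugs": 2.5, "prescription": 2.5, "medication": 2.0, "doctor": 1.5,
}
QUARANTINE_AT = 5.0                      # score at or above which mail is quarantined

# Constructed sample messages.
DRUG_MAIL = "Trial results: the new drugs and prescription medication data are attached"
FIN_MAIL = "Please consolidate the debt schedule and update the mortgage figures"


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


class SpamFilter:
    def __init__(self):
        # user -> keyword -> multiplier; 1.0 means the base weight applies
        self.user_weights = defaultdict(lambda: defaultdict(lambda: 1.0))

    def score(self, user, sender_ip, body):
        s = 0.0
        if sender_ip in BLOCKLIST:
            s += QUARANTINE_AT              # a blocklisted source is enough on its own
        for word in tokens(body):
            if word in KEYWORDS:
                s += KEYWORDS[word] * self.user_weights[user][word]
        return s

    def classify(self, user, sender_ip, body):
        return "quarantine" if self.score(user, sender_ip, body) >= QUARANTINE_AT else "deliver"

    def reclaim(self, user, body, factor=0.5):
        """The user released a quarantined mail as genuine: reduce, for this
        user only, the weight of every keyword that contributed to its score."""
        for word in set(tokens(body)):
            if word in KEYWORDS:
                self.user_weights[user][word] *= factor
```

With these weights the drug-trial mail scores 7.0 for everyone at first; after the research user reclaims it once, it scores 3.5 for that user and is delivered, while it still scores 7.0 and is quarantined for someone in finance. A real product would also decay the adjustment over time and cap how far a single reclaim can move a weight, otherwise a user who reclaims one spam teaches the filter to let more through.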
Anti-virus software uses a scanner to identify programs that are, or may be, malicious.
Scanners can detect:
• Known viruses – The scanner compares files on your computer against a library of "identities" (signatures) for known viruses. If it finds a match, it issues an alert and blocks access to the file.
• Previously unknown viruses – The scanner analyzes the likely behavior of a program. If the program has all the characteristics of a virus, access is blocked even though the file does not match any known identity.
• Suspicious files – The scanner analyzes the likely behavior of a program. If that behavior is of a kind usually considered undesirable, the scanner warns that the file may be a virus.
Detection of known viruses depends on frequent updating with the latest virus identities; a scanner that is not updated misses anything released since its last update. There are on-access and on-demand scanners, and most anti-virus packages offer both.
On-access scanners stay active whenever you are using the computer. They automatically check files as you try to open or run them, and can prevent you from accessing infected files.
On-demand scanners let you start or schedule a scan of specific files or drives.
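The three kinds of detection above, as an added example that is not the page's own code or any product's: an on-demand scan over a handful of files with one known identity and two behaviour heuristics. The only real identity is the EICAR anti-virus test string, which every scanner is expected to detect by agreement; the heuristics, the sample files and the file names are constructed for the example (the hidden-extension heuristic covers the ".txt that is really a .vbs" trick the page describes later under email viruses).

```python
# Added example, not part of the original page: an on-demand scanner with a
# tiny library of "identities" (byte patterns) and two behaviour heuristics.
# The only real identity is the EICAR test string; the heuristics and the
# sample files are constructed for illustration.
import re

# Known identities: name -> byte sequence that must appear in the file.
IDENTITIES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Constructed sample files for an on-demand scan (name -> contents).
SAMPLE_FILES = {
    "eicar.com": IDENTITIES["EICAR-Test-File"],
    "invoice.txt.vbs": b'Set sh = CreateObject("WScript.Shell")\r\n'
                       b'Set ol = CreateObject("Outlook.Application")\r\n',
    "notes.txt": b"just some text",
}


def heuristic_double_extension(name, data):
    """'report.txt.vbs' looks like text to a user whose system hides extensions."""
    if re.search(r"\.(txt|doc|jpg|pdf)\.(vbs|exe|scr|js|bat|pif)$", name, re.I):
        return "script hidden behind a harmless-looking extension"
    return None


def heuristic_script_shell(name, data):
    """A script that both spawns a shell and automates the mail client is
    behaving the way email worms do."""
    low = data.lower()
    if b"wscript.shell" in low and b"outlook.application" in low:
        return "script launches a shell and automates the mail client"
    return None


HEURISTICS = [heuristic_double_extension, heuristic_script_shell]


def scan(name, data):
    """('known', identity) for a signature match, which the scanner blocks;
    ('suspicious', [reasons]) for heuristic hits, which it warns about;
    ('clean', None) otherwise."""
    for ident, pattern in IDENTITIES.items():
        if pattern in data:
            return ("known", ident)
    reasons = [r for r in (h(name, data) for h in HEURISTICS) if r]
    if reasons:
        return ("suspicious", reasons)
    return ("clean", None)


def scan_all(files):
    """On-demand scan over a mapping of file name -> bytes."""
    return {name: scan(name, data) for name, data in files.items()}
```

The identity library is what the page says must be updated frequently: the scanner can only return "known" for patterns it has, so a new virus is at best "suspicious" until its identity arrives. Real identities are also more than a literal substring (offsets, wildcards, checksums over code sections), otherwise a one-byte change would defeat them.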
A virus or Trojan can infect a computer and open a “back door” that gives other users access. As soon as this happens, the virus sends a message back to the virus writer, who can now control the computer remotely via the internet. From now on, the computer is a “zombie”, doing the bidding of others, although the user is unaware.
Collectively, such computers are called a “botnet”. The virus writer can share or sell access to control his or her list of compromised computers, allowing others to use them for malicious purposes. For example, a spammer can use zombie computers to send out spam mail. Up to 80% of all spam is now distributed in this way. This enables the spammers to avoid detection and to get around any blocklisting applied to their own servers. It can also reduce their costs, as the computer’s owner is paying for the internet access.
Hackers can also use zombies to launch a "denial-of-service" attack, or more precisely a distributed denial-of-service (DDoS) attack. They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server cannot handle all the requests reaching it. The website thus becomes inaccessible.
Phishing originally involved sending out emails that include links to bogus websites, where victims are asked to enter account details or other confidential information. Voice phishing (also known as vishing, v-phishing or phone phishing) asks the victim to call a phone number rather than visit a website, but the intention is the same: to steal details for financial gain.
An example is the PayPal voice phishing email. The email appears to come from PayPal, the electronic payment service, and claims that the user’s account may have been used fraudulently. It warns that the account will be suspended unless the user calls a phone number to “verify” their details. When the user calls, an automated message asks for their card number. Criminals can then misuse the number for their own gain.
Users may be wary of following links in unexpected email, and they can make sure that they enter the correct web address when they visit a financial services site. They are less likely to know the company's phone number, though, so a number supplied in an email is easily taken on trust. To protect against phone phishing, use anti-spam software, which can detect phishing mails, treat unsolicited email cautiously, and if you do want to check on your account, call the number printed on your card or statement rather than one supplied in the email.
Hoaxes are usually in the form of emails that do some or all of the following:
• Warn you that there is an undetectable, highly destructive new virus.
• Ask you to avoid reading emails with a particular subject line, e.g. Budweiser Frogs.
• Claim that the warning was issued by a major software company, internet provider or government agency, e.g. IBM, Microsoft, AOL or the FCC.
• Claim that a new virus can do something improbable, e.g. the "A moment of silence" hoax says that "no program needs to be exchanged for a new computer to be infected".
• Use techno-babble to describe virus effects, e.g. the "Good Times" hoax says that the virus can put the PC's processor into "an nth-complexity infinite binary loop".
• Urge you to forward the warning. If users do forward a hoax warning to all their friends and colleagues, there can be a deluge of email. This can overload mail servers and make them crash. The effect is the same as that of the real Sobig virus, but the hoaxer hasn’t even had to write any computer code.
It isn’t just end users who overreact. Companies who receive hoaxes often take drastic action, such as closing down a mail server or shutting down their network. This cripples communications more effectively than many real viruses, preventing access to email that may be really important. False warnings also distract from efforts to deal with real virus threats.
Hoaxes can be remarkably persistent too. Since hoaxes aren’t viruses, your anti-virus software can’t detect or disable them.
Computer viruses spread from one computer to another, and from one network to another, by making copies of themselves, usually without your knowledge. Viruses can have harmful effects, ranging from displaying irritating messages to stealing data or giving other users control over your computer.
A virus program has to be run before it can infect your computer. Viruses have ways of making sure that this happens. They can attach themselves to other programs, or hide in code that is run automatically when you open certain types of file. Sometimes they can exploit security flaws in your computer's operating system to run and spread themselves automatically.
You might receive an infected file in a variety of ways, including as an email attachment, in a download from the internet, or on a disk. As soon as the file is launched, the virus code runs. The virus can then copy itself to other files or disks and make changes on your computer.
A Trojan program claims to have one function (and may even appear to carry it out), but actually does something different, usually without your knowledge. For example, DLoader-L arrives in an email attachment and claims to be an urgent update from Microsoft for Windows XP. If you run it, it downloads a program that uses your computer to connect to certain websites, in an attempt to overload them (this is called a “denial-of-service” attack).
Trojans cannot spread as fast as viruses because they do not make copies of themselves. However, they now often work hand-in-hand with viruses. Viruses may download Trojans that record keystrokes or steal information – and some Trojans are used as a means of infecting a computer with a virus.
The SMTP protocol used to deliver email does not check who the sender is. Anyone who can connect to a mail server's SMTP port can send a message whose sender address appears to belong to that site; the address can be a genuine email address or a fictitious one. This is called "spoofing".
Spoofing can be put to a number of malicious uses. Phishers, criminals who trick users into revealing confidential information, use spoofed sender addresses to make it appear that their email comes from a trusted source, such as your bank. The email can redirect you to a bogus website (e.g. an imitation of an online banking site), where your account details and password can be stolen.
Phishers can also send email that appears to come from inside your own organization, e.g. from a system administrator, asking you to change your password or confirm your details. Criminals who use email for scams or frauds can use spoofed addresses to cover their tracks and avoid detection.
Spammers can use a spoofed sender address to make it appear that an innocent individual or company is sending out spam. Another advantage for them is that they are not inundated with non-delivery messages to their own email address. You can limit spoofing in various ways. A mail server has to accept SMTP connections in order to receive mail at all, so you cannot simply close the port; what you can do is refuse to relay mail from outside your network to destinations outside it unless the sender has authenticated, and treat with suspicion, or reject, connections from outside that claim a sender address in your own domain.
Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside must go through a central mail hub. This gives you centralized logging, which may assist in detecting the origin of mail spoofing attempts against your site.
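The two controls a central hub can apply at SMTP time, as an added example that is not the page's own code or any mail server's: refuse to relay for unauthenticated outsiders, and refuse mail from outside that claims a sender in your own domain, writing one log record per decision. The internal network range, the accepted domains and the sample sessions are constructed assumptions.

```python
# Added example, not part of the original page: the kind of policy a central
# mail hub can apply at SMTP time to refuse relaying and to reject mail that
# claims an internal sender but arrives from outside. The network range, the
# accepted domains and the sample sessions are constructed assumptions.
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # constructed: the company LAN
OUR_DOMAINS = {"example.com"}                # constructed: domains this hub accepts mail for


def is_internal(client_ip):
    ip = ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def addr_domain(addr):
    """Domain part of a MAIL FROM / RCPT TO argument; '' for the null sender '<>'."""
    addr = addr.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def policy(client_ip, authenticated, mail_from, rcpt_to):
    """Decide one MAIL FROM / RCPT TO pair: 'accept' or a rejection reason."""
    inside = is_internal(client_ip) or authenticated
    if addr_domain(rcpt_to) not in OUR_DOMAINS and not inside:
        return "reject: relaying denied"          # an open relay is what spammers look for
    if addr_domain(mail_from) in OUR_DOMAINS and not inside:
        return "reject: sender claims our domain from outside"
    return "accept"                               # includes the null sender used for bounces


def log_line(client_ip, authenticated, mail_from, rcpt_to):
    """One record for the hub's central log, including the decision."""
    verdict = policy(client_ip, authenticated, mail_from, rcpt_to)
    auth = "yes" if authenticated else "no"
    return f"client={client_ip} auth={auth} from={mail_from} to={rcpt_to} result={verdict}"
```

The second rule is deliberately blunt: it also rejects your own users sending from home without authenticating, and mail relayed by a mailing list that keeps the original sender address, so in practice you require authentication for your own users and publish sender policies (SPF and DKIM) so that other sites can make the same judgement about your domain. The point of routing everything through the hub is that these decisions and their log lines are in one place.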
Unlike phishing, which involves mass-mailing, spear phishing is small-scale and well-targeted. The spear phisher mails users in a single business. The emails appear to come from another member of staff at the same company and ask you to confirm a username and password. A common tactic is to pretend to be from a trusted department that might plausibly need such details, such as IT or Human Resources.
Sometimes you are redirected to a bogus version of the company website or intranet. When you reply, the phisher takes the details and misuses them. The spear phisher can easily generate the victims' addresses, for example by using spammers' software that combines given names and family names. He or she also needs to send emails to only a single domain, which makes it less likely that the email will be detected as spam.
The commonest types of spam concern:
• prescription drugs, drugs that enlarge or enhance body parts, herbal remedies, or weight-loss drugs
• get-rich-quick schemes
• financial services, e.g. mortgage offers or schemes for reducing debts
• qualifications, e.g. university degrees, or professional titles available for purchase
• online gambling
• cut-price or pirated software.
Spam sometimes comes in disguise, with a subject line that reads like a personal message, e.g. "Sorry about yesterday", a business message, e.g. "Your account renewal now due", or a non-delivery message. Spammers often disguise their email in an attempt to evade anti-spam software (see Obfuscated spam).
People send spam because it is profitable. Spammers can send millions of emails in a single campaign at negligible cost (and if they can hijack other people's computers to send the mail, the cost is even less). If even one recipient in ten thousand makes a purchase, the spammer can turn a profit.
Does spam matter?
• Spam wastes staff time. Users without anti-spam protection have to check which email is spam and then delete it.
• Users can easily overlook or delete important email, confusing it with spam.
• Spam, like hoaxes or email viruses, uses bandwidth and fills up mail databases.
• Some spam offends users. Employers may be held responsible, as they are expected to provide a safe working environment.
• Spammers often use other people's computers to send spam (see Zombie).
Share price scams, also known as "pump-and-dump" schemes, involve mass-mailing misleading tips about "high-performing" companies. Victims are encouraged to invest in a company's shares, pushing up the price artificially; the scammer then sells their own shares at a profit before the price collapses.
Pump-and-dump mail has all the characteristics of spam. It is unsolicited commercial mail, usually distributed from "zombie" PCs that have been taken over by hackers, and it uses obfuscation techniques to avoid anti-spam software (e.g. the subject line may use "st0ck" instead of "stock"). These emails also make inaccurate claims, although they may include some genuine information about the featured company to appear more plausible.
These scams harm both investors and small companies. When the bubble bursts and share prices plummet, investors lose their money. The collapse in value can also be devastating for companies that have limited assets.
The advice for dealing with these scams is the same as for any other spam: don’t buy, don’t try, don’t reply.
When malicious software, such as an internet worm, gains access to your computer, it sometimes installs a rootkit. This is often used to hide the presence of utilities that allow a hacker to open a “back door” that gives continuing access to the computer. The hidden utilities may also give the hacker rights to carry out functions that can usually only be performed by a user with special privileges. (On UNIX and Linux computers, such users are called “root”, and hence the name rootkit).
A rootkit can hide keystroke loggers or password sniffers, which capture confidential information and send it to hackers via the internet. It can also allow hackers to use the computer for illicit purposes, e.g. launching a "denial-of-service" attack against other computers, or sending out spam mail, without the user's knowledge. Even if a rootkit is not installed with malicious intent (as in the case of the Sony digital rights management software shipped on some music CDs to prevent copying), it can make the computer vulnerable to hackers, because anything else that uses the same hiding technique becomes invisible too.
Detecting rootkits is difficult. Once a rootkit is running, you cannot trust the computer's own reports of which processes are running or which files are in a directory, so traditional anti-virus software running on that computer may not find evidence of the rootkit's presence. A rootkit may also suspend its activity until the scanner has finished. A more reliable method is to turn off the computer, restart it from a clean rescue CD and scan the disk with anti-virus software from there. As the rootkit is not running, it cannot hide itself, although the scanner still has to recognize the rootkit's files for what they are.
Anti-virus programs can detect the Trojans or worms that typically install the rootkit, of course, and some programs can now detect the rootkit itself while it is running.
In the past, malicious software typically corrupted or deleted data, but now it can hold your data hostage instead. For example, the Archiveus Trojan copies the contents of "My Documents" into a password-protected file and then deletes the original files. It leaves a message telling you that you need a 30-character password to access the archive, and that you will be sent the password if you make purchases from an online pharmacy.
In that case, as in most ransomware so far, the password or key is concealed inside the Trojan's code and can be retrieved by virus analysts. However, hackers could instead use asymmetric or public-key encryption, which uses one key to encrypt the data and a different key to decrypt it. The Trojan would then only need to carry the public (encrypting) key, and the private key needed for recovery would never be present on your computer for an analyst to find. (Later ransomware families did exactly this.)
In some cases the threat to deny access is sufficient on its own. For example, the Ransom-A Trojan threatens to delete a file every 30 minutes until you pay for an "unlock code" via Western Union. If you enter an incorrect unlock code, the Trojan warns that the computer will crash after three days. However, the threats are a bluff, as Ransom-A is not capable of doing these things.
Potentially unwanted applications are programs that are not malicious but may be unsuitable on company networks.
Some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, dialers, non-malicious spyware, tools for administering PCs remotely, and hacking tools.
Certain anti-virus programs can detect such applications on users’ computers and report them. The administrator can then either authorize the applications for use or remove them from the computers.
Phishing is the use of bogus emails and websites to trick you into supplying confidential or personal information.
Typically, you receive an email that appears to come from a reputable organization, such as a bank. The email includes what appears to be a link to the organization's website. However, if you follow the link, you are connected to a replica of the website. Any details you enter, such as account numbers, PINs or passwords, can be stolen and used by the hackers who created the bogus site.
Sometimes the link displays the genuine website, but superimposes a bogus pop-up window. You can see the address of the real website in the background, but details you enter in the pop-up window can be stolen.
Sometimes the hacker uses a technique called "cross-site scripting": the link takes you to the correct website, but subverts it by pulling in content from elsewhere. Once again, the part of the site where you enter information is controlled by the hacker.
Phishing had its origins in the 1990s, when scammers used the technique to collect AOL account details so that they could gain free internet access. The details were called "phish" because they were gathered by "fishing" for users. The "ph" imitates the spelling of "phreaker", the term for those who used to hack into the telephone network.
You should always be wary about emails that use generic salutations, e.g. "Dear Customer", and about following links sent to you in emails. Instead, you should enter the website address in the address field and then navigate to the right page, or use a bookmark or a "Favorite" link. Even if you enter the address, there is a risk of being redirected to a bogus site (see Pharming), so you should always exercise caution.
Anti-spam software can block many phishing-related emails. Some software can detect phishing content on web pages or in email, and can provide a toolbar that shows the real domain of the website a link will take you to.
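The check behind that "real domain" toolbar, as an added example that is not the page's own code or any product's: pull every link out of an HTML email and compare where it really goes with what its text claims, flagging raw IP addresses and the "user@host" trick in which the part before the @ is a decoy and the real host follows it. The sample mail, the bank's domain and the addresses are constructed for the example, and the "registrable domain" is approximated by the last two labels, which is good enough here but not for real public suffixes such as co.uk.

```python
# Added example, not part of the original page: the check behind the "show the
# real domain" toolbar the page mentions, applied to the links in an HTML
# email. The sample mail, domains and addresses are constructed for the example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed phishing mail: two deceptive links and one honest one.
SAMPLE_MAIL = """<p>Dear Customer, please confirm your details at
<a href="http://203.0.113.9/login">https://www.mybank.example/login</a>
or <a href="http://www.mybank.example@203.0.113.9/">www.mybank.example</a>.
See also <a href="https://www.mybank.example/help">our help pages</a>.</p>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # crude "registrable domain": the last two labels (assumption; real code uses the public suffix list)
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def check_link(href, text):
    """Reasons a link looks like phishing; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""
    if parsed.username is not None:
        reasons.append("user@ before the host hides the real destination")
    if IPV4.fullmatch(host):
        reasons.append("raw IP address instead of a domain name")
    if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host):
        reasons.append(f"text shows {host_of(text)} but the link goes to {host}")
    return reasons


def scan_mail(html):
    """Return [(href, reasons)] for every link in the mail that raised a reason."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged
```

The honest third link passes because its text is not URL-like, so there is nothing to contradict. The comparison is made on the host the browser would actually connect to, which is why urlparse's hostname is used rather than the raw netloc.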
Pharming redirects you from a legitimate website to a bogus copy, allowing criminals to steal the information you enter.
Pharming exploits the way that website addresses are resolved.
Each computer on the internet has a numerical "IP address", e.g. 203.0.113.5. These are not easy to remember, so web addresses use a domain name, like sophos.com. Every time you type in an address, the domain name has to be turned back into an IP address. This is done by looking the name up in the Domain Name System (DNS), a service provided by servers across the internet, unless a "hosts file" on your own computer already lists an address for that name, in which case the hosts file wins and DNS is never consulted.
Hackers can subvert this process in two ways. They can send out a Trojan horse that rewrites the hosts file on your PC so that it associates the domain name with a bogus website. You are then directed to that site even though you enter the correct address. Alternatively, they can "poison" a DNS server's records, i.e. alter them so that anyone who uses that server and tries to visit the address is directed to the bogus site.
To limit the damage from pharming, make sure that you use secure web connections (https://) when you access sensitive sites. A redirect to a bogus site only passes the browser's checks if the hacker holds a certificate for the genuine domain name; otherwise the browser warns you that the site's certificate does not match the address being visited.
If you see a warning that a site's certificate is not valid, does not match the address, or was not issued by a trusted authority, do not proceed to the site. Note that https:// on its own only proves that you are talking to whoever holds a certificate for the name in the address bar, so also check that the name is the one you expect.
There are also software solutions. Some software can display a warning if you enter personal information in reply to an unknown email address. Other utilities can check whether websites or IP addresses are blacklisted.
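The hosts-file attack above is easy to check for, and the check is an added example that is not the page's own code or any product's: parse the hosts file, treat any entry for a site you log in to as a finding, and note any other entry that pins a name to a non-loopback address, since every such entry silently overrides DNS. The watched domains and the sample hosts file (whose last line is what a Trojan would plant) are constructed for the example; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems /etc/hosts.

```python
# Added example, not part of the original page: an audit of the local hosts
# file for the kind of entry a pharming Trojan plants. The watched domains and
# the sample hosts file are constructed for the example.
from ipaddress import ip_address

WATCHED = {"mybank.example", "paypal.example"}   # constructed: sites you log in to

# Constructed hosts file; the last line is what a pharming Trojan would add.
SAMPLE_HOSTS = """# sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver
203.0.113.9     www.mybank.example mybank.example   # planted by a Trojan
"""


def registrable(name):
    # crude "registrable domain": the last two labels (assumption, enough for the example)
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                      # not a hosts entry; skip
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def audit_hosts(text):
    """Return (line number, name, ip, severity) for entries worth a look:
    'high' if a watched domain is pinned at all, 'info' for any other
    non-loopback pin, since a hosts entry silently overrides DNS."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if registrable(name) in WATCHED:
            findings.append((lineno, name, str(ip), "high"))
        elif not ip.is_loopback:
            findings.append((lineno, name, str(ip), "info"))
    return findings
```

A banking site has no business appearing in a hosts file, so the "high" finding needs no further context. The DNS-poisoning variant cannot be caught this way; for that, comparing the answer from your resolver with the answer from a second, independent resolver is the equivalent check.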
Parasitic viruses, also known as file viruses, spread by attaching themselves to programs.
When you start a program infected with a parasitic virus, the virus code is run. To hide itself, the virus then passes control back to the original program.
The operating system on your computer sees the virus as part of the program you were trying to run and gives it the same rights. These rights allow the virus to copy itself, install itself in memory or make changes on your computer.
Parasitic viruses appeared early in virus history but they can still pose a threat.
Palmtops or PDAs provide new opportunities for viruses, but so far virus writers have shown little interest.
Palmtops or PDAs run special operating systems, such as Palm OS and Microsoft Pocket PC. These are vulnerable to malicious code, but so far the risks are low. There are currently only a few items of known malware written for Palm OS.
Virus writers prefer to target desktop systems, perhaps because they are more popular and allow viruses to spread rapidly via email and the internet.
The real risk at present is that your palmtop will act as a carrier. When you connect it to a home or office PC to synchronize data, a virus that is harmless on the palmtop could spread to the PC, where it can do harm. To avoid this risk, follow our tips on How to avoid viruses, Trojans, worms and spyware, and always run anti-virus software on your desktop computer.
users and redirect them to other websites.
Scammers copy pages from an established website and put them on a new site that appears to be legitimate. They register this new site with major search engines, so that users doing a search find and follow links to it. When the user arrives at the website, they are automatically redirected to a different site that displays advertising or offers of different services. They may also find that they cannot escape from the site without restarting their computer (see Mousetrapping).
Scammers use page-jacking to increase the number of visitors to a website. That means that their site commands more advertising revenue and is also more valuable if they decide to sell it. Alternatively, the scammer can redirect users to another site and claim a fee for "referring" visitors to that site.
Page-jacking annoys users and can confront them with offensive material. It also reduces revenue for legitimate websites, and makes search engines less useful. In some cases, page-jacking is used in phishing attacks.
To avoid page-jacking, use a bookmark or "Favorite" (but you must be sure that you did not set up the favorite at a page-jacked site), or type the desired website address (the URL) in directly.
www.sophos.com
fool anti-spam software.
Spammers are constantly trying to find ways to modify or conceal their messages so that your anti-spam software can't read them, but you can.
The simplest example of this "obfuscation" is putting spaces between the letters of words, hoping that anti-spam software will not read the letters as one word, for example
V I A G R A
Another common technique is to use misspellings or non-standard characters, for example
V!agra
These tricks are easily detected.
More advanced techniques exploit the use of HTML code (normally used for writing web pages) in email. This allows the spammer to write messages that anti-spam software "sees" quite differently from the way you see them.
For example, words can be written using numerical HTML character codes for each letter, e.g. instead of "Viagra", you can write
&#86;&#105;&#97;&#103;&#114;&#97;
which your mail program displays as "Viagra".
HTML can also allow the reader to see one message while the anti-spam software sees another, more innocent one. The more innocent message is written in the same color as the background, so it is invisible to the reader but present in the text that a filter examines:
Viagra
Hi, Johnny! It was nice to have dinner with you.
Spammers often include large amounts of hidden text, often cut from online reference books, to try to fool anti-spam software that assesses mail according to the frequency of certain key words.
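The counter-measure to every trick above is the same: recover the text the reader actually sees, then undo the disguises before matching keywords. As an added example that is not the page's own code or any product's, the following decodes numeric character references (the HTML parser does that for free), separates text styled in the background colour from visible text, joins spaced-out letters, maps the usual digit-for-letter substitutions, and reports both the keywords found and how much of the message was hidden padding. The sample message, the white-background assumption and the keyword list are constructed for the example.

```python
# Added example, not part of the original page: turning the HTML a spammer
# sends into the text the reader actually sees, then normalizing the tricks
# above before matching keywords. The sample message, the background colour
# assumption (#ffffff) and the keyword list are constructed for the example.
import re
from html.parser import HTMLParser

KEYWORDS = {"viagra", "mortgage", "stock"}
# Common substitutions: "V!agra" -> "viagra", "st0ck" -> "stock"
LEET = str.maketrans({"!": "i", "1": "l", "|": "l", "0": "o", "3": "e",
                      "@": "a", "4": "a", "$": "s", "5": "s"})
SPACED = re.compile(r"(?<!\S)(?:\S ){2,}\S(?!\S)")   # "V I A G R A"
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

# Constructed spam: spaced letters, a substitution, numeric character
# references, two runs of hidden text and a "st0ck" tip.
SAMPLE = """<html><body>
<p>Buy V I A G R A and V!agra online, also &#86;&#105;&#97;&#103;&#114;&#97; cheap.</p>
<p style="color:#ffffff">Hi, Johnny! It was nice to have dinner with you. The quick brown fox.</p>
<font color="#FFFFFF">call me tomorrow about the dinner</font>
<p>Hot st0ck tip inside.</p>
</body></html>"""


class VisibleText(HTMLParser):
    """Split a message into text the reader sees and text hidden in the
    background colour. Numeric character references are decoded by the parser."""
    def __init__(self, background="#ffffff"):
        super().__init__()
        self.bg = background.lower()
        self.stack = []          # one flag per open element: hidden or not
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        style = (a.get("style") or "").lower().replace(" ", "")
        color = (a.get("color") or "").lower()
        hidden = color == self.bg or re.search(
            r"(^|;)color:" + re.escape(self.bg) + r"(;|$)", style) is not None
        self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        (self.hidden if any(self.stack) else self.visible).append(data)


def normalize(text):
    text = SPACED.sub(lambda m: m.group(0).replace(" ", ""), text)   # join spaced letters
    return text.translate(LEET).lower()                               # undo substitutions


def analyze(html):
    p = VisibleText()
    p.feed(html)
    visible = "".join(p.visible)
    norm = normalize(visible)
    return {
        "terms": sorted(k for k in KEYWORDS if k in norm),
        "visible_chars": len(visible),
        "hidden_chars": len("".join(p.hidden)),   # padding meant for the filter, not the reader
    }
```

On the sample, all three spellings of the first keyword collapse to one, "st0ck" becomes "stock", and more characters are hidden than visible, which is itself a strong signal: genuine mail has no reason to carry text the reader cannot see. The substitution table is deliberately aggressive (it would also turn a real part number into letters), so a production filter scores the normalized and the raw text separately rather than replacing one with the other.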
If you are redirected to a bogus website, you may find that you cannot leave it with the back or close buttons. In some cases, entering a new web address does not let you escape either.
The site that mousetraps you will either not allow you to visit another address, or will open another browser window displaying the same site. Some mousetraps let you quit after a number of attempts, but others do not.
To escape, use a bookmark or "Favorite", or open the list of recently visited addresses and select the next-to-last. You can also press Ctrl+Alt+Del and use the Task Manager to shut down the browser or, if that fails, restart the computer.
To reduce the risk of mousetrapping, you can disable JavaScript in your internet browser. This prevents you from being trapped at sites that rely on scripting, but it also affects the look and feel of websites.
Mobiles can be infected by worms that spread themselves via Bluetooth or the mobile phone network.
In 2004, the first mobile phone worm was written. The Cabir-A worm affects phones that use the Symbian operating system, and is transmitted as a Symbian installation (SIS) file posing as a phone game. If you launch the file, a message appears on the screen, and the worm is run each time you turn the phone on thereafter. Cabir-A searches for other mobile phones nearby using Bluetooth, and sends itself to the first it finds.
There are also conventional viruses that send messages to mobile phones. For example, Timo-A uses computer modems to send text (SMS) messages to selected mobile numbers, but in cases like these the virus can't infect or harm the mobile phone.
Until now, the risks for mobile phones have been few. The reason could be that they use many different operating systems, and that the software and device characteristics change so rapidly.
internet connections.
Internet worms travel between connected computers by exploiting security "holes" in the computer's operating system. The Blaster worm, for example, takes advantage of a weakness in the Remote Procedure Call (RPC) service that runs on unpatched Windows NT, 2000 and XP computers, and uses it to send a copy of itself to another computer.
Many viruses, such as MyDoom or Bagle, now behave like worms and use email to forward themselves.
A worm can have malicious effects. For example, it may use affected computers to deluge websites with requests or data, causing them to crash (a "denial-of-service" attack). Alternatively, it can encrypt a user's files and make them unusable. In either case, companies can be blackmailed.
Many worms open a "back door" on the computer, allowing hackers to take control of it. Such computers can then be used to send spam mail (see Zombie).
Quite apart from such effects, the network traffic generated by a fast-spreading worm can slow down communications. The Blaster worm, for example, creates a lot of traffic on the internet as it spreads, slowing down communications or causing computers to crash. Later it uses the affected computer to bombard a Microsoft website with data, with the aim of making it inaccessible.
Microsoft (and other operating system vendors) issue patches to fix security loopholes in their software. You should update your computer regularly, by turning on automatic updates where they are offered or by visiting the vendor's website. Because a worm like Blaster needs no action from the user, patches and a firewall that blocks the vulnerable service from the internet are the only things standing in its way.
Many of the most prolific viruses distribute themselves automatically by email.
Typically, email-aware viruses depend on the user double-clicking on an attachment. This runs the malicious code, which then mails itself to other people from that computer. The Netsky virus, for example, searches the computer for files that may contain email addresses, and then uses the email client on your computer to send itself to those addresses. Some viruses, like Sobig-F, don't even need your email client; they include their own "SMTP engine" for constructing and sending the email messages.
Any attachment that you receive by email could carry a virus, and launching such an attachment can infect your computer.
Even an attachment that appears to be a safe type of file, e.g. a file with a .txt extension, can pose a threat. That file may be a malicious VBS script named, say, readme.txt.vbs, with the real file type (.vbs) hidden from view because Windows hides known file extensions by default.
Some viruses, such as Kakworm and Bubbleboy, can infect users as soon as they read email, exploiting a vulnerability in the operating system or mail program. They look like any other message but contain a hidden script that runs as soon as you open the email, or even view it in the preview pane (as long as you are using Outlook with the right version of Internet Explorer). This script can change system settings and send the virus to other users via email.
Email viruses may compromise your computer's security or steal data, but their most common effect is to create excessive email traffic and crash servers.
To avoid email viruses, you should run anti-virus software and avoid clicking on unexpected attachments. You should also install the patches issued by software vendors, as these close the vulnerabilities exploited by email viruses.
that are embedded in files and run automatically.
Many applications, such as word processing and spreadsheet programs, use macros.
A macro virus is a macro program that can copy itself and spread from one file to another. If you open a file that contains a macro virus, the virus copies itself into the application's startup files. The computer is now infected.
When you next open a file using the same application, the virus infects that file. If your computer is on a network, the infection can spread rapidly: when you send an infected file to someone else, they can become infected too. A malicious macro can also make changes to your documents or settings.
Macro viruses infect files used in most offices, and some can infect several file types, such as Word and Excel files. They can also spread to any platform on which their host application runs.
Macro viruses first appeared in the mid-1990s and rapidly became the most serious virus threat of that time. Few viruses of this type are seen now.
Dialers
premium-rate number.
Dialers are not always malicious. Legitimate companies that offer downloads or games
may expect you to use a premium-rate line to access their services. A pop-up prompts
you to download the dialer and tells you how much calls will cost.
Other dialers may install themselves without your knowledge when you click on a
pop-up message (for example, a message warning you about a virus on your computer
and offering a solution). These do not offer access to any special services – they simply
divert your connection so that you access the internet via a premium-rate number.
Broadband users are usually safe, even if a dialer installs itself. This is because
broadband doesn’t use regular phone numbers, and because broadband users don’t
usually have a dial-up modem connected.
Anti-virus software can detect and eliminate Trojan horse programs that install dialers.
Cookies
your details.
When you visit a website, it can place a file called a cookie on your computer. This
enables the website to remember your details and track your visits. Cookies can be a
threat to confidentiality, but not to your data.
Cookies were designed to be helpful. For example, if you submit your ID when you visit
a website, a cookie can store this data, so that you don’t have to re-enter it next time.
Cookies also have benefits for webmasters, as they show which web pages are well
used, providing useful input when planning a redesign of the site.
Cookies are small text files and cannot harm your data. However, they can compromise
your confidentiality. Cookies can be stored on your computer without your knowledge or
consent, and they contain information about you in a form you can’t access easily. And
when you revisit the same website, this data is passed back to the web server, again
without your consent.
Websites gradually build up a profile of your browsing behavior and interests. This
information can be sold or shared with other sites, allowing advertisers to match ads
to your interests, ensure that consecutive ads are displayed as you visit different sites,
and track the number of times you have seen an ad.
If you prefer to remain anonymous, use the security settings on your internet browser to
disable cookies.
Chain letters
to other people.
Chain letters, like virus hoaxes, depend on you, rather than on computer code, to
propagate themselves. The main types are:
• Hoaxes about terrorist attacks, premium-rate phone line scams, thefts from ATMs
and so forth.
• False claims that companies are offering free flights, free mobile phones, or cash
rewards if you forward email.
• Messages, which purport to be from agencies like the CIA and FBI, warning about
dangerous criminals in your area.
• Petitions. Even if genuine, they continue to circulate long after their expiry date.
• Jokes and pranks, e.g. the claim that the internet would be closed for maintenance
on 1 April.
Chain letters don’t threaten your security, but they can waste time, spread
misinformation and distract users from genuine email.
They can also create unnecessary email traffi c and slow down mail servers. In some
cases the chain letter encourages people to send email to certain addresses, so that
these are deluged with unsolicited mail.
The solution to the chain letter problem is simple: don’t forward such mail.
Browser hijackers
internet browser.
Some websites run a script that changes the settings in your browser without your
permission. This hijacker can add shortcuts to your “Favorites” folder or, more seriously,
can change the page that is first displayed when you open the browser.
You may find that you cannot change your browser’s start page back to your chosen
site. Some hijackers edit the Windows registry so that the hijacked settings are restored
every time you restart your computer. Others remove options from the browser’s tools
menu, so that you can’t reset the start page.
In every case, the intention is the same: to force you to visit a website. This inflates
the number of “hits” and the site’s ranking with search engines, which boosts the
advertising revenue that the site can earn.
Browser hijackers can be very tenacious. Some can be removed automatically by
security software. Others may need to be removed manually. In some cases, it is easier
to restore the computer to an earlier state or reinstall the operating system.
Boot sector viruses
computer to start up.
When you switch on a computer, the hardware looks for the boot sector program –
which is usually on the hard disk, but can be on a floppy disk or CD – and runs it. This
program then loads the rest of the operating system into memory.
A boot sector virus replaces the original boot sector with its own, modified version (and
usually hides the original somewhere else on the hard disk). When you next start up,
the infected boot sector is used and the virus becomes active.
You can only become infected if you boot up your computer from an infected disk, e.g.
a floppy disk that has an infected boot sector.
Boot sector viruses were the first type of virus to appear, and they are mostly quite old.
They are rarely encountered today.
Bluejacking
with Bluetooth-enabled mobile phones or laptops.
Bluejacking depends on the ability of Bluetooth phones to detect and contact other
Bluetooth devices nearby. The Bluejacker uses a feature originally intended for
exchanging contact details or “electronic business cards”. He or she adds a new entry
to the phone’s address book, types in a message, and chooses to send it via Bluetooth.
The phone searches for other Bluetooth phones and, if it finds one, sends the message.
Despite its name, Bluejacking is essentially harmless. The Bluejacker does not steal
personal information or take control of your phone.
Bluejacking can be a problem if it is used to send obscene or threatening messages or
images, or to send advertising. If you want to avoid such messages, you can turn off
Bluetooth, or set it to “undiscoverable”.
Bluetooth-enabled devices may also be at risk from the more serious Bluesnarfing.
Bluesnarfing
Bluesnarfing is the theft of data from a Bluetooth phone.
Like Bluejacking, Bluesnarfing depends on the ability of Bluetooth-enabled devices to
detect and contact others nearby.
In theory, a Bluetooth user running the right software on their laptop can discover a
nearby phone, connect to it without your confi rmation, and download your phonebook,
pictures of contacts and calendar.
Your mobile phone’s serial number can also be downloaded and used to clone the
phone.
You should turn off Bluetooth or set it to “undiscoverable”. The undiscoverable setting
allows you to continue using Bluetooth products like headsets, but means that your
phone is not visible to others.
Backdoor Trojans
computer via the internet without their permission.
A backdoor Trojan may pose as legitimate software, just as other Trojan horse programs
do, so that users run it. Alternatively – as is now increasingly common – users may
allow Trojans onto their computer by following a link in spam mail.
Once the Trojan is run, it adds itself to the computer’s startup routine. It can then
monitor the computer until the user is connected to the internet. When the computer
goes online, the person who sent the Trojan can perform many actions – for example,
run programs on the infected computer, access personal files, modify and upload files,
track the user’s keystrokes, or send out spam mail.
Well-known backdoor Trojans include Subseven, BackOrifice and, more recently,
Graybird, which was disguised as a fix for the notorious Blaster worm.
To avoid backdoor Trojans, you should keep your computers up to date with the latest
patches (to close down vulnerabilities in the operating system), and run anti-spam
and anti-virus software. You should also run a firewall, which can prevent Trojans from
accessing the internet to make contact with the hacker.
Denial-of-service attacks
computer or website.
In a DoS attack, a hacker attempts to overload or shut down a computer, so that
legitimate users can no longer access it. Typical DoS attacks target web servers
and aim to make websites unavailable. No data is stolen or compromised, but the
interruption to the service can be costly for a company.
The most common type of DoS attack involves sending more traffic to a computer than
it can handle. Rudimentary methods include sending outsized data packets or sending
email attachments with names that are longer than permitted by the mail programs.
An attack can also exploit the way that a “session” of communications is established
when a user first contacts the computer. If the hacker sends many requests for a
connection rapidly and then fails to respond to the reply, the bogus requests are left in
a buffer for a while. Genuine users’ requests cannot be processed, so that they can’t
contact the computer.
Another method is to send an “IP ping” message (message requiring a response from
other computers) that appears to come from the victim’s computer. The message goes
out to a large number of computers, which all try to respond. The victim is flooded with
replies and the computer can no longer handle genuine traffic.
A distributed denial-of-service attack uses numerous computers to launch the attack.
Typically, hackers use a virus or Trojan to open a “back door” on other people’s
computers and take control of them. These “zombie” computers can be used to launch
a coordinated denial-of-service attack.
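Two of the patterns described above, the half-open connection requests left in a buffer and the flood of ping replies to a host that never sent the requests, expressed as counting heuristics a defender might run over connection records. This is an added example, not code from the original text; the event format, the addresses (taken from the RFC 5737 documentation ranges), the sample events and the thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample events (not captured from any real network). Each is
# (proto, src, src_port, dst, kind); addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # a legitimate client completing two handshakes with the web server
    ("tcp", "10.0.0.5", 40001, "192.0.2.10", "syn"),
    ("tcp", "10.0.0.5", 40001, "192.0.2.10", "ack"),
    ("tcp", "10.0.0.5", 40002, "192.0.2.10", "syn"),
    ("tcp", "10.0.0.5", 40002, "192.0.2.10", "ack"),
    # the same client pings the server once and receives one reply
    ("icmp", "10.0.0.5", 0, "192.0.2.10", "echo-request"),
    ("icmp", "192.0.2.10", 0, "10.0.0.5", "echo-reply"),
]
# a source that keeps requesting connections and never completes them
SAMPLE_EVENTS += [("tcp", "198.51.100.7", 50000 + i, "192.0.2.10", "syn")
                  for i in range(8)]
# ping replies converging on a host that sent no requests (spoofed source)
SAMPLE_EVENTS += [("icmp", f"203.0.113.{i}", 0, "192.0.2.10", "echo-reply")
                  for i in range(1, 7)]


def half_open_by_source(events):
    """Count TCP SYNs per source that never saw an ACK on the same
    (src, src_port, dst) tuple, i.e. sessions left sitting in the buffer.
    Returns {src: count} for sources with at least one half-open session."""
    pending = {}
    for proto, src, sport, dst, kind in events:
        if proto != "tcp":
            continue
        key = (src, sport, dst)
        if kind == "syn":
            pending[key] = True
        elif kind == "ack":
            pending.pop(key, None)
    counts = defaultdict(int)
    for src, _sport, _dst in pending:
        counts[src] += 1
    return dict(counts)


def unsolicited_echo_replies(events):
    """Count ICMP echo replies delivered to hosts that sent no echo request,
    the signature of replies triggered by a forged source address.
    Returns {dst: count}."""
    requesters = {src for proto, src, _sp, _dst, kind in events
                  if proto == "icmp" and kind == "echo-request"}
    counts = defaultdict(int)
    for proto, _src, _sp, dst, kind in events:
        if proto == "icmp" and kind == "echo-reply" and dst not in requesters:
            counts[dst] += 1
    return dict(counts)


def find_floods(events, syn_threshold=5, reply_threshold=5):
    """Return (finding, host, count) tuples for hosts above the thresholds."""
    findings = []
    for src, n in half_open_by_source(events).items():
        if n >= syn_threshold:
            findings.append(("half-open-syn-flood", src, n))
    for dst, n in unsolicited_echo_replies(events).items():
        if n >= reply_threshold:
            findings.append(("unsolicited-echo-replies", dst, n))
    return findings


if __name__ == "__main__":
    for finding in find_floods(SAMPLE_EVENTS):
        print(*finding)
```

A production version would evaluate these counts over a sliding time window and would treat the SYN heuristic per destination as well as per source, since a distributed attack spreads the half-open sessions across many zombie sources; the logic above shows the shape of the check, not a tuned detector.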
Adware, or advertising-supported software, displays advertising banners or pop-ups on
your computer when you use the application. This is not necessarily a bad thing. Such
advertising can fund the development of useful software, which is then distributed free
(for example, the Opera web browser).
However, adware becomes a problem if it:
• installs itself on your computer without your consent
• installs itself in applications other than the one it came with and displays advertising
when you use those applications
• hijacks your web browser in order to display more ads (see Browser hijackers)
• gathers data on your web browsing without your consent and sends it to others via
the internet (see Spyware)
• is designed to be difficult to uninstall.
Adware can slow down your PC. It can also slow down your internet connection by
downloading advertisements. Sometimes programming flaws in the adware can make
your computer unstable.
Advertising pop-ups can also distract you and waste your time if they have to be closed
before you can continue using your PC.
Some anti-virus programs detect adware and report it as “potentially unwanted
applications”. You can then either authorize the adware program or remove it from the
computer. There are also dedicated programs for detecting adware.
What is spy-ware?
Spy-ware is Internet jargon for Advertising Supported software (Ad-ware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer them to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don't have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them, by paying the regular licensing fee.
Known spywares
There are thousands out there, and new ones are added to the list every day. But here are a few:
Alexa, Aureate/Radiate, BargainBuddy, ClickTillUWin, Conducent Timesink, Cydoor, Comet Cursor, eZula/KaZaa Toptext, Flashpoint/Flashtrack, Flyswat, Gator, GoHip, Hotbar, ISTbar, Lions Pride Enterprises/Blazing Logic/Trek Blue, Lop (C2Media), Mattel Brodcast, Morpheus, NewDotNet, Realplayer, Songspy, Xupiter, Web3000, WebHancer, Windows Messenger Service.
How to check if a program has spyware?
There is this little site that keeps a database of programs that are known to install spyware.
Check Here: http://www.spywareguide.com/product_search.php
If you would like to block pop-ups (IE Pop-ups).
There are tons of different types out there, but these are the 2 best, I think.
Try: Google Toolbar (http://toolbar.google.com/) This program is Free
Try: AdMuncher (http://www.admuncher.com) This program is Shareware
If you want to remove the "spyware" try these.
Try: Lavasoft Ad-Aware (http://www.lavasoftusa.com/) This program is Free
Info: Ad-aware is a multi spyware removal utility that scans your memory, registry and hard drives for known spyware components and lets you remove them. The included backup manager lets you reinstall a backup, and it offers multi-language support.
Try: Spybot-S&D (http://www.safer-networking.org/) This program is Free
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer. Blocks ActiveX downloads, tracking cookies and other threats. Over 10,000 detection files and entries. Provides detailed information about found problems.
Try: BPS Spyware and Adware Remover (http://www.bulletproofsoft.com/spyware-remover.html) This program is Shareware
Info: Adware, spyware, trackware and big brotherware removal utility with multi-language support. It scans your memory, registry and drives for known spyware and lets you remove them. Displays a list and lets you select the items you'd like to remove.
Try: Spy Sweeper v2.2 (http://www.webroot.com/wb/products/spysweeper/index.php) This program is Shareware
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer.
The best scanner out there, and updated all the time.
Try: HijackThis 1.97.7 (http://www.spywareinfo.com/~merijn/downloads.html) This program is Freeware
Info: HijackThis is a tool, that lists all installed browser add-on, buttons, startup items and allows you to inspect them, and optionally remove selected items.
If you would like to prevent "spyware" being installed.
Try: SpywareBlaster 2.6.1 (http://www.wilderssecurity.net/spywareblaster.html) This program is Free
Info: SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
Try: SpywareGuard 2.2 (http://www.wilderssecurity.net/spywareguard.html) This program is Free
Info: SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected.
Try: XP-AntiSpy (http://www.xp-antispy.org/) This program is Free
Info: XP-AntiSpy is a small utility to quickly disable some built-in update and authentication features in Windows XP that may raise security or privacy concerns in some people.
Try: SpySites (http://camtech2000.net/Pages/SpySites_Prog...ml#SpySitesFree) This program is Free
Info: SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software.
If you would like more Information about "spyware".
Check these sites.
http://www.spychecker.com/
http://www.spywareguide.com/
http://www.cexx.org/adware.htm
http://www.theinfomaniac.net/infomaniac/co...rsSpyware.shtml
http://www.thiefware.com/links/
http://simplythebest.net/info/spyware.html
Useful tools...
Try: Stop Windows Messenger Spam 1.10 (http://www.jester2k.pwp.blueyonder.co.uk/j...r2ksoftware.htm) This program is Free
Info: "Stop Windows Messenger Spam" stops this Service from running and halts the spammers ability to send you these messages.
----------------------------------------------------------------------------
All these programs will help remove and prevent evil spammers and spyware attacking your PC. I myself recommend getting "spyblaster", "s&d spybot", "spy sweeper" & "admuncher" to protect your PC. A weekly scan is also recommended.
BIOS Overview
When a computer is first started, it needs some direction as to what to do. It needs to know where to find the OS's startup files, how hardware is to be accessed by the OS, what hardware is installed on the system, among other things. It is the job of the BIOS to perform these tasks. BIOSs are made by a number of different companies, often customized by the motherboard manufacturers or system builders for a particular motherboard or computer. Some common BIOS brand names are Phoenix™, AMIBIOS®, Award™, IBM®, and MR BIOS®. They are in the form of CMOS chips that store the information.
Power On Self Test (POST)
The first event that happens when a computer is powered on is the POST, performed by the BIOS. The POST consists of a quick series of diagnostic tests, mostly to make certain that essential hardware is present and operating. The most essential hardware is the BIOS itself, processor, memory, video system, and a source of OS startup files (almost always a hard drive). The POST first checks the BIOS, and then the other items. If any of these are not operating correctly, the computer might not start or run correctly. As long as the BIOS program is not set to "Quiet Boot," the POST will give a single beep to let you know that all the tests were successful. If the POST detects problems, it will give a beep code and/or a text message to let you know what is wrong. You can find a list of common beep codes on the accompanying CD-ROM.
Setup Program
The program run by the BIOS is usually called the setup program. Different motherboard manufacturers vary as to how to access the setup program. The most common method is to press a given key just after the first information appears on the screen after the computer is powered on. Often, the screen will give a prompt such as "Press Delete to access Setup."
Note: Before you go into a setup program, make sure that you are ready to write down any changes you make. Some setting changes can render a computer unbootable, and if you don't know which changes you made, you'll have a difficult time finding the change that caused the problem.
To help prevent changes from causing serious problems, BIOS manufacturers offer a way out. After you have changed BIOS settings, setup programs offer you a choice to accept or discard changes as you exit the program. Use this function if you are unsure of any changes you have made, or if you haven't recorded those changes on paper. You can always go back and make the changes again. Figures 2.1 and 2.2 show examples of setup screens.
Important BIOS Settings and Information
Because there is so much variability among setup programs on different BIOSs, we will cover common and important items only.
System Date and Time: This can also be set in Windows.
BIOS version number: Sometimes it is necessary to update the BIOS. BIOS programs are delineated by version numbers; if the motherboard or computer manufacturer's Web page shows a download with a higher number, that means a more recent BIOS is available. See Chapter 3, "Motherboards and their Components," for more information on updating BIOSs.
Port assignments: If the computer has ports (serial, parallel, etc.) that are not being used, and it is necessary to free up their resources, you can disable them in the setup program. Conversely, if you need to use them and they are disabled, you can re-enable them in Setup.
Supervisor and user passwords: You can set passwords for the computer.
Note: If you set a supervisor password and forget what it is, you can also forget about retrieving it, and you might not be able to finish booting the computer. Sometimes, there are steps you can take to reset the password. See Chapter 3 for more information.
Power settings (ACPI, or Advanced Configuration and Power Interface): Contains power use settings including those for hibernation, standby, and in battery-powered computers, power conservation settings. Often, BIOSs contain settings that allow proper shutdown of Windows just by pressing the power button on the computer or keyboard once. Some systems have different levels of standby types.
Boot order: Traditionally, a computer is set to boot first from the floppy drive, and then from the main hard drive (Drive C). This means that the computer will check the floppy drive first for boot files. If there is no disk in the floppy drive, the computer will then go to the hard drive to look for boot files. That is why if you leave a non-bootable floppy disk in the drive and try to boot up, you'll get an error message such as "NTLDR is missing. Press any key to restart." or "Non-system disk or disk error." This can be changed to pretty much any order, including CD and DVD drives. It is useful when installing Windows on a new or just-formatted computer to set the computer to boot first from a CD-ROM drive, and then insert the Windows installation CD-ROM into that drive. This saves you from having to use boot floppies that might or might not come with the Windows CD-ROM.
Memory settings, DRAM Timing: Don't change these unless so instructed by a support technician.
AGP Aperture: Don't change unless you are familiar with troubleshooting techniques and feel comfortable in this area. The main thing to remember here is that the AGP Aperture Size should almost always be set to at least 16MB and never to more than the actual physical RAM installed in the system. This setting will allow a possible increase in graphics (video) performance by permitting the graphics system to share system memory if needed. A higher setting often (but not always) means better graphics performance, so test the results of any change you make here by viewing the graphics performance.
CPU Frequency, Voltage Control, other settings such as frequency (speed): On many BIOSs, this can be set automatically or manually. If you're setting them manually, you have to know the exact settings for your CPU so you don't damage your motherboard or CPU. Settings other than those specified by the CPU manufacturer should be made only by very experienced technicians.
PC Health: These include CPU and system temperatures at which warnings are made and shutdowns occur.
Integrated peripherals: These are items such as sound "cards" and network adapters that are part of the motherboard. The most common use of these settings is to disable these devices when additional peripherals of the same type are installed. For example, if the user installs an expansion sound card on a system that has onboard sound (because the onboard sound device has failed or because the user wants to upgrade to a better sound device), the onboard sound needs to be disabled to prevent problems that can occur with two active sound cards.
Interrupts (IRQs): These settings can also be changed in the Windows Device Manager (we provide more information later in this chapter).
Extended System Configuration Data (ESCD): If this setting is available, it should be enabled every time a new component is installed in the computer. Each time ESCD is enabled, the configuration resets at next boot. If a computer won't boot after installation of a new component, enabling ESCD and rebooting the system can sometimes solve the problem.
IDE Detection: This is normally set to Auto for automatic detection of IDE disk drives. Disabling auto-detection on unused drive channels can speed the boot process. See Chapter 6, "Magnetic Disk Drives," for more information on IDE drives.
Self-Monitoring Analysis and Reporting Technology (S.M.A.R.T.) drives: This technology, incorporated into most modern IDE hard drives, can alert the user of possible impending hard drive failure and most likely allow for data backup before this happens. Because of this, S.M.A.R.T. drive support should always be enabled in the setup program. Interestingly, computers are often delivered from the factory with S.M.A.R.T. drive support disabled.
Plug and Play (PnP) settings: We describe Plug and Play capability later in this chapter. PnP should be enabled in the vast majority of cases. Sometimes in Windows 95, you will have to disable Plug and Play support. There are certain other unusual situations that require you to disable Plug and Play, as you might find when researching certain problems or reading installation manuals.
Load defaults: Setup programs have default settings. Loading default settings is a good way to get your computer back to its original configuration. Do this only if all else fails. Before loading the default settings, go through each screen and write down every setting. Some devices might not work with the default settings.
Labels: PC Repair and Maintenance

