Spyware Awareness in Today’s Environment

Posted by admin on December 30th, 2008 — Posted in Security + More

Computer users are quickly learning about the newest and most widespread threat facing internet use. Spyware has spread to more than 90 percent of computers, surprising users who were unaware of the threat and forcing them to look for a solution to the invasion of their privacy.

Spyware programs run on users’ computers without their knowledge. They monitor and record the web sites you visit, the purchases you make, outgoing and incoming e-mails and chat messages, and some types of spyware are capable of logging your credit card numbers, bank accounts, personal identification numbers, passwords and more.

Dial-up internet users are at risk of being hijacked by a dialer. Dialers use your internet connection to call 900 numbers and remote areas, billing the fees to you. A spyware infection can take control of your computer and browser, which could result in file damage. The build-up of spyware on your computer will slow the system down and make the internet connection drag because of the constant stream of pop-up ads.

Users should understand that while it is good to have anti-virus and firewall protection, those tools cannot detect all spyware, which is why a program specifically for spyware detection is needed in addition to the other security software. Identity theft in the nation is also on the rise, and many of the cases are a result of spyware.

Another factor contributing to a noticeably slower computer could be adware. Working similarly to spyware, adware repeatedly puts pop-up ads on your computer, and over time the side effects can damage your computer.

Numerous spyware and adware removal programs can be downloaded, many of them free, to rid your computer of malware infestations.

Mitch Johnson is a successful freelance author that writes regularly for http://www.1st-in-remove-spyware.com/, a site that focuses primarily on spyware detection software, as well as tips on how to avoid spyware from popping up on your computer. His articles have also been featured on related spyware sites such as http://www.best-in-spyware-detection.com/ and http://www.best-sypware-removal-reviews.com/

Are Your Servers Secure?

Posted by admin on October 14th, 2008 — Posted in Security + More

In a word, No. No machine connected to the internet is 100% secure. This doesn’t mean that you are helpless: you can take measures to avoid hacks, but you cannot avoid them completely. It is like a house: when the windows and doors are open, the probability of a thief coming in is high; if the doors and windows are closed and locked, the probability of being robbed is lower, but still not nil.

1 What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

2 Why do we need Information Sec?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. “IT is everywhere.”

A lot of sensitive information passes through the Internet, such as credit card data, mission-critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transit. There are countless horror stories of what happens when an outsider gets someone’s credit card or financial information: they can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know, “An ounce of prevention beats a pound of cure,” so to avoid such critical situations it is advisable to have a good security policy and security implementation.

3 Security Framework

The following illustrates the framework needed to implement a functioning security implementation:

[ Risk Analysis ]   [ Business Requirements ]
           \             /
          [ Security Policy ]
                  |
[ Security Service, Mechanisms, and Objects ]
                  |
[ Security Management, Monitoring, Detection and Response ]

This framework shows the basic steps in the life cycle of securing a system. “Risk Analysis” deals with the risk associated with the data on the server to be secured. “Business Requirements” is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation.

The “Security Policy” covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. “Security Service, Mechanisms and Objects” is the implementation part of security. “Security Management, Monitoring, Detection and Response” is the operational face of security: how we find a security breach, and how we react when one is found.

4 Security Policy

The Security Policy is a document which addresses the following areas:

  • Authentication: This section deals with how users prove who they are,
    which users can or cannot access the system, the minimum password length
    allowed, how long a user can be idle before being logged out, etc.
  • Authorization: This area deals with classifying user levels and
    what each level is allowed to do on the system, which users can
    become root, etc.
  • Data Protection: Data protection deals with the details like
    what data should be protected and who can access which levels of
    data on the system.
  • Internet Access: This area deals with the details of the users
    having access to the internet and what they can do there.
  • Internet Services: This section deals with what services on the
    server are accessible from the internet and which are not.
  • Security Audit: This area addresses how audit and review of
    security related areas and processes will be done.
  • Incident Handling: This area addresses the steps and measures
    to be taken if there is a breach of security. This also covers the
    steps to find out the actual culprit and the methods to prevent
    future incidents.
  • Responsibilities: This part covers who will be contacted at any
    given stage of an incident and the responsibilities of the
    administrator(s) during and after the incident. This is a very
    important area, since the operation of the incident handling
    mechanism is dependent on it.

5 Types of Information Security

There are two types of security: (1) physical security / host security and (2) network security. Each of these has three parts:

  • Protection: Slow down or stop intrusions or damage
  • Detection: Alert someone if a breach (or attempted breach) of
    security occurs, and quantify and qualify what sort of damage
    occurred or would have occurred.
  • Recovery: Re-secure the system or data after the breach or
    damage and where possible, undo whatever damage occurred

5.1 Host Security / Physical Security

Host security / physical security means securing the server itself from unauthorized access. Steps include setting a BIOS password, placing the machine in a locked room that only authorized people can enter, applying OS security patches, and checking the logs on a regular basis for intrusions and attacks. Host security also covers checking and correcting the permissions on all OS-related files.

5.2 Network security

Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the internet is completely secure, so security administrators and server owners need to stay alert and make sure they are informed of all new bugs and exploits as they are discovered. Failing to keep up with these may leave you at the mercy of some script kiddie.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support. My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6 Is a firewall the final solution to the Network Security problem?

No, a firewall is just a part of the security implementation.
Again, we will use the example of a house. In a house all the
windows and doors can be closed but if the lock on the front door
of the house is so bad that someone can put just any key-like thing in and open it, then what is the use of the house being all closed up? Similarly, if we have a strong firewall policy, it will restrict unauthorized access, but if the software running on the box is outdated or full of bugs then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real quality solution to this issue.

7 Security is a continuous process

Security is an ongoing process. Security administrators can only work on the basis of the alerts and bug fixes released up to the date of securing, so in order to accommodate the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does Security implementation create overhead and/or reduce
performance?

Yes, a security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. To take care of this, a well-done security implementation has an optimization section in which the security administrator gives priority to both performance and security. While securing any piece of software, we should secure it in such a way that it still provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is the part of the security implementation where we try to find the vulnerabilities of the system and suggest actions to improve its security. In a normal audit the points below should be checked, and a report with the results of the audit should be created.

  • Check for rootkits and other signs of intrusion. Use chkrootkit or
    rkhunter for this purpose.
  • Check for known bugs in the software installed on the server -
    the kernel, openssl, openssh, etc.
  • Scan all network ports and find out which ports are open.
    Report the ports that should not be open and what program is
    listening on them.
  • Check whether /tmp is secured (mounted with noexec, nosuid and
    nodev; see section 12.4.3).
  • Check for hidden processes.
  • Check for bad disk blocks in all partitions. (This is just to
    make sure that the system is reasonably healthy.)
  • Check for unsafe file permissions.
  • Check whether the kernel has a ptrace vulnerability.
  • Check the memory (another system health check).
  • Check whether the server is an open e-mail relay.
  • Check whether the partitions have enough free space.
  • Check the size of the log files. It is better that log sizes stay
    in the megabytes; a log that has suddenly stopped growing or been
    truncated deserves as much attention as one that is huge.
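Two of the checks above, the /tmp mount options and the listening-port review, written as shell functions that work on text input, so the same code runs against the live system or against output saved from a suspect box. This is an added example and not code from the original article; the function names, the port allowlist "22 80 443" and the sample lines in the usage note are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Both functions take text so
# they can be fed live command output or a saved copy from another machine.

# tmp_missing_opts MOUNTS_TEXT
# MOUNTS_TEXT is /proc/mounts content (fields: device mountpoint fstype opts ...).
# Prints the hardening options missing on /tmp out of nodev,nosuid,noexec,
# "no-separate-mount" if /tmp is not a mount point of its own (it then
# inherits whatever / is mounted with), or an empty line if all are present.
# Exit status 0 only when /tmp is fully hardened.
tmp_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "no-separate-mount"
        return 1
    fi
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# unexpected_listeners "PORT PORT ..." SS_TEXT
# SS_TEXT is the output of `ss -Hltnp` (TCP) or `ss -Hlunp` (UDP): one socket
# per line, local address:port in column 4, owning process in the last column.
# Prints "<local-address:port> <process>" for every socket whose port is not
# on the space-separated allowlist. Anything printed needs an explanation.
unexpected_listeners() {
    allow=" $1 "
    printf '%s\n' "$2" | while read -r state recvq sendq laddr peer proc; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}                    # works for 0.0.0.0:22 and [::]:22
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s %s\n' "$laddr" "$proc" ;;
        esac
    done
}

# Live usage (run as root so ss can show the owning process):
#   tmp_missing_opts "$(cat /proc/mounts)"
#   unexpected_listeners "22 80 443" "$(ss -Hltnp)"
```

Feeding text rather than running the commands inside the functions matters for audits: output captured from a compromised host can be reviewed on a clean one, and the same function can be re-run on yesterday's capture to see what changed.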

10 How to know if you are being hacked?

To find out whether your box is compromised, follow these steps. These are the steps I used to follow, and they will be handy in most situations.

10.1 Check your box to see if performance has degraded or if the machine is being overused.

For that, use these commands:

vmstat - Displays information about memory, CPU and disk.

Ex: bash# vmstat 1 4 (where 1 is the delay in seconds and 4 is the count)

mpstat - Displays statistics about CPU utilization, which will show whether the CPU is overworked.

Ex: bash# mpstat 1 4 (where 1 is the delay and 4 is the count)

iostat - Displays statistics about the disk subsystem.

Useful options:

-d - Gives the device utilization report.

-k - Displays statistics in kilobytes per second.

Ex: bash# iostat -dk 1 4 (where 1 is the delay and 4 is the count)

sar - Displays overall system performance, including the history collected by sysstat, so today’s load can be compared with last week’s.

10.2 Check to see if your server has any hidden processes running.

ps - Displays the status of all known processes (ps -ef or ps aux).

lsof - Lists all open files. In Linux almost everything is a file, sockets and devices included, so this command shows most of the activity on your system; lsof -i narrows it to network connections. A process that ps does not show but that appears in /proc, or a socket that no listed process accounts for, is worth a very close look.

10.3 Use Intrusion Detection Tools

10.4 Check your machine’s uptime.

If the uptime is less than it should be, the machine has been rebooted, which can mean that someone else has been using it (for example to load a modified kernel). Linux doesn’t crash or reboot under normal conditions because it is such a stable OS, so if your machine has been rebooted, find out the actual reason behind it (last reboot lists the reboots recorded in wtmp).

10.5 Determine what your unknown processes are and what they are doing.

10.5.1 Use commands like the following to take apart unknown programs

readelf - Displays the structure of an ELF executable: its headers, sections, symbols and the shared libraries it needs (readelf -d), which gives a first idea of what the program is built to do.

ldd - Shows the shared libraries used by an executable. Be careful: some ldd implementations work by actually running the program under a special loader setting, so never run ldd on a binary you do not trust; use readelf -d or objdump -p to list the NEEDED libraries instead.

strings - Displays the printable strings in the binary. File names, IP addresses, URLs, shell commands and error messages often give the game away.

strace - Displays the system calls a program makes as it runs. It executes the program, so only use it on an isolated test machine, never on the production box you are investigating.
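The hidden-process check from 10.2, done the way a practitioner would rather than by eye: compare the PIDs the kernel exposes in /proc with the PIDs the ps binary reports, then pull the facts about any difference straight from /proc. This is an added example, not code from the original article; the function names are assumptions and the PID lists in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: find processes that /proc
# knows about but the ps binary does not report. A userland rootkit that
# trojans ps (or preloads a library to filter its output) is caught by this;
# a kernel rootkit that filters /proc itself is not, so a clean result is
# not proof of a clean machine.

# pids_not_in_ps PROC_PIDS PS_PIDS
# Both arguments are newline-separated PID lists. Prints, one per line, every
# numeric PID present in the first list but absent from the second.
pids_not_in_ps() {
    printf '%s\n' "$1" | awk -v ps="$2" '
        BEGIN { n = split(ps, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }'
}

# proc_pids: PIDs as the kernel exposes them (numeric directories in /proc).
proc_pids() { ls /proc | grep -x '[0-9][0-9]*'; }

# ps_pids: PIDs as the ps binary reports them; this is the path a userland
# rootkit typically tampers with.
ps_pids() { ps -e -o pid= | tr -d ' '; }

# describe_pid PID
# Pull the facts for a suspicious PID straight from /proc rather than from
# tools that could be trojaned: executable path (a deleted binary shows as
# "(deleted)"), command line, working directory and parent PID.
describe_pid() {
    pid=$1
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'ppid:    %s\n' "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
}

# Live usage. The two snapshots are not atomic: a process that started or
# exited between them shows up as a difference, so re-run before treating a
# hit as a hidden process.
#   ps_list=$(ps_pids); proc_list=$(proc_pids)
#   for p in $(pids_not_in_ps "$proc_list" "$ps_list"); do describe_pid "$p"; done
```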

11 Hardening Methodology

  • Read all security related sites and keep up to date. This is
    one of the main things a security administrator or server owner
    should do. Server owners should be made aware of security and its
    importance. Security training is an important part of an overall
    security package.
  • Create a good security policy. Conduct security audits on the
    basis of this policy.
  • Keep your OS updated by applying all patches.
  • Install a custom kernel with all unwanted services removed and patched with either grsecurity or openwall.
  • Disable all unwanted services and harden the services you leave running; Change file and directory permissions so that security is tightened.
  • Install a firewall and create good rule sets.
  • Test and audit the server on a regular basis.
  • Install an intrusion detection system, log monitor, all of the
    Apache security modules, bfd, faf and tmp monitor. Make your
    partitions secure.
  • Run a good backup system to recover data in case of an
    intrusion, crash, or other destructive incident.
  • Install a log analyzer and check your logs for any suspicious
    entries.
  • Install scripts to send out mail or enable notifications when a security breach occurs.
  • After a security breach try to find out how, when and through
    what the breach occurred. When you find a fix for it, document the details for future reference.

12 Summary

Now let’s conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors
which are applicable to this system

12.2 Devise a security policy with the above data in mind.
Get management’s approval and signoff on this security
policy.

12.3 On approval of the policy, do a security audit on any
existing systems to determine the current vulnerabilities and
submit a report regarding this to the management.

The report should also cover the methods needed to improve existing security. A quick checklist:

  • Software vulnerabilities.
  • Kernel upgrades and vulnerabilities.
  • Check for any trojans.
  • Run chkrootkit.
  • Check ports.
  • Check for any hidden processes.
  • Use audit tools to check the system.
  • Check logs.
  • Check binaries and RPMs.
  • Check for open e-mail relays.
  • Check for malicious cron entries.
  • Check the /dev, /tmp and /var directories.
  • Check whether backups are maintained.
  • Check for unwanted users, groups, etc. on the system.
  • Check for and disable any unneeded services.
  • Locate malicious scripts.
  • Enable query logging (querylog) in DNS.
  • Check for suid files and for files with no valid owner (nouser).
  • Check for scripts in /tmp.
  • Use intrusion detection tools.
  • Check the system performance.
  • Check memory health (run memtest).

12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities either by applying patches or by upgrading the software.

12.4.2 Implement host security

  • Protect your systems with passwords.
  • Check the file systems and set correct permissions and ownerships on
    all directories and files, e.g. chmod -R 700 /etc/rc.d/init.d/* so that
    only root can read or run the init scripts.
  • Use rpm -Va to find packaged files that have been modified since
    installation (a changed binary is far more suspicious than a changed
    config file).
  • Apply security patches to vulnerable software (e.g. patch -p1 <
    patchfile, then rebuild) or upgrade it.
  • Restrict root logins to the ttys and consoles that actually need them
    by removing the other entries from /etc/securetty.
  • Check the system logs (e.g. /var/log/messages, /var/log/secure, etc.).
  • Set a password on the boot loader (lilo and grub both support this);
    otherwise anyone at the console can boot with init=/bin/sh and own the box.
  • Monitor the system (nagios or big brother).
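The rpm -Va step above produces a terse flag string per changed file, and knowing which flags matter is what separates a replaced /usr/bin/ls from a harmlessly edited config file. This added example (not the article’s code) classifies that output; the function name is an assumption and the rpm -Va lines in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: classify `rpm -Va` output.
# Each line is a 9-character flag string (S size, M mode, 5 digest, D device,
# L symlink target, U user, G group, T mtime, P capabilities; "." means
# unchanged), an optional attribute letter (c config, d documentation,
# g ghost, l license, r readme) and the path. Files rpm cannot find are
# reported as "missing <path>".

# rpm_va_triage TEXT
# Prints one line per interesting file:
#   ALERT   <path> <flags>  non-config file whose content, mode, ownership,
#                           link target or capabilities changed: a replaced
#                           binary or library looks exactly like this
#   CONFIG  <path> <flags>  changed config file; usually expected, still review
#   MISSING <path>          packaged file that has been removed
# Lines where only the mtime (T) differs are dropped as noise.
rpm_va_triage() {
    printf '%s\n' "$1" | awk '
        NF < 2 { next }
        $1 == "missing" { print "MISSING", $NF; next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""
            path  = $NF
            if (attr == "c") { print "CONFIG", path, flags; next }
            if (flags ~ /[SM5DLUGP]/) print "ALERT", path, flags
        }'
}

# Live usage:
#   rpm_va_triage "$(rpm -Va 2>/dev/null)"
# Caveat: rpm -Va compares files against the local rpm database using the
# local rpm binary. An intruder with root can alter both, so on a box you
# already suspect, verify against a pristine package file instead
# (rpm -Vp /path/to/clean/package.rpm) or check from trusted boot media.
```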

12.4.3 Implement Network security

  • Remove all unwanted users and groups.
  • Use custom security scripts which send a notification when someone
    logs in over ssh as root, when a user with uid 0 is created, etc.
  • Require passwords of at least 16 characters (PASS_MIN_LEN in
    /etc/login.defs; on systems where PAM handles password changes, the
    minimum length is enforced by the PAM password module instead).
  • Disable unwanted services using TCP wrappers (services started from
    xinetd can also be disabled in /etc/xinetd.d/ or /etc/xinetd.conf).
  • Set up an idle timeout, so that idle users are logged out after a
    certain amount of time (e.g. TMOUT in the shell profile).
  • Disable console program access for ordinary users (e.g. remove the
    entries under /etc/security/console.apps/).
  • Enable the nospoof option in /etc/host.conf.
  • Specify the order in which names are resolved (e.g. order bind,hosts).
  • Lock the /etc/services file so that no one can modify it
    (chattr +i /etc/services).
  • Disable direct root login over ssh by setting PermitRootLogin no in
    sshd_config. Merely commenting the line out does not disable it: sshd
    then uses its compiled-in default, which in older OpenSSH releases is yes.
  • Restrict su so that only wheel group members are able to su (use
    pam_wheel in /etc/pam.d/su, or remove the execute permission for
    others on the su binary).
  • Limit user resources (with pam_limits, specify the limits per user in
    /etc/security/limits.conf).
  • Secure /tmp (mount /tmp with noexec,nodev,nosuid).
  • Hide the server details: remove or replace /etc/issue and
    /etc/issue.net.
  • Find and disable unwanted suid and sgid files, e.g.
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    Examples of candidates: gpasswd, wall and traceroute.
  • Using iptables, allow pings only from specific locations (so that
    monitoring systems keep working).
  • Take preventive measures against DoS, “ping of death” attacks, etc.
  • Install a firewall (e.g. apf on top of iptables) and only allow the ports the box needs for its normal functions; block all other ports to prevent mischief.

Links: http://rfxnetworks.com/ and http://yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

  • Install intrusion detection (e.g. tripwire or aide), and keep the
    baseline database where an intruder cannot rewrite it (read-only media
    or another host).

Links:
http://www.cs.tut.fi/rammer/aide.html and
http://redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html

  • Install sxid to keep an eye on suid and sgid files.

Link: http://linux.cudeso.be/linuxdoc/sxid.php

  • Restrict ssh to specific IP addresses and specific users (I
    suggest key authentication with a passphrase).
  • Install logcheck to check the logs.
  • Install tmpwatch to delete unused files from the /tmp directory.
  • Install and set up portsentry, and configure it to use iptables
    to block IPs.
  • Install mod_security and mod_dosevasive to safeguard Apache.
  • Delete (or re-own) files with no valid owner or group
    (find / -xdev -nouser -o -nogroup).
  • Delete unwanted files and folders in htdocs; disable directory
    indexing.
  • Check for unwanted scripts in /root, /usr/local and
    /var/spool/mbox.
  • Install BFD and FAF for additional security.
  • Disable open e-mail relaying.
  • Submit a status report to management detailing all discovered
    vulnerabilities and fixes.

12.5 Testing phase

Use tools like nessus, nikto, and nmap to do a penetration test
and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server; compromising its security is compromising the server itself. Hence, an understanding of security is a prerequisite to server ownership and administration.

Blessen Cherian - EzineArticles Expert Author

Blessen works as Executive team member in Bobcares.com.

He is an Engineer in Computer Science from the College of Engineering, Chengannur. He is passionate about Linux security and looks forward to growing in that field.

Why you Must Secure your Digital Product and ‘Thank You’ Web Page

Posted by admin on October 13th, 2008 — Posted in Security + More

A couple of years back, I paid my dues the ‘hard way’.

My web site was up and running, the sales letter had been ‘crafted’ with the most influential marketing techniques and the profits had been consistently coming-in, until…

Until I noticed a considerable ‘drop in ClickBank sales’ for 2 months in a row. You can’t imagine how this extensive declination in sales, affected my mood and self-esteem.

I started critiquing my sales literature all over again and re-evaluating every tidbit of my marketing strategy… everything seemed to be “working flawlessly”, but yet… “Not enough sales volume - hey, this isn’t me (I contemplated)… I am one of those copywriters who consistently ‘live-by’ the 4%-6% sales ratios!”

Then one Sunday morning, I rushed to thoroughly check my web site’s statistics, and to my blow…

My ClickBank’s “Thank You” page had been the 4th most visited section of my web site!

Holly-Golly! Almost certainly, an ungracious customer had submitted my “Thank You” web page all over the web. My ‘digital gizmo’ had been downloaded over 460+ times, according to my web server’s statistics. Needless to say, my ‘voice of harassment’ started ‘echoing’ all over the block (something like “aaaarrrrggrgrghhhh!…ahhh..oh!ohhhhh!”).

After the stalking bang of a sound psychological burst… after several breathe-ins / outs… I finally decided to ’secure’ my digital product with a ‘hack-proof’ system. No “more free lunches”, I sarcastically squealed!

Hence, I installed a simple yet highly powerful CGI script (see http://close-sale.com/automation.htm) and my ClickBank product had finally been ’secured’ from freebie hunters, pranksters and hackers that ‘unconstructively impacted my bank account’.

The ‘Online marketing lesson’ is undeniably straightforward: you *must secure* and automate your business by any means, before your digital product becomes one of the ‘Web’s Top 1000 Free Downloads’; trust me, it isn’t worth the jeopardy.

This article may be freely distributed / republished, as long as it contains the author’s credits and the precise entirety of the provided article, titled: “Why you Must Secure your Digital Product and ‘Thank You’ Web Page”.

About The Author

Bob Mobino is the Author Behind http://close-sale.com.

Let’s Talk About Antivirus Software!

Posted by admin on October 13th, 2008 — Posted in Security + More

Nowadays more and more people are using a computer. A lot of them use it at their workplace, but an increasing number of computer users have also discovered the need to have a computer at home. At the same time the number of Internet surfers has increased. This is a good thing, because people are realizing the advantages offered by the world of technology. As soon as they discover this, they start using computers and the Internet more and more, but without considering the threats that are coming in from all sides. They should know that if you don’t protect yourself, nobody will.

These threats are now coming from everywhere, and they are growing in number and complexity. The first threats of this kind were viruses. At first, viruses were not that harmful. They were designed to perform a simple task, like flashing a single message onto the user’s screen. The spread rate was slow too, because not many people were connected to the Internet. But now the majority of viruses are programs intentionally written to interfere with, or harm, other programs or computer systems. And they are spreading very fast.

Many companies and people have had a lot of trouble because of these viruses, and so the need for antivirus software was born. At first a very simple antivirus was enough. Now, as the threat grows, antivirus software is becoming a lot more complex. Some products have also included a firewall so as to better protect the users. To increase competition, other antivirus producers have come up with another idea: to offer a free scan online. This was a big help for people who use a computer mostly for personal use, meaning it is not attached to a network and uses the Internet only from time to time. Now they don’t have to spend a lot of money on antivirus software that will be used very rarely.

Most of these antivirus programs have to be bought in order for you to use them at full capacity. You also have the option to test a so-called “free trial version”. These trial versions include all or most of the software’s features and can be tried out by the user for a short period of time, usually 30 days. After those 30 days the program can no longer be used. Other antivirus producers use another method: they offer a free version that you can keep forever, but it is not fully operational, meaning some options of the program are not activated. Once you have tried a program and consider it fit for your needs, you’ll have to buy it to protect your computer at full capacity.

Lately, viruses are mostly spread through e-mail, because this is the most common use of the Internet and because e-mail viruses are easier to develop. E-mail viruses make use of macros or scripts embedded in word documents, spreadsheets and HTML pages, which are programmed to run when the document is opened. But how does an e-mail virus work? When an e-mail with an infected document or program is received, the user unknowingly opens the document or program, which in turn executes code that opens the e-mail address book and sends a copy of itself as an attachment to a number of addresses. Some of the recipients open the attachment and the process repeats itself.

This is where the antivirus program comes in. It checks all incoming and outgoing messages and their attachments. If an e-mail is found to carry a document or program infected with a virus, the program offers several ways to deal with the threat: delete the e-mail, quarantine it or try to disinfect it. Most of the time these choices are left to the user, and it is up to the user to configure the program to best fit his needs. But not all viruses come by e-mail. Some use security holes in the operating system or the web browser to be launched automatically. If you keep your antivirus and all your other programs updated, there is only a small chance of being infected by this route.

Nowadays, most viruses are spread as e-mail attachments. Some of the worst recent viruses rely on recipients who throw common sense away and launch a deadly attachment. Commonly the attachments have extensions such as .bat, .com, .exe, .pif, .scr and .vbs. Sometimes, to avoid antivirus filters, virus writers enclose their malicious code in a .zip or .rar archive. The archive may even be password-protected to fool antivirus programs that scan inside archives, and, obviously, the password is included in the message as an image for the convenience of the naive user. As a simple but reliable rule, never open an attachment you did not expect to receive, even if it came from someone you know. Also make sure your e-mail software is configured not to open attachments automatically.

Another common way of spreading viruses is file sharing. Many viruses spread through open network shares. You can protect your computer by not sharing files or directories over the network. If you have no choice and must share your files, you can still reduce the risk of infection by installing antivirus software and keeping it updated. Other ways to become infected are downloading files or software from the Internet, instant messaging and even web pages.

If the file you are downloading, or the computer you are downloading it from, is infected with a virus, there is a big chance that your computer will also become infected. With instant messaging, the major risk comes from accepting files from other users. This risk can be minimized by configuring your antivirus software to scan all incoming files and by configuring your other programs not to accept files automatically and not to execute the files you accept automatically. Certain viruses are known to infect web servers. If you visit a website on an infected server, your computer could be infected with the same virus, but this is a very rare method of infection.

There are many different threats targeting computers. Although they are very different, all of them are popularly called viruses. A virus, by definition, is a self-replicating file, whether it is malicious or not. Another type of so-called virus is the worm; worms circulate mainly through e-mail but also spread through a network. A worm is aware that it is on a network and uses it to replicate itself. Trojan horses (or trojans) are mostly used to plant remote-access tools on a system in order to give the attacker free access to it without the user’s knowledge. Most Trojan horses cannot replicate automatically.

With the increased number of Internet users, the threats are also rising, as there are now many more computers to attack and more people who don’t know how to stay away from these threats. But antivirus software producers are making it easier for us. There is a lot of antivirus software covering a lot of threats. All we have to do is install one.

Mike Ber is the owner of the Canadian Domain Name Portal called http://www.Every.ca
He is also a contributing author to Canadian Computer Magazine and http://www.Developer.ca website.