Archive for the 'Security' Category

I got hacked

Wednesday, October 3rd, 2007

The first e-mail I sent was sometime in 1994, so I’ve been very much alive and active online for a whopping 13 years. I’ve got a fleet of e-mail addresses, a long list of forum accounts, and many logins for various online services. 9 years ago I was launching my own attempt at a site, on Tripod. Remember Tripod, Hotbot, Lycos, Netscape and all those buzzwords back then? Gosh I’m old.

One would think it had to happen sooner. Having an account hacked into, I mean. Nope. I think I defy statistics. This must be some sort of a record, to be so prolific online and only have the first intrusion today. And it wasn’t even something important — it was my 10 year old eBay account, which only saw around a dozen transactions over the years. How pathetic is that? Not even my Yahoo! account.

So here I am, talking with eBay customer support about unlocking my account, and unsure whether I should worry or laugh. I have no idea how it happened, since those principles that kept me safe so far have not been crossed. I’m thinking of an exploit on eBay’s site used to spam sellers with ads through the “Ask seller a question” option. This would make more sense than breaking my random consonants and digits password, always changed less than a month ago. I mean, you’d probably screw up the login even if I spelled out the password to you, twice.

For peace of mind, I just took a tour of my major accounts and gave them fresh, random passwords. The eBay account lock-out has been addressed within 3 hours. Now I think I’ll celebrate this glitch in a perfect score, the reminder that even with the best protective measures in place, mistakes do happen. It’s only natural, and it had to happen. Issue contained, damage insignificant, moving on.

Have you been hacked? How did you deal with it?

Updates, updates

Friday, January 6th, 2006

Heads up, everyone. The software developers are back from their holidays with new goodies for us.

WordPress has now reached version 2, and it really is a fantastic piece of software. It features automatic import from Blogger and Movable Type, better support for plugins, an easier way to manage users and a pretty rich text editor for WYSIWYG writing. But I won’t spoil all the surprises for you.

Javacool Software has released Spyware Blaster 3.5.1. For those of you with a raised eyebrow, this is a freeware, must-have utility for your computer’s security. It has a list of over 5,000 sites related to automatic distribution of malware and prevents Internet Explorer, Firefox and any other application (such as a virus or spyware seeking to auto-update itself) from accessing these sites. If you already have it installed, the recommended upgrade procedure is to download the new version, run the old one, remove all protection, close the old version, uninstall it from Add/Remove Programs, install the new version, run the online updater, then enable all protection.

Stay tuned for Microsoft’s batch of Windows updates, released as usual on the second Tuesday of the month. Hopefully they will get the patch for the WMF exploit ready by then.

All the best for 2006!

Daydreaming on computer security

Thursday, December 8th, 2005

The results of a study conducted last year by AOL and the National Cyber Security Alliance show, among other things, that 81% of home PCs are insecure; that is, they lack basic security software — an antivirus program updated less than a week ago, a personal firewall and an anti-spyware solution. Moreover, 70% of the participants fell for phishing e-mails. 26% of the users had a wireless connection at home, half of them without any encryption enabled.

Are you surprised? I’m not. But I’m troubled. Not by percentages, but by the methodology of this study and, inherently, the way people look at computers. Allow me to detail.

Firstly, the study was made by AOL. Correct me if I’m wrong, but my guess is that the participants in this test were all AOL subscribers. I really doubt AOL obtained permission to investigate the security of subscribers from RoadRunner or Level3 or SouthWestern Bell or any other competitor. If the study focused only on the computers of AOL subscribers, then we’ve got a major flaw to begin with: one can’t generalize the results of an experiment conducted on a statistical population whose diversity has been limited by a certain factor — the Internet Service Provider. No offense or disrespect meant to anyone, but AOL seems to attract and hold the dumbest people you’d find. Not necessarily dumb as in real life dumb, but generally in technical matters; you know, the ones that “ooooh” and “aaaah” when you skip your way from one field to the next in an online form with the Tab key instead of clicking the fields. Most of them have no clue whatsoever about properly using their PCs. Keeping their PCs secure may seem rocket science to many of them. It may be true that other Internet Service Providers have their share of technologically-challenged people, but it may also be true that the percentages of insecure PCs of other ISPs’ subscribers are not the same as AOL’s. The point is, in a study you cannot assume that the numbers are the same for groups other than your own statistical population because this can greatly affect the validity of any conclusions. What we’ve got here is a flawed assumption for a hypothesis.

Secondly, I believe that the test’s definition of a secure computer is wrong. For instance, as a power user, I have a well-thought-out set of rules for using the computer safely. These common sense rules keep my computer from getting infected with viruses or worms or spyware, and keep me from getting caught in a phishing scam, without running any antivirus application in the background. Also, back when I had a hardware router between my PC and the cable modem, my PC was protected by the router’s firewall; therefore, keeping a software firewall running on my PC was redundant. So, even though my computer was as clean and secure as it gets, according to the definition of this study, my PC would have been tagged as “insecure”. That’s the second error of the statistical study: flawed methodology.

Thirdly, and this is where I was getting to, this study shows a major social problem: it’s how erroneously we perceive computers. We think of them as simple machines, like a lawn mower or perhaps a pocketable Tetris game. “I’m not at home touching the thing, so it’s not doing anything.” Wrong. It’s doing a gazillion things at any time, behind that static wallpaper image and frozen mouse cursor, especially if it’s connected to the Internet through a permanent, high-speed connection like cable or DSL. It’s a part of a global network and an active participant in it. And it’s far more powerful than your brain, even if it lacks your intelligence — that’s what makes it dangerous, too. Such a beast needs to be watched over and tamed constantly by someone trained for the job. Are you? Most likely not.

Try and follow me through this analogy. In a car accident, do you blame the car for not paying attention to the red light and traffic, or the absent-minded driver? Do all people get tested and certified for driving before being allowed behind the wheel? OK then; when a computer is found infested with worms and viruses and just doing all sorts of nasty things, why does it get the blame instead of its owner? Why does the computer get tested for security, instead of testing the owner for managing the computer responsibly and knowledgeably? After all, the computer is not as dumb as a lawn mower. It needs to be managed properly, controlled and supervised. Any computer owner needs to be aware that the PC left on and online at home is doing things without human intervention. So if the owner is not trained and licensed to control the computer, someone else must do the job. Mr. Ron Teixeira, executive director of the National Cyber Security Alliance, came exactly to the conclusion that “The security is only as good as the user.”

I am really looking forward to the day when buying or owning a computer has strings attached. Someone needs to be responsible for it, to be tested and licensed to operate it, and fined if the computer has been doing something bad. Posing as a victim with the excuse “I don’t know how my PC got infected” or even worse, “I didn’t know it could happen,” needs to come to an end. It’s the owner’s fault for allowing something bad to happen, even through his or her passive attitude. Computer security is rocket science to some, but so is flying an airplane or driving a car. If you can’t do it, pay a professional to do it for you. We need companies that provide security maintenance services to the computer owners, when the owners are clueless about security. And that, ladies and gentlemen, may be the first day when spam, worms, viruses, phishing, DDoS, drones, open proxies and all the other ill-reputed aspects of today’s Internet will start disappearing.

Why and how to keep your computer secure?

Monday, March 7th, 2005

Too few people take computer security seriously. One can buy a computer from the supermarket these days. It is no longer regarded as a specialized tool but as a common household device. But nobody told you that you are also the administrator of this powerful device, did they?

Why is security important? Because, if you are reading this, your computer is connected to the Internet. Which means, it is a part of the Internet. Just as you can access other computers (servers) connected to the Internet to use their shared resources (web sites, file servers, e-mail servers and so on), so can others access your computer. So if your computer’s software is insecure, others can exploit those vulnerabilities with various purposes in mind. For example, one could try to access your personal files — things you’d like to keep private, like e-mails and address book, financial reports and credit card information, your medical records, your children’s photos and any sensitive information you have saved on your hard drive. One could try to remotely install programs to give them full access to your computer, thus preparing it to be used in other illegal activities, such as spreading viruses, attacking other computers or websites, or sending millions of spam e-mails.

If such things happen, it’s not the fault of those so-called “hackers”, nor the fault of the producer of your operating system. It’s your computer and your responsibility to manage it. That’s why there’s an “Administrator” or “root” account on your computer. Stop blaming others, it’s not rocket science to secure your computer yourself.

So how does the cat-and-mouse game work? Specialized organizations try to find vulnerabilities in all operating systems, and publish their findings regularly. Since most users use Windows, I’ll focus on it. Every month, new vulnerabilities in Windows’ components are being found, vulnerabilities that can be exploited in certain ways. As soon as such a vulnerability is discovered, Microsoft prepares a “patch” that updates the faulty Windows component; these patches can be downloaded free of charge, and the entire process of discovering newly available updates and installing them is completely automatic through the Internet’s best kept secret: Microsoft’s WindowsUpdate website. On the other hand, “hackers” try to find computers whose administrators didn’t install the patches and which are still vulnerable, and exploit those vulnerabilities to get complete access to that computer.

Let’s make an analogy to make it clearer. Suppose you have a nice barn (your computer) filled with all sorts of goodies (files, resources) for the winter. All your neighbours have similar barns. Everyone is happy with their barns. Once a month, a bunch of city folks with funny hats (security organizations) drive by, and inspect the barns for holes in the walls (software vulnerabilities). Then, they tell about those holes to the builder of all barns (the producer of the operating system) which, in turn, makes plugs to exactly fit each hole (the software patches). These plugs are free and the builder even installs them for free, all you need to do is call them (visit the WindowsUpdate site once a month). Why? Because mice (“hackers”) also learn about those holes in the barns (vulnerabilities), and they will try to get through the known holes to reach the goodies inside (exploit the vulnerabilities). If the barn has all known holes filled with the right plugs, then the mice can’t get in. If one of your neighbours didn’t make the call to the guys with the plugs, his barn will be crawling with squeaking rodents. Get it?

To keep your computer secure, the first step is to eliminate all known vulnerabilities. You do that by visiting the WindowsUpdate website once a month and allowing the site to detect what components need to be updated, to download the patches and install them. Yes, it’s that easy. No, it won’t take forever. Patches released in one month are usually a few megabytes or less, and your computer won’t need all of them; downloading shouldn’t take more than one hour even on a crawling dial-up connection. Is one hour each month too much to spare for the sake of your computer’s security? All you need to remember is to start Internet Explorer and select “Windows Update” from the “Tools” menu once a month. Easy!

If your barn had holes and mice settled in, then apart from plugging the holes you need to eradicate the mice as well. In other words, your operating system’s vulnerabilities are usually exploited by a certain kind of virus called a “worm.” These worms “crawl” through the Internet from one vulnerable computer to another. Once they have found a vulnerable computer, they will infect it and start spreading by finding other vulnerable computers to infect. Preventing the infection is done by patching the vulnerable components, as I have detailed above. But cleaning the worms from your computer is a different task. You could use a commercial antivirus to clean them, but there are free solutions to this problem, too. For example, Symantec, the creator of Norton Antivirus, offers free cleaners for specific viruses. The advantage is that these cleaners are free, are small, and do their job very well. The problem is that you need to know which virus you have in order to get the correct cleaner. This is where Stinger comes in: it is also a free cleaner from McAfee, it’s about one megabyte in size but it knows how to detect and remove the most recent and dangerous worms spreading on the Internet — about 50 of them, each with a number of different variants. This is the perfect tool for automagically scanning and cleaning worms in your computer, very simple to use. In other words, Stinger would be the supercat you lock in your barn to find and eat all the mice inside. Is that cool or what?

Enough lecture for today. There’s more to computer security, so make sure you don’t miss the next class. You are one step closer to the rocket scientist diploma you have always dreamed of. Assignment due next time: get Stinger and scan your computer, and install all critical updates for your version of Windows.

How to prevent your computer from becoming infected with viruses

Saturday, October 16th, 2004

Preventing an infection is easier to do than trying to recover from an infectious disaster. Here are a few guidelines for measures you can take:

  • Update your Windows regularly to prevent getting infected because of newly discovered bugs.

    It is so easy to install all needed patches for Windows: just open WindowsUpdate.Microsoft.com with Internet Explorer. There is a link for Windows Update in the Start menu, another one in Favorites, and a third one in the Tools menu of Internet Explorer. Microsoft releases patches for Windows bugs about once a month, so make sure you visit the site and follow the steps to discover which patches you need and let them download and install automatically. It’s very simple to use, and the downloads shouldn’t take more than an hour on a slow dial-up connection; if you update monthly, it should only take a few minutes!

    If you don’t install the patches, then virus creators will create viruses that exploit the bugs in Windows, and your PC will become infected as soon as it is connected to the Internet, even if you don’t download or do anything. Your infected computer will try to send the virus to other computers, making your Internet connection almost impossible to use.

  • Do NOT connect to the Internet or to a local network with a freshly installed Windows!

    This is a very serious problem and most people ignore it. NEVER install Windows when you are connected to the Internet; unplug your network cable from your network card. The clean installation of Windows doesn’t have the needed patches (see above paragraph), and it can become infected a few seconds after it is connected to the local network or the Internet. After you have completed installing Windows, you need to:

    1. Install a personal firewall to protect your computer online, such as:
      • ZoneLabs ZoneAlarm Free (not Pro, not with antivirus) – free for personal use, very simple to use and good for beginners;
      • SyGate Personal Firewall – free for personal use, more powerful than ZoneAlarm;
      • Kerio Personal Firewall – free for personal use, a very powerful firewall for advanced users, will go to basic functionality after 30 days unless you purchase the full version, but free version is also good;

      and

    2. connect to the local network or the Internet and update your Windows by visiting WindowsUpdate.Microsoft.com (read above about it); if the firewall detects an incoming connection from the Internet to your computer while you are connected to the network or the Internet, forbid/block/disallow the connection.

  • Do not open files obtained from untrusted sources without scanning them with an antivirus program with its virus definitions updated daily.

    “Files obtained from untrusted sources” means files received by e-mail from people you don’t know or from whom you did not request such a file, files downloaded from personal websites or peer-to-peer networks, or files obtained on CDs or floppy disks from friends.

    If you need to download software, do it from reputable websites such as Download.com and TuCows.com, or directly from the product’s homepage.

    Do not open file attachments received in e-mail unless you requested those files or you know what the files are! Most computers in the world become infected because people open attached files without thinking they might be dangerous.

    Do not obtain software from peer-to-peer networks such as Kazaa, eDonkey and others; these files have a high risk of being infected with viruses, and downloading copyrighted materials from these networks is most likely illegal. A person I know has become infected with over 180 viruses from a single program downloaded from Kazaa!!!

  • Do not share folders and files with full access and without a password.

    If you really need to share files and folders on the local network, make sure that you set read-only permissions and also set a password for each share. Don’t share sensitive information on your computer, such as your entire C: drive where Windows is located, because ill-minded people will try to find your passwords, e-mails, documents, financial information (credit card numbers) and so on. Create a separate folder with the stuff you want to share and set read-only share permissions to it; create another folder for receiving files, with full access permissions.

  • Do not use the computer logged in with unlimited Administrator privileges.

    The Administrator account has unlimited permissions to access the software and hardware on the PC; this freedom is a potential security risk, because if a virus becomes active by accident it will have full access to infect all files on your hard drive. Create a separate password-protected account for each person using the computer, set each account’s membership to the Users group (with limited access to other files outside the account’s home folder), and rename the Administrator account to make it more difficult for bad people to obtain access to the computer. Disable the Guest account and create separate password-protected accounts for all users on the network you wish to allow to access your shared files. All of this is done in Control Panel – Administrative Tools – Computer Management – Local Users and Groups – Users.

  • Use an antivirus program and keep its virus definition list updated.

    Find an antivirus program you like (most can be used as trial versions to help you decide) and pay for it; the antivirus is a good investment into your computer’s security and your lack of headaches. Set the antivirus to update its list of known viruses automatically every day or at least every week and use it every time to scan downloaded files before opening them. When you become a “computer power user,” you will be able to keep the antivirus’ options turned off (so it doesn’t constantly scan the files on your computer, which you know are clean) and only manually scan the folder of downloaded files before using them.

This is not a comprehensive list! Computers have become powerful instruments, and their users should be responsible and learn to use them correctly and safely. Use your brain for every action you take, learn about using a firewall and an antivirus program, and know that being a part of the global network – the Internet – can be a risky activity if you do not take minimum precautions to defend yourself. All of the above are simple things you can do yourself for free, but if you ignore them you can lose your files or become unable to use the computer or the Internet.
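
The share and account advice in the list above (no whole-drive shares, write access kept to a drop folder, Guest disabled, Administrator renamed, daily accounts in the Users group) can be checked with a script on current Windows versions. The script below is an added example, not part of the original post; it assumes Windows 10 / Server 2016 or later with the built-in SmbShare and LocalAccounts cmdlets, an English default Administrator name, and an elevated prompt, and it only reads settings.

```powershell
# Added example (not from the original post): read-only audit of the share and
# account advice above. Run from an elevated prompt on Windows 10 / Server 2016+.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Item, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Issue = $Issue })
}

# Well-known SIDs that effectively mean "anyone": Everyone, Anonymous Logon,
# Authenticated Users, BUILTIN\Users, BUILTIN\Guests. SIDs are language-neutral.
$broadSids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-546'

function Resolve-Sid([string]$AccountName) {
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable name: treated as not broad
}

# --- Shares: no whole drives, and write access only for named accounts ---
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    if ($share.Path -match '^[A-Za-z]:\\?$') {
        Add-Finding 'Share' $share.Name "shares an entire drive ($($share.Path))"
    }
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        $allowed  = "$($ace.AccessControlType)" -eq 'Allow'
        $writable = "$($ace.AccessRight)" -in 'Full', 'Change'
        if ($allowed -and $writable -and ((Resolve-Sid $ace.AccountName) -in $broadSids)) {
            $issue = "$($ace.AccessRight) access for $($ace.AccountName); keep this to a drop folder"
            Add-Finding 'Share' $share.Name $issue
        }
    }
}

# --- Accounts: Guest disabled, Administrator renamed, passwords required ---
foreach ($user in (Get-LocalUser)) {
    $rid = $user.SID.Value.Split('-')[-1]
    if ($rid -eq '501' -and $user.Enabled) {
        Add-Finding 'Account' $user.Name 'Guest account is enabled'
    }
    # Assumption: English default name; localized builds use a different default.
    if ($rid -eq '500' -and $user.Name -eq 'Administrator') {
        Add-Finding 'Account' $user.Name 'built-in Administrator still has its default name'
    }
    if ($user.Enabled -and -not $user.PasswordRequired) {
        Add-Finding 'Account' $user.Name 'enabled account does not require a password'
    }
}

# --- Daily-use accounts belong in Users, not Administrators (S-1-5-32-544) ---
try {
    foreach ($member in (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)) {
        if ($member.SID.Value -notmatch '-500$') {
            Add-Finding 'Admins' $member.Name 'in Administrators; confirm it is not a day-to-day account'
        }
    }
} catch {
    Add-Finding 'Admins' 'Administrators' "could not enumerate members: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No findings.' } else {
    $findings | Sort-Object Area, Item | Format-Table -AutoSize -Wrap
}
```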