Cult of the D.O.A. security

A nervous cow (AKA Mr Milkshake)


It isn't only bugs that live in the global net, there are spiders too, and these are ready to chew a new butt hole in your Operating System and/or shiny new application. Has a spider caught you in its web yet?

The problem with on-line security is that it's one of those boring topics most users don't want to deal with, well, not until their system goes belly up and becomes 'worm food'. The environment of the average computer user doesn't, according to big evil MonkeySlap Corporation(s), need much security. Recent events have shown this to be entirely false. The sheer growth of e-commerce, e-mail and espionage-like attacks has pushed this topic to the front of most surfers' minds, and rightly so.


Too late?

The vast holes in a certain OS have left many people open to attack. For them surfing comes at a heavy price; someone has removed all the shark signs from the digital beach. Keep a foot in the water long enough and soon you'll be seeing red. That red might be on your bank balance, or from your HD light as parts of it go missing in cyberspace. The Windoze system is very weak and looks likely to remain so for the near future. We all know the vast resources the company has, and the criticism it gets from both users and the commercial world, yet still it appears unwilling to address the problem of security, favouring instead more and more features in each new release.

Sadly, countless users will only confront the on-line security issue after a visible attack, or sometimes after a friend or relative has been the victim of a virus or remote take-over. There are thousands of web sites offering trial or freeware anti-virus programs; some even provide an on-line scan of your system. So why do so many of us do so little to protect ourselves?

Could it be time, lack of interest, or can it be explained by the embarrassment of having to admit that even with all your 'u1tr@-ill-eet' knowledge your punk ass just got nailed by a five-year-old kid using his dad's mobile phone? Perhaps the male ego has contributed (in some small way) to the speed of infection around the world. Big companies and ISPs don't want to broadcast the fact either, because most of them sell their products/services on the sole basis of good security. The only ones wanting to publicise the danger of being on-line seem to be the anti-virus providers and some hackers themselves.

Talking about publicity, why do the few television programmes which claim to deal with the 'cyber-horror' and 'threat to mankind' give such a shallow insight and only scraps of advice to their terrified audience? Well, it could be that most journalists and programme makers are totally lost when looking into the field of computers, the Internet and the hackers, crackers, virus-writers and criminals, or maybe they just want a 'good' story, something to grab the attention of viewers using shock tactics.


Pre-emptive protection

Of course just buying the latest anti-virus utility isn't enough to protect yourself, but it is a start. Something like McAfee or Norton AV is a first step. Installing Network ICE's BlackICE Defender is another good idea. The normal 'make backups' strategy and keeping passwords OFF your computer (e.g., in a text file on a 1.44MB disk, which then becomes the thing you have to lock away) are two more ways in which you can help improve your PC's protection. Using passwords on your ZIP/RAR/ACE/etc... archive files is another basic level of security, though bear in mind that the classic ZIP password scheme is known to be weak, so don't trust it with anything that really matters.


In short, do something NOW !!


Plug-in perils

A million sites offer you free plug-in software to enhance your surfing experience. We have the well known ones like RealPlayer, RealAudio, Flash animation, MP3 and MOD players and all the other multi-media players, but there are also a large number of mystery plug-ins from companies you have never heard of before. Now, how can you be sure that these are safe to use?

You can't. There has been obvious 'cyber-squatting' of highly desirable dot com domain names and hijacking of well known, widely used sites. Just imagine the damage which is possible if these net crimes went unnoticed for any length of time. Plug-ins can be faked, bogus software linked from a site, and Trojans concealed in your favourite utility.

Take the widely used ICQ communication tool for example. With this program installed on your machine you spend hours on-line chatting to other people. It lets others know when you're connected to the Internet and provides support for file transfers and e-mails. Now imagine if a bogus ICQ version reached a wide audience. Not only would hackers have access to your machine, they would immediately know when you're on-line, basically telling them "Hey, my door is now open, so please come and hack me!" Think of what could happen if your WinZIP/RAR/ACE compression tool or your assembler/compiler got infected; a compromised compiler can quietly plant a back door in every program you build with it.
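As an added example (not part of the original article, and not code from any of the products named above), here is one way to check that a downloaded plug-in or utility is the one the publisher actually shipped: compare its SHA-256 against a manifest the publisher distributes in the common `SHA256SUMS` layout ("hex digest, two spaces, file name"). The file names, file contents and manifest below are constructed for the example; they are not real downloads.

```python
"""Verify downloaded files against a publisher's SHA-256 manifest.

Added example: assumes the publisher hands out a SHA256SUMS-style
manifest. Everything below (file names, contents, manifest) is
constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample downloads: the plug-in as the publisher shipped it,
# and a copy with a few bytes changed (a stand-in for a trojaned build).
GENUINE_PLUGIN = b"MZ\x90\x00 genuine plugin v1.0 -- harmless payload"
TAMPERED_PLUGIN = b"MZ\x90\x00 genuine plugin v1.0 -- harmless pay1oad"

# Publisher manifest in "<hex digest>  <filename>" form, built here from
# GENUINE_PLUGIN so the example runs stand-alone. Comment and blank lines
# are included to show they are tolerated.
MANIFEST = (
    f"{hashlib.sha256(GENUINE_PLUGIN).hexdigest()}  plugin.exe\n"
    "# lines starting with '#' and blank lines are ignored\n"
    "\n"
)


def parse_manifest(text):
    """Return {filename: hexdigest}; raise ValueError on a malformed line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)  # must be 32 bytes of hex
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex") from None
        entries[name.strip()] = digest.lower()
    return entries


def verify(files, manifest_text):
    """files: {filename: bytes}.

    Returns {filename: status} where status is one of
    'ok', 'MISMATCH' (hash differs), 'NOT IN MANIFEST' (unexpected file)
    or 'MISSING' (listed in the manifest but not supplied).
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest is not strictly required for a public hash, but it
        # is the habit to keep for any digest comparison.
        ok = hmac.compare_digest(actual, expected[name])
        results[name] = "ok" if ok else "MISMATCH"
    for name in expected:
        if name not in files:
            results[name] = "MISSING"
    return results


if __name__ == "__main__":
    print("genuine :", verify({"plugin.exe": GENUINE_PLUGIN}, MANIFEST))
    print("tampered:", verify({"plugin.exe": TAMPERED_PLUGIN}, MANIFEST))
    print("unknown :", verify({"other.dll": b"\x00"}, MANIFEST))
```

A manifest fetched from the same site as the download proves nothing if that site has itself been hijacked, which is exactly the case this section warns about. The digest has to come from somewhere you trust separately: a manifest signed by the publisher, or a second channel such as a printed magazine listing or a mirror run by someone else.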


Still think on-line security isn't important?


Profit before Protection

In the UK we have a current affairs news programme called 'Panorama' (no Chris, this isn't a reference to your nice browser.. hehe). This programme explored the world of cyber-crime and talked with a young hacker called Raphael Gray. In January he created a simple program which targeted 9 on-line stores and randomly looked for security weaknesses, and yep, he managed to gain access to over 26,000 credit card details on retail sites. Being a good citizen (heheh) he contacted some of the retailers suggesting that they improve their security.... and not one of those companies responded. So he created a site and posted some credit card details in order to publicise their slack security.

Now, some other evil surfers used some of the credit cards and went on a major shopping spree. This led to Mr Gray getting into a 'little' bit of trouble with the police.


This Cow has ceased to be.

In a certain area of San Francisco lives CDC (Cult of the Dead Cow). In their "New Hack City" (a secret location) Gothic hackers produce some interesting little utilities like Back Orifice 2000, which help to say to the world, "Hey, wake up!". There were a few nice visual touches in New Hack City, like a poster saying "Coding is not a crime: Electronic Frontier Foundation www.eff.org" and of course a dead cow's skull nailed to a post.

The Panorama programme interviewed both Sir Dystic and Deth Veggie, who gave a straight, honest view of the Internet and security (or lack of it). Sir Dystic created the Back Orifice program in order to show up the vast number of flaws in MonkeySlap's Back Office. It gives a hacker the ability to take control of another person's computer. The TV programme set up a little demonstration using the reporter's computer, which was placed 3 miles away. Sir Dystic sent the software to the reporter by e-mail. Meanwhile the reporter, together with Phreak-out (or is it 'Freak-out'?), another member of CDC, waited by the laptop.

Once the reporter opened the e-mail her laptop was taken over and Sir Dystic had complete control over her machine. Pop-up windows appeared saying "Cult of the Dead Cow Owns you!" and her e-mail message to the editor of Panorama was being edited before her eyes. In effect, she could only look on with horror as someone else took control. The Back Orifice program could grab bank account details, send bogus e-mails and generally screw the machine, all thanks to the MonkeySlap dweebs and their slack security.

Sir Dystic said, "By sacrificing security it is no longer a secure platform and it's certainly not something you should be doing on-line e-commerce on and on-line banking on, but they are marketing it for that purpose."

The reporter replied, "But they would say that the fact that you wrote this software is very malicious to show up the faults in this thing."

Sir Dystic: "It's malicious to show up, for example, a faulty seat-belt in a car? I don't understand how that is malicious."

Deth Veggie: "I've thought about this a lot and what Microsoft are doing is basically handing out loaded hand guns to school children and what we are doing is saying 'Hey, that's really, really dangerous'."

Sir Dystic: "We're pointing out to those kids that if you pull that trigger someone could get hurt."



Do you want 100% security?

First, go to the start menu, select Shut Down and turn off your PC. Now, remove the plug and never use your PC again!

So this isn't realistic, but it does demonstrate that a great number of us need to communicate with others, to spread our digital musings across the globe, and this means we must entrust ourselves to lots of 'messengers'. It all boils down to how much risk you are prepared to take. How much do you trust your ISP, for example? No matter how unlikely an attack on your machine is, there is still a small chance of it being infected. You can't eliminate risk entirely.

The above silly comment about unplugging your machine does offer an elegant solution (in a way). A hacker or virus can't attack data unless there is some form of physical connection. For example, those 1.44MB disks in your disk case can't be destroyed, copied or modified unless you physically insert the disk in the drive. Even this safety net (excuse the pun) is starting to vanish, now that WAP phones and other gadgets are filling our homes and offices. Soon every electronic piece of kit will contain some form of communication ability, and the possibilities for mischief will then be almost limitless.


A tale of virus woe

The entire subject of on-line attacks was finally brought home to me when I gained an addition to my InBox. Thankfully it was only a harmless message from an old friend. "Ah nice, another email", I thought, "from someone who I hadn't heard from in a long time." But the contents were shocking to say the least: he had been infected by 3 (repeat, 3) viruses, one Trojan horse and two Kat worm viruses. He doesn't know how he was infected and this, for me, is the most troubling part of security. After a small panic-attack he now has, with the help of Norton Anti-virus and the excellent BlackICE Defender, got a 'clean' machine.

After this email I scanned my system with at least three different AV programs and informed the people I regularly exchange emails with to check their machines too. I strongly suggest that everyone take a little time now to prevent a major problem in the future.

A simple way to check for email infection is to post a message to yourself and see if any strange attachments arrive. This only catches worms that piggyback on your outgoing mail, so treat it as a quick sanity check rather than a replacement for a full scan.


Lock your doors and don't get hijacked!


TAD