Rossander’s Security Reader

Every once in a while, security geeks talk about "rootkits" in tones of fear or loathing. Here’s what we’re talking about and why we worry about them (and why you should, too).

A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In the old unix terms, this was called ‘root’ access – the equivalent level of authority in Windows is ‘administrator’.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can’t.

Rootkits are also different in that they generally limit themselves to seizing and holding control of one system – a virus, on the other hand, is will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.

Rootkits frequently masquerade themselves as other files and/or deliberately hide files from programs that are used by legitimate administrators to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.

Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers’ computers to exploitation by anyone who knew to look for the backdoor the rootkit created.

To defend against rootkits:

• Practice safe surfing – don’t go to virus-infected websites. Music-sharing, video, software, porn, hacker and other ‘gray’ websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, “there ain’t no such thing as a free lunch“. If they’re not making money through sales or advertising, they’re probably getting something else out of the deal – don’t let that something be your computer.
• Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
• Keep all the applications on your computer fully patched.
• Keep your firewall turned on and locked down as far as you can go. This won’t necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
• Turn off your computer when you’re not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn’t exposed to exploit while it’s turned off.
• If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they’re that hard to get rid of.

All the kids are doing it. And depending on which news reports you read, it’s either the inevitable wave of the future or another sign of the collapse of our society – or both. But what is filesharing really?

Filesharing is the term for software designed to make it easier for you to share stuff through your computer with other people. (I use the technical term “stuff” here because you can share literally any electronic file through these tools but the most common shared files are documents, music files and videos – and viruses. More on that in a minute.) The most common form of filesharing is “peer-to-peer” (P2P) sharing, a way to share files directly from your computer to someone else’s computer without needing to store it on a server somewhere. If I want to download a file that you’ve offered up for sharing, I reach through the internet and grab it directly off your computer.

This kind of filesharing requires special software such as Limewire, BitTorrent or Kazaa. These applications create an index of the files that you’ve offered for sharing and publish the index to the Internet so others can find your files. They also let you access the index and download the files you want. Filesharing is an easy way to publish documents widely and can get you access to all kinds of free content. Music is especially easy to find.

The problem with filesharing is that it exposes you and your computer to all sorts of risks that are not disclosed by the filesharing network or those “friends” who are pressuring your kids.

• When you use P2P, it is essentially impossible to verify that the file is trustworthy. Hackers hide spyware, viruses, worms and trojan horses and other malicious code into the files. When you download the file, you infect your own computer.
• P2P also opens up your computer to outsiders. The applications claim to only expose certain directories but 1) you don’t know if the application is locking the folders down properly and 2) it’s too easy to misfile a confidential document in a shared folder. Any little mistake opens up your confidential information to the world.
• Most P2P applications require you to open up certain ports on your firewall so it can send or receive the files. Hackers exploit those open ports to attack your computer directly anytime it is connected to the internet.
• And, of course, the big risk that got so much press when Napster was being sued into bankruptcy is the phenomenally high proportion of copyrighted material being illegally offered for “sharing”. If you download pirated content, even unknowingly, you could face fines or other legal action. The Recording Industry Association of America (RIAA) is especially aggressive about finding and suing individual users who have illegally copied content on their computers.

If you run a network, either at a business or at home, I strongly recommend that you block filesharing sites. Remember, you go to jail or pay the fine whether they downloaded the illegal software with your knowledge or not. If you have kids, turn on your computer’s parental controls and block those sites. Teach your kids to buy their music legitimately.

Westfield recently started receiving "alerts" about internet domain registrations from a company in Asia. This company claims to have received an application for internet domains that are close to Westfield’s main domain, westfieldinsurance.com, but carry different suffixes such as westfieldinsurance.net.cn, westfieldinsurance.hk or westfieldinsurance.asia. The email claims that the company "discovered" that the brand keyword matched our name and trademark and asks someone to contact them "before we finish the registration" for the other company.

On the Internet, the domain naming system treats every combination of domains as a unique destination. Owning example.com gives you no special rights to example.org. And while you may be able to make a case for trademark infringement, the domain naming system has a strong bias in favor of "first-come, first-served." If a domain name is important to your brand, you need to act to protect it.

If you’re not already monitoring internet domain registrations that are similar to your trademark and business, you really should start. There are several good monitoring services out there, some that will send daily alerts for free. Remember, however, that you can’t commandeer every possible variation of your domain – there are just too many possibilities. Get the domains that you think are most important and monitor the rest.

The message from the Asian company, however, is a scam. We have traced two different types of these messages so far. In the first case, it was a straightforward con for a credit card number. In the second case, it was an actual domain registrar using questionable tactics to generate business. In both cases, we investigated the company – a Google search on some keywords from the email will often return examples of others who have run into the same con – and decided not to respond to their phishing attempt.

If someone registers a domain name similar to yours, look at the domain registration. (There are several excellent lookup tools on the web. I tend to use whois.domaintools.com). If the other person registering the domain appears to be a legitimate business that just happens to have a similar name to yours, don’t worry too much about it. We regularly bump into the the Westfield Group that owns Westfield Shoppingtown Malls (an Australian firm). We also know about domains registered to a car repair shop on a Westfield Road in Indiana. There’s no connection and no evidence of fraud – and they got to the domain first. As long as they keep the domain out of the phishers’ hands, I can live with that. I also don’t worry too much about the domain resellers who buy the domain name then “park” it with some generic ads. (Here is an example.) As long as there’s no evidence of misuse and no obvious confusion with my brand, I’m willing to let most of those sit.

Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?

Technically, metadata is data about other data. If the customer’s address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.

From a legal point of view, metadata is everything about the document that’s not immediately visible when the document is printed. It includes all the MS Office "properties" like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.

For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report’s author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.

When you get into a legal situation, metadata becomes even more important. Metadata is used to show “who knew it and when they knew it” – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.

And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don’t want public.

Most people surf the web and chat online thinking that they are hidden behind the anonymity of the computer screen. Few people realize that they are leaving footprints all over the web anytime they go online. Here are some of the things that are automatically sent to the website’s computer whenever you visit the site:

• Your IP address – Every computer on the internet is assigned a specific, unique IP (internet protocol) address. That IP address can’t be easily traced to a name directly except by your internet service provider but it can be correlated with your other online activity. So if you disclose your name in a blog or when writing a book review, someone might be able to trace that back and match it to your other internet habits. You can look up your current IP address at showmyip.com.
• Your computer’s software load – Many websites want to know what web browser you are using (including which version). Legitimate sites use this information to adjust for differences between the way browsers display the webpage. A page that looks fine on Internet Explorer may not display properly through Mozilla’s Firefox so the website developer adds code to tweak the display based on your browser. Unfortunately, the information sent to the website does not end with the browser. They may also be able to read your operating system and other details.
• Your page visit history – The website can often track which pages you visited, how long you stayed on a given page and where you were just before you came to the website. (This is often helpful for companies who want to know if you came to the site from a search engine and if their advertising dollars are being well-spent.)

If a web site uses cookies, they can collect even more information. The information they can collect about your browsing habits is limited only by their own privacy policy.

On the other hand, If the site you’re visiting is malicious, all bets are off. Your privacy is completely dependent on the strength of your antivirus/antispyware programs and how up-to-date you keep your patches. Hackers at these sorts of sites can use all sorts of techniques to either steal information or trick you into revealing more than you intended. They will try to steal passwords (knowing that many people reuse the same password and that, by compromising this password, they have a very good guess at your online bank or work password), load viruses and may even attempt to alter the security settings on your computer so that they can access and use your computer for other malicious activity.

You can reduce the amount of information revealed about yourself by only visiting legitimate sites, checking privacy policies and paying careful attention to the personal information you provide. Don’t post your address, password, or credit card information unless you trust the site. Look for indications that the site uses SSL to encrypt your information. Limit what cookies you allow and be careful which web sites you visit; if it seems suspicious, leave the site.

And, of course, always keep your antivirus software up-to-date and your computer fully patched.