Information Security News mailing list archives

Rampant attacks on home PCs


From: InfoSec News <isn () c4i org>
Date: Fri, 29 Mar 2002 02:55:14 -0600 (CST)

http://star-techcentral.com/tech/story.asp?file=/2002/3/27/technology/27hac&sec=technology

By M. MADHAVAN 
Wednesday, March 27, 2002

PETALING JAYA: Users who have installed host-based firewall software
on their home PC are beginning to notice an unusual number of
attempted attacks on their home machine and are perplexed by it.

The National ICT (Information Communication Technology) Security and
Emergency Response Centre, or Niser (www.niser.org.my), said the
attacks are largely due to "active scanning" by automated tools,
initiated by humans or run by malicious code, targeted at any computer
connected to the Internet.

"Until now, scans by old viruses such as CodeRed and NIMDA are still
active although the number has dwindled compared to the first three
months when the viruses were first detected last year," said Raja
Azrina Raja Othman, Niser Assistant Director 1.

(The CodeRed worm racked up damages in excess of US$2.6bil (RM9.9bil)  
worldwide, while the NIMDA virus spread like wildfire and infected
over 2.2 million servers within a 24-hour period.)

Host-based firewall software, which sits on the user's computer,
monitors incoming and outgoing data traffic and will block out
unauthorised access to the computer.

"The active scanning probably has always been there, except it has
been hardly noticed when host-based firewalls were not prevalent among
PC users back then," she said.

Active scanning on the Internet has been reported ever since hacking
tools and Trojans became widely available in 1998, she told In.Tech.

Also, certain Trojans, like Netbus or Subseven, make it easier for
other malicious programs to breach a PC's security, Raja Azrina said.

Viruses replicate themselves and spread to other computers via the
Internet, e-mail, infected programs and floppy disks, and usually -
but not always - cause some harm to their host.

Trojans, unlike viruses, do not replicate themselves and require
someone to plant them in your machine or send them to you via e-mail.
Usually Trojans cause damage or compromise the security of the
intended computer.

Niser, set up by the National Information and Communication Technology
Council (NITC) last year, works with government and private bodies to
address security-related issues in the country.

Niser was originally expanded from the Malaysian Computer Emergency
Response Team (MyCERT), which was set up in 1997.

However, security specialist Symantec Corp (M) Sdn Bhd (
www.symantec.com.my ) said that consumers are becoming a bigger target
because home computers are easier to break into.

"Home computer users are houses with the doors and windows open
whereas big corporations know that they are targets and have hired the
appropriate IT staff to help "lock" their machines from would-be
hackers," said Gun Suk Ling, Symantec country manager for Malaysia and
Indonesia.

According to Gun, being a hacker no longer requires a lot of technical
knowledge and one can easily download various hacking tools from the
Internet.

To gauge the extent of attacks on consumers, the company invited home
computer users from the Sydney PC User Group in Australia to
participate in its research programme.

Research participants were given a copy of Symantec's Norton Internet
Security and asked to carry on surfing the Internet as usual, while
the software logged hacker activities without alerting the users.

In the period of one month over which the research was conducted, the
research participants recorded 1,199 attempted intrusions. And one
person received 166 attacks in just 14 days, she added.

According to statistics on Niser's website, viruses posed the biggest
threat last year, with hacking attempts and intrusion coming in second
and third respectively.

Users can best protect themselves with a properly configured antivirus
program or host-based firewall, said Gun, adding that most PCs sold
these days should be bundled with antivirus software.

"Antivirus software should not be a luxury item for PCs anymore; it is
a necessity," Raja Azrina said.

Antivirus software needs to be updated regularly and users need to be
educated on basic do's and don'ts of protecting a PC, she said.

For instance, users should practice caution when opening
suspicious-looking e-mail messages because a majority of malicious
code travels and infects computers via e-mail attachments, she said.

If users decide to rely on host-based firewalls, they need to do a
certain amount of configuring to make sure they get optimum protection
because some of this software does not offer much protection on default
settings, she said.

A properly-configured host-based firewall will help prevent unwanted
traffic from entering or leaving a PC even if the PC has been
infected, she said.

With the precautions, it is safe to access the Net, but there is never
a 100% guarantee because there have been and will always be new and
innovative bugs that will find a security loophole in a PC, she said.

Symantec said that while viruses remain the primary threat to online
users, anti-virus software does not stop hackers from breaking into a
computer.

"Hackers rely on a variety of tools to identify computers on the Net
and to break into them and antivirus software would not stop that from
happening," said Gun.

"Every minute your computer is online, it's vulnerable to intrusions
and information theft. That's true no matter what kind of Internet
connection you have; therefore it is important to install an effective
firewall and antivirus software for complete protection," she said.

Symantec recommends using its Norton Personal Firewall 2002, which
provides the most sophisticated technologies available to protect
against Internet threats without sacrificing usability, she said.

The software detects active scans and automatically blocks hackers
from accessing the user's computer, and any suspicious goings-on within
the computer are reported with a threat-level assessment to help users
make the right choice, she said.

One of the readers who sent an e-mail to In.Tech about the incessant
attacks made on his PC wanted to know if it was possible to report the
attacks.

If a user finds many hacking attempts made on their machine, they can
report the incidents to MyCERT at mycert () mycert org my. They need to
provide information relevant to the incident, such as the attacker's
IP address and when the attacks occurred, she said.

The information can be retrieved from most host-based firewalls, which
dutifully keep track of all attacks in a log file.

MyCERT will act as the intermediary in coordinating the response from
various parties, including Internet Service Providers, law enforcement
agencies and international incident response teams.

A brief observation of the attack would also be helpful, she said,
adding that users should read the article titled Incident Reports at
Niser's website for detailed steps of the process.




-
ISN is currently hosted by Attrition.org
