Internet security 2 : There’s a lot more going on than you’d think.

In a previous article here, I gave some information about what basic precautions you should take in order to enjoy the web safely. I’d like to drop down to a slightly lower level and tell you a few more simple things you can do to make surfing the web a lot safer. They won’t be technical at all and are well within the reach of the ordinary computer user.

All operating systems and programs need what are called patches applied to them. A patch is simply a correction made to software because there’s a fault. The fault may be a programming error that causes the software to malfunction in certain circumstances or it may just be closing down a security loophole that has been found. We’ll be looking at the latter.

Everything I’m going to say applies to all computers, irrespective of whether they’re Windows, Apple, Unix or any other types of machine. A factoid, otherwise known as an urban legend, seems to have grown up and entered the consciousness of the internet that it’s only Windows machines that get attacked or have vulnerabilities. This is simply not true. Yes, you hear a lot about security holes in Windows but all the other machines have them too. The worrying thing is you don’t hear enough about them on these other machines, which makes me think they’re not being guarded against and are going largely undetected.

All those smart phones are just another type of computer as well, with the same sort of security loopholes. On the current generation of these, this is a problem that’s not being either acknowledged or addressed by their manufacturers. This is the reason why, for the moment, I stick to using an old phone which can just make and receive calls and text messages.

An unpatched computer is, as you’d suspect, a machine that is missing the latest patches. They haven’t been applied. It’s always important to patch your computer’s programs but if it’s not connected to the internet it’s not particularly urgent. If it’s going to be attached to the internet, it’s crucial. I’m going to try to give you an idea why it’s crucial.

Any time you buy a brand new computer, it’ll be unpatched. Why’s this and how can it be? The answer is that there is a time gap between the manufacture of a computer, the installation of its software, the shipping to a warehouse, its distribution out to retailers and its eventual purchase at some point, perhaps months later, by a consumer. In that time interval, security loopholes will have been discovered and patches developed to plug them but that new machine you’ve just bought won’t have any of them. A security researcher, knowing this, plugged such a machine into the internet to see what would happen.

It was hijacked within 25 minutes.

Who did it, why did they do it and most importantly how did they do it and so fast as well? Before answering those questions, I have to tell you something; your computer has a unique address, like every other computer connected to the internet. It’s called your Internet Protocol address or IP address for short. There’s a lot more to it but conceptually, it’s just like your postal address. If someone wants to send you a letter, they need to know your full address and the reverse applies. If you want to send them a letter, then you need to know their full address. Looked at a certain way, the internet just sends screens containing information between computers but instead of using postal addresses, it uses IP addresses.

What happened to the machine was; its IP address was scanned, the scan detected that a certain security loophole had not been patched so a program was run which exploited the loophole to take over the machine. So there’re people out there scanning IP addresses all the time, looking for unpatched machines? No, what‘s out there are Not Very Nice Persons (NVNPs) who can write a hijack program which will do both the scanning and hijacking of unpatched machines automatically and for a specified range of IP addresses too.

Having written the hijack program, all they need to do is manually find and hijack one machine and install the program on it. From then on, it’s the manually hijacked machine that runs the hijack program that does the scanning and hijacking. They’ve automated the job you see. Some of the newly hijacked machines will have the hijack program installed on them too so pretty soon the NVNP has a large and geometrically growing collection of machines under their control. The number can very quickly grow into the tens or hundreds of thousands. Just to get the vocabulary right, the name for a hijacked machine is a zombie and for the NVNP’s collection of hijacked machines, a botnet. Calling a botnet a zomnet wouldn’t have been half as dramatic I suppose.

But why on Earth do they want your machine? Well, the good news is, it ain’t personal, it’s just business, as the say in all the best gangster movies. They’re not particularly interested in you or your machine, they just need it to post some emails for them. They’re spammers. When you go online, your zombie machine receives fresh advertising copy and a list of email addresses for the current mail shot. For the rest of your online session, it’s invisibly doing some emailing in the background while you’re surfing. The piece of software inside your machine receiving instructions and doing the emailing is called a spambot.

Why can’t they use their own machines? The answer is, they used to use their own machines until enough people complained about the amount of spam being emailed from them so emails from the spammer’s IP addresses were blocked. It’s a profitable business and the only way they could stay in business was to diversify, so to speak. Instead of emailing from their own IP address, which could easily be blocked, they email from the IP addresses of millions of zombies which can’t all be blocked. From a business viewpoint, this also cuts down on their hardware overheads. Over 90% of all email traffic on the internet is now spam, most of it originating from zombies in botnets.

The first generation of spambots used as much of the user’s internet connection speed, called the bandwidth, as they could. This led to the user not being able to use the internet so they didn’t. Not good news for the spammer. The spambots were therefore modified not to use all of the user’s bandwidth and leave some for the user. The spam business, like all businesses, is competitive. There are lots of botnets out there run by different spammers. When competitors hijacked the same unpatched machine, the user ended up with even less bandwidth or none at all so they stopped using the internet. Having several different types of spambots in the same zombie machine also interfered with each others proper operation as well as the machine’s.

This led to the spambot wars which rage to this day. When a hijack program found an unpatched machine with a competitor’s spambots already installed, it deleted all of them and installed its own spambot. The next escalation was to try to fix the security hole with their own patch to keep the competitors out of the unpatched machine. After that, hijack programs were modified to unpick the competitors patch, install their own spambot and put in place their very own patch.

Each botnet is controlled by a spammer from a central machine. If a competitor can find one of the zombies being controlled, they can track back to the central machine. If they watch and analyse the instructions being sent by it, they can find out the IP addresses of all the zombies controlled by it and either start feeding the zombies their own emails to send or attempt to steal the whole botnet. This led to authentication of messages to botnets from the controlling machine to prevent whole botnets being hijacked. And so it goes, on and on. Essentially, it’s the usual arms race.

Email addresses are very important to spammers so having compromised a machine, copying every email address in it is a priority. They’re used not only as targets for spam but in some situations, are used as the supposed senders of the spam. Your friends start sending spam to each other. It can all get very confusing very fast.

The overwhelming majority of machine hijacks are done by spammers but there is another type of person who does the same but for a different reason. They’re assembling a vast collection of zombie machines to commit at some future point what’s known as a Distributed Denial of Service or DDoS attack on a website to make it inoperable.

To get an idea of what a DDoS attack is, imagine a meeting room with a few people in it who are doing a telephone conference call to an external party and asking them questions. Given a bit of politeness, the external party can keep up with a steady stream of questions from the people in the meeting room. However, if the room is invaded by a flash mob of people, all of whom are shouting questions down the phone, the exterior party is soon overwhelmed and can’t answer any questions at all. If you think of the external party as a website, the meeting attendees as its legitimate users and the botnet being activated as the flash mob appearing, that’s pretty much what a DDoS attack is. At any one time, something like 2% of all internet traffic is DDoS flooding.

The third category of person who is interested in hijacking machines is a lot more shadowy and a lot more dangerous to you. They want your machine to act as a buffer and cut-out between their machine and the internet. Essentially, they’re probably up to no good and taking the precaution that if whatever they’re doing is traced back to a machine, it won’t be their one. It’ll be yours.

After this little trip around the murkier but interesting side of the internet, I hope you can see why it’s so important to keep your machine’s software up to date by applying all the latest security patches as soon as possible. That experiment the researcher did with the unpatched machine took place over five years ago. I suspect it’d be hijacked in well under 25 minutes nowadays. As for how to do the patching, on Windows, like other consumer operating systems, this consists of ticking a box in the Security Centre. By default it’s set to on. What happens is your machine checks for new patches automatically every time you go online and if there are any, they’re downloaded and applied to your machine.

The other thing it’s vital to do is to have anti-virus software and make sure it’s up-to-date. If there is a bot inside your machine, it’ll detect it and remove it.

The takeaways from this one are :

  • Always make sure your machine has the latest security patches.
  • Keep your anti-virus software up-to-date.

Look after your machine or you’ll lose it and you might not even know it’s gone.

©Pointman

Related article :

Internet Security 3: The Worst Sort Of Predator.

Internet Security 1 : Let’s be safe out there.

Click for a list of other articles.

Comments
10 Responses to “Internet security 2 : There’s a lot more going on than you’d think.”
  1. UninformedLuddite says:

    I had a machine hijacked before the install process had even finished. Yes, i was dumb and left it connected to the router while doing a clean install. Thankfully it was one of the vulnerabilities (a few years back now) when the exploit used had to force a reboot of the machine. Thankfully I noticed it happening. So i beat 25 minutes. I win the Internet.

    • Pointman says:

      Hello Lud. I always do a clean install on a new machine. Then, to get all the missing patches I configure my firewall to only allow access to the machine from one site; MS update.

      Pointman

      • UninformedLuddite says:

        Once 3D acceleration in virtual machines becomes acceptable I will only ever run windows in a virtual machine. Don’t get me wrong I am not one of those Linux ‘fanbois’ (they bug me) but using Linux day to day makes me feel a hell of a lot more secure online. Windows is only used when the big kid in me needs a bit of FPS entertainment.
        Plus I have it configured to email any attemptive crackers data without me having to lift a finger (www.cipherdyne.org/psad/ – psad is a wonderful program and well worth a look if your net exposed box runs a flavour of Linux). There’s actually a sick & twisted part of me that likes to edit config files from the command line and my PDP11 still worked the last time I turned it on which amply demonstrates my vintage.
        Although to get everything I desire running I need more electrickery than I currently have. We are now completely off the grid and on 60 acres building our own house. If you want to have a look at our project drop me a line. I don’t like exposing the blogspot address to harvesters as i am not trying to sell someone’s crappy cheap products in its comments.

  2. Pointman says:

    “Feds commandeer botnet, issue ‘stop’ command”

    “For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.”

    http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/

    An interesting development in the bot wars. The FBI are taking control of a botnet from the operators.

    Pointman

  3. Grumpy old fart says:

    There’s one thing that you haven’t mentioned here though: NAT. Most personal machines sit behind a broadband router and actually don’t have an external IP address that can be scanned or that will accept incoming connections at all. Connections are only ever made outgoing so vulnerability scanners just don’t see anything they can get hold of (unless they’re scanning the router for unpatched vulns of course). As an experiment I’ve been running my subsidiary PC with no AV and no firewall, continuously connected to the tubes via a NAT broadband router, and checking it every month or so for infections. Nothing so far, and it’s been doing that for over 3 years.
    One of the security concerns about iPv6 is that the need for NAT goes away, so as it starts becoming adopted we’re going to see a huge number of previously hidden PC’s becoming visible to the scanners. Those PC’s are probably going to be in a shocking state since they’ve been unknowlingly protected by NAT and assumed to be secure.

    • Pointman says:

      Hello and welcome Grumpy. There’s a lot of stuff I don’t mention in this series of articles because the intended audience is the general internet user and no special knowledge on their part about software is assumed; it’s just how they can protect themselves by doing things well inside their competance.

      I agree with you about iPv6, it’ll unmask a lot of machines that previously had no direct connection to the internet. If they keep on patching their machines and updating their AV, they’ll still be safe though.

      Pointman

  4. Denis of Perth, Australia says:

    Hi Pointman….
    I will appreciate if you can direct me to any organization that could teach me to track down where an email originates……
    My reason is because I would like to make an attempt to stop some of the regular scam mail I receive……I want to ‘fight’ back….so to speak.
    I did read some time ago of an org….but I am not sure now where they are based….
    Any help or pointers you may be able to give me will be most appreciated.
    Kind regards

  5. Pointman says:

    Hello Denis. Here’s a link to a site that gives a reasonable explanation of how to determine the IP address of a received email from what’s called its header.

    http://www.johnru.com/active-whois/trace-email.html

    In terms of reporting, this site is useful but you’ll have to find out the local organization that handles it in your country.

    http://www.helpwithpcs.com/internet/stop-report-spam-emails.htm

    Downunder, these guys appear to be the ones to get in touch with.

    http://www.acma.gov.au/WEB/STANDARD/pc=PC_310369

    What it’s important to bear in mind is, there’s only a one in ten chance that a spam email is not coming from a compromised machine. The person from whose machine it originates, is probably unaware that it’s sending them out.

    The most effective way of fighting back, is to flag it as spam and this reporting facility is available from all email providers. This is the most reliable way of updating their spam filtering software to bin spam before it ever arrives in your inbox.

    I hope this helps.

    Pointman

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: