|Hostile Java applets.
Malicious Web sites. Malignant ActiveX controls. You have heard about them
on TV. You have read about them in the papers. Maybe one has already trashed
your PC. Traditional virus scanners cannot catch them, and the havoc they
wreak can put your traditional virus to shame. At least one of these Web-borne
evildoers has the potential to transfer funds out of your Quicken-linked
Once it is downloaded from a Web site, the control scans a user's computer
for Intuit's popular Quicken finance software. The ActiveX control then
tricks Quicken into transferring funds from one bank account to another
the next time a user logs on to a banking service.
The incident underscores something that Microsoft, the creator of ActiveX
and most computer security experts have known for some time: Its programs
are not secure. While Java applets are prevented from performing certain
tasks such as erasing files from a user's hard disk, ActiveX controls —
small Internet programs that work mainly through the Internet Explorer
browser — are able to do virtually anything on a user's computer that a
programmer can dream up, including installing a destructive virus.
Instead of the "sandbox" model that cordons off Java applets, Microsoft
has created an "accountability" system, called Authenticode, which allows
software publishers to stamp their controls with a digital signature. If
a control does something bad to a user's computer, the publisher can be
tracked down and prosecuted. In other words, the Authenticode system does
not protect against malicious code; it simply makes it easier to find out
who wrote it.
However, it is easy for users to unwittingly accept an unsigned ActiveX
control if they get lazy or frustrated by the Authenticode warning window.
The Chaos club's ActiveX control, for example, is not signed. Once it is
accepted by an Internet Explorer user, the program is free to do its work.
Microsoft officials said that they are working to inform users more
about the capabilities, good and bad, of ActiveX. Within the next two weeks,
the company will kick off an educational campaign that focuses on security
issues. To be sure, security risks are involved in using any program, even
if it comes off a retail store shelf. But security experts have said that
the combination of the Internet and sensitive applications such as online
banking can lead to a greater risk of security breaches.
The good news: these threats are still rare. However, history has proven
there is no dearth of hackers who cannot wait to exploit the security holes.
Meet the latest breed of disk defenders: Net security "suites," built specifically
to defend you against the gaping security hole known as the Internet. In
addition to standard antivirus software, these products offer protection
against new Net-related threats such as hostile ActiveX controls and Java
applets. Privacy buffs, take note: some products remove or reject cookies,
encrypt your email, or even let you create personal firewalls.
Members of this first generation of Net security suites take different
approaches to defending your PC. If your browser is new enough to expose
you to these latest threats, it is new enough to protect you, too — sort
of. Both Netscape Navigator and Internet Explorer have built-in security
measures that are quite powerful if used correctly. Unfortunately, your
browser's security logic is binary: applets and controls are either in
or out. Better security suites, on the other hand, perform complex scanning
and use heuristics to determine if an applet is hostile.
ActiveX has a built-in security feature called signing that lets you
know where a control comes from. Developers must digitally "sign" any control
they create. Before you install and run any control, you are shown a "certificate"
telling you where it comes from and giving you the choice to abort installation.
Unfortunately, many of us have gotten into the habit of clicking OK without
ever reading the certificate. Besides, how can you tell whether a signature
can be trusted?
Thankfully, Internet Explorer 4.0 adds Security Zones, which allow users
to specify different security settings for different types of sites. For
example, you could allow all ActiveX controls on your company's Intranet,
forbid all controls from certain sites, and require Internet Explorer to
prompt you before running all other controls. Netscape Navigator takes
a different tack, refusing to support ActiveX altogether. You may not have
access to everything you would like, but at least you are safe.
Java's security model is somewhat more primitive, as are your browser's
Java security features. Unlike ActiveX, today's most prevalent version
of Java (1.0) has no concept of signing. You are left with a simple choice:
all or nothing. In both Navigator and Internet Explorer, Java is simply
turned on or off. Fortunately, current Java programs run in a sandbox,
a "safe zone" where the applet cannot do any serious damage to your system.
Of course, a malicious programmer can still make your life difficult by
writing Java programs that bog down your system or otherwise annoy you,
even if they cannot rename, delete, and write to files as can an ActiveX
There are many features in these products (they are suites, after all),
some more important than others. The two most important features are Java/ActiveX
protection, and virus protection. Beyond that, look for a suite that caters
to your specific security needs by bundling such features as encryption
and password protection.
The most effective Java/ActiveX protection works just like traditional
antivirus software, combining a scanner with heuristic abilities. While
both Guard Dog and McAfee adopt this security model, McAfee has the better
implementation. The scanner should have a beefy catalog of identified hostile
controls, bolstered by free, easy-to-install updates. Ideally, the product
should contain a list of banned sites and banned controls. It should also
halt the execution of suspect material before alerting the user.
The most useful and popular security suite extra is file and e-mail
encryption. Encryption software encodes your data using a secret key, protecting
it from all but the most ambitious intruders. Look for a package that is
easy to understand — the toughest security in the world is worthless if
you cannot use it. Other useful extras include backup programs, diagnostic
utilities, and Internet content filters for kids.
The tightest security is worthless if it comes at the price of paralyzing
your PC. In addition, since these programs are constantly running in the
background, defending you against evil applets, you might expect your PC's
general performance to be slowed down some.
A new, multi-staged attack known as dDoS (distributed denial of service)
has appeared on the Internet. This attack uses a console that captures
a handful of controllers and thousands of agents. The console sets up the
controllers for an attack and then vanishes. After days or weeks have passed,
the staged controllers contact the captured agents, which then launch thousands
of attacks against a single system. Simply put, dDoS can bring our brave
new e-commerce world to its knees.
Apparently, the only effective defense is to get every legitimate network
to implement address filtering. ISPs must put ingress filters on all dial-up
and cable servers, and all organizations with dedicated connections need
egress filters. Those who own the controllers and agents are hapless accomplices
to the true attacker-their systems have been compromised and malicious
code has been installed. Fortunately, it takes a skilled hacker to install
this code and vendor-recommended security patches go a long way toward
stopping these initial invasions and system corruptions. Keeping up with
security packets is more important than ever. Not only will you protect
your valuable data, you will keep from becoming an accomplice in attacks
against your neighbors. Finally, good intrusion-detection software that
uses some nonstandard communication protocols can alert administrators
that their systems have controller or agent software installed. Law-enforcement
agencies may one day use this information to capture real attackers.
The abundance of hate, spite, greed and insensitivity that has bred
dDoS attacks could spell the end of e-commerce as many of us have envisioned
it. However, dDoS just may bring us together on the Internet, creating
a community that once again cares about what happens to the next guy. If
you do not have your system protected with the latest virus protection
then you need to stay away from any contact with any other systems. You
do not know where they have been and you can only know where you have been.