
 Preventive Maintenance

Internet Security
April 2000

Russell James is Operations Manager at BJ Associates of San Antonio. They are an authorized service center for Toshiba and Sony systems. They are the laptop specialist and also handle system builds and parts for desktops. They can take care of any IBM compatible hardware or software problem that you have.

Hostile Java applets. Malicious Web sites. Malignant ActiveX controls. You have heard about them on TV. You have read about them in the papers. Maybe one has already trashed your PC. Traditional virus scanners cannot catch them, and the havoc they wreak can put your traditional virus to shame. At least one of these Web-borne evildoers has the potential to transfer funds out of your Quicken-linked accounts. 

Once it is downloaded from a Web site, the control scans a user's computer for Intuit's popular Quicken finance software. The ActiveX control then tricks Quicken into transferring funds from one bank account to another the next time a user logs on to a banking service. 

The incident underscores something that Microsoft, the creator of ActiveX, and most computer security experts have known for some time: its programs are not secure. While Java applets are prevented from performing certain tasks such as erasing files from a user's hard disk, ActiveX controls (small Internet programs that work mainly through the Internet Explorer browser) are able to do virtually anything on a user's computer that a programmer can dream up, including installing a destructive virus.

Instead of the "sandbox" model that cordons off Java applets, Microsoft has created an "accountability" system, called Authenticode, which allows software publishers to stamp their controls with a digital signature. If a control does something bad to a user's computer, the publisher can be tracked down and prosecuted. In other words, the Authenticode system does not protect against malicious code; it simply makes it easier to find out who wrote it. 

However, it is easy for users to unwittingly accept an unsigned ActiveX control if they get lazy or frustrated by the Authenticode warning window. The Chaos club's ActiveX control, for example, is not signed. Once it is accepted by an Internet Explorer user, the program is free to do its work. 

Microsoft officials said that they are working to inform users more about the capabilities, good and bad, of ActiveX. Within the next two weeks, the company will kick off an educational campaign that focuses on security issues. To be sure, security risks are involved in using any program, even if it comes off a retail store shelf. But security experts have said that the combination of the Internet and sensitive applications such as online banking can lead to a greater risk of security breaches. 

The good news: these threats are still rare. However, history has proven there is no dearth of hackers who cannot wait to exploit the security holes. Meet the latest breed of disk defenders: Net security "suites," built specifically to defend you against the gaping security hole known as the Internet. In addition to standard antivirus software, these products offer protection against new Net-related threats such as hostile ActiveX controls and Java applets. Privacy buffs, take note: some products remove or reject cookies, encrypt your email, or even let you create personal firewalls. 

Members of this first generation of Net security suites take different approaches to defending your PC. If your browser is new enough to expose you to these latest threats, it is new enough to protect you, too (sort of). Both Netscape Navigator and Internet Explorer have built-in security measures that are quite powerful if used correctly. Unfortunately, your browser's security logic is binary: applets and controls are either in or out. Better security suites, on the other hand, perform complex scanning and use heuristics to determine if an applet is hostile.

ActiveX has a built-in security feature called signing that lets you know where a control comes from. Developers must digitally "sign" any control they create. Before you install and run any control, you are shown a "certificate" telling you where it comes from and giving you the choice to abort installation. Unfortunately, many of us have gotten into the habit of clicking OK without ever reading the certificate. Besides, how can you tell whether a signature can be trusted? 

Thankfully, Internet Explorer 4.0 adds Security Zones, which allow users to specify different security settings for different types of sites. For example, you could allow all ActiveX controls on your company's Intranet, forbid all controls from certain sites, and require Internet Explorer to prompt you before running all other controls. Netscape Navigator takes a different tack, refusing to support ActiveX altogether. You may not have access to everything you would like, but at least you are safe. 

Java's security model is somewhat more primitive, as are your browser's Java security features. Unlike ActiveX, today's most prevalent version of Java (1.0) has no concept of signing. You are left with a simple choice: all or nothing. In both Navigator and Internet Explorer, Java is simply turned on or off. Fortunately, current Java programs run in a sandbox, a "safe zone" where the applet cannot do any serious damage to your system. Of course, a malicious programmer can still make your life difficult by writing Java programs that bog down your system or otherwise annoy you, even if they cannot rename, delete, and write to files as can an ActiveX program. 

There are many features in these products (they are suites, after all), some more important than others. The two most important features are Java/ActiveX protection, and virus protection. Beyond that, look for a suite that caters to your specific security needs by bundling such features as encryption and password protection. 

The most effective Java/ActiveX protection works just like traditional antivirus software, combining a scanner with heuristic abilities. While both Guard Dog and McAfee adopt this security model, McAfee has the better implementation. The scanner should have a beefy catalog of identified hostile controls, bolstered by free, easy-to-install updates. Ideally, the product should contain a list of banned sites and banned controls. It should also halt the execution of suspect material before alerting the user. 

The most useful and popular security suite extra is file and e-mail encryption. Encryption software encodes your data using a secret key, protecting it from all but the most ambitious intruders. Look for a package that is easy to understand; the toughest security in the world is worthless if you cannot use it. Other useful extras include backup programs, diagnostic utilities, and Internet content filters for kids.

The tightest security is worthless if it comes at the price of paralyzing your PC. In addition, since these programs are constantly running in the background, defending you against evil applets, you might expect your PC's general performance to be slowed down some. 

A new, multi-staged attack known as dDoS (distributed denial of service) has appeared on the Internet. This attack uses a console that captures a handful of controllers and thousands of agents. The console sets up the controllers for an attack and then vanishes. After days or weeks have passed, the staged controllers contact the captured agents, which then launch thousands of attacks against a single system. Simply put, dDoS can bring our brave new e-commerce world to its knees. 

Apparently, the only effective defense is to get every legitimate network to implement address filtering. ISPs must put ingress filters on all dial-up and cable servers, and all organizations with dedicated connections need egress filters. Those who own the controllers and agents are hapless accomplices to the true attacker: their systems have been compromised and malicious code has been installed. Fortunately, it takes a skilled hacker to install this code, and vendor-recommended security patches go a long way toward stopping these initial invasions and system corruptions. Keeping up with security patches is more important than ever. Not only will you protect your valuable data, you will keep from becoming an accomplice in attacks against your neighbors. Finally, good intrusion-detection software that uses some nonstandard communication protocols can alert administrators that their systems have controller or agent software installed. Law-enforcement agencies may one day use this information to capture real attackers.
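
The address filtering described above comes down to one check: does a packet's source address belong to the network it arrives from? The Python sketch below is an added example, not part of the original column; the prefixes, port names and packets in it are constructed for illustration.

```python
import ipaddress

# Constructed topology using documentation prefixes; all values are assumptions.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # addresses the organization owns
CUSTOMER_PORTS = {                                       # ISP access port -> assigned prefix
    "dialup-7": [ipaddress.ip_network("198.51.100.16/28")],
    "cable-3": [ipaddress.ip_network("203.0.113.0/25")],
}


def source_allowed(src, prefixes):
    """Return True if the source address lies inside one of the permitted prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: never forward
    return any(addr in net for net in prefixes)


def egress_filter(packet):
    """Organization border: let out only packets that claim one of the site's own addresses."""
    return "forward" if source_allowed(packet["src"], SITE_PREFIXES) else "drop"


def ingress_filter(port, packet):
    """ISP access server: accept only packets sourced from the prefix assigned to that port."""
    prefixes = CUSTOMER_PORTS.get(port, [])  # unknown port: nothing is permitted
    return "forward" if source_allowed(packet["src"], prefixes) else "drop"


def run_samples():
    """Apply both filters to constructed packets and return the decisions in order."""
    egress = [{"src": "192.0.2.44"},      # genuine site address
              {"src": "10.1.2.3"},        # forged source leaving the site
              {"src": "not-an-ip"}]       # malformed source
    ingress = [("dialup-7", {"src": "198.51.100.20"}),   # inside the /28
               ("dialup-7", {"src": "198.51.100.40"}),   # outside the /28: forged
               ("cable-3", {"src": "203.0.113.130"}),    # outside the /25: forged
               ("isdn-1", {"src": "203.0.113.5"})]       # port with no assignment
    return ([egress_filter(p) for p in egress],
            [ingress_filter(port, p) for port, p in ingress])


if __name__ == "__main__":
    print(run_samples())
```

A compromised agent behind either filter can still send traffic, but only with its real address, which is what lets the victim and the agent's own network trace and block it.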

The abundance of hate, spite, greed and insensitivity that has bred dDoS attacks could spell the end of e-commerce as many of us have envisioned it. However, dDoS just may bring us together on the Internet, creating a community that once again cares about what happens to the next guy. If you do not have your system protected with the latest virus protection then you need to stay away from any contact with any other systems. You do not know where they have been and you can only know where you have been.

Copyright© 1996-2010
Alamo PC Organization, Inc.
San Antonio, TX USA