Of course, such a defense exists and has been around for many years. It’s called antivirus software, and if you’re not running it on your system, you’re taking a big risk. Dozens of vendors offer antivirus software. Microsoft publishes a good list at http://support.microsoft.com/support/kb/articles/Q49/5/00.ASP. Most of the major brand names (such as Symantec’s Norton Antivirus, McAfee, Data Fellows, Trend Micro, and Computer Associates’ Inoculan/InoculateIT) do a similar job of keeping malicious code at bay.

The one major drawback to the method employed by antivirus software is that it does not provide protection against new viruses that the software has not been taught how to recognize yet. Antivirus vendors rely on update mechanisms to periodically download new virus definitions to customers. Thus, there is a window of vulnerability between the first release of a new virus and the time a user updates virus definitions.

As long as you’re aware of that window and you set your virus software to update itself automatically at regular intervals (weekly should do it), antivirus tools provide another strong layer of defense against much of what we’ve described earlier. Remember to enable the auto-protect features of your software to achieve full benefit, especially automatic email and floppy disk scanning. And keep the virus definitions up to date! Most vendors offer one free year of automatic virus updates, but then require renewal of automated subscriptions for a small fee thereafter. For example, Symantec charges around $4 for an annual renewal of its automatic LiveUpdate service. For those penny-pinchers in the audience, you can manually download virus updates from Symantec’s web site for free at http://www.symantec.com/avcenter/download.html.

Also, be aware of virus hoaxes that can cause just as much damage as the viruses themselves. See http://vmyths.com/hoax.cfm?page=0 for a list of known virus hoaxes.

Guarding the Gateways

The most efficient way to protect large numbers of users remains a tough network-layer defense strategy. Of course, firewalls should be leveraged to the hilt in combating many of the problems discussed in this chapter. In particular, pay attention to outbound access control lists, which can provide critical stopping power to malicious code that seeks to connect to rogue servers outside the castle walls.

In addition, many products are available that will scan incoming email or web traffic for malicious mobile code. One example is Finjan’s SurfinGate technology (http://www.finjan.com), which sits on the network border (as a plug-in to existing firewalls or as a proxy) and scans all incoming Java, ActiveX, JavaScript, executable files, Visual Basic Script, plug-ins, and cookies. SurfinGate next builds a behavior profile based on the actions that each code module requests. The module is then uniquely identified using an MD5 hash, so that repeated downloads of the same module only need to be scanned once. SurfinGate compares the behavior profile to a security policy designed by the network administrator and then makes an “allow” or “block” decision based on the intersection of the profile and policy. (A verdict cache keyed on a hash is only as trustworthy as the hash: MD5 collisions are practical today, so a gateway built this way now should key on SHA-256 or stronger.) Finjan also offers a personal version of SurfinGate called SurfinGuard, which provides a sandbox-like environment in which to run downloaded code.

Finjan’s is an interesting technology that pushes management of the mobile code problem away from overwhelmed and uninformed end users. Its sandbox technology has the additional advantage of being able to catch code hidden by PE (portable executable) compressors, which compress Win32 .EXE files and thereby change the byte-level signature of the executable. The resulting compressed executable can bypass a purely static antivirus scanning engine because the original .EXE image is never restored on disk: the packer’s stub reconstructs it in memory only when the program runs, so the bytes the scanner sees never match the traditional signature. A sandbox that observes what the code does when it runs is not fooled by this. Of course, it is only as good as the policy or sandbox security parameters it runs under, which are still configured by those darned old humans responsible for so many of the mistakes we’ve covered in this chapter.
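The following Python sketch is an added illustration, not Finjan’s code and not part of the original text. It models the two mechanisms just described: a static byte-signature scanner that a packer defeats, and a gateway that instead profiles the actions a module requests, compares the profile with an administrator policy, and caches the verdict by content hash so a repeated download is not rescanned. The “executable” format, its one-action-per-line protocol, the toy packer (deflate plus XOR), and the policy are all constructed for the demonstration; SHA-256 is used for the cache key in place of the MD5 the text mentions.

```python
"""Toy gateway scanner (added example, not Finjan code).

Models three points from the text: (1) a static byte signature misses a
payload once a packer has transformed the bytes on disk; (2) a behavior
profile of the actions the code requests, compared with an administrator
policy, still yields an allow/block decision; (3) verdicts cached by hash
mean a repeated download of the same module is not scanned twice.
Everything here (the 'executable', its action protocol, the packer) is
constructed for the demonstration.
"""
import hashlib
import itertools
import zlib

# Constructed stand-in for a Win32 executable: a fake header line followed by
# one pretend "requested action" per line.
SIGNATURE = b"CONNECT evil.example:6667"      # what a static AV signature would match
ORIGINAL_EXE = (b"MZ\x00\x00\x00\x00\x00\x00\n"
                b"SET HKLM\\Run\n" + SIGNATURE + b"\n"
                b"EXEC cmd.exe\n")
BENIGN_EXE = b"MZ\x00\x00\x00\x00\x00\x00\nCONNECT update.example:443\n"

PACK_KEY = b"\x5a\xa5\x3c"   # toy packer's XOR key (assumption; any non-trivial key works)


def _xor(data):
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(PACK_KEY)))


def pack(exe):
    """Toy PE compressor: deflate the image and XOR it, as a packer/crypter does.
    The bytes on disk no longer contain any of the original byte sequences."""
    return b"PACK" + _xor(zlib.compress(exe))


def unpack(blob):
    """What the packer stub does at run time: rebuild the image in memory."""
    if blob.startswith(b"PACK"):
        return zlib.decompress(_xor(blob[4:]))
    return blob


def static_scan(blob, signatures=(SIGNATURE,)):
    """Classic signature check over the bytes as stored. True = signature hit."""
    return any(sig in blob for sig in signatures)


def behavior_profile(blob):
    """'Run' the module in a pretend sandbox and record the kinds of action it
    requests. Here running means walking the unpacked image one verb per line;
    a real sandbox observes API calls instead."""
    verbs = {b"CONNECT": "network", b"SET": "registry_write", b"EXEC": "spawn_process"}
    profile = set()
    for line in unpack(blob).split(b"\n"):
        verb = line.split(b" ", 1)[0]
        if verb in verbs:
            profile.add(verbs[verb])
    return profile


# Administrator policy: the set of actions downloaded code is allowed to request.
POLICY = {"network"}


class Gateway:
    def __init__(self, policy):
        self.policy = set(policy)
        self.verdicts = {}     # content hash -> (verdict, profile)
        self.scans = 0         # how many modules were actually profiled

    def decide(self, blob):
        # SHA-256 rather than the MD5 the text mentions: a verdict cache keyed
        # on MD5 could be poisoned by a collision (benign module scanned first,
        # colliding malicious module inherits its "allow").
        key = hashlib.sha256(blob).hexdigest()
        if key not in self.verdicts:
            self.scans += 1
            profile = behavior_profile(blob)
            verdict = "block" if profile - self.policy else "allow"
            self.verdicts[key] = (verdict, frozenset(profile))
        return self.verdicts[key]


if __name__ == "__main__":
    gw = Gateway(POLICY)
    packed = pack(ORIGINAL_EXE)
    print("static scan, original :", static_scan(ORIGINAL_EXE))    # True
    print("static scan, packed   :", static_scan(packed))          # False: packer beat the signature
    print("gateway, packed       :", gw.decide(packed))            # ('block', ...)
    print("gateway, benign       :", gw.decide(pack(BENIGN_EXE)))  # ('allow', ...)
    gw.decide(packed)
    print("modules scanned       :", gw.scans)                     # 2: repeat download served from cache
```

The point to take from the run is the asymmetry: the packer changes every byte the static scanner sees, but it cannot change what the code asks the system to do once it runs, which is what the profile-versus-policy check inspects. The cache is keyed on the packed bytes as downloaded, so a repackaged copy of the same module is a new key and gets profiled again.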

SUMMARY

After writing this chapter, we simultaneously wanted to breathe a sigh of relief and to embark on years of further research into Internet user hacking. Indeed, we left a lot of highly publicized attack methodologies on the cutting room floor, due primarily to exhaustion at attempting to cover the scope of tried and untried attacks against common client software. In addition to dozens of other clever attacks from individuals like Georgi Guninski, some of the topics that barely missed the final cut include web-based mail service hacking (Hotmail), AOL user hacking, broadband Internet hacking, and hacking consumer privacy. Surely, the Internet community will be busy for years to come dealing with all of these problems and those as yet unimagined. Here are some tips to keep users as secure as they can be in the meantime.

Keep Internet client software updated! For Microsoft products often targeted by such attacks, there are several ways (in order of most effective use of time):

■ Windows Update (WU) at http://www.windowsupdate.com

■ Microsoft Security Bulletins at http://www.microsoft.com/technet/security/current.asp

■ Critical IE Patches at http://www.microsoft.com/windows/ie/download/default.htm#critical

■ Office Products Security Patches at http://office.microsoft.com

Obtain and regularly use antivirus software. Make sure the virus signatures are kept updated on a weekly basis, and set as many automated scanning features as you can tolerate. (Automatic scanning of downloaded email is one that should be configured.)

Educate yourself on the potential dangers of mobile code technologies like ActiveX and Java, and configure your Internet client software to treat these powerful tools sensibly. (See our discussion of Windows security zones in this chapter to learn how to do this.) A good introductory article on the implications of mobile code can be found at http://www.computer.org/internet/v2n6/w6gei.htm.

Keep an extremely healthy skepticism about any file received via the Internet, whether as an email attachment or as an offered DCC on IRC. Such files should immediately be sent to the bit bucket unless the source of the file can be verified beyond question (keeping in mind that malicious worms like the ILOVEYOU worm can masquerade as email from trusted colleagues by hijacking their client software).

Stay updated on the latest and greatest in Internet client hacking tools and techniques by frequenting these web sites of the people who are finding the holes first:

■ Georgi Guninski at http://www.guninski.com/index.html

■ Princeton’s Secure Internet Programming (SIP) Team at http://www.cs.princeton.edu/sip/history/index.php3

■ Juan Carlos García Cuartango at http://www.kriptopolis.com

HACKING LINUX