Deflecting Assaults on Privacy

Protecting information is often one of the most challenging and important tasks for administrators today. As I write this, Microsoft is dealing with a new risk with the release of parts of the NT and Windows 2000 source code. If Valve's situation is any indication, it might have been due to a hijacker-type program.

Administrators put up all sorts of firewalls, IDSes, antivirus software and other security mechanisms to control how information flows in and out, but these particular "annoyances" still manage to slip through. Part of this may be the attitude that they aren't really viruses or threats. However, I would disagree, as they tend to ensure that information – about the user, where the user has been and the system the user is on – is getting out without proper checking.

These techniques, variously referred to as browser hijacking, spyware, adware and so on, all gain access to a system without the knowledge of the user (even if the EULA or AUP of that software states that the user agrees to it by looking at an ad) and then forward that information to another party. If a company allows employees access to the Web, then there is a risk of spyware or other malicious code coming in.

One of the best and strongest defenses against this is user awareness and education. Nothing beats having a user who pays attention to the activities on their machine and informs administrators and technical support of any issues, even occasionally minor ones. Inform users about what spyware is, what the risks are to the company and how to recognize it. Unusual slowdowns, extra unknown activity and/or sporadic computer behavior can all signal the presence of "unknown" software.

Other preventative measures might include limiting the reception of HTML-based emails. Outlook 2003 and up have options available to disable HTML in such emails. The problem is that many companies still use Outlook Express and earlier versions of Outlook. A nifty little (and somewhat cheap) solution is called NoHtml. This can be added to the base employee image and turned on by default. This eliminates the possibility of "phishing" techniques being used to gather information from the company. Visit http://www.baxbex.com/nohtml.html for a free trial.

We also want to make this protection transparent to the user, so a firewall add-on like Websense is recommended. This tool works with both software and hardware firewalls. In essence, it acts as a filter for specific malicious web activities. The flexibility and scalability of the product ensures that no matter what your users do, you can protect them (and the company) from potential external attacks. Visit Websense's website for more details and comparisons with other similar products (http://www.websense.com).

Other methods of defense include limiting which Web browser your users may use. While most desktops run Windows, it isn't necessary to run Internet Explorer. Using alternatives to IE can help mitigate some of the activities of spyware/adware/browser hijacking, particularly browsers that have built-in pop-up control. Netscape, Mozilla and Opera all have this feature. You can also get pop-up blockers (software specifically designed for dealing with this).

Page 2: Detecting and Removing Spyware

While the preceding apps are examples of preventative measures, the reality is that someone or something is likely to get through. And if they do, it isn't a bad idea to have a toolkit of utilities handy for detecting problems and dealing with them on the user's machine. Some utilities will say they catch everything, but personally, I've never seen anything as thorough as three products from one software developer: CWShredder, HiJackThis! and StartupList.

What I have found with these three tools is that they often find items that many of the spyware products leave behind. They have a nice "Info" feature that allows an admin/tech support person to check the status of the Registry or of the system. As an example, below I've done a CWShredder check first on my system:

CWShredder v1.47.3 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\fac3\Application Data
Username: lyne.bourque

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
CWS.Vrape/CWS.Addclass Registry value: DefaultPrefix [] http://
CWS.Vrape/CWS.Addclass Registry value: WWW Prefix [www] http://
Registry value: Mosaic Prefix [mosaic] http://
Registry value: Home Prefix [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (1053 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

Looks like my system is ok. Let's check HiJackThis!
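The report above inspects a handful of well-known hijack points: the Winlogon Shell and Userinit values, the Internet Explorer URL prefixes (DefaultPrefix, www, home, mosaic) and the hosts file. The following PowerShell script, an added example rather than code from the article or from the Merijn tools, re-checks those same values against their stock Windows defaults and lists any mismatch for review; the key paths and default values are assumptions based on a standard installation, and an enterprise image may legitimately differ.

```powershell
# Added example (not from the article or the Merijn tools): re-check the hijack
# points listed in the CWShredder report against their stock Windows defaults.
# Assumption: a standard install; a mismatch is something to review, not delete.
function Test-HijackBaseline {
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $url = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
    $checks = @(
        @{ Path = $wl;                  Name = 'Shell';     Expected = 'explorer.exe' },
        @{ Path = $wl;                  Name = 'Userinit';  Expected = "$env:SystemRoot\system32\userinit.exe," },
        @{ Path = "$url\DefaultPrefix"; Name = '(default)'; Expected = 'http://' },
        @{ Path = "$url\Prefixes";      Name = 'www';       Expected = 'http://' },
        @{ Path = "$url\Prefixes";      Name = 'home';      Expected = 'http://' },
        @{ Path = "$url\Prefixes";      Name = 'mosaic';    Expected = 'http://' }
    )
    $findings = @()
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        # -ne is case-insensitive, so the report's 'Explorer.exe' still matches the default
        if ($actual -ne $c.Expected) {
            $findings += [pscustomobject]@{
                Check    = "$($c.Path) [$($c.Name)]"
                Expected = $c.Expected
                Actual   = $actual
            }
        }
    }
    # Hosts file: anything beyond comments and the loopback entries deserves a look,
    # since hijackers use it to redirect search engines and security vendors' sites.
    $hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    if (Test-Path $hostsPath) {
        foreach ($raw in Get-Content $hostsPath) {
            $line = $raw.Trim()
            if ($line -and $line -notmatch '^#' -and
                $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost(\.localdomain)?$') {
                $findings += [pscustomobject]@{ Check = 'hosts entry'; Expected = '(none)'; Actual = $line }
            }
        }
    }
    return $findings
}

# No output means every checked value matches the assumed default.
Test-HijackBaseline | Format-Table -AutoSize
```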


Overall nothing serious, but if I'm feeling suspicious I can check items by selecting them and getting information as to the risk they may carry. Configuration options allow me to ignore specific enterprise-implemented tasks, create a startup log (so I can check for any potential "nasties" there) and create backups.

The last tool, StartupList, is a simple little program that generates a Notepad listing of everything that starts up on a Windows machine. Very handy for troubleshooting.

Now, while these tools are often targeted at the home user, administrators in enterprise environments shouldn't shy away from them. Remember that attackers often don't make distinctions between home and enterprise users. All they see is a victim. These three tools can be found at Merijn.org. As an interesting side note, the site has been the victim of a massive DDoS, perhaps a testament to the effectiveness of the tools at finding the results of bad activity?

We have to realize that protecting privacy extends beyond individual end users. Our employees might inadvertently be putting the company at risk by simply performing research for a project or receiving what seems like work-related emails. While education is an excellent method of dealing with these threats, using technology as a backup helps to keep all the bases covered.
