Security notes
an introduction to computer security
Last change: May 14, 2003 AD
Preface
Once, when I again got one of the "virus alert" e-mails that incited me
to delete one of the important system files, pretending that it was a virus,
I found it necessary to explain to the sender (or rather 'forwarder') what
a virus is and how to distinguish a true virus alert from a hoax. Then I
realized that most of my friends who use the Internet know little or nothing
about security, and I decided to make this page as a brief overview of
computer security, especially with respect to the Internet. The page is
intended to be an entry point into the field of security for a novice and
a reference for an experienced user. It covers a number of topics with
varying levels of detail. It is not supposed to be read all at once, from
beginning to end. Instead, you can read only the parts that interest you
and skip the rest.
I'm not a security expert, and most of my knowledge comes from two courses
I've taken and from books and web pages I've read. So why do I write about
security? Most on-line resources cover one issue in depth, while this page
is intended to be a superficial overview of a number of issues with links
to the appropriate web sites to help you find whatever you need to know.
My knowledge is sufficient for such an overview and, since I don't know too
much, it should be understandable for those who are new to security. Please
keep in mind that the information presented here is not 100% reliable; to
be sure, refer to the linked pages written by security experts.
Introduction into Computer Security
What is security?
Quotation from an unknown author's dictionary:
-
Security
1. Mythological state of perfection, Heaven, Nirvana, Cloud Cuckoo Land, etc.
2. Ability to prove that whatever goes wrong is not your fault.
(end of quotation)
In general terms, security could be defined as "the state of risking nothing
important in case an unwanted event happens". This definition is of course
too general, and even if we restrict ourselves to computer security, the
set of 'unwanted events' is huge, including such diverse things as disk
failure and disclosure of confidential information. Hence I'll write only
about a few of them, mostly those that could be of interest to an ordinary
curious Internet user. But you should keep in mind that there is much more
to security.
Computer security goals
Terms:
-
Threat: any possible unwanted event.
-
Security service: provides protection against a particular kind of threat.
-
Mechanism: a technique used to implement one or more security services.
The goals:
There are four important security services, or goals, that you meet again
and again; the first three of them are sometimes referred to as 'CIA':
-
Confidentiality or privacy of information - only those who are authorized
can access the information. It is usually achieved by means of encryption.
-
Integrity of data requires that any change to the data can be detected.
For that purpose, digital signatures and checksums are used.
-
Availability requires that whatever you need (data, resources ...) is
available when you need it. A threat to availability is the famous 'denial
of service' attack, whose aim is to cause a server to reject incoming
connections.
-
Authentication is necessary because you want to know who you are speaking
to. It includes both user authentication (a user needs to authenticate
himself to a machine, e.g. to log in) and message authentication (proof
of authorship). Non-repudiation (the author cannot deny that he or she has
sent a message at a particular time) also belongs here. Passwords and
digital certificates, for example, are used for authentication.
Security layers
A computer system may be seen as consisting of a number of layers with
increasing levels of abstraction and complexity:
| system layers               | examples of services                |
| application layer           | <-- e-mail client, browser          |
| Operating system (OS) layer | <-- file system operations          |
| OS kernel layer             | <-- basic I/O, processor scheduling |
| hardware layer              | <-- processor, memory, I/O devices  |
For security to be effective, it must be implemented on all these layers,
for two reasons:
-
a low level (layer) doesn't allow for the sophisticated solutions that are
needed
-
protection on a higher level can be easily bypassed on a lower level, unless
that level is also sufficiently protected
But security is even more complicated than that, and we have to add two
new layers:
| security layers                | examples of protection          |
| application layer security     | <-- SSL, S/MIME, PGP            |
| Operating system (OS) security | <-- access control              |
| OS kernel security             | <-- privileged instructions     |
| hardware security              | <-- normal vs. superuser mode   |
| physical security              | <-- lockable drive and keyboard |
| human factor                   | <-- security education          |
Why are the two new layers important, even more important than the others?
Because it doesn't matter how sophisticated an access control system you
have, as long as anybody can come in, take the hard disk with your
confidential data and put it into his own machine, which will read its
contents without asking the operating system. And even if you buy a special
super-secure door, it makes no difference as long as your employees do not
lock it, or give the key to anybody who asks. It's tempting to solve the
human factor problem by issuing a set of rules, but don't fool yourself:
everybody knows that no strict rules help here. The stricter the rules,
the more often they are violated. The only thing you can do is to educate
people, to explain why they have to behave in a certain way and what the
risks are when they fail to do so.
Threats
There are many possible unwanted events, both intentional (a virus attack)
and unintentional (a disk failure). Measures against intentional events
prevent accidents as well (for example, regularly made backups of all
important files).
I'll consider two sources of threats: human intruders and malicious
software. Both of them do something with your computer that you don't want
- steal or destroy data, occupy disk space, or whatever else.
Viruses and Company
This is only a brief description, because many good on-line resources are
available. Refer to the links section for more details.
Classification of Malicious Software
-
Virus is an executable (binary) or interpretable (script or macro) piece
of code that attaches itself to a program or document and executes when
the program is executed or the document is read (and certain conditions
are satisfied). Its important characteristic is that it replicates and
infects other programs/documents.
-
Virus hoax is not a piece of software; it is a "make-it-yourself virus".
It's a false virus alert e-mail that tells you (usually) that if you have
a particular file on your disk, it's a virus and you must immediately delete
it before it causes damage, and forward the warning to all your friends,
because the virus has likely sent itself to them. Later on you find out
that the file you've deleted was an important system file and the computer
can't work without it. Of course not all virus alerts are hoaxes. But before
you start deleting, ask a computer expert, or check whether the file is
on your system installation CD, or check one of the web sites that warn
of hoaxes (e.g. the Symantec hoax page; search the page for the hoax e-mail
subject or the 'virus' filename).
-
Trojan horse (Trojan) is an apparently useful program (e.g. a game) with
an unwanted hidden function; for example, it can install a trap door (see
below). Remote access Trojans (RATs) are used to gain access to a remote
system. An attacker tricks a victim into running it on the victim's
computer, and it opens a trap door the attacker can use to access and
control the system. BackOrifice is, strictly speaking, a RAT.
-
Worm is a stand-alone program that spreads on its own via a network (for
example, it finds your saved telnet connections, finds or guesses your
password and copies itself to the remote telnet system; some people with
Windows share their C: drive with the whole Internet without any protection
and without even knowing it, and if a worm gets their IP address, it can
infect them without problems).
-
Trap door (back door) is a hidden entry point into a program or computer.
For example, it can be a secret sequence of keystrokes that allows you to
skip the authentication procedure, or a process that listens on a port (a
'network door' into your computer) for connections and executes on your
computer any command it's told to execute (e.g. the famous BackOrifice).
-
Logic bomb is quite like a normal bomb - when certain conditions are
satisfied (e.g. a date), it fires and, for instance, deletes all files,
displays a message, or does whatever any other program can do.
Viruses
There are not always clear borders among the different types of viruses,
because a virus can combine several approaches (e.g. it could have a boot
sector part and a binary file infector part).
-
boot sector virus - every floppy or hard disk may have a small boot program
in its first sector. If the disk is used to start (boot) the operating
system, this program is executed and loads the system. The boot program
is not normally visible as ordinary programs are - even a floppy that seems
to be empty may contain it. The problem is that some systems first try to
boot from a diskette if one is present (inserted in the drive). Hence, if
you forget an infected floppy in the drive while starting the system, your
computer gets infected.
-
companion virus does not change a file (the 'victim'); instead it misuses
the capabilities of the operating system to get executed instead of the
victim program. One of the possibilities is to use the precedence-of-execution
rules, if there are any. For example, in Windows, if there are two programs
of the same name, one with the extension .COM and the other with the extension
.EXE, the .com is executed. A companion virus would then find an .exe file,
name itself after that file and use the .com extension. Another way is to
use the rule 'the first program found is executed'. Thus, if directory A
is searched before directory B and you want a user to execute your malicious
version of his favourite program, provided that the original program is
stored in B, you simply store your version in A, and from then on it will
be run instead of the old one. Of course a companion virus can run the
original program, if it wants to.
-
file infector is a virus that actually inserts itself into a 'victim file',
either an executable or a document
-
executable (binary) virus infects executable files. It's important to know
that there are (too) many types of executable files, and if you see an
unknown extension (Windows OS), it's safer to assume it is an executable.
Some of the executable file extensions are: com, exe, sys, drv, bin, ovl,
ovy, scr (screen saver).
-
macro virus (80% of current viruses) - some document processing
applications, such as word processors and presentation composers, have the
capability to execute macros, which are pieces of code (usually) embedded
in a document. If the macro does something the user doesn't want to happen,
it's a virus. Macros are used to automate repeated tasks, and they started
as recorded sequences of keystrokes. Nowadays a macro language can be very
powerful; for example, Microsoft Visual Basic for Applications (VBA), which
is used in MS Office (Word, Excel, PowerPoint etc.), allows you to change
settings, create, change and delete files, start applications, simulate
keystrokes and more (as somebody wrote, VBA "can be used to automate many
functions in Windows"; to tell the truth, I'm frightened by what can be
automated and run without my knowing it). A macro can be started, for
example, when you open the infected document or when an action happens
(e.g. you save the document).
Macro viruses are so 'popular' and dangerous for two reasons: 1) it's much
easier to write one; 2) compare how many programs received via e-mail you
have executed in the last week with how many documents received in the same
way you have opened. Evidently documents are a much better platform for
viruses. People do not send programs, but they always send jokes, funny
stories and amusing PowerPoint presentations. Another 'advantage' is that
anybody can be infected by a macro virus, as long as he runs the appropriate
application (e.g. MS Word), while boot and executable infector viruses are
operating-system specific (i.e. a UNIX virus won't do anything in Windows
and the other way round) - unless they're written in a portable language
like Java (fortunately Java has many security features you can use to
protect yourself from a malicious program).
Macro and script viruses have changed one thing - it used to be true that
you can't get infected by reading a document (e.g. an e-mail), but now you
can - unless you read only 'safe documents' (e.g. plain text) or use safe
tools (applications that neither support macros or scripts nor automatically
start applications that do). You don't need to disconnect from the net
immediately and move all incoming e-mail into the trash bin; you only need
to be careful about which document (including web pages) you open with
which application, and you have to consider what is worth a risk. And, of
course, you can try to disable macros and scripts in your applications.
-
script virus - a script is a program that is not compiled before it is
executed; rather, it remains plain text and is interpreted by a program
such as a UNIX shell, MS-DOS (.bat files), a browser, or the Windows Script
Host (WSH). The two most common virus scripting languages are Visual Basic
Script (VBS) and JScript (the MS version of JavaScript). Both of them can
be executed directly by WSH or embedded in an HTML page and executed when
you visit it with your browser (MS Outlook supports HTML as well). Most
browsers do not support VBS and do execute JavaScript (resp. JScript) safely
(JavaScript is quite limited and has no functions for operating on your
filesystem etc.). To limit the danger, you should always install the latest
security patches for your browser and set high security (once you execute
a malicious program/script/macro, it can change your settings, so check
them from time to time). You can try to disable JavaScript, but I think you
can't browse nowadays without it. And, no doubt, you should disable WSH
unless you really need it.
The last note about macro viruses applies here as well.
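The two precedence rules in the companion virus item above (within one directory .com runs before .exe; across directories, the first file found on the search path wins) can be checked from the defender's side by listing every executable name that resolves to more than one file. The following Python script is an added example, not code from the original page; the extension order and the directory layout it builds in a temporary directory are constructed assumptions for the demonstration.

```python
import os
import tempfile

# Within one directory, the page says .com is executed before .exe.
# Assumption: this ordered list is illustrative (a real system's PATHEXT
# may contain more entries); all sample file names are lower-case.
EXTENSION_PRECEDENCE = ["com", "exe", "bat"]


def resolve(command, search_path):
    """Simulate both rules: directories are searched in order, and within
    a directory the extension with the highest precedence wins.
    Returns the path that would run, or None."""
    for directory in search_path:
        for ext in EXTENSION_PRECEDENCE:
            candidate = os.path.join(directory, f"{command}.{ext}")
            if os.path.isfile(candidate):
                return candidate
    return None


def find_shadowed(search_path):
    """Defender's audit: for every base name that exists as more than one
    executable on the search path, report which file actually runs and
    which ones are silently shadowed. Returns {name: (winner, [shadowed])}."""
    by_name = {}
    for directory in search_path:
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            if "." not in entry:
                continue
            base, ext = entry.lower().rsplit(".", 1)
            if ext in EXTENSION_PRECEDENCE:
                by_name.setdefault(base, []).append(os.path.join(directory, entry))
    report = {}
    for base, candidates in by_name.items():
        if len(candidates) < 2:
            continue  # only one file, nothing can shadow it
        winner = resolve(base, search_path)
        shadowed = sorted(c for c in candidates if c != winner)
        report[base] = (winner, shadowed)
    return report


def demo():
    """Constructed layout in a temporary directory: A is searched before B.
    B holds the legitimate editor.exe; A holds an editor.com that wins by
    directory order. B also holds tool.exe next to tool.com, where .com
    wins by extension order. notes.exe has no rival."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "A")
        b = os.path.join(root, "B")
        os.makedirs(a)
        os.makedirs(b)
        for name in ("A/editor.com", "B/editor.exe", "B/notes.exe",
                     "B/tool.exe", "B/tool.com"):
            with open(os.path.join(root, *name.split("/")), "w") as f:
                f.write("constructed placeholder, not a real program\n")
        report = find_shadowed([a, b])
        editor_winner, editor_shadowed = report["editor"]
        tool_winner, _ = report["tool"]
        return {
            "editor_winner_dir": os.path.basename(os.path.dirname(editor_winner)),
            "editor_winner_ext": editor_winner.rsplit(".", 1)[-1],
            "editor_shadowed": len(editor_shadowed),
            "tool_winner_ext": tool_winner.rsplit(".", 1)[-1],
            "notes_flagged": "notes" in report,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run against a real search path (`os.environ["PATH"].split(os.pathsep)`), the report lists every name where the file that runs is not the only candidate; each entry is worth a look, because the shadowing copy is exactly where a companion would sit.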
How to Get Infected
-
boot virus: leave an infected floppy in the drive and reboot (restart) the
computer. Even a floppy that seems to be empty may be infected. Protection:
a) never leave a diskette in the drive when starting the system; b) disable
booting from a floppy (e.g. if you haven't got a boot floppy, you certainly
don't need this functionality).
-
file virus:
-
executable program virus: run the infected program. Protection: never run
programs from a source that is not trusted; always scan the program before
running it (keep your anti-virus software up-to-date). Note: before opening
an e-mail attachment, check its last extension - for example, cindy.jpg.exe
or cindy.jpg.vbs is not a picture.
-
macro virus: open the infected document in a viewer that is able to execute
the macro. (Strictly speaking, it doesn't need to run as soon as you open
the file; it can wait for an action like 'save'.) Note that some e-mail
clients can either execute macros or automatically open the document in
the appropriate (perhaps macro-enabled) viewer. Protection: disable macros,
or at least let the application warn you before executing a macro; do not
open strange files; use your anti-virus to scan documents before opening
them; view documents in a non-native viewer (e.g. open a Microsoft Word
document in Sun StarOffice); send documents in formats that cannot contain
macros (e.g. Rich Text Format, .rtf). The best-known platform that supports
macros is Microsoft Office (Word, Excel, PowerPoint, Access, Outlook ...).
-
script virus: open the file that contains it. Protection: the same as in
the previous cases. In Windows, disable (remove) Windows Scripting Host
unless you indeed need it (you can always re-install it from the CD).
Visual Basic scripts or JavaScript + Internet Explorer (IE) or Outlook +
Windows Scripting Host = a great place for viruses/worms. Note that
JavaScript can be embedded in a normal web page. So be sure to have the
latest IE security patches etc.
Virus vs. Anti-virus Software
What viruses do to hide (a few examples):
-
polymorphism - a polymorphic virus changes its code (its signature) every
time it replicates, i.e. a 'child' is never identical to its parent, though
the functionality remains unchanged. This can be achieved, for example, by
re-ordering some pieces of code (if the order doesn't matter), inserting
'dummy code' that either does nothing or is never executed, and so on.
Encryption (see below) is also a kind of polymorphism. Since virus detectors,
as one of their techniques, scan for known virus signatures (the same piece
of code is clearly the same virus), in this case they'd be fooled, for the
signature always differs.
-
stealth techniques hide some of the traces of the presence of a virus
(passive techniques) or actively prevent its detection:
-
compression - since a virus has nonzero size, when it infects (inserts
itself into) a file, the file becomes longer. To achieve exactly the same
size as before, the virus can compress the original part of the file and,
when it's run, decompress it again.
-
encryption is a kind of polymorphism. During replication, a random
encryption key is generated and most of the virus body is encrypted, except
the part that decrypts it when it's run. The key is saved in the file
together with the virus, and the unencrypted part is changed using the
classical polymorphic techniques mentioned above. The result is a unique
signature. It's better than classical polymorphism alone, because that
either increases the file size (when dummy code is inserted) or tries to
exchange instructions, which is problematic because the number of
instructions that can be reordered is usually quite small, and hence it
yields only a small set of different signatures.
-
file attribute falsification - when a file is modified, its 'last
modification time' attribute is updated. Since a virus wants to hide the
fact that the file has been infected, it may want to reset the modification
time to the original value. It may also be necessary to change some other
attributes.
-
active detection prevention - there are numerous ways a virus can prevent
detection, provided the virus is memory-resident (i.e. it's present in
main memory when the attempt to discover it is made; it's still present
on the hard disk too, to survive when the computer is switched off). Suppose
the virus is stored in sector S of the disk. Before it infected the disk,
it made a copy (image) of the original, uninfected sector. Now, when
somebody tries to read the infected sector S, the virus intercepts the
attempt and presents the backup copy of the original sector instead of the
true current sector S. Hence the reader believes he has read S and that it
is OK. Or a virus can mark the sector(s) it occupies as invalid so they will
be ignored. There are quite a lot of things a smart virus can do (including
infecting any anti-virus software).
What anti-virus software does to find them (a few examples):
-
structure-based identification (scans for patterns in the virus code)
-
scan for signature (signature-based scanners) - once a new virus is
discovered, its signature (the piece of code that is the virus) is
remembered and suspicious files are scanned for this pattern. If the virus
isn't smart enough to use polymorphism, any instance of it is immediately
discovered.
-
scan for suspicious pieces of code (heuristic scanners) that often
belong to a virus, for example the encryption loop used by polymorphic
viruses.
-
behaviour-based identification (looks for suspicious behaviour)
-
look for suspicious actions (MS Word trying to format hard drive
...)
-
use checksums to verify that a file hasn't been modified. A checksum is
"an identifying number calculated from file characteristics. The slightest
change in a file changes its checksum" (definition from the McAfee
glossary). In some cases a virus can arrange for the checksum to stay the
same (it depends on what algorithm you use etc.). An alternative is using
digital signatures.
-
Generic Decryption (simulated environment) is a way to discover encrypted
polymorphic viruses. The main idea is to let the virus decrypt itself in
a controlled, safe, emulated environment, and to scan regularly for a known
signature. Once the virus finishes its decryption, which is the first thing
it must do, it's discovered. See an article about GD.
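The checksum item in the list above notes that a virus can sometimes keep the checksum unchanged, depending on the algorithm. The following Python script, an added example not taken from the page, shows that contrast on constructed files: an additive checksum (sum of bytes modulo 256) can be restored with one padding byte, whereas SHA-256 cannot; it also records a keyed HMAC-SHA256 as a stand-in for the digital signature the page mentions, since the standard library has no signature primitive (the key and file names are assumptions of the demo).

```python
import hashlib
import hmac
import os
import tempfile


def additive_checksum(data):
    """A weak checksum: sum of all bytes modulo 256."""
    return sum(data) % 256


def sha256_digest(data):
    return hashlib.sha256(data).hexdigest()


def keyed_digest(data, key):
    """HMAC-SHA256, standing in for a signature: whoever rewrites the file
    cannot also produce a matching value without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def fingerprint(data, key):
    return {
        "weak": additive_checksum(data),
        "sha256": sha256_digest(data),
        "hmac": keyed_digest(data, key),
    }


def baseline(paths, key):
    """Record the known-good fingerprints of each file."""
    table = {}
    for path in paths:
        with open(path, "rb") as f:
            table[path] = fingerprint(f.read(), key)
    return table


def verify(table, key):
    """Recompute and compare. Returns {path: {method: changed?}}."""
    report = {}
    for path, recorded in table.items():
        with open(path, "rb") as f:
            current = fingerprint(f.read(), key)
        report[path] = {
            "weak": current["weak"] != recorded["weak"],
            "sha256": not hmac.compare_digest(current["sha256"], recorded["sha256"]),
            "hmac": not hmac.compare_digest(current["hmac"], recorded["hmac"]),
        }
    return report


def pad_to_same_weak_checksum(original, modified):
    """Why the additive checksum is unreliable: one appended byte restores
    the original sum modulo 256, whatever else was changed."""
    delta = (additive_checksum(original) - additive_checksum(modified)) % 256
    return modified + bytes([delta])


def demo():
    """Constructed files in a temporary directory: notes.bin is altered and
    padded, config.txt is left alone. Returns {file name: {method: changed?}}."""
    key = b"constructed demo key - in practice kept off the protected machine"
    original = b"constructed original file content\n"
    with tempfile.TemporaryDirectory() as d:
        notes = os.path.join(d, "notes.bin")
        config = os.path.join(d, "config.txt")
        with open(notes, "wb") as f:
            f.write(original)
        with open(config, "wb") as f:
            f.write(b"setting=1\n")
        table = baseline([notes, config], key)
        modified = original.replace(b"original", b"MODIFIED")
        with open(notes, "wb") as f:
            f.write(pad_to_same_weak_checksum(original, modified))
        return {os.path.basename(p): flags for p, flags in verify(table, key).items()}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

For notes.bin the weak column reports "unchanged" while the SHA-256 and HMAC columns report the modification; config.txt is clean on all three. The stored table is itself a target, which is why the keyed value matters: a plain hash table can be recomputed by anything running with your privileges, a keyed one cannot.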
Extension tricks
Creators of viruses use several 'dirty tricks' with file extensions (.exe,
.txt ...) to hide the fact that a file is executable.
-
multiple extensions ( .exe -> .txt.exe )
Instead of naming the file "myvirus.exe" they name it "myvirus.jpg.exe"
(or perhaps "KOURNIKOVA.JPG.exe"). And since people read from left to right,
they see '.jpg' first and click on it. In Windows Explorer, file extensions
of known types are hidden by default. Hence the last extension is hidden
and you see only "kournikova.jpg", which seems quite innocent (though you
could be warned by the fact that it has the icon of an executable file).
For more information see the CERT article.
-
false extensions ( .exe -> .txt )
Some operating systems (UNIX, for instance) do not distinguish files
according to their extension, but according to some other attributes. You
can name an executable however you want, for example "readme.txt", and it
will stay executable.
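Both tricks above, and the 'check its last extension' advice in How to Get Infected, come down to the same check: decide the type from the last extension and, where the operating system ignores extensions, from the file's content. This Python script is an added example (not from the original page); its extension list is the page's list plus the script extensions it names, and the sample files it writes into a temporary directory are constructed, not real programs.

```python
import os
import tempfile

# Extensions the page lists as executable on Windows, plus the script
# extensions it names (vbs, js) and .bat. Assumption: illustrative, not complete.
EXECUTABLE_EXTENSIONS = {
    "com", "exe", "sys", "drv", "bin", "ovl", "ovy", "scr",
    "vbs", "js", "bat",
}

# A few content signatures ("magic" bytes). Systems that ignore the
# extension (UNIX) decide by content, so we look at the first bytes too.
MAGIC_PREFIXES = {
    b"MZ": "Windows executable (MZ header)",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}


def check_filename(name):
    """Warnings derived from the name alone: the LAST extension decides
    the type, and Windows Explorer may hide it."""
    warnings = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return warnings
    last = parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        warnings.append(f"last extension '.{last}' is executable")
        if len(parts) > 2:
            warnings.append(
                f"multiple extensions: looks like '.{parts[-2]}' but is '.{last}'")
    return warnings


def check_content(path):
    """Description of the content type if the first bytes look executable."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, description in MAGIC_PREFIXES.items():
        if head.startswith(magic):
            return description
    return None


def inspect_file(path):
    """Combine both checks. Returns (is_suspicious, list of warnings)."""
    name = os.path.basename(path)
    warnings = check_filename(name)
    content_type = check_content(path)
    if content_type:
        ext = name.lower().rsplit(".", 1)[-1]
        if ext not in EXECUTABLE_EXTENSIONS:
            warnings.append(f"content is a {content_type} despite the '.{ext}' name")
    return len(warnings) > 0, warnings


def demo():
    """Write three constructed sample files and inspect them.
    Returns {file name: (is_suspicious, warnings)}."""
    samples = {
        # the page's example: looks like a picture, is an executable
        "cindy.jpg.exe": b"MZ\x90\x00 constructed stand-in, not a real program",
        # the UNIX case: innocent name, script content
        "readme.txt": b"#!/bin/sh\necho constructed sample script\n",
        # a picture-like header, nothing to report
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed JPEG header",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = inspect_file(path)
    return results


if __name__ == "__main__":
    for name, (suspicious, warnings) in demo().items():
        print(f"{name}: {'SUSPICIOUS' if suspicious else 'ok'} {warnings}")
```

The name check alone catches the double-extension trick; the content check is what catches "readme.txt" on a system that does not care about extensions, so a mail gateway or attachment scanner wants both.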
Intruders and Hackers
I'll mention this issue only briefly, though it's very interesting too.
A malicious person can either penetrate a system - an intruder - or enter
into the communication between two parties (for example, observe or disturb
it). An intruder is a person who does something in your system that he is
not allowed to do. An intruder can pretend to be somebody else (use the
account of another user), try to acquire higher privileges than he's
authorized to, or acquire administrator (superuser) privileges to suppress
the collection of log information or to change the logs. It's noteworthy
that most intruders are internal ones, for instance an employee who seeks
higher privileges to be able to use the director's printer or to hide his
on-line activity.
It should be mentioned that individuals are not the only ones who can misuse
computer systems and particularly the Internet. There are many great
opportunities for organized crime as well. And since mafias and the like
have rich resources, they are much more dangerous than individuals (they
can hire hackers, bad guys with guns, corrupt employees and so on). The
keyword here is 'organized'. With the power of organization and co-operation
you can do much - that's actually how humans conquered the Earth. Imagine
a virus that infects a bank (thanks to a corrupt employee), creating a trap
door; a group of hackers uses the trap door to shut down the on-line bank
server, while another group puts up a faked copy of the on-line bank. For
a few hours, customers entrust their confidential data to this faked bank.
Consequently, their accounts are robbed and some of them are blackmailed.
Some of the techniques used by intruders:
-
'social engineering' - an intruder applies his social skills to a 'victim'
to retrieve the information he needs (e.g. the victim's password). It's
unbelievably successful, and no computer security measures help against
it.
-
password guessing is not as difficult a task as it seems. Many people use
short or easy-to-guess passwords (login name, phone numbers...). There are
password cracking programs that use a long list of possible passwords
(e.g. all possible 1-3 character passwords, default passwords for some
accounts, lists of common passwords, words from a dictionary and various
permutations of them, including capitalization of letters). If such a
program can test a few thousand passwords per second, it's a question of
hours before it finds a valid password. That's why you should use long
passwords, containing small and capital letters in random order as well
as numbers and special symbols. Note that replacing 'to' by '2' is no
longer sufficient nowadays. A good password could be something like
"4%oF5*1$$=2enty." which means "4 % of 5 * 100 is 20" (don't use this).
-
Trojan horse is a useful program that, in addition to its apparent
functionality, performs an action on behalf of its creator that he can't
do by himself. For example, Smith can modify a game to become a Trojan horse
and give it to his boss. While the boss is having fun playing the game, it
quietly copies all his files to Smith's directory. It can also open a 'back
door' which enables Smith to control his computer.
-
security holes are flaws in applications that allow people to do something
they should not be able to do. It's nearly impossible to create a complex
application that has no security holes. These holes are constantly
discovered (either by hackers or by security experts) and patched, and new
ones are introduced when you upgrade your software. You should keep an eye
on new patches for your software (especially for MS Office and Windows,
for there are many people trying to misuse the holes; see the MS homepage)
and on security hole reports (e.g. on the CERT page - see links).
One of the most common security bugs is the so-called "buffer overflow".
It exploits the fact that in some cases, when you enter too long a string
(e.g. 500 characters while the maximum allowed is 256), the superfluous
characters spill over into adjacent memory and can end up being executed
as code (since there is not enough space for them, they overwrite some
other place in memory, perhaps the part for executable code). For more see
an article about buffer overflow.
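The password guessing item above reasons about two things: undoing simple substitutions before a dictionary comparison, and how the search space grows with length and character classes at 'a few thousand' guesses per second. The following Python script is an added example, not the author's; its word list, substitution table and 5000 guesses per second are constructed assumptions, and the time it computes is an upper bound for exhaustive search, not a measured cracking time.

```python
import string

# Constructed stand-in for the word lists the page mentions.
COMMON_WORDS = {"password", "secret", "letmein", "welcome", "summer", "dragon"}

# Undo the usual substitutions ('to' -> '2', 'a' -> '@', 'e' -> '3' ...)
# so that "p@$$w0rd" compares as "password". Assumption: illustrative table.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "2": "to",
})

# Character classes and their sizes, used for the search-space estimate.
CHARACTER_CLASSES = (
    ("lower", str.islower, 26),
    ("upper", str.isupper, 26),
    ("digit", str.isdigit, 10),
    ("symbol", lambda c: c in string.punctuation, len(string.punctuation)),
)


def normalise(password):
    """Lower-case and reverse the substitution table."""
    return password.lower().translate(LEET_MAP)


def classes_used(password):
    """Names of the character classes present in the password."""
    return [name for name, test, _ in CHARACTER_CLASSES
            if any(test(c) for c in password)]


def charset_size(password):
    """Size of the alphabet a guesser must cover for this password."""
    return sum(size for _, test, size in CHARACTER_CLASSES
               if any(test(c) for c in password))


def hours_to_exhaust(password, guesses_per_second=5000):
    """Upper bound: hours to try every string of the same length over the
    same character classes, at the page's 'few thousand' guesses per second."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / 3600


def assess(password, min_length=12):
    """Policy check; returns a list of problems (empty means acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("fewer than three character classes")
    if normalise(password) in COMMON_WORDS:
        problems.append("common word once substitutions are undone")
    return problems


if __name__ == "__main__":
    for pw in ("summer", "p@$$w0rd", "4%oF5*1$$=2enty."):
        print(f"{pw!r}: {assess(pw) or 'acceptable'}; "
              f"exhaustive search <= {hours_to_exhaust(pw):.1f} h")
```

"summer" comes out at about 17 hours of exhaustive search, which is the "question of hours" the text describes, while the page's long mixed-class example is far beyond any brute-force budget; note that the exhaustive bound says nothing about dictionary attacks, which is why the normalised dictionary check is a separate rule.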
Some of the techniques used against intruders:
-
audit log: a record of all actions is made and regularly backed up. It's
analysed to discover any suspicious activity. The detection of intruders
is based on the difference between intruder behaviour and normal user
behaviour.
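One concrete form of the audit log analysis described above: build a profile of normal behaviour (hours and source addresses of successful logins) from an older log, then flag events in a new log that deviate from it or show repeated failures. The log format, the two constructed log extracts and the threshold of three failures are assumptions of this added Python example, which is not code from the original page.

```python
import re
from collections import Counter, defaultdict

# Constructed log format: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed 'normal week' used to learn what usual behaviour looks like.
BASELINE_LOG = """\
2003-05-05 08:02:11 LOGIN user=alice src=10.0.0.5 result=OK
2003-05-05 10:15:40 LOGIN user=bob src=10.0.0.7 result=OK
2003-05-06 09:10:02 LOGIN user=alice src=10.0.0.5 result=OK
2003-05-06 14:30:55 LOGIN user=bob src=10.0.0.7 result=OK
2003-05-07 08:45:19 LOGIN user=alice src=10.0.0.5 result=OK
2003-05-07 17:05:00 LOGIN user=alice src=10.0.0.5 result=OK
""".splitlines()

# Constructed day under review (the odd line stands for noise the parser skips).
NEW_LOG = """\
2003-05-14 09:05:33 LOGIN user=alice src=10.0.0.5 result=OK
2003-05-14 02:13:44 LOGIN user=alice src=10.0.0.99 result=OK
2003-05-14 10:01:10 LOGIN user=bob src=10.0.0.42 result=FAIL
2003-05-14 10:01:15 LOGIN user=bob src=10.0.0.42 result=FAIL
2003-05-14 10:01:21 LOGIN user=bob src=10.0.0.42 result=FAIL
2003-05-14 10:01:30 LOGIN user=bob src=10.0.0.42 result=OK
-- rotated --
""".splitlines()


def parse(lines):
    """Turn matching lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"hour": int(m["hour"]), "user": m["user"],
                           "src": m["src"], "ok": m["result"] == "OK"})
    return events


def build_profile(events):
    """Normal behaviour per user: hours and sources of successful logins."""
    profile = defaultdict(lambda: {"hours": set(), "sources": set()})
    for e in events:
        if e["ok"]:
            profile[e["user"]]["hours"].add(e["hour"])
            profile[e["user"]]["sources"].add(e["src"])
    return profile


def analyse(events, profile, fail_threshold=3):
    """Alerts for behaviour that differs from the profile or looks like guessing."""
    alerts = []
    fails = Counter()  # consecutive failures per (user, source)
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            fails[key] += 1
            if fails[key] == fail_threshold:
                alerts.append(f"{fail_threshold} failed logins for {e['user']} from {e['src']}")
            continue
        if fails[key] >= fail_threshold:
            alerts.append(f"success for {e['user']} from {e['src']} after "
                          f"{fails[key]} failures (possible password guessing)")
        fails[key] = 0
        known = profile.get(e["user"])  # .get does not create a default entry
        if known is None:
            alerts.append(f"{e['user']}: no baseline, first successful login seen")
        else:
            if e["hour"] not in known["hours"]:
                alerts.append(f"{e['user']} logged in at {e['hour']:02d}h, outside usual hours")
            if e["src"] not in known["sources"]:
                alerts.append(f"{e['user']} logged in from unknown source {e['src']}")
    return alerts


def demo():
    profile = build_profile(parse(BASELINE_LOG))
    return analyse(parse(NEW_LOG), profile)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

On the constructed day the analysis raises five alerts: alice's 02h login and its unknown source, bob's three failures, the success that follows them, and bob's unknown source. The baseline must come from a period you trust and, as the text says, from a backed-up copy of the log, since an intruder with administrator rights can edit the live one.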
Links
General
-
CERT - centre of Internet security expertise (new to security, home network
security, ...) - information about e-mail, computer & Internet security,
guides, warnings ...
-
Introduction into network security by Netscape (online shopping, email,
passwords, viruses...)
-
Guides and trials by BT Ignite - if you are really interested in public-key
encryption & authentication (30-day trial of a digital certificate...)
-
SANS readings in security - lots of papers about security-related issues
(hackers, for instance).
-
LinuxSecurity.com
-
links - an exhaustive list of cryptography and security related web pages.
-
SecurityFocus - articles etc. about security; seems to be quite good (IP
spoofing).
Cryptology and related technologies
-
Concepts of cryptography, very brief; list of algorithms with a short
description.
-
SSH.com - a good intro to cryptography (algorithms...), useful list of
on-line resources (also cryptography handbooks). Highly recommended.
-
RSA Labs - among others, contains standards descriptions (Diffie-Hellman,
Elliptic Curves, RSA and much more), a cryptography newsletter (CryptoBytes),
Crypto FAQ 2000 (intro to cryptography ..., also as .pdf).
-
Counterpane Internet Security
is a company founded by the designer of Blowfish. You can find there a
security newsletter, articles, algorithm analysis etc.
-
Blowfish - a fast
symmetric encryption algorithm; description etc.
-
library - essays and articles about cryptography, analysis ... See
especially the 'Essays' and 'Columns' parts.
-
A collection of cryptographical resources at BarcodesInc. (Thanks to Rebecca.)
-
Blokové šifry, úvod (Block ciphers, an introduction; in Czech)
Viruses, worms and the like
Glossaries
Other
Bibliography
1. On-line resources mentioned in the "Links" section.
2. Course "Computer Security" given by Viiveke Fåk at the ISY department
of Linköpings Universitet, Sweden; fall term 2001.
3. Course "Cryptology" given by Viiveke Fåk at the ISY department of
Linköpings Universitet, Sweden; fall term 2001.
4. Stallings, W.: "Network Security Essentials: Applications and Standards",
New Jersey: Prentice-Hall, Inc., 2000.
Notes:
"There are many Mail User Agents and each has many features, some even
useful." - Larry Rogers
Jakub Holy 2002 AD