Save Your PC From Cyber Extortion
It's a new twist on an old racket that's haunted businesses for centuries -- "Give us money or we'll shut you down."
Or, they may be a bit more subtle -- "Pay us for protection against hoodlums, crooks and vandals."
But the funny thing is, the guy collecting the money is closely associated with those very hoods he's promising to protect you from.
Cyber extortion is very real and it can affect anyone from a major corporation to a mom and pop business. And, unlike those crooks from the hood, the perpetrators can be anywhere in the world.
The types of attacks vary but can include a denial of service attack (DOS), theft of confidential data or defacement of your Web site. Another more recent variation is an attack that locks up or encrypts your data. If you want to get access to your own information, you have to pay to have it unencrypted. Otherwise your precious data files could be nothing but binary gibberish.
There are technologies that help you recover from such an attack. But the cost can be quite high, says one security specialist.
"Some of these attacks have so much throughput we can get into $100,000 for a single attack," said Barrett Lyon, Chief Technology Officer of Prolexic Technologies, a company that helps companies deal with these problems. The company offers a prevention and recovery service for enterprises starting at about $5,000 per month for most companies.
There was a time when an attack would come from a single machine located somewhere on the Internet. But these days they tend to come at you from multiple machines – possibly thousands of them – all at the same time. Such an attack is called a Distributed Denial of Service (DDoS) because they attackers are distributed across the Internet.
Typically the machines that are doing the attacking are not operated by the perpetrator but by unaware individuals or businesses or organizations whose machines have been infiltrated either by a hacker or by a virus, worm or Trojan horse. Once a machine has been infected it can be turned into a zombie to attack other machines.
That's why the federal government's National Strategy to Secure Cyberspace urges everyone with an Internet connected computer to guard against attacks.
"Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector and the American people," notes a report on cyber security from the agency.
Prevention is your best defense. In addition to services those offered by Prolexic and other security companies, organizations that maintain their own Web servers can purchase software that looks for and prevents "unusual" activity that may be associated with an attack.
Grogor Freund, Chief Technology Officer for Check Point Software, says his company's industrial strength firewall software "in most cases proactively protects you from these types of attacks."
Freund describes his company's FireWall-1 GX with the integrated SmartDefense service as "an intelligent firewall that looks for anything out of the ordinary and automatically stops it. Instead of saying 'I know a specific vulnerability,' it says 'this doesn't like look normal activity.'"
When evaluating firewall software, be sure that it has an auto-update feature to automatically update the software to protect against new threats as they are discovered.
Freund says DOS attacks "are notoriously hard to defend against." But the good news is that a denial of service attack, which can slow down or even prevent access to your site, rarely puts you in serious jeopardy because they tend not to last very long.
Of course not all companies run their own server. Most small businesses rely on Internet Service Providers (ISPs) to host their Web site. If that's the case, be sure to have a talk with your ISP to find out what they are doing to help secure your system. A common vulnerability is user scripts that run on ISPs servers. Scripts are pieces of software that can be used to customize your site to provide services such as surveys, customer feedback forms or web-based email.
While such scripts can be enormously useful, it is possible that they could have a vulnerability that can be exploited by a hacker. Discuss all your scripts with your ISP's tech support department to be sure that they are considered safe and that you are using them in a safe manner.
Again, be sure that all software on your server, including scripts, are up-to-date. Out-of-date programs are notoriously vulnerable. It's not uncommon for companies to issue new versions of programs to protect against security problems but to take advantage of those fixes; you have to install "patches" or the latest version.
Hackers have access to software that scans the net looking for vulnerable servers. If your server has software or scripts that are known routes for hackers to gain access, you're a sitting duck.
Protecting the server is essential but it's only part of the battle. Even if the server is well protected, there could be other sources of vulnerability, including the desktop or laptop computers of people inside or outside the company who might have legitimate access to the server.
For example, if the PC of an employee who accesses the server is hacked or compromised by a virus, worm or Trojan horse, it might be possible for someone with to obtain the usernames and passwords to get into the server and do virtually anything including shutting it down, defacing it or stealing data.
That's why it's important for everyone associated with the company to practice safe computing on all PCs and other devices that they use. That means using a firewall program on each PC as well as anti-virus software and software that protects against "spyware." Spyware programs, like viruses, are malicious programs can be configured to do virtually anything to a PC ranging from popping up ads to logging all keystrokes, making it easy for the attacker to gather data that can be used to attack other systems.
As with servers, it's important that all PCs with access to a server have up to date software. It's especially critical for Microsoft Windows users to have the most recent security patches that can be found at windowsupdate.microsoft.com and it's a very good idea to configure Windows to automatically update itself.
When doing a security audit, don't forget consultants and designers who may work outside the company. If they have access to your server, you have a right to insist that they, too, practice safe computing practices including using different passwords for your server than they use for their own email or other programs.
One solution for PCs is an Internet security suite such as ZoneAlarm Security Suite (from Check Point subsidiary Zone Labs). Other major players include Symantec, Trend Micro, McAfee and Panda Software. Some of these programs protect against all of the known threats but not all, for example, include spyware protection so you might have supplement the software with additional programs such as free (user supported) Spybot Search and Destroy or a leading commercial program like Spy Sweeper from Webroot Software.
It may seem obvious but one of the most common vulnerabilities is simply insecure passwords. Don't post your password on a sticky note on your monitor. Don't give it out and never give it out to someone who calls you on the phone with a seemingly legitimate reason to know it. The IRS recently did a study where they had people call employees claiming to be from the IT department and an alarming percentage of people gave the person their password on the phone. If you get a call like that from your IT department or ISP, call them back. Never give it out to someone who calls you.
People have a tendency to use passwords that are easy to guess. Never use your name, street or anything relatively obvious as a password and always include letters or symbols or a combination of upper and lower case letters. One easy way to create a password that you – and only you – can remember is to think of a phrase such as "I dated John when I was 22" and build a password around those initials that like "IdJwIw22." That password will be as easy to remember as your relationship and, hopefully, even John won't figure it out.
Finally, if you do think you have a problem, know where to call. Have the phone numbers of your IT staff or ISP handy and, if worse comes to worse, contact the appropriate officials. You can learn more about computer security at the Homeland Security Administration's United States Computer Security Readiness Team Web site at www.us-cert.gov.
By Larry Magid