
Desktop Security for Everyone

Tyler Farmer – [email protected]
Sr. Technology Specialist II, Education Solutions Group, Microsoft Corporation

Agenda
- State of the Industry today
- Viruses, Worms & Spies – oh my!
- How to Protect Yourself

State of the Industry Today

Threat Follows Value

The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because,

“That’s where the money is.”

Today, the money is in Cyberspace.

The Internet provides for criminals the two capabilities most required for the conduct of criminal activities: Anonymity & Mobility.

Do The Math
- SoBig virus spammed mail to over 100 million inboxes
- If 10% read the mail and clicked the link = 10 million people
- If 1% of people who went to site signed up for 3-day free trial = (100,000 people) x ($0.50) = $50,000
- If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

Opportunities Are Limitless
- Need Traffic? Buy it!
- Need A Family Business?

Situation: It is getting scary!

Why does this gap exist?

Exploit Timeline (diagram): Product ship, Vulnerability discovered, Component modified, Patch released, Patch deployed at customer site; the diagram tracks exploit code against the patch along this line and marks the gap between them with “Most attacks occur here”.

Days between patch and exploit

Chart: Days From Patch to Exploit, with bars of 331, 180, 151 and 25 days (labels visible on the chart: SQL Slammer, Nachi).
- The average is now nine days for a patch to be reverse-engineered
- As this cycle keeps getting shorter, patching is a less effective defense in large organizations

The Forensics of a Virus

July 1 – Report (vulnerability reported to us / patch in progress)
- Vulnerability in RPC/DCOM reported
- MS activated highest level emergency response process

July 16 – Bulletin (bulletin & patch available / no exploit)
- MS03-026 delivered to customers (7/16/03)
- MS heightened outreach efforts to get information to analysts, press, community, customers, partners, government agencies

July 25 – Exploit (exploit code in the world / public)
- X-focus published exploit tool

Aug 11 – Worm (worm in the world)
- Blaster worm discovered – variants and other viruses hit simultaneously (i.e. “”)
- Continued

Blaster shows the complex interplay between security researchers, software companies, and hackers.

Viruses, Worms & Spies

Virus:
- Old “traditional” viruses usually require human interaction
- You have to save it, run it, share floppy disks, etc.
- E-mailing a program / document, without knowing it is infected
- Typically just attach themselves to programs & documents, and then depend on humans to propagate
- This is changing…

Worms:
- Sub-class of Virus
- Replicated automatically without human help
- Example is e-mail address book attack
- Bogs down networks and Internet
- Think of a multi-level marketing company!
- Sasser, Blaster are examples

Worms:
- Scary part – you don’t have to do anything but turn your computer on!

Trojan Horse
- Program that appears to be a “good” program, but isn’t
- Might do what it is supposed to, plus more!
- Some Spyware falls in this category

Spyware:
- Defined as software that collects information about you. This might be OK, it might not
- Web page collecting anonymous “click” data
- Recording your bank # and password
- Many of these are not bad
- You sign up for a music service, it gathers web site data, then sends you targeted advertisements that you might like

Spyware:
- Much of it is bad
- Example: Toolbar programs
- Once the toolbar program is installed, it can collect anything it wants to.
- Record your keystrokes, then “phone home”
- Record websites, names & passwords
- Even if you remove them, they leave “bread crumbs” so that they re-install themselves

Spyware:
- Ever get pop-ups that constantly ask for you to click “OK” and won’t go away?
- This is Spyware or a virus of some sort

Phishing:

- Not a virus, but ways to trick you into giving up personal information
- See http://www.antiphishing.org for a lot of examples

Visible link: http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify
Called link: http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm
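The pair of links above is the whole lesson: the text you see and the address the browser is actually told to open are two separate things. The check below is an added example, not code from the original presentation. It applies three heuristics to such a pair: it compares the registrable domain of the shown address with that of the real one, looks for the shown hostname embedded in the real one with dots turned into underscores (signin.ebay.com inside signin_ebay_com_account…), and flags a non-standard port such as :7308. The suffix list and the heuristics are this example's own simplifications, not a public-suffix database or a complete anti-phishing rule set.

```python
"""Compare what a link shows with where it really goes.

Added example, not code from the original presentation. The suffix list,
the lookalike rule and the port rule are this example's own assumptions.
"""
from urllib.parse import urlsplit

# Suffixes under which the registrable domain is three labels long
# (rndsystems.co.kr, not co.kr). Constructed short list, not a public-suffix table.
TWO_LABEL_SUFFIXES = {"co.kr", "co.uk", "co.jp", "com.au", "ac.uk"}
STANDARD_PORTS = {None, 80, 443}


def host_and_port(url):
    """Return (lowercase hostname, port or None); bare hostnames are treated as http URLs."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port: treat as non-standard
        port = -1
    return (parts.hostname or "").lower(), port


def registrable_domain(host):
    """Reduce a hostname to the part someone would register: signin.ebay.com -> ebay.com."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(visible_text, href):
    """Return the list of reasons a (visible text, real target) pair looks deceptive.

    An empty list means none of the three heuristics fired; it is not proof the link is safe.
    """
    findings = []
    real_host, real_port = host_and_port(href)
    shown_host, _ = host_and_port(visible_text)

    # Only compare hosts when the visible text itself looks like an address.
    if "." in shown_host and " " not in shown_host:
        shown_domain, real_domain = registrable_domain(shown_host), registrable_domain(real_host)
        if shown_domain != real_domain:
            findings.append(f"domain mismatch: text shows {shown_domain}, link goes to {real_domain}")
        # Shown hostname buried inside the real one with dots turned into underscores:
        # signin.ebay.com -> signin_ebay_com_account.rndsystems.co.kr
        if shown_host.replace(".", "_") in real_host.replace("-", "_"):
            findings.append(f"lookalike: '{shown_host}' is embedded in the real host '{real_host}'")

    if real_port not in STANDARD_PORTS:
        findings.append(f"non-standard port {real_port}")
    return findings


if __name__ == "__main__":
    # The pair from the slide.
    shown = "http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify"
    real = "http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm"
    for reason in assess_link(shown, real):
        print(reason)
```

Run against the slide's pair, all three heuristics fire; a link whose text and target share a registrable domain (www.ebay.com shown, cgi.ebay.com opened) produces no findings, and text that is not an address at all ("Click here") is simply not compared, which is why the port check runs independently of it.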

How It Spreads
- Virtually all worms and trojan horses, etc. are spread through e-mail
- One person gets it, they tell all their friends, they tell all their friends, etc.
- Ever seen “My Picture.jpg                .exe”
- Users get tricked into clicking OK

How to Protect Yourself

Practice Good Surfing Sense
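The “How It Spreads” slide points at names like “My Picture.jpg                .exe”, where padding spaces push the real extension out of view in a narrow attachment list; looking at the whole name before opening anything is the first piece of good surfing sense. The classifier below is an added example, not code from the original presentation: it strips the padding, reads the full extension chain, blocks anything whose final extension is executable, and gives a separate verdict when a harmless-looking decoy extension sits in front of it. The extension sets are short constructed lists for the example, not a complete mail-filter policy.

```python
"""Judge an attachment by its full name, padding spaces included.

Added example, not code from the original presentation. The extension sets
are short constructed lists, not a complete policy.
"""
import re

# Final extensions that run code when opened; mail clients block several of these outright.
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js", "hta", "cpl"}
# Harmless-looking extensions that get used as the decoy in "picture.jpg   .exe".
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt", "mp3", "zip"}


def split_extensions(filename):
    """Return the lowercase extension chain, ignoring padding: "My Picture.jpg   .exe" -> ["jpg", "exe"]."""
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    return [p for p in parts[1:] if p]  # parts[0] is the base name


def classify_attachment(filename):
    """Return (verdict, reason) with verdict one of 'block', 'warn', 'allow'."""
    exts = split_extensions(filename)
    if not exts:
        return "warn", "no extension; the type cannot be judged from the name"
    final = exts[-1]
    # Whitespace right before the last extension is the padding trick from the slide.
    padded = re.search(r"\s\.\w+$", filename.strip()) is not None
    decoy = exts[-2] if len(exts) > 1 and exts[-2] in DECOY_EXTS else None
    if final in EXECUTABLE_EXTS:
        if decoy:
            return "block", f"executable .{final} hidden behind a .{decoy} decoy extension"
        return "block", f"executable .{final} attachment"
    if padded or decoy:
        return "warn", f"suspicious name: extension chain .{'.'.join(exts)}"
    return "allow", f".{final} file"


if __name__ == "__main__":
    # Constructed sample names, including the one shown on the slide.
    for name in ["My Picture.jpg                .exe", "setup.exe", "holiday.jpg",
                 "photo.jpg.zip", "README"]:
        print(repr(name), "->", classify_attachment(name))
```

The “block” verdict is the same decision a mail client makes when it refuses .EXE and .BAT attachments outright; the “warn” verdict covers names that are not executable but are shaped like the trick (a decoy extension, or padding before the real one), which is where a user should check with the sender before opening.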

- You know there are bad parts of town that you don’t go to
- The Internet is the same way – be wary!

#1 Rule
- Never download or open something, if you don’t know what it is
- Even if you know the sender by name, check with them to see if they sent you something
- True company-based e-mails never send attachments
- Make sure the link actually goes to their site & not a spoofed one!
- Only download what you trust, and even then be wary!

Points to Ponder
- Have you ever received an e-mail telling you that you have a virus?
- You might, or might not…
- Your address could’ve been spoofed to someone else
- Could be a trick to get you to install some “anti-virus” or “patch” (which is really a virus itself!)

How to Get Secure, Stay Secure

- Step 1 – Don’t change Internet Explorer “Zone” settings below “Medium”
- Step 2 – Don’t take downloads from strangers
  - Only install what you trust
  - “free” music & file sharing programs are wide open doors for
- Step 3 – Try to see if you have any issues already
  - Does your browser open to a new home page, or search page?
  - Increase in advertisements & pop-ups?
  - Computer seems sluggish?

How to Get Secure, Stay Secure
- Step 4 – Get a detect & removal tool for spyware (Spybot Search & Destroy is good)
- Step 5 – Get some antivirus software (Norton, McAfee, etc.)
- Step 6 – Get a Firewall (Service Pack 2 or some other)
- Step 7 – Keep everything up-to-date!
  - Windows Automatic Updates, Anti-virus, Spyware

What is Microsoft Doing to Help?
- Block HTML in e-mail by default
- .EXE, .BAT, etc files are blocked
- Warnings when e-mail is sent automatically
- Behavior Blocking technologies
- Service Pack 2 on Windows XP
  - Firewall, pop-up blocker, others
- Working with Law Enforcement
  - Reward money: $250,000 for Sasser paid!

Resources
- General: http://www.microsoft.com/security
- Consumers: http://www.microsoft.com/protect
- IT Professionals: http://www.microsoft.com/technet/security
- Patch Management: http://www.microsoft.com/technet/security/topics/patch
- Info on Virus, Worms, etc.: http://www.microsoft.com/athome/security/viruses/virus101.mspx
- Info on Spyware: http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx
  http://www.microsoft.com/windowsxp/using/security/expert/honeycutt_spyware.mspx

Now for the Gentle Q&A…

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.