Monday, June 05, 2006

Of Viruses, Worms and Spyware: The Dangerous World of the Internet

TECHNICS

A quarter-century ago I bought my first PC computer for a wallet-busting $6,900. It was a Heathkit, a do-it-yourself marque that regrettably disappeared when cheap Far Eastern labor made mass-produced computers more affordable.

A primitive memory, fragile doughnut-holed 5-1/4-inch floppy disks and a 12-inch monochrome monitor accompanied a Diablo 630 printer--a clattering behemoth cousin to the Teletype machine. The combination, however, was little more than an expensive word processor. Today, a compact computer system with 640 times the speed and 15,000 times the memory of my original computer can be bought for one-tenth of its price.

About 1994, when public access to the Internet became available, a brave new world opened for computer users. Suddenly, intellectual riches and instant communication were available to and from the farthest reaches of the planet. Such benefits were not without attendant hazards. Unscrupulous types quickly turned the Internet into a dangerous neighborhood for the unwary. Today, any computer user who naively ventures into the perilous thicket of the Internet faces mounting challenges. Lurking criminals are poised to filch their pocketbooks, if not their very identities, from the unwary.


REDUCE YOUR VULNERABILITY

Here are some of the steps you can take to reduce the likelihood of disaster:

Backup. Backing up your computer files at regular intervals should be a standard housekeeping computer practice. In the beginning, backup storage was done on disks, then streaming tapes and later CDs. If there is danger of fire or theft, many business computer users store their backup files off the premises. A plug-in external hard drive is another useful device for backup storage.

One practical suggestion is for computer users to buy two external storage drives and do a full backup once a week, say every Sunday. Each week's backed-up drive should be stored at a safe location and swapped for last week's drive with its stored information. In the event of a disaster, at the worst you'll only lose one week's data.

Regardless of the medium used to back up your files, it is imperative that the copied files be stored at a location away from your computer. The type of backup you choose should be dictated by your specific needs. Any backup system, however rudimentary, is better than no backup system at all.

Make your e-mail address harder to find. Sophisticated devices electronically troll the Internet looking for e-mail addresses from which to compile address lists. If you post your Internet address on a Web page, substitute the word “at” in place of the @ sign and the word “dot” for the period (.) in your address. This will make it more difficult for a spammer’s address-mining software to read.

Avoid easy-to-crack passwords. Don't be lazy or try to be cute and use the eight-letter word "password" as your password. Avoid common words or the name of a family member or pet. Create passwords that are at least eight characters long. Password-cracking software exists and enables unscrupulous types to decipher your password, so be sure to include numerals and symbols (such as # or ^) in yours to defeat the efforts of such programs.

Have more than one e-mail address. Use one e-mail address for personal use and give out the address only to friends and relatives. Use another for everyday use and a third for your business, if you operate one from home. The security of such a tripartite system far outweighs the chore of checking several e-mail addresses regularly. If any of your e-mail addresses attracts too much unwanted traffic, merely abandon it and tell only those who need to know the new e-mail address that replaces it.

Use e-mail judiciously. Curiosity killed the cat, and it can play havoc with your use of e-mail. Do not open an attachment you were not expecting, even from someone you know. Never supply personal information to anyone in response to an e-mail. Never reply to links embedded in strange e-mails, and do not click on a link labeled "unsubscribe." Doing so merely confirms for the spammer that your e-mail address, one of hundreds of thousands on a mailing list of doubtful reliability, is indeed a valid address.

Browse the Internet carefully. Be wary of e-mails announcing that you have won a lottery or online free offers, such as IQ tests, personality analyses, puzzles, games, screen savers, videos, music and movie file-sharing programs. You may get more than you bargained for. The prize announcement or freebie also may conceal unwanted spyware.

Have more than one computer. If your personal computer contains financial records, income tax returns, or confidential information of any kind, get another computer for your children to use, especially if they share and download files. Moreover, separate computers for your children reduce the possibility of accidental destruction of valuable family or business records through misuse.


UNDERSTAND THE RISKS

Here are some of the dangers you face online:

Spam, used as a noun and a verb, is unsolicited, unwanted, irrelevant or inappropriate messages, especially commercial advertising, sent indiscriminately in bulk quantities. It is the electronic equivalent of junk mail. To be considered spam, the recipient must not have verifiably granted explicit and revocable permission for it to be sent. The issue here is about consent, not content.

Most e-mail traffic these days is spam and by its very volume, much of it is more an annoyance than a hazard. If your ISP (Internet service provider) offers spam blocking, diverting it to a "bulk mailbox," by all means enable it. Among the ISPs offering this at no extra charge are AOL, Yahoo, Earthlink and MSN. Should the volume of spam getting past this first line of defense be large, you should consider installing an antispam program, either as part of an e-mail program or as an add-on. Cost of the former can range from $90 for Microsoft to $130 for Apple, while add-on programs cost an average of $30.

Viruses, worms and Trojan horses are all malicious programs whose objective is to damage your computer. A virus is a dangerous computer program or piece of computer code whose characteristic feature is the ability to generate copies and replicate itself, thus spreading. The first virus made its appearance in 1987 and infected ARPANET, a large network used by the Defense Department and many universities engaged in research. Life on the Internet hasn't been the same since.

Loaded onto your computer without your knowledge and running without your permission, most computer viruses carry a destructive payload that can be activated under certain conditions. Even a simple virus can be dangerous because it can quickly use all of your computer's available memory and bring your system to a standstill. The most dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Most viruses are attached to an executable file, which means that a virus cannot infect your computer unless you open or run the malicious program. In short, a virus cannot be spread without human action. The antivirus program I use is Trend Micro's PC-cillin Internet Security (trendmicro.com). Norton Antivirus is also popular (symantec.com).

As recently as a few weeks ago, an e-mail purporting to be from the FBI circulated on the Internet. It read: "We have logged your IP-address on more than 30 illegal websites. Please answer our questions. The list of questions are [sic] attached." Opening the attachment launches the w32/sober virus and may affect the user's computer. Given the recent revelations of government eavesdropping on telephone and Internet traffic in the U.S., recipients of this spammed e-mail could hardly be blamed for believing it to be genuine.

One popular fallacy is that you will never get a virus if you limit the e-mails you open to those from people you know. But there are no guarantees that a friend's or relative's computer may not already be infected.

A worm is a special kind of virus that can replicate itself and use memory, but cannot attach itself to other programs. Worms can travel from computer to computer but, unlike a virus, they have the ability to do this without any help from you. The biggest danger from worms is their ability to send out hundreds of thousands of copies of themselves with devastating effect. Viruses and worms spread by e-mailing copies of themselves to addresses listed in your address book.

A Trojan horse performs the same service as the hollow wooden horse the Greeks constructed and parked outside the walls of Troy. After it was trundled into the city by the delighted Trojans, Greeks hidden inside sprang out and threw open the gates of the city to permit entrance of their army.

At first glance, the Trojan horse appears to be useful software, but it will actually do damage if installed on your computer. A Trojan horse's effect can range from annoyance, such as adding silly desktop icons, to serious damage by deleting files and destroying crucial information. Unlike viruses and worms, Trojan horses do not reproduce by infecting other files, nor do they self-replicate.

Antivirus protection is available from several sources, including ISPs like AOL, Yahoo, Earthlink and MSN, from a retail store, or by downloading directly from the software manufacturer's website.

Spyware is any software that covertly gathers information about a computer user through an Internet connection without the user's knowledge. The first recorded use of spyware occurred in 1995. The behaviors of spyware may include tracking the user's Internet browsing by recording and reporting on the websites visited by the user for statistical research purposes.

Spyware may be secretly bundled with so-called freeware--programs available for downloading from the Internet. Once installed, spyware monitors the users' activity on the Internet and transmits that information to a third party. Spyware does not directly spread the way a computer virus, worm or Trojan horse does. Instead, spyware gets on a system through user deception or the exploitation of the vulnerabilities of a piece of software.

One clever spyware device appears on what looks like a standard Windows dialog box. It contains a message saying "Would you like to optimize your Internet access?" Regardless of whether you click on the "yes" or "no" button, a download starts, installing the spyware on your system.

System monitors are an insidious form of spyware. One, called a keylogger, can record and transmit to third parties every keystroke you strike, including names and passwords, enabling eavesdropping and reading of e-mail messages. Equally sneaky types of spyware can capture screen images of your electronically filed income tax returns, and online checkbook and personal records.

Spyware is sometimes called "adware" when it displays commercial advertisements with or without the user's consent. Adware does not operate surreptitiously, but the ads that pop up annoyingly can interfere with your browser. If you notice unusual behavior or degradation of your system's performance, chances are it is already infected with spyware.

Gaining unauthorized access to a computer is illegal under computer crime laws such as the U.S. Computer Fraud and Abuse Act. Even when the owners of computers infected with spyware claim they did not authorize the installation of detected spyware, few prosecutions of the authors of spyware have followed.

Three steps you can take to protect your computer from spyware are: Set your Web browser's security configuration at medium or higher to help resist spyware. Install antispyware. And regularly scan your computer with antispyware software.

Free programs are available to counter spyware. These include Microsoft's Windows Defender (Beta 2), offered as a free download for Windows XP, 2000 and Windows 2003 users (microsoft.com). Another free download is Lavasoft's Ad-Aware SE Personal (lavasoft.com). Because no antispyware program can intercept every piece of spyware, an additional program can be helpful. I use a program called Spy Sweeper offered at $30 by Webroot Software (webroot.com). Lavasoft's more advanced Ad-Aware SE Plus at $26.95 is also popular. I also installed Webroot Software's Window Washer, which cleans my PC, erases my system's Internet history and optimizes it for better Internet and computer security.

Many users install a Web browser other than Microsoft's Internet Explorer, such as Opera or Mozilla's Firefox, because they exhibit fewer security vulnerabilities. Unfortunately, no single browser is totally safe. Viruses and spyware programs concentrate on Windows-based PC computers simply because they outnumber Macintosh computers by about ten to one. Thus, using a Web browser other than Internet Explorer or using a Macintosh computer can reduce your risk of infection.


"PROTECT YOURSELF AT ALL TIMES"

These words--the final instructions the referee gives each fighter at the start of a boxing match--are equally pertinent watchwords for computer users. If anything can cause the Internet to implode, it will be the unchecked growth of so-called white-collar Internet crime, and the inability of authorities to prosecute it successfully.

The individual computer user is not the only target of computer attackers. According to the FBI, almost nine out of every ten U.S. companies suffered a security incident last year. Attacks came from 36 different countries, but the U.S. and China accounted for more than half the attempts. Total cost of all attacks was $32 million. Viruses and worms accounted for $12 million of the losses.

Phishing (pronounced "fishing") is the act of tricking a computer user into revealing private or confidential information by sending an e-mail falsely claiming to be a legitimate enterprise. The term is believed to have originated with "phone phreaks," persons whose hobby is studying and exploiting the phone system. The information obtained through phishing is invariably used in the fastest-growing criminal threat to our society: identity theft.

Phishing is now by far the most common means of identity theft. Millions of spam e-mails are distributed indiscriminately. Addressed to "Dear valued (eBay, PayPal, or named bank) customer," they inform recipients that a problem has arisen with their accounts. By spamming large numbers of people in shotgun fashion, the criminals count on the e-mail reaching some who actually have accounts with the purported sender, and who will supply the crucial information.

The e-mail invariably directs recipients to visit a website, where they are asked to update or verify personal information, such as credit card numbers, social security numbers, bank account numbers, PIN numbers, and passwords. Despite exhibiting logos, code numbers and other earmarks of a legitimate site, the website is bogus. Instead of being sent to the purported sender, a legitimate enterprise, the victim's crucial information is transmitted to a criminal network.

One clue to the bogus nature of such e-mails may be obvious errors in spelling or grammar, such as "If you do not respond, you leave us no choise [sic] but to close your account." Another clue is the flood of such e-mails sent on Sundays and holidays, when most businesses are closed. The important point to remember is that banks and responsible businesses do not use the Internet to communicate with customers about accounts.
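The clues described above, turned into a small mail-screening check (an added example, not part of the original column). The sample messages, the example.* addresses and the one-word misspelling list are constructed; only Sundays are checked, not holidays.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Patterns for the clues named in the column. The misspelling list is a
# constructed stand-in for a spell-checker; "choise" is the column's example.
GENERIC_GREETING = re.compile(r"\bdear\s+valued\b[^\n,]*\bcustomer\b", re.I)
UPDATE_OR_VERIFY = re.compile(r"\b(update|verify)\b", re.I)
SENSITIVE_DATA = re.compile(
    r"\b(credit card|social security|bank account|account number|pin|password)s?\b",
    re.I,
)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)
MISSPELLINGS = re.compile(r"\b(choise)\b", re.I)

def text_body(msg):
    """Join the text/plain parts of a parsed message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        try:
            chunks.append(payload.decode(charset, "replace"))
        except LookupError:  # unknown charset label
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def phishing_clues(raw_message):
    """Return the names of the column's phishing clues found in one message."""
    msg = message_from_string(raw_message)
    body = text_body(msg)
    prose = LINK.sub(" ", body)  # keep URL text out of the keyword checks
    clues = []
    if GENERIC_GREETING.search(prose):
        clues.append("generic_greeting")
    if LINK.search(body) and UPDATE_OR_VERIFY.search(prose):
        clues.append("link_with_update_or_verify_request")
    if SENSITIVE_DATA.search(prose):
        clues.append("asks_for_sensitive_data")
    if MISSPELLINGS.search(prose):
        clues.append("spelling_error")
    try:
        sent = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        sent = None  # missing or unparsable Date header
    if sent is not None and sent.weekday() == 6:  # Sunday in the sender's zone
        clues.append("sent_on_sunday")
    return clues

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
From: "Example Bank" <service@example.com>
To: user@example.org
Subject: Problem with your account
Date: Sun, 04 Jun 2006 09:15:00 -0400

Dear valued Example Bank customer,

A problem has arisen with your account. Please visit
http://example.net/verify to update your password and credit card number.
If you do not respond, you leave us no choise but to close your account.
"""

SAMPLE_BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Lunch
Date: Tue, 06 Jun 2006 12:00:00 -0400

Hi Bob, are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    print(phishing_clues(SAMPLE_PHISH))
    print(phishing_clues(SAMPLE_BENIGN))
```

No single clue is proof on its own; the more of them a message collects, the more reason to treat it as bogus.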

Among the common scam e-mails purporting to advise recipients of problems with their accounts are those from eBay and PayPal. Banks are also favored targets, including Chase, Wells Fargo, Washington Mutual, and Bank of America. Demonstrating their lack of knowledge of American banking and geography, some scams use shotgun tactics in an attempt to target customers of smaller regional banks, such as the Laredo National Bank in Texas, and credit unions.

Authorities believe that many of these phishing e-mails originate in Eastern Europe. It's not easy for authorities to do much if the personal information you so foolishly send off to what you think is a bank or other legitimate business enterprise shows up on the screen of a laptop computer of a slimy-looking individual sitting at a cafe table in Bucharest, Rumania.

Pharming, a variant of phishing, is a technique used by criminals and unscrupulous companies to obtain personal and financial information without your knowledge. It is similar to phishing, except the desired information is collected without the user having to click on a link in an e-mail. Like phishing, pharming's objective is to separate you from your money.

As in phishing, pharmers send e-mails to users reporting that account information needs to be updated. It differs from phishing in that the e-mail contains a virus that installs a small software program on the user's computer. When users try to go to their bank's genuine website, the program redirects the user's browser to the pharmer's fake site. It then asks the user to update sensitive information.

Maintaining up-to-date antispyware and firewalls on your computer, thus reducing the likelihood that a virus will redirect you to a malicious website, can stop this virus-based method of pharming. A list of popular sites that use a secure page for logins is maintained at pharming.org. It also displays a surprising list of sites that use an unsecured login page.

Whom can you trust? The answer is no one. Even government agencies are being used as cover. At tax time, spam e-mails flooded the Internet telling recipients that they were eligible for a tax refund of $571.84. The e-mail claimed to be from tax-returns@irs.gov. A link was provided to access a form to complete to receive the refund. The e-mail was a hoax. If you completed the form and supplied the personal information requested, your credit cards and bank accounts evaporated in the blink of an eye.

Another scam e-mail told recipients that they had been selected to receive a grant of 2.6 million British pounds (about $4.5 million) and instructed them to contact the organization, The Diana, Princess of Wales Memorial Fund. Some messages asked for personal information and others directed recipients to wire money by Western Union to designated people. Surprisingly, many complied.

If you receive such hoax e-mails, file a complaint with the FBI at www.ic3.gov.

Identity theft is the fastest-growing crime in the United States and is the ultimate goal of e-mail scammers. Facilitating this is our casual--or more properly "careless"--attitude toward the security of our Social Security numbers.

Social Security numbers are more widely used for identification than was ever intended back in 1935 when the Social Security Act was passed. It was not until the end of 2004 that Congress finally passed a law forbidding their use on drivers' licenses. The military services use them in place of serial numbers. At colleges and universities, they are the universal identifiers; some instructors require them to be placed on homework and test papers and display them when posting marks publicly.

Once your Social Security number is in the hands of identity thieves, they can apply for credit cards in your name and make life a veritable financial hell for you. The rules for protecting your Social Security number are simple. Do not carry your card with you in wallet or purse. Instead, memorize your number. Never give your number to anyone except when absolutely necessary. Protect your personal information zealously. Never provide your Social Security number, bank account number or credit card number to anyone who contacts you by e-mail or telephone.

Do not carelessly discard pre-approved credit card applications. These can be used to open an account in your name at a false address. Carefully examine bank statements and credit card bills as soon as they arrive for evidence of unusual activity or charges. Shred all mailed credit card solicitations and credit card purchase receipts. Destroy previous years' bank records, canceled checks and credit card statements. Make sure any online credit card charges are handled through a secure site or in an encrypted mode. You'll know you are on a secure site if the Web page on which you conduct your transaction begins with https instead of the usual http.

Internet frauds. Online Internet sales increased to an all-time high in the year just past. Something else also increased to an all-time high: Internet crime. Most Internet crime involves deceptive or fraudulent activity of some kind. Last year, scammers swindled millions of Americans and their banks and credit card companies out of billions of dollars.

Auction fraud online accounts for three out of each four complaints logged by the FBI's Internet Crime Complaint Center (formerly the Internet Fraud Complaint Center). The most common eBay complaint is the one in which bidders send their money and either receive nothing in return or else the product is nothing like what was described. If you are a regular eBay user and report the scam, the seller--using fake names--may retaliate by posting negative eBay reports about you.

Another fraud is the reshipping scam in which an offshore corporation seeks someone with a U.S. address or bank account to receive funds or goods and reship them overseas. Products are received, but these have been purchased with stolen credit cards--and so you are guilty of receiving stolen goods. Similarly, any money you receive and transfer abroad turns out to have been stolen from victims of identity theft. The final blow comes when you discover that your bank account has been quietly cleaned out.

Beware "the Nigerian letter." You receive an e-mail written in flowery prose. It describes a situation in a faraway country--usually in Africa--and most often in Nigeria. Someone has died leaving money totaling anywhere between 30 and 50 million dollars reposing in a bank account there. The letter, usually from a government official or bank officer, seeks an overseas accomplice who will assist by transferring the idle millions illegally into his or her bank account for a percentage of the total--typically 30 percent. As a conspirator in this shady deal, you are required to pretend to be a relative of the deceased owner of the millions.

Similar e-mail messages have recently begun to turn up from Russia. One such scam e-mail was received from Mrs. Larisa Sosnitskaya, "personal treasurer to Mikhail Khodorkovsky, the richest man in Russia and owner of the Yogos Oil Company, who is presently in jail." It sought help in recovering $46 million.

There's always a small hitch, of course. You must also advance several thousands of dollars to be used for attorney costs, taxes, recording fees and official bribes. Believe it or not, many people fall for this scheme, which dates back to the 16th century, when it was known as "the Spanish prisoner letter." But there are no stashed millions, and the only money that ever changes hands is the money the gullible victim has advanced.

If victims of the Nigerian letter scam complain about the slowness of the millions to materialize, they are invited to come to Nigeria (at their own expense, of course) and are told that no visa is necessary to enter the country. Entry is arranged through a bribed official. At this point the victim is in Nigeria illegally, a crime for which penalties are high. Now virtually a captive, to get out of the country, he must hand over more money after using his credit card. Several victims have been killed or reported missing after going to Nigeria to protect their investment in this swindle. You cannot become a victim of a swindle if you remember the first rule of carnival operators: You can't cheat an honest man.

What the future holds. The number of phishing attacks launched by e-mail doubled in number from 2004 to 2005. This tremendous surge in attacks revealed increased sophistication in strategies as well as more organized efforts by online criminals.

Identity theft remains a big problem, not only on the Internet but everywhere in our society. The recent loss of crucial personal information by banks, insurance companies and agencies of government opens up grave probabilities of the use of such information in Internet fraud.

Online banking use will likely decline because of concerns about vulnerability. Consumer confidence in the security of online banking has already been shaken. Look for wider use of new authentication systems that assure customers they have indeed reached the desired website and not a fraudulent site. Similarly, such systems must let the bank know that it is dealing with genuine customers and not with criminals. This will require verification devices more secure than the traditional "mother's maiden name."

Gullibility is a very human quality on which showman P.T. Barnum capitalized. In his famous New York City museum of wild animals and "curiosities" at Park Row and Broadway, he posted signs reading "This way to the egress," with arrows leading eager visitors to a door. Eager visitors who passed through it expecting to see another exhibit found they were out on the street and had to pay again to reenter. Gullibility is the human frailty Internet scam artists thrive on.

Con men, liars, cheats, swindlers, and even murderers abound on the Internet. Fortunately, these still make up only a small part of the brave new world spawned by computers. When Shakespeare wrote the phrase "O brave new world" in his play The Tempest, he was writing about a world just beginning to give up its secrets to daring adventurers and explorers. The Bard of Avon inadvertently made the quotation equally fitting for today by adding the words, "that has such people in it!"
