Attached to this note are the minutes from the 9/16
RMIUG Meeting, "Online Security: Let's Be Careful Out
There."
Thank you to our attendees and sponsors for making
this happen.
Sincerely,
JZ
Josh Zapin
josh@...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Minutes of the 09-16-04 meeting of the Rocky Mountain
Internet Users Group: "Online Security: Let's Be
Careful Out There"
Josh Zapin was the only committee member in attendance
and ran the meeting, which was fairly well attended.
He thanked the RMIUG sponsors for their support:
MicroStaff (http://www.microstaff.com) generously
provides food and beverages at the meetings. The
company provides Creative and Technical Talent for
Web, Interactive Media, Marketing Communications, and
Software Development projects.
ONEWARE (http://www.ONEWARE.com) is a Colorado-based
software company that provides semicustom web-based
applications, and is the sponsor of the RMIUG meeting
minutes.
NCAR gives us the use of their wonderful facility.
Copy Diva (http://www.copydiva.com) provides the audio
visual equipment.
Josh did a quick survey of the audience:
Most have purchased security software and have
contracted a virus.
A few have had to refresh their whole systems due to
an attack.
A few lose some time every day to security issues.
Some are "just plain scared" about the future.
About one-third think online security will be
manageable someday and just part of doing business.
Josh said ignorance is bliss regarding security due to
some alarming statistics:
Verisign, which enables secure transactions on the
Internet, reports security events doubled from January
to March this year (from 2 million to 4 million events
per monitored device), and it now takes an average of
20 minutes to compromise a computer once you connect
it to the internet--down from 40 minutes a year ago.
ANNOUNCEMENTS
Microstaff has technical and creative positions
opening. Visit microstaff.com for details. They would
be happy to discuss general information about the job
market as well.
______________
ONLINE SECURITY: LET'S BE CAREFUL OUT THERE
Speakers:
Tonight's speakers are all employees of Webroot
Software, Inc., a private Boulder company that makes
privacy protection software and related products.
Richard D. Stiennon (rstiennon@...)
Richard is Vice President of Threat Research for
Webroot Software where he applies his 20 years of
security industry experience to identify emerging
spyware and other security threats. Richard comes to
Webroot from Gartner, Inc., where he served as vice
president of research and a top security analyst. At
Gartner he led much of the coverage on security topics
including firewalls, intrusion detection and
prevention, security counseling, and services.
Richard will discuss the anatomy of an attack, detail
some of the latest threats, and provide a perspective
on future types of attacks.
Michael Greene (mgreene@...)
Michael is Director of Product Management for Webroot
Software. He brings with him more than 10 years of
product development and management experience
including his work at Raindance Communications and
Thompson and Baxter International.
Brian Kellner (bkellner@...)
Brian is Director of Enterprise Product Management.
He brings with him more than 10 years of experience
managing software products. Brian uses his expert
understanding of business environments to direct
Webroot's enterprise division.
Michael and Brian will talk about how spyware works
and what you need to know to protect yourself or your
enterprise against attacks.
RICHARD STIENNON
When evaluating risk, remember it's your personal risk
that's important. Think about the specific information
stored on your computer that could compromise you.
Generally, if you have a PC today running Microsoft
products you have to have antivirus software and
firewalls.
Attacks are either targeted or random--it's the
targeted ones you hear about in the media. These are
denial of service attacks, information theft, and
attacks by disgruntled employees. Security companies
are especially targeted--hackers look for security
companies and hit them often. Some attacks actually
kill servers and even routers.
But what we spend most of our money on are random
attacks, which include viruses, port scans, and
hacks-of-the-month. These hacks of the month will do
port scans on the entire internet, simply scanning for
vulnerabilities. So it doesn't matter how obscure your
internet presence may be, you can still get hit with
these random attacks.
Some companies will hire a hacker to assess their
security by giving the hacker the simple goal of
breaking in. This is unwise. It's much more useful to
do complete scans of all your servers and ports, find
modems, etc, because that's what the hackers do. You
want a tester to go through the same process that
hackers go through.
Anatomy of a Hack
Footprint Analysis:
The first step is to look for publicly available
information that could be useful to a hacker. They do
WhoIs lookups, then maybe search for site
administrators' names for postings to message boards
(for example) to see if they revealed anything useful
(and they often do). NSLookup can provide useful
information too. War dialing can locate modems.
Example: shortly after Dell announced they were
impervious to attack, you could do a search on
"premier member password" and find login instructions
and purchase order information on Dell's customer
websites. Often a company might then claim that it's
just a business issue. The business process side of a
company often doesn't talk to security people--as a
result, security holes are left open because no one
thinks of them in security terms.
Scanning:
Hackers scan machines, ports, and applications to
locate vulnerabilities, and then they just look up the
appropriate hacking recipes on Google.
Exploitation:
Hackers attack targets using a library of tools and
techniques including buffer overflows, spoofing,
password guessing, and denial-of-service.
Damage:
A successful attack can end with identity theft,
blackmail, website graffiti, espionage, and
destruction.
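The "Scanning" step above, shown as code. This is an added example, not code from the minutes or from Webroot: a TCP connect scan that records the banner each open port sends back, which is what an attacker matches against published "hacking recipes". The target is a throwaway listener on 127.0.0.1 that the script starts itself, and DEMO_BANNER is a constructed greeting, so nothing here touches a remote host.

```python
"""TCP connect scan with banner grabbing: the "Scanning" step of the
anatomy of a hack summarised above. Added example, not code from the
minutes or from Webroot. The target is a throwaway listener on 127.0.0.1
started by this script itself, and DEMO_BANNER is a constructed greeting,
so nothing here touches a remote host."""
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed banner: real services greet clients much like this
# (an SMTP 220 line, an SSH version string), which is what a scanner
# records to decide which "hacking recipe" applies to a port.
DEMO_BANNER = b"220 demo.example.local ESMTP ready\r\n"


def start_banner_server(banner: bytes = DEMO_BANNER) -> int:
    """Start a daemon thread listening on an ephemeral localhost port
    that sends `banner` to each client and hangs up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Reserve and release an ephemeral port so the scan has a port that
    is known to be closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Connect scan of one port. Returns the banner text ("" if the
    service waits for the client to speak first) when the port accepts
    the TCP connection, or None when it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return data.decode("ascii", errors="replace").strip()
    except OSError:
        return None


def scan_ports(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Return {port: banner} for every port that accepted a connection."""
    found: Dict[int, str] = {}
    for p in ports:
        banner = grab_banner(host, p)
        if banner is not None:
            found[p] = banner
    return found


if __name__ == "__main__":
    open_port = start_banner_server()
    closed_port = free_closed_port()
    for port, banner in scan_ports("127.0.0.1", [closed_port, open_port]).items():
        print(f"{port}/tcp open  {banner!r}")
```

A connect scan completes the full TCP handshake, so it shows up in the target's logs; the point of the talk's advice to "go through the same process that hackers go through" is that your own tester should see exactly this list of open ports and banners before an outsider does.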
Worms
A tool for random attacks is the Worm. Worms are very
dramatic and tend to affect everybody. The first major
worm, Code Red, appeared three years ago. It was one
of the first server-to-server worms. Code Red scanned
the entire internet from every infected workstation,
making it a multiheaded worm. Months later Nimda
attacked the same vulnerability for people who didn't
patch their systems against Code Red. It spread
through email, file shares, and web browsing. Code Red
also left behind a back door vulnerability that other
viruses could use. The lesson is: always patch your
systems right away. Then came SQL Slammer: another
multiheaded worm that spread to every vulnerable
machine on the internet--80,000 machines--in six
minutes. The Internet was brought to its knees by this
worm. Carriers eventually blocked the appropriate
high-level ports to stop the worm. This got people to
install firewalls that blocked high-level ports. After
that came MSBlaster which exploited another port
vulnerability. Part of the problem was that Microsoft
tended to make up their own nonstandard and mysterious
protocols which led to vulnerabilities. All of these
worms still exist on the internet, so if you're
vulnerable you'll still get infected today.
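The "multiheaded" spread described above, every infected host scanning the whole internet, is what turns a worm from hours into minutes. As an added example (not from the minutes), the following models it: with random scanning, new infections per second are proportional to the product of infected and still-vulnerable hosts, which is the logistic "random constant spread" model. The host counts and scan rates are illustrative assumptions, not figures from the talk.

```python
"""Random-scanning worm model behind the Code Red and SQL Slammer
timelines summarised above: every infected host scans random 32-bit
addresses, so new infections per second are proportional to
(infected) x (not yet infected), the logistic "random constant spread"
model. Added example, not from the minutes. The host counts and scan
rates below are illustrative assumptions, not figures from the talk."""
import math
from typing import Dict, List, Tuple

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from


def contact_rate(vulnerable_hosts: int, scans_per_sec: float) -> float:
    """K: new victims per infected host per second while almost every
    vulnerable host is still uninfected: scans/s * (N / 2^32)."""
    return scans_per_sec * vulnerable_hosts / ADDRESS_SPACE


def simulate(vulnerable_hosts: int, scans_per_sec: float, dt: float = 1.0,
             stop_fraction: float = 0.9,
             max_seconds: float = 10 ** 7) -> List[Tuple[float, float]]:
    """Euler-step da/dt = K a (1 - a) from one seed host and return
    (seconds, infected fraction) samples until stop_fraction is reached."""
    k = contact_rate(vulnerable_hosts, scans_per_sec)
    a, t = 1.0 / vulnerable_hosts, 0.0
    history = [(t, a)]
    while a < stop_fraction and t < max_seconds:
        a = min(1.0, a + k * a * (1.0 - a) * dt)
        t += dt
        history.append((t, a))
    return history


def seconds_to_fraction(vulnerable_hosts: int, scans_per_sec: float,
                        fraction: float = 0.9) -> float:
    """Closed form of the same model: time for the infected share to
    climb from 1/N to `fraction` (logit difference divided by K)."""
    k = contact_rate(vulnerable_hosts, scans_per_sec)
    a0 = 1.0 / vulnerable_hosts
    return (math.log(fraction / (1 - fraction)) - math.log(a0 / (1 - a0))) / k


# Illustrative parameters (assumptions): a Slammer-like worm with a tiny
# single-packet payload scans far faster than a Code Red-like worm that
# needs a full TCP handshake and HTTP request per probe.
SCENARIOS: Dict[str, Tuple[int, float]] = {
    "slammer-like (UDP, 1 packet per probe)": (75_000, 4_000.0),
    "code-red-like (TCP, 1 connection per probe)": (360_000, 10.0),
    "slammer-like, half the hosts patched": (37_500, 4_000.0),
}


def time_to_90_percent() -> Dict[str, float]:
    """Minutes until 90% of the vulnerable population is infected."""
    return {name: seconds_to_fraction(n, s) / 60
            for name, (n, s) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, minutes in time_to_90_percent().items():
        print(f"{name:48s} {minutes:9.1f} min")
    samples = simulate(*SCENARIOS["slammer-like (UDP, 1 packet per probe)"])
    print(f"step simulation reached 90% after {samples[-1][0]:.0f} s")
```

The "half the hosts patched" row makes the talk's lesson concrete: patching by other people only slows the worm down (K shrinks with the vulnerable population), it still saturates whatever is left, so the only machine your patch protects is your own.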
Latest threats include new versions of viruses (MyDoom
is up to version 28) and back door trojans which
deploy remote tools: they leave something on your PC
that another virus can exploit.
Spyware
The other new threat is spyware. These include
keystroke loggers, voice loggers, and even cleverly
timed screen captures. Spyware has grown faster than
spam. The problem with spyware is that you invite it
in, allowing it to bypass most security software.
Why spyware? You can make a lot of money with it. The
information it records is valuable.
Remember that all spammers are criminals simply
because they have to illegally take over other
machines in order to send multiple emails--because
ISP's won't let you send bulk email.
A particularly tenacious piece of spyware is CWS (Cool
Web Search): it installs under multiple file names,
redirects you to multiple websites, and can be very
difficult to remove.
"Phishing" attacks can make people lots of money by
collecting personal information, leading to identity
theft. That's where the money is. You get an email
with a link to a short-lived website that requests
account info, etc. Then the phishing sites move around
on their own by installing themselves on your server.
Spyware vectors (carriers) include email, web
browsing, instant messaging (getting to be a big
problem), cell phones, and file shares.
There are some interesting Denial of Service attacks
coming from "Russian Bad Guys." They install trojans
in servers all over the internet using a virus. The
trojan contains instructions to request something from
a particular website, and so you have a distributed
denial of service attack ready to go-- no way to block
it. Hackers sell their trojans, or bots, to the
Russian Bad Guys. Online gaming is a huge business in
other countries, and that's who the RBGs attack. They
send them an email saying we're going to attack
you--by activating all these trojans--if you don't
send us money. The blackmail is very effective because
the payout is less than the loss due to an attack. I
predict this will grow to targeting things like
banks--they don't want to end up in the news, so
they'll just pay.
Four ways to protect yourself: use the new Firefox
browser, switch to Mac OS X, update all
Windows/Microsoft products, and get something like
SpySweeper.
MICHAEL GREENE
Spyware and how to protect yourself
Where does it come from? Surfing the web, downloading
shareware, music, games, reading emails, remote
network logons, instant messaging, sharing your PC
with another person. Spyware can also be deployed
through the usual security vulnerabilities and viruses
and worms exploit.
Much of it is related to advertising. They create
popup ads on your desktop. They collect information
about your habits to create valuable marketing
profiles that can be used to sell advertising.
Spyware includes a lot of surveillance: key loggers,
screen captures, and trojans. These collect
information from your PC and sell it.
The scary truth is that a typical PC has 26 pieces of
spyware living on it. And this seems to be doubling
each quarter.
What problems does it cause? Spyware can lead to
significant performance loss, up to 50%, and causes
crashes too.
How to protect yourself:
Be careful what you download.
Don't use one of those free "optimization services" on
the web; they just load spyware.
You can adjust security settings upward to block some
of it.
Install all available security updates from Microsoft.
Get a firewall.
Get antivirus software.
Get antispyware software.
No one thing blocks everything. Spyware gets through
firewalls. Antivirus software doesn't stop spyware,
especially spyware that's installed with free
software. So you need a dedicated antispyware program.
Free solutions exist but they're not updated often
enough, require manual maintenance, and may not stay
on the market. These include Lavasoft Ad-Aware and
Spybot Search and Destroy.
Paid solutions are more effective than freeware:
they're less likely to remove beneficial software from
your PC, and there's more quality testing behind them.
Paid solutions tend to be more accurate and up to date
and provide solutions to new threats. Paid solutions
can be more usable, with good interfaces, help files,
and live tech support (which can help with new
threats).
Some software can deploy active shields such as
real-time protection heuristics, prevention of browser
hijacking, windows system shields, startup shields,
etc.
BRIAN KELLNER
IT departments in enterprises now have to deal with
system crashes due to spyware. One solution is
rebuilding the machines, but that's not acceptable.
Spyware can cause loss of bandwidth too: it is the
number one user of port-80 traffic. Spyware causes
loss of personal productivity and data privacy issues.
Enterprises are different in four areas: scale,
complexity, impact, and data.
Best to install firewalls, antivirus software,
intrusion detection software, and a spyware solution.
Many ask if you can stop spyware on its way in
without having to protect every desktop on the
network. Unfortunately, that technology is still in
its infancy, so you do have to manage it at the level
of the desktop. You could just prevent everyone from
installing anything, but that's not a viable solution.
So you need an endpoint on every desktop, and a system
to ensure universal compliance.
Pest Patrol and Spysweeper Enterprise are two products
designed for enterprise today.
QUESTIONS FOR THE PANEL
Q: The CIA, FBI, and others are using spyware to track
sex offenders, etc. Does Webroot make exceptions for
legitimate government use of spyware? Do you advocate
for government or just end users?
A: That just hasn't come up. We do work with
government agencies, but we're not making any special
exceptions. We focus on putting control in the hands
of customers.
Q: How do you shut off some of these vulnerable
"services" running behind windows?
A: Spysweeper can shut down some stuff via shields,
but there are lists available on web that will show
you the rest:
www.theregister.co.uk/2004/09/02/winxpsp2_security_review
Q: A Windows firewall isn't very kid-friendly. Do you
have a nontechnical solution?
A: It's just the nature of the firewall to be that
way. Try a good modern hub/router, which can provide
some automatic, behind the scenes protection.
Q: How do I stealth or hide my WhoIs information?
A: You can pay netsol to stealth it for you, or just
modify it with bogus info for free.
Q: Can you find spyware on your own?
A: Very difficult, I'm afraid. It knows how to hide.
You really need antispyware software to find it.
Q: Does the firewall alert you to spyware?
A: Not usually. Spyware can trick firewalls when it
connects to the internet.
Q: What about when Spysweeper asks about something it
found?
A: Spyware is clever enough to use legitimate
processes, so it asks to help ensure you're not
removing something you need.
Q: Isn't Firefox really buggy?
A: A new version is available now, so check it out.
Q: How do you discover spyware to write your
definitions?
A: We get calls and emails, and we have researchers
out there grabbing whatever they can.
Q: How does Webroot protect itself?
A: We don't want to be protected because we want to
find stuff! (joke). Actually we deal with the same
stuff as everyone else, and use the same methods of
protection.
Q: Does spysweeper remove both spyware and adware?
A: Yes, because we include adware in our definition of
spyware.
Q: Is it a good strategy to mix your network up with
different OS's and different network protocols?
A: Absolutely. Diversity does help. Moving away from
common denominator is a great strategy, but
unfortunately it's more expensive.
Q: What about spyware that names itself identically to
legitimate products?
A: A good antispyware product may be able to
distinguish it, but that is the tricky part of this
business.
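Two of the answers above (that spyware is hard to find by hand because it knows how to hide, and that it names itself after legitimate products) come down to the same manual check: review what is configured to start with Windows and ask whether each entry runs from where a legitimate program would. The following is an added example, not code from the minutes or from any Webroot product. It parses a constructed regedit text export of the Run keys (the entry names, paths and the list of well-known system binary names are assumptions for the demo) and flags entries that start from a user-writable profile or temp directory, or that borrow a Windows system binary's name while living outside the Windows directory.

```python
"""Review of Windows "Run" autostart entries, the kind of startup
location spyware uses to survive a reboot and where it hides under
file names that mimic legitimate software. Added example, not from the
minutes or from Webroot. Input is a constructed regedit text export so
this runs offline on any platform; the entry names, paths and the
system-binary list are assumptions for the demo."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export: regedit's text format, where \\ is a literal
# backslash and \" a literal quote inside a string value.
CONSTRUCTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"svchost"="C:\\Documents and Settings\\jane\\Local Settings\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Windows Update"="C:\\Documents and Settings\\jane\\Application Data\\wupdate.exe /silent"
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumed lists for the demo: names spyware likes to borrow, the only
# folders those names legitimately run from, and markers of user-writable
# locations that a properly installed product does not start from.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows", "c:\\winnt\\system32", "c:\\winnt")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "%temp%", "%appdata%")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\x -> x for any escaped character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command line) for each string value under
    a key whose last path component is Run or RunOnce."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key and key.lower().rsplit("\\", 1)[-1] in ("run", "runonce"):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command_line: str) -> str:
    """Pull the program path out of an autostart command line: the quoted
    part if quoted, otherwise everything up to and including ".exe"."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    idx = cl.lower().find(".exe")
    return cl[:idx + 4] if idx >= 0 else cl.split(" ", 1)[0]


def review_entry(command_line: str) -> Tuple[str, List[str]]:
    """Return (path, reasons) where reasons is empty for an unremarkable entry."""
    path = executable_path(command_line)
    low = path.lower().replace("/", "\\")
    folder, _, name = low.rpartition("\\")
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("starts from a user-writable profile/temp directory")
    if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        reasons.append(f"uses the system binary name {name} outside the Windows directory")
    return path, reasons


def review_run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Run every autostart entry through review_entry and keep the flagged ones."""
    findings = []
    for key, value_name, cmd in parse_run_entries(reg_text):
        path, reasons = review_entry(cmd)
        if reasons:
            findings.append({"key": key, "name": value_name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_run_entries(CONSTRUCTED_REG_EXPORT):
        print(f"{f['name']!r} -> {f['path']}\n    " + "\n    ".join(f["reasons"]))
```

On a real machine the export would come from regedit (File > Export) or `reg export` of the Run keys; the Run keys are only one of many autostart locations (services, browser helper objects, Winlogon hooks), which is the reason the panel's answer is that a dedicated tool finds what a manual review misses.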
Q: Since you're a security company, do you have
employees who are hackers?
A: We look for people who are passionate about
security and privacy. We screen the best we can, and
haven't had any issues.
Q: How do you deal with employee hacking at Webroot?
A: We screen the best we can and haven't had any
problems.
Q: What happened with a linux attack that took down
NCAR?
A: I don't know the specifics, but it does show that
alternative systems are vulnerable, albeit they do
suffer fewer attacks.
Q: Are linux attacks growing?
A: It's getting lots of targeted attacks, but no one's
going to make money by attacking linux machines
because there aren't enough of them out there.
Q: Is spyware research more proactive or reactive?
A: Shields are proactive. But we're still a ways away
from blocking stuff before the vulnerability has been
identified.
Q: Is there a scanner to remove spyware?
A: Not that we know of. Interestingly, some viruses
can attack trojans and replace them. Gives you an idea
of what we have to deal with nowadays.