Thursday, 6 October 2011

Importance of Security

The Internet has undoubtedly become the largest public
data network, enabling and facilitating both personal and
business communications worldwide. The volume of
traffic moving over the Internet, as well as corporate
networks, is expanding exponentially every day. More
and more communication is taking place via e-mail;
mobile workers, telecommuters, and branch offices are
using the Internet to remotely connect to their corporate
networks; and commercial transactions completed over
the Internet, via the World Wide Web, now account for
large portions of corporate revenue.
While the Internet has transformed and greatly improved
the way we do business, this vast network and its associated
technologies have opened the door to an increasing number
of security threats from which corporations must protect
themselves. Although network attacks are presumably more
serious when they are inflicted upon businesses that store
sensitive data, such as personal medical or financial records,
the consequences of attacks on any entity range from mildly
inconvenient to completely debilitating—important data
can be lost, privacy can be violated, and several hours,
or even days, of network downtime can ensue.
Despite the costly risks of potential security breaches, the
Internet can be one of the safest means by which to
conduct business. For example, giving credit card
information to a telemarketer over the phone or a waiter
in a restaurant can be more risky than submitting the
information via a Web site, because electronic commerce
transactions are usually protected by security technology.
Waiters and telemarketers are not always monitored or
trustworthy. Yet the fear of security problems can be just
as harmful to businesses as actual security breaches.
General fear and suspicion of computers still exists and
with that comes a distrust of the Internet. This distrust can
limit the business opportunities for companies, especially
those that are completely Web based. Thus, companies
must enact security policies and instate safeguards that
not only are effective, but are also perceived as effective.
Organizations must be able to adequately communicate
how they plan to protect their customers.
In addition to protecting their customers, corporations
must protect their employees and partners from security
breaches. The Internet, intranets, and extranets enable
fast and effective communication between employees and
partners. However, such communication and efficiency
can of course be impeded by the effects of a network
attack. An attack may directly cause several hours of
downtime for employees, and networks must be taken
down in order for damage to be repaired or data to be
restored. Clearly, loss of precious time and data can
greatly impact employee efficiency and morale.
Legislation is another force that drives the need for
network security. Governments recognize both the
importance of the Internet and the fact that substantial
portions of the world’s economic output are dependent
on it. However, they also recognize that opening up the
world’s economic infrastructure to abuse by criminals
could cause major economic damage. National
governments are therefore developing laws intended
to regulate the vast flow of electronic information.
Furthermore, to accommodate the regulations enacted
by governments, the computer industry has developed a
portfolio of security standards to help to secure data and
to prove that it is secure. Businesses that do not have
demonstrable security policies to protect their data will be
in breach of these standards and penalized accordingly.

An Introduction to the Key Security Issues

With the explosion of the public Internet and e-commerce, private computers and computer networks, if not
adequately secured, are increasingly vulnerable to damaging attacks. Hackers, viruses, vindictive employees
and even human error all represent clear and present dangers to networks. And all computer users, from the
most casual Internet surfers to large enterprises, could be affected by network security breaches. However,
security breaches can often be easily prevented. How? This guide provides you with a general overview of the
most common network security threats and the steps you and your organization can take to protect
yourselves from threats and ensure that the data traveling across your networks is safe.

Friday, 30 September 2011

How to shop online more safely

These tips can help you determine that you're shopping at a secure and trustworthy website.
Look for signs that the business is legitimate

Buy from reputable stores and sellers. Here are some ways to check:

Find out what other shoppers say. Sites like Epinions.com or BizRate have customer evaluations which can help you determine a company's legitimacy.

Look for third-party seals of approval. Companies can put these seals on their sites if they abide by a set of rigorous standards such as how personal information can be used. Two seals to look for:

If you see the seals, click them to make sure they link to the organization that created them. Some unscrupulous merchants will put these logos on their websites without permission.
Look for signs that the website protects your data

On the web page where you enter your credit card or other personal information, look for an "s" after http in the web address of that page (as shown below). (Encryption is a security measure that scrambles data as it traverses the Internet.)

Also make sure there is a tiny closed padlock in the address bar, or on the lower right corner of the window.

Image of green address bar in Internet Explorer

Use a filter that warns you of suspicious websites

Find a filter that warns you of suspicious websites and blocks visits to reported phishing sites. For example, try the SmartScreen Filter included in Internet Explorer.

11 tips for social networking safety

Social networking websites like MySpace, Facebook, Twitter, and Windows Live Spaces are services people can use to connect with others to share information like photos, videos, and personal messages.

As the popularity of these social sites grows, so do the risks of using them. Hackers, spammers, virus writers, identity thieves, and other criminals follow the traffic.

Read these tips to help protect yourself when you use social networks.

Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages. (For more information, see Approach links in email with caution and Click Fraud: Cybercriminals want you to 'like' it.)

Know what you've posted about yourself. A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, home town, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search. For more information, see:

What was the name of your first pet?

What is screen scraping?

Take charge of your online reputation

Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect that a message is fraudulent, use an alternate method to contact your friend to find out. This includes invitations to join new social networks. For more information, see Scammers exploit Facebook friendships.

To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book. When you join a new social network, you might receive an offer to enter your email address and password to find out if your contacts are on the network. The site might use this information to send email messages to everyone in your contact list or even everyone you've ever sent an email message to with that email address. Social networking sites should explain that they're going to do this, but some do not.

Type the address of your social networking site directly into your browser or use your personal bookmarks. If you click a link to your site through email or another website, you might be entering your account name and password into a fake site where your personal information could be stolen. For more tips about how to avoid phishing scams, see Email and web scams: How to help protect yourself.

Be selective about who you accept as a friend on a social network. Identity thieves might create fake profiles in order to get information from you.

Choose your social network carefully. Evaluate the site that you plan to use and make sure you understand the privacy policy. Find out if the site monitors content that people post. You will be providing personal information to this website, so use the same criteria that you would to select a site where you enter your credit card.

Assume that everything you put on a social networking site is permanent. Even if you can delete your account, anyone on the Internet can easily print photos or text or save images and videos to a computer.

Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the web.

Think twice before you use social networking sites at work. For more information, see Be careful with social networking sites, especially at work.

Talk to your kids about social networking. If you're a parent of children who use social networking sites, see How to help your kids use social websites more safely.

What does digital citizenship mean to you?

Digital citizenship is usually defined as the "norms of behavior with regard to technology use." It encompasses digital literacy, ethics, etiquette, online safety, norms, rights, culture and more. Microsoft recognizes that good digital citizenship, when you use computers, gaming consoles, or mobile devices, promotes a safer online environment for all.

The visual whitepaper, "Fostering Digital Citizenship," discusses why digital citizenship matters and outlines the education young people need as they explore, learn, and essentially "grow-up" online. This paper also addresses the three types of risks you might encounter in online activities: Content, Contact, and Conduct.

Managing your online behavior and monitoring your reputation are important elements of good digital citizenship. Microsoft recently surveyed teen and parental attitudes, awareness of, and behaviors toward managing their online reputations.

Teens share considerably more information online than their parents and, as a result, expose themselves to more risk; they also feel more in control of their online reputations.

Teens believe the benefits of sharing information online outweigh the risks, with the exception of sharing a physical location.

Teens and parents worry about different things. Teens are most concerned about getting into college (57%), landing a job (52%) and being embarrassed (42%). Parents worry about fraud (54%), being embarrassed (51%) and career (43%).

The encouraging results suggest that American parents and teens are actively managing their online reputations—and with an eye toward good digital citizenship.

Friday, 23 September 2011

DDoS attacks

All statistical data presented in this report were obtained using Kaspersky Lab’s botnet monitoring system and Kaspersky DDoS Prevention.
The quarter in figures

The most powerful attack repelled by Kaspersky DDoS Prevention in Q2: 500 Mbps
The average power of the attacks repelled by Kaspersky DDoS Prevention: 70 Mbps
The longest DDoS attack in Q2: 60 days, 1 hour, 21 minutes and 9 seconds
The highest number of DDoS attacks against a single site in Q2: 218.

DDoS and protests

Distributed denial-of-service attacks are no longer being carried out simply to make a profit. Cybercriminals are increasingly targeting government resources or the sites of big companies to show off their skills, demonstrate their power or, in some cases, as a form of protest. These are exactly the sort of attacks that get maximum publicity in the media.

The most active hacker groups in the second quarter of 2011 were LulzSec and Anonymous. They organized DDoS attacks on government sites in the US, the UK, Spain, Turkey, Iran and several other countries. The hackers managed to temporarily bring down sites such as cia.gov (the US Central Intelligence Agency) and www.soca.gov.uk (the British Serious Organized Crime Agency (SOCA)). This shows that even government sites safeguarded by specialist agencies are not immune to DDoS attacks.

Attacking government sites is a risky business for hackers because it immediately attracts the attention of law enforcement authorities. In Q2 of 2011, for example, more than 30 members of Anonymous were arrested on suspicion of launching DDoS attacks on government sites. More arrests are likely to follow as authorities continue their investigations. However, not all those involved are likely to be convicted because participation in the organization of a DDoS attack is still not considered illegal in many countries.

One big corporation subjected to a major attack was Sony. At the end of March, Sony brought legal action against several hackers accusing them of breaching the firmware of the popular PlayStation 3 console. In protest at Sony’s pursuit of the hackers, Anonymous launched a DDoS attack that crippled the company’s PlayStationnetwork.com sites for some time. But this was just the tip of the iceberg. According to Sony, during the DDoS attack the servers of the PSN service were hacked and the data of 77 million users were stolen. Whether or not it was done intentionally, the DDoS attack by Anonymous served as a diversionary tactic for the theft of huge volumes of data and which, at the end of the day, affected Sony’s reputation.
DDoS attacks on social media

The second quarter of 2011 is likely to be remembered by Russian Internet users for the series of attacks on LiveJournal. The resource is popular with a variety of people, with housewives, photographers, pilots and even politicians posting blogs on the site. According to our botnet monitoring system, the mass attacks on LiveJournal began by targeting journals of a political nature, in particular, that of the anti-corruption and political activist Alexey Navalny.

Our botnet monitoring system has been tracking a botnet named Optima which was used in the DDoS attacks on LiveJournal. In the period between 23 March and 1 April Optima received commands to attack the anti-corruption site http://rospil.info, http://www.rutoplivo.ru and http://navalny.livejournal.com as well as the furniture factory site http://www.kredo-m.ru. On certain days only http://navalny.livejournal.com was attacked. At the beginning of April the botnet received a command to attack a long list of LiveJournal addresses mostly belonging to popular bloggers who cover a wide range of subjects.

The Optima botnet has been known on the market since late 2010. From the type of code used, it is safe to say that Optima bots are developed by Russian-speaking malware writers and they are mostly sold on Russian-language forums. It is difficult to determine the size of the botnet because it is highly segmented. However, our monitoring system has recorded instances of the Optima bots that attacked LiveJournal receiving commands to download other malicious programs. This suggests the Optima botnet includes tens of thousands of infected machines because such downloads are considered unprofitable for small botnets.

The motive for the attacks on LiveJournal remains unclear as nobody has yet claimed responsibility. Until the cybercriminals behind the attacks are identified, it will be difficult to say whether the attacks were ordered or just a show of force.

DDoS attacks on social media are becoming more frequent because these services allow the immediate exchange of information between tens of thousands of users. Blocking this process, even if it is just for a short time, can only be achieved with the help of DDoS attacks.

We expect to see a further growth in these types of attack in the future.
Commercial DDoS attacks

Ordinary criminals also continue to make active use of DDoS attacks. However, information about attacks that aim to extort or blackmail organizations is rarely made public and when it is, it is usually related to the subsequent criminal investigation.

In April, a court in Dusseldorf handed down a sentence to a cybercriminal who tried to blackmail six German bookmakers during the 2010 World Cup. The culprit used the familiar routine of intimidation, a trial attack on the victim's site, and a message containing a ransom demand. Three of the six offices agreed to pay off the attacker. According to the bookmakers, a few hours of website downtime can result in the loss of significant sums: 25,000-40,000 euros for large offices and 5,000-6,000 euros for smaller offices. Surprisingly, the scammer only demanded 2000 euros. He received the money in U-cash vouchers, a method which had already been used by the author of the well-known GpCode Trojan program. The court sentenced the defendant to nearly three years in prison, the first time in German legal history that someone has been imprisoned for organizing a DDoS attack. Such attacks are now classified by the country's courts as computer sabotage and are punishable by up to 10 years in jail.

In June, the Russian judicial system also addressed the subject of DDoS attacks. On 24 June, a Moscow court sanctioned the arrest of Pavel Vrublevsky, the owner of ChronoPay, Russia’s biggest Internet payment service provider. Vrublevsky was accused of organizing a DDoS attack against competitor firm Assist in order to undermine its chances in a tender for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Sources close to the investigation said Vrublevsky was also considered the owner of the Rx-Promotion affiliate network which specializes in spreading pharmaceutical spam.

What to do

The first thing to do is make sure that the antivirus database is up to date and scan your computer. If this does not help, antivirus solutions from other vendors may do the job. Many manufacturers of antivirus solutions offer free versions of their products for trial or one-time scanning; we recommend running one of these products on your machine. If it detects a virus or a Trojan, make sure you send a copy of the infected file to the manufacturer of the antivirus solution that failed to detect it. This will help that vendor develop protection against the threat more quickly and protect other users running the same antivirus from getting infected.

If an alternative antivirus does not detect any malware, it is recommended that you disconnect your computer from the Internet or the local network, and disable the Wi-Fi connection and the modem, if any, before you start looking for the infected file(s). Do not use the network unless it is critically needed. Do not use web payment systems or Internet banking services under any circumstances. Avoid accessing any personal or confidential data, and do not use any web-based services that require your screen name and password.
How do I find an infected file?

Detecting a virus or Trojan on your computer may in some cases be a complex problem requiring technical expertise; in other cases it may be a fairly straightforward task. It all depends on the complexity of the malware and the methods used to hide the malicious code embedded in the system. In difficult cases, where special methods (e.g. rootkit technologies) are employed to disguise and conceal the malicious code, a non-professional may be unable to track down the infected file. Such cases may require special utilities or actions, like connecting the hard disk to another computer or booting the system from a CD. However, if a regular worm or simple Trojan is involved, you may be able to track it down using fairly simple methods.

The vast majority of worms and Trojans need to take control when the system starts. There are two basic ways to do this:

A link to the infected file is written to the autorun keys of the Windows registry;
The infected file is copied to an autorun folder in Windows.

The most common autorun folders in Windows 2000 and XP are as follows:
%Documents and Settings%\%user name%\Start Menu\Programs\Startup\
%Documents and Settings%\All Users\Start Menu\Programs\Startup\

There are quite a number of autorun keys in the system registry; the most commonly used are Run, RunServices, RunOnce and RunServicesOnce, located under the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\]

Most probably, a search of the above locations will yield several values with names that don't reveal much, together with paths to executable files. Pay special attention to files located in the Windows system directory or the root directory. Make a note of these file names; you will need them later in the analysis.

Writing to the following key is also common:
[HKEY_CLASSES_ROOT\exefile\shell\open\command\]

The default value of this key is "%1" %* (the quotation marks are part of the value).

The Windows system directory (and System32) and the root directory are the most convenient places to plant worms and Trojans. This is due to two facts: the contents of these directories are not shown in Explorer by default, and they host a great number of system files whose functions are completely unknown to a lay user. Even an experienced user will probably find it difficult to tell whether a file called winkrnl386.exe is part of the operating system or foreign to it.

It is recommended to use a file manager that can sort files by creation/modification date, and to sort the files located within the above directories that way. This will display all recently created and modified files at the top of the listing; these are the files of interest to the researcher. If any of these files are the same as those referenced from the autorun keys, this is the first wake-up call.

Advanced users can also check the open network ports using the standard netstat utility. It is recommended to set up a firewall and to examine the processes engaged in network activity. It is also recommended to check the list of active processes using dedicated utilities with advanced functionality rather than the standard Windows tools, since many Trojans successfully avoid detection by the standard Windows utilities.
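The manual procedure above (autorun registry keys, Startup folders, the exefile handler, recently changed files in the system and root directories, and the netstat check) collected into one read-only PowerShell report. This is an added example, not code from the original post or from Kaspersky Lab: it assumes a current Windows with PowerShell 5.1 or later (the Startup folder paths are the modern equivalents of the Windows 2000/XP paths quoted in the text), uses an arbitrary seven-day window for "recent", silently skips registry keys that do not exist on the machine (the RunServices keys are normally absent on NT-based Windows), and changes nothing.

```powershell
# Added example (not from the original post). Enumerates the persistence
# locations the text lists and reports anything matching the "wake-up call"
# it describes. Read-only. Run from an elevated PowerShell 5.1+ prompt.

$autorunKeys = @('Run', 'RunOnce', 'RunServices', 'RunServicesOnce') | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}

# Per-user and all-users Startup folders (modern equivalents of the paths in the text)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$entries = [System.Collections.Generic.List[object]]::new()
$ignore  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }        # key absent on this Windows version
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ignore -contains $p.Name) { continue } # provider metadata, not autorun values
        $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $entries.Add([pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName })
    }
}

Write-Host "== Autorun entries =="
$entries | Format-Table -AutoSize | Out-String | Write-Host

# The exefile handler: anything other than "%1" %* means every .exe launch
# is first routed through some other program.
$exeCmd   = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
$expected = '"%1" %*'
if ($exeCmd -ne $expected) {
    Write-Host "WARNING: exefile handler is [$exeCmd], expected [$expected]"
} else {
    Write-Host "exefile handler OK"
}

# Recently created/modified files in the system and root directories, newest
# first (the sort-by-date step). Seven days is an arbitrary window.
$cutoff = (Get-Date).AddDays(-7)
$dirs   = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemDrive\")
$recent = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff }
}
$recent = $recent | Sort-Object LastWriteTime -Descending

Write-Host "== Recently changed files in system/root directories =="
$recent | Select-Object FullName, CreationTime, LastWriteTime |
    Format-Table -AutoSize | Out-String | Write-Host

# Cross-reference: a recent file whose name also occurs in an autorun entry
# is the "first wake-up call" from the text.
Write-Host "== Recent files referenced from autorun locations =="
foreach ($f in $recent) {
    $hits = $entries | Where-Object { $_.Command -match [regex]::Escape($f.Name) }
    foreach ($h in $hits) {
        Write-Host ("SUSPECT {0}  <-  {1}\{2} = {3}" -f $f.FullName, $h.Source, $h.Name, $h.Command)
    }
}

# The netstat step, with the owning process and its image path resolved.
Write-Host "== Listening/established TCP connections =="
Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
} | Sort-Object State, PID | Format-Table -AutoSize | Out-String | Write-Host
```

On systems without the NetTCPIP module, `netstat -ano` gives the same port-to-PID mapping and the path can be looked up with Get-Process. The cross-reference is deliberately a plain substring match on the file name: a value that launches a file by a different path is still worth a look, and false positives are cheap in a report that only prints.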

However, no universal advice can be given for all occasions. Advanced worms and Trojans appear every now and then that are quite difficult to track down. In such cases, it is best to consult the support service of the IT security vendor that released your antivirus client, a company offering IT assistance services, or ask for help at specialized web forums. Such web resources include www.virusinfo.info and anti-malware.ru (Russian language), and www.rootkit.com and www.gmer.net (English). Similar forums designed to assist users are also run by many antivirus companies.