Now that you're done chuckling over Green Eggs and Spam in today's Running With Scissors column (you did read it, didn't you?), you can find out more about the scurvy knaves that make our on-line lives miserable. In this article I'll take a look at what's out there and describe steps you can take to protect yourself. First let's define our terms.
Spam is the electronic equivalent of junk mail. Typically it ends up in your e-mail in-box, but the plague is spreading to instant messaging systems as well.
The terms 'virus', 'worm' and 'Trojan' are often used interchangeably. All three refer to rogue programs that get into your computer and do bad things, but there are differences among them.
A virus is a program that spreads itself by first infecting executable files or the system areas of hard and floppy disks and then making copies of itself and sending them to others. It may damage data on your computer or render the computer unusable, but it may also go about its business without your knowledge.
A worm replicates by creating copies of itself, but unlike a virus, it does not need to infect a host program in order to replicate.
A Trojan is a program that pretends to be something else. It appears to perform valid functions but contains damaging instructions hidden in its code. Unlike a virus, it doesn't make copies of itself and pass itself on.
'Spyware' and 'adware' refer to the cookies and/or programs that are loaded onto your computer when you visit certain Web sites. They are generally benign, in that they don't damage your computer or attempt to steal personal information. However, they do track your on-line behaviour, and could easily do more than that without your knowledge, so people concerned about privacy don't like them.
Anti-virus software finds the rogue programs that are either already on your computer or are trying to infect your computer. It does this by maintaining a file of identifying viral 'signatures' (i.e. 'mug shots'). Because new viruses/Trojans/worms show up every week, it's important to keep the signatures file up to date.
Similarly, anti-spam software identifies and blocks spam from entering your in-box. It looks for certain properties typical of spam; for example, the FROM address ending in numbers.
A firewall is a system designed to prevent unauthorized access to or from a computer or network. Firewalls are made up of hardware, software, or a combination of both.
A denial-of-service attack is a concerted effort to make a Web site unavailable by launching millions of attempts to connect to it, making it impossible for legitimate users to log in.
Spammers and Scammers and Porn Sites, Oh My!
Malicious code can be grouped into two categories: annoying and damaging. Most spam falls into the first category: the chain letters, the offers for dubious products that enlarge various anatomical features, the links to porn sites, and scams of various sorts. It typically has nothing much to say, and it says it repeatedly.
Spam doesn't appear to do much besides clogging your in-box and choking your Internet Service Provider's (ISP's) e-mail server. However, it's not without cost; imagine having to pay for the junk mail delivered to your home. Your ISP has to maintain sufficient resources to handle the increasing amounts of e-mail, and you, Mr and Ms Computer User, pay for this. You also waste time sorting through the rubbish and deleting it. Worse, spam can land in your child's e-mail box, which is not a good place for porn.
Dealing with spam is fairly straightforward. The first step is proactive: if you do not use a Web-based e-mail system such as Hotmail, install anti-spam software on your computer. The larger ISPs do a good job of filtering out a lot of the junk before it even gets to you. However, spammers are quite inventive about eluding the filters. They use one-time throw-away e-mail addresses to avoid becoming identified as known spammers, and they misspell words in the subject line (which is why you see things like '[email protected]' and 'pØr_n'). Anti-spam software will stop most but not all spam.
The second step is reactive: just delete it. Don't click on the links, especially if you are at work. Many times they don't work, but a seemingly innocuous link may send you to the seamier side of the Web -- and it tells the spammer that he's found a working e-mail address. Worse, your visit to the site is stored in your browser's history. If you accidentally wind up at a child porn site, your employer will no doubt want to have words with you. If the spam is advertising a legitimate-looking product, ask yourself: how good is it if the company won't even spend money to advertise it? If you're really interested in a particular product, go shopping and deal with businesses that have a track record of honest dealings.
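The two filter properties mentioned above (a FROM address ending in digits, and keywords disguised with look-alike characters such as 'pØr_n') can be turned into a small scoring filter. The following is an added example written for this article, not code from any anti-spam product; the substitution table, the keyword list, the score weights and the two sample messages are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for the demo (not real mail).
SAMPLE_SPAM = """From: "Special Offer" <deals48213@example.net>
To: you@example.org
Subject: Cheap pØr_n and V1agr@ today!!!

Click here now.
"""

SAMPLE_HAM = """From: "Alice" <alice@example.org>
To: you@example.org
Subject: Lunch on Thursday?

Are you free around noon?
"""

# Look-alike characters spammers swap in to dodge keyword filters.
# Hypothetical table for this example; a real filter would carry a larger one.
HOMOGLYPHS = str.maketrans({
    "0": "o", "ø": "o", "1": "i", "3": "e",
    "@": "a", "4": "a", "$": "s", "5": "s",
})

# Keywords this example treats as spam indicators (constructed list).
SPAM_WORDS = {"porn", "viagra", "enlarge", "casino"}


def normalize(text: str) -> str:
    """Undo common obfuscation: map look-alike characters to letters, then
    drop separators inserted inside a word, so 'pØr_n' becomes 'porn'."""
    lowered = text.lower().translate(HOMOGLYPHS)
    # Strip dots, underscores, dashes and asterisks that split a word in two.
    return re.sub(r"(?<=[a-z])[._\-*]+(?=[a-z])", "", lowered)


def obfuscated_spam_words(text: str) -> set:
    """Return the blocklisted words found after de-obfuscating the text."""
    words = re.findall(r"[a-z]+", normalize(text))
    return SPAM_WORDS.intersection(words)


def sender_ends_in_digits(msg) -> bool:
    """The column's heuristic: a FROM address whose local part ends in a
    run of digits, typical of throw-away accounts."""
    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.rsplit("@", 1)[0]
    return re.search(r"\d{3,}$", local_part) is not None


def score_message(raw: str) -> dict:
    """Score a raw RFC 822 message; weights and threshold are arbitrary."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = obfuscated_spam_words(msg.get("Subject", "") + " " + body)
    score = 0
    reasons = []
    if sender_ends_in_digits(msg):
        score += 2
        reasons.append("sender local part ends in digits")
    if hits:
        score += 3 * len(hits)
        reasons.append("obfuscated keywords: " + ", ".join(sorted(hits)))
    return {"score": score, "spam": score >= 3, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, score_message(raw))
```

The point of the normalization step is that a filter matching on the literal word 'porn' sees nothing in 'pØr_n'; mapping the look-alikes back and removing the inserted separators is what lets the keyword rule fire. Real filters combine hundreds of such signals, which is why the column can say they stop most but not all spam.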
Something Wicked This Way Comes
Now we get to the real bad guys, and they won't be nearly as amusing as Jack Sparrow.
Spam can also pack a nasty payload in the form of attached viruses, worms and Trojans. The folks who send these are out to harm you in some way, either by stealing your identity or damaging your computer. Rogue programs often arrive as alluring-sounding[1] attachments to either e-mail or instant messages. A new variation on this scheme appeared last year when e-mails purportedly from Microsoft urged recipients to run the attached file to fix a security hole in Windows. The attachment was, of course, a virus. Microsoft does not send fixes via e-mail; you must connect to their Web site to download the software.
What happens when malicious code is installed on your computer? There are three scenarios:
- The simplest viruses can do lots of damage to your computer; they delete data or make your computer unusable. In this case you know you've got a problem and you need to get it fixed. But once you do, you're back in business with no other harm done; the damage remains pretty much contained.
- Worse are the Trojans that open up your computer for others' use. Once connected, the bad guys can use your computer to send out spam, participate in a denial-of-service attack, or attempt to hack into other computers. In fact, this is becoming the common method of operation for professional spammers. First they send out spam containing the Trojan. Then they use the network of infected computers to send more spam, which is virtually untraceable to its real source. Annoying, no? And there may be legal implications if your computer is used to attack other sites. A friend of mine found out her computer was being used this way when the victim traced the source of the attacks to her computer and notified her ISP's lawyers.
- The worst-case scenario is hackers getting hold of your personal information. They may either grab data from your files, or they may use a keystroke-logging program to 'eavesdrop' when you connect to Web sites with your ID and password. Not what you want when you're paying bills on line.
Criminals have discovered that they don't need to go to this much trouble to get your personal information. They just need to ask you for it. Now that most people have figured out the Nigerian e-mail hoax, the bad guys are masquerading as legitimate businesses. They'll send you an e-mail that appears to be from someone you may already do business with, asking you to update your personal information (a practice known as 'phishing'). The better thought-out scams direct you to a Web site that looks almost identical to the purported company's site. This is really bad. Once these guys have your personal information, it's a simple matter to steal your identity. If you are a victim of identity theft, you'll spend many months and lots of money trying to clean up your credit history. The perp will probably get off scot-free and will go on to victimize others.
As with garden-variety spam, the key to avoiding trouble is not responding; never open attachments and never send personal information in response to an e-mail or instant message. Legitimate businesses don't ask you to do this, because data between your computer and its target can travel literally anywhere in the world. Unless you've encrypted it, your e-mail travels as 'clear text', which means any 'sniffers' installed by bad guys can read it as it zooms by on its way to its destination. Updating personal information on a Web site is typically safe if you're initiating the transaction. Responsible businesses use secured servers with high-powered encryption for handling personal information. Two clues can help you recognize secure Web pages. First, look for a little yellow lock icon in the status bar on the bottom right of your browser. Second, secured pages are designated by URLs beginning with 'https:' instead of the normal 'http:' of unsecured pages. If you don't see the icon and 'https:', run.
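The 'https:' check above, together with the warning about look-alike sites in the phishing paragraph, can be applied to a link before it is ever clicked. The following is an added example for this article, not code from any browser or vendor; it goes one step beyond the column by also comparing the link's host against the host you expected (the company you actually do business with), which catches the case where the scam site merely resembles the real one. The host names are constructed placeholders.

```python
from urllib.parse import urlsplit


def check_link(href: str, expected_host: str) -> dict:
    """Apply the two checks from the column to a link: is the page served
    over https, and does the host actually belong to the expected site?
    expected_host is the domain you already know for the company
    (a constructed value in the tests below)."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    # A subdomain of the expected site counts; a host that merely starts
    # with the expected name (bank.example.evil.example) does not.
    same_site = host == expected or host.endswith("." + expected)
    return {
        "host": host,
        "https": parts.scheme.lower() == "https",
        "same_site": same_site,
        "ok": parts.scheme.lower() == "https" and same_site,
    }


def verdict(href: str, expected_host: str) -> str:
    """Human-readable summary in the spirit of 'if you don't see https, run'."""
    result = check_link(href, expected_host)
    if result["ok"]:
        return "looks like the real site over https"
    problems = []
    if not result["https"]:
        problems.append("not https")
    if not result["same_site"]:
        problems.append("host %r is not %s" % (result["host"], expected_host))
    return "run: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed links: one genuine, two of the kinds a phishing mail uses.
    for link in (
        "https://www.bank.example/update",
        "http://bank.example.evil.example/update",
        "https://bank-example.example/login",
    ):
        print(link, "->", verdict(link, "bank.example"))
```

The host comparison is the part that the lock icon alone cannot give you: a scam site can be served over https too, so 'https:' plus the right domain is the check, not 'https:' by itself. The column's advice still holds: rather than trusting the link in the message, type the company's address into a fresh browser window yourself.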
Trouble in Mind
Feeling paranoid? Not to worry; protecting yourself isn't horribly difficult. Note that no solution offers 100% protection. However, the bad guys look for easy targets first. If you make life difficult for them, they're more likely to go after someone else[2].
- Be suspicious. If it sounds too good to be true, it almost certainly is.
- Patch your software, especially if you run Windows, which is still the main target for Trojans and other bad things. Go to the Windows Update site (link below) and let it guide you through the process of downloading the latest fixes. The first time you do this, it should ask you if you want to install the Windows Update Manager on your computer. This is a useful program that automatically scans for important updates, notifies you when they are available, and allows you to download and install them with a couple of clicks of the mouse. I recommend using it. I believe Apple offers similar automatic update software for its products.
- Install a suite of security products, including anti-virus software, anti-spam software and a firewall, and update the products regularly. I generally prefer the popular 'brand-name' companies, because they offer a set of products that work together and they release timely updates in response to new threats. This makes life simpler for you and reduces the risk of inadvertently leaving something unprotected[3]. The updates are critical. There are new malicious programs released every week, and they can make their way around the world quickly. If you can, set up your software to automatically check for and download updates.
- Install anti-spyware software. There are good freeware products out there, but they're often reactive rather than proactive; they don't prevent the spyware from being placed on your computer but rather remove it once it's there. This means that you'll need to run the program regularly to keep your computer clean. There are also a number of products available for purchase that do keep spyware from being loaded on your computer. Some of them also block those annoying pop-up ads. Take your pick. (Microsoft is making noise about adding anti-spyware functionality to future versions of Internet Explorer. With luck, the makers of anti-virus software will also get into the act.)
- Your Mum was right: don't talk to strangers.
- Don't send personal information in response to an e-mail or instant message. Legitimate businesses won't ask you to do this. If you have any questions, contact the company directly.
- Don't open attachments or download software updates contained in e-mail, no matter who sends it to you. Your friend's computer may be infected, and (again) legitimate businesses don't operate that way. If in doubt, open another browser window (never use the link in the e-mail message) and connect to the company's Web site to check for available updates, or check with your friend to see if he or she meant to send you something.
- Computer Virus Resources from the Computer Emergency Response Team (CERT) is a good source of information about malicious code.
- Microsoft's Windows Update page allows you to check whether your software needs to be patched and to download the software.
- The Apple Service & Support page has links to updates for all of their products.
- What, me worry? The folks at Vmyths.com tell us to take a deep breath and calm down.
- For your edification and amusement, you can take a look at the workings behind the Nigerian e-mail scam at Wired Magazine's Web site.
Second lawyer: 'What are you doing?! You can't outrun a bear!'
First lawyer: 'I don't need to outrun the bear. I just need to outrun you.'
[3] There are freeware security products out there that may be quite good, but I'm not as familiar with them. Generally they require more knowledge on your part and don't release updates as quickly. If you consider yourself a geek and you enjoy fiddling with this stuff, have at it.