Presentation on the topic "Internet safety." Computer security threats and antivirus protection basics

Your home network is vulnerable to hacker attacks

The Internet is like a planetary minefield where you can easily encounter dangers.

1. Malicious programs and, first of all, Trojans that live on fraudulent sites. They are usually disguised as useful software, and these “attractive” programs are downloaded and installed on their PC by the Internet visitor himself.
2. Websites that exploit browser vulnerabilities to download malware. Moreover, pages with dangerous code can also be placed on completely decent sites that have been attacked by attackers.
3. Phishing sites that imitate the interface of popular sites (from email services and social networks to payment systems) in order to obtain visitor credentials.
4. Spam mailings received by users of almost all existing means of communication: electronic
mail, instant messaging, social networks, etc. Such messages may contain purely advertising information and links to phishing sites or sites that distribute malicious software.
5. Interception of data transmitted in unencrypted form. At the same time, confidential information may fall into the hands of criminals

In fact, all the troubles associated with accessing the Internet can be avoided by following basic safety rules.

Protect physical access to computers

Your system may be protected and locked with the latest tools, but if an attacker gains physical access to it, all your efforts will be nullified. Make sure computers are never left unattended.

Don't use administrative accounts for daily work

In the Windows NT era, before the Remote Desktop Connection client and the runas command, administrators often placed their own personal accounts in the Domain Admins group. This is not recommended at this time; It's better to create additional Active Directory administrative accounts (for example, for myself, I could create a personal rallen account and an administrative rallen.adm account). To run programs that require administrative privileges, use the Remote Desktop Connection service or the runas command. This will reduce the chance (although not much) of accidental damage to the system.

Using a regular user account also reduces the potential damage that a virus or worm can cause to your system.

Update virus definitions and anti-spyware applications regularly

One of the reasons that viruses spread so quickly is that virus definitions are updated too infrequently. These days, new viruses and worms are appearing with alarming frequency, and to be able to combat the virus threat, it is necessary to use the latest definitions. The same applies to spyware, which today has become almost a bigger problem than viruses.

Make sure all critical patches are installed on your computer

Even if virus definitions are not updated as frequently as they should be, most viruses and worms can be stopped at logon if you install critical security updates as soon as they become available. Of course, when Windows NT was widely used and Windows 2000 had just come out, this was not strictly necessary, but today a system in which new security updates are not installed for several days (and sometimes minutes) after release is completely open to new viruses and worms We recommend that you add the following website to your favorites list and visit it periodically to stay up to date with the latest Microsoft security technologies:
http://windowsupdate.microsoft.com.

Enable auditing of important activities
Windows provides the ability to log certain system actions and activities; Thanks to this, you can trace through the event log the necessary actions, such as modification of certain files, if a security threat arises.

Check event logs regularly

Event logs contain a lot of important information regarding system security, but they are often forgotten. Among other things, the reason for this is a large amount of “garbage” in the logs, that is, messages about insignificant events. Develop a process for centralizing and regularly reviewing event logs. Having a mechanism to regularly scan your logs will especially help you when auditing the important activities discussed in the previous section.

Develop an action plan in case of attack

Most people think that nothing like this will ever happen to them, but life shows that this is far from the case. In reality, most users do not have even a fraction of the security knowledge that “professional” attackers can boast of. If a specific attacker (or worse, a group of attackers) has their eye on your organization, you will need to use all your dexterity, intelligence and knowledge to prevent infiltration of the system. Even the largest companies in the world have been attacked. The moral is this: everyone should be prepared for the fact that the target of the next attack may be their system. What to do?
Here are some helpful links to help you develop a response plan.

The Internet is a boundless world of information that provides ample opportunities for communication, learning, organizing work and leisure, and at the same time it is a huge, daily updated database that contains information about users that is interesting to attackers. There are two main types of threats that users can be exposed to: technical and social engineering.

Related materials

The main technical threats to users are malware, botnets, and DoS and DDoS attacks.

Threat- this is a potentially possible event, an action that, through its impact on the object of protection, can lead to damage.

Malware

The purpose of malware is to cause damage to a computer, server, or computer network. They can, for example, corrupt, steal or erase data stored on the computer, slow down or completely stop the operation of the device. Malicious programs are often “hidden” in letters and messages with tempting offers from unknown individuals and companies, in the pages of news sites or other popular resources that contain vulnerabilities. Users visit these sites, and malware enters the computer undetected.

Malicious programs are also distributed through email, removable storage media, or files downloaded from the Internet. Files or links sent by email may expose your device to infection.

Malicious programs include viruses, worms, and Trojan horses.

Virus– a type of computer program, the distinctive feature of which is the ability to reproduce (self-replicate) and be introduced into files, boot sectors of disks and documents unnoticed by the user. The name “virus” in relation to computer programs comes from biology precisely on the basis of its ability to self-reproduce. A virus lying as an infected file on a disk is not dangerous until it is opened or launched. It only takes effect when the user activates it. Viruses are designed to replicate themselves to infect computers, usually destroying files in the process.

Worms- This is a type of virus. They fully live up to their name, since they spread by “crawling” from device to device. Just like viruses, they are self-replicating programs, but unlike viruses, a worm does not need the user's help to spread. He finds the loophole himself.

Trojans– malicious programs that are purposefully introduced by attackers to collect information, destroy or modify it, disrupt the operation of a computer, or use its resources for nefarious purposes. Externally, Trojan programs look like legal software products and do not arouse suspicion. Unlike viruses, they are completely ready to perform their functions. This is what attackers are counting on: their task is to create a program that users will not be afraid to launch and use.

Attackers can infect a computer to make it part of botnet– networks of infected devices located around the world. Large botnets can include tens or hundreds of thousands of computers. Users often do not even realize that their computers are infected with malware and are being used by criminals. Botnets are created by distributing malware in various ways, and infected machines subsequently regularly receive commands from the botnet administrator, so that it becomes possible to organize coordinated actions of bot computers to attack other devices and resources.

DoS and DDoS attacks

A DoS attack (denial of service) is an attack that paralyzes the operation of a server or personal computer due to a huge number of requests arriving at the attacked resource at high speed.

The essence of a DoS attack is that an attacker tries to make a specific server temporarily unavailable, overload the network, processor, or fill the disk. The goal of the attack is simply to disable the computer, and not to obtain information, to seize all the resources of the victim computer so that other users do not have access to them. Resources include: memory, CPU time, disk space, network resources, etc.

There are two ways to carry out a DoS attack.

With the first method A DoS attack uses a vulnerability in the software installed on the attacked computer. The vulnerability allows you to cause a certain critical error that will lead to disruption of the system.

With the second method the attack is carried out by simultaneously sending a large number of information packets to the attacked computer, which causes network overload.

If such an attack is carried out simultaneously from a large number of computers, then in this case they talk about a DDoS attack.

DDoS attack (distributed denial of service) is a type of DoS attack that is organized using a very large number of computers, due to which servers even with very high Internet bandwidth can be subject to attack.

To organize DDoS attacks, attackers use a botnet – a special network of computers infected with a special type of virus. An attacker can control each such computer remotely, without the knowledge of the owner. Using a virus or a program skillfully masquerading as a legitimate one, malicious software code is installed on the victim computer, which is not recognized by the antivirus and runs in the background. At the right moment, at the command of the botnet owner, such a program is activated and begins to send requests to the attacked server, as a result of which the communication channel between the service being attacked and the Internet provider is filled and the server stops working.

Social engineering

Most attackers rely not only on technology, but also on human weaknesses, using social engineering. This complex term denotes a way to obtain the necessary information not with the help of technical capabilities, but through ordinary deception and cunning. Social engineers use psychological techniques to influence people through email, social networks and instant messaging services. As a result of their skillful work, users voluntarily give up their data, not always realizing that they have been deceived.

Fraudulent messages most often contain threats, for example, closing user bank accounts, promises of huge winnings with little or no effort, or requests for voluntary donations on behalf of charitable organizations. For example, a message from an attacker may look like this: “Your account is blocked. To restore access to it, you need to confirm the following data: phone number, email and password. Send them to such and such an email address.” Most often, attackers do not leave the user time to think, for example, they ask to pay on the day the letter is received.

Phishing

Phishing is the most popular method of attacking users and one of the methods of social engineering. It is a special type of Internet fraud. The goal of phishing is to gain access to sensitive data, such as address, phone number, credit card numbers, usernames and passwords, through the use of fake web pages. Often a phishing attack occurs as follows: an email is sent to you asking you to log into the Internet banking system on behalf of an alleged bank employee. The letter contains a link to a fake website that is difficult to distinguish from the real one. The user enters personal information on a fake site, and the attacker intercepts it. Having taken possession of personal data, he can, for example, get a loan in the user’s name, withdraw money from his account and pay with his credit cards, withdraw money from his accounts, or create a copy of a plastic card and use it to withdraw money anywhere in the world.

False antivirus and security programs.

Attackers often distribute malware under the guise of antivirus software. These programs generate notifications, which, as a rule, contain a warning that the computer is allegedly infected and a recommendation to follow the specified link for successful treatment, download the update file from it and run it. Often, notifications are disguised as messages from legitimate sources, such as antivirus software companies. Sources for the spread of false antiviruses include email, online advertisements, social networks, and even pop-ups on the computer that imitate system messages.

Replacing the return address

It is well known that users trust messages received from people they know much more and are more likely to open them without expecting a catch. Attackers take advantage of this and fake a return address to one familiar to the user in order to trick him into visiting a site containing malware or to find out personal information. For example, clients of Internet banks often become victims of their own gullibility.

Ways to protect yourself from online threats

There are many types and methods of attacks, but there are also a sufficient number of ways to defend against them. When browsing the Internet, we recommend that you meet the following requirements:

Use passwords

To create a complex password, you must use a combination of at least eight characters. It is advisable that the password include upper and lower case characters, numbers and special characters. The password should not repeat previous passwords, nor should it contain dates, names, phone numbers, or similar information that could be easily guessed.

Use your computer under an account with limited rights

Before you start using the operating system, it is recommended that you create a user account for everyday use of the computer and use it instead of the administrator account. The user account allows you to perform the same actions as the administrator account, but you will be prompted for an administrator password when you try to make changes to operating system settings or install new software. This reduces the risk of accidentally deleting or changing important system settings, as well as infecting your computer with malware.

Use data encryption

Data encryption is an additional way to protect important information from unauthorized users. Special cryptographic programs encode data so that only the user who has the decryption key can read it. Many operating systems have built-in encryption. For example, Windows 7 uses BitLocker drive encryption to protect all files stored on the operating system disk and internal hard drives, and BitLocker To Go is used to protect files stored on external hard drives and USB devices.

Update your software regularly

Keep your software up to date and regularly, including your operating system and all applications you use. It is most convenient to set the automatic update mode, which will allow all work to be carried out in the background. It is strongly recommended to download updates only from the websites of software manufacturers.

Use and regularly update antivirus programs

To protect your system from possible online threats. Antivirus is a key component of anti-malware protection. It must be installed and updated regularly to help it fight new malware, the number of which is increasing every day. Modern anti-virus programs, as a rule, update anti-virus databases automatically. They scan critical system areas and monitor all possible virus entry paths, such as email attachments and potentially dangerous websites, in the background without interfering with the user's experience. The antivirus should always be turned on: disabling it is strongly recommended. Also try to check all removable media for viruses.

Use a firewall

A firewall, or firewall, is a special filter whose task is to control network packets passing through it in accordance with specified rules. A firewall works as follows: it monitors communications between a device and the Internet and examines all data received from or sent to the network. If necessary, it blocks network attacks and prevents personal data from being secretly sent to the Internet. The firewall does not allow suspicious information to enter and does not allow important information to leave the system.

Avast always tries to stay ahead when it comes to protecting users from new threats. More and more people are watching movies, sports and TV shows on smart TVs. They control the temperature in their homes using digital thermostats. They wear smart watches and fitness bracelets. As a result, security needs are expanding beyond the personal computer to include all devices on a home network.

However, home routers, which are key devices in the home network infrastructure, often have security problems and provide easy access to hackers. A recent study by Tripwire found that 80 percent of top-selling routers have vulnerabilities. Moreover, the most common combinations for accessing the administrative interface, in particular admin/admin or admin/no password, are used in 50 percent of routers worldwide. Another 25 percent of users use their address, date of birth, first or last name as router passwords. As a result, more than 75 percent of routers worldwide are vulnerable to simple password attacks, opening the door for threats to be deployed on the home network. The router security landscape today is reminiscent of the 1990s, when new vulnerabilities were discovered every day.

Home Network Security feature

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier Antivirus allows you to solve these problems by scanning your router and home network settings for potential problems. With the Avast Nitro Update, the Home Network Security tool's detection engine has been completely redesigned, adding support for multi-threaded scanning and an improved DNS hijack detector. The engine now supports ARP scans and port scans performed at the kernel driver level, which allows for several times faster scanning compared to the previous version.

Home Network Security can automatically block cross-site request forgery (CSRF) attacks on your router. CSRF exploits exploit website vulnerabilities and allow cybercriminals to send unauthorized commands to a website. The command simulates instructions from a user who is known to the site. Thus, cybercriminals can impersonate a user, for example, transfer money to the victim without his knowledge. Thanks to CSRF requests, criminals can remotely make changes to router settings in order to overwrite DNS settings and redirect traffic to fraudulent sites

The Home Network Security component allows you to scan your home network and router settings for potential security issues. The tool detects weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and IPv6 enabled but not secured. Avast lists all devices on your home network so users can check that only known devices are connected. The component provides simple recommendations for eliminating detected vulnerabilities.

The tool also notifies the user when new devices join the network, network-connected TVs and other devices. Now the user can immediately detect an unknown device.

The new proactive approach underlines the overall concept of providing maximum comprehensive user protection.

Router manufacturers often don't care too much about the quality of their code, which is why vulnerabilities are common. Today, routers are a priority target for network attacks, allowing people to steal money and data bypassing local security systems. How can I check the quality of the firmware and the adequacy of the settings myself? Free utilities, online checking services, and this article will help with this.

Consumer-grade routers have always been criticized for their unreliability, but a high price does not guarantee high security. Last December, Check Point specialists discovered over 12 million routers (including top models) and DSL modems that could be hacked due to a vulnerability in the mechanism for obtaining automatic settings. It is widely used for quickly setting up network equipment on the client side (CPE - customer premises equipment). For the last ten years, providers have been using the CWMP (CPE WAN Management Protocol) subscriber equipment management protocol for this purpose. The TR-069 specification provides the ability to send settings using it and connect services through the Auto Configuration Server (ACS - Auto Configuration Server). Check Point employees have found that many routers have an error in processing CWMP requests, and providers complicate the situation further: most of them do not encrypt the connection between ACS and client equipment and do not restrict access by IP or MAC addresses. Together, this creates the conditions for an easy man-in-the-middle attack.

Through a vulnerable implementation of CWMP, an attacker can do almost anything: set and read configuration parameters, reset settings to default values, and remotely reboot the device. The most common type of attack involves replacing DNS addresses in the router settings with servers controlled by the attacker. They filter web requests and redirect those containing calls to banking services to fake pages. Fake pages were created for all popular payment systems: PayPal, Visa, MasterCard, QIWI and others.

The peculiarity of this attack is that the browser runs on a clean OS and sends a request to the correctly entered address of a real payment system. Checking your computer's network settings and searching for viruses on it does not reveal any problems. Moreover, the effect persists if you connect to the payment system through a hacked router from another browser and even from another device on the home network.

Since most people rarely check their router settings (or even entrust this process to the ISP’s technicians), the problem goes undetected for a long time. They usually find out about it by exclusion - after the money has been stolen from accounts and a computer check has yielded nothing.

To connect to a router via CWMP, an attacker uses one of the common vulnerabilities typical of entry-level network devices. For example, they contain a third-party web server, RomPager, written by Allegro Software. Many years ago, a bug was discovered in it in processing cookies, which was promptly corrected, but the problem still remains. Since this web server is part of the firmware, it is not possible to update it in one fell swoop on all devices. Each manufacturer had to release a new release for hundreds of models already on sale and convince their owners to download the update as soon as possible. As practice has shown, none of the home users did this. Therefore, the number of vulnerable devices goes into the millions even ten years after the release of fixes. Moreover, the manufacturers themselves continue to use the old vulnerable version of RomPager in their firmware to this day.

In addition to routers, the vulnerability affects VoIP phones, network cameras and other equipment that can be remotely configured via CWMP. Typically, port 7547 is used for this. You can check its status on the router using Steve Gibson's free Shields Up service. To do this, type its URL (grc.com), and then add /x/portprobe=7547.

The screenshot shows only a positive result. Negative does not guarantee that there is no vulnerability. To exclude it, you will need to conduct a full penetration test - for example, using the Nexpose scanner or the Metasploit framework. Developers themselves are often not ready to say which version of RomPager is used in a particular release of their firmware and whether it is there at all. This component is definitely not present only in alternative open source firmware (we will talk about them later).

Registering a secure DNS

It’s a good idea to check your router settings more often and immediately manually register alternative DNS server addresses. Here are some of them available for free.

• Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
• Norton ConnectSafe: 199.85.126.10, 199.85.127.10
• Google Public DNS: 8.8.8.8, 2001:4860:4860:8888 - for IPv6
• OpenDNS: 208.67.222.222, 208.67.220.220

All of them block only infected and phishing sites, without restricting access to adult resources.

Unplug and pray

There are other long-known problems that owners of network devices or (less often) their manufacturers are unwilling to fix. Two years ago, DefenseCode experts discovered a whole set of vulnerabilities in routers and other active network equipment from nine major companies. All of them are associated with incorrect software implementation of key components. In particular, the UPnP stack in firmware for Broadcom chips or using older versions of the open libupnp library. Together with Rapid7 and CERT specialists, DefenseCode employees found about seven thousand vulnerable device models. Over six months of active scanning of a random range of IPv4 addresses, over 80 million hosts were identified that responded to a standard UPnP request to a WAN port. Every fifth of them supported the SOAP (Simple Object Access Protocol) service, and 23 million allowed arbitrary code to be executed without authorization. In most cases, an attack on routers with such a hole in UPnP is carried out through a modified SOAP request, which leads to a data processing error and the rest of the code ending up in an arbitrary area of ​​the router’s RAM, where it is executed with superuser rights. On home routers, it is better to disable UPnP completely and make sure that requests to port 1900 are blocked. The same service of Steve Gibson will help with this. The UPnP (Universal Plug and Play) protocol is enabled by default on most routers, network printers, IP cameras, NAS and smart home appliances. It is enabled by default on Windows, OS X and many versions of Linux. If it is possible to fine-tune its use, that’s not so bad. If the only options available are "enable" and "disable", then it is better to choose the latter. Sometimes manufacturers deliberately introduce software into network equipment. Most likely, this happens at the behest of the intelligence services, but in the event of a scandal, official responses always mention “technical necessity” or “a proprietary service to improve the quality of communication.” Built-in backdoors have been found in some Linksys and Netgear routers. They opened port 32764 to receive remote commands. Since this number does not correspond to any well-known service, this problem is easy to detect - for example, using an external port scanner.

INFO

Another way to perform a free home network audit is to download and run Avast antivirus. Its new versions contain the Network check wizard, which identifies known vulnerabilities and dangerous network settings.

Defaults are for the lambs

The most common problem with router security remains the factory settings. These are not only common internal IP addresses, passwords and admin login for the entire series of devices, but also included services that increase convenience at the cost of security. In addition to UPnP, the Telnet remote control protocol and the WPS (Wi-Fi Protected Setup) service are often enabled by default. Critical errors are often found in the processing of Telnet requests. For example, D-Link routers of the DIR-300 and DIR-600 series made it possible to remotely receive a shell and execute any command through the telnetd daemon without any authorization. On Linksys E1500 and E2500 routers, code injection was possible through regular ping. The ping_size parameter was not checked, as a result of which the backdoor was uploaded to the router using the GET method in one line. In the case of the E1500, no additional tricks were required during authorization. A new password could simply be set without entering the current one. A similar problem was identified with the Netgear SPH200D VoIP phone. Additionally, when analyzing the firmware, it turned out that a hidden service account with the same password was active. Using Shodan, you can find a vulnerable router in a couple of minutes. They still allow you to change any settings remotely and without authorization. You can take advantage of this immediately, or you can do a good deed: find this unfortunate user on Skype (by IP or name) and send him a couple of recommendations - for example, change the firmware and read this article.

Supercluster of massive holes

Trouble rarely comes alone: ​​activating WPS automatically leads to enabling UPnP. In addition, the standard PIN or pre-authentication key used in WPS nullifies all WPA2-PSK level cryptographic protection. Due to firmware bugs, WPS often remains enabled even after it is disabled via the web interface. You can find out about this using a Wi-Fi scanner - for example, the free Wifi Analyzer application for smartphones running Android OS. If vulnerable services are used by the administrator himself, then it will not be possible to refuse them. It’s good if the router allows you to somehow secure them. For example, do not accept commands on the WAN port or set a specific IP address for Telnet use. Sometimes there is simply no way to configure or simply disable a dangerous service in the web interface and it is impossible to close the hole using standard means. The only way out in this case is to look for a new or alternative firmware with an expanded set of functions.

Alternative services

The most popular open firmwares are DD-WRT, OpenWRT and its fork Gargoyle. They can only be installed on routers from the list of supported ones - that is, those for which the chipset manufacturer has disclosed full specifications. For example, Asus has a separate series of routers that were originally designed with an eye toward using DD-WRT (bit.ly/1xfIUSf). It already has twelve models from entry-level to corporate level. MikroTik routers run RouterOS, which is not inferior in flexibility to the *WRT family. This is also a full-fledged network OS based on the Linux kernel, which supports absolutely all services and any imaginable configuration. Alternative firmware can be installed on many routers today, but be careful and check the full name of the device. With the same model number and appearance, routers may have different revisions, which may hide completely different hardware platforms.

Security check

You can check for OpenSSL vulnerability using the free ScanNow utility from Rapid7 (bit.ly/18g9TSf) or its simplified online version (bit.ly/1xhVhrM). Online verification takes place in a few seconds. In a separate program, you can set a range of IP addresses, so the test takes longer. By the way, the registration fields of the ScanNow utility are not checked in any way.

After the scan, a report will be displayed and an offer to try the more advanced Nexpose vulnerability scanner, aimed at company networks. It is available for Windows, Linux and VMware. Depending on the version, the free trial period is limited to 7 to 14 days. Limitations relate to the number of IP addresses and scan areas.

Unfortunately, installing alternative open source firmware is only a way to increase security, and it will not provide complete security. All firmware is built on a modular principle and combines a number of key components. When a problem is detected in them, it affects millions of devices. For example, a vulnerability in the OpenSSL open source library also affected routers with *WRT. Its cryptographic functions have been used to encrypt remote access sessions via SSH, organize VPNs, manage a local web server, and other popular tasks. Manufacturers began releasing updates quite quickly, but the problem has still not been completely eliminated.

New vulnerabilities are constantly found in routers, and some of them are exploited even before a fix is ​​released. All the router owner can do is disable unnecessary services, change default settings, limit remote control, check settings more often and update the firmware.