Computer and Internet Security JCCAA Presentation 03142009

1
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Yu-Min (Phillip) Hsieh
• Sr. System Administrator
• Information Technology
• Rice University

2
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Malwares malicious software
• Why do people write malwares?
• Financial gains, Political reasons, Personal
  reasons
• What are the other names?
• Trojan, Virus, Worm, Spyware, Adware, Rogue AVA
  What do they do?
• Send spam mails steal identity, financial
  information and trade secrets attack other
  Internet websites

3
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Malwares other names?
• Trojan
• Virus
• Worm
• Spyware
• Adware
• Rogue Antivirus Applications

4
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• How does a machine get infected?
• Application Vulnerabilities
• When an application is listening on the network
  and it is not written securely a remote,
  unauthenticated attacker could gain elevated
  privileges and execute arbitrary code, example
  buffer-overflow
• User Activities
• Compromised administrative credentials

5
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• How to prevent malware infections?
• Windows and application update
• Windows firewall
• Antivirus application
• Ignore spam mails no curiosity, no greed
• Careful browsing on the Internet
• You can never be 100 protected
• zero-day exploit and piggy-back download

6
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• How to remove malware infection?
• Antivirus program
• removes known malwares
• inform you about specific removal steps
• Seek professional help
• Restore an earlier good system state
• system restore or ntbackup (restore)
• Windows recovery console
• Reinstall operating system

7
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Why are those special recovery procedures needed?
• Can any antivirus application automatically clean
  a system 100 of the time, if it knows what the
  malwares executables are?

8
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Is the system really compromised?
• Is the system really secure?

9
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Malware characteristics
• Installs silently / deceptively
• Break the system when removed
• Starts automatically on reboot
• windows registry
• Running in the background
• Obscurely named / pathed
• Cannot be removed easily
• Hidden
• Permission, alternate data stream, rootkit

10
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Is the system really compromised?
• Not when there is a malicious registry entry
• Not when there is a malicious executable
• Only when a malicious code is running ...
• Is the system really secure?
• Not unless you know what are running in the
  system and are able to verify them

11
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus
• A Host Intrusion Prevention Application
• Why develop Orthrus?
• Bad security incident w/o vendor support
• How is it developed?
• What would an administrator do
• What are the goals?
• Monitoring host security and user recovery

12
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus Download
• http//www.wnsc1.com
• Click Free Orthrus Download link
• Orthrus Main Components
• Orthrus.exe
• Orthnote.exe
• Custom Event Log

13
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus
• Knowing what are running
• auto-start executables
• operating system modules and sub modules
• no user applications
• What are automatically removed
• registry entries without an executable
• windows exploits
• rootkit malwares

14
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus - Verifying an executable
• Trusted by Windows File Protection
• Trusted by Trusted Installer ownership
• Digitally signed and verified
• Obscurely named / pathed
• Falsified extended file information
• Internet lookup
• Exploits

15
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus Information collected extended file
  information
• process history (exceptions, and warnings)
• Orthrus Information transmitted
• secure http protocol (https//)
• Orthrus Information not touched
• identity of the user and the computer

16
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus System Recovery
• last-known-clean restore point
• ntbackup restore
• windows recovery console

17
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus Weakness
• Speed
• Support
• Verifying and permit executables manually

18
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• What if I dont want to known and dont want any
  one else to know what are running in my system
• Use a more secure operating system
• Windows VISTA, Windows 7
• Windows and application security updates
• Windows firewall
• Antivirus application
• Ignore spam mails no curiosity, no greed
• Careful browsing on the Internet

19
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Orthrus
• Send questions on how to use Orthrus application
  to phsieh_at_rice.edu
• with the exact subject line
• Orthrus Questions
• All other inquires may be ignored

20
Computer and Internet SecurityJCCAA Presentation
03/14/2009

• Questions ?