About CERT-MU

01. What is CERT-MU?
CERT-MU is the Mauritian National Computer Security Incident Response Centre,
which handles major computer security incidents in its constituency, i.e. the
Mauritian cyber community.

02. What are the services provided by CERT-MU?
CERT-MU provides information and assistance to its constituents in implementing
proactive measures to reduce the risks of information security incidents, as
well as responding to such incidents as and when they occur.
CERT-MU provides three types of services to its constituency: responsive
services, awareness services and consultancy services. The responsive services
include incident handling and vulnerability analysis, while awareness services
include the issuance of information security news, providing virus alerts,
conducting seminars & workshops and providing a knowledgebase on our website.
Services such as technical audits, penetration testing, disaster recovery and
business continuity planning, and advisory for national security policy
development are covered in our consultancy services.

03. What are the main goals of CERT-MU?
· handle security incidents and monitor security problems occurring within
  public and private sectors;
· provide guidance to providers of critical information infrastructure to adopt
  best practices in information security;
· warn and educate systems administrators and users by means of information
  distribution.

04. Who can report computer security incidents to CERT-MU?
All users, system administrators from public and private institutions, parents
and members of the public of the Mauritian cyber community.

05. What can be reported to CERT-MU?
Users and System Administrators can report computer security incidents and
vulnerabilities to CERT-MU.
1. If you encounter any of the violations given below, you
may contact CERT-MU for technical assistance
(i) Attempts (either failed or successful) to gain
unauthorised access to a system or data therein
(ii) Disruption or denial of service
(iii) Unauthorised use of a system for the processing or storage
of data
(iv) Changes to system hardware, firmware, or software
characteristics without owner's knowledge, instruction, or consent
(v) Email-related security issues, spamming, mail bombing etc.
2. Users of different systems working on various platforms
and using different applications may report any vulnerability found in these
systems, platforms, applications, services and devices to CERT-MU.
06. How to report incidents to CERT-MU?
CERT-MU provides several channels to report an incident. You may fill in the
incident reporting form on our website, contact us through telephone, send us a
fax or email us with the details of your incident.

Website
The incident can be reported by filling in the incident reporting form on our
website. Fill in as many of the fields as possible to enable us to assess the
severity and nature of the incident and assist in recovery, as needed.

Electronic Mail
The CERT-MU email address for reporting incidents is:

Telephone Hotline
You can contact CERT-MU on + (230) 800 2378

Fax
Incident reports can be faxed to CERT-MU at +(230) 208 0119

07. How to report a vulnerability to CERT-MU?
A vulnerability can be reported to CERT-MU by filling in the Vulnerability
Reporting Form provided on our website. The information about a particular
vulnerability can also be sent to CERT-MU by Fax or by e-mail:

About Important Terms on CERT-MU Website

01. What is a computer security incident?
A computer security incident is any real or suspected adverse event in relation
to the security of computer systems or networks. It is an act of violating an
explicit or implied security policy resulting in unauthorised access, denial of
service/disruption, unauthorised use of a system for processing or storage of
data, or changes to system software, hardware or firmware characteristics
without the owner's knowledge.

02. What is a vulnerability?
A vulnerability is the existence of a flaw or weakness in hardware or software
that can be exploited, resulting in a violation of an implicit or explicit
security policy.

03. What is vulnerability scanning?
Vulnerability scanning looks for known vulnerabilities in your systems and
reports potential exposures. It is a necessary part of maintaining your
information security and should be performed regularly.

04. What are security guidelines?
CERT-MU has prepared best practices & system specific security guidelines to
help the Mauritian cyber community enhance the security of their systems and
networks.

05. What is an incident note?
An incident note is the information provided to its constituents by CERT-MU in
response to widespread exploitation of a specific vulnerability, based on
statistical analysis of incidents reported to CERT-MU and our observations
thereof.
06. What is an advisory?
An advisory is the information provided by CERT-MU in response to a critical
vulnerability affecting, or with the potential to affect, a large number of
systems or networks in its constituency.

07. What is a vulnerability note?
A vulnerability note is the information provided by CERT-MU to its constituents
in response to a new vulnerability discovered in a system, platform, service or
device.

08. What is incident handling & response?
CERT-MU will provide assistance to System Administrators in handling computer
security incidents by providing advice and support in recovering from an
incident, containing the damage and restoring the system to operation. Refer to
the Incident Reporting page.

09. What are FIRST and IMPACT?
FIRST is the international Forum of Incident Response and Security Teams.
Established in 1990, FIRST is a coalition that brings together a variety of
security teams and computer security incident response teams from government,
commercial, and academic organizations. Attending the yearly FIRST conferences
can be a way for a new team to learn more about techniques and strategies for
providing a response capability as well as to get in contact with established
teams.
IMPACT – As the world's first not-for-profit comprehensive global public-private
partnership against cyber threats, the International Multilateral Partnership
Against Cyber Threats (IMPACT) is the cybersecurity executing arm of the United
Nations' specialised agency, the International Telecommunication Union (ITU).
As the world's first comprehensive alliance against cyber threats, IMPACT brings
together governments, academia and industry experts to enhance the global
community's capabilities in dealing with cyber threats.
Disposal of Computer Equipment with Sensitive Information

01. Is it possible to retrieve data deleted with the "delete" command?
A typical "delete" command merely deletes the pointer to a file. The data will
not be overwritten until the storage area is reallocated and re-used. By using
commonly available utilities, it is possible to retrieve the deleted data on a
computer.

02. How about the "format" command?
The "format" command in many cases merely creates an empty root directory and a
new blank indexing scheme for all allocation units on the storage media, making
it available for the storage of new files. There are commercially available
utilities to recover data lost from storage media through accidental execution
of the "format" command.

03. Are there tools or software available for the complete data deletion purpose and are they reliable?
Commercial software and services are available in the market to perform secure
data deletion by writing over the storage media a number of times and with
different patterns. Those software packages which overwrite the data space with
a character, the complement of that character, then a random character can be
considered reliable and follow current industry best practice for secure data
deletion. However, you may need to evaluate the capability and features of such
products and consult their respective product vendors for details to see if
they fulfil your specific requirements. Also, besides the technical solution,
necessary checks and balances should be in place to ensure that the secure
deletion process is performed and is successful. Some of the possible measures
which you may consider include proper approval/logging of the whole process,
sample checks/verification of erased hard disks, etc.

04. Is it possible to recover data from a computer after being overwritten by those secure deletion tools?
To recover or reconstruct data that has been deliberately overwritten usually
requires specialised devices and/or environments. Data recovery and/or guessing
would likely be uneconomical and hence impractical once secure deletion
procedures that follow industry best practices are adopted.
In fact, secure data deletion is one form of security risk management, similar
to other information security topics. The security risk level associated with
data deletion and recovery is related to the value of the data being protected,
the resources required to delete/undelete the data, and the cost of the
equipment to be reused.

05. How do I dispose of confidential data on my hard drive?
Disk wiping, degaussing, and physical destruction are all methods to remove
confidential information from a hard drive.
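As an added illustration of the three-pass scheme described in Q03 (a character, its complement, then random data) and of why plain deletion in Q01 is not enough, here is a Python routine that is not a tool from CERT-MU's page: it overwrites a file in place, syncs each pass to disk, reports the passes for logging, and checks that the original content is no longer readable before unlinking. The sample file and its "secret" are constructed here.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB blocks so large files do not sit in memory


def _overwrite_pass(fd: int, size: int, fill) -> None:
    """Write one full pass over the open file.

    fill is a single byte value (0-255), or None for fresh random bytes on
    every chunk so no two random passes are alike.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if fill is None else bytes([fill]) * n
        written = 0
        while written < n:
            written += os.write(fd, block[written:])
        remaining -= n
    os.fsync(fd)  # push this pass out of the page cache before the next one


def overwrite_file(path: str, pattern: int = 0x55) -> list:
    """Character, complement of the character, then random: the three-pass
    scheme the FAQ describes as current industry practice.  Returns the labels
    of the passes performed so the caller can log them (the FAQ recommends
    logging the whole process)."""
    size = os.path.getsize(path)
    passes = [pattern, (~pattern) & 0xFF, None]
    labels = []
    fd = os.open(path, os.O_RDWR)
    try:
        for fill in passes:
            _overwrite_pass(fd, size, fill)
            labels.append("random" if fill is None else f"0x{fill:02x}")
    finally:
        os.close(fd)
    return labels


def secure_delete(path: str, pattern: int = 0x55) -> list:
    """Overwrite, then unlink.  A plain unlink only drops the directory entry
    (Q01); overwriting first is what defeats the usual undelete utilities.
    Caveat: on SSDs and on journaling or copy-on-write filesystems the new
    writes may land on different physical blocks than the original, so for
    such media the FAQ's degaussing/physical destruction advice still applies."""
    labels = overwrite_file(path, pattern)
    os.unlink(path)
    return labels


def demo() -> dict:
    """Constructed sample: a temp file holding a fake 'secret', wiped in place.
    Reports whether the secret is still visible after the three passes."""
    secret = b"CONSTRUCTED SAMPLE - account 1234-5678 pin 4321\n" * 2000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    labels = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "passes": labels,
        "size_kept": len(after) == len(secret),
        "secret_visible": secret[:32] in after,
    }
    os.unlink(path)
    result["file_exists"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```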
Email Security

01. What is spam email?
According to the Coalition Against Unsolicited Commercial Email (CAUCE), the
most commonly seen unsolicited commercial emails (UCEs) are:
· Chain letters
· Pyramid schemes (including Multilevel Marketing, or MLM)
· Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
· Offers of phone sex lines and ads for pornographic web sites
· Offers of software for collecting email addresses and sending UCE
· Offers of bulk emailing services for sending UCE
· Stock offerings for unknown start-up corporations
· Quack health products and remedies
· Illegally pirated software

02. What are the negative impacts of spam email on the Internet Community?
Every time a spammer sends out spam email, the entire Internet community has to
bear the cost, in particular the recipients and the ISPs at the receiving end.
Some Internet users are paying for their Internet access time by the minute, so
they are forced to spend extra online time and, therefore, money in downloading
unwanted spam email.
Spam is also disruptive to email users, wasting their time, and ultimately
making email less useful as a convenient tool if the amount of spam continues
to grow. Spam email also ties up bandwidth and resources on computers and
routers all over the Internet. Every unwanted email message adds to the total
cost of operating the networks of computers that form the path of delivery to
recipients. Spam email can disrupt a network by crashing mail servers and
filling up hard drives. It also constitutes an invasion of Internet users'
online privacy.

03. How does spam work?
Most spam is commercial advertising. Companies and advertisers rarely send spam
directly; they hire spammers to do the work. Spammers obtain mailing lists from
email address harvesters. The harvesters collect email addresses by scanning
web sites, newsgroups and email lists. In addition, harvesters can also develop
programs to generate lists of random email addresses.
With these lists, harvesters can bombard a domain with messages, and the
harvesters obtain validated email addresses if the recipients respond to the
messages.
With the mailing lists, spammers can start their work using spamming tools
available on the Internet. When spammers first started, they used to send bulk
mail from their own IP addresses. However, as email administrators learned from
experience and started blocking email from those sites, spammers had to find
another way of sending unsolicited commercial emails. They found an easy way to
accomplish this: the third party mail relay, or open relay.

04. What is a third party relay email server?
A third party mail relay is an email server that receives email from an unknown
sender and then sends it on to a recipient or recipients who are not users of
that email system. Some email systems enable this relay feature in the default
installation. Given the large number of mail servers that exist on the
Internet, there is still a considerable number of servers which allow relaying.
Spammers can simply collect lists of third party mail relays on the Internet
through scanning programs. With the lists, spammers can configure the spamming
tool with a relay's address, so it obscures their identity from the recipients
and places the burden of the work on an email server that they don't worry
about overloading or crashing.
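To make the relay decision in Q04 concrete, here is an added Python model (not CERT-MU's code and not any particular mail server's implementation) of the check a receiving server applies to each recipient: accept when the recipient domain is one it hosts, when the client is on a trusted internal network, or when the client has authenticated; otherwise refuse to relay. A server whose trusted network covers the whole Internet is exactly the "relay enabled by default" case. The domains, addresses and networks used are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RelayPolicy:
    """What a receiving mail server needs to decide whether to relay."""
    local_domains: set                              # domains we deliver for
    trusted_networks: List[ipaddress.IPv4Network]   # clients allowed to relay


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False                     # SMTP AUTH succeeded?


def relay_decision(policy: RelayPolicy, session: Session,
                   recipient: str) -> Tuple[bool, str]:
    """One RCPT TO check.  Accept if the recipient is ours, or the client is
    on a trusted network, or it has authenticated; otherwise refuse relaying.
    This is the order common MTAs evaluate (permit local, permit own networks,
    permit authenticated, reject unauthenticated destinations)."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if rcpt_domain in policy.local_domains:
        return True, "accept: local delivery"
    ip = ipaddress.ip_address(session.client_ip)
    if any(ip in net for net in policy.trusted_networks):
        return True, "accept: client on trusted network"
    if session.authenticated:
        return True, "accept: authenticated submission"
    return False, "reject: relay access denied"


def is_open_relay(policy: RelayPolicy) -> bool:
    """Self-test an administrator can run against a policy: would an unknown,
    unauthenticated Internet host be allowed to send mail *through* us to a
    domain we do not host?"""
    stranger = Session(client_ip="198.51.100.7")    # TEST-NET-2, constructed
    accepted, _ = relay_decision(policy, stranger, "someone@example.org")
    return accepted


def hardened_policy() -> RelayPolicy:
    """Constructed example: we host example.com; only the office LAN relays."""
    return RelayPolicy(local_domains={"example.com"},
                       trusted_networks=[ipaddress.ip_network("192.0.2.0/24")])


def open_relay_policy() -> RelayPolicy:
    """The FAQ's 'relay enabled by default' case: trusting the whole Internet
    (in Postfix terms, a mynetworks of 0.0.0.0/0) turns the server into a
    third party relay for anyone who finds it."""
    return RelayPolicy(local_domains={"example.com"},
                       trusted_networks=[ipaddress.ip_network("0.0.0.0/0")])


if __name__ == "__main__":
    for name, pol in (("hardened", hardened_policy()), ("weak", open_relay_policy())):
        print(name, "OPEN RELAY" if is_open_relay(pol) else "relay closed")
```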
General

01. What is Information Security?
Information Security is protecting the confidentiality, integrity and
availability of information and information systems from unauthorized access,
use, disclosure, disruption, modification or destruction.

02. What is IT Security?
There is no exact definition, but the general idea is to protect any IT
information and resources with respect to confidentiality, integrity,
availability, non-repudiation and authentication.

03. What should we do first to ensure IT Security?
It is recommended to use a systematic approach by first considering the
security interest of the organization or department as a whole. First identify
the security requirements of the organization, then establish the security
policy, followed by enforcement. Periodic and continuous review and monitoring
are definitely necessary in order to have an effective and efficient security
policy.

04. What is phishing?
Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool
recipients into divulging personal financial data such as credit card numbers,
account usernames and passwords, social security numbers, etc. By hijacking the
trusted brands of well-known banks, online retailers and credit card companies,
phishers try to convince recipients to respond to them.

05. How to identify your security requirements?
First of all, it is necessary to identify what is going to be protected, such
as equipment and assets. Then find out the related threats, the impact of each
threat and the chance of their occurrence. To identify the threats, which are
often of different natures, a process called risk analysis is normally used.
Through this process, one can identify what assets to protect, their relative
importance, and the priority ranking for urgency and level of protection
required. As a result, a list of security requirements can be defined for one's
organization.
06. What is a Security Policy? How is it related to security standards, guidelines and procedures?
Security policy sets the basic mandatory rules and principles on information
security. It should be observed throughout an organization and should be in
accordance with your security requirements and the organization's business
objectives and goals. Security standards, guidelines and procedures are tools
to implement and enforce security policy such that more detailed managerial,
operational and technical issues can be considered. Standards, guidelines and
procedures may require more frequent reviews than security policy.

07. What should be considered first when drafting a security policy?
These include:
· Goals and direction of the organization
· Existing policies, rules, regulations and laws of the Government
· Organization's own requirements
· Implementation, distribution and enforcement issues
08. Who should be involved in development of a Security Policy?
Developing a Security Policy requires the active support and ongoing
participation of individuals from multiple ranks and functional units. A
working group or task force to develop the Policy should be formed, but the
exact group of personnel required depends on the organization's requirements.
In general, this group may include empowered representatives from management,
technical personnel, system developers, operational personnel, officers or
users. Management represents the interests of the organization's goals and
objectives, and can provide the overall guidance, assessment and decision
making. Technical personnel can provide technical support for various security
mechanisms or technological aspects. Users represent the users of related
systems who may be directly affected by the Policy. Sometimes, a third party
may get involved to review the drafted Policy.

09. How to develop a Security Policy?
First of all, the group of people involved in developing the Policy should be
identified. Second, make all necessary plans for activities, resources to be
acquired and schedules. Then determine the security requirements, and establish
the Security Policy. Several iterations of review and refinement are required
before a complete Policy can be established. As technology, environment and
requirements often change, continuous review and monitoring of the Security
Policy should be practised regularly in order to keep it effective and useful
for your organization.

10. What can I include in my Security Policy?
Typical contents may include the policy objectives and scope, the assets to be
protected, the roles and responsibilities of the involved parties, the DO and
DON'T rules, and security incident reporting and handling. However, the exact
contents and level of detail depend on the security requirements and the
organization's business objectives. Before drafting your security policy, one
should also consider the goals and directions of the organisation, the existing
policies, rules, regulations and laws, and implementation, distribution and
enforcement issues.

11. What are the benefits of having a Security Policy?
The entire staff can clearly understand what is and is not permitted in the
organisation relating to the protection of IT resources. This also helps to
raise the level of security consciousness and to provide a baseline on which
detailed guidelines and procedures can be established. It may also help to
support the decision to prosecute security violations.

12. What should I consider when implementing a Security Policy?
You must first observe your organization's procedures, rules and regulations
for implementation. However, no policy is considered to be implemented unless
users or related parties have commitment and communication. This can be done
through briefings, orientation and ongoing training. Make them aware that the
Policy can create benefits for their daily work and, if possible, invite them
to participate in the process of developing the Policy. This can gain their
commitment and acceptance of the Policy.

13. What is meant by Security Assessment?
Security assessment here is defined as the methods used to assess the security
of a network or system. Security assessment software is specially designed to
reduce the chance of internal abuse by searching for and eliminating
unnecessary security risks and vulnerabilities on internal hosts and
workstations. These assessment tools are often used for security audits.
14. What is a Security Audit?
A security audit is performed in order to check and review the effectiveness
and completeness of the security controls, the security policy, standards,
guidelines and procedures. It will identify any inadequacies of the policy and
related standards, and will find out if there are any security vulnerabilities
in IT resources. Recommendations and remedial actions on security measures will
be provided. In fact, a security audit should be an on-going process performed
periodically or regularly, as new vulnerabilities may come up daily.

15. How often should a Security Audit be performed?
A Security Audit only provides a snapshot of the vulnerabilities revealed at a
particular point in time. But technology and your environment change daily.
There may be vulnerabilities found in the future even if all existing
vulnerabilities have been identified. So, periodic and ongoing review is
inevitably required.

16. Who should perform a Security Audit?
As a Security Audit is a complex task that requires skilled and experienced
personnel working alongside existing system administrators, it must be planned
carefully. A third party is recommended to perform the audit. This third party
can be another group of in-house staff or an external audit team, depending on
the staff's skills and the sensitivity of the information being audited.
17. What is an IT Security Incident?
An IT Security Incident is any event that could pose a threat to the
availability, integrity and confidentiality of a computer system. Such
incidents can result in the destruction of data and disclosure of information.

18. How to handle a security incident?
A security incident handling plan should be defined to identify, as far as
possible, all kinds of security incidents that may occur. The plan should be
set up with a set of goals and objectives. When a security incident occurs,
follow the procedures stated in the security incident handling plan. The plan
may list all the activities, such as the person to notify, the actions to
protect the evidence and logs, the ways to limit the effect of the incident and
the recovery procedures with minimal user impact. Evaluation of the incident
should not be omitted, as this reviews the existing security measures and
ensures their completeness.

19. What is an intrusion?
An intrusion is a set of actions which attempt to compromise the availability,
confidentiality and integrity of an information resource. Generally speaking,
intrusion detection is the methodology by which intrusions are detected. This
includes detection of intruders breaking into a system or users misusing the
system resources.

20. Why do I need an Intrusion Detection System (IDS) if my network already has a firewall?
Firewalls are only part of the total integrated security system. They do have
limitations. They can neither alert on ALL intrusions nor stop ALL security
breaches. They are frequently and easily misconfigured. Organizations are
dynamic: people, technology and processes often change. Unless you are
constantly monitoring for intrusions, you cannot know if your firewall is
working properly. Hence, the IDS is a vital tool to monitor your network 24
hours a day, 7 days a week. But bear in mind that an IDS is just an addition
to the firewall.

21. What doesn't Intrusion Detection do?
Intrusion Detection cannot help you to solve or fix the problem. It can neither
tell you exactly who carried out the attack and how it occurred nor the
intention of the attacker. It can only provide you with logs about the origin
of the attack and who is making the attack, but most often these logs may not
be able to tell you who the real attacker is.
22. What is a network firewall and what can a firewall protect against?
A firewall is a group of systems that enforce an access control policy between
two networks. In principle, the firewall can block traffic from the outside to
the inside and permit traffic from the inside to communicate with the outside
world. The firewall can also provide logging and auditing functions to record
all traffic passing through it. In other words, a firewall can protect the
internal network against attacks from outside by defining an access control
policy to permit or deny traffic. However, the firewall cannot protect against
attacks that do not go through it and cannot protect against things like
viruses or data driven attacks. It should be noted that firewalls are only part
of the overall network security, and the proper configuration of the firewall
plays a very important role as well.

23. What are the security risks that affect Web servers?
Once you install a Web server at your site, you have opened a door into your
local network for external visitors. From the view of the network
administrators, you are opening up a potential security hole, and you have to
bear the risks associated with this opening. Bugs or misconfiguration of the
Web server can allow unauthorised remote users to access information which is
not intended for them. Hackers may even execute server commands to modify the
system, gain information about the Web server's host machine or launch
attacks. Client side browsers may be attacked by these hackers and their
personal information may be retrieved through the hole. Network data sent from
browser to Web server or vice versa may be intercepted by eavesdropping. Hence,
all your information is vulnerable to interception if there is no proper
system security on both browser and server sides.

24. What general security precautions should I take for my web servers running on UNIX and NT systems?
In general, there are many precautions that can be taken. For example, you can
limit the number of user accounts available on the machine. Try to ensure that
users select good passwords. Remove all unused services, shells and
interpreters. Configure your web servers correctly and ensure that file
permissions are granted only to authorised parties. Regularly check system and
Web logs for suspicious activity.
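The last precaution in Q24, checking Web logs for suspicious activity, as an added Python example that is not from the CERT-MU page: it parses Common Log Format lines (skipping malformed ones instead of failing), then flags clients that rack up repeated 4xx responses and any request whose path carries directory traversal sequences, which is the kind of probing Q23 warns about. The log lines, addresses and threshold are constructed.

```python
import re
from collections import Counter
from typing import Optional

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Literal "../" or its URL-encoded form "%2e%2e" anywhere in the request path.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e)", re.IGNORECASE)

# Constructed sample: one ordinary visitor, one client probing for files
# outside the web root and collecting 403/404 responses, and one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0400] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2023:13:55:37 +0400] "GET /style.css HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2023:13:56:01 +0400] "GET /../../etc/passwd HTTP/1.0" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:02 +0400] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 403 199
198.51.100.23 - - [10/Oct/2023:13:56:03 +0400] "GET /admin/ HTTP/1.0" 403 199
198.51.100.23 - - [10/Oct/2023:13:56:04 +0400] "GET /backup.tar.gz HTTP/1.0" 404 209
this line is not in CLF and must be skipped rather than abort the review
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_log(text: str, error_threshold: int = 3) -> dict:
    """Summarise a log for a routine check: clients with at least
    error_threshold client-error (4xx) responses, every traversal attempt
    with its source, and how many lines could not be parsed."""
    errors_per_ip = Counter()
    traversal = []
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if 400 <= rec["status"] < 500:
            errors_per_ip[rec["ip"]] += 1
        if TRAVERSAL.search(rec["path"]):
            traversal.append((rec["ip"], rec["path"]))
    noisy = {ip: n for ip, n in errors_per_ip.items() if n >= error_threshold}
    return {"noisy_clients": noisy, "traversal": traversal, "skipped": skipped}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for ip, n in report["noisy_clients"].items():
        print(f"{ip}: {n} client errors, review this source")
    for ip, path in report["traversal"]:
        print(f"{ip}: traversal attempt {path}")
    print(f"{report['skipped']} unparseable line(s)")
```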
25. How can I protect the personal computer and public network against virus?
A virus is a piece of code that can replicate itself and spread to other
computers via floppy diskettes or data communication channels such as email.
It is recommended to install a memory-resident anti-virus program to
continuously monitor the microcomputer. Virus protection should be done on
servers as well. Administrators are required to install a server-based
anti-virus package on the servers with proper settings. Virus scanning
software should be installed on the server's boot-up drive and be activated at
all times to protect the boot sector from infection. Administrators should also
include a virus prevention and detection process in their daily routine. Of
course, regular updates of the virus prevention and detection software are
essential to ensure the accuracy of detection and coverage of new classes of
virus.
27. What are the general considerations for protecting the network?
It is desirable to limit the connection to outside networks to those hosts
which do not store sensitive information. All access to and from the local
network must be made through a single host computer that acts as a firewall.
Keep the network simple by minimizing the number of network interface points
between the internal and external network. Only authorised traffic is allowed
to pass via the internal network. If possible, use multiple authentication
systems to monitor the users. However, network security only covers a small
area in the overall security system; the data owner is also responsible for
the security of the data.

28. What is meant by physical security?
Physical security refers to the protection of hardware and computer equipment
from external physical threats.

29. What is meant by application security?
Application security refers to the additional security measures built into the
application itself to provide a more secure environment. It is closely related
to the work of system developers.

30. What can be considered for Internet Security?
Internet security covers a wide range of issues such as identification and
authentication, virus protection, software licensing, remote access, dial-up
access, physical security, firewall implementation and other aspects relating
to the use of the Internet.
31. How to protect my privacy online?
There are many ways to protect your privacy online. For example, you should
not share your personal information such as your name and address with anyone
online, unless you want them to know. Think carefully before giving out your
personal information online, as this information about yourself may end up
being used for other purposes. Secure your email by digitally signing and
encrypting it before transmission and storage. Safeguard your personal
computer at work and at home because it is physically open to attack or theft.
Change your password often and keep it secret. Try not to use passwords that
are obvious names or easy to guess.

32. How to ensure that the user passwords are secure?
This depends on the password mechanisms and how the user himself keeps his own
password. Users should select a password that is difficult to guess and keep
the password as secret as possible. They should also change their own password
immediately after system recovery or upon receipt of a new password.
Administrators should ensure that each new user is granted a good initial
password instead of using a default one. Procedures should be set up to ensure
that only the real person is requesting the new or changed password and gets
that password. No passwords should be displayed on the screen at any time. User
passwords which are used for authentication and administration should be
encrypted before being stored.
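The storage rule at the end of Q32 is, in practice, met with a salted slow one-way hash rather than reversible encryption, so that a copy of the password database does not yield the passwords. As an added example that is not from the CERT-MU page, this Python code covers the administrator side of Q32 (a random per-user initial password flagged must-change instead of a shared default), the user side (changing it after proving the current one), constant-time verification, and the effect of the salt. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and usernames are constructed choices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

ITERATIONS = 100_000   # constructed choice; raise it as your hardware allows
SALT_BYTES = 16


@dataclass
class PasswordRecord:
    """What is stored: never the password, only salt + slow hash + parameters."""
    username: str
    salt: bytes
    digest: bytes
    iterations: int
    must_change: bool    # True when an administrator issued the password


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(username: str, password: str, must_change: bool = False) -> PasswordRecord:
    """Fresh random salt per record, so equal passwords give different digests."""
    salt = secrets.token_bytes(SALT_BYTES)
    return PasswordRecord(username, salt, _derive(password, salt, ITERATIONS),
                          ITERATIONS, must_change)


def issue_initial_password(username: str) -> Tuple[str, PasswordRecord]:
    """Administrator path (Q32): a random initial password instead of a default,
    to be handed over through a verified channel and replaced on first login."""
    temp = secrets.token_urlsafe(12)
    return temp, store_password(username, temp, must_change=True)


def verify_password(record: PasswordRecord, candidate: str) -> bool:
    """Constant-time comparison so response timing does not leak matching bytes."""
    return hmac.compare_digest(record.digest,
                               _derive(candidate, record.salt, record.iterations))


def change_password(record: PasswordRecord, old: str, new: str) -> PasswordRecord:
    """User path: prove the current password, then replace the whole record
    (new salt, must_change cleared)."""
    if not verify_password(record, old):
        raise PermissionError("current password incorrect")
    return store_password(record.username, new)


if __name__ == "__main__":
    temp, rec = issue_initial_password("alice")          # constructed user
    print("initial password accepted:", verify_password(rec, temp),
          "must change:", rec.must_change)
    rec = change_password(rec, temp, "correct-horse-battery-staple")
    print("after change, old password works:", verify_password(rec, temp))
```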
33. How do I protect myself from identity theft?
Spyware is software installed on your computer without your consent to monitor
or control your computer use. Clues that spyware is on a computer may include
slow performance when opening programs or saving files, toolbars or icons on
your computer desktop that you didn't place there, random error messages, and
in some cases, there may be no symptoms at all.

34. What is Identity theft?
Identity theft is the unauthorized collection and use of your personal information, usually for criminal purposes. Your name, date of birth, address, credit card, and other personal identification numbers can be used to open credit card and bank accounts, redirect mail, establish cellular phone service, rent vehicles, equipment, and accommodation.

35. How to fight identity theft?
- Minimize the risk. Be careful about sharing personal information or letting it circulate freely.
- When you are asked to provide personal information, ask how it will be used, why it is needed, who will be sharing it and how it will be safeguarded.
- Give out no more than the minimum, and carry the least possible with you.
- Be particularly careful about your NID; it is an important key to your identity, especially in credit reports and computer databases.
- Don't give your credit card number on the telephone, by electronic mail, or to a voice mailbox, unless you know the person with whom you're communicating or you initiated the communication yourself, and you know that the communication channel is secure.
- Take advantage of technologies that enhance your security and privacy when you use the Internet, such as digital signatures, data encryption, and “anonymizing” services.
- If credit card or utility bills fail to arrive, contact the companies to ensure that they have not been illicitly redirected.
- Notify creditors immediately if your identification or credit cards are lost or stolen.
- Ask that your accounts require passwords before any inquiries or changes can be made, whenever possible.
- Choose difficult passwords – not your mother's maiden name. Memorise them, change them often. Don't write them down and leave them in your wallet, or some equally obvious place.
- Key in personal identification numbers privately when you use direct purchase terminals or ATM machines.
- Be careful what you throw out. Burn or shred personal financial information such as statements, credit card offers, receipts, etc.
General Virus Protection
01. What is a Virus?
Since the first PC virus was found in 1986, the total number of viruses has rocketed to an enormous figure. As many already know, a computer virus is a piece of malicious program code that is able to affect the normal operation of a computer system. Why do we call such malicious code a computer virus? Computer scientists have found a number of similarities between biological viruses (like H1N1) and computer viruses. First of all, both need a host to reside in. In the case of a computer virus, the host is usually the infected file / disk. Secondly, both are capable of replicating themselves from one host to another. Finally, both may cause damage to the host. But there is at least one difference: computer viruses are created by humans while biological viruses are not. When a virus strikes, the results range from merely annoying screen displays to disastrous and extensive data corruption. With the growing popularity of microcomputers, the threat of viruses should definitely not be considered negligible. Nevertheless, with appropriate counter-measures in place, we are still able to prevent or minimize the loss from computer infection.
02. How can a virus affect us?
A computer virus affects the health of your computer just as its biological counterpart makes you sick. Typical payloads of computer viruses include creating annoyances (e.g. interfering with your mouse / keyboard), removing files from your hard disk and formatting your hard disk. It was only with the discovery of the CIH virus that corruption of BIOS data was added to the list of payloads. A computer virus may seem remote from you. That may have been true in the old days, when few of us had a PC at home and viruses spread slowly with the exchange of floppy disks. But times have changed; a virus can now reach us through a number of routes. It may arrive in shared files on a server, in mail from your colleagues, or in files downloaded from the Internet. Worse still, some vendors have delivered machines / CD-ROMs with a virus pre-installed. In addition, the outbreak of the Melissa virus proved that a virus can spread around the globe within hours.
03. What is the Wild List?
The Wild List is a list of the most common viruses infecting computers worldwide, and is compiled by the well-known antivirus researcher Joe Wells. Wells works closely with antivirus research teams around the world to update the list regularly.
A product that detects 90 percent of 'in the wild' viruses will detect 90 percent of the viruses on this list - or 90 percent of the most common viruses circulating.
04. How to prevent virus?
Computer viruses are all around you and me. Nevertheless, we can minimize the chance of being infected by taking sufficient preventive measures. The following provides some guidelines on preventing computer virus infection:
· DO NOT use illegal software under any circumstances.
· Connection to the Internet should be controlled.
· DO NOT run programs downloaded from the Internet / of doubtful origin. If it is necessary to do so, you should scan the file with an up-to-date virus scanner first.
· Scan files attached to e-mails with an up-to-date anti-virus program before use.
· Set C: as the default boot-up drive (by changing the settings in the CMOS setup). This will decrease the chance of infection by a boot sector virus.
· Check floppy diskettes and files (especially those of unknown origin) with a virus scanning program before use.
· Write-protect all floppy diskettes that you do not expect to write to, and remove floppy diskettes from drive slots when they are not being used.
· Make sure that you back up your files regularly so that you can recover them after a virus attack.
05. How to detect virus?
New viruses are being developed every day. New techniques may render existing preventive measures insufficient. The only truth in the virus and anti-virus field is that there is no absolute security. However, we can minimize the damage by identifying virus infections before they carry out their payload. The following lists some ways to detect virus infections:
· Watch out for any changes in machine behaviour. Any of the following signs could be symptoms of virus activity:
o Programs take longer than usual to execute,
o Sudden reduction in available system memory or disk space
· A memory-resident anti-virus program can be employed to continuously monitor the computer for viruses.
· Scan your hard disk with an anti-virus utility. You should make sure that an up-to-date virus signature has been applied, and you should update the signature at least once a month.
· Employ server-based anti-virus software to protect your network. You should also consider employing application-based anti-virus software (e.g. those running on Lotus Notes) to further protect your machine.
06. Are there CMOS viruses?
Although a virus can write to (and corrupt) a PC's CMOS memory,
a virus can NOT 'hide' there. The CMOS memory is not 'addressable': data stored in CMOS is not loaded and executed by the PC. A malicious virus can alter the values in the CMOS as part of its payload, causing the system to be unable to reboot, but it cannot spread or hide itself in the CMOS.
A virus could use CMOS memory to store part of its code, but executable code stored there must first be moved to the computer's main memory in order to be executed. Therefore, a virus cannot spread from, or be hidden in, CMOS memory. And there is no known virus that stores code in CMOS memory.
There have been reports of a trojanized AMI BIOS. It is not a virus, but a 'joke' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board. If the date is the 13th of November, it stops the boot-up process and plays 'Happy Birthday' through the PC speaker.
07. Are there BIOS viruses?
Theoretically, it is possible to have a virus that hides in the BIOS and is executed from the BIOS. Current technology enables programs to write code into the BIOS. The BIOS is the place for storing the first piece of program code to be executed when a PC boots up.
08. How to clean virus?
Virus has been found? Don't panic! The following are some pieces of advice about removing computer viruses:
· All activities on the infected machine should be stopped (and it should be detached from the network) as the payload may be triggered at any time. Continuing to use the infected machine helps the suspected virus spread further.
· Recovering from backup is the most secure and effective way to recover the files.
· In some cases, you may recover the boot sector, partition table and even the BIOS data using the emergency recovery disk.
In case you do not have the latest backup of your files, you may try to remove the virus using anti-virus utilities.
09. Do we have to fear virus?
Computer viruses are not devils. They are just computer programs with a self-replication function. That means they are able to make copies of themselves. Since the process is automatic, the program is able to spread inside a computer or inside a network. Anti-virus software is designed by international companies to detect and clean such virus programs. With up-to-date virus signatures, almost all viruses can be detected and removed easily. For new viruses not detected by anti-virus software, a new virus signature update will usually be available within a week.
10. Are there mobile phone viruses?
Mobile phones that do not allow the user to install new applications on the device and are limited to using only the on-board applications burned into ROM (read only) or Flash memory chips are not susceptible to classical computer virus attacks. However, the new generation of smart phones are essentially mobile-enabled PDAs. These devices permit the user to install new software on the device at any time. Therefore, as with any computing platform, smart phones are also susceptible to virus attacks. Thus far, there have already been some reports of minor virus attacks on mobile devices.
11. Can data files be infected?
Usually not. The exception is data files that contain executable code, which can be infected by viruses. A good example of this is a Microsoft Word file (.DOC, .DOT). Although Word files are technically data files, they may contain macros, which are executable and therefore susceptible to infection.
15. What is a macro virus and how does it spread?
Macro viruses are special macros that self-replicate in the data files of applications such as Microsoft Word and Excel. The majority of macro viruses infect Word document files. When a file containing infected macros is opened, the virus usually copies itself into Word's global template file (typically NORMAL.DOT). Any document opened or created subsequently will be infected.
Macro viruses become part of the document itself, and are transferred with the file via floppy disks, file transfer, and e-mail attachments.
16. What's the worst damage a macro virus can do?
Like all computer viruses, macro viruses can destroy data. For most users, the worst thing a macro virus might do is to reformat their computer hard drives. While most of the known macro viruses are not destructive, many cause a considerable loss of productivity and time.
17. How to minimize Word macro viruses' destruction to hard disks and files?
Of course the most secure method is to back up your data regularly and use antivirus software that is able to scan your documents before Word starts up.
18. Will viruses infect Access?
Yes. The first Access macro virus, JETDB_ACCESS-1, infects Chinese, English, Japanese and other versions of Access. Once this virus infects a database, it will search for and infect all .MDB files in the current directory.
19. Will I be infected when I access an Internet FTP server? Will a virus be downloaded during file downloading?
The files on the FTP server may be infected with computer virus(es). Your computer will be infected if you run / open the infected file(s). Therefore, you should scan files downloaded from the Internet before use.
20. Will a virus infect my machine if I connect to the Internet and view Web pages / download programs?
If you are only viewing web pages written in HTML only (i.e. no ActiveX, active scripting, Java, etc.) and your computer has been patched with the latest security patches, the answer is 'No'. However, if your computer is not fully patched, or if you run ActiveX controls, active scripting and Java applets, or run programs downloaded from the Internet, it is possible that these programs contain viruses and affect your machine. Computer users should take the following security measures when surfing the Internet:
· Ensure that the operating system and software on your computer have had the latest security patches applied.
· Enable real-time scanning in your anti-virus software and use the latest virus signature.
· Avoid visiting suspicious / untrusted websites.
· Do not execute unsigned ActiveX controls or ActiveX controls from untrusted sources.
· If possible, disable active scripting in your browser settings.
· Avoid downloading programs from untrusted websites, since they carry a high risk of causing virus infection.
21. Can e-mail messages be infected?
Plain electronic mail messages with pure text containing no executable code will not be infected. However, HTML e-mails, which can contain executable scripts, as well as files attached to the e-mail message, may be infected. Most anti-virus software nowadays can be configured to scan e-mails and their attachments.
22. Can firewalls detect virus?
Firewalls do not screen computer viruses. As the location of a firewall within a network is usually a good place for virus scanning, some firewalls have plug-in virus-scanning modules. Some programs are also available for scanning viruses at a point either before or after a firewall.
You may wish to note that scanning FTP or HTTP traffic adds heavy network overhead but blocks only one of the sources of viruses, as a virus can get into the local intranet through floppy disks, CD-ROMs or even a brand new PC.
23. What is a scan engine? Why do I have to update the signature file as well as the scan engine of my antivirus software?
A virus scanning engine is the program that does the actual work of scanning and detecting viruses, while signature files are the 'fingerprints' used by the scan engine to identify viruses. New scan engine versions are released for a number of reasons. About 6 to 8 new viruses are found every day around the world. New types of viruses may not be detected by the old engine. New versions of the scan engine usually also enhance scanning performance and detection rates. Some vendors provide updates for both the scan engine and signature file in a single file while others provide them in separate files. You may find the link to update your anti-virus software in the following web page.
24. Why can some viruses be detected but not cleaned with the anti-virus software?
Anti-virus software not only detects viruses, but also other types of malicious code, which may not be cleanable. For example, a trojan horse is a type of malicious code that should be deleted instead of cleaned. In other cases, the virus may have corrupted the file and made it impossible to clean / recover. Nevertheless, there are some tips to maximize the likelihood of recovering the file using anti-virus software:
· Check whether the virus signature files and scan engine are up-to-date.
· Make sure there is enough free space on the disk.
· Check if removal instructions or an automatic removal tool is available from the anti-virus vendor's web site.
If still unsuccessful, obtain a virus sample and send it to the anti-virus vendors for recommended actions.
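As an added illustration of Q23 and Q24 (example code written for this page, not CERT-MU's tooling or any vendor's scanner): a toy scan engine that loads a separate signature file, so you can see why a signature update alone does not help when the signature syntax needs a newer engine, and why a trojan detection is deleted rather than cleaned. The virus names, byte patterns, sample files and the "v2 wildcard" engine feature are all constructed for the demo.

```python
"""Toy scan engine + separate signature file (added example, not CERT-MU's code).
Shows why both the engine and the signature file must be updated (Q23) and why
a detection may have to be deleted rather than cleaned (Q24).
Every name, pattern and sample file below is constructed for the demo."""
import re

# Constructed signature file, one record per line: name;kind;hex pattern.
# kind "virus": appended code the engine can strip; "trojan": delete the file.
SIGNATURES_V1 = """\
DEMO.Appender.A;virus;DEADBEEF4142
DEMO.Dropper.B;trojan;CAFEBABE
"""
# A later signature update uses "??" (any one byte) to cover a variant whose
# 5th byte changes; only engine v2 understands this syntax.
SIGNATURES_V2 = SIGNATURES_V1 + "DEMO.Appender.C;virus;DEADBEEF??43\n"

# Constructed sample files: a clean host, two infected copies and a trojan.
HOST = b"MZ\x90\x00 demo host program"
INFECTED_A = HOST + bytes.fromhex("DEADBEEF4142")
INFECTED_C = HOST + bytes.fromhex("DEADBEEF9943")   # variant, 5th byte 0x99
TROJAN = b"setup.exe contents " + bytes.fromhex("CAFEBABE") + b" payload"


def parse_signatures(text, engine_version):
    """Load the signature records the given engine version can understand.
    Engine v1 knows only literal hex; v2 adds the "??" single-byte wildcard."""
    sigs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, kind, pattern = line.split(";")
        if "??" in pattern and engine_version < 2:
            continue  # old engine cannot parse this record and skips it
        parts = []
        for i in range(0, len(pattern), 2):
            pair = pattern[i:i + 2]
            parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
        sigs.append((name, kind, re.compile(b"".join(parts), re.DOTALL)))
    return sigs


def scan(data, sigs):
    """Return the first matching signature as a verdict dict, or None."""
    for name, kind, rx in sigs:
        m = rx.search(data)
        if m:
            return {"name": name, "kind": kind, "offset": m.start()}
    return None


def clean(data, verdict):
    """Appender viruses sit after the host, so cleaning truncates the file.
    A trojan has no host to restore: return None (delete it instead)."""
    if verdict is None or verdict["kind"] != "virus":
        return None
    return data[:verdict["offset"]]


def demo():
    """Run the update scenarios; returns the detection name (or None) per case."""
    old_engine_old_sigs = parse_signatures(SIGNATURES_V1, 1)
    old_engine_new_sigs = parse_signatures(SIGNATURES_V2, 1)
    new_engine_new_sigs = parse_signatures(SIGNATURES_V2, 2)
    pick = lambda v: v["name"] if v else None
    return {
        "A/old engine": pick(scan(INFECTED_A, old_engine_old_sigs)),
        "C/old engine, new sigs": pick(scan(INFECTED_C, old_engine_new_sigs)),
        "C/new engine, new sigs": pick(scan(INFECTED_C, new_engine_new_sigs)),
        "trojan cleanable": clean(TROJAN, scan(TROJAN, old_engine_old_sigs)) is not None,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```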
Wi-Fi Security
01. How to prevent unauthorized Wi-Fi access?
To prevent unauthorized Wi-Fi access, you can consider implementing the following measures on your wireless access point (AP).
· Change the default settings, such as the user name and password of the Access Point (AP).
· Turn on wireless data encryption, WPA2-PSK (Pre-shared key) with the AES protocol, with a passphrase of at least 20 characters containing at least one capital letter and one digit.
· Enable the MAC address filtering feature on the AP and only allow devices with a pre-registered MAC address to connect.
· Do not broadcast the service set identifier (SSID).
· Turn off the AP when not in use.
02. How to prevent hacking of insecure default configuration?
To prevent unauthorized Wi-Fi access, you can consider implementing the following measures on your wireless access point (AP).
· Change the default settings, such as the user name and password of the Access Point (AP).
· Turn on wireless data encryption, WPA2-PSK (Pre-shared key) with the AES protocol, with a passphrase of at least 20 characters containing at least one capital letter and one digit.
· Enable the MAC address filtering feature on the AP and only allow devices with a pre-registered MAC address to connect.
· Do not broadcast the service set identifier (SSID).
· Turn off the AP when not in use.
03. How to prevent hacking via weak protocol?
Use WPA2-PSK (Pre-shared Key) with the AES protocol for data encryption. WPA2 is more secure than WPA and WEP, as those algorithms have been broken. To protect against brute force attacks, a passphrase of at least 20 characters should be used, containing at least one capital letter and one digit. Apart from data encryption, the user should disable services which are not in use (such as SNMP and WPS) and upgrade the firmware regularly.
04. How to prevent clients sniffing each other?
Some APs have a built-in function to isolate connections between clients. This function has different names in different products (e.g. AP Isolation, Privacy Separator). In addition, make sure you use https connections wherever possible while browsing the Internet.
05. How to minimize the exposure of corporate network via Wi-Fi for guest?
If you provide Wi-Fi connection to guests, you should separate them into an isolated Wi-Fi network. Guests should have limited access to the Internet only (Web browsing) and should not be able to access internal resources, such as file servers. The system administrator should review the traffic and audit logs regularly, as this can help in the detection of security incidents.
06. How to minimize the exposure of internal Wi-Fi?
Below are some suggestions that you can implement to minimize the exposure of internal Wi-Fi.
· Change the AP default user name and password.
· Do not broadcast the SSID of the AP.
· Only allow registered wireless network devices to connect.
· Turn on wireless data encryption.
· Classify Wi-Fi networks as untrusted networks and password-protect your computers and files.
· Use a firewall and network intrusion detection to detect and defend against network attacks.
· Periodically check AP logs for abnormal traffic and rogue users.
· Turn off wireless cards and APs when not in use.
07. How to plan and deploy secure corporate Wi-Fi network?
A wireless network provides the mobility for users to work anywhere within the company. It also provides a way for you to allow visitors to access the Internet with their mobile devices. Planning and deploying one is more complicated than just plugging a wireless AP into your corporate network. You need to establish policies for the usage and control of the Wi-Fi network, select the security measures to minimize the risk in Wi-Fi networks, and secure Wi-Fi communications.
You may refer to the below for planning and deploying a Wi-Fi network.
Security Policies:
· Define the usage of the Wi-Fi network and the security requirements of the Wi-Fi connection.
· Define the types of information that are not allowed to be sent over the wireless network.
· Define the procedure for reporting the loss of a WLAN device.
· Keep an accurate inventory of all WLAN devices.
· Remove all configuration and sensitive information from a WLAN device before disposal.
Wi-Fi location and network design:
· A wireless site survey should be conducted to tune the power of APs to provide just sufficient coverage and roaming capability.
· Treat the Wi-Fi network as an untrusted network and segment the wireless traffic into a separate network.
Security protection:
· Deploy a network intrusion system (WIPS/WIDS) which supports rogue AP identification and Denial of Service protection, such as against AP flooding.
· Disable all insecure and unused management protocols on the AP and configure it for least privilege.
· Enable the AP access threshold parameters, such as inactivity timeouts and maximum supported associations.
· Enable the AP logging features and forward the log entries to a remote logging server.
· Disable the ad-hoc mode of wireless client devices.
· Incorporate the enterprise login system (such as RADIUS and Kerberos) for authentication.
· Adopt the latest authentication options, such as the Extensible Authentication Protocol (EAP), to get a higher protection level.
· Limit the services provided in the WLAN, especially the guest WLAN. Apply access control and quality of service control to ban disallowed traffic or unwanted overuse of bandwidth.
Ongoing maintenance:
· A wireless vulnerability assessment should be performed regularly to check the enforcement of security policy, and to look for unknown wireless devices or security threats due to mis-configuration or device vulnerabilities.
· Regularly review the access and traffic of APs for abnormal traffic and rogue users.
· Update the firmware of wireless devices periodically.
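As an added example of the AP hardening advice in Q01 to Q03 and the "Security protection" list above (not CERT-MU's code): a small checker that parses a hostapd access-point configuration and reports which recommended settings are missing, with a constructed weak configuration beside a hardened one. The hostapd option names are real; both configurations, the SSID, passphrase and file path are made up for the demo.

```python
"""hostapd AP configuration checker: an added example, not CERT-MU's code.
Checks a config against this page's Wi-Fi checklist (WPA2-PSK with AES, 20+
character passphrase with a capital and a digit, SSID hidden, MAC allow-list,
client isolation, WPS off, inactivity timeout, association limit, logging).
Option names are real hostapd options; both configs are constructed."""
import re

# Constructed "out of the box" style config carrying the weak settings.
WEAK_CONF = """\
interface=wlan0
ssid=OfficeAP
auth_algs=3
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=office123
wps_state=2
"""
# Constructed hardened config applying the page's recommendations.
HARDENED_CONF = """\
interface=wlan0
ssid=OfficeAP
ignore_broadcast_ssid=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Correct-Horse-Battery-Staple-2024
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
ap_isolate=1
ap_max_inactivity=300
max_num_sta=50
logger_syslog=-1
logger_syslog_level=2
"""


def parse_conf(text):
    """hostapd.conf is key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_ok(p):
    """Page's rule: at least 20 characters, one capital letter, one digit."""
    return (len(p) >= 20 and re.search(r"[A-Z]", p) is not None
            and re.search(r"[0-9]", p) is not None)


def audit(conf):
    """Return the list of failed checks; an empty list means the config passes."""
    checks = [  # (condition that flags a problem, finding text)
        (conf.get("wpa") != "2", "wpa: not WPA2-only (WEP and WPA are broken)"),
        (conf.get("rsn_pairwise") != "CCMP", "rsn_pairwise: AES-CCMP not enforced"),
        (conf.get("wpa_pairwise", "CCMP") != "CCMP", "wpa_pairwise: TKIP allowed"),
        (conf.get("auth_algs", "3") != "1", "auth_algs: WEP shared-key auth allowed"),
        (not passphrase_ok(conf.get("wpa_passphrase", "")),
         "wpa_passphrase: shorter than 20 chars or lacks a capital/digit"),
        (conf.get("ignore_broadcast_ssid", "0") == "0", "ignore_broadcast_ssid: SSID broadcast"),
        (conf.get("macaddr_acl") != "1", "macaddr_acl: MAC allow-list not enabled"),
        (conf.get("ap_isolate", "0") != "1", "ap_isolate: clients can reach each other"),
        (conf.get("wps_state", "0") != "0", "wps_state: WPS enabled"),
        ("ap_max_inactivity" not in conf, "ap_max_inactivity: no inactivity timeout set"),
        ("max_num_sta" not in conf, "max_num_sta: no association limit set"),
        ("logger_syslog" not in conf, "logger_syslog: no syslog output to forward remotely"),
    ]
    return [text for bad, text in checks if bad]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)))
```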
08. How to ensure continuous security of corporate Wi-Fi network?
Security requires ongoing maintenance and education; it is important to regularly maintain the wireless network for the highest level of security.
· Regularly review the access and traffic of APs for abnormal traffic and rogue users.
· Update the firmware of wireless devices periodically.
· Perform a wireless vulnerability assessment regularly to check the enforcement of security policy, and to look for unknown wireless devices or security threats due to mis-configuration or device vulnerabilities.
· Subscribe to wireless security newsletters and alerts, and attend security seminars to keep abreast of new security trends.
09. Should I use free public Wi-Fi without encryption?
You should avoid using free public Wi-Fi without encryption; if you do so, you should avoid logging in to your email, online shopping or e-banking web sites.
10. How to avoid connecting to malicious Wi-Fi AP?
To avoid connecting to a malicious Wi-Fi AP, you should be aware of the SSID you are connecting to. Do not connect to an SSID called "Free Public Wi-Fi"; this is usually an ad-hoc network created by another laptop, or a trap that tricks you into connecting to a harmful network which then infects your laptop or steals personal data.
Some wireless APs require you to accept the usage agreement on a landing page; you should verify their certificate by clicking the SSL lock icon before you accept the usage agreement. Finally, you should turn off the Wi-Fi device when it is not in use, to avoid it automatically connecting to an unknown AP.
11. How to secure communication via public Wi-Fi?
Public Wi-Fi access is generally treated as an insecure connection. Many public Wi-Fi networks are completely unencrypted so that users can connect to them easily. An intruder could easily see all data being transmitted if it is unencrypted. Therefore, you should only connect to a Wi-Fi hotspot with encryption enabled. Below are some tips which help you access public Wi-Fi safely.
· Avoid sending financial / personal information over a public Wi-Fi network. If you must enter sensitive information, make sure you are connecting to an https web site: there is a lock icon in the browser window and the site's address begins with "https".
· Turn off file and printer sharing on your computer when connecting to a public network.
· Make sure your Internet browser, computer and antivirus signatures are up to date, and turn on your system firewall.
12. How to communicate sensitive information over public Wi-Fi?
We do not recommend sending sensitive information, such as financial information and bank account details, at a public Wi-Fi hotspot. If you do, make sure you are connecting to a legitimate hotspot and to web sites with encryption enabled.
13. What is an IP number?
The IP address is a number unique to each computer, used to identify you on the Internet. For example: 192.0.2.1
14. What should I do when my program reports that someone tried to break into my machine?
You should make a complaint to the network from which the attack came, including all the logs related to the attack that your program reported.