Why is my Computer Interesting for Attackers?
There are a number of reasons for this:
In the initial phase, hacking was a kind of sport in which experts wanted
to prove their skills. In phase II, script kiddies were often behind it, most
of whom did not even know what they were doing. Today it is the playground of
organized crime.
The aim is generally not so much to steal data from a private computer as to
gain access to the computer and, in the worst case, to integrate it into a
"botnet". Special "research centers" are operated to find vulnerabilities that
enable attacks even before day 0 (zero day).
There is now a lot of money to be made from finding such vulnerabilities: government agencies, as well as malware manufacturers, anti-virus software creators, and even the makers of the software themselves pay for it!
A "botnet" is a network of remotely controllable PC robots that
can be used, for example, for a DDoS
attack (distributed attack to disrupt a service), sending spam or cracking
passwords, whereby these "services" can then also be rented on the Internet
for a fee.
Many millions per month are now "earned" by blackmailing major service
providers on the Internet (banks, search engines, betting companies, …).
A botnet is created, for example, by infecting a large number of computers with a worm that then opens backdoors for remote access, e.g. Agobot.
In 2005, for example, J. J. Ancheta from California, who was only 20 years old, connected almost half a million PCs to form a "zombie network" by exploiting a Windows security hole.
Malware or Badware (Malicious Code)
As if it were not enough that ICT
systems are threatened by operating errors, power failures, network
malfunctions, hardware and software defects, there are also troublemakers
who have made it their business to produce malware to make our lives even more
difficult.
In the past, these were people who either wanted to prove to themselves or
others what they were capable of, but for years now there have been tangible
financial aspects in the background.
Malware on the Internet generally refers to code that can cause damage (in whatever form), and the current threats are constantly changing.
A distinction is made between different forms of malware:
Viruses are programs that are spread via host programs and copy themselves into
other programs when these programs are executed (thus also infecting them) -
the spread relies solely on the idiocy of computer users.
"Anyone who travels on the Net without virus protection endangers other users in much the same way as a car driver who travels with broken brakes and thus negligently endangers others." (Sven Karge, German Internet Industry Association [heise.de, 8.12.2009])
Genuinely new viruses now hardly ever occur, but "anti-virus programs" also
protect against other malware and should therefore continue to be used.
Main distribution: Emails (Outlook!).
Protection: Antivirus software.
Worms do not need a host program; they are independent programs that spread
themselves. In the past they were also mainly spread via email (and only became
active after being clicked), but now they mainly spread via the network and
operating system holes (vulnerabilities, open ports with security holes), while
still also sending themselves via email.
They often do not cause any direct damage to the infected computer and are
therefore hardly noticed by the user, but their massive spread puts a strain
on the network and/or they also attack servers, which then fail due to the
overload - Denial of Service (DoS).
They "live" from the holes in the operating system (or other programs) and
from the fact that users are too lazy (or ignorant) to plug these (often known)
holes with updates (patches).
Main distribution: Email, vulnerabilities in Windows.
Protection: Firewall, or operating system or software patches.
Trojans are often hidden and unwanted additional functions in programs that are useful in themselves. For example, a keylogger can be hidden in an IRC client, a program that registers every keystroke (including password entry, etc.) and forwards it to an arbitrary email address, or a backdoor (a new "service" that gives unauthorized persons access to your computer) is installed.
This group includes "greyware" (spyware such as keyloggers or adware that displays unwanted advertising), but also the particularly dangerous rootkits (which are difficult to detect).
Main distribution: Often installed by viruses/worms, but can also be unknowingly installed with (free) software.
Protection: Protection against viruses and worms, do not install software that you do not know, download software only from official download servers.
Worms and Trojans can also be used to create so-called botnets.
If you have logged in on a computer you do not know (e.g. in an Internet cafe) with username and password, please change the password in TUGRAZonline as soon as possible on a trusted computer (or e.g. via your cell phone).
Spam generally refers to mass emails that are not wanted.
Although they do not damage the software of the "infected" system, they consume resources (reading and/or deletion time, administration effort on the email server), may block the mailbox or, in extreme cases, paralyze the email server.
As long as only a few "customers" click on the links in the emails of commercial spammers and, on the other hand, sending emails is free of charge, the spammers will continue to spread their garbage.
Main distribution: Intentional sending to previously purchased/collected email addresses, sending by viruses and/or worms.
Protection: Central filters on the email servers (defined via webmail), local (adaptive) email filters in the email client.
Phishing (a made-up word from the parts password harvesting and fishing) refers to the attempt (by sometimes clever deception) to trick Internet users into disclosing account data on a fake website (or by email), which is of course especially problematic for bank account data (but we are not responsible for that).
Tools for phishing campaigns are available free of charge on the net, i.e. it is now possible even for laymen to launch such an attack.
Main distribution: HTML emails to ignorant or inattentive Internet users.
Protection: With HTML emails, always check whether a link actually points to the specified page; it is even better if you deactivate HTML for email. Always check the address of the sender!
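The check recommended above (does the link text match where the link really goes?) can be automated for a whole HTML email. This is an added example, not code from the original page; the sample mail is constructed and the hostnames in it are only illustrative.

```python
"""Flag links in an HTML email whose visible text names a different host than
the href really points to. Added example; the sample mail below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []        # (href, visible text) for every <a> element
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL-looking string, or None."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def suspicious_links(html):
    """Return (shown_text, real_href) for links where the text shown to the
    reader names one host but the href leads to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        # only compare when the visible text itself looks like a host name
        if shown and real and "." in shown and shown != real:
            flagged.append((text, href))
    return flagged


# Constructed sample mail: one honest link, one whose text hides its target
SAMPLE_MAIL = """<p>Your mailbox is full. Log in at
<a href="http://login.example.net/reset">https://online.tugraz.at</a>
to keep your account. Help: <a href="https://www.tugraz.at">www.tugraz.at</a></p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_MAIL):
        print("shown as %r but points to %r" % (text, href))
```

Links whose text is not a host name ("click here") are not judged by this check; for those, only the real href can be inspected.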
Spear phishing is the targeted sending of phishing emails, where social engineering etc. is used to increase the hit rate, e.g. by pretending that the email comes from a colleague, a superior or the HR department, or from a customer, patient etc.
In most cases, the attempt is not to obtain account data, but to infiltrate a Trojan into the system of the person being attacked or to carry out a BEC attack.
The people who are targeted are those with whom the greatest impact can be achieved: Management, IT administrators, …
Very broadly spread spear phishing.
Phishing aims to lure inattentive users to false addresses (via emails), where web pages that deceptively mimic the real ones try to elicit passwords from the visitor. Pharming uses various methods to manipulate the DNS entry of a computer (DNS spoofing).
Even if you select the correct address from your bookmarks or type it manually, you end up on the wrong page because the scammers have managed to assign a different IP address to this web address. This can happen, for example, by adding a false entry to the local hosts file (e.g. by a Trojan), by foisting a false name server onto the computer (via DHCP or direct entry) which then resolves the web address incorrectly, or by hacking the legitimate name server, which then provides a false resolution for all users of this network and thus enables, for example, a MITM attack.
Main distribution: Trojans, viruses, "rogue" DHCP server.
Protection: Always check the site's security certificate, especially if it is indicated that it has changed.
By exploiting security holes (vulnerabilities) it is possible to infect your computer just by visiting a manipulated website or opening an email.
Main distribution: Manipulated websites, emails.
Protection: Current browser, current plug-ins and add-ons. Up-to-date email program with disabled scripts/macros.
The combination of spam, phishing, spyware, viruses, … with fraud methods from the Web at the application level.
Targeted attacks are generally aimed either at (known) vulnerabilities of the operating system used ("harden" your computers by installing only those programs you really need, use a firewall), at vulnerabilities in widely used programs (e.g. PHP scripts or CMS vulnerabilities as with WordPress on web servers) or at vulnerabilities in your own programs.
Main distribution: There are always more people than you think who are interested in either your data or your Internet connection!
Protection: Hardening of the operating system, use of an (application) firewall, checking of self-written software for vulnerabilities, installation of patches when vulnerabilities of used programs become known (read the corresponding RSS feeds or newsgroups or subscribe to the relevant mailing lists!)
The admin of a server and/or service must take care of the server (operating system) and/or service (e. g. CMS) on a daily basis!
Scareware is software that reports the (apparent) infection of the computer with malware to the user in order to then offer to clean up the computer for a fee, the best-known example being the BKA Trojan.
Sometimes this is combined with a lock screen, which is then already a version of ransomware. However, the data is usually not lost: If you boot from a CD or USB stick, for example, you can restore the system because often only the start screen is manipulated.
In contrast, ransomware actually infects your computer, encrypts all data on the hard drive (or all accessible memory areas) and only releases it again upon payment of a ransom.
Protection: Regular backup to an external (possibly changing) backup medium. Do not pay money: it is not guaranteed that you will really get the unlock code! Research whether there may already be decryption programs available.
Another form of blackmail is to threaten you with the publication of secret (e. g. patent development, company data, …) or private information (e. g. sextortion).
Protection: Such data should only be stored in encrypted form and access to it should be appropriately secured.
Hoaxes are emails (mostly in chain letter form) that either warn about something or ask for something. They do not cause any damage per se, but the working time, network resources, etc. alone cost money.
Main distribution: Deliberate forwarding by ignorant Internet users.
Protection: In the case of chain letter-like emails, check whether this type is not already known as a hoax.
Through trojans, but also through social engineering etc. (at Graz University of Technology we publish this in TUGRAZonline), it is found out who the boss (CEO) of a company is, what his emails usually look like and who is responsible for accounting/payments.
A fake email is then used either to get the accounting department to transfer money or to get employees to buy vouchers, for example.
Best known case in Austria: FACC (damage: 50,000,000 euros).
Deepfakes:
In the meantime, voice and video are also being faked by AI; no medium can be trusted 100% anymore!
Why Should I Keep my Username Secret?
There are 2 good reasons for this:
Why does ZID require that your password is so long and complicated? It can't matter to ZID if someone gets access to your emails, can it?
The answer is that at Graz University of Technology the TU Graz password is used in many places and not all of these are secured by a second factor. An attacker who knows your password thus has access to many services, e.g. also the SMTP server via which the attacker can then send spam, for example, which then lands the TU SMTP server on blocklists. The consequence is that no one can send emails anymore (and this is not a constructed example, this has already happened several times).
Recommendations for passwords (not only in TUGRAZonline):
Such a password is then generally quite complicated and difficult to remember - a hint on how to create a password that meets these criteria and is still not forgotten:
More hints can be found in our password policy.
The TU Graz passwords must not be used in systems not connected to TUGRAZonline, because the security might be much lower there! If an institute wants to protect data on the web with the TU Graz account, we offer an SSO solution with Shibboleth!
Many programs now offer you the possibility to save the password. We do not recommend doing this, because
However, the ZID offers you a secure way to store and also share your passwords: sesam.TUGraz.at.
Usage
Use the password (if possible) only on systems whose integrity is guaranteed to a high degree; on insecure systems, prefer an SMS-TAN system instead, which is also available for TUGRAZonline via the mobile signature.
Safety and security in the workplace includes many points, which are suggested below:
The security of the operating system software of a workstation requires the following additional settings or precautions:
Use the Windows update server of ZID within the TU Graz!
Please make sure that no data is stored locally on the workstation itself, but that a network drive is always used. Then there can be no unpleasant loss of data in case of damage to the local hard disk!
The servers for the administration and the rectorate are backed up centrally by the ZID.
The institutes are usually responsible for backing up their data on institute servers themselves. Further information can be found under backup.
To ensure trouble-free operation of all servers - and also network components - the machines of ZID are housed in special air-conditioned rooms and are also protected against power failures by an uninterruptible power supply (UPS). Furthermore, a fire protection system and an access control system are in place.
Servers in the institutes' premises that are not secured in this way should at least be protected against unauthorized access by a separate, locked and well-ventilated room and by locking the console.
There is a wide range of software tools that can be used for security control and monitoring of servers.
Access data (username/password) should only be given to users by the administrator in one of the following ways:
Network sockets in (semi)public areas of TU Graz (corridors, seminar rooms, lecture halls, lounges etc.) may only be in one of the following 3 states:
In the network area of the administration, in the sub-centers and the premises of ZID, a solid basic security is established by ZID through appropriate configurations of routers and switches as well as the use of virtual networks and a careful hardware renewal.
An NGFW scans traffic for abnormal patterns (this includes e.g. web traffic on a port that is not normally used by web servers) and blocks unwanted communication; in doing so, all network traffic of Graz University of Technology (i.e. also outgoing traffic!) is checked for possible attack attempts (whether deliberate or unknowing, e.g. by malware), with the exception of email traffic, which is routed via the central mailgates anyway.
If an attack is detected, it is blocked, but the computer's allowed connections are not affected.
If you suspect that a service is blocked by the NGFW by mistake, please send us an email. Due to the large amount of data, log files are only stored for a very short time, so it is often difficult to determine afterwards why something was blocked; the process must then often be reproduced.
Computers infected with malware are blocked at the transition to the Internet by a TUGRAZonline application at the traffic shaper, IPs without DNS entry are automatically blocked.
You can find the status of your own IPs (and a possible reason for blocking, such as worm, virus or portscan) in TUGRAZonline; the IT officers (EDV-Beauftragte) can see the status of each IP in the IP range they are responsible for.
When an IP is blocked, an email with the reason for the block is sent to the "owner" of the IP. Each IP should therefore be assigned to a person (as has long been the case), and conversely only those IPs should be assigned to a person for which that person is actually responsible (this may well have consequences under criminal, civil and official law!). Apart from the email, you can also find the blocking reason for an IP by clicking on the status in the host name administration and then going to the "Detail" view.
The areas of administration and the central database servers of TU Graz are protected by a central firewall.
Institutes are responsible for securing their network infrastructure themselves, but are supported by ZID depending on the available resources (e.g. setting up "open source" firewalls or using a "virtual" firewall of ZID).
Application Security: Never Trust the Client!
Comprehensive security measures should be implemented in several layers - like an onion or matryoshka:
Already at the network level we try to detect and minimize certain potential dangers (e.g. by port blocking); the NGFW detects certain attacks and blocks access as well; the firewall can allow access only to certain IPs or only to certain protocols; and we also support the "hardening" of the operating system. Where we currently cannot help (yet) is with (self-developed) programs, e.g. in the web server environment, which may be vulnerable: if the web page is called normally but invalid parameters are passed, it is the task of the programmer of the application to prevent damage from occurring. An "application firewall" is currently not operated by ZID!
Examples for such attack scenarios on application level:
If your (web) application is based on an SQL database, then you need to check whether it is possible to insert new, additional code via input fields or call parameters.
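The check described above, shown as an added example (not code from the original page): the same lookup written once by string concatenation and once with a bound parameter, against a constructed in-memory SQLite table. The crafted value alters the query logic only in the concatenated version.

```python
"""Vulnerable vs. parameterized SQL lookup. Added example; the user table
and the query are constructed for illustration."""
import sqlite3


def make_db():
    """In-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def find_email_vulnerable(conn, name):
    """Builds the statement by concatenation: the 'name' parameter becomes
    part of the SQL code, which is exactly the hole the page warns about."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Binds the value as a parameter: it is only ever data, never code."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # a normal request behaves the same either way
    print(find_email_vulnerable(db, "alice"), find_email_safe(db, "alice"))
    # a crafted parameter changes the WHERE clause in the vulnerable version
    crafted = "x' OR '1'='1"
    print(find_email_vulnerable(db, crafted))   # both addresses are returned
    # ...and matches nothing in the parameterized one
    print(find_email_safe(db, crafted))         # []
```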
The procedure described above can also work with "normal" programs in script languages: in this case no attempt is made to inject SQL statements, but rather commands in the respective script language (e.g. Perl or PHP) or direct calls to other programs stored on the server. If PHP uses the include() function to load external code, this is also referred to as server-side XSSi (Cross Site Scripting).
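For the include() and program-call cases just described, the defensive pattern is the same: never let a client-supplied value choose code or reach a command line unvalidated. Added example, not from the original page; the page names, include directory and converter tool are hypothetical.

```python
"""Allowlisting client-supplied values that select server-side code or
program arguments. Added example; BASE_DIR, ALLOWED_PAGES and the converter
tool are hypothetical."""
import os
import re

# only these logical page names may ever be turned into a file to include
ALLOWED_PAGES = {"home": "home.php", "contact": "contact.php"}
BASE_DIR = os.path.realpath("/srv/www/includes")   # hypothetical location

# arguments handed to another program: letters, digits, '.', '_', '-' only
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def include_path(page):
    """Map an allowlisted page name to a file that must lie below BASE_DIR.
    Raises ValueError for anything else ('../x', 'http://...', absolute paths)."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    full = os.path.realpath(os.path.join(BASE_DIR, ALLOWED_PAGES[page]))
    # belt and braces: even an allowlisted entry may not escape the directory
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("path escapes include directory")
    return full


def build_argv(filename):
    """Return an argv list for a hypothetical converter tool. No shell is
    involved and the argument is checked against a strict pattern, so shell
    metacharacters (';', '|', '$(...)') can never reach a command line; a
    leading '-' is rejected so the value cannot be parsed as an option."""
    if not SAFE_ARG.match(filename) or filename.startswith("-"):
        raise ValueError("rejected argument: %r" % filename)
    return ["/usr/local/bin/convert-tool", "--input", filename]
```

Pass the list from build_argv to subprocess.run() without shell=True; the allowlist in include_path replaces any attempt to "sanitize" a free-form file name.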
Cookies, Session Parameter, Hidden Field Tampering, Formatstring, FormMail …
Instant Messaging, P2P, Skype, Bluetooth, …
Please note that with many "modern" applications there is a great risk that your computer will be infected with malware:
Virus filters do not take effect here when exchanging data - so hands off if you do not know exactly which options to activate!
Please always consider the GDPR when using new programs and ask the DPC if it is legally possible to use them at TU Graz at all!
What to Do in Case of a (New) Threat?
If the computer is locked by ZID:
We ask you to keep yourself informed about security-relevant matters (read e.g. RSS feeds or newsgroups or subscribe to the relevant mailing lists!), as this is part of your obligations in TUGnet!