<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; anti-virus</title>
	<atom:link href="http://www.gfi.com/blog/tag/anti-virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Thu, 11 Mar 2010 14:40:06 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Trust: Security, the enemy of Security</title>
		<link>http://www.gfi.com/blog/trust-security-enemy-security/</link>
		<comments>http://www.gfi.com/blog/trust-security-enemy-security/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 10:28:24 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1950</guid>
		<description><![CDATA[In the previous posts about Trust I outlined how things that are designed to help you with your security can sometimes hinder that very security that you are trying to achieve. Today I will take ...<p><a href="http://www.gfi.com/blog/trust-security-enemy-security/">Trust: Security, the enemy of Security</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="security shield" href="http://www.gfi.com/blog/wp-content/uploads/2010/03/scurity-shield.jpg"><img class="alignright size-medium wp-image-1952" style="border: 0pt none; margin: 10px;" title="security shield" src="http://www.gfi.com/blog/wp-content/uploads/2010/03/scurity-shield-300x300.jpg" alt="" width="210" height="210" /></a>In the<a href="http://www.gfi.com/blog/trust-certifications/"> previous posts about Trust </a>I outlined how things that are designed to help you with your security can sometimes hinder that very security that you are trying to achieve. Today I will take that even further and outline how the whole concept of security can, in some cases, make you even less secure.</p>
<p>The problem I am talking about is caused by being overly confident in the system provided thus leading to a false sense of security. Much like how the captain of the Titanic felt the puny iceberg was no match for his state of the art ship, so some people feel about being compromised after they implement the latest in security measures.</p>
<p><span id="more-1950"></span></p>
<p>Lately we had some examples of this due to the high profile assassination in Dubai. As the news has been reporting over and over again the assassins entered the country using forged passports. The passports in question were biometric passports.  Biometric passports are hailed as the ultimate in security. Confidence is so high in their security that the Netherlands has even been trialing an automated passport scanning system, which a pair of ethical hackers managed to fool by getting a fake biometric passport in the name of Elvis Presley registered in a fake country approved.  I am not aware of any country that has gone fully automated; however, even just testing out such automated systems is, in my opinion, a sign of the danger that security can be to itself.  Simply considering automating such a critical security system means that there are some people who have huge faith in how infallible the system is and this in itself is a threat to security.  One should never have such a strong belief that a security system is infallible because, no matter how good it is, it still can, and will, be broken.</p>
<p>The issue isn’t limited exclusively to passports. This type of overconfidence is present in more mundane situations. Time and time again I have been asked by a friend to help clean their machine from malware, and when I ask them whether they had clicked on dubious attachments in emails, they usually had, with the conviction that it was okay. Even if the attachment were malicious, they believed their antivirus software would protect them from any possible infection.</p>
<p>Companies are not immune to this way of thinking either. Deploying antivirus and patch management mechanisms is at times considered to be enough.  Additional tools such as vulnerability scanning, log management and perimeter security might be considered an unnecessary expense because they are regarded as a second layer of security, where the risk is already being mitigated through virus scanning and patch management. This is true to a point; however, you can never have blind faith that any antivirus software will detect every form of malware and you can never be totally sure that every vulnerability will be patched, and on time.</p>
<p>Going back to the title, Security is the enemy of Security, what does that mean exactly? I am obviously not suggesting that removing security measures will make everyone more secure. What I am trying to say is that no matter how much security one puts into place he should still work under the assumption that they will all fail. Don’t allow security to make you lazy. Anything suspicious, be it a link or an attachment, will still require the same diligence as if one had no antivirus / link scanner in place because if it’s malicious your security system might still fail to detect it.</p>
<p>Always remember that security is not the first line of defense, the user is. Security mechanisms are in place to protect the system when the user fails; they are not a magical filter that knows all good from bad.  There is also a third line of defense which protects the system in the event of the security mechanism itself failing, and that is the Administrator who monitors the system for intrusions and suspicious behavior. If a security system fails, the best you can hope for at that point is that the administrator detects the intrusion in a timely manner and takes corrective action before the damage spreads. These three tiers need to work in tandem. Security will be the enemy of itself if the user relaxes and takes risks under the assumption and ‘peace of mind’ that the security system will take care of any slipups caused by his actions. Security will also be its own enemy when the administrator feels s/he can neglect monitoring duties, confident that the policies in place which users follow and the security infrastructure will prevent any intrusions and malware from ever infiltrating the network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/trust-security-enemy-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Scareware on the increase</title>
		<link>http://www.gfi.com/blog/scareware-increase/</link>
		<comments>http://www.gfi.com/blog/scareware-increase/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 14:38:26 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1365</guid>
		<description><![CDATA[A report by the Antiphishing Working Group this week reveals that the number of people downloading and installing rogue anti-virus programs is on the rise with one security company claiming that cybercriminals were making up ...<p><a href="http://www.gfi.com/blog/scareware-increase/">Scareware on the increase</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Scareware is used as a money scam" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/scareware.jpg"><img class="alignright size-medium wp-image-1366" style="margin: 10px;" title="Scareware is used as a money scam" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/scareware-168x300.jpg" alt="" width="168" height="300" /></a>A report by the Antiphishing Working Group this week reveals that the number of people downloading and installing rogue anti-virus programs is on the rise with one security company claiming that cybercriminals were making up to $34 million a MONTH from gullible users.</p>
<p>According to the findings, in the first quarter of 2009 alone, more new strains of rogue anti-virus program (or scareware) were created than in all of 2008. By June of this year, more than 150,000 rogue programs had been identified.</p>
<p>Scareware and rogue programs have been spreading fast because they fit into a business model that reaps the benefits much faster than using Trojans or other types of malware. With rogue software, cybercriminals just wait for the people who download the software (after getting a shock message that their computer has been infected with some virus or other) to pay up to have their machine cleaned. These programs are often not detected by anti-virus engines and they make changes to the operating system to prevent their removal until the victim pays for the rogueware.</p>
<p><span id="more-1365"></span></p>
<p>The success that cybercriminals are having with these types of programs indicates that many people simply act before they think of the consequences. If you don’t have an AV solution installed, and you receive a message saying the machine is infected, something is amiss and certainly not right – if you don’t have AV you shouldn’t be told that you have an infection!</p>
<p>However, cybercriminals play on people’s fear that a virus has entered their system. With little or no technical knowledge they fall for the scam and pay up – anything to get rid of the virus.</p>
<p>If, on the other hand, you have anti-virus installed, you should read the message that pops up very carefully. If you are asked to install an AV program (and you know you have one already), that should ring a very loud alarm bell. Unfortunately, many users believe that their AV has failed and they remove it to purchase the rogueware.</p>
<p>For cybercriminals, it’s a win-win situation and the fastest way to make a quick buck.</p>
<p>If you, family members or colleagues do receive AV warnings, treat them with suspicion and check that the company claiming that you have a virus is the same as that whose software you have installed and speak to an IT expert. Whatever happens, do not pay any money.</p>
<p>Some common names used by these programs include: Antivirus2009, Xpantivrus2008, XPAntiSpyware2009, MSAntiSpyware2009, WinPC Defender, SystemSecurity and System Guard2009.</p>
<p>You can read the <a target="_blank" href="http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf">full APWG report</a> here.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/scareware-increase/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>My PC might have a virus – what do I do?</title>
		<link>http://www.gfi.com/blog/pc-virus/</link>
		<comments>http://www.gfi.com/blog/pc-virus/#comments</comments>
		<pubDate>Fri, 21 Aug 2009 14:06:30 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=909</guid>
		<description><![CDATA[One of the most common posts that you see in various forums is from people who suspect that their computer might be virus infected.  Posts such as, “My computer is crashing, do I have a ...<p><a href="http://www.gfi.com/blog/pc-virus/">My PC might have a virus – what do I do?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="my-computer-might-have-a-virus" href="http://www.gfi.com/blog/wp-content/uploads/2009/08/my-computer-might-have-a-virus.jpg"><img class="alignright size-medium wp-image-910" style="margin: 10px;" title="my-computer-might-have-a-virus" src="http://www.gfi.com/blog/wp-content/uploads/2009/08/my-computer-might-have-a-virus-300x219.jpg" alt="" width="300" height="219" /></a>One of the most common posts that you see in various forums is from people who suspect that their computer might be virus infected.  Posts such as, “My computer is crashing, do I have a virus?” or “I just got infected with a virus, what should I do?” are a clear indication that virus infection is a serious problem and that having guidelines on how to tackle such an event is essential.</p>
<h2>Determining whether you’re infected</h2>
<p>The first step to take when suspecting your computer might be infected is to actually confirm whether it is or not. There are a lot of viruses out there and whilst most anti-virus solutions can detect almost all of them, there is always the risk of being infected with a custom virus – something as yet unknown or even something that your anti-virus solution might not be able to recognize yet. As such, if your anti-virus solution is saying that you’re clean, it’s a good sign, but not necessarily a definite one.</p>
<h3><span id="more-909"></span>What should one do to be sure?</h3>
<p>The first step is to take note of when the symptoms that are making you suspect a virus started. Then think about anything that you might have run or installed during that time, including attachments you opened or ran from your received emails. (Note: not all infections start with the user running something, but the majority do.)</p>
<p>If anything from the above exercise raises a red flag in your mind, or might be of dubious origin (such as receiving an email from a friend that didn’t sound like them), then it is definitely worth investigating that file.</p>
<p>We already know that the virus scanner installed didn’t detect any viruses but we need to be sure &#8211; so how about testing the file with multiple anti-virus engines?</p>
<h2>Using multiple anti-virus engines</h2>
<p>Don’t worry, you do not need to buy them all; there is a <a target="_blank" href="http://www.virustotal.com">free service that does exactly this</a>. All you need to do is upload the suspicious file and see if it is detected as a malicious file by any of the virus engines.</p>
<p>If, on the other hand, you have no idea which file might have caused the infection, the only other option is to scan your computer with another anti-virus. Again we do not have to buy any products for now; most anti-virus vendors offer free anti-virus scanning from the web. These will only detect a virus, however; they will not clean it. Still, for our purpose, which is finding whether we’re infected and with what, it’s enough.  You can search for online virus scanners or use one from the list below:</p>
<p><a target="_blank" href="http://www.kaspersky.com/virusscanner">http://www.kaspersky.com/virusscanner</a><br />
<a target="_blank" href="http://www.bitdefender.com/scanner/online/free.html">http://www.bitdefender.com/scanner/online/free.html</a><br />
<a target="_blank" href="http://home.mcafee.com/Downloads/FreeScan.aspx">http://home.mcafee.com/Downloads/FreeScan.aspx</a><br />
<a target="_blank" href="http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/">http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/</a><br />
<a target="_blank" href="http://housecall.trendmicro.com/">http://housecall.trendmicro.com/</a></p>
<p>Once you’ve finished scanning and you do find a virus, you have three options:</p>
<ul>
<li>Buy the full product of the brand that detected your virus. (This will ensure that at least you will definitely know that it will be detected)</li>
<li>Search the web for a free tool that can clean this particular virus or even documentation of how to do it manually. (This is only recommended if you’re an advanced user. Be aware that most of these procedures can be quite advanced and that either not following them correctly or discovering that they have an error in their procedure can make matters worse by breaking your Windows installation)</li>
<li>Alternatively if you have backups you can also reinstall your Windows installation. This is a bit inconvenient but it is also the only way to be 100% sure that you got rid of the virus. (Make sure your backups are not infected!)</li>
</ul>
<h2>What if I am unable to find any virus?</h2>
<p>If, after scanning with multiple anti-virus engines, you still don’t detect anything, it is likely that the symptoms you’re experiencing are coming from something else &#8211; possibly a hardware problem. Of course there is still that small chance that either this virus is still too new or that it is custom built and maybe this was a targeted attack. However, anti-virus products may use heuristics to detect an infection; i.e. they try to look for suspicious routines in software that might indicate that the file contains a virus even though that type of virus was never analyzed before by the anti-virus vendor.</p>
<h3>Faulty RAM</h3>
<p>Let’s assume that there is actually no virus. In this case we must look at what the symptoms are and what’s causing them. What people most often mistake for viruses occurs when the computer freezes. This can happen for a number of reasons, the most common being faulty RAM. We can test for this using the free program, <a target="_blank" href="http://www.memtest.org/">memtest86+</a>.</p>
<h3>Video card issues</h3>
<p>If your screen gets garbled before it freezes, it’s likely to be either a video card problem or a power supply unit problem that is not supplying enough power to the video card. It could also be that the graphic card is over-heating. Playing modern 3D games is the best way to stress the video card so if this happens when you’re playing, and occurs in multiple games, then this is definitely something worth looking into. Some graphic cards include utilities to monitor the temperature and current of the card which are definitely worth keeping an eye on to help diagnose the issue.</p>
<h3>Hard Disk Failure</h3>
<p>If both the above seem okay, then a third possibility is a hard disk failure. Your computer uses a set amount of hard disk space for swapping (to use as memory when physical memory fills up); if the data is corrupted, it can cause the computer to freeze when it is accessed again.</p>
<p>To diagnose this just run a scandisk:</p>
<ol>
<li>Right-click on the drive you want to check in Windows Explorer.</li>
<li>Click Properties.</li>
<li>Switch to the Tools tab.</li>
<li>Click Check Now under Error-checking.</li>
<li>Make sure the check box ‘scan for and attempt recovery of bad sectors’ is enabled.</li>
</ol>
<p>If indeed there are bad sectors, then make sure the swap partition is on another drive that has none. It is also very much recommended that you have a backup of the data on that drive and that you replace it as soon as possible as it might get worse and eventually stop working. </p>
<p>To change the location of the swap file you need to:</p>
<ol>
<li>Right-click on My Computer.</li>
<li>Choose Properties.</li>
<li>Go to Advanced settings.</li>
<li>Click on the Advanced tab.</li>
<li>Choose Settings under the Performance group box.</li>
<li>Go to the Advanced tab.</li>
<li>Click on Change under the Virtual memory group box.</li>
</ol>
<h2>What to consider if your machine is infected</h2>
<p>There are a number of things to do if you find that your machine is infected. If your computer is hooked to a network, isolate it as soon as possible to prevent the infection from spreading. This is done either by disconnecting the infected machine from the network or if you need the internet to fix the issue then disconnect the other machines if it is feasible. (Note that when connected to the internet the infected machine might try to infect other machines, send spam or even launch attacks against certain sites - some infections (Trojan horses) can effectively give control of your computer to a malicious third party so in any case the less time online the better).</p>
<p>Some infections are really insidious and actually modify the operating system to hide from the anti-virus software. These types of infections, called rootkits, can be impossible to detect from the infected system itself. In this case we’d need to boot from a clean Windows installation and use that to run our scans. Luckily there are <a target="_blank" href="http://www.avira.com/en/company_news/new_rescue_cd.html">products out there</a> that <a target="_blank" href="http://www.avast.com/eng/avast_bart_cd.html">offer bootable CDs</a> to use in these cases.</p>
<p>Advanced users can even <a target="_blank" href="http://www.nu2.nu/pebuilder/">build their own</a>.</p>
<h2>Prevention is better than Cure</h2>
<p>Here are a few tips on how not to get infected and even how to protect from getting infected again.</p>
<ol>
<li>It is essential to keep your system up-to-date. Software has bugs and bugs can sometimes be exploited by viruses to infect people’s machines without their intervention. So <a href="http://www.gfi.com/lannetscan">ensure that your system is up-to-date with the latest security patches</a>. Microsoft, for example, generally releases its security patches on the second Tuesday of each month.</li>
<li>Have an anti-virus solution in place to protect your machine. Businesses can go a step further and install products that protect specific vectors such as web downloads and email <a href="http://www.gfi.com/mailsecurity">using products that scan for multiple viruses using multiple anti-virus engines</a>. Having a firewall set up can also reduce the risk of infection.</li>
<li>Be careful of what you install and run on your machine. Each time you run an application there is a risk of infection; the more unreliable the source the bigger the risk. No source is ever 100% safe, as viruses have sometimes been distributed with hardware and even with magazines, as reported in a recent story about <a target="_blank" href="http://www.sophos.com/blogs/gc/g/2009/08/20/magazine-ships-induc-delphi-virus-cover-cd-rom/">the virus that targets the Delphi development environment: W32/InducA</a>. This is not to say that one shouldn’t run any software but it’s good practice to be aware and protected.</li>
</ol>
<p>We have discussed at length how to confirm whether your machine has an infection or not, as well as what it could be if there are signs that point to an infection but no virus is found. We have also gone through some good tips on how one can protect their system from infection; however, this is a huge area and individual cases will be different, but if you have any difficulties or situations that haven’t been discussed here, feel free to leave a comment and I will try to help out if I can.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/pc-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GFI MailSecurity &#8211; Server Anti-virus for Exchange</title>
		<link>http://www.gfi.com/blog/gfi-mailsecurity-server-antivirus-exchange/</link>
		<comments>http://www.gfi.com/blog/gfi-mailsecurity-server-antivirus-exchange/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 13:12:47 +0000</pubDate>
		<dc:creator>Giselle Borg Olivier</dc:creator>
				<category><![CDATA[Videos]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[GFI MailSecurity]]></category>
		<category><![CDATA[video]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=856</guid>
		<description><![CDATA[We have added two new GFI QuickVids to our series of product videos that highlight some of the common problems and pain points encountered by IT administrators and how one of GFI’s products can provide ...<p><a href="http://www.gfi.com/blog/gfi-mailsecurity-server-antivirus-exchange/">GFI MailSecurity &#8211; Server Anti-virus for Exchange</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="GFI QuickVid - GFI MailSecurity – Server Anti-virus for Exchange " href="http://www.gfi.com/blog/wp-content/uploads/2009/08/video-small.jpg"><img class="alignright size-full wp-image-872" style="margin: 10px;" title="GFI QuickVid - GFI MailSecurity – Server Anti-virus for Exchange " src="http://www.gfi.com/blog/wp-content/uploads/2009/08/video-small.jpg" alt="" width="155" height="160" /></a>We have added two new GFI QuickVids to our series of product videos that highlight some of the common problems and pain points encountered by IT administrators and how one of GFI’s products can provide them with a complete solution.</p>
<p>This GFI QuickVid talks about GFI MailSecurity &#8211; Server Anti-virus for Exchange. Other <a target="_blank" href="http://www.youtube.com/gfisoftware">GFI QuickVids are available on our YouTube channel</a>.</p>
<p><a target="_blank" href="http://www.youtube.com/watch?v=y9Nhbi70K2A"></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/gfi-mailsecurity-server-antivirus-exchange/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
