You could actually title this article "Virus Alert - I just Got Nailed," Part Two. (The link to the first installment, published in December 2001, is www.infosecnews.com/opinion/2001/12/12_03.htm).
While so much has happened to me in a very short time period that it might take several of these Infosecurity Opinion articles to explain it all, it's worth reviewing some of the more problematic occurrences, since this sequence of events was nasty; plus, it could happen to anyone.
A Quiet Sunday Evening...
At least that's what I thought when I came home from church and decided to read my email for the day. One of the email messages was from a person that I know and trust. There was an attachment and I thought that it might be a picture of some food that we were recently discussing (soft pretzels, in case you're wondering). When I clicked on the attachment, it didn't appear to open. It was like there was nothing there. I really didn't think much of it and I went into my browser and started checking the price of something I'd had been watching out for on eBay. After about 30 seconds of being in my browser, my personal firewall lit up my screen with a warning that an executable called kernel32.exe was trying to get out to the Internet from my workstation. I pushed the OK button and off it went. Not good!
In my defense (I'm trying to feel a little less guilty, so humor me), my firewall was as new as my AV software and it was still asking me if I should let certain things have outgoing permissions. Being an old UNIX geek, kernel32.exe sounded to me like something that needed to be running, at least at 10.30 p.m. it did. As far as I knew, everything was fine after I said OK to the firewall request and I proceeded to check on my potential eBay treasure. The price was right, so I submitted my bid (credit card number and all) to eBay. When you do that, eBay sends you an email letting you know that they received your bid and that you were the current high bidder for the item. When I went to check my email again to see if I had received the email from eBay, I immediately knew that something was wrong. I didn't have my eBay email yet, but I did have about a dozen emails from people I didn't even think I knew, who were saying they had received a virus from my workstation. At first, I thought for sure that they had to be wrong.
My Firewall Tried to Save Me
If you read my previous article, you will see that I had the latest version of a major anti-virus software product running and was also running their automatic update option, which checks to see if new updates are available every time I log onto the Internet. The report always comes back telling me that I am running the latest updates. Even though these two products go hand-in-hand, it's the firewall piece that I want to concentrate on here.
After all of that fun on a now very late Sunday evening, I decided that I didn't trust anything anymore and re-installed my AV application and my firewall application. I started off with brand new logs and made the firewall ask me for permission for every application that needs to send something to the Internet, including Internet Explorer as it tried to run for the first time after I re-installed the firewall.
This was quite educational. For the first time, I now know just what my computer is doing (I think) as packets fly in and out of my modem. I'm always concerned about things trying to get into my computer, but I'm even more interested in the things that try to get out. This is especially true about things that I don't know about. There was a cute poster floating around back in the late 80s that read, "It's 11 o'clock. Do you know what your computer is doing?" Back then, I had a good idea of what was running at any time on my IBM 286, with its whopping two meg of memory and its 40Mb hard drive.
I was about to get another shock, as I looked at the firewall logs after the first 30 minutes of use of the newly re-installed application. In that short time, the firewall had logged several thousand violations, mostly incoming to the IP address where I was connected. I don't suspect that I am being targeted, however, since I was connected via dial-up, which assigns me a dynamic IP address each time I connect. If you are connected to the Internet by a cable modem or DSL connection, your IP address will be static and the opportunity for attacks could be even greater.
Will Things Ever Get Better?
I'm not sure of how to answer that one. When I'm out there sharing my horror stories at conferences and other group meetings, I usually ask for a show of hands of all the people in the audience who use a personal firewall. Usually, about half of the hands go up. As I'm driving home, I often wonder how many of those who raised their hands ever look at their firewall's logs. Do they know for sure that the things that their computer is sending out to the Internet are things they want sent out? In short, when it's 11 p.m., do they know what their computer is doing? I try real hard to keep up with mine and, for a while on that Sunday evening, I didn't have a clue as to what it was doing!
As for the people in the groups who didn't raise their hand when I asked the question about who has a personal firewall, well I'll be back in church again next Sunday and I'll try to remember them when I'm there.
Jack Wiles is president and co-founder of TheTrainingCo and is a 30+ year security veteran. He is also the MC of the annual International Techno-Security Conferences. You can email him at [email protected] or find out more about him by visiting www.thetrainingco.com/biojackwiles.html.
