Screen Scraping, Trojan Horses and passwords… oh, my

Once again, here’s today’s installment on some of the different ways Microsoft is working on improving your experience with your computer, with blog bits spent on OneCare, Windows Defender, spam, Windows Live Safety Center, and last on phishing.

Today it’s about screen scraping and Trojan horses, and how this can happen to you. 

Screen scraping attacks are becoming more common in scammers’ schemes to subvert sophisticated security systems. Wikipedia defines screen scraping as “a technique in which a computer program extracts data from the display output of another program. The program doing the scraping is called a screen scraper.”

In plain terms, a screen scraper is a program that captures or records computer screen activity, such as keystrokes, mouse clicks and movements across the screen. (In application and web development, screen scraping has a legitimate use to acquire and display information, a.k.a. presentation integration.) But there are surreptitious uses for this technique that are sometimes employed by hackers who ultimately want to gain control of your computer or your personal information.

In some cases a Trojan horse program lurks on your computer waiting for you to visit a web site (a bank, brokerage firm, retailer, epayment) and then captures your interactions with the site. This information can be sent to the bad guys controlling the Trojan horse, who can then use this information to access your accounts.

[Image: 19th century etching of the Trojan Horse]

Trojan horses may enter your computer through your daily e-mail, attached as an innocent-looking file, like “kids.exe” or some other benign name. And when file extensions are hidden, you may not know that a Trojan horse lurks in the attachment. (Here’s more information on how to view all hidden file types and file name extensions in Office, as well as a list of potentially blocked file extensions.)

Once you open or double-click on a bogus attachment, you may start a process that is hard to stop: the attachment may launch a program that infects your computer with a computer virus, changes or adds files to your computer, or modifies your settings to allow your computer to be used as an extension of the hacker to attack other sites or spread the infected attachment.
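To make the hidden-extension trick concrete, here is a small attachment-name check of the kind a mail filter or help desk script might run. It is an added example, not code from the original post or from Microsoft; the set of executable extensions is a constructed subset of the kind of list the post links to, and the function names are my own. It shows what Explorer would display for a name when “Hide extensions for known file types” is on, and flags names such as “kids.jpg.exe” whose real extension is executable while the visible part looks like a picture.

```python
import os

# Constructed subset of extensions that mail clients commonly block (assumption:
# illustrative, not the Office list the post refers to).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def classify_attachment(filename: str) -> dict:
    """Describe one attachment name the way a user would see it versus what it really is.

    displayed_name:  what Explorer shows with known extensions hidden (last extension dropped)
    real_extension:  the extension that actually decides how Windows opens the file
    executable:      True when that real extension is in the blocked set
    decoy_extension: a second, harmless-looking extension placed before the real one
                     (e.g. ".jpg" in "kids.jpg.exe"), only reported for executables
    """
    name = filename.strip()
    root, ext = os.path.splitext(name)          # "kids.jpg.exe" -> ("kids.jpg", ".exe")
    real_ext = ext.lower()                      # extension match is case-insensitive on Windows
    _, decoy = os.path.splitext(root)           # "kids.jpg" -> ("kids", ".jpg")
    is_exec = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": name,
        "displayed_name": root,
        "real_extension": real_ext,
        "executable": is_exec,
        "decoy_extension": decoy.lower() if (is_exec and decoy) else "",
    }


def scan_attachments(names):
    """Return the attachment names that should be held for review (executable real extension)."""
    return [r["filename"] for r in map(classify_attachment, names) if r["executable"]]


if __name__ == "__main__":
    # Constructed sample attachment names; "kids.exe" is the one from the post.
    sample = ["kids.exe", "kids.jpg.exe", "report.pdf", "holiday.jpg", "invoice.PDF.scr"]
    for n in sample:
        r = classify_attachment(n)
        print(f"{n:18} shown as {r['displayed_name']:14} executable={r['executable']} decoy={r['decoy_extension'] or '-'}")
    print("hold for review:", scan_attachments(sample))
```

Note that with extensions hidden, “kids.jpg.exe” is shown simply as “kids.jpg”, which is exactly why the post recommends turning extension display on; the check above looks at the real extension regardless of what the user sees.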

Now, back to screen scraping and ways to foil this trick.

When you consider that on average, most people can only remember between five and nine things of a particular kind (alphanumerical sequences, words, numbers), it’s tough to remember strong passwords. And if a screen scraper records your key strokes — and along with it, your passwords — this can be a problem. You have to change your passwords regularly (every few months or so) and be sure not to keep them in an easy-to-find place (you know, the text file on your computer named “passwords.txt”). For the most part, employing strong passwords that are changed regularly will help you foil most common security breaches.

But as attacks become more sophisticated by employing some of these methods, targeted companies (such as banks and brokerage houses) are bringing new technology online that combines the clicks and keyboard entries, user names and passwords with additional unique information. Some companies are taking steps to improve security without just adding the burden of having to remember a laundry list of strong passwords. One such example from Bank of America:

Bank of America Corp. is deploying a program called SiteKey that uses technology from Passmark Security Inc. that requires customers to click on a preselected image in addition to entering their user name and password to log on to an account, said Betty Riess, a Bank of America spokesperson in San Francisco.

E*Trade is another firm that has implemented ways to step up their security. Through their deal with RSA Security, E*Trade makes available a SecurID key chain (RSA calls it an “authentication token”) to their retail customers to provide an additional layer of protection. I know several companies that use the SecurID system to allow employees to access their confidential and secure sites remotely, providing an additional security layer with a random six-digit code that is generated by the SecurID token.
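The reason a token code helps against a keystroke-capturing screen scraper is that each six-digit code is good only once: a code the scraper records has already been spent by the time the attacker tries it. The example below shows that property with the public HOTP standard (RFC 4226), which is an analogue of what a hardware token does and not RSA’s own SecurID algorithm. It is added here and is not code from the post or from RSA; the shared secret is the RFC 4226 test-vector key, and the `TokenVerifier` class and its look-ahead window are my own illustration of the server side.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.

    The token in the user's pocket and the server each compute this from the same
    secret, so the code never has to be stored anywhere a scraper could read it.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side check that accepts each counter value once, so a captured code cannot be replayed.

    look_ahead lets the server resynchronise when the user pressed the token button
    a few times without logging in (assumption: 5 is an illustrative window size).
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1        # highest counter already consumed

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # burn this and every earlier counter
                return True
        return False


def replay_demo() -> dict:
    """Walk through what a keystroke logger would see: the code works once, then never again."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret (not a real token's seed)
    server = TokenVerifier(secret)
    captured = hotp(secret, 0)         # the six digits the user typed, recorded by the scraper
    return {
        "captured_code": captured,
        "legitimate_login": server.verify(captured),   # user logs in: accepted
        "attacker_replay": server.verify(captured),    # same digits again: rejected
        "next_code_works": server.verify(hotp(secret, 1)),
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The static password is still captured, which is why the token is an additional layer rather than a replacement: the attacker ends up with half of what is needed to log in, and the half that was captured expires the moment it is used.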

A few years ago, employees at Microsoft were issued smartcards to provide an additional layer of technology to access networks. Smartcards can be programmed to provide access to your personal accounts, mobile telephones, buildings and online systems.

Then there’s the new InfoCard technology, shown at the RSA Conference, which should make it easier to provide an additional layer of security. As reported on CNET News…

Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords, as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.

On protecting against viruses: There are a number of things you can do to protect your computer against viruses (courtesy of the Security at Home page…):

  1. Use an Internet firewall (Note: Windows XP with SP2 has a firewall already built-in and active).

  2. Visit Microsoft Update and turn on Automatic Updates.

  3. Subscribe to industry standard antivirus software and keep it current.

  4. Never open an e-mail attachment from someone you don’t know.

  5. Avoid opening an e-mail attachment from someone you know, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.
