Network Chico security terms glossary
Welcome to the Network Chico
computer security terms glossary.
=H=
Hardware Damage: There
has been much debate about whether viruses, or any other software,
can cause physical harm or 'damage' to computer hardware. Most
claims that such is possible turn out to be one of three kinds
- appeals to ancient and usually badly documented stories of
hardware destroyed by software shenanigans, accelerated wear
and tear, and misunderstanding the difference between damaging
hardware and trashing software stored in some form of (semi-)permanent
storage. There are several reports of ancient hard drives that
(reputedly) had no sanity checking in their control mechanisms.
The usual claim is that such drives could be taken out of service
(even 'destroyed') by directing the drive to seek for a cylinder
(track) past the last physical cylinder location. Stories also
persist about early PC monitors that could have internal electronic
components 'fried' (even setting the monitor on fire if left
long enough) by programming the display adapter to use out-of-specification
frequencies for the monitor. A variation on the
latter is the 'blow up a monitor by stopping the guns from scanning
so they bombard a continuous beam at one tightly focused spot'
claim. Similar stories and speculation exist about 'overusing'
a device. These include claims that certain (usually unspecified
and ancient) monitors could be damaged by various means or rendered
'practically unusable' via accelerated phosphor burn and the
like. Notions of wearing disks out quickly by repeatedly seeking
back and forward between the very first and last cylinders and
repeatedly updating the contents of CMOS RAM or EEPROMs or Flash
memory are also common. These first two kinds of stories are
pretty much relegated to the scrap heaps of history now, but
another type of claim has recently had quite an airing. The CIH
virus renders a PC unusable by re-flashing the flash memory chip
holding the BIOS. The routine in CIH effectively trashes the
BIOS. However, although it leaves the machine unusable (and often
leaves the mainboard effectively irreparable) this is not an
example of software damaging hardware. The hardware is all still
fully functional, but just happens to be built into a bad design
that prevents the (economical) return of the system to a working
state. For the user faced with a mainboard replacement because
a virus payload triggered, this may seem like splitting hairs,
but there is a clear technical distinction between the CIH virus
rendering a poorly designed system board irreparable and software
damaging hardware.
Heuristic Detection: Apart
from precise identification of known viruses, scanners can (and
do) employ various forms of less-precise detection. The essential
idea behind such heuristic detection mechanisms is to relax the
detection rules somewhat, detecting code that is almost bound
to be indicative of virus infection (or other forms of malware
functionality) and at the same time very unlikely to be seen
in 'innocent' programs. For example, various kinds of unusual
settings in the headers of PE (Windows 32-bit executable) files
may be strongly indicative of virus-related 'tampering'. If it
is also known that such 'odd' headers are never produced by any
PE compiler/linker combinations, detecting such things and flagging
the files to the user as 'suspicious' may be a good heuristic
for detecting certain kinds of new PE infecting virus that the
scanner does not yet detect as a known virus. Similarly, code
analysis of a VBA macro can, in most cases, quickly and reliably
determine whether the macro has code that copies itself to other
documents and templates. However, that alone is not sufficient
as a macro virus heuristic as it is common for legitimate macro
programs to have installation routines that are themselves macros
that copy other macros around. The designer of a good heuristic
macro virus detector will attempt to prevent raising false positive
alarms on such macro installation packages by requiring the heuristic
detector to find more than just code that copies a macro to a
global template (the usual installation location for such macro
programs). Careful tuning of the importance (or 'weight') attached
to various virus-like features can greatly reduce the rate of
such false positives. An approach that combines positive and
negative heuristics is generally considered best. A positive
heuristic is a feature of a program that the scanner treats as increasing
the likelihood that it is looking at a virus; a negative heuristic
is a feature that reduces that likelihood. Often scanners that
include heuristic detection capabilities have these disabled
by default. This can be because they add extra overhead to the
scanning process, but it can also be because the heuristics are
fairly 'liberal'. Particularly in the latter case, you should
only enable the scanner's heuristic detection if a new virus
is suspected, as its results may further focus your attention
on the likely affected files. Heuristics should also be enabled
and set to their highest levels on e-mail gateway scanners and
other 'interception points' if there is an unavoidable business
need to allow infectible file types into an organization. Some
scanners with heuristic detection abilities allow the user to
set the 'sensitivity' of the heuristics and again, these should
be set to highest sensitivity for e-mail gateway scanners.
Heuristics: Heuristics
means 'rule based'. Normally, for an Anti-Virus product to detect
a virus, the virus must have been seen before, analyzed and detection
added to the signature update files. Heuristics are used as there
are some families of viruses that continually change their appearance
and it is not possible to detect every variant. Heuristics allow
us to set up some rules so that if it smells like a virus and
acts like a virus, we can detect it even if we have never seen
the virus before.
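The two entries above describe heuristic detection in terms of positive and negative heuristics, tuned weights, and a user-selectable sensitivity, using the macro-installer false positive as the motivating case. The following is an added example (not Network Chico's code, and not any real scanner's engine) that puts those ideas into a small weighted scorer. Every feature name, weight and threshold is constructed for illustration; the point is how combining negative heuristics with positive ones keeps a legitimate installer below the alarm line while a self-replicating macro stays above it.

```python
# Added example: a toy weighted heuristic scorer for macro documents.
# Feature names, weights and thresholds are constructed for illustration;
# a real engine derives its features from parsing the document and macro code.

# Positive heuristics: features that raise the likelihood of a macro virus.
POSITIVE_WEIGHTS = {
    "copies_macro_to_global_template": 3,   # the usual installation/replication target
    "runs_on_document_open": 2,             # auto-executing entry point
    "copies_macro_to_other_documents": 4,   # spreading beyond the global template
    "disables_macro_warning": 3,            # tampers with the host application's defences
}

# Negative heuristics: features that make an 'innocent' explanation more likely.
NEGATIVE_WEIGHTS = {
    "has_install_dialog": -3,               # installers ask the user before copying
    "signed_by_trusted_publisher": -4,
    "copies_only_own_module": -2,           # an installer copies itself once, not every document
}

# Sensitivity levels map to score thresholds: higher sensitivity, lower threshold.
THRESHOLDS = {"low": 8, "default": 6, "high": 3}


def heuristic_score(features, use_negative=True):
    """Sum the weights of the observed features.

    With use_negative=False only positive heuristics count, which is the
    naive design the glossary warns produces false positives on installers.
    """
    unknown = set(features) - set(POSITIVE_WEIGHTS) - set(NEGATIVE_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    score = sum(POSITIVE_WEIGHTS.get(f, 0) for f in features)
    if use_negative:
        score += sum(NEGATIVE_WEIGHTS.get(f, 0) for f in features)
    return score


def classify(features, sensitivity="default", use_negative=True):
    """Return 'suspicious' or 'clean' for a feature set at the given sensitivity."""
    threshold = THRESHOLDS[sensitivity]
    return "suspicious" if heuristic_score(features, use_negative) >= threshold else "clean"


# Constructed feature sets (no real documents were analysed).
LEGIT_INSTALLER = {  # a macro package that installs itself into the global template
    "copies_macro_to_global_template", "runs_on_document_open",
    "has_install_dialog", "copies_only_own_module",
}
MACRO_VIRUS = {      # copies itself to the template and on to other documents
    "copies_macro_to_global_template", "runs_on_document_open",
    "copies_macro_to_other_documents",
}
TEMPLATE_ONLY = {"copies_macro_to_global_template"}  # the single ambiguous feature


if __name__ == "__main__":
    for name, feats in [("installer", LEGIT_INSTALLER), ("virus", MACRO_VIRUS),
                        ("template-only", TEMPLATE_ONLY)]:
        for level in THRESHOLDS:
            print(f"{name:14s} sensitivity={level:8s} -> {classify(feats, level)}")
    # The installer is flagged only when negative heuristics are switched off.
    print("installer, positive-only, high:", classify(LEGIT_INSTALLER, "high", use_negative=False))
```

With negative heuristics in play the installer scores 0 and stays clean even at the highest sensitivity, while the same installer scored on positive features alone (5) trips the 'high' threshold; the template-only sample scores 3 and is reported only at 'high', which is the behaviour the glossary recommends for gateway scanners where a lean towards false positives is acceptable.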
Hijacker: Any software
that resets your browser's settings to point to other sites.
Hijacks may reroute your info and address requests through an
unseen site, capturing that info. In such hijacks, your browser
may behave normally, but be slower.
Hoax: A hoax is a message,
typically distributed via E-mail or newsgroups, which is written
to deliberately spread fear, uncertainty and doubt. Just like
the viruses they purport to describe, they are sent from user
to user/s, slowing network and Internet traffic and causing damage
'per se', by wasting users' time and by prompting well-meaning
(albeit unnecessary) clean-up procedures. These messages may
be regarding completely fictitious viruses and trojans, or they
may be misleadingly warning users about legitimate programs (a
common target of past hoaxes was screensavers and more recently,
Windows utilities). Hoaxes prey on the lack of technical knowledge
and the goodwill of all those that receive a hoax. Generally,
hoaxes are warnings about threats to your computer. They tend
to follow a standard pattern, and should you receive an e-mail
that contains the following characteristics, view it with doubt,
if not downright suspicion.
- Reports of a virus that can do massive damage to your PC
- many even going so far as to say that critical hardware will
be destroyed.
- May sound unnecessarily technical (although often meaningless),
thus taking advantage of many users' fears of technology/the unknown.
- May quote bogus announcements from Antivirus Industry experts,
some even going so far as to provide a correct link to an AV
site (which strangely enough, if visited, will most likely tell
you that it's a hoax).
- The message may be written in emotive language. That is,
the message may be colored with upper case text and contain large
numbers of exclamation marks (in order to emphasize the severity
of the perceived threat and make the user more likely to forward
the message).
- Asks that you forward the message to as many people as possible.
This is the most obvious line in a hoax. Warnings from reputable
expert sources do not ask you to forward their notifications.
It is this part of the text of the message in particular, that
should immediately make wary users skeptical.
Computer Associates' Virus Encyclopedia contains current information
regarding hoaxes. Should you receive any unconfirmed virus warnings,
you can check them against the hoax section of the encyclopedia.
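The characteristics listed above (claims of hardware destruction, pseudo-technical authority, shouting and exclamation marks, and the request to forward) are exactly the kind of signals a mail filter or a user can score mechanically. The code below is an added example, not part of the glossary, that turns each listed characteristic into a simple indicator and sums them. The two messages are constructed for the demonstration and are not real hoaxes or real advisories; the regular expressions and the threshold are assumptions chosen for illustration.

```python
# Added example: scoring an e-mail body against the hoax characteristics
# listed in the glossary. Patterns and threshold are constructed, not a
# published filter rule set.
import re

# Constructed sample messages (not real e-mails).
HOAX_TEXT = """WARNING!!! A NEW VIRUS is spreading by e-mail!!!
It will DESTROY your hard drive and burn out your processor!!!
This was confirmed by Microsoft and every antivirus company!!!
FORWARD THIS TO EVERYONE YOU KNOW IMMEDIATELY!!!"""

ADVISORY_TEXT = """Security advisory: a worm affecting unpatched mail clients is circulating.
Please apply the vendor update and ensure your scanner signatures are current.
Contact the helpdesk if you believe your system is affected."""


def hoax_indicators(text):
    """Return a dict of boolean indicators, one per glossary characteristic."""
    words = re.findall(r"[A-Za-z]+", text)
    shouted = [w for w in words if len(w) > 2 and w.isupper()]
    caps_ratio = len(shouted) / len(words) if words else 0.0
    return {
        # "Asks that you forward the message to as many people as possible"
        "forward_request": bool(re.search(
            r"\b(forward|send) (this|it) to (everyone|all|as many)", text, re.I)),
        # "critical hardware will be destroyed"
        "hardware_destruction": bool(re.search(
            r"\b(destroy|burn out|fry|melt)\w*\b.{0,40}\b(hard drive|hardware|processor|monitor|cpu)\b",
            text, re.I)),
        # "bogus announcements from Antivirus Industry experts"
        "claimed_authority": bool(re.search(
            r"\b(confirmed|announced|reported|warned)\b.{0,30}\b(anti-?virus|security experts?|microsoft)\b",
            text, re.I)),
        # "large numbers of exclamation marks"
        "excess_exclamation": text.count("!") >= 5,
        # "colored with upper case text"
        "shouting": caps_ratio > 0.2,
    }


def hoax_score(text):
    """Number of hoax characteristics present (0 to 5)."""
    return sum(hoax_indicators(text).values())


def is_probable_hoax(text, threshold=3):
    """Treat three or more characteristics as a probable hoax (assumed threshold)."""
    return hoax_score(text) >= threshold


if __name__ == "__main__":
    for label, body in [("hoax", HOAX_TEXT), ("advisory", ADVISORY_TEXT)]:
        print(label, hoax_score(body), hoax_indicators(body))
```

The score is deliberately coarse: the glossary's own advice is that the forward request alone should make a reader skeptical, so a filter would reasonably flag a message on that one indicator and use the rest to rank how loudly to warn the user.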
Homepage Hijacker: Any
software that changes your browser's home page to some other
site. Hijacks may reroute your info and address requests through
an unseen site, capturing that info. In such hijacks, your browser
may behave normally, but be slower.
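Both hijacker entries describe the same symptom: browser settings silently pointed at a site the user did not choose. On Windows, Internet Explorer keeps its home and search pages under the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, so a simple detection is to compare those values against an approved baseline. The code below is an added example (not the glossary's or any vendor's tool) that checks a registry export in .reg format; the export text, the host names and the approved-host list are constructed for illustration.

```python
# Added example: spotting a homepage/search-page hijack from a .reg export.
# The key path and value names "Start Page", "Default_Page_URL" and
# "Search Page" are the real Internet Explorer locations; the URLs and the
# approved-host baseline below are constructed for this demonstration.
import re
from urllib.parse import urlparse

# Constructed .reg export (not a real capture).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search-redirector.example/?src=hj"
"Default_Page_URL"="http://intranet.example.org/"
"Search Page"="http://www.example.org/search"
"Window Title"="Corporate Browser"
'''

# Assumed organisational baseline of hosts the browser is allowed to point at.
APPROVED_HOSTS = {"intranet.example.org", "www.example.org"}

# Values a hijacker typically rewrites.
WATCHED_VALUES = {"Start Page", "Default_Page_URL", "Search Page"}


def parse_reg_values(export, key_suffix=r"Internet Explorer\Main"):
    """Return {value_name: string_data} for the key ending in key_suffix."""
    values = {}
    current_key = None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.endswith(key_suffix):
            m = re.match(r'"([^"]+)"="(.*)"$', line)  # REG_SZ values only
            if m:
                values[m.group(1)] = m.group(2)
    return values


def hijack_findings(export, approved_hosts=APPROVED_HOSTS):
    """List (value_name, host) pairs whose host is outside the baseline."""
    findings = []
    for name, url in parse_reg_values(export).items():
        if name not in WATCHED_VALUES:
            continue
        host = urlparse(url).hostname
        if host not in approved_hosts:
            findings.append((name, host))
    return findings


if __name__ == "__main__":
    for name, host in hijack_findings(REG_EXPORT):
        print(f"possible hijack: {name} points at {host}")
```

Only string (REG_SZ) values are parsed because that is what these settings are; a value that has been changed to another type, or a watched value that is missing entirely, is itself worth a look and would need a separate check. The same comparison against a baseline applies to proxy settings, which is how the "reroute through an unseen site" variant described above shows up.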
Hostile ActiveX: An ActiveX
control is essentially a Windows program that can be distributed
from a web page. These controls can do literally anything a Windows
program can do. A Hostile ActiveX program does something that
its user did not intend for it to do, such as erasing a hard
drive, dropping a virus or trojan into your machine, or scanning
your drive for tax records or documents. As with other Trojans,
a Hostile ActiveX control will normally appear to have some other
function than what it actually has.
Hostile Java: Browsers
include a "virtual machine" that encapsulates the Java
program and prevents it from accessing your local machine. The
theory behind this is that a Java "applet" is really
content, like graphics, rather than full application software.
However, as of July, 2000, all known browsers have had bugs in
their Java virtual machines that would allow hostile applets
to "break out" of this "sandbox" and access
other parts of the system. Most security experts browse with
Java disabled on their computers or encapsulate it with further
sandboxes/virtual-machines.
Hostile Script: A script
is a text file with a .VBS, .WSH, .JS, .HTA, .JSE, .VBE extension
that is executed by Microsoft WScript or Microsoft Scripting
Host Application, interpreting the instructions in the script
and acting on them. A hostile script performs unwanted actions.
HTTP Server: When installed
without user awareness, an HTTP server allows an attacker to
use a web browser to view and thus retrieve information collected
by other software placed in the user's machine.