Gordon's guide to secure computing
part I
by Gordon (Huggy59)
I'll take a stab at a few things here, and maybe we can assemble a good How-To from this and other posts.
There are four basic areas where I believe most SOHO users can do the most good in protecting themselves. Besides making backups, being aware of the electronic landscape, and educating yourself beyond reading the latest headlines:
1. Run anti-virus and anti-spyware utilities often, and keep them up to date.
2. Reduce the footprint of what is exposed to the Internet to begin with.
3. Stay up-to-date with patches and new versions of software, and scan for known vulnerabilities.
4. Be aware that social engineering is a very lucrative way to get sensitive information from otherwise security-aware people. Even posting to forums like this, a savvy hacker can gain lots of knowledge about a person from reading the various posts. A tidbit here and there eventually adds up to a pretty good picture.
#1: First and foremost, a home user needs to have a working, up-to-date copy of an anti-virus program. There are many, but you should use one that is known and respected, has automatic updates, and automatic scanning of your entire system. Now, some of the IT guys here may differ in this opinion, but I believe that automating it as much as possible helps in the SOHO environment. Just remember if you set the AV software to scan your machine every Tuesday morning at 2:00am, that your machine needs to be left on Monday night through Tuesday morning so the scan can kick off at 2:00am! Scan AT LEAST weekly. New viruses and modified versions of older ones appear daily.
Second, get a copy of Ad Aware and/or Spybot Search and Destroy, or similar. These programs work to help eliminate spyware, which can cause just as much, or maybe even more trouble for you in terms of information leakage and system slow-downs. Ad Aware even has a resident blocker just like most AV software, for a price. Set it up to automatically get updates, as well.
Finally, note that each of these products uses signature files to recognize viruses and threats. A virus or piece of spyware that is completely new and unknown is not in those signatures yet, and these products may not stop it. So protect and back up your data!
Which leads us to the next area to look at: reducing your online footprint and firewalling your system(s).
#2: Most SOHO users will now be using a wired or wireless router/firewall for their Internet connection to their ISP. Router/firewalls have come down so much in price, and features are ramping up, that no one should be without one these days. For best results, configure the device not to answer ICMP pings from the outside. This keeps you off the radar of casual sweeps that ping first (it does not hide you from a scanner that probes your TCP ports directly). It can be a problem if some outside service uses pings to ensure you are still alive, but you can usually work around that.
Most router/firewalls work by allowing any outbound connection from an internal system out, but limiting inbound connections from the Internet to a specific set of ports that are either open by default or opened in the router config. Review what is open by default rather than trusting the factory settings. Make sure your router is not manageable from the Internet side, at least not without significant protection such as an encrypted link and a strong logon.
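The policy just described (everything out, nothing in unless explicitly opened, no management from the WAN side, no answer to outside pings), written out as iptables rules for a Linux-based router. This is an added example, not part of Gordon's post; the interface names eth0/eth1, the 192.168.1.0/24 LAN and the 192.168.1.80 web host are assumptions. It also forwards port 80 to that separate web host, which is the arrangement the web-server advice further down describes. Nothing is applied unless you run it with APPLY=1, so you can read the generated rules first.

```shell
#!/bin/sh
# Added example, not from the original post: the router policy described
# above as iptables rules for a Linux-based router. Assumed (hypothetical)
# layout: WAN on eth0, LAN on eth1 as 192.168.1.0/24, and a separate web
# host 192.168.1.80 that holds no personal data and gets forwarded port 80.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB_HOST=192.168.1.80

# Emit the rule set as text. Nothing touches the live firewall unless the
# script is run with APPLY=1, so the rules can be read (and checked) first.
soho_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default deny for anything arriving at or crossing the router; outbound
# from the router itself is allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections started from inside come back in; nothing else does.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may reach the router (management lives here only) and go out.
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# Don't answer pings from the Internet side. (Other unsolicited WAN traffic
# is already dropped by the INPUT policy; this rule makes the choice explicit.)
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP
# No rule accepts the router's own management ports on $WAN, so they are
# unreachable from the Internet regardless of what the web UI offers.
# Forward port 80 to the separate web host and allow only that flow in.
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_HOST --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Hide the LAN behind the router's public address.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Number of inbound ports published to the Internet; every one of them
# should be a service you deliberately chose to expose (here, exactly one).
wan_forwarded_ports() {
    soho_rules | grep -c -- "-t nat -A PREROUTING"
}

if [ "${APPLY:-0}" = "1" ]; then
    soho_rules | sh -e
else
    soho_rules
fi
```

Run it once with no environment variable to see the rules, compare them with what your own router's configuration page actually offers, and only then apply. The count from wan_forwarded_ports is the number of holes you should be able to justify service by service; if it is larger than the list of things you meant to publish, something is open that should not be.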
The most attacked services today are the ones most commonly exposed and most often found vulnerable: DNS, web servers, FTP servers, email, IMs, IRC and the like. If possible, don't run these types of services on the expected ports. This makes you less of a target for scripted sweeps that only try the standard port, but it is only a noise reducer: a full port scan still finds the service, anything others must be able to find (your mail or DNS, say) has to stay where they expect it, and a moved service still needs patching.
If you do run a web server on port 80 (the expected port), for example, make sure your web server software of choice has the latest security patches and keep it up to date. Enable logging and check it periodically, both to see whether you are being targeted and, more importantly, whether any attempt succeeded. You will see attempts being made, so don't be overly frightened when you do; what matters is the requests the server answered rather than refused. You may also want to run it on a separate machine that doesn't have personal information on it, to further reduce possible information leakage. Most routers today can accommodate port forwarding to accomplish this.
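An added example (not from the original post) of what "check the logs periodically" looks like in practice: an awk pass over web server access-log lines in the common/combined format, flagging requests for well-known probe paths and, separately, the ones the server answered with a 2xx, which is the line between "being targeted" and "an attempt succeeded". The log lines in sample_log are constructed for the example, using documentation-range addresses; the probe list is a short sample of worm and scanner URLs from the IIS 5 era plus directory traversal, not a complete signature set. IIS's default W3C log format orders its fields differently, but the idea is the same.

```shell
#!/bin/sh
# Added example, not from the original post: a periodic log review for a
# web server's access log (common/combined format, as Apache writes it).
# Probe requests are classified by whether the server refused them
# (ATTEMPT) or actually answered with 2xx (HIT); per-source totals follow.

# A short sample of worm/scanner URLs from the IIS 5 era plus directory
# traversal; extend it with whatever your own logs keep showing you.
# (ERE, matched against the lower-cased path; [.] avoids escape quirks.)
PROBE_PATTERNS='cmd[.]exe|root[.]exe|default[.]ida|[.][.]/|%2e%2e|/etc/passwd|/_vti_bin/'

# Constructed sample log lines (documentation-range addresses), not a real
# capture: two Code Red/Nimda-style probes that got 404, a traversal
# attempt that got 403, normal browsing, and one probe the server served.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2004:02:11:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
203.0.113.7 - - [10/Mar/2004:02:11:04 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 287
198.51.100.23 - - [10/Mar/2004:02:15:41 -0500] "GET /index.html HTTP/1.1" 200 1432
198.51.100.23 - - [10/Mar/2004:02:15:45 -0500] "GET /images/logo.gif HTTP/1.1" 200 5120
192.0.2.9 - - [10/Mar/2004:03:02:10 -0500] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 403 211
192.0.2.9 - - [10/Mar/2004:03:02:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1604
EOF
}

# Reads log lines on stdin. Prints "KIND IP STATUS PATH" for each probe
# request, then "TOTAL IP N" per source, so a HIT line and a chatty source
# both stand out when you skim the output.
review_log() {
    awk -v pat="$PROBE_PATTERNS" '
    {
        ip = $1
        # The request line is the first double-quoted field; its second
        # word is the path. Status and byte count follow the closing quote.
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ")
        path = req[2]
        split(q[3], rest, " ")
        status = rest[1]
        if (tolower(path) ~ pat) {
            # 2xx on a probe path means the server actually served it.
            kind = (status ~ /^2/) ? "HIT" : "ATTEMPT"
            print kind, ip, status, path
            count[ip]++
        }
    }
    END {
        for (ip in count) print "TOTAL", ip, count[ip]
    }'
}

# Usage: review.sh /var/log/httpd/access_log (no argument: the sample above).
if [ $# -gt 0 ]; then
    cat "$@" | review_log
else
    sample_log | review_log
fi
```

Over the sample, the two 404s and the 403 come out as ATTEMPT lines you can note and move on from; the 200 for root.exe comes out as a HIT, which is the one that needs a human on it right now (that file should not exist on a patched server, and if it does, the box has already been compromised). Any source with a high TOTAL is a candidate for a block at the router.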
Ok, now on to patches and scanning for vulnerabilities. Some people don’t like to do vulnerability scanning. While you don't have to launch a complete hacking attempt at your systems, it does help to use a scanner that can detect possible problems. You are keeping your patches up, right?
As soon as patches are available, read about what they fix and how. Determine whether they will interfere with your existing system and programs; if not, install and test them. If they do interfere, assess the risk of the particular vulnerability and make a decision. Have a way to roll back if problems turn up; if none do, you are good to go.
Now, get a free security scanner such as Nessus, an open-source vulnerability scanner. It runs as a server, and you use a client to connect to it securely and run scans. Keep its plugins updated, run it against your whole network (which will take some time), and read the report carefully. Nessus reports contain a lot of good information and suggestions about what to do to fix things. Other scanners are available as well. A scan from inside your LAN tells you what your own machines expose to each other, not what the router lets through from the Internet, so you can even have your buddies (or me!) run Nessus against your Internet connection and check what is actually open to the world. Scan only systems you own or have permission to scan.
Invariably, some checks *appear* to be vulnerabilities, but on closer inspection the scanner simply can't determine whether the problem is really exploitable. Those you have to settle by other means. For example, if you run MS IIS 5 as a web server with URLScan blocking some types of insecure access, the Nessus check for the WebDAV vulnerability will still report it as possible, when in fact URLScan is blocking the access and sending back a rejection. In this case you are protected but Nessus can't tell (in its current version). The way to settle it is to do by hand what the check does: send a WebDAV request (a PROPFIND or OPTIONS, for instance) to your own server with a raw client and look at the response. URLScan's rejection rather than a WebDAV reply (a 207 Multi-Status, or an OPTIONS response advertising DAV) means the finding is a false positive; write down why, so you recognize it on the next scan.
This is one reason why scanning and remediation is difficult. Another is that some checks need administrator credentials on the system being scanned to see what is actually installed; without them the scanner is guessing from banners and behaviour. So be sure you understand what the scan is doing and how it is configured, or you could miss a significant issue because of a poor scan config or a tricky vulnerability in the affected program.
When you do find a problem, follow up on it and determine what the fix or workaround is, taking into consideration the risk factor as you see it. Then apply the solution or accept the risk.
Subscribe to a security mailing list, such as CERT or Symantec (details to follow). This will keep you up to date on the latest significant problems and issues.
On to #4 - Social Engineering.
We’ve all seen it on the news or heard about it somewhere. You read the subject of an email and know you shouldn't open it, but you do, and BAM!, you're letting the virus into your system and soon the entire network. Well, they fire people for that now. Social engineering is the act of using social means to persuade someone to reveal info, run a program, or open a file that they shouldn’t. Like opening an email attachment that contains a virus, or visiting a web site link that has malicious scripting or active content.
Even if you think revealing a small piece of info is not a problem (because they don’t know the other parts that are needed, right?), it could be a real problem, because the hacker could have several other small pieces and eventually they get enough of the puzzle to put it together.
We see most social engineering in emails these days, but it can also be on the phone, in person, in stores, etc. You know the drill, like the phishing schemes that say this email is from your bank, we need you to verify your account and password... Even if it IS from your bank, don't reply to that email and don't follow its links. Call your bank's customer service line, using the number printed on your card or statement rather than one from the email, and deal with them one-on-one; that way you know who you're talking to, and it probably isn't going to be intercepted.
Personally, I like the “HI, this is XYZ Factoid Corp. calling with a research questionnaire – can I have 3 minutes of your time?” and then they proceed to ask you about your servers, software, OS, versions, special programs, problems, etc. This could EASILY be a scam and a way of finding out more about your infrastructure, methods, and protection! I tell them I don’t have 3 minutes for them and I would not like to reveal any further info, and if they persist, I hang up. After all, I’m in control of this info!
Taping passwords to the bottom of your keyboard, or on a post-it note on your monitor, is NOT something you should do! Keeping them in a file on your system in plain text, or even in a password-protected Word document, is just as bad: such files are easy to search for and break into. The first requires local physical access (or a good telescope from the neighbor's house), but the second requires only access to your system, which can be gained remotely and possibly without your knowledge!
Personal info, once revealed, is very difficult to hide again. Usually it must be changed and the new info kept unexposed, which is not easy with your social security number, upon which all credit and most identification is based. Do not give out your SSN so easily. Challenge the company or person and find out why they want it; in many cases it is within your rights to have them use some other number as an internal account number, for example. Stall them: say you'll call them back, and ask for their number. It's a lot like phone fraud. If they approach you, how do you know who it is? But if you call them, on a number you already trust, you're pretty sure it's the right people or company. Of course, phones can be scammed too, and I'm sure we'll see more of that with IP telephony (VoIP), etc.
If you bank by web or access billing accounts, log out explicitly when you are done (the logout tells the server to end the session) and then close all of your browser windows, for your banking site or any SSL-enabled site. Session cookies live until the browser exits, so until then any page you visit in the same browser is running alongside a still-valid login, and a malicious script at another site has a chance to abuse it. HTTP itself is stateless, so browsers and web sites keep session info live for a period after you stop using the site. Therefore it could be possible for someone to pick up your session after you stop using it, if they set things up a certain way and have been watching the traffic from your system. You are making sure that the site IS SSL-enabled, right?
Don't do business with sites that have broken or outdated SSL certificates, and don't use non-SSL links to submit sensitive transactional data such as credit card purchases through the web. SSL encrypts everything between your browser and the remote site, so no one can sniff the information on the wires (like eavesdropping on the phone). Note what it does not do: it says nothing about how the site stores your data once it arrives, and a broken or expired certificate means you can no longer be sure who is on the other end of the encrypted link.
Know what data it takes to get a phony credit card? A name that matches a social security number and a matching birth date. That’s it. The rest is easily made up or diverted to people who are in on the scam. Don’t put any two pieces of the needed three into any system unless you trust the owners and know how they use and protect your data. That’s why I’m only 3 or 104 years old on many systems… 01/01/01 !! So what if you don’t get a birthday card on the right date from your retailer?
Have a plan about what you will reveal and what you won’t and stick to it. If you frequent forums like this, limit what is visible, and if you MUST make something visible that you feel uncomfortable about, make up something BUT REMEMBER IT and use it in many places. This makes it appear to be true even if it is false, and hackers are more likely to believe it - and then you've thrown them off. I don't care if a license agreement says you must be truthful - the truth is that if this info is revealed to the public, my privacy is more important than the license agreement in this cyberspace! Yours should be, too.
Next time I'll put some tips together on everyday things, like how to set Outlook to reduce the possibility of getting a spam email that the spammer can use to confirm you are an active account.
In the meantime, if you have questions, post and I'll try to answer them.