[Guide] Gordon's guide to secure computing, part 1


Gordon's guide to secure computing
part I
by Gordon (Huggy59)

I'll take a stab at a few things here, and maybe we can assemble a good How-To from this and other posts.

There are four basic areas where I believe most SOHO users can do the most good in protecting themselves, besides making backups, being aware of the electronic landscape, and educating yourself beyond reading the latest headlines:

1. Run anti-virus and anti-spyware utilities often, and keep them up to date.
2. Reduce the footprint of what is exposed to the Internet to begin with.
3. Stay up-to-date with patches and new versions of software, and scan for known vulnerabilities.
4. Be aware that social engineering is a very lucrative way to get sensitive information from otherwise security-aware people. Even posting to forums like this, a savvy hacker can gain lots of knowledge about a person from reading the various posts. A tidbit here and there eventually adds up to a pretty good picture.

#1: First and foremost, a home user needs to have a working, up-to-date copy of an anti-virus program. There are many, but you should use one that is known and respected, has automatic updates, and automatic scanning of your entire system. Now, some of the IT guys here may differ in this opinion, but I believe that automating it as much as possible helps in the SOHO environment. Just remember if you set the AV software to scan your machine every Tuesday morning at 2:00am, that your machine needs to be left on Monday night through Tuesday morning so the scan can kick off at 2:00am! Scan AT LEAST weekly. New viruses and modified versions of older ones appear daily.

Second, get a copy of Ad Aware and/or Spybot Search and Destroy, or similar. These programs work to help eliminate spyware, which can cause just as much, or maybe even more trouble for you in terms of information leakage and system slow-downs. Ad Aware even has a resident blocker just like most AV software, for a price. Set it up to automatically get updates, as well.

Finally, note that each of these products uses signature files to recognize viruses and threats. You can still be hit by a virus/spyware that is completely new and unknown, and these products may not stop it. So, protect and back up your data!

Which leads us to the next area to look at: reducing your online footprint and firewalling your system(s).

#2: Most SOHO users will now be using a wired or wireless router/firewall for their Internet connection to their ISP. Router/firewalls have come down so much in price, and features are ramping up, so no one should be without one these days. For best results, configure the device to not answer ICMP pings from outside, making you less visible. This can be a problem if some outside service uses pings to ensure you are still alive, but you can usually get around that.

Most router/firewalls work by allowing any internal system making an outbound connection out, but limiting inbound connections from the Internet to a specific set of ports that are either open by default, or can be set to be open in the router config. Make sure your router is not manageable from the Internet side. At least not without significant protection such as encrypted links and secure logon.

The most attacked services today are the ones that are most vulnerable - DNS, web servers, ftp servers, email, IM’s, IRC, and the like. If possible, don't run these types of services at the expected ports. This makes you less of a target for most scripted interrogations.

If you do run a web server at port 80 (the expected port), for example, make sure your web server software of choice is patched with the latest security patches and keep it up to date. Enable logging and check it periodically to make sure you aren't being targeted or that hacking attempts weren’t successful. And you will see attempts being made, so don’t be overly frightened when you do. You may also want to run this on a separate machine that doesn't have personal information on it to further reduce possible information leakage. Most routers today can accommodate port forwarding to accomplish this.
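As an added example of the periodic log check described above (not code from the original post), this script parses Apache/NCSA-style access log lines, flags clients that walk many non-existent paths the way scripted scanners do, and lists WebDAV-method requests together with whether the server actually answered them or a filter rejected them. The log lines are constructed samples with documentation-range addresses, and the 404 threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Apache/NCSA common log format:
#   client ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Methods an ordinary public web site should not be serving. A 2xx reply means
# the server processed the request; a 403/404 means something rejected it.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample log, not real traffic: one normal visitor, one scripted
# scanner collecting 404s, one WebDAV probe that was rejected, one that was served.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2004:02:01:11 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2004:02:01:12 -0500] "GET /style.css HTTP/1.1" 200 800
198.51.100.7 - - [10/Mar/2004:02:03:01 -0500] "GET /scripts/ HTTP/1.0" 404 300
198.51.100.7 - - [10/Mar/2004:02:03:01 -0500] "GET /cgi-bin/ HTTP/1.0" 404 300
198.51.100.7 - - [10/Mar/2004:02:03:02 -0500] "GET /_vti_bin/ HTTP/1.0" 404 300
198.51.100.7 - - [10/Mar/2004:02:03:02 -0500] "GET /admin/ HTTP/1.0" 404 300
198.51.100.7 - - [10/Mar/2004:02:03:03 -0500] "GET /phpMyAdmin/ HTTP/1.0" 404 300
198.51.100.7 - - [10/Mar/2004:02:03:04 -0500] "PROPFIND / HTTP/1.1" 404 87
192.0.2.9 - - [10/Mar/2004:02:05:00 -0500] "PROPFIND /docs/ HTTP/1.1" 207 1200
"""


def parse_log(text):
    """Return one dict per parseable line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def review_log(text, not_found_threshold=5):
    """Summarise who looks like a scanner and which WebDAV requests were actually served."""
    entries = parse_log(text)
    not_found = Counter(e["ip"] for e in entries if e["status"] == 404)
    scanners = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    webdav = [
        (e["ip"], e["method"], e["path"], e["status"], e["status"] < 300)  # last item: served?
        for e in entries if e["method"] in WEBDAV_METHODS
    ]
    return {"scanners": scanners, "webdav": webdav}


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    print("Probable scanners:", sorted(result["scanners"]))
    for ip, method, path, status, served in result["webdav"]:
        print(f"{ip} {method} {path} -> {status} ({'SERVED' if served else 'blocked'})")
```

Only the served WebDAV entries need follow-up; the blocked ones are the evidence that a filter such as URLScan is doing its job, which is exactly what a scanner report alone cannot tell you.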

Ok, now on to patches and scanning for vulnerabilities. Some people don’t like to do vulnerability scanning. While you don't have to launch a complete hacking attempt at your systems, it does help to use a scanner that can detect possible problems. You are keeping your patches up, right?

As soon as patches are available, read about what they fix and how they do it. Determine if they will interfere with your existing system and programs, and if not, install them and test them. If they do interfere, you need to assess the risk involved with the particular vulnerability and make some decisions. Be able to roll back if problems are noted, but if not, you are good to go.

Now, get a free security scanner such as Nessus, an open-source vulnerability scanner. It runs as a server service, and you use a client to access it securely and run scans. It also needs to be updated with rules and scan info. Run it against your whole network (which will take some time) and look at the report output carefully. Nessus reports have a lot of good info and suggestions about what to do to fix things. Other scanners are available, as well. You can even have your buddies (or me!) run Nessus against your Internet connection and check what is actually open to the world.

Invariably, there are some checks that *appear* to be vulnerabilities, but upon closer inspection you'll find that the scanner simply can't fully determine whether the problem is actually an issue or not. These you will have to determine through other means. For example, if you run MS IIS 5 for a web server and use URLScan to block some types of insecure access, the Nessus check for the WEBDAV vulnerability will still think it is possible, when actually URLScan is blocking the access and sending back a message to that effect. In this case you are protected, but Nessus can't determine that (in its current version).

This is one reason why scanning and remediation is difficult. Another is that for some scans, you need administrator permissions on the system being scanned. So, be sure you understand what the scan is doing and how it is being used or you could miss a significant issue because of a poor scan config or a tricky vulnerability in the affected program.

When you do find a problem, follow up on it and determine what the fix or workaround is, taking into consideration the risk factor as you see it. Then apply the solution or accept the risk.

Subscribe to a security mailing list, such as CERT or Symantec (details to follow). This will keep you up to date on the latest significant problems and issues.

On to #4 - Social Engineering.

We’ve all seen it on the news or heard about it somewhere. You read the subject of an email and know you shouldn't open it, but you do, and BAM!, you're letting the virus into your system and soon the entire network. Well, they fire people for that now. Social engineering is the act of using social means to persuade someone to reveal info, run a program, or open a file that they shouldn’t. Like opening an email attachment that contains a virus, or visiting a web site link that has malicious scripting or active content.

Even if you think revealing a small piece of info is not a problem (because they don’t know the other parts that are needed, right?), it could be a real problem, because the hacker could have several other small pieces and eventually they get enough of the puzzle to put it together.

We see most social engineering in emails these days, but it can also be on the phone, in person, in stores, etc. You know the drill, like the phishing schemes that say this email is from your bank, we need you to verify your account and password... Even if it IS from your bank, don't reply to that email. Call your bank’s customer service line and deal with them one-on-one - that way you know who you're talking to and it probably isn't going to be intercepted.

Personally, I like the "Hi, this is XYZ Factoid Corp. calling with a research questionnaire - can I have 3 minutes of your time?" and then they proceed to ask you about your servers, software, OS, versions, special programs, problems, etc. This could EASILY be a scam and a way of finding out more about your infrastructure, methods, and protection! I tell them I don't have 3 minutes for them and I would not like to reveal any further info, and if they persist, I hang up. After all, I'm in control of this info!

Pasting passwords to the bottom of your keyboard, or on a post-it note on your monitor is NOT something you should do! Also, keeping them in a file on your system in plain text, or even a protected Word document, is easy to search for and break into. The first requires local physical access (or a good telescope from the neighbor's house), but the second requires only access to your system, which can be done remotely and possibly without your knowledge!

Personal info, once revealed, is very difficult to hide. Usually it must be changed and the new info not exposed. This is not very easy with your social security number, upon which all credit and most identification is based. Do not reveal your SSN so easily. In fact, challenge the company/person, etc. and find out why they want it. In many cases it is within your rights to have them use some other number for an internal account number, for example. Stall them and say you'll call them back, what's their number? It's a lot like phone fraud. If they approach you, how do you know who it is? But if you call them, you’re pretty sure it’s the right people or company, based on your experience. Of course, phones can be scammed, too, and I’m sure we’ll see more of that with IP telephony (VoIP), etc.

If you bank by web or access billing accounts, be aware of the need to close all of your browser windows after using your banking web site, or any SSL-enabled site. Only after closing and restarting your browser will the cookies and session data be cleared properly so that no malicious script at another site can gain access to the contents of the banking info. Browsing the web is a connectionless way of pulling and pushing data around. As such, browsers and web sites keep session info live for a period of time after you stop using the site. Therefore, it could be possible for someone to pick up on your session after you stop using it, if they set things up a certain way and have been watching the data stream between your system and You are making sure that the site IS SSL-enabled, right?

Don't do business with sites that appear to have broken or outdated SSL certificates, and don't use non-SSL links to submit sensitive transactional data such as credit card purchases through the web. SSL encrypts all transmissions from your browser to the remote site so no one will be able to sniff the information on the wires (like eavesdropping on the phone).

Know what data it takes to get a phony credit card? A name that matches a social security number and a matching birth date. That’s it. The rest is easily made up or diverted to people who are in on the scam. Don’t put any two pieces of the needed three into any system unless you trust the owners and know how they use and protect your data. That’s why I’m only 3 or 104 years old on many systems… 01/01/01 !! So what if you don’t get a birthday card on the right date from your retailer?

Have a plan about what you will reveal and what you won’t and stick to it. If you frequent forums like this, limit what is visible, and if you MUST make something visible that you feel uncomfortable about, make up something BUT REMEMBER IT and use it in many places. This makes it appear to be true even if it is false, and hackers are more likely to believe it - and then you've thrown them off. I don't care if a license agreement says you must be truthful - the truth is that if this info is revealed to the public, my privacy is more important than the license agreement in this cyberspace! Yours should be, too.

Next time I'll put some tips together on everyday things, like how to set Outlook to reduce the possibility of getting a spam email that the spammer can use to confirm you are an active account.

In the meantime, if you have questions, post and I'll try to answer them.

Nice job Gordon. Keep going, please. You explain it well enough to do a regular column for Cocoon Tech! :blink:

Great stuff Gordon, i'm looking forward to the next part.

I do have a couple of questions though:

1. I run and have been running Ad-Aware for a while now. I think it's great, keeps me free of registry keys and tracking cookies as well as more serious stuff such as spyware, adware and malware.
Do you think it's worth getting Spybot as well?
I thought Ad-Aware on its own would be good enough, but maybe they look for different things.
What do you use?

2. About routers
I use a wireless router and keep it extremely tight. Maybe too tight.
I use MAC address identification and 128-bit WEP encryption, but I've often wondered if the WEP is even necessary since nobody can get on unless I add their MAC address to the list.
What are your thoughts on this?

I run both Spybot as well as Adaware. I find that often they will find things the other one didn't. They are both free and highly recommended so why not use them?

Also, just as a precaution, I run the Active Online Scanner at www.pandasoftware.com every week or two just as a backup to my local Norton AV.

Just in case it gets by the one, it might get caught by the other. Again, it's free, so why not take advantage of it.

just my 2 cents.

I also use both Adaware and Spybot, and one or the other will find things the other missed.

Thanks for the link, jwilson, to pandasoftware, I'll try them also. Just renewed my Norton AV on three machines this weekend, and it is set for auto updates and scans.

What else is anyone else using?

Adaware and Spybot here too. It has been proven that both do a crappy job, but together they can get some stuff done. I personally don't run it at all at home as I have no spyware problems, but at work, that's all I run.

As for the wireless, you still want WEP if you are worried about security, as it is fairly easy to set up a wireless sniffer, even though WEP can be broken without much effort too. If your router supports something like WPA, try to select that, as it is more secure, but your router is pretty secure compared with 99% of the routers out there :D

TechTooth said:
> I use a wireless router and keep it extremely tight. Maybe too tight.
> I use MAC address identification and 128-bit WEP encryption, but I've often wondered if the WEP is even necessary since nobody can get on unless I add their MAC address to the list.
My understanding is that others can read the MAC address data that is flying through the air in these connections. Once they have the address, it's relatively easy to spoof [1]. They can start connecting using the same MAC address.

[1] There are network adapters that allow you to change the MAC address. I assume there are probably also software-only solutions out there.

My understanding is that it would take a pretty decent hacker and lots of time to get your MAC address and clone it. Unless something new has come along since the guy that wrote the article I read on it.

So what's a good free network monitor to use to see who is connecting to and going where behind the firewall?

I believe that it takes about 90 minutes of traffic to hack a 64 bit key.
I don't remember where I read that, but I seem to remember the fact. :D
I have not searched, but I assume that it is very easy to find a program or description of how to do it on the net. Any one of your neighbors could easily find this out. I'm sure there are plenty of kids out there playing with this stuff (who are not otherwise technically knowledgeable).

Out of curiosity, I just turned on the WiFi of my PDA. There are 4 WiFi networks available here (none of them associated with me). Only 1 has WEP enabled. I didn't try to connect to see if they are using MAC addresses.

I would advise activating whatever security precautions the router makes available. WEP is pretty basic and can be cracked in a relatively short time with today's fast processors. The MAC address can be sniffed. If you do use WEP and use MAC filtering, so much the better. Make sure you are not sharing the key!

Personally, I use WPA (stronger encryption) with large key length and PSK - pre-shared keys. This is probably one of the more secure ways built into consumer routers, second to rotating keys with something like an RSA SecurID fob (changes a multi-digit number every 60 seconds). We call it two-factor or three-factor authentication - account name, password and the rotating number that, once used, is no longer good.

Anyone looking for a free Internet connection is just going to pick the most available air, anyway, and not be concerned with your protected wireless network. You need to protect yourself if you have anything personal you don't want revealed on your systems, and for that reason use whatever security capabilities you can.

For spyware, I agree, Ad Aware and Spybot are both not 100%, but using them both tends to get most stuff out there. It's all relative, and they seem to be the leaders for the moment. McAfee sometimes has the latest virus defs and repairs sooner than Symantec (Norton), and vice versa. Eventually they all get it, and they continuously leapfrog each other at the bleeding edge. When they start getting so commercial that they can't be installed simultaneously, like NAV and McAfee, then you've got to pick the one you think is best. In the meantime, use them all. Personally, I've been an Ad Aware user for quite a while and haven't run into anything it couldn't remove here. But, like electron, I run pretty secure, too. Still, cleaning the odd ad site cookies is a good move, IMO.

Thanks for the positive feedback, everyone. I'll put together another "article" on some of the things you can do - both configuration settings and usage habits - that can help keep your name and email address away from the big, bad spammers out there! But nothing is perfect... not even not using email! hehe I still get at least 3 offers a week for low mortgage rate and equity loans in my mailbox! USPS mail, that is! I can recognize most of them easily now and just toss them in the trash!

Are there any ways to figure out how to remove the spyware that Adaware and Spybot won't detect? I've been running their latest updates for a few months now and I still have one spyware app on my laptop and one on my desktop that they won't get rid of. I think they are two different apps because they behave in different ways. The one on my laptop monitors what I am searching in Google. Every once in a while when I click a link that I have searched for, it takes me to a page other than what it was supposed to take me to.

The one on my desktop just generates popups during my browsing with IE. Is there a way to remove everything attached to IE, or a way to shield IE from outside programs?

You would think with all the popup problems and spyware that Microsoft would have come up with a version of IE that doesn't allow this type of stuff to occur. I have stopped using IE and switched to Mozilla, but sometimes I can't get plugins for Mozilla to work. Such as RealPlayer's SMIL plug-in. It's supposed to work but Firefox doesn't allow it to work properly.