REQUEST: PC Security How-To

Squintz

Senior Member
Many of us don't have a clue when it come to securing our PC from hackers and viruses. I was wondering if some of you IT guys would pitch in and write up a How-To for dummies covering all the essentials of protecting your Home PC. For instance Proper router setup. Im talking about the cheap D-Link and LinkSYS routers. And maybe even a list of software we should be running. A good how-to on this subject might save all of us alot of headaches in the future.
 
That would be great. I have about 6 ports open for HS, network cameras, etc. According to my router log, port scans are almost continuous. I think I'm safe, but it just makes me a little paranoid.

As far as viruses/adware, I have Norton AV, SpySweeper and others - but I still occasionally see some odd PC behavior that defies explanation and makes me wonder.

I have tried doing my own research on the web to help ease my mind, but much of the information available on the web is over my head and raises more questions than it answers.

Mark
 
feel free to post any questions you have on this board, we have plenty of people doing this for living!
 
I'll take a stab at a few things here, and maybe we can assemble a good How-To from this and other posts.

There are four basic areas where I believe most SOHO users can do the most good in protecting themselves. Besides making backups, being aware of the electronic landscape, and educating yourself beyond reading the latest headlines:

1. Run anti-virus and anti-spyware utilities often, and keep them up to date.
2. Reduce the footprint of what is exposed to the Internet to begin with.
3. Stay up-to-date with patches and new versions of software, and scan for known vulnerabilities.
4. Be aware that social engineering is a very lucrative way to get sensitive information from otherwise security-aware people. Even posting to forums like this, a savvy hacker can gain lots of knowledge about a person from reading the vaious posts. A tidbit here and there eventually adds up to a pretty good picture.


#1: First and foremost, a home user needs to have a working, up-to-date copy of an anti-virus program. There are many, but you should use one that is known and respected, has automatic updates, and automatic scanning of your entire system. Now, some of the IT guys here may differ in this opinion, but I believe that automating it as much as possible helps in the SOHO environment. Just remember if you set the AV software to scan your machine every Tuesday morning at 2:00am, that your machine needs to be left on Monday night through Tuesday morning so the scan can kick off at 2:00am!

Second, get a copy of Ad Aware and/or Spybot Search and Destroy, or similar. These programs work to help eliminate spyware, which can cause just as much, or maybe even worse trouble for you in terms of information leakage and system slow-downs. Ad Aware even has a resident blocker just like most AV software, for a price. Set it up to automatically get updates, as well.

Finally, note that each of these products use signature files to recognize viruses and threats. You can still be hit by a virus/spyware that is completely new and unknown, and these products may not stop it.

Which leads us to the next area to look at: Reducing your online footprint, and firewall your system(s).

#2: Most SOHO users will now be using a wired or wireless router/firewall for their Internet conneciton to their ISP. They have come down so much in price, and features are ramping up, so no one should be without one these days. For best results, configure the device to not answer ICMP pings from outside, making you more invisible. This can be a problem if some outside service uses pings to insure you are still alive, but you can usually get around that.

Most router/firewalls work by allowing any outbound connection out, but limiting inbound connections to a specific set of ports that are either open by default, or can be set to be open in the router config.

The most attacked serices today are the ones that are most vulnerable - DNS, web servers, ftp servers, email, and the like. If possible, don't run these types of services at the expected ports. This makes you less of a target for most scripted interrogations.

If you do run a web server at port 80 (the expected port), for example, make sure your web server software of choice is patched with the latest security pathces and keep it up to date. Enable logging and check it periodically to make sure you aren't being targeted or any hacking attempts were successful. You may also want to run this on a separate machine that doesn't have personal information on it to further reduce possible information leakage.

Ok, now on to patches and scanning for vulnerabilities. Some people dont' like to do vulnerability scanning. While you don't have to launch a complete hacking attempt at your systems, it does help to use a scanner that can detect possible problems. You are keeping your patches up, right?

As soon as patches are available, read about what they fix and how they do it. Determine if they will interfere with your existing system and programs, and if not, install them and test them. be able to roll back if problems are noted, but if not, you are good to go.

Now, get a free security scanner such as Nessus. It runs as a server, and you will get a client to access it. It also needs to be updated with rules and scan info, and run it against your whole network (which will take some time) and take a look at the output.

Invariably, there are some checks that *appear* to be vulnerabilities, but upon closer inspection you'll find that they simply can't fully determine whether the problem is actually an issue or not. These you will have to determine through other means. For example, running IIS 5 for a web server and using URLScan to block some access, the Nessus check for the WEBDAV vulnerability will still think it is possible, when actually URLScan is blocking the access and sending back a message as such. In this case you are protected but Nessus can't determine that.

This is one reason why scanning is difficult. Another is that for some scsans, you need admin permissions on the system being scanned. So be sure you understand what the scan is doing and how it is being used or you could miss a significant issue because of a poor scan config.

When you do find a problem, follow up on it and determine what the fix or workaround is, taking into consideration the risk factor as you see it. Then apply the solution or accept the risk.

On to #4 - Social Engineering.

We;ve all seen it on the news or heard about it somewhere. You read the subject of an email and know you shouldn't open it, but you do, and BAM! you're letting the virus into your system and soon the entire network. Well, they fire people for that now. Social engineering is the act of using social means to persuade someone to reveal info they shouldn't. Even if you think revealing a small piece of info is not a problem, it could be, because the hacker could have several other small pieces and eventually they get enough of the puzzle to put it together.

We see most social engineering in emails these days, but it can also be on the phone, in person, in stores, etc. You know the drill, like the phishing schemes that say this email is from your bank, we need you to verify your account and password... Even if it IS from your bank, don't email them back. Call your customer service line and deal with them - that way you know who you're talking to and it probably isn't going to be intercepted.

Pasting passwords to the bottom of your keyboard, or on a post-it note on your monitor is NOT something you should do! Also, keeping them in a file on your system in plain text, or even a protected Word document, is easy to search for and break into. The first requires local physical access (or a good telescope from the neighbor's house), but the second requires only access to your system, which can be done remotely.

Personal info once revealed is very difficult to hide again. Usually it must be changed and the new info not exposed. This is not very easy with your social security number, upon which all credit and most identification is based. Do not reveal your SSN so easily. In fact, challenge the company/person, etc. and find out why they want it. In many cases it is within your rights to have them use some other number for an internal account number, for example. Stall them and say you'll call them back, what's their number? It's a lot like phone fraud.

If you bank by web or access billing accounts, be aware of the need to close all of your browser windows after using your banking web site, or any SSL-enabled site. Only after closing and restarting your browser will the cookies and session data be cleared properly so that no malicious script at another site can gain access to the contents of the banking info. You are making sure that the site IS SSL-enabled, right?

Don't do business with sites that appear to have broken or outdated SSL certificates, or don't use SSL for transactional data such as credit card purchases. SSL encrypts all transmissions from your browser to the remote site so no one will be able to sniff the information on the wires (like eavesdropping on the phone).

Have a plan about what you will reveal and what you won.t and stick to it. If you frequent forums like this, limit what is visiable and if you MUST make something visiable that you feel uncomforatble about, make up something BUT REMEMBER IT and use it in many places. This makes it appear to be true even if it is false, and a hacker is more likely to believe it - and then you've thrown them off. I don't care if a license agreement says you must be truthful - the the truth is that this info is revealed to the public, my privacy is more important than the truth in this cyberspace! Yours should be, too.



Next time I'll put some tips together on everyday things, like how to set Outlook to reduce the possibility of getting a spam email that the spammer can use to confirm you are an active account.

In the meantime, if you have questions, post and I'll try to answer them.
 
PC and network security is a very valid concern. However in thinking about social engineering, I got to thinking about all the ways we reveal information about ourselves and we are not even tricked into doing it. This can open up a whole bag of other security concerns.

My biggest concern is my house and family...

Diary of a high-tech criminal:

Mon. Jan 3rd. I notice that Joe Blow on the HomeSeer forums lives in the same town as me and check out his site. Joe Blow is using HomeSeer and has his own domain... www.joeblowshouse. I do a whois on www.Joeblowshouse.com and find that Joe lives at 1234 West St. Now I poke around Joe's site some more.... Joe has a huge collection of DVDs and has a device called Plasma. I can only guess that is a nice big Plasma TV. I want one of those!

Tues. Jan 4th. I visit Joe's site again. I notice that the set back temperature drops 4 degrees and all the lights go out at 10am... the temp does not come back up until 3pm. Also I can look at Joe's webcam and see that the garage is empty. I assume everybody is a work.

Wed. Jan 5th. I visit Joe's site again. This time I use a Proxy server and a different IP, just incase he get suspicious of all my logins. I notice the same pattern again, with the house being empty from 10am to 3pm. I also make a note of all the computers Joe has and which rooms they are in.

Thurs. Jan 6th. Another trip to Joe's site. Again I use a Proxy server. This time I pay close attention to Joe's alarm system. I notice there is one window in the back of the house that seems to be unmonitored. I also note the model number of Joe's security system. Luckily he had talked about it once in the HomeSeer forum. Then a quick Google and I find a .pdf of the manual. Now I know how to get in the house and disarm the alarm.

Fri. Jan 7th. Today I verify that they will be gone. I place a call to the house (Joe provided his home number in his domain whois info) and claim that I am a Phone Company employee and we are doing a check of lines in the area to help track down a problem in the neighborhood. I tell him that we are planning to stop by his house today or Monday and ask wanted to verify that the phone box will be easy to get to, and I want to verify that he does not have a dog or any other obstacles we need to be aware of. Toward the end of the conversation... I off-handed ask him if anyone will be there to test the phone from the inside. He says no and I respond, "ok, no big deal". Thanks, have a nice day and thanks for using SBC. I use a payphone to make the call, and If he asks about the caller ID... I'm simply a phone guy on the go and my cell phone has died. A little suspicious, but Joe has been very trusting... why would he doubt that.

Sure, this may be a stretch, but there is nothing here that is impossible and with all the information about us on the forums and our own site, this is only one scenario of many possibilities. We all love to share our setups, our information, and about all our hi-tech toys. However, a tech savvy criminal, could easily do a whois on a our domain, and if you don't have that information blocked, find your home address. A few days of watching your HomeSeer website can determine your daily coming and going pattern. And if you have your DVD collection, photos of equipment, floor plan, etc. up on your site... He knows exactly what he is looking for when he gets there. I don't mean to scare everybody, but I can rebuild a computer, It is not so easy to recover after being burglarized.

Is anybody being cautious of the information they share? Are there things we could do and don't to protect ourselves? I would like to see at least a good dialog of weeknesess in this area.


Jim
 
You forgot to mention that JoeBlow also uses the Ultra View plugin and displays the floor plans of his house which just happens to contain information about which windows and doors have sensor on them along with which rooms have motion detectors and pressure sensors.
 
Jim, that's the exact reason why my site isn't open to the public, only a few trusted IP addresses can get to it. Social Engineering is definitely something to watch out for.
 
Geez, Jim. You scared the crap out of me. You've got that criminal mind - I'm keeping my eye on you. ;)

Mark
 
I also note the model number of Joe's security system. Luckily he had talked about it once in the HomeSeer forum. Then a quick Google and I find a .pdf of the manual. Now I know how to get in the house and disarm the alarm.
TWEET! FOUL! You were doing well until you got to that statement. The myth that possession of an installers manual allows someone to circumvent the alarm system is exactly that. A myth. A bunch of hogwash pumped out by the alarm dealers for purely selfish reasons.

The installers manual will provide only two items of limited value. The installers code is the "backdoor" to the system, but is only useful if the installer or homeowner left it at the default setting. Alarm companies change the installer code as a matter of course, so the only question is did the homeowner change it if the alarm was a DIY install?

The second is the value of the EOL resister. With that information, the burglar can carefully cut a hole in the house wall, fish around for the alarm contact wire, clip on his handy-dandy James Bond alarm buster kit with the correct resistance, bypass the contact and enter the house, then shrink himself down to the size of a gerbil to avoid tripping the motion sensors.

The more likely way the burglar will work has nothing to do with defeating the alarm. He will most likely just throw a lawn chair through the window and be long gone before the cops arrive, and/or cut the telephone line where it enters the house. The NID on most houses is outside and easily accessable.
 
I'm not suggesting that there is some default or secret code. I am just suggesting that the perpetrator will know how the system works an be able to turn it off, in order to open the door, once he gets inside through the unmonitored window.

Really this was not meant to be an accurate technical exposé. But rather a point that internet security, while it is important, is not the only security we need to be aware of. I'm sure many of us know this already and do take our own measures to protect ourselves. But, as with social engineering the biggest hole in our security is ourselves. What kind of mistakes do we make and not even realize it that result in opening ourselves up for intruders?

I didn't mean to scare... I probably got a little carried away...maybe I should write for 60 Minutes. LOL.





Jim
 
You raise some valid points, though, jroberts. When I brought this up on other boards, I got poo-poo'ed that most burglars are low-tech and wouldn't use the Internet. In my book that's a bit like saying, "I park my car around the corner behind a van so it won't be stolen, cause it isn't in the same parking lot as the others and it can't be seen easily," ie. a bit naive.

The more info divulged, the easier it is to formulate plans to get around the easy stuff. Granted, an alarm installed and monitored by a local company isn't always easy to bypass or get around, but in today's world, that's not a big deal - a smash'n'grab only takes 30-45 seconds, and a floor plan of where things are will help in that type of burglary.

I do wonder if someone looking at houses over the Inet does take into consideration the webcams and stuff like that. I like to think that even with the webcams being run by the computer, they would move on to easier targets instead of trying to guess which PC or risking the fact that a PC may house pictures of them entering the premises. These days, even if they cut the phone lines and power, it may be too late - cell or wireless could be used to send a pic to a remote machine or a cell phone, etc.

One way to foul up the plans posted above is to use a domain management service that hides the true domain owner, and therefore the owner's address will not show up in a WHOIS. I use this service for my domains and it is also very good at hiding your email address from spammers... cheap enough so that I sprung for it on all my domains.

But it is easy enough to get other info that, when cross-referenced with other publicly-available info, can lead you to a physical location or "close enough" to be able to look around a find it.

Of course, that's why we all carry insurance on our belongings, right? ;-)

I also lock my fence gate, but in all reality, someone could just hop the fence and be in the back yard. It's more to keep people from opening it and letting the dog out than anything else.

If they hit you, they hit you. My mom used to live on the town road that led to the dump - very busy on weekends and somewhat on weeknights. She also had an alarm. That didn't stop them from smashing the kitchen door and grabbing the stereo, TV and microwave and heading out in the middle of the day. Twice.

That said, you could be talking about me... I think I have my HS on the web at the moment - it usually isn't, though. I need to get a good web user account and security package for IIS or Apache and not use the HS pages at all.
 
I never put my personal address in the domain registration info, there are just too many psycho's out there ;)
 
Yeah, but there are plenty of psychos that could just follow you home or pick a random name out of the phone book.
 
those examples are just random events smee, there are plenty of people online who don't like other people for stupid reasons, i.e. imagine someone going after Rich because of the plugin issue ;) internet stalking is a bigger problem than some random stalker!
 
Back
Top