| This 33 message thread spans 2 pages: 33 (  2 ) > > || |
A few helpful hints
In light of recent events [webmasterworld.com] I have had to take a good serious look at my PC security and how I can make sure that it stays secure.
The first two are basics, basics that could require you to download a large amount of data. Bit of a problem if you are on dial up.
Install patches for Windows OS
Check for Office updates also
Activate firewall within XP if you have it
Get a decent virus protection program and ensure you have the lastest DAT files. If you think you may have a problem run a stinger
Install spyware programs like Adaware [lavasoftusa.com] and Spybot [safer-networking.org]. Download the latest definition files as new exploits come along all the time. Run both side by side as they detect different exploits. Also use the immunise facility.
Install SpywareBlaster [javacoolsoftware.com] with the latest definitions that will prevent scumbagware (ukgimp TM) from being installed.
When using an email package like Outlook or Outlook express never open mail messages that you are uncertain of. If they look iffy they probably are so you should bin them. If the message is important they will get back to you with a sensible Subject line. Also have the preview pane closed! [helpdesk.graniteschools.org]
If you intend on using IIS as a development machine make sure than you only have the services open then you know you need. Do you really need FTP or SMTP to run ASP pages?
When using IIS, download Microsoft’s IIS Lockdown [microsoft.com] to make sure you have only requires aspects running.
Download a personal Firewall. Zone Alarm [zonelabs.com] is well regarded and is free. There are others out there.
NEVER install software that you don’t know for certain is clean. For example one of my undoing was FreeHistoryCleaner. There are many more, kazaa etc. A lot of peer to peer stuff is a bit iffy.
Trust no one. Never tell your passwords to anyone etc etc.
You could of course say “don’t use windows” but you could also say “don’t use the internet”. You can ignore all of the above or just parts of it. I ignored one part and paid the price of two days trawling thought my registry and still leaving lots of stuff in there and going for a full reinstall after and then changing all my passwords. What fun.
You have been warned!
Consider using an alternative to Internet Explorer (such as Opera, Mozilla Firefox or Netscape - all of which are available for free).
IE is by far the most common browser on the web and plenty of people have a grudge against Microsoft - which means IE tends to be the prime target for browser exploits, spyware, adware and the like.
ukgimp: why bother activating the XP firewall if you are going to use ZoneAlarm anyway?
Also, once you have installed your firewall it is worth performing a portscan on yourself to make sure all the relevant ports are closed (or stealth). The "Shields Up" service at grc.com is good for this.
|ukgimp: why bother activating the XP firewall if you are going to use ZoneAlarm anyway? |
Why have two locks on your front door? :)
I wont be caught out again. I cant afford to lose that time again because of a slip up in my security. If I was on broadband I would get a router that had a firewall installed also.
Good point about a port scan. Do you know any SAFE ones?
Before opening widely the MS updates flood gates
I would like adding a few words of cautions
A) Never be among the early birds to D-load it
Apply a few days of wait and see and peruse PC sites that deal with such.
B) In many instances those updates are dealing with IE
Be prepared to lose basic personal settings
And have cookies fight with the sites utilizing your
registered PW, Username
C )Never perform any MS updates without a prior thorough backup
Firewalls be careful about conflict
One cannot installs FW as a daisy chain
Firewalls are present in you cable connection, in your XP and eventually come with most routers
AV: chose one that will auto provide you with a myriad of auto updates
BTW ZA has discovered that they can be damaged by a DOS
Set up a used box for very few $, and use it only for mail purpose.
And forget about home network, Samba etc..
>>Never be among the early birds to D-load it
Hmmmm, I am only talking about critical patches. Sorry :)
|Good point about a port scan. Do you know any SAFE ones? |
The Gibson Research (grc.com) one that I mentioned is safe (to the best of my knowledge).
I have a firewall built-in to my ADSL router (a re-programmed BT/Efficient Networks one). This prevents all incoming traffic, but I also use ZoneAlarm to keep track of my outgoing connections.
I would add the following:
1) Use NTFS rather than FAT32 (in NT, W2K, XP - tough luck for 98 and Me users) Set limited file permissions on system files etc. for regular users.
2) Install programs as Administrator, but work in a user account with limited permissions when you are connected to the internet. I know it's more of a hassle in Windows than in Unix (su for Windows anyone?) but if you can't install programs as a regular user, you get a very good layer of security.
3) Rename the Administrator account and use a hard password (mixed upper and lower case, numerals and special characters). Disable any guest accounts (already done by default in most cases).
4) Disable any remote connection facility, check and recheck permissions. Unless you specifically need it, make sure you can't remotely connect with Remote Desktop.
5) Use a router as a simple but effective hardware firewall for your network. Don't let any unknown traffic through.
6) Understand what every option does in your Services menu. Disable stuff you don't need. Disable IIS, or at least block access to your local server with the firewall.
7) Worth repeating: DON'T install anything which comes from an uncertain source. That dodgy warez copy of Photoshop you got off Kazaa? That keygen thingy you downloaded off a wierd Russian web site? You are just asking to be rooted. Only download from reputable sources, buy the software you need, and install only from original disks (or from your own backup copies).
8) Spyware, scumware, popup ads galore, spam relays, you name it - most if not all filesharing programs (Kazaa, Limeware, Morpheus) are infested with the stuff - the programs themselves, and much of the stuff you download off their services. If you install them on your machine, you deserve what everything you get.
do not disregard the Google nav bar anti popups
|Good point about a port scan. Do you know any SAFE ones? |
have to second that grc.com's shields up port scan is safe, and a good test.
>>Activate firewall within XP if you have it
Thanks for the site with the explicit directions. I'd wanted to do this, but hadn't deciphered how.
I also have a registry checker, by the people at moosoft. It sets off this bloody loud siren if anything at all changes, so its a good idea to remember that when installing any software :). I use a local port scanner which I use when ever I can, most weekends I run it and update all settings and security problems.
I also have a similar set up to ukgimp, double check everything and make sure things are up to date at all times. I use zonealarm and am currently trying their pro version for free, have to say that I think that the free version is good for the basics so I wont be splashing out the money just now.
To make sure that people receiving my emails know it's a genuine email from me and not malicious - I always start off the subject line with
'From (my real name)'
Then follow with a sensible subject title with the important words first. I'm thinking that if every body did the same it would be much easier to sort the malicious from the genuine.
Doesn't work as well when you are emailing people you don't know of course but you can start off
'From (Real Name) interested in buying your widget, (or whatever)'
[Here's hoping 'widget' isn't rude in some other part of the world - in the UK it's just a substitute word]
And thanks ukgimp for a useful post which I've flagged for future reference.
|When using an email package like Outlook or Outlook express... |
Most email born nasties rely on Outlook holes in order to spred. By using a email client other than the normal, you move your self out of the target group. Although not 100% effective, it adds one more level of safety into your system. There are plenty of alternative available.
>>> C )Never perform any MS updates without a prior thorough backup
My XP box is updated automatically by OS as soon as new patches are available. Never had a problem with it...
Outlook Express 6.0 should be ok. Just my blind belief?
ukgimp says to keep Outlook Express preview pane closed.
I always check my emails via webmail before downloading. Thus I can weed out the rubbish before downloading - saves download time and I'm minded to think that I'm reducing the risk. Outlook Express preview pane can thus be kept open as there will be no nasties.
A heads up on the IIS Lockdown, if your running .net applications. I ran into some issues with my xml web services after running that utility. Once I installed it I had issues debugging and was unable to serialize xml.
just wanted to post as fyi...
I agree with all of the above. I've made Mozilla my default browser, and switched to Eudora as my mail reader (paid version). The free Thunderbird mail reader has a good reputation, too.
Never trust other computers (e.g. in a cybercafe or at a friend's house). Entering passwords there is risky, as there could be keyloggers that steal your passwords and account details.
I've not done it yet, but there are bootable Linux CD-ROMs (e.g. www.knoppix.net) that one can carry around to boot on public PCs or at a friend's house, to reduce the risk. I believe there are variants that even can boot off only a USB memory pen (although, fewer PCs support that, compared to booting off a CD-ROM).
If you use AOL Instant Messenger or other IM programs like ICQ, Yahoo, or MSN, go through the preferences to maximize the security (eg. I've disabled file downloads, voice chat, etc).
Wireless home networking should also be avoided, until the security is more mature.
Some more difficult tips to implement, but good for the technically-inclined, and responses to address some of the issues previously mentioned:
First, I believe that open-source software is inherently safer. The code for open-source software is freely available to the public, so many people are scrutinizing it for bugs. A large group of people (the public community) can find and fix more bugs and security issues than a small group of people (a closed-source software development company). This is the main reason Microsoft software has as many flaws as it does. And Microsoft being on top market-wise is the main reason these flaws are frequently exploited.
<You could of course say “don’t use windows” but you could also say “don’t use the internet”.>
Sure, but there's a disconnect there. By not using the internet, you're severely limiting yourself. By not using Windows, you're not imposing limits so much as changing the way you do things.
For someone who's interested in spending the time (and well-worth it if you're the type that enjoys this type of thing), you can find a non-Windows replacement for virtually all of your Windows software so it's usable on something like Linux. In the case where a suitable replacement is not available, many of these programs (as long as they're simple enough) will work using a Windows emulator, like Wine. And lastly, if a particular application will not function in an emulator, you can actually load a full-blown copy of Windows to run on top of Linux which can be launched only when that application is needed.
<Install programs as Administrator, but work in a user account with limited permissions when you are connected to the internet. I know it's more of a hassle in Windows than in Unix (su for Windows anyone?)>
Absolutely.. Windows (NT/2000/XP) has a service called "Run As." This allows you to a program as another user. Right-click on a program and choose "Run As." Prior to launching the program, a dialog box is presented asking for authentication of the user that you wish to use to run the program.
<Wireless home networking should also be avoided, until the security is more mature.>
It's true that WEP is rather simple to break (there are free tools available for download that will do it for you). But there are ways to secure a wireless network nonetheless. Using a tool such as OpenVPN (which I use on my own network) allows setting up a VPN between your workstations and the firewall. A VPN (Virtual Private Network) is basically what it sounds like.. create a virtual network over a public network (like the internet). A connection is made from one machine to another over the internet (or locally) using a single TCP or UDP port. This traffic is encrypted using either a static key or a public/private key pair (your choice at setup, the latter is more secure), and this virtual "pipe" is used to send all of your traffic. This would be the eqivilent of taking a fully addressed and stamped envelope ready to go, and then putting that in another fully address and stamped envelope, then sending it out. No one would be able to see the header of the enclosed envelope. So not only is the data unknown, but so is the intent of the data (target ip and port, type of packet, etc).
This same setup can be used to connect wireless machines locally, though it requires a router on the network that is capable of installing software, like an actual computer, or a hacked Linksys 802.11g with a MIPS processor that allows re-programming the firmware with a stripped-down version of Linux, DHCPD, IPTables, and OpenVPN. A VPN can also be used to make a private machine available publically without punching a hole in the firewall.
Another way to make a machine accessible remotely through a firewall without opening up a port on the firewall would be to use port-knocking. Let's say, for instance, that you wanted to SSH into a box using the standard port 22. In this case, all ports (including 22) would be closed, or stealth. Then, right before you wanted to connect, you would send requests to certain ports on your firewall, say, 105, then 109, then 4233, then 10104. The firewall would detect these attempts to connection and quietly log them (as it always should), and the routing software (IPTables) could then be configured to act a certain way when it saw a combination of ports being hit in a certain order. The above combination may open up port 22 allowing a connection from the IP address that was "knocking" on the ports. This would work sort of like a combination lock. The firewall could also be configured to allow one connection only, or for the combination of ports to rotate each time so that someone sniffing the connection would not be able to replicate the attempt to connect.
Tools that use FTP, Telnet, POP3, and SMTP send information in plain-text over the internet (namely usernames and passwords). Try using POP3 and SMTP over SSL for mail; and SSH and SCP for remote access and file transfers.
<I've not done it yet, but there are bootable Linux CD-ROMs (e.g. www.knoppix.net) that one can carry around to boot on public PCs or at a friend's house, to reduce the risk. I believe there are variants that even can boot off only a USB memory pen (although, fewer PCs support that, compared to booting off a CD-ROM).>
There is a product called Stealth Surfer that would work well for this, which is basically a self-contained browser (doesn't need to be installed) that runs right off of a thumb-drive. All of your internet cache, mail settings, etc., are stored on the drive. Pop it in, browse, remove it, and there are no traces left on the client computer.
Knoppix is a great distribution with dozens of installed applications, but doesn't allow you to save anything and take it with you (since it runs on a CD).
Also turn off unwanted services - like Server, Windows Time, Plug and Play , but it all depends on your enviroment that you are in. There was a good article on this on the web..
I try to always keep one throw away email address, I have about 15 (used to work for an ISP). If you edit in any directory then it's essential, or if you use any forum that you don't trust 100% then you can give your throw away out.
|It's true that WEP is rather simple to break |
As I understand it most wireless products now support Wi-fi Protected Access (WPA) which is much stronger than WEP (many old products have a firmware upgrade available).
You can also usually restrict access to known MAC addresses. And masking the SSID of the router will help prevent 'drive-by' snooping.
Seems pretty secure to me. The only reason I haven't gone wireless myself is that I'm waiting for the prices to drop a bit (plus I'm not sure I like the idea of being bombarded with yet more radiation! :)).
I would also recommend Norton antivirus 2004 with the full active scan always on, It slows things down a tad but all file activity is constantly monitored and all email is scanned before appearing in the outlook express pane.
As a second simple measure i have all of my passwords on a floppy with a cd-r backup of the floppy in the drawer, Every time i require a password i simply insert and remove after. I leave the disk in the drive bay but not actually in the drive so its a simple matter of quickly pushing the disk in, It sounds simple but i find it a great measure as there are no sensitive files physically attached to my system so as fancy as some intruder may think they are unless they have diegos hand of god and can insert the disk remotely it should provide sufficent protection.
I would finally say never type your password again after the first time saving it to disk, I always access the password file and then copy and paste the info to avoid keyloggers and such, Its not fullproof but the simple things are sometimes the most effective.
If you are being that paranoid then I assume your passwords are not plain text on the floppy? If they are then you might want to check out some of the password safes on the market.. such as 'Big Crocodile'.
I definitely think that some of the suggestions on this thread are seriously OTT and really quite worryingly paranoid.
I mean 'don't trust your friend's PC because he might have a keylogger'... hmm, thats a bit daft. A better defence would be: if you worry about your friends using keyloggers then choose better friends! :)
|I mean 'don't trust your friend's PC because he might have a keylogger'... hmm, thats a bit daft. A better defence would be: if you worry about your friends using keyloggers then choose better friends! |
Depends on your friends ;) Alot of my mates would not know if anyone was attacking their computer, I constantly get calls asking for help because "it's not working the way it should". So caution is always best.
It pays to be a bit parnoid. Or at least that is my take one it these days.
For the keylogger, it wasn't the friend I was worried about (I trust my friends). But, their system might have been unknowingly compromised (i.e. they are infected with a virus, or something), and so I can't assume it's a "trusted" box. Same goes with using a PC at a cybercafe, or a public library, etc.
BBC News - Hackers exploit Windows patches [news.bbc.co.uk]
Here's my 2 cents:
Kerio personal firewall (free limited edition for home use)
Avast! antivirus, winner of the 100% Virus Bulletin award
(again free limited edition for home use and reccomended)
Mmmm...What hasn't been mentioned is "tell everyone".
It might be technically tedious to explain to your mum what a denial of service attack is and how her machine might be a "zombie"...but why not use the viral power of your word of mouth?
Id have to say don't use windows at all :)! Format it, lay down a new linux partition, some swap space, and install that baby. Windows is crap man, get into a more stable, secure, free, higher skill operating system. It may be hard at first to make the transission but god does it feel good to have FREE software, virtually no virri, and an operating system that you dont have to restart when you install an application; one that wont crash with every day use for months (even years!).
I didn't see this tread when it started because I was busy cleaning spyware/scumware/adware from my machine.
I also removed the google tool bar based on the following: Caution: The PageRank display is one of the advanced features of the Google Toolbar. And if those advanced features are enabled, Google collects usage data. Additionally, the Toolbar is self-updating and the user is not informed about updates. So, Google has access to the user's hard drive.
IMO this classifies as spyware
| This 33 message thread spans 2 pages: 33 (  2 ) > > |