Thursday, July 03, 2008

How to Secure Your Machine (for free!)

I've had this in my head for over a month now, but I wanted to wait until after the trip to write it all out (and there was a lot to write!). A lot of people don't take security on their home machine under much consideration because, frankly, they were never educated much about it. Why would we be? To be honest, even I didn't really understand what was necessary and why until I took a class on network security last year. I'm going to try to hit all the basics of the minimum you need to use your machine with little chance of bricking it, losing all your stuff, or, even worse, losing your sensitive information. If anything is unclear, feel free to comment. If you catch me saying something incorrect, please also comment so I can correct it; there's a lot here for me to keep up with.

I've never tried a full-on original essay like this before so I hope it goes well...

Introduction

There's a tradeoff between security and convenience. The reason that malicious hackers are able to have so much fun is usually just laziness. Most victims simply don't do enough to protect themselves because it's human nature to enjoy conveniences. That's why 1-click shopping is popular on Amazon and iPods are still selling like hotcakes even though there are competing mp3 players that do more. It's amazing how often a simple password list (consisting of password, password123, the user's name, etc.) will work, because it's inconvenient to come up with a password of random letters, numbers, and symbols. People ignore security patch updates, and that's how a lot of attacks succeed long after the vulnerability has been discovered. Programmers are sometimes sloppy and allow for buffer overflow attacks, which is probably the most commonly exploited vulnerability class. In essence, if you want a machine built like a tank then you're going to have to sacrifice some conveniences, so that will be a recurring theme in this article.

The reason for this tradeoff in convenience is the arms race we have in computer security. When we came out with anti-virus software, they came out with polymorphic viruses that change themselves constantly (like real-life viruses can, I believe?) to make detection harder. So scanning just isn't enough; we also have to be responsible about how we use the computer. There are also intrusion detection systems (IDS) (something I did research in last semester), but they rely on looking for anomalous behavior. The question is, how does it know what anomalous behavior is? They still need our help to keep out intruders.

What you have to realize, nonetheless, is that each one of the following recommendations is an important pillar of your machine's safety, as well as that of the information that passes through it. Hence, I highly recommend doing all of the following things. Fortunately, you can do these things without buying any fancy software. The only place you'll need to spend money is on my first tip.

Back it up!

Any successful large company understands the merits of mastering disaster recovery. Average people, however, aren't quite so reliable. It's almost as if we think we're invincible, believing that the stories on the news about some widespread virus or worm only happen to idiots. In reality though, the most important tool in your security arsenal is keeping at least one backup of all the programs and files that are most important to you. After all, iTunes won't send you your library again if your hard drive dies. As careful as any of us can be, shit happens. Just accept it and move on with your life. They say you should live your life as if each day is your last. I say the same about your computer: use it as if when you wake up in the morning it won't be there anymore. The attacks and hardware problems that can occur are too numerous to be listed.

Ok, so enough of my soapbox, what do you need to do? First things first: you need a backup medium. There are some online services that promise to sync your hard drive while you're asleep and keep your data somewhere in the clouds (i.e. on a server somewhere far away). I've blogged about some lists of free ones here and here. I've started using Dropbox lately and I really dig it for its simplicity. The premium services are a bit pricey, but usually worthwhile. The reason you'd want to back up online is that if you have a hard backup somewhere in your apartment and your computer is in your apartment, then what if your neighbor has a bad day and burns down the building while you're at work?

Barring the natural disaster or physical theft scenarios, keeping a hard backup is a great option and an absolute minimum necessity. The advantages are that hard drives and optical media are quite inexpensive, you have complete control over them, they offer you a way to take your files with you without having to lug your computer around, they protect you from malicious attacks since you can always just format your computer and start fresh from the backup, and they protect you from hardware failures in your computer (i.e. dead hard drive, worn out power supply, etc.) for the same reason. They have some pretty physically small external hard drives out there now for $100 or less, or some bigger ones for the same price but double the capacity. Look for a name brand, read the reviews to make sure people have good experiences overall, and just order one. You need one at least as big as your hard drive, even if you don't back up all your data on it.

Most hard drives will come with free software for back-up right out of the box, but if you decide to use a USB flash drive or optical media (i.e. CDs or DVDs) then you'll need to take to the Internet. I had to do this because Retrospect on my Western Digital doesn't work on Vista. After using several different ones, I liked Karen's Replicator the best. You just set up jobs to copy folders to wherever you want and then set them to run automatically while you're asleep at whatever frequency you want. It does progressive backups, so after the first backup it'll only handle changes rather than re-copying all your data every night and wearing out your backup hard drive faster than necessary. It's not as convenient to do automatic backups on optical media, but they can still be used. A competitor to Karen's Replicator that may be better for optical media is WinBackup. Both of these programs are kind of quick and dirty and don't give you all the features you may want, like taking an image of your entire hard drive. You can always shop around for the paid software that does everything you want, like maybe Genie, which makes it really easy to back up your registry and e-mails and all that.
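To make the "only handle changes" idea concrete, here is an added example of a minimal replicator job in Python. It is not Karen's Replicator's code or any other product's; it mirrors a source folder into a backup folder and copies a file only when the backup copy is missing or differs in size or modification time, which is what keeps a nightly run from rewriting everything. The folder names and file contents in the demo are constructed.

```python
"""Incremental folder replication: copy only files that are new or changed.

Added example (not Karen's Replicator's code): mirrors a source folder into a
backup folder, skipping files whose size and modification time are unchanged,
so a scheduled run touches only what changed since the last run.
"""
import os
import shutil
import tempfile
from pathlib import Path


def needs_copy(src: Path, dst: Path) -> bool:
    """True if the backup copy is missing or differs in size or mtime."""
    if not dst.exists():
        return True
    s, d = src.stat(), dst.stat()
    # shutil.copy2 preserves the timestamp, so an unchanged file compares equal.
    return s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime)


def replicate(source: str, backup: str) -> dict:
    """Mirror `source` into `backup`; return how many files were copied/skipped."""
    src_root, dst_root = Path(source), Path(backup)
    stats = {"copied": 0, "skipped": 0}
    for path in src_root.rglob("*"):
        if path.is_dir():
            continue
        target = dst_root / path.relative_to(src_root)
        if needs_copy(path, target):
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)  # copy2 keeps the modification time
            stats["copied"] += 1
        else:
            stats["skipped"] += 1
    return stats


def demo() -> tuple:
    """Constructed sample: a first full run, then a run after editing one file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "Documents", Path(tmp) / "Backup"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "todo.txt").write_text("buy milk\n")
        (src / "thesis.doc").write_text("chapter 1\n")
        first = replicate(str(src), str(dst))

        # Edit one file (and bump its mtime so the change is unambiguous).
        todo = src / "notes" / "todo.txt"
        todo.write_text("buy milk\nbuy bread\n")
        os.utime(todo, (todo.stat().st_atime, todo.stat().st_mtime + 60))
        second = replicate(str(src), str(dst))
        return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run:", first)    # everything copied
    print("second run:", second)  # only the edited file copied
```

Comparing size and mtime is the cheap check most replicators use; a stricter job would hash file contents, at the cost of reading every file on every run.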

Oh, and most companies already secretly backup your work machines so consult your IT department on that or ask them for the means to backup your work computer(s). If they don't oblige then you should definitely raise Hell about it.

Spyware: The Silent Killer

If you don't know what the word 'spyware' means, then you probably do but just don't realize it. It's used as an umbrella term for software that either intercepts what you do on your computer (i.e. sites you go to, so that an advertiser knows what your interests are) or partially takes over your computer without your knowing. It's often just annoying, but there is a security risk in that it could steal sensitive information, as well. It can also install third-party software on your computer to the point that your computer is nearly unusable because its resources are bogged down. Some tell-tale symptoms are that your computer runs slower than usual, you see windows pop up out of nowhere, browsing the Internet takes much longer than usual, when you go to the task manager you see processes that probably shouldn't be there, and changes are made to your registry that you didn't make.

Side note: You know how Vista always asks you if you want to allow a program to be opened after you just double-clicked it and you think the OS must be retarded? Well, I think it does that because spyware could open software it installs without your telling it to, but if Vista forces the decision to go to you then it's less likely to work. Anyway, you can disable this if it becomes too prohibitive; I don't think you necessarily need it at its default setting.

There are two programs that I think are absolutely necessary in fighting the war on spyware, and both of them are 100% free. The first is Spybot Search & Destroy (they must love that name). Spybot is really three tools in one. My favorite is called TeaTimer, which asks you to approve any changes made to the system registry (which is just a repository for Windows settings and data). This is important because a lot of times spyware manages to install junk on your computer by modifying your registry to tell Windows to do stuff when it restarts (a lot of software you install will make changes to the registry for routine tasks like clean-up, or to make changes that it can only make before Windows boots, and such). It will also warn you when processes that look suspicious try to run. It isn't as annoying as it sounds, and will give you peace of mind. The second piece of Spybot that's great is immunization, which is basically a preventive measure (much like getting inoculation shots in real life) to keep things like tracking cookies at bay. This will protect your privacy and help keep out nasty spyware. The final piece is its scanning, which I recommend you run regularly (at least weekly). Unfortunately, there's no way to set up a schedule for it to update itself or scan your computer, so be sure to do both regularly. If you don't update it, then you're probably vulnerable to the latest, hottest spyware out there (which is the stuff you're most likely to get).

The other free, great tool is Ad-Aware. It's a great second-tier defense, it doubles as an anti-virus program (paid version), and it's highly respected. If you pay for it, you get some great benefits: scanning on a schedule, real-time protection, a process monitor, and more. It's worth the money if you have it to spare and like the software. Otherwise, just run a scan in Ad-Aware after you run your regular Spybot scan; it's worthwhile even in its free version.

Fighting Viruses (without buying Norton)

Viruses come in all shapes and sizes. The term 'computer virus' generally refers to malicious code that hides in legitimate applications but can only propagate by being physically run by a person (i.e. it cannot spread on its own; it needs your help). Some viruses are infected documents or files that exploit vulnerabilities in the programs that process them (e.g. bad .doc files that exploit a problem in Word) but infect the entire program once opened; some infect the operating system so that the infected files look normal (like the Sony rootkit fiasco, where Sony CDs restricted your ripping the CD or putting the music on certain mp3 players); and others still spread themselves over P2P networks (some media companies put these out on purpose to discourage piracy over P2P). The really bad part about viruses is the rise in polymorphic viruses, which scramble their own code to make them harder for anti-virus software to detect as they spread (technobabble: via encryption with different keys), or self-destruct when you try to run them in an emulator (which you would use to run a program in a safe environment and see whether it's infected) or a debugger (which would help discover how it works). You might even consider Skype a benign polymorphic virus because of its heavy obfuscation and anti-debugging techniques to hide how it works (for security reasons).

Fortunately, there are a few free applications to help protect you from viruses. You don't need to install them all (just your favorite one), but you can if you want. They each use different definition files, but I'm sure there's a lot of overlap. I personally use ClamWin Free, which is only for Windows (unless you count the ClamAV engine on which it's based) but it's completely free and it's lightweight. It has a scheduler and everything. The other popular alternative is Avast, which also has a paid version. Unfortunately, it's also only for Windows (or Mac, if you pay), but AVG has a free version and also works on Linux. Lastly, going back to the ClamAV engine, there is ClamXav for Macs.

The problem is that all the programs I just mentioned work by looking for the signature of a virus: like the fingerprints that a criminal may leave behind at the scene of a crime. If we haven't taken that criminal's prints before, then how do we catch him when we see his prints? Similarly, these scanners can only look for what they know about, making it hard for them to catch polymorphic viruses and impossible to catch viruses that haven't been discovered yet. In order to catch those you need an intrusion detection system (IDS) that looks for anomalous behavior, which raises the question of what normal behavior looks like. This is a field that is still being researched because we can get 0 false positives (technobabble: using static analysis of the source code in question, all alarms are correct) but not 0 false negatives (i.e. some viruses can get away). The reason that you don't see an anti-worm detector is that worms are standalone programs that self-propagate and are usually known as 0-day attacks because they spread so rapidly before they can be discovered and defended against properly (research Slammer, Nimda, Code Red, Storm Worm, or Blaster for more).

What is the point of creating a virus or a worm? Usually, it's for profit. Sending out large amounts of spam is costly, but if you are forced into a botnet (a network of zombie machines that can be surreptitiously issued commands, sometimes encrypted commands, remotely from a master) then you're part of the source of spam. Another purpose of a botnet could be a distributed denial of service attack (DDoS), where lots of machines try to open connections to a website simultaneously in order to bring it down by overloading its servers, which can be used for extortion. Sometimes it's not for money though. Sometimes it's just for glory and popularity. Make no mistake about it, worms and viruses are on the rise and you need to stay safe. What can you do about worms, though, without a reliable IDS? Try following the rest of my tips.

Setup a Firewall

I'm sure you've heard this term bounced around a lot and you may think of it as some sort of virtual, impenetrable shield. Well, it's more like a virtual moat: it tries to separate your computer and local network from the big bad Internet. The idea is to restrict not only access from the outside but outbound connections, as well. It should be obvious that you don't want bad guys to get into your machine, but why would you want to restrict connections coming from your machine? For the same reason you don't cough on people when you're sick: if you become a zombie in a botnet then you'll be phoning home to your master for commands (to do bad things to others) and if you have a worm then it'll try to spread itself so we want to keep things like this from happening.

There are several types of firewalls: packet filtering (dumb and stateless: it just examines each data packet you receive individually and follows some set rules without considering other packets), session filtering (packet filtering, but in the context of the connection the packets belong to, so some state is involved), and application-level gateways (filtering rules set up by specific applications) are some of the more common ones. Some of the reasons why firewalls aren't as powerful as the name may suggest are that they don't prevent insider attacks (I know, that's a low blow), they don't fix the problem I mentioned above of buggy software (which causes big vulnerabilities for attackers to exploit), they don't prevent denial of service attacks (hitting a machine or server hard with requests to overwhelm it into breaking down), and there are misconfiguration woes (more on this in the next paragraph). Also, realize that bad software you install from a CD, and anything else that doesn't involve connections to/from the Internet, is completely unprotected by a firewall.
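The difference between packet filtering and session filtering is easiest to see on a few packets. The following is an added example in Python, not code from ZoneAlarm or any other product the post mentions: a stateless filter that judges every packet on its own against a fixed rule, beside a stateful one that remembers which connections this machine opened. The addresses, ports and rule set are constructed for illustration.

```python
"""Packet filtering vs. session (stateful) filtering, side by side.

Added example, not code from any firewall product. The two filters and the
sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from this machine)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessFilter:
    """Plain packet filtering: every packet is judged on its own.

    Constructed rule set: let everything out; let a packet in only if it
    comes from a web server port (80/443), because that is what the replies
    to your own browsing look like. It cannot tell a real reply from an
    unsolicited packet that merely uses 443 as its source port.
    """

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return pkt.src_port in (80, 443)


class StatefulFilter:
    """Session filtering: remembers the connections this machine opened and
    lets inbound packets through only when they belong to one of them."""

    def __init__(self) -> None:
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # Record (local ip, local port, remote ip, remote port).
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: the reversed tuple must match a session we opened ourselves.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions


ME = "192.168.1.10"          # constructed LAN address of this machine
BANK = "203.0.113.5"         # constructed address of a site we browse to
STRANGER = "198.51.100.7"    # constructed address we never contacted

TRAFFIC = [
    ("browse out", Packet("out", ME, 51000, BANK, 443)),
    ("real reply", Packet("in", BANK, 443, ME, 51000)),
    ("unsolicited, spoofed as port 443", Packet("in", STRANGER, 443, ME, 51000)),
    ("unsolicited probe", Packet("in", STRANGER, 31337, ME, 135)),
]


def compare_filters() -> dict:
    """Return {label: (stateless decision, stateful decision)} for TRAFFIC."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {label: (stateless.allow(p), stateful.allow(p)) for label, p in TRAFFIC}


if __name__ == "__main__":
    for label, (a, b) in compare_filters().items():
        verdict = lambda ok: "allow" if ok else "drop"
        print(f"{label:34} stateless={verdict(a):5} stateful={verdict(b)}")
```

The third packet is the point of the exercise: the stateless rule lets it in because it looks like a web reply, while the stateful filter drops it because no connection to that address was ever opened. Real packet filters also match on flags and addresses, but the shape of the limitation is the same.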

Still, you should use a firewall because it does help keep your Internet connection tighter, so that it's much harder for bad guys to get to you to cause harm and also harder for them to do more damage even if they do get nasty code onto your machine. The most popular solution out there is ZoneAlarm. Aside from keeping out connections that clearly don't make sense, it's famous for its impressive program control functionality: whenever any of your software tries to access the Internet or act as a server, it asks you to approve it. Don't fret, you can set it to always approve a certain application that you trust without a shadow of a doubt, but it's such a great idea for you to make sure that a virus isn't hiding out and trying to receive or send data (or receive remote commands). I know it seems annoying, but you'll get used to it and it's definitely a necessary addition to your arsenal.

Use the Right Browser

This is pretty much a no-brainer: Firefox is consistently hailed as the safest browser around and Internet Explorer has historically been the worst, but Microsoft has been making changes to help rectify this. Because it's so popular, Internet Explorer's vulnerabilities are constantly being tracked down and exploited, so it's not entirely their fault. Still, Firefox's vulnerabilities are typically fixed faster and discovered less often, whether or not it has as many as Internet Explorer.

Also, Firefox 3.0 has some great security additions. It provides you with identity information right in the address bar to prevent phishing (where a bad guy designs a site identical to a site like a bank's and gets you to input sensitive information that gets sent to the bad guy; this feature allows you to verify that it's the site you think it is), it actively warns you of forged sites (again, phishing), and it blocks pop-ups (which are an easy route to force malicious code onto you). But wait, there's more! The NoScript add-on is invaluable and a must-have for anyone who browses the web: it blocks all scripts (Java, JavaScript, Flash) by default and punts to you for approval of each domain's scripts, permanently or temporarily. This helps pages load faster but, more importantly, scripts that would otherwise load automatically and could do serious damage now don't, so if you click a link by accident or something like that then you're safe! Think of it like a condom for your web browsing: it just works. It keeps the main culprits of web browsing woes, even for sensible Internet users, safely at bay. Plus, you don't get the irritating ads that appear over the article you're reading (though you can get AdBlock Plus for this). I know approving scripts can get tiresome, but after a few weeks you'll be browsing your favorite sites with ease. Oh, and Tools->Clear Private Data is also excellent for maintaining your privacy.

E-mail

Here's a biggie: safe e-mail usage. You don't need software for this, you just need to use your head. You could use Gmail though, which has two great features: you can read the start of your e-mails before opening them to see if they're gibberish or important, and it won't load images until you tell it to (yes, images can carry malicious code).

When you download attachments, I'd say you should always scan them (ClamWin adds an option to your shell menu for when you right-click on files) before you open them. Even if it comes from a trusted source, you never know (maybe they've been compromised, like in a vampire movie).

Whenever you click a link, always always always mouse over the link and look in your status bar to check that the URL matches the text you're clicking on or where it should be going (e.g. www.paepal.com is not the same as www.paypal.com). If you know that a site uses https (this means it has a Secure Sockets Layer (SSL) to prevent eavesdropping), then the URL the e-mail takes you to should also start with https and not http. However, https does not mean you can trust a given site! Anyone can set up SSL for their site, if they pay for it, to secure your transmissions, but if you're using SSL to talk to a bad guy then it just means that no one can see what you're sending to the bad guy except for them. If someone wants you to go to a fake site that involves you spending or managing your money, they're going to do a great job of replicating it and pick a URL that looks just like it should except for a couple of letters. They may even write a URL in the e-mail that you can click on that ends up going somewhere else altogether! Check the URLs you click even when you're browsing the Web normally, with a simple mouseover.
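The three checks above (does the visible text match where the link really goes, does an https promise hold, and is the host a letter or two off from a site you trust) can be done mechanically. Here is an added example in Python that is not part of the original post: it pulls every link out of an HTML message and applies those checks. The sample e-mail, the trusted-site list, and the "within two edits" lookalike threshold are constructed for the demonstration.

```python
"""Check the links in an HTML e-mail the way the post says to by hand.

Added example (not part of the original post). The sample message, the
trusted-site list and the lookalike threshold are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; bare text like 'www.example.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-or-two-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str, trusted_hosts) -> list:
    """Return the warnings for one link (an empty list means nothing looked odd)."""
    warnings = []
    href_host = host_of(href)
    shown = text.split()[0] if text else ""
    if URL_LIKE.match(shown):
        # The visible text is itself a URL, so it must agree with the real target.
        if host_of(shown) != href_host:
            warnings.append(f"text shows {host_of(shown)} but link goes to {href_host}")
        if shown.lower().startswith("https://") and not href.lower().startswith("https://"):
            warnings.append("text promises https but the link uses plain http")
    bare = href_host[4:] if href_host.startswith("www.") else href_host
    for trusted in trusted_hosts:
        if bare == trusted or bare.endswith("." + trusted):
            continue  # genuinely the trusted site (or one of its subdomains)
        if edit_distance(bare, trusted) <= 2:
            warnings.append(f"{href_host} is a near-match for {trusted}: likely a lookalike")
    return warnings


def scan_email(html: str, trusted_hosts) -> list:
    """Return [(href, warnings)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text, trusted_hosts)) for href, text in collector.links]


# Constructed sample message: one honest link, one phishing-style link.
SAMPLE_EMAIL = """
<p>Please review your account:</p>
<a href="https://www.paypal.com/">Log in to PayPal</a><br>
<a href="http://www.paepal.com/login">https://www.paypal.com/</a>
"""

if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL, ["paypal.com"]):
        print(href, "->", warnings or ["ok"])
```

The second link in the sample trips all three checks at once, which is exactly the kind of message the post is warning about; the first passes because its text is plain words rather than a URL and its host is the trusted one.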

Watch out for spam! Mark spam as you see it in your favorite e-mail client and don't bother reading it. If, for whatever reason, it happens to be an ad that's tempting and you think may be from a trusted source, then research the URL it suggests before you click on it. Just do a simple Google search, or a simple DNS lookup/whois (i.e. check that the URL's domain belongs to someone legitimate). It's honestly just that simple. People are lazy and don't do this, so many fall for scams and phishing attacks.

In general, don't read e-mails that you don't expect. That's a pretty good policy to follow.

Don't Forget Security Patches!

Keep your system patched! Don't you have to get your kids the proper shots before they go to school? And don't your pets have to get their shots, too, before you take them home? So why not give your computer the same treatment? You must install any security updates that your OS pushes out, as well as those for your browser, anti-virus software, anti-spyware software, and your firewall, or else they're useless. That's just the minimum: you should really be patching anything you use. Some pretty big outbreaks have come out of unpatched software, like Code Red I, which hit unpatched copies of Microsoft's IIS Server software. From sifting through hundreds of vulnerability descriptions in the NVD for my research, I can safely say that not keeping some of your simplest software updated can completely compromise your entire computer. Don't avoid updates because they require restarts or something like that, just take the 5 minutes to do it! You'd be surprised how severe the consequences can be if someone takes advantage of your procrastination.

Passwords

This is more of a general tip that doesn't require much explanation: you need to have good passwords for anything that matters to you. What's a good password? It can't be a dictionary word and should be hard to guess based on any information about you that's publicly available. So if my password was "eltoneptiger" then I'd be kind of dense. The best password crackers in the world rely first on creating passwords from what they know about you, then try common passwords (like "password") and default passwords, and then they try dictionary words. The best way to thwart them is random combinations of letters (upper and lower case), numbers, and symbols. Of course, if it's random how do you remember it? Just try to come up with a story that is abbreviated by the characters in your password, or similar mnemonic devices. You can start here.
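The order in which the post says crackers work (what they know about you, then common and default passwords, then dictionary words, then everything else) translates directly into a checklist. The following is an added example in Python, not part of the original post: a checker that applies those tests in that order and reports what it finds. The word lists are small constructed stand-ins for real wordlists, and the 12-character minimum is an assumption of this example, not a number from the post.

```python
"""Password checks in the order the post says crackers try guesses.

Added example, not part of the original post. The word lists are tiny
constructed stand-ins for the multi-million-entry lists crackers use, and
the 12-character minimum is an assumption of this example.
"""
import string

COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "admin", "welcome"}
DICTIONARY = {"tiger", "elton", "summer", "dragon", "monkey", "welcome", "football"}


def password_problems(password: str, personal_info=()) -> list:
    """Return the reasons a password is weak (an empty list means none found)."""
    pw = password.lower()
    problems = []

    # 1. Anything public about you (name, pet, team, birth year...) is tried first.
    for fact in personal_info:
        if len(fact) >= 3 and fact.lower() in pw:
            problems.append(f"contains personal information: {fact!r}")

    # 2. Common and default passwords come next.
    if pw in COMMON_PASSWORDS:
        problems.append("is a common or default password")

    # 3. Dictionary words, with the usual trailing digits stripped off too.
    stem = pw.rstrip(string.digits)
    if pw in DICTIONARY or stem in DICTIONARY:
        problems.append("is a dictionary word (digits on the end don't fix that)")

    # 4. Only now does brute force matter: length and character variety.
    if len(password) < 12:
        problems.append("is shorter than 12 characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower case, upper case, digits, symbols")
    return problems


if __name__ == "__main__":
    samples = [
        ("eltoneptiger", ("Elton", "Tiger")),   # the post's own bad example
        ("password123", ()),
        ("tiger2008", ()),
        ("MdW!2tC&r3dT", ()),                   # "My dog Walks! 2 the Cabin & rests 3 days Tuesday"
    ]
    for candidate, info in samples:
        print(candidate, "->", password_problems(candidate, info) or ["no problems found"])
```

The last sample is the mnemonic trick the post recommends: a sentence you can remember, abbreviated into characters nobody can guess, and it is the only one that comes back clean.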

Please do me a favor: when given a default password, always change it. Kevin Mitnick likes to tell a story of how a bank was robbed because of a router using its default password. There's an attack called drive-by pharming where, if you don't change the default password on your router, an attacker could use an invisible JavaScript script to reconfigure your router so that putting in things like "www.wamu.com" will take you to their fake WAMU site so that you hand over your password. The scary part of that attack is that you wouldn't know you had been victimized, because the URL would probably look alright (your router is supposed to look up the URL's domain using a Domain Name System (DNS) server, but if it's corrupted then it may not do this properly). (Note: if you used NoScript then I think you'd be safe from this attack.)

If you want to protect your CPU, you can change your computer's password in its BIOS so that if your computer gets stolen the CPU is useless. I personally don't do this, but it's not a bad idea. You should also have a password to run your OS and make the screensaver ask for a password when you resume usage. Always lock your computer when you walk away from it when around other people so that it asks for this password, and make it a good one so that it can't be cracked.

Quick tangent from passwords: be sure to encrypt your important data so that it's useless even if stolen. Software like Microsoft OneNote and Excel have this functionality built-in, but there's plenty of other software (like Notepad++) that can do this.

Conclusion

I know I've given you a lot to swallow, and following all of it still doesn't guarantee that you're 100% safe, but it means that you're better protected than 90% of people out there, so it'd be pretty hard for you to run into issues. Since I've started following them over the past several years I haven't had a single security breach. The key is not necessarily to be scared, but to be vigilant and use common sense.

Have a great 4th of July weekend everyone! I head to Seattle early Monday morning to arrive on Wednesday night, but I'll do my best to squeeze out another post before then including reviews of Wall-E (A+) and Get Smart (B+/A-).
