Wednesday, December 22, 2010

Tutorial: PC Security, Revisited

Now that the Christmas shopping season is in full swing, most of us are going to shop online at some point, and some of us may even buy a new computer. The blogs and pundits are abuzz about computer security, with a lot of talk about password management. Password management is just one aspect of security. Today we're going to review security as layers of protection rather than relying on a single product to protect us. The ideas presented here show how to build a decent gauntlet that threats must run before they can take over a computer.

A little history about me is in order here. I have had the opportunity to watch the Internet grow from the early days in 1991. I got my first email address that year with a BBS (Bulletin Board System) called the 0x0 Republic. With my first email correspondence, I was fascinated with the notion that I could exchange emails with someone across the world. Maybe more than a few of you are old enough to remember those days of the BBS, Compuserve and the 14.4k Modem.

Back then, I had a humble Commodore Amiga 500 computer. No, it didn't run MS-DOS; it ran AmigaDOS. As you can see from the screenshot of the Amiga 500 in the preceding link, this computer didn't run Windows, either. AmigaOS borrowed many ideas from UNIX, allowing the use of a command line or windows and icons to operate the computer. Its user interface was very advanced compared to the Mac and the PC of the time. Unfortunately, through its own management errors, Commodore eventually went into bankruptcy.

Around the time that I was an Amiga user, computer security wasn't really an issue for consumers like it is now. Most personal computers were still single user, general purpose computers and apparently, only a few people bothered to write a virus for the Amiga. Back then, very few people even connected their home computer to another network let alone the Internet.  I can remember reading about the Ethernet connection and wanting to know how I could get one for my computer.  Commodore was a very proprietary company and that made it hard to find a standardized component that would connect my computer to the Ethernet, whatever that was.

Eventually I got an Apple PowerBook 140b. It was with this computer that I first got a taste of the World Wide Web around 1994-5. It was a slow, stodgy, black and white experience, built onto a dial-up connection. But it was enough for me to do my research at the time. Back then, Alta Vista was the search engine of choice and they were considered to be the fastest search engine of the time.

In 1997 I got my first Windows laptop. I can remember shopping for Windows software for the first time and laughing when I realized what I had been missing while working on the Mac. I found a nice dialup ISP to work with, too. From there, I started to really get a sense of what could be found on the Internet. For years, I went without antivirus, not completely oblivious to the dangers - just being careful not to open attachments from strangers.

In 1999, I got a computer with Windows 2000 Professional. Around that time I had moved into a place with cable access to the Internet. I went from a 56k modem to 1.5 Mbps in speed. I had taken some classes on Windows and learned something about the security built into it. I started to read the tech news every day and noticed that more and more, viruses and trojans were making the news. So I got some antivirus software.

I started out with Norton Antivirus and eventually moved on to ESET's NOD32. While working with the antivirus software, I remembered something that my Dad taught me in terms of strategy: no defense can anticipate all attacks. So I started collecting tools and programs in an effort to build a secure environment for myself.  This combination of software tools is what I'd like to share with you. It is built from years of experience and through more than 14 years of running Windows. Because of this training, learning and vigilance, I've only had to rebuild a computer once due to a virus.  

Keep in mind, too, that no software can stop you from doing something you know you shouldn't. If you open an email attachment from someone you don't know, you're asking for trouble. If you click a link in a spam message that takes you to a site harbouring malicious software, your computer may well be toast even with the best defenses available: such a site is waiting for you, and its authors have tested it against the most likely defenses your machine will offer. So let's look at the layers of defense you can use to protect your computer.

First and foremost, if you're running Windows, you're probably running as an administrator. An administrator account can do *anything* to your computer, and that includes damaging it. The alternative is a "limited" account (XP) or "standard" account (Vista and 7): a regular user account that can change its own files and settings but can't touch the operating system, so it can do very little damage to the computer. To put it simply, admin accounts should only be used for maintenance, upgrades and software installation/removal. Limited user accounts should be used for everything else: web browsing, email, playing games, writing correspondence, online banking, etc.

You're probably asking why you didn't know about the difference between accounts. Microsoft has slowly but surely been improving the way it educates its users. However, Microsoft still tends to favor convenience over security, so the part about administrator rights tends to be left out of the education it provides.

It all starts when you boot your computer for the first time. Windows prompts you for at least one user name, and for the names of other people who might use the computer, and gives you the option to set a password for each of them. Neither Windows XP, Vista nor 7 gives you much of an explanation of the difference between account types. So, unless you're already informed, you end up creating one or more admin accounts and using those. Most people run with the original account they created on day one, many set it to log in automatically without any password, and most are hardly aware of the dangers of using that account.

As a rule, you should never be running as admin unless you need to install a printer or software, remove software, and the like. For anything else, operate your computer as a limited user. To put this in perspective, analysts who go through Microsoft's monthly security bulletins estimate that the large majority of critical Windows vulnerabilities (figures above 90% are commonly cited) are mitigated when the user isn't running as admin: the exploit may still run, but it can't install drivers, alter system files or hide itself from the antivirus.

The reason for this is simple, but not very well understood by the general public. You see, most of the latest viruses and trojans install on your computer silently. Virus writers realize that most people will trash emails with attachments from people they don't know (and even from people they do know if they were not expecting that email). So the virus writers use stealth.

When your computer is being attacked, you will get no clue that new software is being installed - when you are running as an admin. Windows 7 helps with its User Account Control (UAC) prompt, but W7 shares Windows XP's philosophy of convenience over safety: the prompt can be clicked through by reflex, it can be turned off entirely, and a determined piece of malware already running in an admin account can work around it and trash your computer.

After a successful attack, you won't notice much other than that your computer is running a bit slower - maybe a lot slower - than before. Malware changes the computer for its own benefit at the expense of everything else. Why is it slower? Because when it's infected, it's shipping spam by the thousands, hosting a web site, participating in Denial of Service attacks or even serving up more malware to other people.

Now if you're running as a non-admin or limited user and you hit a drive-by download, the install fails: on XP you get a message along the lines of "you do not have permission to install this software - please contact your administrator", and on Vista or 7 the UAC prompt asks for an administrator's password instead. If you were not planning on installing any new software, don't type that password; it's time to leave quietly and never come back to that site. Ever.

So, if you have not done so already, create a second account that is an administrator. Be sure to give it a password (and don't lose that password - you'll need it later); an admin account with no password is an open target for malware. Then take the account you've been using from the beginning, give it a password too, and turn it into a limited (standard) account. This way you'll still have access to your favorites, all your settings and your documents. Whenever you need to add something to the computer or do maintenance, log in to the admin account (or, on Vista and 7, type its password at the UAC prompt). For everything else, it's Visa, er, Vista, I mean...um...your limited account.

So that's the first step. Just changing the type of account you use for daily computing is a big step towards preventing infection from a virus or trojan. Remember, most Windows vulnerabilities lose most of their bite when you're not running as admin.

Windows Update. Whatever you do, run Windows Update once a week, or at the very least when you see a Windows Update notification. It's also very important to run it on the day the updates are issued: Microsoft releases its security fixes on the second Tuesday of every month ("Patch Tuesday"). The reason is that attackers reverse engineer each patch as soon as it is out to find the hole it closes, then build attacks against everyone who hasn't installed it yet. Malware engineers are counting on people being lazy about updates. Running updates on a regular basis (for any other operating system as well, including MacOS and Linux) will further limit your chances of infection. If you see a notification for updates on your computer, it's time to get them done.

It should be noted that Windows 7 has a feature that I had previously seen only in Linux and MacOS: it can notify non-administrator users that new updates are available, and let standard (or limited) accounts install them. You might recall that in XP, Windows reveals a little yellow badge with an exclamation point in the task bar at the lower right-hand corner of your screen; that is the Windows Update notification, and in XP it is only shown to administrators. With Windows 7, even if you're not an administrator, you can see it too, provided the setting is turned on: in Windows Update's "Change settings" page there is a checkbox, "Allow all users to install updates on this computer". With that set, installing updates is the one administrative task you can do from a non-administrator account.

Note also that on April 8th, 2014, Microsoft will no longer release updates for Windows XP. If you don't want to upgrade to the next version of Windows, consider alternatives like Linux Mint, Ubuntu GNOME and Fedora. They are far less exposed than Windows (a non-admin account and a package manager are the defaults, and very little malware is written for them), and they will extend the life of your computer by using fewer resources than Windows did. This is great for your kids' career prospects, since Linux skills are still hard to find, and while they don't know much about Linux it's rather difficult for them to mess up their computer by installing a "happy mouse" program downloaded from some unscrupulous website.


The nice thing about the Windows update notification for non-admins is that you’re not running as administrator all the time, you’re still notified of updates and you can install them without logging out and logging in as an administrator.  This makes it easier to update your computer, and that means your computer will be kept up to date even when you run on a non-administrator account.

And now for antivirus. This is part of what is known as the Windows Tax. The first part of the Windows Tax is that you pay for the Windows license no matter where you buy your computer, even if you don't want to use Windows. That is the Microsoft way. Then you pay for the antivirus and other security software. Most good antivirus programs cost $40-60 for the first year, and 20-30 bucks a year thereafter. The best antivirus will update its signatures completely without user intervention. Norton Antivirus was not one to do that when I was using it (though it's been a few years and perhaps things have changed with Norton). As an alternative, I heartily recommend ESET NOD32, simply because its updates occur automatically without your being logged in as admin. Version upgrades will require admin access, but that is a fairly rare occurrence (once or twice a year).

I don't recommend Symantec/Norton for a couple of reasons: they are a big, fat, complacent company with a huge market share. Try getting a hold of customer service there and you’ll see what I mean. On the other hand, ESET is hungry for your business. I can easily get a hold of their techs without cycling through their entire music on hold playlist. While their songs are interesting, they’re not compelling, and they do offer good tech support.

Yes, there are others to consider, such as the free version from AVG. But you do, in a sense, get what you pay for. Caveat Emptor.

Remember what I said about how no defense can anticipate all attacks? Well, even NOD32 isn't perfect. So I strongly recommend antispyware as well. SuperAntiSpyware and Ad-Aware are both great products that find a lot of stuff your antivirus doesn't look for, such as tracking cookies. Cookies can be used to track your movements around the web and send that information back to the Mother Ship; they don't infect your computer, but you don't want them either. Anti-spyware makes a good complement to your antivirus software.

It's worth noting here, that a fellow IT guy told me the following: ESET (NOD32) recommended SuperAntiSpyware as a complement to their own product. I asked ESET about this by phone and they acknowledged that their product won't catch *everything*. That is a very humble and honest statement to make, and heartening for me to hear. I've had similar experiences first-hand myself, so it's nice to hear it from someone else. That is why I like ESET.

So, we've covered the user accounts, the antivirus and the antispyware. You're also going to want a personal firewall. This is useful for stopping malicious software that is trying to call home, you know, to the Mother Ship. I have experience with two products for this purpose: ZoneAlarm and ESET's Security Suite w/NOD32. They are both highly recommended with full acknowledgement of other products out there.

They both watch those loose cannons known as "open ports". Gibson Research Corporation (GRC), whose ShieldsUP! scanner probes your connection from the outside, helped me to understand the open ports issue and inspired me to try ZoneAlarm. Personal firewalls also show you when software is trying to call home and give you a chance to block the transmission of sensitive information back to the Mother Ship. One caveat: that chance is only as good as the account the malware is running in; a program running as administrator can simply switch the firewall off, which is one more reason for the limited account.

There's another kind of firewall known as a router. This is a physical device, the box that lets you share one Internet connection among several computers. Common brand names for routers include Linksys, Netgear, and D-Link. These are all top brands and they all provide an extra level of security, because the router stands between your computers and the Internet and by default has nowhere to deliver a connection that nobody inside asked for. But that security only works if you enable it and configure it properly.

You can think of the router as the bouncer. The router uses one public IP address to talk to the world and gives each of your computers a private IP address (192.168.x.x is the usual range) that the rest of the Internet cannot reach directly. When you click a link in a web page, your computer sends the request to the inside port of the router. The router notes the request in its connection table (which inside computer asked, which outside server was asked, and on which ports), rewrites the request so that it appears to come from the public address, and sends it on to the destination server. When the server's reply comes back, the router checks it against that table. If the reply matches a request someone inside made, it's "invited" and is forwarded to the right computer; if nothing inside asked for it, it's not getting in. That's what a bouncer is supposed to do.
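The bouncer in code, as an added example that is not part of the original post: a toy stateful NAT router with a connection table, where outbound traffic creates an entry and inbound traffic is admitted only if it matches one. The addresses and packets are constructed (RFC 5737 documentation ranges), and the model ignores TCP state and timeouts, which a real router also tracks; the same connection-tracking idea is what a personal firewall applies on the computer itself.

```python
"""Toy model of the router-as-bouncer behaviour described above.

Added example, not from the original post. It models a stateful NAT router
with a connection table: outbound packets create an entry and leave with the
router's public address; inbound packets are admitted only when they match
an entry. All addresses and packets are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class NatRouter:
    public_ip: str                 # the one address the outside world sees
    next_port: int = 40000         # next public port to hand out
    # public_port -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: record the flow, rewrite the source to the public address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:          # same conversation: reuse its mapping
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: admit only replies to something an inside host asked for."""
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if entry is None:
            self.dropped.append(pkt)       # nobody inside asked for this
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.dropped.append(pkt)       # right port, but not the server we talked to
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def demo():
    """Walk one request/reply through the router, then two uninvited packets."""
    router = NatRouter(public_ip="203.0.113.7")           # constructed, RFC 5737
    laptop = "192.168.1.10"
    web_server = ("198.51.100.20", 80)
    # 1. the laptop asks a web server for a page
    request = Packet(laptop, 51000, *web_server, "GET / HTTP/1.1")
    on_the_wire = router.outbound(request)
    # 2. the server's reply arrives at the public address and port: invited
    reply = Packet(*web_server, on_the_wire.src_ip, on_the_wire.src_port, "200 OK")
    delivered = router.inbound(reply)
    # 3. an unsolicited probe at a port nobody inside opened: dropped
    probe = Packet("192.0.2.99", 4444, router.public_ip, 445, "SMB probe")
    # 4. a forged "reply" to the right port from the wrong sender: dropped
    forged = Packet("192.0.2.99", 4444, router.public_ip, on_the_wire.src_port, "fake")
    rejected = [router.inbound(probe), router.inbound(forged)]
    return on_the_wire, delivered, rejected, len(router.dropped)


if __name__ == "__main__":
    print(demo())
```

Note that case 4 is why the table keeps the remote address as well as the port: a packet aimed at an open mapping still has to come from the server that mapping was created for.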

All routers require some form of administration to enable security. Nowadays, consumer routers come with a CD that walks you through the steps of configuring the router. This is especially important if you're using a wireless router. On any router, you want to make sure that remote administration of the router is disabled - this is usually the default setting. You will also want to change the admin password, which is usually "admin" by default; the factory password is printed in every manual, so if you do not change it, someone else can do it for you and reconfigure the router to their liking rather than yours. Check for firmware updates from the manufacturer from time to time as well, since routers get security fixes too. Check the CD and the online manual for your router for details.

If you're not sure how to configure your router, it is highly recommended that you consult an experienced friend or a professional you can trust to do the job for you. If you do, make sure they clearly document the setup so that you know what was done and can pass that information on to someone else if you need to.

If you're using a wireless router, you must also set the passcode for access to your wireless network, and use WPA2 encryption for it (WEP, the older option, has been broken for years and only looks like protection). Otherwise your network is "open": anyone in range can freeload on your cable or DSL Internet access, and they can also see your computers and the resources on them. It's important that you use very strong passwords to secure your devices and accounts. Words that are easy to remember are also easy for a dictionary attack to guess, and tacking a digit or two on the end of a word doesn't change that, since the attack tries those variations too. A strong password is long (length matters more than any other single rule), doesn't make any sense, and mixes at least upper and lower case letters and numbers. You should also use non-alphanumeric characters (e.g., !@#$%^&*()_+) as part of it. The last word on wireless routers is this: if you're not using wi-fi, turn it off. It's one less security hole to worry about.

I know that a good password is hard to remember. Well, fear not. You can save your passwords in an encrypted file by using KeePass, a free, portable, cross-platform password manager. It encrypts the database with AES using a key derived from a master password, so the file is useless to anyone who steals it without that password. Once the master password is set and the file is opened, you create a set of credentials for every website or application you use. This lets you use a different password for every site you go to. And believe me, you will want to use a different password at every site.

Why? Because all it takes is one slip to fall. If you use the same username and password at every site you go to, even for the bank, then anyone who gets your credentials from the weakest of those sites (a breach, a phishing page, a careless forum) can try them everywhere else.

I like to use a different password for every website I go to. For financial sites, I don't even use a recognizable "name"; instead, I make everything hard to guess. KeePass lets me do this with a very good password generator. KeePass can copy the username and password to the clipboard for pasting into a website, and it can also type them into the website automatically. Don't worry, KeePass automatically erases the Windows or Linux clipboard 30 seconds after the copy by default, and you can set that timeout as long or short as you want.
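An added example (not code from the original post, nor KeePass's own generator) that puts the password advice above into code: it undoes the decoration people add to dictionary words (case, leet-speak, trailing digits), checks for the character classes the text calls for, estimates the bits of randomness, and generates passwords with the operating system's CSPRNG through Python's secrets module. The word list, leet table and passwords are constructed for illustration; a real attacker's list has millions of entries and far more mangling rules.

```python
"""Password hygiene helpers in the spirit of the advice above.

Added example, not from the original post or from KeePass. The word list,
the leet-speak table and the passwords checked are constructed; a real
dictionary attack uses lists of millions of words and leaked passwords.
"""
import math
import secrets
import string

# Character classes; the symbol set is the one the text suggests.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()_+",
}

# Constructed, deliberately tiny stand-in for an attacker's dictionary.
WORDLIST = {"password", "letmein", "welcome", "summer", "amiga", "christmas"}

# Substitutions a cracker's mangling rules try in reverse.
_LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Undo the decoration people add to a word: case, trailing digits or
    symbols ('Summer2010!'), and leet-speak ('P@ssw0rd')."""
    stripped = password.lower().rstrip(CLASSES["digit"] + CLASSES["symbol"])
    return stripped.translate(_LEET)


def is_dictionary_derived(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a dictionary word plus cheap decoration."""
    return base_word(password) in wordlist


def character_classes(password: str) -> set:
    """Names of the classes ('lower', 'upper', 'digit', 'symbol') present."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Upper bound on randomness: assumes every character was drawn uniformly
    from the union of the classes present. A dictionary word scores far lower
    in reality, which is why is_dictionary_derived() is checked first."""
    pool = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password: str, min_bits: float = 60.0) -> bool:
    """Not dictionary-derived, all four classes present, and enough bits."""
    return (not is_dictionary_derived(password)
            and character_classes(password) == set(CLASSES)
            and entropy_bits(password) >= min_bits)


def generate_password(length: int = 16) -> str:
    """Password from the OS CSPRNG (secrets), retried until it passes is_strong()."""
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2010!", "Xk9#mQ2vLp!4", generate_password()):
        print(f"{pw:20} dictionary={is_dictionary_derived(pw)!s:5} "
              f"bits={entropy_bits(pw):5.1f} strong={is_strong(pw)}")
```

The order inside base_word matters: trailing digits are stripped before the leet table is applied, otherwise the "0" in "Summer2010!" would be turned into an "o" and the word would slip past the check. The retry loop in generate_password is the simplest way to guarantee every class is present without biasing where the symbols land.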

Remember the news about how Sarah Palin's Yahoo account was hacked? It happened because the answers to her secret questions were easy to guess by someone who knew her history. A secret (or security) question is meant to be one only you can answer, so that if you forget your password you can recover it by answering. Instead of a truthful answer that a stranger can look up, treat the question as another chance to use a strong password: give a random answer and store it in KeePass alongside the rest of that site's credentials.

But I digress. Back to the router. Once you have set up the router, you will also want to set up DNS on the router, too. DNS is the Domain Name System, the service that translates the Internet address you know, like www.google.com, into an IP address, like 208.67.219.230 (verified with the ping command; note that the exact answer depends on which DNS server you ask, which is the point of the next few paragraphs). DNS is part of the backbone of the Internet. Without it, you would have to remember the IP addresses of all your favorite websites; it creates the convenience of using names rather than numbers to get where we want to go on the Internet.

Most computers set up their IP address and DNS automatically when they start up, getting that information either from your ISP or from your router, depending on your setup. In Windows, it's fairly easy to set your own DNS servers, too, and most routers allow you to use a DNS other than the one provided by your cable or phone company.

There are two alternatives I like to use: OpenDNS and Google Public DNS. OpenDNS provides a great safety service for your Internet connection: it does a lot of research into where the malware, porn and criminal activity are coming from and steers you clear of them by refusing to resolve those names. I use the service so that if I should happen to type the wrong address, I'm routed safely away from rogue sites that are serving unwanted content.

Google Public DNS is a different kind of service: it's a fast, plain resolver run on a much, much larger scale, and it does not filter. The blacklists you may have heard about come from Google's Safe Browsing project, which crawls millions of sites every day looking for ones that dispense malware, reports back to website owners whose sites have been compromised, and feeds the warning pages built into Chrome and Firefox. So OpenDNS protects you at the DNS layer, Safe Browsing protects you in the browser, and Google Public DNS simply gives you a reliable resolver that isn't your ISP's.
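As an added example (not from the original post, from OpenDNS or from Google), here is what a DNS lookup carries on the wire and where a filtering resolver steps in: a query is built byte by byte, the answer is parsed back, and a toy resolver substitutes a block page for any name on its blocklist. The names, addresses, zone table and blocklist are all constructed, and nothing is sent over the network.

```python
"""What a DNS lookup carries on the wire, plus the blocklist step a
filtering resolver such as OpenDNS adds in front of the answer.

Added example, not from the original post or any real resolver; the
names, addresses (RFC 5737 ranges), zone and blocklist are constructed.
Only the standard library is used and nothing touches the network.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags with RD=1, QDCOUNT=1, others 0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # pointer to an earlier copy of the name
            if end is None:
                end = offset + 2                # a pointer ends the name in the stream
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(msg: bytes):
    """Return [(name, ipv4)] for each A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                    # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Answer with one A record; 0xC00C points back at the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD=1, RA=1
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + bytes(int(octet) for octet in ipv4.split(".")))
    return header + query[12:] + rr


class FilteringResolver:
    """Answers from a zone table, but substitutes a block page for any name
    on its blocklist: the safety net a filtering resolver adds."""

    def __init__(self, zone: dict, blocklist: set, block_page: str):
        self.zone, self.blocklist, self.block_page = zone, blocklist, block_page

    def resolve(self, query: bytes) -> bytes:
        name, _ = decode_name(query, 12)
        if name in self.blocklist:
            return build_response(query, self.block_page, ttl=0)
        return build_response(query, self.zone[name])


def demo():
    """One clean lookup and one that hits the blocklist."""
    resolver = FilteringResolver(
        zone={"www.example.com": "198.51.100.10", "malware.example.net": "203.0.113.66"},
        blocklist={"malware.example.net"},
        block_page="192.0.2.1",
    )
    good = parse_answers(resolver.resolve(build_query("www.example.com")))
    blocked = parse_answers(resolver.resolve(build_query("malware.example.net")))
    return good, blocked


if __name__ == "__main__":
    print(demo())
```

The block page answer is sent with a TTL of zero so that the client does not cache it; a real filtering resolver also has to decide what to do about the same name asked over IPv6 (AAAA) and about clients that bypass it by talking to another resolver directly, which is why the filtering belongs on the router for every machine behind it.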

Another very good tool is the Netcraft Anti-Phishing Toolbar, for Internet Explorer, Firefox and Chrome (the toolbar runs in Chrome and Firefox on Linux, too). This toolbar provides information on every website you visit. First, it gives you a risk rating with a colored bar. If it's red, you'll want to go elsewhere; if it's green, you should be fine. It also tells you how long the site has existed and its rank in terms of popularity. Along with that, you get the hosting country, with a little flag to denote the nation, and the name of the hosting service where the site is maintained.

To give you an example of how this works, imagine for a moment that you've received an email from Bank of America. They're telling you that you need to update your account information because it has not been updated in a while and they're concerned about the accuracy of their records. They kindly provide you with a link to their site. So you click on it. The Netcraft Toolbar reveals that the site is hosted in Russia and was only created a month ago. Hmmm. Time to close the browser, open a new one and go somewhere else. If you think the message might be genuine, type the bank's address in yourself rather than following the link; a real bank's site will be there whether or not the email was.
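One piece of the toolbar's judgement can be done offline. The following is an added example, not from the original post and not Netcraft's own logic (which also uses hosting country and site age, data this script does not have): it pulls the links out of an HTML email and flags three tells common in the lure described above, a brand name used on someone else's domain, visible text that names one site while the link goes to another, and a raw IP address in place of a name. The email and the brand table are constructed.

```python
"""A first pass at the question the toolbar answers: does the link in the
email actually lead where it claims to?

Added example, not from the original post and not Netcraft's logic. The
sample email, the brand table and the addresses are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table: brand keyword -> the registrable domains it really uses.
KNOWN_BRANDS = {
    "bankofamerica": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
}


def is_ip_literal(host: str) -> bool:
    return host.replace(".", "").isdigit()


def registrable_domain(host: str) -> str:
    """'login.secure.bankofamerica.com' -> 'bankofamerica.com'.
    Simplification: assumes a one-label public suffix; real code uses the
    Public Suffix List so that names like example.co.uk are handled."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    return ".".join(host.split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def assess_link(text: str, href: str) -> list:
    """Return the reasons a link looks like phishing; an empty list is a pass."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    target = registrable_domain(host)
    # 1. The visible text names a site, but the link goes somewhere else.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != target:
            findings.append(f"text says {registrable_domain(shown)} but link goes to {target}")
    # 2. A known brand's name appears in the URL, but the domain isn't theirs.
    haystack = (host + url.path).lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in haystack and target not in domains:
            findings.append(f"brand {brand!r} used on unrelated domain {target}")
    # 3. A raw IP address instead of a name: no bank links like that.
    if host and is_ip_literal(host):
        findings.append("link points at a raw IP address")
    return findings


def scan_email(html: str) -> dict:
    """Map each href in the message to its findings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: assess_link(text, href) for text, href in extractor.links}


# Constructed sample in the style of the "update your account" lure above.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://bankofamerica.com.account-verify.example.ru/login">
update your account</a> at <a href="http://203.0.113.9/boa">www.bankofamerica.com</a>.</p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The first link is the classic trick: the bank's real domain is there, but only as a subdomain of a host the attacker controls, and registrable_domain() is what makes that visible. A pass from this script is not proof of safety (a look-alike domain such as a misspelling of the brand would get through), which is where the toolbar's age and hosting data come in.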

In summary, I'm using layers of protection, with each layer providing protection in different ways. Here is a point list summary:

  • Never run as admin on your computer, unless you’re performing maintenance, software installs, hardware upgrades or updating Windows.
  • Run Windows Update at least monthly, on Patch Tuesday (the second Tuesday), and whenever you're notified.
  • Install and maintain antivirus that updates without admin support.
  • Install and maintain some sort of anti-spyware.
  • Install and maintain a personal firewall.
  • Install and configure a router (not much maintenance is required for this).
  • Use a secured password manager to manage your passwords (don't leave your credentials on pieces of paper, sticky notes on your monitor or in a spreadsheet on your computer).
  • Use OpenDNS (a filtering resolver) or Google Public DNS instead of your ISP's resolver; of the two, only OpenDNS blocks known bad sites.
  • Use the Netcraft Anti-Phishing Toolbar so that you can find out whether the site you're on is safe.
Here, I have 9 layers of security to prevent my computer and/or my identity from being compromised. You may want to implement a few or all of them depending on your security needs and desires.  But you should do something so that you can rest easier knowing that at least you’re a bit more secure than before.

The Internet has given us a sort of freedom never before experienced in human history.  The freedom to share ideas, learn new ideas and to grow from the experience.  The price of freedom is eternal vigilance.  But, by practicing the techniques shown above, you can reduce the cost of freedom to just a few pennies and minutes a day once it has been implemented. An ounce of prevention is worth a pound of cure.

I hope you all find this information helpful and can put it to good use.  Have a safe shopping experience while you prepare for Christmas. Be well.
