Wednesday, January 24, 2007

A Different Kind of Home Security


No, really, it won't.

Not that I don't appreciate the desire to help, but please do not forward this sort of thing to me, to your friends or family, to your co-workers, or to your mailing lists (especially not to your mailing lists).

Don't forward them even if they come directly from someone you know and trust, or if they say they come from Microsoft, Symantec, McAfee, IBM, the Department of Defense, or anyone else for that matter; reputable organizations do not send virus alerts to the public by email (your own IT department sometimes will, but even then, don't forward those warnings to other people).

Most of these virus alerts are what we call social engineering attacks. They are mostly just chain letter hoaxes, but even the real warnings end up clogging email systems as badly as real viruses do. In fact the original writers of the emails are doing that DELIBERATELY; they know that you want to be helpful and will forward it to everyone in your address book, who will forward it to everyone in their address book, and so on.

There are in fact entire web sites dedicated to these virus hoaxes: how to recognize them and what to do about them (and real viruses, for that matter).

Now, that doesn't mean you should ignore security; it's good that you want to do something about it; but you need to know the RIGHT thing to do to protect yourself.

We've talked a lot here about how to protect your home physically; but there's a big hole there in protection that we haven't covered. We need to talk about how to protect your information; which is almost as important to your safety as your doors and windows are.

Protecting physical information (especially against identity theft), is another issue we'll talk about later; but it's one where lots of good resources are available online right now. The shorthand version is pretty simple: watch your mail, check your credit every 90 days, and buy (and use), a shredder.

What I don't see very often is good, basic, comprehensive advice for keeping your computers and networks secure.

Folks, I do this for a living. Most of you know I'm a security consultant. My company does physical, electronic, and personal security consulting; but for years now, most of my business (and most of my money) comes from information security consulting. I get paid more (a lot more) for protecting people's information than I ever got for protecting their property, or even their lives.

Think about it, what would hurt you more. Losing your big screen TV, or losing 10 years of your billing, investment, and tax records?

I do this for large companies mostly (hell, I'm currently working for one of the 100 biggest companies in the world), but I also perform services for small business and for private individuals; and if people would just follow the basics, in both big companies and at home... well, I'd be out of a job.

OK, that sounds good, but actually I wouldn't, because there will always be the hard problems that the basics don't solve; but my job would involve a lot less cleaning up after dumb, easily preventable, mistakes. Preventing them is simple, but cleaning up after them is NOT; and it takes a huge amount of time, effort, and money.

How much money?

How about somewhere between 200 billion and 2 trillion dollars a year worldwide, either lost to malware attacks or spent cleaning up after them. Those estimates vary hugely because of differing methodologies and assumptions, but either way it's a lot of money.

On a personal level; my rate for professional consulting is as high as $1250 a day (or $156.25 an hour, four hour minimum - short term, non contract, inclusive corporate rate with no travel); and even for my high volume, long term contract customers it only goes down as low as $75 an hour (my "friend rate" is $40 an hour if I bother charging at all; and it usually takes a friend pestering me unreasonably for a while before I'll charge them, or even accept the money they try to force on me. I DON'T work for family ever, except my mom who I obviously don't take money from; it's just not worth the grief and pain later).

My rates are typical of the industry for serious professionals; and even storefront services like Geek Squad, FireDog, and DataDoctors charge similar rates. Geek Squad for example charges at least $350 to clean up one computer; and that's only if it fits in their standard time period of three hours, which isn't really enough time to do a good job (Geek Squad services generally come out to about $125 an hour). If they have to completely rebuild your PC they charge $650 and up... and Geek Squad aren't exactly the best in the business, if you know what I mean (to be fair, there are some very good people who work for Geek Squad; the problem is there are far more not very good people who work for them).

Now if only I actually took home that $75 rate for a 40 hour week. Unfortunately, our government, and business expenses being what they are... Anyway, neither here nor there.

It takes an absolute minimum of about three hours, and will typically take me between 6 and 12 hours, to completely and properly clean up one single badly virus-infected PC; and it can take far longer than that (though some tasks are automated, so I can sometimes clean multiple systems at the same time). If a customer doesn't have backups and originals of all their software, oftentimes I have to literally rebuild every piece of a system from the ground up, which can take days. Once a registry is compromised, or your system is rootkitted, if you don't have backups it can literally take days to clean it up; and it may not even be possible.

Hell, if they DO have their original software, most of the time it's easier, and more cost effective, to just pull my customers information off their systems; then wipe them clean and start over; which usually tops out at around six to eight hours per machine.

Worse, if you have one badly infected system inside your network, you can bet most of the other systems in the network have been infected as well; and the costs just add up.

It's become so bad, a lot of folks have taken to just buying new computers when their old ones become too loaded up with viruses and spyware; because it's easier, and even cheaper, than cleaning it up.

None of that would be necessary if people were trained in how to take some basic security and maintenance measures, and then followed that training (and in fact I offer a one day class on doing just that: $1250, up to 20 students, customized to your environment and onsite at your facility. I also offer a $250, two-to-four-hour, individually paced and tailored class for a single individual in their home or office. It's one of my most popular pieces of training).

I'm talking about these numbers, and about how hard it is and how long it takes to fix, not to brag about my technical ability, and not as an advertisement for myself (though hey, if you're paying, I'm easy). The biggest complaint I get from small business owners is how much it costs to secure their systems; and the biggest complaint I get from home users is that it's too hard or complicated. Well, to that I say: it's a lot more expensive, and a lot harder, to fix the problem afterwards; especially in comparison to how cheap and easy these basic steps are.

Now, when I say (actually in this case repeat over and over again) basic, I really mean it. These things aren't hard, they aren't expensive, and they aren't all that complicated. There are a few very basic things that everyone should do with their computers, especially online, to keep themselves safe; and I'm going to talk about them here (please note, these are all important, they aren't in order):
  1. The first and simplest thing you can do to protect your information security is to not open attachments of any kind (even after a virus scan) unless you are absolutely clear that their source is clean, and that the person sending it to you did so intentionally (some viruses impersonate your friends by taking over their email programs and sending themselves to everyone in the address book).

    In fact, you should just delete without reading (or even previewing) any email with a strange subject line or an attachment from someone you do not know (unless it was expected); and you should probably just delete anything with a .exe, .com, .bat, .jar, .js, .asp, .zip, or .scr attachment, even if you're pretty sure the person sending it to you is OK, unless you specifically asked them to send you that file.

    That one step alone will take care of better than 90% of the problems people experience with malware (bad software like viruses and worms) through email.

  2. If Microsoft, or PayPal, or eBay, or McAfee, or any other company sends you an email with a link in it, or an attachment, to install special patches or security software to block scams or viruses... Yeah, guess what: that's a scam designed to get you to install spyware. Legitimate companies don't send security patch download links or attachments by email.

    You may receive a genuine security alert by email from a software vendor, or your bank, or PayPal, etc. If you do, go to that vendor's web site by typing in the site's name yourself, then go to their support page, and download the latest patches and updates manually. Better yet, if the software has its own update mechanism (most security software does, as does Windows), then use that; and turn on the automatic updating feature if it has one.

  3. If you get an email asking you to enter a password, or saying that your account has been compromised and you need to update it or it will be cancelled, or that you need to enter personal information or a credit card; no matter how real it looks, it's probably a scam. This type of scam is called phishing, and all they are trying to do is steal your information.

    Legitimate companies do not send emails asking for this sort of thing EVER. Really, never. Even if it has the little security symbol, and the logo, and the link says it is going to, it's not. It's a scam.

  4. Do not follow strange links, and in general do not click on links in email, or from a website you aren't familiar with. If you need to visit the site referenced, copy the site name and enter the URL manually in your browser. That’ll take care of most phishing and malware sites.
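As an added example (this is not code from the original post), here is a small Python script that applies tips 1 through 4 to a raw email message using only the standard library: it flags the attachment extensions listed above, links whose visible text names a different host than the one they really point to, links to a bare IP address, and "verify your account" style wording. The two sample messages, the bait phrase list, and the example.net / example.org addresses are constructed for the demonstration.

```python
# Added example (not from the original post): stdlib-only triage of a raw
# email against tips 1-4.  Sample messages below are constructed, not real.
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the post says to delete unless you explicitly asked for the file.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".jar", ".js", ".asp", ".zip", ".scr"}

# Phrases typical of phishing bodies (tip 3).  Assumed starter list.
CREDENTIAL_BAIT = re.compile(
    r"verify your account|enter your password|update your (billing|payment)"
    r"|account (will be|has been) (suspended|cancelled|canceled|compromised|limited)",
    re.I,
)
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare text like 'www.example.com' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings, bodies = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")   # catches x.pdf.exe too
        ctype = part.get_content_type()
        if ctype == "text/plain":
            bodies.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            bodies.append(html)
            collector = _LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                if not href:
                    continue
                target = _host(href)
                if RAW_IP.match(target):
                    findings.append(f"link to a bare IP address: {href}")
                # Link text that looks like an address must match the real target (tip 4).
                if "." in text and " " not in text and _host(text) != target:
                    findings.append(f"deceptive link: shows {text!r} but goes to {target}")
    if any(CREDENTIAL_BAIT.search(body) for body in bodies):
        findings.append("asks you to verify credentials or threatens the account (phishing)")
    return findings


def build_sample_phish():
    """Constructed phishing message exercising every rule above."""
    m = EmailMessage()
    m["From"], m["To"] = "PayPal Security <security@example.net>", "you@example.org"
    m["Subject"] = "Your account has been limited"
    m.set_content("Please verify your account within 24 hours.")
    m.add_alternative('<p>Please visit <a href="http://192.0.2.10/login">www.paypal.com</a> '
                      "to verify your account.</p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="statement.pdf.exe")
    return m.as_string()


def build_sample_clean():
    """Constructed ordinary message from a known contact."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "Alice <alice@example.org>", "you@example.org", "Saturday"
    m.set_content("Still on for lunch at noon?")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample_phish()):
        print("-", finding)
    print("clean message:", triage(build_sample_clean()))
```

The deceptive-link check is the one worth remembering: the text you see in a mail client is just a label, and only the href decides where the click goes, which is why tip 4 says to type the address yourself.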

  5. Remember, email and instant messages are not private or secure. Even though it SEEMS like they are private, they aren't. They're like writing out a message, and then posting it up on the bulletin board in the breakroom with someone's name on it. Sure, it's intended for them, but other people could be reading it too.

    Maybe a more appropriate image would be the difference between a letter, which is sealed in an envelope that people can't see through, and a post card; which has the writing out there in public where anyone who feels like looking can read it. You wouldn't send your bank account numbers to someone written on a post card would you?

    Instant Messages and chat rooms are just as bad (or worse). They're more like shouting your information across a crowded room for anyone to hear it.

    The simple rule is, never write anything in email or Instant Message that you wouldn't want published in the newspaper.

    Yes, that's hard. Email is such a common communications method; and we use it for private correspondence all the time, what can we do to make it more secure?

    Simple: don't put passwords, account numbers, legal details, etc. in any unsecured email, ever (or even better, in any email, no matter how secure you think it is). For all private information over email, learn how to use email encryption. Hushmail is simple and cheap (or free for basic accounts), PGP is free for personal use; there are lots of options (and I'll talk about those in another article in the future).

    Oh, and NEVER EVER EVER communicate with your lawyer, agent, broker, or accountant (or anyone else you have confidential, legally sensitive, or financially sensitive business with), over email; except for inconsequential things like meeting times.

    In fact I'd recommend not even doing that; because email doesn't always have an expectation of privacy in the event of a law suit or criminal case; and can in some cases be searched without a warrant or subpoena.

  6. Use Firefox, or Opera, or a Mac, or anything other than Windows, Internet Explorer, and Outlook or Outlook Express. Almost all viruses are written to exploit vulnerabilities in Microsoft software (because that's what most people use, and virus writers want to hit as many people as possible); and there are plenty of them, because the way MS designs software, everything is very tightly interconnected. That's great for your convenience as a user, but it also means that any weak point in any MS software anywhere, can be exploited to compromise the whole damn system.

    I've switched all my browsing to Firefox, and moved all my email usage to online webmail with built-in virus protection; and I recommend anyone else with an always-on internet connection do the same (unless your IT department makes you use Outlook and I.E., in which case it's their fault, not yours).

  7. Don’t download programs (or images or music or videos), even little ones like screen savers; from sources you don’t absolutely know and trust to be legitimate. Even then virus scan EVERYTHING you download off the net before the first time you open it. Sometimes legitimate software gets compromised by crackers (not hackers. Hackers are good guys, crackers are bad guys).

    Also, don't play online games at sites you don't absolutely trust. They download little applications to your computer that can do the same things viruses do, without you even knowing it. Actually, any website can do the same thing under certain circumstances, so be careful.

  8. Keep a virus scanner program running that actively scans all your incoming and outgoing network traffic (including traffic between hosts behind your firewall); and that specifically scans your incoming and outgoing email.

    Oh, and with your virus scanner, you don't want to enable the feature that scans all files every time you access them (usually called "on access" scanning) unless you are in a high threat environment, or just have a blazing fast computer and hard drive and don't mind losing a large portion of your performance, because that's what it costs. On-access scanning slows most computers to a crawl (if a user is having performance issues it's one of the first things I check). Understand what you give up, though: on-access scanning is what catches a bad file at the moment it is written or opened, so without it you are relying entirely on the network and email scanning above and on your scheduled full scans.

    If you have the performance headroom and a lot of memory in your machine, and you want more security without slowing down your filesystem too much, choose a virus scanner that remains active in memory and scans any code that tries to execute. This will intercept threats better than on-access scanning, without as big a performance hit (though there is still a hit).

    Importantly, update your virus scanner at least weekly; or configure the automatic update system built in (they almost all have one) to do so for you so you won't forget. Also, try and automatically schedule a full virus scan to run at least once a week.

  9. Use two different spyware scanning/blocking/cleaning programs (or even three); run them in the background whenever you are on a network (which for most computers is all the time); and then update, and run a full scan with each of them (along with your virus scanner) at least once a week.

  10. Keep your systems up to date, with the latest security patches applied; either as soon as the vendor tests and releases them for home users, or as soon as IT approves them for work users. I can't describe how critical this step is: most worms and OS-level exploits propagate through unpatched systems.

  11. Choose good passwords for your computers and online accounts; and change them regularly; but don't make your passwords so complex or change them so often that you need to write them down to remember them.

    Good passwords are at least eight characters long, mix letters with numbers and special characters, and aren't based on dictionary words. They should be changed, at a minimum, every 90 days; though I'd really recommend every 30 days if you can do that without forgetting them or writing them down.

    The most common trick I tell people to use, is to pick a song lyric, then take all the first letters of the words in the lyric, and that's the middle of your password. Then take the number of words in the lyric, and stick that on the beginning or end of the letters. Finally, add a punctuation mark to the other end, and voila, there's a reasonably secure password.

    Please, don't write your passwords down; and especially don't store them in computer files, or worse, in your email. For God's sake, NEVER send passwords via email or instant message, because ANYONE could be reading them.

    Also, try not to use the same password for all your sites. I know lots of different passwords are hard to remember, but if one site gets cracked by bad guys, that then could compromise every account you've used that same password for.
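Here is the lyric recipe from tip 11 written out as code, together with a checker for the rules given above (eight or more characters, letters mixed with digits and punctuation, not a dictionary word). This is an added example, not code from the original post; the tiny word list is a constructed stand-in for a real cracking dictionary.

```python
# Added example (not from the original post): the lyric-based password recipe
# and a checker for the rules stated in tip 11.  COMMON_WORDS is a constructed
# stand-in for a real dictionary.
import re
import string

COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty", "sunshine"}


def lyric_password(lyric, punctuation="!", number_first=False):
    """First letter of each word, word count on one end, punctuation on the other."""
    words = re.findall(r"[A-Za-z']+", lyric)
    if not words:
        raise ValueError("lyric contains no words")
    core = "".join(w[0] for w in words)      # keeps the lyric's capitalisation
    count = str(len(words))
    return count + core + punctuation if number_first else punctuation + core + count


def password_problems(password, wordlist=COMMON_WORDS):
    """List the rules from the post that the password fails; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # Strip the digits and punctuation a lazy scheme tacks on ("Password1!")
    # and compare what is left against the dictionary.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in wordlist:
        problems.append(f"based on the dictionary word {core!r}")
    return problems


def demo():
    """Two lyrics through the recipe: a long one passes, a short one fails on length."""
    good = lyric_password("Somewhere over the rainbow way up high")   # "!Sotrwuh7"
    short = lyric_password("Happy birthday to you", number_first=True) # "4Hbty!"
    return {good: password_problems(good), short: password_problems(short)}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(pw, "->", problems or "OK")
```

The short-lyric case is the failure mode to watch for: the recipe only meets the eight-character rule if the lyric has at least six words. Also pick a line that is not the famous first line of the song; the initials of well-known phrases are already in the word lists attackers use.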

  12. Don't open up file sharing to the world; either on your local network, or by using file sharing programs. If you absolutely must open up some file sharing, get someone who knows security to help you set it up so that you aren't giving away the store accidentally.

    Also, don't run any programs or services on your computer that allow the outside world to access your system directly. This includes things like chat servers, web servers, FTP servers, BitTorrent trackers, etc. If you don't have a properly configured firewall, intrusion detection, and security auditing systems, you don't want your computer to be publicly accessible in any way.

  13. This is the absolute most important security tip I can give you: Run your network through a hardware firewall.

    An unprotected windows machine on a public network will on average be compromised within 4 minutes.

    Yes, I said 4 minutes. No joke, no exaggeration. If you turn on a windows machine and put it on the public internet (your cablemodem is the public internet); on average within 4 minutes an automated attack bot (a computer that scans for vulnerable systems) will find your computer, and start to try to compromise it.

    You absolutely MUST have a hardware firewall on your home network; even if you only have one PC.

    The so-called firewall software that companies sell you to run on your desktop (ZoneAlarm and the like) is usually not very useful on its own, and sometimes does more harm than good. If you know what you're doing and how to interpret its warnings it can be helpful, but most folks just dismiss every warning it gives, because it is almost never configured properly. Even when they are running at 100%, these products still only protect against a small subset of threats. That said, they are better than nothing; so if you're on a strange network, or using a laptop in the field, etc., go ahead and use them; just don't think you are secure because of them.

    What you need to do is put a firewall facing outward from your network, and have all your computers sit behind it.

    Almost all wireless access points, and cablemodem/dsl/home networking routers have at least basic NAT and PAT capability, which will act as the most basic sort of firewall device by hiding your internal systems from the outside world. That said, I strongly recommend that if you can afford it you purchase a real firewall, which will help protect your home network and system far better.

    All of the major networking hardware vendors produce home firewalls for reasonable prices, and some of them, like Check Point's home and small office systems and SonicWall's similar products, are actually quite effective security devices. Also, some of the higher end home gateway products from vendors like Netgear, D-Link, and Linksys (the three most common home networking vendors) use licensed technology from serious firewall products (like those above), or from Linux firewalls.

    You could also take a spare old computer that's too old to even run Windows XP, put two network cards in it, and download and burn a SmoothWall or IPCop (or another firewall distribution) LiveCD. Then you plug one side of the computer into your cable modem or DSL modem, plug the other side into a switch for your network to connect to, reboot with the firewall CD in the drive, and follow the simple directions. You'll have a very effective hardware firewall (more effective than most of what the network companies sell) in about 15 minutes, essentially for free.

  14. The second most important tip I can give you, THEY WILL GET IN!

    No matter what you do; no matter how good your firewall or security software or virus software is; eventually something will get in and screw you up. There are just too many threats and variables out there to control all of them; so you need to be prepared, and understand how to deal with it when something DOES happen. Heck, it may not be viruses; it might be losing your laptop on the train, or having it stolen from your luggage, or your kid spilling soda on your machine, or any number of other things.

    There are two elements to preparing for an incident or disaster; the second is a big enough topic that it will have its own point; but the element I want to address in this point is preparing your systems to be compromised.

    How? How can you prepare to have your laptop stolen, or a virus try to turn your machine into a zombie bot, or a piece of spyware try to steal your info?

    Well, two things. First, lock your systems down as much as possible; second, monitor as much as possible.

    Set up your system's services and software (or have someone help you do so) so that they can do the least damage. Don't have two systems you control automatically trust each other; because if one is compromised, the other will be. Disable all unnecessary system services. Write-protect the registry and critical system files. Install software that tracks (or prevents and tracks) changes to the registry and system files (it's available free). Install auditing tools for your system so that if there is a successful attack you have a record of what to fix.

    Most importantly, store as little sensitive information, and do as little sensitive business, as possible on a machine that leaves your house (like a laptop) or connects to the internet. Oh, and that includes removable storage devices (USB drives, thumb drives, flash cards) as well, which are even easier to use, and to lose.

    For those sensitive bits of information that you just have to have on an internet-connected machine, laptop, or removable device: YOU ABSOLUTELY MUST ENCRYPT THEM. Good encryption will keep crackers from stealing your data unless they can get your encryption keys. Talk to someone who knows the subject about how best to implement and secure your encryption setup, but really, it isn't all that hard. Heck, encryption (not very good encryption, but still...) is even built into Windows.

    What's encryption, you say? Think of it as scrambling your data all up in code, and only descrambling it with your secret descrambler code (which could be a password, or a file, or even a piece of hardware). It just makes it so that people can't read your files without your keys. Just as important, a good encryption system also checks that the data hasn't been tampered with, so people can't CHANGE your information without you noticing either (scrambling alone only hides the data; you want a system that verifies it too). Can you imagine what would happen if someone broke into your computer and changed some of your financial records, or your legal contracts?

    Even very decent encryption systems can be had for free, or low cost. Though at first it seems a pain to use them, and there may be a bit of a performance hit, the benefits of being sure that your information can't be stolen, or changed without your permission, are more than worth it.
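The "software that tracks changes to critical system files" mentioned above is simple enough to sketch, so here is a minimal file-integrity checker as an added example (not code from the original post): it records a SHA-256 hash, size and permission bits for every file under a directory, and a later run reports what was added, removed or modified. The sample tree and the simulated tampering are constructed inside a temporary directory; the tool name and layout are my own.

```python
# Added example (not from the original post): minimal file-integrity baseline
# and check, a stand-in for the change-tracking tools mentioned in tip 14.
# The directory tree and the "compromise" in demo() are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map each regular file under root (relative, POSIX-style) to hash, size and mode."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def save_baseline(entries, path):
    """Write the baseline as JSON.  Keep the copy you compare against somewhere the
    attacker cannot rewrite it (read-only media, another machine): a baseline that
    lives on the monitored box can be edited along with the files it describes."""
    Path(path).write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Differences between two baselines: the record of what to fix after an attack."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        name for name in set(old) & set(new)
        if old[name]["sha256"] != new[name]["sha256"] or old[name]["mode"] != new[name]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed tree, tamper with it, and report the changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "services").write_text("ssh 22/tcp\n")
        save_baseline(baseline(root), root / "baseline.json")   # in real use: off-box
        # Simulated compromise: hosts file redirected, a startup hook dropped in.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 update.example.net\n")
        (root / "etc" / "rc.local").write_text("/tmp/.x/backdoor &\n")
        before = load_baseline(root / "baseline.json")
        after = baseline(root)
        after.pop("baseline.json", None)   # ignore our own report file
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once on a clean system to create the baseline, then on a schedule (or after anything suspicious) and read the three lists. A hash alone does not tell you whether a change was legitimate, so record what you expect to change (log files, caches) and exclude it, or the report fills with noise and you stop reading it.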

  15. Finally, and this is the most important thing every computer user must do PERIOD, whether in regard to security or not: you absolutely MUST perform regular backups of your incremental data (the stuff that you use the computer to work with, like your personal files, settings, etc.), and a separate periodic backup of the entire computer, for restoration and recovery purposes. That way if you DO have a bad virus attack, or far more likely if you have a hardware or software failure, the most you'll lose is the data between the failure and your last backup (which is hopefully no more than a week old).
If you do all that (and it’s easier than it sounds) the chances you’ll have a virus cause problems for you directly (it may still screw up your network from all the other people not following basic security rules) are very small, and those left over are the viruses you can’t really protect against by yourself anyway; like morphing worms, and other malware that exploit low level holes in networks and operating systems that haven't been patched yet. That's one of the reasons why you keep a good backup, and also one of the reasons that guys like me exist.

You DO keep a good backup, don't you? Lemme guess: no, like most users, you don't, right? Well, my next techie post will be about keeping good backups, OK?

That's just the kind of caring, thoughtful guy I am.

Oh and while we're on the subject, please don't send me any "Bill Gates will pay you by tracking this email", "Timmy has cancer", "the secret cookie recipe is"... or really ANY OTHER CHAIN LETTER OF ANY KIND.

Thanks, I really appreciate that.