Monday, January 14, 2008

Dangerous Territory

By which I mean both the internet, and the software store (or Frys, or Best Buy etc...). For someone who doesn't do this sort of thing for a living, it's kind of like attempting to tapdance through a minefield... only no-one actually... you know... dies.

You CAN end up with a stolen identity, drained bank accounts, run-up credit cards, and lost data though; and some of those things can make you wish you had died.

Funny thing, someone was asking about this on the gunthing forums yesterday; so I wrote up this whole thing. I wasn't actually going to publish here, since I've covered this territory before (though in less detail), but after that cartoon showed up this morning... well sometimes the universe is telling you something eh?

Here goes.

If you want to be secure at home (or in a home or small office), here's what you do:

1. MOST IMPORTANT Get a good hardware firewall: Almost any router will give you a basic level of protection, but some are better than others. Sonicwall, Netscreen/Juniper's home/small office line, Checkpoint's small/home office line, Sohoware etc… are all decent commercial products. Unfortunately, they aren't cheap.

You have some cheaper options though. You can also buy a router (wireless or otherwise) that can have its firmware replaced by a Linux firewall distro. The Netgear WRT series of wireless routers, for example, can be modified with the DD-WRT firmware to provide a very decent home firewall solution (that's what I ran up until recently, and will most likely run again after I replace my fried WRT-54G).

You can also take an old, cheap computer, or buy a stripped-down computer (that $199 refurbished special will do just fine), or even one of those ultra-tiny microsized computers no bigger than a book; as long as it has two network ports, you can make it into a firewall.

There are “firewall on a disk” programs you can download for free. I like Smoothwall and IPCop. Just boot off the disk, install it onto that stripped-down computer, and bingo, you've got a very good quality firewall.

Don’t bother with so called “software firewalls”, that you install on your personal computer (ZoneAlarm, SystemDefender, BlackIce etc...).

Firstly, a firewall is a device that provides segregation between a trusted network and an untrusted network. "Software firewalls" don't do any segregating. What they do is listen to all incoming connections and try to figure out what traffic is good and what is bad. Real firewalls do that too, but the difference is that a firewall prevents the hostile traffic from ever reaching the vulnerable host.

Software security clients are not firewalls. They don’t work very well, they alert you needlessly about normal things, and miss the bad stuff often when it happens. Even when they detect something real, half the time they can’t stop it. Oh and sometimes, having them on your system actually ATTRACTS more attacks.

How's that?

The proper response to a port scan or a penetration attempt is nothing. Connection attempts to ports that do not match an existing session or a listener should be silently dropped. This is called “blackholing” or “stealthing”.

ZoneAlarm (and most other software security clients; one probably comes with your virus scanning software), in order to detect port scans and other attacks, listens on ports that would not otherwise have a listener associated with them (at least in their default configuration). Further, their default behavior for some protocols is not to silently drop, but to actively block (sending a negative acknowledgement back). Blocking lets an attacking host know that a system is there, and has responded to an attack. In fact, you can often identify systems which have ZoneAlarm on them through response-signature-based identification.

Once a host is identified as existing, and the attacker knows you have ZoneAlarm, they can work around it. The better approach is to simply expose as little information as possible to the outside world.
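Here, as an added example rather than anything from the original post, is a small Python simulation of the two behaviours described above: a toy stateful filter that either silently drops unsolicited packets (blackholing) or answers them with a negative acknowledgement (blocking). The packets, ports and addresses are constructed for the demonstration; no real sockets are involved.

```python
"""Toy stateful packet filter: silent drop ("blackholing") versus active block.

Added example, not code from the original post. Packets, addresses and ports
are constructed; nothing here touches a real network.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str        # source address of the probe (constructed sample values)
    dst_port: int   # destination port on our host
    flags: str      # "SYN" = new connection attempt, "ACK" = traffic on a session


@dataclass
class Filter:
    listeners: set = field(default_factory=set)   # ports we intentionally serve
    sessions: set = field(default_factory=set)    # (src, port) pairs already accepted
    mode: str = "drop"   # "drop" = blackhole silently, "reject" = send a negative ack

    def handle(self, pkt):
        """Return what our host sends back: "SYN-ACK", "ACK", "RST", or None (silence)."""
        if (pkt.src, pkt.dst_port) in self.sessions:
            return "ACK"                      # part of an established session: pass
        if pkt.flags == "SYN" and pkt.dst_port in self.listeners:
            self.sessions.add((pkt.src, pkt.dst_port))
            return "SYN-ACK"                  # a real listener accepts the connection
        # Anything else is unsolicited: no session, no listener.
        if self.mode == "reject":
            return "RST"                      # blocking: the sender learns a host is here
        return None                           # blackholing: the sender learns nothing


def probe(fw, src, ports):
    """One SYN per port from `src`; returns {port: response}."""
    return {p: fw.handle(Packet(src, p, "SYN")) for p in ports}


def responses_seen(result):
    """How many probes got any reply at all (SYN-ACK or RST)."""
    return sum(1 for r in result.values() if r is not None)


# Constructed scenario: our host serves only port 80 and is probed on four ports.
PROBED_PORTS = [22, 80, 135, 445]

if __name__ == "__main__":
    for mode in ("drop", "reject"):
        fw = Filter(listeners={80}, mode=mode)
        result = probe(fw, "198.51.100.7", PROBED_PORTS)
        print(f"{mode:6}: {result}  -> {responses_seen(result)} of "
              f"{len(PROBED_PORTS)} probes answered")
```

In drop mode only the genuine listener answers, so the three closed ports are indistinguishable from an empty address; in reject mode every probe gets an RST, which is exactly the "I am here and reacting" signal the post warns about. Traffic that belongs to an already-accepted session passes in both modes, and an ACK with no session behind it is dropped like any other unsolicited packet; that is what makes the filter stateful rather than a plain port blocker.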

There are a few software security clients which implement a true stateful inspection stack (which is the closest thing you can get to a real firewall without extra hardware); but they have their own issues. Most of them break a lot of network based software.

The one really useful thing the software security clients do is block access for applications you don't explicitly authorize. Unfortunately, it's annoying, and most people either allow everything whenever the window pops up, or they just disable that functionality. In order to make an intelligent decision about what to allow or deny you need to understand what applications need what type of network access... and even I don't always know if traffic is legitimate, and I do this for a living.

Also, there is no longer a need to run ZoneAlarm for simple access blocking; that can be managed through the Windows Firewall service. It isn't really a firewall (none of the software clients really are), but if you're only using it for port blocking, it's just as good (or bad) as any other software client.

Of course this might have changed in the last two or three years, since I did any real penetration testing. I doubt it, but it might have.

The only time I ever suggest using them, is when you are using a laptop on an untrusted network; where it may be the only protection you can arrange. In those situations, they are better than nothing.

2. Run at least two different types of anti-virus, and keep them updated: The major commercial AV vendors won't let you install a competitor's product while theirs is running, but you can install AVG and Avast! for free... or even ClamAV if you want to stay open source.

If you want a commercial product, I rank the majors as Trend Micro being the best, McAfee next, and Norton third. There are some other players of course, but those three are utterly dominant in the commercial market.

3. Run at least two different types of anti-spyware, and keep them updated: I personally run BillP's WinPatrol, Spybot S&D, Ad-Aware, AND whatever anti-spyware is offered by the virus suite I've installed (I have several different ones on different machines at different times, depending on their purpose, compatibility, testing etc...).

4. Maximize your system memory: Otherwise even basic anti-virus is going to kill your performance completely, bringing me to…

5. The default virus scanning options are a conspiracy: By default, virus scanning companies turn every option on to maximum. This means they scan every bit coming in and out of your computer in every way, at least 4 times. That eats up cpu, memory, and I/O, and makes you think your machine is slow; thus driving you to upgrade.

You don't need on-access scanning of your hard drive. You don't need to scan outgoing traffic unless you are on a network with a bunch of other PCs that you could infect, and that don't have virus scanning themselves. What you need is nightly full system scans, and every email and download scanned... and MAYBE scanning web pages as they are loaded, depending on how paranoid you are, and how risky the websites you visit are.

6. Disable all the risky and stupid Windows services: Windows ships with a couple dozen “services” enabled automatically. These services are programs that run in the background, transparent to the user, and do things; some of which are quite insecure, and most of which rob performance. Most of them can be disabled. Unfortunately, you need to know which ones you can and can't, and it changes from user to user depending on your configuration, your network, your software etc…

The ones that EVERYONE should disable unless they are on a corporate PC are “remote registry”, “remote desktop”, and “telnet”. There are a lot of others that should be, or can be, disabled to increase security or performance, but those three are guaranteed to get your computer cracked within minutes of being put on a public network outside a firewall.
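An added example (mine, not the post's): a short Python audit that reads the text `sc query state= all` prints on Windows and flags the three services above when they are still running. The sample output is constructed rather than captured from a real machine, and the mapping from the post's names to service names (RemoteRegistry, TermService for Remote Desktop, TlntSvr for Telnet) is my assumption.

```python
"""Flag the post's 'always disable' services when `sc query` shows them running.

Added example, not code from the original post. SAMPLE_SC_QUERY is constructed
to look like `sc query state= all` output; it was not captured from a real
machine. The service-name mapping in RISKY is an assumption.
"""
import re

# Post's wording -> Windows service name (assumed mapping).
RISKY = {
    "RemoteRegistry": "remote registry",
    "TermService": "remote desktop",
    "TlntSvr": "telnet",
}

# Constructed sample in the shape `sc query state= all` prints.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: TermService
DISPLAY_NAME: Remote Desktop Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_query(text):
    """Return {service_name: state} from `sc query`-style output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)          # start of a new service record
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            services[current] = m.group(1)  # e.g. RUNNING / STOPPED
    return services


def risky_running(services):
    """Names of the post's three services that are RUNNING, sorted."""
    return sorted(name for name, state in services.items()
                  if name in RISKY and state == "RUNNING")


if __name__ == "__main__":
    found = risky_running(parse_sc_query(SAMPLE_SC_QUERY))
    for name in found:
        print(f"{name} ({RISKY[name]}) is running and should be disabled")
    if not found:
        print("none of the three risky services are running")
```

On a real box, capture the listing with `sc query state= all > services.txt` and feed the file's contents to parse_sc_query(). The script only reports; stopping and disabling a service is done with the standard `sc stop <name>` and `sc config <name> start= disabled` commands, which it deliberately does not issue for you.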

7. Never, ever, put a Windows box outside a firewall, exposed on the net, if you can at all avoid it: It doesn't matter what security software you think you've got running; unless you run Cisco's CSA or McAfee's Entercept, and have them configured and maintained daily by experts, you WILL be cracked within minutes.

8. Don't be stupid: The first part of "don't be stupid" is a bit controversial: don't run Windows if you can avoid it. There are a lot of alternatives available to you. You might get a Mac, or a Linux box of some kind. I personally run Kubuntu (a version of Linux) for most functions, excepting those functions that absolutely require Windows (some of my work functions, and my gaming box).

Now, all that aside, most people are going to run Windows; so we need to do what we can to stay secure with Windows.

First step: if you have to run Windows, don't run Internet Explorer; use Firefox with the Adblock, NoScript, and Flashblock extensions.

Not only will you be more secure, you'll have a MUCH better overall browsing experience.

Don't download software from sources you don't know and trust as software sources; and that includes your friends, because it's like AIDS: you aren't just sleeping with them, you're sleeping with everyone they ever slept with. If you do, make sure you virus scan it twice, with two different scanners.

Don't visit dodgy websites: websites that ask for lots of personal info for no good reason, websites that have lots of popups (except major corporate idiot sites that seem to do that too, no matter how much consumers insist it irritates them).

Don’t download email attachments from untrusted sources, and double virus scan them as well.

Due to the wonders of Windows Media Player, Microsoft Office, and Internet Explorer, you can actually embed a virus in almost anything now, not just .exe files. Music files, video files, documents, web pages: they can all contain malware.

Which brings up a very important concept…

9. Eventually, they WILL get in: Unless you compute in a concrete box with no connectivity to the outside world (yes, there are computers that do that, for security reasons), eventually, by maliciousness, by accident, or by stupidity; something will go wrong. Some bit of nastiness will get in… or heck just the hardware gremlins.

You have to be prepared for when this happens. Not IF, WHEN.

10. Back up your computer completely, automatically, and externally; at least every week: When I say completely, I mean take a full system image. This is a file-for-file (or even bit-for-bit) copy that can be used to completely restore your system to the exact state it was in before you had a problem.

Automatically means have it be a scheduled process that you can't forget. You want a full system image at least once a week; possibly once a night, if you're paranoid enough and have enough storage space. You also want to keep at least one month of full system images, plus a baseline image (more on that later). You keep multiple copies in case you don't notice that you've got a problem for a week or two, so you can go back.

You want to do this on a system or hard drive external to your computer, in case your computer explodes, or burns, or is stolen etc… You can get external hard drives with a terabyte of storage (probably 10 to 50 times what you actually use, unless you work with a lot of video) for $350 these days. They connect directly to your computer's USB ports. You can get 500GB for $150.

You can also get storage systems that plug into your network, that all the computers in your house can use. I have a setup like this. I have a NAS (network attached storage) box, with 1.5TB of space on it, that all my systems run a scheduled image backup to once a week.

11. Keep a baseline image: A baseline image is a simple concept. Once you have your computer exactly as you want it, no more, no less; you take an image of it. From that point on, if you ever have to start over again, all you need to do is restore the baseline.

When you make your baseline, the best way is to start with a fresh install of your OS, and all your applications; and then copy your critical data and files onto the system. Make all the tweaks to your settings, templates and interfaces etc… Basically get it ready to do everything you want to do with it, exactly as you want; and then freeze it in time.
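To make the retention rules in items 10 and 11 concrete, here is an added Python example (not from the original post) that checks a backup directory listing against them: keep every full image from the last month, never prune the baseline, and warn when the newest image is older than the weekly schedule. The directory listing and dates are constructed, and the file naming convention (host-YYYYMMDD.img plus baseline.img) is an assumption.

```python
"""Retention check for weekly full-image backups plus a permanent baseline image.

Added example, not code from the original post. The file names, dates and the
naming convention (host-YYYYMMDD.img, baseline.img) are constructed/assumed.
"""
import re
from datetime import date

IMAGE_RE = re.compile(r"^(?P<host>[\w-]+)-(?P<ymd>\d{8})\.img$")
BASELINE = "baseline.img"
KEEP_DAYS = 31       # "at least one month of full system images"
MAX_AGE_DAYS = 7     # "a full system image at least once a week"


def image_date(name):
    """Date encoded in an image file name, or None if the name isn't a dated image."""
    m = IMAGE_RE.match(name)
    if not m:
        return None
    ymd = m.group("ymd")
    return date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))


def plan(files, today):
    """Split a directory listing into (keep, prune) per the retention rules."""
    keep, prune = [], []
    for f in files:
        d = image_date(f)
        if f == BASELINE or d is None:
            keep.append(f)          # baseline is permanent; unknown files are never deleted
        elif (today - d).days <= KEEP_DAYS:
            keep.append(f)          # inside the one-month window
        else:
            prune.append(f)         # older than a month and not the baseline
    return sorted(keep), sorted(prune)


def overdue(files, today):
    """True when the newest dated image is older than the weekly schedule allows."""
    dates = [d for d in map(image_date, files) if d is not None]
    return not dates or (today - max(dates)).days > MAX_AGE_DAYS


def has_baseline(files):
    """True when the permanent baseline image is present in the listing."""
    return BASELINE in files


# Constructed listing of a NAS backup share as of the post's date (a Monday).
SAMPLE_FILES = [
    "baseline.img",
    "desk-20080113.img", "desk-20080106.img", "desk-20071230.img",
    "desk-20071223.img", "desk-20071216.img", "desk-20071209.img",
    "notes.txt",
]
TODAY = date(2008, 1, 14)

if __name__ == "__main__":
    keep, prune = plan(SAMPLE_FILES, TODAY)
    print("keep :", keep)
    print("prune:", prune)
    print("baseline present   :", has_baseline(SAMPLE_FILES))
    print("weekly image overdue:", overdue(SAMPLE_FILES, TODAY))
```

Run weekly on the backup share, this gives you the two checks that matter for the scheme above: that a fresh image actually landed (the scheduler silently failing is the usual way backups die), and that pruning for space never touches the baseline or anything inside the one-month window. Files it does not recognise are left alone on purpose.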

12. Keep incremental backups of your important files, or your files that change frequently: If you do a lot of image editing or document manipulation etc… Anything that changes frequently, or that you might need to take to another machine to recover in the event of a fire, for example; put backup copies of that data on a USB drive or portable hard drive.

13. Keep offsite copies of both sets of backups: What if there IS a fire, or you are robbed? Make a copy of all that stuff once a month, and put it in a secure location. Safe deposit box, safe at the office, even in a locked box, in a locked storage unit; whatever, so long as it’s secure, away from your primary location, and you can get to it when you need to. There are even services that will do this for you online, if you only have a few gigs of stuff you need to keep secure.

14. Have a set of rescue and restore CDs (or other media): These would include all the data and utilities necessary to get your system back to at least a baseline state; or preferably whatever your last full backup was (if you have the space).

This isn’t just a backup set that I’m talking about. First, keep a bootable CD or thumb drive that has a runnable copy of the restore utility for your backups. That’s the absolute minimum.

If you want to be prepared (and you really should), you should also have a CD/DVD with an installable copy of your operating system, and more discs with installable copies of your major applications and your hardware drivers.

I think at a minimum you should also include system rescue, and cleaning and recovery utilities etc… I also include a copy of Knoppix or linuxrescue in my set (and I have a set of forensics tools as well, but that’s for security purposes).

Thankfully with DVDs these days, having a full set of recovery disks isn't as hard as it used to be. Each DVD can hold close to 5 gigs of data. There are even USB thumb drives with 64 and 128GB of capacity now (though they are quite expensive), and 32GB drives are quite affordable. Portable USB hard drives are also quite cheap for the capacity you get now.

15. Make sure all your machines, and all the machines on your network, get the same treatment: It’s no good to do this to your work laptop, if your kid is downloading virii all day while he steals music. His computer is going to get infected, and then infect your computer, and all your other computers.

Even if your computer is totally secure (no such thing) his computer will be spying on all the network traffic out of your house, and sending out spam and kiddy porn to the entire world.

Oh and don’t let people put their insecure computers on your network. If they’re going to connect they should be just as secure as you are. If not; make them a DMZ where they can destroy themselves without screwing you up.

You know the old story, a chain is only as strong as its weakest link.

That’s it.

That’s basically everything you can do.

I have never had a machine of mine permanently taken out by a virus, nor has any of my information been compromised in this way, nor have any of my machines become spam relays or secret porn sites. This is because I do these things. I’ve had to clean up plenty of messes for other people though, and lord how I wish they’d have followed this advice.

Oh well, it’s called job security.