Be safe, not sorry
1 April 2005
If you’ve got a PC, then it’s all but a dead cert that you’ll go online at some time or other, perhaps even every day. What more awaits you than productive hours with an almost unlimited business resource or the delights of the Information Age? Well, a lot more actually. It is now estimated that if you are online for more than 20 minutes, your PC will be scanned by someone looking for vulnerabilities. In one test conducted by a security group at Honeynet.org, a standard, unpatched server was put online. This is known as a honey pot – in other words, a machine put out there to attract interest. It was scanned and compromised in five minutes by an automated program. The risks are real. Whether you like to check the latest gardening tips online or are a power user running a commercial network, you need to manage the risk of being online.
Dave Keating, security products manager with Data Solutions, is more used to advising large corporations and multinationals on how best to secure their networks and PCs. Keating points out that most large companies develop a security policy that is comprised of acceptable usage policies, security implementations in hardware and software, and constant updating, as risks change and the technology moves on. However, Keating also says: ‘The principle of these policies can also be applied to the home user or small office. You would not leave your house without locking the door and setting the alarm.’ It is the same with Internet security. Common sense demands that if there are risks, you take appropriate steps against them. So, what are the threats faced by the home or small office users?
Fran McGowran is a senior consultant with Enterprise Risk Services at Deloitte & Touche. He ranks the threats faced by the home or small office users with viruses and worms at number one. At number two, he puts the emerging problem of spyware. Traditional hacking comes in at number three. To combat these threats, you will need a toolkit, a little know-how and a dollop of common sense.
The spread of the e-mail virus, MyDoom, is the latest reminder of how prevalent the problem has become. Every PC needs to have virus protection. One of the market leaders in enterprise-class AV (anti-virus) software is Sophos. Graham Cluley is a senior technology consultant with Sophos. He says: ‘The home or SME (Small to Medium Enterprise) user often does not have the expertise, or the time, to configure an enterprise class solution.’ Cluley points out that the range and depth of options in these packages can be vastly beyond the needs of most home or small business users. The household names like McAfee, Norton and PC-cillin offer more suitable products for the home and home office users. However, even a package capable of scanning thousands of machines is rendered useless if it is not updated regularly. The common refrain from all consulted for this piece was: ‘Patch early, patch often!’
Prevention better than cure
The anti-virus program is made up of two key components, the scanning engine and the virus definitions. The scanning engine is the bit that does the work of examining each file and taking action where necessary. The virus definition files are the patterns by which the engine is able to identify the viruses on a system. Scanning engines only need updating rarely. However, virus definition files are updated constantly as new viruses emerge and evolve.
Cluley also says that Sophos is planning a version of its software aimed at the home and small office user that employs essentially the same engine as their enterprise class version, but with simplified and automated operations, so that configuration and updates are easier. Scheduled scans and updates mean the latest viruses can be found and dealt with while you get on with gaming or running your business.
Viruses, however, are not the only major threat out there. Spyware is software that gathers information about you from your e-mail, your programs or your Internet usage and then sends it back to an unknown destination, often for nefarious purposes. Though some marketers legitimately use trackers like cookies, some are less benign. At best, spyware is annoying as it can soak up bandwidth and cause inconvenience. At worst, it can give away sensitive or confidential information from credit card numbers to customer lists. Graham Cluley makes an important distinction in this area. ‘Certain companies legitimately use tracking software for targeted marketing,’ said Graham. Graham went on to say these companies point out in their end user license agreements that usage information is reported in return for the use of the software. This is legitimate and fair usage. Without infringing on legitimate use, most anti-virus solutions will pick up malicious spyware programmes and take appropriate action.
However there are a few standalone solutions out there too that are extremely effective. Lavasoft’s Ad-aware 6 can detect and clean malicious spyware programmes and even registry entries, and it’s free for personal use. Just like an anti-virus package, it has regular definition updates to catch emerging threats. Spystopper Pro is another popular package among many. It is free to try, but for full functionality, a small licensing fee will see you able to protect against spyware.
The third threat on Mr McGowran’s list was from hackers. What exactly is meant by the term ‘hacker’? In the past, hackers were those people who would simply probe and explore for the sheer joy of learning about systems and architectures. Sadly, today the term ‘hackers’ is generally applied to ‘crackers’. Crackers are often the loners in darkened rooms lit only by the glow of a code-filled screen as they break into systems and steal anything from which they can turn a quick profit. Sadly, there is an element of truth in this image. Hackers still like to see themselves as the benign tinkerers who just like to get under the hood to change things to how they like them. For now though, we’ll use the term ‘hackers’ as this is what most people are familiar with.
Fight fire with firewall
Most people have probably heard of a firewall even if they may only have a tenuous grasp of what it does. A firewall is essentially something, be it hardware or software, that sits between your computer and the network or Internet, blocking certain types of traffic and allowing others. For example, normal Web or HTTP traffic is on port 80, so most firewalls allow traffic through this port. However, there are thousands of ports available and only a few are used by the home or small business user. A protocol like Telnet, for example, which can be used for remote administration, can be blocked for most home or small business users. This would be done through a Firewall Rule or Policy that would block all traffic on the Telnet port, 23. Basically, this is how a firewall works. But, and there is always going to be a ‘but’, this is not the end of the story.
First of all, the most secure computer is the one encased in concrete, though use is severely restricted. In the same vein, the ‘fresh air firewall’ is the most effective, in other words, a PC that is not network connected at all is the most secure! This is not as flippant as it sounds. For example, even though you may have the latest DSL always-on package, do you really need to be connected 24-7? If not, then disconnect when you don’t need it. You are immediately reducing your risk from all of the threats mentioned. Firewalls, though, are not a panacea for all ills encountered; there are still risks. Nonetheless, when they are used in conjunction with sensible precautions, they can provide adequate levels of security from all but the most determined attacks. There are many different firewalls available, from the small software type to dedicated hardware offerings, so you need to decide what is best for you.
ZoneAlarm is a software firewall, free for personal use, that alerts you to any program looking for Internet or network access from your machine outward and comes pre-configured for various levels of security from external Internet sources. ZoneAlarm allows those who like to get their hands dirty to tinker with various settings, including being able to set blocks of trusted or non-trusted IPs from which to accept or block traffic as you require. It is a good example of a basic firewall that provides good protection.
There are many other personal firewalls suitable for use on a single PC, which enable the PC to look after its own security. Tiny’s Personal Firewall, Norton’s Internet Security package, and Outpost are good firewalls that can provide a basic level of protection against unwanted or questionable Internet traffic. Microsoft’s Windows XP also has a built-in firewall, though for some strange reason it is not enabled by default when you install Windows XP. Recent news suggests that this will be addressed in future versions.
Although software firewalls are often cheap and cheerful, or indeed free, more capable pay-for offerings are targeted at the small business market by the market leaders. ZoneAlarm was recently taken over by Checkpoint, one of the behemoths of enterprise firewalls. Dave Keating illustrates that, as with anti-virus products, some of the larger companies are now beginning to make the highest level of capability available in easy to use packages. Checkpoint now offers hardware products, which feature the same basic engines as their enterprise offerings, but with pre-configured, easy-to-use interfaces aimed at the security conscious users who may not be experts. Appliances like the Safe@Office can be had for under EUR500.
Changing virtual landscape
The nature of the Internet is that it is constantly evolving. As such, the threats evolve too. Some companies have endeavoured to prevent the traffic generated by certain applications such as peer-to-peer (P2P) file sharing networks or Instant Messengers (IM), which used to use certain ports exclusively. However, as these ports were recognised and blocked by firewalls and their administrators, the devious changed their approach and began to use common ports, such as port 80, which is used by your Web browser, thus fooling certain firewalls that were unable to tell the difference.
John Ryan, sales director, Entropy points out that traffic monitoring in the form of Intrusion Detection is an emerging area of focus, even for the small business user. This allows the traffic on a common port, such as Port 80, to be monitored for expected usage patterns. When something begins to talk back and forth that is not expected or does not fit allowed usage parameters, it can be blocked by the setting of programmed rules. This can protect the end user from those clever hackers who wish to use your computer for nefarious reasons like relaying spam e-mails, or for storage of copyrighted material or worse.
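To make the two layers just described concrete, here is an added example (not code from the article or any product it names) of a port-based policy in the style of the Telnet rule above, followed by the kind of usage-pattern check on port 80 that intrusion detection adds: a packet is allowed only if its port is permitted and, on the web port, its payload actually looks like an HTTP request. The rule table, the packet layout and the sample packets are all constructed for illustration.

```python
"""Port policy plus payload inspection on port 80 (added, constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


# Ordered firewall policy, first match wins; None matches any port.
# Telnet (23) is blocked explicitly, everything not listed is blocked by default.
RULES = [
    ("allow", 80),    # normal Web / HTTP traffic
    ("allow", 443),   # HTTPS
    ("block", 23),    # Telnet: remote administration, not needed at home
    ("block", None),  # default deny
]

# The expected usage pattern on port 80: a well-formed HTTP request line.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def port_policy(port):
    """Return 'allow' or 'block' for a destination port under RULES."""
    for action, rule_port in RULES:
        if rule_port is None or rule_port == port:
            return action
    return "block"


def inspect(packet):
    """Return (verdict, reason): layer 1 is the port rule, layer 2 is the
    payload check that catches P2P or IM traffic tunnelled over port 80."""
    if port_policy(packet.dst_port) == "block":
        return "block", f"port {packet.dst_port} not permitted by policy"
    if packet.dst_port == 80 and not HTTP_REQUEST.match(packet.payload):
        return "block", "traffic on port 80 does not look like HTTP"
    return "allow", "permitted port and expected usage pattern"


if __name__ == "__main__":
    # Constructed sample packets: a browser request, a Telnet login attempt,
    # and a P2P-style handshake sent to port 80 to slip past a port-only filter.
    samples = [
        Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet("10.0.0.5", 23, b"\xff\xfd\x18\xff\xfd\x20"),
        Packet("10.0.0.5", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ]
    for p in samples:
        print(p.dst_port, *inspect(p))
```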
The unfortunate situation is that if your computer has been taken over and turned into what is known as a ‘zombie’, that is, remotely controlled by a hacker for dubious purposes, then you may be held accountable. Already, test cases in various courts have begun to go in the direction of a user’s responsibility to ensure that their PCs are protected from such malicious usage. John Ryan says that Entropy has been working to raise awareness among the home and small business users to the dangers and the implications, suggesting that professional associations dealing with small businesses could be used to communicate these issues more effectively than could the industry press alone.
New Year, new threats
Vincent Weafer is senior director for Symantec Security Response. When asked about the emerging threats to home Internet users he said, ‘I think that the major security events of the coming year will be a combination of blended mass-mailer worm attacks that will probably exploit new vulnerabilities in common services or applications.’ As already seen with the MyDoom virus recently, such attacks are out there now. A virus passes itself around via e-mail, but it can also copy itself to P2P file sharing directories. Weafer suggests the layered approach to security: ‘Home users and small businesses need to focus on protecting their complete network with multiple layers of security to ensure maximum protection, and shouldn’t overly rely on a single technology solution for complete protection.’
This combined approach can catch problems that in the past have caused major problems. For example, you have a PC in your office that you use as a workstation/server connected to DSL, or you have a laptop that shares the DSL connection. If you take the laptop home and use dial-up, it needs to have its own defences such as AV, firewall and spam filtering. Past virus outbreaks have been compounded by people taking portable devices outside of protected networks. If portable devices are unprotected and are used to access the Internet, they may become infected. Reintroduced inside the protective perimeter of a network, they can wreak havoc from the inside.
Coherent security strategy
Assuming you do have an anti-virus program and a firewall too, you have configured your e-mail client for spam filtering and keep those nasty spyware threats at bay, how do you combine all of these tactics into a coherent security strategy? We asked a professional System Administrator.
James Hallam is a system administrator with travel technology company Traventec. He began by covering the bases of protection for the home or home office user. Amongst others, anti-virus offerings are available from Norton, McAfee and AVG. Available firewall protection includes Norton’s Internet Security, McAfee Personal Firewall, ZoneAlarm and Outpost. Spyware options include Ad-aware, SpyKiller and PestPatrol. Options for controlling cookies include Cookie Pal, Window Washer and Browser Cookie Controls. Finally, regularly check for updates regarding the following: hardware, operating system, browser, AV and firewall.
Hallam indicated that there were several hardware solutions available from leading manufacturers, such as routers and DSL modems/switches that include firewalls. These are often only marginally more expensive than those without and add extra layers of protection. He suggests that users can increase their knowledge by using some of the wealth of free information sources on the Web. Grc.com, Experts-Exchange.com, or even a search of google.com will provide public information on basic security. Vincent Weafer of Symantec also says that the Symantec site has online security checks for single machines.
Backups of data, even if they are only CD-Rs of crucial information, mean that you can recover in the case of infection or outright loss.
Passwords should always be six to eight characters comprised of letters and numbers. James gave examples of cases where a five-character alphanumeric password, without using symbols, could be cracked in about 18 hours. By simply adding another character, the crack time went up to a week. The advice is: make passwords as long and as random as you can remember.
Hallam advises caution when facing the unknown. If you do not recognise or expect an attachment, then save it before opening it, allowing you to examine the file extension to see if it really is a JPEG or a DOC. Employ the same caution with CDs or floppy disks. If you are unsure of their origin, don’t take the chance.
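The advice above is to save an attachment and check whether it really is a JPEG or a DOC. An added example (not from the article or any product it mentions) that does this check programmatically: it rejects executable extensions, including a double extension such as photo.jpg.exe, and compares the claimed extension with the file's leading bytes, since a file can be named .jpg and still be a Windows program. The signature table and the sample files are constructed for the example.

```python
"""Check a saved attachment's name and leading bytes before opening it (added example)."""
from pathlib import Path

# Well-known leading bytes ("magic numbers") for the types the article mentions.
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file (legacy Word)
    "docx": [b"PK\x03\x04"],                          # ZIP container
    "pdf":  [b"%PDF-"],
}
# Extensions that run code when double-clicked; never open these from e-mail.
RISKY_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def check_attachment(name, head):
    """Return (verdict, reason) for a file name and its first bytes.
    Verdicts: 'ok', 'reject', 'suspicious', 'unknown'."""
    exts = name.lower().split(".")[1:]
    if not exts:
        return "suspicious", "no file extension"
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        why = f"executable type .{last}"
        if len(exts) > 1:   # e.g. holiday.jpg.exe, shown as holiday.jpg when
            why += " hidden behind a double extension"  # extensions are hidden
        return "reject", why
    sigs = MAGIC.get(last)
    if sigs is None:
        return "unknown", f"no signature on record for .{last}"
    if any(head.startswith(s) for s in sigs):
        return "ok", f"content matches .{last}"
    if head.startswith(b"MZ"):   # DOS/Windows executable header
        return "reject", f"named .{last} but content is a Windows executable"
    return "suspicious", f"content does not match .{last}"


def check_file(path):
    """Read only the first 16 bytes of a saved file and check it."""
    with open(path, "rb") as f:
        head = f.read(16)
    return check_attachment(Path(path).name, head)


if __name__ == "__main__":
    # Constructed samples: a real JPEG header, a disguised executable,
    # a Word document and an image that is not what it claims to be.
    for name, head in [
        ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("holiday.jpg.exe", b"MZ\x90\x00"),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("invoice.doc", b"MZ\x90\x00"),
        ("notes.jpg", b"GIF89a"),
    ]:
        print(name, *check_attachment(name, head))
```

Opening the file with an editor that shows raw bytes gives the same information by hand; the point is that the name alone is not evidence of the content.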
If services are unused, then remove or disable them. Hallam highlights FTP server, Web server and remote administration as examples of services that most home users will not use, but could provide vulnerabilities to those who wish to exploit.
Hallam also advocates the multi-layered approach and advises users not to rely completely on hardware or software for your security. A combined policy based on the tools mentioned, a little knowledge and a lot of caution, forms the basis of the kind of security policies that the professionals use to protect banks, multinationals and even governments.
How do hackers hack?
However, what do hackers do to try to find out who is vulnerable, and what do they do when they find one? Fran McGowran, as security consultant for Deloitte & Touche, is often tasked with probing the security of systems to see if there are chinks in the armour. Port scanners can scan whole IP address ranges looking for ways in. Looking for an open door, these scanners will report back when they find responses indicating vulnerable machines, detailing IP address, operating system versions, patches and connection details. Fran says that it is relatively easy to establish if a user has a DSL connection. When these opportunities arise, the exploits begin. The Honeynet.org example of a machine being compromised in five minutes is at the extreme, but serves to show that complex tools are out there to exploit the unprepared. Fran says that these scanners can be programmed to look for specific vulnerabilities or whole ranges of them, depending on what the exploiter wants to do. ‘The likeliest uses for a hacked machine are as a spam relay to forward spam e-mails, a springboard to attack other machines, or for direct Denial of Service attacks.’
In the event of disaster, there are safe approaches to recovery. The first step is to disconnect your machine from the Internet or network. That way further infection or exploits are stopped. Then, decide whether you can afford to analyse the attack. Often small businesses cannot afford the time, expense and effort needed to fully analyse what has happened. If you cannot afford the time, move directly to repair. Fran suggests that a clean install of a system is the best. He goes on to say: ‘Do as much as you can offline, installing patches and updates to ensure you are as safe as possible before going online for the latest.’
Only after your systems are patched up to date with security fixes and AV should you restore your data from known good media. When you are done, scan and check everything in your new set up to be sure. Even if you did not engage in analysis, employ what you have learned to refine your configuration to prevent further or similar attacks. However, McGowran points out that few personal firewalls employ logging detailed enough to provide a definitive base for analysis. Now that you are back, examine your security policies to see if you can improve the way you use the computer. McGowran indicates that intelligent usage is often as important as the tools employed.
The Internet is a fascinating, educational and worthwhile resource for fun and business, but it is also a dangerous place. Even the casual users of the Internet need to be aware of the risks so as not to become part of the problem by facilitating the unscrupulous, potentially landing themselves in trouble too. With a small amount of expense and a little know-how, you can protect yourself to an adequate level to enjoy the World Wide Web.
1. Anti-virus
Update it early and often. Scan regularly.
2. Firewall
Install a firewall and monitor the traffic it allows and blocks. Watch for updates.
3. Spyware
Get a spyware detector, or use the one in your AV program. Check regularly for updates.
4. Cookies
Be aware of cookies. Use a blocker to filter the good from the bad.
5. Spam filters
Most e-mail clients have filtering to allow you to filter out the spam. Set them and protect against those annoying or offensive offers.
6. Back up
Back up your data often and check that the backups are valid.
Safe practice for better security
If you are unsure about a file or a program, then don’t open it.
Familiarise yourself with the products and tools you have.
If you have multiple users on a machine or more than one machine, make sure everyone knows the security precautions and practices them.
Do not entrust your safety and security to any one tool or policy. Layered protection is the way professionals do it.
In case of disaster, have a plan as to what you will do. Then you will know how long it should take to recover.
Update hardware, software and operating systems regularly, and keep up with news on viruses and other developments.