Geek Talk

Security for N00bs

Worried about computer security? Well, my own knowledge in this area is only middling, but in a way, that's good (at least, for the purposes of explaining security to newbies). True security gurus tend to launch into complex descriptions of rulesets, and they might expect you to know the difference between a SYN and an ACK, or the value of port assignments for known services. Newbies won't learn anything from such articles (does anyone really care which ports NetBIOS uses?), and frankly, neither will the majority of so-called "power users". While someone who has specialized in security must take the time to understand such things, it is not reasonable to expect the same of people for whom computing is merely a means to an end.

Windows Newbies

The biggest thing to remember for all you Windows newbies is that you should not use Windows the way it's configured "out of the box"! I say this because those idiots in Redmond set up all the default settings so that your computer will spread its legs to all the passing sailors of the world.

Key things to change:

  1. Make sure you can see file extensions. On Windows 2000, go into "My Computer", "View", and uncheck the box labelled "Hide extensions for known file types". Virus writers are fond of naming files something like "sexychick.jpg.vbs", and with the default settings, Windows will hide the .vbs extension so that it looks like "sexychick.jpg". Countless users have been duped into opening viruses this way, yet Microsoft continues to use this as the default setting even though this problem was identified years ago! In fact, I feel that one could make a strong argument that the losses incurred from this blatant negligence are a tort, and could be reasonable grounds for a class action lawsuit.

  2. Don't use Internet Explorer to surf the Web. If you use IE, you're only opening yourself up for exploitation. Its default settings are a joke, and it adds ActiveX and Visual Basic Scripting to the crackers' list of ways to take advantage of your computer. Worse yet, the msn.com page (which is the default home page) complains that it won't work properly if you don't have Visual Basic scripting installed! I suggest the Opera browser, which is an excellent free replacement. It includes Flash, it's slick and secure, and it's the only browser that I would use for popup-happy websites. On IE or Netscape (or Mozilla), those sites can open new browser windows all over your desktop, and these windows can trigger even more windows to open up when you try to close them, so it seems as if you're trapped. In Opera, all browser windows are confined within a single "master window", so you can always escape by simply shutting down the master window.

  3. Don't use Outlook Express to read E-mail. Outlook Express renders HTML (read: "fancy formatted") mail automatically, with no facility for turning it off. That's bad enough already, but it adds Visual Basic Scripting into the mix, for even more security woes! I suggest the Eudora mail client, which is a very competent free replacement. You can tell it not to render HTML executable content, thus giving you the best of both worlds (pretty E-mail with a modicum of security). A plain-text mail reader is even safer, but in my experience, Windows users are too addicted to flashy looks to tolerate that sort of thing.

  4. For NT/2k: use a strong Administrator password. Windows NT/2k automatically shares all of its hard drive contents with anyone in the world who knows your Administrator password (thanks, Microsoft). For example, your C: drive has a "hidden" share, which has the UNC address \\yourpcname\c$. Worse yet, it doesn't tell you it's doing this, so most NT/2k users are unaware of it! Therefore, if you use a stupid Administrator password such as a simple word or your name, someone could literally break into your computer from anywhere on the Internet!

  5. For 9x/ME: disable file and printer sharing. Windows 9x/ME has no real security model, so you should never have file and printer sharing enabled when you're connected to the Internet. To make sure it's off, go to "Control Panel", "Network", "Services" and make sure that "file and printer sharing" is not installed.

After plugging those gaping holes, there are a number of things you can do to further improve your security:

  1. Install a virus scanner and keep it current. Too many people run computers with no virus scanners, or with virus scanners that are ancient beyond belief. Virus writers are a busy lot, and if you don't keep your virus scanner current, you're asking for trouble, particularly if you run Windows, with all of its goofy auto-executing, auto-previewing, and generally auto-stupid behaviours. The biggest names are commercial software companies such as McAfee and Symantec, but I received a tip from a reader named Dale Cox, who alerted me to a freeware virus scanner called AVG Antivirus, made by Grisoft. I downloaded it, checked it out, and I'm quite pleased with it. In fact, I've installed it on both of my Winblows boxes. There's another freeware Winblows virus scanner called H+BEDV Antivir, but it doesn't seem to be as polished as AVG Antivirus, and it's never won Virus Bulletin's 100% detection award (mind you, AVG has only won once, but then again, even the biggest names don't score 100% every month). However, I should stress that a virus scanner complements user vigilance, rather than replacing it. Never open an attachment unless you are absolutely sure that it is not executable (something that's easier to determine if you've followed the previous steps and made file extensions visible).

  2. Have someone check you out from the Internet. Visit Gibson Research Corporation, and run their "Shields Up!" online scanner page. It will determine whether your computer has any ports listening, and whether it is sharing information with the Internet. By the way, do not interpret this link as a recommendation; Steve Gibson thinks your computer is insecure if you can access an FTP site on the Internet, which is rather draconian to say the least. I suppose your decision to follow his advice would depend on how paranoid you are, and how sensitive your PC's data is. If you're worried, then you might want to install something like ZoneAlarm. But beware that it will be inconvenient for you, especially if you're an on-line gamer.

  3. Educate your family. If your wife surfs the Net and sends/receives E-mail, then she'd better understand what a virus is, and how to avoid being infected by one. No firewall in the world can make up for an untrained user.
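The "sexychick.jpg.vbs" trick from the first list, and the advice above to never open an attachment unless you are sure it is not executable, are easy to turn into a mechanical check. The following is an added example, not code from the original article: it reproduces what Windows displays when "Hide extensions for known file types" is on, and flags names whose real extension is executable while the displayed name looks like a picture or document. The extension lists and the sample filenames are assumptions constructed for illustration, not an exhaustive catalogue.

```python
# Added example (not from the article): detect "double extension" attachment
# names such as "sexychick.jpg.vbs", which Windows shows as "sexychick.jpg"
# when "Hide extensions for known file types" is enabled.
import os

# Assumption: extensions Windows runs (or executes as a script) on double-click.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}

# Assumption: extensions a user expects to be harmless content.
BENIGN_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def displayed_name(filename: str) -> str:
    """Return the name as Explorer shows it with extensions hidden:
    the final extension is dropped, everything before it is kept."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> str:
    """Classify a filename as 'disguised', 'executable' or 'not executable'.

    'disguised' means the real extension is executable *and* the name the
    user would see ends in a benign-looking extension.
    """
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return "not executable"
    _, shown_ext = os.path.splitext(displayed_name(filename))
    if shown_ext.lower() in BENIGN_EXTS:
        return "disguised"
    return "executable"


def scan_attachments(filenames):
    """Return {filename: verdict} for every name, so a mail filter can act on it."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample attachment names (the first is the article's example).
SAMPLE_ATTACHMENTS = [
    "sexychick.jpg.vbs",
    "holiday.JPG",
    "invoice.doc.exe",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r:24} shown as {displayed_name(name)!r:20} -> {verdict}")
```

With extensions hidden, "sexychick.jpg.vbs" and "invoice.doc.exe" both display as innocent-looking files; the check above catches them because it looks at the real last extension rather than what the user sees.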

Linux Newbies

Just a few tips, assuming you've got a Linux machine acting as a server/gateway for a small LAN:

  1. If you're paranoid, then use squid, and don't forward anything. This is a virtually impenetrable way to set up your LAN, but it's not very flexible. You won't be able to run a lot of popular applications if you do this. It also introduces extra overhead into the process, thus making your web browser appear less responsive.

  2. If not, set up iptables or ipchains. OK, proxy servers are a pain in the ass, but it's hard to set up iptables, right? Don't worry; just set up unfiltered "Internet Connection Sharing" through the Mandrake Control Center (or whatever nice GUI your particular distro uses for this purpose), and then visit the GShield page to make that unfiltered NAT gateway into a firewall. Unpack gShield into /etc/firewall, walk through the very nicely documented configuration file, and then run gShield.rc. Presto, instant firewall! Keep in mind that the basic gShield setup blocks all manner of incoming traffic (i.e., attacks), but it doesn't block outgoing traffic, so Steve Gibson would have a fit. If you're worried, then I would suggest installing firewall software on each Windows client.

  3. Secure your Windows clients. If you have Windows clients behind a Linux gateway (a common setup), then secure every Windows machine (see the instructions for Windows newbies). Don't trust your firewall to protect a bunch of poorly configured Windows machines, because no firewall in the world can possibly stop every E-mail virus or trojan.

  4. Use Linux clients for E-mail: Even if you use Windows for games or certain apps, you really shouldn't use it for reading E-mail. Linux mail clients such as kmail (but not Netscape Messenger) are far more secure than any Windows mail clients, for three reasons: 1) you can disable HTML rendering entirely, 2) they don't support Visual Basic scripting, 3) they make it difficult to execute viral attachments, even if you choose to. There's no double-click mechanism for executing an attachment, so you have to save it, open up a command window, and then manually execute it. Moreover, even if you do this, it probably still won't do anything because the vast majority of viruses are written for Windows.

  5. Don't be complacent with your gateway's internal interface. Do not implicitly trust the machines inside your LAN! Avoid hosts.equiv at all costs, and treat tools like rsh and rlogin as potential agents of chaos and destruction. That way, even if someone gains access to one of your PCs somehow, he can't just walk into your server.

Well, there you go! Basic security principles for both Windows and Linux newbies. And finally, one basic security tip for all operating systems: be careful with your passwords. Some people are fond of using the same password for everything. They'll use it when they sign up for websites that require registration, they'll use it at home, they'll use it at work, etc. This is an extremely bad idea, because every time you use that password, you increase the chance that someone will pick it up and gain access to everything at once. Use different passwords for different websites, home, work, etc. If you have trouble remembering them, jot them all down and keep them somewhere handy.

Mind you, every security expert will tell you that it's a bad idea to write down your passwords, but they're over-generalizing. That's true in the work environment, where you don't want coworkers or clients to see your passwords. However, at home, the only people who will see it are your wife and kids. If you need to keep your passwords secret from your own wife and children, then network security is the least of your problems!

Why Bother?

It may seem somewhat paranoid to worry about security on a home LAN server. After all, DSL routers often have "firewall protection" built in anyway, and besides, who's going to bother attacking a home LAN? It's not as if you've got valuable trade secrets on your hard drive.

Well, there are two problems with that line of thinking. Firstly, a commercial DSL router is a good idea, but maybe you're too cheap to buy one. Maybe it doesn't have the kind of flexibility you want (it's a safe bet that a $150 off-the-shelf DSL router doesn't have nearly as many configuration options as a multi-kilobuck Cisco firewall). Maybe you're worried that it might have vulnerabilities that you'll never hear about or that you won't be able to patch (even some DSL modems have been found to have vulnerabilities in the past). And what if you don't have a commercial firewall/router at all? What if you're using an analog, ISDN, or DSL device hooked up directly to a computer?

The second problem is the assumption that no one is going to attack your little home network. Even many small businesses are shockingly complacent about this issue, and I've had an accountant solemnly inform me that the pitifully small expense of a firewall (even the cheapest off-the-shelf software variety) is unwarranted and unnecessary because "no one's interested in a small company like ours." I thought that was a little overconfident, but even I had trouble believing in the ubiquity of hacker attacks until one day when I inspected my log files at home. Guess what I saw:

Mar 12 17:52:22 server ftp-gw[321]: 206.105.27.93 host address lookup failed
Mar 12 17:52:22 server ftp-gw[321]: deny host=unknown/206.105.27.93 use of gateway
Mar 13 15:01:03 server ftp-gw[1781]: 24.200.54.39 host address lookup failed
Mar 13 15:01:03 server ftp-gw[1781]: deny host=unknown/24.200.54.39 use of gateway
Mar 14 02:44:10 server ftp-gw[2116]: 213.93.10.97 host address lookup failed
Mar 14 02:44:10 server ftp-gw[2116]: deny host=unknown/213.93.10.97 use of gateway

Well, now I was pissed off. Three times in three days, people tried to use an FTP data connection to break into my system! The most amazing thing about all this is that I didn't have my DSL connection at that time, and I was still using an analog modem, which dialed up when necessary and disconnected after a five-minute timeout! This means that people were trying to break in during the brief periods when it was connected to the Internet (needless to say, now that I have a full-time broadband connection, intrusion attempts and port scans are much more frequent and varied).

I did reverse lookups on the IP addresses and found that they came from dhcp-93.blowtorch.com, modemcable039.54-200-24.mtl.mc.videotron.ca, and e10097.upc-e.chello.nl. I checked out each one: Blowtorch is a web design company, and both Videotron and Chello are broadband ISPs. As far as I could tell, there were only two explanations, neither of which was particularly appealing:

  1. Three separate people tried to break into my system over a period of three days.

  2. One person tried to break into my system three times over a period of three days, using IP spoofing tricks to make himself seem like three different people.

Either way, this opened my eyes to the ubiquity of hacker attacks. They can happen to anyone, even a home user connecting sporadically with a dynamic IP and an analog modem.
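Reading log files by eye, as in the ftp-gw excerpt above, stops scaling the moment you have a full-time connection. The following is an added example, not code from the original article, showing how to parse those ftp-gw "deny ... use of gateway" lines, count attempts per source address and per day, and pick out addresses that come back repeatedly. The three log lines from the article are reused as sample input; the two extra lines from 192.0.2.10 are constructed (that address is from the documentation range) to show what a repeat offender looks like. The log format matched by the regular expression is taken from the lines on this page and is assumed to be stable.

```python
# Added example (not from the article): summarize ftp-gw "deny" log lines.
import re
from collections import Counter

# Pattern for the "deny host=<name>/<ip> use of gateway" lines shown above.
# Assumption: the date is "Mon DD", as in the article's syslog excerpt.
DENY_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ftp-gw\[(?P<pid>\d+)\]: "
    r"deny host=(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) use of gateway$"
)

# Three lines from the article, plus two constructed lines (192.0.2.10).
SAMPLE_LOG = """\
Mar 12 17:52:22 server ftp-gw[321]: 206.105.27.93 host address lookup failed
Mar 12 17:52:22 server ftp-gw[321]: deny host=unknown/206.105.27.93 use of gateway
Mar 13 15:01:03 server ftp-gw[1781]: 24.200.54.39 host address lookup failed
Mar 13 15:01:03 server ftp-gw[1781]: deny host=unknown/24.200.54.39 use of gateway
Mar 14 02:44:10 server ftp-gw[2116]: 213.93.10.97 host address lookup failed
Mar 14 02:44:10 server ftp-gw[2116]: deny host=unknown/213.93.10.97 use of gateway
Mar 14 02:50:31 server ftp-gw[2140]: deny host=unknown/192.0.2.10 use of gateway
Mar 15 09:12:07 server ftp-gw[2390]: deny host=unknown/192.0.2.10 use of gateway
"""


def parse_deny(line: str):
    """Return the fields of a deny line as a dict, or None for any other line."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "unknown" means the reverse lookup failed, as the preceding line records.
    rec["resolved"] = rec["name"] != "unknown"
    return rec


def summarize(log_text: str) -> dict:
    """Count denied gateway attempts per source IP and per day."""
    by_ip, by_day = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None:
            continue
        by_ip[rec["ip"]] += 1
        by_day[rec["date"]] += 1
    return {"attempts": sum(by_ip.values()), "by_ip": dict(by_ip), "by_day": dict(by_day)}


def repeat_offenders(summary: dict, min_attempts: int = 2):
    """Addresses seen at least min_attempts times, most frequent first."""
    hits = [(ip, n) for ip, n in summary["by_ip"].items() if n >= min_attempts]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['attempts']} denied attempts from {len(s['by_ip'])} addresses")
    for ip, n in sorted(s["by_ip"].items(), key=lambda t: -t[1]):
        print(f"  {ip:16} {n}")
    print("repeat offenders:", repeat_offenders(s))
```

The "host address lookup failed" lines are skipped on purpose: the deny line that follows each one already carries the address, so counting both would double every attempt. Feeding the summary to a nightly mail, or comparing the per-day count against a baseline, turns the article's one-off discovery into a routine check.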

Glossary

Virus: Software that "infects" your computer by attaching itself to other pieces of software, so that it is executed when those pieces of software are executed. It will then replicate itself.

Worm: Software that replicates itself through network connections.

Spyware: Software that surreptitiously sends information about you or your computer to its author. Many "legitimate" software programs such as download managers and multimedia streaming or sharing apps contain spyware. It has been rumoured that Microsoft software has done this for years, although those rumours have not been substantiated to the best of my knowledge. New versions of Windows and Office will do it quite brazenly, as part of their copy protection scheme.

Trojan: Software that sneaks into your computer and then does something malicious such as damaging your operating system or using your computer for some nefarious purpose. Obviously, the name comes from the climactic finish to the long, legendary Siege of Troy.

Firewall: Software that is designed to block malicious traffic while allowing regular traffic through. This is no easy task, and firewalls are never a simple plug and play solution. The ideal firewall depends greatly on your situational requirements.

Strong passwords: These are passwords which are difficult to guess. For example, a strong password would be a random garble such as "42slTSx", but it's hard to remember. A weak password would be "mike" (my name), which is easy to remember but easy to guess. A pair of random, unusual words such as "verisimilitudemillstone" is somewhere in the middle, since there are roughly 500,000 words in the unabridged Oxford dictionary and therefore 250 billion possible two-word combinations. Unfortunately, it's too long. A good compromise is a phrase you know, but with uppercase letters mixed in and a number or two. For example, "miLLsTone8000".
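The arithmetic behind the "250 billion possible two-word combinations" figure can be carried further to compare all four of the example passwords on the same scale. The following is an added example, not code from the original article: it estimates the size of the search space an attacker faces for each password style, assuming the attacker already knows which style was used (the pessimistic assumption that makes strength estimates honest). The 500,000-word dictionary figure is the article's own; the "mangled word" model (every letter may be upper or lower case, every digit is free) and the per-character alphabet sizes are simplifying assumptions made for this example.

```python
# Added example (not from the article): compare the search space of the
# article's four password styles under an attacker who knows the style.
import math
import string

DICTIONARY_WORDS = 500_000  # the article's figure for the unabridged Oxford dictionary
SYMBOLS = 33                # assumption: printable ASCII punctuation count


def alphabet_size(password: str) -> int:
    """Size of the character set a random password draws from, judged by the
    character classes actually present (assumption used by the 'random' model)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += SYMBOLS
    return size


def search_space(password: str, style: str) -> int:
    """Number of candidates an attacker must try for a password of a known style.

    style:
      'word'      - one dictionary word ("mike")
      'two_words' - two dictionary words run together ("verisimilitudemillstone")
      'random'    - independent random characters ("42slTSx")
      'mangled'   - one dictionary word with case flips and appended digits
                    ("miLLsTone8000"); assumption: 2 choices per letter,
                    10 per digit, on top of the word choice
    """
    if style == "word":
        return DICTIONARY_WORDS
    if style == "two_words":
        return DICTIONARY_WORDS ** 2
    if style == "random":
        return alphabet_size(password) ** len(password)
    if style == "mangled":
        letters = sum(c.isalpha() for c in password)
        digits = sum(c.isdigit() for c in password)
        return DICTIONARY_WORDS * 2 ** letters * 10 ** digits
    raise ValueError(f"unknown style: {style}")


def bits(password: str, style: str) -> float:
    """Search space expressed as bits of entropy (log2), easier to compare."""
    return math.log2(search_space(password, style))


# The article's own examples, paired with the style the text assigns them.
ARTICLE_EXAMPLES = [
    ("mike", "word"),
    ("verisimilitudemillstone", "two_words"),
    ("42slTSx", "random"),
    ("miLLsTone8000", "mangled"),
]


def rank_examples(examples=ARTICLE_EXAMPLES):
    """Return (password, style, bits) triples, strongest first."""
    rows = [(pw, st, round(bits(pw, st), 1)) for pw, st in examples]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for pw, st, b in rank_examples():
        print(f"{pw:26} {st:10} {search_space(pw, st):>16,d} candidates  ~{b} bits")
```

Under these assumptions the mixed-case "miLLsTone8000" lands within a bit or so of the 7-character random string, which is why the article calls it a good compromise, while a single dictionary word is weaker by more than twenty bits. The numbers only hold against an attacker who guesses the right style; against one who does not, every password looks stronger, which is exactly the margin you should not rely on.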

Last changed: 2001/08/05
