
Cheap Security

Jeff Jancula

October 9, 2003 Jeff Jancula 2

Disclaimer

• This presentation is designed to create discussion about computer security for home and small businesses. It is not the authority for security, nor does it imply that any techniques described here will actually improve your computer security at all.

• So there.

Don’t Use Computers

• Own a computer?

• Own a PDA?

• Can it connect to another?

• You are vulnerable

• Turn it off

• Or manage (not eliminate) the risks

Backup

• Very cheap
– Cost of CDs or diskettes
– Time to do it
– Remembering to do it

• Take backups off-site (home, office, storage)

• Consider a backup service

Security by Obscurity

• Avoid the mainstream
– And avoid the hackers, worms, viruses, etc.

• Don’t run Windows
– Try MacOS, Linux, BSD, Solaris, etc.

• Intel CPU diet
– Avoid x86 architecture (Pentium, Celeron, etc.)
– Avoid Intel look-alikes (AMD)
– Try Alpha, Sparc, StrongARM, G4, G5

• Is this realistic?

Obscurity for Windows Addicts

• Replace Internet Explorer Web Browser
– Try Opera.com, Netscape.com or Mozilla.org
– Mostly free
– Mostly compatible (no ActiveX)

• Replace Outlook and/or Outlook Express
– Browser replacements include e-mail clients

• Remove the Microsoft component after you’ve replaced it

More Windows Obscurity

• Replace your Office software
– Try OpenOffice.org, 602PC Suite (Software602.com) or Corel Office (Corel.com)
– Free or cheap
– Read/write Word, Excel file compatibility

• Also available for MacOS and Linux

Windows Server Alternatives

• Replace Internet Information Server
– Try HTTP Web Server (Apache.org)
– Try TomCat (Jakarta.Apache.org) Java Servlet environment
– Free

• Replace SQLServer
– Try MySQL.com
– Free and Cheap (supported) versions

• Requires technical know-how

• Strong UNIX flavors, but can run on Windows

Still Hooked on Windows? Patch, patch, patch

• Lesson from MSBlaster
– Worm appeared 25 days after patch release

• Use Windows Update on the Start Menu and/or Automatic Updates
– Daily
– Apply critical patches ASAP

• Office Update tab (on Windows Update site)

• Look for improved patch delivery from Microsoft
– All products

Password Obscurity

• Don’t use a blank password

• Avoid the dictionary
– Average college dictionary has 100,000 words
– My hacker dictionary has 1.1 million passwords
– Don’t choose a word, name, sports team, city, birthday, etc.
– Don’t use “password”, “password1”, “admin”, “admin1”, etc.
– Hackers aren’t fooled by “drowssap” either

More Password Obscurity

• Password crackers can brute-force 100,000 letter combinations/second
– Crack 4-character password in 3 minutes
– 6-character password in 7 days
– 8-character password in 70 years

• Scan password against entire hacker dictionary in 12 seconds

• Use different passwords for different applications
– Don’t use the same password for Online Banking and Amazon.com
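The two password slides above give rules (no blank password, nothing from a dictionary, not reversed, not with a digit tacked on) and figures for how long brute force takes. The following Python is an added example, not part of the presentation, that checks a candidate password against those rules and reproduces the slide's timing figures. It assumes the slide's numbers come from a 62-symbol alphabet (upper, lower, digits) at 100,000 guesses per second, since 62^4, 62^6 and 62^8 at that rate give about 2.5 minutes, 6.6 days and 69 years. The wordlist is a constructed stand-in for the "hacker dictionary"; a real one holds far more entries.

```python
import string

# Constructed stand-in for the slide's "hacker dictionary" (hypothetical entries).
SAMPLE_DICTIONARY = {
    "password", "admin", "secret", "welcome", "letmein",
    "yankees", "chicago", "jennifer", "michael", "dragon",
}

# Assumptions inferred from the slide's figures, not stated on it:
# 100,000 guesses/second over letters and digits (62 symbols).
GUESSES_PER_SECOND = 100_000
ALPHABET_SIZE = len(string.ascii_letters + string.digits)  # 62


def brute_force_seconds(length, alphabet_size=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string of the given length."""
    return alphabet_size ** length / rate


def dictionary_scan_seconds(entries, rate=GUESSES_PER_SECOND):
    """Seconds to try every entry of a wordlist once."""
    return entries / rate


def human_time(seconds):
    """Round a duration to the largest convenient unit for reporting."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def trivial_variants(word):
    """Transformations any attacker wordlist already covers: the word itself,
    reversed ('drowssap'), and either form with a single digit appended ('password1')."""
    word = word.lower()
    variants = {word, word[::-1]}
    for base in list(variants):
        variants.update(base + digit for digit in "0123456789")
    return variants


def check_password(candidate, dictionary=SAMPLE_DICTIONARY):
    """Return the reasons a password fails the slide's rules; an empty list means it passed."""
    if candidate == "":
        return ["blank password"]
    reasons = []
    lowered = candidate.lower()
    for word in dictionary:
        if lowered in trivial_variants(word):
            reasons.append(f"matches dictionary word {word!r} or a trivial variant")
            break
    if len(candidate) < 8:
        estimate = human_time(brute_force_seconds(len(candidate)))
        reasons.append(f"only {len(candidate)} characters: brute force in {estimate}")
    return reasons


if __name__ == "__main__":
    for length in (4, 6, 8):
        print(f"{length} characters: {human_time(brute_force_seconds(length))}")
    print(f"1.1 million-entry dictionary: {human_time(dictionary_scan_seconds(1_100_000))}")
    for pw in ("", "drowssap", "Password1", "abc", "Xq7vL2mP"):
        print(repr(pw), check_password(pw) or "ok")
```

The rate and alphabet are parameters, so the same functions show what happens when the attacker's hardware is faster or when a policy adds punctuation to the alphabet; the slide's 70-year figure shrinks quickly as the guess rate grows.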

Encrypted File Service

• Built into Windows NT, 200?, XP
– Requires NTFS file system

• Right-click on folder or file
– Choose Properties, Advanced, Encrypt Contents

• Great protection for stolen laptops

• Only user that encrypted can decrypt

• Files permanently lost if you delete or lose the password to the user account

• Encryption is lost if you copy files to CD, Diskette, network (in some cases)

Web Browsing

• Original web was designed for static content
– Safe, simple documents & pictures

• Animated web uses programmable web browsers
– ActiveX, Java, JavaScript, VBscript
– Great user experience
– Also an avenue for security exploits, viruses, spyware

Internet Explorer Zones

• Internet
– Unknown
– Untrusted
– Potentially dangerous

• Local intranet & trusted sites
– Less dangerous (except viruses)

• Restricted sites
– Known dangerous sites

Lock Down Browser Zones

Internet

• Reset to “high” settings

• Disable or prompt almost everything
– ActiveX
– Java
– Active Scripting

• May cause incorrect behavior for some web sites
– Add sites to Trusted Zone to fix

Trusted Sites

• Start with “medium” settings

• Disable unsigned components

• Set high safety for everything

• Set logon to prompt for username/password

• Change individual options only as needed

Use the Trusted Sites Zone

• Don’t relax security of Internet Zone

• Add web sites to Trusted Sites Zone as needed

• Use asterisk (*.ibm.com)
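The zone slides above rest on one idea: the Internet zone stays locked down, and only hosts on an explicit list (with wildcards like *.ibm.com) get the relaxed Trusted Sites settings. The Python below is an added example, not code from the presentation, that models that classification so the matching rule can be tested. It assumes a simplified rule (a "*.domain" pattern covers the domain and all its subdomains; anything else must match exactly; the restricted list takes precedence over the trusted list), and the host names in the sample lists are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample zone lists (hypothetical hosts); "*.ibm.com" is the form the slide shows.
TRUSTED_SITES = ["*.ibm.com", "www.example-bank.test"]
RESTRICTED_SITES = ["*.known-bad.test"]


def host_matches(host, pattern):
    """Assumed matching rule: '*.domain' covers the domain itself and every
    subdomain; a pattern without the asterisk must match the host exactly.
    The '.' prepended to the suffix test is what stops 'evilibm.com' and
    'www.ibm.com.attacker.test' from matching '*.ibm.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def pattern_is_too_broad(pattern):
    """A wildcard that leaves fewer than two labels ('*.com', '*') would
    extend trusted-zone settings to most of the Internet; reject it."""
    pattern = pattern.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        labels = [label for label in pattern[2:].split(".") if label]
        return len(labels) < 2
    return False


def zone_for(url, trusted=TRUSTED_SITES, restricted=RESTRICTED_SITES):
    """Classify a URL: restricted list first, then trusted, otherwise the
    default Internet zone. Over-broad trusted patterns are ignored."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    if any(host_matches(host, p) for p in restricted):
        return "restricted"
    if any(host_matches(host, p) for p in trusted if not pattern_is_too_broad(p)):
        return "trusted"
    return "internet"


if __name__ == "__main__":
    for url in ("http://www.ibm.com/", "http://evilibm.com/",
                "http://www.ibm.com.attacker.test/", "http://mail.known-bad.test/"):
        print(url, "->", zone_for(url))
```

The two look-alike hosts in the usage lines are the cases worth keeping in mind when adding wildcard entries: a suffix test without the leading dot, or a pattern as short as "*.com", silently widens the trusted zone the slide says not to relax.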

Privacy Security Tab

• Controls “cookies”
– Web sites’ ability to track you

• Use Advanced
– Override automatic settings
– Prompt for all cookies
– Always allow session cookies (not dangerous)

• Add web sites to list of “always accept” or “always block” cookies

Advanced Tab

• Security Section

• Enable
– Check signatures on downloads
– Do not save encrypted pages to disk
– Empty temporary Internet files when browser closes
– Warn about invalid site certificates
– Warn if forms submit is redirected

• Disable
– Integrated Windows Authentication

Spyware, Ad and Pop-up blockers

• Common avenue for privacy invasion
– Monitors and reports web browsing habits
– Tailors pop-up ads based on your habits
– May open a back-channel to share your files with dubious web sites

• Typically free or very cheap
– Google.com has a nice pop-up blocker
– Spybot (http://spybot.safer-networking.de)
– Your ISP may offer as well
– Others (search for spyware blocker)

Content Filtering

• Block access to inappropriate web, e-mail (spam) or chat sites
– Blocks criminal, terrorist, pornography, drug, etc. sites

• Per-machine, or entire network blocking

• Not cheap, unless…
– Cost of lost productivity:
  • Recreational surfing at work
  • Sifting through spam
– Liability
  • Harassment: Gender and Racial issues

• SurfWatch, CyberPatrol, many others
– Search the web for content filtering

Web File & Music Sharing

• Examples: Kazaa, Gnutella, Napster, WebDAV protocol

• Recipe for disaster
– Legal liabilities (copyright infringement)
– Avenue for virus/worm propagation
– Privacy problems (your files shared to the world)

• Inappropriate for business use

• Bad idea for personal use

Disable e-mail Preview

• Automatically reads (possibly executes) malicious e-mail

• Disable on View/Layout menu screen
– Clear “Show Preview”

E-mail Security Options

• Tools/Options menu
– Set e-mail to Restricted Zone
  • Controlled by Internet Explorer
– Warn when other applications (viruses) attempt to send e-mail on your behalf
– Disable attachments that might contain viruses
  • May need to temporarily relax for certain, trusted e-mail messages

• Ensure that your virus scanner can intercept and scan e-mail

Taming Viruses

• Scanners mandatory for Windows

• Industry leaders: Norton (Symantec.com), VirusScan (McAfee.com), PC-cillin (TrendMicro.com)
– Reasonable prices for multi-user (corporate or professional) versions

• Try Antidote (vintage-solutions.com), AntiVir (free-av.com), avast.com, AVG Free (grisoft.com)
– Free or cheap

More on Taming Viruses

• Scanners are effective, however not foolproof
– Keep virus signature files up to date – update/download frequently (daily)
– Keep signature subscription service up to date (paid)
– Does not always block Spyware
– Time between virus release and signature created, distributed

• Practice safe computing
– Avoid dubious web sites
– Don’t open suspicious e-mail, especially mail with attachments
– Microsoft and most other vendors do not use e-mail to distribute programs, patches, updates, etc. – so don’t trust e-mail that claims otherwise

Personal Firewalls

• ZoneAlarm (ZoneLabs.com)
– Monitors and optionally blocks network activity
  • Outsiders attempting to connect to you
  • Programs on your machine (including Spyware, Viruses, etc.) attempting to connect from you to the outside
– Free or cheap

• Windows XP Internet Connection Firewall (ICF)
– Similar to ZoneAlarm
– Free (built into XP)
– Control Panel, Network Connections, Local Area Connection, Properties, Advanced tab

• Effective against worms, ping sweeps, vulnerability scanners

• Might interfere with home or office network
– Technical ability required to configure properly

Cable/DSL Router w Firewall

• Prevents outsiders from connecting to your network without explicit exception rules

• Does little (or nothing) to prevent Spyware or viruses from connecting to the Internet

• Effective against worms, ping sweeps and vulnerability scanners attacking from the Internet
– However, no protection from Internal LAN

• Caution! – Implement security by obscurity
– Change default password (typically “admin”)
  • Don’t lose it!
– Change default internal addresses (typically 192.168.x.x)
  • Try 10.a.b.x, where “a.b” are numbers from 1 to 254.
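The personal-firewall and router slides above draw a distinction that is easy to lose: a router firewall stops unsolicited inbound connections but lets anything on the LAN talk outward (so spyware still phones home), sees nothing between two LAN hosts, and a host-based firewall is what asks which program is opening the connection. The Python below is an added example, not code from the presentation or from any of the products it names, that models the two layers side by side and adds the slide's "change the default internal addresses" check. The LAN range, addresses, ports and program names are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample LAN in the non-default 10.a.b.x range the slide suggests.
LAN = ip_network("10.37.12.0/24")


@dataclass(frozen=True)
class Connection:
    direction: str      # "in": initiated from outside toward the LAN; "out": initiated by a LAN host
    src: str
    dst: str
    dst_port: int
    program: str = ""   # only a host-based firewall knows which program opened the socket


def router_allows(conn, port_forwards=frozenset()):
    """Cable/DSL router model: unsolicited inbound is dropped unless an explicit
    exception (port forward) exists; everything outbound passes; traffic between
    two LAN hosts never reaches the router, so it returns None (no decision)."""
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    if src in LAN and dst in LAN:
        return None
    if conn.direction == "in":
        return conn.dst_port in port_forwards
    return True


def personal_firewall_allows(conn, approved_programs):
    """Host-based model (ZoneAlarm / ICF style): inbound is blocked outright and
    outbound is allowed only for programs the user has approved."""
    if conn.direction == "in":
        return False
    return conn.program in approved_programs


def evaluate(conn, port_forwards=frozenset(), approved_programs=frozenset()):
    """Run one connection through both layers and report each layer's decision."""
    return {
        "router": router_allows(conn, port_forwards),
        "personal_firewall": personal_firewall_allows(conn, approved_programs),
    }


def lan_range_warnings(network):
    """Checks behind the slide's address advice: the LAN range must be private,
    and the usual 192.168.x.x default is flagged so it gets changed."""
    net = ip_network(network, strict=False)
    warnings = []
    if not net.is_private:
        warnings.append("not a private (RFC 1918) range")
    if net.version == 4 and net.subnet_of(ip_network("192.168.0.0/16")):
        warnings.append("still in the 192.168.x.x default range")
    return warnings


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.x stands in for "somewhere on the Internet".
    approved = frozenset({"browser.exe"})
    samples = {
        "worm probe from Internet": Connection("in", "198.51.100.7", "10.37.12.5", 135),
        "spyware phoning home": Connection("out", "10.37.12.5", "198.51.100.9", 80, "spyware.exe"),
        "browser fetching a page": Connection("out", "10.37.12.5", "198.51.100.9", 80, "browser.exe"),
        "infected neighbor on LAN": Connection("in", "10.37.12.20", "10.37.12.5", 445),
    }
    for label, conn in samples.items():
        print(f"{label}: {evaluate(conn, approved_programs=approved)}")
    print("192.168.1.0/24:", lan_range_warnings("192.168.1.0/24"))
    print("10.37.12.0/24:", lan_range_warnings("10.37.12.0/24"))
```

Reading the four sample results together gives the slide's argument in one table: the router alone covers the first case, only the host firewall covers the second and fourth, and nothing in either layer replaces patching or a virus scanner on the hosts themselves.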

Cheap Security: Questions?

Jeff Jancula