Cheap Security
Jeff Jancula
October 9, 2003
Disclaimer
• This presentation is designed to create discussion about computer security for home and small businesses. It is not the authority for security, nor does it imply that any techniques described here will actually improve your computer security at all.
• So there.
Don’t Use Computers
• Own a computer?
• Own a PDA?
• Can it connect to another?
• You are vulnerable
• Turn it off
• Or manage (not eliminate) the risks
Backup
• Very cheap
  – Cost of CDs or diskettes
  – Time to do it
  – Remembering to do it
• Take backups off-site (home, office, storage)
• Consider a backup service
Security by Obscurity
• Avoid the mainstream
  – And avoid the hackers, worms, viruses, etc.
• Don’t run Windows
  – Try MacOS, Linux, BSD, Solaris, etc.
• Intel CPU diet
  – Avoid x86 architecture (Pentium, Celeron, etc.)
  – Avoid Intel look-alikes (AMD)
  – Try Alpha, Sparc, StrongARM, G4, G5
• Is this realistic?
Obscurity for Windows Addicts
• Replace Internet Explorer Web Browser
  – Try Opera.com, Netscape.com or Mozilla.org
  – Mostly free
  – Mostly compatible (no ActiveX)
• Replace Outlook and/or Outlook Express
  – Browser replacements include e-mail clients
• Remove the Microsoft component after you’ve replaced it
More Windows Obscurity
• Replace your Office software
  – Try OpenOffice.org, 602PC Suite (Software602.com) or Corel Office (Corel.com)
  – Free or cheap
  – Read/write Word, Excel file compatibility
• Also available for MacOS and Linux
Windows Server Alternatives
• Replace Internet Information Server
  – Try HTTP Web Server (Apache.org)
  – Try TomCat (Jakarta.Apache.org) Java Servlet environment
  – Free
• Replace SQLServer
  – Try MySQL.com
  – Free and Cheap (supported) versions
• Requires technical know-how
• Strong UNIX flavors, but can run on Windows
Still Hooked on Windows? Patch, patch, patch
• Lesson from MSBlaster
  – Worm appeared 25 days after patch release
• Use Windows Update on the Start Menu and/or Automatic Updates
  – Daily
  – Apply critical patches ASAP
• Office Update tab (on Windows Update site)
• Look for improved patch delivery from Microsoft
  – All products
Password Obscurity
• Don’t use a blank password
• Avoid the dictionary
  – Average college dictionary has 100,000 words
  – My hacker dictionary has 1.1 million passwords
  – Don’t choose a word, name, sports team, city, birthday, etc.
  – Don’t use “password”, “password1”, “admin”, “admin1”, etc.
  – Hackers aren’t fooled by “drowssap” either
More Password Obscurity
• Password crackers can brute-force 100,000 letter combinations/second
  – Crack 4-character password in 3 minutes
  – 6-character password in 7 days
  – 8-character password in 70 years
• Scan password against entire hacker dictionary in 12 seconds
• Use different passwords for different applications
  – Don’t use the same password for Online Banking and Amazon.com
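An added worked example (not from the slides) that puts the numbers on the two password slides into code: the 100,000 guesses/second rate and 1.1 million-entry dictionary are the speaker's figures; the 62-symbol alphabet (letters and digits) and the small stand-in word list are my assumptions, chosen because that alphabet reproduces the 3 minutes / 7 days / 70 years estimates once rounded up. The `weaknesses` check applies the slides' rules (blank, dictionary word with trailing digits, reversed word, too short) to a candidate password.

```python
import string

# Figures quoted on the slides
GUESSES_PER_SECOND = 100_000     # brute-force rate
DICTIONARY_SIZE = 1_100_000      # entries in the speaker's "hacker dictionary"
# Assumed alphabet: letters and digits (62 symbols). It reproduces the
# slide's 3 min / 7 days / 70 years figures once they are rounded up.
ALPHABET = string.ascii_letters + string.digits

# Constructed stand-in for a cracker word list (a real one has ~1.1M entries).
BAD_WORDS = {"password", "admin", "letmein", "yankees", "chicago", "jeff"}


def brute_force_seconds(length, alphabet_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of exactly `length` symbols."""
    return alphabet_size ** length / rate


def dictionary_seconds(words=DICTIONARY_SIZE, rate=GUESSES_PER_SECOND):
    """Seconds to test one password against every entry in the word list."""
    return words / rate


def describe(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def weaknesses(password):
    """List the slides' objections that apply to a candidate password."""
    problems = []
    if not password:
        problems.append("blank")
    low = password.lower()
    core = low.rstrip(string.digits)        # "password1" -> "password"
    if low in BAD_WORDS or core in BAD_WORDS:
        problems.append("dictionary word")
    elif core[::-1] in BAD_WORDS:           # "drowssap" -> "password"
        problems.append("reversed dictionary word")
    if len(password) < 8:                   # 8 symbols is ~70 years at this rate
        problems.append("shorter than 8 characters")
    return problems


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"{n}-character password: {describe(brute_force_seconds(n))}")
    print(f"full dictionary scan: {describe(dictionary_seconds())}")
    for pw in ("", "password1", "drowssap", "admin1", "Tr0ub4dor&3"):
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious weakness'}")
```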
Encrypted File Service
• Built into Windows NT, 200?, XP
  – Requires NTFS file system
• Right-click on folder or file
  – Choose Properties, Advanced, Encrypt Contents
• Great protection for stolen laptops
• Only user that encrypted can decrypt
• Files permanently lost if you delete or lose the password to the user account
• Encryption is lost if you copy files to CD, Diskette, network (in some cases)
Web Browsing
• Original web was designed for static content
  – Safe, simple documents & pictures
• Animated web uses programmable web browsers
  – ActiveX, Java, JavaScript, VBscript
  – Great user experience
  – Also an avenue for security exploits, viruses, spyware
Internet Explorer Zones
• Internet
  – Unknown
  – Untrusted
  – Potentially dangerous
• Local intranet & trusted sites
  – Less dangerous (except viruses)
• Restricted sites
  – Known dangerous sites
Lock Down Browser Zones
Internet
• Reset to “high” settings
• Disable or prompt almost everything
  – ActiveX
  – Java
  – Active Scripting
• May cause incorrect behavior for some web sites
  – Add sites to Trusted Zone to fix
Trusted Sites
• Start with “medium” settings
• Disable unsigned components
• Set high safety for everything
• Set logon to prompt for username/password
• Change individual options only as needed
Use the Trusted Sites Zone
• Don’t relax security of Internet Zone
• Add web sites to Trusted Sites Zone as needed
• Use asterisk (*.ibm.com)
Privacy Security Tab
• Controls “cookies”
  – Web sites’ ability to track you
• Use Advanced
  – Override automatic settings
  – Prompt for all cookies
  – Always allow session cookies (not dangerous)
• Add web sites to list of “always accept” or “always block” cookies
Advanced Tab
• Security Section
• Enable
  – Check signatures on downloads
  – Do not save encrypted pages to disk
  – Empty temporary Internet files when browser closes
  – Warn about invalid site certificates
  – Warn if forms submit is redirected
• Disable
  – Integrated Windows Authentication
Spyware, Ad and Pop-up blockers
• Common avenue for privacy invasion
  – Monitors and reports web browsing habits
  – Tailors pop-up ads based on your habits
  – May open a back-channel to share your files with dubious web sites
• Typically free or very cheap
  – Google.com has a nice pop-up blocker
  – Spybot (http://spybot.safer-networking.de)
  – Your ISP may offer as well
  – Others (search for spyware blocker)
Content Filtering
• Block access to inappropriate web, e-mail (spam) or chat sites
  – Blocks criminal, terrorist, pornography, drug, etc. sites
• Per-machine, or entire network blocking
• Not cheap, unless…
  – Cost of lost productivity:
    • Recreational surfing at work
    • Sifting through spam
  – Liability
    • Harassment: Gender and Racial issues
• SurfWatch, CyberPatrol, many others
  – Search the web for content filtering
Web File & Music Sharing
• Examples: Kazaa, Gnutella, Napster, WebDAV protocol
• Recipe for disaster
  – Legal liabilities (copyright infringement)
  – Avenue for virus/worm propagation
  – Privacy problems (your files shared to the world)
• Inappropriate for business use
• Bad idea for personal use
Disable e-mail Preview
• Automatically reads (possibly executes) malicious e-mail
• Disable on View/Layout menu screen
  – Clear “Show Preview”
E-mail Security Options
• Tools/Options menu
  – Set e-mail to Restricted Zone
• Controlled by Internet Explorer
  – Warn when other applications (viruses) attempt to send e-mail on your behalf
  – Disable attachments that might contain viruses
• May need to temporarily relax for certain, trusted e-mail messages
• Ensure that your virus scanner can intercept and scan e-mail
Taming Viruses
• Scanners mandatory for Windows
• Industry leaders: Norton (Symantec.com), VirusScan (McAfee.com), PC-cillin (TrendMicro.com)
  – Reasonable prices for multi-user (corporate or professional) versions
• Try Antidote (vintage-solutions.com), AntiVir (free-av.com), avast.com, AVG Free (grisoft.com)
  – Free or cheap
More on Taming Viruses
• Scanners are effective, however not foolproof
  – Keep virus signature files up to date – update/download frequently (daily)
  – Keep signature subscription service up to date (paid)
  – Does not always block Spyware
  – Time between virus release and signature created, distributed
• Practice safe computing
  – Avoid dubious web sites
  – Don’t open suspicious e-mail, especially mail with attachments
  – Microsoft and most other vendors do not use e-mail to distribute programs, patches, updates, etc. – so don’t trust e-mail that claims otherwise
Personal Firewalls
• ZoneAlarm (ZoneLabs.com)
  – Monitors and optionally blocks network activity
    • Outsiders attempting to connect to you
    • Programs on your machine (including Spyware, Viruses, etc.) attempting to connect from you to the outside
  – Free or cheap
• Windows XP Internet Connect Firewall (ICF)
  – Similar to ZoneAlarm
  – Free (built into XP)
  – Control Panel, Network Connections, Local Area Connection, Properties, Advanced tab
• Effective against worms, ping sweeps, vulnerability scanners
• Might interfere with home or office network
  – Technical ability required to configure properly
Cable/DSL Router w Firewall
• Prevents outsiders from connecting to your network without explicit exception rules
• Does little (or nothing) to prevent Spyware or viruses from connecting to the Internet
• Effective against worms, ping sweeps and vulnerability scanners attacking from the Internet
  – However, no protection from Internal LAN
• Caution! – Implement security by obscurity
  – Change default password (typically “admin”)
    • Don’t lose it!
  – Change default internal addresses (typically 192.168.x.x)
    • Try 10.a.b.x, where “a.b” are numbers from 1 to 254.