Computer Security Guide
This document discusses why we need to keep PCs and website servers secure and how to do it. It is relevant to website owners and PC owners. It is especially relevant to online business owners.
Firstly, why is all this necessary?
Internet security
The Internet will soon be the world's largest economic force; it's the home of billions of individual resources; it allows a small local business to trade globally; and it allows an attacker in Indonesia to get inside your home and your business. It's huge - immeasurably huge - and anonymous. On one thing you need to be quite certain: there is no law. It's the modern equivalent of the Wild West. "There's no law west of the Pecos", so they said - and there's no law once you connect to the Net. The only protections you have are the walls you build yourself.
Nobody is protecting you, nobody is looking out for you, and nobody probably cares much even if you are the victim of crime. The UK Police not long back announced that if you were a victim of Internet crime, then you should not report it to them, but to a bank. You might be amazed by this statement but it's actually a realistic statement of the blunt truth - nobody can help you, and especially, nobody can find out who did it or prosecute them, or of course undo what they did.
You should also combine this knowledge with the information that attackers are continually probing your defences with computerised searches for an entry point. They probe individual PCs and website servers. If you connect a PC to the Net without any firewall at all, it will be infiltrated by some sort of trojan within a few minutes - without visiting any websites or doing anything else.
Attackers can be anywhere in the world, they are almost always completely beyond the reach of the law, they are totally anonymous and cannot be identified, they have powerful tools at their disposal, they may have brighter minds working for them than are trying to defend against them, and the attacker always has the advantage.
Their ultimate aim is:
- To get your personal or business data
- To compromise your website server, in order to spread their reach by exploiting vulnerable browsers
- To 'recruit' your PC into a botnet - a large group of PCs they control without the owners' knowledge
Industry insiders say botnet masters control 20% of the world's computers - that's one in five. The botnet slave computers are used for all sorts of criminal purposes such as mass attacks, email spam, web spam, fraudulent PPC click campaigns, and other tasks that are invariably fraudulent in one way or another. And the great thing is - if discovered, the trail leads back to you, not the botnet controller. It's a win-win situation for them.
I would remind you of the statement made by the UK hacker who broke into hundreds of US Defense Department computers and accessed information there. When asked if it was difficult he replied, "Ridiculously easy". And that would almost certainly apply to the PCs of many reading this document. It also applies to PC owners running Linux (though to a lesser extent), and of course to Mac owners. At a recent hacking convention and contest, a competitor demonstrated, in front of the assembled expert audience, breaking into a Mac in eleven seconds and stealing the target file. Both Safari and Firefox on the Mac have been successfully exploited and the computer infiltrated (the Firefox exploit has since been patched). Macs are a little more secure than PCs, but mainly they just have fewer people attacking them since they are only 5% of the machines in use.
However, if you are a business owner with a Mac and have competitors or others who wish to infiltrate your resources, that is little comfort.
More exploits of all this software will be found. The top hackers can get in almost anywhere (the Pentagon can't keep them out), so if your business might be vulnerable to an aggressor with a decent budget, your defence must include cryptography.
How do these hacks work?
Some attacks are human-controlled, but the vast majority are automated software. They are bots that continually probe for weaknesses. They try to get into servers in order to load malware onto them, which then allows them to exploit vulnerable browsers. Those browsers allow the attacks to gain entry to the host PC.
Alternatively, the bots trawl the Net looking for weak broadband-connected PCs. These will have a trojan inserted that gets past the weak defences by looking like something else.
In both cases, the trojan now has a job to do:
- It may host a virus whose job is to destroy
- Far more likely now, it will have some criminal financial agenda
- It wants to find private data
- It wants to find passwords
- It wants to phone home with that data (otherwise it's useless)
How to defend against hackers
This can be broken down into web server and PC defence.
Website security
Website and server security is a big area and ultimately, any online business owner should consider a security consultant's audit. However, business website owners can at least follow these tips, which are intended to stop your server access credentials leaking from your own PC, to secure your email, and to secure the communication channel to your server. These are relevant only to a website owner, and those in the next section are for all.
- Use a host who supplies https / sftp channels as well as the http / ftp channel.
- Always use the secure channel (https rather than http, sftp rather than ftp) when communicating with your server, whenever possible. This applies to file transfer, cPanel, and the webapp's admin backend.
- Use a host with a quality policy - this means timely patches and upgrades to server software.
- Keep your server access passwords in an encrypted file on your PC.
- Never send passwords in plain text in an email. If they have been sent in a plain email - change them.
- Listen to what your advisors tell you - and imagine the worst-case consequences.
Home and office computer security
Your office PC has more security issues because you have to take care of all the loose ends that a webhost handles. In brief, these are the requirements for an online business owner, with details after:
1. Use a secure browser such as Firefox or Opera. Other choices may be far more vulnerable. A browser is the #1 entry point for many exploits.
2. Keep your passwords or private data in an encrypted file on your PC.
3. Use a password manager such as Roboform that holds passwords in an encrypted file.
4. Always connect, on broadband, via a router with a hardware firewall. Never use an ISP's free USB router (they have no firewall).
5. Use a top-rated software firewall and keep it updated.
6. Use a top-rated security solution / anti-spyware / antivirus, and keep updated.
7. Set a password on your PC - and don't use a simple name.
8. Never send passwords in an open email.
9. Use the OpenDNS IPs on your router.
10. Use an email anti-spam solution to block dangerous email.
11. Be aware of 'social engineering', and resist it.
12. Work safe - follow the safe working practices outlined in the details below. And keep your kids out of your work machine.
Explanations
1 -- A browser can be exploited and entry gained directly to your PC, by a compromised website. This is one of the easiest and most popular attack vectors. Some browsers are notably weak, and the persons responsible for maintaining that software are also notably lax. In contrast, when a hole is discovered in Firefox (all software is vulnerable on the Net, there is no such thing as unexploited webware), it is patched within three days. In other browsers that cannot be mentioned, that might be three months - or longer - and before that, more holes are found anyway.
2 -- Due to the possibility that someone somehow might access your PC, as a business owner you should protect the 'crown jewels'. Those are your private data and Net passwords. We recommend two PC security solutions: TrueCrypt, for the truly paranoid, or Axcrypt, for the rest of us. TC is excellent but of course difficult to live with, as all effective security solutions of any kind are. Axcrypt is what might be described as 'Windows-style security': it works almost transparently and is good enough for the job.
See foot of page for resources.
3 -- If you keep your passwords in plain text then you cannot describe your PC or Mac as secure. In addition, a password manager allows you to use a real password and not 'fido' or 'tibbles'. Using an encrypted password manager like Roboform means you can instantly log in to any online resource with an unlimited number of real passwords of 20-odd random characters. You don't have to remember them and the passwords can be strong.
4 -- Broadband (= DSL = ADSL = cable broadband) is a fast and easy channel for attackers to probe you using a high bandwidth facility. Your router (wifi router, switch) must contain a hardware firewall that must not be switched off or subverted by placing your PC in the DMZ (a quick and dangerous way to get complex 2-way webapps working through the ports on your PC by placing it outside of the firewall zone). The hardware firewall in your router is one of the best defence tools you have.
5 -- In addition you need a software firewall on the PC. The hardware and software firewalls do not conflict - you need both. You can check the latest and highest-rated firewalls and other security software via the site given in resources.
The top-scoring firewalls right now are Online Armor, Comodo, and Agnitum Outpost. I recommend Online Armor. You can try the free version first to see if you can live with it. Unfortunately, more security means less freedom and more niggles - but that's the price. Make sure to block Internet Explorer in the firewall, so that it can't dial out.
6 -- There is now a two-way choice in anti-malware PC software, and you can decide between virtualisation or traditional protections. Virtualisation or sandboxing is where you run your browser in a sandbox, which means that it is in a temporary environment that is scrubbed as soon as you reboot. It is a fine solution but I don't recommend it for the average user as it is not foolproof - it's best for enthusiasts. Looking at the traditional players, I recommend Avast antivirus and SuperAntiSpyware. Again, you can try the free versions to see if they work, for you, on your set-up - not all applications or combinations are suitable for all users on all equipment. An alternative is AVG security suite, if the ones I offer don't hit the spot for you. Check the site I give in resources for their editors' views.
7 -- Your PC password should be an easily-remembered word with numbers, uppercase and lowercase letters. It must not be any word that can be found in any dictionary. As an alternative you can use a 'keyboard skip', which is a zig-zag trip along the keys that you can do without any memory needed. I believe that a PC password should be simple enough for you to remember without writing out anywhere, but that all contents of the PC should be better protected.
A real password cannot be remembered, it has to be held in a password manager - it is around 20 characters, totally random, of numbers, lower-case and upper-case letters. I do not advise the use of symbols because some applications cannot accept them, or they cause problems. A password can be made full-strength without them, by making it longer.
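The two password rules above (a PC password with mixed case and digits that is not a dictionary word, and a manager-held password of around 20 random alphanumeric characters that gets its strength from length rather than symbols) can be checked with a few lines of arithmetic. The following is an added example, not code from the original guide or from any product it names; the word list is a constructed stand-in for a real dictionary, and the alphabet sizes (62 alphanumeric, 94 printable ASCII) are the standard counts.

```python
import math
import secrets
import string

# Alphabet the guide recommends for stored passwords: digits plus
# upper- and lower-case letters, no symbols (62 characters).
ALPHANUMERIC = string.ascii_letters + string.digits
# Printable ASCII minus space, for comparison (94 characters).
WITH_SYMBOLS = ALPHANUMERIC + string.punctuation


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of the given
    length drawn from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def length_for_parity(target_bits, alphabet_size):
    """Smallest length that reaches target_bits with this alphabet,
    i.e. how much longer a symbol-free password must be."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length=20, alphabet=ALPHANUMERIC):
    """Random password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample word list standing in for a real dictionary.
SAMPLE_DICTIONARY = {"fido", "tibbles", "password", "secret", "office"}


def pc_password_problems(candidate, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules from the guide that the candidate breaks."""
    problems = []
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letters")
    # Drop digits before the lookup so 'Fido1' is still caught as 'fido'.
    letters_only = "".join(c for c in candidate if c.isalpha()).lower()
    if letters_only in dictionary:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    print(f"20 alphanumeric chars: {entropy_bits(20, len(ALPHANUMERIC)):.1f} bits")
    print(f"12 chars with symbols: {entropy_bits(12, len(WITH_SYMBOLS)):.1f} bits")
    need = length_for_parity(entropy_bits(12, len(WITH_SYMBOLS)), len(ALPHANUMERIC))
    print(f"alphanumeric length matching 12 symbol chars: {need}")
    print("example manager password:", generate_password())
    for pw in ("fido", "Fido1", "Tr4ckSide9"):
        print(pw, "->", pc_password_problems(pw) or "ok")
```

Two more alphanumeric characters make up for dropping all 32 symbols at any length, which is why the guide's advice to go longer instead of adding symbols costs nothing in strength.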
8 -- Email is a public form of communication. It is regularly intercepted by the great, the good, and not very nice at all. What you send in an email is essentially public knowledge - it's like a postcard. Would you send your bank card PIN written on a postcard? Probably not. But that's what you're doing by sending a password in an email. The best solution is OpenPGP / Enigmail but it's too complex to set up for me to recommend. Instead, simply send your private data in an Axcrypt file that your contact can easily view with the password that you agreed by phone. An even simpler encryption app is dsCrypt, which is entirely portable (no installation needed). Another method is using a 7-zip encrypted zip file. This can also create an SFX file, which means a self-extracting archive - an encrypted zip that does not need any app at the far end to open.
9 -- OpenDNS is an alternative to your ISP's DNS service. This is getting a bit complicated, but basically it means you replace the DNS server IPs in your router with OpenDNS's. When you go online, you go via a safer route and can't reach any known bad sites that download malware to your PC. It's highly complex to explain but simple to fix. See resources at foot.
Also see the Note on how ISPs are trying to defeat OpenDNS by remotely reprogramming your router - and how to stop their trickery.
10 -- Email management for small and medium business has several aspects to consider, but all I consider here is trojan attacks via email. The choices are detailed in the separate section below.
11 -- A business owner - and especially staff - need to beware of social engineering. This is a combination of computer engineering attack and human weakness attack. For example, a staff member will receive a call from John at Head Office IT Department who is fixing that glitch on the network and needs to check if your password still works... Or, a knock on the door reveals a technician from the local PC shop who has come to sort out the trouble with the server power supply woggle unit. You know the story. It works - and it works very well. If you don't think so, then go through the PC keyboards in the office, turn them upside down, and look underneath them for the Post-It note with the passwords. See?
12 -- Use safe working, sensible practices. Don't download things like screensavers because they are the #1 choice for attackers to load up with their goods. Don't download 'economy' software. Don't use a wide-open browser (you know the one). Use a secure browser; if you love IE that much then get a skin for Firefox that makes it look exactly like IE. Don't allow instant messaging using the usual app that comes with the box; use e.g. Trillian as a business solution. You can also install WOT or LinkExtend to warn you of bad sites - they come up red when you hit a bad site. Don't open Excel or PowerPoint files without scanning them with an anti-spyware app - they can easily host some nasty trojans. Don't send Word files outside your office, they contain a ton of hidden data that you don't want to leak - convert to RTF or PDF first, these have no serious metadata issues. Delete all your passwords from IE once you have loaded them onto Roboform. Never download 'spyware cleaner' or 'PC tune-up' programs from any website except a recommended one - they often contain spyware.
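The "ton of hidden data" in a Word file is easy to see for yourself, because a .docx is just a zip of XML parts. The following is an added example, not code from the original guide: it builds a constructed, minimal .docx in memory (author, last editor, company name, editing time, a tracked deletion and a reviewer comment; not a complete file Word would open), then reports what a recipient could read out of it. The part names and namespaces are the real Office Open XML ones; the names and figures inside are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace, in ElementTree's {ns}tag form.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def build_sample_docx():
    """Constructed minimal .docx carrying the kinds of hidden data a real
    Word file accumulates. Names and figures are invented."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>a.jones</dc:creator>'
        '<cp:lastModifiedBy>b.smith</cp:lastModifiedBy>'
        '<cp:revision>17</cp:revision>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-06-03T16:40:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Company>Example Ltd</Company><TotalTime>342</TotalTime>'
        '<Template>Normal.dotm</Template></Properties>'
    )
    doc = (
        f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
        '<w:r><w:t>Price: 5000</w:t></w:r>'
        '<w:del w:author="a.jones"><w:r><w:delText>Price: 4200</w:delText></w:r></w:del>'
        '</w:p></w:body></w:document>'
    )
    comments = (
        f'<w:comments xmlns:w="{W[1:-1]}"><w:comment w:author="b.smith">'
        '<w:p><w:r><w:t>Our cost is 3000, do not quote below 4000</w:t></w:r></w:p>'
        '</w:comment></w:comments>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", doc)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def hidden_data(docx_bytes):
    """Inspect a .docx and return the hidden data a recipient could read."""
    report = {"properties": {}, "deleted_text": [], "comments": [], "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        # Document properties: who wrote it, who edited it, company, template...
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in names:
                for el in ET.fromstring(z.read(part)):
                    if el.text and el.text.strip():
                        report["properties"][_local(el.tag)] = el.text.strip()
        # Tracked changes: deleted text is still in the file until accepted.
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            report["tracked_changes"] = (len(root.findall(f".//{W}ins"))
                                         + len(root.findall(f".//{W}del")))
            report["deleted_text"] = [t.text for t in root.iter(f"{W}delText") if t.text]
        # Reviewer comments travel in their own part.
        if "word/comments.xml" in names:
            root = ET.fromstring(z.read("word/comments.xml"))
            for c in root.iter(f"{W}comment"):
                text = "".join(t.text or "" for t in c.iter(f"{W}t"))
                report["comments"].append((c.get(f"{W}author"), text))
    return report


def is_safe_to_send(report):
    """True only when no identifying properties, deletions or comments remain."""
    risky = {"creator", "lastModifiedBy", "Company", "Template", "revision", "TotalTime"}
    return (not (risky & set(report["properties"]))
            and not report["deleted_text"]
            and not report["comments"]
            and report["tracked_changes"] == 0)


if __name__ == "__main__":
    r = hidden_data(build_sample_docx())
    for k, v in r.items():
        print(f"{k}: {v}")
    print("safe to send outside the office:", is_safe_to_send(r))
```

Running `hidden_data` on a real file from your own machine (read it with `open(path, "rb").read()`) gives the same report; the deleted price and the internal cost in the comment are the sort of thing that leaves with the document unless you convert it as the guide advises.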
Email security
Here, I'm only concerned with blocking trojans delivered via email. For corporate users with other factors to consider, you will have access to other advice.
- Don't use the default email solution that comes with the average PC as it's wide open
- For an open-source, free solution, use Thunderbird
- For a more capable solution that needs a budget, use Outlook
- For a simple way to cut spam and risk, route your email via Gmail
If you use the standard email application, you are asking your security software to handle the large number of threats that will download to your machine. That doesn't seem a logical answer. Thunderbird will block 95% of spam but needs a lot of user input at first in order to set up the filters. Much also depends on the business website host's email spam solution, since email is routed via your website server.
Outlook is a surprisingly good solution when combined with plugins. The best for the last nine years has been the Cloudmark SpamNet solution. I was using this back in 2000 and at that time it was basically the only solution - and it's still good. They've dropped the 'SpamNet' part of the name, now they have a brand, and supply desktop / server / enterprise solutions. It's a subscription service and worth it if you want a top solution.
Another option is to route your email via Google, who as you might expect have good spam defences. Users of a solution that involves Gmail at some point say that it's the best method of all, and only one in 1,000 spams gets through. However good the Gmail system is though, I can't really recommend third-party solutions for all your data unless encrypted. You will have to decide.
Children
Your kids won't like it but they shouldn't be using your work machine anyway, because they are about the worst security risk imaginable - they use a popular IM app that is the botnet controller's favourite way into a PC, for chatting with their pals 24/7; they visit bad-news games sites; they 'accidentally' come across dodgy sites that you wouldn't want your mum to see and are highly likely to be compromised; they download risky stuff; they play online games that allow full 2-way PC traffic without control, and all the rest. If you need a useful machine to do anti-spyware testing on, you can't find a better one than your kids' machine - it's normally riddled with the stuff.
A note on open-source software
In cryptography it is recognised that the best solution is open-source software, because it cannot be compromised. Nothing can be added, it can't carry out anyone else's agenda, it will not contain software errors for long, and the community will ensure it is of ultimate strength. Open-source often has the highest quality, and therefore freeware of this type - especially in highly-sensitive areas - is a good choice. It is not a second-class or cheap option. But make sure to download your open-source solution from a genuine source - I recommend the original author's site or Softpedia.
Your PC, your vital data, and your server security are easily compromised. Some businesses who lose data this way or have their computers / servers compromised never recover. At the very least it will hurt you harder than you can believe - so don't be lazy, fix it.
Chris Price
June 2009
_____________________________________________________________
Computer security resources