With all the recent hoopla about security issues going around, I thought I’d share some tips on how to keep your computer safe. I assume that you already know not to open attachments from strangers, and that you should always have a firewall and anti-virus program installed. This entry goes into a little bit more depth than that.
The router. Having a router is a first line of defense. Do not ever connect your computer directly to the modem. Due to how routers work, outsiders are unable to have direct access to your computer – unless you initiate the connection with them first, or modify the settings in your router to allow them to have access. An unpatched Windows XP machine that’s connected to the modem directly will be compromised in minutes.
The Internet browser. Aside from trying to get you by sending you virus-laden emails, the big way that the bad guys will try to get at you is through your web surfing. There’s two facets to this. Some bad guys will try to infect your computer outright, and turn it into a spam-machine. However, the more recent trend is to compromise your online identity: load custom code that gets your computer to spam Facebook or Twitter, without your computer itself being infected. This works by turning your web browser against you, and its much easier to pull off – all you have to do is surf to a website.
Older web browsers have no defense against this type of attack and will fall right for it. So if you’re one of the millions that still use the ancient Internet Explorer 6, switch. Newer browsers such as Mozilla Firefox and Google Chrome check what websites are getting your traffic, and look at the behaviour of the websites you’re on, and will try to warn you if it detects anything suspicious.
At the present time, Google Chrome is my browser of choice. I especially like that it patches itself regularly to defend against the latest attacks aimed at the browser itself. Firefox auto-updates as well, but usually you have to press a few buttons and it’s an invasive process. Chrome does it in the background and doesn’t require any user intervention.
Block ads. Even if you surf sites that are well-known and considered safe, the bad guys can still get some of their code to be loaded by your web browser. Third-party ads are one such approach. The ad company might be legit, but they might sell some advertising space to company B, who divides it up and sells it off to company C, D, and E. Company E might actually be a front for a cyber criminal. He loads in custom code, which then gets displayed on the legitimate site you surf. You and thousands of others get compromised.
Modern browsers such as Mozilla Firefox and Google Chrome have plug-ins you can download to block ads. I very much recommend that you make use of these.
USB Sticks. If someone else passes me a USB stick, I never run anything that’s on it without first scanning its contents with an anti-virus. If you have Windows XP, disable AutoRun, otherwise, the contents could be made to run automatically as soon as the device is inserted into your computer – and inject a virus along with it.
I remember that there was this kid whose computer I cleaned from malware. He put a USB stick that he had used during the infection back in, and his computer got infected all over again.
Beware of PDFs. Alright, so you already know to not open executable files (.exe and .scr) when you check your emails from anyone, including your family. You have to be careful with PDFs as well. Adobe Acrobat is a pretty popular target for bad guys. If you must open the files, then I use something like the Google PDF Viewer, which takes out the offending code.
Update: Check the comments section for some great tips from Sakuramboo!
Comments
5 responses to “Computer Security 101”
You pick Chrome over Firefox?
Yeah. They’re both good, but I find Chrome slightly more responsive and sleeker to look at. Personal preference though.
I think that some other practices should really include the following.
1. Understand what account separation is and utilise it.
example – Create an account named Chrome that has no password and can’t be logged into. As Administrator, install the Chrome Browser for that user into their profile. Then, switch back to your main, limited, user account. Create a desktop icon with the executable starting with “runas /user:chrome chrome.exe” (or something to that extent, it’s been a while since I used Windows).
What this does – It runs Chrome as that user, in their profile, so, if the browser gets taken control of, it only affects that user.
2. Understand what Access Control Lists are and how to use them. They allow a much finer tuning of permissions than your standard user:group read:write:execute permissions.
This one should be done in parallel to the first one. This makes it so, if your browser or program does get attacked, the threat can not spread to the rest of the system, unless the attack has some sort of privilege escalation exploit that gives them Administrator rights. But, then we are talking about an actual planned attack which went away in the mid 90’s. Everything is automated and attacks the most common, now-a-days.
3. Anti-virus is good, but is not to be relied upon. Furthermore, you should never remove malware from an AV program. A lot of times, they do more harm then good. You can have them quarantine the threat, but you should either manually remove them or use your Windows disc to repair any damage that it might have caused.
4. If you don’t have to use Windows, then don’t. Okay, this is really just a Linux user preaching, but there is some validity to this. Why use an operating system that is most sought after by malware writers if all you use your computer for is to stalk your “friends” on facebook, check your email or chat in aim, yahoo, msn, irc or what have you?
About the router information, I wrote a tutorial a long time ago on securing a Linksys WRT54G router. A lot of what I said still holds merit today and is worth a glance.
http://www.sakuramboo.com/wiki/index.php?title=Securing_a_WRT54G_Router
Thanks for sharing some wise advice!
My pleasure.
There is a little known fact that it is possible to secure a Windows computer to never get any bit of malware, but the problem is, the most common methods are not enough.
There are two methods of security, prevention and minimizing damages. Truth be told, it is impossible to prevent all the threats out there. So the key is to minimize the damage when your computer does get infected.
The most common methods of security typically fall under prevention. And this is why everyone always complains a few months after buying a new computer of slowdowns, non responsive and just all around sluggishness of their computers.
The first two methods I outlined fall under minimizing damages. When your browser gets hijacked, the threat can’t spread to the rest of the computer. And then, instead of having to reinstall the OS, you just need to drop the user account, make a new one and just reinstall the browser for that user.
There are some other methods out there, such as using a stateful inspection based firewall. The best out there are going to be hardware based solutions, but building one is pretty cheap, in fact, if you have a spare computer sitting around, make sure it has two network cards in it, place it between your router and modem and install Linux. Enable ip forwarding (echo 0 > /proc/sys/net/ipv4/ip_forward) and start modifying the iptables chains. There are some distributions to really make it easy, the first that comes to mind is IPCop. They have a pretty easy to use web based front end to make managing firewall rules easy.
Software based firewall solutions are a good idea, but most for Windows are not worth anything. Pre XP_SP2, the built in Windows firewall did not prevent outgoing connections, but after SP2, they enabled that and even started up the firewall before the network stack got initiated. This protected the system while it is booting (preventing the dreaded DHCP vulnerability that sprung up around 2006).
If you want some more research material or just other stuff to read up on this, I used to be a moderator for J!NX’s message board and before the forum was shut down, I saved some of the posts I felt were most important. I posted them up on my wiki, so feel free to take a look at them.
http://www.sakuramboo.com/wiki/index.php?title=J!NX_Posts
Just a word of warning, I haven’t really been touching my wiki in a while and apparently, the main page is getting spammed, so the main page might be messed up. I’ve been banning IP addresses, but I need to figure out how to not allow anonymous posting.
Cheers.