An Interesting Conversation About Computer Security

A few days ago I was with one of my good friends who owns a computer repair shop. I love going there because he always has something new and cool to show me (and I get a chance to “geek out” for a bit), plus I like helping out so I don’t forget how to fix even the most basic computer problems. While I was there, a long-time customer of his came in to pick up his computer and a very interesting conversation came up. The customer asked why his computer won’t stay clean after he brings it down to the shop.

It’s an interesting thing, isn’t it? Why is it that we, as admins and security experts, never seem to be able to keep computers clean? Even the most skilled professionals can’t keep a computer clean. Well, it’s not our fault. There are so many security issues out there, and to be very blunt, the bad guys are always one step ahead of the security experts. Only sometimes do the good guys get a patch out (or publish the exploit) before the bad guys get a chance to exploit the security hole.

Unfortunately, even when the good guys find the security hole before the bad guys, there is still the problem of getting the OS patched before someone becomes a victim. For example, a short time ago there was an ActiveX Draw exploit that affected millions of Windows PCs. Basically, the bad guys somehow gained access to Google’s AdSense archive (and several other advertisers’ archives) and “infected” roughly 20% of the ads in the archive. I’m unsure of how the exploit functioned; I have heard everything from it doing nothing to it allowing someone to gain full control of your computer. Now, let’s say for example that you visit a site, any site. You usually see two ads: one along the top and one down the side. So with one page view you have seen two ads. You click on something, new page, and four ads have now been seen. You click again, six ads. Now you have reached the mark: there is a high probability you have just seen one of the exploited ads. Whether you like it or not, what you see in your web browser is also stored locally on your computer. No one was at fault for this (excluding the bad guys). Microsoft put out a patch after about a week of the exploit being known, and Google fixed the hole that allowed the bad guys to gain access to the AdSense servers. The problem now? Actually, two problems. One, some people are still making ads that are infected and trying to get them onto your computer. Two, there are still millions of computers that have not been updated.

There are always problems like this. I never like to blame any company directly unless they know of the issue but don’t bother fixing it. Other examples involve more advanced techniques: an attacker can gain access to a computer just by sending it certain data that causes a hole to open temporarily.

The $1000 question is how do we keep our computers clean. Everyone has their own ways, but we came up with just a few basics. So if you run Windows, try these out:

  1. Run Firefox instead of Internet Explorer. Within Firefox, get the extensions Adblock Plus and NoScript.
  2. Make sure you have a good virus scanner and that it’s up to date.
  3. Turn on Automatic Windows Updates and keep your Windows up to date.
  4. Get anti-spyware programs like Ad-Aware (the free one is fine for me) and Spybot: Search and Destroy.
  5. Make sure you have a firewall, even if it’s the one built into Windows XP (or later).
  6. Lastly, be sure you’re not connected directly to the internet. Most ISPs will provide you with a modem or router; make sure you have a router, even if it has the modem built in! It adds just that slight bit of extra protection.

Granted, those are just a few of the things you can do to keep your computer clean. I always recommend talking to an expert before trying new software. If you feel your computer may not be clean, find a “hole in the wall” style computer shop. Those are often the better choice compared to the larger companies. Ask the shopkeeper questions: Will they charge you even if they don’t fix the problem? Do they guarantee their work for at least 30 days? Will they wipe your computer’s hard drive or remove personal files without asking? Will they look at your personal files or web history? The best repair shops will answer honestly and quickly. Hesitation is a bad sign.

Lastly, for all you Windows users out there: get a program called Secunia PSI. It is free for home users. This program checks almost every piece of software on your computer and sees if there is an update for it. It works very well. For example, a few weeks ago Adobe was repeatedly updating its Flash Player because of several security holes. Secunia PSI found that the version I was running was insecure and provided me with a link to directly download and install the updated version! I must say it has been one of the best security programs I have seen for some time.

P.S. Just a note about NoScript. It can be hard for some users to get accustomed to using it, and if you unblock the wrong script you will get infected.

5 Comments

  1. Spyder says:

    Hey there buddy. I just want to make a couple quick comments.

    While I agree with your message, I have a little constructive criticism. I would point out that Google was not the only place compromised. There was an entire list of major named companies full of FTP access credentials. It is floating around Tor exit nodes right now. I would also refrain from naming Google or IBM in anything. They have powerful lawyers. I would refer to them as a large conglomerate or a Forbes 500 type company over referring to them directly.

    I see you used the term infected. I noticed you put that in quotes to denote some sort of reservation. Well, I am sure you meant to say they weren’t infected as such. They had a layer of code in them that acted either with the Mozilla NPAPI or the exploder ActiveX counterpart. Much like Mark Dowd, Ryan Smith, and David Dewey’s work detailing the attack surface provided by these two particular APIs has exposed, and the whole ecosystem involved has been detailed. (See: HustleLabs, Attacking Interoperability: The Language of Trust)

    Next, when you touch on firewalls in this, you may have gone a little too fast. I would totally disagree that ‘even a modem/router will do’. NAT is not a firewall, and the traversal of NAT is a trivial affair. Given that, firewalls should be carefully crafted to each and every situation as an individual. For those of your readers who do not run any servers, as is the case for most home users, at a minimum they should have two firewalls.

    Nowadays, most people have upgraded or bought new computers, leaving their old one looking to be blessed to someone who will appreciate it. Well, instead of tossing that old machine, toss two NICs (network cards) into it and install IPCop or SmoothWall or m0n0wall or any of the other Linux-based hardware firewall solutions. My personal preference is a Gentoo dist with the best of pfSense in it. I realize that may not be an adequate solution for most of your readers, but IPCop and SmoothWall are easy to set up and deployment is a snap.

    That is just the first firewall, however; you should also run a firewall on your computer. With Linux, the answer is always iptables and sometimes ipchains. In Windows, there are far more choices. A couple of good ones are free. As a rule, you should never have two firewalls on one box; they generally will cancel each other out. So if you add any third-party software firewall to your Windows box, make sure the Windows firewall is disabled. That said, a couple of good firewalls are Comodo and Sygate. If you are more advanced you may prefer something like Agnitum’s Outpost. If you have a hypervisor of some sort, you can have each container traverse the firewall rules before going to a neighboring container. At any rate, that goes back to each network being specific, and the security should be tailored to it.

    Lastly, and this may be a bit nit-picky, you mentioned Microsoft took a week to patch. That would be a ‘best case’ situation. There are other ‘0 days’ that hit a few days after “Patch Tuesday” and you would have thought it would take three weeks and a couple of days to get a patch, but I can remember one patch that took 6 months and another that went over a year to get patched. That said, there are things that simply don’t get patched and are, in fact, the standard. An example of this is in RFCs (requests for comments) or the X.509 flaw. I am not going to go into the details, simply assert that in some cases third-party implementations, no matter how well written and how carefully patched, are written on flawed standards. The more meticulous a developer is in placing his qualified objects on the stack, the lower the likelihood of a stale exploitable object being left behind, but no programmer is perfect and even if they were, the standard is still flawed.

    So to agree with you in principle is one thing, practical application is a whole different thing. What you played down, I maximize. Every other point you make I agree with totally. I like your selection of apps, and your approach. All in all, I think it is a great article.

  2. DaijoubuKun says:

    You’re absolutely right Spyder. Thanks for clearing things up. I suppose I need to spend a bit more time researching and planning my posts. Tell you honestly, when I wrote this post I was pretty bored and just felt like writing.

    I should have written the part about routers to be more clear. I have found that your system is less likely to get hit by a new nasty worm or by a rogue hacker. I didn’t mean it as a way of saying that it will stop anything. Firewalls are very important. Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing, right?

    Also a short time after writing the post I considered going back and changing a few things and rewriting it. Unfortunately I started school again and simply forgot. Thanks again for the comment and clearing a few things up.

  3. Spyder says:

    Well, in my opinion, “Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing right?” might leave someone with a false sense of security. That, and a sense of complacency, could leave someone in serious trouble.

    Security is always an arms race. The bad guys are usually one step (if not many) ahead of Geek Squad. Keep in mind, there is also a growing group of people who rely on NAT routers and some bloated anti-virus that is, by and large, ineffective, resulting in a box with not just the overhead of that bloated security solution, PLUS the overhead of a couple of little trolls in the tubez to harvest the information they desire. These machines exist in numbers in the hundreds of thousands, providing just the sort of botnet the bad guys want to harvest your information.

    Anyway, it’s not a pretty picture, and the “McAfee type” solution provided by ANY cable internet provider is like trusting the devil to guard your soul.

    The solution is not easy for the IT guy (or gal). He (or she) needs to make sure everything is patched and all the proper rules are pointed in the proper directions. If he (or she) is running everything they should be running and has everything up to date, they are still vulnerable to the underlying standard that is, in itself, flawed.

    So, as I said, it is an arms race. As an example, I hope everyone gets things like DNSSEC built into their networks soon, so we can trust our encryption certs again. Flawed DNS is a serious problem, not to mention having a flawed SSL implementation. Having said that, the ‘researcher’ will always be in the lead. All networks should always be considered ‘hostile’. If you think you’re un-hackable, then you probably also think you are going to win the lottery. .o0(someday) Rotfl.

    Anyway, I digress. The point is, don’t get lazy. Layer your security in such a way that you have redundancy using hardened tools. Keep up on the advisories, and patch. Don’t allow yourself to be lulled into a false sense of security. It simply doesn’t exist.

  4. Keira James says:

    I am only using free virus scanners like Avast and Avira, but they seem to be great tools though.

  5. DaijoubuKun says:

    Nothing wrong with free scanners. On Windows I trust Avast. I have used it for years and very rarely does anything slip by. On Linux I sometimes use Avast Linux Free Edition, otherwise ClamAV. Thanks for the comment!
