<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: An Interesting Conversation About Computer Security</title>
	<atom:link href="http://blog.tangorangers.com/2009/10/an-interesting-conversation-about-computer-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.tangorangers.com/2009/10/an-interesting-conversation-about-computer-security/</link>
	<description>Misc crap and such</description>
	<lastBuildDate>Thu, 08 Jul 2010 22:19:37 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<item>
		<title>By: Spyder</title>
		<link>http://blog.tangorangers.com/2009/10/an-interesting-conversation-about-computer-security/comment-page-1/#comment-225</link>
		<dc:creator>Spyder</dc:creator>
		<pubDate>Sat, 31 Oct 2009 23:18:52 +0000</pubDate>
		<guid isPermaLink="false">http://blog.tangorangers.com/?p=215#comment-225</guid>
		<description>Well, in my opinion, &quot;Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing right?&quot; might leave someone with a false sense of security.  That, and a sense of complacency, could leave someone in serious trouble.  

Security is always an arms race.  The bad guys are usually one step (if not many) ahead of Geek Squad.  Keep in mind, there is also a growing group of people who rely on NAT routers and some bloated anti-virus that is by and large ineffective, resulting in a box with not just the overhead of that bloated security solution, PLUS the overhead of a couple little trolls in the tubez to harvest the information they desire.  These machines exist in numbers in the hundreds of thousands, providing just the sort of botnet the bad guys want to harvest your information.

Anyway, it&#039;s not a pretty picture and the &quot;McAfee type&quot; solution provided by ANY cable internet provider is like trusting the devil to guard your soul.

The solution is not easy for the IT guy (or gal).  He (or she) needs to make sure everything is patched and all the proper rules are pointed in the proper directions.  If he (or she) is running everything they should be running and has everything up to date, they are still vulnerable to the underlying standard that is, in itself, flawed.  

So, as I said, it is an arms race. As an example, I hope everyone gets things like DNSSEC built into their networks soon, so we can trust our encryption certs again. Flawed DNS is a serious problem, not to mention having a flawed SSL implementation. Having said that, the &#039;researcher&#039; will always be in the lead.  All networks should always be considered &#039;hostile&#039;.  If you think you&#039;re un-hackable, then you probably also think you are going to win the lottery. .o0(someday) Rotfl.  

Anyway, I digress.  The point is, don&#039;t get lazy.  Layer your security in such a way that you have redundancy using hardened tools.  Keep up on the advisories, and patch.  Don&#039;t allow yourself to be lulled into a false sense of security.  It simply doesn&#039;t exist.</description>
		<content:encoded><![CDATA[<p>Well, in my opinion, &#8220;Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing right?&#8221; might leave someone with a false sense of security.  That, and a sense of complacency, could leave someone in serious trouble.  </p>
<p>Security is always an arms race.  The bad guys are usually one step (if not many) ahead of Geek Squad.  Keep in mind, there is also a growing group of people who rely on NAT routers and some bloated anti-virus that is by and large ineffective, resulting in a box with not just the overhead of that bloated security solution, PLUS the overhead of a couple little trolls in the tubez to harvest the information they desire.  These machines exist in numbers in the hundreds of thousands, providing just the sort of botnet the bad guys want to harvest your information.</p>
<p>Anyway, it&#8217;s not a pretty picture and the &#8220;McAfee type&#8221; solution provided by ANY cable internet provider is like trusting the devil to guard your soul.</p>
<p>The solution is not easy for the IT guy (or gal).  He (or she) needs to make sure everything is patched and all the proper rules are pointed in the proper directions.  If he (or she) is running everything they should be running and has everything up to date, they are still vulnerable to the underlying standard that is, in itself, flawed.  </p>
<p>So, as I said, it is an arms race. As an example, I hope everyone gets things like DNSSEC built into their networks soon, so we can trust our encryption certs again. Flawed DNS is a serious problem, not to mention having a flawed SSL implementation. Having said that, the &#8216;researcher&#8217; will always be in the lead.  All networks should always be considered &#8216;hostile&#8217;.  If you think you&#8217;re un-hackable, then you probably also think you are going to win the lottery. .o0(someday) Rotfl.  </p>
<p>Anyway, I digress.  The point is, don&#8217;t get lazy.  Layer your security in such a way that you have redundancy using hardened tools.  Keep up on the advisories, and patch.  Don&#8217;t allow yourself to be lulled into a false sense of security.  It simply doesn&#8217;t exist.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: DaijoubuKun</title>
		<link>http://blog.tangorangers.com/2009/10/an-interesting-conversation-about-computer-security/comment-page-1/#comment-224</link>
		<dc:creator>DaijoubuKun</dc:creator>
		<pubDate>Wed, 28 Oct 2009 22:57:04 +0000</pubDate>
		<guid isPermaLink="false">http://blog.tangorangers.com/?p=215#comment-224</guid>
		<description>You&#039;re absolutely right Spyder. Thanks for clearing things up. I suppose I need to spend a bit more time researching and planning my posts. Tell you honestly, when I wrote this post I was pretty bored and just felt like writing. 

I should have written the part about routers to be more clear. I have found that your system is less likely to get hit by a new nasty worm or by a rogue hacker. I didn&#039;t mean it as a way of saying that it will stop anything. Firewalls are very important. Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing right?

Also a short time after writing the post I considered going back and changing a few things and rewriting it. Unfortunately I started school again and simply forgot. Thanks again for the comment and clearing a few things up.</description>
		<content:encoded><![CDATA[<p>You&#8217;re absolutely right Spyder. Thanks for clearing things up. I suppose I need to spend a bit more time researching and planning my posts. Tell you honestly, when I wrote this post I was pretty bored and just felt like writing. </p>
<p>I should have written the part about routers to be more clear. I have found that your system is less likely to get hit by a new nasty worm or by a rogue hacker. I didn&#8217;t mean it as a way of saying that it will stop anything. Firewalls are very important. Most ISPs that provide you with a modem/router generally have some sort of basic firewall installed. Better than nothing right?</p>
<p>Also a short time after writing the post I considered going back and changing a few things and rewriting it. Unfortunately I started school again and simply forgot. Thanks again for the comment and clearing a few things up.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Spyder</title>
		<link>http://blog.tangorangers.com/2009/10/an-interesting-conversation-about-computer-security/comment-page-1/#comment-223</link>
		<dc:creator>Spyder</dc:creator>
		<pubDate>Wed, 28 Oct 2009 14:42:26 +0000</pubDate>
		<guid isPermaLink="false">http://blog.tangorangers.com/?p=215#comment-223</guid>
		<description>Hey there buddy.  I just want to make a couple quick comments.  

While I agree with your message, I have a little constructive criticism.  I would point out that Google was not the only place compromised. There was an entire list of major named companies full of FTP access credentials.  It is floating around Tor exit nodes right now.  I would also refrain from naming Google or IBM in anything.  They have powerful lawyers.  I would refer to them as a large conglomerate or a Forbes 500 type company over referring to them directly. 

I see you used the term infected.  I noticed you put that in quotes to denote some sort of reservation.  Well, I am sure you meant to say they weren&#039;t infected as such.  They had a layer of code in them that acted either with the Mozilla NAPI or the exploder ActiveX counterpart.  Much like Mark Dowd, Ryan Smith, and David Dewey&#039;s work detailing the attack surface provided by these two particular APIs has been exposed and the whole ecosystem involved detailed.  (See: HustleLabs Attacking Interoperability: The Language of Trust)

Next, when you touch on firewalls in this, you may have gone a little too fast.  I would totally disagree that &#039;even a modem/router will do&#039;.  NAT is not a firewall and the traversal of NAT is a trivial affair. Given that, firewalls should be carefully crafted to each and every situation as an individual.  For those of your readers that do not run any servers, as most home users do, at a minimum they should have two firewalls.  

Nowadays, most people have upgraded or bought new computers, leaving their old one looking to be blessed to someone who will appreciate it.  Well, instead of tossing that old machine, toss two NICs (network cards) into it and install IPCop or SmoothWall or m0n0wall or any of the other Linux based hardware firewall solutions.  My personal preference is a Gentoo dist with the best of pfSense in it.  I realize that may not be an adequate solution for most of your readers, but IPCop and SmoothWall are easy to set up and deployment is a snap.  

That is just the first firewall; however, you should also run a firewall on your computer.  With Linux, the answer is always iptables and sometimes ipchains.  In Windows, there are far more choices.  A couple good ones are free.  As a rule, you should never have two firewalls on one box; they generally will cancel each other out.  So if you add any third party software firewall to your Windows box, make sure the Windows firewall is disabled.  That said, a couple of good firewalls are Comodo and Sygate.  If you are more advanced you may prefer something like Agnitum&#039;s Outpost.  If you have a hypervisor of some sort, you can have each container traverse the firewall rules before going to a neighboring container. At any rate, that goes back to each network being specific and the security should be tailored to it.

Lastly, and this may be a bit nit-picky, you mentioned Microsoft took a week to patch.  That would be a &#039;best case&#039; situation.  There are other &#039;0 days&#039; that hit a few days after &quot;Patch Tuesday&quot; and you would have thought it would take three weeks and a couple days to get a patch, but I can remember one patch that took 6 months to patch and another that went over a year to get patched.  That said, there are things that simply don&#039;t get patched and are, in fact, the standard.  An example of this is in RFC (request for comments) or the x509 flaw.  I am not going to go into the details, simply assert that in some cases third party implementations, no matter how well written and how carefully patched, are written on flawed standards.  The more meticulous a developer is in placing his qualified objects on the stack, the lower the likelihood of a stale exploitable object being left behind, but no programmer is perfect and even if they were, the standard is still flawed.

So to agree with you in principle is one thing, practical application is a whole different thing.  What you played down, I maximize.  Every other point you make I agree with totally.  I like your selection of apps, and your approach.  All in all, I think it is a great article.</description>
		<content:encoded><![CDATA[<p>Hey there buddy.  I just want to make a couple quick comments.  </p>
<p>While I agree with your message, I have a little constructive criticism.  I would point out that Google was not the only place compromised. There was an entire list of major named companies full of FTP access credentials.  It is floating around Tor exit nodes right now.  I would also refrain from naming Google or IBM in anything.  They have powerful lawyers.  I would refer to them as a large conglomerate or a Forbes 500 type company over referring to them directly. </p>
<p>I see you used the term infected.  I noticed you put that in quotes to denote some sort of reservation.  Well, I am sure you meant to say they weren&#8217;t infected as such.  They had a layer of code in them that acted either with the Mozilla NAPI or the exploder ActiveX counterpart.  Much like Mark Dowd, Ryan Smith, and David Dewey&#8217;s work detailing the attack surface provided by these two particular APIs has been exposed and the whole ecosystem involved detailed.  (See: HustleLabs Attacking Interoperability: The Language of Trust)</p>
<p>Next, when you touch on firewalls in this, you may have gone a little too fast.  I would totally disagree that &#8216;even a modem/router will do&#8217;.  NAT is not a firewall and the traversal of NAT is a trivial affair. Given that, firewalls should be carefully crafted to each and every situation as an individual.  For those of your readers that do not run any servers, as most home users do, at a minimum they should have two firewalls.  </p>
<p>Nowadays, most people have upgraded or bought new computers, leaving their old one looking to be blessed to someone who will appreciate it.  Well, instead of tossing that old machine, toss two NICs (network cards) into it and install IPCop or SmoothWall or m0n0wall or any of the other Linux based hardware firewall solutions.  My personal preference is a Gentoo dist with the best of pfSense in it.  I realize that may not be an adequate solution for most of your readers, but IPCop and SmoothWall are easy to set up and deployment is a snap.  </p>
<p>That is just the first firewall; however, you should also run a firewall on your computer.  With Linux, the answer is always iptables and sometimes ipchains.  In Windows, there are far more choices.  A couple good ones are free.  As a rule, you should never have two firewalls on one box; they generally will cancel each other out.  So if you add any third party software firewall to your Windows box, make sure the Windows firewall is disabled.  That said, a couple of good firewalls are Comodo and Sygate.  If you are more advanced you may prefer something like Agnitum&#8217;s Outpost.  If you have a hypervisor of some sort, you can have each container traverse the firewall rules before going to a neighboring container. At any rate, that goes back to each network being specific and the security should be tailored to it.</p>
<p>Lastly, and this may be a bit nit-picky, you mentioned Microsoft took a week to patch.  That would be a &#8216;best case&#8217; situation.  There are other &#8216;0 days&#8217; that hit a few days after &#8220;Patch Tuesday&#8221; and you would have thought it would take three weeks and a couple days to get a patch, but I can remember one patch that took 6 months to patch and another that went over a year to get patched.  That said, there are things that simply don&#8217;t get patched and are, in fact, the standard.  An example of this is in RFC (request for comments) or the x509 flaw.  I am not going to go into the details, simply assert that in some cases third party implementations, no matter how well written and how carefully patched, are written on flawed standards.  The more meticulous a developer is in placing his qualified objects on the stack, the lower the likelihood of a stale exploitable object being left behind, but no programmer is perfect and even if they were, the standard is still flawed.</p>
<p>So to agree with you in principle is one thing, practical application is a whole different thing.  What you played down, I maximize.  Every other point you make I agree with totally.  I like your selection of apps, and your approach.  All in all, I think it is a great article.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
