
An Alternate Approach for Securing Your Home PC By Jaime Ortiz

The Bad Guys Are Getting Smarter


- Email allowed for spread of virus
- SPAM lured people
- Worms are able to spread themselves
- Trojans bring in malicious payload
- Malware infected websites installing programs on PC
- Zero-Day attacks
- Key Loggers
- Root Kits
- Phishing and Whaling
- Encrypted payloads that are polymorphic

I Don't Have Anything on My Computer of Any Value


- Your computer is worth CASH
- BOTNETS pay big; want to help take down a hospital?
- Your Identity is worth 50 cents; do the math
- Do you do online banking?
  - Access to bank accounts for transfers
- Do you have an online broker?
  - Pump and Dump
- Do you shop online?
  - Credit Card Numbers

Yeah, but I have Antivirus


- Reactionary device, NOT preventative
- Based on signatures
- Virus in the wild can have up to 7000 variants
- Ever notice that you still have Spyware?
  - Have to run Spybot or Malwarebytes
- Provides little or no protection in some cases
  - Phishing, Whaling
  - Cross-Site scripting
  - Side-Jacking
  - Man-in-the-middle
  - Java Script, Active-X
  - Patching (Apple)
  - Root Kits (remember Sony)
- Can be bypassed

I am Running a Firewall

- So how come someone can send you an Instant Message?
- How can someone SKYPE you?
- How can you connect to your computer running Go To My PC?
- Did you configure your Firewall or just plug and play?
- Anyone use BitTorrent (aka backdoor)?
- Don't you think Google runs a firewall?
  - How about TJ Maxx, NASA?

This Does Not Apply to Me, I Have a Mac, Run Linux, etc.


- Twenty Zero-Day released against Mac this month
- Red Hat was compromised and delivered signed malicious patches that were automatically propagated to clients all over the world
- Apple does not sign ANY updates
- Ubuntu has patches as often or more than Microsoft
- Apple's browser is one of the weakest
- Apple and Linux users don't need antivirus
  - Soft Target
- Market Share dictates rate of compromise, NOT the OS

What about WiFi?


- Most WiFi is set up incorrectly
  - Plug and Play
- If you use WEP it can be cracked by your neighbor's kid in under 30 seconds
- WPA with TKIP crackable offline
  - Rainbow Tables
- Passwords are usually not strong
- SSID broadcast does not matter
- Hotel WiFi easy to intercept
- Neighbors can see what you surf, read your emails
- Starbucks, McDonalds, Panera Bread, Hotels = YIKES!

Someone is Watching

What Can We Do?


- Let's take it a piece at a time
  - Keep the computer clean, be a minimalist
  - Patching
  - Antivirus
  - Email
  - Passwords
  - Firewall/filtering
  - Setup Secure WiFi
  - Backups
  - Advanced or Radical Changes
  - Other good ideas

Keep the Computer Clean, be a minimalist


- Disable services/functions that are not needed!!
  - Turn off Windows File and Print Sharing
  - Turn off Client for Microsoft Networks
  - Turn off NETBIOS over TCP
  - If not using WiFi disable Auto WLAN service
  - Disable Remote Registry
  - Disable Remote Assistance
  - Disable IPv6
  - Disable Remote Desktop
  - Disable Network Discovery (Vista)
  - Disable File Sharing
- New PC? Run PC Decrapifier
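
The checklist above can be audited before anything is changed. The following read-only PowerShell script is an added example, not part of the original slides: it reports the state of the adapter bindings, the Remote Registry and WLAN services, NetBIOS over TCP/IP, Remote Desktop and Remote Assistance. It assumes Windows 8 or later with PowerShell 5.1, and the `New-Finding` helper is a name made up for this example.

```powershell
# Read-only audit of the slide's checklist; it changes no settings.
# Assumes Windows 8+ (Get-NetAdapterBinding) and PowerShell 5.1 (StartType).

# Hypothetical helper: one row of the report.
function New-Finding([string]$Item, [bool]$Enabled, [string]$Detail) {
    [pscustomobject]@{
        Item   = $Item
        State  = if ($Enabled) { 'ENABLED - review' } else { 'disabled' }
        Detail = $Detail
    }
}

$bindings = [ordered]@{
    ms_server   = 'File and Printer Sharing'
    ms_msclient = 'Client for Microsoft Networks'
    ms_tcpip6   = 'IPv6'
}
$services = [ordered]@{
    RemoteRegistry = 'Remote Registry'
    WlanSvc        = 'WLAN AutoConfig (needed only for WiFi)'
}

$findings = & {
    # A binding counts as enabled if any adapter still has it switched on.
    foreach ($id in $bindings.Keys) {
        $on = @(Get-NetAdapterBinding -ComponentID $id -ErrorAction SilentlyContinue |
                Where-Object Enabled)
        New-Finding ($bindings[$id]) ($on.Count -gt 0) ($on.Name -join ', ')
    }
    # A service counts as enabled unless its start type is Disabled.
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $enabled = [bool]$svc -and $svc.StartType -ne 'Disabled'
        New-Finding ($services[$name]) $enabled "StartType=$($svc.StartType) Status=$($svc.Status)"
    }
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $nb = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    New-Finding 'NetBIOS over TCP/IP' ($nb.Count -gt 0) ($nb.Description -join ', ')
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    New-Finding 'Remote Desktop' ($ts.fDenyTSConnections -eq 0) "fDenyTSConnections=$($ts.fDenyTSConnections)"
    # fAllowToGetHelp = 1 means Remote Assistance is allowed.
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    New-Finding 'Remote Assistance' ($ra.fAllowToGetHelp -eq 1) "fAllowToGetHelp=$($ra.fAllowToGetHelp)"
}

$findings | Format-Table -AutoSize
```

Every row marked `ENABLED - review` is an item from the slide that is still switched on; re-run the script after making changes to confirm they took effect.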

Keep the Computer Clean (cont)


- Good free tools to run at least once a month
- Malwarebytes will search for spyware and remove it
  - http://download.cnet.com/Malwarebytes-Anti-Malware/30008022_4-10804572.html
- Spybot Search and Destroy, good for immunizing your PC
  - http://www.safer-networking.org/en/home/index.html
- CCleaner removes remnants of uninstalled programs and keeps your registry in shape
  - http://www.ccleaner.com/
- These tools will help maintain your PC's performance over time

Patch, Patch, did I mention PATCH!


- iTunes
- Adobe Reader
- Quicktime
- Winzip
- Java
- Flash
- Microsoft Office
- Drivers
- Skype
- Instant Messenger
- Printer software
- GotoMyPC
- Firefox
- Chrome
- BitTorrent
- Acrobat
- Windows Update
- Opera
- VNC
- Router

Antivirus

- Though its effectiveness has diminished over the years, it is essential
- Want to scan a file?
  - Check out www.virustotal.com
- The popular vendors are not always the best
  - Check out www.av-test.org
- You don't need to pay for it
  - Microsoft Security Essentials
  - Avast Antivirus
  - AVG

Antivirus (cont)

- Watch out for free flash drives, scan them!
- Enable SMTP or IMAP scan if you use mail client
- Scheduled Scans are required
- Run On-Access scans
  - Yes there is a performance hit
- Update every day, as often as possible
- Do you need antispyware, antiphishing, antibacterial???
  - It does not hurt, but stay tuned..

Email

- Not all email uses encryption, watch out for HTTPS-to-HTTP switch
- Gmail accounts are free
- Setup your own domain for you and your family
- Get two of them
  - Bus-name@gmail.com
  - Per-name@gmail.com
- Dedicate one to family, friends
  - "Check this out" emails
- Dedicate the other to Business, don't give this one out
  - Bank, Online Trading, Shopping
- This can help with phishing attacks; SPAM
- Watch out for unsubscribe
- May want a third for subscribing to sites

Email (cont)

- Gmail www.gmail.com
  - Tracks your email content, Big Brother
  - Gmail anonymizes you and the sender, be careful
  - Great SPAM and AV protection in Gmail
  - If you ever leave your ISP, your email stays the same
  - Uses HTTPS at all times
- Treat email like your home, you don't recognize it, DON'T LET IT IN!!!
- Your bank will NEVER use email for personal info
- Phishing, Spamming, Whaling, very sophisticated
  - Spoofing makes this very dangerous

Passwords

- Passwords need to be strong
  - Usually means hard to remember
- Every account should have a unique password
  - Banks, Email, Amazon, Instant Messenger..
- NEVER click "Remember my password"
  - Trivial to steal if you are compromised
- Use a password manager
  - http://KeePass.info
  - Auto generate passwords for you
  - Complex password
  - One password unlocks all of them
  - Cut and Paste
  - Encrypted storage
  - On-screen keyboard ideal for typing Master Password

Password Manager

Passwords (cont)

- Banks are using RSA Two Factor
  - http://www.nytimes.com/2004/12/24/technology/24online.html?_r=1&pagewanted=2&oref=login
- Online Games are using Two Factor
  - World of Warcraft
- Credit Cards are offering one time numbers
  - http://www.creditcards.com/credit-card-news/online-payment-with-virtual-account-numbers-1273.php

Firewalls

- Don't confuse NAT with Firewall functionality
- Run both a software and hardware based firewall
- Software firewall imperative if you travel or use public WiFi
  - Windows Vista or higher firewall pretty good
  - Zone Alarm free
    - www.zonealarm.com/security/en-us/zonealarm-pc-securityfree-firewall.htm
    - Software based
- You need a firewall that warns/tells you when OUTBOUND connections are taking place
- ALWAYS have a router/firewall between your home network and your broadband connection

Good Hardware Firewalls

Linksys BEFSX41

Netgear Prosafe

Firewalls (cont)

- Use a complex password to manage
- Always use HTTPS to manage hardware device
- Do not allow WiFi clients to access Firewall
- Don't use port forwarding if you can help it
  - If you need remote access use Logmein and Phone Factor
  - If you are a gamer, then learn DD-WRT and isolate system or use one of the firewalls mentioned below
- Want a real firewall for free?
  - Very Powerful, close to what is used in the enterprise
  - Smoothwall
  - WRT
  - Iptables
  - Untangle

Filtering

- DNS is the Achilles Heel
- DNSSEC is gaining support
  - Time Warner and Host Servers setting up as we speak
- Use OpenDNS www.opendns.com
  - Free reliable DNS
  - Can provide filtering to reduce the chance of your machine going to bad sites
  - Good approach to keep your kids from wandering off the reservation
  - Block known sites that are known attack vectors
  - Setup the IP address of OpenDNS in your router

Filtering (cont)

- Your browser can provide filtering
- Internet Explorer SmartScreen Filter
  - Good filter to prevent you from going to malicious site
  - Dynamically updated
  - Checked in realtime
- Firefox has filters
  - Updated almost 48 times per day
  - Can check legitimacy of website

Secure WiFi

- The bottom line is WiFi is dangerous in public
  - Trivial to use as a method of penetration
- Secure it
  - WPA2 AES with PSK (Pre-Shared Key)
    - RADIUS and certificates if you are paranoid like me
  - Setup Infrastructure mode only
  - Change the default SSID!!!!
  - Change the Admin password
  - Setup MAC Filtering
  - Disable wireless to wireless communication, use wired NAS to share files
  - Disable SSID Beaconing/Broadcast
  - Let the password generator create your PSK
  - Reduce Power Output if you have that option

Secure WiFi (cont)


- Most secure is not to use it, I know not practical
- Broadband cards (CDMA) have not been compromised...yet
- If you want other options try Ethernet over Power
  - Use your power lines in your house as a network
  - Great for getting internet access to your DVR
  - Cheap and encrypted
- Remember WiFi signals are EASY to intercept/manipulate
- Remember some online email do not use HTTPS
- Instant Messenger is not encrypted, use SKYPE
- When flying, turn off WiFi
  - Bad guys on planes too
  - Yes some airlines now offer WiFi...be careful

Backups

- When things go south, you want to protect your data
- Perform regular backups
  - USB Hard Drive or DVDs
- Use online backup service to do it for you
  - Mozy or iDrive are my favorites
    - www.mozy.com
    - www.idrive.com
  - Encrypted backups and very affordable
  - Automated, no need to remember to do it
  - Can backup your Blackberry, Android and iPhone
  - Can perform alternate restores if needed
- Do it, you will be glad you did

Radical Approach

- There is another way if you choose to accept your mission
- May not cost you money or very little if it does
- What if I told you that recent advances in science have shown a new method that can save you money, time and may improve your quality of life
- You are right, there is no such thing!
- But let's take a look at what we can do.

Radical Approach (cont)


- Virtualization to the rescue!
- VMware Server and Player are FREE
  - www.vmware.com/products/server/
- Ubuntu Linux is FREE
  - www.ubuntu.com/getubuntu/download
  - Surprisingly easy to use to surf the web
  - Firefox only, no Internet Explorer
  - Takes very little resources to run
- Microsoft Virtual PC is FREE
  - www.microsoft.com/downloads/details.aspx?FamilyId=04D264023199-48A3-AFA2-2DC0B40A73B6&displaylang=en
  - But Windows software is not free
  - If you bought Windows 7 Pro you are covered

Radical Approach (cont)


- How does this help?
- Use Virtualization at home
- Setup a Virtual Machine and surf the web through this machine
  - Do not logon to Virtual Machine as a local Administrator
- Your physical computer (the Host) will be safe if your virtual machine gets infected...for now
- Only use your physical machine to logon to sites where personal data or financial transactions are taking place
- The Virtual Machine is just a single file
  - Copy this file, and restore it from time to time if you think your VM has been infected
  - Brand new PC/load in under 30 seconds

Radical Approach (cont)


- Fun Email and Web Surfing take place in VM
- Setup business email on Host PC
- Use Firefox plug-in to store your Bookmarks online so you don't lose them
- Host PC is the High Security environment
  - Your Bank
  - iTunes
  - Shopping (trusted sites like Amazon)
- This approach can protect your Host PC from Zero-Day attacks
- Your current PC should be able to run Virtual Computer

Radical Approach (cont)


- Why is this a radical approach?
  - Do you need antivirus?
  - Do you need to be as diligent with patching?
  - Do you need to run malware scans?
  - Do you need to be as concerned where you surf?
  - Do you care about passwords?
  - Do you have to wonder if you should install that free screen saver program?
  - Do you have to worry about opening up an email?
- You be the judge

Alternate Approach

- Check craigslist and buy a cheap laptop
  - Heck, new ones can be bought for $300.00
- Make a rule in the house, the laptop is the High Security Zone
  - Banking
  - Insurance
  - Business email
  - Shopping

Other Good Ideas


- We have covered a lot but here are some other things you should keep in mind
- Get a paper shredder for your home
  - Get one that has a CD Shredder
- Always wipe your hard drive before selling or throwing out your PC
  - www.dban.org/download
- Use free Encryption to protect files
  - www.trucrypt.org
- Geek Squad has some bad press
- Encrypt your Flash drive (Free) or buy Iron Key
- Password protect the BIOS of your laptop and disable boot from USB and CD
- Encrypt laptop hard drive with TrueCrypt
- If the HTTPS certificate does not match DO NOT USE IT!!!!

The Key is Discipline


- The web is a necessity
  - Great source of information
- Be safe and look before you leap
- Treat your computer like your home. Don't let anyone in, use discretion

Questions.
