Community Newsletter: Q&A: 1/5/07 Help! I need clarification on Internet security

by Lee Koo (ADMIN) Moderator - 1/5/07 11:32 AM
Post 16 of 64

i don't know about THAT, but...

by santuccie - 1/8/07 4:46 PM In reply to: Exactly... by feskridge

I will say this blatantly: you're wrong. I have a wireless router in my home, and my grandma's machine had MSC courtesy of Comcast, complete with McAfee Personal Firewall Plus. When botnet worms broke out in the end of September or the beginning of October, she started getting hit without even going online.

A wireless router could have one of two types of firewalls: NAT (Network Address Translation) or SPI (Stateful Packet Inspection). A NAT firewall hides your computer's IP address behind its own. It does nothing to stop an intruder from getting in. Check out this link to learn more about different firewall technologies: http://www.ciol.com/content/flavour/netsec/101041101.asp

Post 17 of 64

Thanks, but...

by feskridge - 1/8/07 8:58 PM In reply to: i don't know about THAT, but... by santuccie

Thanks for the link. I'll check it out. But I don't understand what you're saying I'm wrong about. Are you saying your mom got hit without even getting on the Internet? If so, I was right. You should just keep the computer off at all times. That way you'll never get hit. Problem solved. Thank you.

Holy mackerel! Florida just crushed Ohio State!

Post 18 of 64

not good enough

by santuccie - 1/8/07 9:23 PM In reply to: Thanks, but... by feskridge

Funny. That's just what they said on the news in the evening of October 9. But here's how my system is set up...

I have System Scheduler on my machine. At 1:45 a.m., it starts updating my non-automatically updating products and scanners in five-minute intervals. By the time my Citrus Alarm Clock wakes me up in the morning, all the scanners are done, and I get to check the results and close the windows.

Here's a contrast for you. When I saw the news report, I immediately unplugged her ethernet, hit System Restore, and replaced the MSC firewall component with Safety.Net. Actually, I tried Jetico first, but IE couldn't find the server, so then I installed Safety.Net. And what do you know? The attacks came to a screeching halt!!! I was using BlackICE until my subscription expired in mid or late October, and I've also been using Safety.Net ever since. My machine has never been hit. :)

Post 19 of 64

Protection vs. Paralysis

by spencebj - 1/10/07 6:19 PM In reply to: Exactly... by feskridge

I'm with you Feskridge ... there's a fine line between protection and paralysis. We do a lot of support at Wi-Fi hotspots in RV parks, and we often see people unable to connect because their firewall is preventing it. Sure, there is a way to configure the firewall to allow the connection, but it's beyond most average users. If you're up-to-date, clean, and scan regularly for viruses and spyware, the one-way firewall that comes with XP is sufficient. And, doing your banking is just as safe on Wireless hotspots as on any other type of connection. The encryption is handled by the bank's servers and protects your information from your computer, thru the hotspot's network, across the Internet AND back.

I believe there is such a thing as too much protection. I see, in my mind's eye, little league hockey players that are so padded and protected that they can't even skate!

Use Windows firewall, do your backups, stay up-to-date, scan for viruses and spyware regularly, and accept that there is a certain amount of risk in using the Internet. The only way to be 100% safe is to unplug your computer.

Post 20 of 64

If it works, use it!

by santuccie - 1/10/07 6:48 PM In reply to: Protection vs. Paralysis by spencebj

"The only way to be 100% safe is to unplug your computer." Well, that goes without saying, doesn't it? However, if you have broadband service for which you pay $60 every month, and depend on for your livelihood in a Remote Support occupation, you don't have that option.

Why don't you take a look at what's been going on while you were sleeping: http://www.informationweek.com/showArticle.jhtml;jsessionid=LNZDUIB1DD05AQSNDLQSKHSCJUNN2JVN?articleID=196603916

Clearly, signature-based scanners will not provide enough proactive protection against these new threats. But there are solutions. Like I've already said, an SPI firewall will keep intruders out, while an intelligent HIPS product like Cyberhawk will fill in the voids left by your traditional scanners and prevent "non-intruders" from infecting your machine with your unwitting authorization.

By employing these technologies, I have been able to make use of the Internet connectivity I've been paying for, while still managing to keep creepy critters off my machines. 100% secure? Maybe not, but it's a way better answer than "Unplug your Internet." Don't question success, folks!

Post 21 of 64

oops!

by santuccie - 1/10/07 7:21 PM In reply to: If it works, use it! by santuccie

Pardon me. I don't know why, but it sounded like your last comment was directed at me. How very silly of me. My apologies.

Post 22 of 64

I'm just being a little sarcastic.

by feskridge - 1/11/07 12:57 AM In reply to: Protection vs. Paralysis by spencebj

So much ink is put out there regarding the onerous protection schemes that are recommended, some of which contradict others, that I don't see how a newbie would not be completely scared off. I go along with pundit Leo Laporte: He (and I) use a properly installed wireless router with encryption, the free MS firewall, the free MS Defender spyware and adware protector, and the free antispyware Avast! by Alwil. This seems to do the job as long as I stay away from obvious traps like links to unknown websites from unknown sources, particularly porn. And it doesn't slow down my machine (much) like Norton or McAfee tend to do. The best part is no subscriptions.

Post 23 of 64

Thought you would like to know, not free anymore?

by BrianO5 - 1/8/07 7:24 AM In reply to: John's winning answer by Lee Koo (ADMIN) Moderator

ewido anti-spyware 4.0 has been replaced by AVG Anti-Spyware 7.5 and isn't available for sale and download anymore (under the old name). Instead, please try our new, highly improved version: AVG Anti-Spyware 7.5

Post 24 of 64

re: John's Answer

by tms331 - 1/8/07 1:33 PM In reply to: John's winning answer by Lee Koo (ADMIN) Moderator

I was going to report this as an offensive post as it made me feel really dumb concerning my knowledge in this critical area - and I've used computers for many years. But instead I'll send this to friends who know less than I do about this area. Then I can feel just so darn superior! <(:<0)

Seriously, it is a great article and most helpful. I am sending it to friends, not to feel superior (they know better), rather it is just that helpful. Thanx, John.

Post 25 of 64

Modem waking up computer

by jbliever - 1/8/07 4:49 PM In reply to: John's winning answer by Lee Koo (ADMIN) Moderator

If your CPU is hooked up to a Power Direction (like a power strip) and is turned off when the computer is shut down, would it still be possible for the modem to "wake up the computer?" It doesn't seem like the modem waking up the computer would be possible then.

Jean

Post 26 of 64

Nice answer Kumar but I have another question about Limewire

by buttdad - 3/17/07 12:56 PM In reply to: John's winning answer by Lee Koo (ADMIN) Moderator

I have noticed when I am logged onto LimeWire after downloading a file and there is no apparent activity on LimeWire, in other words, no apparent uploads of my files by other users and I am not downloading. I notice the light on my modem Labeled "PC Activity" is flashing. Is this normal since I am logged onto LimeWire or is it an indication of something not good?

Post 27 of 64

Mark's winning answer

by Lee Koo (ADMIN) Moderator - 1/4/07 3:18 PM In reply to: 1/5/07 Help! I need clarification on Internet security by Lee Koo (ADMIN) Moderator

Answer:

This is a response to Kumar's security questions when using the Internet. I apologize in advance for the long email, but the questions are much simpler than the answers.

1. Is it OK to leave my wireless broadband router on all the time, even when I switch off the computer or other times when I use other programs such as Word or PowerPoint, rather than the Internet? Would someone be able to hack into my computer files even when I am not browsing the Internet?

The answer to someone's ability to hack a wireless router is "yes & no". Some can, some will, and some can be stopped easily. There are a few things to consider before deciding on whether or not to leave a wireless router on when not in use. You decide.

Top 3: First, your router is a target. Those who are patrolling the Internet looking for systems to compromise cannot initially tell if there is a system behind your router, so if they can see the router, they will attempt to access it, and to by-pass or compromise it. Routers are in essence, computers that simply inspect and direct packets. If someone can subvert your router, your network is effectively "0wn3d". There is sufficient information in the public domain to make this easy in most cases.

Second, there is a question of what protective controls you have placed on the device to make it "hardened". Does it advertise its SSID? Does it have a hard to guess admin password made up of a long string (I use 16+ characters in my passwords.) of numbers, letters and special characters? Does it use WPA2 or other controls? Do you change the passwords and SSID often? Do you restrict access to the device by MAC address? Follow best practices and use a hardware firewall too.

Third issue is one of liability. While you are not using the wireless router, or even when you are, someone that has access to it can surf whatever they want, including child pornography or other illegal materials. They can also use your network as a free access and jump off point to attack others. As far as your ISP is concerned, that is your connection that is involved, and in essence, YOU.

2. Will someone be able to hack into my computer if I use the standard firewall provided with Windows XP?

Again, this depends on how good your other controls are. This is a very basic "firewall". Most NAT routers will stop some casual attackers. Windows XP firewall will stop some as well. What is really lacking in Windows firewall is outbound protection and application monitoring. Any program that you download, install, or have installed for you by a malicious website or application (happens all the time) will be allowed to make connections outbound. A good desktop or personal firewall will provide you the opportunity to approve connections before they are made. A few years ago, I was surprised to have my personal firewall fire up a warning that Internet Explorer suddenly needed my approval to access the internet, even though I had allowed it access ages ago when I installed the firewall application. This indicated that the IE was either a bogus program launching from somewhere else on my hard disk, or that IE had somehow been changed. Neither is a good thing. Windows firewall offers no protection against spyware or much else. If you have nothing else, run it, but do not consider yourself "secure". It has been stated in the press that an unprotected system will be detected on the internet within 15 minutes. In my own experiences, I have found this to be true, and ANY Operating System will be compromised within another 15 to 20 minutes. It is really that bad out there.

3. From the security point of view, is a wired Internet broadband connection safer than wireless broadband connection via a home wireless router which is encrypted?

Apples to oranges. A wired connection requires physical access to compromise a network, until it is connected to the internet. After that, it is just as insecure as a wireless connection. When thinking about security, don't think "what is more secure" because security is not a device you can attach. It is an evolving mindset. Look at the risks, value to you and motivations of those that might want to compromise your network or PC. Someone wants to make money. They want to use your system to generate spam, they want to use your system to hide their system when launching an attack, they want to steal your identity or personal information. They want to compromise your system so that they can use your VPN tunnel to get inside your business firewall and take over all of your company's systems so they can rent them out as a botnet to make a few quick bucks. You are providing them with a PC in order to do this. You are providing them a wireless connection to do this. All they need to do is find a way to get in. How easy are you going to make it for them to do this?

Encryption doesn't protect anything other than the data stream, making it harder to compromise the things that you are communicating in a session. Encryption can actually hinder an investigation because now the investigator cannot easily see what is passing through the connection. Don't get me wrong. Use encryption on your wireless connections to protect yourself from snooping and data injection, but don't rely on ONLY encryption as a security control.

You have to secure the end points. Harden your O/S. I have a total of 32 out of roughly 100 services enabled in my XP box in order to minimize its attack surface. I have configured its security options through the MMC according to published "best" practices (makes it much faster, too!). I have a hardware firewall to protect my perimeter. I have a software firewall to protect my applications and operating system from the internet as well as from my teenage kids who will download ANYTHING and run it. I have Anti-Virus and malware detection to protect myself from Trojans and the like, in case I have a teenager moment myself. I use a browser protection mechanism to lower the chance of getting a zero-day exploit from a malicious website. I use a non-administrator account for daily use. I use a spam filter and email rules to filter my email, and don't auto-preview it so as not to launch an HTML or scripted attack by accident. Defense in depth is not just for the paranoid anymore. Did I mention that it REALLY is that bad out there?

Security can be thought of as a balance between what is convenient and what is smart. You want to make it as hard as possible for bad guys to do bad things at your expense, while maintaining a measure of simplicity. That is my 2¢.

Submitted by: Mark B.

Post 28 of 64

MMC Best Practices

by 00h00m - 1/5/07 2:18 PM In reply to: Mark's winning answer by Lee Koo (ADMIN) Moderator

Any chance you could supply a link to the "best practices" setup for MMC. I have done a lot of tweaking in there but would love to see what is commonly considered the best setup.

Thanks

Post 29 of 64

"Best" Practices Links

by MadMark - 1/8/07 5:16 PM In reply to: MMC Best Practices by 00h00m

Hi 00h00m,

Understand that I enclose best in quotes, as the application of these practices is, in my opinion, "best" as formed over the past 25+ years working with PCs. Your own opinion, experience and mileage may vary...

The "Best" Practices I refer to are documented in the following locations:
Microsoft's Windows XP Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

NIST Security Configuration Checklists Repository: http://csrc.nist.gov/itsec/guidance_WinXP.html

Disabling XP Services: http://www.jasonn.com/turning_off_unnecessary_services_on_windows_xp/
& http://www.theeldergeek.com/services_guide.htm

The NIST site offers downloadable configurations -=[BUT]=- exercise extreme caution when you pull them into MMC (Microsoft Management Console). You will want to do a comparative analysis of your current policy using the policy database that you download from NIST. Only after you have compared your settings, and fully understand the settings you wish to change, should you commit any changes. Just plugging in the settings and committing the changes is GUARANTEED to break XP!

I recommend a clean installation of XP before even bothering with this exercise, as you ALWAYS want to start from a known good installation. Otherwise you are just locking the front door and opening all the windows. Download all the patches from the Microsoft site and apply them from CD/DVD WITH THE ETHERNET CABLE UNPLUGGED.

Creating your own Service Pack!: http://www.heise-security.co.uk/articles/80682

Good luck with your hardening!
Mark
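
The comparison step described in the post above, sketched as an added example (not code from the poster, Microsoft or NIST): it parses two security templates in the `.inf` text format and classifies what importing the baseline would change, add, or leave alone. Both template bodies are constructed samples standing in for an exported current policy and a downloaded baseline.

```python
# Added example; both template bodies are constructed samples, not NIST's files.
CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Service General Setting]
"Messenger",2,""
"Spooler",2,""
"""
BASELINE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Service General Setting]
"Messenger",4,""
"""
SKIP = {"unicode", "version"}  # file metadata sections, not policy

def parse_template(text):
    """Return {(section, setting): value} for a security-template body."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section and section.casefold() not in SKIP:
            # Service entries are comma-separated: "Name",startup,"security"
            sep = "," if section.casefold() == "service general setting" else "="
            key, _, value = line.partition(sep)
            settings[(section, key.strip().strip('"'))] = value.strip()
    return settings

def compare(current, baseline):
    """Classify every baseline setting against the current policy."""
    report = {"changed": [], "new": [], "same": []}
    for key, wanted in sorted(baseline.items()):
        have = current.get(key)
        kind = "new" if have is None else "same" if have == wanted else "changed"
        report[kind].append((key, have, wanted))
    # Settings only in the current policy are left alone by the import.
    report["untouched"] = sorted(k for k in current if k not in baseline)
    return report

if __name__ == "__main__":
    result = compare(parse_template(CURRENT), parse_template(BASELINE))
    for kind, rows in result.items():
        print(kind, rows)
```

Each "changed" and "new" row is a setting to understand before committing; a service flipping from startup type 2 (automatic) to 4 (disabled) is the kind of change that breaks a working machine when applied blindly.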

Post 30 of 64

About Mark's winning answer

by imaudi - 1/5/07 2:58 PM In reply to: Mark's winning answer by Lee Koo (ADMIN) Moderator

This is one of the best replies I have read so far in CNET forums. Hats off to him and the subsequent replies on this. I am forwarding this reply to all of my friends whom I insist on to become a member of CNET forum.
