I beg the List's indulgence one more time. This is a concluding report
to my Computer Security treatise of 8/30/03, and includes additional
pointers and information from folks a lot more knowledgeable in this
field than myself. Again, this has nothing to do with Philmont, and so
if you are not interested, please delete this message now, with my
apologies. And again, I intentionally sent this on a weekend when
bandwidth use is low.
I have tried to write this as a standalone piece of work; however,
because many of the comments are in direct followup to points made in
the first treatise, you may be better served by re-reading that writeup
before diving into this one. In order to keep the length reasonable, I
have *not* included the first writeup as an addendum to this posting -
if you need the first writeup and have since deleted it, please feel
free to contact me off-line for a personal re-send.
New/additional pointers, guidelines, and recommendations:
A) Backups - Several folks pointed out that before attempting to
eradicate programs off your computer, you should back up your files.
This is, of course, Standard Operating Procedure and an excellent idea
even if you have zero problems with your computer. Note that this does
not mean backing up your entire computer, but rather just your personal
files: email, word processing, photos, etc. However - and this is
important - should you ever need to reinstall those archived files, be
sure to scan these backups with both anti-viral (AV) and anti-spyware
(AS) programs, lest you reinstall the very malware you just eradicated.
As you can see, paranoia becomes a way of life in this field.
B) The Inherent Vulnerability of Microsoft Operating Systems - As a
preface, note that I am no Bill Gates hater, and all I have used for
almost 25 years is MS DOS and MS Windows. Even now, I've got no major
beefs. But Windows really is appallingly vulnerable. Here is a brief
from Steve Putnam (slightly edited by myself):
"When you refer to ports, you are actually talking about software ports.
They are part of the TCP/IP protocol, the current protocols covering
communications across the internet. Each type of communications you
initiate across the internet has a port number assigned to it. In that
way, you can have multiple sessions going on at the same time. For
example, an http session initiates with a port number of 80, an smtp
(simple mail transfer protocol) starts with a port number of 25, etc.
The protocol calls for the computers starting a particular type of
communication to start on this port, and then to switch to a mutually
agreed upon higher port. This allows the port to be freed up so multiple
sessions can be started. The port numbers start at 0 and run up to
65,535. The assigned ports are from 0 to 49152. The ones assigned
dynamically for the actual session communications are 49153 through 65535.
A firewall will block the ports you don't want to communicate on.
Typically, these are set up either as default settings or the user can
change them. For example, the port used by the Sobig worm was one that
typically wouldn't be used by a home user and should have been blocked
anyway.
In a system without a software firewall, a computer will respond that a
connection has been refused if an attempt is made to connect on a port
that isn't turned on. Hackers will typically run scans by machine
address (IP address) just looking for a computer. Once they find one,
they will run port scans looking for open ports in which they can
connect. A good software firewall will turn off the auto response for
protected ports so it appears as if the computer doesn't exist - but
will still respond for ports needed to establish legitimate
communications." <END>
The analogy is people walking up and down an endless street and checking
every door and window on every house, looking for one that's open. In
some cases, they even have keys.... How bad is it? Since I installed
ZoneAlarm less than a week ago, I have had just under 14,000 "tries" on
my system, about 1,200 per hour. Of those, ZoneAlarm rates 21 as having
been "high-rated" (serious) attempts. Who knew?
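The "checking every door on the street" pattern in the quoted explanation is exactly what a firewall log lets you detect. Here is an added illustration, not part of the original posting, that parses a constructed block log in a hypothetical format (not ZoneAlarm's real one), classifies ports by the ranges stated above, flags a source that probes many ports, and computes the per-hour attempt rate:

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of blocked-connection log lines in a hypothetical
# firewall format (not ZoneAlarm's real format): time, source, dest:port.
SAMPLE_LOG = """\
2003-09-01 22:00:05 BLOCK 198.51.100.7 -> 192.0.2.10:135 TCP
2003-09-01 22:00:06 BLOCK 198.51.100.7 -> 192.0.2.10:139 TCP
2003-09-01 22:00:06 BLOCK 198.51.100.7 -> 192.0.2.10:445 TCP
2003-09-01 22:00:07 BLOCK 198.51.100.7 -> 192.0.2.10:1433 TCP
2003-09-01 22:00:08 BLOCK 198.51.100.7 -> 192.0.2.10:3389 TCP
2003-09-01 22:31:40 BLOCK 203.0.113.22 -> 192.0.2.10:80 TCP
2003-09-01 23:02:11 BLOCK 203.0.113.22 -> 192.0.2.10:80 TCP
2003-09-01 23:59:59 BLOCK 203.0.113.9 -> 192.0.2.10:51234 UDP
"""
LINE_RE = re.compile(r"^(\S+ \S+) BLOCK ([\d.]+) -> [\d.]+:(\d+) \w+$")
def parse_log(text):
    """Return (timestamp, source_ip, dest_port) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events

def port_class(port):
    """Classify a port using the ranges stated in the quoted text above."""
    if 0 <= port <= 49152:
        return "assigned"
    if 49153 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")

def find_port_scans(events, min_ports=4):
    """Flag sources that probed at least min_ports distinct ports on us:
    the 'trying every door on the street' behaviour described above."""
    ports_by_src = defaultdict(set)
    for _, src, port in events:
        ports_by_src[src].add(port)
    return {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}

def attempts_per_hour(events):
    """Overall block rate over the log span (the text's '1,200 per hour')."""
    if len(events) < 2:
        return float(len(events))
    hours = (events[-1][0] - events[0][0]).total_seconds() / 3600
    return len(events) / hours if hours > 0 else float(len(events))
```

Single-port repeat visitors (203.0.113.22 above) are not flagged; only the source that walked several ports is, which is the distinction a home user most wants from a firewall report.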
C) Firewalls - There are basically three types of firewalls - software,
hardware, and gateway/router. Each closes off all those thousands of
electronic ports, except for the very few you need to run your programs.
Software is the least secure, gateway/router is the most secure.
However, this is not to say that a software firewall is bad, just not as
good as the other two options. Even a "freeware" firewall is
light-years better than not having anything at all. "Better" software
firewalls - meaning the ones you pay for - (apparently) do pretty much
the same job as a freeware firewall; however, they usually also include
sophisticated back-tracking abilities to determine who is trying to
infiltrate your computer, and/or have anti-viral abilities, and/or have
anti-spyware abilities. That's a bit of a simplification, but you get
the idea. A hardware firewall is, as noted above, basically always
better than a software firewall. In essence, this is because a software
firewall electronically closes off those thousands of electronic ports -
and such software "locks" can be defeated by other software. But
hardware firewalls for home PCs are apparently fairly expensive, and
most people who know about these things recommend a router instead, as
being both more secure and less expensive. Here is a writeup on routers
by Rick Cordray, the webmaster of eaglescout.org, who explains it better
than I ever could:
"I would recommend getting a router with a firewall. A lot of
routers are designed for DSL or cable modem installations, but there are
some for dial-up modem use too. The advantage of a router is NAT -
network address translation. Your router is assigned an IP address by
the ISP, and is visible to the internet, but your computers on the
inside of the router are assigned a private IP address, not accessible
by the internet. This is a key technique in preventing hackers and
their software from reaching your computer. They can't do much to mess
with the modem/router, and they can't see your computer at all. When
they can't see your computer, hackers can't exploit security holes in
Windows or the internet protocols to mess with your machine directly.
Once you have done this, your principal risk of being hacked is from
viruses which get into your system and programs which communicate
outwards such as adware and spyware, which you have under control." <END>
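To make the NAT point concrete, here is an added toy model (my illustration, not code from the posting or from any router vendor) of what the router does: outbound connections from a private address are rewritten to the router's public address and remembered, and inbound packets that match no remembered connection are simply dropped. The addresses are assumed documentation and private-range values.

```python
# Toy model of the NAT behaviour described above (added example, not from
# the page). Addresses are documentation/private ranges chosen for illustration.
PUBLIC_IP = "203.0.113.5"  # assumed address the ISP assigned to the router

class NatRouter:
    def __init__(self, public_ip, first_port=49153):
        self.public_ip = public_ip
        self.next_port = first_port  # hand out ports from the dynamic range
        # public port -> (private ip, private port, (remote ip, remote port))
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the LAN so it carries the router's public
        address, recording the mapping so the reply can be routed back."""
        remote = (dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == (src_ip, src_port, remote):
                return (self.public_ip, pub_port, dst_ip, dst_port)  # reuse
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, remote)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Forward a packet from the internet only if it answers a recorded
        outbound connection; anything unsolicited is dropped, so a scanner
        never sees the private host. Returns the private target or None."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2] != (src_ip, src_port):
            return None
        return (entry[0], entry[1])

def demo():
    """A LAN host fetches a web page, then a stranger probes the router."""
    router = NatRouter(PUBLIC_IP)
    out = router.outbound("192.168.1.10", 3001, "198.51.100.80", 80)
    reply = router.inbound("198.51.100.80", 80, out[1])   # matched: delivered
    probe = router.inbound("198.51.100.66", 4444, 135)   # unsolicited: dropped
    spoof = router.inbound("198.51.100.66", 80, out[1])  # wrong peer: dropped
    return out, reply, probe, spoof

if __name__ == "__main__":
    print(demo())
```

The last two cases are the point of the quoted paragraph: a probe to a port nobody inside opened, and a packet to an open mapping from the wrong peer, both vanish without a response.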
D) Cookies - In my original treatise, I recommended that everyone
eliminate all the cookies on their computers, and reset the cookie
security to high - meaning your computer will ask you for permission
whenever an outside website wants to load a cookie. This is quite an
education in itself, by the way, since some websites try to load as many
as 20 cookies in a single session! As a clarification, note that you
will have to allow some sites to set cookies - such as banks, ebay,
paypal, anyone you're trying to pay a bill to electronically, etc.
Other sites will not allow you to access their site unless you enable
them to put cookies on your computer. Note that in all such cases, you
can go into tools after you have completed your business and eliminate
any and all cookies that were installed. Should you? Well, if your
transaction was a one time deal, or a once a year kind of thing, yes.
But if you're on-line with that site every day, you may prefer to just
live with it - in short, up to you.
E) Is This Malware? - Several persons inquired as to whether things that
PestPatrol or other similar programs discovered were spyware or not.
For example, what is RPCSS.exe? In general, I have found that Ad-Aware
and PestPatrol (and other programs such as SpyBot or SpyCop) do a pretty
good job of identifying what a program is - and if it doesn't identify
something as being a problem, it probably isn't. But if you're
mistrustful of something, you can almost always just type it into Google
and get back a wealth of information in a hot second. If that isn't
enough, or if you're like me and can't understand it half the time, then
it's time to talk to a pro. If you don't have anyone handy, there are
several pay-by-the-minute or pay-by-the-question services available that
you can call, for example, 1-888-Geek-Help. These services can also
help you with virus or spyware problems, or just general computer
issues. And as long as you don't talk like I write, the cost is reasonable.
F) Special Caution Concerning Work Computers - Note that if you discover
spyware on your work computer, it is entirely possible that it was
installed by your employer. Many businesses do in fact install spyware
on their computers to keep tabs on what their employees are doing.
Employers have every legal right to do this, although the moral and
ethical right is perhaps another matter (that I won't touch). Anyway,
the point is that you can get in serious hot water if you
eradicate such company-installed spyware from your work computer. In
summary, if you check your work computer and find spyware, the first
thing you need to do is contact your computer security personnel and see
if it's legit (and if it's not, you can bet that they will be only too
happy to eradicate it themselves).
G) Passwords - If you find that you were hacked as badly as I was, you
should consider all your passwords to be compromised, all your credit
card numbers, expiration dates, and 3-digit security codes to be known,
all the PIN numbers for your bank accounts or credit cards, etc., to be
known, the "security questions" for your credit cards or accounts like
ebay, paypal, e-trade, Ameritrade, etc., to be known, and your Social
Security Number to be known. In short, you're wide open. Assume
everything is compromised. Obviously, in such cases you have a lot of
cancelling and changing to do - and quickly too. I don't think I need
to lecture anyone on the horrors of identity theft.
H) Kids, Kids, What About My Kids? - As I mentioned in the original
treatise, "instant" communication programs such as Instant Messenger
(IM) or Internet Relay Chat (IRC), and "file-sharing/music sharing"
programs such as Napster, Kazaa, and similar, basically all operate
through permanently open ports that are easily exploited. In short,
they are a computer security nightmare waiting to happen. This is why
you should not use them. But of course that is not realistic if you
have computer-savvy teenagers in your house. Several of my subject
matter advisors suggested that people whose kids use IM, etc., should
get a cheap stand-alone computer for that purpose only. That way, only
it gets nuked "when" (not "if") it gets compromised. Of course, a lot
of folks don't have this luxury - cheap being a relative term - and
furthermore even if you do get a standalone you then need a "kid
firewall" to prevent them from transferring files in-house via diskette.
Yeah, good luck on that! If you can't solve this issue by laying down
a very unpopular law (you cruel parent, you), then you can only protect
yourself by doing the daily AV and AS scans, and also backing up your
files regularly (between once a week and once a month is recommended for
the average user).
I) Several people objected to my recommendation for daily scans - even
while agreeing they were a good idea. The problem was the time
requirement - a full Norton virus scan can take as long as 3 hours if
you have a zillion files. For what it's worth, I now check for updates
late at night, log off-line, then do a PestPatrol scan first (takes
about 5 minutes), then start my Norton anti-viral scan and go to bed.
So the time requirement for me is less than 10 minutes. It is also
possible to auto-schedule the scans to take place in the middle of the
night if you'd rather not spend the minute it takes to manually start
the process. Either way, you'll have the results awaiting when you get
up the following morning.
This is about as far as I think I'm willing to take this. Thanks to one
and all - quite a few people in fact - who gave suggestions and
pointers. I hope the collective wisdom and advice is useful to everyone.
- Dr. Bob Klein, SM-111, Arlington, VA
-------------------------------------------------------
Scouting E-mail Discussion Lists @ usscouts.org
Received on Fri Sep 5 21:18:09 2003