Security FAQs
What's "security" and is it necessary?
Across the Internet there are two main groups of undesirables that may
try to gain unauthorized access to your PC. These blighters are constantly
scanning for PCs that they can exploit for a variety of reasons. The only
increased risk that you may have on Broadband is that you are on-line
more often and have a nice fast connection to hijack.
The first type of hackers, and by far the most common, are called "script kiddies" or "scripties". As the name implies, scripties get hold of scripts written by far more capable people that attempt to exploit a known vulnerability in an operating system or a service running on it. The attack commonly commences as a port scan of your IP address, looking for particular open ports: one that a Trojan has opened as a back door, or one belonging to a service with a known weakness. If they find what they're looking for they can often gain access to that PC and "hijack" the PC and Internet connection to continue their path to world domination, or whatever it is they're up to. Amongst this group are the spammers, who would love nothing more than to use your PC and Internet connection to help get their emails out.
The second group are the more serious hackers that are often associated
with industrial or political espionage or are just plain thieves and vandals.
A small consolation is that they are not likely to be interested in a
simple home user's PC unless you've done something to annoy or challenge
them. That being said, if you do get their interest, it is extremely difficult,
if not impossible, to stop them.
Check your Security Vulnerability.
There are a few websites that will do an automated scan of your computer to determine its vulnerability to unauthorized access. A nice easy one is the Gibson Research Corporation. Although not what you'd call comprehensive, it will scan the more common targets for hackers and scripties, and they also have lots of freeware. More comprehensive scans can be obtained from Hacker Wacker, Hack Yourself, Sygate, Vulnerabilities.org and Symantec.
If you're running Windows 2000 Server or NT Server, drop by Shavlik for a special Server Scan to check that you've got all the appropriate updates and security measures in place.
Firewall.cx has many tools for checking Network Security.
Bear in mind that these scanners only see what is reachable from the Internet at the moment you run them. They won't tell you about a Trojan that only ever connects outward, so treat a clean result as a starting point, not a guarantee.
Firewalls
One thing that helps to stop unauthorized access is to run a bit of software called a Firewall. A good firewall secures your PC by dropping unsolicited inbound connections (so the ports a scanner is hunting for appear closed, or don't answer at all) and by keeping logs of the attempts. Amongst the logs will be the IP address that the scan originated from. You can gain more info about the scanner by entering the IP address into one of the on-line whois tools like Sam Spade or Aunic (for Australian addresses); the whois record for the address range usually names the ISP and an abuse contact. You can then report the scanner to their ISP using that address, e.g. abuse@bigpond.net.au or whatever ISP it may be. Include the log lines, with their timestamps and your time zone, in the report: without them the ISP cannot tell which customer had that address at the time. I usually only bother with this if I get persistent attempts from a local or BigPond joker.
There are several software applications that I would recommend based
on how effective they are vs cost and ease of use.
Sygate Personal
Firewall: A lovely product to suit the fairly new user and the
more experienced as well. Free for personal use, it is fairly easy to
configure and has one of the best user interfaces I've seen. It keeps
separate logs of security attempts as well as all network traffic and
has an email feature to automatically send the logs to a specified address.
It works well with the installation's default settings and has the ability
for more advanced rules to be put in place.
I have written an example set up and configuration for the BigPond Cable
users in the Heartbeat FAQ. Sygate
Personal Firewall is the best choice for Windows 98 - ME users, particularly
if using ICS. It does not support W2K/XP ICS.
NIS:
Norton Internet Security. It may be a couple of dollars and a little more
difficult to understand and configure, but the trade off is an increased
level of security and a higher amount of configurability. If properly
set up, it will block outbound and inbound traffic with excellent logging.
ATGuard: I'll mention this one as even though there doesn't appear to be a Home Page for it anymore, it is still readily available for download at dozens of sites. ATGuard is the original firewall engine that was sold to Symantec (Norton) for their NIS product. It is very, very good, fairly easy to configure and tight as a drum. The version to find is ATGD322U.
ATGuard 3.22U is ideal for all Windows operating systems, but in particular works marvellously with Windows 2000 & XP with ICS.
Warning: Norton AntiVirus has recently released an update that conflicts with ATGuard. It will cause serious crashes when browsing the network and when trying to install it.
BlackIce:
BlackIce Defender is an "Intrusion Detection System" rather than a traditional firewall: it watches inbound traffic for known attack patterns and blocks the offending address, rather than asking you to write rules. It is amongst the better choices to have, at least as a minimum, for security newbies (and gurus) for several reasons:
- It is easy to install and requires practically no security knowledge or configuring.
- It is virtually foolproof and tight as a drum against inbound attacks.
- It keeps easy to follow logs.
- It doesn't constantly pop up annoying and difficult to understand questions.
- It doesn't interfere with ICS.
However, unlike most other firewalls, BlackIce will not alert you to any unauthorized outbound traffic, so a Trojan that is already on the PC can phone home without you knowing.
I highly recommend that BlackIce is used whenever simple proxy or mail server software has been installed. It was the only firewall I tested that would keep these ports blocked.
Once installed, set the protection level to "paranoid" and specify any IP addresses on your Local Area Network as "trusted" addresses. Be precise with that trusted list: anything you mark as trusted is exempt from inspection altogether.
Zonealarm
has a free version for personal use. However, I recommend that you update
to the pro version if you plan on using it with a Network server with
Internet Connection Sharing. The free version will only work in this circumstance
with the security level set to "medium".
Zonealarm is easy to install and set up, even for newbies, and although
it may be free, it is an excellent product and has a handy feature in
that it blocks unauthorized outbound traffic as well as inbound. This
is useful if you do happen to get a Trojan
or Virus or even adware that tries to
gain Internet access to report its presence without your knowledge.
Zonealarm has excellent support and FAQs
on their site and even an email address if you're really stuck. On installation,
set Local Security to medium and Internet to High.
Tiny's Personal Firewall has been sold off to Kerio (below). The old version (which was free) is now only available as a 30 day trial, but now comes with support for paying customers. The free version is still around in various places. See PCWorld or ZDNet or oldversion.com.
Kerio Personal Firewall 2 is Tiny's Personal Firewall with a new name. Available free for personal use, it retains all of the features of the old Tiny's firewall and is probably the best freeware firewall to use on Windows 2000 Pro.
It does require some understanding of Internet security and networking to configure properly, but is by no means difficult.
Update on Tiny's/Kerio: Alex reports "Tiny Firewall has been sold to CA. Kerio did buy it but then Tiny set up on their own again and were subsequently bought by CA. This has essentially killed off the product as many of us knew and loved. The Tiny URL now redirects to CA. (I have used the CA product and it has some issues, and it still doesn't offer the flexibility or functionality the TPF had; the closest I have found is Kaspersky Internet Security running in interactive mode.)"
Hardware Routers: The most straightforward solution for security is to purchase a hardware router. With NAT, the PCs behind it have no public address of their own, so unsolicited inbound connections (port scans, and network worms like QAZ or Welchia below) have nowhere to go, and you get that protection for every PC on the LAN with nothing to install or configure on each one. These have come down dramatically in price over the last couple of years and are now easily the most cost effective solution for home as well as business users. The one thing a router won't do is tell you about outbound traffic, so a Trojan already on a PC can still phone home; if you want that, run one of the software firewalls above as well. See the hardware page to find out more about Routers.
Rule of thumb with firewalls asking you questions -
If in doubt, block it. If an application that you wanted stops working,
take a step back and allow it.
Warning: Uninstalling
firewalls can sometimes corrupt the TCP/IP stack of PCs. See Winsock fix
on the download page.
If you're running a Mail or Proxy Server on your network, chances are port 25 on your Internet address is accepting connections. Every mail server listens on port 25, and that in itself is quite normal. The problem is what it does with the mail it receives: if it accepts mail from anyone on the Internet, addressed to anyone on the Internet, and passes it on, you've got an "open mail-relay" running, and any outside source can use it for sending spam. And believe me it does happen, and has cost people a packet in excess data usage to find out the hard way.
To explain further, when an email is sent it travels through one or more mail servers on its way to the recipient. These servers are called "relays". Many receiving servers have strict anti-spam policies and check the sending server's IP address against open-relay blacklists; if the address is listed they reject the email and it bounces back to the sender. If a hacker or spammer discovers that your port 25 will take mail for any destination, they can use you as a mail relay. If the spam gets traced, guess who gets the blame...
Some of these Open Relay blacklists will list everything from a particular ISP's address range if they find open mail relays on it. This gives the ISPs headaches, as it's not their fault that their customers have open relays, and it affects their other customers' email service.
Telstra and Optus have both been known to scan their networks for
open mail relays. Optus have a strict "No Server" policy,
and will cancel your subscription for just having an open port 25
(SMTP Mail Server). Telstra are more reasonable and will test your
Mail Server to see if it allows relay. Telstra's policy is one I applaud,
and if you receive a warning notice, take it as a blessing, as they've
probably saved your wallet some considerable grief had you been discovered
by a spammer. If you log one of these attempts from them, just ignore
it. If you like, you can reply and they will usually reply to you
with confirmation of their identity.
The only firewall I have found that can effectively "stealth"
a mail-server's presence is BlackIce
Defender. Mind you, it may not be ideal to do this if you are
deliberately running your own pop3 and SMTP Servers that need to be
found on the net. If you stealth these, you won't receive emails.
Alternatively you could purchase a
Router.
The only circumstance where it is desirable to stealth your mail server is if it's just collecting email from an established POP3 server at your ISP and sending outbound email by relaying it through your ISP's SMTP server (a "smarthost"). I often set mail servers up like this in an effort to cut down on data costs over the Net: the mail server delivers internal emails locally without going through the modem. Very nice if internal emails are common and/or large.
If you are in fact intentionally running a Mail Server connected to the Internet, you must take steps to prevent relay from unknown sources: accept mail from the Internet only when it is addressed to your own domains, and relay outbound mail only for machines on your LAN or for users who have authenticated. Do not base the decision on the sender address in MAIL FROM, since a spammer can put anything there.
For info on how to secure your mail-server, see MAPs.
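Here is an added example (not from this page, MAPs, or any of the firewall products named above) of the test an ISP like Telstra, or a spammer, runs against port 25. It drives the HELO / MAIL FROM / RCPT TO exchange against a small constructed stand-in for a mail server so that it runs offline; the host names, domains and reply texts are made up for the example. It also runs a second probe with a forged local sender address, which catches servers that decide whether to relay by trusting the MAIL FROM domain.

```python
"""Open-relay probe: the SMTP conversation a spammer (or your ISP) tries.

Relaying means accepting mail from an outsider that is addressed to another
outsider and passing it on.  A correctly configured server answers that
RCPT TO with a 5xx reply; an open relay answers 250 and queues the spam.

FakeSmtpServer is a constructed stand-in for a real port 25 so the script
runs offline.  Host names, domains and reply strings are made up here.
"""


class FakeSmtpServer:
    """Minimal SMTP responder.  policy is one of:
    "closed"       - relay nothing for outsiders (correct)
    "trust-sender" - relay when MAIL FROM claims a local domain (a common
                     misconfiguration: the sender address is trivially forged)
    "open"         - relay for anyone (open relay)
    """

    def __init__(self, local_domains, policy="closed"):
        self.local_domains = {d.lower() for d in local_domains}
        self.policy = policy
        self.sender = None

    def greeting(self):
        return "220 mail.example.net ESMTP ready"

    @staticmethod
    def _domain(addr):
        # "<user@host>" -> "host"
        return addr.strip().strip("<>").rpartition("@")[2].lower()

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.net"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2]
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt_domain = self._domain(arg.partition(":")[2])
            sender_domain = self._domain(self.sender or "")
            if rcpt_domain in self.local_domains:
                return "250 2.1.5 Ok"          # inbound mail for us: always fine
            if self.policy == "open":
                return "250 2.1.5 Ok"          # relays for anyone
            if self.policy == "trust-sender" and sender_domain in self.local_domains:
                return "250 2.1.5 Ok"          # relays on a forgeable claim
            return "554 5.7.1 Relay access denied"
        if verb == "RSET":
            self.sender = None
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def relay_probe(server, mail_from, rcpt_to, transcript):
    """One HELO/MAIL/RCPT/RSET exchange.  True if the RCPT was accepted."""
    def say(cmd):
        reply = server.handle(cmd)
        transcript.append("C: " + cmd)
        transcript.append("S: " + reply)
        return reply

    say("HELO probe.outside.example")
    say(f"MAIL FROM:<{mail_from}>")
    accepted = say(f"RCPT TO:<{rcpt_to}>").startswith("250")
    say("RSET")
    return accepted


def check_open_relay(server, local_domain):
    """Run both probes.  Returns (list of holes found, full transcript)."""
    transcript = ["S: " + server.greeting()]
    holes = []
    # Probe 1: outsider -> outsider.  The classic open relay.
    if relay_probe(server, "spammer@outside.example",
                   "victim@elsewhere.example", transcript):
        holes.append("relays outsider-to-outsider")
    # Probe 2: forged local sender -> outsider.  Costs an attacker nothing.
    if relay_probe(server, f"anyone@{local_domain}",
                   "victim@elsewhere.example", transcript):
        holes.append("relays on forged local MAIL FROM")
    transcript.append("C: QUIT")
    transcript.append("S: " + server.handle("QUIT"))
    return holes, transcript


if __name__ == "__main__":
    for policy in ("closed", "trust-sender", "open"):
        holes, log = check_open_relay(FakeSmtpServer(["example.net"], policy), "example.net")
        print(f"policy={policy}: {holes or 'no relay holes found'}")
    print("\n".join(log))   # transcript of the last (open) server
```

Against a real server you would replace FakeSmtpServer with a socket connected to port 25 and read the banner first; only ever do that to a server you are responsible for. Note that the "closed" policy still accepts mail addressed to its own domain from the outsider, which is exactly what a mail server on the Internet is for; it is the outsider-to-outsider case that must be refused.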
BigPond Cable has an unusual feature called "the heartbeat" that
you'll need to be aware of in setting up your Firewall. See the Heartbeat
Guide for info on this. Without allowing for it, your Internet
connection will mysteriously drop out every five minutes or so.
ADSL users
and other ISPs will not be affected by this.
Possibly more important than firewalls is to have good virus protection.
There are many to choose from and listed below are the most popular
and likely to do what they say they do without stuffing up your PC.
Norton's: One of the more popular choices. A sensible and easy to understand interface, automatic LiveUpdates and generally runs unobtrusively in the background. I rarely hear of conflicts or problems, although it has been criticized for becoming a little bloated recently.
Vet: A top product I haven't personally used but is recommended by many high-end IT workers.
PC-cillin: Another goodie loved by many.
Leprechaun: Quite good and locally produced.
AVG: A free one that works well.
AntiVir: Another freebie.
Be sure to keep all of them up to date for them to be effective: run the live update daily if the product can schedule it, and at the very least weekly. Definitions that are a month old will miss whatever has appeared since, and that is usually the thing currently doing the rounds. The drawback with having these things constantly checking emails, downloads and files on boot up is that they have a tendency to slow some computers down, particularly on the older, slower processors. You can disable the "load on startup" feature and manually do a scan at least once a week, but understand what you give up: without the on-access scanner nothing checks an attachment at the moment you open it, and by the time the weekly scan runs an email worm has already sent itself to everyone in your address book. Or just live with it. :-(
Nearly all anti-virus software producers will allow a 30 day trial of their software.
A good website that goes through various Anti-virus programs and compares
them is www.av-comparatives.org.
Alex reports an issue to be aware of with some of the new antivirus/internet security applications now available. "Some like McAfee (and CA to a degree) have major issues with HP All-in-Ones. McAfee installs a redirector that essentially kills off the AIO being able to scan or fax across the network. USB is fine, but connecting via Ethernet (wired or wireless) is a disaster. This means you can't use the menu on the AIO to initiate scans and you can't use the PC to initiate scans or faxing. CA has a workaround where you have to go in and add all the HP apps and allow them. McAfee didn't offer that because of the redirection service (last used it in 2007 but believe the architecture is still the same). Had some issues with Norton 360 and a few others with this too."
Firstly, to settle some paranoia about these: for most viruses and Trojans you have to do something to let them in, such as running a program you downloaded or opening an attachment. Warez applications and games are common sources, as are .EXE's that try to automatically download and install from web pages, e.g. porn sites. Beware of email attachments, even from people you know. EXE's, macros in .DOC's and VBScript in .HTM files (that may deliver a humorous message) are the most likely "vectors" for loading Trojans onto PC's. The exception is the network worms covered further down (QAZ, CodeRed, Welchia, SDBot): those find an unpatched PC or an open file share by scanning and need no help from you at all, which is why the firewall and the Windows patches matter even if you never open an attachment.
Rules to avoid viruses:
The more common viruses that Broadband users have
been plagued with in recent times and I am still finding on my rounds
are -
Klez: This one is driving me loony lately. I'm getting it
sent to me up to a dozen times per day, and countless other "bounced"
emails from people that erroneously think I sent it to them, and heaps
of clients have managed to get it.
Firstly, prevention is better than cure.
Be sure you've updated your PC to a minimum of Internet Explorer 5.5
with all the security patches.
If you get a window pop up like this
when you open an email or visit a website, say no to it for goodness'
sake, and delete the email completely by holding the shift key while
pressing the delete button.
Symptoms of Klez vary, but I've so far discovered these features
of infection:-
It attacks and corrupts most Firewalls, including Zonealarm. (In
the case of Zonealarm, it will then block your Internet Connection.)
It attacks and corrupts many anti-Virus applications that it manages
to slip past. However, Nortons 2000 does block it, and Vet will
also detect and delete it from a scan.
If you try to install Anti-virus after being infected, it will corrupt
and end the installation process.
It is dormant in "Safe mode".
If you use an exe to view it or find it in "Normal mode"
(eg regedit, task manager, Norton's removal tool), it will delete
the exe.
To find it manually, check your "tools" > "Folder
Options" > "View" settings when opening My Computer,
check to show hidden files and system files, and you'll find it
in the C:\Windows\System Folder. (You can also use the "Search"
option from the Start menu.) If you find "winkXX.exe",
you have bad, bad news...
On the 6th of each month it apparently randomly destroys files.
On the 6th of January and July, it'll pretty much destroy everything.
It spreads by emailing itself to everyone in your address book and to addresses found in your web cache. (The web cache holds copies of the web pages you've visited, and any email addresses on them.)
It forges the sender address to someone else from the above locations. If you hit reply to an infected email you receive, you'll be replying to the wrong person, who is most likely not infected. The "From" address shown in the email's Properties is the forged one too; to find the actual source, look at the Received: lines in the full headers (Properties > Details in Outlook Express). Each mail server adds one as the message passes through, newest at the top, so the lowest Received: line that was added by your ISP's own server names the machine that actually handed the mail in.
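An added example, not part of the original FAQ, of reading those headers programmatically. The message, host names and addresses are constructed for the example; the only rule it relies on is that each mail server prepends its own Received: line, so the lines read newest-first, and the first line written by a server you trust that names an untrusted sender is where the message entered your ISP's system.

```python
"""Where did a forged email really come from?

Klez (and many later worms) put a harvested address in the From: line, so
the From: is worthless for finding the infected PC.  Every mail server that
handles a message prepends its own "Received: from X by Y" line, so the
headers read newest-first.  Walk down from the top while the "by" host is
one of your own / your ISP's servers; the first of those lines whose "from"
host is a stranger records the machine that actually handed the mail in.

The sample message and all names/addresses below are constructed.
"""
import email
import re

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)(?P<rest>.*?)\s+by\s+(?P<by>[^\s;,]+)",
    re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Turn one Received: header into {from_host, ip, by}; None if unparsable."""
    value = " ".join(value.split())          # unfold the header
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("rest"))
    return {"from_host": m.group("from_host").lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}


def find_origin(raw_message, trusted_hosts):
    """Return (claimed From:, hop dict for the real injecting host or None)."""
    trusted = {h.lower() for h in trusted_hosts}
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):   # newest (ours) first
        hop = parse_received(value)
        if hop is None or hop["by"] not in trusted:
            break   # written by a server we don't trust; anything below may be forged
        if hop["from_host"] not in trusted:
            return msg["From"], hop
    return msg["From"], None


# Constructed sample: a Klez-style message that claims to be from a friend
# but was handed to the ISP's relay by a cable-modem host.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.5])
\tby mx.home.example with ESMTP id 12345; Mon, 1 Apr 2002 10:00:00 +1000
Received: from cpe-203-0-113-77.cable.example ([203.0.113.77])
\tby mail.isp.example with SMTP; Mon, 1 Apr 2002 09:59:50 +1000
From: "A Friend" <friend@friend.example>
To: you@home.example
Subject: a very funny game

Look at this!
"""

TRUSTED = ["mx.home.example", "mail.isp.example"]   # our server and the ISP's

if __name__ == "__main__":
    claimed, origin = find_origin(SAMPLE, TRUSTED)
    print("From: header claims :", claimed)
    print("actually injected by:", origin)
```

The trusted list matters: a Received: line below the ones your own servers wrote can say anything the sender wants, so the walk stops at the first line not written by a host you trust rather than reading all the way to the bottom.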
What to do if you've got it.
There is a removal tool that some have reported success with at
AntiVirus.com
Otherwise, you'll need to find an uninfected PC and install Norton's
Anti Virus 2002 on it. (Others may work too, but I know for a fact
that this Nortons 2002 does.)
Install the latest version of Internet Explorer and any Security
patches and updates.
Remove the Hard Drive from the infected PC and install it as a "Slave"
into this clean PC.
Scan the infected Hard Drive.
Delete anything infected that it finds. If it was important, too
bad. It's done for.
Remove the Hard Drive and restore it to the original PC.
Do a rescan of both PCs.
If all this fails, you're up for a format.
CodeRed: If you're wondering why your firewall's been getting hot under the collar lately, it's because of this one. CodeRed exploits a vulnerability in IIS on web servers, and each infected server in turn scans the Internet for other vulnerable web servers, which is the flood of port 80 probes you're seeing in the logs. Microsoft has a patch if you're running IIS.
Note: If you're running Windows 2000 Server with an Internet connection, make sure IIS isn't running in the services if you're not using it. A service that isn't listening gives the worm nothing to exploit, patched or not.
Nimda: Similar to CodeRed but can infect any Windows Operating
System. Look out for blank Emails that automatically install something,
or web-sites that prompt to download and install some sort of exe.
I would advise upgrading to Internet Explorer 6 to ensure that you
do get a prompt and it doesn't just automatically install.
If you get a window pop up like this, without asking for it, always say no!
Sircam: This one comes by email, usually from people you know
who have you in their address book, with varying messages in the subject
line. The text body will have "Hi! How are you? I send you this
file in order to have your advice See you later. Thanks".
It will have an attachment with a varying name. Obviously, don't open
it. It's an exe in disguise and will go wild. Symantec have a removal
tool and some
info about this worm.
QAZ: This one actively port scans and spreads to other PCs on a network and/or PCs that have File & Printer Sharing enabled on their Internet connection. Telstra (and Optus) eventually were forced to close the particular port it was exploiting (NetBIOS, port 139) due to the network degradation it was beginning to cause. You'll know if you have it if you have notepad.exe running on boot (or if you press Ctrl-Alt-Del and it's there in the tasks).
In your C:\Windows directory you'll find a file called "note.com". This worm copies itself in as notepad.exe and renames the original notepad.exe to note.com. To clean it, delete notepad.exe and rename note.com back to notepad.exe, then run this reg patch and reboot and it's gone.
Note: You'll usually need to do this on all your networked PCs. Disconnect the network while doing it, otherwise a PC you haven't cleaned yet will simply reinfect the ones you have. ;-) And make sure File & Printer Sharing isn't bound to the adapter that faces the Internet, or the next scan will find you again.
KAK: I still see this one a fair bit. Do a search for "kak"
and you'll find it in there if you've got it. You'll also usually
get an error on start up which will sometimes say "driver memory error".
It's unique in that it was one of the first to attach itself as a
signature to emails, rather than an attachment, and spread to everyone
you send an email. The bad news is, if you've got it, you may have
had it for a fair while and you're probably up for a reformat to get
rid of it. If you're lucky, one of the anti-virus programs will kill
it and fix things up. Norton's will, but only if it's not too far
gone. KAK gets really destructive if left too long. :-(
Snow-white: I mention this one as quite a few people are infected
with it and it usually comes by email from an unknown source - haha@sexyfun.
It's tricky in that it looks like a joke that someone's sent you. You
can also get it sent from people that you know. They will be unaware
that they've sent it to you, of course. The virus does this by exploiting
the infected person's address book. See Norton's
for more info.
Warning:
Some fairly recent viruses can flood a router with so much traffic that
it will cause the router to lock up or reboot giving the false impression
that there's something wrong with the router. See my blog
entry referring to Welchia virus. Another common one is SDBot.
Netgear
released a news bulletin about it when the first of these started
to pop up.
Don't always trust your anti-virus software either. I have seen first hand on several occasions Welchia or SDBot rampant on PCs running up to date versions of common anti-virus products, and I have even seen SDBot infect a PC within minutes of going online after a format and clean installation. The best way to check is to install a network analyser like the CommView trial version and look for large amounts of unusual outbound activity: one PC trying to reach hundreds of different addresses on the same port, or a steady stream of traffic while nobody is using the machine, is a worm hunting for victims. If you're doing a rebuild, put the firewall or router in place before the PC first goes online, not after.
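As an added example (not code from this page, nor from Sygate, BlackIce or CommView), here is the kind of check you'd run over a firewall or sniffer log to pick out both things this page asks you to look for: the persistent port-scanner mentioned under Firewalls, whose address you'd look up and report, and a local PC fanning out to many different hosts on one port the way Welchia and SDBot do. The log format and every address in it are constructed for the example; real products log in their own formats, so you'd adjust the regular expression.

```python
"""Spot port scans coming in and worm-style fan-out going out.

Both are the same pattern seen from different sides: one address touching
many distinct targets inside a short window.  Inbound, the targets are
ports on your PC (a scan); outbound, they are different hosts on one port
(a worm hunting for more victims, e.g. 445 for SDBot-style spread).

The log format and every address here are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """One log line -> dict, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


class FanOut:
    """Alert once per key when it has touched >= threshold distinct targets
    within the last `window` seconds (sliding window, events fed in order)."""

    def __init__(self, window_seconds, threshold):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.recent = defaultdict(deque)     # key -> deque of (ts, target)
        self.alerted = set()

    def feed(self, key, target, ts):
        q = self.recent[key]
        q.append((ts, target))
        while q and ts - q[0][0] > self.window:
            q.popleft()                      # drop events older than the window
        distinct = {t for _, t in q}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return len(distinct)
        return None


def analyse(lines, window_seconds=60, scan_ports=10, worm_hosts=10):
    """Return (scanners, spreaders).

    scanners : [(external source IP, distinct local ports hit)]
    spreaders: [(local host, destination port, distinct external hosts)]
    """
    scans = FanOut(window_seconds, scan_ports)
    spread = FanOut(window_seconds, worm_hosts)
    scanners, spreaders = [], []
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    for e in events:
        if e["dir"] == "IN":
            n = scans.feed(e["src"], e["dport"], e["ts"])
            if n:
                scanners.append((e["src"], n))
        else:
            n = spread.feed((e["src"], e["dport"]), e["dst"], e["ts"])
            if n:
                spreaders.append((e["src"], e["dport"], n))
    return scanners, spreaders


def sample_log():
    """Constructed log: a scanner sweeping 12 ports on 192.0.2.10, an infected
    192.0.2.20 trying 15 hosts on 445, and some ordinary browsing."""
    t0 = datetime(2002, 4, 1, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 137, 139, 443, 445, 1433]):
        lines.append(f"{(t0 + timedelta(seconds=i)).strftime(fmt)} IN TCP "
                     f"203.0.113.9:{40000 + i} -> 192.0.2.10:{port}")
    for i in range(15):
        lines.append(f"{(t0 + timedelta(seconds=30 + i)).strftime(fmt)} OUT TCP "
                     f"192.0.2.20:{1025 + i} -> 198.51.100.{i + 1}:445")
    for i in range(3):
        lines.append(f"{(t0 + timedelta(seconds=100 + i)).strftime(fmt)} OUT TCP "
                     f"192.0.2.10:{2000 + i} -> 198.51.100.{50 + i}:80")
    return lines


if __name__ == "__main__":
    scanners, spreaders = analyse(sample_log())
    for ip, n in scanners:
        print(f"port scan from {ip}: {n} ports in under a minute (look up the owner and report)")
    for host, port, n in spreaders:
        print(f"{host} fanned out to {n} hosts on port {port}: check it for a worm")
```

The thresholds are deliberately low for the sample; on a real LAN tune them against a day of normal traffic first, since a web browser opening a page full of advert servers can look like a small fan-out on port 80. Run the capture from a second PC or a hub/mirror port where you can, so the machine you suspect is not also the one doing the counting.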
Junk Email.
Spam can be dealt with in a few ways. One good way is to use a service
like spamcop to
learn how to track, block and report this nonsense.
In Outlook Express, you can block spam email by adding the sender to
your blocked senders list. Simply highlight the message, select "message"
(at the top of the screen) and select "Block Sender" and you'll
never see an email from that source again. If you use Hotmail,
you can activate filters, so that any emails containing certain words
(like "adult" "finance" "money" etc) will
automatically be deleted.
The solution I'm currently using in the office is hMail
server with spamassassin.
Some details of how to get this working can be found here
but don't ask me for more information. It was extremely difficult to
implement and I couldn't have done it without help and still took over
a week! However, it was well worth the effort and I now have a foolproof
anti-spam solution with no false positives and bayesian
learning. I've gone from receiving 400-500 spams per day down to about
20.
At the very least, remember to never, ever reply and especially
never, ever purchase anything from a spammer. (If you reply they
have confirmation of your email address and can on sell it to other
spammers.) Eventually, if it becomes a useless way to promote stuff,
its popularity will decrease.
Adware can be annoying, but as a rule of thumb should be accepted as part of the agreement to use the software for free. Lots of freeware applications will have adware, usually in the form of banner ads somewhere on their display. If it annoys you too much, purchase the registered version or get rid of it. Some can be removed with hacks. Do a search on Google for the relevant application and you're sure to find a few.
In this category, I'll include popup windows on websites. I hate
these with a passion even if they are harmless. I especially hate
the ones that open ten new windows with each one you close and the
"mouse trap" windows which prevent you from back-clicking
to where you were, or even stop you from closing the window. Thankfully,
I have found a couple of apps that kill them. Popup
killer is my new best friend. Once installed, I had lots of fun
seeking out sites with popups just to hear the different sound effects
it makes as it detects and kills them. See also webwasher
and POW
from AnalogX.
If you get a window pop up like this, without asking for it, always say no! This one is a self-installing auto-dialling program (a "dialler") that will run up an extraordinary phone bill if you have a phone line connected to an analogue modem attached to your PC: it quietly hangs up your normal connection and redials a premium-rate or international number instead. Lots of people have been caught out by these and I couldn't tell you how many times I've had to remove them from people's PCs. Often, they had no idea they were there.
Beware of Gator, Limewire, Morpheus, Kazaa, Comet Cursor, VirtuaGirl and iMesh in particular.
The most insidious of all. Spyware is a hidden component bundled into software that keeps statistics of your usage of the product and general web surfing habits and God knows what else. Eventually it reports the stats back to the author, just like a Trojan.
The thing I object to about Spyware is that permission is rarely asked for and its presence is never announced or mentioned.
My most recent example of this was with a program called "savenow" that installed itself with another program I had downloaded. It can thankfully be uninstalled from Add/Remove Programs in Control Panel.
If you want to check your system for spyware, download and run Ad-aware from Lavasoft. It is not uncommon for it to find 200 or more instances of spyware on a system, and it will then give you the option to select the ones you want to remove in one fell swoop. (The count includes registry entries and tracking cookies, so a handful of actual programs can account for most of it; don't panic at the number.)
Some incidences of spyware can also adversely affect Internet browsing, and it's not uncommon to find some Internet sites unreachable due to one or more of these "bugs".
Note: Some applications may cease to function without their built-in spyware. For instance, Kazaa will not run without a file called clint.dll, which Ad-aware detects as spyware. When Ad-aware has finished scanning your system, scroll through until you find clint.dll, right-click it and select the option to add it to the ignore list. Understand that ignoring it means the spyware stays active; if that bothers you, the alternative is to drop Kazaa rather than the detection.
I'll also give mention to another hideous thing called gohip. This thing will stick itself all over your PC and attach its little advertisement to all your emails and newsgroup postings. Deleting it won't work: it reinstalls itself each time you boot up. If you search their website long enough, you might be able to find the uninstall for it.
Another curse of a thing installing itself on people's PCs lately,
is lop.com. This horrible thing sets your start page to their
popup riddled website (complete with self installing adware popup).
They have FAQs explaining how you came to get their "virus"
and how to get rid of it.
See their
site. (Warning: Popups and self installing nonsense will ensue.
Be sure to be running at least Internet Explorer 5.5)
"Warez" sounds better than "stolen software", but you really need to question the motives of why someone would go to the effort of stealing software and then make it freely available for anyone to download.
What's in it for them?
Well, often the person is hoping to attract an income from the clicks on ads and banners that are usually plastered all over the site, and other times they're used to distribute viruses and Trojans. These are sometimes hidden inside another inconspicuous file, like a bitmap, in a technique known as "Saran wrapping" (Glad Wrap), which makes it very difficult for most virus scanners to discover them prior to the software being installed. A scanner that finds nothing in a cracked download is therefore no evidence that it's clean.
Use Warez, gamez, moviez etc. at your own peril.
Additional on-line help and info
Adbusters
AnalogX
Aunic
AVG
bigpond.broadband.security news group
Cexx
Firewall.cx
Gibson Research Corporation
Hacker Wacker
Lavasoft
Lucien Wells Smoothwall guide
Maps
MyNetWatchman
Network Ice
PopUp Killer
Sam Spade
Spamcop
Sygate Scan
Symantec
Tiny Software
Vulnerabilities.org
Zonelabs