
An Alternate Approach for Securing Your Home

By Jaime Ortiz

The Bad Guys Are Getting

Email allowed for spread of virus
SPAM lured people
Worms are able to spread themselves
Trojans bring in malicious payload
Malware infected websites installing programs on

Zero-Day attacks
Key Loggers
Root Kits
Phishing and Whaling
Encrypted payloads that are polymorphic

I Don't Have Anything on My Computer of Any Value
Your computer is worth CASH
BOTNETS pay big want to help take down a
Your Identity is worth 50 cents, do the math
Do you do online banking?
Access to bank accounts for transfers

Do you have an online broker?

Pump and Dump
Do you shop online?
Credit Card Numbers

Yeah, but I have Antivirus

Reactionary device, NOT preventative
Based on signatures
Virus in the wild can have up to 7000 variants
Ever notice that you still have Spyware?
Have to run Spybot or Malwarebytes
Provides little or no protection in some cases
Phishing, Whaling
Cross-Site scripting
JavaScript, ActiveX
Patching (Apple)
Root Kits (remember Sony)
Can be bypassed

I am Running a Firewall
So how come someone can send you an Instant Message?
How can someone SKYPE you?
How can you connect to your computer running Go To My PC?
Did you configure your Firewall or just plug and play?
Anyone use BitTorrent (aka backdoor)?
Don't you think Google runs a firewall?
How about TJ Maxx, NASA?

This Does Not Apply to Me, I

Twenty Zero-Day released against Mac this month
Red Hat was compromised and delivered signed malicious patches that were automatically propagated to clients all over the world
Apple does not sign ANY updates
Ubuntu has patches as often or more than Microsoft
Apple's browser is one of the weakest
Apple and Linux users don't need antivirus
Soft Target

Market Share dictates rate of compromise NOT the


What about WiFi?

Most WiFi is set up incorrectly
Plug and Play
If you use WEP it can be cracked by your neighbor's kid in under 30 seconds
WPA with TKIP crackable offline
Rainbow Tables

Passwords are usually not strong

SSID broadcast does not matter
Hotel WiFi easy to intercept
Neighbors can see what you surf, read your emails
Starbucks, McDonalds, Panera Bread, Hotels = YIKES!

Someone is Watching

What Can We Do?

Let's take it a piece at a time

Keep the computer clean, be a minimalist

Firewall/filtering Setup
Secure WiFi
Advanced or Radical Changes
Other good ideas

Keep the Computer Clean,

Disable services/functions that are not needed!!
Turn off Windows File and Print Sharing
Turn off Client for Microsoft Networks
Turn off NETBIOS over TCP
If not using WiFi disable Auto WLAN service
Disable Remote Registry
Disable Remote Assistance
Disable IPv6
Disable Remote Desktop
Disable Network Discovery (Vista)
Disable File Sharing
New PC? Run PC Decrapifier

Keep the Computer Clean

Good free tools to run at least once a month
Malwarebytes will search for spyware and remove it
Spybot Search and Destroy is good for immunizing your PC
CCleaner removes remnants of uninstalled programs and keeps your registry in shape
These tools will help maintain your PC's performance over time

Patch, Patch, did I mention

Printer software
Adobe Reader
Microsoft Office
Windows Update
Instant Messenger


Though its effectiveness has diminished over the years, it is essential

Want to scan a file?


The popular vendors are not always the best
You don't need to pay for it
Microsoft Security Essentials
Avast Antivirus

Antivirus (cont)
Watch out for free flash drives, scan them!
Enable SMTP or IMAP scan if you use mail client
Scheduled Scans are required
Run On-Access scans
Yes there is a performance hit

Update every day, as often as possible

Do you need antispyware, antiphishing,

It does not hurt, but stay tuned..

Not all email uses encryption, watch out for HTTPSHTTP

Gmail accounts are free

Set up your own domain for you and your family

Get two of them
Dedicate one to family, friends
"Check this out" emails
Dedicate the other to Business, don't give this one out
Bank, Online Trading, Shopping
This can help with phishing attacks; SPAM
Watch out for unsubscribe
May want a third for subscribing to sites

Email (cont)
tracks your email content
Big Brother
Gmail anonymizes you and the sender, be careful
Great SPAM and AV protection in Gmail
If you ever leave your ISP, your email stays the same
Uses HTTPS at all times
Treat email like your home, you don't recognize it,


Your bank will NEVER use email for personal info
Phishing, Spamming, Whaling, very sophisticated
Spoofing makes this very dangerous

Passwords need to be strong
Usually means hard to remember
Every account should have a unique password
Banks, Email, Amazon, Instant Messenger..
NEVER click "Remember my password"
Trivial to steal if you are compromised
Use a password manager
Auto generate passwords for you
Complex password
One password unlocks all of them
Cut and Paste
Encrypted storage
On-screen keyboard ideal for typing Master Password

Password Manager

Passwords (cont)
Banks are using RSA Two Factor


Online Games are using Two Factor

World of Warcraft
Credit Cards are offering one time numbers


Don't confuse NAT with Firewall functionality
Run both a software and hardware based firewall
Software firewall imperative if you travel or use public WiFi
Windows Vista or higher firewall pretty good
Zone Alarm free
Software based
You need a firewall that warns/tells you when OUTBOUND connections are taking place
ALWAYS have a router/firewall between your home network and your broadband connection

Linksys BEFSX41


Firewalls (cont)
Use a complex password to manage
Always use HTTPS to manage hardware device
Do not allow WiFi clients to access Firewall
Don't use port forwarding if you can help it
If you need remote access use LogMeIn and Phone
If you are a gamer, then learn DD-WRT and isolate system or use one of the firewalls mentioned below
Want a real firewall for free?
Very Powerful close to what is used in the enterprise


DNS is the Achilles Heel
DNSSEC is gaining support
Time Warner and Host Servers setting up as we
Use OpenDNS
Free reliable DNS
Can provide filtering to reduce the chance of your machine going to bad sites
Good approach to keep your kids from wandering off the reservation
Block sites that are known attack vectors
Set up the IP address of OpenDNS in your router

Filtering (cont)
Your browser can provide filtering
Internet Explorer SmartScreen Filter
Good filter to prevent you from going to a malicious site
Dynamically updated
Checked in realtime

Firefox has filters

Updated almost 48 times per day
Can check legitimacy of website

Secure WiFi
The bottom line is WiFi is dangerous in public
Trivial to use as a method of penetration
Secure it
WPA2 AES with PSK (Pre-Shared Key)

RADIUS and certificates if you are paranoid like me

Set up Infrastructure mode only

Change the default SSID!!!!
Change the Admin password
Set up MAC Filtering
Disable wireless to wireless communication, use wired NAS to share files

Disable SSID Beaconing/Broadcast
Let the password generator create your PSK
Reduce Power Output if you have that option
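
Why "Change the default SSID" and "Let the password generator create your PSK" belong together, as an added example that is not part of the original slides: WPA/WPA2-Personal derives its key from the passphrase with the SSID as salt, so precomputed tables only fit the SSID they were built for. The SSIDs and the weak passphrase below are constructed samples, and the function names are this example's own.

```python
import hashlib
import math
import secrets
import string

# Symbols kept to ones most router admin pages accept (assumption).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def generate_psk(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG; 63 is the longest WPA allows."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def psk_entropy_bits(length: int = 63) -> float:
    """Entropy of a uniformly random passphrase of this length."""
    return length * math.log2(len(PSK_ALPHABET))

if __name__ == "__main__":
    weak = "password1"                      # constructed weak passphrase
    for ssid in ("linksys", "Home-7f3a"):   # a factory-default SSID vs a unique one
        print(f"{ssid:10s} {wpa_pmk(weak, ssid).hex()}")
    # Same passphrase, different key: a table precomputed for the default
    # SSID is useless against the renamed network. A dictionary attack on a
    # captured handshake still works against a weak passphrase, so rename
    # the network AND use a generated PSK.
    psk = generate_psk()
    print(psk)
    print(f"about {psk_entropy_bits():.0f} bits of entropy")
```

Paste the generated PSK into the router and store it in the password manager; nobody has to remember it.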

Secure WiFi (cont)

Most secure is not to use it, I know not practical
Broadband cards (CDMA) have not been compromised

If you want other options try Ethernet over Power
Use your power lines in your house as a network
Great for getting internet access to your DVR
Cheap and encrypted

Remember WiFi signals are EASY to intercept/manipulate

Remember some online email does not use HTTPS
Instant Messenger is not encrypted, use SKYPE
When flying, turn off WiFi
Bad guys on planes too
Yes some airlines now offer careful

When things go south, you want to protect your

Perform regular backups

USB Hard Drive or DVDs

Use online backup service to do it for you

Mozy or iDrive are my favorites

Encrypted backups and very affordable

Automated, no need to remember to do it
Can backup your Blackberry, Android and iPhone
Can perform alternate restores if needed

Do it, you will be glad you did

Radical Approach
There is another way if you choose to accept your mission
May not cost you money or very little if it does
What if I told you that recent advances in science have shown a new method that can save you money, time and may improve your quality of life
You are right, there is no such thing! But let's take a look at what we can do.

Radical Approach (cont)

Virtualization to the rescue!
VMware Server and Player are FREE

Ubuntu Linux is FREE
Surprisingly easy to use to surf the web
Firefox only no Internet Explorer
Takes very little resources to run
Microsoft Virtual PC is FREE
But Windows software is not free
If you bought Windows 7 Pro you are covered

Radical Approach (cont)

How does this help?
Use Virtualization at home
Set up a Virtual Machine and surf the web through this

Do not log on to Virtual Machine as a local Administrator

Your physical computer (the Host) will be safe if your virtual machine gets infected, for now

Only use your physical machine to log on to sites where personal data or financial transactions are taking place
The Virtual Machine is just a single file

Copy this file, and restore it from time to time if you think your VM has been infected
Brand new PC/load in under 30 seconds

Radical Approach (cont)

Fun Email and Web Surfing take place in VM
Setup business email on Host PC
Use Firefox plug-in to store your Bookmarks online so you don't lose them

Host PC is the High Security environment
Your Bank
Shopping (trusted sites like Amazon)

This approach can protect your Host PC from Zero-Day

Your current PC should be able to run Virtual Computer

Radical Approach (cont)

Why is this a radical approach?
Do you need antivirus?
Do you need to be as diligent with patching?
Do you need to run malware scans?
Do you need to be as concerned where you surf?
Do you care about passwords?
Do you have to wonder if you should install that
free screen saver program?
Do you have to worry about opening up an email?
You be the judge

Alternate Approach
Check craigslist and buy a cheap laptop
Heck, new ones can be bought for $300.00
Make a rule in the house, the laptop is the High Security Zone

Business email

Other Good Ideas

We have covered a lot but here are some other things you should keep in mind

Get a paper shredder for your home

Get one that has a CD Shredder

Always wipe your hard drive before selling or throwing out your PC
Use free Encryption to protect files

Geek Squad has some bad press

Encrypt your Flash drive (Free) or buy IronKey

Password protect the BIOS of your laptop and disable boot from USB and CD

Encrypt laptop hard drive with TrueCrypt
If the HTTPS certificate does not match DO NOT USE

The Key is Discipline

The web is a necessity
Great source of information
Be safe and look before you leap
Treat your computer like your home.

Don't let anyone in, use discretion