
An Alternate Approach for Securing Your Home PC
By Jaime Ortiz

The Bad Guys Are Getting Smarter
Email allowed for spread of virus
SPAM lured people
Worms are able to spread themselves
Trojans bring in malicious payload
Malware infected websites installing programs on PC
Zero-Day attacks
Key Loggers
Root Kits
Phishing and Whaling
Encrypted payloads that are polymorphic

I Don't Have Anything on My Computer of Any Value
Your computer is worth CASH
BOTNETS pay big: want to help take down a hospital?
Your identity is worth 50 cents, do the math
Do you do online banking?
Access to bank accounts for transfers
Do you have an online broker?
Pump and Dump
Do you shop online?
Credit Card Numbers

Yeah, but I have Antivirus
Reactionary device, NOT preventative
Based on signatures
Virus in the wild can have up to 7000 variants
Ever notice that you still have Spyware?
Have to run Spybot or Malwarebytes
Provides little or no protection in some cases
Phishing, Whaling
Cross-Site scripting
Side-Jacking
Man-in-the-middle
JavaScript, ActiveX
Patching (Apple)
Root Kits (remember Sony)
Can be bypassed

I am Running a Firewall
So how come someone can send you an Instant Message?
How can someone SKYPE you?
How can you connect to your computer running Go To My PC?
Did you configure your Firewall or just plug and play?
Anyone use BitTorrent (aka backdoor)?
Don't you think Google runs a firewall?
How about TJ Maxx, NASA?

This Does Not Apply to Me, I Have a Mac, Run Linux, etc.
Twenty Zero-Day released against Mac this month
Red Hat was compromised and delivered signed malicious patches that were automatically propagated to clients all over the world
Apple does not sign ANY updates
Ubuntu has patches as often or more than Microsoft
Apple's browser is one of the weakest
Apple and Linux users don't need antivirus
Soft Target
Market Share dictates rate of compromise NOT the OS

What about WiFi?
Most WiFi is set up incorrectly
Plug and Play
If you use WEP it can be cracked by your neighbor's kid in under 30 seconds
WPA with TKIP crackable offline
Rainbow Tables
Passwords are usually not strong
SSID broadcast does not matter
Hotel WiFi easy to intercept
Neighbors can see what you surf, read your emails
Starbucks, McDonalds, Panera Bread, Hotels = YIKES!

Someone is Watching

What Can We Do?
Let's take it a piece at a time
Keep the computer clean, be a minimalist
Patching
Antivirus
Email
Passwords
Firewall/filtering Setup
Secure WiFi
Backups
Advanced or Radical Changes
Other good ideas

Keep the Computer Clean, be a minimalist
Disable services/functions that are not needed!!
Turn off Windows File and Print Sharing
Turn off Client for Microsoft Networks
Turn off NetBIOS over TCP
If not using WiFi disable Auto WLAN service
Disable Remote Registry
Disable Remote Assistance
Disable IPv6
Disable Remote Desktop
Disable Network Discovery (Vista)
Disable File Sharing
New PC? Run PC Decrapifier

Keep the Computer Clean (cont)
Good free tools to run at least once a month
Malwarebytes will search for spyware and remove it
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Spybot Search and Destroy: good for immunizing your PC
http://www.safer-networking.org/en/home/index.html
CCleaner removes remnants of uninstalled programs and keeps your registry in shape
http://www.ccleaner.com/
These tools will help maintain your PC's performance over time

Patch, Patch, did I mention PATCH!
iTunes
Printer software
Adobe Reader
GotoMyPC
Quicktime
Firefox
Winzip
Chrome
Java
BitTorrent
Flash
Acrobat
Microsoft Office
Drivers
Windows Update
Opera
Skype
VNC
Instant Messenger
Router

Antivirus
Though its effectiveness has diminished over the years, it is essential
Want to scan a file?
Check out www.virustotal.com
The popular vendors are not always the best
Check out www.av-test.org
You don't need to pay for it
Microsoft Security Essentials
Avast Antivirus
AVG

Antivirus (cont)
Watch out for free flash drives, scan them!
Enable SMTP or IMAP scan if you use a mail client
Scheduled Scans are required
Run On-Access scans
Yes, there is a performance hit
Update every day, as often as possible
Do you need antispyware, antiphishing, antibacterial???
It does not hurt, but stay tuned...

Email
Not all email uses encryption, watch out for HTTPS to HTTP switch
Gmail accounts are free
Set up your own domain for you and your family
Get two of them
Bus-name@gmail.com
Per-name@gmail.com
Dedicate one to family, friends
"Check this out" emails
Dedicate the other to Business, don't give this one out
Bank, Online Trading, Shopping
This can help with phishing attacks; SPAM
Watch out for unsubscribe
May want a third for subscribing to sites

Email (cont)
Gmail www.gmail.com
tracks your email content
Big Brother
Gmail anonymizes you and the sender, be careful
Great SPAM and AV protection in Gmail
If you ever leave your ISP, your email stays the same
Uses HTTPS at all times
Treat email like your home: if you don't recognize it, DON'T LET IT IN!!!
Your bank will NEVER use email for personal info
Phishing, Spamming, Whaling, very sophisticated
Spoofing makes this very dangerous

Passwords
Passwords need to be strong
Usually means hard to remember
Every account should have a unique password
Banks, Email, Amazon, Instant Messenger...
NEVER click "Remember my password"
Trivial to steal if you are compromised
Use a password manager http://KeePass.info
Auto generate passwords for you
Complex password
One password unlocks all of them
Cut and Paste
Encrypted storage
On-screen keyboard ideal for typing Master Password

Password Manager

Passwords (cont)
Banks are using RSA Two Factor
http://www.nytimes.com/2004/12/24/technology/24online.html?_r=1&pagewanted=2&oref=login
Online Games are using Two Factor
World of Warcraft
Credit Cards are offering one time numbers
http://www.creditcards.com/credit-card-news/online-payment-with-virtual-account-numbers-1273.php

Firewalls
Don't confuse NAT with Firewall functionality
Run both a software and hardware based firewall
Software firewall imperative if you travel or use public WiFi
Windows Vista or higher firewall pretty good
Zone Alarm free
www.zonealarm.com/security/en-us/zonealarm-pcsecurity-free-firewall.htm
Software based
You need a firewall that warns/tells you when OUTBOUND connections are taking place
ALWAYS have a router/firewall between your home network and your broadband connection
Linksys BEFSX41
Netgear Prosafe

Firewalls (cont)
Use a complex password to manage
Always use HTTPS to manage hardware device
Do not allow WiFi clients to access Firewall
Don't use port forwarding if you can help it
If you need remote access use Logmein and Phone Factor
If you are a gamer, then learn DD-WRT and isolate system or use one of the firewalls mentioned below
Want a real firewall for free?
Very powerful, close to what is used in the enterprise
Smoothwall
WRT
Iptables
Untangle

Filtering
DNS is the Achilles Heel
DNSSEC is gaining support
Time Warner and Host Servers setting up as we speak
Use OpenDNS www.opendns.com
Free reliable DNS
Can provide filtering to reduce the chance of your machine going to bad sites
Good approach to keep your kids from wandering off the reservation
Block sites that are known attack vectors
Set up the IP address of OpenDNS in your router

Filtering (cont)
Your browser can provide filtering
Internet Explorer SmartScreen Filter
Good filter to prevent you from going to a malicious site
Dynamically updated
Checked in real time
Firefox has filters
Updated almost 48 times per day
Can check legitimacy of website

Secure WiFi
The bottom line is WiFi is dangerous in public
Trivial to use as a method of penetration
Secure it
WPA2 AES with PSK (Pre-Shared Key)
RADIUS and certificates if you are paranoid like me
Set up Infrastructure mode only
Change the default SSID!!!!
Change the Admin password
Set up MAC Filtering
Disable wireless-to-wireless communication; use wired NAS to share files
Disable SSID Beaconing/Broadcast
Let the password generator create your PSK
Reduce Power Output if you have that option
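
Why the default SSID and a generated PSK matter, as an added example that is not part of the original slides: WPA/WPA2-Personal derives its key from the passphrase with the SSID as salt, which is why the precomputed tables mentioned on the earlier WiFi slide only help against common SSIDs and guessable passphrases. The default-SSID list, the sample SSID and the 20-character threshold are constructed assumptions.

```python
import hashlib
import math
import secrets
import string

# Constructed sample of factory-default SSIDs (assumption for this example).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}
PSK_ALPHABET = string.ascii_letters + string.digits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def generate_psk(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG, as a password generator would."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random passphrase over PSK_ALPHABET."""
    return length * math.log2(len(PSK_ALPHABET))


def audit_wifi(ssid: str, passphrase: str) -> list:
    """Return findings for the two settings the slides call out."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: salt is shared with many other networks")
    if len(passphrase) < 20:  # threshold is an assumption, not a standard
        findings.append("short passphrase: feasible to guess offline")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys are unrelated.
    print(derive_pmk("password", "linksys").hex())
    print(derive_pmk("password", "HomeNet-7f3a").hex())
    psk = generate_psk()
    print(psk, round(entropy_bits(len(psk))), "bits")
    print(audit_wifi("linksys", "password"), audit_wifi("HomeNet-7f3a", psk))
```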

Secure WiFi (cont)
Most secure is not to use it, I know, not practical
Broadband cards (CDMA) have not been compromised yet
If you want other options try Ethernet over Power
Use your power lines in your house as a network
Great for getting internet access to your DVR
Cheap and encrypted
Remember WiFi signals are EASY to intercept/manipulate
Remember some online email services do not use HTTPS
Instant Messenger is not encrypted, use SKYPE
When flying, turn off WiFi
Bad guys on planes too
Yes, some airlines now offer WiFi... be careful

Backups
When things go south, you want to protect your data
Perform regular backups
USB Hard Drive or DVDs
Use online backup service to do it for you
Mozy or iDrive are my favorites
www.mozy.com
www.idrive.com
Encrypted backups and very affordable
Automated, no need to remember to do it
Can backup your Blackberry, Android and iPhone
Can perform alternate restores if needed
Do it, you will be glad you did

Radical Approach
There is another way if you choose to accept your mission
May not cost you money or very little if it does
What if I told you that recent advances in science have shown a new method that can save you money, time and may improve your quality of life
You are right, there is no such thing! But let's take a look at what we can do.

Radical Approach (cont)
Virtualization to the rescue!
VMware Server and Player are FREE
www.vmware.com/products/server/
Ubuntu Linux is FREE
www.ubuntu.com/getubuntu/download
Surprisingly easy to use to surf the web
Firefox only, no Internet Explorer
Takes very little resources to run
Microsoft Virtual PC is FREE
www.microsoft.com/downloads/details.aspx?FamilyId=04D26402-3199-48A3-AFA22DC0B40A73B6&displaylang=en
But Windows software is not free
If you bought Windows 7 Pro you are covered

Radical Approach (cont)
How does this help?
Use Virtualization at home
Set up a Virtual Machine and surf the web through this machine
Do not log on to Virtual Machine as a local Administrator
Your physical computer (the Host) will be safe if your virtual machine gets infected... for now
Only use your physical machine to log on to sites where personal data or financial transactions are taking place
The Virtual Machine is just a single file
Copy this file, and restore it from time to time if you think your VM has been infected
Brand new PC/load in under 30 seconds

Radical Approach (cont)
Fun Email and Web Surfing take place in VM
Set up business email on Host PC
Use Firefox plug-in to store your Bookmarks online so you don't lose them
Host PC is the High Security environment
Your Bank
iTunes
Shopping (trusted sites like Amazon)
This approach can protect your Host PC from Zero-Day attacks
Your current PC should be able to run Virtual Computer

Radical Approach (cont)


Why is this a radical approach?
Do you need antivirus?
Do you need to be as diligent with patching?
Do you need to run malware scans?
Do you need to be as concerned where you surf?
Do you care about passwords?
Do you have to wonder if you should install that
free screen saver program?
Do you have to worry about opening up an email?
You be the judge

Alternate Approach
Check craigslist and buy a cheap laptop
Heck, new ones can be bought for $300.00
Make a rule in the house, the laptop is the High Security Zone
Banking
Insurance
Business email
Shopping

Other Good Ideas
We have covered a lot but here are some other things you should keep in mind
Get a paper shredder for your home
Get one that has a CD Shredder
Always wipe your hard drive before selling or throwing out your PC www.dban.org/download
Use free Encryption to protect files www.trucrypt.org
Geek Squad has some bad press
Encrypt your Flash drive (Free) or buy Iron Key
Password protect the BIOS of your laptop and disable boot from USB and CD
Encrypt laptop hard drive with TrueCrypt
If the HTTPS certificate does not match DO NOT USE IT!!!!

The Key is Discipline
The web is a necessity
Great source of information
Be safe and look before you leap
Treat your computer like your home.
Don't let anyone in, use discretion