I was recently asked what I do to secure my home computer. This post will tell you some (though not all) of the things I do. It will probably tell you more than you want to know. I tried to start simple, and work up to more sophisticated items.
If you have additional advice, let me know and I’ll add it to this post. I’ve tried to keep it simple and make it a summary; I don’t explicitly tell you the steps to do any of this stuff since you’ve all got access to Google. Still, if you want more information on any of this, let me know.
My Network
First, a word about my home network. We have several machines on the network, including laptops, desktops, palmtops, and “boxes” like TiVos and printers. These machines run Windows XP, Apple OS X, and Linux. It’s a fairly diverse network and requires some effort to keep things working, at least the way I want them working. Some items I can configure to make them secure, some I really can’t (like the TiVos).
I’m currently using cable broadband, and it is sufficient for my needs. I have my home network set up to allow me to access it remotely and (relatively) securely, so I have to think about security more than you might have to.
Are these steps overkill? Maybe. But people have had their network connections used to download and upload Bad Stuff such as child pornography, and people have been prosecuted and sent to prison for the contents of their computer hard drives. Ultimately you are responsible for what’s on your computers. I consider most of what is listed here “reasonable maintenance.” But I’m a computer security professional, so I’m biased.
Windows XP
You are probably running some version of Windows. Here are some things you should do.
- Turn on the firewall. If you have a third-party firewall, you can use that. If not, make sure the Windows firewall is on. If you have an up-to-date installation of Windows, you should be fine. For the record, I use the Windows firewall that is part of XP.
- Install all patches for Windows. This means running the Windows Update utility. Even if you have your machine set to automatically get updates, you should still do this manually, at least once per week. Do not trust the automatic update! There are lots of reasons why it might not work.
- Install anti-virus software. I won’t make any recommendations here, but I will tell you I use Symantec (or Norton), because it is provided by my employer. Your employer or ISP may provide you with free antivirus. You should check.
- Keep your anti-virus software up to date. Even if you have it set to automatically update itself you should occasionally explicitly update it. Don’t trust automatic updates!
- Install spyware protection. I recommend (and use) Spybot Search & Destroy. You can get it from here. You can set it to update itself automatically and to run automatically, but even if you do, you should still update it and run it yourself about once a week.
- Stop using Internet Explorer. Go and download Firefox and use it. I won’t go into all the reasons for this.
- Make sure you have passwords set. Set a password for every Windows user, and disable the guest user and remote administration.
Now there are a lot of other little things you can do. For instance, you can install safety plugins for Firefox to block scripts. The above are what I regard as the bare minimum.
There are lots of other guides available online. Look here for a guide with nice screenshots.
Finally, if you are running Windows XP Home, consider upgrading to Windows XP Professional, or some flavor of Vista. Actually, at this point, you might want to skip Vista and wait for Windows 7.
Wireless Networking
I run a wireless network at home. Do not be confused; wireless networks are not secure. You are broadcasting your network packets to anyone and everyone. If you are pathological about security, don’t use wireless. The U.S. government’s Federal Desktop Core Configuration (FDCC) explicitly forbids wireless, and the reasons are good. Don’t believe me? Run out and buy a copy of Wi-Foo.
Okay, so you are going to run a wireless network anyway. Fine. Do the following.
- Set your SSID. Most wireless routers come with the SSID set to something like “linksys.” Change this.
- Enable encryption and do not use WEP. Turn on encryption on your router, and pick a good passphrase. My passphrase is over 20 characters in length. WEP is trivial to crack, and some computers actually come with software pre-installed that will crack it. Don’t use it. If your wireless router doesn’t support anything other than WEP, get a new one. They’re fairly cheap.
- Disable broadcasting your SSID. You know your SSID. There is no reason to broadcast it. This means you have to manually add your network on your Windows machines, but that’s okay. It also means your neighbor doesn’t immediately see that you have a wireless network.
- Turn on your MAC filter. Every network card has an associated identity called its MAC address. Your router should allow you to set it so that only specific MAC addresses can connect. You have to manually add every computer that will connect wirelessly, but it really isn’t that hard.
- Disable remote administration. Many wireless routers feature remote administration, meaning you can configure the router from outside the network. You don’t need that, and you don’t want it. If it is on, turn it off. If you have a machine plugged directly into your router (not connecting by wireless), consider disabling configuration over wireless as well. Then the router can only be configured from a physically plugged-in machine.
Now your wireless network is more secure. But intruders can still detect your signal, sniff packets, inject packets, capture these packets with software like Kismet, “spoof” your MAC addresses, and compromise your network. The point is that this takes some sophistication; your neighbor probably can’t do this, and thus can’t use your network connection to download porn. There are plenty of unsecured networks; intruders will go somewhere else.
Routers
If you have a wireless router, you have a router, and can probably ignore this section. If, on the other hand, you have the wire that comes in from the wall connected directly to your computer, perhaps by a cable or DSL modem, consider getting a cheap router and installing it between the modem and your computer. Then configure it. Often the default configuration of a router allows anyone to modify the settings. You don’t want that. Set a password on your router.
Why? Routers provide a level of protection between you and the Internet. Even if ports are open on your machine and it is vulnerable, a router can stop traffic that would otherwise get to your machine. In fact, most routers are configured to do this by default; you have to explicitly open ports to enable P2P applications, for instance.
Vulnerability Scanners
Get and run a vulnerability scanner. If you are running Windows you should download and run Microsoft’s free Microsoft Baseline Security Analyzer. Do it now. I’ll wait.
I routinely run a tool called Nessus. This is a fairly sophisticated network vulnerability scanner, and it can produce some unexpected and occasionally frightening results. It scans your network for open ports and reports on vulnerabilities it finds. Sadly the free version is now limited to the “home” feed, but you should still consider using it. Do not run this on a corporate network! Running this kind of tool is something the network admins probably do, but is likely grounds for revoking your network access. Just run it on your personal, home network. Nessus runs on Windows, Linux, and OS X, but you only need it installed on one machine since it scans the entire network.
Run the vulnerability scanner periodically. The list of known vulnerabilities changes, and updates to your operating systems (and family members) can open new vulnerabilities.
P2P Software
Using LimeWire? FrostWire? Vuze? Miro? Transmission? Or any of the other P2P clients?
Explicitly configure P2P applications. These applications can transmit your data over the network (that’s what they’re for) and can download information to your computer (that’s also what they are for). Make sure you know precisely what files on your computer, if any, are available for download externally. Also, keep in mind that running these clients advertises your computer on the network. Make sure the computer you use is reasonably secure by following the advice above. Oh, and keep P2P programs up to date. Vulnerabilities occur in these programs and new versions are released. Check them and always use the latest version.
There have been some stories recently about people’s tax returns and other private data being easily available on the Internet, despite this problem being known for years. This happens when P2P software is left unconfigured, so that all files are shared by default.
Encryption
Encryption is now easy and simple. Really. You can use whole-disk encryption from Windows, and you can encrypt folders on OS X. This is built into both operating systems.
TrueCrypt is a nice, free, on-the-fly encryption system for keeping your private data private. It’s easy to install, runs on most platforms, and lets you create and use multiple volumes. You can get as crazy about security as you want.
The point of this is that information like your tax return, Quicken account, etc., can be stored in an encrypted folder, and transparently decrypted only when being used. Then if files are stolen off your machine… they are encrypted.
Intrusion Detection
Okay, if you are really getting pathological about security, consider installing and running an intrusion detection system (IDS). I do this. These are programs that observe your network traffic and look for “suspicious” activity. I run Snort. This is not for the faint-hearted. Still, if you store company information on your home machines, you might be attacked for that data. Really. I’m not kidding.
Backup
Back up your machine. If you have a Mac, just get an external hard disk and turn on Time Machine. If you have Windows, you need to do more. From My Computer you can right-click a drive, open Properties, and select Tools. You should see backup options there. You want an external hard disk and periodic backups.
Good security consists of several items:
- Detect intrusion attempts.
- Resist intrusion attempts.
- When intrusion is successful, repair the damage. This is where backups come in.
You don’t want to have to throw away all your data if your computer is compromised. Plus, and I guarantee this, your hard drive will eventually fail.
Remote Access
I can access my home network remotely. If you don’t need to, I suggest you don’t. If you do, here are some things you can do. I assume a modest level of sophistication here.
- Use a Linux or FreeBSD box. Forward the ports you want on your router to a machine running Linux or FreeBSD, and not some other OS.
- Change the port for SSH, VNC, etc. Use some port other than 22 for SSH. For VNC, don’t use display zero or one.
- Set strong passwords, and consider disabling passwords for SSH. My SSH server only allows connections authenticated by certificate.
- Use port knocking. Install knock and knockd, and use them to connect. Port knocking is a wonderful solution to keeping ports closed, unless you explicitly want to use them. I use one-time knocks that open a port just long enough to connect.
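As an added example (not from the original post), here is a small POSIX shell script that checks an sshd_config file against the two SSH items above: a port other than 22, and key-only authentication. It goes one step beyond the post by also checking keyboard-interactive (PAM) authentication, because turning off PasswordAuthentication alone still leaves that prompt available on many default installs. The script name and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file
# against the remote-access advice above (non-default port, key-only login).
# It also checks keyboard-interactive auth, which the post does not mention:
# with PasswordAuthentication off, a "yes" there still lets PAM prompt for a
# password, so key-only login needs it off as well.
# Usage (assumed script name): sh audit_sshd.sh /etc/ssh/sshd_config
# Exit status is the number of findings (0 = clean).

# Effective value of a directive. In sshd_config the first uncommented
# occurrence wins, so take only the first match. Match blocks are ignored,
# which is fine for the global settings checked here.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one WARN line per finding; return the number of findings.
audit_sshd_config() {
    cfg="$1"
    issues=0

    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ]; then port=22; fi          # sshd default
    if [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
        issues=$((issues + 1))
    fi

    pw=$(sshd_value "$cfg" PasswordAuthentication)
    if [ -z "$pw" ]; then pw=yes; fi             # sshd default
    if [ "$pw" != "no" ]; then
        echo "WARN: PasswordAuthentication is '$pw'; set it to 'no' for key-only login"
        issues=$((issues + 1))
    fi

    # Newer OpenSSH calls this KbdInteractiveAuthentication; older configs
    # use ChallengeResponseAuthentication. Either name is honoured here.
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication); fi
    if [ -z "$kbd" ]; then kbd=yes; fi           # sshd default
    if [ "$kbd" != "no" ]; then
        echo "WARN: keyboard-interactive auth is '$kbd'; PAM can still ask for a password"
        issues=$((issues + 1))
    fi

    pk=$(sshd_value "$cfg" PubkeyAuthentication)
    if [ -z "$pk" ]; then pk=yes; fi             # sshd default
    if [ "$pk" != "yes" ]; then
        echo "WARN: PubkeyAuthentication is '$pk'; key-only login needs 'yes'"
        issues=$((issues + 1))
    fi

    return "$issues"
}

# Stand-alone use: audit the file named on the command line.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The script only reads the file as text. The authoritative view of what sshd will actually do is `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied; save that output to a file and run the same checks on it (the keys come out lowercase, which the awk match tolerates). For the one-time knock in the last item, knockd’s start_command, cmd_timeout and stop_command directives express exactly that pattern: a firewall rule inserted for the knocking address and removed again a few seconds later.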
One other final, perhaps funny, item. My home system sends me text messages for certain events. I used to do this using my wireless provider’s web interface and curl, but now I can just send email, thanks to my crackberry. It’s nice to know what’s going on.
Summary
Security requires routine maintenance. Run all updates and scans manually about once a week or so. Why? To make sure everything is working and to stay conscious of any problems.
Owning a computer is really like owning a car. Both require care and periodic maintenance. You should get familiar with how things work on the computer. You don’t have to be a network professional, just get familiar with the software that’s available to help you. In fact, based on some of the folks I’ve known with degrees in networking, being a “network professional” might not help, and might even hurt.
Hope this helps!
