Collected from the SANS Institute blog during Cyber Security Month 2010
Securing the family PC
This year we are going to focus on steps that people should be doing with respect to securing their personal corner of cyberspace. Some of the subjects may include technical procedures such as turning off certain ports or services or modifying software, but we really want this to be more about the person rather than the machine.
To get the month started we will spend the first week talking about the computer your parents or your family uses. We’ll get to children and schools next week, but this week let’s stay focused on the adults. Many of us are our parents’ system administrators (as well as our extended family to include brothers, sisters, aunts, uncles, cousins, grandparents, and anybody else who claims to be related to you especially when they remember that you’ve got half a clue about this thing called the Internet) so it’s important to pass along tips to our users whenever we are performing maintenance for them.
So today let’s look at some common sense advice about the family computer. Yes, we all know the mantra about keeping the anti-virus software updated and the system patched (we’ll talk more about that in a few days) but what else should we be doing? Some of the things that I recommend for the family PCs I work on include:
Keep all computers in full view (no hidden machines, no illusion of privacy)
Document computer details in writing (serial number, software, receipts, BIOSpassword, etc.) and keep the documentation in a fireproof box or safe
Use an uninterruptable power supply (UPS) for PCs, laptops have their own built-in UPS
Keep all of the hardware and software manuals, plus any software CDs/DVDs in one place that is easy to find
Use a cable lock to keep intruders from stealing the computer should there be a break-in
Throw a towel over the webcam (better: unplug the webcam)
Unless it needs to always be on, consider turning it off when not in use
Keep plenty of room around the PCso that air can flow through to cool it
Securing the family network
Manufacturers really aren’t doing many of the home users any favours. Devices are sold with worse than lame default settings in the guise of usability. Personally I think that many manufacturers are underestimating the capacity of people to follow instructions, but then I guess Heinz Ketchup does have on the instructions put on food, so maybe Im wrong.
Manufacturers could make things easier for us and many of them kind of do. We now have external hard drives where the backup is a push of a button (even my mother knows how to drive that one) and many of the network devices come with one button configuration settings to secure the network. Personally I’ve had limited success with this, but maybe I’m button challenged.
I know that your home network is as secure as you can possibly make it, but alas your neighbours, cousin, brother, parent, grandparent, etc, network is not up to the same specs. It has been or will be used in the future to spread evil such as Zeus, Stuxnet and even Kevins favourite, slammer. Securing the PC helps, but you do need to secure the network as well. So lets get sraight into it.
Make sure that the device connecting to your service provider at least has some statefull filtering capabilities. They should only allow outbound traffic, but you may wish to check that.
Change the default Passwords. Many devices come with default passwords, typically admin or blank. Many people still have their internet facing devices with these default passwords.
Use long passwords. It will only be used infrequently, so it might as well be a long one. Youll want to write it down and keep it safe, use paper and not a file on the computer. Providing you dont staple it to your windows, keeping the passwords written down should be fine.
Control who connects. Whether you have a wired network or wireless make sure you know what is connecting to your network, your laptop, fridge, media centre, etc. You might want to consider using mac filtering. Not the best, but better than nothing.
If there are security settings available use them. Keep in mind that the security of your network is often dependent on the least secure device. For example I have a couple of older devices that can only use WEP 40 keys. So if I want to use it I either reduce the security of the whole environment, or as in my case, I have a second access point in a little DMZ off the main internet connection.
For wireless networks WPA2-PSK is the minimum to use.
Harden devices. Just like corporations any device you connect to the network should be hardened. Many of the network connected printers have so many services open that will never be used, so shut them down.
Now unless you want to be the extended familys internet helpdesk (might be the only way you get to see them) I suggest that you write down down basic instructions for them, or set things up so they never have to touch it again.
Recognizing phishing and online scams
On day 3 of Cyber Security Awareness Month 2010 the topic is Recognizing phishing and online scams. Which is an interesting discussion. For example, would phishers still bother if no one clicked and freely entered their credit card and personal information? Would 419 scammers bother if no one responded to their messages? Since there is a profit motive behind the miscreants actions if there were a diminishing return, or the actual possibility or prosecution, would we continue to see so many of their emails and web sites? Philosophical questions aside, in oder to reduce the harm of scammer and phishers the people receiving the bait need to be able to recognize the messages as such and not respond or click.
Don’t click or respond to the following:
If it sounds too good to be true, it is.
If the message does not appear authentic, it probably isn’t.
Do the content of the message appear in search engine results?
If you hover your mouse over the link does your browser or security software silently scream at you?
Seeing silly typos, formatting, or grammatical errors a professional would not make.
If the message asks you to send your information to them, rather than the other way around.
If you don’t have an account with the company supposedly sending the email!
Here are some useful links:
We covered phishing and other nefarious fraudulent emails in yesterday’s diary. Today’s entry is about preventing unauthorized access to your email and some email handling issues.
Unauthorized Access to your email can occur for a number of reasons
-you picked a simple password, and someone guessed it
-you picked a good password, but someone guessed the password reset question (remember Wasilla High ?)
-you accessed your email account from an unsafe public terminal
-you accessed your email account from a safe personal computer, but did not use SSL
Derived from this are a few steps you can take to make things harder for snoops:
Pick a good long password. And do change it every now and then. I am certainly no fan of change your password every xx days rules, but for online email, changing it on occasion actually makes good sense — it is your only chance to lose any stalkers you might have picked up over time. Your ex, your dorm roomie, etc, might know your password, and can passively snoop your inbox without you ever noticing. Only changing the password shakes them off.
Actually go through the I forgot my password routine once. Just pretend that you don’t remember the password. And then watch carefully how hard (or not) it actually is to regain access. There are still mail providers out there who require you to have a 10-character password, but at the same time force you to use The color of your first car as a password reset question. Having a password reset option is good (heck, I also forget passwords if the vacation is good and long :), but the reset option should be as hard to guess or fake as the original sign-on. If you got the choice, pick a provider that allows you to write your own question/answer pair and that includes some sort of out of band notification like SMS.
For the unsafe public terminal, well, don’t log into your email there. Within a couple months, all of us will carry web enabled mobile phones, and those shady airport and hotel PCs will hopefully then follow the internet cafe into merciful obscurity.
If you are already using a mobile phone or *pad or *book for email access on the go, make sure that your email client is set to use SSL/TLS. HTTP, IMAP and POP3 should all be avoided if they are not paired with SSL/TLS for encryption (HTTPS, for example). Remember, WiFi signals can be intercepted and recorded by everyone in range. Without encryption, eavesdroppers get to see your login credentials and all the email that you download and read.
Reply to all was not invented for people who click faster than they think. On occasion, these embarrassing broadcasts of a person’s naivet make everyone at the office cringe. Thus, if you are using reply to all, check carefully who is on the recipient and cc: lists. And do everyone a favor and never reprimand a hapless reply-to-all person by also replying to all with an admonishment.
Unsubscribing also has its pitfalls. If you try to unsubscribe from some list that you never actually subscribed to, chances are that you just confirmed to some spammer that you actually read their email. Only use unsubscribe on things that you vaguely remember ever having signed up to, and use mark as spam for all the rest.
Last but not least, EMail is a poor medium to convey irony or sarcasm. As useful as email is, the more contentious a discussion gets, or the more back-and-forth replies pile onto replies, the better off you likely are by picking up the phone, and having an old-fashioned talk.
Sites you should stay away from
As we wander down this path that is CyberSecurity Awareness month it reinforces that on one hand the Internet is a source of an unimaginable wealth of information and knowledge and on the other hand is a scary place where evil lurks in dark corners. The question for the day is how can you explore the Internet while avoiding nasty sites.
As a security practitioner I am often taken off the beaten path of the Internet to do research, so it is important that I have some help avoiding nefarious sites. Here are a few tools that I use:
I use Firefox and the Web-of-Trust add-on to help me identify potentially naughty sites. Web of Trust adds colored circles after all links, green for good, yellow for questionable, and red for bad. McAfee SiteAdvisor and other products do very similar things.
I use OpenDNS and utilize the Web Content Filtering capability to provide a layer of protection.
Computer monitoring tools
As security professionals we all know when our computers are trying to tell us that there is something wrong. We also have our own techniques for poking around under the hood looking for trouble before it gets out of hand. Like car enthusiasts, we know what each rattle and noise means and we take steps to correct the problem early. But what about our parents and extended family members who don’t have the same skills? Like the temperature gauge or check engine light in your car, how does a typical user know that something is wrong?
Most newer operating systems have a system health and monitoring capability. For example, in Windows 7 you do this:
Log on as a local administrator on your computer, click Start, and then click Performance and Information Tools.
Under Advanced Tools, select Generate a system health report.
And in Windows XP you take these steps:
Log on as a local administrator on your computer, click Start, and then click Help and Support.
Under the Pick a task, click Use Tools to view your computer information and diagnose problems.
In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.
Remote access and monitoring tools
It’s 10pm, Sunday night, Anytown. In a quiet house, a phone rings.
Ring, Ring, Ring
Your Mother in Law: Hello Dear, I’ve got an XYZ error message on my screen, I’ve powered off and back on, and the message is still there. Can you help?
You (to yourself, in your inside voice): which means she’s powered her *screen* off and on instead of her computer, here we go again! it really sounds like I need to be there to fix this – can I stop by tomorrow after work?
Her: But I’m bidding on an WXY, and the auction closes tomorrow – can’t we get this fixed tonight? Plus you know how I like to play those fun online games my friend showed me over my coffee every morning.
You (inside voice again): yeah, another XYZ, everyone needs more of those! and don’t get me started on those malware infested flash games! how am I going to get this fixed before work tomorrow? She’s an hour’s drive away and I have an early start tomorrow at work!
You (to her ,out-loud): Will you still be awake in an hour, I can drop by later tonight still if that’s ok?
Her: that’d be lovely – I’ll put a pot of coffee on, and I baked some cookies today. If this is like last time you’ll probably be a few hours!
Wouldn’t it be great if she had an icon on her desktop that would let you remote control her computer, right now? Well, the good news is, there is such an app. And like so many things in IT, the bad news is, well, the bad news is that there is such an app.
Remote control tools like gotomypc (now gotomysupport), logmein, webex, bomgar and the like used to be considered *evil* apps in many IT groups. They pretty much allowed strangers to remote control your desktop computers over SSL or other encryption (or obfuscation or clear text) protocols, and there weren’t a lot of tools out there to control how they got used. I can remember talking to my CFO a number of years back, trying to explain why gotomypc (which was new at the time) was not a good alternative for him, that he should use the corporate VPN access. If you look at what these remote access tools do, it sounds a lot like the ultimate goal of any pen-tester, or of any of the bad guys who of course also want to compromise your network security – total control of internal resources without your knowledge.
On the other hand, as these tools have matured we’re seeing a large uptake in their use in corporate IT groups, to the point that most IT groups will often have such a solution in place to remotely support their own users. We also see it routinely if we call for support on server operating systems or network infrastructure problems – almost the first thing most support techs will do is mail you a remote support link so they can see the problem first-hand and work on it themselves (using your computer).
So for all our family remote support needs, there’s dozens of free tools out there that do exactly this. For our corporate needs, similarly, there are dozens of tools out there that do exactly this, for a per-seat or per-site license fee.
Even in this new world where we’ve now blessed these remote access tools, people are missing some of the Securtiy 101 questions around them. Things like – how good is the encryption on this tool? Where exactly does the session data transit? Am I running this through an appliance in my own datacenter, or am I being run through the provider’s infrastructure on the internet (people call this the cloud these days, like that makes it safer somehow). If the session data goes to the remote support tool provider, what country are they in? How does their privacy, search and seizure legislation compare to yours? Does the tool offer a drive map, which might allow file transfer without the user knowing? The answers to these questions might not matter too much to your Mother-in-Law, but your CEO, CIO and Corporate Counsel should all care.
The traditional remote control tools like VNC or MS Terminal Services have been made a lot less effective by firewalls, especially personal firewalls turned on by default in the OS. They can still be deployed (and controlled) in a corporate setting where you can do things like have Group Policy open workstation firewall ports when at work, and close the affected ports when away, but these tools aren’t much help when your CEO is trying to VPNin from a hotel behind a firewall and 2 timezones away.
Patch management and system updates
Today we want your opinions on patch management and system updates. In this modern world where the gap between vulnerability and exploit is rapidly closing, and exploit code is being delivered via popular websites and ads it is as important as ever to keep your system and applications up to date.
To get you started…when I set up a Windows computer for my family and friends the following are essential:
Ensure Windows Update is turned on, set to install recommended updates and configured to install updates daily at a time when the computer is likely to be on.
Install Secunia Personal Software Inspector (PSI). PSI monitors your Windows applications, lets you know when applications are out of date, and provides download links to help remediate. PSI is free for non-commercial use.
Disposal of an old computer
We have all needed to dispose of unused computers at home and the office. I would like to encourage each of you to consider a responsible choice that helps the environment while at the same time safeguarding yourself, your company and your data. Before disposing of any computer please consider the following as they may be helpful:
Save all important documents off onto a secure removable storage device, preferably encrypted media.
Wherever possible, extract any software license keys for reusable software.
Wipe your hard disk with Kill Disk, Boot and Nuke or like software. I typically keep/destroy my drives, but before I do I will wipe them by attaching them to another computer with my handy hard drive adapter kit. The adapter kit allows me to attach SATA/IDE drives to any computer through the USB port. (It’s handy…and has bailed me out many times.)
Remove any reusable cables or parts such as a network card. (A backup NIC is always handy…)
Remove any batteries and recycle them properly.
Here is a list of URL’s of the recycling programs from some of the well known players in the computing industry. Mileage will vary based on your needs. I have used Best Buy’s program for no other reason than its convenience and accessibility. Many other’s have different things to offer. Review them all and see which suits you.
Donating your computer is always a good choice as well. However, remember if you choose to donate any computer there are things that should be done to prevent harm to you or your company and exposing sensitive data. You will read more on Securing a Donated Computer another day.