Computer Security



14 Golden Rules of Computer Security

How to Stay Safe on the World Wide Web

Steps every computer user must take to block spam and malware, protect their privacy and prevent data loss.

by Ken “The Geek” Harthun

Copyright © 2009 by Ken Harthun. All Rights Reserved. Permission is granted to reproduce block quotes of up to 150 words in blog posts and reviews with proper attribution.

http://askthegeek.us



Table of Contents

Preface
Introduction
About the Author
Golden Rule #1: Don't Invite Attackers into Your PCs or Networks
Golden Rule #2: How Not to Invite Attackers into Your PCs or Network - the First Line of Defense
Golden Rule #3: Omit This Setup Step and Your Router Can Be Easily Compromised
Golden Rule #4: Can a Criminal Hacker Guess Your Password?
Golden Rule #5: If You're not Patched, You're a Target
Golden Rule #6: Turn off Message Preview in Your Email Client
Golden Rule #7: If Your Laptop is Stolen, Will Your Identity be Stolen?
Golden Rule #8: Does Encryption Have You Complacent About Physical Security?
Golden Rule #9: Two Ways to Operate Securely on the Web
Golden Rule #10: Store Your Backups Securely
Golden Rule #11: TLS/SSL is Your Friend and Protector on the Web
Golden Rule #12: Infected PC? Don’t Just Clean–Wipe and Reload
Golden Rule #13: WiFi Security–The Only Way is WPA
Golden Rule #14: If Spam Has You Irate, Obfuscate!
Get your Geek Toolkit Today!



Preface

It isn’t getting any better on the Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly stealthy and difficult to remove thanks to rootkit technology.

With the advent of Web 2.0 and its emphasis on sharing and collaboration through such social networking websites and services as Twitter, Facebook, MySpace, and the like, web-based attacks are more prevalent than ever. These sites are based on active, dynamic content and rely on special programs that run in your web browser to perform their magic. These programs can be modified by malicious hackers to steal your passwords, bank account information and virtually anything stored on your computer.

New laws have done little to deter or eliminate spammers, largely because many of them aren't located in the United States. Despite the few high profile cases in the news, the truth is that few spammers are ever caught. Considering studies that show some spam campaigns can produce as much as $3.5 million in a year, it's easy to see why today the spam problem is worse than ever--some estimates place the amount of spam email at 80% to 90% of all emails sent.

These days, everyone is at risk of falling victim to cyber-crime, even those of us who know and practice computer security on a daily basis. The average person who goes to the local big box electronics store and buys a PC or laptop for use at home is often lulled into a false sense of security because their purchase is bundled with some “security suite” by some big-name company. They go home, take everything out of the box, plug it all in and usually end up getting infected with all kinds of nasty things in very short order.

I put this book together in hopes that it will make a difference, however small, in how people look at computing and the Internet. Maybe it will save someone from the hardships of financial loss caused by using a compromised PC to access their bank and credit card accounts. Maybe it will save someone from having to pay a big bill to a technician to clean up a severely infected computer. Maybe, just maybe, it will help take some of the profit out of spam and malware. One can always hope.

At the very least, I hope that you, Dear Reader, find this information useful and that it helps make your computing experience more enjoyable.

Cheers!

Ken “The Geek” Harthun



Introduction

My How to Secure Your Computer series of articles debuted on January 4, 2007 on my Lockergnome blog, Ask the Geek, Too. I continued to post them there until March, 2008 when other commitments forced me to put that blog on the back burner. I have since revised and re-posted all of the maxims on my Security Corner blog, most of them having been given more catchy titles. You will find the entire archive in descending chronological order in the Security Maxim archives - Security Corner.

Below are links to the original postings up to and including Maxim #11, which was the last one posted at Lockergnome; nos. 12, 13, & 14 are new and appear only at Security Corner.

2007.01.04 - How to Secure Your Computer: Maxim #1
2007.02.22 - How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks)
2007.03.03 - How to Secure Your Computer: Maxim #3
2007.03.14 - How to Secure Your Computer: Maxim #4
2007.05.30 - How to Secure Your Computer: Maxim #5
2007.06.27 - How to Secure Your Computer: Maxim #6
2007.07.25 - How to Secure Your Computer: Maxim #7
2007.07.26 - How to Secure Your Computer: Maxim #8
2007.07.28 - How to Secure Your Computer: Maxim #9
2007.08.17 - How to Secure Your Computer: Maxim #10
2007.10.29 - How to Secure Your Computer: Maxim #11

I recently published my entire list of these so-called “maxims,” renamed as “14 Golden Rules of Computer Security.” I received some good feedback on that list, in particular, this comment:

“…you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.”

Any discussion of security, cyber- or otherwise, must be based on the concept of a security baseline—the bare security essentials without which all else is futile. What’s a good PC security baseline? I propose these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” These days antivirus, antimalware and a software firewall are usually combined into a single suite.

I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.” To that end, I have included the relevant articles “Nine Steps to System Security – 2008” and “The Lazy Man’s Way to System Security” in the appendix so you have a complete view.

What follows is a series of “Golden Rules” of computer security formatted as individual articles, the sequence of which is both chronological and in order of relative importance. I hope the information I've given you here and in my various blogs is useful to you and helps you and your family – perhaps your business as well – operate more securely in the Web 2.0 era.



About the Author

Ken “The Geek” Harthun has been playing with geeky stuff since 1959 when he disassembled his first wrist watch. Unfortunately, as a six-year-old, he didn't have the proper tools and the watch was ruined. He had better luck a couple of years later when he managed to hook up an old phone he found in the trash as an extension in his chemistry lab. In 1963, his father gave him a Digi-Comp I computer. Ken quickly mastered the binary programming and his life-long interest in computers was launched.

He has been working with computer technology since 1973 and advocating sensible security practices since 1989 when one of his employees infected a company computer with the Stoned virus. He quickly isolated the infected diskette and implemented strict security policies to prevent future infections.

Ken is currently employed as a systems engineer at a computer consulting firm, specializing in network and desktop security for small and medium businesses. He is particularly interested in cryptography and he's helped many a user develop safer computing practices.

Ken is a professional writer and blogger, a contributor to Search Security.com and IT Knowledge Exchange, and the producer of Ask the Geek and Ask the Internet Marketing Geek. He's a contributing editor for Dave's Computer Tips, Security Focus section. Ken is currently working on his first consumer-oriented book on computer security.

You can follow him on Twitter and Facebook if such things interest you, and Ken always welcomes your questions and comments at askthegeek@kennyhart.com. For a more detailed biography, visit this About page.



Golden Rule #1: Don't Invite Attackers into Your PCs or Networks

Having worked in IT in various capacities since the early 1980s, I’ve seen the need for security evolve from simple protection against viruses to the need for complex security policies designed to combat multiple attack vectors. These days, it takes constant vigilance to stay ahead of criminal hackers, to say nothing of terrorists; moreover, clueless users are often unwitting accomplices in security breaches. (See my article “Will You Be Used As a Weapon Against Your Own Country?”)

Today’s Internet is reminiscent of the Wild, Wild West, only now it’s the Wild, Wild Web. Make a mistake, and you could be virtually dead before sundown, your identity stolen, your financial resources drained, your reputation ruined.

Protecting yourself online seems like a daunting task, especially for the average home computer user; however, it’s not as hard as it seems, given some common sense and an understanding of basic security principles. My goal for this eBook is to provide simple, sound advice and tips that will help you be more secure in your computing both at home and at the office.

The first piece of advice I’ll give you is one I consider the most basic principle of computer security, the first Golden Rule of Computer Security: The best security measures are completely useless if you invite attackers into your PCs or networks.



Golden Rule #2: How Not to Invite Attackers into Your PCs or Network - the First Line of Defense

Golden Rule #1 gives what I consider to be the most basic security maxim, one on which I base all of my security practices, so let me repeat: The best security measures are completely useless if you invite attackers into your PCs or networks.

Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers have known for some time how to disable the Windows firewall.

Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers scanning the ‘Net for vulnerable systems, and by worms, viruses and other malware that have already infected machines on the ‘Net. (As I write this, the IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week.) I certainly don’t want my PC’s software firewall subjected to this kind of thing.

Yet, most people, not knowing any better, plug their computer directly into the broadband modem. There is absolutely no reason to do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router (Fig. 1).

Fig. 1 LinkSys Router



Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:

I must mention that except for one easy configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.

Golden Rule #2: A first, important step in securing your PC is to install and configure a NAT router.



Golden Rule #3: Omit This Setup Step and Your Router Can Be Easily Compromised

Golden Rule #2 stressed having a NAT router–or router/firewall–between your PC and the Internet as a first line of defense. This is without question the first, most important security step, but it can be useless unless you have it properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.

All routers come with a default user name and password, often as simple as admin/admin (when I’m faced with a router I haven’t seen before, this is the first thing I try–and it often gets me in). Default settings are a good thing because if you ever forget your password, you can reset the router and take it back to square one. However, this is also a dangerous security risk--these defaults are well known and published on the Web.

A couple of years ago, for example, three of the more widely used consumer routers, Linksys, D-Link, and Netgear, were vulnerable to a JavaScript web page attack. Go to the wrong site and if you haven’t changed the default password, the attacker can change your router’s settings to send you to malicious websites. For example, you’ll think you’re looking at your bank’s login page, but it will be a fake lookalike that steals your account information as soon as you log in.

While the manufacturers try to patch such vulnerabilities, users often don't apply the patches and even if they do, determined hackers often find other ways in. As recently as October, 2009, a blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company that it patched the routers. A report by Wired found that 45 percent of 2,729 publicly accessible Linksys routers still had a default password in place.

And that is precisely why you should put this on your list as Golden Rule #3: Always change the default user name and password of any configurable device you put on your home network.



Golden Rule #4: Can a Criminal Hacker Guess Your Password?

Golden Rule #3 stressed the importance of changing the default user name and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password.

Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined hacker could easily guess it without too much effort. Two clients I have serviced, both of which generate some serious confidential data, set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement strong password policies!)

I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.

According to Wikipedia, there are several things many people use as passwords that result in their being predictable:

Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:

• blank (none)
• the word “password”, “passcode”, “admin” and their derivates
• the user’s name or login name
• the name of their significant other or another relative
• their birthplace or date of birth
• a pet’s name
• automobile license plate number
• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
• a row of letters from a standard keyboard layout (eg, the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)

So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Golden Rule #4: Use an unguessable, or difficult-to-guess password always.
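
As an added illustration (not part of the original ebook), this Python example checks a candidate password against the guessable patterns listed above. The function names and the `personal_facts` input are assumptions made for the example; it also flags a single repeated character such as the “********” mentioned earlier, which the quoted list does not name.

```python
import re

# Words named on the page: the quoted list's "password", "passcode", "admin",
# plus "changeme", which the author reports seeing as an initial password.
COMMON_WORDS = ("password", "passcode", "admin", "changeme")
# Rows of a standard US QWERTY layout, left to right.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")
_KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def _alnum(text):
    """Lowercase and keep only letters and digits, so 'Rex!' and 'rex' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _variants(password):
    """The password with the list's 'simple modifications' undone:
    reversed, and with leading/trailing digits or punctuation removed."""
    lowered = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    return {v for v in (lowered, lowered[::-1], core, core[::-1]) if v}


def _is_keyboard_walk(text, min_run=4):
    """True if text consists only of runs of neighbouring keys on one row,
    each run at least min_run keys long (e.g. 'qwerty', 'asdfjkl;')."""
    if len(text) < min_run:
        return False
    run = 1
    for prev, cur in zip(text, text[1:]):
        a, b = _KEY_POS.get(prev), _KEY_POS.get(cur)
        if a is not None and b is not None and a[0] == b[0] and abs(a[1] - b[1]) == 1:
            run += 1
        else:
            if run < min_run:
                return False
            run = 1
    return run >= min_run


def guessable_reasons(password, personal_facts=None):
    """Return the listed patterns this password matches; an empty list means none."""
    if password == "":
        return ["blank password"]
    reasons = []
    variants = _variants(password)
    alnum_variants = {_alnum(v) for v in variants}
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    for word in COMMON_WORDS:
        if any(v.startswith(word) for v in variants):
            reasons.append(f"derived from the word '{word}'")
    # personal_facts maps a label ("pet's name") to a value the user supplies.
    for label, value in (personal_facts or {}).items():
        forms = {_alnum(value)} | {_alnum(part) for part in value.split()}
        forms.discard("")
        if forms & alnum_variants:
            reasons.append(f"matches {label}")
    if any(_is_keyboard_walk(v) for v in variants):
        reasons.append("keyboard row pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample facts about a fictional user.
    facts = {"login name": "jsmith", "pet's name": "Rex", "date of birth": "04/12/1970"}
    for pw in ("", "password.2008", "asdfjkl;", "Rex2009!", "htimsj", "T7#kq9!vLm2x"):
        print(repr(pw), guessable_reasons(pw, facts))
```

An empty result only means that none of the listed patterns matched; it does not measure how strong the password is.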



Golden Rule #5: If You're not Patched, You're a Target

OK. So you’ve installed a NAT router, you’ve changed the default login and password, and you’ve used an unguessable password. You’ve done everything right so far; however, you still may be vulnerable--in fact, you probably are, even if you keep your operating system patched.

In a 2007 Lockergnome posting, I wrote: “To say nothing of Microsoft Windows, there are few, if any, application software packages that are free of security vulnerabilities. The SANS Institute publishes its Top 20 Internet Security Attack Targets on a regular basis and Secunia currently lists 14,043 pieces of software and operating systems with vulnerabilities.”

Not surprisingly, Secunia reports that as of November 27, 2009, the above number has increased by almost 13,300: “Our database currently includes 27,298 pieces of software and operating systems.” It probably won’t surprise you that Microsoft leads the list, but that is by no means the only source of security vulnerabilities out there.

The truth is, if you’re on the ‘Net and running any unpatched software, you’re a target; I can look at my firewall logs and identify what vulnerabilities are being targeted on my machine. Many of these holes have long since been patched and there’s no excuse for your not having patched them.

So much for the bad news. The good news is that most reputable software companies, when informed of a vulnerability by security researchers, promptly issue a software patch to fix it. These are widely available to the public for free download or through update features built into the software packages. Windows and other software packages allow you to enable automatic updates (which you should do).

Golden Rule #5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.



Golden Rule #6: Turn off Message Preview in Your Email Client

Some of these tips may very well be “everybody knows” types of things, but I find that these are often the things that get overlooked. That’s why I’m publishing them as golden rules. Take a look at the 2008 furor surrounding the cold boot attack against disk encryption. That was an “everybody knows,” too.

I get questions all the time over at Ask the Geek about using a mail client’s message preview feature. Opinions vary, of course, but for this Geek, it’s a bad idea. In order to preview a message, it has to be opened or rendered by the HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: The same malicious programs can exist in scripts in HTML messages. It’s a serious security risk.

Golden Rule #6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.



Golden Rule #7: If Your Laptop is Stolen, Will Your Identity be Stolen?

We frequently hear news of a laptop holding sensitive information having been stolen. Bad in itself, but the reports often note that the information was unencrypted. Doubly bad. The news rarely focuses on personal laptop thefts, however, because there’s no news value in reporting the loss of Joe Citizen’s personal files; nothing of value there, they think. But Joe’s entire life savings may soon be wiped out if he has ever used that laptop for on-line banking or other financial transactions.

Recently, a friend of mine (who shall remain nameless for security reasons) had his laptop stolen out of his car. Fortunately, he had just purchased it and there was nothing of value on it, but there could have been–he’s an oil company executive.

Modern thieves know that if they can get their hands on a computer holding sensitive information — particularly bank or credit card information — they can sell that computer for tens or hundreds of times the value of the hardware. The hardware is virtually worthless to them. From the thief’s point of view, any laptop sitting on the seat or floor of a decent car or a desktop PC in a middle class home office could belong to someone who has access to valuable information. But, if the data is encrypted, the thief is out of luck.

I’ll cover physical security later. For now, I present Golden Rule #7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an unguessable passphrase as the encryption key.



Golden Rule #8: Does Encryption Have You Complacent About Physical Security?

There’s no question that data security is senior to physical security. The real value in a stolen laptop or PC isn’t in the hardware, it’s in the data. Sure, some druggie might steal your laptop and sell it for a fix, but the real danger lies in the thief who knows the value of the files that are stored on it. If it’s a personal laptop, the passwords to your online banking site, credit card numbers, Social Security number–probably everything about your identity–may be stored on it. If it’s a corporate laptop, depending on who you work for, there could be valuable customer information complete with credit card numbers or other proprietary information that a thief or corporate spy could capitalize on.

But physical security is only slightly less important. Don’t get complacent thinking that you’re OK just because your data is secure. It’s an expensive proposition to replace that data, so you must take steps to prevent theft of your hardware. Encrypting your data is analogous to hiding it. So hide your laptop. Chain down your PC. Make it as difficult as possible for a thief to steal it.

I keep my PC in a locked room when I’m not nearby and I maintain the attitude that someone’s waiting around the next corner to steal my laptop. So, it’s always either in a secure area or with me–and I mean within a couple of feet of me. I rarely leave it in my car and if for some reason I must, I lock it up in the trunk. I never leave it overnight in the office. Out of sight, out of mind.

There are other physical precautions you can take as this Security Focus article outlines. And let’s not forget about removable and external storage devices; hide them, too.

For now, I leave you with Golden Rule #8: Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.



Golden Rule #9: Two Ways to Operate Securely on the Web

Software developers often test their programs in a protected environment called a sandbox. If the software misbehaves, all they have to do is shut down the sandbox and everything returns to normal, no harm done. No crashes.

A sandbox is also a great way to prevent viruses and other malware from infecting your machine while browsing the web. Confine your browser to its own little box and if any malicious software tries to run, it can’t get to your system; it stays within the box’s boundaries. Kill the box and you kill the malware.

The top sandbox program for Windows–the one I use for secure surfing and testing–is Sandboxie. It runs only on Windows. Run Internet Explorer, Firefox, or any other program under Sandboxie and you should be safe. Flash Update: Seems CheckPoint agrees and has released a product of its own. Check out this article from Dark Reading.

You can also operate securely from inside a virtual machine. This is different from a sandbox in that you actually run an entire operating system, rather than a single program. Many people, this Geek included, use virtual machines to run alternative operating systems like Linux. In a virtual machine, you can do everything you do on a real machine and, like the sandbox, if things go wrong, your computer won’t be harmed. A big advantage of the virtual machine over a sandbox is that you can examine the actual behavior of malware and any damage to the OS.

Microsoft provides the free Virtual PC and VMware provides its free VMware Player and VMware Server. Sun Microsystems now provides VirtualBox. For the Mac, there’s Parallels (not free).

Golden Rule #9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.



Golden Rule #10: Store Your Backups Securely

A friend of mine once told me, “I love your computer security maxims, but there’s one thing I don’t have anything to worry about–I keep all of my passwords stored on an encrypted thumb drive.”

“Well, that’s a good thing,” I said. “Where do you keep your backups?”

“On my external USB drive.”

“That’s encrypted, right?” I asked.

He blinked and looked away. “No.”

Doh! If a cracker is able to access his PC and that drive is connected and turned on, my friend could be toast. If someone breaks into his house and steals the drive, my friend's identity could be stolen.

Depending on what is actually stored on the hard drive, full backups can contain lots of personal information–information that is much more valuable than mere passwords. Think about it: if you have the user’s name, address, SSN, pet photos, you-name-it, you’re in Fat City; you can easily assume the identity and recover usernames and passwords.

Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs allow you to make encrypted backups. If this option is available take advantage of it. The most secure plan would be to both encrypt your data and encrypt the backup for a double layer of protection. Then, take the backup media offline and store it in a secure place.

And that is Golden Rule #10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.



Golden Rule #11: TLS/SSL is Your Friend and Protector on the Web

I hope I’ve given you some valuable advice on how to secure your computer. If so, and if you’ve chosen to take my advice, you’re probably careful about what you do on the web. You certainly have strong passwords for all of your logins, all of them different, and you don’t go around telling people what they are or keeping them on sticky notes attached to the monitor at your workplace.

But the web can be a dangerous place; make a mistake and you could be in trouble. There’s one common mistake that if you make it, you may as well paint your passwords in 10-foot tall letters on a lighted billboard next to a busy freeway and invite every hacker to drive by it. I’m talking about entering your password — or any sensitive information — into any web page that’s not secure.

All communication — including your username and password — between your browser and a web server is normally transmitted in clear text, easily read by anyone who cares to look. Your data is being sent in clear text if you enter anything onto a page that has the prefix http:// in its URL. That’s how you know the page isn’t secure. While not a totally reliable method of identifying a phishing site, it’s a pretty good bet that any financial site or one requesting personal information that displays http:// is suspect; steer clear and don’t enter your credentials.

How do you know a page is secure? It will use an encrypted connection, signified by the prefix https://. This page will use a technology known as Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). Any information you put into such a page is unreadable by anyone who might intercept it. Only your browser and the web server at the other end can decipher it. Some browsers even show a lock icon to let you know it’s secure. TLS/SSL relies on cryptographic protocols and special security certificates issued by a trusted authority who has verified the identity of the website you are logging onto.

So, I present you with Golden Rule #11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.



Golden Rule #12: Infected PC? Don’t Just Clean–Wipe and Reload

Have you ever had a serious malware infection that seemed to defy any and all attempts to clean it up? You persevere and eventually get rid of the files that regenerate upon deletion, clean up the autorun registry entries that keep the malware going, and kill all the malicious processes that keep showing up. You’re proud of yourself; you’ve conquered the beast, out-hacked the hackers. You’re the man: a real, live uber-geek! Pat yourself on the back–you earned it.

Then, after you’ve finished congratulating yourself, nuke (as in Darik's Boot and Nuke) the hard drive and reinstall the operating system–you can never trust that machine again unless you do.

There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good antimalware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work, as this article in The Register explains.

It’s a matter of trust; it’s also a security maxim. So without further ado, I present Golden Rule #12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.



Golden Rule #13: WiFi Security–The Only Way is WPA

It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotspots are also unsecured, open connections.

If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure. While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.

2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where you store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t rely solely on MAC address filtering. I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network. That said, using MAC address filtering in conjunction with other measures can give an additional layer of safety.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA2 and WPA2-Enterprise. WPA2 relies on a pre-shared key (PSK), while WPA2-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA2 implements 256-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA2-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.

And that, my dear reader, is Golden Rule #13: When it comes to securing a WiFi network, the only way is WPA.
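The 256-bit key mentioned above is derived from your passphrase and network name, so it is only as strong as the passphrase behind it. The following is an added example, not part of the original book: it uses the PBKDF2-HMAC-SHA1 derivation that IEEE 802.11i defines for WPA2-PSK, and the function names and sample SSID are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

PBKDF2_ROUNDS = 4096   # iteration count fixed by IEEE 802.11i for WPA/WPA2-PSK
PSK_BYTES = 32         # 32 bytes = the 256-bit pre-shared key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK that a WPA2-PSK router computes from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt: the same passphrase yields a different key per network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ROUNDS, PSK_BYTES)


def random_passphrase(length: int = 24) -> str:
    """Generate a passphrase from a CSPRNG instead of a word a human would pick."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Guessing work, in bits, for a uniformly random passphrase (capped at the key size)."""
    return min(256.0, length * math.log2(alphabet_size))


if __name__ == "__main__":
    ssid = "example-home-net"  # constructed sample SSID, not from the book
    phrase = random_passphrase()
    print("passphrase:", phrase)
    print("PSK       :", wpa2_psk(phrase, ssid).hex())
    print("8 lowercase letters: %.1f bits" % search_space_bits(8, 26))
    print("24 alphanumerics   : %.1f bits" % search_space_bits(24, 62))
```

The output shows why passphrase length matters: the key is always 256 bits long, but an attacker only has to search the passphrase space, which for a short lowercase phrase is far smaller.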



Golden Rule #14: If Spam Has You Irate, Obfuscate!

Spam email is not only a nuisance, it’s a security risk. Most of the viruses, worms, and trojans floating around these days are transmitted in one form or another via spam. The threat can be attached directly to the email or it can rely on some subterfuge to get a clueless victim to click on a link to a malicious website. No matter the method used, the bottom line is that if the spammer doesn’t have a proper email address, the spam won’t be delivered.

Spammers get email addresses in various ways, but the primary method is to use a web bot to scrape them from web sites. It’s not hard to do; the Web is called that because everything is tied together through various links. All the bot has to do is hop around the Web, collecting any email addresses it finds along the way. What the bot is looking for is text strings that take the form of xxx@xxx.xxx. It can easily find those and store them in a database, but it can’t tell whether or not that string is a valid address. You can use this to your advantage; if you can prevent Internet criminals from getting your email address, you can stop them cold.

How do you do this? Obfuscate! (Definition: make obscure or unclear.) Bots can’t think; humans can. To you, the string “kengharthunatyahoodotcom” means something; most scraper bots would ignore it. Similarly, “no_spam_kengharthun@yahoo.com” is easily understood by a human; the bot would recognize it as an email address, but it’s not a valid one and any message sent to that address would bounce.

This technique is a good way to post your email address in forums, social networking profiles, etc., but what about posting your email address on your home page or web site? There are plenty of free tools on the Web to obfuscate a valid email address. This email obfuscator converts my Yahoo! email address to a meaningless (to most bots) string of characters (go try it and you’ll see what I mean). When properly entered into the HTML code of a web page, it looks like this: kengharthun@yahoo.com. Anyone clicking on the link will be able to send an email, but your average bot won’t be able to harvest it. This technique isn’t foolproof; more sophisticated bots may be able to figure it out. But it’s going to make it more difficult for them and you’ll be calmer and more secure as a result.

So, I wrap up this book with Golden Rule #14: If your email address will be visible to the public, obfuscate it using one of the methods or tools above.
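To check your own page before publishing it, you can test which addresses a pattern-matching bot would see in the raw HTML and which remain visible once character entities are decoded. This is an added example, not code from the original book or from any obfuscator tool; the addresses, sample page and function names are constructed for illustration.

```python
import html
import re

# Pattern for the "xxx@xxx.xxx" strings a simple scraper bot looks for.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML entity, as online obfuscators do."""
    return "".join("&#%d;" % ord(ch) for ch in text)


def obfuscated_mailto(address: str) -> str:
    """Build a clickable mailto link whose source contains no literal address."""
    enc = entity_encode(address)
    return '<a href="%s%s">%s</a>' % (entity_encode("mailto:"), enc, enc)


def exposed_to_naive_scan(page_source: str) -> list:
    """Addresses visible to a bot that only pattern-matches the raw page source."""
    return sorted(set(EMAIL_RE.findall(page_source)))


def exposed_after_entity_decoding(page_source: str) -> list:
    """Addresses visible once entities are decoded, which is what a browser does."""
    return sorted(set(EMAIL_RE.findall(html.unescape(page_source))))


# Constructed sample page: one plain address, one entity-encoded link,
# and one address spelled out in words.
SAMPLE_PAGE = "\n".join([
    "<p>Plain: webmaster@example.com</p>",
    "<p>Encoded: " + obfuscated_mailto("owner@example.com") + "</p>",
    "<p>Spelled out: owner at example dot com</p>",
])

if __name__ == "__main__":
    print("raw scan    :", exposed_to_naive_scan(SAMPLE_PAGE))
    print("after decode:", exposed_after_entity_decoding(SAMPLE_PAGE))
```

The encoded link survives the raw scan but not the decoded one, which is the "not foolproof" caveat in practice; the spelled-out form survives both.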



Get your Geek Toolkit Today!

The Geek Toolkit is loaded with literally hundreds of security, system maintenance and productivity tools that have been part of my Geek arsenal for more than five years. All of them are safe, proven, and malware-free. It would probably take you hundreds of hours to research and compile this collection on your own. Here are just a few of the categories in the kit:

• Web Servers
• Useful Utilities
• Spyware Killers
• Security
• Disk Tools
• Disaster Recovery Info
• ...and 11 more

This newly updated toolkit will save you time and money and make your life easier and more productive in several ways.

Secure purchase and instant delivery via PayPal

No waiting for the mail to arrive! As soon as your payment is processed, you'll be taken to a download page and my mail system will send you the pass phrase to decrypt the archive. The Geek Toolkit comes with lifetime updates, so you'll always have the most current version available.

And I give you my 100% Satisfaction Guarantee: If you're not completely satisfied with the Geek Toolkit, send me an email to tell me why and I'll refund your money. You can keep the toolkit as my gift, but you will no longer be entitled to updates.


