Stuart's
Stuff
PC security measures for the home user
Welcome to my latest page I use to help friends in various ways.
Because I'm an InfoSec geek/hacker (by trade), I inevitably get asked
virus-spam-spyware-related questions quite often - and I keep typing the same
advice over and over. So I finally decided to put together some of this kind of
advice and product recommendations on my personal web page. Being that the
huddled masses out there typically use Micro$oft Windows (which is a hacker's
playground and a virus writer's dream), this advice is geared towards that environment (although the
methodology can be applied anywhere, using different products). Introductions
aside, let's cut to the chase....
Keep your PC updated with the latest patches
This can't be emphasized enough. If you don't patch your PC at LEAST
every month (I recommend weekly checks for patches), you're asking for trouble
and it will surely find you. Go to the Windows update page now, and get
patching (follow the instructions when you get there). Perhaps you should
make it your home page for your browser, unless your PC is configured already
to check for updates routinely. Here's the link:
Microsoft © Windows Update
For those on dial-up connections who need LOTS of patches (that you'll never be able to download easily), the following sections are EXTREMELY critical risk mitigation controls (in lieu of patching). For those on broadband (DSL/cable), patch now and patch often (along with the following as well)!
Protect your PC with a Personal Firewall
Install and use a personal firewall "properly". When I say
"properly", I mean use at LEAST a "medium" or "normal" policy setting,
and don't enable inbound connections that you don't understand the ramifications
of. When in doubt, ask someone who is savvy in the methods used by
hackers and attack code.
Having a personal firewall still won't keep you from unwittingly or
unknowingly downloading and installing spyware, trojans, etc., but a decent
configuration will definitely keep such items from "phoning home", sending out
your private info, or attacking other systems via zombie code.
Regarding that, I HIGHLY recommend the Sygate personal firewall. I've
installed and tested every personal firewall extensively, and it's hands-down
the best. It USED to be a free download for personal use, but they
changed that policy in the past 6-8 months. Luckily for you, I have an
old free version you can download here (just don't register it, if prompted to...actually go ahead and register it, IF it keeps asking you to upon bootup - it's been a while since I did an install and I can't remember which version requested that repeatedly):
Sygate © Personal Firewall download
There are a couple of other free products on the market, but none holds a
candle to Sygate (trust me, I know). But feel free to use others you
find comfortable for your use (using anything is better than using nothing).
That Sygate download is a fairly large file (8MB). If you're on dial-up and/or would like a less robust solution (translation: less confusing for the techno-challenged, although I find Sygate very user-friendly), let me know and I'll give you a custom-built, nearly-invisible personal firewall that will fit on a single floppy diskette and download a lot faster.
Protect your PC from viruses
First, you should obtain, install, and use anti-virus software. Second, you should configure that software so that its virus signature file is updated daily and that it quarantines or deletes viruses in real-time.
NEVER EVER click on ANY e-mail attachment that you're not 100% certain is something safe, from someone you know and trust. However, you can still get very nasty viruses from people you do know and trust, which is why any attachment you open had better be something you EXPECT from that person. Virus writers are clever (and mean), and they will create self-propagating viruses that spread from your friends to you via e-mail, with subject lines like "Check out this joke" and an attachment that looks very innocuous. DON'T be fooled!
Delete ALL e-mail from anyone you don't know. And delete e-mail from people you do know if there are any attachments that you don't have 100% trust in. Leave the delicate dissection and analysis of potential viruses/malware/trojans to the experts. I fit in that expert category, yet I don't start analyzing any virus files unless office machines are already infected (and I have to do forensics to determine how to clean brand new viruses that the anti-virus vendors don't have signatures for yet). Otherwise I do exactly as instructed above with suspicious e-mail.
If you need an anti-virus solution, I have one here you can download and use (I have permission to distribute it freely). The catch is that the virus pattern updates/downloads MIGHT be problematic in the future. Either the hosting server or its connection is REALLY slow, which is why I can distribute copies here on a fast server/connection. But I doubt I'll be routinely updating the copy here, so you're kinda on your own with this going forward. However, I'll reference another equally good free anti-virus product in the next section. Here is this product download:
Anti-Vir © Software download
Anti-Vir © Virus Pattern Updates download
Cleaning a virus/worm/spyware/zombie/trojan/backdoor-infected PC
So you already see signs of an obvious infection, or your PC has become very flaky. You should:
1) Go to this site to run a FREE remote virus scan (and follow whatever
cleanup instructions it provides):
Trend Micro © PC Virus Housecall
2) Next go to each of these sites to download their FREE anti-spyware/adware
software (and updates), and run it:
SpyBot © Search & Destroy
Ad-Aware © Removal Software
3) And if you don't have anti-virus software on your PC already, here's a
decent FREE version to download, install, and run:
AVG © Anti-Virus Software
Once your machine is clean, simply use caution when installing some
"free" utilities (READ the user agreement and privacy notice), and use the
resources above if your PC is invaded again. The "free" utilities
recommended above are completely safe (verified July 2004). And make sure you keep your anti-virus software up to date with the latest virus signatures.
The "free" software and utilities are where most of the spyware/adware comes from. And hopefully by now you know better than to open e-mail (especially e-mail attachments) from unknown senders (and sometimes friends), which is where a lot of viruses/trojans come from. And don't click on web pop-ups...ever! Click the upper-right "X" to close them (which doesn't always work), or use the advice in the next section. Worms and hackers don't need "invitations" or user action to make you and your PC miserable, but they are easily thwarted by a good firewall (running a sound policy).
Dealing with Web Pop-Ups, AdWare, and Spyware
There are several ways to get rid of annoying (and often very dangerous) pop-ups:
1) Disable Active-X and Active Scripting in your IE browser settings,
which will disable functionality you MIGHT need in websites you might need
to visit (i.e., your online banking, office apps accessed via VPN, etc.).
Active-X and active scripting can install Spyware, AdWare, and other nasty items.
At the least, if using Internet Explorer © click on its Tools - Internet Options -
Security - Custom Level button. You should now see a Security Settings dialog box.
Make sure that "Download signed ActiveX controls" is set to "Prompt" and
that "Initialize and script ActiveX controls not marked as safe" is set to
"Disable".
2) Use a browser like Mozilla © or Firefox ©, which are flexible/smart enough to only disable
active components (like pop-ups) and not web-server features you expect to
use. You can download Firefox for Windows here:
Firefox © Browser
3) Install some "pop-up killer" software. There's a variety of this
stuff on the market, with lots of varying results. Most of the free
stuff doesn't "block" pop-ups, but immediately closes them after they
open. I'm not a big fan of that. Others install a "wrapper"
of sorts, that can inspect HTTP content at the network layer and block it
before it hits the application layer (your browser). Typically you'll
have to pay for anything decent, although I admit this is one area I've not
researched a lot.
4) Do what I do on my home systems. I created a "hosts" file and loaded
it with hundreds of ad-server addresses. About 90% of all pop-ups come from
a surprisingly small block of ad-servers, which webmasters embed
redirect links for in their websites (to make money of course).
Each "hosts" file entry has a corresponding IP address of 127.0.0.1 (the loopback interface
of every IP-enabled system). Then I run something like "Tiny-Web" © (a
stripped-down small and free web-server), with a blank "index.html" and nothing
else enabled. So every time I hit a web page that has ad-server
referral code in it, the DNS lookup refers to the "hosts" file first, finds a
matching entry, and sends the referral to my loopback interface where it dies
immediately. It takes a little effort to set up initially, but you reap the
benefits from then on. My personal firewall won't allow Internet
connections to "Tiny-Web", only my local redirects.
I only do this on my Windows partitions on my two boxes at home, and use
Mozilla on the Linux partitions. If you want me to hook you up with the
comprehensive "hosts" file and instructions for setting it up, let
me know. Otherwise you're free to just keep closing the pop-ups or try
one of the other methods mentioned.
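Step 1 above is done by hand in the IE dialog. The following Python script is an added example (mine, not from the original page) that reads the same two Internet-zone settings from the registry and reports whether they are at least as strict as recommended. It assumes the documented layout of IE security-zone registry entries: the Internet zone is key 3 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, value 1001 is "Download signed ActiveX controls", value 1201 is "Initialize and script ActiveX controls not marked as safe", and data 0/1/3 mean Enable/Prompt/Disable. When a value is absent the zone template's default applies, which this script cannot see, so it reports that as unverified.

```python
"""Audit the two Internet-zone ActiveX settings recommended in step 1.
Added example; assumes the documented IE security-zone registry layout
(zone 3 = Internet, value 1001 = Download signed ActiveX controls,
value 1201 = Initialize and script ActiveX controls not marked as safe,
data 0 = Enable, 1 = Prompt, 3 = Disable)."""
import sys

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (what the Security Settings dialog calls it, acceptable settings)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", {PROMPT, DISABLE}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {DISABLE}),
}


def audit_zone(values):
    """values: {value_name: int} as read from the zone key.
    Returns a list of (setting, current, ok). A missing value means the
    zone template's default applies, which is not visible here, so ok=False."""
    findings = []
    for name, (setting, acceptable) in REQUIRED.items():
        current = values.get(name)
        if current is None:
            findings.append((setting, "not set (template default)", False))
            continue
        findings.append((setting, LABEL.get(current, f"unknown({current})"),
                         current in acceptable))
    return findings


def read_internet_zone():
    """Read the audited values for the current user (Windows only)."""
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in REQUIRED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # value absent: reported as "not set"
    return values


def main():
    if sys.platform != "win32":
        print("This check reads the Windows registry; run it on the Windows PC.")
        return 1
    worst = 0
    for setting, current, ok in audit_zone(read_internet_zone()):
        print(f"[{'OK' if ok else 'FIX'}] {setting}: {current}")
        worst = max(worst, 0 if ok else 1)
    return worst


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the user whose IE settings you changed, since the values live under HKEY_CURRENT_USER; a "FIX" line means go back to the dialog and set that item as described in step 1.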
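Step 4 above is a hosts-file sinkhole. The Python below is an added example (not the page's own hosts file or Tiny-Web setup) that shows the mechanics on a small constructed hosts file: it parses the file, answers lookups the way the resolver does (hosts file first, then DNS), lists which names are sinkholed to the loopback address, and flags the opposite case a defender should watch for, an entry that sends a name somewhere other than the local machine, since the same file can be turned against you. The ad-server names and addresses in it are made up.

```python
"""Hosts-file ad sinkhole, as described in step 4. Added example with a
constructed hosts file; the names and addresses in it are made up."""
import ipaddress

# Constructed sample of the kind of hosts file the text describes.
SAMPLE_HOSTS = """\
# Ad-server sinkhole: every listed name resolves to the loopback interface.
127.0.0.1   localhost
127.0.0.1   ads.example-adserver.test       # banner network
127.0.0.1   tracker.example.test pop.example.test
0.0.0.0     metrics.example.test            # unspecified address also goes nowhere
198.51.100.9  www.mybank.test               # constructed: NOT local, suspicious
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.
    '#' starts a comment, blank lines are ignored, one IP may be followed by
    several names, and the first entry for a name wins (as the resolver does)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skipped, not fatal
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, table, dns_lookup):
    """The hosts file is consulted before DNS, so a sinkholed ad-server name
    never reaches the network; anything else goes to the supplied DNS function."""
    key = name.lower().rstrip(".")
    return table.get(key) or dns_lookup(key)


def _is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def sinkholed(table):
    """Names that are blocked: they resolve to loopback or the unspecified address."""
    return sorted(n for n, ip in table.items() if _is_local(ip))


def suspicious(table):
    """Names sent to a non-local address. A sinkhole file should have none;
    malware that edits the hosts file to hijack a site would create them."""
    return sorted(n for n, ip in table.items() if not _is_local(ip))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    fake_dns = lambda n: "203.0.113.5"   # stands in for a real DNS query (constructed)
    print("ads.example-adserver.test ->", resolve("ads.example-adserver.test", hosts, fake_dns))
    print("www.example.test          ->", resolve("www.example.test", hosts, fake_dns))
    print("sinkholed:", sinkholed(hosts))
    print("suspicious:", suspicious(hosts))
```

To check a real machine, read the system's hosts file (on Windows the standard location is C:\Windows\System32\drivers\etc\hosts) into parse_hosts() instead of SAMPLE_HOSTS; anything returned by suspicious() deserves a look, because a sinkhole file you built yourself should contain only loopback entries.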
Wrap-Up
That's all for now on this topic. If you have any questions, drop me an
e-mail and I'll try to respond at my earliest convenience. But I do have a
life, so please understand that there may be some limit to how much help/time I
can provide. And fixing some problems without me being physically in front of the
PC in question can be almost impossible (unless you're a PC expert, in which
case you probably wouldn't be here in the first place).
-- Stuart Thomas, CISSP, SSCP, HIJKLMNOP, etc. (cough)
("Any resemblance between the above views and those of my employer, my terminal, or the view out my window are purely coincidental. Any resemblance between the above and my own views is non-deterministic. The question of the existence of views in the absence of anyone to hold them is left as an exercise for the reader. The question of the existence of the reader is left as an exercise for the second god coefficient. A discussion of non-orthogonal, non-integral polytheism is beyond the scope of this article.")
All Site Content (except where noted) Copyright © 2006, Stuart Thomas