Security On the Cheap!


I’ve been gossiping to arsefardle about internet security on a budget and he suggested I start a thread on this topic, so what the hell, here goes.

Broadband is a bit like saying to the entire Internet “Hey Here I am Attack Me!” Yep that wonderful always on connection you’re using, is just something that is permanently available to be attacked.

So what can we as the poor “victims” do?

There are a few ways that you can protect yourself, some are free, some are cheap and some cost little short of body parts.

The whole point of this thread is to start a discussion. I am not the font of all wisdom, but out there among that great “Plusnet Community” (No I don’t work for them!) there is a lot of helpful expertise, so why don’t we get talking and help those new friends we haven’t met yet. Sorry, I seem to be having a cliché attack here.

First we need to look at how you’re connected to your broadband. Many of us start off with the USB or PCI modem, the cheapest option and potentially the least secure. In this instance it seems to me that it is sensible to try to ‘hide’ your existence by the use of products such as zone alarm, Norton internet firewall, or similar. These work by controlling what traffic enters or leaves your system, and in the case of zone alarm by ‘stealthing’ your computer. This is done by responding to all probes or attacks by not returning the internet’s ‘here I am’ signal to the requesting computer. Hence as far as the world is concerned you are not there, and yes I am simplifying the terminology here. Even if you don’t use one of these products, it is still possible to ‘harden’ a Windows NT derived operating system such as Win 2000 or Win XP (Pro is the better choice here) to at least make it very difficult for an intruder to actually do anything you don’t want them to with your system.
Any Windows 9x derived operating system (95, 98, ME) normally has no effective security at all so I would suggest in the strongest terms get something else to protect yourself, even if it’s only the free version of zone alarm. Oh and that P2P software you use for finding and downloading MP3s or Movies….. OOPS! Wrongly configured that stuff simply shares the entire contents of your system with anyone using that particular software.

If you’re using a Router then you have done two things, one good, one not so good. The not so good bit is that routers cannot reply to a ‘where are you’ request with nothing, they MUST say ‘I’m here’ so they can always be seen. On the other hand routers typically have some form of firewall attached or integral to them which at least does something to restrict externally originated traffic and so in that respect they’re good. Also if you’re sharing a connection with multiple computers then your speed will be higher with a router as it isn’t all shifted through a single computer which has to do lots of extra processing and internal routing.

So where do we go from here?

My system is a bit belt and braces, I use a router with the inbuilt firewall locked down as much as I can, then between that and my system I have an old £50 computer, obviously a pile of junk, with two network (LAN) cards, one is the green interface (SAFE-internal network) and one the red interface (DANGER – Router), it has no keyboard, mouse or monitor. This computer has a 3.2GB hard drive, 32 MB RAM and has installed a free Linux-based firewall system called SmoothWall GPL. This system was quite easy to set up and it seems solid as a rock. I have Zone Alarm Pro installed on my main network PC and I have not heard a squeak out of it since I set my system up in this manner. (Prior to that with an ADSL Modem I had 5600 intrusion attempts/port probes blocked in a 3 month period) At least they were blocked eh?

Oh yes and on top of all this then you need to set up, and keep up to date a decent anti virus system!!!

That’s the end of my opening speech… Comments?

Tim

[Moderators note (by Thomas): I've made this into a sticky, as I feel it's a great thread with lots of useful information.]
22 REPLIES

Security On the Cheap!

Wow! That’s a very good intro, Tim. It’s hard to know where to pitch this.

If we don’t take some steps to protect ourselves, then no one else CAN.

It’s possible that some readers may say, “It won’t happen to me. Who’d bother with a simple home user? There’s nothing on my computer of value.”

Perhaps the most likely “Attacker” would be: -

The Malicious - This type of intruder is out to either bring down your systems, or otherwise force you to spend time recovering from the damage he has caused. He doesn’t care who you are.

What are you protecting?

Against the malicious, your time. If you have to rebuild your system because some jerk with a script thinks it’s funny to cause mayhem, it is unlikely that it’ll be at a convenient time to suit you. What about your data, your work? How good are your CD backups? Up to date?

At the other end of the scale, how many of us make on-line purchases using credit cards? How many of us take the easy option and let our computers remember passwords to other accounts holding personal information? Private letters, emails? Someone willing to attack in this way is unlikely to be scrupulous about how he uses or sells any information gained.

Windows XP is designed with a permanent connection in mind. Users will see security updates from Microsoft almost daily. Clearly Microsoft take this problem seriously. This is sticking plaster. This message was posted only two days ago.

http://portal.plus.net/supportpages.html?a=2&support_action=archive

Under 2003-08-06 10:26:46 Important Security Notice

(Note, it’s a long way down can a Mod. maybe provide a better link?)
Moderators note (by John) can't provide a better link but here is the article inserted as a quote in your post
Quote
Important Security Notice
Dear Customers,

A serious vulnerability has recently been discovered in the Microsoft
Windows operating systems NT4, 2000 and XP.

This flaw allows a remote attacker to gain complete control over your
machine. A "proof of concept" tool that takes advantage of this has
recently been released to the public which has escalated the situation.

Microsoft have already released an update that will protect your machine
against this vulnerability.

Full details of the incident and how to protect your machine are
available from Microsoft's website at the below link:

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

We also advise all users that are not currently running a firewall that
they install one to protect themselves against incidents such as this in
the future.

While we do not recommend a specific product, ZoneLabs make their
ZoneAlarm firewall product available free for personal use at
www.zonelabs.com.

Kind Regards,
Customer Support.


Did anyone miss it? With a few layers of protection it might not matter if you were on holiday for a few days.

There’s no need to spend a lot of money but there is a need to do some reading and take some steps to save time in the long run..

I’m paranoid, but am I paranoid enough?

Security On the Cheap!

On this security issue you would not believe the number of business firms I have pulled out of the mire because they either never thought to install Anti-Virus Software or wanted to save a few pounds.
It's only when they can't get to their all important files that they wake up and then come pleading to me to try and recover everything.
Makes a bit of pocket money for me but I'd rather they had been sensible in the first place.

Security On the Cheap!

no arsefardle, ur not being paranoid that vulnerability is a major hole and allows attackers admin privileges on your computer, and i reckon that when (yes when) a worm is released that takes advantage of it, it will infect a great deal of windows nt/xp/2000 pc's, so make sure ur blocking rpc on ur firewall/router.

Security On the Cheap!

Thanx, and that was just one very recent example - hopefully caught in time.

Actually I feel moderately safe as I have a very similar LAYERED firewall to Tim's - and even then I do apply the updates.

Folks, security updates come out every few days and are so easy to apply when you have broadband - it's another tool. (I do hope this tendency to preach isn't permanent or insulting?)

XP tells you automatically when there are updates. 98 and 95 don't unless you go to the Microsoft web site and download a small program - then it's easy to stay up to date. I'm not a Microsoft fan but still think this is worthwhile - and it DOESN'T COST ANYTHING. My son switched on his '98 machine this evening and there were 14Mbytes of updates - mostly for security. A few minutes work and one re-boot.

Tighten up your router if you have one. Install a firewall.

Also....

Switch off computers when not in use.
Close unused applications - especially Instant Messenger programs, Outlook, and Internet Explorer - most of the security patches usually apply to these three programs.
Install anti-virus software and keep it up to date. Be CAREFUL what you download, open and install. Switch off that automatic preview pane in Outlook. Treat email from people you don't know as suspect.

There's no such thing as water tight, but if you take a few steps you can make it VERY difficult for an attacker - the "Script Kiddies" - the Worm Spreaders and the Malicious will go for easier targets.

Does anyone want more info. on cheap solutions using old, redundant hardware and free software? Links to more reading material?

Spenser.

Security On the Cheap!

In respect to the layered firewall systems, They DO work. As Spenser said they are not a substitute for proper maintenance of periodic updates from software vendors.

One word of caution on those updates though, I tend to take the risk of leaving an update for a couple of days after release, one recent MS update actually killed the program it was meant to patch in about half of the cases where it was used... OOPS! So backups are important here too.

I just remembered another freebee I heard of some time ago, an article on hardening Windows 2000, this is very likely to apply to XP and can be easily found by searching on google. The first one I came up with is at: http://www.systemexperts.com/win2k/HardenWin2K.html But again backups are a really good idea BEFORE you do any of this.

Don't let anyone tell you that your firewall system is too complicated, if it works and nobody gets in without your say so then it is doing its job! The day it doesn't do its job, is the day you have problems.

A further note that has just occurred: passwords.

Passwords used anywhere should obey certain complexity rules, but the firewall admin password should be secure. The name of your dog or your sister's parrot really isn't good enough. You need to be using letters and numbers and varying the case of letters. It's a bit like encryption: work out and follow a set of password rules for yourself, such as the following.

Replace all vowels with numbers
3rd letter of all words is upper case

A password system like this is easy to set up, easy to remember and uncrackable by social engineering. (This is one of the methods that professional hackers use to gain access to systems.) unless of course you are silly enough to tell someone the key, or to use it in a situation where passwords are not encrypted by the system.

Got to go now, the wife has woken up and is demanding tea.

Tim

Security On the Cheap!

Quote
Switch off that automatic preview pane in Outlook.

Surely it's better to keep that on, seeing as you can see the e-mail you've received but without scripts running?

Thomas

Security On the Cheap!

Nope.

The preview pane is a known security hole, by previewing an email, Outlook and Outlook Express are in fact opening a document sufficiently far to enable some malicious programs to execute.

Tim

Paranoia is only bad if the rest of the world is NOT out to get you!

Security On the Cheap!

Really? Oh well. :oops:

Thomas

Security On the Cheap!

That's good advice on updates - and of course, if you have a firewall the updates are less urgent.

Actually, Widoze XP has a very good "undo" feature that lets you wind the system back to an earlier date - to undo updates. I only found it after HOURS of trying to repair my XP system after I'd ignored all (XP's) advice about installing an old program with known compatibility issues. I was rather :oops: and had to admit that Uncle Bill had done something good for once.

You STILL need your backups, though - or you'll lose anything you've done in the mean time.

'95, '98 etc don't have this feature (as far as I know) so maybe you would do well to wait a few days - patches on patches with bugs on a leaky program seems prone to disaster.... perhaps, though, it DOES show how URGENT the likes of Microsnail view security issues.

Passwords, couldn't agree more. Hands up anyone who maybe uses the same password for Hotmail or a chatroom login as they do for +Net login or maybe even their bank account? Is this wise? When did you last change them?

Umm... if you do follow Tim and I with a Linux firewall (on the cheap) then another security tool is file permissions - there's been a few questions over "chmod" on the CGI forum. UNIX may be 30 years old (which is why it runs so well on old junk) but it was designed with security in mind. It's almost virus proof, it's powerful and FREE and if you like computers at all it's FUN.

Spenser

Security On the Cheap!

Me has the System Restore thing as well.

Going slightly OT here, but it is useful to "clear out" System Restore occasionally... otherwise you can find GBs of space being taken by old, useless restore points.

Thomas

Security On the Cheap!

There's an excellent tool called "Shields Up" at http://grc.com which does a scan of your system. If you're going through a router/firewall and using NAT then the results aren't always accurate but if you're not, and aren't using Zone Alarm or similar, it's a real eye opener!

[Moderators note (by Thomas): Post edited, because it contained a reference to a post that's since been removed.]

Security On the Cheap!

For those of you with wireless networks, or a situation where unauthorised bods can gain access to your physical LAN. You might want to consider IP subnets and their implications.

The standard internal IP address of 192.168.0.1 255.255.255.0 means that the computer with the address 192.168.0.1 is part of a network with up to 253 other client devices. Have you got 254 computers on your network? If not you may want to consider more appropriate subnets.

For instance 255.255.255.240 restricts your local network size to 16 IP numbers with two of them lost (the bottom one is the network address and the top one the broadcast address and cannot be used for client devices). Therefore you can have up to 14 devices on your local network.

You can get even more restrictive than this if you want. The Subnet 255.255.255.252 allows you to have only two devices on your local network. This can be a good way of stopping outsiders on the street connecting their laptops to your wireless network as the DHCP server (usually built into a router or possibly the firewall) won't give them a valid IP number. 255.255.255.248 allows a maximum of 6 client devices, you can then restrict the scope within DHCP to the number of devices you actually have on your LAN. If you can make these leases permanent then you are in a fairly secure wireless environment.

I put part of the above post in another thread but thought I'd add to it and post it here for completion sake.

Tim

Security On the Cheap!

A well made point. Thanks Tim. I want to play (part) wireless very soon and, yes, I'm guilty of following recommendations on 192.168.0.XXX - easy for a Script Kiddy to guess. Actually, with a router doing NAT, is there anything to stop me using some really odd random mask and IP address range?

Security On the Cheap!

Yes and no.

There are three reserved ranges within the IP namespace, for use on LANs.

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

While you could use any IP address on a LAN, without any serious issues, the problem arises when you need to talk to a machine on the internet with the same IP address.

Instead of going there, it will go to your LAN machine.

Subnetting is not a security thing, and the idea comes under security through obscurity.

Subnetting is used for IP address conservation.

If you are using a WLAN, and are using this as a security measure, then you have far more security concerns. How did the person gain access in the first place? You should be using the built in security features of the WLAN protocols.
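
The arithmetic from the two subnetting posts above, as an added example that is not part of the thread: it works out the usable client addresses for each netmask quoted, picks the tightest mask for a given device count, and checks a chosen range against the three reserved LAN ranges. The function names and the 203.0.113.x addresses (a documentation range, constructed for the demonstration) are assumptions.

```python
import ipaddress

# The three ranges the thread lists as reserved for LAN use.
RESERVED_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def describe_lan(address, netmask):
    """Summarise the subnet that `address` with `netmask` belongs to."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
        "first": str(hosts[0]),
        "last": str(hosts[-1]),
        "reserved_for_lan": any(net.subnet_of(r) for r in RESERVED_LAN_RANGES),
    }

def smallest_mask_for(devices):
    """Tightest netmask whose usable addresses still fit `devices` (router included)."""
    for prefix in range(30, 7, -1):
        net = ipaddress.ip_network(f"10.0.0.0/{prefix}")
        if net.num_addresses - 2 >= devices:
            return str(net.netmask)
    raise ValueError("too many devices for a single private network")

def shadowed(lan_address, netmask, internet_host):
    """True if internet_host falls inside the LAN range, so traffic for it never leaves the LAN."""
    net = ipaddress.ip_interface(f"{lan_address}/{netmask}").network
    return ipaddress.ip_address(internet_host) in net

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.255.248", "255.255.255.252"):
        info = describe_lan("192.168.0.1", mask)
        print(mask, info["usable"], "usable:", info["first"], "-", info["last"])
    print("5 devices need", smallest_mask_for(5))
    # Constructed case: a LAN numbered outside the reserved ranges hides the real hosts there.
    print(describe_lan("203.0.113.1", "255.255.255.0")["reserved_for_lan"],
          shadowed("203.0.113.1", "255.255.255.0", "203.0.113.80"))
```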