Firewalls

Aug 31 2008   9:44PM GMT

Software for Secure Computing: Personal Firewalls

Posted by: Ken Harthun
Firewalls, Security, Routers, NAT, Anti-virus, Anti-malware, Secure Computing

How to Secure Your Computer: Maxim #2 stressed the importance of using a NAT router to make your network “invisible” to criminal hackers and other Internet riffraff.  This is excellent protection against inbound malicious connections, but it does nothing to block outbound connections originated on the local network. The router won’t stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. This behavior is by design; if outbound connections were blocked, you’d never be able to browse the Web. The problem is that if you inadvertently get infected by a mistaken click or a cross-site scripting (XSS) vulnerability, you’re in trouble. You may not even know you’ve been infected–I’ve seen bot-infected machines running up-to-date antivirus software happily spewing spam emails by the thousands.

One of the most important pieces of software for secure computing is a properly configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall–it blocks inbound attacks only (see Is Microsoft’s Firewall Secure?) and has flaws of its own (see Windows Firewall flaw may hide open ports). While Vista’s firewall does offer outbound filtering, it isn’t much better (see Analysis: New Windows Vista Firewall Fails on Outbound Security for more information).

My favorite personal firewalls for secure computing are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version). I’m currently testing the ESET Smart Security suite and from what I’m seeing, this may be one to recommend to your non-savvy home users; it’s non-intrusive in automatic mode, allowing you to surf freely without those annoying do-you-really-want-to-do-this popups.

Aug 5 2008   1:01AM GMT

New Article Series: Software for Secure Computing

Posted by: Ken Harthun
Firewalls, Intrusion detection, Anti-virus, HIPS, Anti-malware, Secure Computing

I recently posted the last article in my How to Secure Your Computer series of security maxims (an eBook will be available shortly–stay tuned for details). While editing the book, I realized there’s a wealth of free and Open Source software available that can help anyone from the novice to the professional practice secure computing.

My “Nine Steps to System Security - 2008” (originally posted as “Seven Steps to System Security - 2004“) is the latest iteration of what is essentially the basis of all the maxims. It lays out a plan that’s been proven highly workable and will serve as a rough guide for the sequence of articles in the new series. The maxims will provide additional layers as the series develops.

At last count, there were 26 pieces of software mentioned in the main articles. Many of those will be grouped into a few general categories, but I believe the Software for Secure Computing series will be substantial.

First in the series will be “Software for Secure Computing: Secure Browsers.”

Jul 29 2008   10:47AM GMT

The Lazy Man’s Way to System Security

Posted by: Ken Harthun
Firewalls, Security, Routers, Malware, Anti-virus, Anti-malware

A good many people have responded to my various articles on system security. Most of the feedback has been positive, but many wondered if there might be a simpler approach, some basic things you can do to protect yourself without too much hard work.

You’re in luck. Call it the lazy man’s way to system security; if you install protection against the the three biggest threats to your on-line security–infections by viruses, worms and Trojans, malicious software (spyware, adware, browser hijackers) and crackers who wish to secretly access and control your PC–you’ll be protected from the worst of security problems. One caveat, however: if you go to questionable sites (you know the ones I mean!) and are in the habit of clicking on links in pop-ups and spam emails, you’re out of luck—nothing can help you because you’re inviting infection.

But, for those who generally try to avoid the bad stuff, these are the four bare security essentials: a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall. Simple, and highly effective for most users.

Before you ask, the answer is yes, you still need a software firewall, even if you already have a NAT router or hardware firewall. Most hardware firewalls are configured to keep bad traffic from getting in, but will let most traffic from your network out, so they don’t keep those sneaky tracking programs from phoning home. A software firewall will at least give you some warning when a program is trying to access the Internet and you can decide whether to allow it. Besides, it gives you an extra layer of protection, just in case.

I highly recommend you read and apply Nine Steps to System Security - 2008, but if you’re feeling a bit lazy today, the four essentials will get you by.

Jul 27 2008   4:09PM GMT

Nine Steps to System Security - 2008

Posted by: Ken Harthun
Firewalls, Security, Microsoft Windows, Routers, Browsers, Vulnerabilities, NAT, spam, Malware, Email security, Phishing, Anti-virus, Opinion, Rootkit, Anti-malware

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.

In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security - 2004″ , and “Eight Steps to System Security – 2005“, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.

Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.

Jul 25 2008   1:45AM GMT

Sure-fire Spam Zombie Killer

Posted by: Ken Harthun
Networking, Firewalls, Security, Routers, spam, email, Email security, Exchange

The other day, I got a call from one of my clients who said that their email was bouncing back from people they had always been able to send to. I investigated and found that the error message was to the effect of <hostname.domain #5.5.0 smtp;550 Blocked;Spam/Zombie address listed at spamhaus.org sbl-xbl>.

Well, that was odd, because the client is running a bona fide Exchange server and a check of the server revealed nothing wrong that I could see. Thinking that maybe an employee was infected with a mass-mailer trojan, I blocked all traffic on smtp port 25 from all addresses on the network except the Exchange server.

Running the netstat -an command on my client’s PC revealed 88 connections, all trying to send mail out on port 25, which the firewall was now blocking.

Certainly, you don’t want to get infected by a mass-mailer trojan, but blocking outbound traffic on port 25 from your network is a sure-fire spam zombie killer and will prevent your IP address from getting blacklisted if someone does get infected.Of course, you’ll want to clean up that infection as quickly as possible.

Jul 19 2008   12:58AM GMT

Unpatched PC “0wn3d” in Four Minutes or 16 Hours; Which is it?

Posted by: Ken Harthun
Networking, Firewalls, Security, Microsoft Windows, Routers, Vulnerabilities, NAT, Malware

I just love stories like this one. On the one hand, Internet Storm Center researchers say an unpatched PC connected to the Internet will be compromised in less than four minutes. On the other hand, a researcher and co-founder of the German Honeypot Project (GHP), Thorsten Holz, claims the survival time is much higher than 4 minutes and in fact is nearer 16 hours. “Compared to the survival time from the Internet Storm Center [ISC] which is currently below five minutes, we measure a higher survival time,” he said in a post to the project’s blog. The blog has some interesting graphs, one of which shows that survival time is just under 1000 minutes, or about 16 hours.

So, which is it? Do we believe ISC or GHP? I can tell you from experience with my own firewall logs that my IP address is probed for common vulnerabilities about every two minutes, sometimes as often as once per minute. Based on this, I’d be inclined to believe ISC’s estimate. The bottom line is it doesn’t really matter who’s right–we all agree that it’s a bad idea to connect an unpatched PC to the Internet. From the ISC diary:

While the survival time measured varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn’t bet on in Vegas.  Using a NAT router and a correctly configured personal firewall is the way to go - both these measures help a lot to improve the odds in favor or your PC.

Be careful out there.

Ken is a Systems Engineer at Connective Computing, Inc. specializing in network and desktop security for small and medium businesses. Ken helps others through his Ask the Geek blog, is a regular contributor to Dave’s Computer Tips newsletter, and is currently working on his first consumer-oriented book on computer security.

May 18 2008   6:39PM GMT

Are You a Hacker Target?

Posted by: Ken Harthun
Firewalls, Security, Routers, Browsers, NAT, Opinion

Aside from those unenlightened, naive souls who invite every hacker, phisher and Nigerian scammer on the planet into their computers how many people actually fall victim to hackers? I’m talking about people who take reasonable precautions, like installing a NAT router, running a personal firewall (not Windows’ firewall) and anti-virus software. I ask this question because for some months now, I’ve been running half naked behind my hardware firewall: no anti-virus, no software firewall, just a hosts file to block known bad sites (I do update it frequently). I use both IE and Firefox for web surfing.

I haven’t been hacked, nor have I been infected by any malware. In my entire history of computing (since 1974), I’ve never been plagued by a virus or worm. I guarantee you that my PCs are not part of any botnet. No one has ever tried to run a DDOS attack on me. It’s not that I’m invisible–Google my name and you’ll get several thousand hits (some of those aren’t me; apparently more than one Ken Harthun out there). I have a couple of different web sites in plain view, too.

Am I immune to attack or just lucky? Or is it that by applying the various security tips I give you here (yes, I do the same things I tell you to do) , I’m out smarting the hackers so they can’t figure out how to get me? Food for thought. Your comments are welcome.

Apr 17 2008   7:05PM GMT

Top Five Personal Firewalls

Posted by: Ken Harthun
Firewalls, Security, Vulnerabilities, Intrusion detection, HIPS, Instrusion prevention

How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:

1. Comodo Firewall Pro 3.0.21.329 (Free)
2. Online Armor Personal Firewall 2.1.0.119 ($40, Free version available)
3. ProSecurity 1.43 ($30 single PC home user, $40 household)
4. Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
5. Kaspersky Internet Security 7.0.1.325 ($80/year for 3 PCs)

The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.

Apr 9 2008   9:11PM GMT

How to Prevent DNS Rebinding Attacks

Posted by: Ken Harthun
Networking, Firewalls, Security, Routers, Browsers, Password

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.

Feb 16 2008   8:02PM GMT

How Not to Invite Attackers into Your PCs or Network - the First Line of Defense

Posted by: Ken Harthun
Networking, Firewalls, Security, NAT, Security maxim

The other day, I gave you what I consider to be the most basic security maxim, one on which I base all of my security practices: The best security measures are completely useless if you invite attackers into your PCs or networks.

Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers already know how to take down XP’s firewall.

Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers that are scanning the’Net or worms that are infecting the ‘Net. The IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week. I certainly don’t want my PC’s software firewall subjected to this kind of thing; yet, most people, not knowing any better, plug their computer directly into the broadband modem. Why do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router?

Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:

I must mention that except for one, simple configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.

So, here’s Security Maxim #2: A first, important step in securing your PC is to install and configure a NAT router.

(Note: I first posted this maxim nearly a year ago at Ask the Geek, Too. The article was entitled, How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks). Since then, many routers now contain built-in firewalls, so do double-duty and are even more secure.)

Next time: the one, most overlooked configuration option that can render your router or firewall useless and make you even more vulnerable than you were without it.

Cheers!
The Geek

Your comments are welcome!