INTERNET SECURITY FOR YOUR COMPUTER AND PROTECTING YOUR PRIVACY
• BOB COOK • DOAI WEBMASTER • ©2010
PC INFECTION RATES
• 25% of business PCs infected
• 60% of all PCs infected
• Vast majority of users are unaware
• More security attacks in 2009 than all previous years combined
• Source: Sophos
PROJECT AURORA
• Google and 30 other top companies were recently attacked and data stolen using sophisticated malware techniques
• These attacks were not against Google servers; they were targeted at individual laptops, which were then used to get “inside” access
• And you think you are safe?
HOW ARE VULNERABILITIES EXPLOITED?
• First, they have to get on your computer:
  • Opening email attachments, clicking on links
  • Downloading files (programs, pictures, PDFs, ZIP files, etc.)
  • Just VISITING a website, perhaps through a poisoned Google SEO search result
  • Just VISITING a “good” website that has been hacked (such as US Treasury, reported May 2010)
  • In some cases, just RECEIVING an email, no action required
SEO POISONING EXAMPLE
• Four of the top five hits are links to poisoned sites (underlined in red)
• Downloaded malware submitted to VT (VirusTotal)
• Only 24% detection rate!
FIRST LINE OF DEFENSE: GET THE UPDATES
• WINDOWS - Windows Update (note: SP3 is the only version of XP still supported)
• APPLICATIONS - Secunia PSI
• DRIVERS - computer / hardware vendor, Device Doctor
SECOND LINE OF DEFENSE: PRACTICE SAFE COMPUTING
• Never log in as Administrator when on the Internet
• Keep confidential files on an external drive that is only connected when you need it
• Encrypt confidential files (or keep them on the external drive)
• Don’t open attachments
• Don’t download or share files
• Don’t click on shortened URLs
• Turn off scripting (not a viable alternative)
• Use a more secure browser (Chrome)
• Turn off HTML email, turn off preview
THIRD LINE OF DEFENSE
• Use an antivirus program and keep it updated
• OK, I did all that stuff (well, maybe not all of it). But why do I still get infected? Why won’t my AV program protect me?
MALWARE FACTS
• Malware testing results are mostly bogus, driven by advertising dollars
• Six different kinds of rootkits; most AV only catches one (the easiest)
• Malware authors test their product against AV software (a billion-dollar business)
• The timeline between discovered malware and a patch can be months; in the meantime, you are vulnerable
• Heuristics and activity-based detection catch at most 40% of “new” malware (optimistic)
• Rootkits, bootkits and file infectors are big problems that defy detection and are mostly not used by testing labs when reporting AV “success” rates
• Most malware testing is done against a published set of malware, allowing vendor “optimization” of results
• Matousec testing is the most comprehensive
A BETTER AV ALTERNATIVE
• Almost all malware depends on memory corruption (usually as a result of a buffer overflow that allows the malware to load and execute)
• eEye Blink Personal is an excellent alternative since it protects against memory corruption attacks generically (no need for a scanner or heuristics)
• Blink includes three AV scanners to detect malware you unintentionally install
• If you have been paying attention, you realize that, even if you are 100% diligent, you are still highly at risk!
• This is why Project Aurora and other targeted attacks are successful, in spite of traditional protection measures.
• You need a way for your computer to magically return itself to a pristine state every time you turn it on, ridding itself of any malware it may have contracted.
VIRTUALIZATION
• A program that allows you to run your browser and any other applications you choose in a “sandbox”, completely separate from your “host” computer.
• Empty the sandbox, and everything you did disappears, including all traces of malware you may have contracted, and nothing ever touched your host computer. It’s like getting a new clean computer every day!
SANDBOXIE: EASY VIRTUALIZATION
• Sandboxie will allow you to easily run your browser, email program, and any other programs you choose in a sandbox.
• Anything that happens in the sandbox does not affect your computer.
• Empty the sandbox, and everything disappears. Works with all versions of Windows.
LEARN HOW TO USE SANDBOXIE
• Updates and downloads must be done outside of the sandbox
• Consider using web-based email and bookmarks
• Malware not caught by your AV suite will run in the sandbox until you empty it
• Empty the browser sandbox each time before you visit a confidential site; this eliminates anything bad that got by your AV software
DISK IMAGING
• Just in case bad things happen...
• Create a disk image of your OS and a rescue CD
• Completely restore your HD, apps and OS in 15 minutes
  - crashed HD, corrupted registry, etc.
  - malware that snuck by
  - use it to repair 95% of your computer problems, avoiding frustration and service charges
• Easeus Disk Copy, Acronis TrueImage, DriveImageXML, Comodo Time Machine
PROTECTING YOUR PRIVACY
• Your privacy / identity is at risk from:
  1. Information others have about you
  2. Personal records you lose or that are stolen
  3. Your computer usage
• Sandboxing and your AV/AS will not completely protect your privacy
INFO OTHERS HAVE
• Over 350MM data records lost by businesses since 2005 (Source: privacyrights.org)
• Your doctor, dentist, insurance company and gov’t agencies all have enough info for someone to steal your identity
• You are at risk even if you never use a computer
• It is up to you to protect your identity / credit
IDENTITY THEFT DEFENSE
• Best defense is to freeze your credit at all three national credit reporting agencies (Equifax, TransUnion, Experian)
• Each state regulates terms and cost
• Cost is usually $10 or less for each freeze/thaw
• If you need credit, initiate a thaw at only the reporting agency your creditor will use
OTHER THREATS
• Debit cards - burden of proof is on you
• Cell phone
  - Wipe data before disposal (www.recellular.com)
  - Turn off Bluetooth when not using it
  - Lock access with a passcode
  - Smartphone apps may be malware
  - Turn off location services unless needed
• Be careful what you post; it will be cached
• Social networking sites are a haven for malware and social engineering attacks
• Don’t broadcast that you are not home
• Don’t use real password hint answers
• Don’t use real personal info
• Many cordless phones are easily eavesdropped, and so are VOIP calls
• Even your car spies on you - its computer tracks your speed, braking, steering, etc.
COOKIES & PRIVACY
• HTML cookies are mostly safe. They are used to identify you as you browse a website and are easily deleted by your browser.
• “Zombie” cookies (aka Browser Helper Objects) are another matter.
  - May be persistent
  - Can’t delete via browser
  - Can turn on your microphone or webcam
ZOMBIE COOKIES
• Manage at: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
MANY WAYS TO STEAL YOUR PERSONAL INFO ONLINE
• Phishing
• Clickjacking
• Keyloggers
• Hijacking
• Tab phishing
• “Social engineering”, and the list goes on
BEST DEFENSES
• Don’t visit porn or other questionable sites (Web of Trust browser add-on or OpenDNS client)
• Use a password manager (LastPass) and let it choose secure passwords
• Financial websites:
  - Use two-factor authentication (token, SMS, call, etc.)
  - Empty your sandbox and close your browser
  - Use a site-specific browser
• There may be LOTS of info on your computer’s hard drive. Nuke the HD or destroy it if you are disposing of an old computer. Remove all confidential data from the HD if taking it in for service.
• Keep confidential info on an external drive that is not connected to your computer unless you need it.
• Encrypt confidential information on your hard drive and on your external or flash drive using a program such as TrueCrypt
• Crossing the border? Homeland Security gives border agents the right to seize any electronic equipment
• Back up your data and keep one copy off-site
CREDIT CARD USE ON THE WEB
• OK to use at major sites
• Make sure SSL is enabled (https)
• For best security, check whether your credit card vendor offers a one-time-use number option
• PayPal - pay via your credit card, not your bank account
• Use PayPal for unfamiliar sites, NOT a credit card (they may steal your number)
WIFI
• AT HOME:
  - Use WPA2 encryption
  - Change the router’s default login and password
  - Don’t allow others to connect to your network (LAN or WiFi) unless you provide them with a separate router
  - Or, get a router that allows separate Guest Access that completely isolates the guest
  - Or, just turn off all your computers until the guest is done and disconnected
PUBLIC WIFI / LAN
• Simple software allows anyone to capture your session on unencrypted / shared-key WiFi
• Email login and password may be sent “in the clear”
• YahooMail (and others) has a secure login, but messages are not encrypted
• General web browsing is done “in the clear”
• Best defense - use HotSpot Shield (free service, www.hotspotshield.com)
• Always use a software firewall
• Ensure file sharing is disabled
• Turn off WiFi and Bluetooth when not using them
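As an added illustration (not part of the original slides), a small Python audit that sorts a constructed list of web requests into what someone on the same open WiFi network can read: the record format, the login-path rule and the sample URLs are all assumptions made up for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records (not real traffic), one per request:
# "METHOD URL AUTHORIZATION-HEADER-OR-DASH". The https login followed by a
# plain-http inbox mirrors the "secure login, unencrypted messages" case above.
SAMPLE_REQUESTS = [
    "POST https://mail.example.net/login -",
    "GET http://mail.example.net/inbox -",
    "POST http://forum.example.org/signin -",
    "GET http://intranet.example.com/files Basic dXNlcjpzZWNyZXQ=",
    "GET https://bank.example.com/accounts -",
]

# Assumed path fragments that mark a login form submission.
LOGIN_PATH = re.compile(r"/(login|signin|auth|session)\b", re.IGNORECASE)


def classify_request(record):
    """Return (url, risk) for one record.

    encrypted              - https: contents are protected in transit
    cleartext-credentials  - a login POST or HTTP Basic header over plain http,
                             so the password itself is readable on the network
    cleartext-browsing     - other plain-http traffic, readable by anyone nearby
    """
    method, url, auth = record.split(" ", 2)
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url, "encrypted"
    if auth.startswith("Basic ") or (method == "POST" and LOGIN_PATH.search(parts.path)):
        return url, "cleartext-credentials"
    return url, "cleartext-browsing"


def audit(records):
    """Group request URLs by risk so the exposed logins stand out."""
    report = {"cleartext-credentials": [], "cleartext-browsing": [], "encrypted": []}
    for rec in records:
        url, risk = classify_request(rec)
        report[risk].append(url)
    return report


if __name__ == "__main__":
    for risk, urls in audit(SAMPLE_REQUESTS).items():
        print(risk)
        for url in urls:
            print("   ", url)
```

The same classification applied to a browser history or proxy log shows which of your own logins would need a VPN such as HotSpot Shield before using public WiFi.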
ADDITIONAL HINTS
• Inventory your possessions for insurance (include pictures, receipts, serial numbers, model numbers, date purchased, etc.)
• Keep an updated list of all important info (credit card numbers and contact info, medical/prescription info, banking, insurance, vehicle license/serial numbers, etc.). KEEP ONE COPY OFFSITE, ENCRYPTED
• Don’t carry your checkbook with you