Home Computer Security and Privacy: Verification and Prevention
A presentation by Patrick Douglas Crispen, Faculty Development Center, California State University, Fullerton
A quick review: Worms and crackers
• Connect to the internet and two things will target and attack your computer: worms and crackers.
• To protect your computer, you need to “hide” it.
• If worms and crackers can’t see your computer, they [hopefully] won’t attack you.
• How do you hide your computer? Use a firewall.
A quick review: What is a firewall?
• Either hardware or software that stands between your computer and the Internet and provides “access control”—it determines what can and cannot pass.
• Broadband users need both a hardware firewall/router and a software firewall.
• Dial-up users only need a software firewall.
Uh… WHAT!?
If all of this is Greek to you, check out the free “Home Computer Security and Privacy: Firewalls and Exploit Management” presentation at http://fdc.fullerton.edu/crispen/
Our goals
• Double-check your firewall’s effectiveness at preventing attacks.
• Verify that your computer really does have all of the critical security patches from Microsoft or Apple.
• Learn why up-to-date antivirus software is an absolute necessity.
• Protect your computer from spyware and malware.
• Do all of this in ENGLISH!
Part One: Test your Firewall[s]
How can you tell if your firewall is keeping the bad stuff out?
Testing your firewall
• The best way is to have a trusted entity attack it.
• There are people called “white hat hackers” or “sneakers” who can do this for you…for a price.
• That price is usually the same as the price of a mortgage payment in Beverly Hills.
• Or you can do it yourself for free with both “Sygate Online Services” and Steve Gibson’s “Shields Up.”
Sygate Online Services
• Sygate is one of the biggest players in the corporate security market, and they also make one of the better software firewalls: Sygate Personal Firewall [http://smb.sygate.com/]
• They also offer a free web tool called “Sygate Online Services” that probes your firewall[s] looking for vulnerabilities.
• And since the scan is done online, it works with PCs, Macs, and *nix boxes.
http://scan.sygate.com/
• Go to scan.sygate.com.
• Click on the black “Scan Now” button.
• This starts something called the “Prescan.”
Sygate prescan
The first three bits of information—your IP address, your operating system, and the name of your web browser—are [more or less] “public” information.
IP and OS and browser, oh my!
• If you have a router with NAT, that isn’t your IP address anyway. It’s your router’s.
• Your operating system and browser information came from the HTTP GET packet your browser sent when it requested the Sygate web page.
• See http://www.rexswain.com/httpview.html or http://www.ipchicken.com/ if you don’t believe me.
• “There’s nothing to see here. Move along.”
The important stuff
• Don’t worry if Sygate can see your computer’s IP address, operating system, or the name of your web browser.
• BUT, if Sygate can see your computer name or the services running on your computer, your computer could potentially have a serious security problem.
Windows file and printer sharing
Windows comes with a built-in service called “File and Printer Sharing for Microsoft Networks.”
• File sharing lets you make files and folders in a shared folder accessible to others on your home network to view, copy, or modify.
• Printer sharing lets you share a printer with all the other computers on your home network.
• Check out http://tinyurl.com/ywh8q for more information.
Your files, now available online
• Unless you are really careful, your computer may be sharing your files with everyone on the Internet.
• How can you tell?
• Scan “port 139” on your computer to see:
  • If file and printer sharing is turned on; and
  • If those shares are accessible from the Internet.
Grandma, what big pipes you have!
• You connect to the Internet through a single wire—a telephone line, a coaxial cable, etc.
• That one wire carries everything: Web pages, instant messages, emails, spam, etc.
• How does your computer sort through the wire’s incoming data and forward that data to the appropriate software applications?
• Well, your computer uses something called “ports.”
Ports
• Ports don’t exist in the physical world.
• They’re “pretend” addresses inside of your computer that your computer uses to route incoming data to the appropriate software application.
• Port 80 forwards to your web browser.
• Port 110 forwards to your email program.
• Port 5190 forwards to AIM.
• How many of these pretend addresses [or ports] are there? Officially, up to 65,536. Source: http://www.iana.org/assignments/port-numbers
The potential danger of port 139
• Crackers and script kiddies LOVE port 139, the port used by Windows file and printer sharing.
• Crackers and script kiddies have software that scans thousands of Internet connections looking for Windows file and printer shares accessible through port 139.
• If the cracker or script kiddie maps to that share, he’s in. It’s as if he was sitting in front of your computer [although, in reality, he can only access the stuff that is being shared].
Peek-a-boo! We ALL see you!
• Your goal is to have Sygate Online Services tell you that it was both
  • Unable to determine your computer name; and
  • Unable to detect any running services.
• If Sygate can’t see your computer, neither can the crackers.
Uh-oh!
• But if Sygate can see you, it means that
  • You don’t have a firewall.
  • If you do have a firewall, it either isn’t working or isn’t properly configured.
  • File and Printer Sharing for Microsoft Networks may be sharing your personal files with the entire planet.
• To fix your firewall
  • Check your firewall’s setup instructions.
  • Visit the support section of your firewall manufacturer’s web site.
Fixing file and printer sharing
To fix the File and Printer Sharing for Microsoft Networks problem,
• Call both your Internet Service Provider’s and your school’s/employer’s helpdesks and ask them: “Can you think of any reason why I shouldn’t disable NetBIOS over TCP/IP on my home computer?”
• If the answer is yes, ask for a handout showing you how to secure your NetBIOS over TCP/IP connection.
• If the answer is no, disable NetBIOS over TCP/IP. You don’t need it.
Disabling NetBIOS over TCP/IP
See http://comp.bio.uci.edu/security/netbios.htm for instructions on how to disable NetBIOS over TCP/IP.
Wait. There’s more.
Once Sygate Online Services’ prescan gives you a clean bill of health, there are four more scans you need to run.
• Stealth Scan
• Trojan Scan
• TCP Scan
• UDP Scan
Stealth Scan
• This re-runs the prescan using common cracker stealthing techniques to try to sneak past your firewall.
• Takes about 30 seconds.
What you’re looking for
• Your goal is to have the Stealth Scan tell you that all of the ports it scanned are “blocked.”
• However, if Sygate tells you that a particular port is “Closed” instead of blocked, you could have a problem.
• Sygate is telling you that while it couldn’t break into that particular port, it could still see it.
• Remember: if a port can be seen, it can be attacked.
• You need to IMMEDIATELY check your firewall’s setup instructions or the manufacturer’s web site to find out how to “stealth” that particular port.
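The open / closed / blocked distinction the scans report, and the port 139 check from earlier, can be reproduced on a small scale. The following Python script is an added example, not part of the presentation or of any Sygate or GRC tool, for probing a machine you own from a second computer outside its firewall; the host and port values are constructed for illustration.

```python
import socket

# Added example, not from the presentation or any Sygate/GRC tool. Probe a
# host you own from a second computer outside its firewall and report each
# TCP port the way the online scans do:
#   "open"    -> handshake completed, a service answered
#   "closed"  -> host sent a reset: nothing listens, but the host is visible
#   "blocked" -> no reply at all: the firewall dropped the probe ("stealth")
FILE_SHARING_PORTS = {139: "NetBIOS session (file and printer sharing)",
                      445: "SMB over TCP (file and printer sharing)"}


def probe_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'blocked' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"       # RST came back: visible but not listening
    except socket.timeout:
        return "blocked"      # silently dropped: the port is stealthed
    except OSError:
        return "unreachable"  # e.g. no route to host
    finally:
        sock.close()


def check_file_sharing(host, timeout=2.0):
    """{port: verdict} for 139 and 445; anything but 'blocked' means the
    file-sharing ports are at least visible from where you are probing."""
    return {p: probe_port(host, p, timeout) for p in FILE_SHARING_PORTS}


def self_test():
    """Offline demonstration: a throwaway listener on 127.0.0.1 reads as
    'open'; the same port reads as 'closed' once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    return while_listening, probe_port("127.0.0.1", port)  # ("open", "closed")


if __name__ == "__main__":
    print(self_test())
    for port, verdict in check_file_sharing("127.0.0.1").items():
        print(f"port {port} ({FILE_SHARING_PORTS[port]}): {verdict}")
```

Run it against your own public address from a machine outside your firewall; a verdict of "closed" on 139 or 445 is the "visible but not broken into" case the slide warns about.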
Beware of G[r]eeks bearing gifts
• After the Stealth Scan, run a Trojan Scan.
• A Trojan Horse is a type of virus that masquerades as a legitimate program but contains a payload that can damage your computer.
• Many Trojan Horses have backdoors—they attach themselves to a particular port to listen for an activation command from the internet.
• See http://scan.sygate.com:443/cgi-bin/probe/trojans.cgi for more information.
Trojan Scan
• Sygate’s Trojan Scan searches through over 65,000 ports looking for Trojan Horses hiding on your computer.
• Takes about 20 minutes.
What you’re looking for
• If your firewall is working properly, there won’t be anything for Sygate to scan, so it will angrily give up.
• BUT, if Sygate finds a Trojan Horse on your computer
  • Write the name of the Trojan Horse on a piece of paper.
  • Go to http://www.symantec.com/avcenter/vinfodb.html and search for that Trojan’s removal instructions.
TCP Scan
• Sygate’s TCP Scan checks if any of the first 1,024 ports on your computer are both open for attack and visible to crackers.
• Can take up to 45 minutes.
What you’re looking for
• If your firewall is working properly, Sygate will [eventually] tell you that all of your first 1,024 TCP ports are closed to outside attack.
• BUT, if Sygate tells you that a particular port is “Open,” immediately check your firewall’s setup instructions or the manufacturer’s web site to find out how to both close and stealth that particular port.
UDP Scan
• Besides TCP ports, your computer also has UDP ports.
• Sygate’s UDP Scan tells you if any UDP ports on your computer are both open for attack and visible to crackers.
• Can take up to 20 minutes.
What you’re looking for
• Like with the previous scans, you’re hoping that Sygate tells you your firewall blocked all of its probes.
• BUT, if Sygate tells you your firewall isn’t blocking UDP ports, check your firewall’s setup instructions or the manufacturer’s web site.
Done?
• Once you’ve run all the firewall tests at Sygate Online Services you’re done, right?
• Not exactly.
• To be COMPLETELY sure your firewall is protecting your computer, you really need to test your firewall one more time using a different tool: Steve Gibson’s “Shields Up.”
Shields Up!
• Go to grc.com or search for “Shields Up.”
• Click on the file sharing, common ports, all service ports, and messenger spam buttons to test those particular vulnerabilities.
DONE!
• Once you’ve tested your firewall[s] with both Sygate Online Services and Shields Up—and once you’ve received a clean bill of health from both—you can pretty much forget about your firewall[s].
• It’s as squared away as it’s going to get.
• The next step is to double-check Windows Update / Apple Software Update.
Part Two: Run Windows Update, Apple Software Update, and MBSA
Close the known operating system vulnerabilities.
How to patch Windows
• When Microsoft finds a security hole in Windows or Internet Explorer, they [usually/eventually] release a patch called a “Critical Update.”
• In Internet Explorer, go to Tools > Windows Update.
• Click on Scan for updates.
How to patch the Apple OS
• Apple menu > Software Update
• To get updates immediately:
  • Choose System Preferences from the Apple menu.
  • Choose Software Update from the View menu.
  • Click Update Now.
  • In the Software Update window, select the items you want to install, then click Install.
[Image courtesy Apple.com]
Manually run Windows Update or Apple Software Update at least once a week.
Your computer should, by default, automatically check for updates. That’s cool, but also run the update manually just to be safe.
A dirty Microsoft secret
• Windows Update lies.
• It frequently thinks you’ve installed a critical update you haven’t, leaving your computer vulnerable.
• That’s where Microsoft’s Baseline Security Analyzer [MBSA] comes in.
MBSA 1.2.1
MBSA is a free program from Microsoft that scans for over 60 common system misconfigurations and almost any Microsoft security update your computer may be missing.
What MBSA does
• MBSA double-checks the security of
  • Windows (*)
  • Microsoft Office 2000 and later
  • Internet Explorer 5.01 and later
  • Windows Media Player 6.4 and later
  • A bunch of other Microsoft applications and services
• MBSA analyzes, you fix.
  • MBSA tells you what’s wrong and points you to the solution.
  • You have to apply the solution.
Bad news/good news
• (*) MBSA only works on Windows XP, 2000, and Server 2003.
• It was designed for corporate tech support, but there is no reason why you can’t use it at home.
• Oh, and it’s free.
• To get the latest version of Microsoft’s MBSA,
  • Search for “microsoft mbsa” at Google.
  • The first hit—Microsoft Baseline Security Analyzer V1.2.1—takes you to the download page.
Running MBSA
• Once you’ve downloaded and installed MBSASetup-EN.msi, double-click on the MBSA “watering can” [padlock and checkmark] icon.
• This opens the MBSA welcome screen.
• Click Scan a computer.
Running MBSA
• On the next screen, don’t change anything.
• Make sure you are connected to the Internet and then click Start scan.
• MBSA calls home to Microsoft and downloads something called “MSSecure.cab.”
• This file contains information about practically every patch Microsoft has released.
How MBSA really works
• MBSA scans your computer’s operating system, operating system components, and Microsoft applications.
• MBSA then compares the version numbers of the stuff on your computer with the latest version numbers in the MSSecure.cab file.
• Finally, MBSA shows you which updates your computer is missing.
Failures
• Critical failures [red Xs] require you to immediately install a patch or update to ensure the strongest security of your computer.
• Non-critical failures [yellow Xs] happen when there is a newer version of something available, but you don’t really have to upgrade…yet.
• Best practices [blue asterisks] could signify a problem—MBSA can’t confirm that those particular security updates have been installed.
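The version comparison described under “How MBSA really works,” together with the three failure categories above, as an added model in Python. This is not MBSA’s own code and not the real MSSecure.cab format; every component name, version number and patch id in it is a constructed placeholder.

```python
# Added example, not MBSA's own code and not the MSSecure.cab format: a
# miniature of the comparison MBSA performs. A catalog of latest versions is
# compared with what a scan found on the machine, and each result lands in one
# of the report's categories. All names, versions and patch ids are constructed.

def parse_version(text):
    """'5.1.2600.2180' -> (5, 1, 2600, 2180). Tuples compare field by field,
    so 2.10 ranks above 2.9 (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in text.split("."))

# Constructed catalog: component -> (latest version, patch id, critical?)
CATALOG = {
    "ExampleOS core":     ("5.1.2600.2180", "KB-EXAMPLE-1", True),
    "ExampleBrowser":     ("6.0.2900.2180", "KB-EXAMPLE-2", True),
    "ExampleMediaPlayer": ("10.0.0.3646",   "KB-EXAMPLE-3", False),
    "ExampleOffice":      ("11.0.6568.0",   "KB-EXAMPLE-4", True),
}

def assess(installed, catalog=CATALOG):
    """installed: component -> version string found by the scan, or None when
    the component is present but its version could not be read.
    Returns component -> (category, detail)."""
    report = {}
    for name, (latest, patch, critical) in catalog.items():
        if name not in installed:
            report[name] = ("not installed", "nothing to check")
        elif installed[name] is None:
            # blue asterisk: scanner cannot confirm the update is installed
            report[name] = ("best practice", f"cannot confirm {patch}")
        elif parse_version(installed[name]) < parse_version(latest):
            # red X when the missing patch is critical, yellow X otherwise
            kind = "critical failure" if critical else "non-critical failure"
            report[name] = (kind, f"missing {patch}: have {installed[name]}, need {latest}")
        else:
            report[name] = ("ok", f"{installed[name]} is current")
    return report

def to_fix_first(report):
    """The 'you fix' list: components with a critical failure, by name."""
    return sorted(n for n, (kind, _) in report.items() if kind == "critical failure")

if __name__ == "__main__":
    # Constructed scan result: one critical, one non-critical, one unreadable, one current
    scan = {"ExampleOS core": "5.1.2600.2100", "ExampleBrowser": "6.0.2900.2180",
            "ExampleMediaPlayer": "9.0.0.3250", "ExampleOffice": None}
    for name, (kind, detail) in assess(scan).items():
        print(f"{kind:21} {name}: {detail}")
    print("fix first:", to_fix_first(assess(scan)))
```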
What’s important and what isn’t
• MBSA’s security report has seven sections, and you only have to worry about two:
  • Security Update Scan Results [at the top of the report]
  • Desktop Application Scan Results [at the very bottom]
• The five sections in the middle don’t really apply to home users.
  • Problems here are important but rarely critical.
  • You can fix the problems in the middle five sections if you want, but you don’t have to.
Fixing the critical failures
• Remember, MBSA analyzes, you fix.
• To find a fix for a critical failure in Security Update Scan Results or Desktop Application Scan Results, click on the Result Details link next to that critical failure.
Result details
• This shows you exactly what’s missing or is misconfigured.
• Click on each link and it opens a page in Internet Explorer telling you how to download the appropriate patch.
• REMEMBER TO INSTALL THE PATCHES AFTER YOU DOWNLOAD THEM!
• MBSA won’t do it for you.