Protecting your computer

Chris Taylor, President, Ottawa PC Users’ Group

Computer Security

• Antivirus
• Personal firewall (keeping bad guys out of your computer)
• Updates for vulnerabilities (security patches)
• Anti-spyware

It is far easier to keep your computer free of security problems than fix it after it has security problems!

Viruses

• “Malware” (virus, worm, Trojan)
  – Virus spreads from one file to another
  – Worm spreads by itself from one computer to another
  – Trojan does some malicious action but does not spread itself
  – Other variants

Antivirus

How they spread

• Removable media (CD-R, USB memory sticks, …)
• Programs
• Documents
• E-mail
• Networks
• Drive-by downloads

Virus scanner

• Real-time scanning
  – Watches as files are read/written
• On-demand scanning
  – Checks files already written to disk
• In-memory scanning
  – Some worms are never written to disk (e.g. SQL Slammer)

Signature vs. heuristics

• Signature
  – Looks for exact byte patterns
  – Can have false positives (rare)
  – Only as good as the last update
• Heuristics
  – Looks for “virus-like” activity
  – Can catch some “unknown” malware
  – Can’t catch everything

Keeping it effective

• Law #8: “An out of date virus scanner is only marginally better than no virus scanner at all.” *
• New versions = new functionality
• Keep it on unless an installation requires it be disabled
• On-access & in-memory scanning most important

* The Ten Immutable Laws of Security from technet.microsoft.com/en-ca/library/cc722487.aspx
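The signature-versus-heuristics distinction above, shown in miniature. This is an added example, not code from the slides or from any antivirus vendor: the signature database, the three heuristic traits and the sample files are all constructed for the demonstration. It shows the three points the slide makes: a signature finds only bytes it already knows, a signature can misfire on harmless data that happens to contain those bytes, and heuristics can flag an unknown variant but cannot be certain from one trait alone.

```python
"""Signature vs. heuristic scanning in miniature. Added illustration, not the
deck's own code; the signature database and every sample file are constructed."""
from __future__ import annotations
import os

# Constructed signature database: detection name -> exact byte pattern.
# A real one holds millions of entries and is only as good as its last update.
SIGNATURES = {
    "Example.Worm.A": b"MZ\x90\x00WORM-A-PAYLOAD",
    "Example.Trojan.B": b"TROJAN-B-MARKER-7f3a",
}

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".vbs", ".pif"}


def signature_scan(data: bytes) -> list[str]:
    """Exact byte-pattern match: finds only what the database already knows."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(filename: str, data: bytes) -> list[str]:
    """Look for 'virus-like' traits. Any single trait is weak evidence on its own."""
    traits = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    is_windows_exe = data.startswith(b"MZ")          # DOS/PE executable header
    # Trait: executable bytes behind a document extension
    if is_windows_exe and ext in DOCUMENT_EXTENSIONS:
        traits.append("executable-disguised-as-document")
    # Trait: double extension such as invoice.pdf.exe (invisible when Windows hides extensions)
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        traits.append("double-extension")
    # Trait: an executable that launches a command shell
    if is_windows_exe and (b"cmd.exe /c" in data or b"powershell" in data.lower()):
        traits.append("spawns-command-shell")
    return traits


def scan(filename: str, data: bytes) -> dict:
    """A signature hit is a definite detection; heuristics need two traits to raise a flag."""
    sigs = signature_scan(data)
    traits = heuristic_scan(filename, data)
    if sigs:
        verdict = "malicious"
    elif len(traits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"file": filename, "signatures": sigs, "traits": traits, "verdict": verdict}


# Constructed sample files (byte strings standing in for real file contents)
SAMPLES = {
    # Known malware: the database has its exact bytes
    "known_worm.exe": b"MZ\x90\x00WORM-A-PAYLOAD" + b"\x00" * 16,
    # Unknown variant: no signature, but two virus-like traits
    "invoice.pdf.exe": b"MZ\x90\x00new variant cmd.exe /c del *.*",
    # Legitimate installer that also runs a shell command: one trait only, stays clean
    "setup.exe": b"MZ\x90\x00legit installer cmd.exe /c regsvr32 /s lib.dll",
    # Plain picture
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    # Text file that happens to contain a signature's bytes: the rare false positive
    "notes.txt": b"Seen the string TROJAN-B-MARKER-7f3a quoted in a forum post",
}


def scan_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, dict]:
    """Scan every sample; returns filename -> scan result."""
    return {name: scan(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in scan_all().values():
        print(f"{r['file']:18} {r['verdict']:10} sigs={r['signatures']} traits={r['traits']}")
```

The "notes.txt" case is the one to notice: the scanner calls it malicious because the bytes match, which is exactly the false positive the slide warns about, and "invoice.pdf.exe" is caught only because two traits coincide, which is why a real product pairs heuristics with constant signature updates rather than relying on either alone.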

Check suspicious files

• www.VirusTotal.com

World is changing

• First half of 2011 – 150,000 new, unique malware per day! *
  – That’s one unique piece of malware every half second, 24 hours per day! (up from 95,000 in 2010, 50,000 in 2009)
  – Signatures can’t keep up
  – New techniques required
  – Reputation most promising

* Sophos Security Threat Report Mid-Year 2011

Free On-demand Scanners

• Trend Micro HouseCall - housecall.trendmicro.com/
• Bitdefender - www.bitdefender.com/scanner/online/free.html
• Kaspersky - www.kaspersky.com/virusscanner
• ESET - www.eset.com/us/online-scanner/
• F-Secure - www.f-secure.com/en/web/labs_global/removal/online-scanner
• Panda ActiveScan - www.pandasecurity.com/homeusers/solutions/activescan/
• Microsoft Safety Scanner - www.microsoft.com/security/scanner/en-us/default.aspx (can be used on non-connected PCs)

Free Off-line Scanners

• Bootable optical disc or USB flash drive
• Scan system before Windows loads
• Microsoft Standalone System Sweeper beta
  – connect.microsoft.com/systemsweeper
• Kaspersky Rescue Disk 10
  – www.kaspersky.com/virusscanner

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Other protection

• Don’t click on everything on the Internet
• Use a file viewer
  – Free Opener - www.freeopener.com
  – FreeFileViewer - www.freefileviewer.com
• Consider using a different PDF reader
  – Foxit Reader - www.foxitsoftware.com/Secure_PDF_Reader/
• Be suspicious
  – Not always enough
• Always show file extensions
  – Control Panel | Folder Options | View tab

Free Antivirus Resources

• Free antivirus programs
  – Microsoft Security Essentials - www.microsoft.com/security_essentials/
  – Avast Home Edition - www.avast.com/free-antivirus-download
  – AVG - free.avg.com/download-avg-anti-virus-free-edition
  – Avira AntiVir - www.avira.com/en/avira-free-antivirus
• Free Offline Scanners
  – Microsoft Standalone System Sweeper beta - connect.microsoft.com/systemsweeper
  – Kaspersky Rescue Disk 10 - www.kaspersky.com/virusscanner

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Free Antivirus Resources

• Free file viewers
  – www.freeopener.com
  – www.freefileviewer.com
  – www.foxitsoftware.com/Secure_PDF_Reader/
• Check suspicious files
  – VirusTotal - www.virustotal.com

Personal Firewalls

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Personal firewall

• Checks traffic going in and (sometimes) out of your computer
• May check for applications accessing the Internet
• May check for known attack patterns

Computers on Internet

A: Web server – Address: 69.196.181.75 – Listening on port 80
B: Your computer – Address: 65.48.198.200 – Source port: 13248

• TCP/IP is the protocol used on the Internet
• Every machine has a unique address
• To connect to another computer, you connect to a port

Open ports

• Every computer has ports listening
• You don’t want people to initiate connections to your computer
• You don’t even want people to know your computer is there

What a firewall does

• Watches traffic going in and out of your computer
• Can block or allow traffic based on:
  – Direction
  – Protocol
  – Source IP address
  – Source port
  – Destination IP address
  – Destination port

Firewall rules

Rule 1 – direction outbound, protocol TCP, source port any, source address any, destination port 80, destination address 69.196.181.75, allow
Rule 2 – direction outbound, protocol TCP, source port any, source address any, destination port 80, destination address any, deny

• Rule 1 would allow web browser to access the OPCUG web server
• Rule 2 would block all other normal web browsing

Intrusion detection

• Not really a firewall technology
• Examines traffic for known attack patterns
  – Ping can be useful
  – Specially crafted ping packet (ping of death) can be harmful

Application based rules

Rule 1 – iexplore.exe, direction outbound, protocol TCP, source address local machine, source port any, destination address any, destination port 80 or 443, time of day 16:00 to 22:00, allow
Rule 2 – systrayicon.exe, direction outbound, protocol any, source address local machine, destination address any, destination port any, deny

• Rule 1 allows Internet Explorer to access any web site from 4-10pm
• Rule 2 blocks the Sub7 Trojan program from accessing any external site

Learning mode

• Allows normal use
• Pops up when traffic detected
• You can permit or deny traffic
  – Firewall creates a rule
• You can edit or delete rules
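The packet rules from the "Firewall rules" slide and the application rules from the slide above, written out as data and evaluated the way a personal firewall does it: first matching rule wins, and anything no rule mentions falls through to a default. This is an added example, not the deck's own code or any firewall product's engine; "local machine" is modelled as the PC's own address from the slides (65.48.198.200), the connections in `demo()` are constructed, and 203.0.113.0/24 is the reserved documentation address range.

```python
"""First-match firewall rule evaluation. Added example, not the deck's own
code: it encodes the packet rules and application rules from the slides as
data and evaluates constructed connections against them."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

ANY = "any"
MY_PC = "65.48.198.200"          # "your computer" on the slide; also stands in for "local machine"
OPCUG_WEB = "69.196.181.75"      # the OPCUG web server on the slide


@dataclass
class Connection:
    direction: str               # "inbound" or "outbound"
    protocol: str                # "TCP", "UDP", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str = "unknown"         # process owning the socket, when the firewall can tell
    when: time | None = None     # time of day the connection was attempted


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = ANY
    protocol: str = ANY
    src_ip: str = ANY
    src_port: object = ANY       # a port number, a set of ports, or ANY
    dst_ip: str = ANY
    dst_port: object = ANY
    app: str = ANY
    hours: tuple[time, time] | None = None   # (start, end) within one day; None = always


def _field_ok(wanted, actual) -> bool:
    """ANY matches everything, a collection matches by membership, strings compare case-insensitively."""
    if wanted == ANY:
        return True
    if isinstance(wanted, (set, frozenset, tuple, list)):
        return actual in wanted
    if isinstance(wanted, str) and isinstance(actual, str):
        return wanted.lower() == actual.lower()
    return wanted == actual


def matches(rule: Rule, conn: Connection) -> bool:
    """Every field of the rule must match the connection, time window included."""
    if rule.hours is not None:
        start, end = rule.hours
        if conn.when is None or not (start <= conn.when <= end):
            return False
    fields = ("direction", "protocol", "src_ip", "src_port", "dst_ip", "dst_port", "app")
    return all(_field_ok(getattr(rule, f), getattr(conn, f)) for f in fields)


def evaluate(rules: list[Rule], conn: Connection, default: str = "deny") -> str:
    """First matching rule wins; anything no rule mentions gets the default (deny is the safe choice)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default


# "Firewall rules" slide: allow web traffic to the OPCUG server, deny all other web traffic
PACKET_RULES = [
    Rule("allow", direction="outbound", protocol="TCP", dst_port=80, dst_ip=OPCUG_WEB),
    Rule("deny", direction="outbound", protocol="TCP", dst_port=80),
]

# "Application based rules" slide: IE may browse 16:00-22:00; systrayicon.exe (Sub7) may not talk out at all
APP_RULES = [
    Rule("allow", app="iexplore.exe", direction="outbound", protocol="TCP", src_ip=MY_PC,
         dst_port={80, 443}, hours=(time(16, 0), time(22, 0))),
    Rule("deny", app="systrayicon.exe", direction="outbound", src_ip=MY_PC),
]


def demo() -> dict[str, str]:
    """Constructed connections; returns label -> decision."""
    other = "203.0.113.10"   # some other server (documentation address range)
    cases = {
        "browser to OPCUG web server": (PACKET_RULES, Connection("outbound", "TCP", MY_PC, 13248, OPCUG_WEB, 80)),
        "browser to another web server": (PACKET_RULES, Connection("outbound", "TCP", MY_PC, 13249, other, 80)),
        "outsider connecting in to port 80": (PACKET_RULES, Connection("inbound", "TCP", other, 40000, MY_PC, 80)),
        "IE to an https site at 18:00": (APP_RULES, Connection("outbound", "TCP", MY_PC, 13250, other, 443, "iexplore.exe", time(18, 0))),
        "IE to an https site at 23:00": (APP_RULES, Connection("outbound", "TCP", MY_PC, 13251, other, 443, "iexplore.exe", time(23, 0))),
        "systrayicon.exe phoning home": (APP_RULES, Connection("outbound", "UDP", MY_PC, 13252, other, 6711, "systrayicon.exe", time(18, 0))),
    }
    return {label: evaluate(rules, conn) for label, (rules, conn) in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{decision:5}  {label}")
```

Two things worth noticing when running it: the inbound connection to port 80 is refused even though no rule names it, because the default is deny, which is what the "Open ports" slide asks for; and Internet Explorer at 23:00 is refused for the same reason, since Rule 1 stops matching outside its time window and nothing else allows it.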

Outbound Firewall – WTF?

Free Personal Firewalls

• Free Firewall software
  – Windows XP SP2/SP3, …
  – Zone Alarm - www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
  – Comodo - http://personalfirewall.comodo.com/

Updates for Vulnerabilities (security patches)

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Security vulnerabilities

• All software may contain security vulnerabilities
  – Allow a denial of service
  – Steal information/credentials
  – Allow a cracker to take over the computer
• Most software does contain vulnerabilities
• The more popular the software, the more likely vulnerabilities will be found
• Keep up to date on security patches

Automatic Updates

• Microsoft has a decent service known as “Automatic Updates”
  – Use at least in “notify” mode
  – Would you rather have Microsoft automatically install software on your computer, or a cracker in eastern Europe do it?
• Periodically do a manual check at Microsoft Update as a double-check

Before updating

• Regular patches
  – Race is on once released
  – Apply within a few days
• Major service packs
  – Don’t rush (24 month window)
  – Read documentation
  – Update drivers
  – Check for compatibility
  – Backup system
  – Not while on battery
  – Reboot before and after

Patching 3rd Party Apps

• A few vendors include auto-update
  – If they have it, use it
• Get Secunia’s Personal Software Inspector
  – Detects over 12,000 applications and monitors for security vulnerabilities
  – FREE
  – Use it!

Free Vulnerability Management

• Update Microsoft software
  – Microsoft Update - www.microsoft.com/update
• Update third party software
  – Secunia Personal Software Inspector - www.secunia.com/vulnerability_scanning/personal/

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Adware / Spyware

Adware

• Generally not malicious
  – Shows ads while using your computer
• Often added as a companion to some “free” program you choose to install
• Many useful programs use adware to pay for themselves
• Can cause stability problems

Spyware

• By definition, spyware is malicious
  – Shows ads while using your computer
• Can “see” anything you can see and transmit the information to a cracker
  – Passwords
  – Credit card numbers
  – Bank account numbers
• Often causes instability
• May be difficult to remove

Spyware (continued)

• May be buried in an EULA
• Would you agree to allow someone to:
  – Install anything they want without notification
  – Uninstall anything they want without notification
  – Modify any part of your installation without notification
• Of course not!!

Spyware (continued)

“By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to BetterInternet, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from BetterInternet affiliates; and install Third Party Software.”

• Just one tiny part of one of 37 sections to an EULA for Flashtalk PC, a drive-by software installation offered when browsing to certain web sites.

Free Adware/Spyware Resources

• Great free programs for removing adware and spyware
  – Microsoft Security Essentials - www.microsoft.com/security_essentials/
  – Malwarebytes - www.malwarebytes.org
  – Spybot Search & Destroy - www.safer-networking.org/en/index.html
  – Ad-Aware - www.lavasoftusa.com/software/adaware/
• Use them regularly
• If the program can watch for and block new spyware, consider using it

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group

Other Considerations

Compromised web sites

• No such thing as a safe web site any more
  – Drive-by downloads (Fake AV very common)
  – Malvertising
  – Social engineering
  – SEO poisoning
• Google reports up to 1.3% of results infected
• 19,000 new malicious URLs each day *
  – 80% compromised legitimate web sites

Reputation services

• Netcraft toolbar (Firefox only) - toolbar.netcraft.com
• Internet Explorer SmartScreen Filter

* Sophos Security Threat Report Mid-Year 2011

Inclusion here should not be taken as any sort of endorsement on the part of the Ottawa PC Users’ Group
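What a reputation service such as the two named above actually does when it "checks against a list of known bad sites" and "looks for suspicious characteristics", reduced to a few dozen lines. This is an added illustration, not Netcraft's or Microsoft's code: the blocklist, the heuristics and the URLs are constructed, and 203.0.113.0/24 is the reserved documentation address range. The point it makes is the one the "World is changing" slide makes about signatures: a list catches only what is on it, so a host must be normalized before lookup and parent domains must be matched, and a lookalike domain that is not on the list sails through.

```python
"""A miniature site-reputation check of the kind a browser filter performs,
added as an illustration (not Netcraft's or Microsoft's code). The blocklist,
the heuristics and the URLs are constructed."""
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Constructed list of known-bad sites; a real service refreshes this continuously.
KNOWN_BAD_HOSTS = {"fake-av-download.example", "malvertising-cdn.example"}


def hostname_of(url: str) -> str:
    """Normalize the host: lower-case, port removed, trailing dot stripped."""
    host = urlsplit(url).hostname or ""   # .hostname already lower-cases and drops the port
    return host.rstrip(".")


def is_known_bad(url: str) -> bool:
    """Match the host or any parent domain, so cdn.bad.example is caught by an entry for bad.example."""
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in KNOWN_BAD_HOSTS for i in range(len(labels)))


def suspicious_characteristics(url: str) -> list[str]:
    """Constructed heuristics standing in for the 'looks for suspicious characteristics' step."""
    host = hostname_of(url)
    found = []
    try:
        ipaddress.ip_address(host)
        found.append("bare-ip-address-host")      # legitimate sites almost always use a name
    except ValueError:
        pass
    if host.count(".") >= 4:
        found.append("unusually-deep-subdomain")  # e.g. login.bank.secure.update.example.net
    if urlsplit(url).scheme not in ("http", "https"):
        found.append("unexpected-scheme")
    return found


def check(url: str) -> str:
    """block = on the known-bad list; warn = suspicious characteristics; no-match = nothing found (not proof of safety)."""
    if is_known_bad(url):
        return "block"
    if suspicious_characteristics(url):
        return "warn"
    return "no-match"


if __name__ == "__main__":
    for u in ("http://Fake-AV-Download.example.:8080/setup.exe",   # mixed case, trailing dot, port
              "https://cdn.malvertising-cdn.example/ad.js",         # subdomain of a listed host
              "http://203.0.113.5/update",                          # raw IP address as host
              "https://fake-av-download.example.net/",              # lookalike, not on the list
              "https://www.example.org/"):
        print(f"{check(u):9} {u}")
```

The "no-match" result for the lookalike domain is the reason the slides pair a reputation list with heuristics and with an up-to-date antivirus: a list can only say "known bad", never "known good".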

Netcraft Toolbar

• Risk rating & reports on sites
• Only for Firefox
• toolbar.netcraft.com

SmartScreen Filter

• For Internet Explorer 8 & 9
  – Looks for suspicious characteristics
  – Checks against list of known bad sites
  – Checks downloaded files for known bad

Not all “Doom & Gloom”

• Know your security software
• Keep antivirus up-to-date
• Use a personal firewall
• Keep software patched, especially Microsoft Windows, Office, Adobe Reader/Flash/Shockwave, Apple QuickTime, Oracle Java
• Watch for “unusual” behaviour

Resources – Security Info

• www.sans.org
• www.cert.org/homeusers/HomeComputerSecurity/
• www.microsoft.com/security/default.aspx
• labmice.techtarget.com/security/default.htm
• www.securityfocus.com

[email protected]