

Special Report:

Lock down your PC

by Simon Edwards

How to protect your privacy, files and computer system

Your computer contains a lot of information about you, the services you use and the way you use them. But while it is sensible to keep much of this information at your fingertips, you should also be aware that other people may be able to access it too.

Not everyone is worried about giving out their phone numbers to the general public (hence the existence of public phone directories), but no-one in their right mind would want to publish their credit card details to the world at large. And yet many users of personal finance software will happily dial up to the Internet and take no protective measures to prevent their files from being accessed or tampered with.

Word-processed letters written to banks, insurance companies and pension providers will all be available on the hard disk, as well as any saved Windows and Web passwords, email databases, contact lists and work schedules. This stuff is not locked in a safe - it's available to anyone who has access to your computer, be they a member of your family, a work colleague or an online attacker.

So how do you stop your personal information falling into the wrong hands? Read on to discover that with a small amount of effort you can really lock down your data, and keep it safe from prying eyes.

Identify the risks

Before you start cranking up your computer's security, identify the risks. That way you'll spend your time and money in the most sensible way. Don't spend hours implementing some form of clever disk encryption if you haven't got a firewall, anti-virus package or the latest operating system patches installed. Similarly, if you are trying to secure a work PC from the guy next to you, you'll spend your time more fruitfully ensuring that all unnecessary accounts are deleted and that your password is strong, rather than playing around with personal intrusion detection systems.

Have a brainstorm and work out where and how your sensitive data is stored, and who is most likely to access it. Some things you may want to protect include: credit card and bank account numbers; your home address and phone number; passwords to online systems such as Hotmail, your online bank and any external systems at work; access to your own PC; accounts files; contact lists; appointments; any information that may help an attacker guess any of your passwords.

Take a holistic approach - some little piece of data may not in itself seem dangerous but if you publish a personal Web page about your cat Tiddles and your email password is 'Tiddles' or 'T1ddl3s' then look out. A non-casual attacker will put two and two together. Similarly, Word documents can give details away. Check out the Properties of a .doc file and you may see the author's name, the name of his manager, and any other internal data that Word has been configured to include. Does the untrusted recipient of your latest letter need to know all this?

Hackers on the Internet

The Internet attacker is the threat most widely covered by a rash of new books and magazine articles. There is something particularly chilling about the idea of a madman sitting millions of miles away tapping into your system and wreaking his evil magic. But while it would be irresponsible to ignore the very real threat of digital vandals and thieves, it is also important to put things in perspective. You may be more at risk from your three-year-old daughter, if she gets hold of your My Documents folder and goes on the rampage with the Delete key. Address these larger threats first before continuing.

An attacker wants to access your PC for one of three main reasons. He may dislike you as an individual and want to delete your files or obstruct your Internet connection. Or he may believe that you, again as an individual, hold files that he can use. These may be valuable copies of software, sensitive business information or your own credit card numbers. Finally, and most likely, the attacker will see your computer as a way to give himself anonymity when pursuing his life of crime. Whichever motive the attacker has, you need to keep him out.

A hacker does not need to gain access to your system to gain your credit card number. Instead he may have access to the databases held by an insecure online shop. Once you pass your details to such an enterprise the attacker can gather them, along with those of other customers. An attacker may even set up an online shop himself and pretend to be a legitimate business.

For this reason it is important to only shop with known and trusted businesses, and to ensure that at the very least they use encrypted Web connections to transfer your card number to their systems. Otherwise a well-placed attacker could 'sniff' your number off an unencrypted connection. This potentially high-risk problem can be solved easily. And should your favourite Web shop be hacked and your card number used without authority, your credit card company will reimburse you.

Whether or not an online shop employs an encrypted connection, you should still avoid it if you've never heard of it and this goes double if it fails to publish a physical address or a reachable phone number. The deal that seems too good to be true may well be just that, and not only will you give away your credit card number but also your e-mail address, delivery address, mobile phone number and other personal details.

The most prominent type of hacking is Web site defacement, where an attacker gains access to a Web site and changes the homepage to announce his victory over the administrator's security skills. In this feature we will deal with personal and small business Web services rather than those used by enterprise-level companies. As such, the main problems for your site will be that the hosting company has not configured it with the latest operating system patches, that it has failed to turn off all unnecessary services and that you are sharing server space with a number of other sites. If CGI scripts are permitted you could be in trouble because, if another site on the server is compromised through a badly written CGI, the whole group of sites on the server will be at risk.

The usual solution is to either opt for a dedicated server, where the hosting company rents you a whole PC to yourself that you can configure as you please, or to build your own and place it in a rented space at a hosting company. The latter option, known as co-location, is ideal for technically-able administrators because it costs less.

Connecting a PC to an ADSL, cable or even modem Internet connection is risky if you have not spent any time locking down the computer. A personal firewall such as BlackICE PC Protection, Zone Alarm or Tiny Personal Firewall should be installed at a very minimum. These will control the network traffic flowing both into and out of the PC. They are important because without them an attacker could crash your system or, in the very worst case, gain access to it. A personal firewall will also foil most Trojans (see Computer Viruses below) that need to establish a connection with another system on the Internet.

If you run a personal Web server for testing purposes then a firewall is an absolute essential. Configured correctly it will not only prevent those on the Internet from viewing your pages, but will also protect against the numerous vulnerabilities that plague Microsoft's Internet Information Server (IIS). If you need to allow access to your PC from the Internet you should still use a firewall to prevent access to other services that are for internal use only - such as the aforementioned test Web server. If you sometimes use a modem as a backup connection to a flaky ADSL service ensure that your personal firewall is configured to cover this connection too.

A hardware firewall such as the Trend Micro GateLock X200 or the SofaWare S-box (both reviewed in the September issue) will provide solid protection to your entire network and provide the ability to segregate any systems that provide external access, such as an SSH (Secure Shell) or Web server. Hardware firewalls are less prone to failure because they don't run a wide variety of software programs that may be prone to crashing and 'feature' security holes.

Your e-mail can be read if an attacker has access to any systems that lie between you and the recipient. In-house IT staff, your ISP and the police can also read your mail. For this reason you should use encryption if you want to keep your mail private. The freeware version of PGP (Pretty Good Privacy) is still available, although the commercial version is now in mothballs and no longer available to buy. Other options include the PGP-compatible GnuPG, which is available for commercial and personal use. Be aware that using encryption on a sporadic basis will simply draw attention to your confidential messages. If you can, try to use encryption as often as possible, even with mundane communications. And dealings with financial service providers, such as accountants, should be encrypted. Our accountant installed PGP on request.

Computer viruses

You may not think that viruses pose much of a threat to your online privacy, but then you may not have heard of the Sircam virus. This nasty little program used a common means of spreading, by sending itself to people chosen from the victim's Outlook or Outlook Express address book. But it also attached a random file from the hard disk and sent it out too. Earlier this year we received a number of internal documents, CVs and so on - sent unwittingly by the infected system.

Another recently discovered virus called Badtrans installs a hidden keylogger, which records every keystroke and sends out the logs to one of a number of e-mail addresses. It also steals cached passwords, so victims who have Internet Explorer configured to remember their passwords to restricted access Web sites (perhaps a remote access to company e-mail) will have suffered a significant security compromise.

Fortunately there are a number of ways in which to defeat such viruses. The most obvious step is to install anti-virus software, and keep it up to date. But while this will filter out the random viruses that come your way, it won't defeat an aggressive attacker who is determined to install a Trojan on your system. Earlier this year I tested ten mainstream anti-virus programs and found that all but one detected the common but nasty Back Orifice 2000 backdoor program. However, with a bit of unsubtle tinkering using freely available and easy-to-use software, the same Trojan became invisible to every package with the notable exception of Kaspersky Lab's Anti-Virus Personal Pro. The details are available at www.transceiver.co.uk/txt/pav.html.

When viruses, or advanced attackers, gain control of your system they will usually attempt to alter certain essential files. You can prevent this from happening, or detect that it has, by using file integrity software. Symantec's Norton AntiVirus carries this feature, as does the BlackICE PC Defender personal firewall. In fact we've noticed that personal firewalls and anti-virus software have started to combine, which makes utter sense. Firewalls can prevent the unauthorised connections initiated by Trojans and some viruses.

An anti-virus gateway can be useful to take the load off your desktop and catch those viruses that slip through either because the desktop software wasn't up to the job, was out of date or the user has switched it off. A gateway can be a dedicated hardware box similar to a firewall, or may be an extra piece of software installed on an Internet connection sharing system. Trend Micro's GateLock X200, mentioned above, is an inexpensive way to provide extra anti-virus protection to a small network.

Don't be tempted to turn off anti-virus software just because it is affecting the PC's performance. Consider it an essential part of the computing experience and, if your system is too slow, upgrade the hardware rather than compromising on security. Remember that your data is probably worth many times the initial value of the hardware.

Malicious and gullible users

It is sad but true that one of the greatest threats to your computer-based privacy will be other people browsing through your files using your own keyboard and mouse. Work colleagues, family members, visitors and even burglars have physical access to your computer. Thieves will have more time than the others to access your data, but will most likely just wipe the drive before selling the PC on. However, you need to be sure that everyone from the most casual user to an aggressive snoop won't be able to read your files.

If you have even a passing interest in security from a local point of view you'll have given up on Windows 98/Me ages ago. There is no in-built password protection available that will keep your files from prying eyes. Instead you'll probably be using Windows NT, Windows 2000 or Windows XP. Of these, the last two support the strongest password system. While it is possible for an attacker to steal and decrypt the password from a 2000/XP system it is not as trivial a task as it is with a default un-patched installation of NT. Of course, this assumes that you have provided a password to your account in the first place.

Choosing a strong password will prevent an attacker from gaining quick access to your machine. Brute-force cracking programs take ages, so if you have chosen well, and change passwords regularly, you'll be able to stay ahead of an attacker. To illustrate this we took (with permission) the password file of a live Web server and fed it into a password cracking program, namely John the Ripper. The software was running on a Pentium III 700MHz PC dedicated to the job of cracking this single file, in which there was only one user account. It took 28 days. This is because the user had picked a relatively strong password of eight characters in length that was not a dictionary word. Had it been just one or two characters longer, our job would have taken much more time to complete.

If you've been using strong passwords and take the sensible precaution of changing them regularly, you'll have run up against the problem of remembering them. A simple way to manage your passwords is to save them to a text file and encrypt that file using PGP. Alternatively, password generating software often comes with a database facility in which you can store your passwords. Password Safe from http://passwordsafe.sourceforge.net/ is a good, simple and free program that will generate strong passwords and helps to organise them. For more on choosing and using strong passwords see below.

However, if things have got to the stage where your passwords are being cracked on a monthly basis then your PC is likely to be exhibiting one or two exploitable vulnerabilities. The likelihood is that these are due to buggy software for which a patch is already available. It is essential that you install security updates for Windows and your other software when they become available.

It is sensible that you disable any unnecessary services. Not only will this keep Internet-based hackers off your machine but, if you work on a network with others, it will also prevent colleagues hacking into your machine via a forgotten instance of IIS. It is possible that you are administering a machine that others have authorisation to use. In these cases you should install personal firewalls, anti-virus software and other security measures. And you should deny your users the right to reconfigure or remove these programs, no matter how much they moan about needing admin rights. This also guards against users who believe that they are technically skilled but who may harm the system through ill-advised actions.

For example, if your users only need to use applications rather than install them, reduce their privileges. You'll be reducing the chances of Trojans and other nasties being introduced to the system via pirated software, too. BlackICE PC Defender can block unknown applications from launching, which will also reduce the risks.

At the very least, when a low-privileged user does something silly, it only affects the system at this level rather than at the potentially disastrous administrator level. For this reason you should set up a non-administrator account for yourself too and only log in as the superuser when you really need to.

When you leave your system, perhaps for a toilet or lunch break, lock it. You don't need to shut down all your programs and log out. With Windows 2000 simply press Control-Alt-Delete and choose the Lock option. If you are running Windows XP you can choose the Switch User option. Once you're in the habit your PC will become almost unassailable by office jokers, who really just want to log into your e-mail and spoof 'amusing' messages to your colleagues or change your desktop wallpaper to display pornography.

A dedicated local attacker can still gain access to your PC by restarting it and booting from a floppy disk. You can make his life much harder by using a BIOS password that must be entered before the system can start, although this can make life hard for any systems administrators who need to legitimately access your machine. BIOS passwords can be bypassed given ten minutes of uninterrupted time with the PC and a screwdriver - this usually involves shorting a pair of pins on the motherboard.

The real solution to keeping your PC as safe as possible from this type of aggressive attack is to encrypt the whole hard disk. Luckily Windows 2000 and XP (Professional, not Home Edition) have an option to implement an Encrypting File System (EFS). At this point it is worth quoting one of Microsoft's Ten Immutable Laws of Security: "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." This is important to note because it is actually possible to reset the Administrator password and then gain access to the encrypted files.

Info-collecting Web sites

There is a lot of worry about Web sites that gather your personal details. Type DoubleClick and cookies into any search engine and you'll see thousands of links, mostly to pages addressing privacy issues. DoubleClick is an online advertising company that provides sites with an advert-serving feature. There are many benefits of such a service to online ventures, one of them being that it is possible to see which adverts have been seen the most, which have been clicked on most frequently and so on. The problem, as many people see it, is the level of information that DoubleClick collects from you when it shows you an advert.

When a banner appears in the top of your Web browser your system is simultaneously telling DoubleClick (or whichever ad-serving service is being used by your favourite site) a number of things, including your IP address, the type of domain you are using (eg. .com, .co.uk, .org), your Web browser type, your local time, which ISP you're using, which pages on the site you are choosing to view and any keyword searches you make on the site.

DoubleClick and other companies can combine this data with demographic databases. This means that you may be shown adverts that are statistically likely to be of more interest to you than others. DoubleClick keeps track of your system by planting a small text file known as a cookie on the hard disk.

While it would be easy to get hysterical about what seems like a massive breach of privacy, it is important to remember that the companies will not link personally identifiable information to anonymous user activity across Web sites. DoubleClick did plan to do this in 2000, but pressure caused the company to back down. In fact, DoubleClick and other major advertising companies allow you to opt out of receiving their cookies. You can do so by visiting www.networkadvertising.org, which provides options to avoid tracking by DoubleClick and Avenue A.

Internet Explorer 6.0 has a beefed-up set of privacy options that block cookies that uniquely identify you by default. You can also customise the settings so that your favourite sites are allowed to gather a certain degree of information but all others may not. The browser will also alert you to sites that do not have privacy policies enabled. Privacy policies are XML files that state the site's intentions on using your personal information. They are not enforceable, though, so don't go trusting them too much.

Accidental leakage

It is all too easy to give away information about yourself without realising it. One incredibly obvious example would be an individual who follows all of the advice in this feature but then publishes a Web page about himself, including phone numbers, address, photos of his car (complete with registration plate) and so on. The inclusion of an e-mail address will almost certainly ensure his place on a spam mailing list. If you need to include an e-mail address on your site write it in the format 'me at mydomain dot com', or use a graphic that displays the address in the usual format.

Registering an Internet domain places your personal details on a publicly-available database. Queries to this database aren't loggable by you so you won't know who's been looking. When you register a domain, try using your office address rather than your home details, and an e-mail address that will only be used for administering the domain. Otherwise your home address, phone number and personal e-mail address will be available to anyone who can type 'whois yourdomain.com' or 'whois -h whois.nic.uk yourdomain.co.uk'. You can easily check which details are currently made available by using the Whois query on the Samspade.org Web site.

Newsgroups (AKA Usenet) are a helpful resource when seeking answers to technical questions such as, "I am running RedHat 7.0 and am having problems setting access controls." Of course, anyone who posts such a message is advertising the operating system, applications and possibly IP address of their system - a system they have just publicly announced is not working properly. This is useful information for an attacker. If you need to ask such questions avoid giving genuine IP addresses in your postings.

While it is possible to post to newsgroups anonymously, bear in mind that you could lose some credibility if you routinely do so. You can check that someone has made a genuine posting by following the advice at http://digital.net/~gandalf/spamfaq.html. This article will also show what sort of information you give away when you send messages to Usenet groups. With all this in mind, you could explore anonymous remailers. These allow you to send mail and newsgroup postings as anonymously as is reasonably possible.

Using a remailer is not straightforward and in some cases you have to trust the administrators of the system. Ideally you'd use more than one remailer in a chain, and use strong layers of encryption. The problem with this type of system is that if just one remailer in the chain stops working your message won't get through. If you're interested in the academia of remailers and their vulnerabilities a visit to http://www.obscura.com/~loki/ would be a good start. You can get a list of current remailers from http://anon.efga.org.

Internet chat can be fun, but be aware that information you pass to other people is not secure. Even if you know the person you are chatting to over MSN Messenger, IRC or some other chat system, you are still communicating without encryption. In the worst cases administrators of the chat server can access the chat logs. Your private conversation with a friend could find itself posted on a public Web site if the person with access deems it amusing or important. An attacker could steal such logs and distribute them, which would be particularly embarrassing if this showed evidence of job seeking in work hours and using the company's resources.

If you must chat about highly sensitive and private matters with close friends you might consider setting up your own IRC server, making it available only to those users who have a local account. Of course, they'll still have to trust you not to share the logs and to ensure that the system has been made as secure from attackers as possible. If you intend to use Instant Messaging (IM) for business purposes you can use a virtual private network to encrypt the traffic as it flows from one site to another. Or install a dedicated IM server available from companies such as IBM, Imici or Bantu. Good (but expensive) solutions encrypt the online chat session; however, these are really corporate options. If you're simply trying to secure your own personal use of Internet chat the easiest thing to do is keep a tight check on everything you say - and impart no information that you wouldn't be happy seeing stuck to your office notice board.

Conclusion

Protecting your privacy and keeping attackers out of your system requires time and effort. Sadly a fresh installation of almost every operating system won't be sufficiently strong, and users' behaviour (including your own) can leak information more quickly and more effectively than a casual hacker.

But don't lose heart. A lot of the most important checks you can make are very simple and take very little time. Once you've patched your systems, started shopping only with familiar and secure sites, chosen better and more varied passwords and started behaving in a generally more paranoid way you'll find yourself under less scrutiny from online advertisers, spammers and hackers. And you can rest assured that those unscrupulous people interested in gathering personal data will be concentrating on the users who cannot be bothered to secure their data, rather than on you.


Checking for Trojans

How do you know if your system is infected with a Trojan? The chances are that your anti-virus software will have detected it and alerted you, while simultaneously disabling it. However, as we've discovered, judicious use of an executable packer can make working copies of Trojans invisible to the most up-to-date anti-virus software from most of the main players. But you can detect most Trojans manually, if you know where to look.

The first clue is to check for any programs that are listening for an incoming connection. Backdoors usually work like this, maintaining an open port for the attacker to connect to. On any Windows or UNIX PC you can obtain a list of listening ports by typing 'netstat -a', which will bring up a display similar to that below:

Proto Local Address     Foreign Address         State
TCP   my_pc:2851        MY_PC:0                 LISTENING
TCP   my_pc:44334       MY_PC:0                 LISTENING
TCP   my_pc:44334       MY_PC:0                 LISTENING
TCP   my_pc:1220        MY_PC:0                 LISTENING
TCP   my_pc:2851        pop.dial.pipex.com:pop3 SYN_SENT
TCP   my_pc:137         MY_PC:0                 LISTENING
TCP   my_pc:138         MY_PC:0                 LISTENING
TCP   my_pc:nbsession   MY_PC:0                 LISTENING
TCP   my_pc:1220        chimmi.xcron.com:22     ESTABLISHED
TCP   my_pc:pop3        MY_PC:0                 LISTENING
TCP   my_pc:2791        MY_PC:0                 LISTENING
UDP   my_pc:44334 *:*
UDP   my_pc:nbname *:*
UDP   my_pc:nbdatagram *:*
UDP   my_pc:2791 *:*

There is a connection to my POP3 account with Pipex, which is not unexpected because I am running an automatic e-mail monitor. However, something is connected to a funny-sounding system called chimmi.xcron.com. We don't know what program is doing this, but a utility called TCPView from Sysinternals will. Run it and it will show a list as above, but with an additional column showing which program is running. In this case it harmlessly turned out to be a local user using SSH to connect to another system.
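The same triage can be scripted. The following is an added example, not part of the original article: it parses the listing shown above and reduces it to the listeners and remote hosts that are not on an allow-list, which are the entries worth looking up in TCPView. The function names and both allow-lists are assumptions made for illustration.

```python
from collections import namedtuple

# The 'netstat -a' listing from the article, embedded as sample input.
SAMPLE = """\
Proto Local Address     Foreign Address         State
TCP   my_pc:2851        MY_PC:0                 LISTENING
TCP   my_pc:44334       MY_PC:0                 LISTENING
TCP   my_pc:44334       MY_PC:0                 LISTENING
TCP   my_pc:1220        MY_PC:0                 LISTENING
TCP   my_pc:2851        pop.dial.pipex.com:pop3 SYN_SENT
TCP   my_pc:137         MY_PC:0                 LISTENING
TCP   my_pc:138         MY_PC:0                 LISTENING
TCP   my_pc:nbsession   MY_PC:0                 LISTENING
TCP   my_pc:1220        chimmi.xcron.com:22     ESTABLISHED
TCP   my_pc:pop3        MY_PC:0                 LISTENING
TCP   my_pc:2791        MY_PC:0                 LISTENING
UDP   my_pc:44334 *:*
UDP   my_pc:nbname *:*
UDP   my_pc:nbdatagram *:*
UDP   my_pc:2791 *:*
"""

# Assumption: this user expects only the NetBIOS ports to be open ...
EXPECTED_LISTENERS = {("TCP", "137"), ("TCP", "138"), ("TCP", "nbsession"),
                      ("UDP", "nbname"), ("UDP", "nbdatagram")}
# ... and only the mail server as a remote peer (the e-mail monitor).
EXPECTED_HOSTS = {"pop.dial.pipex.com"}

Socket = namedtuple("Socket", "proto local_port remote_host remote_port state")


def parse_netstat(text):
    """Turn netstat rows into Socket records, skipping headers and blanks."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        local_port = local.rsplit(":", 1)[-1]
        remote_host, _, remote_port = foreign.rpartition(":")
        rows.append(Socket(proto, local_port, remote_host.lower(),
                           remote_port, state))
    return rows


def listeners(rows):
    """Ports waiting for incoming traffic: TCP LISTENING and bound UDP."""
    return {(r.proto, r.local_port) for r in rows
            if r.state == "LISTENING"
            or (r.proto == "UDP" and r.remote_host == "*")}


def active_peers(rows):
    """TCP connections that are open, or being opened, to another host."""
    return {(r.remote_host, r.remote_port, r.state) for r in rows
            if r.proto == "TCP" and r.state not in ("LISTENING", "")}


def triage(text, expected_listeners=EXPECTED_LISTENERS,
           expected_hosts=EXPECTED_HOSTS):
    """Return (unknown listeners, unknown peers), each sorted for review."""
    rows = parse_netstat(text)
    unknown_listeners = sorted(listeners(rows) - set(expected_listeners))
    unknown_peers = sorted(p for p in active_peers(rows)
                           if p[0] not in expected_hosts)
    return unknown_listeners, unknown_peers


if __name__ == "__main__":
    open_ports, peers = triage(SAMPLE)
    print("Listeners to identify:", open_ports)
    print("Remote peers to identify:", peers)
```

An entry on either list is not proof of a Trojan, only a port or host that still needs matching to a program.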


Choosing passwords

Choosing a strong password is not hard - you just need to come up with a random string of letters, numbers and punctuation at least eight characters long, preferably longer. Ideally you'd do this for every e-mail account, system log-in and other Internet, network or host-based service that you are authorised to access. The obvious problem comes when you need to remember all of these codes, which is where password management software, PDAs and possibly even removable USB storage 'pens' can come in handy.

Here are some examples of good and bad passwords:

BAD

my.very.long.password
This is not ideal because it is based on real words and uses a rather obvious method of separating each one into a phrase, but it's better than 'password' or 'banana'.

l3tm31n
This is 'hacker' speak for let me in, changing e's into 3's, i's into 1's and so on. It is standard practice for attackers to construct dictionaries with these substitutions, so make up your own if you want to follow this method of easily memorable passwords.

V100PDQ
This could be a car registration number. Anyone who knows the user could guess this without much trouble.

GOOD

Practically_Unbr3akaBl3
Memorable as the phrase "Practically Unbreakable", it's unlikely that this password will be broken in any useful time period.

0981Fleeqi0o
This is a randomly-generated password that has a long usage life. Don't use the same strong password with every account, though. If someone discovers it (maybe via key-logging) all your other accounts will be compromised too.
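The checks described above can be automated before a password is put into use. This is an added example, not part of the original article: it folds look-alike characters (3 for e, 1 for i and so on) so that a substituted spelling still matches the plain word, then looks for common words and for personal details the user supplies. The word list is a small constructed sample and the function names are hypothetical.

```python
import re
import secrets
import string

MIN_LENGTH = 8  # the article's minimum length

# Look-alike characters folded to one representative, so a password and a
# word compare equal whichever spelling was used (l3tm31n == letmein).
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

# Constructed sample list; a real audit would load a much larger one.
COMMON_WORDS = ["password", "banana", "letmein", "qwerty", "welcome"]


def fold(text):
    """Lower-case, fold look-alike characters and drop separators."""
    folded = text.lower().translate(FOLD)
    return re.sub(r"[^a-z0-9]", "", folded)


def audit(password, personal=()):
    """Return a list of findings; an empty list means nothing was found.

    `personal` holds details others could know or look up: a pet's name,
    a car registration, a birthday.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    candidate = fold(password)
    for label, words in (("common word", COMMON_WORDS),
                         ("personal detail", personal)):
        for word in words:
            needle = fold(word)
            # Very short needles would match almost anything, so skip them.
            if len(needle) >= 4 and needle in candidate:
                findings.append(f"contains {label} '{word}'")
    return findings


def generate(length=12, personal=()):
    """Random password from letters, digits and punctuation that passes audit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit(password, personal):
            return password


if __name__ == "__main__":
    facts = ["Tiddles", "V100 PDQ"]  # constructed personal details
    for pw in ("my.very.long.password", "l3tm31n", "V100PDQ", "T1ddl3s",
               "Practically_Unbr3akaBl3", "0981Fleeqi0o"):
        print(pw, "->", audit(pw, facts) or "no findings")
    print("generated:", generate(personal=facts))
```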


First published in PC Pro, December 2002.

The above article is © Dennis Publishing Limited 2002. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.