Hi Folks,
This message is directed at users of Windows and Windows IT Administrators.
If you've become sickened by the unrelenting security issues that turn up each and every day (one need only stop by ZDnet's Zero-Day blog and read), things may seem desperate but there is hope.
While MS continue to apply due diligence (questionable) in addressing vulerabilities/exploits with out-of-band patches and monthly Tuesday patch cycles, that still is not enough to keep the n'er do wells away.
The most recent incident highlights the true severity of Microsoft's Windows security predicament:
http://www.computerworld.com/s/article/9182238/Rootkit_with_Blue_Screen_history_now_targets_64_bit_Windows?source=rss_news
Now, Windows 7 64-bit is proven to be exploitable (Zero-Day, no patch in site) by the Alureon root kit.
A root kit is the worst of possible scenarios one can encounter in terms of to what extent a PC can become compromised or 'owned'.
This comment might spawn the reflexive to say all O/Ses are vulnerable to root kits. Indeed, this is true.
But, unfortunately, the situation for Windows 7 is such that there isn't a way for its kernel to 'police' or effectively stop a buffer overflow from attempting to inject a DLL into the kernel's memory space.
All of this has been written up and most recently there are even some 200 estimated Apps which run on top of Windows 7 which are subject to a DLL exploit on all versions of Windows.
So, what is the remedy? Microsoft, not a third-party vendor, should develop and provide an API with hooks to an external security module interface that couples up and binds to the kernel at boot time which allows the user/admin to set up predefined or user-customizable Application mandatory-access-control profiles.
Such a profile when present and running in the kernel mac security module would be the final 'permission-giver' for a granular set of actions that the App, and, this is important, the KERNEL takes on behalf of the App process id.
Microsoft has not provided this very much needed facility.
They indeed have done a lot of work to 'sandbox' their own in-house development, specifically the newest Microsoft Office 2010 will sandbox its family of Apps.
But as far as all other 3rd-party Applications, there is no such sandbox externel module that can be called on each discrete action and approved by the security module, even the actions taken by the kernel on behalf of the App.
So, I submit to you that while Microsoft's due diligence is put into question, Linux offers precisely this much needed additional security 'policing' or 'cross-check' on what an App is doing at any moment in time.
It is called Linux Security Module (LSM).
There are several LSM modules which are present in various Linux Distributions, including SELinux, GrSecurity, AppArmor, and the like.
If you truly demand a maximum of security and analyze the Windows security for what it is, you will reach the conclusion (an obvious one) that the general design of Windows 7 security is lacking per the above LSM explanation and therefore is deficient.
Please make time to allow a full investigation of the alternatives and consider Linux for its superior security.
May I recommend you please consider Canonical's Ubuntu Linux 10.04 LTS, which includes AppArmor LSM by default.
Ubuntu Linux: The safest operating system on the planet.
I stake my reputation in it.
Thank you Scott for a nice sensible write-up (and funny).
The internet is an unsafe place. Your data is at risk. Your right to privacy is being violated. Your identity is going to be stolen, your credit ruined, your career destroyed, your house burned down, your fields will be defiled and your women will be pillaged. Dogs and cats, living together! Mass hysteria!
The net has become a bleak place for people that do not practice safe computing methods. Cybercrime is big business these days–it’s no longer the domain of a surly miscreant in a basement writing viruses that infect floppy disks. Now the bad guys are organized, smart, and running their operations like a big business.
Most people are aware of the dangers, but not how to protect themselves. The truth is, if a hacker wants to get into your system, usually the only way to prevent that access is to completely cut the system off from the internet. Even then, there’s still a remote possibility that access can be gained. Just recently, the US Department of Defense reported that a successful network intrusion had been accomplished through the use of a rogue USB flash drive.
On a smaller scale, cyber thieves are interested in capturing information about you: your credit cards, social security number, banking information. The intent is obvious, of course. The worst part is that many security attacks can come from known friends whose own systems have already been compromised.
While it is true that some computer operating systems are more secure than others–Microsoft Windows being the most vulnerable by virtue of its ubuquity and therefore interest to criminals–no one system is 100% safe. The majority of security violations can be pinned squarely on the shoulders of human error, through inattention, ignorance and even apathy.
There are a number of precautions a computer user can take in order to start securing their data. Anti-virus and anti-malware applications are a good start. If you run a Windows system, Avira AntiVir Personal is a decent, free option. Microsoft has also released a good, free antivirus package called Microsoft Security Essentials. I would also recommend using Malwarebytes’ Anti-Malware to scan your system on a regular basis. It has been known to catch things other applications miss.
While Linux and Mac users are fairly safe from virus infection, they can still run Windows in a virtual machine, and can pass along infected files. The open source ClamAV is available in both Linux and Mac versions.
Good security practices involve multiple layers of protection. If you have a hardware firewall, use it. Block any inbound ports that are not in use. Use network address translation (NAT) so that the network address of your computer is masked from the outside world. Unless you run a server at home, you won’t need to have the firewall forward ports back to your computer from the outside.
If you don’t have a hardware firewall, use the one built-in to your operating system. All modern versions of Windows, OSX and Linux have firewall options.
That’s just scratching the surface. There’s so much on the internet today designed to trap the unwary cyber traveler. Junk email is filled with lottery and inheritance scams, fake file attachments with trojans that can take over your computer, links to websites infested with malware and code that attacks your web browser. Most email providers already filter out the worst of these, or provide you with tools to do the same. Modern email clients usually block infected file attachments.
The motto of “better safe than sorry” really does apply here. If you don’t know who it’s from, delete it. Don’t open file attachments unless you are sure of their origin. Don’t accept instant message chat from strangers. Stay off of unsavory websites–porn and software piracy websites are notorious for being havens for malware.
It’s recommended that if you have no alternative to visiting unknown websites, use an ad blocker like Ad Muncher which works with all browsers, or free options like Adblock Plus for Firefox and Chrome. Please keep in mind, however, that many legitimate websites are paid for through the use of ad revenue–so as a courtesy to them, disable the ad blocking while visiting those sites.
As I mentioned earlier, one of the biggest issues with computer security is the human element. Hackers use social engineering to crack security. Notorious hacker Kevin Mitnick has said that it’s quite easy to simply call up a random low-level person in a company, tell them you’re from the IT department and ask for their username and password. Many people will just hand over this information without even thinking twice about it.
Your passwords are supposed to be kept private, just like your ATM PIN that you use to get cash at the bank. Never give your password to anyone. Never make it easy to guess, like your own name or a pet’s name. Don’t put it on a Post-It note and stick it to your monitor. And if anyone ever asks for it, don’t give it to them.
A common scam is called phishing, where someone sends a legitimate-looking email that appears to come from your bank, asking you to provide your account number, your ATM pin, your username and password. Or sometimes they provide a fake website link that appears to go to the banking website, but is actually one made to appear like your bank website but is only there to siphon your credentials so they can empty out your account. Do not respond to these emails, and do not click on the links in them.
Another trap to avoid are the TV commercials promoting a faster computer free of viruses and spyware. These are actually ransomware scams where the program doesn’t actually clean anything, but keeps demanding money to keep your computer safe. The parent company also theatens anyone that reviews them in a negative light, which is why I have not named them directly in this article. Not surprising, considering their reputation. There are many malware programs pretending to protect your security; research them first before using any of them.
Let’s face it, with computers come risk. If you have information on them that others would find valuable, inevitably someone will try to take it from you. The alternative is to completely cut yourself off from all network and computer access and never put any personal information on one. The only problem with that is there are many companies out there with your personal info, and the news has seen plenty of stories over the past 20 years where customer information was leaked or stolen.
The threat of data and identity theft will always exist. The best thing to do is to be safe, be careful, and be smart.
