Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computer Security for the Home and Small Office

Posted by timothy on from the opposite-of-obscurity dept.

Andrew Murphy writes " The Register's security guru Thomas Greene has written a book for the average computer user, though it contains a great deal of information that professionals need to know. It's insightful, instructive, and calls for open source software even on Windows for enhanced security. The single most interesting feature is the author's emphasis on open source software as a security feature per se. He rightly notes that there are no secrets in OSs, and teaches users to leverage this transparency regardless of their platform. As early as the introduction, Mozilla is urged as a secure replacement for IE and OE, and this came before the Scob outbreak." Read on for the rest of Murphy's review. Computer Security for the Home and Small Office author Thomas C. Greene pages 405 publisher Apress rating 9 reviewer Andrew Murphy ISBN 1590593162 summary No secrets means that open source software, when it survives, tends toward robustness -- so it can help even if you run a closed-source operating system.

The book covers popular OSs replacements for Windows applications and utilities; it explains vulnerabilities; it offers practical setup information for both Windows and Linux to harden a system and make it extremely difficult to attack.

The Preface describes the book in general terms. The Introduction explains firewalls and their limitations, and explains how to install Mozilla to limit email and http exploits and spam.

Chapter One debunks the malicious-hacker mythology and shows that most so-called hackers are only script kiddies who are easily thwarted with commonsense tactics.

Chapter Two explains malware, spyware, bad system configurations, and the scores of other routes to system exploitation and privacy invasion that firewalls and antivirus software don't address. It includes a step-by-step guide to simplifying and hardening a system. Most importantly, it offers a useful guide to turning off unnecessary services and networking components for both Windows and Linux, and setting sensible user permissions, and is liberally illustrated with screen shots.

Chapter Three offers a good breakdown of social engineering and phishing scams, and how to defend against them.

Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.

Chapter Five explains how to eliminate all traces of Web activity from your computer and defeat forensic recovery of stored data; how to surf the Web anonymously using an encrypted connection and defeat remote monitoring; how to set up and use SSH (SecureShell) to conceal both your identity, and the data content of your Internet sessions from all third parties, including your ISP. The many hiding places of sensitive or incriminating data are revealed for both Windows and Linux users.

Chapter Six explains the advantages and disadvantages of migrating from Windows to Linux; why Linux is easier to configure for security, and why it's better suited to less technically-inclined users; how to judge whether Linux is right for you, and the issues you should consider before migrating. The author is clearly biased towards Linux, but he understands that most users will stick with Windows. Hence the emphasis on tools that run on Windows.

Chapter Seven is a catchall essay explaining security from an anecdotal point of view. There were places where it got a bit tedious, but the idea is to look at security as a process or a frame of mind, not a specific series of computer settings. The material in this section is informative in only a general sense. The real configuration information comes in chapters Two, Four, and Five.

There are several indexes with useful information on firewalls, ports, Trojan activity, sources of information, and more. Most of this information is conveniently located and linked at the author's website, BasicSec.org

Overall, the book is exceptionally well written for a tech manual. The author is a good writer and his prose flows nicely. The book is highly readable, and even witty in parts. I found myself laughing aloud on several occasions. The author has the art of The Register's irreverent presentation. I enjoyed reading it. But it is not perfect, so I give it a 9 out of 10.

My biggest criticism is that the book shifts back and forth from practice to theory and back again. It's good that readers learn the reasons for the (very sensible) procedures and settings listed; but I felt that the book was organized wrong. This is a minor issue, and the book remains exceptionally useful; but instead of interlacing the various parts, theory and practice might better have been separated in two distinct sections. It's difficult simply to flip to a section of this book and learn what needs to be done: there is a lot of theoretical talk between each practical item. It's very good talk, and very instructive talk, all right, but I would have preferred that it be located in a particular place. I would rather not have to read the entire book through in order to tweak my system for good security. Unfortunately, the author has structured the book so that a read-through is necessary.

Overall, this book will tell professionals what they need to do, and novices everything that professionals ought to know, but probably don't. It's in plain English, so no one should worry that they can't grasp it. You can make your computer, or your network, very hard to attack, whether you use Windows or Linux. This book will show you how in excellent detail. You've got to read the whole thing, unfortunately -- but it will work nicely for you, casual user and sysadmin alike.

You can purchase Computer Security for the Home and Small Office from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

10 of 146 comments (clear)

  1. The problem with security books for the home user by prostoalex · · Score: 5, Insightful

    ...is that few people ever read them.

    The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing.

  2. This book should be open source by TheSpoom · · Score: 5, Insightful

    Really, I'd LOVE to be able to point one of my tech support callers to a free online version of this book. It would be very helpful because I wouldn't have to explain to them why Firefox is better than Internet Explorer, and then have them think I'm just paranoid when I tell them all the ways spyware can get in their system.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  3. Re:Oh by Anonymous Coward · · Score: 5, Funny

    Don't misoverestimate this place.

    It contains all of the information that the average /. reader claims to already know and/or brags about knowing.

  4. Average user? by scowling · · Score: 5, Insightful

    Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.

    (And so on.) It looks to me as if the book has failed completely as a guide for the average home or small office user. Your mom is the average user. Your mom plays Pogo all evening and clicks on every mail she receives. You need to explain security to her in such a way that it can fit on both sides of an index card. GnuPG? I think not.

    --
    www.kitchengeek.com -- Nosh for
    1. Re:Average user? by stratjakt · · Score: 5, Interesting

      Well, as the lead-in says, this was written by the "guru at theregister.com", or translated, by an out-of-touch linux zealot.

      By out-of-touch, I mean he has no idea what an average user is, or what they're willing to do. Ethereal is next to useless as a security tool, it's a great tool for troubleshooting complex networking setups, but a box with XP Home that dials into AOL is hardly a complex network.

      They might as well suggest the "average user" set up an elaborate honeynet.

      A security book for the average user probably could fit on both sides on an index card, hell one side: Know what a firewall is and how to configure it. Know not to run executable code unless you trust the source. Keep your machine up to date, and scan for viruses reguarly.

      That's about it, at least, thats about all I'd expect out of an average user, and that's about all I'm willing to do myself. I've never cracked out ehtereal to "secure my box". Thats ridiculous.

      The "dont run executables" is a tricky one under Windows, because it's no longer clear to the average user what's executable or not. It used to be simple: files that end in .bat, .com or .exe. Now it could be .vbs or a macro in a .doc or .xls. How many average users know what .msi means?

      Not that it's easier for the average user to know in the unix world, where they have to "ls -l" to see if the executable bit is set.

      --
      I don't need no instructions to know how to rock!!!!
  5. Re:The problem with security books for the home us by lukewarmfusion · · Score: 5, Informative

    The parent post is actually insightful (as well as funny). So many of us have tried to tell our parents, friends, relatives - even complete strangers - about the importance of security. But they still download Kazaa (not lite), they still choose a password named after their dog, and they still open every damn attachment they get.

    Security = extra work, confusing settings, and ways to mess things up
    Insecurity = identity theft, loss of property or information, and probably cancer

    It sounds like a pretty easy choice to me.

  6. something missing here... by kaan · · Score: 5, Interesting

    "Overall, this book will tell professionals what they need to do, and novices everything that professioanls ought to know, but probably don't."

    While I agree that novices probably ought to know a lot of the topics covered, there is something fundamentally missing when many (most?) novices still barely realize they have an alternative to using Windows. I interface with lots of people who basically think you have two choices - owning "a computer", or owning "a Mac" (as though owning a Mac wasn't a real computer).

    The bigger problem, aside from addressing security problems, is educating the general public that they have choices, and there are different security impacts based on your choices. We live in a world where hundreds of thousands of Windows users don't even know about Windows Update, which is arguably the simplest thing you can do to avoid security vulnerabilities (yeah, yeah, I know sometimes they introduce problems through WU, but Microsoft seems to fix half a dozen "critical" security flaws per month).

    So what novice out there is going to even take note that there's a book that covers security problems/issues and offers fixes for problems they're not even aware of?

  7. Impressive link collection by Anonymous Coward · · Score: 5, Informative

    Just in case his site gets /.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
    Downloads
    Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.

    No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.

    FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.

    Errata: A text file containing my various blunders and ommissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.

    Links to Other Goodies
    Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.

    Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.

    Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.

    GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.

    WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.

    Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.

    OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.

    PuTTY: A free, open source GUI frontend to OpenSSH for Windows.

    Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.

    Ad-Aware: A free, closed source adware/spyware scanner for Windows.

    SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.

    Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.

    SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.

    GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.

    Security Information
    About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.

    SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.

    CERT/CC: Computer Emergency Response Team Coordination Cente

  8. Re:A Most important home-use chapter by Pidder · · Score: 5, Insightful

    Just because the book contains more advanced topics doesn't mean it can't be aimed at the casual user. To me it seems that the book is aimed at the casual but interested user. Someone who's not the least interested in security will not pick this up no matter how basic it is. As Joe Sixpack starts reading this book he will learn more and more and by the time he comes to chapter 5 he will hardly be Joe Sixpack anymore.

  9. Re: The book is missing "dummies" in the title by Alwin+Henseler · · Score: 5, Insightful
    Too many people lack common sense.

    No, they don't. They just don't (and/or don't want to) understand all the inner workings of technology they use every day. That's true for computers, cars, kitchen appliances, VCR's, whatever.

    So in terms of computer security, an average user behaves like a dummie. The book should have been named "Computer security for Dummies" or something like that, to appeal more to the target audience. Isn't this "... for dummies" series of books very popular anyway?