How Are You Protecting Your Computers?

b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but i'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router"

If I told you...

[Tim_F]

The slashdot editors would have all the information they'd need to hack me...

I'm using

[Trikenstein]

D-Lonk DI-604 router, Zone Alarm personal, Norton AV 2K2. When I install XP, I disconnect the computer from the network, install XP, and SP1, Zone Alarm, Norton AV, then reconnect to network and patch up.

Not doing dumb things...

[Spoing]

...keeping my systems as simple as possible (from apps to services) and following my own advice on firewalls (see signature).

If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)

a la carte

[Down8]

AVG AntiVirus. (Free)

Windows Firewall (XP Pro). (~Free)

Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)

Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.

-bZj

Home setup

[consolidatedbord]

Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)

-cable modem->linux 2.4 kernel router running iptables
-norton antivirus corporate edition
-Microsoft Software Update Services for the Windows boxes
-iptables for the Linux boxes
-ntop and snort for traffic monitoring
-I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
-various other utilities to monitor tcp/ip traffic
-good old fashioned obsessive tailing of logfiles along with vgrep
:)

Re:You forgot the web browser (Firefox)

[going_the_2Rpi_way]

Hmmm... I don't know about this. You either want to run scripts or not. You either want to use plug-ins and accept cookies or you don't. Any browser that's configured to do those things will be somewhat insecure. You probably make yourself less of a target by using relatively eccentric browsers, but, if subjected to the same scrutiny as the more popular ones, are they any more secure? The real question is where does the lack of functionality outweight the lack of security/privacy? Do we all go back to Lynx?

K.I.S.S. - always been and always will be best

[mabu]

It's amusing that people focus on the latest-and-greatest security software, which IMO is more counterproductive than it is productive.

You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.

I think no matter how many advances we have in this area, the basic rules of security will always apply:

1. Limit Accessibility.

99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.

Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.

I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.

2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.

3. Keep all software fully-patched and up to date.

4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.

5. TEXT ONLY E-MAIL... This, after #1 is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.

6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.

7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.

Re:K.I.S.S. - always been and always will be best

[CaptainCheese]

IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

You are comparatively safe with IPsec, however this is just because five people down the block don't know what it is, making them a softer target.

Anyone who really wants in to a cable based LAN has to find a place to jack in, and you're fitting a metaphorical socket to your front door.

Of course, any external networking connections are inherently insecure compared to none - physical security is the best security layer, But I doubt many /. readers are using that policy.

Re:K.I.S.S. - always been and always will be best

[Hast]

No, the statement that RSA is somehow "security through obscurity" is just plain incorrect.

STO is when you use unpublished methods and rely on the attacker not bothering to try to reverse-engineer your system as a method of protection. Examples are using XOR and similar cyphers in obfucated ways to hide the details.

So far RSA has not been compromised. Until such a time using RSA in open and peer reviewed protocols (remember that RSA etc are only a small part of the big security system) is in no way "Security Through Obscurity", it is in fact Best Practices (tm) and that is pretty fucking far from STO! And if a really good way to factor into primes comes up then you CHANGE the encryption scheme!

Most people have a grasp of just how many combinations there exist in a 2^1024 key. As far as we know the number of atoms in the universe (including dark matter and such) is on the order of 2^200. Now in RSA and other asymmetrical systems not all keys can be used, but still I'm willing to guestimate that a typical 2^1024 key has way more than 2^1000 valid keys (I can't be bothered to do a real estimate, and that's probably way to small).

Now consider that the Universe is Pretty Damned Big, yet the number of valid keys completely dwarfs that. It is hard to put into words just how completely unlikely you are to brute-force an RSA key (or any other key for that matter). Just imagine all the absurd unlikely events EVER happening to you in the same microsecond. Then multiply that by about 50 billion times and you'll still be ways off, but you'll get the idea.

In short, you are not going to brute force a key which is even 2^256, it's just not happening.

If you are that worried about someone tapping into your wireless systems do you also ensure that all your electronics is protected from people snooping on your electric signals? Or do you wear sunglasses and gloves all the time to protect you from someone trying to get a copy of your iris/retina or finger prints? That's a lot more likely than someone breaking your encrypted wireless communication.

Besides I'd rather have my precious data under my desk in encrypted form than in some bunker with a bunch of morons with explosives. No way to be sure what they end up shooting at when they are drunk and bored.

Re:K.I.S.S. - always been and always will be best

[bushidocoder]

Gonna have to call you out on wireless networks. Wireless networks are bad iff you don't know how to configure them right. 802.11g with WPA with preshared public keys is pretty safe. Can it be cracked? Yes. But then again, so can SSL, SSH, PGP and every other encrypted data you throw out there in due time.

The key to proper wireless setup is to associate different levels of trust between the wired and unwired components. Require WPA. Most household wireless routers allow you to specify a physical address list for visiting assets - do not allow unregistered MAC addresses to join your network. Have the wired network use a different subnet than your wireless network, so that the IPSecurity policies on your wired boxes can be set to prohibit access to the wireless agents on your house. Also, some routers let you set firewall rules between your wired and wireless subnets.

Audit everything. Everything. Disk space is cheap.

Also, run a packet sniffer on your wireless network. I once had a Netgear wireless router that would broadcast packets wired computers had sent it to route to the public internet across the wireless network - it had no concept of how to route correctly. If that's happening, throw that PoS away and get a real router.

Can this be compromised? Yes, but it requires breaking through various levels of real, cryptographically enforced security. Remember that only one part of information security is denying access to intruders because at the end of the day, the most locked down boxes plugged into a network can still be hacked. You must be constantly vigilant to detect intruders as they attempt access, you must have a recovery plan if you are compromised (everyone needs AV software and an individual firewall on each computer behind the NAT firewall), and must be sufficiently auditted that you can trace access attempts back to the source. Watch your wireless traffic - with this type of security, in the very very remote chance you are compromised, its going to take a long while. Is someone trying a variety of network attacks on your wireless network? If so, I've got good news - rule out that its not someone in a car outside, and you can pinpoint it pretty quick down to a neighbor. Talk to them if you think its their 16 year old punk teen, call the police, leave a note on their door with a picture of Sauron's eye saying they need to be more sneaky, whatever.

Re:You forgot the web browser (Firefox)

[venomkid]

Well, you could go so far as to say (correctly) that by inviting any data into your computer, you're less secure. Even by plugging in a network cable and letting it sit there you're less secure.

"Scripts or not" doesn't help when something like the recent GDI debacle occurs.

The trick is in finding a balance that keeps you safe enough from attack but open enough to do what you want to do.

So far, considering how fast they put out updates and how many exploits the leading browser has, I think Firefox does a pretty good job of this.

Re:Not much

[skinfitz]

...Never got infected through Internet Explorer or Outlook Express though. I don't use antivirus software and I don't get viruses or spyware.

Forgive me for pointing out the obvious, but how do you know?

Absolutely nothing you have there would prevent the latest GDI exploit from running code of attackers choice on your Windows box by you doing nothing more complicated than viewing an image.

Ok, fine, I'll bite...

[MachDelta]

Goddamn. The things people do to run Windows... It makes me glad I use Linux.

Oh come on, lets not be hypocritical here. I seriously doubt anyone can say they've done a fresh install of *distro-of-choice* and not spent some time tweaking things to get their system into a fully usable state.
Everyone does it, and just because one person has to install a firewall and another person has to hunt down drivers doesn't make either person superior to the other. Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.

Myself, I use KPF and AVG, with AdAware on the side. Fortunatly, these three programs don't have much to do, thanks to Firefox and my cheap yet trusty DI-604 router. I'm actually going to be putting together a box for my parents this weekend too, so i've been busy loading up my USB flash drive with some of the aforementioned programs, and other first boot goodies. And if i'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on. Then i'll get to experience the numerous pains-in-the-ass of both worlds! Should be fun. :)

Tin Foil and DuctTape

[Sean+Johnson]

I completely covered my PC with it. There`s no airlow, but at least it`s safe. I also sprinkled some holy water on it for good measure. Those Nazis will never get to my PC now.

Re:vmlinuz

[NanoGator]

"I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post)."

I apologize if I have misinterpreted your meaning, but your post does read that way.

"If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."

I left out OSX only because he cannot install OSX on a Windows machine.

As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetance.

"So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"

My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has lead to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.

I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

Hmm

[Vokbain]

I bought a Macintosh ^_^

Old PC running Devil-Linux boot CD-ROM ..

[torpor]

.. which also doubles as my Squid proxy/cache and DNS machine ..

Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat ...

Re:vmlinuz

[node+3]

I apologize if I have misinterpreted your meaning, but your post does read that way.

No problem. If you re-read my original post you'll see it's more of how you read it than how I said it (I imagine you read it through slashdot-colored glasses, as it were).

I left out OSX only because he cannot install OSX on a Windows machine.

But presumably it is an option available to him. Cost is an issue he'll have to weigh for himself if he deems it worthwhile. I was just offering two options that work for me.

Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted.

The guy doesn't sound like he's interested in running a web server. There are plenty of ways to make an apache install insecure. Again, to make a fair comparison, it's easier to crack IIS than it is Apache. That you got 0wn3d doesn't detract from my point. I never said Linux was uncrackable, I said it's more secure (by a large margin).

My only real point is that you have to be vigilant either way.

This is the "what do you mean by that realm". 'Vigilant' is a term that is subjective. Under Debian, 'vigilant' means running apt/aptitude/dselect (whichever is your choice) and telling it to update your system. Under Mac OS X, 'vigilant' means clicking "install" when Software Update pops up. Under Windows, 'vigilant' is far more involved.

Subjectively you can say both require 'vigilance', but they are not equal. You are repeating the confusion of a Windows apologist. When a Linux advocate (yeah, sometimes they are rabid too), claims that Windows is less secure, the Windows apologist will say Linux has security holes too. But when you look closely, you'll see a world of difference. Both a glass of water, and a handfull of rattle snakes can kill you, but one is far safer than the other.

It's far easier to crack a Windows computer than a Linux computer by a wide margin.

It's a question of whether or not it's 'worth the fuss'.

Which is what I said in my original post.

I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

Then Linux isn't for you. I never said it was for everyone. I suggested he consider it (maybe he has, maybe he hasn't, I have no way to know, but both Linux and Mac OS X are viable alternatives and worth considering).

Why TightVNC? Other questions.

[Futurepower(R)]

Many questions:

Why did you choose TightVNC? Why not RealVNC, UltraVNC, or TridiaVNC?

Is it better to pay for VNC software, like Tridia VNC Pro or Radmin? Which software has video resolution scaling of the remote desktop?

What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?

What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.

truly wonderful firewall

[nusratt]

-- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news.
Tried it on trial, liked it so much I paid for it. :o

-- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.

-- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptablility to not-yet-signatured new threats.

-- SpyBot, AdAware

Re:RSA is far less obscure than physical security

[pthisis]

[Note that I make no judgement on whether STO is necessarily a good thing or a bad thing].

Cryptography is obfuscation

Yes, but "security through obscurity" is a technical term of art. It's either ignorant or disingenuous to use English-language definitions to define a technical term when that term is clearly used in context. Yes, the private key in an RSA implementation must be "obscure" in the English sense for the system to be at all secure.

But, as wikipedia puts it (you can read more there):
"In cryptography, the reverse of security by obscurity is Kerckhoffs' principle from the late 1880s, which states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key"

This is supported by how this term is used in practice by experts in the field.

The key principle of systems described by "security through obscurity" is that the _design_ of the system (algorithms, etc) is hidden.

The key to non-security-by-obscurity systems is that the design of the system is public so that it can be publically audited and the assertion that "it's secure when used with any key that satisfies condition X" is well-vetted (X is usually: "Product of 2 large primes", in some algorithms it may be "Never reused" or "not a Weak Key" for some rigorous definition of weak key, in some algorithms other ). It's also usually key that there is a good objective test for condition X, such that implementors have a high degree of confidence that not only is their crypto implementation basically sound but that the keys they implement are believed to be secure as well.

More generally, in non-keyed systems it's not considered reliant on "security through obscurity" if the system architecture as a whole is well-vetted and the conditions that are prerequisites to security are documented and objectively testable via some well-vetted method.

Of course, you probably already new that and were trying to change the accepted definition by arguing against the OP based on an idiosyncratic (within the context) definition.

(Of course, whether or not a system relies on security through obscurity is kind of a spectrum; very few systems are completely non-STO and very few are completely STO.)