Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Are You Protecting Your Computers?

Posted by Cliff on from the what-steps-are-you-taking dept.

b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but i'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router"

13 of 193 comments (clear)

  1. If I told you... by Tim_F · · Score: 5, Funny

    The slashdot editors would have all the information they'd need to hack me...

  2. Not doing dumb things... by Spoing · · Score: 4, Insightful
    ...keeping my systems as simple as possible (from apps to services) and following my own advice on firewalls (see signature).

    If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. a la carte by Down8 · · Score: 4, Informative

    AVG AntiVirus. (Free)

    Windows Firewall (XP Pro). (~Free)

    Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)

    Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.

    -bZj

    --
    .sig
  4. Home setup by consolidatedbord · · Score: 5, Interesting

    Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)

    -cable modem->linux 2.4 kernel router running iptables
    -norton antivirus corporate edition
    -Microsoft Software Update Services for the Windows boxes
    -iptables for the Linux boxes
    -ntop and snort for traffic monitoring
    -I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
    -various other utilities to monitor tcp/ip traffic
    -good old fashioned obsessive tailing of logfiles along with vgrep
    :)

    --
    while true ; do echo this is my sig; done
  5. K.I.S.S. - always been and always will be best by mabu · · Score: 4, Insightful

    It's amusing that people focus on the latest-and-greatest security software, which IMO is more counterproductive than it is productive.

    You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.

    I think no matter how many advances we have in this area, the basic rules of security will always apply:

    1. Limit Accessibility.

    99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.

    Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.

    I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

    Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.

    2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.

    3. Keep all software fully-patched and up to date.

    4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.

    5. TEXT ONLY E-MAIL... This, after #1 is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.

    6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.

    7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.

    1. Re:K.I.S.S. - always been and always will be best by Hast · · Score: 4, Insightful

      No, the statement that RSA is somehow "security through obscurity" is just plain incorrect.

      STO is when you use unpublished methods and rely on the attacker not bothering to try to reverse-engineer your system as a method of protection. Examples are using XOR and similar cyphers in obfucated ways to hide the details.

      So far RSA has not been compromised. Until such a time using RSA in open and peer reviewed protocols (remember that RSA etc are only a small part of the big security system) is in no way "Security Through Obscurity", it is in fact Best Practices (tm) and that is pretty fucking far from STO! And if a really good way to factor into primes comes up then you CHANGE the encryption scheme!

      Most people have a grasp of just how many combinations there exist in a 2^1024 key. As far as we know the number of atoms in the universe (including dark matter and such) is on the order of 2^200. Now in RSA and other asymmetrical systems not all keys can be used, but still I'm willing to guestimate that a typical 2^1024 key has way more than 2^1000 valid keys (I can't be bothered to do a real estimate, and that's probably way to small).

      Now consider that the Universe is Pretty Damned Big, yet the number of valid keys completely dwarfs that. It is hard to put into words just how completely unlikely you are to brute-force an RSA key (or any other key for that matter). Just imagine all the absurd unlikely events EVER happening to you in the same microsecond. Then multiply that by about 50 billion times and you'll still be ways off, but you'll get the idea.

      In short, you are not going to brute force a key which is even 2^256, it's just not happening.

      If you are that worried about someone tapping into your wireless systems do you also ensure that all your electronics is protected from people snooping on your electric signals? Or do you wear sunglasses and gloves all the time to protect you from someone trying to get a copy of your iris/retina or finger prints? That's a lot more likely than someone breaking your encrypted wireless communication.

      Besides I'd rather have my precious data under my desk in encrypted form than in some bunker with a bunch of morons with explosives. No way to be sure what they end up shooting at when they are drunk and bored.

    2. Re:K.I.S.S. - always been and always will be best by bushidocoder · · Score: 5, Informative

      Gonna have to call you out on wireless networks. Wireless networks are bad iff you don't know how to configure them right. 802.11g with WPA with preshared public keys is pretty safe. Can it be cracked? Yes. But then again, so can SSL, SSH, PGP and every other encrypted data you throw out there in due time.

      The key to proper wireless setup is to associate different levels of trust between the wired and unwired components. Require WPA. Most household wireless routers allow you to specify a physical address list for visiting assets - do not allow unregistered MAC addresses to join your network. Have the wired network use a different subnet than your wireless network, so that the IPSecurity policies on your wired boxes can be set to prohibit access to the wireless agents on your house. Also, some routers let you set firewall rules between your wired and wireless subnets.

      Audit everything. Everything. Disk space is cheap.

      Also, run a packet sniffer on your wireless network. I once had a Netgear wireless router that would broadcast packets wired computers had sent it to route to the public internet across the wireless network - it had no concept of how to route correctly. If that's happening, throw that PoS away and get a real router.

      Can this be compromised? Yes, but it requires breaking through various levels of real, cryptographically enforced security. Remember that only one part of information security is denying access to intruders because at the end of the day, the most locked down boxes plugged into a network can still be hacked. You must be constantly vigilant to detect intruders as they attempt access, you must have a recovery plan if you are compromised (everyone needs AV software and an individual firewall on each computer behind the NAT firewall), and must be sufficiently auditted that you can trace access attempts back to the source. Watch your wireless traffic - with this type of security, in the very very remote chance you are compromised, its going to take a long while. Is someone trying a variety of network attacks on your wireless network? If so, I've got good news - rule out that its not someone in a car outside, and you can pinpoint it pretty quick down to a neighbor. Talk to them if you think its their 16 year old punk teen, call the police, leave a note on their door with a picture of Sauron's eye saying they need to be more sneaky, whatever.

  6. Re:Not much by skinfitz · · Score: 4, Insightful

    ...Never got infected through Internet Explorer or Outlook Express though. I don't use antivirus software and I don't get viruses or spyware.

    Forgive me for pointing out the obvious, but how do you know?

    Absolutely nothing you have there would prevent the latest GDI exploit from running code of attackers choice on your Windows box by you doing nothing more complicated than viewing an image.

  7. Ok, fine, I'll bite... by MachDelta · · Score: 5, Insightful
    Goddamn. The things people do to run Windows... It makes me glad I use Linux.
    Oh come on, lets not be hypocritical here. I seriously doubt anyone can say they've done a fresh install of *distro-of-choice* and not spent some time tweaking things to get their system into a fully usable state.
    Everyone does it, and just because one person has to install a firewall and another person has to hunt down drivers doesn't make either person superior to the other. Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.

    Myself, I use KPF and AVG, with AdAware on the side. Fortunatly, these three programs don't have much to do, thanks to Firefox and my cheap yet trusty DI-604 router. I'm actually going to be putting together a box for my parents this weekend too, so i've been busy loading up my USB flash drive with some of the aforementioned programs, and other first boot goodies. And if i'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on. Then i'll get to experience the numerous pains-in-the-ass of both worlds! Should be fun. :)
  8. Tin Foil and DuctTape by Sean+Johnson · · Score: 5, Funny

    I completely covered my PC with it. There`s no airlow, but at least it`s safe. I also sprinkled some holy water on it for good measure. Those Nazis will never get to my PC now.

    --
    >>>>>> Chewie, take the professor in the back and plug him into the hyperdrive.
  9. Hmm by Vokbain · · Score: 5, Funny

    I bought a Macintosh ^_^

  10. Old PC running Devil-Linux boot CD-ROM .. by torpor · · Score: 4, Interesting

    .. which also doubles as my Squid proxy/cache and DNS machine ..

    Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  11. truly wonderful firewall by nusratt · · Score: 4, Interesting

    -- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news.
    Tried it on trial, liked it so much I paid for it. :o

    -- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.

    -- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptablility to not-yet-signatured new threats.

    -- SpyBot, AdAware