Most Home PC Users Lack Security
Ant writes "CNET News.com and MSNBC report that a survey of home personal computer (P.C.) users found 81 percent lacked at least one of three critical types of security. However, the number of consumers using firewalls and updated antivirus software is improving, according to a report released Wednesday. The vast majority of consumers surveyed were found to lack at least one of three types of critical security--a firewall, updated antivirus software or anti-spyware protection, according to a report by America Online and the National Cyber Security Alliance. Of this group, 56 percent had no antivirus software, or had not updated it within a week, while 44 percent did not have a firewall properly configured, according to the report. Meanwhile, 38 percent of survey respondents lacked spyware protection..."
Your survey is useless. Have a cookie.
National Cyber Security Alliance? Couldn't they at least have picked a different acronym than one that's been used in the computer field for a really long time?
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
I vote for AVG.
Real Daleks don't climb stairs - they level the building.
The free ones that work the best are AVG, AntiVir (Classic, Premium isn't free) and Avast!. I currently use AVG but the new version of AntiVir is supposed to work better and have a smaller footprint.
I'm quite inclined to agree with the parent. When I did work for a company that renovated donated computers and gave them out to low income individuals we made sure they had anti virus. AVG had a low enough footprint that it was able to run on machines with 16MB of RAM and Windows 95. That was two years ago, I'm not sure if current versions are as lean but it was a fast scanner and was easy on the resources.
Frankly this subject has been one of the biggest problems I've had to deal with back when I was the service manager at a computer store that serviced retail users. The complete and utter lack of security. This fell into three categories:
Lack of Anti-Virus
Most of the time I tried to hammer it into their heads that spending $40 now would save them a ton of heartache later. If I was EXTREMELY lucky, I could persuade them to go out and buy the software from Staples, bring it back to us, and we'd install it on their new machine before it ever left our store and its own defenses. Most of the time however I'd install the trial version of Norton or McAfee, inform them that THEY MUST get the full version before the trial period is over, and STILL see the goddamn thing within two months, loaded with enough viruses to call it the PC version of Typhoid Mary.
The part that sucked was that in spite of a verbal warning, a piece of paper taped to the computer and the monitor warning them that they NEED anti-virus programs, they still came to me with "Well why the @#$% didn't you tell me about this?"
Firewall
Actually this is no longer as much of a problem as it used to be now that we're seeing broadband and multiple computers in a house becoming the norm. We used to sell Linksys routers and that became a strong defense. Myself personally I run Norton Internet Security behind my Symantec Firewall/VPN appliance for a two pronged defense and so far I've yet to be broken into (although I've logged a ton of port sniffing attack attempts).
The third problem is Spyware.
At least this one is easy to fix. I usually install Spyware Doctor on the system that came into my shop and clean out the system (then uninstalling it unless the customer wanted to buy a license from PC Tools), then I'd install the free programs out there (Ad-Aware and Spybot Search and Destroy) to protect them in the future.
Spyware has never been too much of an issue for my customers because I could install a free program and if they ever had a problem I could talk them through the programs over the phone. For the most part that was all they needed so it wasn't too bad of a problem.
It's nice to see that more and more people are getting concerned about security. Just a little effort and a small investment and your computer can be safe with a minimum of fuss.
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
When you purchase a PC, you should have the option of installing freeware that might help you in the incessant barrage of spam, viruses, spyware, adware, bots and phishing emails. It might also help to have a short tutorial on how your PC becomes infected/compromised/used to propagate malicious code. Maybe then Windows would be a better and safer O/S?
For those who need some free help:
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (AVG anti virus)
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp (Zone Alarm firewall)
http://www.lavasoftusa.com/software/adaware/ (Ad-Aware adware/spyware detection)
http://www.safer-networking.org/en/download/ (SpyBot S&D adware/spyware detection)
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en (MS Anti-Spyware adware/spyware detection)
He who knows best knows how little he knows. - Thomas Jefferson
Clamwin is a great opensource A/V program.
Absolutely. The most effective firewall that I have is a not wireless four port home router that sits between the cable modem and my NAT box.
fast as fast can be. you'll never catch me.
AVG still has a free version, you just need to look a little harder for it on the site. I just installed it two weeks ago on my 70 y.o. father's new laptop.
Try http://free.grisoft.com/ for the free version of AVG
The GP wasn't referring to Vax or Unix machines of 20 years ago with regard to their simplicity. It referred to the fact that security was a solved problem on those machines. You yourself go on to say:
The thing really worth noting in your statement is that OS X uses a >20-year-old security system. It's using Unix permissions, straight from the BSD core of the system. The same BSD core used in the NeXTStep operating system a little under 20 years ago (albeit slightly upgraded since then).
Individual software packages, particularly those designed to listen for commands from the network and execute things locally (ssh, etc.) can have the sort of issues you describe in your last paragraph; As they get more complex, the task of maintaining security does potentially also become more complex. But on an operating system level, there have been sufficient rules in effect for a long long time now. For instance, just saying "this can only be done with root privileges" and "root privileges can only be gained interactively, and on a one-shot basis" will cover a vast amount of potential issues, and is pretty much what OS X does, as you describe (albeit with slight timeouts to root privileges, rather than pure one-shot operation -- although that timeout is user-configurable).
At the end of the day, MS-DOS, QDOS, and such, left that out in the interests of expediency, size, and (maybe) end-user perceived complexity/ease-of-use. It then became a standard. I like to quote my boss on this one:
He tells me that, having worked with Unix/BSD/Vax -level machines in the late seventies, when the IBM PC came out, he and his cohorts were interested to see it. They took one look and put it down as a failure -- a joke, even -- because it lacked so much of what they saw in their current machines. Unfortunately, it became the standard, in the process setting back the state of the art by many years.
Not least is the point that Unix/Vax systems were inherently multi-user systems, and they needed a robust way of preventing one user from destroying another's data. So this was built in from the very start. MS-DOS and QDOS didn't have this capability, so the standard became that any program had full access to just about anything. The only high security implemented was in the CPU itself, where a system trap was needed to get access to 'Ring 0' (privileged) instructions. On top of this, the somewhat limited nature of the system itself led many programmers -- used to working on a more capable OS -- to make modifications to the core system, to help their stuff work. That required privileged access to the system, in order to install hooks, drivers, and so on.
Of course, once this became a standard, it was hard to change that behaviour, and it never was changed because 'backwards compatibility' was the highest goal. So when multi-user functionality was built into Windows 9x/NT, privileged operation became the norm. People logged in as an administrator, because their programs were designed needing full access to the system, and little or no provision was made for interactive temporary privilege escalation within the OS itself. Unlike Unix/BSD, you couldn't just ask the user for an admin user & pass to get the privs needed to put some file somewhere special, and then lay down those privileges when you were done with them.
As a result, you get the horrible mess we're talking about: An IM program that can corrupt the core operating system and ultimately gain access to privileged-mode CPU cycles? WTF? A game that can modify the system kernel, or the boot sector of the hard disk? They can only do that because the system lets them, or because the system won't let them do some small operation without high privileges, and requires that the entire process runs with those privileges as a result.
-Q
As far as the Windows registry settings?
Start right here @ "the horses mouth" for Windows NT-based Os':
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120642
(That's a starting point for BOTH Tcp & NetBT & that tends to be "NT/2000 centric" but, most of it applies to Windows XP/Server 2003 as well!)
Here are more, & the very ones I used to define & understand the .reg files entries on that site:
Microsoft Windows Server 2003 TCP/IP Implementation Details MAIN PAGE:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
Microsoft Windows Server 2003 TCP/IP Implementation Details Parameters:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
SECURITY CONSIDERATIONS FOR NETWORK ATTACKS:
http://www.microsoft.com/technet/archive/security/prodtech/windows/iis/dosrv.mspx
TCP Transport Entries (all esoteric/unusual settings found here):
http://support.microsoft.com/kb/q102973/
TCP/IP Exploits and Countermeasures for Windows 2000 Server:
http://www.microsoft.com/technet/security/guidance/secmod150.mspx
Network Hardening and Security - Packet filtering Udp/Tcp - PortsAllowed + EnableSecurityFilters:
http://www.microsoft.com/technet/security/guidance/legsgch3.mspx
Prevent Session Hijacking
http://www.microsoft.com/technet/technetmag/issues/2005/01/sessionhijacking/default.aspx
ADDITIONAL REGISTRY SETTINGS - FOR AFD SETTINGS (ESPECIALLY):
http://www.microsoft.com/technet/security/guidance/secmod57.mspx
FOR TUNING PARAMETERS FOR SPEED FOR CABLEMODEM/DSL vs. 57.6k/33.6k/28.8k/14.4k DIALUP MODEMS:
http://www.speedguide.net/
* ENJOY! Those will define the settings altered/hardened & also explain EACH in detail as needed for your reference.
APK
P.S.=> What's in my initial URL is years of research since the NT 4.x-2000 days, & still works/applies to XP/Server 2003, & has had any added info. possible for them as well as the older NT-based OS' also... apk
Pretty much all of the users I've scrubbed machines for had the default free McAfee antivirus installed. They hadn't been updated, ever. No new virus defs downloaded, ever. Definition files were years old.
The users had no idea that they were supposed to be doing this. They don't read the instructions, they just see an antivirus program running, and figure they're protected.
None of this matters if the user is using their machine as a local admin (which most are). Demoting the user to a 'user' (not 'power user') is the biggest security improvement you can make. The rest is icing on the cake.
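An added example, not part of the comment above: one way to check for and plan the demotion it describes on a current Windows machine, using the LocalAccounts cmdlets that ship with Windows PowerShell 5.1. The function names are hypothetical; the group SIDs are the well-known built-in ones.

```powershell
# Added example: find everyday accounts that sit in the local Administrators
# group and preview moving them to the plain Users group.
# Well-known SIDs are used so this also works on non-English installs.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

function Test-CurrentTokenIsAdmin {
    # True only when the current process token carries the admin role.
    # With UAC, a non-elevated shell started by an admin-group member
    # returns False, so the group membership check below is the real audit.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DailyUseAdminAccount {
    # Enabled local user accounts that are members of Administrators.
    # The built-in Administrator account (SID ending in -500) is skipped;
    # domain members resolve to nothing in Get-LocalUser and drop out.
    Get-LocalGroupMember -SID $AdminsSid |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled -and $_.SID.Value -notmatch '-500$' }
}

"Current token is admin: $(Test-CurrentTokenIsAdmin)"

$candidates = @(Get-DailyUseAdminAccount)
$candidates | Select-Object Name, Enabled, LastLogon | Format-Table

# Preview the demotion. Keep one separate admin account for maintenance,
# then remove -WhatIf and run from an elevated shell to apply.
foreach ($account in $candidates) {
    Add-LocalGroupMember    -SID $UsersSid  -Member $account.Name -WhatIf
    Remove-LocalGroupMember -SID $AdminsSid -Member $account.Name -WhatIf
}
```

Listing members works from a normal shell; only the two membership changes need elevation.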
AVG is good, but I vote clamwin. It seems every bit as effective as the others and it plays real nice with winpooch. Winpooch is a free antispyware detector that checks for hooking (the registry scanning isn't great, but if you have active spyware, winpooch will get it).
As a bonus both of them are open source.