
How to Make Windows Secure -- with Free Software


Presentation Transcript


  1. How to Make Windows Secure -- with Free Software Howard Fosdick (C) 2006.5 FCI V 1.2

  2. Who Am I ?
     * DBA for Oracle (also DB2 & SQL Server)
     * A founder of IDUG, MDUG, CAMP
     * Management Consultant
     * Author, Rexx Programmers Reference (see www.amazon.com/rexx, www.RexxInfo.org)
     Independent Contractor -- hfosdick at the domain compuserve.com

  3. This Presentation is Based On--
     * Operating Systems principles (I taught cs550 at IIT)
     * Hands-on with the products
     * My column in Enterprise Open Systems Journal, www.eosj.com

  4. Poof ! Outline
     I. Malware
     II. Why is Windows Insecure?
     III. FOSS to Secure Windows
     IV. Microsoft Alternatives
     V. Fallout ?

  5. I. Malware

  6. Malware is Out of Control
     Millions of PCs are Infected ! Nearly all run Windows.
     [Chart: Percent of PCs infected, three surveys (Pew Research, National Cyber Security Alliance, WebRoot): 43%, 61%, 72%, on a 0-100% scale]
     Source-- MIT Technology Review, March/April 2006

  7. Malware is Growing Exponentially
     [Chart: Win32 viruses and worms discovered per half-year, Jan-June 2003 through Jan-June 2005, scale 2k to 10k]
     Source-- EWeek 9/26/05 pg. 24
     [Chart: Keystroke loggers released (thousands of apps), 2000 through 2005, scale 1k to 7k]
     Source-- EWeek 11/28/05 pg. 5

  8. I’m yours!
     Infections per Corporate PC (as per WebRoot 20K PC scan)
     Q4’04: 21.5   Q1’05: 21.5   Q2’05: 23.5   Q3’05: 27.0   Q4’05: 22.7   Q1’06: 23.4   Q2’06: 19.0
     Source-- Computerworld 8/7/06 pg. 45

  9. The Evolution of Malware
     [Timeline, 1980s to 2000s, earliest to latest: Boot disk viruses; Word and Excel macros; EPROM BIOS “updates”; Email attachments; Database attacks; RPC open port attacks; Trojans, RATs, keystroke loggers; Drive-bys (ActiveX, ActiveScript, BHOs, JavaScript, AJAX, etc.); Cross-site scripting; Media attacks (audio, film clips, RSS); Rootkits; More to come !]
     Three dimensions: 1. Type of attack  2. Attack technology  3. Payload

  10. The Evolution of Payloads
     [Same timeline as the previous slide: Boot disk viruses; Word and Excel macros; EPROM BIOS “updates”; Email attachments; Database attacks; RPC open port attacks; Trojans, RATs, keystroke loggers; Drive-bys (ActiveX, ActiveScript, BHOs, JavaScript, AJAX, etc.); Cross-site scripting; Media attacks (audio, film clips, RSS); Rootkits; More to come !]
     Attackers: Hacker Kids . . . to Professional Criminals
     Payloads: “Play” with you; Destroy OS; Destroy Data; Destroy PC Hardware; Identity Theft; Compromise US financial system

  11. The Evolution of Defenses
     Virus Scanners --> Virus Scanners, Spyware Scanners, Firewalls, Browser Hijack Defenders, Module replacement prevention, Intrusion Detection Systems (IDS), Real-time email scanners, --- etc ---
     Monolithic or Unitary product ?

  12. II. Why is Windows Insecure ?

  13. Why is Windows Insecure ?
     * “Windows is a target because it predominates”
       -- This explains why Windows is subject to attacks, not why it succumbs to them
     * “Any other OS would have the same problems subject to the same attacks”
       -- Not true! OS’s are as different as programming languages. They have different design goals, philosophies, etc. Some are more secure than Windows, others are less secure.

  14. Why is Windows Insecure ?
     To simply say that “Windows is insecure” is wrong. The problem is that Windows security is inadequate for its role as the untrained public’s primary--
       -- PC operating system
       -- for Internet access
     Windows’ security is just fine for many other purposes.

  15. Why is Windows Insecure ? Oops! It violates fundamental principles for secure OS design
     Example #1 -- Using the Internet
       -- The design assumption is that the Internet is free to program your PC and the PC OS does not need to protect itself
       -- Therefore
         -- Active scripting, ActiveX controls, .Net Framework, AJAX, JavaScript..
         -- Dynamic OS installs (of plug-ins, controls, BHO’s, Toolbars, Browser Extensions, fonts, etc)
         -- Most use Administrator or PowerUser to access Internet
     Example #2 -- Installing applications
       -- The design assumption is the OS does not have to protect itself from apps
       -- Therefore
         -- Untrained users use Administrator to install applications
         -- Application installs can change OS (eg install DLLs)
         -- Application installs update critical unprotected OS storage (the Registry)
       Versus Unix -- To install an Application, you create the application user id:
         + No Superuser for installs
         + The install can not change the OS (including Shared Libraries or DLLs)

  16. Windows User Groups Don’t Work for the Internet
     Number of Infections
                      Win 2000 SP4    Win XP SP2
       User                  1              0
       Power User           19             16
       Administrator        19             16
     Tests by EWeek, 11/28/05. Power User suffers the same penetration as Administrator.
     Windows’ rights management does not adequately address Internet access

  17. Oops! Technologies for OS Security ?
     Where’s the sandbox ?
     Where’s VM (virtualization technologies) ?
     What about user rights management ?
       Ring privileges that work for the requirements ?
       A system of id groups that make sense! ?
       Special “Browser State” run level ?
       Locks and keys ?
       Other security techniques

  18. But Microsoft is Smart… Why Would they Design an Insecure Operating System?
     The Goals Shifted on Them
       Early to mid 1990s: Easy-to-use OS; Integrated stack with LAN-controlled networking
       Today’s requirements: Secure OS with always-on Internet connection, browser-based communications
     They got to 50MM LOC before the problem became apparent !

  19. But Microsoft is Smart… Why Would they Design an Insecure Operating System?
     -- Microsoft chose ease of use and integration over security
       * This is how they won the “suite wars” (vs. Wordperfect, Lotus)
     -- The “integrated stack” yielded their desktop monopoly -- by locking out competing products
     -- Gates did not understand the importance of the Internet until it was too late and they had 50MM lines of legacy code
     -- Bill Gates’ The Road Ahead (1995) had 2 pages on Internet! (It was quickly yanked from shelves and quietly replaced with a re-written version with longer Internet coverage)
     -- “When the Internet really took off, we were surprised…” --Bill Gates, Preface to the 2nd Edition 1996

  20. The Solution ? --- Try to Retrofit “Security”
     Insecure Operating System Out of the Box
     From Microsoft----- System Restore, System File Checker, Signature Verification, Registry Checker, Trusted web sites, require post-install reboots, Windows OneCare Live, Win. Client Protection
     FOSS---- Virus Scanners, Trojan, RAT, Rootkit, Keystroke logger detection, Spyware Scanners, Real-time Email Scanning, Bi-directional Firewalls, Browser Protection, Module Replacement Protection
     It’s all a retrofit !

  21. What About Vista ?
     -- Trustworthy Computing announced Jan. 2002
     -- Microsoft’s promise to fix security in every prior release
     ==================================================
     + Vista brings incremental improvements . . . again
       ? Sandbox for IE
       ? Better user rights management
       ? Drive encryption
       ? More secure Registry
     Speculative -- I’m not a Vista tester, Vista not yet finalized

  22. III. FOSS to Secure Windows

  23. Careful! User Behavior is the Single Most Important Factor Determining Whether You Get Infected
     * System Restore checkpoint prior to any install
     * For older PC’s-- Registry Backup & Emergency Repair Disk (ERD)
     * Full malware scans after any install
     * Make & keep generational backups
     * Set high-security Browser settings (or don’t use IE)
     -- Avoid:
       -- Free screensavers, wallpaper, games
       -- Porno sites
       -- Hacker sites
       -- Music- and file- sharing software
       -- Browser modifiers (BHOs, Toolbars, Extensions)
     + Visit only reputable web sites
     + Selectively open email (an Outlook preview equals an open)
     + Selectively install programs
     + Keep real-time protection ON (firewalls, malware scanners, browser protectors)
     I didn’t know!

  24. Free! Where to Download Products
     * www.TheFreeCountry.com
     * www.Download.com
     * www.MajorGeeks.com
     . . . Sites offer--
       + Central repository for Downloads
       + Reviews, ratings
       + Product descriptions
     Good also for learning about Windows security !
     Keep a copy of what you download, free status sometimes changes ! --> or google “Last Freeware Version” (LFV)

  25. Firewalls [Diagram: traffic in to you and out from you]
     -- Microsoft’s firewall is uni-directional & inadequate. Why?
     -- Because Microsoft is a spyware vendor. Examples--
       -- WGA scandal
       -- WMP scandal
       -- WPA controversy
       -- Windows Search phones home
       -- Alexa controversy
       -- Win-98 registration scandal
       -- Embedded GUIDs
       -- Index.dat files
       -- many others
     * Bidirectional firewall is a must --
       + ZoneAlarm => Very widely used, easy user interface
       + Tiny => Small, fast, light, pre-XP (see LFV)
       + Kerio => Evolved from Tiny
       + Agnitum
     Products I can vouch for personally are in italics

  26. Anti-Malware Overview -- Anti-Malware Scanners
     + Batch: Signatures
     + Real-time: Signatures + Heuristics

  27. Anti-Malware Overview
     Categories:
       * Anti-virus
       * Anti-spyware
       * Real-time install prevention
       * Real-time module replacement protection (aka intrusion protection)
       * Browser hijack prevention
       * Rootkit detection
       . . . etc. . .
     Categories of malware they detect vary. No one product does it all, you need several.
     Keep definition files updated !

  28. What About Microsoft’s OneCare Live ?
     + Single-vendor, integrated solution
     -- Microsoft has a long track record
       -- As a spyware vendor
       -- For inadequate security
       -- Of privacy violations
     They sold you a leaky boat . . . Now you’re gonna buy your lifeboat from them ?

  29. Anti-Malware -- Anti-Virus
     * These features distinguish the best products:
       + On-access file scans
       + Incoming email scanner
       + Real-time activity scanning
       Recommendations--
       + AVG anti-virus => As good as any purchased pdt
       + avast!
     * Lesser products are simple batch scanners (but they may excel at that!)
       Recommendations--
       + ClamWin (aka ClamAV) => Slow scan but finds rootkits, runs on smaller / older PCs
       + BitDefender Console => Finds Sony/XCP rootkit

  30. Anti-Malware
     * Spyware detection:
       + Ewido => New, very effective
       + Ad-aware => Widely used
       + Spybot Search and Destroy => Popular, infrequent updates
       + A-squared => Runs on smaller / older PCs, inefficient update algorithm
     * Prevent Spyware installs:
       + SpywareBlaster => Both from JavaCool Software
       + SpywareGuard => Real-time protection plus BHO prevention
     * Prevent alteration of executables:
       + WinPatrol => Useful to run one of these
       + PestPatrol

  31. Anti-Malware
     * Startup protection:
       + StartupCop => Easy, works great
       + MSConfig => Built into Windows
     * Browser hijacker protection: => Protects you from browser hijacking through secret installs of Browser Help Objects, Browser Extensions, Toolbars, etc.
       + Don’t use IE => Use Firefox, Mozilla or Opera
       + Or set IE Options (Security, Privacy, Advanced) very carefully!
       + Hijack This! => Thorough, requires expertise
       + SpywareGuard => Prevents malware installs

  32. Product Updates
     * Data Definition File Updates:
     * Keep Definition Files updated for all products
       + Use built-in Schedulers or Windows Scheduler to do this
     -- What about Microsoft’s Windows Update ?
       -- Not recommended (eg: WGA abuses, installed w/o consent, misrecognized valid Dell licenses, etc)
       + Shavlik NetChk Protect => Free, new also covers other products, www.shavlik.com
       www.WindowsSecrets.com

  33. Rootkits
     Rootkit -- software that gets Superuser rights and compromises the operating system. New, growing threat.
     Full detection versus ease of use; detection versus removal !
     * Rootkit detection:
       + RootkitRevealer => Thorough, requires expertise
       + Anti-Hook => Thorough, requires expertise
       + Rootkit Detector (RD-CD) => From IIT students
       + IceSword =>
       + ClamWin => Finds some Rootkits
       + BitDefender Console => Finds some Rootkits
     If a successful Rootkit causes mass re-installs, it could kill Windows in the market place !

  34. Your Computer Spies on You !
     Windows tracks everything you do. Windows Tracks--
       -- All the web sites you visit
       -- The email addresses you send to
       -- Who creates/edits all Office files
       -- Office file editing statistics
       -- Puts permanent ID in all Office documents you create
       -- Tracks everything you have done recently
     Why do we care ?
       -- Identity theft
       -- Loss of your personal power to businesses & governments
     Privacy is power, and you have none ! (This is “Trustworthy Computing” ?)

  35. Your Computer Spies on You !
     -- When you delete a file, Windows only removes an index pointer to it; the file is still on disk. How long the file remains on disk depends on the disk allocation operations that follow the delete.
     * Secure deletion (overwriting):
       + Eraser => Shell program
       + BCWipe => Can also erase disk (see LFV)
       + Darik’s Boot and Nuke => Good for volume wiping
     * Erase temporary file areas:
       + Browser option built-in, also cache reset
       + Built-in DiskCleanup
       + EmpRunner
       + Empty Temp Folders
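The overwrite-before-delete mechanism the secure-deletion tools above rely on, as an added Python illustration (not code from the slides or from any of those products). It assumes a filesystem that rewrites a file's blocks in place; journaling, snapshots and SSD wear-levelling can leave the old data elsewhere, so a volume wiper is the stronger option in those cases.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3):
    """Overwrite every byte of the file at `path`, then return its size.

    A plain delete only drops the directory entry; the data blocks stay on
    disk until reallocated. Writing over the same byte range first replaces
    that data, provided the filesystem writes in place. The final pass
    writes zeros, earlier passes write random bytes.
    """
    size = os.path.getsize(path)
    chunk = 64 * 1024
    with open(path, "r+b") as fh:          # r+b keeps the size, no truncation
        for i in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                data = bytes(n) if i == passes - 1 else secrets.token_bytes(n)
                fh.write(data)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # push the pass through the page cache
    return size


def unlink_renamed(path):
    """Rename to a random name before unlinking, so the original file name
    is overwritten in the directory entry as well as the contents."""
    new_path = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, new_path)
    os.remove(new_path)


def demo():
    """Constructed sample: write a 'secret', overwrite it, confirm the
    bytes read back are zeros, then unlink it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed secret payload " * 1000)   # 27000 bytes
    size = overwrite_in_place(path)
    with open(path, "rb") as fh:
        all_zero = fh.read() == bytes(size)
    unlink_renamed(path)
    return size, all_zero, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```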

  36. Your Computer Spies on You !
     -- Windows tracks your recent activities. Delete traces of your recent activities:
       + Ad-aware => This feature is included
       + MRU Blaster
       + Windows Washer
     -- Windows tracks all web sites you visit:
       + Index Dat Spy => Lists sites you visited
     * Erase Internet sites visited logs:
       + Windows Washer
       + PurgeIE, PurgeFox -- Not free after 15 days use

  37. Your Computer Spies on You !
     -- MS Office -- Keeps Edit Info and GUIDs:
     Erase document creator, editor, edit statistics:
       + File Properties
     Remove GUIDs & other hidden data from Office files:
       + MS offers manual procedures -- Impractical !
       + Doc Scrubber
       + ID Blaster => Use w/ care
     My best recommendation-- Replace Microsoft Office with OpenOffice

  38. Your Computer Spies on You !
     -- Data Security Circumvention --
       * Boot a Live Linux CD (eg Ophcrack or Knoppix)
       * Use Win2K Recovery Disk
       * Break the password with ntpasswd
     Therefore you must encrypt data:
       + Built into Windows from XP on -- Transparent & convenient, but used to leave around unencrypted files in Temp area
       + QuickCrypt
       + Many others => Work on Files, Folders, Volumes, entire System
       + Email encryption with:
         + PGP
         + GNU Privacy Guard
         + Hushmail

  39. The Web Spies on You ! You!
     * Anonymous Surfing
     Web sites you visit get your:
       -- IP address (which may uniquely identify you)
       -- OS type and version
       -- Browser type and version
       -- Where you came in from
       -- What you see on their site
       -- Your behavior on their site
       . . . etc . . .
     To be anonymous to web sites you visit--
       + TOR => Firefox with add-ins for anonymity
       + JAP
       + I2P
       + Freenet
     Note-- this is not a Windows issue, it is an Internet issue

  40. The Web Spies on You ! You!
     * Anonymous Surfing
     It’s much more difficult to avoid your ISP tracking your every move
       + See SSL procedures for major subscription services like
       + Anonymizer -- Not free for ISP anonymity
       + Guardster -- Not free for ISP anonymity
     Why do we care ?
       -- ISP can sell your data to anyone
       -- ISP gives your data to the government
       -- AT&T’s new so-called “Privacy Policy” -- “While your account may be personal to you, these records constitute business records that are owned by AT&T”
       -- Evidence indicates government is spying on your emails, surfing habits, searches, and phone calls
     Note-- this is not a Windows issue, it is an Internet issue

  41. The Web Spies on You ! You!
     * Cookies:
       + They don’t store them where they used to
       + Cookie Managers built into FireFox, Mozilla
       + FOSS available
     * Web Bugs:
       + Bugnosis -- IE only
     Final Exam-- test your system by ShieldsUP! at www.grc.com
     Note-- this is not a Windows issue, it is an Internet issue

  42. Even Your Printer Spies on You !
     -- Your Printer Spies on You -- See www.eff.org (www.eff.org/Privacy/printers) for a list of printers that spy on you
     John wrote this !
     This is a Government issue, much like the tracking device in your cell phone

  43. IV. Microsoft Alternatives

  44. #1 -- Replace MS Client Stack with FOSS
     PC Stack -- Many are available
       Security Add-ons
       Browser: FireFox, Mozilla, Opera
       Email: Thunderbird, Evolution
       Office Suite: Open Office, others
       Languages: Perl, Python, Rexx, PHP, Tcl/Tk, others
       Development Tools: Eclipse, Java
       Operating System: Linux, BSD, others

  45. #2 -- Replace MS Server Stack with FOSS
     Server Stack -- Many available, few needed!
       Security Add-ons
       Browser: FireFox, Mozilla, Opera
       Application Server: JBoss, Tomcat
       Web Server: Apache
       Databases: MySQL, PostgreSQL
       Languages: Perl, Python, Rexx, PHP, Tcl/Tk, others
       Development Tools: Eclipse, Java
       Operating System: Linux, BSD, others

  46. #3 -- “Open Windows” (FOSS + Windows)
     Operating System: Windows
     All free and open source software on top. Eliminates key vulnerabilities --
       -- Internet Explorer
       -- Outlook
       -- Outlook Express
       -- Office

  47. #3 -- “Open Windows” (FOSS + Windows)
     [Chart: Percent of FOSS products running on Windows, four products (MySQL, JBoss, OpenOffice, SugarCRM): 68%, 50%, 40%, 35%]
     Source-- Computerworld 7/31/06 pg. 14

  48. Why Keep Windows ? “I’m only happy when it rains…”
     -- You don’t know any better -- Most consumers
     -- It ships with the machine -- You buy it whether you want it or not
     -- Because everybody else does (and compatibility) -- Examples:
       #1-- As a contractor, I use what client uses
       #2-- My backup for this presentation is in Powerpoint
       #3-- Microsoft controls file formats & file systems
       #4-- WINE emulator for Linux doesn’t run all applications
     -- You need an app -- Example -- ATT/Yahoo DSL only supports Windows

  49. FOSS + ?
     #4 -- WINE: Wine - Emulator; FOSS implementation of Windows API
       Windows applications on top of Wine, on Linux, BSD, or Unix
       3K apps (many games)
     #5 -- ReactOS: OS that is binary-compatible w/ Windows (apps & drivers); FOSS version of Windows
       Windows applications on top of ReactOS
       Alpha code

  50. IV. Concluding Thoughts
