Security Basics mailing list archives

RE: Protecting Home Machines


From: "Hays Jim." <HaysJ () ci hoover al us>
Date: Fri, 21 Nov 2003 15:20:30 -0600

Hope he doesn't get a help desk job


-----Original Message-----
From: Byron Sonne [mailto:blsonne () rogers com] 
Sent: Thursday, November 20, 2003 8:05 PM
To: Cherian M. Palayoor
Cc: security-basics () securityfocus com
Subject: Re: Protecting Home Machines


> He swears that he had not downloaded
> anything nor tried any removable media on this machine.

Users lie and exaggerate (for many reasons); maybe it really happened a 
couple of hours after he plugged it into the net and his kids got to the 
computer first. Perhaps he isn't aware of automatic software updating 
mechanisms. Or spyware! Never trust what users say, or at the least, 
treat it as suspect. I've had immediate family 'lie' to me about what 
they did or didn't install: "But it's just Windows Media Player, all I 
did was download an mp3!" Well, that counts as an install to me.

Maybe you used questionable antivirus software; the latest updates don't 
necessarily make you invulnerable. When I helped run hospital IT 
infrastructure (lotta users and many vectors for infection), we 
constantly updated our AV software and used dual scan engines. Stuff 
still got through. But I do have to give points to dual AV engines; it 
really did make a difference.

> Following a bit of research on the matter, I am now aware that it is 
> possible for machines to get infected on the fly especially through 
> unprotected home internet connections. The question is, "What do I do 
> to prevent such occurrences which have increased of late."

Switch operating systems to something that doesn't allow itself to be so 
easily attacked or manipulated. Running windows/Microsoft products and 
being connected to the internet is, simply put, asking for it. Sorry but 
that's the harsh truth. Their software is designed to be popular, not 
secure.

You can't prevent all such occurrences, but you can take steps to 
minimize them such as restricting what access and software the client 
uses on his machine, although this isn't much help on consumer windows 
boxen which don't adhere to acceptable (my opinion) privilege separation 
models.

The standard stuff applies; turn off active content via email, eliminate 
the preview pane, STOP USING OUTLOOK, use decent proxy/junkbusting 
software (check out http://www.privoxy.org/), etc. Maybe switch browsers 
too. Firewall off the appropriate ports (135, 137, etc.) when connecting 
to the net and implement stateful filtering. If the BIOS has boot block 
protection or stuff like that, it might be worth turning it on after 
checking it out. If they're accessing the net through a/your company, 
and only via that route, then you might be able to impose something on 
them when they connect.

I would consider it interesting and worthwhile, if allowable in your 
case, to install some kind of logging software on the machine so you can 
verify what the user or their machine is accessing, downloading, or 
installing. Take a baseline of it before you ship it out and compare it 
when it comes back. Even if it doesn't help you help the user, you'll 
find it interesting. Real life field returns are excellent educational 
opportunities; consider making an image of it and creating a library 
of infections so you can test your own infrastructure or AV software. 
Just don't infect your own network!

Regards,
Byron Sonne

-- 

        For good, return good. For evil, return justice.
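
The "take a baseline before you ship it out and compare it when it comes back" step from Byron's reply, as an added example that is not part of the original thread or of any tool the posters mention. It is a plain file-hash manifest: walk the disk, record a SHA-256 per regular file, store the manifest off the machine, and on return report files that were added, removed or changed. The `demo()` function builds a tiny constructed tree (fake `hosts`, `calc.exe`, `notepad.exe`) in a temporary directory so it runs offline; the file names and the edits it makes are invented fixtures, not indicators of any real infection.

```python
"""Baseline a machine's files before it ships out; diff them when it comes back."""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files don't go through RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path, exclude=("pagefile.sys", "hiberfil.sys")) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash and size.

    Symlinks are skipped so a link cannot steer the scan outside root; the names
    in `exclude` are volatile system files that legitimately change every boot."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file() or name.lower() in exclude:
                continue
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": p.stat().st_size}
    return snap


def save_baseline(snap: dict, out: Path) -> None:
    out.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified (content hash differs)."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed field-return scenario (fixture data, not a real system):
    baseline a tiny fake tree, simulate what came back, diff against the baseline."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as vault:
        root, baseline_file = Path(disk), Path(vault) / "baseline.json"
        win = root / "Windows"
        win.mkdir()
        (win / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (win / "calc.exe").write_bytes(b"MZ calc")
        (win / "notepad.exe").write_bytes(b"MZ notepad")
        save_baseline(snapshot(root), baseline_file)  # stored off the machine

        # ...machine comes back: hosts edited, one binary gone, an unknown one present
        with (win / "hosts").open("ab") as f:
            f.write(b"10.0.0.1 example.com\n")
        (win / "calc.exe").unlink()
        (win / "unknown.exe").write_bytes(b"MZ ???")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    # usage: baseline.py snapshot <root> <out.json>
    #        baseline.py compare  <base.json> <root>
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        save_baseline(snapshot(Path(sys.argv[2])), Path(sys.argv[3]))
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        report = compare(load_baseline(Path(sys.argv[2])), snapshot(Path(sys.argv[3])))
        print(json.dumps(report, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add: hash from outside the suspect OS (boot media, or mount the disk on a clean box), because anything that hides files from the running system will hide them from this scan too; and a file manifest says nothing about registry run keys, scheduled tasks or in-memory state, so treat it as one input to the investigation, not the whole of it. Keep the baseline JSON off the machine, as `demo()` does with its separate directory, or the returned box can simply overwrite it.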

