Security For All First Birthday: Revisiting Using public Wi-Fi safely

Number 2 with a bullet on the First Annual Security For All Hit List was a surprise [to me anyway]. This post on March 16, 2009 titled Using public Wi-Fi safely was a review/amplification of this article by Rich Vázquez. So I came up with this great idea that I would do another review/amplification on my original review/amplification. Are you confused yet? Don’t worry, you will be. Here are the high points.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

While this is certainly true, it’s a little light on actionable advice. Open Wi-Fi nets can be really useful if you want to do some innocuous web surfing or anything that doesn’t involve disclosure of sensitive information. Having said that, the unfortunate reality is that pretty much anything you would want to do online – including innocuous surfing – involves disclosure of sensitive information. The point is that if you want to use open public Wi-Fi you need to have your PC, whether it is running Windows, Mac OS/X or Linux, locked down tight. But what exactly does “locked down tight” mean? Turns out that is addressed in the next section.

Actually, using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier – information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.

I’ll admit it, I’m not a fan of the concept of anti-virus. I think it’s a sucker game with no winners but the anti-virus vendors and professional hackers. Certainly not you, the user. But far be it from me to suggest that you dump your anti-virus. If you use Microsoft Windows, then you probably should continue using it. But if I were you, I’d certainly stop paying for it. There are free anti-malware suites available – including one from Microsoft – that are as good or even better than the subscription based stuff. Just remember to keep it updated. The main point here is that anti-virus is optional but a good firewall is critical. Mac OS/X and most distributions of Linux (certainly all of the popular distros) ship with a very good firewall. Unfortunately the firewall that ships with Windows XP and earlier is weak and should be replaced with one of the excellent third-party software firewalls available. Many for free. To understand why you need a firewall, you need to know what it is and how it works. So allow me to digress. If you already know this stuff then feel free to skip it. Or comment on what I got wrong or oversimplified.

[Begin Digression: Firewalls]

When a computer communicates over a network there must be a way for other computers to find it. Otherwise no communication happens. Therefore each computer must have an address, not unlike a post office box. In order for any kind of communication to take place there must be at least two parties involved. Same with computers. Only computers have strict rules of etiquette governing conversations. There are always two distinct roles in a computer conversation: the server and the client. The server is the computer that is going to provide most of the information in the conversation. The client is the one asking for information. It’s easy to see this in action any time you connect to a web site. Your computer [acting as the client] contacts the web site computer [acting as the server] and requests information. The server sends the information in the form of a web page back to your client which displays it in your browser.

So how did your computer [the client] know how to reach the server? And how did the server know where to send the reply? Remember those addresses I mentioned earlier? Well, the URL that you typed into your browser (or the link you clicked on) gets translated into one of those PO Boxes. But that’s only half the story. Each of those PO boxes is shared by a bunch of different services. So each PO box has a port for each of the services. When the message goes to a specific port in the PO box, the service listening for messages will respond. The service knows where to respond because there is a return address (including a port) in the message. If a service is not listening at its port or the port is not accepting messages this is referred to as the port being closed. Any messages sent there are ignored. Here is the critical thing to know about ports: Server ports are well-known and advertised (otherwise nobody would be able to start a conversation) but client ports are random and used for one and only one conversation.

In other words when your client contacted that web site, the “http://” in the URL meant “send this message to port 80”, the HTTP port. Your client put a random port in the message return address so only replies to this particular message can get back to your client. By this time you’re probably wondering what this has to do with firewalls. Everything, actually. Stay with me.

Something that might not be obvious is that every networked computer is both a client and a server. That’s right. Even your PC or Mac. This is where a firewall comes in. A firewall controls all of the ports on your computer. A good firewall will start with almost all ports closed. In other words if you want your computer to share folders with other computers (i.e. be a server for the share service) then the firewall needs to open the share service ports (139 and 445). Early Windows XP (before Service Pack 2) had lots of ports open by default. Stuff like Universal Plug and Play (UPNP) and Remote Registry. This was a really bad idea since black-hat hackers figured out ways to crash or abuse those services and get malware on your computer by sending malicious messages to those open ports. But if you have a firewall, you can close all ports that you don’t need. That way even if the service is listening for messages, it will never get them. And all those malicious messages will just be ignored.

Further, a good bi-directional firewall watches for outgoing network messages. It knows that your browser and email program should be allowed to start conversations with other computers (well duh, they wouldn’t be very useful if they couldn’t). But it will block and/or warn you when something it doesn’t recognize (say NastyMalware.exe) tries to start a conversation with another computer. That’s why firewalls are so important.

[End Digression: Firewalls]
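To make the digression concrete, here is an added example of my own (a toy model, not code from the original post and not from any firewall product). It models the three behaviours the digression describes: a program the firewall approves gets a random single-use client port and the server’s reply is let back in to that port; unsolicited messages to every other port are dropped even if a service is listening there; and an unapproved program is refused when it tries to start an outbound conversation. The “stealth” versus “closed” distinction follows the ShieldsUP! terminology the post points to (silently drop, versus answer with a reset that reveals a host is there). The `HostFirewall` class, the port numbers and the process names are assumptions for illustration.

```python
import random
from dataclasses import dataclass, field

# IANA dynamic/private range that clients draw their one-conversation ports from
EPHEMERAL_RANGE = (49152, 65535)


@dataclass
class HostFirewall:
    """Toy host firewall (added example, not a real product).

    listening:        ports where a local service is actually listening
    allowed_inbound:  ports the firewall lets unsolicited messages reach
    egress_allowlist: program names allowed to start outbound conversations
    stealth:          True = silently drop unwanted inbound (ShieldsUP! "stealth"),
                      False = answer with a reset ("closed", which reveals a host exists)
    """
    listening: set
    allowed_inbound: set
    egress_allowlist: set
    stealth: bool = True
    conversations: dict = field(default_factory=dict)  # client port -> (process, remote port)
    log: list = field(default_factory=list)

    def _pick_client_port(self):
        # A random port used for one and only one conversation
        while True:
            port = random.randint(*EPHEMERAL_RANGE)
            if port not in self.conversations:
                return port

    def outbound(self, process, remote_port):
        """A local program asks to start a conversation. Returns its client port, or None if blocked."""
        if process not in self.egress_allowlist:
            self.log.append(f"BLOCK egress: {process} -> port {remote_port} (not an approved program)")
            return None
        port = self._pick_client_port()
        self.conversations[port] = (process, remote_port)
        self.log.append(f"ALLOW egress: {process} -> port {remote_port} from client port {port}")
        return port

    def inbound(self, dst_port):
        """A message arrives from the network addressed to dst_port on this host."""
        if dst_port in self.conversations:
            return "ACCEPT"  # reply to a conversation a local program started
        if dst_port in self.allowed_inbound and dst_port in self.listening:
            return "ACCEPT"  # a service we deliberately expose, e.g. a file share
        # Everything else: the service may be listening, but it never gets the message.
        return "DROP" if self.stealth else "REJECT"

    def end_conversation(self, client_port):
        """Client ports are single-use: once the conversation is over the port goes away."""
        self.conversations.pop(client_port, None)


def demo():
    """Walk through the scenarios in the text; returns the verdicts so they can be checked."""
    fw = HostFirewall(
        listening={139, 445, 5000},      # file sharing and UPnP listening, as on early XP (constructed)
        allowed_inbound=set(),           # nothing exposed: the stance for an open Wi-Fi network
        egress_allowlist={"firefox.exe", "outlook.exe"},
    )
    results = {}
    results["share_probe"] = fw.inbound(445)                          # unsolicited SMB probe -> DROP
    results["upnp_probe"] = fw.inbound(5000)                          # unsolicited UPnP message -> DROP
    results["malware_egress"] = fw.outbound("NastyMalware.exe", 443)  # phone-home attempt -> None
    port = fw.outbound("firefox.exe", 80)                             # browser opens http:// -> client port
    results["browser_client_port"] = port
    results["web_reply"] = fw.inbound(port)                           # server's reply reaches that port -> ACCEPT
    fw.end_conversation(port)
    results["stale_reply"] = fw.inbound(port)                         # same port after the conversation -> DROP
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>20}: {verdict}")
```

Run it as a script to see the verdicts; the `log` list records why each outbound request was allowed or blocked. Setting `stealth=False` turns the drops into rejects, which is exactly the difference ShieldsUP! reports between a stealthed and a merely closed port.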

[In response to Rich's advice that file sharing be turned off] Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Actually that just about covers it. There is never a good reason to have a Windows file server on an open Wi-Fi network. Period.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

There is no substitute for common sense. If you want to check your personal email from a Wi-Fi hotspot, sure go ahead. Much as we would like to believe the contrary, our personal mail is mundane, boring and of little value to anyone else. Your tax return, or your employer’s internal profit forecast are a completely different story.

Regardless of how “stealthy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently this article from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!

In case you forgot, your Wi-Fi adapter is a radio. The hot spot wireless access point is also a radio. Radio waves go everywhere and can be received by anybody in range with a radio receiver tuned to the right frequency. It’s not just talk radio hosts that think this is a swell idea. But again, regardless of how well protected your Wi-Fi signal is, if there is sensitive information on the screen, where anybody within sight range can see it, it’s still exposed. Remember, if you stand naked in front of a window, even if the window has bulletproof glass, you’re still exposed.

Finally, as far as I know Rich still hasn’t joined the Security Bloggers Network. And he still should.

Using public Wi-Fi safely

Rich Vázquez, a fellow CISSP, has an article in the Georgetown Hutto/Taylor by way of Community Impact Newspaper entitled Ways to use public Wi-Fi safely. While generally good advice, I feel compelled to, if not disagree exactly, elaborate on some of his statements. So here goes.

The first thing to do in a public space is find the name of the network to connect to. Hackers sometimes set up similarly spelled networks, such as HavaHouse instead of JavaHouse. This is called an Evil Twin Attack. Once connected to the imitation network, hackers can get information from the computer and internet activity. It is important to verify the name of the intended network before connecting to one.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

Using anti-virus and firewall software is a front line of defense. A firewall prevents someone from finding a program on a computer that would allow them to connect and steal information. If a hacker can connect to a victim’s computer, he or she can also find a way to infect the victim’s computer with a virus and later steal private information. Many criminals collect information in large databases and work through the names over time. Some frauds are executed over many months or years, so victims may not realize their information or computer has been compromised until the criminal is ready to use it.

Actually, using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier – information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.

File sharing is also a big risk. Many people have multiple computers in their homes and share files. If a folder with family pictures or business documents is shared at home, those files will still be shared when connected in a public place and may be exposed to anyone else on the network.

Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Not every attack is high-tech. While engrossed in email or doing taxes online, someone may be sitting nearby carefully watching for user names, passwords or other personal information. This is called shoulder surfing. Social engineering can be a series of emails, phone calls or a conversation that tricks a victim into revealing information that can be used later to bypass security. That same person who was looking over a victim’s shoulder could start a conversation and during casual chatter find out additional personal information such as birthdays, names of children and names of pets — all commonly used passwords. Without ever touching a computer, a hacker could find out e-mail providers, banking information, and answers to commonly asked security questions.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

The easiest way to confirm a secure connection is to check for the https, with an s at the end, on a website to verify that it is using basic encryption for the traffic. Errors on the page could also be an indicator to watch out for. Sites using https are using SSL Certificates, which help verify the website is authentic. The information sent between visitors and the website is also encrypted, or scrambled so that someone watching the network cannot read the information.

Encryption helps protect website visitors from wireless sniffing. Tools are available for free that enable information to be tracked as it moves on the network. Attackers can watch a website visitor’s traffic and use it to find passwords or even recreate a document or file sent to someone via the internet.

Again Rich makes a very important point. Regardless of how “stealthy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently an entry on the Security Bloggers Network (sorry I forget who, please set me straight since I’d really like to give credit where credit is due) described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!

[UPDATE] The blog entry referenced earlier is from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security. In addition, I referenced it earlier in this blog in an entry entitled Save us from the other people.
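Both the original paragraph above and its restatement in the anniversary post say that HTTPS only helps if you actually check the certificate, and that few people know what that means. As an added example of my own (not code from the original post, Rich’s article, or any browser), here is what the check consists of, written out: the name on the certificate has to match the site you typed (with browser-style wildcard rules), the validity window has to contain today, and the chain has to lead to a trusted authority. The last step is delegated to Python’s `ssl` module, which already refuses untrusted or mismatched certificates when `fetch_and_check` connects; the explicit `certificate_problems` function is there so you can see the name and date checks on constructed certificate dicts (in the layout `getpeercert()` returns) without touching the network. The `example-bank.test` names and the fixed timestamp are constructed for the demo.

```python
import socket
import ssl
import time


def _pattern_matches(pattern, hostname):
    """One SAN/CN pattern against a hostname. A wildcard is only honoured in the
    leftmost label and matches exactly one label, as browsers do (e.g. *.example.com
    matches www.example.com but neither example.com nor a.b.example.com)."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the certificate was issued for hostname. When subjectAltName DNS
    entries exist they are authoritative and the subject commonName is ignored."""
    hostname = hostname.lower().rstrip(".")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_pattern_matches(p, hostname) for p in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _pattern_matches(value, hostname)
    return False


def certificate_problems(cert, hostname, now=None):
    """Reasons this certificate should not be accepted for hostname (empty list = the
    name and validity window are fine). Chain validation against a trust store is a
    separate step, done by the SSLContext in fetch_and_check()."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return problems


def fetch_and_check(hostname, port=443, timeout=5):
    """Connect with a default context (chain and hostname verified against the OS trust
    store; an untrusted or mismatched certificate raises ssl.SSLCertVerificationError),
    then re-run the explicit checks on the certificate the server presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert, certificate_problems(cert, hostname)


# Constructed certificates in the dict layout getpeercert() returns; not real sites.
GOOD_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
WILDCARD_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "*.example-bank.test"),))
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jan  1 00:00:00 2021 GMT")

if __name__ == "__main__":
    now = 1_700_000_000  # mid-November 2023, fixed so the demo is reproducible
    print(certificate_problems(GOOD_CERT, "www.example-bank.test", now))
    print(certificate_problems(GOOD_CERT, "www.example-bank.test.evil.test", now))
    print(certificate_problems(EXPIRED_CERT, "www.example-bank.test", now))
```

The second demo line is the look-alike case: a certificate that is perfectly valid for `www.example-bank.test` says nothing about `www.example-bank.test.evil.test`, which is why the padlock alone does not tell you which site you are on. The man-in-the-middle case in the text is the one `ssl.create_default_context()` catches for you, because an interposed certificate will not chain to a trusted authority.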

Check out Rich’s article, he’s got some great resources listed. Maybe we can even convince him to blog with the SBN.

7 Lessons SMBs can learn from big IT redux


David Strom has an interesting article in Network World about 7 Lessons That SMBs Can Learn from Big IT. It’s basically sound and definitely worth checking out. But there are some important gotchas and caveats that didn’t make the cut. So I thought I’d just stuff in a few extra ideas and warnings into the list.

1. Standardize on Desktops and Cell Phones to Reduce Support Differences

This is really a great idea, and you will definitely save money, pain and suffering by standardizing your hardware and software. This would work really swell in an ideal world where you started from zero – with no existing “legacy” equipment or software and were able to bring everything in completely new. Problem is, not only do you have legacy hardware and software, you also can’t afford to refresh every desktop or cell phone simultaneously. So what you are forced to do is review your standards continuously and develop a “refresh path plan” that takes into consideration that different departments (or users) have completely different refresh schedules. For example, you need to refresh engineering every year, but accounting can probably refresh every 3 years. This also leads to some gnarly incompatibilities with different versions of software. A notorious example of this is brought to you by Microsoft who chose a new, improved and decidedly not backward compatible format for Word documents in Office 2007. Finally there is the problem of what “standard” means to hardware vendors. Just for grins compare actual hardware – with the same SKU – that ships in early and later versions of a Dell model number. Just keep in mind that if you choose to save money by standardizing on consumer hardware you run the risk of incompatibilities even with the same model number.

2. Perform Off-Site Backups

Off-site backups are definitely a must have. But they must also be automatic. No transferring data by hand from one place to another. Recall those data breaches by way of lost backup tapes? David suggests some online solutions and even cites a nifty side effect of this method.

Earlier this summer, Damian Zikakis, a Michigan-based headhunter, had his laptop stolen when someone broke into his offices. He replaced it a few days later; and because he had used Mozy, he thought that he was covered in terms of being able to bring back his files from the Internet backup.

When Zikakis had a moment to examine the layout of his new machine, he “found several incriminating files. The individuals who had my computer did not realize that the Mozy client was installed and running in the background. They had also used PhotoBooth to take pictures of themselves and had downloaded a cell phone bill that had their name on it,” he says.

Another possibility is to utilize your web hosting provider or colocation service to provide backup and archive space. In any case, it has to be offsite, easy and automatic otherwise it just won’t work.

3. Use Hardware to Secure Your Internet Connection

An article like this really shouldn’t have to include a point this obvious. But sadly it does. Not only that, it cannot be stressed strongly or often enough that you have to understand and configure your security hardware. You can’t just plug it in and be safe. Furthermore, the appropriate selection of a security solution is critical. No, they are not all created equal. And no, they don’t all do the same things. The hardware that David mentions by way of example is a Unified Threat Management (UTM) system which generally puts quite a bit of security functionality into a single box. UTMs basically secure your internet access and if you intend to become larger than an SMB you need to be aware that they don’t scale up that well. Also if your problem is access control, rather than internet security, a Network Access Control (NAC) system might be more appropriate. Or you might need both. Or something lighter weight like StillSecure’s Cobia network platform. Or something completely different. The point is that while everyone agrees that you need something – just which something is not a trivial question. There is no one size fits all security solution. Here’s where judicious use of your consulting budget makes a lot of sense. And no, I’m not a consultant. I just play one on the internet.

4. Use a VPN

If you don’t like eavesdroppers and you do anything remotely, you need a Virtual Private Network (VPN). Period. They are cheap, easy to set up and will probably even come with that UTM solution you are considering in #3. If you choose to do this in-house instead of using managed VPN services like the ones mentioned by David, make sure you have the internal expertise to handle it. Do not hire a contractor to set up your VPN. Either outsource it all or none of it.

5. Run Personal Firewalls, Especially on Windows PCs

Actually what this title should probably be is “Run a desktop security suite on Windows PCs and make sure that all endpoints are compliant to your policies before you let them on your network.” While that is certainly longer winded than David’s succinct title, it more accurately captures what he is saying. The point is that you should have a desktop security policy that specifies what software your network endpoints must be running and have a way to determine if your network endpoints are compliant to that policy. The best way to accomplish that is with a Network Access Control (NAC) solution, like the Napera appliance mentioned in the article. There is, as usual, more to the story. Once you determine that an endpoint is non-compliant you can’t quarantine it forever. You have to provide a remediation mechanism, preferably automated, so that users can get back to work as soon as possible. It’s been my experience that sales guys get really cranky if you quarantine them for a long time. And just try that with your CEO. Bet it only happens once. And if you are going to have a NAC solution in place, what about “guest” users – you know, contractors, visiting product reps, partners. They all need varying levels of access to your network as well, while you still need to be protected. The point is that this isn’t as easy as slapping in an appliance and your endpoint compliance problems are solved. If a sales guy tells you different, hang up the phone. Now.

6. Rely on VoIP PBX for Your Phone System

This is definitely one of the biggest money and time savers you can do. The services associated with a good VoIP PBX system are killer and my experience with these systems has been excellent. The only caveat here is that you should definitely get VoIP as a managed service unless you have some really serious talent in-house. If you think you can just whip up an Asterisk server on one of your Linux boxes and you are good to go, think again. VoIP is very cool and it isn’t that hard if you really know what you are doing. Which I don’t and you probably don’t either.

7. Have a Solid Test Plan for Adding New Technology

This is probably the most important point. Treat your technology test plan like an actual project. It’s not good enough to simply say, “Joe will look into it”. That’s not a plan. And it assumes that Joe will do it during his slack time (an IT guy with slack time – whoa!). What will actually happen is that Joe will call one or two vendors and talk to the nice sales folks and ultimately pick the one with the best swag or the hottest looking booth babes. Just pony up and do it right. It will save you beaucoup time, money, pain and suffering. And you stand a chance of actually developing some of that in-house expertise.

Security ideas for your mom revisited

Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid at our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference? In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

  1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically, several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are: do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPNP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to the Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet.
In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall, eliminates most of the need for anti-virus software (more heresy I know). But I like the idea of cutting off the malware at the pass, as it were.
  2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft BitLocker, which is available with Vista Ultimate (and Vista Enterprise). For most average users it’s probably not worth the $300 upgrade to Vista Ultimate, but business users who are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to BitLocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. One caveat: TrueCrypt’s whole-disk (system) encryption is a Windows feature; on Mac and Linux it gives you encrypted volumes, so on those platforms keep the sensitive stuff inside the volume. Two more things worth knowing. Full disk encryption protects data at rest, meaning a machine that is powered off; a laptop that is merely asleep or still logged in has the key sitting in memory and is wide open, so shut it down before you carry it around. And the encryption is only as strong as the passphrase, so use a long one, and keep the recovery key somewhere other than on the laptop. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups), which is far less valuable than your data and personal information.
  3. Get a good password manager. Certainly you can try to create and remember fifty-odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. The one password you still have to remember, the master password, now protects all of the others, so make it a long passphrase and never use it anywhere else. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often. The other thing the manager buys you is that every site gets its own password, so when one site is broken into the thieves don’t get your bank along with it.
  4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like Facebook or MySpace, you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email address to anyone but those sensitive accounts. The reason goes beyond spam: your primary address is where the password resets for your bank and other sensitive accounts land, so an address that isn’t on any social site or mailing list is one less thing an attacker knows about you. This can be a problem if you’ve already let the horse out of the barn, so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary, asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality are crucial, then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure, email environment. For everyday use it’s overkill, but if you are sending sensitive messages to your lawyer it is definitely worth considering.
  5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand, tend to favor Mozilla (Firefox) or WebKit (Safari and Chrome) browsers. The security comes from the separation, not from the particular browser: the banking browser never visits a site that could plant something in it, so keep it fully patched, keep toolbars and add-ons out of it, and close it when you are done. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard, and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
  6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious, or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allows you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else: the files and registry entries a sandboxed program writes land in the sandbox instead of on the real system. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply turns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Neither approach is an impenetrable wall (a virtual machine is the stronger isolation of the two), and in either case don’t type your real passwords into something you are only trying out. Trust me, this will save your bacon.
  7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means don’t play games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hottie you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files, and your VPN client doesn’t cut off the local network while it is connected, your home machine is now a bridge between the two and you could be sharing those files with everyone on your company VPN. I’d think about that for a while. Finally, if you work for the government you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.
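To make the router checklist in #1 concrete, here is an added example (my code, not part of the original post or of any vendor's firmware) that audits a consumer router's settings against it: defaults changed, remote administration and UPnP off, no reply to pings from the WAN, WPA2 with a long passphrase, SSID broadcast off and a MAC allow-list in place. The configuration dictionaries and their key names are constructed for the example and do not correspond to any real router's config format; the 20-character passphrase threshold is this example's assumption.

```python
# Added example: audit a consumer router's settings against the checklist in #1.
# The key names below are an assumption for illustration, not a vendor format.

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "belkin", "default"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
MIN_WIFI_PASSPHRASE = 20  # assumed threshold for this example


def audit_router(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Factory defaults are the first thing anyone tries.
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default")
    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin password is a factory default")

    # The admin page should be reachable only from the LAN.
    if cfg.get("remote_admin", False):
        findings.append("remote administration is enabled")
    # UPnP lets any program on the LAN open inbound ports without asking you.
    if cfg.get("upnp", False):
        findings.append("UPnP is enabled")
    # "Stealth" means no answer at all to probes from the internet side.
    if cfg.get("wan_ping_reply", False):
        findings.append("router answers ping from the internet (not stealth)")

    if cfg.get("wireless_enabled", False):
        # WPA2 is the real lock; the rest only deters the casual neighbor.
        if cfg.get("encryption") != "WPA2":
            findings.append("wireless is not using WPA2")
        if len(cfg.get("wifi_passphrase", "")) < MIN_WIFI_PASSPHRASE:
            findings.append("wireless passphrase is too short")
        if cfg.get("ssid_broadcast", True):
            findings.append("SSID broadcast is on")
        if not cfg.get("mac_filter"):
            findings.append("MAC address allow-list is empty")
    return findings


# Constructed "out of the box" settings: fails every check.
FACTORY_CONFIG = {
    "ssid": "linksys",
    "admin_password": "admin",
    "remote_admin": True,
    "upnp": True,
    "wan_ping_reply": True,
    "wireless_enabled": True,
    "encryption": "WEP",
    "wifi_passphrase": "1234567890",
    "ssid_broadcast": True,
    "mac_filter": [],
}

# Constructed settings after working through the checklist.
HARDENED_CONFIG = {
    "ssid": "mom-net-7q2",
    "admin_password": "purple giraffe eats 93 waffles slowly",
    "remote_admin": False,
    "upnp": False,
    "wan_ping_reply": False,
    "wireless_enabled": True,
    "encryption": "WPA2",
    "wifi_passphrase": "orange kettle whistles at 6 every morning",
    "ssid_broadcast": False,
    "mac_filter": ["00:1a:2b:3c:4d:5e"],  # constructed MAC address
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_router(cfg)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The factory configuration trips all nine checks; the hardened one trips none. ShieldsUP! is still worth running afterward, because it tests what the internet actually sees rather than what the config page claims.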
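For #3, here is an added example (my code, not part of the original post and not any particular password manager) showing the three things a good manager does for you: it generates passwords from a cryptographic random source, it stretches the one master passphrase into a key with PBKDF2 rather than storing it, and it flags accounts whose passwords are past the rotation schedule given above (email every 6 months, financial every 3). The sample vault entries, the date used as "today", and the exact day counts for each category are constructed assumptions for the example.

```python
# Added example: the pieces of a password manager that matter for #3.
import hashlib
import math
import secrets
import string
from datetime import date

# Rotation policy from the post: email every 6 months, financial every 3 months.
# The day counts and the "other" bucket are this example's assumptions.
ROTATION_DAYS = {"email": 182, "financial": 91, "other": 365}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Draw a password from the OS CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a password drawn uniformly: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def derive_vault_key(master_passphrase, salt, iterations=200_000):
    """Stretch the one master passphrase into a 32-byte key with PBKDF2-HMAC-SHA256.
    A real manager encrypts the vault with this key; the passphrase itself is
    never written to disk, only the salt and the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def rotations_due(entries, today):
    """Return the names of entries whose password is older than its category allows."""
    due = []
    for entry in entries:
        limit = ROTATION_DAYS.get(entry["category"], ROTATION_DAYS["other"])
        if (today - entry["last_changed"]).days > limit:
            due.append(entry["site"])
    return due


# Constructed sample vault (metadata only; the secrets themselves would be encrypted).
VAULT = [
    {"site": "isp_email", "category": "email", "last_changed": date(2009, 8, 1)},
    {"site": "bank", "category": "financial", "last_changed": date(2009, 11, 1)},
    {"site": "gmail", "category": "email", "last_changed": date(2009, 12, 1)},
    {"site": "forum", "category": "other", "last_changed": date(2009, 6, 1)},
]
AS_OF = date(2010, 3, 16)  # constructed "today" for the example

if __name__ == "__main__":
    print("new password:", generate_password(), f"({password_bits(20):.0f} bits)")
    key = derive_vault_key("a long master passphrase mom can remember",
                           secrets.token_bytes(16))
    print("vault key:", key.hex())
    print("rotate now:", rotations_due(VAULT, AS_OF))  # ['isp_email', 'bank']
```

A 20-character password from a 94-symbol alphabet is about 131 bits of entropy, far beyond anything worth guessing, which is exactly why you let the manager make them and remember them. The master passphrase is the one that has to be both long and memorable.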

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note - blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.