Internet Security - the basics
If you’re reading this, you most likely have a computer and spend time browsing the web. How much, I wonder, do you know or think about internet security? Patrick Boyle has spent almost all his working life in occupations associated with computers and computing. Most recently he was the Systems Manager for a small Suffolk company with Windows Server based systems, hence his knowledge and interest in Windows security related issues. He moved to the Pyrenees-Orientales with his wife Caroline at the end of October 2005, ‘in search of the French dream.’ He has kindly agreed to be our site ‘computer consultant’ and in this first article, gives you advice on the best way to protect yourself from attack.
Almost all internet users will be aware that the internet today is a potentially risky environment. The unpleasant fact is that all internet users (and their computers) are constantly under attack from a multitude of sources, and with the high stakes involved (credit card details, for example), it is essential that we do everything possible to protect ourselves. You should be aware that some banks have tried to refuse to recompense customers who have been the victim of identity or card theft if the bank can show that the customer’s software hasn’t been kept up to date!
So, what can we do to protect our computers?
There are four types of threat that need to be recognized:
1. Exploits that use weaknesses in computer software
2. Viruses and worms
3. Spyware
4. Wireless networking hacks
In fact, threats 2 and 3 largely use threat 1, the weaknesses in computer software, to gain access to a computer or to take control of it, and ‘patching’ these weaknesses regularly is the single most important step in securing your machine. There are quite literally thousands of individuals working all over the world to discover new software weaknesses and then be the first to exploit them before they get patched. If you don’t keep your computer patched up to date, then you considerably increase your risk of becoming a victim of new exploits and you can also help to spread them to other users.
The first step:
Although all computer software will have weaknesses that could be exploited, it is usually the most widely installed software, which has the potential to affect the most users, that will be targeted. At present this means the Microsoft Windows operating systems (including its browser, Internet Explorer) and to a lesser extent, the Microsoft Office packages, since they all have the greatest user base. Because of this, Microsoft has developed its ‘Windows Update’ and ‘Office Update’ facilities to allow users to patch their computers as new exploits are discovered. Over the last couple of years this process has been automated so that, once set up, you have little or nothing to do to keep up to date. You simply need to be aware that the facility exists and know how to take advantage of it.
The second step:
To further secure a computer against attack it is essential to install an automatically updating anti-virus (AV) facility and to install a firewall facility on the machine. Both of these are necessary - they do different jobs - although we are starting to see some vendors providing security software ‘Suites’ which roll both functions into one facility. The anti-virus is needed to recognize and disable harmful pieces of software if they ever get onto your machine - from an email, or by visiting a web page, for example. The firewall is there to resist external attempts to get inside your machine, and almost as importantly, to alert you if something that has infected your machine tries to communicate back to its instigators or to pass itself on to other machines or users.
The third step:
Finally, and increasingly importantly, you need an anti-spyware facility to do much the same thing as the AV software, but for the category of exploit that tries to monitor what you do on your machine and send that information back to its instigators, or that tries to hijack your browser and take you to sites you don’t want to go to or continually show you pop-up adverts you probably don’t want to see.
So, taking each of these in turn:
1. How do you get your machine’s operating system (OS) patched up to date, and then how do you keep it that way?
The Windows Update facility works in two slightly different ways:
Manual Update
a) You can visit the Windows Update site, using Internet Explorer, and use the site’s facilities to scan your machine and determine what patches are needed to bring it up to date. You can then either be shown which updates are needed (the ‘Custom’ option) so that you can choose which ones to apply, or you can let the site apply whatever it thinks is necessary (the ‘Express’ option). If you take the ‘Custom’ option you will also be shown any non-critical updates and any hardware patches that are available for your machine. If you choose the ‘Express’ option, you will just get the security patches.
Automatic Update
b) For the more recent versions of the Windows OS - Windows 2000 and Windows XP - there is the ability to switch on the Automatic Updates feature of the OS (found in Control Panel) so that your machine will contact the Update site regularly on its own and apply any necessary updates. You can only use this option if your machine is already reasonably up to date (updated or bought within the last 12 - 18 months), but updating manually using method a) above will then make the Automatic Updates facility available. However, Windows 95, 98 and ME owners have only got the manual option open to them (more on Windows Update and these OS versions later).
Large downloads might be necessary
It should also be said that if your machine is badly out of date, you could find yourself facing several tens of megabytes of download, so a broadband connection is essential. Once your machine is up to date, you can often get away with a dial-up connection, since the automatic process downloads the patches in the background, as long as you are connected to the internet for long enough.
The Microsoft update cycle
It is helpful to understand the Microsoft update cycle, to know when patching might be necessary. Security updates are only issued by Microsoft once each month on the second Tuesday of the month. However, not all patches will be relevant to all versions of the OS, and some will not be ‘Critical’. So how do you know whether any updates are necessary? Although you can sign up for an email bulletin from Microsoft explaining the impact and scope of each new update, the safest action is either to switch on Automatic Updates, or to visit the Update site as soon as possible after Patch Tuesday.
Don’t forget to shoot the browser - Internet Explorer
Another victim of software-based threats is the Microsoft browser, Internet Explorer (IE). Although it has received a lot of updates in the last couple of years, most commentators in the industry recommend that PC users only use IE to access the Windows Update site and financial sites, which often force the use of IE only. It seems that Microsoft’s browser has had a number of security design problems, many of which Microsoft has dragged its heels over fixing. Also it is an obvious target for attack simply because there are so many users who automatically always use it. The usual recommendation is to use the latest versions of either Firefox or Opera. These browsers are at least as robust as Explorer from the security standpoint, and are far less the subject of security exploits. Their developers also seem far more responsive than Microsoft when security holes are discovered.
Even the Office is at risk
Finally, Microsoft’s Office suite has been the subject of some exploits in the past, and so if you are an Office user, you should also make a point of visiting the Office Update site, where a similar routine to the Windows Update site will establish what patches you need. These updates are very often large (20 - 40 megabytes) so a broadband connection is necessary. Any major update will also require you to insert the original CD containing the Office programs.
Now there’s Microsoft Update
Earlier this year Microsoft released a combined Windows and Office update called Microsoft Update, which will keep both suites patched automatically. You will often see ads on the Microsoft sites inviting you to sign up for this facility. If you are already patched up to date for both suites, it might save some update time to sign up, but I am not aware of any compelling reasons to do so.
The ‘legacy’ OS’s
Windows 95, 98 and ME users are a reducing number. Which is just as well, since Microsoft will not produce security updates for their OS versions, unless it considers that the threat is critical. It should be said that these OS’s are no longer mainstream and are not often specifically targeted by virus writers, so they are protected to some extent by their declining usage. Only the manual update option is available - there is no Automatic Update facility for these older operating systems. However you would be well advised to keep your legacy machines as up to date as Microsoft will allow you, even if it has to be done by hand.
2. What is my choice of Anti-Virus and Firewall software?
Turning to Anti-Virus and Firewalls, the first choice is between free and paid solutions. Historically most of these were either free, or available in a free version, and some of the suppliers still keep faith with that original concept. However their number is dwindling.
Something for nothing
There is nothing wrong with using a free AV solution or a free Firewall - experience shows that as long as you surf safely (i.e. don’t visit suspect or dubious sites) and don’t leave your email address all over the internet (e.g. in Newsgroups) you are not taking an unreasonable risk. This is especially so if your ISP already provides anti-virus for your email, as part of your internet subscription.
The two most credible free AV solutions are from AVG and Avast. In my experience, AVG is the simpler to install and operate.
There are also four reputable free-for-personal-use firewalls, from Kerio, Sygate, Tiny and Zone Alarm.
The Kerio product has just (December 1) been acquired by Sunbelt Software (a well-known anti-spam and anti-spyware vendor), but is currently still available.
Sygate has also recently been purchased by Symantec (a major anti-virus player) and with Symantec’s reputation, the free option might disappear.
The Tiny product was acquired earlier this year by another predatory software vendor (CA) who used to have their own free firewall which they ditched unceremoniously after a short while. The latest version (TPF 2005) isn’t free, but there are some sources for the unsupported previous version. Zone Alarm was bought some time ago by Check Point, a hardware firewall manufacturer.
All four products have been around since the early days of firewalls.
You don’t get owt for nowt!
If you feel that something as important as anti-virus and firewall protection should be paid for if they are to be relied upon, then the product with one of the best records in the home computing area is that from ZoneLabs. They have recently introduced a combined AV and firewall product which several industry commentators have praised. An alternative (not as popular as Zone Alarm) is the Platinum 2006 Internet Suite from Panda Software.
Take note - 1
One point regarding firewalls: Windows XP comes with a firewall (already switched on in SP2). However, you need to be aware that it is only half a firewall in that it blocks incoming attacks, but does nothing to alert the user about any attempts by a piece of malware on his machine to try to “phone home”.
Take note - 2
Only ever run one anti-virus and one firewall program on your machine - running two of each could cause serious problems.
3. Anti-spyware as well! - where will it all end?
The need for anti-spyware protection is a recent development - as if we didn’t have enough to do with all the other areas of attack - and it is currently the most difficult to define and identify. However, evidence of the potentially serious nature of this threat is given by the fact that, this time last year, Microsoft purchased Giant, one of the most well-regarded anti-spyware vendors at the time, and re-badged the product as its own Microsoft Anti-spyware offering. It is free (at the moment), it works in real-time and it does receive automatic updates. However, industry commentators remain suspicious of Microsoft’s impartiality in an area like this. An independent paid-for product that is often recommended is CounterSpy from Sunbelt Software. Another fairly well-rated offering is Webroot’s SpySweeper. My advice would be to choose whichever one you feel comfortable with and install it without delay - this is the next threat growth area on the internet, with virus writers joining forces with spyware authors to produce more and more sophisticated attack methods. You will be far better off protected than caught out when the next big attack arrives.
4. Wire-less isn’t threat-less!
Finally, wireless networking threats. Anyone with a new laptop will probably have an integral wireless networking capability. Used with a wireless modem/router or access-point, this can be used to surf the internet free from the need to be connected by a network cable. However there is a risk attached - wireless networks are inherently insecure. By default, your wireless network will be open to be used by any other wireless-enabled machine within radio range. As if this wasn’t bad enough, this also means that anybody with a relatively small amount of knowledge can hack into the machines on your network and do almost whatever they like with them. Most recent wireless routers will provide at least one security option that can be switched on - WEP. However this level of security can now be hacked, using tools freely available on some web sites, in a matter of minutes!

The only truly secure wireless protocol is known as WPA, and recently-purchased wireless routers will either support this as well as WEP, or they will be able to be upgraded to support it. Unfortunately, that isn’t the end of the story. Your laptop will almost certainly NOT support WPA without you obtaining a WPA client so that it can “talk WPA” to the wireless router.
Microsoft, in its wisdom, has provided Windows users with a free WPA client - which only works with Windows XP.
A free WPA client which works with Windows 2000 can be obtained from Symantec, following their purchase of Wireless Security Corp, earlier this year. However, the new owners do not have the reputation of providing anything for free, so any Windows 2000 user who might need this facility in the future should obtain a copy now, while it exists.