bob cook doai webmaster ©2010 - Discovery Owners Association

AND PROTECTING YOUR PRIVACY
BOB COOK, DOAI WEBMASTER, ©2010
PC INFECTION RATES
• 25% of business PCs infected
• 60% of all PCs infected
• Vast majority of users are unaware
• More security attacks in 2009 than all previous years combined
• Source: Sophos
PROJECT AURORA
• Google and 30 other top companies were recently attacked and data stolen using sophisticated malware techniques
• These attacks were not against Google servers... they were targeted at individual laptops which were then used to get “inside” access
• And you think you are safe?
SECURITY VULNERABILITIES
• Windows (XP, Vista, Windows 7)
• Applications (Browser, Excel, PowerPoint, PDF, ZIP, Java, JavaScript)
• Hardware Drivers (Computer, Printer, Scanner, etc.)
• Must keep them all updated!
• But the biggest vulnerability is YOU!
HOW ARE VULNERABILITIES EXPLOITED?
• First, they have to get on your computer:
  - Open email attachments, click on links
  - Downloading files (programs, pictures, PDFs, ZIP files, etc.)
  - Just VISITING a website, perhaps through a poisoned Google SEO search result
  - Just VISITING a “good” website that has been hacked (such as US Treasury, reported May 2010)
  - In some cases, just RECEIVING an email, no
SEO POISONING EXAMPLE
• Four of the top five hits are links to poisoned sites (underlined in red)
• Downloaded malware submitted to VT
• Only 24% detection rate!
PROTECTING YOUR COMPUTER
FIRST LINE OF DEFENSE: GET THE UPDATES
• WINDOWS - Windows Update (Note: SP3 is the only version supported for XP)
• APPLICATIONS - Secunia PSI
• DRIVERS - Computer / Hardware Vendor, Device Doctor
SECOND LINE OF DEFENSE: PRACTICE SAFE COMPUTING
• Never log in as Administrator when on the Internet
• Keep confidential files on an external drive that is only connected when you need it
• Encrypt confidential files (or keep them on the external drive)
• Don’t open attachments
• Don’t download or share files
• Don’t click on shortened URLs
• Turn off scripting (not a viable alternative)
• Use a more secure browser (Chrome)
THIRD LINE OF DEFENSE
• Use an AntiVirus program and keep it updated
• OK, I did all that stuff (well, maybe not all of it). But why do I still get infected? Why won’t my AV program protect me?
MALWARE FACTS
• Malware testing results are mostly bogus, driven by advertising dollars
• Six different kinds of rootkits; most AV only catch one (the easiest)
• Malware authors test their product against AV software ($Billion business)
• Timeline between discovered malware and patch can be months - in the meantime, you are vulnerable
• Heuristics and activity-based detection catch at most 40% of “new” malware (optimistic)
• Rootkits, bootkits and file infectors are big problems that defy detection and are mostly not used by testing labs to report AV “success” rates
• Most malware testing is done against a published set of malware, allowing vendor “optimization” of results
• Matousec testing is the most comprehensive
MATOUSEC TEST RESULTS
A BETTER AV ALTERNATIVE
• Almost all malware depends on memory corruption (usually as a result of a buffer overflow that allows the malware to load and execute)
• eEye Blink Personal is an excellent alternative since it protects against memory corruption attacks generically (no need for a scanner or heuristics)
• Blink includes three AV scanners to detect malware you unintentionally install
• If you have been paying attention, you realize that even if you are 100% diligent, you are still highly at risk!
• This is why Project Aurora and other targeted attacks are successful, in spite of traditional protection measures.
• You need a way for your computer to magically return itself to a pristine state every time you turn it on, ridding itself of any malware it may have contracted.
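To make the memory-corruption point concrete, here is an added example (my own, not from the presentation, eEye or Blink): a constructed C record loader that copies a field from an untrusted document into a fixed-size stack buffer, with the unbounded copy that produces a buffer overflow shown next to a bounds-checked version that rejects oversized input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not from the presentation or from eEye: a loader
 * that copies a "name" field from an untrusted document into a fixed
 * 16-byte stack buffer. */
#define NAME_MAX 16

/* Unsafe form: strcpy() copies until it finds a NUL, so a field longer
 * than NAME_MAX-1 bytes writes past the end of 'name' and corrupts
 * adjacent memory. Shown for contrast only; never feed it untrusted input. */
int load_name_unsafe(const char *field, char *name) {
    strcpy(name, field);
    return 0;
}

/* Hardened form: reject any field that does not fit, copy only what fits,
 * and always leave a NUL terminator. Returns 0 on success, -1 if rejected. */
int load_name_safe(const char *field, char *name, size_t name_size) {
    size_t len = strlen(field);
    if (name_size == 0 || len >= name_size) {
        if (name_size > 0)
            name[0] = '\0';             /* well-defined, empty result */
        return -1;
    }
    memcpy(name, field, len + 1);       /* copies the terminator too */
    return 0;
}

int main(void) {
    char name[NAME_MAX];
    /* Constructed inputs: a normal field and a 40-byte oversized one. */
    const char *normal = "Bob Cook";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int rc;

    rc = load_name_safe(normal, name, sizeof name);
    printf("normal field:    rc=%d name=\"%s\"\n", rc, name);

    rc = load_name_safe(oversized, name, sizeof name);
    printf("oversized field: rc=%d name=\"%s\"\n", rc, name);

    /* load_name_unsafe(oversized, name) would overflow 'name' here;
     * generic memory-corruption protection exists to stop exactly that. */
    return 0;
}
```

The hardened loader treats an oversized field as an error instead of trusting it to fit, which is the check a scanner-free defense like the one described above relies on the program itself to make.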
VIRTUALIZATION
• A program that allows you to run your browser and any other applications you choose in a “sandbox”, completely separate from your “host” computer.
• Empty the sandbox, and everything you did disappears, including all traces of malware you may have contracted - and nothing ever touched your host computer. It’s like getting a new clean computer every day!
SANDBOXIE: EASY VIRTUALIZATION
• Sandboxie will allow you to easily run your browser, email program, and any other programs you choose in a sandbox.
• Anything that happens in the sandbox does not affect your computer.
• Empty the sandbox, and everything disappears. Works with all versions of Windows.
LEARN HOW TO USE SANDBOXIE
• Updates and downloads must be done outside of the sandbox
• Consider using web-based email and bookmarks
• Malware not caught by your AV suite will run in the sandbox until you empty it
• Emptying the browser sandbox each time before you visit a confidential site eliminates anything bad that got by your AV software
DISK IMAGING
• Just in case bad things happen...
• Create a disk image of your OS and a rescue CD
• Completely restore your HD, apps and OS in 15 minutes
  - crashed HD, corrupted registry, etc.
  - malware that snuck by
  - use to repair 95% of your computer problems, avoid frustration and service charges
• Easeus Disk Copy, Acronis TrueImage, DriveImageXML, Comodo Time Machine
PROTECTING YOUR PRIVACY
• Your privacy / identity is at risk:
  1. Information others have about you
  2. Personal records you lose / theft
  3. Your computer usage
• Sandboxing and your AV/AS will not completely protect your privacy
INFO OTHERS HAVE
• Over 350MM data records lost by businesses since 2005 (Source: privacyrights.org)
• Your doctor, dentist, insurance company, gov’t agency all have enough info for someone to steal your identity
• You are at risk even if you never use a computer
• It is up to you to protect your identity / credit
IDENTITY THEFT DEFENSE
• Best defense is to freeze your credit at all three national credit reporting agencies (Equifax, TransUnion, Experian)
• Each state regulates terms and cost
• Cost usually $10 or less for each freeze/thaw
• If you need credit, initiate thaw at only the reporting agency your creditor will
OTHER THREATS
• Debit Cards - burden of proof is on you
• Cell Phone
  - Wipe data before disposal (www.recellular.com)
  - Turn off Bluetooth when not using it
  - Lock access with a passcode
  - Smartphone apps may be malware
  - Turn off location services unless needed
• Be careful what you post, it will be cached
• Social networking sites are a haven for malware and social engineering attacks
• Don’t broadcast that you are not home
• Don’t use real password hint answers
• Don’t use real personal info
• Many cordless phones are easily eavesdropped, as are VOIP calls
• Even your car spies on you - its computer tracks your speed, braking, steering, etc.
PROTECTING YOUR COMPUTER PRIVACY
COOKIES & PRIVACY
• HTML cookies are mostly safe. Used to identify you as you browse a website. Easily deleted by your browser.
• “Zombie” cookies (aka Browser Helper Objects) are another matter.
  - May be persistent
  - Can’t delete via browser
  - Can turn on your microphone or webcam
ZOMBIE COOKIES
• Manage at: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
MANY WAYS TO STEAL YOUR PERSONAL INFO ONLINE
• Phishing
• Clickjacking
• Keyloggers
• Hijacking
• TabPhishing
• “Social Engineering”, and the list goes on
BEST DEFENSES
• Don’t visit porn or other questionable sites (Web of Trust browser add-on or OpenDNS client)
• Use a password manager (LastPass) and let it choose secure passwords
• Financial websites:
  - Use two-factor authentication (token, SMS, call, etc.)
  - Empty your sandbox and close your browser
  - Use a Site-Specific Browser
• There may be LOTS of info on your computer’s hard drive. Nuke the HD or destroy it if you are disposing of an old computer. Remove all confidential data from the HD if taking it in for service.
• Keep confidential info on an external drive that is not connected to your computer unless you need it.
• Encrypt confidential information on your hard drive and on your external or flash drive using a program such as TrueCrypt
• Crossing the border? Homeland Security gives them the right to seize any electronic equipment
CREDIT CARD USE ON THE WEB
• OK to use at major sites
• Make sure SSL is enabled (https)
• For best security, check with your credit card vendor for a one-time-use option
• PayPal - pay via your credit card, not your bank account
• Use PayPal for unfamiliar sites, NOT a credit card (they may steal your number)
WIFI AT HOME:
• Use WPA2 encryption
• Change router default login and password
• Don’t allow others to connect to your network (LAN or WIFI) unless you provide them with a separate router
• Or, get a router that allows separate Guest Access that completely isolates the guest
• Or, just turn off all your computers until the guest is done and disconnected
PUBLIC WIFI / LAN
• Simple software allows anyone to capture your session on unencrypted/shared-key WIFI
• Email login and password may be sent “in the clear”
• YahooMail (and others) has secure login, but messages are not encrypted
• General web browsing is done “in the clear”
• Best defense - use HotSpot Shield (free service - www.hotspotshield.com)
• Always use a software firewall
• Ensure file sharing is disabled
• Turn off WiFi and Bluetooth when not using them
ADDITIONAL HINTS
• Inventory possessions for insurance (include pictures, receipts, serial numbers, model numbers, date purchased, etc.)
• Keep an updated list of all important info (credit card numbers and contact info, medical/prescription info, banking, insurance, vehicle license/serial numbers, insurance info, etc.) KEEP ONE COPY OFFSITE, ENCRYPTED
• Don’t carry your checkbook with you