Is complete home security possible?

We take our systems down annually for cleaning. The dust bunnies may not like getting evicted, but the systems run cooler without them.

Thing is, you are also not installing the patches either, and that means you had to work quite hard de-activating all of the "features" in order to prevent problems. I'm sure you've seen the joke that says

    Windows has detected that you have moved the mouse. Reboot for this change to take effect. [ OK ]

Many people recommend installing all applicable patches/updates as soon as they are made available (I happen to be one of this group), while others say to wait $PERIOD to see if the patch/update is safe, and still others don't install them because it often breaks other stuff.

You recommend up-thread configuring 'Windows Updates' to install at 3AM every day, and "Arthur Hagen" responded to recommend Tuesday afternoon PST, due to Microsoft only releasing security patches on Tuesday mornings. WTF? Do the people who 'sign off' the patches only work Mondays?

You'd think that the admins at Microsoft would know how to do that. Why then did the "Slammer" (aka Sapphire) worm go through the servers _AT_ Microsoft last year like a dose of salts - the administrators at Microsoft didn't want to update because the patch that was available 5-6 months earlier broke too many things. Hit groups.google.com if you don't believe that.

I'm not saying that non-Microsoft O/S are perfect, nor am I suggesting that they might be for everyone. If you've been following the *nix news groups for any length of time, you may have noticed the lowering standard of users' questions - especially since KDE and Gnome have become popular desktops in the various families of *nix. But even with the explosion of features (most of which I can somehow manage to live without), there aren't as many problems keeping the systems secure.

Remember, the only anti-virus applications in *nix are meant to run on mail and Samba servers to protect the windoze clients.

Old guy

Reply to
Moe Trin

Oh, I did, but I had no choice. The trojan did something to my XP Pro installation that prevented Windows from booting up after I rebooted. Left a STOP error but rebooted every single time before I could read the error! Couldn't solve the issue except by reinstalling the OS.

I deleted all the files it put in my startup sections, and I'm not worried about any traces remaining, as I don't believe there are any. Kaspersky never found any new remnants and Task Manager doesn't show any programs loaded that I do not recognize, nor does Kerio show anything calling out that I do not recognize. The reason I caught this trojan in the first place was because the hacker got greedy and used too many programs to call out at once. Had it just been one, it might not have been so easy to spot.

Reply to
Joe Samangitak

Yeah right. Great advice. Why don't I just forget about using a computer, and the next time I want to check out the net, I'll just stand behind someone at the library. It's always the bleeding obvious that eludes you, isn't it?

Reply to
Joe Samangitak

What kind of drugs are you on, exactly? At what point did I ever say I was using Internet Explorer with Install On Demand? Stop pulling stuff out of your arse, will ya. I use FireFox, which doesn't even know what an ActiveX is.

And I'm well aware that ANY browser can download backdoor trojans, by simply visiting a malicious web site. That's why I have an anti-virus program.

Reply to
Joe Samangitak

Listen, I've been working with personal computers for over 20 years. I think I take a FAR GREATER interest in what is actually in my Windows computer than most Windows users, and have been doing so since before Windows was invented. The fact that I'm posting here should give you an indication of that. And I don't think you are in a position to say what I have or haven't done to secure my system, on the basis of my having said I spotted the trojans via the task manager. There are too many "quick-fix pro's" here in this thread, and not enough real experts, who can intelligently analyze a situation.

Furthermore, I do not use "bloatware" security software written on the command of "well funded marketing departments". If you know anything about firewalls, you would have known that the Kerio 2.1 I mentioned using is anything but bloated, and it's also free. Can't be a good marketing dept. that sells the software for nothing, can it? I've tried a number of consumer firewall software on the market, and I happen to think it's as good as any.

As for a FW router, well as mentioned, I have no need for a router, since I'm not networking any PCs. If I'm supposed to buy a FW router just for the FW part, then before spending hard cash on this, I'd want to know exactly how this thing would have protected me against the trojan where the software firewall failed. From the differing opinions here, I'm not convinced the hardware FW is any magic bullet either. I'm sure they carry their own set of problems and caveats.

Generally speaking, people do not "choose" to download trojans. It's usually done unknowingly.

Contrary to what someone else here said, I did not "click" willy nilly on some unknown program and give birth to the mutated trojans. I know what's on my system, so I know what I'm clicking on. At best, I may have opened up a ZIP that opened a trojan in a temp directory. The way this thing was able to work was because it wrote some code in the startup areas of the registry, and the next time I booted, Windows ran the trojans, which used TFTP to call out through various ports.

Unlike everyone else here, I am not ready to conclude that the trojan malware disabled my firewall and virus program. It's not impossible for this to happen by other means, and if this is the case, then it isn't any wonder the trojan wasn't caught by my AV and FW programs, since I never bothered to reinstate them until a few days after I noticed they were absent.

SOLUTIONS: Simply put, this situation could have been avoided WITHOUT the use of a router, or migrating to Linux, or any other nonsense like that. It would simply mean having a bulletproof, fool-proof method of ensuring that software that is supposed to stay resident, stays resident. If it isn't, you could have backup software that is (or nearly) impossible for a trojan to disable, warn you that the security software has been disabled. Oh wait a second... doesn't SP2 do just that? Guess I can't take credit for that idea. Funny, no one asked me if I was running SP2... well, I'm not. Didn't care for the overhead. Didn't think I needed Windows telling me my AV and FW programs are or aren't running, since I can very well see that from the system tray.

Question is, SP2's security center runs at boot time, so is it possible for a trojan to disable SP2, as well as your AV and FW programs, and if so, how? If not, there's your solution. Provided you have a good AV and FW program, if SP2's security center will keep it up, you have reasonable protection against the type of malware that took over my system recently.

Reply to
Joe Samangitak

In some cases, you get the malware from unexpected sources. Just today, I suddenly saw a window pop up on the screen telling me that "ViewPoint Media Player" had been updated, but to take full advantage of this, I would have to upgrade my Browser. Checking out what the hell was going on, it turned out that Adobe Acrobat installed "Adobe Atmosphere", which in turn silently installed ViewPoint Media Player, which wanted to add a toolbar to IE (the ad toolbar was the "browser upgrade"). The EULA that this Viewpoint Media Player displayed said that I either had agreed to this behaviour before, or that it came bundled with other software. There were no services, no scheduled tasks or anything else -- I had read some Acrobat text documents earlier in the day, and Acrobat stays resident after you quit it (without telling you), trickling down the malware. Since I explicitly set Adobe Acrobat to *never* auto-update, I didn't like this one bit.

Now this is BAD KARMA, Adobe. Enough so that I've uninstalled Acrobat Reader and Distiller, and from now on will use 3rd party utilities to read PDF files with, and other formats for created documents.

Regards,

Reply to
Arthur Hagen

On Sat, 5 Feb 2005 23:02:46 -0800, Charles Newman spoketh

That's bull. Even in the old days of Windows 95, that wasn't even close to the truth. Stick to accounting, buddy. Hopefully, you're better at it.

Lars M. Hansen


Reply to
Lars M. Hansen

On Sun, 06 Feb 2005 12:15:16 -0600, Moe Trin spoketh

So? Even if I have to spend 2 minutes to reboot my Windows box twice a month, that doesn't really make any big difference in the big picture. What's the hangup on the uptime anyway? Is that really the only thing that Linux has on Windows? A nice counter saying how long the system has been up without a reboot?

Lars M. Hansen


Reply to
Lars M. Hansen

I didn't have to work quite hard, but I did and do have enough experience to properly configure a stable platform and system running Windows NT 4, 2000, and now 2003. [snip joke]

I actually recommend that PEOPLE, meaning home users and small shops, install updates when they come out - as most of those places don't have an IT staff and don't have a clue about what they are installing anyway.

For our group, where we manage workstations and servers and our own systems, I still do Windows XP Updates nightly, but the servers, since they are managed and BEHIND a firewall, we test and then update as needed.

I've been all over the country and from what I've seen of development shops I'm not surprised it hit MS or anyone else. There are still shops that have their SQL servers attached directly to the Internet without any firewall or other protection, same for other servers. I have not found any valid business case to expose a server directly to the Internet, and I bet I won't.

When Slammer hit, we had about 30 MS SQL Servers online, in addition to 30+ IIS 5 Web Servers and Exchange..... Nothing was compromised, but that's because we isolate our services from the public and if a partner needs access to the SQL ports then they have to VPN to them. If our servers had been compromised it would have been localized as the firewall would not have permitted the outbound attacks.

I'm not disagreeing with you, I'm typing this on a FC3 Box that I've been using for almost a week now (not had to use my XP Box in my office except for the Firewall management interface - my laptop is another story, use it all day long)....

I wish that MS did more to secure the OS, but, based on what I've seen, it would break a LOT of apps and they are not ready to deal with that issue.

What we need to do is stop the marketing hype that allows vendors to market NAT devices as Firewalls and just call them routers, owning up to their mistake.

It would also be nice to see ISPs provide NAT at the Cable/DSL router as the default mode of operation.

There are many ways to secure a Windows PC, but people have to want to learn before it will make any difference - the ignorant will always complain.

Reply to
Leythos

I don't think you want any advice, no matter who gives it, expert or otherwise.

Jason

Reply to
Jason Edwards

Joe, here's the deal, if you got a virus, trojan, worm, etc... it was due to some error on your part. Security has many layers and in your 20 years of experience you've just not figured them all out. I'm not saying you're not computer savvy, I'm saying that by your own admission you are not security savvy.

Let me restate something I've already posted that you should learn from:

If you have a high-speed connection then we're talking cable/dsl and that means you can install a simple NAT Router as the first barrier. With NAT you are going to be blocking all inbound that you didn't invite and it works no matter how you screw with the computer.

There are several steps, and here's what I've found that makes most home users' computers secure - if it worked for my mother-in-law it can work for you:

1) Install a router that provides NAT - change the default network address.
2) Setup the password on the router for something with 12+ characters, letters, numbers, upper/lower case.
3) Block outbound destination ports 135,136,137,138,139,445,1433,1434 (these are destination port blocks, not local port blocks).
4) Install a quality antivirus program - one that gets frequent updates and ranks in the top 3 by most corporate users. Norton AV and Symantec AV are my personal choices, but not the suites, just the AV software.
5) Setup Windows Updates to install at 3AM every day.
6) Download and install FireFox and ThunderBird - free browser and email clients.
7) Set Program Access defaults to use FireFox and ThunderBird as the primary, allow IE to be accessed.
8) Follow MS's suggestions on securing IE and do it - it's a pain to use in high security mode, but it works. Do this even if you stop using it.
9) Create a "User" type account and use it instead of an "Administrator" level account - only use Administrator to install software or to run programs that won't run as User - do not play with email/web when as Administrator.
10) Monitor the in/outbound logs from your NAT router - this will tell you what's going on with the public network connection. If you get a Linksys router you can download WallWatcher for free and it's very clear as to what's happening with your Internet connection.
11) If your machine is compromised, get a router with NAT, get behind it, and then wipe/reinstall your system - while you'll get people telling you that you don't have to go to that extreme, do you know of any way YOU can be sure that you have a clean machine? I've never signed a document saying a compromised system was clean unless I wipe/reinstall it, and I won't either.
12) Don't open email with attachments from ANYONE, even people you know, unless you asked them to send you the email with the attachment - just because you know the sender does not mean it's really being sent by the person you think you know.
13) And the number one thing, after all the above, do not install Peer-2-Peer file sharing/swapping programs or other sharing programs from any source - almost every one of them includes spyware or other malicious code that you don't want on your machine.
14) Do not visit web sites of questionable nature unless you've done all of the above.

If you follow the above then you will have to TRY to become compromised, and it will surely be your fault if you are.

Reply to
Leythos
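As an added example (not code from any poster in this thread) of steps 3 and 10 in Leythos's list: a small Python script that reads NAT-router log lines and reports which LAN hosts tried to reach the outbound destination ports he lists, and whether any such connection was accepted, which would mean the block rule is missing or wrong. The log line format is a constructed, simplified one, not any particular router's real format.

```python
"""Check NAT-router logs for outbound traffic to ports that should be blocked."""
import re

# Destination ports Leythos says to block outbound at the router (step 3).
BLOCKED_OUTBOUND_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}

# Constructed, simplified router log format (assumption, not a real router's).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<dir>IN|OUT) "
    r"action=(?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>TCP|UDP) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample log (not real output). 192.168.1.0/24 is the LAN side.
SAMPLE_LOG = """\
Feb 07 03:01:12 router OUT action=ACCEPT src=192.168.1.20 dst=203.0.113.5 proto=TCP spt=1052 dpt=80
Feb 07 03:01:15 router OUT action=DROP src=192.168.1.20 dst=203.0.113.9 proto=TCP spt=1053 dpt=445
Feb 07 03:01:16 router OUT action=DROP src=192.168.1.20 dst=198.51.100.7 proto=UDP spt=1054 dpt=1434
Feb 07 03:02:40 router IN action=DROP src=198.51.100.3 dst=192.168.1.20 proto=TCP spt=4444 dpt=135
Feb 07 03:05:01 router OUT action=ACCEPT src=192.168.1.21 dst=203.0.113.5 proto=TCP spt=1100 dpt=443
Feb 07 03:05:02 router OUT action=ACCEPT src=192.168.1.21 dst=203.0.113.44 proto=TCP spt=1101 dpt=139
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_outbound_hits(log_text, blocked=BLOCKED_OUTBOUND_PORTS):
    """Outbound records whose *destination* port is in the blocked set.

    Only OUT lines are considered: the block is on destination ports of
    traffic leaving the LAN, not on local ports (as step 3 says).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dir"] == "OUT" and rec["dpt"] in blocked:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per LAN host: blocked ports it tried, and which ones were let through.

    A port in 'leaked' means the router ACCEPTed outbound traffic to a port
    that should be blocked, i.e. the rule from step 3 is not in effect.
    Any entry at all is worth a look: a home PC has no reason to call out
    to these ports, so DROPs point at something on that host to investigate.
    """
    report = {}
    for rec in hits:
        entry = report.setdefault(rec["src"], {"ports": set(), "leaked": set()})
        entry["ports"].add(rec["dpt"])
        if rec["action"] == "ACCEPT":
            entry["leaked"].add(rec["dpt"])
    return report


if __name__ == "__main__":
    for host, info in sorted(summarize(find_outbound_hits(SAMPLE_LOG)).items()):
        status = "RULE GAP" if info["leaked"] else "blocked ok"
        print(f"{host}: tried {sorted(info['ports'])} -> {status} {sorted(info['leaked'])}")
```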

At best all he did was unzip a file that magically started itself? But he knows what he's clicking on...

He's either trolling or clueless.

Reply to
CyberDroog

On Sun, 06 Feb 2005 17:48:20 GMT, Robin T Cox spoketh

Bullshit. There is no need to switch from Windows to anything else in order to have a safe and secure computer on the internet.

Lars M. Hansen


Reply to
Lars M. Hansen

On 7 Feb 2005 22:09:00 -0800, Joe Samangitak spoketh

Here's a quick list of goodies to protect yourself:

1) Don't use Internet Explorer. If you have to, then set the security to High for the internet zone.
2) Since you have broadband, consider getting a NAT router. It's not a perfect solution, but it really does keep most of the crap out.
3) Use a reputable anti-virus solution.
4) Don't download and install every program from every website you find.
5) Disable services on your computer that you don't need. This includes the Server service, Messenger service and also DCOM. That's just the short list.

That, along with a little common sense should keep you safe.

(I realize that you may have some of these already, I just included everything to make the list more complete).

I have followed these simple rules for a long time, and I've never had a problem. No pop-ups, no spyware, no adware, no viruses.

Lars M. Hansen


Reply to
Lars M. Hansen

I don't know much about this subject, but I will use this opportunity to ask this: What is the possibility of the 'mouseover' option being used to install unwanted files?

I found that in my old Netscape 4.08, with scripting disabled, it seems that Shockwave could do that.

Thanks. Geo

Reply to
"GEO" Me

Yeah, that's apparently the timer that shut down the air traffic control system (LA Center) last September. But why did Microsoft feel that 32 bits need only last 49.7 days?

Oh, you mean the concept of 'reboot and see if that fixes the problem'? While my users could always power cycle their system (they'd be in deep weeds if they did), we rather prefer to see what went wrong, and correct the cause. Rebooting merely hides the clues, and does nothing to prevent the problem from re-occurring.

Old guy

Reply to
Moe Trin

Didn't notice you posting this - but from a computer literate standpoint I have to ask "what the heck does a game need administrator privileges for"? For that matter, why does ANY user application need such privileges?

And why might that need to be done as administrator?

A heritage of applications being for a single user system. User configuration tweaks should be part of the user's setup, not the system.

It prevents mommy from seeing that you've been visiting a pr0n site - and other casual inspection of the disk. If it were so great, why is it not being used by the military or even military contractors (as one example)? We're not even doing government work here, but the disks on systems used in the development area get physically destroyed rather than reused. The same for backup media. They're also on an isolated network (not just firewalled - _isolated_ from the rest of the facility).

So, you are saying that they don't care what you do as long as the evidence that you used their stuff is destroyed? What school was this?

I've seen that type of application used quite often at schools. Rarely have they been worrying about piracy - it's about the viruses that get installed by the students, and about restoring the defaults for applications (if the admin is stupid enough to allow applications to be reconfigured by users).

Did it also wipe the router/firewall logs?

Old guy

Reply to
Moe Trin

Oh, wonderful. Well, that's why we audit updates before installing them.

I can agree with that. Most people never read the documentation - NEVER MIND the EULA, first off because it's usually too complex, and is intentionally written to be hard to get around if you don't fully agree with every nit.

I normally use Ghostscript for that - I don't know if it's available for windoze.

    [compton ~]$ whatis gs gv
    gs (1)  - Ghostscript (PostScript and PDF language interpreter and previewer)
    gv (1x) - a PostScript and PDF previewer
    [compton ~]$

Old guy

Reply to
Moe Trin

The local radio computer show was commenting about XP SP2 when it came out recommending people be cautious about applying it. I thought that funny because they actually operate a chain of computer service centers, and stand to make money when the user applies a patch and the system goes pear shaped.

The advantage of rpms is that you can get the binaries and the SRPMs. If you install the latter, you'll find not only the basic tarball, but all of the patches and the rpm spec file (which controls how the binary is built). We ALWAYS audit the SRPM and build our own binaries to avoid surprises. We put the binaries on an update server, and a cron job on all the systems will grab it and install overnight. Debian packages can be handled the same way.

Development systems that are isolated (or at least well firewalled) are one thing - but this was their production and distribution areas.

Servers are a broad term. Web, mail, DNS, even anonymous FTP have to be visible. The file server keeping your payroll records, secret marketing plans, etc., are not to be public. And yes, I've seen that foolishness too.

Correct me if I'm wrong (I really don't follow windoze stuff except for the stuff on Bugtraq and the security groups), but a major part of the problem was that most people didn't realize they had this stuff running at all. This comes from the 'just work dammit' mode, and the 'here is a nifty feature someone might need'. Early Linux distributions had this problem too - for example, RH was installing a wide open sendmail up until about RH4.2 when they disabled relaying by default, and RH7.1 when they made the default configuration to only listen to localhost:25.

I doubt they can. Most users don't want to spend any time learning anything about computers, and expect things to just work. Do you remember the size of the manuals that came with the IBM PC (even the PC-XT and AT)? As I recall, there were two 6 x 9 x 2 inch maroon binders, plus the gray ones for DOS, and the crap colored one for Basic. Then most people went out and bought a book or two like the Norton books (that was before IDG and their yellow "for Dummies" line). My wife was working in an accounting office, and she had two or three books on each application she was using (Lotus 123, dBASE, and some now long gone word processor). Heck, today, most people are pushing their skill limits just figuring out where the power switch is. Expecting them to do something complicated like setting the clock is pushing it.

A few do - IP addresses are expensive. But yeah, most ISPs don't want to get into the firewall business out of liability concerns, and the added work and hardware it would entail.

Another problem is that Microsoft is aimed at people who don't want to know. Installing all the extra "features" because someone _might_ need them might be OK if they were disabled by default, but that would mean forcing the user to learn something to enable the service (and that is not going to happen), never mind how to use it safely. You see the same problem in the Linux installations, where you are usually given the choice of a base install, a workstation, server (whatever that might mean) and "the works". Care to guess how many elect to install everything?

Old guy.

Reply to
Moe Trin

One might ask why is it needed? The usual reason I see given is to fix software problems, which include memory leaks, and changes in one area that unexpectedly affect something completely different.

s/Linux/\*nix/

It's been a feature of Unix since the 1980s at least.

Actually, it is more useful as a security check. The command actually started as an auditing tool, just like the login message telling you when and where the last time you logged in from.

Old guy

Reply to
Moe Trin
