Saturday, May 26, 2007
Norton Anti-Virus Dumped!! How secure is your data and identity really?
Against all the tech-rag conventional wisdom, and my own good sense, I finally grew tired of my computer crawling after startup for 20-30 minutes, due to the ridiculous scanning shenanigans and update activities of Norton Internet Security. I first disabled it for a couple of days to see what would happen, and when hackers didn't drop on my computer like hawks waiting to strike a wounded rabbit, I...(oh dear!), completely un-installed the bloated thing. I could not believe the difference in performance...Read on for the full report of some ways to get back your CPU, and not leave yourself totally wide open to attack. This is the first in a series on home security for the non-guru type...
Internet security is a much misunderstood animal. Most folks don't realize that the team of cutting-edge hackers working out of China (or some other shady underground government bunker) whose job it is to break into every computer in the world and turn it to a zombie probably can't even see your computer on the Internet (even if they wanted to, which they probably don't). Unless you do something stupid like visit a virus-infested porn site, or open a malware attachment in an e-mail, you are probably safer than you imagine. In fact, I submit that you could purchase and bring home "almost" any new computer running XP or Vista, turn it on, and run it with minimal risk of infection. It would "probably" go completely unmolested for quite a long period of time, believe it or not (remember I said "probably" and "almost")... Mainly if you didn't use it, that is. It's true... Once you plug a computer into a network that is in any form connected to the Internet, you run the risk of a computer break-in or attack, but here's some information the big security vendors won't tell you. It's not quite that bad. Most major ISPs today employ some basic security for you (else they risk getting hacked, and losing mucho business). Your ISP probably has a strong NAT/Firewall device--Network Address Translation...basically hides your computer's real IP address and is usually coupled with a proxy and firewall. They have this in place to protect you and your neighbors from the bad guys out there on the Internet. That's not to say you are safe, mind you. Oh no, there is a real threat, but it comes mostly from your own Internet habits--the sites you visit, and the things you download and install. Or maybe even the habits of your neighbors...You never know when that teenage geeky kid down the street might start poking around inside your ISP's local network or even try to bust into your wireless hub. Running a fancy security product is only one piece of this puzzle.
Last year I got a new-old computer in an on-line contest. It was an old Sun Ultra-10 workstation. Old, but refurbished and running great. Being a UNIX bigot (and a Windows bigot as well...there are certain aspects of each platform that I love), I had to install it on my network and get it running, just to play with it. Many people may not realize you can download the Sun Solaris operating system free and install it. So I grabbed Solaris 10, and installed the basic workstation build on my Sun box, and had it up and running on my home network and even chatting, browsing, and e-mailing on the Internet in no time. So I got to thinking about security for it. It's not like you can go get Zone Alarm and install it on a Sun box. Like Windows XP, Solaris can run a module which does basic packet filtering (which is what a firewall does). This means the firewall process on your computer checks each incoming and outgoing network data packet against a set of rules you define. If the packet passes all your rules, it gets to go through, and if it doesn't, it gets dropped. The Solaris firewall module I used is called ipfilter, and is a little harder to properly configure than Windows, because it has a cryptic sort of shorthand config file that defines each rule (which you have to learn of course, and have to know some UNIX as well). It was a cool experience, because I had to learn basic firewalling techniques in order to do it correctly, along with ways to test my network security posture.
What I found is that the Windows firewall is not too shabby in it's own right, if you understand it's limitations. It only filters inbound traffic, so if you bring a trojan or a worm into your environment (by accidently clicking on something you shouldn't), Window's firewall won't stop it from running amok on your network. If the virus is sophisticated enough, it might even get around your other machine's defenses as well, and take down your whole network (this is usually what worms do, once they get in, they replicate across open ports between machines). Firewalls have to have some ports open or else your machines would hardly function at all. Trojans and Worms exploit this weakness.
So, we have the begining picture of the sum of your true home security posture. You buy a new computer, wireless router, and cable modem from your ISP, and set it all up. Out of the box, here are the strong security points in this configuration:
1. Your ISP is protecting your little home network enclave behind it's firewall.
2. Your Wireless Access point or router probably has some form of encryption and basic security/filtering (which many during setup will prompt you to turn on, or turn on for you).
3. Your Windows computer has a firewall turned on by default (both Vista and XP).
This is what is called, in security guru terms, a defense in-depth. Basically, without you doing any major re-configuration, reading a stack of network security manuals, or adding any additional software/hardware at all, you have 3 levels of protection between you and the bad packets that want to fry your hard drive (you probably want to check with your ISP to ensure they use a decent firewall before making this assumption, though). Sounds pretty safe, huh? There are still holes, count on it:
1. Your ISP can block problem ports and nasty public address ranges or sites known for malicious behavior, but they can't block everything. You can still visit a hacked web-site and bring a malicious software download right through their defenses.
2. Your router may not have all security features turned on, like MAC filtering for instance, which is a good step to take. This helps ensure only you and your family can get local access to your network (in addition to using the built-in encryption most WAPs provide)
3. Windows may have a firewall and even some basic form of memory protection against virus-like behavior, but it also has open holes in it's various applications, which a nasty bit of data can still easily exploit, allowing a virus to climb to the top of the application stack, elevate it's priviledges, hide itself from the OS (which is what a rootkit does), and possibly take over your computer or send your personal information to baddies on the Internet. Again, the most common vector is usually something brought in by a download, an e-mail, or a friend's memory stick. Last year, Sony was putting virus-like rootkit software on their own CD's which was infecting people's computers, and then hiding the malware from the operating system, which means you couldn't detect it running.
To make things worse, Windows has a bunch of stuff configured out of the box that are significant security risks. It shares out drives that you didn't know were shared (drive letters C$ or E$, etc. are typically shared out as Administrative shares, for instance), and has built-in accounts like the Guest account which would be known to a potential hacker. Programs or services typical to mere user-level accounts require elevated priviledges to run properly on Windows, so that when a virus can attack, it takes the higher-level access of the system account, with the ability to do more damage or take total control of the system. Admittedly, Vista is better in this regard than XP, but make no mistake, the hackers will find more. So what can a security program or suite of programs on your computer do for you?
I'd be stupid to say that you aren't better protected with an additional security program than without one, but only relatively so. Most security suites add a more robust firewall to replace the Windows one (inbound and outbound filtering). They are designed by professionals to be as turn-key as possible for the average user, while offering better protection and monitoring tools (adding another layer in your defenses). They also scan/monitor your computer files, processes, and registry for virus-like behavior in order to stop malicious intrusions cold. They are indeed your last line of defense in this regard. The weakness of these tools lie in their reliance on signature or config file updates--that they are mostly reactive in nature. The things they are scanning for may have already mutated into a different variant (meaning some hacker tweaked the virus to remain undetected, or simply found a new hole to exploit). If the new virus hits your system before the virus scanner can get updates, it may very well escape detection. Anti-virus, Anti-Spam, Anti-Adware, etc. all work on really the same basic principal as a firewall, just at a higher level. It's important to note that they are signature based, which means they react to a known pattern of behavior that is known to match virus and malware types in the wild at a point in time. Like your OS and applications, they need to be updated constantly to be effective.
So, you might be asking yourself at this point, why then Nate did you completely remove your Norton Internet Security program? More protection is always better, right? Maybe, but that depends on the network and the computer. It's a matter of acceptable level of risk (and performance) when it comes to implementing security. Any security pro will tell you that. My Windows home computer is almost 5 years old and slow compared to today's machines (although it screams for what I need it for). It has some music, movies and family pictures on it, for which I have backups, and I never use it for important scary stuff, like on-line banking. My work laptop, which is newer (and faster), and loaded with important proprietary corporate data has a Firewall, Ad-ware scanner, the works (Norton actually), and an encrypted hard drive in case I ever lose the whole thing. So in short, I felt the performance hit I was suffering at home by running an additional firewall, and all the other Norton startup activities, etc. was worth the risk of downgrading the security there a bit. Here's what I do to mitigate this lower security posture:
1. I always install patches for Windows and it's applications as soon as they are available. I have Windows update set to automatically download updates (but let me choose which to install).
2. I still run a virus scanner, but a more lightweight one. I am now using the AVG free version. It seems to work reasonably well (though I know it's not as reliable as NAV), but it has made my home computer usable again from a performance standpoint.
3. I periodically monitor my router activity (most home access points/routers have some logging function in the setup web-pages used to configure them), or just note the level of activity on my WAP. If you develop a feel for how much and where most of your traffic is going, it's often easy to spot something unusual.
4. I make sure I have Windows firewall enabled and I monitor it. There is an option to log the activity on your firewall, and I suggest using it. Every system administrator who has had front-facing servers on the Internet knows how important it is to monitor them. This is equally true at home.
5. Most important...I never download stuff and just open it. I manually scan it first. I also never open attachments in e-mails from untrusted sources, or that I don't expect to receive.
6. I am a responsible web-browser. If I think a site is doing something sketchy, like re-directing me for no good reason or attempting to run script when it shouldn't need to, I kill the browser session. Simple as that. I go mostly where I know it's safe to go on the web. My browser is set to alert me of scripts attempting to run. Most are harmless, and if I have high-confidence in the site I'm visiting, I'll allow the script to run, if not...it doesn't run. I use Spybot S&D to scan for spyware and adware on a regular basis and keep it updated, and flush all my caches on a regular basis.
7. I turn off my gear at night when I go to bed.
In the final analysis, I'm not as secure as I was with Norton, but then I also feel I am secure enough for the purpose of using my home computer. My computer runs remarkably faster now and as long as I continue to be vigilant, the chances are low that I will have a major security incident. There is still a risk that I could get slammed even before I finish this post, but it's a risk I'm willing to accept. Norton and many security suites on the market are great, and if you want more peace of mind and can accept the performance hit, I recommend them, but remember this...Even the best scanner/filter is not 100% full-proof against attack. Your best possible chance of avoiding infection or worse (stolen credentials, identity information, etc.) is to have a multi-faceted approach to securing your system. You have to monitor your system, and know what it's normal behavior looks like. Stay away from the Internet back-alleys, and teach your family to do the same. Just basic common sense really, and you might find you can dump some security software bloat, too.
...Stayed tuned and next time, we can delve a little deeper into monitoring techniques for your home systems, and investigate some basic XP lockdowns.
Posted by Natestera