As we rely more on our computers, the potential for hackers to hurt us through them likewise has grown, threatening to expose or destroy our private data and personal records. Current hacker tools are sophisticated, automated, and more difficult to spot. In addition, broadband connections have made us more vulnerable; always-connected computers, typically with static or rarely changing IP addresses (the addresses computers on the Internet use to find you), give would-be attackers unlimited time to discover and exploit system vulnerabilities. With a few tricks and tools, however, you can secure your home or small-office computer against the average hacker searching for the low-hanging fruit.
Network Invaders
The most common type of malicious software (“malware”) is a virus, a bit of code that sneaks onto your machine, normally as an e-mail attachment or download. Traditional viruses self-replicate within a machine but need human intervention (such as sharing infected documents) to spread. Newer malware, including Trojan horses and worms, allows attacks of even greater dimensions.
Named for the Greek legend, Trojan horses, or Trojans, infiltrate your machine and wait for an opportune time to open the city gates. The Trojan listens on a designated network port (more on this below) and waits for a remote program to activate it, then takes control of the machine. Unlike viruses, Trojans don't replicate themselves.
Worms, on the other hand, do replicate, but unlike traditional viruses, worms don't need any user assistance to move from machine to machine. The danger of a worm is that it can allow a variety of attacks to propagate over the Internet. For example, a well-crafted worm can look for vulnerable machines, embed itself in them, and wait to launch a synchronized denial-of-service (DoS) attack on a set target.
By now most people are wary of e-mail attachments they didn't request. But even clicking on a link could allow ActiveX content embedded in a Web site to run programs on your PC, read your Clipboard, and even steal personal data. These days, you need to be vigilant—nearly to the point of paranoia—to stay safe.
Be Less Vulnerable
Plenty of tools are available to keep you safe and protect your privacy online. For instance, every computer should already be running antivirus (AV) software. Antivirus software will catch the majority of known threats, provided its virus definitions are properly updated. (For more on AV software, see “10th Annual Utility Guide” in our issue of June 11.) But AV tools work best against threats for which a signature already exists.
Next, you'll want to consider a firewall of some sort. Firewalls come in two flavors: software and hardware. Each has strengths and weaknesses, and neither covers all the bases to our satisfaction. We review six software firewalls and five hardware firewalls in the pages that follow. But before you erect those lines of defense, follow these simple (and free) steps.
Periodically check for downloadable patches for your operating system and software. You can do so at vendors' Web sites, and some let you sign up for bulletins. If you're running Microsoft Windows 98 or later, run Windows Update to download fixes. Microsoft Critical Update Notification, downloadable for Windows 2000 and built into Windows XP, tells you when updates are available. For other Microsoft application patches, check out Microsoft TechNet (www.microsoft.com/technet). Click on Hotfix & Bulletin Search to see which program holes need patching.
Of course, patches can remedy only the known flaws and vulnerabilities. New vulnerabilities are continually being uncovered, and hackers seek them through port scanning. (Each IP address has more than 65,000 ports through which applications can communicate.) Good firewalls can defeat such scans.
The next thing to check is configuration. Browsers have dozens of security settings that define which kinds of code can run, which sites can receive information from your cookies, and so on. Run something like Qualys's Free Browser Checkup (http://browsercheck.qualys.com) to test your settings for weaknesses and find out how to fix them.
Windows users can also try Microsoft Baseline Security Analyzer. This free download from TechNet scans your system, looking for misconfigured settings. You'll be surprised at the number of flags that go up the first time you scan yourself.
If you use instant messaging (IM), remember, don't talk to strangers. The popular free programs, like AOL Instant Messenger (AIM), expose your IP address and engage you in peer-to-peer connections when you okay file transfers. Additionally, the clients can use most ports, including port 80 (the one for Web traffic, which most firewalls leave open). Such openings offer easy entry for hackers who gain the confidence of the unsuspecting.
Software Firewalls
With Windows XP, Microsoft introduced Internet Connection Firewall (ICF), a bare-bones firewall that shuts down access to ports to prevent hackers from scanning them. But ICF won't stop outward data transmissions (of, say, your tax returns).
At heart, all firewalls are designed to close off systems to scanning and entry, which they can do simply by blocking ports. Some software firewalls also prevent information from leaving your PC by blocking nontrusted services and applications from accessing the network.
With software, you must install a firewall on every PC that needs protection, whereas hardware firewalls centrally protect all machines in a network. Because software firewalls run locally, however, they have intimate knowledge of what's happening on systems. A hardware firewall will likely allow any e-mail traffic out over port 25; a software firewall can differentiate between Microsoft Outlook and Trojans.
Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. Some firewalls now identify common applications (such as AIM, Lotus Notes, and Microsoft Office), creating appropriate rules during setup. Ideally, after a day or two of training, a firewall will protect you with only a few interruptions—as when you install applications—but that's not what we found.
Software firewalls show their weaknesses when they encounter programs for which they have no default rule. For example, when the program Lsass.exe attempts to access the Internet, Symantec's Norton Internet Security simply tells you so and asks whether you want to allow it to proceed. How would you (or your family) answer? For programs this firewall knows something about, it tells you more: In this case, it tells you that Lsass.exe is “the local security authentication server [that] generates the process that the Winlogon service uses to authenticate users.” It also tells you a bit about the machine it's talking to. Is that enough to help you configure your rule?
In most cases you can opt to have your firewall ask you each time the program tries to get online. The prompts usually get so annoying that most users end up making a rash decision with little more information than they originally had.
If you're unsure, you can deny access and see whether anything breaks. But we don't recommend this approach. You might, for example, block Windows from checking for security updates. You'll never notice the missing notifications for the updates that help plug newly discovered operating-system security holes.
The other danger is that things can get too fouled up for the average user to fix easily. Let's say you mistakenly deny Iexplore.exe access to the Internet. Goodbye, Internet Explorer! Recovering from such an error is often complicated and likely to make users reluctant to deny permission to anything. (See the sidebar “What's That File?” for advice on common files.)
Hardware Firewalls
The inexpensive router appliances that move traffic between the Internet and one or more machines on home and small-office networks have long used Network Address Translation (NAT), which some companies incorrectly refer to as a firewall. NAT simply hides the IP addresses of PCs so that all outgoing traffic seems to come from the same address, but it's possible to bypass a firewall-free NAT device.
Recently, the router manufacturers have been including true firewalls that block inappropriate inbound and outbound traffic through various techniques. IP filtering, for example, can block users behind the firewall from accessing or receiving anything from specific IP addresses. Similarly, the administrator can block traffic to or from network cards on the LAN, each with a specific MAC address (a unique identifier for each network card).
The hardware firewalls in this roundup add another layer of protection: Stateful Packet Inspection (SPI). SPI examines the content of packets (rather than just the source and destination addresses and ports) to determine whether to grant access to your network.
Hardware firewalls can also control traffic via keyword and domain filters. Administrators can block traffic to specific domains or to any domain containing certain keywords. Some firewalls let administrators create sophisticated rules, such as denying traffic based on the source, destination address, port, or protocol being used (such as ICMP, TCP, or UDP).
Confused by this alphabet soup? Therein lies the hardware firewall rub. The average user is unlikely to have a deep enough understanding of networking to know his UDP from a hole in his firewall. Some of the firewalls we tested come with reasonably good default settings, but if these aren't appropriate—for example, for multiuser games that need specific ports open—changing the settings can be challenging. Will the person playing the game even realize why it isn't working?
On the other hand, the average user will likely appreciate the “set it and forget it” nature of hardware solutions, which tend to operate quietly in the background, without generating as many queries and alerts as software firewalls. For those who have multiple computers on home networks, managing one device is easier than monitoring individual machines with a software firewall on each. Also, physical installation is trivial: Run an Ethernet cable between your cable or DSL modem and the firewall, then connect each PC on your network to the firewall through either a wired or wireless Ethernet connection. (Some routers also let you share a dial-up modem.)
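To make the port-level versus application-level distinction concrete (the Outlook-versus-Trojan case from the software-firewall section, and the source, destination, port, and protocol rules described above), here is a toy packet filter written for this article; it is not code from any product reviewed here. Program names and addresses are constructed, and the unrecognized program is a hypothetical stand-in for a Trojan.

```python
# Added example: a toy packet filter contrasting the port-level rules a router
# firewall can enforce with the application-level rules a host firewall can.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "TCP", "UDP" or "ICMP"
    src: str                   # source IP address
    dst: str                   # destination IP address
    dport: int                 # destination port
    direction: str             # "in" (from the Internet) or "out" (to it)
    app: Optional[str] = None  # sending program; only a host firewall sees this

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None means "match anything"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    app: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
                 (self.dport, p.dport), (self.direction, p.direction), (self.app, p.app))
        return all(want is None or want == got for want, got in pairs)

def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Router-style rules: they see ports and addresses but not which program sent the packet.
PORT_LEVEL = [
    Rule("allow", proto="TCP", dport=25, direction="out"),   # any outbound mail
    Rule("allow", proto="TCP", dport=80, direction="out"),   # any outbound Web traffic
]
# Host-based rules: the same ports, but tied to the program that asked for them.
APP_LEVEL = [
    Rule("allow", proto="TCP", dport=25, direction="out", app="outlook.exe"),
    Rule("allow", proto="TCP", dport=80, direction="out", app="iexplore.exe"),
]
# Constructed packets (documentation address ranges; "unknown.exe" is a hypothetical Trojan).
OUTLOOK_MAIL = Packet("TCP", "192.168.1.10", "203.0.113.5", 25, "out", "outlook.exe")
TROJAN_MAIL = Packet("TCP", "192.168.1.10", "203.0.113.5", 25, "out", "unknown.exe")
SCAN_PROBE = Packet("TCP", "198.51.100.7", "192.168.1.10", 139, "in")
```

Run against the same mail packet, the port-level rules pass both senders while the application-level rules pass only Outlook; the inbound probe hits neither rule set and is dropped by default deny.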
Which Is Right for You?
Because of their limitations, we can't enthusiastically recommend either a software or hardware firewall. Each type has its pros and cons, but to go unprotected is an appalling idea.
If you're a mobile worker, the choice is obvious: It's impractical to lug a hardware firewall around. Go with the software. If your machine is stationary, the choice is more difficult. A hardware router with an SPI firewall, typically considered only for networks, is a simple and inexpensive way to protect a PC. But a software firewall's application-level protection may be more practical protection against today's most common threats. And a few companies, including Network Associates and Symantec, bundle their firewalls with security suites that include antivirus, ad-blocking, privacy-control, and spam-removal software.
For multiple machines, a router will typically be cheaper than multiple software licenses, especially since the firewall adds very little to the cost of this nearly mandatory piece of networking equipment.
For the best security, get both. The hardware guards your network, while the software provides a second line of defense and keeps an eye on your Internet-enabled applications.
Whatever you install, keep it up to date. Also, consider running occasional port scans from outside your network to see how you're faring. One of our favorites is Gibson Research's ShieldsUP! (www.grc.com). Ideally, port scanners should be unable to detect your computer name or any services you're running. If you're using a hardware firewall, a scanner shouldn't be able to detect the existence of your internal network.
Remember that even behind a properly configured firewall, risky actions will still compromise your computer. Think before you download, and view the Internet with the proper level of suspicion. No system is foolproof, but the right combination of hardware, software, and defensive habits might just keep you out of trouble.
I. The Bad Guys
DDoS (distributed denial-of-service) Attack An electronic assault in which many compromised systems are made to flood a target with requests and overwhelm its capacity.
Malicious Web sites Pages embedded with ActiveX, Java, or JavaScript attacks that execute when those pages are loaded.
Trojan horse Malicious code that enters computers through innocuous-seeming applications or data files, then attacks the systems from within.
Virus A piece of malicious code that causes undesirable events by infecting files, system/boot records, or applications.
Worm A malicious file or piece of code that replicates itself over a network, reproducing until it has consumed system resources.
II. The Vulnerabilities
E-mail attachments E-mail must get through your firewall to be useful, so it is a favorite delivery method among attackers.
Open ports (network or TCP ports) Not securing your ports is like leaving the windows open on your house: Anyone with a ladder can enter.
Outdated software Many software updates patch security problems. The older the hole, the more attackers will know how to exploit it.
Persistent connection The longer you're online, the more time attackers have to find and compromise you.
Uninformed user One who engages in risky computing behavior, such as using infected disks or not changing default passwords.
Hardware Firewalls vs. Software Firewalls

| Hardware Firewalls | Software Firewalls |
| --- | --- |
| PROS | PROS |
| Inexpensive | Inexpensive |
| Stops most hackers when used correctly | Stops most hackers when used correctly |
| Works at the port level | Works at the application level |
| Can protect multiple PCs | Ideal for one machine with many users |
| Nonintrusive | Analyzes incoming and outgoing traffic |
| Uses a dedicated, secure platform | Convenient for travelers, mobile workers |
| Hides PCs from the outside world | Easy to update |
| Doesn't affect PC performance | |
| CONS | CONS |
| Can be complicated for beginners | Can be complicated for beginners |
| Difficult to customize | Doesn't hide a PC from the outside world |
| Ignores most outgoing traffic | Can be intrusive |
| Inconvenient for travelers | Shares OS vulnerabilities |
| Upgrades only via firmware | Affects PC performance |
| Creates a potential bandwidth bottleneck | Must be uninstalled in case of a conflict |
Safety Tips
1. Don't share. Turn off file sharing and printer sharing if you don't need them. If you must turn them on, don't share with anyone outside your network, and never allow anonymous shares.
2. Download updates. Get all the security and firmware updates for your OS, firewalls, device drivers, and software applications.
3. Use common sense when downloading files. Watch out for files whose names end in .exe, .bat, .vbs, or .com.
4. Don't open e-mail attachments from strangers. Also, be suspicious of attachments from people you do know. If an attachment seems out of character, check with the sender before opening.
5. When in doubt, deny. When setting firewall rules, if you're not sure about a file trying to access the Internet, do some research before letting it in. A search on Google can give you some idea of what the file does.
6. Know your network. If you know the IP address ranges your network uses, you'll recognize when an outsider is trying to worm in.
7. Scan yourself. To see what hackers can see, test your vulnerabilities with a free tool like Gibson Research's ShieldsUP! (www.grc.com).
8. If you don't need it, disable it. Turn off services you don't need, such as HTTP, FTP, Telnet, and any personal Web server.
9. Protect your passwords. Create strong passwords, and if anyone can get access to your PC, disable password management in your browser (see www.pcmag.com/passwords for more information).