Securing your computer

I've been using computers since 1969. I have experience on Control Data and IBM (and compatible) mainframes, and on microcomputers/personal computers.

On microcomputers and personal computers, I have used CP/M, Concurrent CP/M-86, MSDOS, various releases of Windows to Windows XP Professional, OS/2 and various distributions of Linux.

I have worked for large Australian departments, software and hardware vendors, and a small school.

I am able to install and configure (and have been paid to do so) Windows, including Windows Server 2003 and Windows Domains, and Linux networks (and firewalls), and at a pinch, Apple's OS X.

I have no experience at all with Windows Vista, and nothing I say here has anything to do with Windows Vista.

My experience has moulded my current view of and use of computers. During all this time, I have not had a computer infected with any kind of malware, except twice when someone penetrated security. I detected those occasions quickly, before the cracker had done much to cause a nuisance beyond the computer in question. Those two incidents involved passwords being guessed.

However, I don't count myself expert in Windows, and I don't use it for my most important computing.

A lot of people, particularly in the Free and Open Source Software community, decry Windows security. There is some justice to their views, but to be fair, few of the Windows security problems can be laid at the feet of Windows itself.

Mostly, the problems are with administrators, starting with Microsoft.

I was amazed when I first installed Windows XP Professional Service Pack 2.

I was even more amazed when I first installed Windows XP Professional Service Pack 3. I was not asked to set a password for Administrator.

This is Intro to Security 101. Set a password.

It goes on. Users are invited, nay demanded, to create a user account. Creating a separate account for a user is good in principle: it allows people to use their computers while providing some protection against malware.

Except that on Windows, it doesn't. The first user account created is another Administrator account, so using this account for regular daily use is just as bad as using the Administrator account itself for regular, daily use. Neither provides protection against malware.

So there is Virginia, with her new computer. She dutifully goes through the setup process, creates an account for herself to use for her surfing, reading email and whatever.

In the course of her surfing, she finds her way to youtube, creates an account there, to myspace, makes an account, to bebo, makes an account.

One of her new-found "friends" (she's never set eyes on this person, and doesn't really know whether this is a fine-looking young fellow about her age, a woman associated with the RIAA looking for so-called pirates, or anything except the (maybe) lies she's been told; it's astonishing how much we trust what we see on the 'net) tells her about all this great music that can be downloaded for free, music by Kasey Chambers, John Bell Trio, The Beatles. (No matter that it's illegal: the copyright holders haven't given their permission.)

On asking, she's directed to "this program, it's really easy to use." Probably it does all that is claimed of it: it does what she wants and is really easy to use. Possibly, it also does things that would horrify her.

If she installs it using an administrator account, the installer can install it wherever its author likes, generally some place under \program files. That is a fine choice, the standard place to install programs on Windows that are for general use. It could also update the registry to start some program or other whenever the system reboots. For some programs this is necessary, and it might even be reasonable for a file sharer. In fact it is: Windows file sharing does that. It might also update the Windows firewall rules to permit incoming connections. None of these changes is possible from a limited user account; all of them affect every user of the computer once made.
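One way for a user to check each of those things on her own machine, as an added PowerShell example that is not part of the original article (it assumes Windows XP SP2/SP3 with PowerShell 2.0 installed; the `netsh firewall` context is the XP-era firewall command):

```powershell
# Added example (not from the original article): audit the things the
# article says an installer run as Administrator can change. Assumes
# Windows XP SP2/SP3 with PowerShell 2.0; "netsh firewall" is the
# XP-era firewall context.

# 1. Is this account an Administrator? (The article's point: it should not
#    be the account used for daily surfing and e-mail.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Logged on as {0}; Administrator rights: {1}" -f $identity.Name, $isAdmin)

# 2. Can this account write under \Program Files? A limited user cannot,
#    which is what stops an installer putting its files there.
$probe = Join-Path $env:ProgramFiles ('write-probe-{0}.tmp' -f [Guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    Write-Host "Can write to $env:ProgramFiles : yes (installers can drop files here)"
} catch {
    Write-Host "Can write to $env:ProgramFiles : no (limited user)"
}

# 3. Programs started at every boot/logon. HKLM entries apply to all users
#    and need Administrator rights to add; HKCU entries apply to this user only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "`n$key"
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        # Skip the PS* bookkeeping properties the registry provider adds
        if ($p.Name -like 'PS*') { continue }
        Write-Host ("  {0,-25} {1}" -f $p.Name, $p.Value)
    }
}

# 4. Windows Firewall: programs and ports allowed to accept incoming connections.
Write-Host "`nFirewall configuration (netsh firewall, Windows XP):"
netsh firewall show config
```

Run it once from the account used for daily work: if the first line reports Administrator rights and the probe file can be written, that account offers no protection against the installer described above.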

Potentially, Virginia has installed a program that can cause her, and any other user of her computer, a great deal of grief. Read up on spyware.

That's how one catches a Trojan Horse, most commonly called a trojan. Like the gift in the Trojan War, there's more to it than meets the eye.

While I was researching the Internet for this article, I found this.

Briefly, the person concerned _is_ an experienced Windows user. He knows about protection, but took a short cut. He reinstalled Windows, then before installing updates, he downloaded some drivers. Here's part of his report, "and unwisely browsing the open internet with the unpatched, six year old original version of Internet Explorer 6.0. Danger, Will Robinson! I left Task Manager running as I browsed to MegaGames, downloaded a no-cd patch, and... nothing. I then visited GameCopyWorld, downloaded a no-cd patch, and... all of a sudden, it's crystal clear who the culprit is."

I don't know whether the culprit site, GameCopyWorld, is a malware site or whether it too had a security problem that allowed it to become infected. It doesn't matter, really: Jeff took risks and suffered the consequences. Probably, if he had applied all the patches, this would not have happened. In a related article, Jeff says, "This infection was only possible because I was logged in as an administrator. Choosing not to run as an Administrator is easily the single most important security tip for a Windows machine, whether you're running XP or Vista."

Two of the three kinds of computer infection are viruses and trojans. Virginia's experience is the typical way users install trojans; Jeff shows one way to catch a virus. One can also catch them by reading email.

The third, a worm, will not normally infect Windows XP in a typical broadband setup. Exposure to worms comes from being directly exposed to a network where worms already exist. Usually this means the Internet at large, but if a computer in a LAN becomes infected, then other computers on the LAN may be at risk. However, whether one is at risk from worms has nothing to do with whether an Administrator (or anyone) is logged on.

If you use a limited user account, not an Administrator account, that does not prevent you from becoming infected with a virus, but it stops something over 80% of them.

Most viruses are designed to attack Microsoft software, so it makes sense to use alternatives where possible.

Other measures you can take that help:

  • Install all Windows and Internet Explorer updates as they become available
  • Download and install Firefox from www.mozilla.org. It's not there itself, but there's a lot of software descended from the old Netscape Communicator suite, and www.mozilla.org tells you where to get it. Firefox is a safer alternative to Internet Explorer.
  • Download, install and use Thunderbird from www.mozilla.org. Thunderbird is a safer alternative to Outlook and Outlook Express.
  • Download and install OpenOffice.org from www.openoffice.org. OpenOffice.org is a safer alternative to Microsoft Office.

All those software packages are free of charge, and you don't even need to give them your name and address!

I don't use antivirus software, but that does not mean that you should not. The above steps will do much to keep you safe, but good antivirus software offers improved safety. Unfortunately, I cannot help you there.

Finally, there are other ways to avoid Windows woes. They involve not using Windows at all. They're not for everyone, but a lot of people are happy with their Mac computers running OS X, and those have a lot to recommend them. Others, myself included, run Linux. Mostly, I find Linux easy to use, and mostly easier to install than Windows. The good news is that it has drivers for almost everything likely to be in your computer, and those drivers will be installed without special action. The bad news is that if some critical hardware lacks a driver, you probably have to wait for a while. Probably, but not necessarily, someone is working on it.

Comments

More evidence

Here is a Microsoft security bulletin about a fix released in September 2009. It is described as "critical," meaning that this is critically important for the safe operation of your Windows computer.

It applies to most current releases and versions of Windows and Internet Explorer 6, 8 and 8.

It operates by exploiting a flaw in the implementation of JScript (Microsoft's version of JavaScript). I quote:
"The vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running a specially crafted script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
I understand that to mean that visiting a site hosting the "specially crafted script" is bad. If you have Administrator privilege, the consequences can be really seriously bad.

Need I mention that use of Firefox would avoid this problem?

John

Windows vulnerabilities

Here is an extract from documentation published in September 2009 relating to a problem with JScript in all supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 prior to SP2. For a full list of Windows security updates for September 2009, see http://www.microsoft.com/security/updates/bulletins/200909.aspx

This is quoted from http://www.microsoft.com/technet/security/bulletin/MS09-045.mspx
JScript Remote Code Execution Vulnerability - CVE-2009-1920

A remote code execution vulnerability exists in the way that the JScript scripting engine processes scripts in Web pages. The vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running a specially crafted script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Note the final words, "administrative user rights."

To fall victim to this, you had to do these:
1. Browse as an administrative user using Internet Explorer (any supported version, including 8).
2. Load and execute a malicious script, one which might not come from a site you explicitly visit; lots of sites load scripts from google-syndication.com, for example.

Easy!

John