In addition to malwarebytes and VIPRE, I’m a big fan of ComboFix. -Paul
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, November 07, 2012 11:24 PM
To: NT System Admin Issues
Subject: Kurt's current security recommendations for your computer - the 2012 update

All,

I sent out the last version of this back over a year ago. It's time for a refresh. I've only done a few minor updates, as things haven't really changed much. However, I'd be pleased if you share with me any thoughts you have on what I've written.

The first thing to remember is that security (computer or otherwise) is not an end state. It's a process, and a mindset. Why do security professionals say that? For three related reasons:

o- The world changes

Trite, perhaps, but it's fundamental. For the computing world, this means new applications, new versions of applications, new versions of operating systems, patches to current operating systems and applications, etc. It also means new criminals and new ways of crime - they are tricksy beasts.

o- All software has bugs

Lots of them. If (when!) encountered, many of those bugs will cause your computer to behave in ways that are much less safe than you would hope or expect.

o- The computing world has more risks than the physical world

There are hostile actors in the computing world trying to take advantage of the above, which means that what might have been relatively safe earlier is unlikely to be so in short order. What you *MUST* understand is that, for these people, infecting your computer is a business. They make money from it, in several different ways. The specifics of the business are beyond the scope of this discussion, but understanding that should lead you to understand that you and your computer are a target, no matter how insignificant or obscure you think you or your computer might be. And, they can be anywhere in the world - Bulgaria, China and North Dakota are as close as your next-door neighbor.

But, all is not lost, nor insuperable.
Understanding the above, and following a few pieces of advice, will keep you out of most trouble and will improve your odds of safe computing over the longer term. Understand that the situation in the computing world is fluid and that the enemy is mobile, agile and hostile, and you're in better shape than would otherwise be the case.

So, the advice, in rough order:

o- Mobile devices are still more dangerous than traditional computers such as laptops and desktops

They, and the software on them, are still not mature, and methods for using and managing them safely are not well developed. In particular, it's very difficult to achieve separation of privileges between administrative functions and normal user functions, because there aren't any easy ways to use more than one account. What that means, and why this is important, will become a bit more clear if you read this whole message. Right now I'll just caution you that mobile devices are under intense scrutiny by computer criminals for any advantage, and are the fastest rising targets for malicious activity. Be careful with them. Don't a) install apps without understanding what they do and what privileges they require, b) open random text messages - especially, you shouldn't follow links in text messages to web sites, or c) perform any really sensitive tasks on them - by this I mostly mean doing financial tasks or keeping financial data on the device without encrypting it. Do keep your eyes peeled for good security software and for unexpected or suspicious behavior on your mobile device.

o- Keep your machine patched

For your computer's operating system (Windows, Mac, Linux or other) and for every program that you commonly use on your machine, make sure that at least once a month you visit the vendor's web site and keep current with the latest security updates.
This includes your operating system (Windows, Mac, Linux, whatever), and your application software - not only the major pieces like MS Office or OpenOffice, and your web browser, but also the various Adobe products (including especially Acrobat Reader, Flash and Shockwave), Java (if it's installed) and any other free or paid software you use. Fortunately much software now is capable of updating itself. Pay attention though - if a piece of software wants to update itself, make sure that it's *really* that software that's asking.

o- Simple is better

Uninstall any software that you don't use any more, or that you don't use regularly enough to make it worth keeping around. Also, don't gratuitously or promiscuously install software, especially if a web page unexpectedly prompts you to do so. This especially means supposed video codecs from some web sites, or special drivers to see or work with content on their pages. If they want you to do that, be extremely suspicious of it. Some software asks if you want to install addons from partners. Decline them. Even if they are from legitimate firms, these addons usually cause nothing but grief. (The free Adobe Acrobat Reader and Flash Player are two of the most egregious in this regard, but Sun's Java is also prone to it.)

o- Be cautious browsing the web

Hover your mouse over any link before clicking on it, whether in email or on a web page. You should see either a popup or a notification at the bottom of the page of what's really in that link. If the popup doesn't match the visible link, don't click on it.

o- Be cautious reading email

If you're using an email application such as Outlook, Pegasus or some other non-web-browser email, you should be able to set it so that by default it displays only plain text. Don't click on links just because they appear in emails that appear to come from someone you know, or from your bank or credit card vendor.
After inspecting an email and deciding it's worthy, you should be able to cause it to display any web content. Most emails are not worthy.

o- Fortify your browser

Use browser-based tools to help protect you from malicious web content. My favorite browser is Firefox. Hands down, it's the best of the browsers, for one simple reason: it has the best security plugins I know of. I use bunches of plugins and addons for various purposes (many of them not related to security), but these are the ones that I absolutely install wherever I can - each covers a different facet of web security:

NoScript
Request Policy
Adblock Plus
Better Privacy
Ghostery - new for this edition of my advice

Be aware that the first two, in their default configurations, are fairly disruptive, until you know what they do and how to work with them. They extract a price, in that you must pay attention to them, and understand what they are doing, in order to optimise your browsing experience. They pay big dividends, though, in much safer browsing. They will also astonish you, by revealing how incredibly complex web pages are, and how many agents have their fingers in your browsing. Better Privacy and Ghostery in their default configurations aren't intrusive, but can be if you get carried away with them, although they are also extremely valuable.

A fascinating addon for Firefox is Collusion. It aims to demonstrate which web sites know about you and talk with each other about your browsing habits. It doesn't prevent anything - it merely shows you a graph, but it's really useful for understanding how the web is tied together.

o- Get a good antimalware package

I like Sunbelt Software's VIPRE. I *don't* like either McAfee or Symantec. I've heard good things about Kaspersky, but haven't used it. Trend used to be good, but I have no opinion on it currently, because I haven't used it in years. Microsoft's Security Essentials is free and does a very good job, but it's only for Windows.
There are lots of others, and I have no way to tell you anything about them, as I haven't used them.

o- Don't panic

If, in spite of having a good antimalware package, your computer does get infected, you will need to use other software to help out. Currently, I'm a big fan of malwarebytes - you can get a free version from http://www.malwarebytes.com. Also recommended is VIPRE Live - get it from http://live.sunbeltsoftware.com. Don't run them at the same time - let one finish, then run the other. If things are really fubar'ed you'll want to engage a professional, as there are other tools out there that require more expertise to use, such as UBCD4Win, various Linux-based rescue disks, etc. Please understand that not all situations can be remedied, so be cautious in your computing.

o- You are not a computer, and your memory is limited and much more volatile

You probably visit many different web sites, for many different purposes, many of which require an ID and password. Use a different ID and password for every one of them. You are going to have problems remembering that much account information, so use an application to help you manage them - there are two that I can recommend:

Password Safe
Keepass

Both are good, and allow you to use a single master password to protect your other passwords and other account details. Both of these, BTW, have versions that work on smart phones, too.

o- Refresh your passwords

Change your passwords regularly, for all of your accounts, both on your computer and for the various web sites you browse. The fundamental rules of passwords are:

- The longer and more complex they are, the better
- Change web site passwords at least every six months
- Change each of your passwords at least every six months - though the longer the password the longer you can go between password changes

Wherever I can, I use a passphrase, which is really just a very long password, but it's easier to type and remember.
It's easier because it's a regular sentence, with punctuation, spaces and capitalization all correct. If you throw in a number, you're especially well off. By way of example, I consider the sentence There are 23 ways to cook pasta. much easier to remember and type than something like X8&2Rdd-/az and it's stronger, too. For web pages that don't allow really long passwords/passphrases, you have your password manager to help generate random passwords of sufficient complexity. o- Lie to web sites When they are asking you to answer security questions that will be used to reset passwords or verify your identity in some way, don't give them a real answer. If, for instance, they ask for your mother's maiden name, use something else, like the name of your high school PE teacher or the kind of car you like, or your favorite sports team. Record that in your password management application. Lie to web sites about everything you can. Use different answers for different web sites. Why? Two reasons. 1) Because it helps keep your privacy - more than would otherwise be the case. 2) Because if hackers crack the web site and get the data, it won't be applicable to your other accounts. Keep your lies straight with your password manager. o- Back up your data If you have data on your machine that you would be unhappy to lose permanently, regularly copy that data somewhere else - perhaps even two or three places, and if it's *really* valuable data, make sure a copy is stored somewhere away from the building in which your computer resides. Valuable data comes in many forms: Financial records and pictures/videos are the two most common, but only you can judge what's valuable to you. Don't forget to include backups of the data in your password management system. Pro tip: It's not a really good idea to keep backups from your home computer at work. Why? 
Because your work might consider it *theirs* if you do, or you might lose your job and not have time to take it with you after being frogmarched out the door due to layoffs, or something stupid like that. It's also true in reverse. Storing work data at home is a sin. Don't do it. o- Keep your passwords on paper, and on your person or another safe place If you're away from your computer, and need use someone else's to get to a web site that needs a password, you can use the list of your most important accounts and passwords that you've printed out and keep safe in your wallet or purse. Then, when you get home, you'll change that password immediately, because you don't know what else was running on the computer you borrowed. o- Understand the principle of Least Privilege, and don't be an Administrator all the time One of the hardest practices of them all to perform well, because everyone (including me!) is lazy, and because operating systems don't always make it easy, is to use two different computer account logins on your personal computer. Why? Because there are two different sets of tasks that you perform on your computer. The first set of tasks is the set that you bought your computer to help with - playing games, web browsing, reading emails, whatever. This set of tasks should be done with an account that has very little power on your machine. You shouldn't be able to install software or change major system-wide settings with this account. Why? Because this is the account you'll use to do things in the relatively dangerous world of the Internet. The other account is the Administrator or root account. This is the account you use to perform the other set of tasks on your computer - maintenance, including installing software and changing major system-wide settings. Never do anything else with this account - don't browse the web (other than to get updates from the publishers of the software you use) or play games or anything else with that account. 
This approach is called, among other things, Least Privilege Computing. If you're running Windows, one tool that helps with this is native to the operating system: RunAs. It allows you to log in as your less-privileged user, and then run a necessary program as your higher-privileged account. I don't know Macs, but for Linux and other Unix variants, there are similar tools. And, please, don't use the same password for these two accounts.

If you can follow all of the above, you'll do as well as anyone else - and better than many professionals.

I hope this was helpful, rather than overwhelming.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
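Editor's added example for the "Be cautious browsing the web" item above: the hover-and-compare check Kurt describes, done programmatically over an HTML email body. This is not code from either message in the thread. The sample HTML is constructed for the example, and the hostname normalisation (lower-case, drop a leading "www.") and the regex for "text that reads as a URL" are assumptions; a mail client's own rendering may differ.

```python
"""Flag anchors whose visible text names a different host than the href.
Added example; the HTML below is constructed, not from the original message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body: two honest links and two that
# show one host in the text while the href points somewhere else.
SAMPLE_HTML = """
<p>Please confirm at <a href="http://login-verify.example.net/acct">https://www.mybank.example/secure</a>.</p>
<p>Read the <a href="https://www.mybank.example/help">help pages</a>.</p>
<p>Or go to <a href="https://www.mybank.example/">www.mybank.example</a>.</p>
<p>Statements: <a href="http://mybank.example.attacker.example/">mybank.example</a></p>
"""

# Visible link text that reads as a URL or a bare hostname (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(target: str):
    """Hostname of a URL or bare hostname, lower-cased, leading 'www.' dropped
    (this normalisation is an assumption for the example). None if unparsable."""
    target = target.strip()
    if "://" not in target:
        target = "http://" + target
    host = urlparse(target).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str):
    """Return anchors whose text looks like a URL but names a different host
    than the href really points to. Plain-word link text ("help pages") gives
    the reader nothing to compare against, so it is not flagged here."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE.match(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown != real:
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "real_host": real})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {f['shown_host']!r} but goes to {f['real_host']!r}: {f['href']}")
```

Run against the sample, the two deceptive anchors are reported and the two honest ones pass, including the one whose text omits the scheme. The fourth anchor is the case the hover check is really for: the real host ends in a different registered domain even though it begins with the bank's name, and only comparing whole hostnames catches it.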
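Editor's added example for the "Refresh your passwords" comparison above, and for the random passwords and made-up security answers that the "You are not a computer" and "Lie to web sites" items hand off to a password manager. This is not code from the original thread. The attacker models (a character-class brute force, and a whole-sentence guesser with an assumed 20,000-word vocabulary and two-digit numbers) and the 32-word toy list are assumptions chosen so the block runs offline; a real passphrase generator would draw from a published list of several thousand words.

```python
"""Score the two passwords from the message under two attacker models, and
generate site passwords, passphrases and fake security answers with `secrets`.
Added example; model parameters and the word list are assumptions."""
import math
import secrets
import string

# Assumed whole-sentence attacker: one vocabulary word per token, numbers 0-99.
ASSUMED_VOCABULARY = 20_000
ASSUMED_NUMBER_RANGE = 100

# Constructed 32-word toy list so the block runs stand-alone (5 bits per word).
SAMPLE_WORDLIST = (
    "apple basket candle dragon engine forest garden harbor island jungle "
    "kettle ladder meadow needle orbit pillow quartz ribbon saddle tunnel "
    "umbrella valley walnut yellow zipper anchor bridge copper desert ember "
    "falcon glacier"
).split()


def brute_force_bits(password: str) -> float:
    """Work for an attacker who enumerates every string over the character
    classes present in the password: the model that complexity rules assume."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        alphabet += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        alphabet += len(string.digits)
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += len(string.punctuation) + 1  # punctuation plus space
    return len(password) * math.log2(alphabet)


def phrase_model_bits(phrase: str) -> float:
    """Work for an attacker who guesses sentences word by word rather than
    character by character. This is the honest number for a passphrase."""
    spaces = " " * len(string.punctuation)
    tokens = phrase.translate(str.maketrans(string.punctuation, spaces)).split()
    return sum(math.log2(ASSUMED_NUMBER_RANGE if t.isdigit() else ASSUMED_VOCABULARY)
               for t in tokens)


def generate_site_password(length: int = 16,
                           alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password for sites that cap length. Rejection-samples until every
    character class that `alphabet` contains appears at least once."""
    classes = [set(string.ascii_lowercase), set(string.ascii_uppercase),
               set(string.digits), set(string.punctuation)]
    required = [cls for cls in classes if cls & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDLIST) -> str:
    """Random words joined by spaces; entropy is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist=SAMPLE_WORDLIST) -> float:
    return words * math.log2(len(wordlist))


def fake_security_answer(wordlist=SAMPLE_WORDLIST) -> str:
    """A made-up answer for 'mother's maiden name' style questions, to be
    stored in the password manager rather than remembered."""
    return generate_passphrase(3, wordlist).title()


if __name__ == "__main__":
    for pw in ("There are 23 ways to cook pasta.", "X8&2Rdd-/az"):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.0f} bits, "
              f"phrase model {phrase_model_bits(pw):.0f} bits")
    print(generate_site_password(12), "|", generate_passphrase(), "|", fake_security_answer())
```

The sentence scores about 210 bits under the character-class model and about 92 under the sentence model; the 11-character random string scores about 72 either way. So the passphrase is still ahead, but by the sentence-model margin, not the brute-force one: what the extra length buys is entirely a function of how many words an attacker must consider per position, which is why the generator above reports entropy per word rather than per character.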