Home page logo
/

basics logo Security Basics mailing list archives

Re: Protecting Home Machines
From: Byron Sonne <blsonne () rogers com>
Date: Thu, 20 Nov 2003 21:05:04 -0500

He swears that he had not downloaded
anything nor tried any removable media on this machine.

Users lie and exaggerate (for many reasons); maybe it really happened a couple hours after he plugged it into the net and his kids got to the computer first. Perhaps he may not be aware of automatic software updating mechanisms. Or spyware! Never trust what users say, or at the least, treat it as suspect. I've had immediate family 'lie' to me about what they did or didn't install "But it's just Windows MediaPlayer, all I did was download an mp3!" Well, that counts as an install to me.

Maybe you used questionable antivirus software; latest updates doesn't neccesarily make you invulnerable. When I helped run hospital IT infrastructure (lotta users and many vectors for infection), we constantly updated our AV software and used dual scan engines. Stuff still got through. But I do have to give points to dual AV engines, it really did make a difference.

Following a bit of research on the matter, I am now aware that it is possible
for machines to get infected on the fly especially through unprotected home
internet connections.
The question is, "What do I do to prevent such occurrences which have
increased of late."

Switch operating systems to something that doesn't allow itself to be so easily attacked or manipulated. Running windows/Microsoft products and being connected to the internet is, simply put, asking for it. Sorry but that's the harsh truth. Their software is designed to be popular, not secure.

You can't prevent all such occurences, but you can take steps to minimize them such as restricting what access and software the client uses on his machine, although this isn't much help on consumer windows boxen which don't adhere to acceptable (my opinion) privilege seperation models.

The standard stuff applies; turn off active content via email, eliminate the preview pane, STOP USING OUTLOOK, use decent proxy/junkbusting software (check out http://www.privoxy.org/), etc. Maybe switch browsers too. Firewall off the appropriate ports (135, 137, etc.) when connecting to the net and implement stateful filtering. If the BIOS has boot block protection or stuff like that, it might be worth turning it on after checking it out. If they're accessing the net through a/your company, and only via that route, then you might be able to impose something on them when they connect.

I would consider it interesting and worthwhile, if allowable in your case, to install some kind of logging software on the machine so you can verify what the user or their machine is accessing, downloading, or installing. Take a baseline of it before you ship it out and compare it when it comes back. Even if it doesn't help you help the user, you'll find it interesting. Real life field returns are excellent educational opportunities; considering making an image of it and creating a library of infections so you can test your own infrastructure or AV software. Just don't infect your own network!

Regards,
Byron Sonne

--

        For good, return good. For evil, return justice.


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault