Johnny Long
http://johnny.ihackstuff.com
The BIG Disclaimer
• This presentation is based on the SecurityFocus checklist by Scott Granneman entitled "A Home User's Security Checklist for Windows".
• Download: http://www.securityfocus.com/columnists/220
• Scott did the work. I'm here to spread the word, keep it simple and show how it can be abused.
• Basic Windows security is possible, and it only takes 15 minutes.
The little disclaimer
• It's hard to account for all versions of Windows here, so I use Windows XP Professional for the examples.
• This presentation is for entry-level users.
• For most examples I will show an attack followed by the appropriate fix.
• In some cases I will just show a fix.
Problem: Administrative Access
• Although it's simpler, do not use the Administrator account (or an equivalent) for everyday work.
• It's too easy for an attacker to abuse your machine, and unless you know what you're doing, it's too easy to mess things up!
Fix: Restrict Admin Access
• Do not run Windows as Administrator.
Attack! Accounts without passwords
An attacker can use simple commands to browse your machine without a password...
The attacker connects to your computer with your password...
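The two slides above warn about everyday work done as Administrator and about accounts an attacker can reach with "simple commands" because no password is set. The following script is an added example, not something from the presentation or from Scott's checklist: it audits those settings on the local machine. It assumes the LocalAccounts cmdlets (Windows PowerShell 5.1 on Windows 10/11), an elevated session so every account can be read, and a placeholder account name `daily-user` for the fix at the end.

```powershell
# Added example (not from the slides): audit the local-account weaknesses the
# "Administrative Access" and "Accounts without passwords" slides describe.
# Assumes Windows PowerShell 5.1 / LocalAccounts module, run as Administrator.

# 1. Is this session running with Administrator rights? The slides say
#    everyday work should happen in a non-admin account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user: $($identity.Name)  elevated: $isAdmin"

# 2. Who is in the local Administrators group? Every extra member is one more
#    account whose compromise hands an attacker the whole machine.
"Members of local Administrators:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Enabled accounts that do not require a password, or whose password was
#    never set: these are what "simple commands" reach without a password.
"Enabled accounts with no password requirement or no password ever set:"
Get-LocalUser |
    Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or -not $_.PasswordLastSet) } |
    Select-Object Name, PasswordRequired, PasswordLastSet | Format-Table -AutoSize

# 4. LimitBlankPasswordUse = 1 (the default) confines blank-password accounts to
#    console logon, so they cannot be used over the network at all.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.LimitBlankPasswordUse -ne 1) {
    Write-Warning 'Blank passwords are usable for network logon; set LimitBlankPasswordUse to 1.'
} else {
    'Blank-password network logon is restricted (LimitBlankPasswordUse = 1).'
}

# 5. The fix from the slides: a standard (non-admin) account for daily use.
#    'daily-user' is a placeholder name; the password is prompted for, never
#    hard-coded. Uncomment to apply.
# $daily = Read-Host -AsSecureString 'Password for the new daily-use account'
# New-LocalUser -Name 'daily-user' -Password $daily
# Add-LocalGroupMember -Group 'Users' -Member 'daily-user'
```

Run it once as Administrator to see the baseline, then again from the new daily-use account: step 1 should report `elevated: False`, and step 3 should list nothing.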
Fix: Windows Update
Another way is from Start --> "Help and Support Center", click "Windows Update".
• Never follow update instructions sent via email.
• This technique is called "phishing" and opens the door for malicious users.
Fix: Application updates
• Always keep on top of updates for applications you install.
• Keep a list of apps you install and the website for that product.
• For example, visit http://office.microsoft.com/officeupdate for updates to MS Office products.
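The slide asks you to keep a list of installed applications and the website for each one. Windows already records most of that when an installer runs, so the list can be generated instead of kept by hand. The script below is an added example, not part of the presentation or the checklist: it reads the installer records from the registry, writes the inventory to a CSV file, and lists the most recent Windows updates. It assumes Windows PowerShell 5.1 or later; `installed-apps.csv` in the user profile is an arbitrary output path chosen for the example.

```powershell
# Added example (not from the slides): build the "list of apps you install and
# the website for that product" from the uninstall records Windows keeps, and
# show when Windows itself last took an update. Assumes Windows PowerShell 5.1+.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Each installer writes DisplayName/DisplayVersion/Publisher; many also record
# URLInfoAbout or HelpLink, which is the vendor page to check for updates.
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = $_.DisplayVersion
            Publisher = $_.Publisher
            Website   = if ($_.URLInfoAbout) { $_.URLInfoAbout } else { $_.HelpLink }
            Installed = $_.InstallDate   # yyyymmdd string written by the installer
        }
    } | Sort-Object Name -Unique

# Save the inventory (output path chosen for this example) and re-run after
# every install so the list stays current.
$apps | Export-Csv -Path "$env:USERPROFILE\installed-apps.csv" -NoTypeInformation
$apps | Format-Table Name, Version, Website -AutoSize

# Entries with no recorded website need the vendor URL looked up and added by hand.
"Apps with no vendor URL recorded: " + (@($apps | Where-Object { -not $_.Website }).Count)

# Windows Update: the most recently applied hotfixes, so a machine that has
# silently stopped updating stands out.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

The CSV is the list the slide talks about; keep it with the checklist and compare against the vendor sites it names rather than against links arriving by email.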
Problem: Malicious code
• Regardless of your protection from the network, viruses and other types of malicious code can cause disruption or affect the security of your computer.
Fix: Anti-Virus Programs
• An anti-virus program should be installed.
• The software should be set to:
  • automatically scan the computer at least once a day
  • automatically scan email messages
  • allow scanning of Instant Messaging downloads
  • automatically update virus signatures via the web
Problem: Malicious Email
• Email is often used to propagate malicious code.
• Depending on the configuration of your email reader, malicious code can enter your system without even being read.
• "Web bugs" can track your location and your activities.
Attack: Fake Email scams...
Malicious users can pose as respected web sites via email. Is this real? How can you know?
If you trust the site, go to the website by typing the URL in your browser.
Fix: Email reader configuration
• Turn off the preview pane.
• Always know who an email is from before you open it.
• Disable JavaScript.
• HTML-based email is nice, but JavaScript in an email message can be very dangerous.
• Go offline.
• Email tracking (web bugs) does not work in offline mode.
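The "Fake Email scams" slide above asks "Is this real? How can you know?", and the configuration slide explains why going offline defeats web bugs. The script below is an added example, not from the presentation or the checklist: it takes the HTML body of a message and points out the two things those slides describe, remote images that report back when the message is opened, and links whose visible text names one site while the target is another. The message is constructed for the example and every hostname in it is a placeholder.

```powershell
# Added example (not from the slides): inspect an HTML email body for web bugs
# (remote images) and for links whose visible text disagrees with the target.
# The message is constructed for this example; all hostnames are placeholders.

$body = @'
<html><body>
<p>Dear customer, please confirm your details.</p>
<img src="http://mail-tracker.example/open.gif?u=4471" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
<p>Visit <a href="http://login.bank-example.example.net/">https://www.bank-example.com/</a></p>
<p>Read our <a href="https://www.bank-example.com/help">help pages</a>.</p>
</body></html>
'@

function Get-HostName([string]$Url) {
    try { ([uri]$Url).Host } catch { $null }
}

# Web bugs: any <img> fetched from a remote server. Loading it tells the sender
# that the message was opened, from which address and when. A 1x1 size makes a
# tracking pixel more likely, but every remote image reports the open; reading
# offline, as the slides advise, stops all of them. The cid: image is embedded
# in the message itself and fetches nothing.
$imgPattern = '<img\b[^>]*\bsrc\s*=\s*["'']?(?<src>[^"''\s>]+)[^>]*>'
$webBugs = foreach ($m in [regex]::Matches($body, $imgPattern, 'IgnoreCase')) {
    $src = $m.Groups['src'].Value
    if ($src -match '^https?://') {
        [pscustomobject]@{
            Src      = $src
            Host     = Get-HostName $src
            OnePixel = ($m.Value -match 'width\s*=\s*["'']?1\b')
        }
    }
}

# Deceptive links: the visible text looks like a URL for one site while the
# href goes somewhere else. The slide's fix applies: type the address yourself.
$aPattern = '<a\b[^>]*\bhref\s*=\s*["'']?(?<href>[^"''\s>]+)[^>]*>(?<text>.*?)</a>'
$badLinks = foreach ($m in [regex]::Matches($body, $aPattern, 'IgnoreCase')) {
    $href = $m.Groups['href'].Value
    $text = $m.Groups['text'].Value
    if ($text -match '^https?://') {
        $shown = Get-HostName $text
        $real  = Get-HostName $href
        if ($shown -ne $real) {
            [pscustomobject]@{ Shown = $shown; Actual = $real; Href = $href }
        }
    }
}

"Remote images (possible web bugs):"; $webBugs | Format-Table -AutoSize
"Links whose text and target disagree:"; $badLinks | Format-Table -AutoSize
```

On the constructed message this reports one remote image (the 1x1 `open.gif`) and one deceptive link (text shows `www.bank-example.com`, target is `login.bank-example.example.net`); the embedded `cid:` logo and the plain "help pages" link are not flagged. A mail client that blocks remote content, or is simply offline, never fetches the first item at all.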
Fix: Email safety
• Never open attachments that are programs.
• Only open attachments that you are expecting.
• Always scan attachments for viruses, even if you think your virus scanner is doing it automatically.
Fix: Email safety
• Never reply to spam, even to be "removed" from their mailing list.
• Remember that secure web sites will never request you to change your password, enter your PIN, or answer other sensitive questions via email.
Problem: Browser Security
• There are many different ways an attacker can deliver malicious code via your web browser.
• Configure your web browser safely.
• Scott wrote a terrific article entitled "Securing Privacy", available from http://www.securityfocus.com/infocus/1585
Fix: Browser Security Tests
• The Browser Security Test
  • http://bcheck.scanit.be/bcheck/
• PC Flank's Tests
  • http://www.pcflank.com/about.htm
• Jason Levine's Toolbox
  • http://www.jasons-toolbox.com/BrowserSecurity/
Problem: Spyware
• Spyware is software designed to track Internet users.
• This invasion of privacy can also be disruptive and subversive to your online activities.
Fix: Anti-Spyware Programs
• You should install and implement an anti-spyware program.
• You should keep up with updates, automatically if the program allows it.
• http://www.anti-spyware-review.toptenreviews.com/ lists reviews of the most popular anti-spyware programs.
Closing
• Be sure to download Scott's complete checklist for all the details.
• http://www.securityfocus.com/columnists/220
• This presentation can be downloaded from my website.
• http://johnny.ihackstuff.com