Presentation on theme: "How to Make Windows Secure -- with Free Software Howard Fosdick (C) 2006.5 FCI V 1.2."— Presentation transcript:
How to Make Windows Secure -- with Free Software Howard Fosdick (C) 2006.5 FCI V 1.2
Who Am I ? * DBA for Oracle (also DB2 & SQL Server) * A founder of IDUG, MDUG, CAMP * Management Consultant * Author Rexx Programmers Reference (see www.amazon.com/rexx www.RexxInfo.org ) Independent Contractor -- hfosdick at the domain compuserve.com
This Presentation is Based On-- * Operating Systems principles (I taught cs550 at IIT) * Hands-on with the products * My column in Enterprise Open Systems Journal www.eosj.com
Outline I. Malware II. Why is Windows Insecure? III. FOSS to Secure Windows IV. Microsoft Alternatives V. Fallout ? Poof !
Malware is Out of Control Source-- MIT Technlogy Reivew March/April 2006 50% 100% Pew Research National Cyber Security Alliance WebRoot 43%61%72% Percent of PCs Infected Millions of PCs are Infected ! Nearly all run Windows.
Infections per Corporate PC (as per WebRoot 20K PC scan) Q404 Q105 Q205 Q305 Q405 Q106 Q206 23.4 Source-- Computerworld 8/7/06 pg. 45 22.7 27.0 23.5 21.5 19.0 Im yours!
The Evolution of Defenses Virus Scanners Spyware Scanners Firewalls Browser Hijack Defenders Module replacement prevention Intrusion Detection Systems (IDS) Real-time email scanners --- etc --- Monolithic or Unitary product ?
Why is Windows Insecure ? * Windows is a target because it predominates -- This explains why Windows is subject to attacks, not why it succumbs to them * Any other OS would have the same problems subject to the same attacks -- Not true! OSs are as different as programming languages. They have different design goals, philosophies,etc Some are more secure than Windows, others are less secure.
Why is Windows Insecure ? To simply say that Windows is insecure is wrong. The problem is that Windows security is inadequate for its role as the untrained publics primary-- -- PC operating system -- for Internet access Windows security is just fine for many other purposes.
Windows User Groups Dont Work for the Internet Number of Infections Win 2000 SP4Win XP SP2 User10 Power User1916 Administrator1916 Tests by EWeek, 11/28/05. Power User suffers the same penetration as Administrator Windows rights management does not adequately address Internet access
Technologies for OS Security ? Wheres the sandbox ? Wheres VM (virtualization technologies) ? What about user rights management ? Ring privileges that work for the requirements ? A system of id groups that make sense! ? Special Browser State run level ? Locks and keys ? Other security techniques Oops!
The Goals Shifted on Them Easy-to-use OS Integrated stack with LAN- controlled networking Early to mid 1990sTodays requirements Secure OS with always-on Internet connection, browser-based communications But Microsoft is Smart… Why Would they Design an Insecure Operating System? They got to 50MM LOC before the problem became apparent !
But Microsoft is Smart… Why Would they Design an Insecure Operating System? -- Microsoft chose ease of use and integration over security * This is how they won the suite wars (vs. Wordperfect, Lotus) -- The integrated stack yielded their desktop monopoly -- by locking out competing products -- Gates did not understand the importance of the Internet until it was too late and they had 50MM lines of legacy code -- Bill Gates The Road Ahead (1995) had 2 pages on Internet! (It was quickly yanked from shelves and quietly replaced with a re-written version with longer Internet coverage) -- When the Internet really took off, we were surprised… --Bill Gates, Preface to the 2nd Edition 1996
The Solution ? --- Try to Retrofit Security Insecure Operating System Its all a retrofit ! the BoxOut of From M icrosoft----- System Restore, System File Checker, Signature Verification, Registry Checker, Trusted web sites, require post-install reboots, Windows OneCare Live, Win. Client Protection FOSS---- Virus Scanners, Trojan, RAT, Rootkit, Keystroke logger detection, Spyware Scanners, Real-time Email Scanning, Bi-directional Firewalls, Browser Protection, Module Replacement Protection
What About Vista ? -- Trustworthy Computing announced Jan. 2002 -- Microsofts promise to fix security in every prior release ================================================== + Vista brings incremental improvements... again ? Sandbox for IE ? Better user rights management ? Drive encryption ? More secure Registry Speculative -- Im not a Vista tester, Vista not yet finalized
User Behavior is the Single Most Important Factor Determining Whether You Get Infected * System Restore checkpoint prior to any install * For older PCs-- Registry Backup & Emergency Repair Disk (ERD) * Full malware scans after any install * Make & keep generational backups * Set high-security Browser settings (or dont use IE) -- Avoid: -- Free screensavers, wallpaper, games -- Porno sites -- Hacker sites -- Music- and file- sharing software -- Browser modifiers (BHOs, Toolbars, Extensions) + Visit only reputable web sites + Selectively open email (an Outlook preview equals an open) + Selectively install programs + Keep real-time protection ON (firewalls, malware scanners, browser protectors) Careful! I didnt know!
Where to Download Products Keep a copy of what you download, free status sometimes changes ! --> or google Last Freeware Version (LFV) Free! * www.TheFreeCountry.com * www.Download.com * www.MajorGeeks.com... Sites offer-- + Central repository for Downloads + Reviews, ratings + Product descriptions Good also for learning about Windows security !
Firewalls -- Microsofts firewall is uni-directional & inadequate. Why? -- Because Microsoft is a spyware vendor. Examples-- -- WGA scandal -- WMP scandal -- WPA controversy -- Windows Search phones home -- Alexa controversy -- Win-98 registration scandal -- Embedded GUIDs -- Index.dat files -- many others * Bidirectional firewall is a must -- + ZoneAlarm=> Very widely used, easy user interface + Tiny=> Small, fast, light, pre-XP (see LFV) + Kerio=> Evolved from Tiny + Agnitum Products I can vouch for personally are in italics in out you
Anti-Malware Overview Categories: * Anti-virus * Anti-spyware * Real-time install prevention * Real-time module replacement protection (aka intrusion protection) * Browser hijack prevention * Rootkit detection...etc... Categories of malware they detect vary. No one product does it all, you need several. Keep definition files updated !
What About Microsofts OneCare Live ? + Single-vendor, integrated solution -- Microsoft has a long track record -- As a spyware vendor -- For inadequate security -- Of privacy violations They sold you a leaky boat... Now youre gonna buy your lifeboat from them ?
Anti-Virus * These features distinguish the best products: + On-access file scans + Incoming email scanner + Real-time activity scanning Recommendations-- + AVG anti-virus=> As good as any purchased pdt + avast! * Lesser products are simple batch scanners (but they may excel at that!) Recommendations-- + ClamWin (aka ClamAV) => Slow scan but finds rootkits, runs on smaller / older PCs + BitDefender Console => Finds Sony/XCP rootkit
Anti-Malware * Spyware detection: + Ewido => New, very effective + Ad-aware=> Widely used + Spybot Search and Destroy=> Popular, Infrequent updates + A-squared=> Runs on smaller / older PCs, inefficient update algorithm. * Prevent Spyware installs: + SpywareBlaster=> Both from JavaCool Software + SpywareGuard=> Real-time protection plus BHO prevention * Prevent alteration of executables: + WinPatrol=> Useful to run one of these + PestPatrol
Anti-Malware * Startup protection: + Startup Cop=> Easy, works great + MSConfig=> Built into Windows * Browser hijacker protection: => Protects you from browser hijacking through secret installs of Browser Help Objects, Browser Extensions, Toolbars, etc. + Dont use IE=> Use Firefox, Mozilla or Opera + Or set IE Options (Security, Privacy, Advanced) very carefully! + Hijack This! => Thorough, requires expertise + SpywareGuard=> Prevents malware installs
Product Updates * Data Definition File Updates: * Keep Definition Files updated for all products + Use built-in Schedulers or Windows Scheduler to do this -- What about Microsofts Windows Update ? -- Not recommended (eg: WGA abuses, installed w/o consent, misrecognized valid Dell licenses, etc) + Shavlik NetChk Protect=> Free, new also covers other products www.shavlik.com www.WindowsSecrets.com
Rootkits * Rootkit detection: + Rootkit Revealer=> Thorough, requires expertise + Anti-Hook=> Thorough, requires expertise + Rootkit Detector (RD-CD)=> From IIT students + IceSword=> + ClamWin => Finds some Rootkits + BitDefender Console=> Finds some Rootkits If a successful Rootkit causes mass re-installs, it could kill Windows in the market place ! Rootkit -- software that gets Superuser rights and compromises the operating system. New, growing threat. Full Detection Ease of Use VersusRemoval !
Your Computer Spies on You ! Windows Tracks-- -- All the web sites you visit -- The email addresses you send to -- Who creates/edits all Office files -- Office file editing statistics -- Puts permanent ID in all Office documents you create -- Tracks everything you have done recently Why do we care ? -- Identity theft -- Loss of your personal power to businesses & governments Windows tracks everything you do Privacy is power, and you have none ! (This is Trustworthy Computing ?)
Your Computer Spies on You ! -- When you delete a file, Windows only removes an index pointer to it, the file is still on disk. How long the file remains on disk depends on the disk allocation operations that follow the delete. * Secure deletion (overwriting): + Eraser=> Shell program + BCWipe=> Can also erase disk (see LFV) + Dereks Boot and Nuke=> Good for volume wiping * Erase temporary file areas: + Browser option built-in, also cache reset + Built-in Disk Cleanup + EmpRunner + Empty Temp Folders
Your Computer Spies on You ! -- Windows tracks your recent activities: Delete traces of your recent activities: + Ad-aware=> This feature is included + MRU Blaster + Windows Washer -- Windows tracks all web sites you visit: + Index Dat Spy=> Lists sites you visited * Erase Internet sites visited logs: + Windows Washer + PurgeIE, PurgeFox-- Not free after 15 days use
Your Computer Spies on You ! -- MS Office -- Keeps Edit Info and GUIDs: Erase document creator, editor, edit statistics: + File Properties Remove GUIDs & other hidden data from Office files: + MS offers manual procedures-- Impractical ! + Doc Scrubber + ID Blaster=> Use w/ care My best recommendation-- Replace Microsoft Office with OpenOffice
Your Computer Spies on You ! -- Data Security Circumvention -- * Boot a Live Linux CD (eg Ophcrack or Knoppix) * Use Win2K Recovery Disk * Break the password with ntpasswd Therefore you must encrypt data: + Built into Win XP on-- Transparent & convenient, but used to leave around unencrypted files in Temp area + QuickCrypt + Many others=> Work on Files, Folders, Volumes, entire System + Email encryption with: + PGP + GNU Privacy Guard + Hushmail
The Web Spies on You ! * Anonymous Surfing Web sites you visit get your: -- IP address (which may uniquely identify you) -- OS type and version -- Browser type and version -- Where you came in from -- What you see on their site -- Your behavior on their site... etc... To be anonymous to web sites you visit-- + TOR=> Firefox with add-ins for anonymity + JAP + I2P + Freenet Note-- this is not a Windows issue, it is an Internet issue You!
The Web Spies on You ! * Cookies: + They dont store them where they used to + Cookie Managers built into FireFox, Mozilla + FOSS available * Web Bugs: + Bugnosis -- IE only Final Exam-- test your system by ShieldsUP! at www.grc.com You! Note-- this is not a Windows issue, it is an Internet issue
Even Your Printer Spies on You ! -- Your Printer Spies on You -- See www.eff.org (www.eff.org/Privacy/printers) for a list of printers that spy on you John wrote this ! This is a Government issue, much like the tracking device in your cell phone
#1 -- Replace MS Client Stack with FOSS Operating System Development Tools Languages Office Suite Security Add-ons Email Many are available FireFox, Mozilla, Opera Thunderbird, Evolution Open Office, others Perl, Python, Rexx, PHP, Tcl/Tk, others Eclipse, Java Linux, BSD, others Browser PC Stack
#2 -- Replace MS Server Stack with FOSS Operating System Development Tools Web Server Languages Many available, few needed! FireFox, Mozilla, Opera JBoss, Tomcat Apache MySQL, PostgreSQL Perl, Python, Rexx, PHP, Tcl/Tk, others Eclipse, Java Linux, BSD, others Application Server Databases Languages Server Stack Browser Security Add-ons
#3 -- Open Windows Operating System Eliminates key vulnerabilities -- -- Internet Explorer -- Outlook -- Outlook Express -- Office Windows All free and open source software FOSS + Windows
#3 -- Open Windows MySQL FOSS + Windows JBoss OpenOffice SugarCRM 40% 50% 68% 35% Percent of FOSS products running on Windows Source-- Computerworld 7/31/06 pg. 14
Why Keep Windows ? -- You dont know any better -- Most consumers -- It ships with the machine -- You buy it whether you want it or not -- Because everybody else does (and compatibility) -- Example #1-- As a contractor, I use what client uses #2-- My backup for this presentation is in Powerpoint #3-- Microsoft controls file formats & file systems #4-- WINE emulator for Linux doesnt run all applications -- You need an app -- Example -- ATT/Yahoo DSL only supports Windows Im only happy when it rains… ?
#4 -- WINE #5 -- ReactOS Linux, BSD, or Unix FOSS + ? Wine - FOSS implementation of Windows API Windows applications Wine - Emulator ReactOS - FOSS version of Windows ReactOS - OS that is binary-compatible w/ Windows (apps & drivers) Windows applications 3K apps (many games) Alpha code
We have an Internet Security Crisis -- Malware is geometrically increasing -- Infestation is huge -- Script kiddies ==> professional criminals -- Identity theft is huge -- Fastest growing crime for past 5 years -- Pew & Gartner studies show public is scared Lets dance while Rome burns ! Our online financial system is at risk !
Is the Internet Broken ? The Internet is Broken by Talbot & Clark MIT Technology Review Dec 2005/Jan 2006 issue at www.techreview.com -- They recommend locking down the Internet -- A comprehensive system of controls => End points handle security, not transport => The problem is Windows security, not Internet security ! => Controlling the Internet means disastrous side effects !
Trustworthy Computing ? From Microsofts Trustworthy Computing Web Site--- REDMOND, Wash., Feb. 6, 2006 -- As Trustworthy Computing at Microsoft reaches the four- year mark, a look back at 2005 provides a solid picture of sure and steady progress toward long-term success... Launched in January 2002... Trustworthy Computing is a long-term, collaborative effort to create and deliver safe, private and reliable computing experiences. Trustworthy Computing encompasses four key areas of focus that Microsoft considers vital to building a foundation of trust in computing: Security means helping to ensure the confidentiality, integrity and availability of customer systems and data. Privacy entails protecting a customers right to be left alone (e.g., from any kind of unwanted communication, including spam and pop ups), as well as ensuring adherence to fair information principles that put people in control of how their data is accessed and used. Reliability refers to ensuring that software and systems are dependable and behave the way customers expect them to. Business practices addresses Microsofts goal of being transparent and responsive in all customer interaction, with a focus on excellence in the companys internal decision-making and implementation processes. --http://www.microsoft.com/presspass/features/2006/feb06/02-08Trustworthy.mspx
Why the Twelve Principles ? 1974 Microsoft is born with a lie -- Gates & Allen lie about having completed BASIC for MITS Altair 1995 Consent Decree 1998 Gates testifies he knows nothing about how his company is run. Judge Boies laughs... 2001 Microsoft is convicted as a Monopolist and for violating 1995 Consent Decree 2001 Nov DOJ settles light penalties on Microsoft immediately after 9/11 2002 Jan Microsoft announces its Trusted Computing Initiative 2004 EU Agreement 2006 EU Fines Microsoft for violating 2004 EU Agreement 2006 30 years in business, Microsoft announces its business practices in 12 Principles
Microsoft Versus the Internet -- Microsofts interests diverge from having an healthy Internet -- Policies to Eliminate piracy and force Planned obsolescence mean millions of -- -- Unpatched & unsupported Windows systems -- Bots -- Spam servers -- etc -- Mono-culture with an insecure Internet OS
Possible Outcomes #1 Vistas incremental improvements will be enough forthe world to stay with Windows … 4+ years into Trustworthy Computing, Microsoft has not solved the problem But everyone bought into previous Microsoft solutions in earlier Windows releases #2 FOSS replaces Windows in response to Microsofts failure Like Apache took off in response to IISs virus crisis 3 years ago Protecting Microsofts OS monopoly could result in a web meltdown
Predictions for Next Few Years * Controlled Internet can only happen if it has political support * Upcoming Elections determine this * Bush Continuation candidate means maybe yes * Any other candidate means definite no Unless the outside chance of a severe security incident occurs (example-- Rootkit requires many re-installs) -- Most will buy into Vista, so Microsoft maintains its monopoly *FOSS continues gains but can not dislodge Windows + Microsoft monopoly erodes: (1) Microsofts Annual Report cites FOSS threat (2) Microsoft investing elsewhere (3) Need only to achieve the tipping point Baby Future In USA Long Term
Predictions for Next Few Years + Microsoft monopoly is presently eroding: (1) Less of a Microsoft monopoly to start with (2) Courts reject the monopoly (3) Governmental leadership (4) Cost pressures Baby Future Outside USA Most products in this presentation are from the EU.
Benefits to FOSS + No cost + No license tracking or inventory issues + No forced upgrade or planned obsolescence + No WPA, WGA, Registry, MS spyware, other control mechanisms + No BSA / Microsoft compliance campaigns + Stop divergence of OS providers interest, and the internets interests + Fix the mis-named Internet security problem! Cost is the least of these benefits !
The Registry is all about Control OSs do not require a Registry-- + Some that do not have a Registry include Unix, Linux, BSD, VAX/VMS, z/OS, z/VM, z/VSE, i5/OS, AS/400, SkyOS, THEOS... Registry -- an artificial mechanism to enforce proprietary control of-- -- Users -- Microsofts Property rights -- Limit and control software use Registry prevents you from operations that are easy on other OSs-- -- Cloning of OSs across machines -- Cloning of software products across machines -- Cloning a disk to a backup disk The Registry increases Windows insecurity