Test your Firewall - PowerPoint PPT Presentation

About This Presentation
Title: Test your Firewall

Description: They also offer a free web tool called 'Sygate Online Services' that probes your ... The best free antivirus program is AVG Anti-Virus Free Edition version 7 at http: ... – PowerPoint PPT presentation

Number of Views:300
Avg rating:3.0/5.0
Slides: 82
Provided by: PatrickDou
Tags: avg | firewall | free | test


Transcript and Presenter's Notes

Title: Test your Firewall


1
Test your Firewall
  • How can you tell if your firewall is keeping the
    bad stuff out?

2
Testing your firewall
  • The best way is to have a trusted entity attack
    it.
  • Test your firewall for free with both Sygate Online Services and Steve Gibson's Shields Up.

3
Sygate Online Services
  • Sygate is one of the biggest players in the corporate security market, and they also make one of the better software firewalls, Sygate Personal Firewall (http://smb.sygate.com/).
  • They also offer a free web tool called Sygate Online Services that probes your firewall looking for vulnerabilities.

4
http://scan.sygate.com/
  • scan.sygate.com
  • Click on the black Scan Now button.
  • This starts something called the Prescan.

5
Sygate prescan
  • The first three bits of information (your IP address, your operating system, and the name of your web browser) are more or less public information.

6
IP and OS and browser, oh my!
  • If you have a router with NAT, that isn't your IP address anyway. It's your router's.
  • Your operating system and browser information came from the HTTP GET packet your browser sent when it requested the Sygate web page.
  • See http://www.rexswain.com/httpview.html or http://www.ipchicken.com/ if you don't believe me.

7
The important stuff
  • Don't worry if Sygate can see your computer's IP address, operating system, or the name of your web browser.
  • BUT, if Sygate can see your computer name or the services running on your computer, your computer could potentially have a serious security problem.

8
Windows file and printer sharing
  • Windows comes with a built-in service called
    File and Printer Sharing for Microsoft
    Networks.
  • File sharing lets you make files and folders in a
    shared folder accessible to others on your home
    network to view, copy, or modify.
  • Printer sharing lets you share a printer with all
    the other computers on your home network.
  • Check out http://tinyurl.com/ywh8q for more information.

9
Your files, now available online
  • Unless you are really careful, your computer may
    be sharing your files with everyone on the
    Internet.
  • How can you tell?
  • Scan port 139 on your computer to see:
    • if file and printer sharing is turned on, and
    • if those shares are accessible from the Internet.

10
Ports
  • Ports don't exist in the physical world.
  • They're pretend addresses inside of your computer that your computer uses to route incoming data to the appropriate software application.
  • Port 80 forwards to your web browser.
  • Port 110 forwards to your email program.
  • Port 5190 forwards to AIM.
  • How many of these pretend addresses or ports are there? Officially, up to 69,536. Source: http://www.iana.org/assignments/port-numbers

11
The potential danger of port 139
  • Crackers and script kiddies LOVE port 139, the
    port used by Windows file and printer sharing.
  • Cracker and script kiddies have software that
    scans thousands of Internet connections looking
    for Windows file and printer shares accessible
    through port 139.
  • If the cracker or script kiddie maps to that share, he's in. It's as if he were sitting in front of your computer, although, in reality, he can only access the stuff that is being shared.

12
Peek-a-boo! We ALL see you!
  • Your goal is for Sygate Online Services to tell you that it was both:
    • unable to determine your computer name, and
    • unable to detect any running services.
  • If Sygate can't see your computer, neither can the crackers.

13
Uh-oh!
  • But if Sygate can see you, it means that:
    • You don't have a firewall.
    • If you do have a firewall, it either isn't working or isn't properly configured.
    • File and Printer Sharing for Microsoft Networks may be sharing your personal files with the entire planet.
  • To fix your firewall:
    • Check your firewall's setup instructions.
    • Visit the support section of your firewall manufacturer's web site.

14
Fixing file and printer sharing
  • To fix the File and Printer Sharing for Microsoft Networks problem, you must disable NetBIOS over TCP/IP. You don't need it.

15
Disabling NetBIOS over TCP/IP
  • See http://comp.bio.uci.edu/security/netbios.htm for instructions on how to disable NetBIOS over TCP/IP.
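As an added example (not part of the presentation), a PowerShell script that checks your own PC for the two things slides 9 through 15 tell you to look for: whether anything is listening on the file-sharing ports, and whether NetBIOS over TCP/IP is still enabled on each adapter, with an opt-in switch that turns it off. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt when -Apply is used; port 445 is included because modern Windows also serves File and Printer Sharing there, which the slides do not mention.

```powershell
# Added example, not from the presentation. Checks this PC for the exposure the
# slides describe and optionally disables NetBIOS over TCP/IP on every adapter.
# Assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an
# elevated PowerShell prompt when -Apply is used.

function Get-SharingExposure {
    # 139 is the NetBIOS session port the slides discuss; 445 is where modern
    # Windows also serves File and Printer Sharing (SMB directly over TCP).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in @(139, 445) } |
        Select-Object LocalAddress, LocalPort

    # Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
    #   0 = take the setting from DHCP (usually enabled), 1 = enabled, 2 = disabled
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        Select-Object Description, @{
            Name       = 'NetbiosOverTcpip'
            Expression = {
                switch ($_.TcpipNetbiosOptions) {
                    0       { 'Default (via DHCP)' }
                    1       { 'Enabled' }
                    2       { 'Disabled' }
                    default { "Unknown ($_)" }
                }
            }
        }

    [pscustomobject]@{ ListeningSharePorts = $listeners; Adapters = $adapters }
}

function Disable-NetbiosOverTcpip {
    param([switch]$Apply)   # without -Apply this is a dry run
    $report  = @()
    $targets = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 }
    foreach ($adapter in $targets) {
        if ($Apply) {
            # SetTcpipNetbios(2) is the same "Disable NetBIOS over TCP/IP" setting
            # the slides tell you to change by hand in the adapter's WINS tab.
            # ReturnValue 0 = done, 1 = done but a reboot is required.
            $r = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            $report += "$($adapter.Description): disabled (return code $($r.ReturnValue))"
        } else {
            $report += "$($adapter.Description): still enabled, re-run with -Apply to disable"
        }
    }
    if (-not $report) { $report = @('NetBIOS over TCP/IP is already disabled on all adapters') }
    $report
}

Get-SharingExposure | Format-List
Disable-NetbiosOverTcpip           # dry run: lists adapters that still have it on
# Disable-NetbiosOverTcpip -Apply  # make the change (elevated prompt required)
```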

16
Wait. There's more.
  • Once Sygate Online Services' prescan gives you a clean bill of health, there are four more scans you need to run:
    • Stealth Scan
    • Trojan Scan
    • TCP Scan
    • UDP Scan

17
Stealth Scan
  • This re-runs the prescan using common cracker
    stealthing techniques to try to sneak past your
    firewall.
  • Takes about 30 seconds.

18
What you're looking for
  • Your goal is to have the Stealth Scan tell you that all of the ports it scanned are "blocked."
  • However, if Sygate tells you that a particular port is "Closed" instead of blocked, you could have a problem.
  • Sygate is telling you that while it couldn't break into that particular port, it could still see it.
  • Remember: if a port can be seen, it can be attacked.
  • You need to IMMEDIATELY check your firewall's setup instructions or the manufacturer's web site to find out how to "stealth" that particular port.
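To make the "blocked" versus "closed" distinction concrete, here is an added PowerShell example (not from the presentation) that classifies one TCP port of a machine you own the way the scan report does: no reply at all is "Blocked" (stealth), a TCP reset is "Closed" but visible, and a completed handshake is "Open". It assumes Windows PowerShell 3+ or PowerShell 7; the target address is a constructed placeholder, and running it from a second machine on your LAN only shows what a neighbour on the LAN sees, which is why the slides send you to an external scanner for the Internet-side view.

```powershell
# Added example, not from the presentation. Classifies a single TCP port the way
# the scanner's report does: "Open", "Closed" (visible) or "Blocked" (stealth).
# Assumes Windows PowerShell 3+ or PowerShell 7 and a host you own.

function Test-PortState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither SYN-ACK nor RST came back: a firewall silently dropped the
            # probe. This is the "blocked"/stealth result the slide wants to see.
            return 'Blocked'
        }
        $client.EndConnect($handle)   # throws a SocketException if the host sent RST
        return 'Open'
    } catch {
        # PowerShell wraps .NET exceptions; walk the chain to the SocketException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) {
            $ex = $ex.InnerException
        }
        if ($ex -and $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # The host answered with a TCP RST: nothing is listening, but the
            # reply itself proves the port (and the host) can be seen.
            return 'Closed'
        }
        $detail = if ($ex) { $ex.SocketErrorCode } else { $_.Exception.Message }
        return "Error ($detail)"      # e.g. HostUnreachable, NetworkUnreachable
    } finally {
        $client.Close()               # also aborts a still-pending connect
    }
}

# Usage: probe the file-sharing ports and a couple of common services on your own
# PC or router. 192.168.1.10 is a constructed placeholder; use your own LAN address.
foreach ($p in 139, 445, 80, 3389) {
    '{0,5}  {1}' -f $p, (Test-PortState -ComputerName '192.168.1.10' -Port $p)
}
```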

19
Trojan Scan
  • After the Stealth Scan run a Trojan Scan.
  • A Trojan Horse is a type of virus that
    masquerades as a legitimate program but contains
    a payload that can damage your computer.
  • Many Trojan Horses have backdoors: they attach themselves to a particular port to listen for an activate command from the Internet.
  • See http://scan.sygate.com:443/cgi-bin/probe/trojans.cgi for more information.

20
Trojan Scan
  • Sygate's Trojan Scan searches through over 65,000
    ports looking for Trojan Horses hiding on your
    computer.
  • Takes about 20 minutes

21
What you're looking for
  • If your firewall is working properly, there won't be anything for Sygate to scan, so it will angrily give up.
  • BUT, if Sygate finds a Trojan Horse on your computer:
    • Write the name of the Trojan Horse on a piece of paper.
    • Go to http://www.symantec.com/avcenter/vinfodb.html and search for that Trojan's removal instructions.

22
TCP Scan
  • Sygate's TCP Scan checks if any of the first 1,024 ports on your computer are both open for attack and visible to crackers.
  • Can take up to 45 minutes.

23
What you're looking for
  • If your firewall is working properly, Sygate will tell you that all of your first 1,024 TCP ports are closed to outside attack.
  • BUT, if Sygate tells you that a particular port is "Open," immediately check your firewall's setup instructions or the manufacturer's web site to find out how to both close and stealth that particular port.

24
UDP Scan
  • Besides TCP ports your computer also has UDP
    ports.
  • Sygate's UDP Scan tells you if any UDP ports on your computer are both open for attack and visible to crackers.
  • Can take up to 20 minutes.

25
What you're looking for
  • Like with the previous scans, you're hoping that Sygate tells you your firewall blocked all of its probes.
  • BUT, if Sygate tells you your firewall isn't
    blocking UDP ports, check your firewall's setup
    instructions or the manufacturer's web site.

26
Done?
  • Once you've run all the firewall tests at Sygate
    Online Services you're done, right?
  • Not exactly.
  • To be COMPLETELY sure your firewall is protecting your computer, you really need to test your firewall one more time using a different tool: Steve Gibson's Shields Up.

27
Shields Up!
  • grc.com or search for Shields Up
  • Click on the file sharing, common ports, all
    service ports, and messenger spam buttons to test
    those particular vulnerabilities.

28
DONE!
  • Once you've tested your firewalls with both Sygate Online Services and Shields Up, and once you've received a clean bill of health from both, you can pretty much forget about your firewalls.
  • It's as squared away as it's going to get.
  • The next step is to double-check Windows Update /
    Apple Software Update.

29
Part Two: Run Windows Update and MBSA
  • Close the known operating system vulnerabilities

30
How to patch Windows
  • When Microsoft finds a security hole in Windows
    or Internet Explorer, they usually/eventually
    release a patch called a Critical Update.
  • In Internet Explorer, go to Tools > Windows Update.
  • Click on Scan for updates.

31
Manually run Windows Update at least once a
week.
  • Your computer should, by default, automatically check for updates. That's cool, but also run the update manually just to be safe.

32
A dirty Microsoft secret
  • Windows Update lies.
  • It frequently thinks you've installed a critical update you haven't, leaving your computer vulnerable.
  • That's where Microsoft's Baseline Security Analyzer (MBSA) comes in.

33
MBSA 1.2.1
  • MBSA is a free program from Microsoft that scans
    for over 60 common system misconfigurations and
    almost any Microsoft security update your
    computer may be missing.

34
What MBSA does
  • MBSA double-checks the security of:
    • Windows (*)
    • Microsoft Office 2000 and later
    • Internet Explorer 5.01 and later
    • Windows Media Player 6.4 and later
    • A bunch of other Microsoft applications and services
  • MBSA analyzes, you fix.
  • MBSA tells you whats wrong and points you to the
    solution.
  • You have to apply the solution.

35
Bad news/good news
  • (*) MBSA only works on Windows XP, 2000, and Server 2003.
  • It was designed for corporate tech support, but there is no reason why you can't use it at home.
  • Oh, and it's free.
  • To get the latest version of Microsoft's MBSA:
    • Search for "microsoft mbsa" at Google.
    • The first hit (Microsoft Baseline Security Analyzer V1.2.1) takes you to the download page.

36
Running MBSA
  • Once you've downloaded and installed MBSASetup-EN.msi, double-click on the MBSA "watering can, padlock and checkmark" icon.
  • This opens the MBSA welcome screen.
  • Click "Scan a computer."

37
Running MBSA
  • On the next screen, don't change anything.
  • Make sure you are connected to the Internet and then click "Start scan."
  • MBSA calls home to Microsoft and downloads something called MSSecure.cab.
  • This file contains information about practically every patch Microsoft has released.

38
How MBSA really works
  • MBSA scans your computer's operating system, operating system components, and Microsoft applications.
  • MBSA then compares the version numbers of the
    stuff on your computer with the latest version
    numbers in the MSSecure.cab file.
  • Finally, MBSA shows you which updates your
    computer is missing.

39
Translating the security report
40
Failures
  • Critical failures (red Xs) require you to immediately install a patch or update to ensure the strongest security of your computer.
  • Non-critical failures (yellow Xs) happen when there is a newer version of something available, but you don't really have to upgrade, yet.
  • Best practices (blue asterisks) could signify a problem: MBSA can't confirm that those particular security updates have been installed.

41
What's important and what isn't
  • MBSA's security report has seven sections, and you only have to worry about two:
    • Security Update Scan Results at the top of the report
    • Desktop Application Scan Results at the very bottom
  • The five sections in the middle don't really apply to home users.
  • Problems here are important but rarely critical.
  • You can fix the problems in the middle five sections if you want, but you don't have to.

42
Fixing the critical failures
  • Remember, MBSA analyzes, you fix.
  • To find a fix for a critical failure in Security
    Update Scan Results or Desktop Application Scan
    Results, click on the Result Details link next to
    that critical failure.

43
Result details
  • This shows you exactly what's missing or is misconfigured.
  • Click on each link and it opens a page in Internet Explorer telling you how to download the appropriate patch.
  • REMEMBER TO INSTALL THE PATCHES AFTER YOU DOWNLOAD THEM!
  • MBSA won't do it for you.

44
Attention K-Mart shoppers!
  • Sometimes MBSA gets confused and can't confirm if your computer has a particular patch.
  • That's what the blue asterisks signify.
  • Fixing those blue asterisks is a little more complicated.

45
Fixing the blue asterisks
  • Click on Results Details.
  • In the description for each Security Update you'll see a six-digit number in parentheses.
  • Write down each six-digit set of numbers you see.

46
Off we go into the wild blue asterisk
  • Then go to Add/Remove Programs in your Control
    Panel.
  • Scroll down towards the bottom and look for the
    Windows Hotfixes.

47
Windows hotfixes
  • Compare those six digits you wrote down in MBSA with the last six digits of the various hotfixes in Add/Remove Programs.
  • If you find a match, you have the patch. MBSA just got confused.
  • If you don't find a match, go back to the MBSA Results Details page and manually download and install the missing patches.
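The same comparison, as an added PowerShell example (not from the presentation): it reads the installed hotfix list that Add/Remove Programs shows and matches the six-digit numbers you wrote down against the end of each KB id. It assumes Get-HotFix is available (Windows PowerShell 2 or later); the two numbers in the usage line are constructed placeholders.

```powershell
# Added example, not from the presentation: automates the "compare the six digits"
# step. Assumes Get-HotFix is available (Windows PowerShell 2+); it reads the same
# installed-hotfix list that Add/Remove Programs shows under "Windows Hotfixes".

function Compare-MbsaHotfixes {
    param([Parameter(Mandatory)][string[]]$MbsaNumbers)   # the numbers you wrote down

    # Installed updates are named like "KB123456"; keep just the digits so the
    # MBSA number can be matched against the end of the KB id, as the slide says.
    $installed = @(Get-HotFix | ForEach-Object {
        if ($_.HotFixID -match '(\d+)$') { $Matches[1] }
    })

    foreach ($number in $MbsaNumbers) {
        $digits = $number -replace '\D', ''   # tolerate "(123456)" copied with parentheses
        $match  = $installed | Where-Object { $_.EndsWith($digits) } | Select-Object -First 1
        [pscustomobject]@{
            MbsaNumber = $digits
            Installed  = [bool]$match          # $true means MBSA just got confused
            HotFixID   = if ($match) { "KB$match" } else { 'missing: get it from Result Details' }
        }
    }
}

# Constructed placeholder numbers; substitute the ones from your own MBSA report.
Compare-MbsaHotfixes -MbsaNumbers '123456', '234567' | Format-Table -AutoSize
```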

48
MBSA tips
  • Run MBSA from time to time just to double-check your computer's security.
  • Don't be surprised if MBSA still gives you blue asterisks even after you've installed all the patches.
  • Sometimes MBSA gets confused.
  • There's no real way to unconfuse it.
  • There's no such thing as a clean MBSA scan, especially in the middle five sections.

49
To summarize
  • MBSA is a free program from Microsoft that scans for over 60 common system misconfigurations and almost any Microsoft security update your computer may be missing.
  • Fix the critical failures (red Xs) and the best practices (blue asterisks) as soon as possible.
  • Think about fixing the non-critical failures (yellow Xs) when you get the time.
  • MBSA's security report has seven sections, and you only have to worry about two:
    • Security Update Scan Results at the top of the report
    • Desktop Application Scan Results at the very bottom

50
Part Three: Update your Antivirus
  • You'd be shocked at how many people never do this.

51
True or False?
  • If you have a hardware and software firewall that you've tested and you also have all of the necessary patches for your operating system, you don't really need an antivirus program.

52
FALSE!
53
The reality of the situation
  • According to Symantec, as of late September 2004
    there were nearly 68,152 PC viruses out there.
  • 10 to 15 new viruses are discovered each day.
  • Between 3,650 and 5,475 brand new viruses were
    discovered in just the past year alone.
  • The moment you connect your computer to the
    Internet your computer is immediately vulnerable
    to ALL of these viruses.

54
True or False?
  • As long as you keep updating your antivirus
    definitions, the antivirus software that came
    with your computer should protect you.

55
FALSE!
56
Now for the Bad News
  • Unless your computer is only a few months old,
    your antivirus software is outdated and may not
    be able to detect the newest, polymorphic
    viruses.
  • Your antivirus software has two distinct parts:
    • A computer program that scans your computer for viruses.
    • Antivirus definitions that tell that program exactly what to look for.
  • Updating your antivirus definitions (which you should do frequently) is not the same thing as updating your antivirus software.

57
Out with the old, in with the new.
  • Just like you need to change the oil in your car
    every few months, you need to change your
    antivirus software every 12 to 18 months.
  • Completely uninstall the old version (like Norton Antivirus 2002).
  • Purchase and install the latest version (like Norton Antivirus 2005).

58
The latest antivirus software
  • The top two consumer antivirus software programs are:
    • Norton Antivirus 2005 (US$50)
    • McAfee VirusScan 2005 Version 9 (US$50)
  • The best free antivirus program is AVG Anti-Virus Free Edition version 7 at http://www.grisoft.com/

59
Update schedule
  • Completely replace your antivirus software every
    12 to 18 months.
  • Update your antivirus definitions daily.
  • Most antivirus programs do this automatically.
  • Manually update your antivirus definitions
    weekly.
  • Automatic updates are cool, but run an update by
    hand each week just to be safe.

60
If your antivirus program doesn't have the latest virus definitions, your computer isn't protected against ANY of the new viruses!
61
Part Four: Detect, Delete, and Block Spyware and Malware
  • Give spyware and malware the boot.

62
Adware
  • Adware is software that displays advertisements
    when a particular program is running.
  • A good example is the Eudora email client.
  • You can buy it for US$50.
  • You can also get the exact same program for free,
    but the free version displays an ad window and up
    to 3 sponsored toolbar links.

63
Adware: Good.
  • Pure adware is a good thing.
  • You get software that you otherwise wouldn't be able to afford.
  • In return, the software displays some ads.
  • Unfortunately, pure adware is also rare.

64
Spyware: Bad.
  • Spyware is software that tracks what you do and where you go online.
  • Pure spyware like the Google toolbar respects your privacy and doesn't share this tracking information with anyone else.
  • Unfortunately, pure spyware is the exception, not the rule.
  • An overwhelming majority of spyware (like 99.99%) sells your personal information to marketing companies.

65
Why is spyware so bad?
  • Besides the privacy implications, spyware can
    often break your computer.
  • Spyware code is often poorly-written.
  • You may have so many spyware programs running at
    once that your computer slows to a crawl or
    crashes.
  • Spyware has been linked to an increase in both
    spam and pop-ups.
  • Pornographers use spyware to push explicit
    advertisements to your computer.
  • Will someone please think about the children?

66
How pervasive is spyware?
  • Over 90% of broadband users have spyware installed on their systems. (Source: AOL as quoted by http://tinyurl.com/5kdh9)
  • PestPatrol has identified 124,474 different
    spyware programs or objects on the loose as of
    late September 2004.

67
Where does spyware come from?
  • Some spyware piggybacks on top of free software
    you download and install from the Internet.
  • Software that comes bundled with spyware includes:
    • File-sharing programs like Grokster and Kazaa
    • DiVx
    • Weatherbug

68
Where does spyware come from?
  • You can also get spyware by clicking on dubious pop-up ads:
    • "Your Computer is Currently Broadcasting an Internet IP Address"
    • "Your Internet Connection Is Not Optimized"
    • "Your Current Connection May Be Capable of Faster Speeds"

69
Where does spyware come from?
  • Another way to get spyware is from a virus or Trojan Horse, but that's rare.
  • And if you use Internet Explorer, you can even get spyware just by visiting a particular website.
  • You don't have to click or download anything.
  • Internet Explorer automatically installs the spyware for you. Thank you, Microsoft!
  • You can download the fix at mozilla.org.
  • MANY of these drive-by installations involve not
    only spyware but malware.

70
Malware Very bad!
  • Malware can:
    • Replace legitimate ads on commercial web sites with ads from vendors who financially support the malware's author (a.k.a. scumware).
    • Permanently and irreparably change your browser's home page and search settings so that they point to the malware author's site (a.k.a. homepage hijackers).
  • The site is usually overflowing with advertising and pop-ups.
  • Fixing homepage hijackers is often quite difficult.

Source: http://www.doxdesk.com/parasite/
71
Malware Very bad!
  • Malware can:
    • Cause your modem to automatically dial 900, long-distance, or international telephone numbers whose revenues support the malware's author (a.k.a. autodialers).
    • Open security holes on your computer that can be used later to remotely take control of your computer (a.k.a. Trojan horses).

Source: http://www.doxdesk.com/parasite/
72
Malware Very bad!
  • Malware can:
    • Degrade your computer's performance and cause errors thanks to it being badly written (a.k.a. Microsoft Windows).
    • Provide no uninstall feature and put its code in unexpected and hidden places to make it difficult to remove (ibid.).

Source: http://www.doxdesk.com/parasite/
73
Bye-bye, IE!
  • All kidding aside, it's time to stop using IE.
  • IE has way too many security holes.
  • There hasn't been a major IE upgrade in over three years.
  • Microsoft only supports IE on XP. There will be no more free IE security updates for non-XP users.
  • Keep IE around so that you can access the sites that require it (Windows Update, Expedia, MSN, Shutterfly, etc.).
  • Use an alternative browser like Mozilla Firefox,
    Opera, or Safari to access everything else!

74
Detect and delete
  • To detect and delete both spyware and malware, download and install:
    • Ad-Aware Personal SE at http://www.lavasoftusa.com/
    • Spybot Search & Destroy 1.3 at http://www.safer-networking.org/
    • MS antispyware at www.microsoft.com/spyware/
  • Why all three?
    • No one program catches all spyware.
    • All are free.

75
Definitions
  • Antispyware is similar to antivirus programs in
    that they both use definition files to know what
    to look for.
  • Always update the definitions before you scan
    your computer.
  • In severe cases of infection, it may be best to run in Safe Mode.

76
To prevent spyware installations
  • To prevent future spyware and malware installations, click on Immunize in Spybot.
  • It's not perfect, but it blocks 1,626 known spyware applications from installing on your computer.
  • Enable real-time protection in MS antispyware.
  • Run weekly (minimum).

77
If all else fails
  • If you have been using a computer on the internet
    and have not been using a newer antivirus program
    with updated definition files OR you have not
    been using an antispyware program, you may find
    that you have a tremendous number of problems.
    In this case, it is best to reformat the HD and
    reinstall your OS.

78
Two Last Things
  • If you do not have the latest version of Java,
    you have another vulnerability that must be
    closed.
  • Go to http://www.java.com and select Download; the latest secure version of Java will be installed for you.

79
Windows Media Player
  • A vulnerability has been detected with Windows
    Media Player 9 / 10 regarding Digital Rights
    Management. When you click on a link to view a
    video, you are directed to another link (via DRM)
    which downloads a virus or malware onto your
    computer. Presently, the only solution is to
    disable automatic license retrieval and then deny
    the request to retrieve the license unless you
    are sure it is going to a legitimate site.

80
Part 5: WiFi Considerations
  • Your own home system:
    • Change your userid and password on your wireless router
    • Turn on WEP or WPA wireless security (WPA is best)
    • Turn off SSID broadcast
    • Enable MAC filtering

81
WIFI on the road
  • If it is an open (unsecured) system, everything you send can be intercepted (don't use an open system for email).
  • Be sure you are connected to a secure (https) site if you need to send sensitive data.
  • Be sure you have Internet sharing turned OFF!