
How to Make Windows Secure -- with Free Software Howard Fosdick (C) 2006.5 FCI V 1.2



Who Am I ?

* DBA for Oracle (also DB2 & SQL Server)

* A founder of IDUG, MDUG, CAMP

* Management Consultant

* Author, Rexx Programmers Reference (see www.amazon.com/rexx, www.RexxInfo.org)

Independent Contractor -- hfosdick at the domain compuserve.com


This Presentation is Based On--

* Operating Systems principles (I taught cs550 at IIT)

* Hands-on with the products

* My column in Enterprise Open Systems Journal

www.eosj.com


Outline

I. Malware

II. Why is Windows Insecure?

III. FOSS to Secure Windows

IV. Microsoft Alternatives

V. Fallout ?

Poof !


I. Malware

Malware is Out of Control

Source-- MIT Technology Review, March/April 2006

[Chart: Percent of PCs Infected. Bars labeled Pew Research, National CyberSecurity Alliance, WebRoot; values shown: 43%, 61%, 72%]

Millions of PCs are Infected !

Nearly all run Windows.

Malware is Growing Exponentially

[Chart: Keystroke Loggers Released (thousands of apps), 2000 to 2005. Source-- EWeek 11/28/05 pg. 5]

[Chart: Win32 Viruses and Worms Discovered, by half-year from Jan-June 2003 to Jan-June 2005. Source-- EWeek 9/26/05 pg. 24]

Infections per Corporate PC (as per WebRoot 20K PC scan)

Q4’04, Q1’05, Q2’05, Q3’05, Q4’05, Q1’06, Q2’06

23.4, 22.7, 27.0, 23.5, 21.5, 21.5, 19.0

Source-- Computerworld 8/7/06 pg. 45

I’m yours!


The Evolution of Malware

Boot Disk Viruses

Word and Excel Macros

Email Attachments

EPROM Bios “updates”

Media attacks (Audio, Film Clips, RSS)

Trojans, RATs, keystroke loggers

Database attacks

1. Type of attack

2. Attack technology

3. Payload

Drive-bys (ActiveX, ActiveScript, BHOs, Javascript, AJAX, etc)

1980s

1990s

2000s

RPC open port attacks

More to come !

RootKits

Cross-site scripting


The Evolution of Payloads

Boot Disk Viruses

Word and Excel Macros

Email Attachments

EPROM Bios “updates”

Media attacks (Audio, Film Clips, RSS)

Database attacks

. . . Identity Theft

Compromise US financial system

Destroy Data

Destroy PC Hardware

“Play” with you

Destroy OS

Drive-bys (ActiveX, ActiveScript, BHOs, JavaScript, AJAX, etc.)

RPC open port attacks

More to come !

Trojans, RATs, keystroke loggers

Hacker Kids

Professional Criminals

RootKits

Cross-site scripting

The Evolution of Defenses

Virus Scanners

Virus Scanners

Spyware Scanners

Firewalls

Browser Hijack Defenders

Module replacement prevention

Intrusion Detection Systems (IDS)

Real-time email scanners

--- etc ---

Monolithic or Unitary product ?


II. Why is Windows Insecure ?


Why is Windows Insecure ?

* “Windows is a target because it predominates”

-- This explains why Windows is subject to attacks, not why it succumbs to them

* “Any other OS would have the same problems subject to the same attacks”

-- Not true!

OS’s are as different as programming languages.

They have different design goals, philosophies, etc.

Some are more secure than Windows, others are less secure.


Why is Windows Insecure ?

To simply say that “Windows is insecure” is wrong.

The problem is that Windows security is inadequate for its role as the untrained public’s primary--

-- PC operating system

-- for Internet access

Windows’ security is just fine for many other purposes.

Why is Windows Insecure ?

Example #1 -- Using the Internet

-- The design assumption is that the Internet is free to program your PC and the PC OS does not need to protect itself

-- Therefore --

   -- Active scripting, ActiveX controls, .Net Framework, AJAX, JavaScript..

   -- Dynamic OS installs (of plug-ins, controls, BHO’s, Toolbars, Browser Extensions, fonts, etc)

   -- Most use Administrator or Power User to access Internet

Example #2 -- Installing applications

-- The design assumption is the OS does not have to protect itself from apps

-- Therefore --

   -- Untrained users use Administrator to install applications

   -- Application installs can change OS (eg install DLLs)

   -- Application installs update critical unprotected OS storage (the Registry)

Versus Unix -- To install an Application, you create the application user id:

+ No Superuser for installs

+ The install can not change the OS (including Shared Libraries or DLLs)

It violates fundamental principles for secure OS design

Oops!


Windows User Groups Don’t Work for the Internet

Number of Infections (Win 2000 SP4 / Win XP SP2)

User: 1 / 0

Power User: 19 / 16

Administrator: 19 / 16

Tests by EWeek, 11/28/05.

Power User suffers the same penetration as Administrator

Windows’ rights management does not adequately address Internet access


Technologies for OS Security

? Where’s the sandbox

? Where’s VM (virtualization technologies)

? What about user rights management

? Ring privileges that work for the requirements

? A system of id groups that make sense!

? Special “Browser State” run level

? Locks and keys

? Other security techniques

Oops!

The Goals Shifted on Them

Early to mid 1990s --

Easy-to-use OS

Integrated stack

with LAN-controlled networking

Today’s requirements --

Secure OS

with always-on Internet connection,

browser-based communications

But Microsoft is Smart… Why Would they Design an Insecure Operating System?

They got to 50MM LOC before the problem became apparent !

But Microsoft is Smart… Why Would they Design an Insecure Operating System?

-- Microsoft chose ease of use and integration over security

* This is how they won the “suite wars” (vs. WordPerfect, Lotus)

-- The “integrated stack” yielded their desktop monopoly

-- by locking out competing products

-- Gates did not understand the importance of the Internet until it was too late and they had 50MM lines of legacy code

-- Bill Gates’ The Road Ahead (1995) had 2 pages on Internet!

(It was quickly yanked from shelves and quietly replaced with a re-written version with longer Internet coverage)

-- “When the Internet really took off, we were surprised…” -- Bill Gates, Preface to the 2nd Edition 1996

The Solution ? --- Try to Retrofit “Security”

Insecure Operating System

It’s all a retrofit !

Out of the Box

From Microsoft-----

System Restore, System File Checker, Signature Verification, Registry Checker, Trusted web sites, require post-install reboots, Windows OneCare Live, Win. Client Protection

FOSS----

Virus Scanners, Trojan, RAT, Rootkit, Keystroke logger detection, Spyware Scanners, Real-time Email Scanning, Bi-directional Firewalls, Browser Protection, Module Replacement Protection


What About Vista ?

-- Trustworthy Computing announced Jan. 2002

-- Microsoft’s promise to fix security in every prior release

==================================================

+ Vista brings incremental improvements . . . again

? Sandbox for IE

? Better user rights management

? Drive encryption

? More secure Registry

Speculative -- I’m not a Vista tester, Vista not yet finalized

III. FOSS to Secure Windows

User Behavior is the Single Most Important Factor Determining Whether You Get Infected

* System Restore checkpoint prior to any install

* For older PC’s-- Registry Backup & Emergency Repair Disk (ERD)

* Full malware scans after any install

* Make & keep generational backups

* Set high-security Browser settings (or don’t use IE)

-- Avoid:

   -- Free screensavers, wallpaper, games

   -- Porno sites

   -- Hacker sites

   -- Music- and file- sharing software

   -- Browser modifiers (BHOs, Toolbars, Extensions)

+ Visit only reputable web sites

+ Selectively open email (an Outlook preview equals an open)

+ Selectively install programs

+ Keep real-time protection ON (firewalls, malware scanners, browser protectors)

Careful!

I didn’t know!


Where to Download Products

Keep a copy of what you download, free status sometimes changes !

--> or google “Last Freeware Version” (LFV)

Free!

* www.TheFreeCountry.com

* www.Download.com

* www.MajorGeeks.com . . .

Sites offer--

+ Central repository for Downloads

+ Reviews, ratings

+ Product descriptions

Good also for learning about Windows security !

Firewalls

-- Microsoft’s firewall is uni-directional & inadequate. Why?

-- Because Microsoft is a spyware vendor. Examples--

   -- WGA scandal

   -- WMP scandal

   -- WPA controversy

   -- Windows Search phones home

   -- Alexa controversy

   -- Win-98 registration scandal

   -- Embedded GUIDs

   -- Index.dat files

   -- many others

* Bidirectional firewall is a must --

+ ZoneAlarm => Very widely used, easy user interface

+ Tiny => Small, fast, light, pre-XP (see LFV)

+ Kerio => Evolved from Tiny

+ Agnitum

Products I can vouch for personally are in italics

in

out

you

Anti-Malware Overview

[Diagram: Scanners -- Batch and Real-time; labels: Signatures, Signatures + Heuristics]

Anti-Malware Overview

Categories:

* Anti-virus

* Anti-spyware

* Real-time install prevention

* Real-time module replacement protection (aka intrusion protection)

* Browser hijack prevention

* Rootkit detection . . . etc . . .

Categories of malware they detect vary. No one product does it all, you need several.

Keep definition files updated !


What About Microsoft’s OneCare Live ?

+ Single-vendor, integrated solution

-- Microsoft has a long track record

-- As a spyware vendor

-- For inadequate security

-- Of privacy violations

They sold you a leaky boat . . .

Now you’re gonna buy your lifeboat from them ?

Anti-Virus

* These features distinguish the best products:

+ On-access file scans

+ Incoming email scanner

+ Real-time activity scanning

Recommendations--

+ AVG anti-virus => As good as any purchased product

+ avast!

* Lesser products are simple batch scanners (but they may excel at that!)

Recommendations--

+ ClamWin (aka ClamAV) => Slow scan but finds rootkits, runs on smaller / older PCs

+ BitDefender Console => Finds Sony/XCP rootkit

Anti-Malware

* Spyware detection:

+ Ewido => New, very effective

+ Ad-aware => Widely used

+ Spybot Search and Destroy => Popular, Infrequent updates

+ A-squared => Runs on smaller / older PCs, inefficient update algorithm.

* Prevent Spyware installs:

+ SpywareBlaster => Both from JavaCool Software

+ SpywareGuard => Real-time protection plus BHO prevention

* Prevent alteration of executables:

+ WinPatrol => Useful to run one of these

+ PestPatrol

Anti-Malware

* Startup protection:

+ Startup Cop => Easy, works great

+ MSConfig => Built into Windows

* Browser hijacker protection:

=> Protects you from browser hijacking through secret installs of Browser Helper Objects, Browser Extensions, Toolbars, etc.

+ Don’t use IE => Use Firefox, Mozilla or Opera

+ Or set IE Options (Security, Privacy, Advanced) very carefully!

+ Hijack This! => Thorough, requires expertise

+ SpywareGuard => Prevents malware installs

Product Updates

* Data Definition File Updates:

* Keep Definition Files updated for all products

+ Use built-in Schedulers or Windows Scheduler to do this

-- What about Microsoft’s Windows Update ?

-- Not recommended (eg: WGA abuses, installed w/o consent, misrecognized valid Dell licenses, etc)

+ Shavlik NetChk Protect => Free, new, also covers other products

www.shavlik.com

www.WindowsSecrets.com

Rootkits

* Rootkit detection:

+ Rootkit Revealer => Thorough, requires expertise

+ Anti-Hook => Thorough, requires expertise

+ Rootkit Detector (RD-CD) => From IIT students

+ IceSword =>

+ ClamWin => Finds some Rootkits

+ BitDefender Console => Finds some Rootkits

If a successful Rootkit causes mass re-installs, it could kill Windows in the market place !

Rootkit -- software that gets Superuser rights and compromises the operating system. New, growing threat.

Full Detection

Ease of Use Versus Removal !

Your Computer Spies on You !

Windows Tracks--

-- All the web sites you visit

-- The email addresses you send to

-- Who creates/edits all Office files

-- Office file editing statistics

-- Puts permanent ID in all Office documents you create

-- Tracks everything you have done recently

Why do we care ?

-- Identity theft

-- Loss of your personal power to businesses & governments

Windows tracks everything you do

Privacy is power, and you have none !

(This is “Trustworthy Computing” ?)


Your Computer Spies on You !

-- When you delete a file, Windows only removes an index pointer to it, the file is still on disk.

How long the file remains on disk depends on the disk allocation operations that follow the delete.

* Secure deletion (overwriting):

+ Eraser => Shell program

+ BCWipe => Can also erase disk (see LFV)

+ Derek’s Boot and Nuke => Good for volume wiping

* Erase temporary file areas:

+ Browser option built-in, also cache reset

+ Built-in Disk Cleanup

+ EmpRunner

+ Empty Temp Folders
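The point above, that a delete removes only the directory entry while an overwrite changes the stored bytes, shown as an added Python example (not part of the original slides). A hard link stands in for the on-disk data that outlives a delete; the file names and sample text are constructed.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write random data in 64 KiB pieces


def overwrite_in_place(path, passes=1):
    """Overwrite every byte of the file with random data and flush it to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:          # r+b: modify in place, do not truncate
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # push the pass through the OS cache


def wipe_and_delete(path, passes=1):
    """Overwrite first, then remove the directory entry."""
    overwrite_in_place(path, passes)
    os.remove(path)


def demo():
    """Compare a plain delete with overwrite-then-delete.

    Returns {label: (name_is_gone, data_survived)}. The second hard link
    ("witness") lets us read the file's data after its first name is deleted.
    """
    secret = b"constructed sample: account 0000-1111 PIN 2222\n" * 10
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, delete in (("plain", os.remove), ("wiped", wipe_and_delete)):
            name = os.path.join(d, label + ".txt")
            witness = os.path.join(d, label + ".witness")
            with open(name, "wb") as fh:
                fh.write(secret)
            os.link(name, witness)         # second directory entry, same data
            delete(name)
            with open(witness, "rb") as fh:
                survived = fh.read() == secret
            results[label] = (not os.path.exists(name), survived)
    return results


if __name__ == "__main__":
    for label, (gone, survived) in demo().items():
        print(f"{label}: name gone={gone}, original data still readable={survived}")
```

On SSDs and on journaling or copy-on-write file systems an in-place overwrite is not guaranteed to reach every physical copy of the data; whole-volume wiping or encryption covers that case.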

Your Computer Spies on You !

-- Windows tracks your recent activities:

Delete traces of your recent activities:

+ Ad-aware => This feature is included

+ MRU Blaster

+ Windows Washer

-- Windows tracks all web sites you visit:

+ Index Dat Spy => Lists sites you visited

* Erase Internet sites visited logs:

+ Windows Washer

+ PurgeIE, PurgeFox -- Not free after 15 days use


Your Computer Spies on You !

-- MS Office -- Keeps Edit Info and GUIDs:

Erase document creator, editor, edit statistics:

+ File Properties

Remove GUIDs & other hidden data from Office files:

+ MS offers manual procedures -- Impractical !

+ Doc Scrubber

+ ID Blaster => Use w/ care

My best recommendation--

Replace Microsoft Office with OpenOffice

Your Computer Spies on You !

-- Data Security Circumvention --

* Boot a Live Linux CD (eg Ophcrack or Knoppix)

* Use Win2K Recovery Disk

* Break the password with ntpasswd

Therefore you must encrypt data:

+ Built into Win XP on -- Transparent & convenient, but used to leave around unencrypted files in Temp area

+ QuickCrypt

+ Many others => Work on Files, Folders, Volumes, entire System

+ Email encryption with:

   + PGP

   + GNU Privacy Guard

   + Hushmail

The Web Spies on You !

* Anonymous Surfing

Web sites you visit get your:

-- IP address (which may uniquely identify you)

-- OS type and version

-- Browser type and version

-- Where you came in from

-- What you see on their site

-- Your behavior on their site . . . etc . . .

To be anonymous to web sites you visit--

+ TOR => Firefox with add-ins for anonymity

+ JAP

+ I2P

+ Freenet

Note-- this is not a Windows issue, it is an Internet issue

You!

The Web Spies on You !

* Anonymous Surfing

It’s much more difficult to avoid your ISP tracking your every move

+ See SSL procedures for major subscription services like

+ Anonymizer -- Not free for ISP anonymity

+ Guardster -- Not free for ISP anonymity

Why do we care ?

-- ISP can sell your data to anyone

-- ISP gives your data to the government

-- AT&T’s new so-called “Privacy Policy” -- “While your account may be personal to you, these records constitute business records that are owned by AT&T”

-- Evidence indicates government is spying on your emails, surfing habits, searches, and phone calls

You!

Note-- this is not a Windows issue, it is an Internet issue

The Web Spies on You !

* Cookies:

+ They don’t store them where they used to

+ Cookie Managers built into FireFox, Mozilla

+ FOSS available

* Web Bugs:

+ Bugnosis -- IE only

Final Exam-- test your system by ShieldsUP! at www.grc.com

You!

Note-- this is not a Windows issue, it is an Internet issue

Even Your Printer Spies on You !

-- Your Printer Spies on You

-- See www.eff.org (www.eff.org/Privacy/printers) for a list of printers that spy on you

John wrote this !

This is a Government issue, much like the tracking device in your cell phone


IV. Microsoft Alternatives

#1 -- Replace MS Client Stack with FOSS

PC Stack

Security Add-ons -- Many are available

Browser -- FireFox, Mozilla, Opera

Email -- Thunderbird, Evolution

Office Suite -- Open Office, others

Languages -- Perl, Python, Rexx, PHP, Tcl/Tk, others

Development Tools -- Eclipse, Java

Operating System -- Linux, BSD, others

#2 -- Replace MS Server Stack with FOSS

Server Stack

Security Add-ons -- Many available, few needed!

Browser -- FireFox, Mozilla, Opera

Application Server -- JBoss, Tomcat

Web Server -- Apache

Databases -- MySQL, PostgreSQL

Languages -- Perl, Python, Rexx, PHP, Tcl/Tk, others

Development Tools -- Eclipse, Java

Operating System -- Linux, BSD, others

#3 -- “Open Windows”

Operating System

Eliminates key vulnerabilities --

-- Internet Explorer

-- Outlook

-- Outlook Express

-- Office

Windows

All free and open source software

FOSS + Windows

#3 -- “Open Windows”

FOSS + Windows

[Chart: Percent of FOSS products running on Windows, for MySQL, JBoss, OpenOffice and SugarCRM; values shown: 40%, 50%, 68%, 35%]

Source-- Computerworld 7/31/06 pg. 14

Why Keep Windows ?

-- You don’t know any better -- Most consumers

-- It ships with the machine -- You buy it whether you want it or not

-- Because everybody else does (and compatibility)

   -- Example #1-- As a contractor, I use what client uses

   #2-- My backup for this presentation is in Powerpoint

   #3-- Microsoft controls file formats & file systems

   #4-- WINE emulator for Linux doesn’t run all applications

-- You need an app

   -- Example -- ATT/Yahoo DSL only supports Windows

“I’m only happy when it rains…”

?

#4 -- WINE

#5 -- ReactOS

Linux, BSD, or Unix

FOSS + ?

Wine - FOSS implementation of Windows API

Windows applications

Wine - Emulator

ReactOS - FOSS version of Windows

ReactOS - OS that is binary-compatible w/ Windows (apps & drivers)

Windows applications

3K apps (many games)

Alpha code


IV. Concluding Thoughts


We have an Internet Security Crisis

-- Malware is geometrically increasing

-- Infestation is huge

-- “Script kiddies” ==> professional criminals

-- Identity theft is huge

-- Fastest growing crime for past 5 years

-- Pew & Gartner studies show public is scared

Let’s dance while Rome burns !

Our online financial system is at risk !


Is the Internet Broken ?

“The Internet is Broken” by Talbot & Clark

MIT Technology Review Dec 2005/Jan 2006 issue

at www.techreview.com

-- They recommend “locking down the Internet”

-- A comprehensive system of controls

=> End points handle security, not transport

=> The problem is Windows security, not Internet security !

=> “Controlling the Internet” means disastrous side effects !

Trustworthy Computing ?

From Microsoft’s Trustworthy Computing Web Site---

“REDMOND, Wash., Feb. 6, 2006 -- As Trustworthy Computing at Microsoft reaches the four-year mark, a look back at 2005 provides a solid picture of sure and steady progress toward long-term success...

Launched in January 2002... Trustworthy Computing is a long-term, collaborative effort to create and deliver safe, private and reliable computing experiences.

Trustworthy Computing encompasses four key areas of focus that Microsoft considers vital to building a foundation of trust in computing:

Security means helping to ensure the confidentiality, integrity and availability of customer systems and data.

Privacy entails protecting a customer’s right to be left alone (e.g., from any kind of unwanted communication, including spam and pop ups), as well as ensuring adherence to fair information principles that put people in control of how their data is accessed and used.

Reliability refers to ensuring that software and systems are dependable and behave the way customers expect them to.

Business practices addresses Microsoft’s goal of being transparent and responsive in all customer interaction, with a focus on excellence in the company’s internal decision-making and implementation processes.”

--http://www.microsoft.com/presspass/features/2006/feb06/02-08Trustworthy.mspx

Why the “Twelve Principles” ?

1974

Microsoft is born with a lie --

Gates & Allen lie about having completed BASIC for MITS Altair

1995

Consent Decree

1998

Gates testifies he knows nothing about how his company is run.

Judge Boies laughs...

2001

Microsoft is convicted as a Monopolist and for violating 1995 Consent Decree

2001 Nov

DOJ settles light penalties on Microsoft immediately after 9/11

2002 Jan

Microsoft announces its Trusted Computing Initiative

2004

EU Agreement

2006

EU Fines Microsoft for violating 2004 EU Agreement

2006

30 years in business, Microsoft announces its business practices in “12 Principles”

Microsoft Versus the Internet

-- Microsoft’s interests diverge from having a healthy Internet

-- Policies to Eliminate piracy and force Planned obsolescence mean millions of --

   -- Unpatched & unsupported Windows systems

   -- Bots

   -- Spam servers

   -- etc

-- Mono-culture with an insecure Internet OS

Possible Outcomes

#1 Vista’s incremental improvements will be enough for the world to stay with Windows …

4+ years into “Trustworthy Computing,” Microsoft has not solved the problem

But everyone bought into previous Microsoft “solutions” in earlier Windows releases

#2 FOSS replaces Windows in response to Microsoft’s failure

Like Apache took off in response to IIS’s virus crisis 3 years ago

Protecting Microsoft’s OS monopoly could result in a web meltdown

Predictions for Next Few Years

* “Controlled Internet” can only happen if it has political support

* Upcoming Elections determine this

* “Bush Continuation” candidate means maybe yes

* Any other candidate means definite no

Unless the outside chance of a severe security incident occurs (example-- Rootkit requires many re-installs)

-- Most will buy into Vista, so Microsoft maintains its monopoly

* FOSS continues gains but can not dislodge Windows

+ Microsoft monopoly erodes:

(1) Microsoft’s Annual Report cites FOSS threat

(2) Microsoft investing elsewhere

(3) Need only to achieve the tipping point

Baby “Future”

In USA

Long Term

Predictions for Next Few Years

+ Microsoft monopoly is presently eroding:

(1) Less of a Microsoft monopoly to start with

(2) Courts reject the monopoly

(3) Governmental leadership

(4) Cost pressures

Baby “Future”

Outside USA

Most products in this presentation are from the EU.


Benefits to FOSS

+ No cost

+ No license tracking or inventory issues

+ No forced upgrade or planned obsolescence

+ No WPA, WGA, Registry, MS spyware, other control mechanisms

+ No BSA / Microsoft “compliance campaigns”

+ Stop divergence of OS provider’s interest, and the internet’s interests

+ Fix the mis-named “Internet security” problem!

Cost is the least of these benefits !

Questions...


V. Extras

The Registry is all about Control

OS’s do not require a “Registry”--

+ Some that do not have a Registry include Unix, Linux, BSD, VAX/VMS, z/OS, z/VM, z/VSE, i5/OS, AS/400, SkyOS, THEOS . . .

Registry -- an artificial mechanism to enforce proprietary control of--

-- Users

-- Microsoft’s Property rights

-- Limit and control software use

Registry prevents you from operations that are easy on other OS’s--

-- Cloning of OSs across machines

-- Cloning of software products across machines

-- Cloning a disk to a backup disk

The Registry increases Windows’ insecurity