Thursday 9 February 2012

Steps to avoid malware


  1. Keep your operating system (OS) up-to-date. The easiest way for malicious people to track and record everything about you is to have you install spyware or a virus, or to break into your computer automatically through a known hole. By keeping your OS up-to-date, you let your OS provider fix critical parts of your system: security updates close the holes that automated attacks exploit and can turn some spyware into a useless piece of code.
  2. Keep your programs up-to-date. New versions of a program are made to enhance the user experience and to add features, that's true. But not only: they are also how bugs get fixed. There are different kinds of bugs: some just produce visual artifacts, others prevent you from doing something advertised, and others can be exploited remotely and automatically by an attacker to take over your computer. Without bugs, there are no remote attacks.
  3. Keep your antivirus up-to-date and running (under MS Windows). If the antivirus signature database is not up-to-date, new viruses won't be detected right away. If your antivirus is not running in the background and your system is not scanned on a regular basis, you'd better uninstall it. It's worth noting that antivirus programs usually scan for viruses, spyware, rootkits and worms alike; dedicated anti-spyware programs are not better, most of the time.
  4. Use only ONE antivirus program. To work well, an antivirus has to be very suspicious of everything running on the system. With two of them, in the best case you get false positives, each one flagging the other; in the worst case the two anti-malware programs prevent each other from working correctly. If you really want a second opinion from another antivirus, update its signature database, unplug your computer from the internet, disable your main antivirus completely and run the second one in "on-demand" mode. It may then report a false positive (your main antivirus): that's fine. Re-enable your main antivirus and use your computer as usual.
  5. Never download anything except from official sites (any OS) or trusted repositories (Linux/BSD/MacOS). For instance, if you want to download the VLC media player, download it from its official site (search Google for it and you will find www.videolan.org/vlc/). Never use download links on random non-official websites, even if your antivirus is not screaming when you do so.
  6. If you can, check the checksum of what you download (see [[1]] for example and the wiki article; please note that MD5 is not enough anymore, use SHA-256). Basically, the idea is to compute a fixed-size fingerprint (a cryptographic hash such as SHA-256) of a file, e.g. a program installer. The publisher gives this fingerprint on the official website or in a trusted database. When you download the file, you compute the fingerprint yourself with a small program and compare it with the one on the website: if they are identical, you have the genuine installer, byte for byte. If not, you most probably downloaded a fake installer containing a virus, or your download did not complete (either way, download the file again to be sure). Keep in mind what a checksum proves: if the hash is published on the same server as the file, an attacker who has replaced the file can replace the hash too, so it mainly protects you against corrupted downloads and tampered mirrors; a signature (e.g. GPG) made with a key you obtained through another channel also proves who published the file. Linux distributions and *BSD do all of this automatically through their package managers, without you doing anything special. Under Windows, you have to check manually.
  7. Use a firewall. Under Linux/*BSD, there are two wonderful firewalls built in (netfilter/iptables and pf respectively). Under MS Windows, you have to find a good one (the built-in Windows Firewall, since XP SP2, already blocks unsolicited incoming connections by default). One thing you have to understand is that a firewall is like a switchman in the middle of a huge train station, with trains (network packets), platforms (ports) and railways (connections). A train by itself can't unload what it is carrying: it needs someone to do that (a service or daemon: a program that runs in the background and listens on a particular port). Without that someone, that service, even if the train can reach the platform, it can do absolutely nothing. Let me remind you: a firewall is not a wall or a gate, it's a switchman (you can do much more with a firewall than allow or block data crossing)! That said, keep in mind that you can rarely block outgoing connections without breaking normal use (short of blocking everything or unplugging the cable), but you can log what is going out... Most spyware finds clever ways to get through your firewall, but it can't hide what it is doing, and it's much easier to spot spyware sending data to a remote server on port 993 when you don't use any IMAP program than to spot it hiding inside the Internet Explorer process and sending data over port 443, which you use every day. If you have a stateful firewall (netfilter/iptables and pf are), log unexpected outgoing connections and block all incoming traffic except established and related connections. Don't forget to allow everything on the loopback device (lo): this is safe and required.
  8. If your firewall is stateless, use it for logging only: without connection tracking it cannot tell a reply to your own traffic from an unsolicited incoming packet, so you can't block incoming traffic intelligently. Avoid per-application filtering: it is bothersome, mostly useless and gives a false sense of security. Much of today's spyware injects its malicious code into a trusted application that is expected to access the internet (usually Internet Explorer), so it is launched together with Internet Explorer. When Internet Explorer tries to connect to the internet, your firewall asks whether you want to allow it, you answer "yes", and the spyware can then send anything through ports 80 and 443, mixed in with your own genuine data.
  9. Check what services (also called daemons) are running: as I said, if there is no one on the platform to unload the train, NOTHING can happen. You are not a server: you don't need services up and listening to the outside (be careful: most Windows/Linux/MacOS/BSD services ARE needed, and most of them do not listen to the outside). If you can, disable useless services or block the traffic on the corresponding ports with your firewall (for example, if the NetBIOS/SMB services are listening on ports 135, 137-139 and 445, you can block all incoming and outgoing traffic on these ports if you don't use Windows shares). Please remember: bugs in services are the open doors to remotely take over your computer; if there are no services, or if they are blocked by a firewall, no one can remotely break into your computer. You can list the listening sockets locally (netstat -an on Windows, ss -lntu or netstat -tulpn on Linux) or scan your machine from another one with a port scanner such as nmap to determine which ports you have to block or which services you have to disable (it gives the same results).
  10. Don't use an admin account: it's better with Windows Vista and 7 (UAC), but if you are using an admin account, any software can ask for admin privileges, even malware you've launched recklessly. If you are not admin, the spyware must be much smarter to reach its full potential. At most, as a standard user, the spyware can send information about you, but not about the other users; it cannot use many of the system facilities that would help it send data, and it's much easier to remove from your computer.
  11. If you don't need to play games or to use some very rare niche software, switch to Linux. To this day, only a dozen or so malware programs running under Linux are known, and they were neutralised a long time ago thanks to security updates. Binaries come from verified, signed, authenticated repositories. You don't need any antivirus, and there are plenty of free, open source, great quality programs to do almost everything (Firefox, Chrome, Inkscape, GIMP, Pidgin, OpenOffice, FileZilla, ffmpeg (used in almost every audio/video converter for Windows out there), Ghostscript (used in almost every PDF converter out there), XChat, and much much more; most of them were first developed by and for Linux and then ported to Windows because they were great).
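The checksum verification from step 6, as an added example that is not part of the original post: a small POSIX shell script that computes the SHA-256 of a downloaded file and compares it with the digest published by the vendor. The file name and the expected digest are assumptions of the example; in real use you would copy the digest from the official download page. The demonstration at the bottom works on a constructed file so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): verify a download against a published
# SHA-256 checksum. FILE and EXPECTED_HEX are whatever you downloaded and whatever the
# vendor's page states; both are assumptions here.

sha256_of() {
  # Print the hex SHA-256 of the file in $1, on GNU (sha256sum) or BSD/macOS (shasum).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # Usage: verify_sha256 FILE EXPECTED_HEX  -> status 0 on match, 1 on mismatch/unreadable
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # vendors publish upper or lower case
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file (download again, do not run it)" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Self-contained demonstration on a constructed file (no download involved):
# the SHA-256 of the 6 bytes "hello\n" is the well-known value below.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_sha256 "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
printf 'hello!\n' > "$demo_file"   # one byte added: the check must now fail
verify_sha256 "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
  || echo "(rejected, as expected)"
rm -f "$demo_file"
```

Under Windows the same comparison can be done with the built-in `certutil -hashfile installer.exe SHA256` or, in PowerShell, `Get-FileHash installer.exe -Algorithm SHA256`; the comparison step is the same, and a mismatch means "download again", never "run it anyway".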
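The stateful ruleset described in step 7 (allow loopback, allow only established/related traffic in, let traffic out but log outgoing connections to ports you do not expect to use), as an added example that is not part of the original post. It assumes Linux with netfilter/iptables and the conntrack match; the list of "unexpected" ports is a placeholder you would adapt to what your own machine really uses. Without an argument the script only prints the rules (dry run); with `apply` it loads them through iptables-restore, which needs root.

```sh
#!/bin/sh
# Added example (not from the original post): minimal stateful IPv4 ruleset in
# iptables-restore format. UNEXPECTED_PORTS is an assumption for illustration
# (993 = IMAPS as in the post's example, 25 = SMTP, 445 = SMB).
UNEXPECTED_PORTS="${UNEXPECTED_PORTS:-993 25 445}"

build_ruleset() {
  # Emit the ruleset on stdout. Default policy: drop everything incoming and forwarded,
  # accept everything outgoing (outgoing traffic is logged, not blocked, as the post says).
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: always allowed in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# incoming: only packets that belong to connections this machine started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# if you really run a service (e.g. ssh), open it here explicitly, e.g.:
# -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
  # outgoing: log every NEW connection to a port we do not expect to use
  for p in $UNEXPECTED_PORTS; do
    printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j LOG --log-prefix \"UNEXPECTED-OUT: \" --log-level 4"
  done
  printf '%s\n' "COMMIT"
}

apply_ruleset() {
  # Atomically replace the filter table with the generated rules (root required).
  build_ruleset | iptables-restore
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *)     build_ruleset ;;   # dry run: show the rules without touching the kernel
esac
```

The logged lines land in the kernel log (`dmesg` or `/var/log/kern.log`) with the `UNEXPECTED-OUT:` prefix, so a process phoning home on port 993 from a machine that runs no IMAP client shows up immediately, which is exactly the signal the post describes.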
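The check from step 9, as an added example that is not part of the original post: a shell filter that reads the Linux `ss -lntu` socket listing and prints only the services bound to a non-loopback address, i.e. the ones reachable from the network and worth disabling or firewalling. The sample socket table embedded below is constructed for the example, not captured from a real host; with the argument `live` the script runs the same filter over the real socket table instead.

```sh
#!/bin/sh
# Added example (not from the original post): which listening services are exposed?

exposed_ports() {
  # Read `ss -lntu` output on stdin; print "proto:port" for every listening socket
  # bound to something other than the loopback address. Sockets on 127.0.0.1 or [::1]
  # are only reachable from the machine itself and are skipped.
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr != "127.0.0.1" && addr != "[::1]") print $1 ":" port
  }'
}

# Constructed sample shaped like real `ss -lntu` output (assumption, not a real host):
# CUPS on loopback only (fine), sshd, NetBIOS/SMB (137/139/445), a local-only SMTP
# daemon on [::1], and a web server on all addresses.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*
tcp   LISTEN 0      128    [::1]:25           [::]:*
tcp   LISTEN 0      128    *:80               *:*'

sample_exposed() {
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_ports
}

if [ "${1:-}" = live ] && command -v ss >/dev/null 2>&1; then
  ss -lntu | exposed_ports          # the real socket table of this Linux machine
else
  sample_exposed                    # tcp:22 tcp:139 tcp:445 udp:137 tcp:80
fi
```

Every line printed is a "someone on the platform" in the post's analogy: either the service is needed and its port is opened deliberately in the firewall, or it should be stopped. Running nmap against the machine from another host should list the same ports, minus anything the firewall already drops.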

Steps to avoid someone spying on your connection

  1. Make sure nobody can plug into your wired network without you noticing it, or disable the unused ports.
  2. Make sure your wireless network is encrypted with WPA2-CCMP (AES) whenever possible, and with WPA-TKIP at worst (CCMP and AES refer to the same WPA2 mode; TKIP is the older, weaker one). Nowadays, using WEP encryption is as dangerous as using no encryption at all: don't do that!
  3. Never browse the internet through a proxy: when you do so, keep in mind that you are forced to trust the unknown random stranger who set it up. He or she can log, save and store everything you send to or receive from the internet through that proxy! He or she can even strip the encryption of the protocol you are using (HTTPS, SMTPS, IMAPS, etc.) if you are careless enough to accept the proxy's certificate or click through the browser warning. That way they could capture your credit card number and so on. It's far safer to use HTTPS directly to the site whenever possible than to go through such a dangerous man-in-the-middle.
  4. Use encryption whenever possible. This is the only way to make sure that nobody except you and the remote server can understand what you sent and what you received. Use SSL/TLS every time you can, and avoid plain FTP, HTTP, POP, IMAP and SMTP (use SFTP or FTPS, HTTPS, POP3S, IMAPS and SMTPS instead). If your browser says a certificate is wrong, leave the website. Period.
  5. Do not use IP-hiding services: they are actually proxies. All your data goes through them; they can log, store and save anything, they can serve you fake web pages to get your credentials and even use those directly on the real website, so that you don't even notice you gave them to strangers.
