# How To Lock Down and Secure the Information on Computer



## neos1 (Feb 13, 2006)

I would like to hear from the Security Specialists a step by step procedure on locking down sensitive files and folders, tightening up any possible leaks, closing any possible back-ways-in and cleaning up any corners where sensitive information could be lying around.

Most of us know about firewalls and anti-malware software, maybe we could concentrate on good habits/best practices.

These days, if you watch any television at all the writers of some of those shows would have the public believe that anyone that uses encryption probably is a criminal/pervert and that if one were honest one would not have anything to hide. I disagree with that, as with most of what I see on the vegimatic.

I use two products; True Crypt, http://www.truecrypt.org/ and 
AIRoboform, http://www.roboform.com/

True Crypt is freeware and Roboform is free in limited usage. I like Roboform so much I bought the software only because I have and use more than ten different passwords nine to !tHiR1t3EEn?~ characters long.

BACKGROUND: I was under the illusion that sensitive information was or could be stored in the page/scratch file. I've since learned that was not the case. I'm sure that I'm not the only one that labors under false impressions of one sort or another. So let us hear from the Security MVPs and the Gurus of Code, or anyone that has a hard-won nugget of information.


----------



## Stoner (Oct 26, 2002)

My serious route was to keep sensitive material on a computer that has no network access, meaning no internet connectivity in my case.
That comp is located in my home and access is limited to my usage.

I figure that's the best I can do while still remaining rational about security.


BTW....I'm not a security specialist, but for home protection ...'Roscoe is my Friend'


----------



## neos1 (Feb 13, 2006)

Okay, I'll bite, who's Roscoe?


----------



## Stoner (Oct 26, 2002)

neos1 said:


> Okay, I'll bite, who's Roscoe?


Old-fashioned nickname for a snub-nose revolver.

.....guess that kinda dates me age-wise


----------



## neos1 (Feb 13, 2006)

Stoner said:


> Old-fashioned nickname for a snub-nose revolver.
> 
> .....guess that kinda dates me age-wise




I'm wondering though, if you have any online accounts, you don't do any banking or internet buying?


----------



## valis (Sep 24, 2004)

use a firewall for any machine connected to the net, and as stoner says, don't keep anything sensitive connected to the internet. With my 'sensitive' machine, about once every couple of months I enable the default gateway, see if there are any critical updates I need, then disable the default gateway again. On my home rig I run Zone Alarm firewall, and it's blocked a PILE of intrusion attempts. 

There was this article by the bbc recently where they simply installed xp on a machine, connected it to the internet (didn't even open a browser, just connected the damn thing) and the AVERAGE time it took before it was infected was something like 15 minutes. 

Insane. There's a zillion pc's out there scanning ports, so keep yer data backed up to something other than your pc, and run a solid firewall and a.v. software, and scan regularly for malware.


----------



## valis (Sep 24, 2004)

here's the link:

http://news.bbc.co.uk/2/hi/technology/5414502.stm



> The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.
> 
> VMWare is useful as it makes it easy to pause the "virtual" PC or roll it back to an earlier configuration. This proved essential when recovering from an infection.
> 
> When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited, merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.


----------



## Stoner (Oct 26, 2002)

neos1 said:


> I'm wondering though, if you have any online accounts, you don't do any banking or internet buying?


I've used a credit card several times.
I do not keep those records in my online machine, nor the account number.
I do realize there is risk there even the way I minimally use the card.

I do no banking on line and definitely no stock market transactions.
I view the additional expense as the cost of security. Some people accept that, many don't and operate their finances from their online computer.

I made the decision on this some years ago when I first got a computer because I didn't understand the risks.
Something to think about today..........from some of the discussions from the 'experts' I've read, it's now possible for malicious script to be injected into a web site that can add code to the firmware of a connected computer's hardware.
That in essence means, there exists the possibility to flash into your hardware a rootkit only dependent on that hardware being attached to your computer. It (the rootkit) survives a reboot after removal from memory or the hard drive and it survives a re-format.

Grim, eh?

I am glad I am not in business and dependent on having to accept the above exposure.


----------



## neos1 (Feb 13, 2006)

I wanted this to be friendly Stoner, you just ruined my whole day

Would you be able to track that article down?


----------



## Stoner (Oct 26, 2002)

I'll run a quick search. 

Trust me, I'm not trying to be unfriendly.......But it is a 'war' between us and the thieves that want what we have.


----------



## Stoner (Oct 26, 2002)

Here's the first article that popped up.....introducing a rootkit into the bios:

http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf

Crafty ..........


----------



## neos1 (Feb 13, 2006)

valis said:


> here's the link:
> 
> http://news.bbc.co.uk/2/hi/technology/5414502.stm


I'm behind a router, and when I do a leak test it shows all of my ports in stealth mode, and I'm using a firewall called Netveda which requires rules to be set up. When first installed it is in learning mode, but then eventually the firewall quits asking for instructions until an update changes a program in some significant way, i.e., I updated to Firefox 2.0.0.4 and got flags asking if I wanted to trust the newly updated version.

To be honest I'm not savvy enough to know if I have my Firewall configured well. I've read that Firewalls that require rules to be written are not only the more personally configurable but are better at stopping attacks - that is if the rules are written correctly. What say you?


----------



## Stoner (Oct 26, 2002)

neos1 said:


> I'm behind a router, and when I do a leak test it shows all of my ports in stealth mode, and I'm using a firewall called Netveda which requires rules to be set up. When first installed it is in learning mode, but then eventually the firewall quits asking for instructions until an update changes a program in some significant way, i.e., I updated to Firefox 2.0.0.4 and got flags asking if I wanted to trust the newly updated version.
> 
> To be honest I'm not savvy enough to know if I have my Firewall configured well. I've read that Firewalls that require rules to be written are not only the more personally configurable but are better at stopping attacks - that is if the rules are written correctly. What say you?


I agree that a firewall that only allows what you designate ...is the best choice.
Something to consider, though.......I've heard that some malware/spyware/trojans have the ability to turn off that firewall or alter the rule sets without the owner being aware. So if you are infected, there exists the possibility of outbound security being compromised. And you won't know this in a leak test against your router.

So security is a combination of all aspects, from infection to the ability to control connections....as one concept. Not separate concerns.

I did have a Norton firewall compromised in much this manner some years ago, which made me a lot more alert (you could read paranoid), as you can see.
Currently I am using Kerio, but there are others that are excellent.

Firefox is a wise choice of browsers.....imo......
I use adblock, flashblock and noscript extensions.
Firewall routers are a good first line of defense against unwanted connections.

Have you changed the default password in your router?


----------



## neos1 (Feb 13, 2006)

Stoner said:


> Here's the first article that popped up.....introducing a rootkit into the bios:
> 
> http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
> 
> Crafty ..........


The PDF reads like a sales brochure for the Trusted Computing Platform that Microsoft and others have been pushing basically saying that the bad guys are gonna win but if you run into our arms and let us protect you, we will "take care of you" from the cradle to the grave.

A quote from the GNU:

"Who should your computer take its orders from? Most people think their computers should obey them, not obey someone else. With a plan they call "trusted computing", large media corporations (including the movie companies and record companies), together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you. (Microsoft's version of this scheme is called "Palladium".) Proprietary programs have included malicious features before, but this plan would make it universal.

"Proprietary software means, fundamentally, that you don't control what it does; you can't study the source code, or change it. It's not surprising that clever businessmen find ways to use their control to put you at a disadvantage. Microsoft has done this several times: one version of Windows was designed to report to Microsoft all the software on your hard disk; a recent "security" upgrade in Windows Media Player required users to agree to new restrictions. But Microsoft is not alone: the KaZaa music-sharing software is designed so that KaZaa's business partner can rent out the use of your computer to their clients. These malicious features are often secret, but even once you know about them it is hard to remove them, since you don't have the source code."

The threat maybe real as you say, but I would question that article just because it is slanted towards selling the "Trusted Computing" platform.

I'm believing that this discourse will bring out alternatives other than giving up control of my life to Microsoft and "those who intend to govern" and still being able to confidently go about my day to day business. But then, I've been wrong before.

Edit: I don't mean this to sound confrontational.


----------



## Stoner (Oct 26, 2002)

> The PDF reads like a sales brochure for the Trusted Computing Platform that Microsoft and others have been pushing basically saying that the bad guys are gonna win but if you run into our arms and let us protect you, we will "take care of you" from the cradle to the grave.




You've been told ...................


----------



## Stoner (Oct 26, 2002)

Link

A cached Wikipedia link to showcase the topic...firmware rootkits.

excerpt>>



> Detection in firmware can be achieved by computing a cryptographic hash of firmware and comparing hash values to a whitelist of expected values, or by extending the hash value into TPM configuration registers, which are later compared to a whitelist of expected values. Code that performs hash, compare, and/or extend operations must itself not be compromised by the rootkit. The notion of an immutable (by a rootkit) root-of-trust ensures that the rootkit does not compromise the system at its most fundamental layer. Rootkit detection using a TPM is further described in Stopping Rootkits at the Network Edge, January 2007.


None of my detection apps currently do that.
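
The excerpt above describes two checks: hash a dumped firmware image and compare it to a whitelist, or extend the measurement into a TPM PCR and compare the register afterwards. The block below is an added example (not code from the thread, from Wikipedia, or from any TPM vendor) of both, in Python. The BIOS and option ROM images are constructed byte strings standing in for real dumps, and the whitelist is assumed to have been recorded from a known-clean machine.

```python
"""Firmware measurement: hash-and-compare, plus a TPM-style PCR extend chain.

Added example. KNOWN_GOOD_BIOS and OPTION_ROM are constructed stand-ins for
dumped firmware images; WHITELIST is assumed to come from a known-clean machine.
"""
import hashlib

# Constructed stand-ins for firmware images. Real images come from a vendor
# flash tool or an external programmer, and the dump must be taken by code the
# rootkit cannot influence, or the check only measures what the rootkit shows you.
KNOWN_GOOD_BIOS = b"VENDOR BIOS v1.02 " + bytes(range(256)) * 4
OPTION_ROM = b"PCI option ROM " + bytes(range(255, -1, -1)) * 2
# Two-byte patch at offset 300 (a 'jmp $' stub), simulating a tampered image.
TAMPERED_BIOS = KNOWN_GOOD_BIOS[:300] + b"\xeb\xfe" + KNOWN_GOOD_BIOS[302:]

PCR_SIZE = 32  # SHA-256 sized register; TPM 1.2 registers were SHA-1 (20 bytes)


def measure(image: bytes) -> bytes:
    """A measurement is simply the hash of the whole image."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).
    A PCR can only be extended, never written, so code that runs after the
    measurement cannot set the register back to the expected value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(images) -> str:
    """Extend each image's measurement into one PCR in boot order and return the
    final value as hex. Order matters: swapping two images changes the result."""
    pcr = bytes(PCR_SIZE)  # all zeros after a platform reset
    for image in images:
        pcr = pcr_extend(pcr, measure(image))
    return pcr.hex()


# Assumed whitelist: per-component hashes plus the expected final PCR value.
WHITELIST = {
    "bios": measure(KNOWN_GOOD_BIOS).hex(),
    "option_rom": measure(OPTION_ROM).hex(),
    "pcr0": measured_boot([KNOWN_GOOD_BIOS, OPTION_ROM]),
}


def check_component(name: str, image: bytes) -> bool:
    """Direct hash-and-compare for a single dumped image."""
    return measure(image).hex() == WHITELIST[name]


def check_boot_chain(images) -> bool:
    """Compare the final PCR against the whitelist. Catches a modified image and
    also a reordered or inserted one, without comparing each hash separately."""
    return measured_boot(images) == WHITELIST["pcr0"]


if __name__ == "__main__":
    print("bios matches whitelist:", check_component("bios", KNOWN_GOOD_BIOS))
    print("tampered bios matches:", check_component("bios", TAMPERED_BIOS))
    print("clean chain matches:", check_boot_chain([KNOWN_GOOD_BIOS, OPTION_ROM]))
    print("tampered chain matches:", check_boot_chain([TAMPERED_BIOS, OPTION_ROM]))
    print("reordered chain matches:", check_boot_chain([OPTION_ROM, KNOWN_GOOD_BIOS]))
```

The caveat the excerpt makes is the important one: the code doing the hashing (or the firmware that does the extend) has to run before the rootkit does, or from a medium the rootkit does not control, such as a boot CD or an external programmer. A hash computed by an OS that is already running on top of a firmware rootkit is only as trustworthy as that firmware.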


----------



## 1002richards (Jan 29, 2006)

I do all my online sessions via Sandboxie in addition to a firewall, Zone Alarm and others I have seen recommended at TSG. It adds an extra layer of security, plus you can run new progs 'Sandboxed' - to try them out- without installing them.

http://www.sandboxie.com/

Richard.


----------



## valis (Sep 24, 2004)

Stoner said:


> Something to think about today..........from some of the discussions from the 'experts' I've read, it's now possible for malicious script to be injected into a web site that can add code to the firmware of a connected computer's hardware.


this is not only a possibility, this is a very common issue. Skype is currently suffering from stuff that dumps rootkits via scripts, which is obviously a huge problem for Skype; running malicious scripts on pages is pretty common; keep your security high on your browsers and that will eliminate that.

That, and safe surfing.


----------



## Stoner (Oct 26, 2002)

Hi Tim 

Yeah......it gets down to how safe a persons usage is and how much risk they are willing to accept.
As someone in Civ Debate presented....there is no absolute certainty to certain things and this is one of them. We do the best we can.

Thanks richards....I've thought about giving sandboxie a try.
Maybe on my next re-install..........
Did you notice any degradation of performance?


----------



## neos1 (Feb 13, 2006)

Stoner said:


> I agree that a firewall that only allows what you designate ...is the best choice.
> Something to consider, though.......I've heard that some malware/spyware/trojans have the ability to turn off that firewall or alter the rule sets without the owner being aware. So if you are infected, there exists the possibility of outbound security being compromised. And you won't know this in a leak test against your router.
> 
> Have you changed the default password in your router?


I have changed the user id and password for the router.

If I understand it correctly, that is the reason Microsoft's Firewall is useless - does not stop anything from leaving the computer.


----------



## neos1 (Feb 13, 2006)

valis said:


> this is not only a possibility, this is a very common issue. Skype is currently suffering from stuff that dumps rootkits via scripts, which is obviously a huge problem for Skype; running malicious scripts on pages is pretty common; keep your security high on your browsers and that will eliminate that.
> 
> That, and safe surfing.


I was not disagreeing with Stoner. I guess it was a stick my fingers in my ears sort of reaction. I thought I was well informed and here is something that I hadn't even heard of that was more insidious than all of the other things combined.


----------



## Stoner (Oct 26, 2002)

neos1 said:


> I have changed the user id and password for the router.
> 
> If I understand it correctly, that is the reason Microsoft's Firewall is useless - does not stop anything from leaving the computer.


Personally, I want control over all connections, so that includes outbound.

I have seen the argument presented that if a computer already has unauthorized outbound traffic, the system is already compromised and relying on any filtering is a risk.
If un-compromised....all outbound traffic is legit.

Not my argument....just repeating what I've heard.
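
Both sides of the argument above come down to the same inventory: which programs on the box have connections out, and to where. The block below is an added example (not code from the thread or from any firewall product) of that inventory in Python: it parses `netstat -ano`-style lines, maps PIDs to program names, and applies a per-program outbound allowlist of the kind a rule-based firewall enforces. The netstat lines, the PID-to-image map and the rules are all constructed for the example.

```python
"""Outbound connection audit against a per-program allowlist.

Added example. SAMPLE_NETSTAT, PID_TO_IMAGE and OUTBOUND_RULES are constructed;
on a real Windows box the first two come from `netstat -ano` and `tasklist`.
"""

# Constructed sample in the layout of `netstat -ano` (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49213      216.58.210.46:443      ESTABLISHED     1840
  TCP    192.168.1.5:49220      64.233.167.99:80       ESTABLISHED     1840
  TCP    192.168.1.5:49231      203.0.113.77:6667      ESTABLISHED     2712
  TCP    192.168.1.5:49240      198.51.100.9:443       ESTABLISHED     3001
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    192.168.1.5:123        *:*                                    1044
"""

# Constructed PID -> image map (tasklist output on a real system).
PID_TO_IMAGE = {
    1840: "firefox.exe",
    2712: "svchost.exe",
    3001: "updater.exe",
    912: "svchost.exe",
    1044: "svchost.exe",
}

# Allowlist in the spirit of a rule-based firewall: image -> permitted remote ports.
# Anything not listed is denied by default, which is the "only what you designate" stance.
OUTBOUND_RULES = {
    "firefox.exe": {80, 443},
    "svchost.exe": {53, 123},
}


def parse_netstat(text):
    """Turn netstat-style lines into dicts; skips the header and blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no state
        pid = int(parts[-1])
        rhost, _, rport = foreign.rpartition(":")  # works for [::1]:443 too
        conns.append({
            "proto": proto, "local": local, "rhost": rhost,
            "rport": int(rport) if rport.isdigit() else None,
            "state": state, "pid": pid,
        })
    return conns


def audit_outbound(conns, pid_to_image, rules):
    """Return (image, remote host, remote port, reason) for every established
    TCP connection that the allowlist would not have permitted."""
    findings = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED":
            continue  # listeners and UDP sockets are a separate review
        image = pid_to_image.get(c["pid"], "<unknown pid %d>" % c["pid"])
        allowed = rules.get(image)
        if allowed is None:
            findings.append((image, c["rhost"], c["rport"], "no outbound rule for this program"))
        elif c["rport"] not in allowed:
            findings.append((image, c["rhost"], c["rport"], "port not permitted for this program"))
    return findings


if __name__ == "__main__":
    for finding in audit_outbound(parse_netstat(SAMPLE_NETSTAT), PID_TO_IMAGE, OUTBOUND_RULES):
        print("%-14s -> %s:%s  (%s)" % finding)
```

On the constructed sample this flags the svchost.exe session to port 6667 (a permitted program on a port it has no rule for) and updater.exe (no rule at all); Firefox on 80 and 443 passes. The limitation Stoner raises applies here as well: if malware already has administrator rights it can edit the rules, and a rootkit can hide its process from netstat, so an inventory taken on the suspect machine should be cross-checked against what the router or an external capture sees leaving it.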


----------



## Stoner (Oct 26, 2002)

neos1 said:


> I was not disagreeing with Stoner. I guess it was a stick my fingers in my ears sort of reaction. I thought I was well informed and here is something that I hadn't even heard of that was more insidious than all of the other things combined.


Better to learn about it this way than by experience


----------



## valis (Sep 24, 2004)

Stoner said:


> Better to learn about it this way than by experience


which is precisely how I learned. An alternate member of my family d/l about 106k trojans in about 10 seconds onto my machine.....

if you want a rather cursory scan of your machine for security purposes, you can use gibson's site (http://www.grc.com/default.htm, click on 'shieldsup', follow the prompts) and you'll get a rough idea of how secure your machine is. For instance, my wife has a few ports open on her rig; then again, she uses wireless, so that's not entirely uncommon. Wireless likes to be heard. My rig is registered as 'invisible', which is very good, but again, this is just gibson's security site, and while he's good, he's not as good as some of the folks out there writing malicious code.

Always keep your security settings for the internet on high. Any site that wants to write something to my pc has to have my express written authorization (sorta like MLB) or I don't let it. As stoner put it, better to learn this way than through experience, and this is why I don't let sites write to my machine.

But see what gibson's tells you; that's as good a starting point as any. Curious to see the results, then we can begin closing whatever doors are open.


----------



## neos1 (Feb 13, 2006)

So according to the SubVirt PDF (Samuel T. King and Peter M. Chen): "The only time the VMBR loses control of the system is in the period of time after the system powers up until the VMBR starts. Any code that runs in this period can access the VMBR's state directly. The first code that runs in this period is the system BIOS. The system BIOS initializes devices and chooses which medium to boot from. In a typical scenario, the BIOS will boot the VMBR, after which the VMBR regains control of the system. However, if the BIOS boots a program on an alternative medium, that program can access the VMBR's state.
Because VMBRs lose control when the system is powered off, they may try to minimize the number of times full system power-off occurs. The events that typically cause power cycles are reboots and shut-downs. VMBRs handle reboots by restarting the virtual hardware rather than resetting the underlying physical hardware. By restarting the virtual hardware, VMBRs provide the illusion of resetting the underlying physical hardware without relinquishing control."

So I bought this computer used from a company that takes corporate leases that have expired, refurbishes said machine and sells them to the highest bidder. It is possible that this computer came to me infected with a Virtual Machine Bios Rootkit already installed and there is no way for a regular guy to be able to detect or remove it.


----------



## valis (Sep 24, 2004)

even if it's a vm rootkit, it should be able to be removed. if you think that your machine is infected, click the red triangle next to one of your posts (upper right) and have it moved to security where they will be able to tell you if you are, indeed, infected. I've had to deal with exactly one vm rootkit, and it wasn't that difficult to get rid of, so I know that they can be removed; this was back in december, though, and things may have stepped up a bit since then.


----------



## neos1 (Feb 13, 2006)

There are four LEDs, A, B, C, D, that light amber-green, and for the life of me I cannot remember if, when I powered down, all of them went dark. Lately I've noticed that C stays lit after power down. The one tell that a machine may be infected with a BIOS-level rootkit is that the LEDs do not go out when powered down. 

I have GRC bookmarked. I'll head over there and let you know the results.


----------



## lotuseclat79 (Sep 12, 2003)

neos1 said:


> I'm behind a router, and when I do a leak test it shows all of my ports in stealth mode, and I'm using a firewall called Netveda which requires rules to be set up. When first installed it is in learning mode, but then eventually the firewall quits asking for instructions until an update changes a program in some significant way, i.e., I updated to Firefox 2.0.0.4 and got flags asking if I wanted to trust the newly updated version.
> 
> To be honest I'm not savvy enough to know if I have my Firewall configured well. I've read that Firewalls that require rules to be written are not only the more personally configurable but are better at stopping attacks - that is if the rules are written correctly. What say you?


When the leak test you run indicates all of your ports in stealth mode - is that all of your ports from 0-1024 or all of your ports from 0-65535?

The leak tests at http://www.firewallleaktester.com are considered fairly complete though there are others cited at Wilders Security Forums at: http://www.wilderssecurity.com

Rootkits that infect the BIOS, and Polymorphic trojans (able to morph their identity which makes it about impossible to identify) are definitely to be reckoned with, however, they are very rarely found in the wild on the Internet - esp. the Polymorphic trojans which you would expect.

Since most nefarious rootkits are placed for the motive of profit these days, the home user is not a big target like corporations with industrial secrets.

I would recommend using a USB based OS browser combo that creates a fake file system in memory the same as a Linux Live CD (which is what I use). When I surf, my disks are unmounted. And anything that gets into memory is wiped when I power down. If the rootkits and trojans require saving to a file system, memory is as far as they get on my computer - and then el wipo when I shutdown! That does not mean that the BIOS could not be compromised, however, I would probably have to visit a website that cannot be trusted to get the compromising software loaded onto my system because my iptables firewall is very restrictive regarding ports and dumps anything that is not first requested.

-- Tom

P.S. I would also go with NOD32 which is probably the best heuristic malware detector; however, I also recommend visiting the http://www.av-comparatives.org website to see the testing data on the best AVs available today. Also highly recommend using Watcher from: http://www.donationcoders.com/kubicle/watcher/index.html which saved my butt after I had unknowingly downloaded and installed some malware - and on the next reboot, it gave me a chance to rescind the installation - whew! that was close.
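
Tom's question about whether "stealth" covers ports 0-1024 or 0-65535 turns on what a scanner actually sees for each port. There are three answers: a connection is accepted (open), the host replies with a reset (closed, so the host is clearly there), or nothing comes back at all (filtered, which is what the ShieldsUP test calls "stealth" and what an iptables policy that drops unsolicited packets produces). The block below is an added example, not code from the thread or from GRC, of a TCP connect probe in Python that labels each port with one of those outcomes. The listener is constructed locally so the example runs offline; to learn anything about your own router you have to probe your public address from outside it.

```python
"""TCP connect probe reporting open / closed / filtered per port.

Added example. The local listener is constructed for the demonstration.
"""
import socket


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """One TCP connect attempt, classified by what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"        # host answered with RST: reachable, nothing listening
    except socket.timeout:
        return "filtered"      # no answer within the timeout: the "stealth" case
    except OSError as exc:
        return "unreachable (%s)" % exc.errno  # e.g. no route to host
    finally:
        s.close()


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Probe each port in turn; a full check is 1-65535, not just 1-1024."""
    return {port: probe(host, port, timeout) for port in ports}


def summarize(results: dict) -> dict:
    """Count outcomes. A router that 'stealths' everything yields only 'filtered'."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def start_listener():
    """Constructed local service on an ephemeral port so the demo has one open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Bind and release an ephemeral port so we know one that is currently closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        # A service above 1024 (like this listener) never shows up in a
        # "first 1024 ports" check, which is the point of Tom's question.
        results = scan("127.0.0.1", list(range(1, 1025)) + [open_port])
        print("open:", [p for p, st in results.items() if st == "open"])
        print(summarize(results))
    finally:
        srv.close()
```

Against loopback everything not listening comes back "closed" immediately, because the local stack answers with a reset; "filtered" only appears when something between the scanner and the target drops the packet, which is why the same scan run from inside the LAN and from the internet gives different pictures of the same router.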


----------



## 1002richards (Jan 29, 2006)

Stoner said:


> Hi Tim
> Thanks richards....I've thought about giving sandboxie a try.
> Maybe on my next re-install..........
> Did you notice any degradation of performance?


IE & Firefox perhaps a tiny bit slower to load, but nothing irritating. 
Hope it suits your needs. Here's an independent review at Tech Support Alert, it's #4 on this list:

http://www.techsupportalert.com/best_46_free_utilities.htm

Richard


----------



## neos1 (Feb 13, 2006)

> When the leak test you run indicates all of your ports in stealth mode - is that all of your ports from 0-1024 or all of your ports from 0-65535?


The first 1024 ports.

I downloaded all the leak tests at http://www.firewallleaktester.com and did the AWFT test first, because I downloaded them into a folder and XP alphabetizes. Except for test number 1, I failed the other 4.

I had to shut down my anti-virus to down load a couple of the tests.

I cannot remember what happened, but a few weeks ago every time that I would log on to TSG and then make the jump to a forum page I would lose my log in and even if I logged into that page it would jump back to the TSG welcome page and when I made the jump, say to tips and tricks, I would lose my log in again. It is happening again and I cannot figure out what has changed. Cookies are enabled. I cleared the cookie cache. I've reset the firewall back as it was. I've rebooted. I rebooted the router. Can't figure it out. Oh I'm on another computer, only reason why I can post. I've been working on this for the past two hours. Anybody got any ideas?


----------



## Stoner (Oct 26, 2002)

Sorry.....no ideas of what's wrong.
Perhaps you should post a HijackThis log in the security forum along with your concerns.
Instructions are over there on where to download and how to use, as I remember.


It's too late now, but when you get straightened out, perhaps you should think about imaging your OS partition as a quick restore option.

Seagate/Maxtor offers a free imaging app to owners of their products.


----------



## lotuseclat79 (Sep 12, 2003)

Try rebooting the computer you are on, and then attempt to get back to TSG - you may have to login again if the cookies were wiped. Just trying to advise that your platform does not sound too stable, and in those cases a reboot has always helped me get going again.

-- Tom


----------



## neos1 (Feb 13, 2006)

lotuseclat79 said:


> Try rebooting the computer you are on, and then attempt to get back to TSG - you may have to login again if the cookies were wiped. Just trying to advise that your platform does not sound too stable, and in those cases a reboot has always helped me get going again.
> 
> -- Tom


I've rebooted no help. It is not just TSG that I can't access but my Yahoo mail accounts. The last time this happened was when I upgraded Roboform, and it was something simple. I'll figure it out.

I'm still running through the leak tests - not good. I did try a different firewall and the results are much better.

The only live cd's that I have are Ubuntu. That is not a bad thing it's just I'm stuck in the XP mode for now so I'm going to give Sandboxie a go.


----------

