Does rubbing penicillin on your keyboard sound like solid anti-virus protection? Do you think spyware refers to the stuff Q cooked up in the James Bond movies? Is the only firewall you own between your car’s engine and your feet? Was your last software update from DOS to Windows 95? If you answered yes to any of the above (and please, please say you didn’t), then your system is seriously at risk. Unfortunately, even if you answered no to all of these, you’re still probably courting danger.

Attackers are out there. It’s a fact of life for anyone who has a computer system: Somebody is always out there, trying to make unauthorized use of your system. Sadly, these days, it’s easier and easier for them to do it. Could they do it to you?

Malicious attacks take many forms: viruses, spyware, adware, worms, rootkits, keyloggers, unauthorized VNC systems, and a host more. Any computer can be cracked (ask the US Department of Defense about that one), though some are obviously more attractive than others. As an IT professional, the most common response I hear to warnings about attacks is “I’m not worried, because I don’t have anything that anyone would want.” Though it doesn’t always do any good, I’m very clear with my answer:

Oh yes you do.

Black hats (another term for crackers) want to crack systems for a variety of reasons. I personally think the most common reason is curiosity: They just want to see if they can do it. Others do so in order to steal information from others, or to use the system for other illegal activities. Your quiet little Windows PC is incredibly valuable to a cracker looking for personal and financial information or a quick zombie target (zombies are cracked computers that can be used by the cracker to launch attacks on other systems). I once was called in to investigate a “slow” system and ended up scrubbing 24,000 separate infections. (I honestly thought I might need to mix Clorox and Holy Water to get it clean.)

If all of us are at risk, and the attackers are only a breath away, what can you do? How do you protect yourself from the most common threats, especially if you’re on a budget?

  • Be sure your system is up-to-date, and pay attention to software news. If you use Windows, be sure you are updating your system (either through Automatic Updates or manually). System updates are usually a good thing, but occasionally something goes wrong, so be sure you’re paying attention to tech news, just in case.
  • Functional, up-to-date anti-virus software is critical; be sure it is active any time your computer is turned on. I recommend Grisoft’s AVG Anti-Virus Free Edition for home users, even if you can afford a paid program, because it works well, updates automatically, and you don’t have to worry about your subscription (and your protection) running out. Whichever program you pick, be sure to run only one anti-virus package, as running multiples can cause them to malfunction.
  • Download a spyware utility and run it frequently. Grisoft’s AVG Anti-Spyware Free Edition and Lavasoft’s AdAware 2007 Free both scan and remove spyware infections. I recommend using both programs, as there is no danger from multiple anti-spyware packages: what one misses, the other will likely find. Be sure to keep them up-to-date and run the scans frequently. AVG also offers an anti-rootkit package that detects and removes rootkit threats.
  • Get a personal firewall program and run it at high security. ZoneAlarm makes a good firewall that is free for personal and charitable use. Be sure to pay attention to the pop-ups requesting access – if an unknown program requests access, ZoneAlarm will offer advice about what to do.
  • Secure your network, if you have one. Routers and switches have passwords, and some of them can be accessed from outside your network if you haven’t configured them properly. Wireless networks are even more vulnerable, as anyone can drive up and log on with a laptop, so be sure wireless networks are secure and password protected. Check with customer support for the company that manufactured your hardware if you aren’t sure how to configure your network properly, or hire a qualified technician to advise you.
  • Get rid of Internet Explorer! I’ve written before about dumping IE for Firefox, and it makes good security sense. Most exploits are written for IE, because most people use IE, so getting rid of it increases your security immediately. Additionally, Firefox has built-in security features (and even more security through extensions) to offer additional protection. (If you’re really daring, you can ditch Windows entirely for Mac’s OS X or a Linux distribution, but I can’t really recommend that for everyone.)
  • On passwords:
      • Choose good passwords. “Password” is the worst password you can pick, period. Even if you write it as p@$$w0rd, it’s an invitation to cracking. Anything related to you (your address, phone number, kids’ names) is bad. Lower-cased all-letter passwords, especially short ones (6 characters or less), can be cracked literally in minutes. All-number passwords are even easier.
      • Always use long (10 characters or more), mixed-case passphrases with letters and punctuation marks. It doesn’t need to be hard-to-remember random text; something like J0hn_10v3$_8dri@n3 (“John loves Adriane”) is secure and easy to remember. If you have trouble translating letters to similar characters, try this English-to-Leet (“1337”) translator, set at about 15% to 25% leet. (If you don’t know what leet is, ask a handy teenager.)
      • If you’re storing your user IDs and passwords in your internet browser, make sure you’re using a master password, or else they’re available to anyone who gets control of your computer.
      • Don’t write down your passwords, and certainly don’t leave them on a sticky-note on your monitor or desk. If you must write passwords down, keep them locked up somewhere secure (like a safe or a lockbox). If you use secure passphrases, you should be able to remember your password with little trouble.
      • Change your passwords regularly. No, you don’t need to change them every week, especially if you’re using strong phrases, but every three to six months is a good idea.
      • Finally, don’t use the same password for everything, and put your strongest password on your email account. Nearly every web application allows you to reset your password via your email, so if an attacker can get in there, all your web passwords are just a reset form away.
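
The password rules above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it estimates the search space for each kind of password the list mentions and flags which of the rules a candidate breaks. The guess rate, the leet table and the short word list are assumptions constructed for illustration.

```python
import math
import string

# Assumption: an illustrative offline guess rate, not a measured figure.
GUESSES_PER_SECOND = 1_000_000

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

# Constructed, minimal table for undoing common leet substitutions.
DELEET = str.maketrans("@$013457", "asoleast")
# Constructed sample; a real check would use a large breached-password list.
COMMON = {"password", "letmein", "qwerty", "welcome", "admin"}

def alphabet_size(pw):
    """Smallest character pool covering every character class used in pw."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in pw))
    # Characters outside the four pools (spaces, non-ASCII) count individually.
    size += len({c for c in pw if not any(c in pool for pool in POOLS)})
    return max(size, 1)

def keyspace_bits(pw):
    """Upper bound on guessing cost in bits, assuming random characters."""
    return len(pw) * math.log2(alphabet_size(pw))

def exhaust_seconds(pw):
    """Time to try every candidate of this length and alphabet."""
    return alphabet_size(pw) ** len(pw) / GUESSES_PER_SECOND

def audit(pw):
    """Return the rules from the list above that pw breaks (empty = none)."""
    problems = []
    if pw.lower().translate(DELEET) in COMMON:
        problems.append("common word once leet is undone")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    return problems

if __name__ == "__main__":
    for pw in ("123456", "abcdef", "p@$$w0rd", "J0hn_10v3$_8dri@n3"):
        print(f"{pw!r}: {keyspace_bits(pw):.0f} bits, "
              f"{exhaust_seconds(pw):.3g} s to exhaust, issues={audit(pw)}")
```

The bit count is an upper bound that assumes every character is picked at random; passwords built from words or personal details fall to dictionary guessing long before the full space is searched, which is why the leet check runs first.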

There is quite a bit more to say on the subject (and I’m sure plenty of it will come up in the comments) but this is a basic dip into securing your system from attacks. If you don’t come away with anything else, be sure to remember this: It can happen to you. Be vigilant, take steps to keep yourself secure, and be well.

If you’ve been the victim of an attack, or if you think I’ve left something out, please share it in the comments.

Disclaimers: With the obvious exception of Wisebread, I’m not affiliated with any of the sites or products I’ve linked. I use the terms “crack” and “cracker” as opposed to “hack” and “hacker” to refer to unauthorized (and in many cases, illegal) access to computers or other systems. Although most people associate hacking with cracking, there are other types of hacking that aren’t malicious, and I believe using the terms interchangeably should be avoided.

This entry was posted on Monday, July 30th, 2007 at 3:04 pm and is filed under Tech, Wisebread.
