Security Watch

A Call to Arms, Continued

Letters from the security front.

• By Roberta Bragg
• 02/04/2004

As I read your column, it occurred to me we should write some good viruses. Why doesn't Microsoft write some viruses that install the patches everyone needs?

Roberta responds—Whoa, that's like trying to make everyone's teeth less susceptible to decay by putting fluorides in the water supply. Oh, wait, we do that, don't we? Actually, "good" viruses or worms isn't a concept I favor. Part of the problem generated by bad worms and viruses (indeed, the point of many) is Denial of Service. Any infection of "good" worms will have the same effect. In fact, we saw just that with the Welchia or Nachi worm; it tried to patch systems against the RPC DCOM buffer overflow (exploited by the Blaster worm) but became a nuisance itself. The other problem is their ability to do wrong. Instead of writing "good" infectious agents, better code and better patching processes are needed, for all software.

I think a great place to start when educating users is http://www.personalfirewallday.org. The folks behind that site put some thought into simplicity, and tailored the explanations to non-technical readers.

Yup, a great site to find information written for consumers (which I discussed previously; see http://mcpmag.com/newsletter/article.asp?EditorialsID=242 for more information). Look below for another site that includes steps users should take to secure their systems. Microsoft also offers such information. Use these sites to learn how to talk "non-techie"; you're not going to get many end-users to do security if you throw around lots of tech jargon.

For anyone on a broadband or better Internet connection, I'd set their antivirus to update hourly, without prompting (which can be annoying). Dial-up users should check for updates at least every time they log in. If the antivirus vendors can respond more quickly than they did to MYDOOM.A—and I think most will next time around—this will help anyone that isn't hit by the first couple waves dodge the bullet.

Mitchell Herbert had a great idea: "Considering how busy we all are keeping our own corporate networks (or those of our clients) secure, perhaps there should be a tax deduction for time spent securing computers and networks for non-paying customers. Yeah, I know it'll be a cold day in...but 'tis the (tax) season, after all..."

Actually, I believe you can get a tax deduction for the expenses you incur in helping not-for-profit agencies. I'm not a tax lawyer, so obtain professional advice before attempting to use this deduction. Even I can see, however, that it doesn't apply to just helping your neighbor. Anyone want to start a not-for-profit that helps secure folks who can't afford to pay for their own IT staff?

Some of you, however weren't quite so enthusiastic. You've had your fill of providing free consulting services. And I understand. We all have to make a living and do things other than other people's work in our free time. If you find it's hard for you to create the types of boundaries that will prevent overload, perhaps you can provide service in another way. Maybe you'd be the perfect public speaker? You don't have to fix things, just get others interested in doing so.

No one is suggesting that this become a second full-time job. And yes, there really are lots of small businesses that can afford to pay for a little bit of help. You may find that by helping home users and small businesses, you can get a foot in the door. For example, one visit to get them started is free, but any work afterwards you will charge for, or any work over an hour, and so on. Maybe you can turn a desire to evangelize security into a part time business.

Martin Criminale provided his own short list, and even keeps a Web page, http://www.criminale.com/martin/computer.asp, with helpful, consumer-oriented security advice. Martin had the following to say:

• Make sure that the firewall is applied to all the computer's network connections. I've seen lots of laptops that had the Windows XP firewall turned on for the Local Area Connection but not for the wireless card.
• Disable or remove the wireless card before installing or reinstalling the OS. I've seen tons of admins perform a "clean" install of Windows on a laptop with the wireless card still in. And then wonder why they got infected before they could install the service packs and patches, even though no Ethernet cable was plugged in. Duh…
• Check to make sure that the AV software subscription is still current/active. Many PCs come with some anti-virus software installed and many users just let it expire.
• In addition to current AV software, I also recommend that users (especially home users, who by default are members of the Administrators group and can write to their hard drive) install spyware-blocking software. Two really good ones are Ad-aware, http://lavasoft.element5.com/software/adaware and Spybot, http://www.safer-networking.org.
• Not only should the user have the most current version of their e-mail client, they should update their copy of Microsoft Office (if they have it) until every update is installed.
• If they're using XP, check to make sure the Guest account is disabled and that all user accounts have a (reasonably) strong password.