Thursday, September 30, 2010

Windows XP Security - Linux Alternatives

This is the fourth and (intended) final article in a series on Windows XP security. The first three focused on cleaning malware, preventing malware with software and preventing malware with defensive computing habits. This article will identify how to prevent operating system level malware by switching operating systems.


There are a lot of reasons why Windows, in all its versions, has the predominant market share in desktop computing. Discussion of those reasons would branch into the depths of marketing practices and technical merits. Without going there, I'd submit that at the end of the day it is due to preloading. Virtually every retail PC sold has Windows preloaded. Not many consumers will take time to research alternatives, learn new skills and potentially spend additional dollars when they have something that works. As long as it works for you, I agree. For those that find it not working, at whatever threshold that is for you, continue reading.


For the vast majority of home users, at least those that I deal with that don't make their living in some form of technical field, it doesn't matter what they're running. Any device that allows web surfing, web mail, plays video and handles file attachments (documents and spreadsheets) will do just fine. With that market segment in mind, major PC manufacturers have started offering alternatives, as Dell does with Ubuntu (a distribution of Linux), often at reduced prices, because almost all distributions of Linux are free.


The good news is that PC owners don't have to buy a new system to try a new operating system. It can be downloaded for free, tried without any risk or changes to the current operating system, then installed in a variety of co-existent or replacement modes. All at your own pace and comfort level.


Many choices exist for free and open source operating systems. Most will be some base form of Linux assembled into a bundle of applications called a distribution. The selection of which distribution is "best" or "right" is subjective, however all will offer security advantages over *a default* Windows XP installation. This is primarily because Linux distributions, like all Unix variants, are designed to work with the principle of "least privilege". Users do not run as system administrators. If an elevated level of access is required, the user is prompted for their password, the task is completed and then the default level of privilege is restored. All applications will run within this security model without additional steps. As described in earlier articles, it can be implemented in Windows XP, but not all applications will run seamlessly with this change. There have been modifications to the architecture of later versions of Windows, but this series focuses on XP.


For the majority of Windows users looking for alternatives, I believe Linux Mint will make for an extremely smooth transition. Linux purists will howl at this statement, but it is the most "Windows like" right out of the box. What it means to the "average" PC user is that it provides full multimedia support without any extra effort, meaning that you can listen to MP3s, watch DVDs and view web pages that require Flash technology right after install. Wireless internet connectivity and printing will work seamlessly as well.


As many Linux distributions do, Linux Mint combines the installation CD with a Live CD that will run the full operating system straight from the CD, without modifying the hard drive. Download the "Live CD, 32 bit, The standard version" from http://www.linuxmint.com/download.php. The .iso file you've downloaded is a CD image, meaning it must be opened by a CD burning program that can use it to make a CD. This is different than simply burning a file to CD. If you need a CD burning program for Windows, a good free one is CDBurnerXP from http://cdburnerxp.se/. The same site describes how to burn an ISO image to CD at http://cdburnerxp.se/help/Data/burn-iso.


Boot from the CD for a couple of sessions and see how things work. Recognize that booting from the CD will be much slower than from an operating system installed to the hard drive because of the orders of magnitude speed difference between the two disk technologies. When you're ready to install to the hard drive, for the speed improvement and the ability to save your customizations, back up your data! Then you have several options: installing under Windows as any other application; installing in dual boot mode; completely replacing Windows XP as the sole operating system on the hard drive. There are advantages to each. Booting from the CD, selecting the Install icon on the Desktop and installing in dual boot mode may be the most comfortable choice for those starting out.


Additional information is available in the excellent Introduction to Linux Mint document, the Ubuntu (on which Mint is based) community documentation and many sites with guides to getting started using Linux for persons whose only experience is Windows. If you want a system that runs clean and fast, and stays that way, it may be worth your time to do a little reading. Don't be afraid to experiment either; with computers it can be the best way to learn.


In this series, I've attempted to cover the short course on tools and techniques I use when pressed into service to assist someone with a malware problem on Windows XP. The articles have covered cleanup, two types of prevention and my recommended alternative for almost everyone (especially anyone I've helped more than once). There are other similar articles around, written for their own purposes. This series provides the answer for when I'm asked "what would you do?".


Now you know.  Enjoy.


Edited 2010.10.04 - Added Ubuntu community documentation reference.

Wednesday, September 29, 2010

Windows XP Security - Safe PC Usage

This is the third in a series on Windows XP security. The first two focused on cleaning malware and preventing malware with software. This article will identify how to prevent malware with defensive computing habits.

The lists below are terse. Quick soundbites, easily digestible. Not so easily explained. The rationale behind some, including attack vectors, exploits and countermeasures, could fill volumes. There are many blogs by security experts that cover vulnerabilities and exploits extremely well. In this space we'll just focus on practical security measures, again for the "average" PC user.

Safe Computing

  • Don't log in with Administrator rights. Make yourself a standard user and Run As... a separate Administrator privileged account only when needed. At the very least, run applications that connect to the internet with reduced privileges via programs such as DropMyRights.
  • Don't install programs unless they're absolutely necessary. Screensavers, wallpaper switchers, video players, system "upgrades" and other freeware utilities often have a hidden (malware) reason they're free.
  • Install programs only from trusted sources such as SourceForge at http://sourceforge.net/ or those reviewed by reputable third parties such as Gizmo at http://www.techsupportalert.com/  (yes, the name - I know) or to a lesser extent CNet at http://download.cnet.com - read the user reviews, not just the editor rating.


Safe Surfing

  • Select websites from Favorites/Bookmarks or manual typing
  • Never click on links in email, even from a sender you believe you can trust
  • Search for websites instead of guessing the URL or risking a typo
  • Use different passwords (and userids) for each website (use an encrypted password database like KeePass)
  • Heed the warnings provided by McAfee SiteAdvisor in searching for websites
  • Examine SSL certificate security warnings, don't just click through them
  • Close popups via the taskbar vs clicking anywhere in the popup - right click on the taskbar, select Close
  • Consider carefully entering personal data on a site that has a "This page contains both secure and nonsecure items" warning when visited
  • Understand unexpected program launches caught by the outbound firewall
  • Log out then close all browser windows after done using any site with financial transactions
  • Keep only one browser window or tab open when performing financial transactions, don't multi task by general surfing
  • Remember "Google is your friend" - search for file names, program names, virtually anything that you encounter that you don't understand. You don't need to be a computer genius to understand most results and make decisions.

Notes

  • Firefox will not make you invincible.
  • Even trusted websites can be compromised by partner content or bad programming
  • NoScript is good, but actually makes you more susceptible (by default) to ClickJacking
  • No one security program can do it all - think before you click

Tuesday, September 28, 2010

Windows XP Security - Protecting a Clean PC

Part two in a series on Windows XP Security. This article focuses on keeping a clean PC clean, free from malware. We're going to start with the assumption that we have a newly loaded Windows XP machine, preferably from the manufacturer's recovery CD, not yet connected to the internet. Possibly even from a cleanup on an infected machine, using techniques described in the first article in the series.

The steps below can be done in virtually any order, however do not place the clean machine directly on the internet without having installed a hardware router. Don't wait to do it later; you're not as fast as the bad guys, who are automated. Also, some may question the necessity of installing this many tools. Each covers primarily one space and together they implement what is known as "defense in depth".

As with the first article's selections, the tools chosen may not represent an absolute best in breed, but focus on tool availability (aka "free") and potential acceptance for the "average" Windows PC user.   Based on personal experience with these recommendations, I believe they are within the grasp of all moderately experienced computer owners.

  1. Install a hardware router in between your home network and the cable modem. Even if you only have one machine. Even if that machine is wired. Even if you don't think you can do hardware. Because of the firewall implemented in the router, this greatly reduces the threat exposure and network load on your PC. One I've recommended and installed for friends and family which is absolutely foolproof is the Cisco - Linksys E1000.
  2. Install all updates from http://windowsupdate.microsoft.com   Configure automatic updates to occur on a scheduled basis, using the link on the site. Note the firewall warning below.
  3. Set a system restore point following the instructions at http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx . This can be done multiple times when known good configurations are achieved and in theory reverted to in the event of system corruption.  This is a good point to make the first one.  Learn how to restore from one too, before you need to.
  4. Install a firewall that blocks outbound connections. This is noisy at first because the first time you start each application the firewall will ask you if you want to allow the connection. If you can be certain that the requested action is the direct result of an application you started, create a rule for it and you won't be asked again. One caveat is that you may have to manually run system updates as the firewall can block this process. Well worth it. My recommendation here is: Comodo - http://www.comodo.com/home/download/download.php?prod=firewall
  5. Install Microsoft Security Essentials. This contains anti-virus and anti-spyware from the mother ship, for free. http://www.microsoft.com/security_essentials/  Note that the vast majority of anti-virus applications on the internet are frauds. They themselves are malware. Choose from a major vendor or a trusted freeware evaluation.  These protections focus on free software tools. Particularly in the anti-virus space, there are excellent paid alternatives such as (in alphabetical order) Kaspersky, McAfee, Nod32, Symantec and Trend Micro.  Your ISP may provide one as well.
  6. Install a monitor that watches when applications are added to one of the multiple startup areas on your PC. You will be asked for permission before the application (or malware) can embed itself there. Don't just say "No" to malware attempting to install an auto-start however; you'll still need to deal with the malware running somewhere on your machine. One warning to this is that some programs that have auto-updaters will attempt to have their "Check for updates" program install each time they're loaded. It can be a nuisance, but the trade off is improved performance and free memory. You choose. My recommendation here is: Startup Monitor http://www.mlin.net/StartupMonitor.shtml
  7. Switch from Internet Explorer to Firefox. I'm not going to wade into the fervor that surrounds this one, however there are several add-ons to Firefox that I feel make the difference for the average user. Install Firefox from Mozilla, then the following add-ons: AdBlock Plus and optionally NoScript. NoScript may disable valid functionality on sites that you want to re-enable on a per-site basis (the discussion can get complicated quickly on this one). Like the firewall, this activity will be less over time, but helps reduce some browser based exploits on untrusted sites.  http://www.mozilla.com/en-US/products/download.html 
  8. Install McAfee SiteAdvisor to provide a first level threat rating of sites returned in Google searches. http://www.siteadvisor.com/  This ties directly to a safe computing recommendation (for the next article) - never type a url directly - search for it, then click the correct result.
  9. Install Microsoft DropMyRights and configure to be able to run Firefox, Internet Explorer, and Outlook Express for example, with non-administrator icons. http://msdn2.microsoft.com/en-us/library/ms972827.aspx The following article de-mystifies implementation http://cybercoyote.org/security/drop.shtml  An alternative which is even better is to run everything as a non-admin, as described below.
  10. Run as non-administrator. This really should be first (second behind the hardware router/firewall) but is last because of the amount of software to be installed listed above. In daily computer usage, new programs are almost never installed and so administrator rights are not needed and in practice are almost always a bad thing. Open the Control Panel, start the User Accounts applet and create a new account. Give it administrator level rights. Log in as the new administrator account, open the User Accounts applet again and drop your original account to a standard User. Ensure that the Guest account is disabled. Ensure that all accounts have non-trivial, different passwords. Log in to the original account. You're done, start surfing. If you ever find the need to run as an administrator, don't log in to the administrator account; instead right click the program and select Run As... choosing the created administrator account.
One step not listed above because it isn't really a preventative step is backing up your data. Select a program and process that is workable for you. Then execute it on a regular basis. How often depends on how frequently your data changes and how much you can afford to lose. I would personally recommend backing up to an external hard drive. Others favor burning to DVDs with offsite storage rotation. Just do something.
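The same account changes as step 10, done from a Command Prompt rather than the User Accounts applet, as an added example that is not part of the original article. "NewAdmin" and "YOURNAME" are placeholders for the separate administrator account and your everyday account; run this while logged in with administrator rights.

```batch
@echo off
rem Added example (not from the original article): step 10 of "Protecting a Clean PC"
rem using the built-in net and runas commands on Windows XP.
rem ASSUMPTION: NewAdmin is the new administrator account, YOURNAME is the daily account.

rem 1. Create the separate administrator account. The * makes net prompt for the
rem    password so it does not end up in the command history.
net user NewAdmin * /add
net localgroup Administrators NewAdmin /add

rem 2. Drop the everyday account to a standard user. Group membership changes take
rem    effect at the next logon, so log out and back in afterwards.
net localgroup Administrators YOURNAME /delete
net localgroup Users YOURNAME /add

rem 3. Give the everyday account its own non-trivial password (prompted, as above).
net user YOURNAME *

rem 4. Disable the Guest account.
net user Guest /active:no

rem 5. Verify: Administrators should list only NewAdmin and the built-in Administrator,
rem    Users should list YOURNAME, and Guest should show "Account active  No".
net localgroup Administrators
net localgroup Users
net user Guest

rem 6. Later, from the standard account, the Run As... step for an installer is:
rem    runas /user:NewAdmin "C:\path\to\setup.exe"
```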

While we're at it, if you're using a constantly on desktop PC, consider investing in an Uninterruptible Power Supply (UPS). Not only will they provide battery backup in the case of power failures, they can condition line voltage to extend the life and reliability of your equipment.


Additional information on protecting your Windows PC can be found at http://www.microsoft.com/security/pypc.aspx and many more places on the web.  Remember "Google is your friend."

Disclaimer - no warranty is expressed or implied by this article.  Proceed at your own risk.  Understand all directions and consequences before using any tools or making any system modifications.  I have no affiliation with any product, service, or retail establishment listed above as they are given for illustration purposes only.

Monday, September 27, 2010

Windows XP Security - Cleaning An Infected PC

Every so often I'm asked for advice on PC's. Usually running Windows XP. Typically running so slow that the owner is ready to buy a new one. The question then usually comes in one of the following two flavors: "What computer should I buy?" or "What would you do?". To avoid keeping anyone in suspense, my two answers are "The computer you can afford, which you can test running all the applications you want to use." and "Backup all data, reload an operating system, prevent it from happening again." respectively.


So for those adventurous souls that want to remain on Windows XP and control their own PC destiny, I've decided to write what will likely be an article series on my recommendations for the following Windows XP Security topics: Cleaning an Infected PC; Protecting a Clean PC; Safe PC Usage; Linux Alternatives.


The series will cover malware software issues on marginally running machines. Not software boot errors. Not hardware problems. Not Windows versions other than XP.  Not using tools I personally haven't had some measure of success with.  Let's get started.


Like most who find themselves in their circle of family and friends as the designated "computer expert", I have my own answers to both questions in the first paragraph, using my own set of preferred tools and techniques. While this is not part of my current professional role, in the past I have been part of infrastructure support teams. That experience guides some of my choices but really isn't reflected directly in the tools and techniques chosen. Mostly because I've chosen to focus on tool availability and comprehension for the "average" Windows PC user. For this reason as well, some tools and techniques might not be the choice of the experienced technorati, but should be well within the grasp of most and still provide good results.


If you're unsure if this is what you want to do, those with virtually unusable PC's have the following options:


  • Pay a computer tech to fix the problem. The well known Geek Squad charges fees that start at $149 for in store service.  I've personally known friends that have paid close to $300 when everything was said and done. Too expensive for me.
  • Buy a new computer. A decent laptop will still set you back around $600. This is the most expensive option, and does have the advantage of temporarily having a new machine. If the problem machine still exceeds specs for the applications you need to run, I'd rather make sure it's truly hopeless before going this route.
  • Fix it yourself. Obviously where this article comes in. The financial cost of this route is minimal, limited to a blank CD or two and possibly a USB flash drive. It's likely that most people already own both. The real cost here is time, potentially lots of it.

Realize that in order to save hundreds of dollars in support fees or for a new system, you are becoming your own computer expert. You don't have to be an expert in every computer domain; that's impossible for anyone. You just have to become enough of an expert this one time to fix this one problem. Another thing that is impossible is for this article to contain enough prescriptive advice to cover every situation and every tool usage scenario. As an aside, it's primarily for that reason that I've resisted writing an article like this before now. Therefore, the instructions provided assume some level of computer usage (not support) proficiency and leave it up to the reader to Google specific questions regarding a tool or technique recommended.


Having a cleanly running second computer available to search for information, download utilities, burn CDs and other tasks can make this odyssey a whole lot faster and easier, effectively determining the success of the effort.


Backup Data

Backing up data at this stage, before any changes are attempted, carries the risk of potentially backing up infected files, such as malicious macros contained in documents and spreadsheets, but do it anyway. If something goes wrong later, it will be worth every second spent. You can always make a second known good backup later.


  1. Create a bootable CD from a Linux live cd distribution on a working system. Linux Mint is a good choice.
  2. Boot the suspect system from the CD. You may need to set the boot order in the BIOS of the system to select the CD ahead of the hard drive.
  3. Copy all data to a USB flash drive. 8 GB USB drives can be found on sale for under $20. Booted using Linux Mint, select Menu then Computer. Those who have used copy and paste file operations with Windows Explorer should be comfortable copying directories to the USB device.
  4. Make sure that data for all users is backed up. Look in "C:\Documents and Settings" to see the profiles of each user on the machine. Under each, good starting choices for backup would be "My Documents" and "Favorites".
  5. Only backup data files such as documents, spreadsheets, presentations, financial, music, photos, etc. Don't backup the actual applications themselves.
  6. Backup your product keys, especially for Microsoft products such as Windows and Office. Product key finders can make this easier. Some applications will list their keys under the menu items Help / About.

Set Limits

Don't skip this step. Even for experienced PC technicians, cleanup can take hours of research, utility execution and experimentation. Professional support teams usually have limits on the time they'll expend investigating unknown problems, some as short as 10 minutes for an unusable machine, before they reimage (reload) the operating system on the machine. It's faster (and more enjoyable) to reconfigure a clean, fast machine once reloaded than to spend more time trying to clean a painfully slow infected one.


Clean Up

Download the tools below on a known good machine. Malware may block and/or infect these as they download and attempt to run. Plus the performance will likely be terrible, which is why you started this in the first place. Burn to a CD, not a USB flash drive, so the tools are on a device that malware can't corrupt. Boot the suspect machine in safe mode with networking by pressing F8 once a second or so after the BIOS splash screen (the first screen of any type) displays. Log in as administrator, insert the tools CD you just burned, and run or install each one at a time, according to directions on the download site. Some may not run in Safe Mode and will tell you so. It's still best to try first.


  1. McAfee Stinger - http://vil.nai.com/vil/stinger/  Follow the steps on the download site.
  2. Ad-Aware - http://www.lavasoft.com/  Install the application and all updates. Run a full scan.
  3. Spybot-S&D - http://www.safer-networking.org/en/index.html  Install the application and all updates. Run a full scan.
  4. CCleaner - http://www.ccleaner.com/  Install and run the application. Use the Tools to investigate and Disable any suspected malware that is set to Autostart.  Google Tools you don't recognize by File, initially disabling (vs deleting) ones that are suspect.  Analyze and clean the system with the Cleaner. Scan and clean the Registry.  Reboot after usage.
  5. Malicious Software Removal Tool - http://www.microsoft.com/security/malwareremove/default.aspx  Install the application and run a full scan.  Note that the tool itself is updated the second Tuesday of every month, with additional threat removal capabilities.
  6. Browser Hijacks - For Internet Explorer, follow the steps at http://www.microsoft.com/security/spyware/browserhijacking.aspx  For Firefox, follow the steps at http://kb.mozillazine.org/Standard_diagnostic_-_Firefox  You may want to have a clean download of Firefox on the CD.

The next set of tools are actually built into the Windows operating system.  No download needed.


  1. Task Manager - Ctrl-Alt-Del, choose Task Manager. Choose the process tab and look around. Columns can be sorted by double clicking on the header. Start with Googling "Image Name"s that have high CPU utilization, either constantly or in spikes. Stop any that you believe are malware by Right Clicking, then choosing End Process. Choosing the wrong one may de-stabilize your system.
  2. Service Management - Press the Windows Key + R, type services.msc, press ENTER.  Focus initially on items that show Startup Type as Automatic. Google ones you suspect, then Disable by right clicking, selecting Properties... and using the dropdown for Startup Type.
The next tool isn't for downloading and burning to CD, but for execution on a machine that is running to the point where it can reliably bring up a browser to connect to the internet.
  1. Trend Micro Online AV Scan - http://housecall.trendmicro.com/

Deep Cleaning

Can't get the anti-malware programs to launch from the CD? Perhaps a window or splash screen opens momentarily and then goes away? You no longer own your machine: a malware supervisor program is controlling what loads. Seriously think about reformatting the drive and reloading everything. If you're still in the game, these next two bootable CDs may keep you going. Focus initially on populating only the anti-malware tools. Be sure to have your original Windows CD handy. Building these is another task to perform on a clean machine.


  1. BartPE - http://www.nu2.nu/pebuilder/
  2. UBCD - http://www.ultimatebootcd.com/

A good summary of bootable utility CDs is available on LifeHacker.  Another good summary, including using PhotoRec to recover deleted files, is from CGSecurity.

Investigate

These can be used at any time. Check for high CPU utilization, strange file/process names, listening ports open to sites you don't recognize, etc. This is the truly deep dive territory, but remember - "Google is your friend".


  1. Process Explorer - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx  Lists all running processes and open files.
  2. CurrPorts - http://www.nirsoft.net/utils/cports.html  Lists all processes and applications which have open connections (ports) to the internet, potentially sending out information or waiting for instructions.
  3. HijackThis - http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html  Lists all locations on the PC that processes are started from.
  4. WinDirStat - http://download.cnet.com/WinDirStat/3000-2248_4-10614593.html  Graphically displays disk space utilization.
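A first pass at the same three checks (running processes, listening ports, autostart locations) using only commands built into Windows XP, as an added example that is not part of the original article. It writes everything to one text file so the names can be carried to a clean machine and searched; the report path and the choice of registry Run keys are my assumptions.

```batch
@echo off
rem Added example (not from the original article): quick triage report for the
rem "Investigate" section using tasklist, netstat and reg, all built into Windows XP.
rem ASSUMPTION: run from an administrator Command Prompt; REPORT is an arbitrary path.
set REPORT=%TEMP%\triage-report.txt

echo === Running processes with CPU time (sort by CPU Time, Google the odd names) === > "%REPORT%"
tasklist /v >> "%REPORT%"

echo === Services hosted in each process (match to services.msc) === >> "%REPORT%"
tasklist /svc >> "%REPORT%"

echo === Open and listening ports with owning PID (match PID to tasklist above) === >> "%REPORT%"
netstat -ano | findstr /i "LISTENING ESTABLISHED" >> "%REPORT%"

echo === Autostart registry locations (what HijackThis and CCleaner Tools inspect) === >> "%REPORT%"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" >> "%REPORT%"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" >> "%REPORT%"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" >> "%REPORT%"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" >> "%REPORT%"

echo Report written to "%REPORT%"
echo Disable (do not delete) a suspect service with: sc config ServiceName start= disabled
```

An executable name that appears in the Run keys, holds a listening port and shows high CPU time is the one to research first; deleting nothing until you have looked it up keeps the machine bootable.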

So in closing, manage your time carefully and consider my original advice: "Backup all data, reload an operating system, prevent it from happening again." Backup was covered in this article, we'll get to the rest later.


Disclaimer - no warranty is expressed or implied by this article.  Proceed at your own risk.  Understand all directions and consequences before using any tools or making any system modifications.  I have no affiliation with any product, service, or retail establishment listed above as they are given for illustration purposes only.


Edit 2010.09.28 - Added specific browser hijack advice.  Clarified a few lines.
Edit 2010.10.04 - Added product key backup.
Edit 2010.10.15 - Added bootable CD links

Sunday, September 26, 2010

Struts 1.x Logical Flow

Java programmers should be familiar with Apache Struts as an extremely popular free and open-source framework for creating web applications. Although the 2.x branch of the project is the one currently being developed, the 1.x version continues to be widely used for a variety of reasons.

At one point a couple of years ago I found myself needing to explain the control flow through Struts 1 and was unable to find a visual representation that illustrated what I was thinking. Therefore I created the logical control flow shown below.


It does bear some resemblance to a spaghetti chart, but does illustrate several elements of a simple Struts control flow. While originally created for a single purpose, uses for it still surface occasionally in various forums, so I thought there may be some value in posting it for those learning or teaching Struts 1.

Permission to use, copy, modify, and distribute this graphic is freely granted, provided that the original authorship notice is preserved.

One more thing out of my GTD "Someday" category. Enjoy.

Saturday, September 25, 2010

Collected Entropy - 2010.09.25

Collected Entropy since the last post with this title. No particular order, rhyme or reason. Mostly too long to tweet.

Special limited time only, while they last, small town edition. 

  • Marshville is the home of Randy Travis, poultry processing plants and the annual Boll Weevil festival of Union County held last weekend. Even based on the eradication of tiny bugs...you just gotta love small town celebrations. Seriously. Charlotte may think they've outgrown them, but here are a few more small towns that haven't.
  • Unionville is having its annual BBQ in a little over a month. Don't let the fact that the event is held at an elementary school fool you. These folks are serious about BBQ and on a large scale. Check out the photos from last year, then mark your calendar for the first Friday in November.
  • In keeping with the small town trend of this post, here is a calendar of other small town festivals coming up in Union County including the BBQ cookoff in Waxhaw on October 8-9th.
  • Finishing off with a small town that has a big reputation...the 27th annual BBQ festival will be held in Lexington, NC on October 23rd.    Be sure to sample some of the Monk family's BBQ from Lexington #1.

Saturday, September 11, 2010

Collected Entropy - 2010.09.22

Collected Entropy since the last post with this title. No particular order, rhyme or reason. Mostly too long to tweet.
  • "Do you prefer murder, misogyny or simple undirected anger?" Why does this question from the Sept 9th 'Zits' comic strip seem a little too close to real life.
  • Memorials are to help people remember, even keep them motivated. Apparently there are still people in federal agencies that understand that.
  • The Charlotte Observer started a public insight network to provide a structured way to obtain reader opinions. If they listen to views that differ from the editorial desk, this might be a blended media experiment that seems worth watching.
  • Cambridge MA may have Harvard, MIT and now parking tickets with yoga positions printed on them. To reduce the stress of the ticket. You can't make this kind of news up.

Friday, September 10, 2010

Collected Entropy - 2010.09.10

Collected Entropy since the last post with this title. No particular order, rhyme or reason. Mostly too long to tweet.
  • Parental fears and reality don't always line up very well. As a parent, are you worrying about (defending against or preparing for) the right thing? Analysis by the NPR, citing independent sources, might help with the decision.
  • Comedians typically find easy pickings from the world of politics, at the expense of the politicians. Now it seems some politicians are taking their message directly to the comedians. What happened to reasoned analysis and debate?
  • The next time that someone trots out the old "bear in the woods" footrace analogy to belittle some problem, try explaining the prairie dog ecosystem to them as described by Robert Hansen. You'll get a business security perspective and an executive evaluation in the same article as a free bonus.
  • An example of where gun control worked, in Miami of all places, from the SunSentinel.

Thursday, September 9, 2010

Capitol Tour

Fascinating perspective on what the Founding Fathers believed and the meaning behind their words as they framed the documents which formed the United States. I'll let David Barton do the rest of the talking.



A hat tip to B.T. for sending this my way.