Wednesday, April 06, 2005

WINDOWS :: Sidestepping Microsoft's Internet Security Problems

To this day, the biggest complaint of most Linux or Apple users about Windows is regarding the horrible security loopholes in Microsoft's Internet Explorer web browser. Even many seasoned Windows veterans are getting fed up with the constant patches and updates that attempt to stem the never-ending tide of spyware and viruses that take advantage of those loopholes to get on your system and make a mess of things.

The biggest cause of these security holes is Microsoft's reliance on a pointless technology called "ActiveX". Now this isn't to be confused with "DirectX", which is Microsoft's software for 3D graphics processing, among a few other things related to gaming and multimedia. ActiveX allows a web designer to write small programs that install themselves on your computer when you access their site. It was originally intended to make the site a little more interactive. For example, when you visit WindowsUpdate.com, you are asked for permission to install an ActiveX control from Microsoft. This little program scans your computer's configuration, then compares that with what Microsoft has available in their update library. Then, you are shown only those updates that are of use to your computer.
The problem with ActiveX is that it's a little *too* flexible. A malicious programmer can write an ActiveX program that sneaks onto your hard drive (without even asking you for permission to install), and then sits and waits until you search on Yahoo for "cookie recipes", then quick-formats your hard drive. (!!!)
This little "feature" is one reason Microsoft is continually patching Internet Explorer, which really becomes a hassle since MS refuses to dump ActiveX. They still think it's the best thing ever, and apparently plan to stand by their mutant child no matter what happens. One reason for this unexplainable behavior may be that they have built their entire Windows product update infrastructure around the capabilities that ActiveX provides.
Of course, there are many other things that Microsoft would be well-advised to adopt in the interest of keeping their customers happy, but that's not something I will go into here.

So, how to secure yourself effectively, and most importantly, for FREE? One URL says it all for the first part: www.getfirefox.com
Mozilla's Firefox internet browser project was just recently released out of its previous beta stage, which means that the developers feel they have all the major bugs worked out. For those who already use it, you know that the beta version was actually quite stable and feature-packed anyhow. Firefox is completely free, does not allow ActiveX, and even includes built-in popup blocking and a search bar with Yahoo and Google (among many other services) ready to use, right from within the browser itself! Heck, Firefox will even import your Internet Explorer bookmarks for you! How's THAT for service?
Many malicious spyware/adware bugs take advantage of IE's security holes to do some nasty stuff (permanently changing your homepage to an advertising or "search engine" site, etc.). If you are using Firefox you will still get some spyware/adware on your system, but none of it will be the truly nasty stuff. For the most part the worst you will see while using Firefox is an occasional tracking cookie or registry entry.
By the way, for those of you that think getting rid of ActiveX usability is bad, consider this: any web developer that requires the use of MS' Internet Explorer is either a very amateur developer (and therefore won't likely have much of interest on his/her site), or has "other", more sinister reasons for forcing you to do it his/her way. A well-done website should be accessible by almost any browser, but at the very least Internet Explorer, Firefox and Netscape.
So now you have a nice, tight, secure and most importantly, FREE browser in place. What else?

Well, another major hazard source comes from viruses. Or virii if you're one of the geeks caught in that particular endless debate. There are two major programs that will take care of these monsters for you: Norton's Antivirus and McAfee VirusScan. Yes, you do have to pay for these programs, but your money goes to a worthy cause. These companies spend millions of dollars every year to keep a harem of uber-nerds on staff, who write virus detection patterns within minutes of a virus's initial discovery. While I do recognize that Trend Micro does put out a free Housecall scanning tool, you need to know that Trend Micro is a very good product, IF you plan on spending a few thousand dollars for the Corporate-level license. The online scanner they offer is also ActiveX-based. Uh oh. Do yourself a favor and buy a copy of McAfee, or my personal fav, Norton's. The current versions of both will also detect and remove spyware/adware, BUT, they do NOT remove all of it. No single product does, unfortunately. You can solve this problem by reading on.

Norton and McAfee do a great job offering peace of mind on the Internet, and their added ability to scan for spyware/adware is a huge plus, but in order to get all of those buggers out, you will need to throw a triple-threat at them. You can do this by downloading two free programs. The first is called Spybot - Search & Destroy, and the second is Ad-Aware. There are multiple versions of Ad-Aware, but the SE Personal Edition is free. Spybot is universally free. Download them, install them and let them get their latest updates before running a scan on your system. It wouldn't be a good idea to run them both at the same time, though.

Now, you are secured against viruses (or virii), spyware/adware, and malicious ActiveX controls. Wait, what about worms? That nasty, pervasive type of virus that actively crawls the web, looking for open connections and attempting to hijack your machine so it can bring your PC to its knees as it replicates and emails itself to all of your Outlook contacts? They are a different story. A regular virus comes to you through an infected email or file download, while worms can make their way onto your drive all by themselves. They can infect your poor PC even if you don't have a browser open, if you are connected to DSL (logged in of course) or cable broadband service. Norton and McAfee will both make a stellar attempt at keeping these things off of your drive, but they can only do so much. Some worms can even mimic regular web traffic, so antivirus software can sometimes let them right in! Bad news. Many people never even know they've been infected until their Service Provider sends them an email, threatening to cut off their service if they don't stop mass-emailing (spamming) from their computer. The hapless victim didn't even realize this was happening, because it's all going on behind the scenes, just as the real spammers who created the worm intended. Why should they invest in all the hardware and take the risk with their own internet service providers when they can simply use your computer and those of your friends to spread their evil?

You CAN stop them from getting to you. You need a firewall. There are two ways to get one though, and in the end it's up to you to decide which method is better. If you have multiple computers connected to a broadband service, then good for you! You probably have a router installed. A router, just through the nature of how it functions, provides a relatively secure and affordable hardware firewall. Don't mess with the router's settings, and you can sleep peacefully tonight, for a router left at default security settings is nearly impenetrable. Wait, scratch that. You should mess with at least one setting on that router: its access password setting. Most decent hackers are aware of the major router brands sold today, and through trial and error, can work out which one you have and use the default password to get into your router and open your computer to the world once more.
If you only have one computer in the home, or are on a dialup connection (modem), a router won't be a very useful choice for you. In your case, there are software solutions that can perform the same protection duties, but that give the user a little more control over EXACTLY what gets to talk to the internet, and what does not. They can help expose a potential infection when the firewall software asks if a program that the user doesn't recognize can access the internet. There is a bit of a learning curve with these programs though. They will force you to become a little more familiar with some of the normal everyday Windows processes that communicate with the web, and can be safely allowed to do so. Norton puts out one such program in their Internet Security bundle, which also includes their Antivirus software. McAfee offers Personal Firewall, and Zone Labs puts up ZoneAlarm.
All three programs seem to be very effective, although I admittedly have limited experience with them (see my DIY article here on TopLevel to understand why). Among those three, ZoneAlarm is the only freebie.

That's it! With those items in place, and with scans run regularly once a week, you can surf your heart out and know that no matter where you go, there you are... I mean... you'll be secure.

I know that all this sounds like a lot of extra effort, but it really isn't. I mean, if you think about it, wouldn't you rather just clean house once a week rather than being forced to reformat your hard drive to get rid of the more tenacious bugs that you could get? Yeah, I thought so too.

Deadweasel has a worm farm on his back patio, but they never do any hacking.
