Result for URL: http://dwheeler.com/essays/securing-windows.html
Securing Microsoft Windows (for Home and Small Business Users)
[1]David A. Wheeler
2006-03-29 updated 2011-10-05
Here are some tips on how to secure your Microsoft Windows system, if you're a
home user, small business user, or other small organization user (such as small
non-profits).
Introduction
Since I work in computer security I occasionally get asked by Microsoft Windows
users questions like "I got this strange error message -- do I have spyware?" or
"How do I keep my [Windows] computer secure?" Large businesses employ people who
secure computer systems as a full-time job, but that doesn't help if you're a
home or small business user.
Why Should You Secure Your Systems?
You can't ignore the problem -- if you ignore security, and connect to the
Internet, your Windows machine will almost certainly have serious security
problems, and soon. One study found that [2]an unpatched Windows XP system only
lasted 4 minutes on the Internet before it was compromised. The [3]"AOL/National
Cyber Security Alliance Online Safety Study" of October 2004 determined that 80%
of Windows users were infected by at least one spyware/adware product. Many
organizations such as [4]BusinessWeek have reported on spyware and other Windows
security problems. Researcher [5]Ben Edelman did a test where he installed one
WindowsMedia video file, and through its digital rights management mechanisms it
deceptively installed 31 spyware/adware programs. He noted that "All told, the
infection added 58 folders, 786 files, and an incredible 11,915 registry entries
to my test computer. Not one of these programs had showed me any license
agreement, nor had I consented to their installation on my computer". ([6]Edelman
provides much more information about spyware if you're curious). [7]The top six
reasons that Explorer crashes aren't traditional defects - they're side-effects
of a virus infection (Windows is the only OS with a serious virus problem).
Attacks are more serious now, because they're no longer just kids' pranks.
[8]BusinessWeek reported in February 2006 that profits from cyber crime were
higher than profits from the sale of illegal drugs for the first time in 2005.
[9]NetworkWorldFusion stated on December 13, 2004 that "a spyware program can
send corporate data directly from your company's client computers to an
Internet-based data collection facility, such as a shady adware site or other
group of bad guys". It also said that "some spyware sends captured data to North
Korean intelligence agency servers. The North Korean government analyzes what it
captures, sells the data to criminals and organizes international distributed DoS
attacks. South Korea's defense ministry recently said that North Korea has
trained more than 500 computer hackers to wage cyber-warfare against the U.S. The
ministry reported that North Korean militant hackers, who have undergone a
five-year university course geared toward penetrating the computer systems of the
U.S., South Korea and Japan, are among the best in the world". [10]Imam Samudra's
fall 2004 jailhouse autobiography contained virulent justifications for his part
in Bali attacks that murdered 202 innocent people -- and a chapter titled
"Hacking, Why Not?", where he urges others to attack U.S. computers, especially
to perform credit card fraud ("carding") to finance murder and terror. RIAA/MPAA
contractor Overpeer distributes files that appear to be music, but instead open
multiple ad pages and attempt to install software on the viewer's computer
without permission (see articles by [11]PC World and [12]P2PNet). And many
businesses have discovered that they can make a profit exploiting your privacy,
harassing you with ads, and so on. In short, companies doing corporate
espionage, organized crime, terrorists, foreign governments, and people who
simply enjoy causing damage can cause you serious problems with the click of a
button if you don't watch out.
Upgrading to the Vista version of Windows will solve it all, right? No.
[13]Experts agree that Vista will continue to have vulnerabilities. Ben Fathi,
the former head of Microsoft's security group and now the chief of development in
the Windows core operating system group, said at the RSA Conference 2007 in San
Francisco last month that if Vista had half the security vulnerabilities that
Windows XP had, he would consider Vista reaching a "great goal". Eugene Spafford,
executive director of the Purdue University Center for Education and Research in
Information Assurance, says that Windows is inherently insecure, which is why the
market for "anti-virus software, intrusion detection systems and firewalls is so
huge". Graham Cluley, senior technology consultant for Sophos PLC, said, "What
isn't in doubt is that there will continue to be flaws found in Microsoft Vista".
In May 2007 [14]extensive testing by CRN determined that users of Windows Vista
and Windows XP "are equally at risk to viruses and exploits and that overall
Vista brings only marginal security advantages over XP... Vista's security failed
to impress Test Center engineers. Vista remains riddled with holes... [offering]
no improvement in virus protection vs. XP, [and] little or no security gains over
its predecessor against such threats as RDS exploits, script exploits, image
exploits, VML exploits, malformed Web pages and known malicious URLs". In [15]May
2008, John E. Dunn's article "Vista laid low by new malware figures" stated that
"Vista's reputation for improved security could be heading for the pages of
history... new figures appear to back up [PC Tools'] claim that Vista is almost
as vulnerable as its predecessors... [27% of all Vista machines probed] were
compromised by at least one piece of malware over the six months to May 2008".
Don't confuse nagging with security; [16]iReboot's developers conclusively
demonstrated that "Windows Vista ... [makes software development] more
complicated without actually providing any further protection for end users
from malware". Vista certainly isn't making [17]everyone happy, with its many
incompatibilities. Indeed, many organizations have decided that Vista (and/or
Office 2007) is a bad investment - it creates numerous incompatibilities with the
rest of the world, costs a lot of money (e.g., because of forced hardware updates
and retraining), so much so that [18]in 2008, InfoWorld stated that "XP must be
saved". [19]One-third of Vista users downgrade it to XP in 2008, says one report;
another says that [20]in June 2008, 60% of IT administrators have no plans to
deploy Vista. There are even statements that [21]Vista is 'dead'; it'll sell, but
mostly because it comes pre-installed or via forced upgrades.
What is this Paper all About?
I've created this page to give you, the home or small business user, a few simple
things to do that will help make your existing system more secure. This paper is
for those who don't know much about computers, or for those who normally use an
operating system other than Microsoft Windows but suddenly must secure a
Microsoft Windows system. I hope you find this information helpful. You don't
have to do every step, but I've tried to describe what will happen if you don't,
so you'll know what you're risking. [22]Some argue it's easier to constantly buy
new machines to get rid of the spyware - a better way is to keep it off in the
first place.
Many tips are independent of what system you use, but many other tips are unique
or more important to Windows users. Many independent observers agree that Windows
has the worst security record of all operating systems, unfortunately. [23]You
can eliminate the many Windows-specific vulnerabilities addressed here by
switching to an alternative product; even [24]The New York Times' "Tips for
Protecting the Home Computer" by John Markoff in 2007 noted that using a
non-Windows system is a defense worth considering. I always urge people to
consider their options before making a decision -- it's just the smart thing to
do! Nevertheless, for purposes of this paper I'll presume that you've chosen to
use Microsoft Windows, for whatever reason, and that you want to reduce your
risks to something manageable.
The basic ideas here are actually quite simple. We want to create a set of
layered defenses (such as by using firewalls), avoid adding or running arbitrary
(untrusted) programs, replace programs that have a bad security track record
(particularly Internet Explorer and Outlook) with more trustworthy programs, and
keep up with patches. These are all my own opinions -- I represent no one here --
but I offer up these ideas in the hopes that they'll help others protect their
systems, based on experience.
In this paper, "small business" includes small non-profits like churches,
schools, civic groups, and consortiums. I'll use the term "Windows" (with the
initial capital letter) as an abbreviation for Microsoft Windows; the term
"windows" is actually a generic computing term that predates Microsoft's product
by many years.
I'm not an anti-Microsoft person, and please don't read this text as "Microsoft
is always bad". Indeed, I applaud Microsoft for recently training their
developers in how to write secure software (a task their developers didn't know
how to do), and I hope that future products will be more secure (though [25]some
have pointed out reasons to be skeptical). But I'll also condemn decisions
they've made that harm their customers when they've occurred. It's no secret that
this has occurred; even [26]Microsoft's Craig Mundie admitted that their products
were "less secure than they could have been" because they were "designing with
features in mind rather than security" -- even though most people didn't use
those new features. For security, users need to follow some guidelines (to
mitigate the problems), replace those products, or suffer the consequences.
The Tips
1. [27]Don't let computers in kids' rooms, or highly sensitive business
locations, have access to the Internet.
2. [28]Limit and isolate privileges: Make sure everyone has their own user
account on shared computers, don't give most of them "admin" (Administrator)
privileges if you can help it, and rename the Administrator account.
3. [29]Choose good passwords, especially for the "Guest" account.
4. [30]When using the web, never type information you really want private (such
as the password for a bank account) into a non-SSL encrypted page.
5. [31]Get anti-virus and anti-spyware programs. (For example, no-cost AVG
Anti-virus and Spybot S&D.)
6. [32]Make sure you're behind an external firewall, and turn on any built-in
firewalls too.
7. [33]Install patches.
8. [34]Stop using Internet Explorer (IE); switch to a different web browser such
as Firefox (with Adblock).
9. [35]Turn off third-party web cookies.
10. [36]For email, switch from Outlook or Outlook Express to something else if
you can.
11. [37]Disable hidden filename extensions.
12. [38]Never run programs sent via email.
13. [39]Don't just open attachments from strangers.
14. [40]Don't run "pirated" programs. You can use OpenOffice.org to replace
Microsoft Office, and the GIMP to replace Photoshop.
15. [41]Don't download and run arbitrary programs before checking out their
reputation.
16. [42]Ideally you should read any program license agreement ("EULA") before
installing it -- but if you won't do that, at least check its reputation
first (as noted above).
17. [43]Be wary of phishing attacks; limit information you send, especially if
you didn't initiate the interaction.
18. [44]Make backups.
19. [45]Disconnect from the Internet when you're not using it, and turn off the
computer when you're not using it.
20. Tell your younger kids to never reveal their real name, address, email, or
phone number without your permission.
21. [46]If you let your kids have email, configure it so only whitelisted
addresses will be received.
22. [47]Change your configuration so it's harder to attack.
23. [48]Configure your wireless setup to be secure, too.
24. [49]Don't forget physical security.
It's not my focus, but using CCleaner and setting MyDefrag to run once a week
improve performance and make performance loss more obvious.
Not sure what any of these tips mean? Here is more detail about each one:
1. Don't let computers in kids' rooms, or highly sensitive business locations,
have access to the Internet. Many people balk at this suggestion, but I list
it first because it can eliminate a whole host of other problems. Consider it
seriously; you may find it's not as hard as you think, especially for young
children or for really sensitive information.
Home users can feel free to use child filters/blockers (sometimes called porn
blockers), but they should not depend on blockers. In my experience such
blockers don't work well enough to be relied on; they don't filter what you
want them to, and they filter out material that you do want them to have
access to. You just can't depend on them. Worse, parental filters do nothing
to stop stalkers from interacting with your kids, which I think are a much
worse threat to your children. So don't even put a network or wireless card
into computers you can't easily monitor. Instead, make sure that any Internet
access is limited to public access areas (like a family room or living room)
or adult-only areas (like the parents' bedroom or office). This is probably
less practical as the kids get much older, but particularly for small
children, just tell them those are the house rules; they'll live! Then talk
with and monitor your kids, just like you'd talk with and monitor them in
physical public settings.
You can add filters as well, of course. [50]DansGuardian is freely
available and is open source software. However, the program itself runs on
Linux or BSD, so you need to create a Linux or BSD system to run it, and then
have the Windows systems access the Internet through it.
A different kind of filter is one involving web search engines. Start by
logging in as your child and then set their search engine's preferences. For
Google, [51]set their Google SafeSearch preferences to use strict filtering.
For AltaVista, [52]set the AltaVista family filter.
If you run a business, you may have some highly sensitive data that you don't
want copied or modified. If it's really sensitive, don't connect the machine
holding that data to the Internet at all; make it a stand-alone computer, and
use floppies, CD-ROMs, USB sticks, or other media to send data in and out.
You can encrypt and decrypt data on that machine, using secure encryption
algorithms like AES or 3DES, and then send/receive encrypted files. You can
share passwords and keys using other means (such as an initial face-to-face
meeting). If you can't do that, at least give it only brief Internet access,
and set your firewall to really limit what it can do... but that's a far less
effective method. Today computers are cheap, and dedicating a disconnected
computer (or even a small network) to especially sensitive information is one
of the most effective measures to prevent and limit the damage of many
attacks.
2. Limit and isolate privileges: Make sure everyone has their own user account
on shared computers, don't give most of them "admin" (Administrator)
privileges if you can help it, and rename the Administrator account. If
everyone logs into a computer separately, then your settings won't be
unintentionally shared. Even better, on Windows NT, 2000, 2003, XP, and
later, having separate unprivileged accounts will really help security since
these systems try to enforce user separation.
Unfortunately, many Windows programs (especially many games, educational
programs, and custom programs used by businesses) won't run on these later
systems without admin privileges -- if they run at all on later versions of
Windows. There are historical reasons for this. Earlier versions of Windows
didn't support the notion of unprivileged accounts, and even now many
Windows application developers do not develop and test their programs to see
if they'll work without admin privileges. Indeed, [53]Keith Brown, author of
Programming Windows Security, reported in 2005 that 70% of all Windows
applications cannot be run without admin privileges. This is all in contrast
to Unix-like systems (including Linux and MacOS X); Unix-like systems have
enforced security for decades, generally without giving users unnecessary
privileges. As a result, application developers for those systems normally
ship products that don't require excess privileges. This is one of the
technical reasons why Windows systems get viruses so often, while
[54]Unix-based systems essentially never see viruses (see also [55]Bruce
Ediger's information on viruses).
If you're a home user, you might want to set up a specially-designated
Windows system just to run the programs that require admin privileges, and
don't connect that machine to the Internet. It's quite reasonable to make
that isolated system a Windows 95/98/ME system, especially since so many
programs don't work on later versions of Windows anyway. Yes, people do use
older systems -- at the [56]end of 2004, 21% of Windows users are Windows
95/98/ME users (this study includes home users). [57]A different study by
AssetMetrix of businesses found that in the first quarter of 2005, only 38%
of business PCs used Windows XP (the current version of Windows), and 48% of
business PCs used Windows 2000.
It's also a good idea to rename the "Administrator" account. This is a
powerful account, and renaming it counters a few attacks without harming
normal use.
3. Choose good passwords, especially for the "Guest" account. Good passwords are
unguessable and generally have more than 8 characters, are not a dictionary
word or based on a name you know, and have a mixture of uppercase, lowercase,
and numerals or punctuation. Take pride in how hard they are to guess. Maybe
you trust everyone in your household, but an attacker may be able to connect
remotely so that good passwords are your only real protection. You need to
use long passwords; short ones can often be found by programs that simply try
out all possible combinations.
When you access the web, don't use the same password everywhere. Instead, if
you care about what the password protects, use different passwords for
different websites and use good passwords. At one time, it was a good
practice to memorize passwords and not write them down, but good passwords
are too long and you need too many passwords for that to be practical
nowadays. Instead, do one of the following:
1. Write down the password, and store your passwords securely as though
they were cash (e.g., in your wallet). That risks theft, however, so I
recommend another approach instead.
2. Use a program that encrypts the passwords, say on your PDA. [58]For Palm
PDAs, STRIP is a reasonable program.
3. Let your web browser record your website passwords. If you do this, you
risk password theft if your browser is broken in to. However, in my
experience, people who don't let their browsers record website passwords
often choose simpler (bad) passwords and share the same password among
different systems, and that's even worse. Don't use Internet Explorer
(IE) if you do this, because it's too easy to break into IE. Make sure
your web passwords are protected by a master password if you share your
machine; that's not a bad thing to do even if you don't share that
machine.
There's a "Guest" account on Windows that's disabled in many configurations,
but some attackers exploit or manage to enable it. So give the "Guest"
account a password and leave it disabled (this suggestion comes from Tony
Bradley's [59]Microsoft Windows Security 101). There's a serious defect in
Windows XP Home edition: according to [60]LabMice, when you disable the Guest
account in Windows XP Home Edition via the Control Panel, Windows only
removes the listing of the Guest account from the Fast User Switching Welcome
screen and the Log-On Local right. What you really wanted to remove -- the
network credentials -- will remain intact and guest users will still be able
to connect to shared resources of the affected machine across a network!
[61]Microsoft Knowledge Base Article: 300489 says that this horrific defect
is actually intentional. The best workaround for XP Home Users is to assign a
strong password to the Guest account.
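An added example for the password criteria in the first paragraph of tip 3 (this code is not part of the original essay): it checks a candidate password against those criteria and counts how many guesses a try-every-combination program would need. The word list, the substitution table, the names passed in, and the guess rate are constructed assumptions.

```python
import string

# Constructed sample word list (an assumption for this example); a real check
# would load a full dictionary file.
SAMPLE_WORDS = {"password", "letmein", "dragon", "welcome", "qwerty"}

# Assumed attacker speed in guesses per second; an illustrative figure only.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Common digit/symbol-for-letter swaps that do not stop a guessing program.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabet_size(password):
    """Number of symbols a try-everything search must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not (c.islower() or c.isupper() or c.isdigit()) for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation marks
    return size


def exhaustive_guesses(password):
    """Guesses needed to try every string up to this length over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case search time in years at the assumed guess rate."""
    return exhaustive_guesses(password) / rate / (365 * 24 * 3600)


def _variants(password):
    """Lowercased forms with edge digits/punctuation stripped and swaps undone."""
    lower = password.lower()
    core = lower.strip(string.digits + string.punctuation)
    return {lower, core, lower.translate(LEET), core.translate(LEET)}


def check_password(password, words=SAMPLE_WORDS, names=()):
    """Return the tip-3 criteria this password fails; an empty list means it passes."""
    problems = []
    if len(password) <= 8:
        problems.append("too_short")        # "more than 8 characters"
    has_mix = (any(c.isupper() for c in password)
               and any(c.islower() for c in password)
               and any(not c.isalpha() for c in password))
    if not has_mix:
        problems.append("no_mix")           # upper + lower + numeral/punctuation
    variants = _variants(password)
    if variants & set(words):
        problems.append("dictionary_word")  # still a dictionary word underneath
    if any(n.lower() in v for n in names for v in variants):
        problems.append("contains_name")    # based on a name the user knows
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; names are ones the user is associated with.
    samples = [("dragon", ()), ("P@ssw0rd1!", ()),
               ("Michael1987", ("Michael",)), ("Vq7#mLz!2pRw", ())]
    for pw, names in samples:
        print(f"{pw!r}: fails={check_password(pw, names=names)} "
              f"years_to_exhaust={years_to_exhaust(pw):.3g}")
```

The second sample is long enough and mixes character classes, yet it still fails because it is a dictionary word with predictable substitutions.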
4. When using the web, never type information you really want private (such as
the password for a bank account) into a non-SSL encrypted page. Any Internet
connection that isn't encrypted (by mechanisms like SSL) can be snooped by a
vast number of people; treat most interactions with the Internet and email as
though you were shouting to the world. When you're using a web browser, you
can tell if you're using a secured connection because the URL address will
begin with "https://" and you'll see a "lock" symbol. If you don't see those
things, don't type in a password you care about. Otherwise, snoopers can see
whatever you send and receive. An SSL connection doesn't protect you against
some problems (the person on the other end may be a fraud, or be taken over
by an attacker, or leak your private information), but it at least prevents
snoopers from easily capturing critical information.
5. Get anti-virus and anti-spyware programs. If you don't use Microsoft's
operating systems, you just don't have a virus problem, and you're very
unlikely to have a spyware problem either. Non-Windows systems are designed
to prevent viruses, the vectors for spyware aren't as easy to exploit either,
and there are fewer attackers who target non-Windows systems (it's not just
market share; [62]Apache has triple the market share, yet fewer security
problems, than Microsoft's competing IIS). There are some viruses for other
systems, but since their designs resist them, they just aren't a serious
issue for anyone else. Apple Macintoshes have some, though not many; for
Linux and Unix they simply don't happen in the real world. So this is a
Windows-unique recommendation, since nobody else has this as a serious
problem.
But if you use Microsoft Windows to access the Internet, you must deal with
viruses and spyware. Windows systems are heavily attacked, and in my opinion,
they don't do a good job defending themselves. Microsoft has recently added
DRM capabilities (digital restrictions management), which has made things
worse; [63]attackers are using DRM to attack users and add spyware. In short,
while they are nearly unknown elsewhere, if you use Windows, viruses and
spyware are serious problems you can't ignore.
Most anti-virus programs are fairly mature, and most of the well-known ones
do a reasonable job at blocking or cleaning up old (known) viruses. One
example of a reasonable program is [64]AVG, and they have a no-cost edition.
Unfortunately, [65]Microsoft's own flagship product, OneCare, is one of the
worst - several independent studies have determined that it's unacceptable
for use. Andreas Clementi, senior tester at AV Comparatives, declared after
testing that "[Microsoft OneCare] performed very low in the test, and did not
reach the minimum requirements for participation" - the only product in a
large suite that failed.
So, if you use Windows, get a reputable anti-virus system, and continuously
keep your virus software up-to-date (this usually requires paying continuing
maintenance fees). If you are not willing to do this, consider using another
operating system instead (such as MacOS or Linux).
Anti-spyware programs, unfortunately, don't do all that well, but the
reputable ones are better than nothing. You should get an anti-spyware
program, and then use other methods to give additional layers of defense,
since spyware is also a serious problem. More info on anti-spyware programs
is at: [66]http://www.firewallguide.com/spyware.htm and
[67]http://spywarewarrior.com/asw-test-guide.htm. A [68]PC World review found
that the reputable free programs such as Spybot Search & Destroy (S&D) were
better than the heavily advertized pay-for anti-spyware programs. [69]Network
World (December 13, 2004) evaluated four anti-spyware programs, though for
large enterprises (which have some different requirements such as needing
centralized management); they liked Spy Sweeper Enterprise 1.5 and Omniquad
AntiSpy Enterprise Edition 4.0. They thought that Spybot Search & Destroy did
"quick, accurate elimination of spyware" at no cost, though they didn't like
it that technical support was only available via email (that may not matter
to you). They didn't like InterMute SpySubtract Pro 2.5 as much, saying it
had very poor ease-of-use. For spyware, I've seen good reports about
Ad-aware, GIANT AntiSpyware (now Microsoft), Pest Patrol, Spybot Search &
Destroy, and Webroot Spy Sweeper. [70]Be wary; a few of the "anti-spyware"
programs are made by spyware makers, and will actually cause you problems by
inserting spyware. If you have (or think you might have) spyware or viruses,
it'd be better to erase the hard drive & re-install, though I understand
that's very time-consuming. But even if you re-install, you need protective
programs.
More recently, [71]Microsoft has bought GIANT and provides a derivative of it
as their own product. As of 2005-01-06 this is a buggy beta product, but
hopefully it will get more stable quickly.
Unfortunately, there are lots of scammers. For example, [72]MS Antivirus is a
"scareware rogue anti-virus", and in spite of its name, should not be
confused with Microsoft Security Essentials or Microsoft Antivirus. This
program (and ones like it) fraudulently claims that you have a problem, and
then asks you to send money to "upgrade" so it can fix the problems.
Neither anti-virus nor anti-spyware programs are perfect. Anti-spyware
software in particular is not very good at removing problems; it will
probably miss about half of the problems. So, you need to take other
preventative steps; certainly don't depend on just these programs!
6. Make sure you're behind an external firewall, and turn on any built-in
firewalls too. An Avantgarde study by Kevin Mitnick and Marcus V. Colombano
found that [73]an unpatched Windows XP system only lasted 4 minutes on the
Internet before it was compromised. Windows systems without the latest
patches just don't last long when connected to the Internet; it's a hostile
world. I know a computer expert who tried to patch his Windows system in 2003
without using a firewall, figuring that he'd be able to download the patches
before an attacker would find his system; he was wrong. His system was
controlled by a malicious adversary ("0wned") before he could even finish
downloading the patches.
Buy a separate component that does firewalling for you; don't just depend on
the firewall built into some versions of Windows. It's likely you already
have this separate component; firewalls often come built-in with wireless
hubs, cable "modems", and DSL modems. While not as function-rich as dedicated
firewalls, for most home and small business owners these firewalls are quite
sufficient. Most small businesses' connections to their ISPs include a firewall
already (and if not, they're easily added, and you really should). Otherwise,
buy one; you may find it cheaper to buy a router or wireless hub with a
firewall, even if you only need it for one computer now (if you buy a
wireless hub, disable the radio or secure it as I discuss below).
Alternatively, you can turn an obsolete PC into a dedicated firewall with two
network cards and freely-available programs like [74]Smoothwall ([75]here's a
Smoothwall review), [76]Astaro, [77]IPCop, [78]Coyote Linux ([79]here's a
review of Coyote Linux), or [80]floppyfw. Coyote Linux and floppyfw only
require a floppy drive (no hard drive or CD-ROM needed) to run, and have
trivial hardware requirements (Coyote Linux requires a 486 or better,
floppyfw requires a 386 or better); you can often find such a computer for
free.
Windows XP includes a built-in firewall, and Windows XP Service Pack 2 (SP2)
turns on the built-in firewall. You should turn on any built-in firewalls you
have available as well, but the built-in firewall of Windows is easy to
disable (particularly by spyware), and for many versions it allows far more
than it should. So I think typical home/small business owners shouldn't
just depend on it. If you just can't afford an external firewall, and you
have a single system that dual-boots between Windows and some other operating
system, consider disabling all network drivers in Windows as an alternative.
This is primarily a Windows problem; other operating systems such as
GNU/Linux and the BSDs are better able to withstand attacks without a
firewall (and in fact they're often used to implement firewalls). There are
several reasons for this. These other systems have built-in firewalls that
are very strong and have been there for years. Also, these other systems
don't normally export services unless you specifically ask them to; by not
providing attackers with unnecessary services to attack, these other systems
tend to be a lot less vulnerable than Windows. It's a good idea to run behind
a firewall for any system, since firewalls provide some additional
protection, and I'd suggest it for any system. But since Windows has an
especially poor security record, external firewalls are basically mandatory
for Windows users.
7. Install patches. All systems have occasional security problems, so you need
to install security patches as they become available. This is particularly
true for Microsoft Windows, and I think it's because Windows has a monolithic
design (e.g., the browser is embedded in the operating system, as are major
portions of the graphical user interface). Thus, defects that are merely
minor annoyances in other systems can become serious security vulnerabilities
in Windows. C'est la vie.
Keep all programs up-to-date with any patches that are available. But in
particular, keep [81]Oracle Java JRE, Adobe Reader / Acrobat, Adobe Flash,
and Microsoft Internet Explorer updated. Historically, most exploits come
through those programs.
You really should back up before installing a Microsoft patch; patches
(especially Service Pack 2, aka SP2) can cause the system to become unusable
in certain cases. But not patching (or delaying too long) will eventually
cause serious problems; someone will exploit your system if you fail to do so
(and you ever connect it to the Internet). Remember to firewall your system
before trying to download patches! And remember that in Windows most patches
require a reboot after installation (again, this isn't true for most other
operating systems), and dependencies may require that you do this several
times. That means that patching can take more time to implement than on
competing systems; be sure to plan for this time.
If you use Windows XP, you should install Service Pack 2 (SP2), but you must
do this extremely carefully and only after you have backed everything up. SP2
is a major improvement in security and well worth it if your system and
applications will still work once it's installed. Unfortunately, many people
have had a lot of problems with SP2. Thus, you need to be prepared to
reinstall all your data and all your software if necessary. Some people's
critical applications stop working, and in some cases the entire system won't
even boot, after installing SP2. As noted in [82]The Dark Side of Windows XP
Service Pack 2, you're more likely to be successful if you first remove
spyware, update drivers (especially if you use nVidia), and back up your
system before installing SP2. Be prepared for extra time to get your
applications running again after installing SP2. Some applications don't work
at all with SP2 or have limitations; for example, security scanners like nmap
can only work on Ethernet connections when Service Pack 2 is installed (if
this is a problem for you, you'll need to switch to a different operating
system or avoid SP2). Use Google to find suggestions for how to configure
applications that balk at SP2. But if you use Windows XP, install SP2 if at
all possible. Yes, it can be painful, but security problems can be even
worse.
Patching is no guarantee; attackers will attack Windows using exploits for
which there are no patches. So you still need to take other steps.
8. Stop using Internet Explorer (IE); switch to a different web browser such as
Firefox. Microsoft's Internet Explorer has been the source of an endless
stream of vulnerabilities, and of patches that don't really address its root
problems (such as allowing ActiveX components to run in certain circumstances
and being deeply embedded in the operating system). Microsoft has finally
decided to upgrade their browser (after abandoning it for years), but
[83]ZDNet suggests that even the new Internet Explorer is not worth waiting
for. ZDNet says, "Internet Explorer 7 for XP Beta isn't a Mozilla Firefox
killer -- far from it. Given the high expectations, we're unimpressed with
the IE 7 for XP Beta". The new IE will finally add tabbed browsing and
built-in RSS support, which everyone else has offered for years,
but it still fails to implement web standards (like CSS). Even worse, only
those running Windows XP SP2 will be able to run it, so everyone else needs
to use an alternative anyway. As ZDNet says, "We're not convinced that the
security features touted in IE 7 will be enough to stave off the almost
monthly security patches required to keep IE secure"; after all, IE continues
to use the design approaches (like ActiveX) that cause so many
vulnerabilities. IE is a constant source of vulnerabilities; you're better
off switching to an alternative.
Many others say the same thing: switch away from Internet Explorer.
[84]Security expert Bruce Schneier recommends not using IE. An [85]editorial
in Redmondmag.com also recommended switching from IE to Firefox. [86]The Wall
Street Journal's Walter S. Mossberg says "I suggest dumping Microsoft's
Internet Explorer... I recommend instead Mozilla Firefox" (he [87]repeats
this again at the end of 2004). [88]USA Today's Byron Acohido and Jon Swartz
recommend switching from Internet Explorer to Firefox for improved security,
and [89]Forbes' Arik Hesseldahl recommends switching from Internet Explorer
to Firefox as well. In 2005, [90]Forbes labelled Firefox as their favorite
web browser in their "best of the web" awards. [91]eWEEK.com Senior Editor
Steven J. Vaughan-Nichols thinks IE is too dangerous to keep using (he says
[92]Internet Explorer is insecure junk, and it's time for Windows users to
move to Firefox if they want to protect their systems). [93]Government
Computer News' product review of Firefox stated: "Put simply, Firefox is
everything you need in a browser, minus the security risks common with
Explorer". [94]Washington Post columnist Rob Pegoraro says "I think anybody
using Internet Explorer should switch to Firefox today. Seriously". He also
says that "Firefox's security goes deeper than that. It doesn't normally
support Microsoft's dangerous ActiveX software, which gives arbitrary Web
sites (and any attacker who has taken them over) control of your computer as
though they were you. It omits IE's extensive hooks into the rest of Windows,
which can turn a mishap into a systemwide meltdown". [95]Gartner noted that
IE has many design flaws that fundamentally impede its security: "because IE
is integrated into the Windows operating system, flaws in IE have a greater
impact than flaws in a stand-alone browser. Also, it takes longer to create
fixes (since regression testing must include the entire operating system),
and applying IE patches is often more time-intensive and expensive (requiring
reboots, for example)". In March 2005 the [96]Denver Post said "Experts agree
these two programs [Linux and Firefox] are less susceptible to viruses and
other Internet ills than Microsoft's [products]". Longtime Internet guru
[97]Peter da Silva reports that "when Microsoft started integrating the
browser and the desktop, I managed to get Internet Explorer, Outlook, and
other applications that used the same interface banned... we continued to use
Windows... and we took a relatively lightweight approach to security other
than banning IE. Result? Occasional single-workstation virus alerts, almost
never an infection beyond one user's machine... and a large percentage of the
time it was a user running Outlook "unofficially" that caused the problem.
Far fewer problems than my counterparts at sites that imposed heavy
restrictions but standardized on IE". The article [98]Spyware, Adware,
Windows, GNU/Linux, and Software Culture notes that it's very important to
switch to a browser other than IE. [99]Desktop Pipeline's Scot Finnie praises
Firefox as well. Even many who are often supporters of Microsoft recommend
dropping Internet Explorer. [100]MCSE Daniel Miessler says "I happen to like quite
a few of Microsoft's products... [but] Don't use Internet Explorer". He gives
two reasons for saying this:
1. "Due to the combination of ActiveX, scripting, and its integration with
the Windows operating system, Internet Explorer is more vulnerable to
attack than many other browsers".
2. "The designers of Internet Explorer have purposely turned their back on
the standards designed to benefit the Internet as a whole. They have
done this for years, continue to do it today, and appear to have nothing
but their own interests at heart".
Vulnerabilities have repeated with such regularity in IE that [101]in
December 2004 Pennsylvania State University issued an alert to students and
staff telling them to drop IE and use an alternative. David Hammond's
[102]Internet Explorer is dangerous article explains in more detail why
switching is a good idea. [103]Scanit's Browser Security Test group found
that in 2004, 98% of the time Internet Explorer was vulnerable to dangerous known
remote attacks, with no patch available to prevent it, compared to 17% for
Opera and 15% for Mozilla/Firefox. [104]There were only 7 days in 2004 where
Internet Explorer could be safely used (where patches were available for all
publicly-known worst-case vulnerabilities). A [105]2006 survey found that
again, IE was far more dangerous to use than Firefox. No browser is perfect,
but why choose one that is so much worse than the alternatives?
Many other security organizations have expressed serious concern. The
[106]US-CERT listed as one of its solutions to IE vulnerabilities switching
to a different web browser; they report vulnerabilities in many products, but
typically don't include switching to another product as one of the options.
The simplest summary was that [107]US-CERT was warning Web surfers to stop
using Microsoft's Internet Explorer (IE) browser. US-CERT noted that the
fundamental design of IE makes it much more vulnerable than alternatives; it
said that "there are a number of significant vulnerabilities in technologies
relating to [IE]" and that "IE is integrated into Windows to such an extent
that vulnerabilities in IE frequently provide an attacker significant access
to the operating system". [108]Other news organizations widely noted this
concern. According to Secunia, as of 2004-12-17 IE has many more unpatched
yet known security vulnerabilities compared to other widely-used browsers
(see their reports for [109]IE, [110]Firefox, and [111]Opera). The [112]SANS
Most Critical Internet Security Vulnerabilities lists 10 critical
vulnerabilities for Windows, and the Version 5.0 (October 8, 2004) edition
includes web browsers (#5) and mail clients (#9). Once you delve in, you
discover that the real dangers are really IE and Outlook, since the
alternatives don't have many of the same problems. SANS identifies 6 serious
problems with IE, compared to alternatives: (1) IE has a larger number of
vulnerabilities than other browsers, (2) it's taken a longer time to patch
known IE vulnerabilities (sometimes in excess of 6 months), (3) ActiveX and
Active Scripting can be used to bypass the security constructs of the
browser, (4) A large number of unpatched vulnerabilities, (5) Spyware/Adware
vulnerabilities, and (6) Integration of IE into the operating system (OS)
makes the OS more vulnerable to exploitation. SANS states that "If using an
alternative browser is not an option, consider disabling ActiveX entirely
except for internal ActiveX applets that can be preinstalled on the machine".
The article [113]Can You Bank on IE Security? from Bankers Online (a magazine
for bankers) noted that respected organizations like CERT, SANS, and NIPC
have all essentially suggested switching from Internet Explorer, and tells
banks to prepare for the many users who will be switching away from IE.
[114]Scott Granneman's article on SecurityFocus pleads for users to stop
using IE, too, because of its legions of security problems.
Trying to visit only trustworthy sites won't protect you as much as you'd
think. Attackers have found many ways (such as breaking into those sites or
their advertisers, or redirecting data through them) to send malicious data
to IE users. [115]BusinessWeek's Stephen H. Wildstrom believes that using
Internet Explorer is just too risky, after exactly that kind of attack
exploiting known but unpatched flaws in Microsoft IIS and IE impacted a vast
number of IE users; as a result, many IE users had their keystrokes
(including bank account information and passwords) logged and sent to a
computer in Russia.
I suggest that you switch to the [116]freely-available Firefox web browser
instead (a suggestion many others make, as you can tell above). Firefox costs
nothing, it's more secure, and it's generally a better browser. [117]Firefox
has rapidly grown in market share (with [118]25 million downloads in just 99
days), and [119]lots of reviewers like Firefox. Some [120]January 2005
statistics from Net Applications show that Firefox use has continued to grow,
while IE's usage has been steadily shrinking. Firefox's source code and
internal documentation are publicly available and it has been widely
scrutinized; indeed, the Mozilla [121]bug bounty program pays people who
report critical security bugs, and they're given all that information to work
with. Thus, there are no "secret spying codes" in it (people have looked!),
and it has a far lower security risk. It's a spin-off from Netscape
Navigator, so most people have no trouble using it (indeed, if you've ever
used Netscape Navigator it'll seem familiar). And many are supporting it; for
example, [122]Google employs Firefox's leading developer (see [123]Goodger's
blog entry). Even [124]one of Internet Explorer's former developers switched
to Firefox. The tabbed browsing and built-in search window capabilities alone
are enough reasons to switch, but if you don't want viruses, spyware, and
endless pop-ups, this is a serious help. It has much better support for standards,
and [125]Google works more quickly with Firefox than with IE (because Firefox
supports something called "prefetching"). If you're curious to learn more
about how browsers work, see [126]How Firefox Works.
Just about any other browser (such as Netscape and Opera) would be better
too. In a few cases websites won't look right, but I find that's pretty rare,
and there are many sites IE won't display correctly as well. You can run IE
for a specific website if you need to, and tell the site owner to fix their
website while you do (there is even a Firefox extension, IE View, that lets
you view the current page in IE if necessary). Besides, if it won't work for
Firefox, it won't work for most PDAs, cell phones, TVs, and the many other
gadgets that can access the web, so they'll need to fix their site anyway.
There are other alternatives, too, such as Opera and Mac OS Safari.
Now this does not mean that Firefox will be free of any security problem.
Firefox will have security problems too! But past history strongly suggests
there will be far fewer of them that affect you than in IE, which means that
you greatly lower your risk by switching.
Firefox automatically disables pop-ups; [127]pop-ups are a serious problem with
most versions of Internet Explorer. Older versions of Internet Explorer let
pop-ups fly through; while XP Service Pack 2 tries to close this problem,
[128]there are still attacks that break through Internet Explorer's pop-up
protection on SP2.
Perhaps more importantly, switching away from IE will automatically disable
ActiveX, a very good thing since ActiveX is a constant source of serious
security problems ([129]ActiveX has been noted as a design flaw for years,
and in fact it's symptomatic of the general problem that Microsoft often reuses
code for new purposes even when it's unsafe to do so). You can also disable
Java and JavaScript for an additional measure of security, but both are
needed by many websites, and they're much less dangerous than ActiveX.
JavaScript and Java run in a "secure sandbox" that tries to protect you from
problems (and it usually succeeds), while ActiveX components disable all
application security when they run -- a key reason why ActiveX is so
dangerous. This isn't just my opinion; [130]the CERT/CC notes that ActiveX is
a far greater danger than sandboxed techniques like Java, and the Department
of Defense defines [131]ActiveX as a Category 1 (maximum risk) technology.
[132]As pointed out by Professor Edward Felten of Princeton University,
"ActiveX security relies entirely on human judgement. ActiveX programs come
with digital signatures from the author of the program and anybody else who
chooses to endorse the program. ... The main danger in ActiveX is that you
will make the wrong decision about whether to accept a program. ... The most
dangerous situation, though, is when the program is signed by someone you
don't know anything about. You'd really like to see what this program does,
but if you reject it you won't be able to see anything. ... The only way to
avoid this scenario is to refuse all programs, no matter how fun or
interesting they sound, except programs that come from a few people you know
well". [133]Some of the security problems of ActiveX were demonstrated back
in February 1997 by the Chaos Computer Club (CCC). The CCC showed an
ActiveX control that could use Intuit's Quicken financial software to
automatically transfer money from a user's account to the CCC bank account.
[134]Microsoft's Charles Fitzgerald, program manager of Microsoft's Java
team, stated, "If you want security on the 'Net, unplug your computer. ...
We never made the claim up front that ActiveX is
intrinsically secure". Given today's attacks, it's absurd to depend on such a
poor foundation. A quick [135]search through the CVE vulnerability database
using ICAT demonstrates that ActiveX is dangerous. Yes, you can get ActiveX
components signed, but that doesn't tell you what you need to know; anyone
can get a digital signature by paying for it. If you use some internal
application with ActiveX, work with the developer to wean them from ActiveX
quickly, or drop it quickly. ActiveX is a bad idea anyway; its
non-portability means you can't use it on many useful platforms that have web
browsers (including Macs, Linux, PDAs, cell phones, and so on). But from a
security point-of-view, allowing ActiveX to run is an unacceptable risk today
-- today's computers are under constant attack. Intrinsically insecure
ActiveX is just a bad bet.
[136]Firefox has become such a threat that Microsoft has started developing
IE again. But there's no need to wait, and there's no evidence that the next
version of IE will actually be better (from a security point of view) than
Firefox or other alternatives. For example, Microsoft has not committed to
disabling ActiveX as the default, or to separating the browser from the
operating system. And security is not something you just "add in" in a few
months; it takes years, hard work, and lots of review to really create a
secure product. It's easy to say "we'll eliminate security bugs" -- but the
only real proof is in the pudding, and Mozilla/Firefox is in a lead measured
by years from a security point-of-view.
Also, [137]Microsoft still hasn't committed to implementing critical web
standards (such as the W3C's CSS2), even though they were released many years
ago, others have done so, and services like Google Maps have shown the value
of supporting these standards. Web developers have complained to Microsoft
for years about their inadequate standards support; if you switch now, you
can enjoy support for web standards right now. Major Australian newspaper
[138]The Age's article "Firefox explorers" discusses why supporting standards
is so important; it gives as an example Bill Robertson's De Bortoli Wines,
who switched 450 workers to Firefox primarily because they wanted to use
standards (instead of being locked into any particular vendor's proprietary
interfaces).
Oh, and if you're not using Windows XP, or you haven't installed XP Service
Pack 2, that means that you need to switch from IE to something else even
faster. SP2 finally adds some helpful security capabilities, but users of
older versions of Windows will not get them without an expensive upgrade (of
software and possibly hardware too). And there's no evidence that IE users of
Windows versions before XP SP2 will get necessary security updates of IE;
Microsoft has only announced that they're working on an IE upgrade for XP
SP2. If you're curious, you can try out things like [139]scan-it's browser
security scanner (though it's not perfect, it can be interesting). So switch
now.
9. Turn off third-party web cookies. "Cookies" are small pieces of information
that a web server can send to your browser; your browser holds them, and can
resend them back to the web server later. They're used for web shopping and
many other web activities, to help the store determine which shopper you are.
But because they support tracking, they can also be a privacy problem. I
suggest turning off third-party web cookies to help with that. In Firefox,
select Tools/Options/Privacy, and disable accepting third-party cookies. (In
Firefox 2.0, select Tools/Options/Cookies; allow sites to set cookies, but
turn on the option "for the originating web site only".)
10. For email, switch from Outlook or Outlook Express to something else if you
can. Email programs must accept data from arbitrary people -- including
attackers in other countries -- and handle it without getting exploited.
Outlook hasn't done well in this regard; internally it uses the Internet
Explorer functions to display email; see above for what that means.
[140]Outlook is actually the cause of many security problems; you're better
off replacing it with a program that has a better track record. Outlook
Express 6 users should consider switching to something else anyway; [141]a
serious defect in Outlook Express 6 causes its forwarded email to look just
like spam, and thus get automatically rejected by many recipients. The
article [142]Spyware, Adware, Windows, GNU/Linux, and Software Culture notes
that an important part of securing Windows is to junk Outlook.
If you want to use a local program (like Outlook or Outlook Express),
consider using [143]Mozilla Thunderbird; this email reader has had many rave
reviews (such as [144]a positive review of Thunderbird in PC Magazine,
[145]Flexbeta, and [146]Linux Times) and has [147]many interesting
extensions. Thunderbird doesn't have some of the features of Outlook; in
particular, as of 2004 Thunderbird's calendar application (a common
Thunderbird extension) is not as capable as Outlook's. On the other hand,
Thunderbird has lots of wonderful features, such as built-in trainable
Bayesian spam filtering, built-in support for the popular news protocols NNTP
and RSS, and the ability to view emails in the conversation format (like
Gmail). Many home users and small businesses will find Thunderbird works well
for them, and without the problems of Outlook (which uses the Internet
Explorer display components, and thus is vulnerable to many of the same
attacks). A [148]News.com story noted that one company recently installed
Thunderbird on 44,000 desktops.
Other options for local email reading include the older Mozilla Mail and
Netscape Mail; I use those two currently, since they have a longer history.
In fact, there are lots of other email clients; Eudora is still common.
Novell's Evolution is probably the best email program available, period, but
it hasn't been available for Windows for a while; [149]Shellter's Evolution
on Windows is a recent port to Windows. Many people have switched to a
web-based email system, such as Yahoo, Google, Runbox, Hotmail, and so on; in
those cases, just use your web browser (which should not be Internet
Explorer).
The CERT has suggestions such as "Don't open unknown email attachments",
"Don't run programs of unknown origin", "Disable hidden filename extensions",
"Disable Java, JavaScript, and ActiveX if possible", and "Disable scripting
features in email programs". Switching from Outlook will automatically
implement these suggestions, at least in part, without worrying about
accidentally making a mistake.
You might also seriously consider disabling HTML mail. HTML mail has nice
features, but it's also often abused for security exploits.
11. Disable hidden filename extensions. Many attacks work against Windows users
by misleading the user into thinking one thing is happening, but another is
really happening. A really common problem on Windows is that Windows often
doesn't really display the true filename. As a result, you can't avoid
dangerous files. [150]Implement this CERT incident note so that hidden
filename extensions are displayed.
12. Never run programs sent via email. If someone emails you a "neat program",
delete it instantly, even if you know the person. The email may have been
forged. That other person may have had their system taken over by a malicious
program, and now their system is sending out malicious programs to everyone
in their address book. Besides, even if the person intentionally sent it,
it's unlikely that the person actually wrote the program, and you probably
aren't going to review its code... so neither of you has any idea what it
really does. And if you don't know the person, this is even more true --
never run a program sent by a spammer! They can make money by exploiting your
system (say to send more spam, selling data they find on your system, and so
on).
If you want to send a program, don't send the program itself -- send a URL to
a web address. That way, recipients can download it at their own time, and if
the maker updates it, recipients can get the update. You shouldn't just run
arbitrary programs you download from the web either, but we'll get to that.
13. Don't just open attachments from strangers. Don't open attachments from
people you don't know, even if they appear "safe"; they may exploit your
system and cause you to run programs in ways you weren't expecting.
To get work done, you'll need to open attachments. Here, try to avoid opening
attachments from strangers; at least, look at the message body carefully
before taking that risk.
You can reduce your risk greatly by only opening types of attachments that
are less risky. To determine its type, just look at the last characters in
the filename (yes, it's more complicated than that, but I can't go into that
here and have a reasonable suggestion for ordinary users). It's hard to list
what can be an executable, since there are many different program formats
(.exe, .com, .bat, and so on), and some programs aren't designed to handle
arbitrary data. It's a lot easier to say what's safer. A .txt file is
generally safe to open (but don't save and run it!). A .htm or .html file is
usually safe, as long as you don't let Internet Explorer look at it (IE may
be fooled into thinking it's a "local" file, disabling its security; other
browsers aren't so easily fooled). Although office suite files (.doc, .ppt,
.xls) can have programs (macros) embedded in them, as long as your office
suite doesn't run macros you're usually fine. PDF files (.pdf) are designed
to be sent safely over the web, and have fairly low risk. Handling any data
involves some risk, but these formats have a much lower risk.
Image formats (like .jpg, .png, and .gif) and audio formats (like .mp3 and
.ogg) are actually a slightly higher risk in my opinion. Many image and audio
formats are passed on to Windows code with a history of failure to protect
itself (I suspect the developers had no idea that this was security-relevant,
and that they didn't know how to write secure code anyway). Still, if you
know the person they are from, they are usually fine.
If you get an attachment, but do not know what its format is, ask the sender
first. Then use search engines (like Google) to find out your risk. Don't be
a victim.
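
The extension check described in items 11 and 13, as an added example that is not part of the original essay: it sorts attachment names into the essay's own risk tiers and reports names whose visible part would look harmless with extensions hidden. The message, addresses and attachment names are constructed, and the tier labels are this example's wording.

```python
import os
from email.message import EmailMessage

# Extension tiers copied from the essay's own lists in item 13.
EXECUTABLE = {".exe", ".com", ".bat"}
LOWER_RISK = {".txt", ".htm", ".html", ".pdf"}
MACRO_CAPABLE = {".doc", ".ppt", ".xls"}
MEDIA = {".jpg", ".png", ".gif", ".mp3", ".ogg"}
KNOWN = EXECUTABLE | LOWER_RISK | MACRO_CAPABLE | MEDIA


def shown_when_hidden(filename):
    """Approximate what a file list shows when the last extension is hidden."""
    return os.path.splitext(filename.strip())[0]


def triage(filename):
    """Return (tier, true_extension, warnings) for one attachment name."""
    warnings = []
    name = filename.strip()
    # Compare in lower case: ".EXE" and ".exe" are the same type on Windows.
    root, ext = os.path.splitext(name.lower())
    inner = os.path.splitext(root)[1]
    # "Holiday.JPG.exe" is listed as "Holiday.JPG" once ".exe" is hidden,
    # which is why item 11 says to turn hidden extensions off.
    if inner in KNOWN and inner != ext:
        warnings.append("shown as '%s' when extensions are hidden"
                        % shown_when_hidden(name))
    if ext in EXECUTABLE:
        tier = "executable"
    elif ext in LOWER_RISK:
        tier = "lower risk"
    elif ext in MACRO_CAPABLE:
        tier = "lower risk if macros are off"
    elif ext in MEDIA:
        tier = "slightly higher risk"
    else:
        tier = "unknown: ask the sender"
    return tier, ext, warnings


def triage_message(msg):
    """Triage every attachment of an email.message.EmailMessage."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name,) + triage(name))
    return results


def sample_message():
    """Constructed message with constructed attachment names and bodies."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "photos and notes"
    msg.set_content("See attached.")
    for name in ("notes.txt", "budget.xls", "song.ogg",
                 "Holiday.JPG.exe", "data.xyz"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, tier, ext, warnings in triage_message(sample_message()):
        print("%-18s %-30s %s" % (name, tier, "; ".join(warnings)))
```

The tier only reflects the name; as the essay says, the full picture is more complicated, so an unknown or executable result means stop and ask rather than open.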
14. Don't run "pirated" programs. Some people install and use programs copied
illegally; this is sometimes called "piracy". Don't do this; it should be
reason enough that it's illegal. However, there are also good security
reasons. You usually won't get support or security patches for your illegally
copied software (e.g., [151]Microsoft will severely curtail the updates
available to illegal copies of Windows). Some programs try to determine if
they're legal, and if they think they're not, they do malicious things. And
if you've downloaded the pirated programs from one of the many "warez" sites,
you have additional problems: some such programs have had malicious
software (such as "Trojan Horses") intentionally inserted into them, and
often such software is changed but poorly tested (so it's likely to have
subtle problems that legitimate copies won't have). Yes, some software is
expensive; doing the right thing is often expensive.
Buy your programs, or use freely-available alternatives that are legal to
copy. I particularly like widely-used open source software, since they can
get security reviews worldwide, and they are often free or low cost. One of
the more heavily pirated programs is Microsoft Office; instead of copying it
illegally, either buy it or use [152]OpenOffice.org instead, which is free
and legal to copy (here's a [153]review from 2004 of the two suites).
[154]The OpenDisc project (formerly [155]OpenCD) has a nice collection of
free open source software for Microsoft Windows that fits on a single CD; it
includes OpenOffice.org (office suite), PDFCreator (to create PDF documents),
the GIMP (for editing images/photographs), 7-Zip (for creating and unpacking
compressed files like the .zip format), and Audacity (for sound editing),
along with games and other things. If you don't like to create CDs, you can
also buy OpenOffice plus Firefox by buying Linspire's [156]OOoFf! You can
get support from various sources; [157]Flexiety sells a boxed version of
OpenOffice.org with support; they have deals with various CompUSA stores, and
it's also available at [158]tigerdirect.com.
15. Don't download and run arbitrary programs before checking out their
reputation. A program that's widely advertised can still be spyware, but it's
likely that someone on the Internet has noticed. So use [159]Google and other
search services to see what the reputation of that program is. Of course,
someone can falsely accuse a program of being spyware, and it may be that the
problems aren't known, but by searching you're more likely to at least be
warned of problems. Run only a few programs, and check out their reputation
first before you do.
Free isn't necessarily bad; indeed, PCWorld found that the free anti-spyware
programs were better than the for-pay ones they evaluated.
[160]Cleansoftware.org has a list of no-cost software widely believed to be
free of adware, spyware, harmful/intrusive components, and threats to
privacy.
Some programs are "open source software", meaning that anyone can view their
blueprints (the "source code"), modify it, and redistribute those changes.
The Internet, Email, and World Wide Web have all been based on these kinds of
programs. It's certainly possible to create malicious open source software;
people have done it. But since anyone can review its code, if it's popular,
it's harder to hide malicious code in it, and many of the financial reasons
to create malicious code disappear. But don't just run arbitrary open source
software, either!
In the end -- be careful out there. Run a minimum number of programs -- just
those you really need -- and check out their reputation first.
16. Ideally you should read any program license agreement ("EULA") before
installing it -- but if you won't do that, at least check its reputation
first (as noted above). First, let me give you the "official" advice you'll
hear from most authorities, because it's considered by many people to be the
safest course. Officially, you should carefully read any end-user license
agreements ("EULAs") of a program before you install it. After all, many
EULAs say that you'll allow the vendor to do all sorts of things that are
invasive, dangerous, and/or unexpected, and you should (in theory) consider
those issues before you install it. Many spyware programs are apparently
legal because their license says that they're allowed to do all sorts of
frightening things... and you "agreed" to it.
Unfortunately, I must admit that the advice of actually reading EULAs is hard
to follow. License agreements are notoriously hard to understand; they're
often intentionally written so that the most important parts are the hardest
to understand. Even when the drafters try to be clear, legal documents are
still hard for many people to understand. Many people have a large number of
programs on their systems, and asking them to read all that stuff is
impractical, even when they're easy to read. To many people, EULAs make no
sense in the first place -- they expect the conditions governing shrinkwrap
programs they buy to be just like those of a book or a car. In most
jurisdictions, typical EULA conditions are on shaky legal ground, making it
harder to justify wading through them. At least one lawyer I know (and
respect) recommends not reading EULAs, since it's usually harder for a
company to enforce a license if you did not read it.
And let's be honest -- [161]almost no one actually reads EULAs, as a PC
Pitstop experiment showed. PC Pitstop included a clause in one of its own
EULAs that promised anyone who read it "special consideration", including
money. "After four months and more than 3,000 downloads, one person finally
wrote in. That person, by the way, got a check for $1,000..". Think about
that -- it took 3,000 downloads and four months before one person read the
EULA! Clearly, it's very unusual for anyone to actually read a EULA.
This is unfortunate; from a security point of view you should read the EULA,
since it might warn you of security problems. After all, [162]many EULAs
include dangerous clauses.
If you won't read the whole EULA, try to at least read the first line,
because there's one case where reading that one line can substantially lower
your risk. Basically, widely-used [163]open source software / Free Software
licenses do not include any text to permit spyware or other dangerous
activities, and the license text is the same for many different programs. So
at least try to read the first line of the EULA to see if the license is the
[164]GNU General Public License (GPL), the [165]GNU Lesser General Public
License (LGPL), or the [166]MIT license. If the EULA is one of those
licenses, your risk is much lower. (Some lawyers would say that these
licenses are technically not EULAs, but this is a technicality; in practice
they are sometimes displayed during installation just like a EULA.)
Unfortunately, every proprietary program generally has its own license, so I
can't point to a single widely-used safe EULA that covers many proprietary
programs. Indeed, many EULAs of even common proprietary products are rather
scary; for example, [167]the Windows XP End-User License Agreement (EULA)
requires you to reveal private information to the vendor, it allows the
vendor to modify your computer's software at will, it states that the vendor
may collect personal data about you without warning or limitation, and it
states that the vendor can terminate the agreement at any time without due
process (leaving you without a working version of Windows). And not all
spyware programs will reveal what they do in their EULA, anyway.
So whether or not you read the EULA, check the reputation of the company and
the product you're considering, as I recommended above.
17. Be wary of phishing attacks; limit information you send, especially if you
didn't initiate the interaction. Many attacks, particularly from email, try
to fool you into giving away important information by pretending to be
someone else. Emails can be easily forged; don't believe a "From" address at
all, since it's trivial to set that to any value. It's easy to set up web
sites that look legitimate, so be careful about that too.
Don't trust any email links that send you elsewhere, because there are many
ways to be deceptive (www.paypa1.com is different than www.paypal.com because
the digit "1" looks like an "l"; http://forbes.com@attacker.com will send you to
attacker.com; and many trusted sites can be fooled into resending attacker
information if you invoke them oddly). Don't give any personal information
unless you initiated the entire transaction. Don't provide unrequired
information on any web site you visit; required information is usually noted
with an asterisk (*).
18. Make backups. Back up your data. You should anyway; hard disks eventually
crash. That way, if someone erases all your data, you can quickly recover.
Thumb drives or second hard drives are good ways to back up; CD-ROMs become a
pain after a while, but do work.
19. Disconnect from the Internet when you're not using it, and turn off the
computer when you're not using it. Unplugging is the simplest approach, if
you have a wired network but you still want to use the computer.
Obviously, it's harder to attack a computer that's turned off. But it may
surprise you to know that most of today's computers can be turned back on,
remotely, using a network command! Most systems don't enable that by default,
but yours may, and there's always the risk that a vendor has a security
vulnerability that lets someone turn it on even if you've disabled it. The
best solution is an external firewall, which you need anyway. Firewalls will
generally prevent such remote turn-on commands from entering your network in
the first place.
20. Tell your younger kids to never reveal their real name, address, email, or
phone number without your permission. Reputable kids' sites won't even ask
for this information. Zip code is okay; indeed, a site can probably guess one
of a small set of zip codes from your IP address. You should be able to judge
as they get older what's okay. The risk here is stalkers, who try to exploit
chat systems and the like to gain their trust. Unfortunately, getting older
doesn't necessarily make your child safer against predators.
21. If you let your kids have email, configure it so only whitelisted addresses
will be received. I don't recommend that young kids have email access; if
they need to send an email, do it through a parent. But older kids will
typically need email access. The problem is that spammers will eventually get
that email address, or guess it, and soon your kid will be getting hardcore
porn, hate group advocacy propaganda, and so on. So, configure your kids'
accounts so only email from an approved "whitelist" list of senders can get
through, and throw away the rest.
22. Change your configuration so it's harder to attack. You'll be better off if
you change the default settings into something that's more secure (this is
called hardening your system). In particular, if you use an old version of
Microsoft Office, make sure it doesn't run macros by default. Very old
versions of Office had this flaw; more recent versions of Office have fixed
this.
[168]The NSA Security Configuration Guides give a lot of information on how
to configure some Windows versions; yes, you're not the Department of
Defense, but wouldn't you like your system to have security more like theirs?
Another good source for how to configure systems securely is [169]U.S.
National Institute of Standards and Technology (NIST) checklists/information
guides, some of which were developed by others and then adopted by NIST. Look
specifically at the Desktop Application STIG and checklist, and the various
Windows STIGs and checklists.
If you use Windows 2003, take a look at Microsoft's configuration guide for
Windows 2003. [170]Microsoft's Security Home Page has other useful tips on
securing Windows systems (though they often focus on the latest versions of
their products, even though you may find no reason to upgrade). Other
documents such as [171]Microsoft Windows Security 101 have useful information
too. You don't need to accept every suggestion, but information like this can
help you secure your system. Unfortunately, this can be time-consuming; sorry
about that.
23. Configure your wireless setup to be secure, too. Many Windows users have a
wireless setup, typically 802.11b (though 802.11g, 802.11a, and others are
out there too). If you do, configure it securely too. You must plan on
spending some time to configure your wireless devices to be secure; they'll
come with all security disabled.
Some people like to share their wireless access with the world. Feel free to
do so (if your ISP allows it), but at that point you need to treat wireless
users as potential attackers. Be sure to segregate your open wireless setup
from your "internal" machines, at least by placing a firewall between the
wireless and wired network. But I feel more comfortable making it hard for
anyone else to connect in, and for new wireless users I suggest that as well.
I'll concentrate on the basics of securing 802.11 based wireless connections,
since they're the most common. Here, you need to configure your wireless hub
(access point) and computers so that their wireless connection is more
secure. Use the new 802.11i security standard if you can (but few can),
otherwise use WPA if you can (though relatively few can), otherwise at least
turn on WEP. Unfortunately, WEP is very vulnerable to attackers; for more
information, see [172]WEP: Dead Again. Indeed, the [173]FBI demonstrated that
a determined attacker can usually break 128-bit WEP (the strongest form of
WEP) in 5-10 minutes. On the other hand, WEP is better than nothing at
all (it stops casual attackers, who often move on to an easier target). Set
your WEP/WPA key to a nice long unguessable 128-bit key (aka 104-bit); don't
use a default key, and change the key every once in a while. And if your
WEP-only components can be freely upgraded to WPA (e.g., through a "firmware
upgrade"), please do so.
Disable broadcasting of your Server Set ID (SSID); that way, when no one is
using your wireless connection an attacker is less likely to find your
equipment. Turn on the configuration setup of your base station, and (re)set
every password you can to something only you would know (this would include a
configuration password, SNMP password, and so on). Point your base station
antenna(s) so that the signals are much weaker where you don't plan to use it
(an attacker can amplify the signal to potentially miles, but many don't).
Some folks recommend using media access control (MAC) address restrictions; I
don't particularly recommend this, because this significantly adds
complications without any significant security benefits (attackers can easily
work around it), but it won't hurt if you do.
Ideally, you should segregate your wireless network from your internal wired
network, even if you use other mechanisms like WEP, WPA, or 802.11i. This is
especially a good idea for WEP users. For many home users this may be
excessive, but for small businesses adding an extra firewall between the
wired and wireless networks is a cheap measure that improves their security.
You can get more information from resources such as [174]Wireless LAN
Security FAQ, [175]Tips for Wireless Security, and the Wireless STIG and
checklist available via the set of [176]U.S. National Institute of Standards
and Technology (NIST) checklists/information guides.
24. Don't forget physical security. In any situation, make sure it's not easy to
steal your equipment, or allow an attacker to modify it. Home users: remember
to lock the door on the way out! In a business, make sure that only a few
people can physically access the equipment, especially the firewall (a
locked closet works well). To secure a laptop, consider locking it in a safe
when you're not using it, or using a cable and lock; treat it like a wallet.
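For tip 17 above (deceptive links), here is an added example, not part of the original essay, that shows where a link really leads. It parses the link the way a browser does and flags a user name placed before the host, look-alike host names, and query parameters that carry another site's URL. The trusted-host list, the look-alike table and the sample links (including news.example and its "to" parameter) are constructed assumptions.

```javascript
// Added example: check where a link really goes before trusting it.
// TRUSTED_HOSTS is an assumed personal allow-list, not anything from the essay.
const TRUSTED_HOSTS = ["paypal.com", "forbes.com"];

// Small, non-exhaustive sample of characters swapped for look-alikes in host names.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["1", "l"], ["i", "l"], ["0", "o"], ["5", "s"]];

// Lower-case the host and drop a leading "www." so comparisons are consistent.
function bareHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Reduce a host name to a "skeleton" in which look-alike characters collapse
// to one form, so paypa1.com and paypal.com produce the same string.
function skeleton(host) {
  let s = bareHost(host);
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Returns the host the browser would contact plus a list of warning findings.
function inspectLink(href, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(href); // same parsing rules browsers use
  } catch {
    return { host: null, trusted: false, findings: ["unparseable"] };
  }
  const findings = [];
  const host = bareHost(url.hostname);

  // http://forbes.com@attacker.com : everything before "@" is a user name,
  // the real destination is what follows it.
  if (url.username || url.password) findings.push("userinfo-before-host");

  // A host that is not trusted but collapses to the same skeleton as a
  // trusted one is a likely impersonation (paypa1.com vs paypal.com).
  const isTrusted = trusted.includes(host);
  if (!isTrusted) {
    const match = trusted.find((t) => skeleton(t) === skeleton(host));
    if (match) findings.push(`lookalike-of:${match}`);
  }

  // A query parameter holding a full http(s) URL on another host suggests the
  // site is being asked to forward the visitor somewhere else.
  for (const [, value] of url.searchParams) {
    let inner;
    try {
      inner = new URL(value);
    } catch {
      continue; // not a URL, ignore
    }
    if (/^https?:$/.test(inner.protocol) && bareHost(inner.hostname) !== host) {
      findings.push(`forwards-to:${bareHost(inner.hostname)}`);
    }
  }
  return { host, trusted: isTrusted, findings };
}

// Constructed sample links; the first two are the essay's own examples.
const SAMPLE_LINKS = [
  "http://forbes.com@attacker.com",
  "http://www.paypa1.com/login",
  "https://www.paypal.com/",
  "http://news.example/go?to=http%3A%2F%2Fattacker.com%2F",
];

for (const link of SAMPLE_LINKS) {
  const r = inspectLink(link);
  console.log(`${link}\n  real host: ${r.host}  trusted: ${r.trusted}  findings: ${r.findings.join(", ") || "none"}`);
}
```

An empty findings list only means none of these three tricks was detected; it does not make an unknown host trustworthy.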
Where Can I get More Tips?
You might also find [177]CERT/CC's Home Network Security document very helpful;
it also describes the kinds of attacks that homes and small businesses must
endure, and how to help defend your system. CERT's document is slightly older,
though; for example, when I reviewed it on December 7, 2004, it didn't cover
spyware or alternative programs. [178]The US-CERT has some useful tips on
securing your Windows system, [179]LabMice.net have a nice list of ideas for
securing your Windows system, and [180]security expert Bruce Schneier has his own
list for "Safe Personal Computing". Terry Bollinger has a nice Crosstalk article
titled [181]How to Secure Windows PCs and Laptops, which also notes how dangerous
the current climate has become. [182]Howard Fosdick's "How to Secure Your Windows
Computer and Protect Your Privacy - with Free Software: An Easy Guide for the
Windows User" has lots of good information; I learned about it after writing
this.
Unlike some guidance documents (say from CERT), since this is a personal essay I
can give you the real story on how to secure your system, including naming names.
For example, many organizations avoid saying that you should replace a program
with a bad security record for one with a good record -- and they certainly don't
give you specific alternatives! I understand their restrictions; they don't want
to appear to recommend any particular product. However, since this is a personal
article, I can suggest applications you should replace to secure your system.
Many attacks exploit Internet Explorer and Outlook, so just replacing those
programs eliminates many problems. Many lists also fail to warn you about the
problems of certain updates; in particular, many people have had problems with XP
Service Pack 2 (SP2). Instead of avoiding the issue, I recommend that you try to
apply SP2, but I also warn you that you need to back up everything first so that you
can reload your system (if necessary). I don't give keystroke-by-keystroke help,
but this checklist should be enough to get you started (so you'll know what to
look for). Hopefully you'll still find this list useful.
Conclusions
This is not a complete list; there are many other steps you can take. Think of
this as a starting point, if you haven't done anything before. Basically, create
a set of layered defenses (like firewalls), don't add arbitrary programs, replace
programs that have a bad security track record (like IE and Outlook), and keep up
with patches.
By the way, I say the same thing about other programs that have poor track
records. You're more likely to be secure if you switch to a product with a
significantly better security track record. What a surprise. For example, if you
have an infrastructure for sending email, I would heartily recommend replacing
Sendmail (a common component with a terrible security record) with Postfix or
some other common alternative with an excellent security record. (There's a new
Sendmail 10 coming up, which basically tries to reimplement the same approach
Postfix uses for security.) Past performance is no guarantee of future results --
but it's one of the best predictors we have.
If you're part of a larger organization, in particular, one with your own IT
personnel, you need to do more. In fact, you should already have implemented far
more. If that describes you, you should be talking about meeting standards like
ISO 17799 (or more specific standards for your circumstance), and doing things
like devising security policies (including incident response and disaster
recovery), doing more formal threat analysis and vulnerability testing,
performing active filtering and monitoring of your network (including intrusion
detection and scanning for unauthorized modems/wireless nodes), and so on. If
you're actually a direct target (e.g., you're concerned about economic espionage
or a foreign government targeting you), you'll need to go far, far beyond these
steps. Still, these steps might be a useful starting point.
Of course, a completely different option is to switch from Microsoft Windows to a
different system that has a better security track record. It's not that you can't
run Windows relatively securely; I believe that with effort and careful control
of your environment (such as by using external firewalls) you can use Microsoft
Windows relatively securely. In fact I do use Windows systems myself. But to run
Windows securely, you have to think like a full-time system administrator, and
stay on top of things with extreme diligence; even a security expert can tire of
this. When connecting to the Internet, at home I've switched to running Linux
instead, from which I do all the typical things people do with computers (such as
surf the web, send/receive email, and send/receive common data formats including
pdf, doc, ppt, and xls). As a result, I don't have these kinds of security
problems. I'm not alone; in 2008 [183]InformationWeek noted that Linux-based
systems have become far more popular and easier to get - Wal-mart couldn't keep
them in stock due to high demand. I still end up helping others who need to
secure their Windows systems, though, which is why I wrote this article.
Microsoft correctly notes that other products have occasional security
vulnerabilities, but that's misleading; I want a good track record compared to
the competition, considering both the number and severity of the vulnerabilities.
Alternative products like [184]Fedora (the one I use), [185]Red Hat Enterprise,
[186]Ubuntu, and [187]Novell SuSE, have much to recommend to first-time users.
Fedora even includes buffer overflow protection for all programs and mandatory
access controls, both of which help prevent problems in the first place.
Experienced people might be happy with products such as [188]FreeBSD,
[189]OpenBSD, or [190]Debian. [191]DistroWatch has a summary of the top ten open
source distributions. Mac OS X is also relatively strong from a security
point-of-view, though that's not based on general-purpose PC hardware (so you'll
have to buy new hardware to switch). (Mac OS does not include measures like
buffer overflow protections using N+X and randomization, nor does it embed
mandatory access controls, so in my opinion Fedora and Red Hat Linux have
stronger security than Mac OS - but it's not bad.) But many people aren't willing
to switch from whatever they use, no matter what the product does or doesn't do.
Which is too bad; if enough customers had said "we'll stop buying your products
because they're less secure than the competition", then market forces would have
forced all vendors to have secure products many years ago. I have hopes that the
market is just starting to make this happen.
In general, you need to create layers of defense, and/or switch to more secure
programs, if you want to keep your computer safe. And complain to Microsoft if
you find this unacceptable; they're already starting to change some things,
thankfully. Microsoft Windows XP Service Pack 2 in particular is a significant
improvement (although it still features the monolithic design, and insecure
technologies like ActiveX, that are the root cause of many security problems).
But the more the outcry, the faster Microsoft will work to fix this. They've sold
products, and later decided to try to secure them, with very predictable results.
All products have defects, but the number of serious security defects in their
products is shamefully large. It's not just market share; Apache has twice the
market share that Microsoft's IIS product has, and yet IIS has more security
vulnerabilities. It's a mindset. One that I hope Microsoft is actively trying to
change. Let's help encourage them to change it... and in the meantime, if you
choose to use their products, follow steps like these to reduce your risks.
Other Information
Please feel free to [192]visit my home page.
References
Visible links:
1. https://dwheeler.com/contactme.html
2. http://www.avantgarde.com/xxxxttln.pdf
3. http://www.staysafeonline.info/news/safety_study_v04.pdf
4. http://www.businessweek.com/magazine/content/04_40/b3902115_mz070.htm?chan=sb
5. http://www.freerepublic.com/focus/f-news/1312830/posts
6. http://www.benedelman.org/spyware/
7. http://blogs.msdn.com/oldnewthing/archive/2008/05/21/8525411.aspx
8. http://www.businessweek.com/technology/content/feb2006/tc20060202_832554.htm
9. http://www.nwfusion.com/reviews/2004/121304rev.html
10. http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html
11. http://www.pcworld.com/news/article/0,aid,119016,00.asp
12. http://p2pnet.net/story/3421
13. http://blogs.govexec.com/techinsider/archives/2007/03/is_that_windows_system_safe.html
14. http://www.crn.com/software/199701019
15. http://www.computerworld.com.au/index.php/id;128348660;fp;16;fpid;1
16. http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/
17. http://youtube.com/watch?v=FVbf9tOGwno
18. http://www.infoworld.com/article/08/01/14/02FE-why-save-xp_1.html
19. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112885
20. http://practical-tech.com/uncategorized/vista-adoption-going-no-where-it-considering-linux-and-mac-instead/
21. http://www.vnunet.com/vnunet/news/2229275/comment-pdc-suggests-vista-dead
22. http://www.theinquirer.net/?article=24690
23. https://dwheeler.com/essays/securing-windows.html#alternativeos
24. http://www.nytimes.com/2007/01/07/technology/07tips.html?_r=1&oref=slogin
25. http://www.healconsulting.com/Documentation/security.html
26. http://www.vnunet.com/news/1135763
27. https://dwheeler.com/essays/securing-windows.html#nokidsrooms
28. https://dwheeler.com/essays/securing-windows.html#ownaccount
29. https://dwheeler.com/essays/securing-windows.html#goodpasswords
30. https://dwheeler.com/essays/securing-windows.html#sslprivate
31. https://dwheeler.com/essays/securing-windows.html#antivirus
32. https://dwheeler.com/essays/securing-windows.html#firewall
33. https://dwheeler.com/essays/securing-windows.html#patches
34. https://dwheeler.com/essays/securing-windows.html#dontuseie
35. https://dwheeler.com/essays/securing-windows.html#cookies
36. https://dwheeler.com/essays/securing-windows.html#dontuseoutlook
37. https://dwheeler.com/essays/securing-windows.html#hiddenextensions
38. https://dwheeler.com/essays/securing-windows.html#noprogramsviaemail
39. https://dwheeler.com/essays/securing-windows.html#nostrangerattachments
40. https://dwheeler.com/essays/securing-windows.html#nopiracy
41. https://dwheeler.com/essays/securing-windows.html#checkreputation
42. https://dwheeler.com/essays/securing-windows.html#readlicense
43. https://dwheeler.com/essays/securing-windows.html#phishing
44. https://dwheeler.com/essays/securing-windows.html#backups
45. https://dwheeler.com/essays/securing-windows.html#disconnect
46. https://dwheeler.com/essays/securing-windows.html#whitelistemail
47. https://dwheeler.com/essays/securing-windows.html#harden
48. https://dwheeler.com/essays/securing-windows.html#wireless
49. https://dwheeler.com/essays/securing-windows.html#physical
50. http://dansguardian.org/
51. http://www.google.com/preferences
52. http://www.altavista.com/web/ffset?ref=Lw
53. http://www.pcworld.com/resource/article/0,aid,120314,pg,1,RSS,RSS,00.asp
54. http://www.faqs.org/faqs/computer-virus/alt-faq/part2/
55. http://www.users.qwest.net/~eballen1/virefs.html
56. http://www.washingtonpost.com/wp-dyn/articles/A55207-2005Feb26.html
57. http://news.com.com/The+slow+road+to+Windows+XP/2100-1016_3-5746046.html?part=rss&tag=5746046&subj=news
58. http://www.zetetic.net/solutions/strip/index.html
59. http://netsecurity.about.com/cs/windowsxp/a/aa100903.htm
60. http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
61. http://www.microsoft.com/technet/support/kb.asp?ID=300489
62. https://dwheeler.com/oss_fs_why.html
63. http://www.eweek.com/article2/0,1759,1749993,00.asp
64. http://en.wikipedia.org/wiki/AVG_%28software%29
65. http://news.bbc.co.uk/1/hi/technology/6418965.stm
66. http://www.firewallguide.com/spyware.htm
67. http://spywarewarrior.com/asw-test-guide.htm
68. http://www.pcworld.com/news/article/0,aid,118362,00.asp
69. http://www.nwfusion.com/reviews/2004/121304rev.html
70. http://www.spywarewarrior.com/rogue_anti-spyware.htm
71. http://microsoft.blognewschannel.com/index.php/archives/2005/01/06/microsoft-anitspyware-first-impression/
72. http://en.wikipedia.org/wiki/MS_Antivirus_%28malware%29
73. http://www.avantgarde.com/xxxxttln.pdf
74. http://www.smoothwall.org/
75. http://software.newsforge.com/article.pl?sid=05/03/04/1552242&from=rss
76. http://www.astaro.org/
77. http://www.ipcop.org/
78. http://www.coyotelinux.com/products.php?Product=coyote
79. http://software.newsforge.com/article.pl?sid=05/03/07/1720217&from=rss
80. http://www.zelow.no/floppyfw/index.html
81. http://net-security.org/malware_news.php?id=1863
82. http://www.wown.com/articles_tutorials/Dark-Side-Windows-XP-SP2.html
83. http://reviews.zdnet.co.uk/software/internet/0,39024165,39210992,00.htm
84. http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html
85. http://redmondmag.com/features/article.asp?editorialsID=439
86. http://ptech.wsj.com/archive/ptech-20040916.html
87. http://ptech.wsj.com/archive/ptech-20041230.html
88. http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieinfect_x.htm
89. http://www.forbes.com/2004/09/29/cx_ah_0929tentech.html?partner=tentech_newsletter
90. http://www.forbes.com/bow/b2c/category.jhtml?id=301
91. http://www.eweek.com/article2/0,1759,1617931,00.asp
92. http://www.eweek.com/article2/0,1759,1745091,00.asp
93. http://www.gcn.com/24_1/reviews/31474-1.html
94. http://www.washingtonpost.com/wp-dyn/articles/A47146-2004Nov13.html
95. http://www.smh.com.au/news/Breaking/Gartner-caution-on-Firefox-takeup/2005/02/09/1107890254074.html?oneclick=true
96. http://www.denverpost.com/Stories/0,1413,36%257E32540%257E2785364,00.html
97. http://www.scarydevil.com/~peter/io/longhorn.html
98. http://linuxmafia.com/~karsten/Rants/spyware.html
99. http://www.desktoppipeline.com/53700233
100. http://channels.lockergnome.com/news/archives/20040615_why_you_should_dump_internet_explorer.phtml
101. http://www.informationweek.com/story/showArticle.jhtml?articleID=55301109
102. http://nanobox.chipx86.com/ie_is_dangerous.php
103. http://bcheck.scanit.be/bcheck/page.php?name=STATS2004
104. https://dwheeler.com/blog/2005/08/06/#ie-horrific
105. http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html
106. http://www.kb.cert.org/vuls/id/713878
107. http://www.internetnews.com/security/article.php/3374931
108. http://news.bbc.co.uk/2/hi/technology/3840101.stm
109. http://secunia.com/product/11/
110. http://secunia.com/product/4227/
111. http://secunia.com/product/761/
112. http://www.sans.org/top20/
113. http://www.bankersonline.com/security/security_browserthreat070204.html
114. http://www.securityfocus.com/columnists/249
115. http://www.businessweek.com/technology/content/jun2004/tc20040629_7734_tc120.htm
116. http://www.mozilla.org/
117. http://www.nytimes.com/2004/12/19/business/yourmoney/19digi.html?oref=login
118. http://weblogs.mozillazine.org/asa/archives/007574.html
119. http://vtbsd.net/Firefox_Poster.pdf
120. http://informationweek.com/story/showArticle.jhtml?articleID=159902316
121. http://www.mozilla.org/security/bug-bounty.html
122. http://arstechnica.com/news.ars/post/20050124-4549.html
123. http://weblogs.mozillazine.org/ben/archives/007366.html
124. http://www.scottberkun.com/blog/?p=115
125. http://www.google.com/help/features.html#prefetch
126. http://computer.howstuffworks.com/firefox.htm/printable
127. http://www.popuptest.com/
128. http://www.malware.com/flopup.html
129. http://news.com.com/2009-1001-276735.html?legacy=cnet
130. http://www.cert.org/tech_tips/malicious_code_FAQ.html
131. http://www.defenselink.mil/nii/org/cio/doc/mobile-code11-7-00.html
132. http://www.cs.princeton.edu/sip/java-vs-activex.html
133. http://news.com.com/2100-1023-268947.html?legacy=cnet
134. http://www.javaworld.com/javaworld/jw-03-1997/jw-03-component.web97.html
135. http://icat.nist.gov/icat.cfm
136. http://www.mozillazine.org/talkback.html?article=6079
137. http://www.eweek.com/article2/0,1759,1776943,00.asp
138. http://www.theage.com.au/articles/2005/03/21/1111253920087.html?oneclick=true
139. http://bcheck.scanit.be/bcheck/
140. http://weblogs.mozillazine.org/ben/archives/007185.html
141. http://bugzilla.spamassassin.org/show_bug.cgi?id=2072
142. http://linuxmafia.com/~karsten/Rants/spyware.html
143. http://www.mozilla.org/products/thunderbird/
144. http://www.pcmag.com/article2/0,1759,1745956,00.asp
145. http://www.flexbeta.net/main/articles.php?action=show&id=36
146. http://www.linuxtimes.net/modules.php?name=News&file=article&sid=587&page=1
147. http://texturizer.net/thunderbird/extensions/
148. http://news.com.com/Mozillas+Lightning+to+strike+Outlook/2100-7344_3-5501618.html?tag=nefd.top
149. http://shellter.sourceforge.net/evolution/
150. http://www.cert.org/incident_notes/IN-2000-07.html
151. http://www.msnbc.msn.com/id/6868504/
152. http://www.openoffice.org/
153. http://www.eweek.com/article2/0,1759,1571626,00.asp
154. http://theopendisc.com/
155. http://theopencd.sunsite.dk/index.php
156. http://www.oooff.com/
157. http://www.flexiety.com/
158. http://www.tigerdirect.com/
159. http://www.google.com/
160. http://www.cleansoftware.org/
161. http://www.pcpitstop.com/spycheck/eula.asp
162. http://eff.org/wp/eula.php
163. https://dwheeler.com/oss_fs_why.html
164. http://www.gnu.org/copyleft/gpl.html
165. http://www.gnu.org/copyleft/lesser.html
166. http://www.opensource.org/licenses/mit-license.html
167. http://www.groklaw.net/article.php?story=20050106075631519
168. http://www.nsa.gov/snac/
169. http://csrc.nist.gov/pcig/cig.html
170. http://www.microsoft.com/security/
171. http://netsecurity.about.com/cs/windowsxp/a/aa100903.htm
172. http://securityfocus.com/infocus/1814
173. http://www.tomsnetworking.com/Sections-article111.php
174. http://www.iss.net/wireless/WLAN_FAQ.php
175. http://www.windowsitpro.com/Windows/Article/ArticleID/39201/39201.html
176. http://csrc.nist.gov/pcig/cig.html
177. http://www.cert.org/tech_tips/home_networks.html
178. http://www.us-cert.gov/cas/tips
179. http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
180. http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html
181. http://www.stsc.hill.af.mil/crosstalk/2005/06/0506Bollinger.html
182. http://rexxinfo.org/html/open_consulting.html
183. http://www.informationweek.com/news/showArticle.jhtml?articleID=205604334&cid=nl_IWK_BTL
184. http://fedora.redhat.com/
185. http://www.redhat.com/
186. http://www.ubuntulinux.org/
187. http://www.novell.com/linux/suse/
188. http://www.freebsd.org/
189. http://www.openbsd.org/
190. http://www.debian.org/
191. http://distrowatch.com/dwres.php?resource=major
192. https://dwheeler.com/
Hidden links:
194. https://dwheeler.com/essays/securing-windows.html#kidsnoreveal