Prevent Yourself from Being Hacked Part II

#1 Dec 11 2007 at 8:44 AM Rating: Good
This is the second guide I wrote for a previous game community I was part of. I haven't played this game in a couple of years now, so some of this information may be out of date, but I'm posting it so that people who don't know better can get a feel for what's out there. All comments and critique are welcome.

I am starting this thread as a follow-up to my first, 'Prevent Yourself from Hackers'. This tutorial will attempt to go more in depth on the subjects of knowing which processes are doing what on your machine and which programs are communicating with remote machines, as well as some deeper thoughts on previously mentioned items. Again, as I start laying out information, if you see something that is incorrect or incomplete, please feel free to chime in with additional comments. I am bound to make a mistake or not go deep enough on a subject that you would like more info on. I'm only human and cannot be perfect, but as my last thread had EXCELLENT feedback from the many contributors, it has become a solid tutorial. My hope is that the same will happen here; after all, if we work together as a community to help others, we can hope to prevent more of these hackings. Please also forgive me if I jump from topic to topic, as I have written this guide over the course of several days in my spare time.

Use A Firewall:

This is a topic that I covered briefly in my last post but I will go a bit deeper here.
Hardware Based:
Most hardware firewalls come in default-accept mode. This means they are configured to allow easy installation of the firewall with minimal configuration to get it running. The problem with this is that most people stop there. They figure the firewall is in place, so that's good enough. Well, the hard truth of the matter is that most firewalls will just allow anyone access; you see this most visibly with wireless routers. When you unbox your wireless router and plug it in, it is generally configured to accept any traffic that tries to authenticate with it. If you really don't care about the safety of your network/data then this is fine, and it is fine for most people. HOWEVER, if you are looking to better secure your network, then you should go into the configuration (which I will not be going into in detail here, as there are too many to cover specifically; for more information on this please refer to the main website of the product you have) and turn on some validation.

Most routers have several options for this depending on your preference. Turning on some sort of security is essential, as is not broadcasting your network. Broadcasting your network allows anyone in wireless range to see that you have a wireless network. Most people know this when they go to find their network and they see 'Bob's Wireless Network - No Encryption' and can just connect to it. Bob might be their neighbor or someone that lives close by. If Bob has shared network drives, then anyone who can see his wireless network can get into those folders.

Software Based:
Software-based firewalls generally come configured as default deny, which is a good thing. You probably notice when you're running ZoneAlarm or a similar product that a message comes up saying "Entropia Universe is trying to send data via ??? port". Default deny is excellent, and I'm glad that software-based firewalls take this approach. Most of us are capable of saying "Yes, I know EU is trying to get out, so ignore this message; EU is a safe program". HOWEVER, some people are too liberal when it comes to hitting the ignore button and will allow software that they do not know about unrestricted access to their ports. Please be aware of what you are allowing to connect. If you are unsure of what the program is, look it up first.

Executable Type Files:
Let me first start this off by talking briefly about executable files. Most people know that files named .EXE and .COM are files that can be run, or executed. It is code that someone has written and then put into a compiler, which basically translates the coding language into machine language so that your processor can understand it and perform the tasks required. Now, these are not the only files that can be run on the computer; in fact, the most dangerous ones these days are the executable scripts. A script is simply code that someone has written that has not been sent to a compiler. So it in itself is not harmful. The script requires the scripting runtimes in order to operate. Scripts do a number of various tasks and make it easier to perform operations on your computer. The way these are used maliciously is by taking advantage of the fact that almost every computer has the scripting runtimes loaded to view webpages, etc. However, if someone knows the ins and outs of the scripting language, they can do things that can cause your life to be bad.

One of the MOST common malicious scripts is one where someone sends an email to your Hotmail address with a script attached. Once you open this email, it executes the script, thinking that it might be something to do with the layout or looks of the email. At this point the script makes it look like Hotmail has logged you out (when in fact it's just the script loading a look-alike login page) and you go and log back in. Now you have just entered your username and email address, which is instantly emailed to the attacker. At this point either the script or the attacker will change your password, and now you can no longer get into your email. This makes you think about how password resets work for things like EU...

Watching your Process list:
Here is another topic that I will go deeper into. For this example I personally use 'What's Running'. Basically we are trying to learn what our computer is doing, right? In doing this we must understand which processes are good in order to ignore them. Personally, it was hard for me to comprehend all the processes that Windows is using at any given time to do what it needs to do to allow your computer to function. When I was first learning this, what I would do is format my computer using an authentic Windows-stamped disc. After all updates were done, I would open up my process list and write down everything that's running to give me a ballpark feel for which processes are Windows-owned. With programs like 'What's Running' you can click on a process and it will do a search on that process and tell you information about it. This method really only works to a certain extent.

A couple of years back now, there was a very nasty virus (most of you IT guys will remember) called the Blaster worm. This worm actually used a good process called 'SVCHost' to perform its tasks of ruining your machine. It's rare, but not out of the question, that these hacks come into play. Using Windows against itself is the most common type of attack for PC-based users, exploiting holes in code that was written by Microsoft. Unfortunately, for these types of exploits we rely on our virus protection. The downfall here is that it's hard to detect a virus that was written today or written for a specific purpose. Most viruses are spread through junk emails or things of this nature. However, the ones that cause us the most grief are the ones written with the specific purpose of getting to YOU. Virus protection companies have problems here because they never receive the malicious code. The person doing the wrong wrote the code and gave it to you and you alone, so there is no mass spreading of it; therefore it never reaches the virus protection companies' visibility.

Any good virus protection goes above and beyond and watches for things that are happening out of the ordinary, and firewalls have taken some of this weight off the shoulders: watching what's modifying key Windows files and registry settings and bringing these things to your attention. But as I stated in my previous section, most people disregard these and just hit accept when the program is telling you something important. We must strive to know what's going on. Programs like 'What's Running' will tell you the location of the process's executable file so that you can inspect it further.

Watching your network Traffic:
This is going to be a hard topic to cover, as there is so much to know (a lot of stuff that I still have to learn as well). I personally use TCPView (by Sysinternals, who appear to have been taken over by Microsoft since my last visit to their page). What TCPView will do is show you a list of all open connections to and from your computer. Now, as I said, there is A LOT of communication happening while you are connected to the internet. However, all of it should be communicating through a process that shows up in your process list. You will see a lot of communication coming from processes like SVCHost and InetInfo, which are OK. However, this is where you look if you suspect a program is sending/receiving data.

Let's say you got that new 3rd-party app and you want to see if it's transmitting data. Load up TCPView first. THEN load up your 3rd-party app to see if it shows up in this list. IF IT DOES, then your 3rd-party app IS transmitting data to somewhere. From here it will show you the IP address your computer is talking with. If you find something strange like this, you probably want to first and foremost kill that process and connection (which can be done inside TCPView by right-clicking and closing the connection). The next thing I would do is a whois search on the IP address to see what pops up. It might be a website someone owns, or more likely a personal IP address, which will lead to a dead end. At this point I would contact the maker of the software to find out just what data is being communicated. If they deny it, take immediate steps to eradicate the software from your machine, as they are lying to you, which is one flag to let you know of probable malicious intent.

Know what’s out there:
This is where a fine line is drawn in the sand between security experts and hackers. Some of the best security teams out there were former hackers. AtStake is a company I can think of right off the top of my head; they were the developers of some really advanced Trojans that are allegedly used as baselines to write the Carnivore/Magic Lantern projects. One day they decided to profit off of their knowledge and turned to the security world. In order to know how to protect yourself, you MUST know WHAT you're protecting yourself against. There are so many types of attacks on your system, from DoS (Denial of Service) attacks to Trojans and rootkits, keyloggers, and spyware, to name a few. All of these affect you in different ways. I highly suggest reading up on some of these subjects so that you know how they affect you. I will cover a few of the top ones in a very basic overview.

Keylogger: These are programs that simply record anything that happens on your keyboard or mouse. Most of the versions available have extensive logging as well to show what program was opened and then what was typed in that program. So you can visibly see things like:
[MouseClick] 30,109
[ProgramOpen] POL.exe
[Keyboard] ABCD1234 <TabKey> ILoveFFXI

(And no, this isn't my real account info. You think I'm that dumb to show it to you? I AM writing a security piece, after all.)

Now a keylogger isn't a bad thing in and of itself, because a log created on your machine is still yours, right? Well, the problem comes when that log is accessed. A lot of keyloggers have one of two methods of getting this data to the person who sent it to you. One method involves random emails sent from your machine to the attacker. The keylogger gets a bunch of info and fills a log. Once that log is filled, it transmits that log via email to the attacker's email address. The problem with detecting this method is that there is no outbound connection until that log is filled, at which point an email is generated using (typically) a random mail server. If you can catch this connection while it is happening via a packet viewer, you might be able to see where the email is being sent to, but that would be very hard unless you knew it was there and filled it up on your own by clicking lots of random things. The second method of obtaining this log brings me to my next topic.

Trojans/Rootkits: There are subtle differences between these, but for the intent of this article I will omit the differences and talk about them as one and the same. Trojans are programs that mimic the functionality of programs like NetMeeting/pcAnywhere and things of this nature. Basically what it does is turn your computer into a remote terminal that one can access at will, and they will have the same amount of access as the person sitting at the keyboard, including but not limited to reading anything on your network, viewing connections, seeing YOUR desktop (just the same as you do), looking through your webcam, listening through your microphone, etc. Trojans are probably the worst type of attack out there, in my opinion. They can quite literally ruin your life. You keep your resume on your computer? Now the attacker knows your phone, address, previous employers, and school history. I don't need to get into what kind of identity fraud this can lead to.

DoS Attacks: DoS (Denial of Service) attacks can happen in a number of different ways and basically mean that some program/script is causing one of the services on your machine to perform below standard. The services most commonly affected are your internet traffic, processing power, or hard drive seek times. DoS attacks happen a lot in conjunction with the previous two types of attacks and can happen at various stages. It can be the method by which a Trojan is installed on your machine. The possibilities for this attack are plentiful, so I am not going to go through the various ways it can happen, but I will give you one example that is commonly used so you have an idea of what I'm talking about.

When an attacker wants to get a Trojan/rootkit on your machine, most of the time virus protection blocks it. So what the attacker will do is write a program that will cause your machine to get into a continuous loop. Now, depending on what the attacker is trying to do, they can strategically pick a memory bank that is being used by, say, your virus protection. They create data and send it to that particular memory bank at speeds that will cause your computer to appear to freeze up until programs start to crash. Now, if they did it for one specific purpose (crashing your virus protection, say), the program that is causing the DoS then sees that its task has been successful. Now it can load the Trojan onto your machine without worry that the virus protection will block it. At this point it can do very bad things, because your computer is still in a hung state and the Trojan is loaded. Now it stops jamming the memory bank and allows the attacker to get in. This is just one of the MANY strategies that are used.

This is where I will close my thoughts for now, and like I said, if anyone wants to know more about a particular area, let me know and perhaps I will address it in more detail with a follow-up or modified post. Also, if you see anything that needs to be corrected, please let me know ASAP so that I can change it. I've read it over a few times now, but it's late and I'm tired, so it's almost guaranteed that I've screwed something up. Anyway, I hope you got some info out of this that could be beneficial to you.
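
The two checks the post above describes by hand, baselining the process list after a clean install and then looking at which of those processes have connections open, as an added example in Python. This is not code from the original post, nor from 'What's Running', TCPView or any other tool the post names. The baseline, the later snapshot and the connection listing are constructed sample data; the listing is assumed to be in the column layout of `netstat -ano` (TCPView shows the same fields), and executable paths are compared case-insensitively because Windows paths are. The extra check it adds beyond the post is the one the Blaster/SVCHost remark calls for: a process with a known-good name is still flagged if it runs from a path the clean install never used.

```python
"""Baseline-and-diff check for the process list and open connections.

Added example, not code from the original post or any tool it names. All process
entries and connection lines below are constructed sample data, not captured output.
"""
from collections import defaultdict

# Baseline from a clean install: process name -> executable paths it may run from.
# Constructed sample; build your own from your clean-install snapshot.
BASELINE = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "inetinfo.exe": {r"c:\windows\system32\inetsrv\inetinfo.exe"},
}

# Later snapshot as (pid, name, path). Constructed; note the second svchost.exe
# running from a user-writable temp directory, and the new 3rd-party app.
SNAPSHOT = [
    (604, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1488, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    (2140, "svchost.exe", r"C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe"),
    (2296, "newapp.exe", r"C:\Program Files\NewApp\newapp.exe"),
]

# Open connections in the layout of 'netstat -ano'. Constructed sample; the remote
# addresses are documentation ranges (RFC 5737), not real hosts.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1046       192.168.1.1:80         ESTABLISHED     1488
  TCP    192.168.1.5:1052       203.0.113.17:6667      ESTABLISHED     2140
  TCP    192.168.1.5:1060       198.51.100.9:443       ESTABLISHED     2296
  UDP    0.0.0.0:500            *:*                                    604
"""


def review_processes(baseline, snapshot):
    """Return (pid, name, path, reason) for every snapshot entry that is off-baseline.

    A name never seen on the clean install is one finding; a known name running from
    a path the clean install never used is the other, which is how a look-alike
    executable hides behind a good name such as svchost.exe.
    """
    findings = []
    for pid, name, path in snapshot:
        key = name.lower()
        if key not in baseline:
            findings.append((pid, name, path, "not in baseline"))
        elif path.lower() not in baseline[key]:
            findings.append((pid, name, path, "known name, unexpected path"))
    return findings


def parse_netstat(text):
    """Parse 'netstat -ano' style lines into (proto, local, remote, state, pid).

    UDP rows carry no State column, so their PID is the fourth field rather than
    the fifth. Header and blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        rows.append((proto, local, remote, state, pid))
    return rows


def connections_to_investigate(findings, rows):
    """Map each flagged PID to the sorted remote endpoints it is talking to.

    These are the addresses to whois and the connections to close, in the order the
    post describes. Unbound UDP sockets ('*:*') are not endpoints and are ignored.
    """
    flagged = {pid for pid, _, _, _ in findings}
    remotes = defaultdict(set)
    for _, _, remote, _, pid in rows:
        if pid in flagged and remote != "*:*":
            remotes[pid].add(remote)
    return {pid: sorted(r) for pid, r in remotes.items()}


if __name__ == "__main__":
    found = review_processes(BASELINE, SNAPSHOT)
    for pid, name, path, reason in found:
        print(f"PID {pid:>5} {name:<14} {reason}: {path}")
    for pid, ends in connections_to_investigate(found, parse_netstat(NETSTAT)).items():
        print(f"PID {pid:>5} talks to {', '.join(ends)}")
```

On the constructed data this flags PID 2140 (svchost.exe from a temp directory) and PID 2296 (newapp.exe, not on the baseline) and lists 203.0.113.17:6667 and 198.51.100.9:443 as the endpoints to look up. The same functions work on a real `netstat -ano` capture pasted into NETSTAT and a snapshot taken from Task Manager or 'What's Running', provided the executable path is recorded alongside each process name.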
#2 Dec 11 2007 at 12:14 PM Rating: Decent
I admire the idea, but those are some giant blocks of text. Could we insert some paragraphs for easy reading?

#3 Dec 18 2007 at 1:08 PM Rating: Decent
All in all, a great set of posts with very good advice on securing a home PC :)

However, there is one security measure I have not seen anyone post - apologies if it has been mentioned, but it bears repeating here with the above list.

NEVER use the Administrator or root account, or an account with administrator rights, for your general everyday use. Rename your administrator account and have a secondary general account with restricted rights to use for gaming, surfing the net, etc.

And/Or, for those users of Microsoft products, go to Microsoft's support site and read the article about "Drop my rights". It shows how to set up commands in your shortcuts that automatically remove install and other admin rights when you start a program. (e.g. IE and other browsers)

The result of this would be that programs called through IE or other browsers would not be able to install. This is one more layer of security to add to your firewall, AV and popup blockers, and can even prevent many zero-day vulnerabilities from being installed on your PC.

Yes, what I describe is locking down your PC to an annoyingly restricted level, but it's my 2 cents as a CISSP.

And even with Firewall, AV, and dropping your rights, you can still be hacked. Renaming and protecting the administrator account will limit the damage that can be done, and give you a possible way to take back your PC.
#4 Dec 18 2007 at 4:16 PM Rating: Good
Any advice for those Xbox360 or PS2 players also? Otherwise, good stuff.
#5 Dec 19 2007 at 2:32 AM Rating: Decent
Deggy wrote:
Any advice for those Xbox360 or PS2 players also? Otherwise, good stuff.


Don't mod them.

That's as far as security goes for what you can do yourself; the rest is up to M$ and Sony to protect your consoles. It's hard/near-impossible to give a console a virus, but it can be hacked regardless if you're using the net services supplied by the companies.