#1

Hello. I have not posted here before, but it seems like you folks can probably give good analysis of computer security problems.

If I understand things correctly, the following combinations should provide good security:

Firewalls and real-time AV programs are the only defense against unsolicited problems?

Bios password protects against unauthorized access, so long as the hard drive is in the same computer as it was when the password was installed.

Whole-drive encryption protects unauthorized access if your drive is removed and accessed by a third party as an external data storage device.

Encrypting transmissions across the internet will provide security if my transmissions are intercepted.

Some sort of tunneling (ssl, ssh, ssd, etc.) can be used to secure transmissions over the internet.

An anonymizing service can prevent tracking by a local ISP.

Are there any other nodes where security can be compromised? How can I prevent them from being compromised?

Obviously, my IP address is necessary in order for any other computer to send me the files I am trying to access. Is there any way to make my IP address unrecognizable to anyone intercepting a transmission?

I am not concerned about anyone knowing my RL identity, and things like that, I just don't want anyone to know anything I don't explicitly put out there.

I am currently running XP, Comodo firewall, and avast! anti-virus.

Sincerely,
DES Unknown

#2

"Frank Merlott" <> wrote in message news:...
>> Bios password protects against unauthorized access, so long as the
>> hard drive is in the same computer as it was when the password was
>> installed.
>
> You can reset the BIOS password opening the case and taking out the
> battery, a child's game. In addition some companies have a master password
> for the BIOS (i.e. backdoor).

Yes, I had read that. In this group, it seemed that there was at least some merit to using it. However, it appears that this is the weak link in computer security.

Originally I came up with the idea of including password protection in the "read" command protocols. If a "read disk" command was issued, the "read disk" hardware would not implement the "read" before checking that it had proper permission to do so. But I have not been able to come up with a way of implementing that kind of programming, either hard or soft. Further, the password and the protocol would have to be on the HD, and encrypted, so that the disk address read would always have to be the same, i.e., preprogrammed. This would allow for anyone reading the disk as an external device to simply read a given track/sector/etc., get the password, and go from there. Even if the disk was encrypted, some disk info would be available, and would probably eventually allow for decryption.

> The obvious thing, if your computer is switched and someone can access it
> whole disk encryption will not help you, SSH will not help you, nothing
> will help you, make sure your computer is never switched on when you are
> not there.

.... because all of these things operate automatically once you are booted up and logged in. Thus my interest in preventing boot-up.

> Do not install warez (ie cracked software) in your computer, they may
> contain trojans and once a trojan is in your computer they will do
> anything they like with it.

I have seen the term warez, but I have never known what it is. I have never had anything to do with it.

Thanks for the info.

DES Unknown
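
The post above worries that a password kept at a fixed disk address can be read by anyone who attaches the drive as an external device. The following sketch is an added example, not code from the thread or from any product named in it; it contrasts that layout with a header sector that holds only a salt, a wrapped master key and a check value derived from the passphrase with PBKDF2. The sector layout, function names, iteration count, sample passphrase and the XOR key wrap (standing in for a real cipher, which Python's standard library does not provide) are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SECTOR_SIZE = 512
ITERATIONS = 100_000  # assumed work factor for this sketch


def naive_header(password: str) -> bytes:
    """Layout described in the post: the password itself sits at a fixed address."""
    raw = password.encode()
    return bytes([len(raw)]) + raw.ljust(SECTOR_SIZE - 1, b"\0")


def read_naive_password(sector: bytes) -> str:
    """What anyone reading the drive as an external device can do."""
    return sector[1:1 + sector[0]].decode()


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into a key-wrapping key and a separate check key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def kdf_header(password: str, master_key: bytes) -> bytes:
    """Header with salt, wrapped master key and check tag; no password stored."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)
    wrap_key, check_key = _derive(password, salt)
    # XOR with a single-use derived key stands in for a real cipher here.
    wrapped = bytes(a ^ b for a, b in zip(master_key, wrap_key))
    tag = hmac.new(check_key, salt + wrapped, hashlib.sha256).digest()
    return (salt + wrapped + tag).ljust(SECTOR_SIZE, b"\0")


def unlock(sector: bytes, password: str) -> Optional[bytes]:
    """Return the master key for the right passphrase, None for a wrong one."""
    salt, wrapped, tag = sector[:16], sector[16:48], sector[48:80]
    wrap_key, check_key = _derive(password, salt)
    expected = hmac.new(check_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))


if __name__ == "__main__":
    passphrase = "correct horse battery"   # constructed sample value
    master = os.urandom(32)                # key that would encrypt the data

    naive = naive_header(passphrase)
    print("naive sector leaks:", read_naive_password(naive))

    header = kdf_header(passphrase, master)
    print("passphrase bytes in KDF header:", passphrase.encode() in header)
    print("right passphrase unlocks:", unlock(header, passphrase) == master)
    print("wrong passphrase unlocks:", unlock(header, "guess") is not None)
```

With the second layout, reading the header sector yields nothing that can be used directly; each passphrase guess costs a full PBKDF2 run, so the protection rests on the strength of the passphrase and the work factor.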

#3

"Frank Merlott" <> wrote in message news:...
> I would add to that JanusVM or Operator and Truecrypt.

Question: Is VMware player or VMware server the better choice? What are the differences?

Thanks for all your help.

DES Unknown

#4

On Fri, 28 Nov 2008 12:10:21 -0500, Unknown wrote:
> Hello. I have not posted here before, but it seems like you folks can
> probably give good analysis of computer security problems.
> If I understand things correctly, the following combinations should
> provide good security:
>
> Firewalls and real-time AV programs are the only defense against
> unsolicited problems?
> Bios password protects against unauthorized access, so long as the
> hard drive is in the same computer as it was when the password was
> installed.
> Whole-drive encryption protects unauthorized access if your drive
> is removed and accessed by a third party as an external data storage
> device.
> Encrypting transmissions across the internet will provide security
> if my transmissions are intercepted.
> Some sort of tunneling (ssl, ssh, ssd, etc.) can be used to secure
> transmissions over the internet.
> An anonymizing service can prevent tracking by a local ISP.
>
> Are there any other nodes where security can be compromised? How
> can I prevent them from being compromised?
> Obviously, my IP address is necessary in order for any other computer
> to send me the files I am trying to access. Is there any way to make
> my IP address unrecognizable to anyone intercepting a transmission?
> I am not concerned about anyone knowing my RL identity, and things
> like that, I just don't want anyone to know anything I don't explicitly
> put out there.
>
> I am currently running XP, Comodo firewall, and avast! anti-virus.

"*Security is a process not a product*" (Bruce Schneier).

Educational reading: 10 Immutable Laws of Security.
http://technet.microsoft.com/en-us/l.../cc722487.aspx

For WinXP the most dependable defenses are:-

1. Do not work as Administrator; For day-to-day work routinely use a Least-privileged User Account (LUA).
Applying the Principle of Least Privilege to User Accounts on WindowsXP
http://technet.microsoft.com/en-us/l.../bb456992.aspx

2. Secure (Harden) your operating system.
http://www.5starsupport.com/tutorial...ng-windows.htm

3. Don't expose services to public networks.
Windows XP Service Pack 3 Service Configurations
http://www.blackviper.com/WinXP/servicecfg.htm

4. Keep your operating (OS) system (and all software on it) updated/patched.
How to configure and use Automatic Updates in Windows XP
http://support.microsoft.com/kb/306525
http://www.update.microsoft.com/wind....aspx?ln=en-us

4a. Got SP3 yet? Why Service Packs are Better Than Patches.
http://www.microsoft.com/technet/arc....mspx?mfr=true

5. Reconsider the usage of IE and OE. Utilizing another browser application and e-mail provider can add to the overall security of the OS.
Consider: Opera, FireFox or Seamonkey and PegasusMail, Thunderbird, or WLM.

5a. Secure (Harden) Internet Explorer.
Internet Explorer7 Desktop Security Guide.
http://www.microsoft.com/downloads/d...displaylang=en

6. Review your installed 3rd party software applications/utilities; Remove clutter, *including* all Anti-WhatEver ware and 3rd party software personal firewall application (PFW) - the one which claims: "It can stop/control malicious outbound traffic".

7. If on dial-up Internet connection, activate the built-in firewall.
Windows XP: How to turn on your firewall.
http://www.microsoft.com/protect/com...rewall/xp.mspx

7a. Configure Windows by using: Seconfig XP 1.1
http://seconfig.sytes.net/

7b. If on high-speed Internet connection use a Router and implement Countermeasures against DNSChanger.
http://extremesecurity.blogspot.com/...-hijacked.html

7c. And (just in case) Wired Equivalent Privacy (WEP) has been superseded by Wi-Fi Protected Access (WPA).

8. Utilize one (1) each 'real-time' anti-virus and anti-spy application.
Consider: Avira AntiVir® PersonalEdition Classic - Free and Windows Defender.

9. Employ back-up application(s).
Windows XP Backup Made Easy
http://www.microsoft.com/windowsxp/u..._03july14.mspx
Consider: Acronis, Casper or Norton Ghost and ERUNT.

9a. Utilize vital operating system monitor utilities/applications.
Consider: Process Explorer, AutoRuns, TCPView, WALLWATCHER, Wireshark, Port Reporter etc.

10. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

The least preferred defenses are:-
Myriads of popular anti-whatever (*real-time*) applications and staying ignorant.

FYI: Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as avoiding any malware infection however there are some special considerations: Because rootkits meddle with the operating system itself they *require* full Administrator rights to install. Hence infection can be avoided by running Windows from an account with *lesser* privileges" (LUA in XP and UAC in Vista).

Good luck
Kayman

#5

"Moe Trin" <> wrote in message news:...
> <Snickers> Is all of that crap up to date? I doubt it.
>
> Old guy

Assuming that your post was intended as flame-bait, I will keep this short.

I don't know how old you are, but I doubt you've been using desk-tops, the internet, or newsgroups longer than I have. I've been using computers for longer than any of those things have been around, and certainly since long before RFC1855 was even a thought.

I check for updates daily, at least. Most of the suggestions given so far I had already implemented (including all but one of the suggestions given in the websites suggested by Kayman), but was looking for input from other perspectives, in case I had missed something.

Yours was particularly un-helpful, but will nevertheless be scrutinized for any bit of information I can glean from it (which might be more than you think). I've even been reading, but not posting to, acs. for some time.

DES Unknown

#6

"Moe Trin" <> wrote in message news:...
> On Sat, 29 Nov 2008, in the Usenet newsgroup alt.computer.security, in
> article
> <b0650$49318230$4832fca$>, Unknown wrote:
>
>>Assuming that your post was intended as flame-bait, I will keep this
>>short.
>
> It wasn't - really simple. Most mal-ware infections are the result of
> the user doing st00pid things. If you're not aware of that, no
> anti-mal-ware is going to help. Tunneling and anonymizing sound
> great. Do you know who is operating the service you are using?
> Recently, a spammer posted to a number of newsgroups advertising such
> services... using servers located in Guangdong province. Trivial to
> discover if you have a clue - most people don't.

Actually, my only tunneling experience has been with my brief association with a news provider other than my ISP. It was configured by that news provider (funny, I can't remember which news provider it was -- many of them are offering tunneling as an add-on to the basic subscription.)

>>I don't know how old you are, but I doubt you've been using desk-tops,
>>the internet, or newsgroups longer than I have.
>
> Does a 'bang-path' mean anything to you? Mine was two links beyond Ames.

No, that doesn't mean anything to me. I was never a computer nerd, geek, or anything else like that. Computers have always been a tool to me.

>>I've been using computers for longer than any of those things have been
>>around, and certainly since long before RFC1855 was even a thought.
>
> RFC1855 was from 1995. Usenet is about 15 years older than that, and
> computer networks go back years before even that. Do you remember the
> original 3 MHz Ethernet?

I remember Ethernet, is there still any of it still around? Couldn't say if it was 3MHz or not.

> It predates the S-100 and Apple I, never mind
> the Apple ][ or IBM PC. We finally retired our last 3Base5 subnet about
> fifteen years ago.

The first small "computer" I had was a TI programmable calculator. Since it was able to save a program it counted as a computer, although I didn't know that at the time. I briefly had a Commodore 64.

My college-level work was mostly sciences (I graduated with a BS in Combined Sciences in 1980), but along the way I picked up 2-3 years of computer science classes as electives. Some of those were basic classes (I've programmed in IBM 360 assembler language, Fortran, and a few other relatively low-level languages; have even entered hex code into debug for short programs). One of those classes was a senior level course in "Microcomputer System Architecture", in which I wrote operating systems for the "new" desktop computers that had just recently come out.

Actually, my first computer course was a continuing education class at the local university while I was still in high school, about 1970 or 71. I graduated high school in 1972.

>>I check for updates daily, at least. Most of the suggestions given
>>so far I had already implemented (including all but one of the
>>suggestions given in the websites suggested by Kayman), but was looking
>>for input from other perspectives, in case I had missed something.
>
> and yet you are using Outlook Express on an Internet connection. Why?
> In another article here, you state that you have Xnews and alternative
> browsers, so it's not as if LookOut is the only application you've
> bothered to learn how to use. That application _alone_ has more CERT
> advisories than anything else.

I don't really know why. Maybe I'm just comfortable with it. Xnews does seem to have more reliable downloads, though. Fewer come through uncorrupted.

As to the "big eight" - one of the things that I liked when I saw this group was the more relaxed attitudes that I saw here. It's kinda like sitting around a pitcher of beer, with no full glasses, each person in turn (or out) exclaiming "No ****, there I was..."! I have my own story....

BTW, I do "read" the porn groups, my mommy knows it, and just shakes her head. Not much she can do about it at my age, and the fact that she doesn't live with me. But she loves me anyway!

Actually, most of my online activity is educational... I have special interests in anaerobic digester --> fuel cell technologies, biosystematics, cosmology, history, and the history of movies, newspapers, magazines, radio, and television.

But in fact, I do not limit my browsing in any way. For that reason alone I am subject to malicious intrusions from both the bad guys and the (supposed) good guys (government) who try to censor what I can look at. I suppose the fact that I once emailed Janet Reno threatening to purchase a gun (legally) for the first time in my life specifically to protect myself from law enforcement agents (of various ilk) doesn't help my situation any. I didn't actually threaten to harm anyone, just defend myself, but basically it was saying that the government was the bad guy, and that doesn't sit well with LE.

DES Unknown

#7

"Tim Jackson" <> wrote in message news: et...
> Hey is this an old IT guys convention. Can I join in? I did my time on
> card punches.

Yeah, even my earliest college-level computer courses used cards... no such thing as a micro-/mini- computer back then.

So, maybe it is an "old IT guys convention". I have never been a professional in the field, but many years ago I did a few years formal study in the field of computers. Some of my courses bordered on mathematical logic, and I actually do have some formal work in logic. Courses like "discrete structures" were taught as both math and computer science courses. "Data Structures" taught things like stacks, queues, linked lists, and the like (are those things still used today in "file system" types of software?)

DES Unknown

#8

"Moe Trin" <> wrote in message news:...
> It wasn't - really simple. Most mal-ware infections are the result of
> the user doing st00pid things. If you're not aware of that, no
> anti-mal-ware is going to help.

So, let me explain how I see security through software. It has a most precise analogy with "safety", as in the workplace, at home, etc.

For 17 years I worked as an industrial pretreatment sampler. My job was to take samples of industrial waste water, do some very basic tests such as measuring pH and such, prepare those samples for further lab analysis, and clean the equipment.

At every stage I was exposed to hazardous chemicals, some extremely so. Some of them were common things, like hydrochloric acid, sodium hydroxide, etc., but in much higher concentrations than one might find in most home or commercial settings. Sometimes I worked with 99.99% concentrations. HCl could burn through you on contact. There were also the unknowns. Since we were testing for what was in the water, it goes without saying that we really didn't know for sure what was in the water.

Doing the job was fairly straightforward. We sucked up water into glass bottles, poured that sample into multiple other bottles, put acids and bases into the bottles in order to "preserve" what we were going to test for, and apply caps and labels. Cleaning our equipment was done with HCl, strong enough to burn skin on contact.

During this whole process, if we were very careful, there would be no spills, splashes, overflows, etc. But if things didn't go perfectly (and of course, nothing's perfect), there were all manner of things that could go wrong, from broken glass flying at your head (yes, that actually happened to me) to splashing acid on your skin and into your eyes (yes, had both those things happen to me), to irritations of the skin, lungs, and digestive tract.

Sometimes I took samples from down in the sewers. We were always in danger of inhaling and swallowing waterborne pathogens. Since we tested hospital waste, we were in danger of coming into contact with improperly (and illegally) disposed of syringes, needles, and other medical waste (on several occasions this happened).

Because of the dangers, we did our job in isolation, setting up a protected area around the work site, to exclude the uninformed from doing anything that might be dangerous, simply out of ignorance of the situation.

Throughout all the process there were specified personal protective equipment (PPE). They might include simple face masks, like you can get in any hardware store; more complex canister-style filter masks; gloves that could withstand high water temperatures; latex and other gloves to handle medical dangers; sometimes full body suits; goggles, and other safety glasses; etc.

Now, I can get onto the Internet, and use all of the services available, and do so with ease. If there are no leaks, spills, overflows, dumps, etc. everything is okay. But I would really like my computer to have its own PPE. Thus, encryption, tunneling, passwords, etc. All these things are the PPE for my computer, and I wouldn't want to do anything without them.

DES Unknown

#9

(Moe Trin) writes:
> RFC1855 was from 1995. Usenet is about 15 years older than that, and
> computer networks go back years before even that. Do you remember the
> original 3 MHz Ethernet? It predates the S-100 and Apple I, never mind
> the Apple ][ or IBM PC. We finally retired our last 3Base5 subnet
> about fifteen years ago.

the internal network was larger than the arpanet/internet from just about the beginning until possibly late '85 or early '86.

from old reference giving network sizes circa '85

BITNET    435
ARPAnet   1155
CSnet     104 (excluding ARPAnet overlap)
VNET      1650
EasyNet   4200
UUCP      6000
USENET    1150 (excluding UUCP nodes)

old announcement for the first gateway between the internal network and CSnet:
http://www.garlic.com/~lynn/98.html#email821022
in this post
http://www.garlic.com/~lynn/98.html#0

.... BITNET (and EARN) was educational network sponsored by the corporation using similar technology to that used for the internal (VNET) network ... misc. past bitnet/earn posts
http://www.garlic.com/~lynn/subnetwork.html#bitnet

misc. past internal network posts
http://www.garic.com/~lynn/subnetwork.html#internalnet

I got blamed for doing computer conferencing on the internal network in the late 70s and early 80s ... there then followed some number of investigations into this "new" phenomena. somewhat as a result, a researcher was paid for nine months to sit in the back of my office for nine months to take notes on how I communicated; they also got copies of all my incoming and outgoing email as well as logs of all instant messages. In addition to (corporate) research report, the material was also used for a Stanford phd thesis in the mid-80s (joint between language and AI departments) as well as some number of papers and books. misc. past posts mentioning computer mediated communication
http://www.garlic.com/~lynn/subnetwork.html#cmc

most of the machines on the internal network ran a virtual machine operating system ... originally developed by the science center in the mid-60s. In the late 60s and early 70s there saw some number of commercial time-sharing service bureaus formed leveraging virtual machine operating systems as the base platform ... misc. past posts
http://www.garlic.com/~lynn/submain.html#timeshare

one such was company called TYMSHARE ... which also developed computer conferencing facility on their platform. In the mid-70s, TYMSHARE offered "free" use of the computer conferencing facility to the vendor customer organization ... website here:
http://www.share.org/

and archive of that computer conferencing starting August 1976 is archived here:
http://vm.marist.edu/~vmshare/

for related ... this post has some pictures of online home setup in the late 70s through mid-80s ... which for part of the time, also included a compact microfiche viewer (at work had access to microfiche printer)
http://www.garlic.com/~lynn/2008m.html#51

this recent post discusses some of the virtual machine platform characteristics
http://www.garlic.com/~lynn/2008q.html#62

"security" was important issue for the commercial time-sharing service bureaus ... but also important to some number of gov. agencies that also used the platform (starting in the 60s & 70s)... minor reference here:
http://www.nsa.gov/selinux/list-archive/0409/8362.cfm

for the heck of it, my rfc index
http://www.garlic.com/~lynn/rfcietff.htm

in the "RFCs listed by" section, clicking on the "Date" field ... brings up frame given RFCs by date.

and for the fun of it, some posts in recent thread from usenet news a.f.c:
http://www.garlic.com/~lynn/2008r.html#3 What if the computers went back to the '70s too?
http://www.garlic.com/~lynn/2008r.html#5 What if the computers went back to the '70s too?
http://www.garlic.com/~lynn/2008r.html#6 What if the computers went back to the '70s too?

other nostalgia some postings related to Interop '88 held in san jose
http://www.garlic.com/~lynn/subnetwork.html#interop

this was somewhat leading edge of the federal gov. mandates that required eliminating tcp/ip (internet), replacing it with OSI (gosip stuff) ... and there were lots of OSI products in the booths that year at interop.

--
40+yrs virtualization experience (since Jan6
Anne & Lynn Wheeler

#10

"Moe Trin" <> wrote in message news:...
> about 12 years after I started working with computers.

Ah, so you really ARE an old guy! | : > )

>>> and yet you are using Outlook Express on an Internet connection.
>>> Why? In another article here, you state that you have Xnews and
>>> alternative browsers, so it's not as if LookOut is the only
>>> application you've bothered to learn how to use.

Not quite correct. When I first installed those alternatives, I tested them with email, news, and web browsing. That required that I learn how to use them.

> Consider learning something else. Nearly _anything_ else is going to
> be less of a security hole.

Suggestions, from a security perspective, are welcome. Saying that OE is the worst doesn't really say anything about any others.

>>But in fact, I do not limit my browsing in any way.
>
> If you like playing with fire, expect to be burnt now and then, even if
> you are wearing an asbestos suit.

Yep, and people who jump out of airplanes know that someday BOTH of their chutes might fail. See my other post about working with hazardous chemicals. I was injured even though I was using all the required PPE.

DES Unknown