How to Make - PowerPoint PPT Presentation

About This Presentation
Title:

How to Make

Description:

The 'integrated stack' yielded their desktop monopoly -- by locking out competing products ... Free screensavers, wallpaper, games -- Porno sites -- Hacker sites ... – PowerPoint PPT presentation

Slides: 63
Provided by: allst7

Transcript and Presenter's Notes

Title: How to Make


1
  • How to Make Windows Secure -- with Free Software

Howard Fosdick
(C) 2006.5 FCI
V 1.2
2
  • Who Am I ?

DBA for Oracle (also DB2, SQL Server)
A founder of IDUG, MDUG, CAMP
Management Consultant
Author, Rexx Programmer's Reference (see www.amazon.com/rexx, www.RexxInfo.org)
Independent Contractor -- hfosdick at the domain compuserve.com
3
  • This Presentation is Based On--

Operating Systems principles (I taught cs550 at IIT)
Hands-on with the products
My column in Enterprise Open Systems Journal, www.eosj.com
4
  • Outline

I. Malware
II. Why is Windows Insecure?
III. FOSS to Secure Windows
IV. Microsoft Alternatives
V. Fallout ?
5
  • I. Malware

6
  • Malware is Out of Control

Millions of PCs are Infected ! Nearly all run Windows.
[Chart: Percent of PCs Infected -- three estimates, 43, 61 and 72 percent, attributed to Pew Research, the National Cyber Security Alliance and WebRoot]
Source-- MIT Technology Review March/April 2006
7
  • Malware is Growing Exponentially

[Chart: Win32 Viruses and Worms Discovered, per half-year from Jan-June 2003 through Jan-June 2005, scale 2k to 10k]
Source-- EWeek 9/26/05 pg. 24
[Chart: Keystroke Loggers Released (thousands of apps), 2000 through 2005, scale 1k to 7k]
Source-- EWeek 11/28/05 pg. 5
8
  • Infections per Corporate PC
  • (as per WebRoot 20K PC scan)

Source-- Computerworld 8/7/06 pg. 45
Quarter   Infections per PC
Q404      21.5
Q105      21.5
Q205      23.5
Q305      27.0
Q405      22.7
Q106      23.4
Q206      19.0
9
  • The Evolution of Malware

Timeline chart, 1980s to 2000s (axes: 1. Type of attack, 2. Attack technology, 3. Payload), read from earliest to latest:
-- Boot Disk Viruses
-- Word and Excel Macros
-- EPROM BIOS updates
-- Email Attachments
-- Database attacks
-- RPC open port attacks
-- Trojans, RATs, keystroke loggers
-- Drive-bys (ActiveX, ActiveScript, BHOs, JavaScript, AJAX, etc.)
-- Cross-site scripting
-- Media attacks (Audio, Film Clips, RSS)
-- Rootkits
-- More to come !
10
  • The Evolution of Payloads

Timeline chart, 1980s to 2000s, read from earliest to latest -- the attackers shift from Hacker Kids to Professional Criminals:
Attack technology -- Boot Disk Viruses; Word and Excel Macros; EPROM BIOS updates; Email Attachments; Database attacks; RPC open port attacks; Trojans, RATs, keystroke loggers; Drive-bys (ActiveX, ActiveScript, BHOs, JavaScript, AJAX, etc.); Cross-site scripting; Media attacks (Audio, Film Clips, RSS); Rootkits; More to come !
Payload -- Play with you; Destroy OS; Destroy PC Hardware; Destroy Data; Compromise US financial system; Identity Theft
11
  • The Evolution of Defenses

Then -- Virus Scanners
Now -- Virus Scanners, Spyware Scanners, Firewalls, Browser Hijack Defenders, Module replacement prevention, Intrusion Detection Systems (IDS), Real-time email scanners --- etc ---
Monolithic or Unitary product ?
12
  • II. Why is Windows Insecure ?

13
  • Why is Windows Insecure ?

-- "Windows is a target because it predominates" -- This explains why Windows is subject to attacks, not why it succumbs to them
-- "Any other OS would have the same problems, subject to the same attacks" -- Not true! OSs are as different as programming languages. They have different design goals, philosophies, etc. Some are more secure than Windows, others are less secure.

14
  • Why is Windows Insecure ?


To simply say that Windows is insecure is wrong.
The problem is that Windows security is inadequate for its role as the untrained public's primary PC operating system for Internet access.
Windows security is just fine for many other purposes.
15
  • Why is Windows Insecure ?

It violates fundamental principles for secure OS design
Example 1 -- Using the Internet -- The design assumption is that the Internet is free to program your PC and the PC OS does not need to protect itself -- Therefore --
-- Active scripting, ActiveX controls, .Net Framework, AJAX, JavaScript...
-- Dynamic OS installs (of plug-ins, controls, BHOs, Toolbars, Browser Extensions, fonts, etc.)
-- Most use Administrator or Power User to access the Internet
Example 2 -- Installing applications -- The design assumption is the OS does not have to protect itself from apps -- Therefore --
-- Untrained users use Administrator to install applications
-- Application installs can change the OS (e.g. install DLLs)
-- Application installs update critical unprotected OS storage (the Registry)
Versus Unix --
-- To install an application, you create the application user id
-- No Superuser for installs
-- The install can not change the OS (including Shared Libraries or DLLs)
16
  • Windows User Groups Don't Work for the Internet

Number of Infections   Win 2000 SP4   Win XP SP2
User                    1              0
Power User             19             16
Administrator          19             16
Tests by EWeek, 11/28/05.
Power User suffers the same penetration as Administrator
Windows rights management does not adequately address Internet access
17
  • Technologies for OS Security

? Where's the sandbox ?
? Where's VM (virtualization technologies) ?
? What about user rights management ?
? Ring privileges that work for the requirements ?
? A system of id groups that make sense !
? Special Browser State run level ?
? Locks and keys ?
? Other security techniques
18
But Microsoft is Smart Why Would they Design an
Insecure Operating System?
  • The Goals Shifted on Them

Early to mid 1990s -- Easy-to-use OS; Integrated stack with LAN-controlled networking
Today's requirements -- Secure OS with always-on Internet connection, browser-based communications
They got to 50MM LOC before the problem became apparent !
19
  • But Microsoft is Smart -- Why Would they Design an Insecure Operating System?

-- Microsoft chose ease of use and integration over security. This is how they won the suite wars (vs. WordPerfect, Lotus)
-- The integrated stack yielded their desktop monopoly -- by locking out competing products
-- Gates did not understand the importance of the Internet until it was too late and they had 50MM lines of legacy code
-- Bill Gates' The Road Ahead (1995) had 2 pages on the Internet! (It was quickly yanked from shelves and quietly replaced with a re-written version with longer Internet coverage)
-- "When the Internet really took off, we were surprised" -- Bill Gates, Preface to the 2nd Edition, 1996
20
  • The Solution ? --- Try to Retrofit Security

Out of the Box -- Insecure Operating System
From Microsoft ----- System Restore, System File Checker, Signature Verification, Registry Checker, Trusted web sites, require post-install reboots, Windows OneCare Live, Win. Client Protection
FOSS ---- Virus Scanners, Trojan, RAT, Rootkit, Keystroke logger detection, Spyware Scanners, Real-time Email Scanning, Bi-directional Firewalls, Browser Protection, Module Replacement Protection
It's all a retrofit !
21
  • What About Vista ?

-- Trustworthy Computing announced Jan. 2002 -- Microsoft's promise to fix security in every prior release
Vista brings incremental improvements . . . again ?
-- Sandbox for IE ? -- Better user rights management ? -- Drive encryption ? -- More secure Registry ?
Speculative -- I'm not a Vista tester, Vista not yet finalized
22
  • III. FOSS to Secure Windows

23
  • User Behavior is the Single Most Important Factor
    Determining Whether You Get Infected

System Restore checkpoint prior to any install
For older PCs -- Registry Backup, Emergency Repair Disk (ERD)
Full malware scans after any install
Make and keep generational backups
Set high-security Browser settings (or don't use IE)
Avoid --
-- Free screensavers, wallpaper, games
-- Porno sites
-- Hacker sites
-- Music- and file-sharing software
-- Browser modifiers (BHOs, Toolbars, Extensions)
Visit only reputable web sites
Selectively open email (an Outlook preview equals an open)
Selectively install programs
Keep real-time protection ON (firewalls, malware scanners, browser protectors)
24
  • Where to Download Products

www.TheFreeCountry.com, www.Download.com, www.MajorGeeks.com . . .
Sites offer -- Central repository for downloads; Reviews, ratings; Product descriptions. Good also for learning about Windows security !
Keep a copy of what you download, free status sometimes changes ! -- or google Last Freeware Version (LFV)
25
  • Firewalls

-- Microsoft's firewall is uni-directional -- inadequate. Why? -- Because Microsoft is a spyware vendor. Examples --
-- WGA scandal -- WMP scandal -- WPA controversy -- Windows Search phones home -- Alexa controversy -- Win-98 registration scandal -- Embedded GUIDs -- Index.dat files -- many others
Bidirectional firewall (filtering traffic both in to you and out from you) is a must --
ZoneAlarm -- Very widely used, easy user interface
Tiny -- Small, fast, light, pre-XP (see LFV)
Kerio -- Evolved from Tiny
Agnitum
Products I can vouch for personally are in italics
26
Anti-Malware
  • Anti-Malware Overview

Scanners --
-- Batch: Signatures
-- Real-time: Signatures, Heuristics
27
Anti-Malware
  • Anti-Malware Overview

Categories -- Anti-virus; Anti-spyware; Real-time install prevention; Real-time module replacement protection (aka intrusion protection); Browser hijack prevention; Rootkit detection . . . etc. . .
Categories of malware they detect vary. No one product does it all, you need several. Keep definition files updated !
28
  • What About Microsoft's OneCare Live ?

Single-vendor, integrated solution -- Microsoft has a long track record -- As a spyware vendor -- For inadequate security -- Of privacy violations
They sold you a leaky boat . . . Now you're gonna buy your lifeboat from them ?
29
Anti-Malware
  • Anti-Virus

These features distinguish the best products -- On-access file scans; Incoming email scanner; Real-time activity scanning
Recommendations --
AVG anti-virus -- As good as any purchased product
avast!
Lesser products are simple batch scanners (but they may excel at that!)
Recommendations --
ClamWin (aka ClamAV) -- Slow scan but finds rootkits, runs on smaller / older PCs
BitDefender Console -- Finds Sony/XCP rootkit
30
Anti-Malware
  • Anti-Malware

Spyware detection --
Ewido -- New, very effective
Ad-aware -- Widely used
Spybot Search and Destroy -- Popular, infrequent updates
A-squared -- Runs on smaller / older PCs, inefficient update algorithm
Prevent Spyware installs --
SpywareBlaster and SpywareGuard -- Both from JavaCool Software; SpywareGuard adds real-time protection plus BHO prevention
Prevent alteration of executables --
WinPatrol, PestPatrol -- Useful to run one of these
31
Anti-Malware
  • Anti-Malware

Startup protection --
Startup Cop -- Easy, works great
MSConfig -- Built into Windows
Browser hijacker protection -- Protects you from browser hijacking through secret installs of Browser Help Objects, Browser Extensions, Toolbars, etc.
Don't use IE -- Use Firefox, Mozilla or Opera. Or set IE Options (Security, Privacy, Advanced) very carefully!
Hijack This! -- Thorough, requires expertise
SpywareGuard -- Prevents malware installs
32
  • Product Updates

Data Definition File Updates -- Keep Definition Files updated for all products. Use built-in Schedulers or Windows Scheduler to do this
-- What about Microsoft's Windows Update ? -- Not recommended (e.g. WGA abuses, installed w/o consent, misrecognized valid Dell licenses, etc.)
Shavlik NetChk Protect -- Free, new, also covers other products -- www.shavlik.com
www.WindowsSecrets.com
33
  • Rootkits

Rootkit -- software that gets Superuser rights and compromises the operating system. New, growing threat.
Full Detection and Ease of Use versus Removal !
Rootkit detection --
Rootkit Revealer -- Thorough, requires expertise
Anti-Hook -- Thorough, requires expertise
Rootkit Detector (RD-CD) -- From IIT students
IceSword
ClamWin -- Finds some Rootkits
BitDefender Console -- Finds some Rootkits
If a successful Rootkit causes mass re-installs, it could kill Windows in the market place !
34
  • Your Computer Spies on You !

Windows tracks everything you do. Windows tracks --
-- All the web sites you visit
-- The email addresses you send to
-- Who creates/edits all Office files
-- Office file editing statistics
-- Puts permanent ID in all Office documents you create
-- Tracks everything you have done recently
Why do we care ? -- Identity theft -- Loss of your personal power to businesses and governments
Privacy is power, and you have none ! (This is Trustworthy Computing ?)
35
  • Your Computer Spies on You !

-- When you delete a file, Windows only removes an index pointer to it; the file is still on disk. How long the file remains on disk depends on the disk allocation operations that follow the delete.
Secure deletion (overwriting) --
Eraser -- Shell program
BCWipe -- Can also erase disk (see LFV)
Darik's Boot and Nuke -- Good for volume wiping
Erase temporary file areas --
Browser option built-in, also cache reset
Built-in Disk Cleanup
EmpRunner -- Empty Temp Folders
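The point about deleted files surviving on disk, as an added example that is not from the slides or from any of the products listed: a Python routine that overwrites a file in place before unlinking it, the overwriting approach the slide describes. The sample file it wipes is constructed in a temp directory; the docstring notes where overwriting does not help.

```python
import os
import secrets
import tempfile


def secure_delete(path, passes=3, chunk_size=64 * 1024):
    """Overwrite a file's contents in place, then remove it.

    Returns the number of bytes overwritten per pass. Overwriting only helps
    on media that writes new data to the same physical location (classic
    magnetic disks): SSD wear levelling and journaling or copy-on-write file
    systems may keep the old blocks elsewhere, so full-disk encryption is the
    more reliable control there.
    """
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the random data lands on the blocks
    # already allocated to the file instead of on freshly allocated ones.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                buf = memoryview(secrets.token_bytes(n))
                while buf:                      # raw writes may be partial
                    buf = buf[fh.write(buf):]
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())               # force each pass out of the OS cache
        fh.truncate(0)                          # leave no content behind the name
        os.fsync(fh.fileno())
    # Rename to a random name before unlinking so the original file name does
    # not survive in the directory entry either.
    scrubbed = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.unlink(scrubbed)
    return size


def demo():
    """Wipe a constructed sample file; returns (bytes wiped, file still exists)."""
    fd, sample = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"confidential draft, constructed sample data\n" * 200)
    return secure_delete(sample), os.path.exists(sample)


if __name__ == "__main__":
    print(demo())  # (8800, False)
```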
36
  • Your Computer Spies on You !

-- Windows tracks your recent activities. Delete traces of your recent activities --
Ad-aware -- This feature is included
MRU Blaster
Windows Washer
-- Windows tracks all web sites you visit --
Index Dat Spy -- Lists sites you visited
Erase Internet sites visited logs -- Windows Washer; PurgeIE, PurgeFox -- Not free after 15 days use
37
  • Your Computer Spies on You !

-- MS Office -- Keeps Edit Info and GUIDs. Erase document creator, editor, edit statistics --
File Properties
Remove GUIDs and other hidden data from Office files -- MS offers manual procedures -- Impractical !
Doc Scrubber
ID Blaster -- Use w/ care
My best recommendation -- Replace Microsoft Office with OpenOffice
38
  • Your Computer Spies on You !

-- Data Security Circumvention -- Boot a Live Linux CD (e.g. Ophcrack or Knoppix); Use Win2K Recovery Disk; Break the password with ntpasswd. Therefore you must encrypt data --
Built into Win XP on -- Transparent, convenient, but used to leave around unencrypted files in Temp area
QuickCrypt
Many others -- Work on Files, Folders, Volumes, entire System
Email encryption with PGP -- GNU Privacy Guard; Hushmail
39
  • The Web Spies on You !

Anonymous Surfing -- Web sites you visit get your --
-- IP address (which may uniquely identify you)
-- OS type and version
-- Browser type and version
-- Where you came in from
-- What you see on their site
-- Your behavior on their site . . . etc . . .
To be anonymous to web sites you visit -- TOR; Firefox with add-ins for anonymity; JAP; I2P; Freenet
Note -- this is not a Windows issue, it is an Internet issue
40
  • The Web Spies on You !

Anonymous Surfing -- It's much more difficult to avoid your ISP tracking your every move. See SSL procedures for major subscription services like --
Anonymizer -- Not free for ISP anonymity
Guardster -- Not free for ISP anonymity
Why do we care ?
-- ISP can sell your data to anyone
-- ISP gives your data to the government -- AT&T's new so-called Privacy Policy -- "While your account may be personal to you, these records constitute business records that are owned by AT&T"
-- Evidence indicates government is spying on your emails, surfing habits, searches, and phone calls
Note -- this is not a Windows issue, it is an Internet issue
41
  • The Web Spies on You !

Cookies -- They don't store them where they used to. Cookie Managers built into Firefox, Mozilla; FOSS available
Web Bugs -- Bugnosis -- IE only
Final Exam -- test your system by ShieldsUP! at www.grc.com
Note -- this is not a Windows issue, it is an Internet issue
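The web bug check, as an added example written here in Python (not Bugnosis and not from the slides): it scans a constructed sample page for images that are both invisible and third-party, the pattern a tracking image follows. The host names and the page markup are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a site at www.example.com: a normal logo, a
# classic 1x1 third-party tracking pixel, a tracker hidden with CSS, and an
# ordinary third-party banner that should not be flagged.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="http://tracker.example.net/pixel.gif?uid=abc123" width="1" height="1">
<img src="http://stats.example.org/b.gif" style="display: none">
<img src="http://cdn.example.com/banner.jpg" width="468" height="60">
</body></html>
"""


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like web bugs.

    An image is flagged when it is invisible (1x1, 0x0 or display:none) and
    fetched from a host other than the page's own: an image nobody can see
    exists only for the request it makes to the tracking server.
    """

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname          # None for relative URLs
        third_party = host is not None and host.lower() != self.page_host
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if third_party and (tiny or hidden):
            self.findings.append(src)


def find_web_bugs(html, page_host):
    """Return the src URLs of suspected web bugs in the given page HTML."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print("suspected web bug:", url)
```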
42
  • Even Your Printer Spies on You !

-- Your Printer Spies on You -- See www.eff.org (www.eff.org/Privacy/printers) for a list of printers that spy on you
This is a Government issue, much like the tracking device in your cell phone
43
  • IV. Microsoft Alternatives

44
  • 1 -- Replace MS Client Stack with FOSS

PC Stack
Security Add-ons -- Many are available
Browser -- Firefox, Mozilla, Opera
Email -- Thunderbird, Evolution
Office Suite -- OpenOffice, others
Languages -- Perl, Python, Rexx, PHP, Tcl/Tk, others
Development Tools -- Eclipse, Java
Operating System -- Linux, BSD, others
45
  • 2 -- Replace MS Server Stack with FOSS

Server Stack
Security Add-ons -- Many available, few needed!
Browser -- Firefox, Mozilla, Opera
Application Server -- JBoss, Tomcat
Web Server -- Apache
Databases -- MySQL, PostgreSQL
Languages -- Perl, Python, Rexx, PHP, Tcl/Tk, others
Development Tools -- Eclipse, Java
Operating System -- Linux, BSD, others
46
FOSS Windows
  • 3 -- Open Windows

Eliminates key vulnerabilities -- -- Internet Explorer -- Outlook -- Outlook Express -- Office
All free and open source software, running on the Windows Operating System
47
FOSS Windows
  • 3 -- Open Windows

[Chart: Percent of FOSS products running on Windows -- values 68, 50, 40 and 35 for MySQL, JBoss, OpenOffice and SugarCRM, in the order listed]
Source-- Computerworld 7/31/06 pg. 14
48
?
  • Why Keep Windows ?

-- You don't know any better -- Most consumers
-- It ships with the machine -- You buy it whether you want it or not
-- Because everybody else does (and compatibility) -- Examples -- 1 -- As a contractor, I use what the client uses; 2 -- My backup for this presentation is in PowerPoint; 3 -- Microsoft controls file formats and file systems; 4 -- WINE emulator for Linux doesn't run all applications
-- You need an app -- Example -- AT&T/Yahoo DSL only supports Windows
49
  • 4 -- WINE
  • 5 -- ReactOS

Wine -- Emulator: FOSS implementation of the Windows API; runs Windows applications on Linux, BSD, or Unix; 3K apps (many games)
ReactOS -- OS that is binary-compatible w/ Windows (apps and drivers): FOSS version of Windows; runs Windows applications; Alpha code
50
  • IV. Concluding Thoughts

51
  • We have an Internet Security Crisis

-- Malware is geometrically increasing -- Infestation is huge
-- Script kiddies and professional criminals
-- Identity theft is huge -- Fastest growing crime for past 5 years
-- Pew and Gartner studies show public is scared
Let's dance while Rome burns !
Our online financial system is at risk !
52
  • Is the Internet Broken ?
  • The Internet is Broken by Talbot Clark
  • MIT Technology Review Dec 2005/Jan 2006
    issue
  • at
    www.techreview.com
  • -- They recommend locking down the Internet
  • -- A comprehensive system of controls
  • End points handle security, not transport
  • The problem is Windows security, not
    Internet security !
  • Controlling the Internet means disastrous
    side effects !

53
  • Trustworthy Computing ?

From Microsoft's Trustworthy Computing Web Site --- "REDMOND, Wash., Feb. 6, 2006 -- As Trustworthy Computing at Microsoft reaches the four-year mark, a look back at 2005 provides a solid picture of sure and steady progress toward long-term success... Launched in January 2002... Trustworthy Computing is a long-term, collaborative effort to create and deliver safe, private and reliable computing experiences. Trustworthy Computing encompasses four key areas of focus that Microsoft considers vital to building a foundation of trust in computing: Security means helping to ensure the confidentiality, integrity and availability of customer systems and data. Privacy entails protecting a customer's right to be left alone (e.g., from any kind of unwanted communication, including spam and pop ups), as well as ensuring adherence to fair information principles that put people in control of how their data is accessed and used. Reliability refers to ensuring that software and systems are dependable and behave the way customers expect them to. Business practices addresses Microsoft's goal of being transparent and responsive in all customer interaction, with a focus on excellence in the company's internal decision-making and implementation processes." -- http://www.microsoft.com/presspass/features/2006/feb06/02-08Trustworthy.mspx
54
  • Why the Twelve Principles ?

1974 -- Microsoft is born with a lie -- Gates and Allen lie about having completed BASIC for the MITS Altair
1995 -- Consent Decree
1998 -- Gates testifies he knows nothing about how his company is run. Judge Boies laughs...
2001 -- Microsoft is convicted as a Monopolist and for violating the 1995 Consent Decree
2001 Nov -- DOJ settles light penalties on Microsoft immediately after 9/11
2002 Jan -- Microsoft announces its Trusted Computing Initiative
2004 -- EU Agreement
2006 -- EU fines Microsoft for violating the 2004 EU Agreement
2006 -- 30 years in business, Microsoft announces its business practices in 12 Principles
55
  • Microsoft Versus the Internet

-- Microsoft's interests diverge from having a healthy Internet
-- Policies to eliminate piracy and force planned obsolescence mean millions of -- -- Unpatched, unsupported Windows systems -- Bots -- Spam servers -- etc.
-- Mono-culture with an insecure Internet OS
56
  • Possible Outcomes

1 -- Vista's incremental improvements will be enough for the world to stay with Windows. 4 years into Trustworthy Computing, Microsoft has not solved the problem. But everyone bought into previous Microsoft solutions in earlier Windows releases
2 -- FOSS replaces Windows in response to Microsoft's failure. Like Apache took off in response to IIS's virus crisis 3 years ago
Protecting Microsoft's OS monopoly could result in a web meltdown
57
  • Predictions for Next Few Years

In USA -- Controlled Internet can only happen if it has political support. Upcoming elections determine this -- Bush continuation candidate means maybe yes; any other candidate means definite no. Unless the outside chance of a severe security incident occurs (example -- Rootkit requires many re-installs)
-- Most will buy into Vista, so Microsoft maintains its monopoly. FOSS continues gains but can not dislodge Windows
Long Term -- Microsoft monopoly erodes -- (1) Microsoft's Annual Report cites FOSS threat (2) Microsoft investing elsewhere (3) Need only to achieve the tipping point
58
  • Predictions for Next Few Years

Outside USA -- Microsoft monopoly is presently eroding -- (1) Less of a Microsoft monopoly to start with (2) Courts reject the monopoly (3) Governmental leadership (4) Cost pressures
Most products in this presentation are from the EU.
59
  • Benefits to FOSS

No cost
No license tracking or inventory issues
No forced upgrade or planned obsolescence
No WPA, WGA, Registry, MS spyware, other control mechanisms
No BSA / Microsoft compliance campaigns
Stop divergence of the OS provider's interest and the Internet's interests
Fix the mis-named "Internet security" problem!
Cost is the least of these benefits !
60
  • Questions ?
61
  • V. Extras

62
  • The Registry is all about Control

OSs do not require a Registry -- Some that do not have a Registry include Unix, Linux, BSD, VAX/VMS, z/OS, z/VM, z/VSE, i5/OS, AS/400, SkyOS, THEOS . . .
Registry -- an artificial mechanism to enforce proprietary control of -- -- Users -- Microsoft's property rights -- Limit and control software use
Registry prevents you from operations that are easy on other OSs -- -- Cloning of OSs across machines -- Cloning of software products across machines -- Cloning a disk to a backup disk
The Registry increases Windows insecurity