Here are a few messages regarding security for home computers.
Enjoy!


From IT Help
To All Company
Date Wednesday, 20 November 2002
Subject  Fw: Linksys security hole

I know there are a number of people in the company that use the Linksys firewall product mentioned in the following article: http://www.eweek.com/article2/0,3959,663801,00.asp. I encourage everyone to continue to use firewalls and other adequate security means for your home systems. There are some common sense things you can do that will help keep your machine secure, *OUR* data safe, and your network from participating in automated attacks:

01. Turn off all services that you aren't using. If you don't need to share files on your home network, turn off file sharing. If you aren't running a web site, turn off the web server. Etc, etc.

02. Turn off all remote management capability on your firewall and anything else on your network. When you manage your systems, you do it from home, right? If you allow remote management of your equipment, someone you don't know will start managing it for you...

03. If you use wireless networking at home, assume that your neighbor is also using *your* network. Don't share sensitive information over wireless. It's fine if you use VPN on your wireless laptop, as long as you don't have files shared off it. So, go ahead and sit in the living room, in front of the TV, and read your e-mail at the office; just turn off file sharing while you do it.

04. Please feel free to ask the IT folks for advice on security for your home network. HOME NETWORKS are the easiest way to access our corporate data, so it is in everyone's best interest to make sure even your home systems are secure.

Thanks for listening. I hope your Wednesday is going well.

- Jeff Nieusma, Director of IT


From IT Help
To All Company
Date Wednesday, 20 November 2002
Subject  wireless security information

Here is some more good information sent in by one of our more safety conscious readers for your enjoyment.

> For the wireless, (since I am part of that crowd now) you may want to
> advise people not to allow public usage of their Access points/Bridges.
> To authenticate by MAC address and use at least a 128 bit Key.
> 
>     -----Original Message-----
> 	03. If you use wireless networking at home, assume that your 
>         neighbor is also using *your* network. Don't share sensitive 
>         information over wireless. It's fine if you use VPN on your 
>         wireless laptop, as long as you don't have files shared off it. 
>         So, go ahead and sit in the living room, in front of the TV, and 
>         read your e-mail at the office; just turn off file sharing while 
>         you do it.
Basically, wireless routers/bridges/access points should be configured to only allow wireless users that *YOU* program into the system. It's a little more inconvenient, but it's a LOT more secure.

Please practice safe computing and have a nice day.

- Jeff


From IT Help
To All Company
Date Wednesday, 20 November 2002
Subject  Re: home computer security

>  -----Original Message-----
> Jeff, 
> 
> When I use the VPN client, my home computer becomes part of the 
> corporate domain, right? What issues can arise out of that? I would
> really like to keep my computer secure...

Yes, that is correct. In fact, if you load your computer full of viruses and trojan horses while surfing the web on your cable modem or DSL, and someone else has access to your computer (VERY COMMON), you could be granting access to our entire corporate network.

There are a number of programs out there that install themselves on your computer then just sit and wait for another "network connection" to come alive. (When you bring up your VPN session, it is another network connection.) Then the software wakes up, sends a notification to some hacker group somewhere, then turns on a software router feature that will allow remote users to access our corporate network. It sounds difficult, but it really quite easy.

Most anti-virus software, if kept current with Internet updates, will detect this type of activity and let you know. There are a few caveats:

01. You actually have to update your anti-virus software. I do mine every day. I suggest you do yours AT LEAST every week.

02. You actually have to READ the little pop up messages that occur while you are surfing. If a program asks for permission to install software on your computer, TELL IT NO.

03. There are lots of cutesy little applications that seem harmless, but are simply running "interference" for the real payload of the program. The most famous example is a wack-a-mole program that was widely distributed through e-mail. It was a little applet that allowed you to hit moles on the head as they looked up at you from their holes. Unfortunately, the first time you ran the program it also installed back-door remote control software on your machine allowing hackers access to everything on your machine. They could take it over and run it just like PC Anywhere; in fact, the software is better remote control software than PC Anywhere. It also gives the hacker access read and write files and devices in a stealth mode. In fact, with access to your microphone, hackers can listen to conversations in the same room as your computer.

The moral of this story is it's better to be safe than sorry. Please install anti-virus software on your computer and keep it current. Turn off services that you aren't using. Please use common sense when surfing the web and reading e-mail. Don't blindly run applications sent to you in e-mail. Even if it's from someone you know, it might be another virus/trojan in the endless stream of software coming from people who don't have anything better to do with their time than create headaches for IT departments. And last, but not least, keep your systems patches current. It's really easy with windows: just select windows update from the start menu. If you are running Linux at home, I STRONGLY encourage you to keep that patched. Linux and Windows are irresistible targets for today's young, sophisticated, upwardly-mobile hackers.

- Jeff Nieusma, Director of IT and Chief Paranoia Officer

"They don't want your data, they want your bandwidth and access!"
"Hey, it's my job to make your job easier."


From IT Help
To All Company
Date Wednesday, 20 November 2002
Subject  Re: home computer security

>  --5 November 2002  Phone Phreakers Rack Up $11,000 Bill in Ohio
> Hackers guessed an Ohio woman's voice mail password, and recorded a
> message that would sound to operators as if someone were accepting
> charges for a collect call so that they could use her line to
> make lengthy international calls.  Her one-month phone bill was
> nearly $11,000.
> 
> http://www.ohio.com/mld/ohio/news/local/4446396.htm

Let's make sure our voice mail passwords aren't too easy to guess.
Please don't use the last four digits of your phone number.
Please don't use 1234
Please don't use 1111
etc. etc.

Thanks! I'd hate to have to explain a bill like that to my boss...

- Jeff