Thursday, October 16, 2008

Security - doing it right

Yesterday I was very pessimistic about how industry is dealing with the malware targeting Windows, basically saying that you should plan on rebuilding your Windows computer (from the recovery disk) and then lock it down tightly. Otherwise, you'll be full of malware faster than a pack of dogs on a three-legged cat.

So let's look at what the real problem is. If we can avoid that, we're ahead of the game. The problem has some basic characteristics:
  • Almost all malware targets Windows. The primary reason is market share. If 90% of everyone is running one thing, that's what the Bad Guys focus on.
  • The browser is the primary source for malware downloads, assuming that you have a personal firewall (like a Linksys) in place.
Locking down your Windows computer can address both of these. The problem, of course, is how to lock down your computer. This goes double if you don't have 'l33t Windoze skillz.

Well, thanks to Al Gore's Intarwebz thingie and a little Google-fu, it's easy to find someone with 'l33t skillz who's already solved the problem for you. As a matter of fact, it's a clean, easy solution, perfectly legal, and solves the bulk of the security problem. It's a trifecta! (plus 1)

There are two components that you'll use, both of which are free downloads:
  1. VMware. VMware is way cool - technically, it's as close to black magic as I've seen. It lets you run a completely self-contained virtual computer inside your computer. What you're going to want is VMware Player, which is a free download. You'll need around 300 MB of free disk space.
  2. A Linux "Virtual Appliance". VMware encourages people to create "Virtual Appliances" (pre-configured software images that run inside VMware). Some of these are commercial (i.e. cost $$), and some are free. We'll look at a pre-configured Linux desktop appliance, Kubuntu. This is a plain old Linux computer that runs inside VMware, but it's based on the KDE desktop, which is very similar to the Windows look and feel. It's free, and it's pre-configured, so you'll be up and running as soon as it downloads. You'll want about a gigabyte of free disk space; the download is 265 MB. You'll also need 512 MB of RAM.
Let's stop and take a quick look at what you'll have once you do this. You'll have your computer, probably running Windows. You'll have your apps and games on it, just like now. Remember, the malware doesn't really target these - not because it can't, but because the Bad Guys are going for market share, meaning the browser.

Rule #1: Don't use your web browser from Windows. Remember, no browser, a whole lot less malware.

You'll also have a virtual Linux computer that runs inside your Windows computer. It will connect to the Internet from there, so don't worry. It has Firefox, so all your browsing will work just like now. The cool part? The malware doesn't (very much) target Linux. Your Windows OS is not readily accessible to the Bad Guys. Basically, you can touch the Internet, but it can't touch you.

Rule #2: Do ALL your browsing from your Linux virtual computer. It's also a good idea to run your email there, because email is the other primary vector for malware. This won't make you impervious, but it will keep you from having to reload your Operating System in 6 months.

The last thing to keep in mind is that you should be very, very suspicious of free downloads. Yeah, I've recommended two, but hopefully I've got a clue about Internet Security, and I'm happy to share it with you. Generic downloads from unknown sources - especially games - should be assumed to be malware until proven otherwise. Borepatch's law still applies:
"Free Download" is Internet-speak for "Open your mouth and close your eyes."
This will make you much more secure than you probably are today. It will also introduce you to some cool Linux software, like OpenOffice, which has a free word processor, spreadsheet, etc. Best of all, you don't need l33t Windows or Linux skillz to get this up and running.

Good introduction to Linux use here.
