I use this.
Home machines do actually get hacked, and there are a number of good reasons for an attacker to do this if the attack can be achieved easily and in an automated fashion - e.g. user visits a malicious website, a browser-based exploit runs on the system, downloads and runs a trojan which is then managed and controlled by infrastructure already in place on the Internet.
The first reason why this would be worthwhile is to access your online passwords. Primarily online banking (for obvious reasons), but other accounts such as webmail, Facebook, etc. can be used by attackers to spread either spam or malware.
The second reason why this would be worthwhile is to access your computing resources - bandwidth, storage, processing power, unique IP address, etc. This can be used to send spam, to take part in clickfraud, to hide the true source of other attacks, to store objectionable material, to perform processor-intensive tasks, and to perform DDOS attacks (even DDOS for hire). From this perspective it doesn't matter if you don't store or process any useful information (such as passwords) on your system; it's worth attacking just to access its resources.
That's just regular home systems though; if your work gives you access to more sensitive information than what is average, a dedicated hack may be worthwhile in your case. It's all really a matter of understanding the threats you are likely to face and taking precautions appropriate to the risk. Determining appropriate security is a balancing act - set it too high and you suffer from increased inconvenience and cost, set it too low and your information can get stolen, modified, lost or otherwise made unavailable.
The blame the stupid systems administrator routine. Sometimes this might be justified, but it assumes a world where the systems administrator is told about everything that happens on their network or has adequate resources to monitor everything that goes on, and also has final say on everything that happens, and won't get overruled by senior managers who don't want to be inconvenienced. If your world is like that I'm very happy for you. Mine certainly isn't.
Last edited by lupin; 07-30-2010 at 01:39 AM.
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
I use this.
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
Wow, that looks like a good product, Barry.
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
Lupin, I am not in the infosec industry; it is my foremost interest/hobby but not my living, so my world does not consist of blaming admins. From your reply you have made me aware of some of the problems admins may face. I still feel my point is a valid one: surely as someone who controls the security of a business's computers they should make it their job to at least warn the people, the people that are capable of ruining the very thing you go to work to prevent being ruined, of the dangers? If I were to work as a NET/SYS Admin I would, myself, preach security to the employees as standard. If the management did not want to listen then that would be their prerogative; I would at least go home at night knowing I have done my job the best I can.
Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.
killadaninja, that may be all fine and well, but what if you don't work in the same area as those that would be using your (as a sys. admin's) equipment?
What if they work in another part of the world? I work at a remote location; however, the computers are tied into the corporate network. That means we are on our own when it comes to the majority of "problems". I use the term loosely.
Further, what would give you the authority to go about preaching, as you put it, to the other employees?
It could be a mistake or it could be considered mis-charging your labor. You get paid to work in the network closet, not in accounts receivable, as an example.
Just wanted to post a counter to your above because not all places/jobs would allow such things that you mention.
On another note, happy systems administrators day to those of you reading.
Last edited by Archangel-Amael; 07-30-2010 at 07:24 PM.
That enlightened me, Amael, a good example of how things can get difficult. I guess, like Lupin says, none of our worlds are perfect. I get involved in these "real world" example threads because I feel I get a lot out of them; I like to hear about the problems involved in the profession to prepare myself for a possible career change over to the infosec world.
I can't think of anyone that's gained any notoriety from "hacking" a home system.
I'll also say this - beginning hackers LOVE home systems. They'll hack it just so they can increase their status in the hacker circles.
None of the replies in this thread are suggesting that home users should be unconcerned about security, more that following some simple rules or good practices will keep you out of trouble 99 times out of 100. (This is different for business, contractors, etc.)
Last edited by thorin; 07-30-2010 at 08:19 PM.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
The beginner hackers (so-called "script kiddies") do target home systems and their sole intent is "creds", or notoriety among their peers. They take other people's scripts, edit them, put their names on them, then hack home users for no other reason than to prove that they can. Now, an ordinary computer user may not see any benefit from doing so, but to the script kiddies, it's all about status in the hacker world. There are four levels of hacker: Script kiddie, black hat, gray hat, and white hat. The script kiddies are the biggest threat to home users but also the easiest ones to defeat (a stateful firewall, WPA2, and a hidden SSID are really all that is needed). The Script Kiddies are also the ones who go for credit card and bank account login info. The Black Hats mainly target corporations and their main goal is to find company secrets and sell them to rival companies.
Most companies are recommended to have some sort of security awareness training programs to make staff aware of the potential security issues they might face. It wouldn't usually be the network or system administrator's job to run those programs. It's generally outside of their area of responsibility, often outside the area of their specialist knowledge, and they generally won't have the time or the access required to give individual and effective briefings to everyone who might be taking a laptop home, for example. With regards to security, a systems administrator's responsibilities would usually be to design, configure and manage the system in a secure fashion, but as I mentioned before there may be other factors that prevent this from being done properly.
Personally I have my doubts about the effectiveness of education in preventing the new breed of IT Security threats. A lot of Systems Administrators I know don't even understand some of the more common threats, which is why I made that comment about it being outside of their area of knowledge earlier. IT Security is becoming highly specialised, and if we can't expect IT staff to understand the issues, how do you expect regular staff to? And an inability to understand the threats leads to an inability to take the threats seriously, which leads to an attitude in the users of "I don't have to care about this security rubbish - we are running antivirus and firewalls so we must be safe".
There is also the issue of accountability to consider (or lack of it). A lot of the people who get to make decisions that affect security are not held accountable if something goes wrong, so their incentive is instead focused on reducing cost, and reducing inconvenience to enhance productivity, things their performance is measured against. This is really a failure of management, as matching responsibility with accountability is a core requirement to have a well functioning organisation. Under these circumstances, however, it's rational for people not to choose good security. This only seems to be different in organisations that have security as part of their core mission (think defence and intelligence agencies) or in organisations that have been burned by security problems before, or where the impact of bad security is very obvious (e.g. banks).
I guess what I'm trying to say is that there's a surprising amount of other factors that affect the provision of effective computer security, and many of them, perhaps the most important of them, are completely out of the control of your average systems administrator. The systems administrator should certainly do the best they can within the bounds of their authority to improve security, but that might not be very much.