Category Archives: Uncategorized

Thoughts on Blocking Malware

A friend just got her computer back from “the computer doctor.” Evidently it had been compromised with a root kit (the really nasty sort of software that runs at such a low-level your anti-virus software can’t see it). She uses three different anti-malware tools and was quite surprised that none of them caught it.

The problem with anti-virus software is it can only protect you against problems that are already known. The bad guys are constantly looking for new ways to attack your computer and the anti-virus programs are playing catch up. I’m not saying don’t use anti-virus software (the free version of Avast has saved me several times), just don’t count on it as your only defense.

So, is there any 100% guaranteed way to stop malware? Well, you could always unplug your computer from the Internet and never use it to access any USB drives or CDs, but that’s not exactly practical. And if you do stay online, even visiting only “known safe” sites doesn’t help much, since even legit sites get compromised on occasion.

But there are a few things you can do to help your odds. None of these approaches is 100% guaranteed to keep you safe, but they should help.

The Basics

This is “the usual stuff” you hear any time someone talks about how to stay safe online. It seems obvious, and yet it bears repeating because it’s easy to get careless:

  • Don’t open attachments you weren’t expecting, not even from people you know and trust. Maybe that attachment from your friend Bob really is the really important document the email says, but if you weren’t expecting it, you have no way of knowing.
  • Be skeptical of clicking links in unexpected emails. Your bank isn’t going to tell you to click a link to verify your account information. (If something like this ever does turn out to be legit, you need to change banks.)
  • Don’t download pirated software. Aside from the legal issues, pirated software frequently contains malware.

Slightly more Difficult

Beyond the basics, there are a few other things that are easy enough to do, but don’t always make it into the “How to stay safe” discussions. Most attacks against your computer are targeting the applications you run, not the operating system. (Running Windows isn’t as risky as reading a PDF file with Acrobat reader.)

  • Use a browser other than Internet Explorer. Microsoft’s made a lot of progress with the safety of Internet Explorer over the past few years. But even though IE recently dropped below 50% of the total browser market, it’s still the single most popular browser out there and therefore the one most likely to be targeted in online attacks.
  • Keep your system up to date. Not just the Windows/Mac/Whatever Operating System patches, but also the software you use. Use Microsoft Update instead of Windows Update to get patches for Office. Install Secunia’s Personal Software Inspector tool to find out what other software on your computer is out of date.
  • Uninstall software you don’t use. The more programs you have, the more likely you are to have something which has security problems. Bonus: You also save disk space!
  • Run “alternate” software. The more widely-used a given program is, the more tempting a target it becomes for the bad guys. Instead of Acrobat Reader, use Foxit Reader. Instead of Microsoft Office, use Libre Office (fully compatible documents, but also available for free.)
  • Uninstall Java. Most home users don’t need it, and older versions were not only laden with security problems, but the updates didn’t remove the older versions.
  • Don’t run as the Administrator. When you set up your computer, reserve the main account for software installations and the like. Create a second, less-privileged login ID for day to day tasks.

Security journalist Brian Krebs talks a bit more about keeping software up to date and what to install or delete in his: 3 Basic Rules for Online Safety

Going for the Gusto

Wanna go really hard-core?

  • Uninstall Flash (or install a flash blocker so that you have to approve any Flash scripts that run).
  • Install NoScript (same idea).
  • Don’t do any online banking with a Windows machine, use a Linux live CD instead. (For a business, I’d consider this one an absolute must.)
  • Use a third-party DNS provider. Both Open DNS and Google Public DNS provide a facility where you change a couple system settings and if you then attempt to access a site which serves up malware, they’ll block the connection.

The Takeaway

There are no magic bullets. None of these suggestions will provide absolute protection for all users. What might be overkill for one person’s situation might not be nearly enough protection for another. But by choosing the practices which make the most sense for you personally, you can tilt the odds a bit more in your favor.

Bonus Reading: Get a Mac/Switch to Linux

In most discussions of online security, someone inevitably replies “Get a Mac!” or “Switch to Linux.” It’s a bit like going to a concert and someone yelling, “Play Freebird.” It’s a wonderful song, and a few groups have done great covers in response, but it’s not always the best fit.

But if the suggestion is inevitable, I may as well be the one to make it and bring up some of the tradeoffs.

Switching to a Mac may actually make sense for some folks, but don’t make the switch thinking you’ll be invincible. At the annual CanSecWest security conference, there’s a “Pwn2Own” contest where security professionals attempt to break into computers running the latest versions of the Mac OS, Windows and Linux. The first one to succeed, wins the computer. Every year, the Mac is the first system compromised.

Now that’s what happens at a security conference. Macs are less common than Windows computers; so the bad guys have to work harder to find them. It’s much easier to attack the more common computers.

But malware targeting Macs has been cropping up too.

Other concerns with switching to a Mac:

  • You’ll have to buy all your software again. Assuming a Mac version even exists. Otherwise, you might have to look for an equivalent program.
  • Despite the marketing pitch, a Mac doesn’t always “just work.” Just two weeks ago a co-worker returned a Mac Notebook that was downloading over his WiFi at just 1/10 the speed of Windows computer. (Apple’s support wasn’t able to resolve the problem.)
  • You may encounter problems with incompatible file formats when sharing files with people who use Windows. Particularly if the programs you were using on Windows aren’t available for Mac and you had to switch to something else.

Linux tends to be the most secure OS of all (as noted earlier, most of the problems these days are the software you run on top of it). The main downfalls of Linux are:

  • Availability. Yes, it’s free to get a copy, but you still have to find where to download it, burn a CD, and install it. Although this is getting easier, it’s still not a set of tasks the average home user will be comfortable with.
  • Commercial software. Few software vendors on Windows or Mac have Linux versions of their software. Some do, but most do not. You’ll generally have to find an open source equivalent, and then work out how to share files with others who are on Windows or Mac.

Installing Subversion on the PogoPlug

After converting the PogoPlug to run arbitrary programs, I was able to install subversion and manually run svnserve as a daemon (it’s in the manual, just run “svnserve -d”), but having to remember to do that after every boot is a nuisance.

A Google search for install svnserve as a daemon turned up instructions for setting up svnserve on Ubuntu, as well as a few scripts.  Obviously PlugBox Linux isn’t Ubuntu, but it was a step in the right direction.  Installing httpd during the initial PogoPlug hack had already introduced me to the /etc folder, the rc.conf file, and the rc.d subfolder.

Poking around in rc.d, I discovered the httpd startup script.  So now I knew where my svnserve script needed to go.  The Ubuntu setup instructions included several helpful bash scripts in the comments, my next step was to run “view httpd” and verify that it was also a bash script.  Knowing that, I could just use the new script verbatim.

Then I listed the files in /etc/rc.d and discovered that one of them was named svnserve.  Sonuvagun, the svn package included a script!

So in the end, all I had to do was go to /etc and edit rc.conf.  The very last line in the file is DAEMONS=(…).  All I had to do was add svnserve to the list.

Well… that was actually the next to last thing.

After rebooting (“shutdown -r now”), TortoiseSVN would connect to the svn server, but it couldn’t find my repository atsvn://plugbox/test.  I’d forgotten that by default, svnserve serves up repositories in any directory on the entire machine.  My test repository was now located at svn://plugbox/media/external_drive/Subversion/test.

To go back to a short URL, I went to /etc/conf.d,  edited svnserve, and set

SVNSERVE_ARGS=”-r /media/external_drive/Subversion/”

Next I ran

/etc/rc.d/svnserve stop

followed by

/etc/rc.d/svnserve start

and voila! My repository was back at svn://plugbox/test

Experimenting with the PogoPlug

I’ve had a PogoPlug for a little more than a year.

The pluses to the device are:

  • It’s an easy way for a home user to convert old drives into network attached storage
  • You can access your files from anywhere you have an internet connection.
  • Drives connected to the device appear as local drives (even across the internet).
  • It can convert video files to play on (supposedly) any device.

There are some down sides too:

  • The video conversion is slow (not completely unexpected with a low-power, always-on device)
  • The client software requires a new login after every boot.
  • The attached drive sometimes “disappears” until you tell the software to “reload” it.
  • My experience with the Android application has been that it’s a bit flaky.

All in all, it’s an interesting device and I can definitely see where home users might find it useful if they’re comfortable with the fact that you need to login via a third-party service (the My PogoPlug service), even when you’re accessing it a home.  (If Cloud Engines ever goes out of business, PogoPlug owners may find themselves with an unusable device.)

Part of my reason for acquiring the PogoPlug in the first place was that it seemed like a potentially inexpensive way to accomplish a few things on my home network:

  1. File sharing between my various computers.
  2. Running a private web server I could access without switching the main computer on.
  3. Running a private subversion server.

Goal 1 was easy enough to accomplish straight out of the box.  Goals 2 and 3 were going to take some work.

When I finally decided to hack the PogoPlug, a Google search led me to LifeHacker’s tutorial on turning the device into a “Full-Featured Linux Web Server.”  It was a good starting place, but in the end I decided to follow the source instructions from   (CAUTION: As it says on the PlugApps instructions, hacking your PogoPlug will void the warranty.)

My initial install was onto a 4GB SanDisk Cruzer flash drive.  The initial reboot came up fine, but later boots tended to come back to PogoPlug Linux,  which after the first steps of the install would no longer connect to the MyPogoPlug service. If I manually mounted and mounted the thumb drive  before running /sbin/reboot, that would take me over to PlugBox Linux, but going through those steps repeatedly is a pain.  I reran the install for PlugBox Linux using a no-name 16GB drive and it’s been working reliably ever since  (I love that storage has become so cheap that I had a 16GB drive “just laying around”).

To accomplish Goal #1 (file sharing), I installed Samba.  It works like a champ and I’ve been able to back to doing my backups to a network drive.

To accomplish Goal #2 (private web sever), LifeHacker’s instructions did the job.  By default, the web site is served out of /srv/http, and there’s also an ftp site in /srv/ftp.

Goal #3 took some guesswork. I didn’t see any mention of Subversion on PlugApps, but I made a guess and ran  pacman -Sy subversion.  I haven’t got around to setting up svnserve to run as a daemon at boot time, but it’s running right now.  (Getting it set up as a daemon will require putting a script in /etc/rc.d/ and adding it to the list of daemons at the end of /etc/rc.conf.)

So mission accomplished.  Not bad for a $100 device.