Cotexfood Trading LTD


Guidance for those wishing to have their computer or other device connected to the CFDN (Cotexfood Data Network)

Email : davidn@cotexfood-trading.com

(44) (020) 71019530 / mobile 07837 986578

Configuring your own Computer Securely (alias: how not to get hacked)

A few notes for those connecting computers to the network and not asking a technician to do the difficult bits for them. These notes do not stand on their own, and should be read with other documents (such as the relevant rules).

Computers are nowadays much cheaper than a few years ago, network connections much easier to obtain, and Windows / Linux much easier to install and configure. And that is the Bad News. Yes, the Bad News.

The Problem

Athough debates about how warped one's mind must be before one becomes a virus writer or hacker are interesting, in the Real World hackers and virus writers exist. One must therefore limit the damage such people can readily do, in the hope that they will find softer targets elsewhere. Note that securing your machine is much akin to neighbourhood watch; it doesn't so much prevent crime as hopefully drive it elsewhere where pickings are easier.

A single insecure computer, device or user account can result in a major security incident.

Currently malicious people scan the network looking for potential weaknesses about once every two hours. Several times a week an attempt to exploit a potential weakness is made. A gratitously insecure machine is unlikely to survive a whole day connected to the CFDN before it is hacked, and very unlikely to survive a week.

Probes, breakins and attempted breakins should be reported to the network administrator. Details of the latest fashion in probes are reported on local newsgroup cotexfood.security.

Viruses come in at least as frequently, and it is important to avoid sending them out again...

The Potential Impact?

Dealing with a hacked machine is (relatively) easy. In a sense. After any analysis that the administrator and others may want, one simply wipes the disks of all data, reinstalls the operating system and applications, restores one's files from the last backup which provably predates the hack, and, of course, removes whatever vulnerabilty was used to hack the machine in the first place. A mere (!) couple of days work for a single machine, and several weeks work for a more extended network. Mind-numbingly boring too.

As machines in Cotexfood tend to be more trusted by other machines in Cotexfood than external machines, once one machine falls, others may fall rapidly due to attacks from it. Thus an insecure laptop may be the route into a chain causing many hundreds of pounds worth of downtime and inconvenience. This may upset your colleagues.

Viruses need similar treatment, and can be similarly expensive.

If one is spectacularly unlucky, one's hacked laptop is used to launch attacks on US military computers. This can be hard to explain away.

The Advice: UNIX

According to some slightly old pages on the cotexfood server, (in the local users only area) `

So, you need to keep your Unix System Secure do you? ', which starts `This document is just to get you started; it is not exhaustive' the time investment involved is:

"Spend at least a fortnight getting familiar with your system. Understand what the files and commands really do. This will take a huge chunk out of your time, but that's too bad; it's the price you have to pay for the convenience of a system on the Internet."

and

"Expect to spend two to three hours every week looking after your machine."

One could argue that this over-estimates the time involved in securing a single-user UNIX machine (though not a multi-user one!). However, to argue thus one must ensure the machine is fairly securely configured:

Obviously if you do not install telnet, ftp, mail, WWW and IRC servers, you will not be vulnerable to any security issues discovered with them. It is hard to see why a personal machine in Cotexfood needs more than an sshd listening to connections from other Cotexfood addresses only.

Of course, do check your machine occassionally: I have often found services running I had intended to turn off, and failed (or a patch kit had helpfully turned back on). It is for this reason the administrator runs automated weekly scans of the network (much as the hackers do); this is known as friendly probing.

The Advice: Windows

With Windows viruses are a much greater issue than under UNIX, and IIS (the default WWW server) is a complete disaster: don't use it. One should remember that viruses can be caught from infected WWW sites as well as from emails.

Do run a virus scanner. Do keep the virus scanner up-to-date, either manually, or, better, automatically.

The Advice: General

You must read the relevant fora for security information for the system you are running, and you will need to patch the thing (un)fairly frequently. Windows has an automatic update system, as do most Linux distributions, and there are various other resources that exist.

You should check these sources more than once a week: a serious new hack or virus can spread a long way in a couple of days. If you don't know how to read newsgroups, are you sure you should be running your own computer attached to the network? Indeed, you should be familar with the differences between server-side and client side authentication, plain-text and encrypted protocols, and, for UNIX people, privileged and unprivileged ports. But that is all learnt in about two hours, a small fraction of your time really.

Once the OSes manufacturer no longer releases security patches for an OS, running it safely becomes (much!) harder. Ancient versions of Windows (XP and earlier), Linux (especially RedHat), Irix and the rest do really need upgrading.

Common Sense!

If a man in a dirty raincoat and a thick accent accosted you in a Market Sqaure, pulled a disk from an inside pocket, and said "Pssst. Put a load of this on your computer at work" most people would refuse. If an email full of forged headers turns up reading "Click here to download and install this excellent piece of high-quality free software" many happily do so. I have never understood why.

(If the email claims to be from someone whom you trust, you do check the headers for obvious forgery, or ask yourself whether you were expecting the software, (don't you)? Microsoft does not send out unsolicited patches by email, though a recent virus did in its name.)

Private Addresses / Firewalls

You may well be given a 'private' IP address (one which permits connection only to other machines within the institution), or your computer may be firewalled. Indeed, at present, the administrator does do some basic port blocking automatically. Although such measures do improve security, they are no substitute for keeping the machine intrinsically secure, and they do not imply that the person running the firewall has taken over all (or any!) responsibity for your machine's security.

What operating systems are supported?

If run by Cotexfood, the version of our choice of an O/S we currently support. Requests to support things we do not currently run are unlikely to be well received.

If run by you, anything you like. So long as it is supported and kept up to date. Note that in particular Microsoft no longer update or support Windows XP or earlier. Machines bought before the release of Windows 7 (October 2009) are probably not worth upgrading and we strongly recommend purchasing a new PC.

What do Cotexfood provide?

Currently a direct connection to the Cotexfood network, so the question is more `what can Cotexfood provide?' In the future, some form of firewall may appear, which may impose some restrictions, particularly on protocols other than TCP and UDP.

What will Cotexfood not permit?

We will not support or permit any device to be connected if it presents a security risk.

How should any machine connected be configured?

Securely.

It is important that people outside Cotexfood cannot use your machine to inject traffic onto our network (or syphon it off).

Do keep the machine patched and up to date (for Windows this means using windows automatic update at the very minimum) with security patches.

Windows XP (and later) Security

In their wisdom M$ have enabled by default things that you should really have turned off. In particular fast user switching. You shouldn't still be running XP anyhow, as noted above.

Network Services permitted

For those who run systems which offer significant external services (typically UNIX), the list of the good, the bad and the ugly is:

We like: ping, identd.

We can ignore: talkd, tftpd, quote, daytime, time, echo, discard, sshd, rshd, lpd, rlogind.

We absolutely cannot tolerate: mail servers (pop, imap, smtp or sendmail, other than the official company server), news servers (nntp), netstat, bind, IRC, NFS servers (except with permission), anonymous ftp, passwordless accounts.

We don't like: daemons running as root whose functioning you cannot explain and justify.

We might permit, after negotiation: telnetd, ftpd, httpd, gopher servers, xdm listening, 3rd party accounts.

To put it another way, we do not mind (much) what services are available from the physical computer (console), we mind a lot what services are offered to the world.

The only other way of causing major upsets is by excessive use of broadcasts or by emitting malformed packets. It is trivial to stop the whole Cotexfood network like this...

Have fun

And try to find that elusive balance between running a computer and actually doing some work.

The Bottom Line:

Your computer was not designed to be connected to a hostile network (like the internet!). By doing so you are using it in a manner for which it was not designed. There is nothing wrong in this, except that it is your responsibility to understand in some detail what you are doing. For intelligent people the excuse 'I can't get my head around computers' is likely to raise questions about whether you can cope with intellectually similar areas, such as many other aspects of working life.

The ultimate sanction:

Any machine which is persistently found in an insecure state will, after a reasonable number of warnings, be disconnected, possibly permanently. This group is far too attached to its computers to permit anything to remain that is a risk to them. We also owe this service not only to the rest of Cotexfood but indeed the world at large. One person's recklessness can easily cost another substantial sums, both in financial terms and their time.

To recap: If your computer causes trouble, it will be disconnected from the network. Possibly permanently. If its owner is the greater source of trouble, he too can be suspended, possibly permanently.

The purpose of this document was to remind you that a computer on a public network needs proper servicing, just as a car driven on a public road does. There is no absolute requirement to involve oneself in the hassle and expense of car ownership, or dealing with computers on public networks. However, some enjoy the experience, and it would seem unfair to stop them, whilst they act safely.

Home

Clothing

Food

Alcoholic Drinks

Soft Drinks

Miscellaneous

Downloads (PDF ETC)