18. Consider Alternatives for High-Value and High-Security Work

Corresponding tool kit file:

"Better" is not the same thing as foolproof. The procedures just described will work well for getting rid of most if not all spyware on your system, detecting hidden hardcore spyware (shivas), and providing basic protection against ordinary forms of online break-ins. However, it will not prevent the more persistent forms of hacking whose goal is to plant new spyware on your computer. In a Windows system in early 2005, it is not uncommon for a system in which all of the measures in this procedure have bee taken to get serious attempts at break-ins every one to two weeks.

Unfortunately, if you use your home or small business to high-value information such as financial transfers, patent applications, confidential corporate data, or official-use-only government data, even such "occasional" break-ins by spyware are likely to be unacceptable. If you fall into one of these high-value categories, you should consider additional measures for bringing your security up to the highest level possible.

Alternative A: Switch to a Different Operating System
One such option is to abandon Windows and replace it with an operating system such as Macintosh, Linux, or OpenBSD, all of which are (at least at present) significantly less subject to spyware threats. A Macintosh, which uses the OS X operating system, is an exceptionally friendly alternative for users who want an easy-to-use, minimal-hassle computer environment capable of executing all major business software applications. OS X is based on Apple's open source Darwin operating system, which is in turn based on the popular FreeBSD, thus making OS X a distant cousin of OpenBSD.  Linux is a good option for those who want extensive support and prefer detailed control of their systems. OpenBSD, which its developers claim with good evidence to be one of the most carefully checked-over Unix-like operating systems in existence, is an option for expert Unix technophiles who want maximum security, even if it means greatly reduced application variety and a need for detailed knowledge of Unix internals.

One caution: While alternative operating systems typically have a good selection of firewalls, including some outstanding ones, they are usually much weaker on virus and spyware checkers, largely because they have had so much fewer problems with spyware. Ironically, this could mean that if one of these systems does get infected, it will be harder to detect than a comparable level of infection on a Windows system. Balancing this is the observation that if you make good use of firewalls on non-Windows systems, you can reduce your risk of spyware getting into your system to a level that nicely approximates zero.

Alternative B: Maximize Windows Resistance to Hacking
The other alternative is to maximize your Windows security by (1) ensuring that you are free of spyware, (2) fully updating Windows and Internet Explorer, (3) removing any unnecessary communication programs, (4) making sure you system is invisible, or stealthed, to anyone looking at it from the Internet, (5) adding active guards to watch for changes characteristic of spyware insertions, (6) maximizing firewall protection, and (7) ensuring that every system in your local network is comparably well protected.

Step 1 is provided by the spyware removal procedure you have just completed. Remember a simple once-over with a spyware checker is flatly not sufficient for this, since that will not remove the most deeply hidden forms of spyware (shivas).

Step 2, fully updating Windows and Internet Explorer, was completed earlier in this spyware removal procedure.

Step 3, removing unnecessary communication programs, is a bit of no-brainer for critical systems. Even simple, practical programs such as time synchronization programs can cause problems, as can widely used auto-updating programs such as automated screen savers with thousands of available images. Multimedia programs, which often include their own softcore spyware, can also be problems when used online. While harmless in themselves, such programs provide well-known forms of communication that a hacker can hijack and use for alternative purposes.

Another deeper form of removal is to use your firewall to block certain types of Windows services that are intended primarily for use between small groups of people who trust each other completely. Such trust is utterly unwarranted on the modern Internet, where such services are far more likely to be used against you than for you. Examples of services that show up in the Sygate firewall list and can be shut off unless you know specifically that you need them are listed under Applications. For a simple system that lacks any special software applications, examples of Windows services that can usually be shut off from the Internet without causing problems include Win32 Kernel core component, Spooler Sub System Process, Distributed COM Services, and WIN32 Network Interface Service Process.

An interesting problem area for communications is Virtual Private Networks, or VPNs. VPNs are a very popular technique for providing secure access to business networks while using only the public Internet. VPNs increase security by encrypting (indecipherably scrambling) the data that is over the Internet, but they can also provide holes by which determined hackers can break into a system -- e.g., by leaving a communications process running in your computer. The best general advice for using VPNs is to make sure you have the latest possible software, and that you do not leave such tempting targets running when you are not actually using them.

For Step 4, stealthing your system, I highly recommend the Shields Up! web site, a free service by the Gibson Research Corporation. Another very good site is Sygate Online Services (SOS), which is looks for many of the same issues as Shields Up! and adds testing for Trojans hidden within your system. Both of the Gibson and the Sygate testing sites look for tell-tale responses when your system is queried in various ways over the Internet. It's important to realize that until you achieve a perfect score on such tests, your system is still responding to remote software and remains acutely at risk of revealing itself to the wrong people at the wrong time. A non-stealthed answer is roughly equivalent to hiding behind a bush while continuing to answer anyone who asks you the right question. With automated break-in software, it's possible to ask a lot of questions in a hurry, making even a single non-stealthed response glaringly obvious to automated hackers. The full details of stealthing are beyond the scope of this procedure, but the above two web sites will provide powerful starting points for determining where your particular system may have problems, and on what steps you should take next to resolve them.

Step 5 was accomplished three times over by this procedure, since three of the spyware checkers you installed -- Spybot Search & Destroy with TeaTimer, GIANT AntiSpyware, and Webroot Spy Sweeper -- provide active spyware guards that look for the kinds of changes to your internal Windows setting that could indicate the insertion of spyware.  Since as of early 2005 these three guards are closely comparable in fundamental capabilities, it is only necessary to keep one of them running in your  system. I personally prefer to use multiple guards, but such an approach results in annoying repetitions of the same confirmation questions by all three guards whenever software changes are made to your system. The TeaTimer guard in Spybot Search & Destroy is free, and so is an easy choice for low cost. The GIANT guard is the most intelligent, figuring out many new answers based on your previous ones. While no longer available for purchase since Microsoft bought GIANT, its features should hopefully become standard in Windows XP and, hopefully, other versions of Windows in the near future. Finally, Webroot Spy Sweeper has fully effective guards, although its user interface s a bit more intrusive and annoying -- e.g., it leaves a window up even after you have have approved a change, rather than disappearing promptly as the other guards do.

It is Step 6, the choice of a firewall, that is the single most critical to bringing break-ins down to negligible levels. With a good to very good firewall such as the free Sygate Personal Firewall, partially successful attempts to hack hardcore spyware such as CoolWebSearch, a keylogger, or a RAT into your system can be reduced to once every week or so, which is still a frighteningly high rate for high-value targets.  Nightly scans can generally catch such break-ins, but not if the hacker manages to get enough control of your system to transform the spyware into fully stealthed shivas, you may not realize you have been hacked until the characteristic odd behaviors of keyloggers and RATs begin to show up. (An even more drastic partial solution is to temporarily hamstring Windows by shutting down the DLLs most often used when such break-ins occur. However, this makes a very poor long-term solution because it cripples the normal operation of Windows.)

A better approach is to find a firewall that closes even the briefest opportunities for attack, such as when the firewall is started or shut down. It also needs anti-hijacking features that confuse or identify attempts to take over your communications with a legitimate site.

Based both on features and the success I've seen so far at cutting down residual break-ins to my own systems, my recommendation for this particularly critical step is that high-value users download the 30-day demo version of Sygate Personal Firewall Pro, which is a for-purchase version of the Sygate Firewall that includes several critical features not available in the free version. After installing Pro, activate all of the features listed under the Options->Security tab. You may have to temporarily deactivate some of these features for performing tasks such as VPN, since, for example anti-IP spoofing is not compatible with some Cisco VPN login procedures. However, keeping such features active as your default results in much higher overall security and, from what I've seen so far at least, a very significant reduction in break-in attempts. If your experience with the 30-day demo version provides you with comparable results on a high-value system plagued by break-in attempts, the moderate cost (under US$50) of buying the full version of Pro be well worth it.

I would expect that other firewalls perform similarly well, but Sygate Pro is a cost effective way of getting features that directly address problem I've observed directly, such as spyware-related activities that occur during the security gap the firewall is starting up or shutting down.

(Examples? On multiple occasions I've seen well-cleaned Windows systems behave normally until the owner initiates a shutdown. Since during a full shutdown the firewall must also shut down at some point, a particularly "sticky" process hidden deep in the bowels of the Windows kernel can refuse to shutdown until all firewalls and all logging software are down. The hidden process can then dispatch a short burst -- say less than a tenth of a second -- of selected high-priority data to a remote receiver. The giveaway to this subtle ploy is that the Windows shutdown process hangs if your system has been disconnected from the Internet. If you reconnect it, you can then watch the activity lights see a short burst of data go out, followed by your system finally shutting down. Check your logs, though, and you will find nothing at all, because the event did not occur until all such logs were deactivated.)

Step 7 consists of ensuring that all of the systems on your local network -- that is, any computers you have in your home or small business that share access to each other, to printers,  or to the same Internet line -- have the same level of protections as your system. This step is needed because locally initiated attacks from nominally "trusted" local computers can be significantly more dangerous than ones launched from the Internet. If you have infected systems in your local network, they can become dangerous sources of repeated attacks against your system.

Version 2005-01-02. Copyright 2005 by Terry Bollinger