When it comes to network security there are several things one must address. Patch management will take care of any vulnerability that the vendor is aware of and has issued a patch for, but it will do nothing for vulnerabilities for which a patch is still in development or the vendor chose not to fix at all. Furthermore, not all vulnerabilities are caused by software bugs and therefore they cannot be fixed by a patch. Some vulnerabilities are due to bad configurations and that is when a vulnerability scanner becomes an important asset. A good vulnerability scanner will also give you the necessary tools to address said vulnerabilities. This is how one should typically go about the process:
1. Identification
Once the vulnerabilities on the network are identified, the administrator then needs to split the list of vulnerabilities into those that can be addressed through patch management and those which require manual intervention. A good vulnerability scanner will generally make this distinction.
2. Understanding the Vulnerabilities
By reading the information that a vulnerability scanner provides about a particular vulnerability that has been detected, an administrator might be able to ascertain the scope of that vulnerability. For example, having AutoRun enabled on the system is one potential vulnerability. Since AutoRun is generally associated with CD/DVD drives, an administrator might dismiss this as unimportant if the machine on which the vulnerability was identified has no CD/DVD drive. However, the administrator will discover after reading the scanner’s information on that vulnerability that it also applies to removable media. This means that the vulnerability is a realistic threat and applicable to the current environment and thus action needs to be taken.
3. Resolving vulnerabilities
Vulnerabilities are harder to deal with when a simple patch is not the solution. The easiest way to deal with vulnerabilities is generally to disable or remove the software in question but this is not always possible (at least not in a way that does not disrupt the business). A good vulnerability scanner will provide enough information to the administrator on how to rectify the specific vulnerability.
This is generally done by carrying out additional research on the vulnerability itself and what other people did to solve the problem. A good vulnerability scanner will provide various reference numbers on every vulnerability it discovers. There are a number of public vulnerability databases that make use of these reference numbers and through these databases you can find details on what is causing the issue and the steps on how to resolve it. These public vulnerability databases include:
CVE: Common Vulnerabilities and Exposures database
BID: Bugtraq ID reference information provided by SecurityFocus
MS BIDL: Microsoft Security Bulletin
Apart from the above resources, searching for the specific ID in any search engine should give you plenty of resources and forum discussions showing how other people went about securing their systems against the specific vulnerability.
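The triage described in steps 1 to 3 above (splitting findings into patch-management work versus manual fixes, then collecting the reference IDs to research) can be scripted once the scanner can export its results. The following is an added shell example, not code from the original post or from any particular scanner. It assumes a constructed semicolon-separated export with the columns host;title;references;remediation; the CVE and BID numbers in the sample are labelled placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example: triage a vulnerability scanner export into findings that
# patch management will handle and findings that need manual work, and
# collect the reference IDs to look up in the public databases.
#
# Assumed (constructed) export format, one finding per line:
#   host;title;references;remediation
# A remediation that mentions a patch/upgrade/update is treated as
# patch-management work; everything else is flagged for a person.

# Constructed sample export with placeholder IDs (not real CVE/BID numbers).
sample_report() {
    cat <<'EOF'
srv01;Library memory disclosure;CVE-0000-0001 BID-00001;Upgrade to the vendor-patched package
srv01;AutoRun enabled;;Disable AutoRun for all drives via policy
ws07;Outdated runtime;CVE-0000-0002;Patch: install the vendor update
ws07;Anonymous FTP write access;CVE-0000-0001;Disable anonymous FTP in the server configuration
EOF
}

# classify_findings FILE -> one line per finding: kind<TAB>host<TAB>title
# where kind is "patch" (vendor fix exists) or "manual" (configuration work).
classify_findings() {
    awk -F';' '{
        fix = tolower($4)
        kind = (fix ~ /patch|upgrade|update/) ? "patch" : "manual"
        printf "%s\t%s\t%s\n", kind, $1, $2
    }' "$1"
}

# count_kind FILE KIND -> number of findings classified as KIND.
count_kind() {
    classify_findings "$1" | awk -F'\t' -v k="$2" '$1 == k' | wc -l | tr -d ' '
}

# reference_ids FILE -> unique CVE and BID identifiers, sorted, one per line.
# Duplicates across hosts collapse to a single lookup.
reference_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}|BID-[0-9]+' "$1" | sort -u
}

# Stand-alone demonstration on the constructed sample.
report=$(mktemp)
sample_report > "$report"
echo "--- classified findings ---"
classify_findings "$report"
echo "--- reference IDs to research ---"
reference_ids "$report"
rm -f "$report"
```

The classification keys on wording in the remediation column, so it is only as reliable as the scanner's own text; the point is to get a first split quickly and hand the "manual" list to whoever owns the configuration.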
Due to the nature of vulnerabilities and the countless variations of setups, dealing with vulnerabilities is a little harder than simply deploying patches; however, a good vulnerability scanner will give you all the necessary tools to detect and research vulnerabilities that affect your system. It’s important not to let the added complexity dishearten you from properly securing your environment. Remember, as with everything in security, all it takes is one weak link to render all your hard work null and void. An attacker only needs to compromise one weakness to gain unauthorized access to your system.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to look out for when choosing a vulnerability scanner.
All product and company names herein may be trademarks of their respective owners.
Guest Post: Many thanks to Sarah Spiteri from GFI Software (http://gfi.com) for contribution.
Open the Cisco ASA 5505 packing box, then attach the power cord and console cable.
Access the ASA 5505 console through a HyperTerminal / PuTTY program and you will see the interface below:
Code:
Type help or ‘?’ for a list of available commands.
ciscoasa>
Type the command “enable” to get in enabled mode.
Code:
Type help or ‘?’ for a list of available commands.
ciscoasa> enable
Password:
ciscoasa#
You may see a password prompt; just press the "Enter" key as there is no password configured on a new appliance.
The first thing you want to do is type the command "write erase". This will delete all the default configuration set by Cisco. You might wonder why, but there is a lot of stuff in that configuration that you may not require, and you may face network issues if you connect your ASA 5505 security appliance to your DHCP-enabled network.
You will be prompted to confirm that you want to erase the default configuration. Press enter to proceed to erase content.
Once you erase your startup configuration you are required to reload the ASA to load clean configuration. Type “reload” command to load clean configurations.
Code:
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** — START GRACEFUL SHUTDOWN —
Shutting down isakmp
Shutting down File system
***
— SHUTDOWN NOW —–
After the ASA 5505 reloads you will see the prompt below offering to set up the firewall through the wizard; type "no" to set up the ASA 5505 security appliance manually yourself.
Code:
Pre-configure Firewall now through interactive prompts [yes]?
Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config”.
Code:
ciscoasa# show running-config
Looks nice and clean right?
Now we can start manual configuration of ASA security appliance.
Load configuration mode. You can do this by issuing the command “configure terminal”
Code:
ciscoasa# configure terminal
ciscoasa(config)#
Notice the (config) behind the device hostname. This means you’re in configuration mode.
Change Cisco ASA hostname.
Code:
ciscoasa(config)# hostname MyASA
MyASA(config)#
You can see the hostname changes immediately.
Set a username and password to manage the ASA from your desk with SSH/Telnet/ASDM.
Code:
MyASA(config)# username example password example privilege 15
MyASA(config)#
Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.
Configure the inside (LAN) address of the ASA 5505 security appliance.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.
Code:
MyASA(config)# interface vlan 1
MyASA(config-if)# ip address 192.168.1.1 255.255.255.0
MyASA(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.
For the inside VLAN:
Configure outside (WAN) interface.
Depending on the provider you might have to do this a little bit different but we are configuring with a static IP address.
Code:
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address 212.115.192.193 255.255.255.248
MyASA(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
MyASA(config-if)# exit
MyASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192
As you can see the ASA sets the security level of the interface called outside to 0. You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.
If your provider gives you an IP address through DHCP the configuration is a little easier.
Code:
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address dhcp set route
MyASA(config-if)# nameif outside
Now we need to attach the outside VLAN to one of the interfaces of the ASA. By default all the interfaces are attached to VLAN 1 and all the interfaces are in the "shutdown" state. In this example I will attach the interface "Ethernet 0" to the outside VLAN (VLAN 2) and make the port operational.
Now this interface is attached to VLAN 2 and operational. You need to make at least one other port operational for your inside network by typing the command “no shutdown”.
Code:
MyASA(config)# interface ethernet0/1
MyASA(config-if)# no shutdown
By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.
Configure NAT to make internet work from your inside network.
For the first NAT step you need to make a global entry on the interface to which all the addresses from the inside will be translated.
Code:
MyASA(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
The number 10 in that line of configuration is an identifier. This is how you tell the NAT rule on the inside which outside IP address it should translate to. The interface part means that you use your interface IP address to translate to; in this case the outside interface.
For the second NAT step we need to make a NAT rule for the inside network.
I used the number 10 in this NAT rule. This links the inside network to the outside global entry. The subnet behind it states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.
Congratulations! You configured your ASA to allow internet for your internal LAN with 192.168.1.0 network.
If you want to manage the ASA security appliance remotely, i.e. without having access to the console:
The ASA supports remote administration through SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Adaptive Security Device Manager). I will guide you through configuring the ASA so you are able to connect with the ASDM (graphical) and with SSH (CLI).
Enable SSH on the Cisco ASA 5505 security appliance. To enable SSH you will need to generate a key which will encrypt the traffic between the user and the ASA.
Code:
MyASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
MyASA(config)#
Now we want to use the username we made earlier to connect to the ASA with SSH.
Code:
MyASA(config)# aaa authentication ssh console LOCAL
The LOCAL means that the ASA uses the local username database to authenticate users.
Setup ACL (access control list) to access ASA with SSH. In this example we only allow users on the inside to access the ASA with SSH.
Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.
#1: Encrypt Data Communication
All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates.
Use scp, ssh, rsync, or sftp for file transfer. You can also mount remote server file system or your own home directory using special sshfs and fuse tools.
GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.
Fugu is a graphical frontend to the commandline Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP, the entire session is encrypted, meaning no passwords are sent in cleartext form, and is thus much less vulnerable to third-party interception. Another option is FileZilla - a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated services:
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server
#2: Minimize Software to Minimize Vulnerability
Do you really need all sorts of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in that software. Use the package manager, such as yum or apt-get and/or dpkg, to review the full set of software packages installed on a system, then delete all unwanted packages:
# yum list installed
# yum list packageName
# yum remove packageName
OR
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName
#3: One Network Service per System or VM Instance
Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker is able to successfully exploit a flaw in software installed on that server, such as Apache, he will get access to the entire server including other services such as MySQL, the e-mail server etc. You can find details below to install virtualization software:
Applying the latest security patches is an important part of Linux server maintenance. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the package manager such as yum and/or apt-get and/or dpkg to apply all security updates:
# yum update
OR
# apt-get update && apt-get upgrade
You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. There is alternative option to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.
#5: Use Linux Security Extensions
Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.
#5.1: SELinux
I strongly recommend using SELinux which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user’s permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Redhat documentation which explains SELinux configuration.
#6: User Accounts and Strong Password Policy
Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy. For example, a good password is at least 8 characters long and mixes letters, numbers and special characters, in both upper and lower case. Most important, pick a password you can remember. Use tools such as "John the Ripper" to find weak user passwords on your server. Configure pam_cracklib.so to enforce the password policy.
#6.1: Password Aging
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including password aging configuration. To disable password aging, enter:
chage -M 99999 userName
To get password expiration information, enter:
chage -l userName
Finally, you can also edit the /etc/shadow file in the following fields:
Minimum_days: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password.
Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
I recommend the chage command instead of editing /etc/shadow by hand:
# chage -M 60 -m 7 -W 7 userName
You can prevent all users from reusing the same old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.
#6.3: Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used for maintaining failure counters and limits. To see failed login attempts, enter:
faillog
To unlock an account after login failures, run:
faillog -r -u userName
Note you can use the passwd command to lock and unlock accounts:
# lock account
passwd -l userName
# unlock account
passwd -u userName
#6.4: How Do I Verify No Accounts Have Empty Passwords?
Type the following command:
# awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty password accounts:
# passwd -l accountName
#6.5: Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account has UID 0 with full permissions to access the system. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
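The three account checks in #6.1, #6.4 and #6.5 (password aging switched off, empty password fields, and extra UID-0 accounts) all come down to reading fields out of /etc/passwd and /etc/shadow, so they fit naturally in one audit script. The following is an added example, not code from the original article. It takes the two files as arguments so it can be run against constructed copies (shown below, with placeholder hashes); on a real host point it at /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit passwd/shadow copies for the account problems
# discussed in #6.1, #6.4 and #6.5. File paths are arguments so the
# checks can run against constructed samples without touching /etc.

# Constructed sample files, not copied from any real host.
# make_samples PASSWD_PATH SHADOW_PATH
make_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/sh
svc:x:1001:1001::/var/svc:/sbin/nologin
EOF
    # shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
    cat > "$2" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice:$6$placeholderhash:19000:7:60:7:::
backdoor::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
}

# empty_password_accounts SHADOW -> names whose password field is empty
# (anyone can log in without a password; lock them with passwd -l).
empty_password_accounts() {
    awk -F: '$2 == "" {print $1}' "$1"
}

# uid0_accounts PASSWD -> every account with UID 0 other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# no_aging_accounts SHADOW -> accounts that have a usable password hash
# (not empty, not locked with ! or *) but a max age of 99999 days, i.e.
# password aging disabled; fix with chage -M 60 -m 7 -W 7 name.
no_aging_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 {print $1}' "$1"
}

# Stand-alone demonstration on the constructed samples.
p=$(mktemp); s=$(mktemp)
make_samples "$p" "$s"
echo "empty passwords:";  empty_password_accounts "$s"
echo "non-root UID 0:";   uid0_accounts "$p"
echo "aging disabled:";   no_aging_accounts "$s"
rm -f "$p" "$s"
```

Locked accounts (hash starting with ! or *) are deliberately skipped by the aging check, since a password that cannot be used does not need to expire.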
#7: Disable root Login
Never log in as the root user. You should use sudo to execute root-level commands as and when required. sudo greatly enhances the security of the system without sharing the root password with other users and admins. sudo provides simple auditing and tracking features too.
#8: Physical Server Security
You must protect Linux servers physical console access. Configure the BIOS and disable the booting from external devices such as DVDs / CDs / USB pen. Set BIOS and grub boot loader password to protect these settings. All production boxes must be locked in IDCs (Internet Data Center) and all persons must pass some sort of security checks before accessing your server. See also:
Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level 3:
# chkconfig --list | grep '3:on'
To disable a service, enter:
# service serviceName stop
# chkconfig serviceName off
#9.1: Find Listening Network Ports
Use the following command to list all open ports and the associated programs:
netstat -tulpn
OR
nmap -sT -O localhost
nmap -sT -O server.example.com
Use iptables to close open ports, or stop all unwanted network services using the service and chkconfig commands above.
X Windows on a server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, remove the X Windows system:
# yum groupremove "X Window System"
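Reading netstat -tulpn by eye works on one box, but what you really want from #9.1 is the list of listeners reachable from the network that you did not plan for. The following added example (not from the original article) parses netstat-style output and reports every listener that is not bound to loopback, then compares that against a list of ports you expect to be open. It runs on a constructed netstat capture embedded in the script; the program names and PIDs in it are made up.

```shell
#!/bin/sh
# Added example: find network-reachable listeners in netstat -tulpn output
# and flag the ones not on an expected-ports list (#9.1).

# Constructed netstat -tulpn capture (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1022/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1301/httpd
tcp6       0      0 :::111                  :::*                    LISTEN      700/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
EOF
}

# exposed_listeners FILE -> "proto port pid/program" for each listener whose
# local address is not loopback (127.0.0.1 or ::1). TCP rows carry a State
# column and UDP rows do not, so the program column shifts by one.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 } else { prog = $6 }
        n = split($4, p, ":"); port = p[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "127.0.0.1" || host == "::1") next
        printf "%s %s %s\n", $1, port, prog
    }' "$1"
}

# unexpected_listeners FILE "PORT PORT ..." -> exposed listeners whose port
# is not in the space-separated allow list; each is a service to stop
# (service/chkconfig) or a port to block (iptables).
unexpected_listeners() {
    exposed_listeners "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Stand-alone demonstration: only SSH and HTTP are expected on this host.
f=$(mktemp)
sample_netstat > "$f"
echo "--- reachable from the network ---"
exposed_listeners "$f"
echo "--- not on the expected list (22 80) ---"
unexpected_listeners "$f" "22 80"
rm -f "$f"
```

On a live system replace the sample with `netstat -tulpn > "$f"` (run as root so the program column is filled in). The loopback-only MySQL listener is correctly left out, while rpcbind on :::111 and the DHCP client on udp/68 show up for review.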
#11: Configure Iptables and TCPWrappers
Iptables is a user-space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter out traffic and allow only necessary traffic. Also use TCP Wrappers, a host-based networking ACL system, to filter network access. You can prevent many denial of service attacks with the help of Iptables:
/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
#13: Separate Disk Partitions
Separating the operating system files from user files results in a more secure system. Make sure the following filesystems are mounted on separate partitions:
/usr
/home
/var and /var/tmp
/tmp
Create separate partitions for the Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:
noexec - Do not allow execution of any binaries on this partition (prevents execution of binaries but allows scripts).
nodev - Do not allow character or block special devices on this partition (prevents use of device files such as zero, sda etc.).
nosuid - Do not honour SUID/SGID access on this partition (prevents the setuid bit).
Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):
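Checking that the noexec, nodev and nosuid options from the list above actually made it into /etc/fstab is easy to script, and the same script can print the corrected entry beside the weak one. The following is an added example, not from the original article; it works on a constructed fstab (the device names and mount points in it are made up) and never writes to /etc/fstab itself.

```shell
#!/bin/sh
# Added example: report which of noexec/nodev/nosuid are missing from a
# mount point's fstab options, and print the entry with them added (#13).

# Constructed /etc/fstab sample (not from a real host).
sample_fstab() {
    cat <<'EOF'
# device      mountpoint  type  options                       dump pass
/dev/sda1     /           ext4  defaults                      1 1
/dev/sda5     /tmp        ext4  defaults,nodev,nosuid,noexec  1 2
/dev/sda6     /home       ext4  defaults,nodev                1 2
/dev/sda7     /var/ftp    ext4  defaults                      1 2
EOF
}

# missing_options FSTAB MOUNTPOINT -> the hardening options that are not
# present for that mount point (empty output means all three are set).
missing_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        split("noexec nodev nosuid", want, " ")
        out = ""
        for (i = 1; i <= 3; i++)
            if (!(want[i] in have)) out = out (out == "" ? "" : " ") want[i]
        print out
    }' "$1"
}

# harden_entry FSTAB MOUNTPOINT -> the whole fstab on stdout with the
# missing options appended to that mount point's line. Review the output
# and copy the line into /etc/fstab yourself; then remount (mount -o remount).
harden_entry() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
        opts = $4
        split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= 3; i++)
            if ("," opts "," !~ "," want[i] ",") opts = opts "," want[i]
        $4 = opts
    } { print }' "$1"
}

# Stand-alone demonstration.
f=$(mktemp)
sample_fstab > "$f"
for mp in /tmp /home /var/ftp; do
    echo "$mp missing: $(missing_options "$f" "$mp")"
done
echo "--- /var/ftp with options added ---"
harden_entry "$f" /var/ftp | grep '/var/ftp'
rm -f "$f"
```

Note that noexec on /var/ftp, /tmp or /home only stops direct execution; as the list above says, interpreters can still run scripts stored there, so it is one layer, not a complete control.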
Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
Enable quotas per file system by modifying the /etc/fstab file.
Remount the file system(s).
Create the quota database files and generate the disk usage table.
Assign quota policies.
See implementing disk quotas tutorial for further details.
#14: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out there which are able to check a system over the network for IPv6 security issues. Most Linux distros have begun enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless your network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:
Any file with the SUID/SGID bit enabled can be misused when the SUID/SGID executable has a security problem or bug. Any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows:
# See all set user id files:
find / -perm -4000
# See all set group id files:
find / -perm -2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
find / -path -prune -o -type f -perm /6000 -ls
You need to investigate each reported file. See the reported file's man page for further details.
#15.1: World-Writable Files
Anyone can modify a world-writable file, which can result in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported directory and either set the correct user and group permissions or remove it.
#15.2: Noowner Files
Files not owned by any valid user or group can pose a security problem. Find them with the following command:
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
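The find expressions in #15, #15.1 and #15.2 are easiest to trust once you have seen them hit known-bad files and skip known-good ones. The following added example (not from the original article) builds a small throwaway directory tree with a setuid file, a setgid file, a world-writable file, a world-writable directory without the sticky bit, and a sticky /tmp-style directory, then runs the same style of checks over it. It uses the GNU/POSIX `-perm -mode` form (all listed bits set), which is the portable spelling of the checks above; the unowned-file check is included but cannot be exercised on the constructed tree, since creating a file owned by a non-existent user needs root.

```shell
#!/bin/sh
# Added example: exercise the SUID/SGID, world-writable and unowned-file
# checks from #15 against a constructed directory tree.

# make_sample_tree -> prints the path of a new temporary tree containing
# one example of each condition the checks look for. Constructed data only.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/shared" "$d/drop"
    : > "$d/bin/helper";        chmod 4755 "$d/bin/helper"        # setuid binary
    : > "$d/bin/report";        chmod 2755 "$d/bin/report"        # setgid binary
    : > "$d/bin/normal";        chmod 0755 "$d/bin/normal"        # ordinary binary
    : > "$d/shared/notes.txt";  chmod 0666 "$d/shared/notes.txt"  # world-writable file
    chmod 0777 "$d/shared"      # world-writable dir, no sticky bit: anyone can delete others' files
    chmod 1777 "$d/drop"        # world-writable but sticky, like /tmp: acceptable
    echo "$d"
}

# suid_sgid_files ROOT -> regular files with the setuid or setgid bit.
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable_dirs_no_sticky ROOT -> directories anyone can write to that
# lack the sticky bit (the #15.1 expression).
world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | sort
}

# world_writable_files ROOT -> regular files anyone can modify.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# unowned_files ROOT -> files whose owner or group no longer exists (#15.2).
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print | sort
}

# Stand-alone demonstration.
tree=$(make_sample_tree)
echo "--- setuid/setgid ---";            suid_sgid_files "$tree"
echo "--- world-writable, no sticky ---"; world_writable_dirs_no_sticky "$tree"
echo "--- world-writable files ---";     world_writable_files "$tree"
echo "--- unowned ---";                   unowned_files "$tree"
rm -rf "$tree"
```

On a real host run the functions with `/` as the root (as root, so every directory is readable) and compare the setuid list against what the package manager installed; a setuid binary that no package owns is the kind of finding that deserves an immediate look.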
#16: Use A Centralized Authentication Service
Without a centralized authentication system, user auth data becomes inconsistent, which may lead to out-of-date credentials and forgotten accounts which should have been deleted in the first place. A centralized authentication service allows you to maintain central control over Linux / UNIX account and authentication data. You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.
#16.1: Kerberos
Kerberos performs authentication as a trusted third party authentication service by using cryptographic shared secret under the assumption that packets traveling along the insecure network can be read, modified, and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to setup and use Kerberos.
#17: Logging and Auditing
You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory. This is also useful to find out software misconfiguration which may open your system to various attacks. See the following logging related articles:
#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck
Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:
general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)
———————- Named End ————————-
——————— iptables firewall Begin ————————
Logged 87 packets on interface eth0
From 58.y.xxx.ww – 1 packet to tcp(8080)
From 59.www.zzz.yyy – 1 packet to tcp(22)
From 60.32.nnn.yyy – 2 packets to tcp(45633)
From 222.xxx.ttt.zz – 5 packets to tcp(8000,8080,8800)
———————- iptables firewall End ————————-
——————— SSHD Begin ————————
Users logging in through sshd:
root:
123.xxx.ttt.zzz: 6 times
———————- SSHD End ————————-
——————— Disk Space Begin ————————
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 450G 185G 241G 44% /
/dev/sda1 99M 35M 60M 37% /boot
———————- Disk Space End ————————-
###################### Logwatch End #########################
(Note output is truncated)
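Logwatch's report above summarises sshd logins and firewall drops per source address; the same two summaries are a few lines of shell once you know which log lines to match. The following is an added example, not from the original article or from logwatch, run over constructed log lines in the syslog format sshd and the iptables LOG target write (the hostnames, PIDs and RFC 5737 documentation addresses are made up). It counts failed SSH logins per source, flags sources over a threshold, lists successful logins, and tallies dropped packets per destination port.

```shell
#!/bin/sh
# Added example: summarise sshd failures/successes and iptables drops from
# syslog-style lines, in the spirit of the logwatch report in #17.1.

# Constructed log lines (not from a real host).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 srv01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 srv01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:19 srv01 sshd[2233]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:02:40 srv01 sshd[2250]: Accepted publickey for alice from 192.0.2.15 port 40122 ssh2
Mar  3 10:03:01 srv01 sshd[2261]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:05:00 srv01 kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51030 DPT=8080
Mar  3 10:05:02 srv01 kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51031 DPT=8080
Mar  3 10:06:10 srv01 kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44010 DPT=23
EOF
}

# failed_logins_by_source LOG -> "count ip", most failures first.
failed_logins_by_source() {
    grep 'sshd\[' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([^ ]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# sources_over_threshold LOG N -> source IPs with at least N failures;
# candidates for an iptables block or faillog review.
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

# accepted_logins LOG -> "user ip" for each successful sshd login.
accepted_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted [a-z]* for \([^ ]*\) from \([^ ]*\) port.*/\1 \2/p' "$1"
}

# dropped_by_port LOG -> "count port" for packets the firewall logged and dropped.
dropped_by_port() {
    grep 'IPTABLES-DROP' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone demonstration.
f=$(mktemp)
sample_log > "$f"
echo "--- failed logins by source ---";   failed_logins_by_source "$f"
echo "--- sources with >= 3 failures ---"; sources_over_threshold "$f" 3
echo "--- accepted logins ---";           accepted_logins "$f"
echo "--- dropped packets by port ---";   dropped_by_port "$f"
rm -f "$f"
```

On a Red Hat-style system the sshd lines live in /var/log/secure and the kernel lines in /var/log/messages; the log prefix "IPTABLES-DROP:" is whatever you pass to `iptables ... -j LOG --log-prefix`, so adjust the grep to match your own prefix.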
#17.2: System Accounting with auditd
The auditd daemon is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. With auditd you can answer the following questions:
System startup and shutdown events (reboot / halt).
Date and time of the event.
User responsible for the event (such as trying to access /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file & commands).
Success or failure of the event.
Record events that modify the date and time.
Find out who made changes to modify the system’s network settings.
Record events that modify user/group information.
See who made changes to a file etc.
See our quick tutorial which explains enabling and using the auditd service.
#18: Secure OpenSSH Server
The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks. See how to secure OpenSSH server:
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
It is a good practice to deploy any integrity checking software before the system goes online in a production environment. If possible install the AIDE software before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS) that monitors and analyses the internals of a computing system.
Snort is intrusion detection software capable of performing packet logging and real-time traffic analysis on IP networks.
#20: Protecting Files, Directories and Email
Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data. However, permissions set by Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer's hard drive to another system to copy and analyze the sensitive data. You can easily protect files and partitions under Linux using the following tools:
To encrypt and decrypt files with a password, use gpg command.
Backups - It cannot be stressed enough how important it is to make a backup of your Linux system. A proper offsite backup allows you to recover from a cracked server, i.e. an intrusion. The traditional UNIX backup programs dump and restore are also recommended.
Hardening Linux - Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks.
In the next part of this series I will discuss how to secure specific applications (such as Proxy, Mail, LAMP, Database) and a few other security tools. Did I miss something? Please add your favorite system security tool or tip in the comments.
Today, an unprotected computer isn’t just vulnerable, it’s probably already infected. New viruses, spyware, trojans, worms, and other malware are created every day. New threats are disguised to bypass other security measures, and specifically designed to catch you and your PC off guard.
The virus landscape has also changed; viruses that used to be annoying pranks have evolved into pernicious threats capable of not only destroying your computer, but stealing your information and identity.
The benefits of installing a basic security solution on your PC are obvious, but the cost in system slowdown used to make it tough to bear. Luckily, modern antivirus software hasn't just improved its level of protection; it has significantly improved resource efficiency and overall speed. You can have ultimate protection without giving up your resources. With advanced technologies and straightforward usability, antivirus software is more effective than ever, and doesn't require constant maintenance from you. Say goodbye to annoying security warnings and noticeable slowdown; current antivirus programs deliver constant protection and can actually speed up your computer.
The last generation of antivirus software brought advanced heuristic detection into the mix. Continuing to improve, the 2011 lineup of antivirus products often incorporates further developed proactive protection with better behavior checking and even file reputation analysis. Several of the products incorporate 'in the cloud' security and other advanced technologies to increase safety and convenience. From gamer modes, to battery saving settings, to integrated web link scanners, antivirus applications are more versatile and have upped the ante for features and functionality.
On antivirus software review site you’ll find a side-by-side comparison of the best antivirus software, helpful articles on computer security, security tips and tricks, buying guides, videos, and comprehensive reviews to help you make an informed decision on which security software is right for you.
All security software is not created equal. Like all consumer products, antivirus software has the good, the bad, and the mediocre. The choices for antivirus protection are many and varied. Although we haven’t reviewed each and every product available, we feature the absolute best antivirus software available today from a number of providers (including big-hitters, lesser-knowns, and new-comers), and compare them so you can match your needs with the right software.
Remember when it really comes down to it, effectiveness and usability can either make or break antivirus software. Security programs are only as good as their level of protection, and if you can’t figure out how to use it, you won’t. Our top-ranked antivirus software combine optimal security with user-friendly features and tools.
Below are the criteria TopTenREVIEWS uses to evaluate and compare antivirus software:
Scope of Protection
While most security solutions tout “multi-layered” protection, “360 degree” defense and/or even “100%” security, some are certainly more thorough than others. The best antivirus solutions will include traditional protection from viruses, worms, Trojans and spyware, but should also include defense from keyloggers, phishing scams, email-borne threats and rootkits. While antivirus programs are by no means full-blown internet security suites, they should protect from as many threats on as many fronts as they can.
Effectiveness
Antivirus is specifically designed to protect your computer, so if it doesn’t do that well, what good is it? All the features, bells and whistles, or sleek interface can’t make up for poor performance. We look at results from the industry-standard security software testers and professional security organizations to find the most effective software available and evaluate overall effectiveness. In general, our highest ranked programs are also the most effective.
Ease of Installation and Setup
Security software shouldn’t be a chore to install, and should have you protected as soon as possible. From download to install, to the first scan; implementing antivirus software should be quick and easy.
Ease of Use
Antivirus software is complex stuff, but shouldn’t require a degree in computer security. The best security programs have all the features security experts want, but are just as easily used by a beginner. Everyday computer users want a security solution that they can install and forget about; software that doesn’t require constant maintenance or have annoying interruptions. The best antivirus software is flexible enough to do exactly what you want it to (even if that means running by itself).
Features
A well-rounded feature set takes a security solution from good to great. More than bells and whistles, added features provide security, usability and performance benefits.
Updates
Security software is only as good as its latest update. Viruses are being identified and added to signature databases all the time, so it’s important that your virus definition list updates accordingly. Modern antivirus software is equipped with automatic updates that run regularly enough that you get faster updates that don’t slow down your system. The best security providers even “push” updates to you as soon as they’re available.
Help & Support
The best software doesn’t require reading an in-depth manual to use, but still has one available. For specific questions, troubleshooting, and additional help, the best antivirus manufacturers provide superior product support online and off. Additional support for software may come in the form of assistance over the phone, email, live chat, or through a number of additional resources (knowledgebase, FAQs, tutorials).
A well-balanced antivirus solution is effective, efficient, and easy to use. Combining all the right features with a usable interface; our top antivirus software choices deliver the best security and usability without a serious investment in time, money, or system resources.
Everyone has been infected with a virus at one time or another either through the common cold or the flu. A virus attacks the human body by entering through one of the many openings and attaching itself to a host cell. It releases a piece of genetic information into the cell and recruits the cell’s enzymes to propagate the genetic information. Once the genetic code has been adequately replicated, it destroys the cell and attacks cells nearby.
How does a computer virus simulate a biological virus? Just as a biological virus injects its own genetic information into a cell and interferes with the body’s normal operations, a computer virus is a program written to interfere with the proper functioning of a computer. It may damage programs, delete files, reformat hard disks and perform other forms of destructive acts.
To be classified as a virus, a program must meet two criteria. It must be able to execute itself by placing its own code in the execution path of another program. The program must also be able to replicate itself by replacing existing computer files with copies of the virus-infected files. Similar to the way a biological virus requires a host cell, a computer virus requires an infected host file to propagate itself.
Viruses have become the villains of the computer world, propagating themselves and destroying everything in their path. However, another tool of destruction, known as the worm, has been creeping into the computer industry. Most of us have heard of the dreaded Blaster worm that attacks Microsoft websites, but what exactly is a worm and how does it differ from a virus? Actually, a worm is a type of virus that attacks the computer in a method differing from the way a typical virus attacks a computer. Unlike the typical virus, the worm does not require a host program to propagate. A worm enters a computer through a weakness in the computer system and propagates itself using network flaws.
The typical virus requires activation through user intervention, such as double clicking or sending outgoing email. However, a worm releases a document containing the “worm” macro and sends copies of itself to other computers through network flaws, therefore bypassing any need for user intervention.
So, what can you do to protect your computer from virus infection? There are a number of preventative measures that you can take. For example, you can purchase and continually update virus scan software. Make sure that this software contains the “real-time” scanning feature which monitors all incoming and outgoing mail. You may also install a firewall which prohibits unauthorized access to your computer. By installing these preventative devices, you can proactively defend against viruses.
Fake antivirus scanners, or rogue scanners, come in many forms. Many alter the properties of your browser window to make it look like a legitimate program, when in reality it’s just a browser window. Others, executed via ActiveX or script, or injected by a virus, will actually look like a running program. These programs have a single goal, and that is to trick the user into actually installing the program. Once installed, the effects range from annoying to devastating. These programs will produce false alerts telling the user that there are viruses, pornography, and other items on their computer. They then offer a “fix it” button. Once it is pressed, the user is directed to pay a certain amount of money for a solution that never materializes.
Some of these rogue programs are unusually deceptive. Programs like Antivirus 360 use the name 360 because the targeted user may believe that it is directly related to Norton 360. Others use names that lead people to believe that they are legitimate. They even go as far as using an exact replica of Microsoft’s Security Center, producing an image like the one below.
Notice under “Virus Protection” there is a listing for one of the most common Rogue programs. Here, they want you to click on those buttons, ultimately obtaining your credit card and money from you, with no actual solution to your problem.
Here is a list we have compiled of the Top Ten Rogue Antispyware programs to watch out for, and a description of each one and their tactics. There is actually a very long list, but here are the most commonly seen rogue programs in our experience.
Antispyware XP 2009 – Uses a replica of the Microsoft Security Center, as pictured above. Antivirus 2009 comes in many names, including Antivirus 2008, Antivirus XP/Vista and Antivirus XP 2009, XP Antispyware 2009
Antivirus 360
WinCleaner 2009
Malware Doctor
Spyware XP Guard
Spyware Remover 2009
Total Protect 2009/Total Defender/Total Security
Virus Shield 2009/Virus Shield Pro
Windows Security Suite
WinAntivirus XP/Vista
Should you come across one of these programs on your system, we highly recommend that you get it removed as quickly as possible. It has been our experience that the longer they stay on the computer, the worse the damage gets.
What is SQL Injection
Most new web developers have heard of SQL injection attacks, but not very many know that it is fairly easy to prevent an attacker from gaining access to your data by filtering out the vulnerabilities using MySQL extensions found in PHP. An SQL injection attack occurs when a hacker or cracker (a malicious hacker) attempts to dump the data in a database table in a database-driven web site. In an unprotected and vulnerable site, this is pretty easy to do.
SQL injection is a common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors, SQL injection is an attack on the site itself, in particular its database.
The goal of SQL injection is to insert arbitrary data, most often a database query, into a string that’s eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data, to modifying or removing information from the database.
How does an SQL injection attack work
In order for an SQL injection attack to work, the site must use an unprotected SQL query that utilizes data submitted by a user to look up something in a database table. The data could come from a search box, a login form or any type of query that looks up data using input supplied by a user. It also means that query string data used to query a database can create vulnerabilities.
For example:
A very simple unprotected query might look like this:
SELECT * FROM items WHERE itemID = '$itemID'
Normally, you would expect a user to submit a legitimate value, such as a username and password, which would be used to query the database table to see if the username and password exist. But what if someone submitted the following instead of a password?
' OR '1' = '1
That would make the query used to look for the password look like this:
SELECT * FROM items WHERE itemID = '' OR '1' = '1'
This would always return a True response and could literally display the entire table as the result for the query. This is a pretty scary thought if you are trying to keep your data secure. The problem with SQL injection is that a hacker does not have to know anything about your database or table structure.
What if an error or some other issue caused your table structure to be exposed? Hackers are very good at forcing errors to occur that expose information that allows them to penetrate a site deeper. What if the following was entered in the password field?
'; drop table users;
How to prevent your database from SQL Injection attacks
There is a method for filtering the data that is used on the right side of the WHERE clause to look up a row in a database. The trick is to escape any characters that may be in the user input portion of the query that could lead to a successful attack.
Use the following function to add backslashes to suspect characters and filter any data that is input by a user.
function cleanQuery($string)
{
    // Magic quotes (PHP < 5.4) may already have added backslashes to GET/POST
    // data; remove them first so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $string = stripslashes($string);
    }
    // mysql_real_escape_string() only exists in PHP 4.3.0 and newer, and it
    // needs an open mysql_connect() link so it can use the connection's
    // character set. Older versions fall back to mysql_escape_string().
    if (phpversion() >= '4.3.0')
    {
        $string = mysql_real_escape_string($string);
    }
    else
    {
        $string = mysql_escape_string($string);
    }
    return $string;
}

// if you are using form data, use the function like this:
if (isset($_POST['itemID'])) $itemID = cleanQuery($_POST['itemID']);

// you can also filter the data as part of building your query:
$query = "SELECT * FROM items WHERE itemID = '" . cleanQuery($itemID) . "'";
The first part looks to see if magic quotes is turned on. If so, PHP may have already added backslash escapes to data passed through a POST or GET request. If backslashes were added, they need to be removed prior to running the value through the rest of the function, otherwise it would be escaped twice.
The next part checks the PHP version. The built-in function that we want to use is called mysql_real_escape_string. This MySQL function only exists in PHP version 4.3.0 or newer. If you are using an older version of PHP, another MySQL function is used called mysql_escape_string.
mysql_escape_string is not as effective as the newer mysql_real_escape_string. The newer version escapes the string according to the connection’s current character set. The character set is ignored by mysql_escape_string, which can leave some vulnerabilities open for sophisticated hackers. If you find that you are using an older version of PHP and you are trying to protect sensitive data, you really should upgrade to a current version of either PHP 4 or PHP 5.
So what does mysql_real_escape_string do?
This PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, ‘ and “. The important part is that the single and double quotes are escaped, because these are the characters most likely to open up vulnerabilities.
For those who do not know what an escape is, it is a character that is pre-pended to another character. When a character is escaped, it is ignored by the database. In other words, it makes that character ineffective in a query. In the case of PHP, an escaped character is treated differently by the PHP parser. The standard escape character used by PHP and MySQL is the backslash.
In the case of the SQL query example used above, after running the input through the routine the query looks like this; the whole input is now a single string literal, which defeats the injection:
SELECT * FROM items WHERE itemID = '\' OR \'1\' = \'1'
This method should stop the bulk of SQL injection attacks, but crackers and hackers are very creative and are always finding new methods to break into systems. There are additional steps that can be taken to filter out certain words, such as drop, grant, union, etc., but using this method will strip these words from searches performed by your users. However, if you want to add another level of security and do not have an issue with certain words being deleted from queries, you can add the following just before if (phpversion() >= '4.3.0').
This additional step should prevent a malicious attacker from damaging a database if they found a way to slip through. Just remember that if you take this additional step and you have a site where someone might search for a “plumbing union” or a “drop cloth”, those queries would not work as intended. If you are wondering what the trailing ‘i’ following each word in the array is for, it is required to make the preg_replace replacements case insensitive. This wasn’t needed with eregi_replace, but that function has been deprecated in PHP 5.3.
Another important step that needs to be taken with any database is controlling user privileges. When setting up a MySQL user, you should never assign any more privileges than they actually need to accomplish the tasks that you allow on your site. Privileges are easily assigned and managed through phpMyAdmin, which is found in the control panel (cPanel, Plesk, etc.) for most hosting companies.
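As an added example (not code from the original article), here is the article’s string-built itemID query beside a prepared-statement version, run against a constructed in-memory SQLite database through PDO so it executes offline; bound parameters are the modern replacement for the mysql_* escaping shown above, and the table, rows and function names are assumptions made for this demonstration.

```php
<?php
// Added example: vulnerable concatenation vs. a prepared statement.
// A constructed in-memory SQLite database stands in for the site's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (itemID TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items VALUES ('A100', 'widget'), ('B200', 'gadget'), ('C300', 'sprocket')");

// Vulnerable: the user's value is spliced straight into the SQL text, exactly like
// SELECT * FROM items WHERE itemID = '$itemID' in the article. Quotes in the
// input become part of the query's structure.
function lookupUnsafe(PDO $db, string $itemID): array
{
    $sql = "SELECT * FROM items WHERE itemID = '$itemID'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the value is sent as a
// bound parameter, so the database never parses the input as SQL. No manual
// escaping (and no dependence on the connection's character set) is needed.
function lookupSafe(PDO $db, string $itemID): array
{
    $stmt = $db->prepare("SELECT * FROM items WHERE itemID = :id");
    $stmt->execute([':id' => $itemID]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The article's injection string: turns the WHERE clause into ... = '' OR '1' = '1'
$payload = "' OR '1' = '1";

$leaked = lookupUnsafe($db, $payload);
echo "unsafe query returned " . count($leaked) . " rows (the whole table)\n";

$blocked = lookupSafe($db, $payload);
echo "prepared statement returned " . count($blocked) . " rows (no item has that ID)\n";

// Legitimate lookups still work through the prepared statement.
$hit = lookupSafe($db, 'B200');
echo "lookup of B200 returned " . $hit[0]['name'] . "\n";
```

Running it shows the concatenated query handing back all three rows for the payload while the prepared statement returns none, which is the behaviour the escaping routine above is trying to approximate by hand.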
There are many different antivirus and anti-malware protection programs available, ranging in price from free, to several hundred dollars, depending upon their sophistication and scope of use. It is critically important that anyone that connects to the internet has adequate protection against possible infections by viruses, trojans, worms, and various malware that circulate so prolifically these days.
There is an adage that says, “If a little bit is good, then a lot is better”. However, in the case of virus protection, this is normally not true (in fact, in my experience, NEVER). Although it may be permissible to run more than one anti-malware protection program at a time, one should have only one antivirus program operating at any given time. There are reasons for this.
Two different AV programs will often conflict, seeing each other as a virus, because of the nature of their operation. Thus, when one program succeeds in stifling the activities of the other, a window of opportunity for an actual virus may be created. More often, each will manage to limit the effectiveness of the other, thus creating a weakness that can be exploited. “Loops” can be created, wherein two AV programs will endlessly fight each other for control of a given function, leaving that function effectively unprotected. More is NOT better!
One should select their protection carefully, giving thought to the particular sorts of risks they make themselves vulnerable to by their surfing style. As a member of many web professional forums, I prefer to make my selection, after hearing the recommendations of others. I also have found that for my purposes, there is no need to purchase such a program.
There are a number of very effective AV programs, written and maintained by reputable organizations, that can be downloaded and installed at no charge. I presently use Avast, which I feel to be on a par with Avira, in terms of effectiveness in the AV realm. Both also offer enhanced versions for purchase, and have products that specialize in other levels of protection. Kaspersky is another system that has an excellent track record for protection.
Most such products offer a free evaluation period, up to a month, to see if their program does the job you want. I usually warn people away from such evaluation periods, however, simply because some such programs are difficult to remove completely (Symantec’s Norton is one that’s notoriously difficult to get rid of) from your system.
There are a few things that should be remembered, when searching for the best AV program for your system:
NO AV program is perfect! Some are better than others, but new exploits are released almost daily, and your protection is only as good as its relevancy. If it updates virus definitions weekly, then you may be vulnerable to new viruses for several days between updates.
The sort of experts that are capable of developing protection against viruses have their doppelgangers on the other side of the coin… those that develop the viruses to begin with. Both are good at what they do, and at any given moment, one will be a step ahead of the other.
Realtime scanning is an important feature to seek in your AV protection. Scanning emails and downloads is important, but viruses and malware can be activated by the simple act of clicking on a text link, an image or opening an attachment. Just entering a page can enable an infection, without sufficient protection.
The best AV protection available cannot do the job alone. YOU have to take an active part in protecting your system. If you frequent poor reputation sites, hang out in “bad neighborhoods”, the infection of your computer is made much more probable, regardless of the AV protection you run.
AV protection is only one aspect of protection. A reliable firewall and adequate anti-spyware protection are other important protections that should be considered. I suggest you investigate what security bloggers and forum members have to say about the AV protection they have used or are using. A satisfied customer is always a good reference. Seofast
I’m glad to share the information about Live hacking CD that is a Linux distribution packaged with collection of amazing tools for ethical hacking and penetration testing, that includes some IPv6 tools. This CD contains the tools and utilities you need to test and hack your own network but using the tools and techniques that more malicious hackers would use.
Live Hacking CD is based on Ubuntu. This Live CD runs directly from the CD and there is no need to install any of these tools on your hard disk. You can use the bundled tools to test, check, ethically hack and perform penetration tests on your network to make sure that it is secure from outside intruders.
As well as the standard Linux networking tools like ping, wget, curl, telnet and ssh, the Live Hacking CD has tools for DNS enumeration and reconnaissance as well as utilities for foot-printing, password cracking and network sniffing. It also has programs for spoofing and a set of wireless networking utilities.
This CD is based on open source technology and on Ubuntu Linux. All the tools included can be freely found either in the Ubuntu repositories or on the Internet. The CD is designed to be a platform to help IT security professionals (as well as those with a general interest in information security) to start, understand and conduct penetration tests and ethical hacking.
The Live Hacking Mini CD is a small Linux distribution designed for ethical hacking. This compact version of the Live Hacking CD contains all the necessary tools and utilities, but no GUI is included on this CD and it is command-line only.
Download Live Hacking CD
Live Hacking CD, Version 1.2 Beta August 25, 2010, ISO-MD5 Hash: ded9ce8ee66c7d7e23f535d38a10e91f Download (SourceForge.net)
Live Hacking CD, Version 1.1 Full April 27, 2010, ISO-MD5 Hash: dd1d96aec7821e6b623c93a1c9569658 Download (SourceForge.net)
Live Hacking Mini CD, Version 1.0 Beta, April 27, ISO-MD5 Hash: dd19a497421f37c508d681586e132c99 Download (SourceForge.net)
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Microsoft released the ASP.NET vulnerability patch through the Download Center; for details please click here.
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.