Goodbye Cruel World - Basic Internet Security for Microsoft
First - the great trick to dealing with basic system security on the Internet is to understand how the greater network sees your system. You are a collection of ports (sockets, if you will) at an address (an IP address) that allows or disallows the greater network access to the services, software and information running or stored on your system. Potentially, anything that can be done on your hardware/software can be done by anyone, anywhere, anytime - if they have the interest and the know-how. This is not specific to Microsoft Windows, but there are a lot more MS operating systems connected to the Internet, and thus it makes for ready prey.
.. The Big Players
On a business level, you are assumed to earn at least one personal median income of +25-30k and to be very probably employed (as opposed to retired or a business owner). You are slightly more likely than not to be female, you have access to or own a credit card, and you have performed some e-commerce transaction online with sites you consider reputable. This is not actually true on average; however, in terms of the legitimate business market that they can measure - people who have acted on supervised i-net marketing efforts (say, online travel reservations) - it's the model. In short, it's like how 'TV ratings' work. I think it's sexist myself.
Criminals and Boiler Rooms - you are (as is everyone they can get any sort of message to) a potential rube. And everyone is, at some level, as pretty much everyone has some greater charitable or personal interest in something. If they can represent to you that they are a reputable or successful service in that interest (the more obscure the better), they can then exploit their message with further and more traditional confidence tricks. This is almost always some extension of a standing telemarketing scheme or mail fraud for products, services or activism, wherein the electronic message is a trigger to get you to pick up the phone or to reply to a site with information.
Harvesters - They are in place to deliver the triggering message for both constituencies noted above, and they actively seek e-mail addresses and connected machines that will accept 'pop-ups'. As well, they are constantly scanning for 'exploitable' IP addresses (perhaps your machine) to help deliver (or relay) the triggering message or pop-up on their behalf. On the top end of the scale they maintain relationships with some of the most prominent service providers and software companies to perform the functions required to provide 'qualified' potential customers for legitimate (if, I think, completely misguided) business marketing activity. On the lower end there are the 'bulk' harvesters, who provide actionable data cores to any and all at the lowest possible competitive price - usually for a very thin pay per click or provable receipt. For those of you out there on the credit limb - there is a huge and rapidly growing business with these weasels. Birds of a feather, I suppose.
Modelers - They are in place to support the harvesters and/or to provide specific information to a specific client (like the folks who wrote the freeware copy of your fav software) about what you like to do when you surf the Internet. Cookies and 'Referer' information play a large part in both their lives and yours. The Modelers and the Harvesters make up the majority of the harmless nuisance traffic on your Internet connection - but their work lays the foundation for the earnestly unpleasant who follow them in.
Crackers and Script Kiddies - the rogues, rogue wannabes, zealots and/or legitimate researchers. A very few individuals are actively and legitimately trying to improve the computer and Internet experience by carefully opening and then reporting breaches in operating systems and networks - or are attempting to provide facilities ('mined' systems and 'tarpits') to limit the spread of an exploit's impact. This is sometimes done for profit, wherein the 'whitehat' will then hope to consult with the affected system or vendor. Equally, there are those involved in academic or interest research - the folks who report the exploits, or the exploited, that need patching. Check out the SpamCop link above on how you can be one of the whitehats yourself.
In terms of total system traffic, these last players are a relatively limited spectrum, of which the whitehats represent a minuscule constituency in comparison to the malicious 'blackhat' (often automated) players who are in point of fact actively trying to get your passwords and your system information to rip you off or turn you in. However, despite the hype, this is not (yet) as prevalent as you might think, given that you do not on average represent a 'high value' blackhat target - it is easier to bleed .10 cents a day off a hundred accounts at a medium sized business whose customer record databases are incorrectly secured. Effectively, they are more likely to get caught if they clean you out personally in one shot. Although this wisdom is rapidly changing as more and more people with extensive credit resources but not a lot of real computer expertise use the Internet to perform e-commerce. Your recently retired mom or dad, for example. And no offense meant to the MANY retired folks who do know their stuff - often better than the recent CompuCert grad. It is just an example. Ignorance knows no age - however, folks with paid off houses and large unused credit limits are usually a little older.
Relays and Zombies - Potentially anyone on the Internet - you, me and everyone else. I use the term 'Zombie' to describe a system that has been exploited and is being used to pass out viruses or to crack other systems so as to cloak the blackhat's identity. This is most often automated - you get a virus, and it starts trying to copy itself directly to all the IIS servers it can find and access on your ISP. This is different from 'Relays', where a system is being used to 'bounce' things like spam out (but not necessarily only spam - see 'child porn' below) to bypass filtering systems. But they are not all that different, and they are symptomatic of the same kind of system problems really.
Given that there is a wide crossover between the Crackers, Modelers and Script Kiddies - and the Harvesters, Boiler Rooms and their clients (legit or otherwise) - it is wise to treat all unrecognized inbound system activity as blackhat regardless, as the whitehats will usually be glad to explain themselves if called on it.
.. 'DON'T PANIC' - it's computer science, not rocket science
Much advice has been forwarded regarding tool sets and operating system options, and it comes from hard won experience. However, at the core of it, the basic trick is to do what you can to make yourself a 'low value' target. Basically - make it difficult enough to breach your system that the wolves move on, and don't be posting out to public spaces like newsgroups, message boards or chat services that your mother-in-law just won a house lottery.
This is well achieved by basic common sense, a virus checker, ad blockers and software firewalls. Although you want to be very careful because, of course, your 'free' software may in fact already be (or may one day be) acting as a higher level Harvester or Modeler. This is a concern with many freeware or shareware software solutions, particularly security warez - although not all, and to a substantially lesser degree with the open source software community's efforts, which are few and far between for Microsoft Windows but very popular on UNIX and coming our way more and more.
For example, KAZAAlite does not charge you for their services or software - however, they sell you (or allow you to be sold) to interested messaging and/or advertising parties. Equally, just because you are not seeing a pop-up anymore, everything that triggers a 'targeted' pop-up based on your surfing history (which is usually how it's done) may still be triggered and recorded for alternative message delivery models - spam, for example. Which in turn you may still not be seeing, depending on how actively your ISP is blocking spam for you.
'You're all right, Jack', as the saying goes - but you may not be eventually, as you may later find your e-mail address being used by the Harvesters as the reply-to address on spam, kiddie porn, Nigerian banking offers - or some other much more subtle offer that someone with a real lawyer foolishly acts upon one day.
The OS swap solution is the most radical and most often a successful strategy - however, the learning curve is very high and the truth is that moving to a UNIX based operating system should not be entered into lightly. You will have to learn even more about all this security guff to get it to connect to the Internet at all. Moreover, you probably use your computer to work with larger organizations and regular individuals still committed to Microsoft solutions - which, as a rule, do not easily communicate with most Unix type software.
.. So what to do - you know - exactly?
Read..
Use Google or Zeal and read. This is where most older folks have it all over us stiffs who goofed off through the last 40 years of modern 'caring' public education..
Reading is much underrated these days, and that contributes greatly to problems across the Internet and in real life as well. Try to actually understand how a greater exploit works rather than blindly following a set of quick 'how-to' instructions, because what you do today to secure your system may itself provide a different exploit opportunity at a later date - putting aside the new exploits no one has thought up yet.
Pick up an Anti-Virus package. I usually advise Norton as - despite its great weight on the system and several correctly outlined problems regarding closing the barn door after the fact - Norton is widely supported and understood by the folks who will have to fix your system after it has been breached. This is mostly true of many other AV solutions as well, but Norton will provide basic and automated protection without any real need to understand how it, any of it, works.
Install the AV package, run, fix whatever it tells you to fix - then perform a third party 'port scan'.
While there are a lot of very good services out there, I again advise Norton for the 'average user', as the reporting provides (or provided) good basic informational and actionable links on what to do about open ports or system services on your connection. You do not need to have any AV product installed - start at this link here:
Norton
It will test your home system's ports for potential exploits and give you instructions and recommendations on how to fix them. Naturally - in all cases they will also recommend their software firewall (it's a free service, after all).
Your call on that one; I don't run a firewall here. Instead, I custom hardened my W2K machine natively over about 8 months of reading and testing. Judge by your level of interest - but anyone can probably lock down a system in a week or two if they don't want to act as a standing and 'mined' public server, as I have it here.
Here is an excellent starting link on the subject of rolling your own custom firewall using W2K/XP:
IPSec at ZEAL. Beginners might want to try using the 'IP Security - IPSec' link first.
As noted above, the 'pop-up' blocker is a bit of a double edged sword at the end of the day. While it will stop you from seeing pop-up advertising, depending on what you use and what happens to what you are using later, you should remain concerned that it may still be calling home. There are many ways to fix this. The simplest is to open up your system services stack as described (and with warnings noted) below, then set the NetMeeting and Messenger services to 'manual'. Then later - after booting a couple of times and working with the system normally for a few days to make sure it's not broken - set them to 'disabled'.
Personally, I do not trust software firewalls or AV packages on Microsoft Windows given the 'after the fact' problem, and instead hid my system behind a hardware firewall until I could spend time reading and understanding the Windows system services stack. The 'Stack' is what is behind that list of running 'tasks' that comes up when you press ctrl-alt-del - and a couple of other things awaiting 'the call'. After I got it sorted out I took down the hardware firewall and opened Radio Free Dexterdyne up to the Internet.
You can go as far as getting into System Services utility (google it) and removing system services outright, which will also speed up your machine. But, again, beware - this is not for the faint of heart.
If your system is normally set up and you are logged in as the 'administrator', you can see and adjust the details of your services stack this way:
start>run>services.msc
They are not named the same as the running 'tasks' list, so it's a maze. Once you are in services.msc, right click and read up on the properties of the different services. For the love of god, don't change anything unless you know what you are turning off, having at least quickly googled it and/or visited Zeal with the service name. Pay attention to 'dependencies'.
Microsoft ships with a lot of services turned on that probably shouldn't be. The idea is that several of these system services provide for Microsoft software packages you will, of course, be installing later on, which, once they are configured properly, are supposed to go a long way toward securing your system. This is going to be different for Windows 2003 and beyond, for obvious reasons - but I don't think that's any excuse to slack off just yet, given the track record so far.
For example, W2K Pro installed by default with 'telnet' as a running open service so that your machine could be logged into to effect installation upgrades and support across a network or Internet connection at a command line level (the DOS prompt). It assumed that you understood and had correctly activated and configured your security manager, and that it was working properly to begin with. Almost nobody did, and it certainly wasn't, and thus - if you haven't gone to system services and explicitly set its default property to 'disabled' - pretty much anyone anywhere with an interest and some time can eventually issue almost any DOS command line instruction any time they (or, more likely, their automated virus/trojan) get the urge. Say 'cd \' and then 'delete *.* /s' ..
However - again - great care is required here, as turning off the wrong thing will make your system unbootable and you will probably not be able to fix it without taking it to a qualified person who has done the reading - which you can no longer do, given you can't boot up and google or Zeal after the fact. But it's dead simple if you are still online, really. Assume the system services descriptions are misleading - use Google or Zeal, type in the system service name and your Windows OS level (W2K/XP), and read up on what it really does.
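As an added example, not part of the original article: the same services audit done from a PowerShell prompt instead of services.msc, on a current Windows build (assumed; PowerShell 5+, and these cmdlets do not exist on W2K/XP). It reports auto-start services with their dependencies before anything is touched, then offers the article's manual-then-disabled two-step. The short names on the watch list (TlntSvr, Messenger, mnmsrvc) are my assumption of the article's Telnet, Messenger and NetMeeting services.

```powershell
# Added example (not from the original article): audit the Windows service stack from the
# command line instead of clicking through services.msc. Assumes PowerShell 5+ on a current
# Windows build. Run from an elevated prompt if you intend to change anything.

# Constructed watch list: my assumption of the short names for the services the article
# singles out (Telnet, Messenger, NetMeeting Remote Desktop Sharing). On modern Windows some
# of these no longer exist; the audit simply reports them as absent.
$WatchList = @('TlntSvr', 'Messenger', 'mnmsrvc')

# Every service that starts automatically and is running, with what it needs and what needs it.
# Reading the dependency columns first is what keeps you from making the box unbootable.
function Get-AutoStartServiceReport {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
        ForEach-Object {
            $svc = Get-Service -Name $_.Name
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Account     = $_.StartName
                Binary      = $_.PathName
                DependsOn   = ($svc.ServicesDependedOn.Name -join ', ')
                NeededBy    = ($svc.DependentServices.Name -join ', ')
            }
        }
}

# Is each watched service present, and if so, is it running and how does it start?
function Test-WatchListServices {
    foreach ($name in $WatchList) {
        $s = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if ($null -eq $s) {
            [pscustomobject]@{ Name = $name; Present = $false; State = '-'; StartMode = '-' }
        } else {
            [pscustomobject]@{ Name = $name; Present = $true; State = $s.State; StartMode = $s.StartMode }
        }
    }
}

# The article's two-step: set to Manual first, live with it for a few days, then Disabled.
# Warns when other services depend on the one you are stepping down. Nothing below runs
# unless you call it yourself.
function Set-ServiceStepDown {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('Manual', 'Disabled')] [string] $StartupType = 'Manual'
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.DependentServices.Count -gt 0) {
        Write-Warning "$Name is needed by: $($svc.DependentServices.Name -join ', ')"
    }
    Set-Service -Name $Name -StartupType $StartupType
}

Get-AutoStartServiceReport | Sort-Object Name | Format-Table -AutoSize
Test-WatchListServices | Format-Table -AutoSize
# Set-ServiceStepDown -Name 'Messenger' -StartupType Manual   # first pass; Disabled a few days later
```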
.. OK - Done - I Mostly Knew This Already
You need a good port monitoring tool, and I'm currently recommending 'ActivePorts' from SmartLine:
ActivePorts
They have several interesting commercial products, but this one is solid freeware which will tell you in real time what is happening on your network ports and what software/service is holding the door open awaiting 'visitors', as well as where exactly you are opening a traceable IP to when you visit a webpage. It's not always where you think, and I recently came across a site that triggered a complete port scan against my IP from China when I opened the site (which is where your virus checker might miss an inbound virus when you are browsing - it may not monitor all ports).
ActivePorts has a neat feature which will allow you to kill off a service running on a port immediately. Killing off a service this way may make your system unstable until you reboot, but could save your tax records. Pay attention to port 135; it shouldn't be open at all. But if it is, you can see the IP doing it and fink them out to their ISP if you use something like:
SamSpade
SamSpade is a tracer tool that lets you find out who an IP really belongs to and how to get in touch with their upstream administrative staff.
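As an added example, not part of the original article and not ActivePorts' or SamSpade's own code: a PowerShell stand-in for the ActivePorts view, on a current Windows build (assumed; Get-NetTCPConnection and New-NetFirewallRule do not exist on W2K/XP). It lists listening sockets with their owning process, flags the article's port 135 (plus 139/445, my addition), and shows the remote addresses you would hand to a whois tool. One caveat the article predates: on current Windows port 135 is the RPC endpoint mapper and always listens locally, so the safe fix is a firewall block rather than killing its owner.

```powershell
# Added example (not from the original article): a command-line stand-in for the ActivePorts
# view. Assumes PowerShell 5+ on Windows 8/2012 or later. Run from an elevated prompt so every
# socket's owning process is visible.

# Constructed watch list: 135 is the port the article names; 139 and 445 are the classic
# Windows file-sharing ports, which have no business facing the Internet either.
$WatchPorts = @(135, 139, 445)

# Every listening socket with the process that is "holding the door open awaiting visitors".
function Get-ListeningPortReport {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Path         = if ($proc) { $proc.Path } else { '?' }
            Watch        = $_.LocalPort -in $WatchPorts
        }
    }
}

# Established connections with the remote address you would hand to a tool like SamSpade.
# Loopback is skipped; anything touching a watched port on either end is flagged.
function Get-EstablishedPeerReport {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                LocalPort = $_.LocalPort
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
                Watch     = ($_.LocalPort -in $WatchPorts) -or ($_.RemotePort -in $WatchPorts)
            }
        }
}

# The modern version of "it shouldn't be open at all". Port 135 is the RPC endpoint mapper on
# current Windows and killing its owner (as ActivePorts would) breaks the system, so block
# inbound traffic to the watched ports on the Public (untrusted network) profile instead.
function Block-WatchedPortsInbound {
    foreach ($port in $WatchPorts) {
        $name = "Block inbound TCP $port (Public)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Profile Public -Action Block | Out-Null
        }
    }
}

Get-ListeningPortReport   | Sort-Object LocalPort | Format-Table -AutoSize
Get-EstablishedPeerReport | Format-Table -AutoSize
# Block-WatchedPortsInbound   # uncomment to create the firewall rules
```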
You also need a good Windows based spam blocker - which is a misnomer, really. Unless you are running a mail server of your own, you can usually only mark spam for deletion rather than denying it access to your system in the first place. If you are not paying attention, that file folder can get very big and quite dangerous very quickly. I am very pleased with this so far:
SpamPal
I have rigged SpamPal to operate in conjunction with my e-mail server as a fully dedicated and very 'thin' spam firewall of sorts, and my hack of it has dropped the spam transactions that get through at all from about 1,500 a week to about 120 - of which only 15 or 20 get through not marked as spam.
.. Life on the Internet
Ignore the privacy policy - the organization may get sold or even just cracked open like the Nova Scotia Government Human Resources resume storage system was. In which case the privacy policy only covers what they are doing at the exact moment you are reading it. If someone else does something later - best of luck.
What you do on the Internet is almost more important than what you do to secure your system. Spend a lot of time downloading music or 'warez' and you can expect to be spending a lot of time fixing up your system after the fact. Spend a lot of time surfing the blue stuff and expect to get a lot of odd messages regarding just how happy your wife or girlfriend really is with your dimensions. Not that either of these activities is the only 'trigger', and you are going to be in the wrong accusing anyone of surfing anything on the basis of what turns up in your family e-mail. You are just as likely to have been on someone's now unsecured CC list somewhere, or sometimes you are literally just the next possible address in 10 million addresses being hit.
Anyway - you would no more hand out your credit information on the phone than you would on the Internet - right? How did you pay for or confirm that last pizza or Chinese food order?
Someone calls you up and says you can have a free sample of something if you give them your name, address and phone number, and you tend to pay very close attention to the details - right? However, someone in a newsgroup invites you to check out a bitcast on live365/shoutcast and you hand over the Internet equivalent every time you log in.
Almost everyone 'breaks' their 'reply-to' address when posting out to public systems like newsgroups or message boards - millions of folks, in fact. Does anyone really suppose the professional harvesters haven't worked it out, so that if they bother scanning it they don't know how to decode the address? Pick up a news reader service, or better yet get a 'throw away address' at Hotmail if your ISP will let you. At the very least, get a better handle on how to really 'munge' your address so at least the text harvesters are fooled for a little while longer.
Get a better browser and e-mail client if you are using Windows and don't have a full time system admin looking after you. I've finally given up on Netscape and gone Opera (and bought the paid copy to get rid of the ad banner and cookie that comes with the free one). www.opera.com
Opera is very good at letting you natively control security at great depth while still allowing you to use cookies and fake out the 'Explorer only' sites so you can get in without handing over your drive cache to see their dog and pony show. Rough, but usable multi-account e-mail system too. It is pretty bad about importing addresses and stored e-mail from Netscape 4.7 - better with 7+, I think - but very good with bookmark imports. Don't delete anything until you've got what you want over to it. It is tricky, but you can also set up multiple copies of the browser for different users.
I thus now treat Explorer like the old CompuServe interface - which is to say that I use it to visit Microsoft only. Then I dump everything from history and cache (which is set to a custom directory) before shutting it down and rebooting.
Turn off your 'web enabled' screen background by right clicking and using display properties. I also don't use or install any screen savers (OEM or downloads). I just power down the screen if I'm away for a moment. As nice as it is to offer your unused CPU resources to things like the 'SETI Project', it opens up your system to potential exploit unless you understand how to properly configure IPSec - which is worth doing on its own, even if you don't help out the SETI project.
.. Final Considerations
Not everything and/or everyone is out to get you on the Internet.
Support and use sites and services that do not require you to use or allow anything special to transact with them, unless you are really comfortable that the site isn't harvesting or being harvested and/or the thing they want you to use is pretty commonly used by a lot of other people. A Flash plug-in or a well-known audio player, for example.
If you do get an infection alert, an infected site, a spam (viral and otherwise) or a persistent connection on port 135 that keeps coming back once you have ActivePorts and a decent AV prog running, use SamSpade to find out where it came from and report it to the 'DNS' host. This sometimes requires a second trace to figure out who exactly is actually providing the bandwidth - and even then, a lot of system admins couldn't care less. So join and support (PayPal) an anti-spam 'blacklist' like:
www.SpamCop.net
This is not www.spamcop.com - or www.spamcop.org - which are different sites completely. Do not accept imitations - www.spamcop.net is the rabid rat bastard of the anti-spam biz and thus very reliably protects you and yours from the forces of evil.
Finally - although there is much debate on this (particularly after you've secured everything properly) - I do not advise leaving your system powered up and connected to the Internet without being there. If you must leave it on, you can easily just disconnect (it says 'disable', but it means simply disconnect) your network connection from the little icon in the system tray. My logs here see a huge spike in automated overnight traffic which is deliberately timed to run when you probably aren't at your system; they match IP ranges and time zones. Yes, your Windows system and/or your hardware is most likely to fail on boot rather than while just running - but it is a fair trade off to avoid coming down one morning to find the FBI/RCMP at your door with a warrant regarding the surprisingly large collection of child porn your system has tucked away on it that has been e-mailed out to everyone else on your ISP using your IP. And try proving you didn't know after the fact.
However - again - not everything is out to get you, and once you do have a handle on what your system is actually doing, it provides a lot of peace of mind and allows you to not rely on someone else's ad-blocker or overly long and perhaps incorrect advice (like mine).
This is very empowering, actually - like knowing what the mechanic is talking about when the safety inspection comes up on the car - and just as admirable, and really as easy as spending some time doing, you know, the reading.